Re: FrontEnd/BackEnd Vs ISA (reverse proxy)

From: Kenny Wood (Kenwood_at_online.microsoft.com)
Date: 04/04/04

    Date: Sun, 04 Apr 2004 05:02:12 GMT
    
    

    Hello and thank you for your post.

    Let me clarify the FE/BE communication. The communication between the FE and BE will be HTTP; it will not use
    SSL at all. SSL Bridging is possible when using multiple ISA servers, but has nothing to do with Exchange. This
    goes for all protocols with Exchange (referring to Exchange specific protocols, not OS like IPSEC). When
    communicating to the front end over an encrypted session, the request is decrypted at the FE server, and
    PROXIED back to the appropriate BE server utilizing the equivalent decrypted protocol (i.e. HTTPS becomes
    HTTP, POPS becomes POP3, IMAPS becomes IMAP4).

    If you must force SSL communication to each server you will need to utilize ISA or some other mechanism outside
    of Exchange.

    Just as an FYI, FE/BE was never intended to be a security concept.

    Kenny Wood
    CISSP, MCSE
    PSS Security
    Microsoft Corporation

    -- 
    This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are 
    subject to the terms specified at http://www.microsoft.com/info/cpyright.htm 
    Note:  For the benefit of the community-at-large, all responses to this message are best directed to the 
    newsgroup/thread from which they originated.  
    --------------------
    From: "Jim Harrison [MSFT]" <jmharr@online.microsoft.com>
    References: <OUxngdjFEHA.3252@TK2MSFTNGP11.phx.gbl>
    Subject: Re: FrontEnd/BackEnd Vs ISA (reverse proxy)
    Date: Tue, 30 Mar 2004 15:01:10 -0800
    Newsgroups: microsoft.public.exchange.connectivity,microsoft.public.exchange2000.connectivity,microsoft.public.exchange2000.protocols,microsoft.public.isaserver

    A1 - it's entirely up to you.  This is called SSL-bridging and you can configure it to be either HTTP or HTTPS
    A2 - Since ISA can cache some portion of the OWA pages (static gifs and such), you get a performance gain by placing ISA between the users and the Exch FE box
    Take a look at Feature Pack 1.
    It incorporates some neat features aimed squarely at Exch publishing.
    -- 
     Jim Harrison [ISASE]
     Read the help, books and articles!
     This posting is provided "AS IS" with no warranties, and confers no rights.
    "FE" <frederic@esnouf.net> wrote in message news:OUxngdjFEHA.3252@TK2MSFTNGP11.phx.gbl...
    Hi,
    I need to implement Exchange 2003 on several sites (1 org). I have one main
    site (with the internet connection) and a few remote sites with a very poor
    connection (1 E2003 per site, and 1 local DC/GC).
    The customer wants OWA ... for all the users (from the internet, not for
    internal use).
    I have in DMZ an ISA Server used for reverse proxy.
    I must use HTTPS so I will be able to use GZIP (and the web page for
    authentication)... and so compress the data transferred from the remote sites
    (poor link) to the remote user (connected somewhere on the internet).
    I have 2 options:
        1) use ISA as a reverse proxy, and use 1 URL per remote server
    (site1.owa.company.com, poorsite1.owa.company.com, ...)
        2) install a FrontEnd on the main site.
    Question 1: If I use a frontend server, what will the dialog be between the
    FE and the remote BE server (with a URL such as
    https://poorsite1.owa.company.com/exchange)? HTTPS or HTTP? If I check the
    documentation about Exchange 2000 (even if I use E2003), they say that the
    dialog is HTTP between the FE and the BE. If the dialog is HTTP I cannot use
    GZIP, which is not good.
    Question 2: which is best from a performance point of view? Use a
    FrontEnd or use ISA as a reverse proxy?
    Thanks for your advice.
    Regards
    FE
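
A back-end check for the FE-to-BE behaviour described in the reply above, as an added example that is not part of the original thread: it parses IIS W3C Extended log lines from a BE server and counts /exchange requests that arrived from a front-end over port 80. The log lines, IP addresses and the FRONT_ENDS set are constructed, and the log is assumed to record the s-ip, s-port, c-ip and cs-uri-stem fields.

```python
# Added example: audit a back-end IIS log (W3C Extended format) for
# cleartext FE -> BE proxy hops. All sample data below is constructed.

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2004-04-04 05:01:10 10.1.0.20 GET /exchange/user1/Inbox 80 10.0.0.10 200
2004-04-04 05:01:12 10.1.0.20 GET /exchange/user2/Inbox 443 10.1.0.55 200
2004-04-04 05:01:15 10.1.0.20 PROPFIND /exchange/user3/ 80 10.0.0.10 207
2004-04-04 05:01:19 10.1.0.20 GET /iisstart.htm 80 10.1.0.55 200
"""

FRONT_ENDS = {"10.0.0.10"}   # assumed address of the FE server
CLEARTEXT_PORTS = {"80"}     # HTTP; compared as strings because "-" is legal


def parse_w3c(text):
    """Yield one dict per request, honouring the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated or odd rows
                yield dict(zip(fields, values))


def cleartext_proxy_hops(text, front_ends, prefix="/exchange"):
    """Count cleartext mailbox requests per (front-end, back-end) pair."""
    hops = {}
    for rec in parse_w3c(text):
        if (rec.get("c-ip") in front_ends
                and rec.get("cs-uri-stem", "").lower().startswith(prefix)
                and rec.get("s-port") in CLEARTEXT_PORTS):
            key = (rec["c-ip"], rec.get("s-ip", "?"))
            hops[key] = hops.get(key, 0) + 1
    return hops


if __name__ == "__main__":
    for (fe, be), n in cleartext_proxy_hops(SAMPLE_LOG, FRONT_ENDS).items():
        print(f"{n} cleartext /exchange requests proxied {fe} -> {be}")
```

Pairs reported here are the links where an outside mechanism such as IPsec would have to supply the encryption, since the FE itself proxies in the decrypted protocol.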
    
