Wednesday, February 12, 2014

Document: Front-End and Back-End Server Topology Guide for Microsoft Exchange Server 2003 and Exchange 2000 Server pptx

Forms-Based Authentication
How to Enable Forms-Based Authentication When Using SSL Offloading
Before You Begin
Procedure
For More Information
Securing Communication: Front-End to Other Servers
IP Security (IPSec)
IPSec Protocols
IPSec Policy
IPSec with Firewalls and Filtering Routers
Service Packs: Upgrading Front-End and Back-End Servers
Upgrading Considerations for Outlook Web Access
Scenarios for Deploying a Front-End and Back-End Topology
Advanced Firewall in a Perimeter Network
Scenario
Setup Instructions
Discussion
Issues
How to Set Up a Front-End and Back-End Topology with an Advanced Firewall in a Perimeter Network
Before You Begin
Procedure
Front-End Server behind a Firewall
Scenario
Setup Instructions
Discussion
How to Set Up a Front-End and Back-End Topology with a Front-End Server Behind a Firewall
Before You Begin
Procedure
Web Farm with a Firewall
Scenario
Setup Instructions
Discussion
Issues
How to Set Up a Front-End and Back-End Topology with a Web Farm Behind a Firewall
Before You Begin
Procedure
Front-End Server in a Perimeter Network
Scenario
Setup Instructions
Discussion
Issues
How to Set Up a Front-End and Back-End Topology with a Front-End Server in a Perimeter Network
Before You Begin
Procedure
For More Information
Configuring Exchange Front-End Servers
How to Designate a Front-End Server
Before You Begin
Procedure
For More Information
Creating HTTP Virtual Servers
How to Create a Virtual Server
Procedure
Configuring Authentication
How to Configure Authentication on a Front-End Server
Before You Begin
Procedure
Configuring the Front-End Server to Assume a Default Domain
Configuring Forms-Based Authentication for Exchange Server 2003
How to Configure a Front-End Server to Assume a Default Domain
Before You Begin
Procedure
How to Configure Forms-Based Authentication on Exchange Server 2003
Before You Begin
Procedure
Allowing the Use of an E-Mail Address as the Logon User Name
How to Allow the Use of an E-mail Address as the Logon User Name
Before You Begin
Procedure
Disabling Unnecessary Services
URLScan and IIS Lockdown Wizard
Disconnecting and Deleting Public and Mailbox Stores
Configuring Network Load Balancing
Configuring Secure Sockets Layer
How to Configure SSL for POP3, IMAP4, and SMTP
Procedure
How to Configure SSL for HTTP
Procedure
For More Information
Configuring SMTP on the Front-End Server
Mail for Internal Domains
Mail for External Domains
Configuring DSAccess for Perimeter Networks
Disabling the NetLogon Check
Disabling the Directory Access Ping
Specifying Domain Controllers and Global Catalog Servers
How to Disable the NetLogon Check on a Front-End Server
Before You Begin
Procedure
How to Disable the Directory Access Ping
Before You Begin
Procedure
Hosting Multiple Domains
Method One: Create Additional Virtual Servers
Method Two: Create Additional Virtual Directories
How to Add a Virtual Directory Under an HTTP Virtual Server in Exchange Server 2003
Procedure
For More Information
How to Create Virtual Directories
Procedure
Configuring a Back-End Server
Configuring Authentication on a Back-End Server
Creating and Configuring HTTP Virtual Servers on Back-End Servers
Method One: Configure Additional Virtual Servers
Method Two: Create Additional Virtual Directories
How to Configure Additional Virtual Servers on a Back-End Server
Before You Begin
Procedure
Configuring Firewalls
Configuring an Internet Firewall
Configuring ISA Server
Configuring an Intranet Firewall
Advanced Firewall Server in the Perimeter Network
Front-end Server in Perimeter Network
Basic Protocols
Active Directory Communication
Domain Name Service (DNS)
IPSec
Remote Procedure Calls (RPCs)
Stopping RPC Traffic
Restricting RPC Traffic
Front-End and Back-End Topology Checklist
Front-End and Back-End Topology Troubleshooting
Troubleshooting Tools
General Troubleshooting Steps
Logon Failures
Troubleshooting Outlook Web Access
Copyright

Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server
Microsoft® Exchange Server 2003 and Microsoft Exchange 2000 Server support using a
server architecture that distributes server tasks among front-end and back-end servers. In
this architecture, a front-end server accepts requests from clients and proxies them to the
appropriate back-end server for processing. This guide discusses how Exchange Server
2003 and Exchange 2000 Server support the front-end and back-end server architecture.
Also covered are several front-end and back-end scenarios and recommendations for
configuration.
Note:
Download Front-End and Back-End Server Topology Guide for Microsoft Exchange
Server 2003 and Exchange 2000 Server to print or read offline.
Introduction to Front-End and Back-End Topologies for Exchange Server 2003 and Exchange 2000 Server
Microsoft® Exchange Server 2003 and Microsoft Exchange 2000 Server support using a
server architecture that distributes server tasks among front-end and back-end servers. In
this architecture, a front-end server accepts requests from clients and proxies them to the
appropriate back-end server for processing. This guide discusses how Exchange Server 2003
and Exchange 2000 Server support the front-end and back-end server architecture. This
guide also describes several front-end and back-end scenarios and provides
recommendations for configuration.
Note:
A front-end server is a specially configured server running either Exchange
Server 2003 or Exchange 2000 Server software. A back-end server is a server with a
standard configuration. There is no configuration option to designate a server as a
back-end server. The term "back-end server" refers to all servers in an organization
that are not front-end servers after a front-end server is introduced into the
organization.
Important:
The information in this guide pertains to Exchange Server 2003 or later, and
Exchange 2000 Server with Service Pack 3 (SP3) or later. Therefore, if you are
running earlier builds, upgrade to either Exchange Server 2003 or
Exchange 2000 Server with Service Pack 3 (SP3) to take full advantage of the
features described in this guide.
Assumed Knowledge
You should have an understanding of Microsoft® Office Outlook® Web Access, Outlook
Mobile Access, Exchange ActiveSync®, RPC over HTTP, Hypertext Transfer Protocol
(HTTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), and
Internet Message Access Protocol (IMAP) version 4rev1 in a standard Exchange
deployment, in addition to basic Exchange 2000 Server and Microsoft Windows® Internet
Information Services (IIS) concepts.
New Exchange Server 2003 Features for the Front-End and Back-End Architecture
Exchange Server 2003 builds on the front-end and back-end server architecture and adds
new features and capabilities such as RPC over HTTP communication that enables users
with Outlook 2003 clients to access their Exchange information from the Internet.
Additionally, the standard version of Exchange Server 2003 enables you to configure a
server as a front-end server.
Kerberos Authentication
New in Exchange Server 2003, the Exchange front-end server can use Kerberos
authentication for HTTP sessions between the front-end server and its respective
back-end servers. Kerberos protects only the authentication; the session itself is
still sent in clear text. Therefore, if the network is public or the data is sensitive,
it is recommended that you use Internet Protocol security (IPSec) to secure all
communication between the Exchange front-end and back-end servers.
RPC over HTTP
With Exchange Server 2003, you can now use the Windows RPC over HTTP feature to
enable users who are running Outlook 2003 to access their corporate information
from the Internet. Information about how to plan, deploy, and manage this new feature for
Exchange is in Exchange Server 2003 RPC over HTTP Deployment Scenarios.
Exchange Server 2003 Editions
Exchange Server 2003 is available in two editions, Exchange Server 2003 Standard Edition
and Exchange Server 2003 Enterprise Edition. You can configure either for use as a front-
end server in a front-end and back-end server architecture.
Note:
Exchange 2000 Server can be used only as a back-end server in a front-end and
back-end configuration. However, Exchange 2000 Enterprise Server can be used as
a front-end server or a back-end server in a front-end and back-end configuration.
For more information about the differences between Exchange 2000 Server and
Exchange 2000 Enterprise Server, see Microsoft Knowledge Base article 296614,
"Differences between Exchange 2000 Standard and Enterprise versions."
Forms-Based Authentication
Exchange Server 2003 includes a new authentication feature for your Outlook Web Access
clients. For information about how to enable this feature, see Authentication Mechanisms for
HTTP.
Outlook Web Access Version Support
To provide the new Exchange Server 2003 version of Outlook Web Access for users,
Exchange Server 2003 must be installed on both the front-end server and the back-end
server to which your users connect. When users connect to an Exchange 2003 front-end and
back-end server, they are able to take advantage of the following features:
• Forms-based authentication
• Replying to and forwarding posts in a public folder through Outlook Web Access
• Integrated authentication between the front-end and back-end servers
Different combinations of Exchange Server 2003, Exchange 2000 Server, and Microsoft
Exchange Server 5.5 determine the version of Outlook Web Access that your users can use.
The following table lists the version of Outlook Web Access that users have access to, based
on the versions of Exchange that are installed on the front-end and back-end servers.
Outlook Web Access versions available to users

Front-end server    Back-end server    Outlook Web Access version
Exchange 5.5        Exchange 5.5       Exchange 5.5
Exchange 5.5        Exchange 2000      Exchange 5.5
Exchange 5.5        Exchange 2003      Not supported
Exchange 2000       Exchange 5.5       Not supported
Exchange 2000       Exchange 2000      Exchange 2000
Exchange 2000       Exchange 2003      Not supported
Exchange 2003       Exchange 5.5       Not supported
Exchange 2003       Exchange 2000      Exchange 2000
Exchange 2003       Exchange 2003      Exchange 2003

The Exchange Server 2003 version and the Exchange 2000 Server version of Outlook Web
Access are substantially different from the Exchange Server 5.5 version of Outlook Web
Access. The Exchange Server 5.5 version of Outlook Web Access uses Active Server Pages
(ASP) to communicate with an Exchange computer that uses Collaboration Data Objects
(CDO) 1.2 and MAPI. The number of clients that can access the mailbox store at the same
time is limited by the MAPI-based connection to the Exchange computer.
The Exchange Server 2003 version and the Exchange 2000 Server version of Outlook Web
Access do not use MAPI to access the mailbox store, and they do not use ASP pages for
client connections. Clients continue to connect to the Web Access Component through
Hypertext Transfer Protocol (HTTP). However, the Internet Information Services (IIS) server
that hosts the Outlook Web Access component uses the Microsoft Exchange Store service to
provide access to the user's messaging functions. IIS receives Outlook Web Access client
requests as a proxy for message traffic between a Web client and an Exchange 2003 server
or an Exchange 2000 server. If the server contains the Exchange 2003 database, Outlook
Web Access uses a high-speed channel to access the mailbox store. If the server is a front-
end server, Outlook Web Access sends the request to a back-end server using HTTP.
Front-End and Back-End Topologies Overview
The figures in this topic describe the common implementations of the front-end and back-end
server architecture. The following figure illustrates a simple Exchange front-end and back-end
topology.
An Exchange front-end and back-end server architecture without an advanced firewall
The following figure illustrates the recommended scenario that uses an advanced firewall,
such as Microsoft® Internet Security and Acceleration (ISA) Server with Service Pack 1 (SP1)
and Feature Pack 1, between the Internet and the Exchange front-end server.
The recommended Exchange front-end and back-end server architecture
Front-End and Back-End Topology Advantages
The front-end and back-end server topology should be used for multiple-server organizations
that provide e-mail access to their employees over the Internet. Additionally, organizations
that use Microsoft® Office Outlook® Web Access, POP, IMAP, and RPC over HTTP on their
internal network can also benefit from a front-end and back-end server topology.
Single namespace
The primary advantage of the front-end and back-end server architecture is the ability to
expose a single, consistent namespace. You can define a single namespace for users to
access their mailboxes (for example, https://mail for Outlook Web Access). Without a front-
end server, each user must know the name of the server that stores their mailbox. This
complicates administration and compromises flexibility, because every time your organization
grows or changes and you move some or all mailboxes to another server, you must inform
the users.
With a single namespace, users can use the same URL or POP and IMAP client
configuration, even if you add or remove servers or move mailboxes from server to server.
Additionally, creating a single namespace ensures that HTTPS, POP, or IMAP access
remains scalable as your organization grows. Finally, a single namespace reduces the
number of server certificates required for SSL encryption because clients are using SSL to
the same servers and using the same namespace.
Offloads SSL Encryption and Decryption
Clients such as Microsoft Office Outlook® 2003 or Outlook Web Access that access your
Exchange servers from the Internet should use Secure Sockets Layer (SSL) to connect to
their Exchange servers to protect the traffic from interception. However, processing SSL
traffic can be a significant overhead for a server. The front-end and back-end architecture
allows the front-end to handle the SSL encryption, freeing up the processor on the back-end
Exchange servers to allow for increased overall e-mail performance. Additional improvements
can be made using SSL accelerators or offloading SSL encryption to advanced firewalls
(such as ISA 2000 with Service Pack 1 and Feature Pack 1).
Security
You can position the front-end server as the single point of access on or behind an Internet
firewall that is configured to allow only traffic to the front-end from the Internet. Because the
front-end server has no user information stored on it, it provides an additional layer of security