fontend_backend exchage mail
TRANSCRIPT
-
8/11/2019 Fontend_backend Exchage Mail
1/100
Front-End and Back-End Server Topology Guide for Microsoft Exchange Server 2003 and Exchange 2000 Server
Microsoft Corporation
Published: December 12, 2006
Author: Exchange Server Documentation Team
Abstract
This guide discusses Exchange Server front-end and back-end server architecture and topology.
Comments? Send feedback to exchdocs@microsoft.com.
Contents
Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server
Introduction to Front-End and Back-End Topologies for Exchange Server 2003 and Exchange 2000 Server
Assumed Knowledge
New Exchange Server 2003 Features for the Front-End and Back-End Architecture
Kerberos Authentication
RPC over HTTP
Exchange Server 2003 Editions
Forms-Based Authentication
Outlook Web Access Version Support
Front-End and Back-End Topologies Overview
Front-End and Back-End Topology Advantages
Single namespace
Offloads SSL Encryption and Decryption
Security
Improved Public Folder Access and Features
Increased IMAP Access to Public Folders
Multiple Protocols Supported
How a Front-End and Back-End Topology Works
Integration with Internet Information Services
Remote Procedure Calls in a Perimeter Network
Dependency on DSAccess
System Attendant on Front-End Servers
Supporting POP and IMAP Clients
Authentication for POP and IMAP Clients
IMAP Access to Public Folders
Running SMTP for POP and IMAP Clients
Supporting HTTP Access
Finding
Simplifying the Outlook Web Access
Procedure
For More Information
Securing Communication: Front-End to Other Servers
IP Security (IPSec)
IPSec Protocols
IPSec Policy
IPSec with Firewalls and Filtering Routers
Service Packs
Before You Begin
Procedure
Front-End Server behind a Firewall
Scenario
Setup Instructions
Discussion
How to Set
Setup Instructions
Discussion
Issues
How to Set
Disconnecting and Deleting Public and Mailbox Stores
Configuring Network Load Balancing
Configuring Secure Sockets Layer
How to Configure SSL for POP3, IMAP4, and SMTP
Procedure
How to Configure SSL for HTTP
Procedure
For More Information
Configuring SMTP on the Front-End Server
Mail for Internal Domains
Mail for External Domains
Configuring DSAccess for Perimeter Networks
Disabling the NetLogon Check
Disabling the Directory Access Ping
Specifying Domain Controllers and Global Catalog Servers
How to Disable the NetLogon Check on a Front-End Server
Before You Begin
Procedure
How to Disable the Directory Access Ping
Before You Begin
Procedure
Hosting Multiple Domains
Method One: Create Additional Virtual Servers
Method Two: Create Additional Virtual Directories
How to Add a Virtual Directory
How to Configure Additional Virtual Servers on a Back-End Server
Before You Begin
Procedure
Configuring Firewalls
Configuring an Internet Firewall
Configuring ISA Server
Configuring an Intranet Firewall
Advanced Firewall Server in the Perimeter Network
Front-end Server in Perimeter Network
Basic Protocols
Active Directory Communication
Domain Name Service (DNS)
IPSec
Remote Procedure Calls (RPCs)
Stopping RPC Traffic
Restricting RPC Traffic
Front-End and Back-End Topology Checklist
Front-End and Back-End Topology Troubleshooting
Troubleshooting Tools
General Troubleshooting Steps
Logon Failures
Troubleshooting Outlook Web Access
Copyright
Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server
Microsoft Exchange Server 2003 and Microsoft Exchange 2000 Server support using a server architecture that distributes server tasks among front-end and back-end servers. In this architecture, a front-end server accepts requests from clients and proxies them to the appropriate back-end server for processing. This guide discusses how Exchange Server 2003 and Exchange 2000 Server support the front-end and back-end server architecture. Also covered are several front-end and back-end scenarios and recommendations for configuration.
Note:
Download Front-End and Back-End Server Topology Guide for Microsoft Exchange Server 2003 and Exchange 2000 Server (http://go.microsoft.com/fwlink/?LinkId=69352) to print or read offline.
Introduction to Front-End and Back-End Topologies for Exchange Server 2003 and Exchange 2000 Server
Microsoft Exchange Server 2003 and Microsoft Exchange 2000 Server support using a server architecture that distributes server tasks among front-end and back-end servers. In this architecture, a front-end server accepts requests from clients and proxies them to the appropriate back-end server for processing. This guide discusses how Exchange Server 2003 and Exchange 2000 Server support the front-end and back-end server architecture. This guide also describes several front-end and back-end scenarios and provides recommendations for configuration.
Note:
A front-end server is a specially configured server running either Exchange Server 2003 or Exchange 2000 Server software. A back-end server is a server with a standard configuration. There is no configuration option to designate a server as a back-end server. The term "back-end server" refers to all servers in an organization that are not front-end servers after a front-end server is introduced into the organization.
Important:
The information in this guide pertains to Exchange Server 2003 or later, and Exchange 2000 Server with Service Pack 3 (SP3) or later. Therefore, if you are running earlier builds, upgrade to either Exchange Server 2003 or Exchange 2000 Server with Service Pack 3 (SP3) to take full advantage of the features described in this guide.
Assumed Knowledge
You should have an understanding of Microsoft Office Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync, RPC over HTTP, Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), and Internet Message Access Protocol (IMAP) version 4rev1 in a standard Exchange deployment, in addition to basic Exchange 2000 Server and Microsoft Windows Internet Information Services (IIS) concepts.
New Exchange Server 2003 Features for the Front-End and Back-End Architecture
Exchange Server 2003 builds on the front-end and back-end server architecture and adds new features and capabilities such as RPC over HTTP communication that enables users with Outlook 2003 clients to access their Exchange information from the Internet. Additionally, the standard version of Exchange Server 2003 enables you to configure a server as a front-end server.
Kerberos Authentication
New for Exchange Server 2003 is the ability for the Exchange front-end server to use Kerberos authentication for HTTP sessions between the front-end and its respective back-end servers. While the authentication is now using Kerberos, the session is still being sent using clear text. Therefore, if the network is public or the data is sensitive, it is recommended that you use Internet Protocol security (IPSec) to secure all communication between the Exchange front-end and back-end servers.
RPC over HTTP
With Exchange Server 2003 you can now use the Windows RPC over HTTP feature to enable users who are running Outlook 2003 to be able to access their corporate information from the Internet. Information about how to plan, deploy, and manage this new feature for Exchange is in Exchange Server 2003 RPC over HTTP Deployment Scenarios (http://go.microsoft.com/fwlink/?LinkId=47577).
Exchange Server 2003 Editions
Exchange Server 2003 is available in two editions, Exchange Server 2003 Standard Edition and Exchange Server 2003 Enterprise Edition. You can configure either for use as a front-end server in a front-end and back-end server architecture.
Note:
Exchange 2000 Server can be used only as a back-end server in a front-end and back-end configuration. However, Exchange 2000 Enterprise Server can be used as a front-end server or a back-end server in a front-end and back-end configuration. For more information about the differences between Exchange 2000 Server and Exchange 2000 Enterprise Server, see Microsoft Knowledge Base article 296614, "Differences between Exchange 2000 Standard and Enterprise versions" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=296614).
Forms-Based Authentication
Exchange Server 2003 includes a new authentication feature for your Outlook Web Access clients. For information about how to enable this feature, see Authentication Mechanisms for HTTP.
Outlook Web Access Version Support
To provide the new Exchange Server 2003 version of Outlook Web Access for users, Exchange Server 2003 must be installed on both the front-end server and the back-end server to which your users connect. When users connect to an Exchange 2003 front-end and back-end server, they are able to take advantage of the following features:
Forms-based authentication
Replying to and forwarding posts in a public folder through Outlook Web Access
Integrated authentication between the front-end and back-end servers
Different combinations of Exchange Server 2003, Exchange 2000 Server, and Microsoft Exchange Server 5.5 determine the version of Outlook Web Access that your users can use. The following table lists the version of Outlook Web Access that users have access to, based on the versions of Exchange that are installed on the front-end and back-end servers.
Outlook Web Access versions available to users
Front-end server     Back-end server     Outlook Web Access version
Exchange 5.5         Exchange 5.5        Exchange 5.5
Exchange 5.5         Exchange 2000       Exchange 5.5
Exchange 5.5         Exchange 2003       Not supported
Exchange 2000        Exchange 5.5        Not supported
Exchange 2000        Exchange 2000       Exchange 2000
Exchange 2000        Exchange 2003       Not supported
Exchange 2003        Exchange 5.5        Not supported
Exchange 2003        Exchange 2000       Exchange 2000
Exchange 2003        Exchange 2003       Exchange 2003
The Exchange Server 2003 version and the Exchange 2000 Server version of Outlook Web Access are substantially different from the Exchange Server 5.5 version of Outlook Web Access. The Exchange Server 5.5 version of Outlook Web Access uses Active Server Pages (ASP) to communicate with an Exchange computer that uses Collaboration Data Objects (CDO) 1.2 and MAPI. The number of clients that can access the mailbox store at the same time is limited by the MAPI-based connection to the Exchange computer.
The Exchange Server 2003 version and the Exchange 2000 Server version of Outlook Web Access do not use MAPI to access the mailbox store, and they do not use ASP pages for client connections. Clients continue to connect to the Web Access Component through Hypertext Transfer Protocol (HTTP). However, the Internet Information Services (IIS) server that hosts the Outlook Web Access component uses the Microsoft Exchange Store service to provide access to the user's messaging functions. IIS receives Outlook Web Access client requests as a proxy for message traffic between a Web client and an Exchange 2003 server or an Exchange 2000 server. If the server contains the Exchange 2003 database, Outlook Web Access uses a high-speed channel to access the mailbox store. If the server is a front-end server, Outlook Web Access sends the request to a back-end server using HTTP.
Front-End and Back-End Topologies Overview
The figures in this topic describe the common implementations of the front-end and back-end server architecture. The following figure illustrates a simple Exchange front-end and back-end topology.
An Exchange front-end and back-end server architecture without an advanced firewall
The following figure illustrates the recommended scenario that uses an advanced firewall, such as Microsoft Internet Security and Acceleration (ISA) Server with Service Pack 1 (SP1) and Feature Pack 1, between the Internet and the Exchange front-end server.
The recommended Exchange front-end and back-end server architecture
Front-End and Back-End Topology Advantages
The front-end and back-end server topology should be used for multiple-server organizations that provide e-mail access to their employees over the Internet. Additionally, organizations that use Microsoft Office Outlook Web Access, POP, IMAP, and RPC over HTTP on their internal network can also benefit from a front-end and back-end server topology.
Single namespace
The primary advantage of the front-end and back-end server architecture is the ability to expose a single, consistent namespace. You can define a single namespace for users to access their mailboxes (for example, https://mail for Outlook Web Access). Without a front-end server, each user must know the name of the server that stores their mailbox. This complicates administration and compromises flexibility, because every time your organization grows or changes and you move some or all mailboxes to another server, you must inform the users.
With a single namespace, users can use the same
for the organization. In addition, the front-end servers authenticate requests before proxying them, protecting the back-end servers from denial-of-service attacks.
Improved Public Folder Access and Features
A front-end Exchange server increases the robustness of accessing public folders, as it knows the state of back-end servers and can use multiple referrals to access public folder data. This includes system data such as calendar free/busy information. In addition, in Exchange Server 2003, a front-end Exchange server enables your users who use Outlook Web Access to reply to or forward posts in public folders. Without a front-end server, public folder posts can only be read.
Increased IMAP Access to Public Folders
The IMAP protocol specification allows a server to refer a client to another server. Exchange supports this referral functionality in cases where a public folder store on a particular server does not contain the content requested and the client needs to be referred to another server. However, this requires a client that supports IMAP referrals, and most clients do not support referrals. (The
How a Front-End and Back-End Topology Works
Although the general functionality of the front-end server is to proxy requests to the correct back-end servers on behalf of the client computers, the exact functionality of the front-end server depends on the protocol and the action being performed.
This section discusses the Windows and Microsoft Exchange Server components that are essential to understanding how front-end and back-end topology works. Make sure that you understand how these components function in a front-end and back-end topology and assess whether the modifications will affect your organization.
This section also explains how front-end and back-end servers support the various client protocols.
Integration with Internet Information Services
Exchange stores configuration information in Active Directory directory service, whereas Internet Information Services (IIS) stores configuration information in the metabase. The metabase is a local configuration database shared by the protocols that IIS supports. The Exchange System Attendant service regularly replicates relevant configuration changes made in Active Directory through Exchange System Manager to the metabase. You can tell when the configuration replication has occurred by looking for entries in Event Viewer from the metabase update service (MSExchangeM
Remote Procedure Calls are used by Internet Information Services (IIS) to authenticate clients on the front-end server.
Dependency on DSAccess
DSAccess is a shared Exchange Server component that accesses and stores directory information in a cache. DSAccess dynamically detects the directory servers that other Exchange components should contact, based on criteria such as Active Directory site configuration and Active Directory server availability. Exchange front-end servers use DSAccess to determine which server contains a particular user's mailbox, the Simple Mail Transfer Protocol (SMTP) addresses that exist for a user object, the servers that contain public folder stores, and so on.
DSAccess uses Lightweight Directory Access Protocol (LDAP) for most operations. However, DSAccess still uses RPCs to call the NetLogon service for each domain controller and global catalog server that it discovers.
If you put a front-end server in a perimeter network where you want to restrict RPC traffic between the perimeter network and the corporate network to specific services only, the NetLogon RPC from DSAccess to domain controller and global catalog servers may fail. If this occurs, DSAccess determines that RPC connectivity is just blocked, and that the servers are still available. However, DSAccess continues to send the NetLogon RPC, which may affect performance.
To stop DSAccess from doing the NetLogon RPC check, you can create a registry key. For more information about optimizing DSAccess in a perimeter network, see Configuring DSAccess for Perimeter Networks.
System Attendant on Front-End Servers
By default, Exchange System Attendant no longer requires RPCs when it runs on a front-end server. The components of System Attendant that use RPCs are no longer loaded on front-end servers; therefore, these components are disabled when you designate a server as a front-end server. The following list briefly describes these components:
DSProxy
The DSProxy service refers MAPI clients (such as Microsoft Office Outlook 2002) to global catalog servers for global address list lookups. DSProxy also allows MAPI clients with older versions of Outlook to access Active Directory. DSProxy no longer runs on front-end servers; therefore, the front-end server can no longer determine which back-end server contains a MAPI client's mailbox. As a result, you cannot point a MAPI client
to the front-end server to determine the user's back-end server and then route the request to the appropriate server.
Note:
To enable DSProxy on the front-end server for routing MAPI client requests, install Exchange 2000 Server Service Pack 3 (SP3) and create the registry key described in Microsoft Knowledge Base article 319175, "XADM: You Cannot Perform a Check Names Query Against a Front-End Exchange Computer." Note that to receive these referrals, the client must have RPC access to the front-end server. Additionally, the front-end server must have RPC access to domain controllers.
Recipient Update Service
The Recipient
Supporting POP and IMAP Clients
When you use a front-end server, the names of the servers that host the mailboxes are hidden from the users. Client computers connect to one host name shared by the front-end servers. As a result, moving users between servers is transparent to the users and requires no reconfiguration of client computers.
To log on, a POP or IMAP client sends the front-end server a logon request that contains the name of the mailbox to be accessed. The front-end server authenticates the user and uses Active Directory to determine which back-end server contains the user's mailbox. The front-end server then proxies the logon request to the appropriate back-end server. The back-end server then sends the results of the logon operation back to the front-end server, which returns the results of the operation back to the client. Subsequent POP or IMAP commands are similarly handled.
Note:
SMTP must be available to allow POP and IMAP clients to submit e-mail. You can install SMTP on the front-end server or set up a separate SMTP server. E-mail submission through SMTP on the front-end server works the same as it does on any other server running Exchange. For more information about how to configure SMTP on a front-end server, see Configuring Exchange Front-End Servers.
Authentication for POP and IMAP Clients
POP and IMAP e-mail clients send user and password information in clear text. If the front-end server is accessible from the Internet, you should configure SSL so that user authentication information and data is not passed over the Internet in clear text.
IMAP Access to Public Folders
When a non referral-enabled IMAP client connects to a back-end server, it can access only public folders that have a replica on the user's home server. To access public folders that have replicas on other servers, an IMAP client must be referral-enabled. A referral-enabled client issues special commands to an IMAP server to create a list of the public folders available to the client. When the client computer requests a public folder that does not have a local replica, the server responds to the client request with a referral
available to a non referral-enabled client. When the front-end server receives a referral response from the back-end server, it does not pass this response back to the client. Instead it follows the referral for the client and makes a connection to the appropriate back-end server that has the data. The back-end server then responds with the requested item, which the front-end server relays back to the client.
*unning SMT+ for +.+ and &M!+ #lients
P5P and /MAP protocols are used onl& for recei"in mailH &ou must confiure !M#P on the
front$end ser"er so that P5P and /MAP clients can submit mail' >ou do not ha"e to run !M#P
on the Exchane front$end ser"er' /nstead, &ou can use another ser"er as a dedicated !M#P
atea&'
&'portant%
#o run !M#P on the front$end ser"er and enable it to accept inbound mail ?mail for
&our domains@, &ou must mount a mailbox store on the front$end ser"er' #his mailbox
store must not contain an& mailboxes' >ou must mount a mailbox store on the front$
end ser"er because an& non$deli"er& reports ?D3s@ must be routed throuh the
mailbox store for formattin'
#o confiure !M#P so that P5P and /MAP clients can submit mail to external domains, &ou
must allo rela&in'
+& default, Exchane allos rela&in onl& from authenticated clients' /t is recommended that
&ou %eep this default' Clients such as Microsoft 5utloo% Express 6'0 and Microsoft 5ffice5utloo% 200-, and pre"ious "ersions of 5utloo% Express and 5utloo% support !M#P
authentication in addition to #ransport 9a&er !ecurit& ?#9!@ encr&ption'
>ou should not allo rela&in in either of the folloin a&s:
>ou should not allo anon&mous rela&in to all /P addressesH if &our front$end ser"er is
connected to the /nternet, doin this allos an&one on the /nternet to use &our ser"er to
send mail'
>ou should not allo rela&in from specific client /P addresses' E"en if &ou are familiar
ith the subnet from hich clients send mail, the /nternet en"ironment ma%es it difficult to
determine such a specific set of /P addresses'
Note:
If you want the front-end server to act as the bridgehead server between your company and the Internet, it is recommended that the server on the Internet that accepts mail for your domains has the ability to scan incoming messages for viruses.
Note:
For more information, see the Exchange technical guide, Exchange Server 2003 Transport and Routing Guide.
Supporting HTTP Access
Whether generated by a browser or a specialized client, HTTP requests from the client computer are sent to the front-end server. The front-end server uses Active Directory to determine which back-end server to proxy the request to.
After determining the appropriate back-end server, the front-end server forwards the request to the back-end server. Apart from specific header information that indicates the request was passed through a front-end server, the request is almost the same as the original request sent from the client. In particular, the HTTP host header, which matches the name of the front-end server to which the request was sent (meaning the hostname or fully qualified domain name that the user entered in the browser), remains unchanged. The front-end server contacts the back-end server using the hostname of the back-end server (for example, backend1), but in the HTTP headers of the request, the front-end server sends the host header used by the client, for example, www.adatum.com. The host header setting ensures that the appropriate back-end Exchange virtual server handles the request. For more information about configuring virtual servers on a back-end server, see Configuring a Back-End Server.
For HTTP requests, the front-end server always contacts the back-end server over TCP port 80 (the default HTTP port), regardless of whether the client contacted the front-end server through port 80 or 443 (the SSL port). This means that:
HTTP virtual servers on the Exchange front-end server can listen only on port 80 (HTTP) or 443 (HTTPS).
Note:
No ports other than port 80 and port 443 can be used for HTTP virtual servers on the Exchange front-end servers.
SSL encryption is never used between the front-end and back-end servers, although the client should use it to communicate with the front-end server.
HTTP virtual servers that differentiate themselves from other servers only by port number are not supported in a front-end and back-end topology. For example, if a back-end server has an HTTP virtual server listening on port 8080, a client can access that back-end server only if the client is pointed directly to the back-end server (for example, http://backend1:8080/data). A client connecting to the front-end server cannot access this data.
The back-end server processes the HTTP request from the front-end normally, and the response is sent unchanged through the front-end server back to the client. This whole process is not visible to the client, which just interacts with the front-end server. The client is unaware of how the request was handled internally.
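The proxying behaviour this section describes, as an added example that is not code from this guide, from Exchange or from IIS: the front-end keeps the request line, the client's Host header and every other client header, adds the "Front-End-Https: on" marker only when the client arrived over SSL (the header the guide discusses later under SSL offloading), and always targets the back-end on port 80 regardless of whether the client used 80 or 443. The host names, the sample request and the placeholder Basic token are constructed.

```python
"""How a front-end server rewrites a client HTTP request before proxying it
to a back-end server, following the description above.

Added example, not Exchange or IIS code. Host names, paths and the sample
request are constructed; the Basic token is a placeholder, not credentials."""
from __future__ import annotations

BACKEND_HTTP_PORT = 80        # the front-end always talks to the back-end on 80
FRONTEND_PORTS = {80, 443}    # the only ports a front-end HTTP virtual server may use
MARKER_HEADER = "Front-End-Https"

# Constructed client request. It carries its own copy of the marker header to
# show that the front-end discards whatever the client claims about SSL.
SAMPLE_CLIENT_REQUEST = (
    b"GET /exchange/bob/Inbox HTTP/1.1\r\n"
    b"Host: www.adatum.com\r\n"
    b"Authorization: Basic Q09OU1RSVUNURUQ=\r\n"
    b"Front-End-Https: on\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> tuple[str, str, str, list[tuple[str, str]], bytes]:
    """Split an HTTP/1.x request into (method, target, version, headers, body).
    Header order is kept so the back-end sees the sequence the client sent."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], parts[2], headers, body


def build_backend_request(raw: bytes, client_used_ssl: bool) -> bytes:
    """Return the bytes the front-end sends on to the back-end.

    Unchanged: request line, the Host header (the name the user typed, which
    selects the back-end virtual server) and every other client header,
    Authorization included. Added: the marker header when the client connection
    was SSL, so the back-end knows although its own hop is plain HTTP."""
    method, target, version, headers, body = parse_request(raw)
    if not any(n.lower() == "host" for n, _ in headers):
        raise ValueError("no Host header; cannot select a back-end virtual server")
    # Strip any client-supplied marker so a client cannot forge it.
    headers = [(n, v) for n, v in headers if n.lower() != MARKER_HEADER.lower()]
    if client_used_ssl:
        headers.append((MARKER_HEADER, "on"))
    head = "\r\n".join([f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def route_target(backend_host: str, client_port: int) -> tuple[str, int]:
    """TCP endpoint the front-end connects to: backend_host on port 80 whether
    the client arrived on 80 or 443. Any other client port is rejected because
    a front-end HTTP virtual server may listen only on those two."""
    if client_port not in FRONTEND_PORTS:
        raise ValueError(f"front-end virtual servers cannot listen on port {client_port}")
    return backend_host, BACKEND_HTTP_PORT


def header_value(raw: bytes, name: str) -> str | None:
    """Case-insensitive header lookup used to inspect the proxied request."""
    _, _, _, headers, _ = parse_request(raw)
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


if __name__ == "__main__":
    proxied = build_backend_request(SAMPLE_CLIENT_REQUEST, client_used_ssl=True)
    print(route_target("backend1", 443))
    print(proxied.decode("iso-8859-1"))
```

Because the Authorization header crosses the front-end to back-end hop unchanged and that hop is never SSL, the same code illustrates why the guide later recommends IPSec between front-end and back-end servers when basic authentication is in use.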
Finding User Mailboxes
To provide access to mailbox folders through HTTP, you must have a virtual directory on both the Exchange front-end and back-end servers that points to the mailboxes.
Note:
the user name and sent to the correct back-end server. This is known as implicit logon. Implicit logon is useful only for logging on to Outlook Web Access; specialized HTTP clients generally do not use implicit logon.
Exchange 2000 Server SP3 and Exchange Server 2003
Implicit logon makes use of the SMTP domain specified on the HTTP virtual directory to identify the user. Therefore, users connecting to that virtual server must have an e-mail address in their list of SMTP proxy addresses on their object in Active Directory with the same domain.
Exchange Server 2003 SP1
Implicit logon no longer relies exclusively on the SMTP domain specified. All the user information can be gleaned from their logon.
Simplifying the Outlook Web Access URL
Change Password Feature
If you are using Outlook Web Access, you can enable the Change Password feature in IIS to:
Alert users when their passwords expire.
Enable users to use the Options button in Outlook Web Access to change their passwords.
Keep in mind that if you want to use the Change Password feature, you must also use SSL between clients and the front-end server to secure the password during transmission.
Additionally, you must create a virtual directory named IISADMPWD on the front-end server and back-end servers to handle the Change Password requests.
Note:
The only time you must require SSL on a back-end server is when you want users to be able to connect to the back-end server directly. Remember, however, that front-end servers cannot use SSL when connecting to back-end servers. Therefore, if you require SSL on the back-end server, ensure that you do not require SSL on the following directories so that front-end servers can still connect to them: Exchange, Public, ExchWeb, Exadmin, and any mailbox or public folder virtual roots.
For more information about how to configure the Change Password feature, see Microsoft Knowledge Base article 327134, "XCCC: HOW TO:
HTTP. Identical virtual directories must exist on each front-end server and on all back-end servers that host the public folder tree.
A request made to a
Public folder referral through a front-end server
1. An HTTP client authenticates against the front-end server and requests /public/PublicFolder2.
2. The front-end server authenticates the user against Active Directory and requests the location of the user's default public folder store.
3. Active Directory indicates to the front-end server that the user's default public folder store is on Server1.
4. The front-end server sends the client request to Server1.
5. Server1 tells the front-end server that it does not have the contents of /public/PublicFolder2, but Server2 and Server3 do.
6. The front-end server performs a hashing algorithm against the list of servers with the content (in this case, Server2 and Server3). The results of the hash in this case turn out to be Server2, so the front-end server forwards the request to Server2.
Note:
A hashing algorithm applies a given number (in this case, the user's security token) and uses it to generate a position in a list so that the distribution of all possible inputs is even over the list.
7. Server2 returns the contents of /public/PublicFolder2 to the front-end server, which then sends the contents to the HTTP client.
The Default (MAPI) Public Folder Tree
When a client accesses the default public folder tree in Outlook Web Access, an attempt is made to maintain parity with MAPI clients such as Outlook. Each mailbox store is associated with a particular public folder store somewhere in the organization (sometimes on the same server as the mailbox store, sometimes on a dedicated public folder server). The public folder store associated with the user's mailbox store is the public folder store that displays the public folder hierarchy (tree) in Outlook.
When a user requests a public folder in the default public folder tree through HTTP, the front-end server authenticates the user and looks up the user in Active Directory to see which public store is associated with that user's mailbox store. The front-end server then forwards the request to the user's public folder server.
Note that if the front-end server is not configured to authenticate users, requests for public folders are not load balanced.
General-Purpose Public Folder Trees
Default public folder tree servers have an association with mailbox stores because of their MAPI heritage; general-purpose public folder trees do not have such an association. As a result, requests for folders in general-purpose public folder trees are handled slightly differently than requests for folders in the default public folder tree.
When a client makes a request to access a general-purpose public folder tree, the front-end server first contacts Active Directory to find a list of all servers running Exchange 2000 Server or Exchange Server 2003 in the organization that have a replica of the particular general-purpose public folder tree that the client is attempting to access.
Note:
General-purpose public folder trees are not available in Exchange Server 5.5.
The front-end server then uses the user's authentication token in a hashing algorithm against the list of servers to ensure that:
When Content Is Not Available on the Back-End Server
The front-end and back-end topology has special handling for times when the back-end server receives a request for a public folder for which it does not have a replica. This handling occurs for folders in the default public folder store in addition to folders in general-purpose public folder trees.
When a back-end server receives such a request, it returns a list of the servers that have the contents of the requested folder. The front-end server does not pass this information back to the client, but runs the same hashing algorithm against the new list of servers again, to ensure load balancing and consistent views. As a result, in organizations that use partial replicas of public folder trees, the front-end server may have to perform two HTTP requests to satisfy the client's single request. However, in processing the client's request, the front-end server caches information about which servers have the content, allowing the front-end server to avoid extra requests when data in the same folder is accessed in the future.
The caches maintained by the front-end server substantially reduce the number of queries sent to Active Directory and back-end servers for both public and private folder accesses. Cache information expires after ten minutes and is also reset when changes in server configuration are detected.
Note:
Exchange 5.5 servers cannot be selected because they do not support the required HTTP WebDAV extensions.
Back-End Server Downtime
If a back-end server is down for maintenance or is otherwise inaccessible over HTTP, the front-end server cannot connect to it. The front-end server marks that server "unavailable" for a period of 10 minutes and sends the request to a different server if there are other servers available; the request fails if no other servers are available. While the back-end server is unavailable, the front-end server automatically directs requests to other servers. Therefore, after a back-end server returns to production, it might be inaccessible through the front-end server for as long as 10 minutes, because the front-end server might still have that back-end server marked as unavailable.
This process significantly increases reliability for public folder access. The front-end server will attempt to contact multiple back-end servers for the data, whereas a client connecting directly to a back-end server will not.
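The selection behaviour described in the referral walkthrough above, in "When Content Is Not Available on the Back-End Server" and in "Back-End Server Downtime", as one added simulation that is not Exchange code: a token is hashed over the candidate list, a referral from a server without a replica is followed and cached for ten minutes, and an unreachable back-end is skipped for ten minutes before it is tried again. Server names, folders and users are constructed, and SHA-256 modular hashing stands in for Exchange's own hashing algorithm, which this page does not specify. The same code exhibits the property the guide relies on when servers are added or removed: the chosen position depends on the length of the list, so changing the list can move users to a different server.

```python
"""Front-end server selection for public folder requests: hash over candidates,
follow referrals, cache where content lives, skip unavailable back-ends.

Added example, not Exchange code. Servers, folders and users are constructed;
SHA-256 modular hashing is a stand-in for the unspecified real algorithm."""
from __future__ import annotations
import hashlib

CACHE_TTL = 600.0         # seconds; content cache expires after ten minutes
UNAVAILABLE_TTL = 600.0   # seconds; a failed back-end is skipped for ten minutes


def pick_server(token: str, servers: list[str]) -> str:
    """Map a token to a position in the list. The spread is even over all
    inputs, but the position depends on the list length, so adding or removing
    a server can move a user to a different server."""
    if not servers:
        raise LookupError("no reachable server holds the content")
    digest = hashlib.sha256(token.encode("utf-8")).digest()
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def moved_users(tokens: list[str], before: list[str], after: list[str]) -> list[str]:
    """Tokens whose server changes when the server list changes."""
    return [t for t in tokens if pick_server(t, before) != pick_server(t, after)]


class FrontEnd:
    def __init__(self, replicas: dict[str, list[str]], default_store: dict[str, str]):
        self.replicas = replicas              # folder -> servers holding a replica
        self.default_store = default_store    # user -> server of the default public store
        self.down: dict[str, float] = {}      # server -> time it was marked unavailable
        self.content_cache: dict[str, tuple[list[str], float]] = {}
        self.backend_calls = 0                # HTTP requests sent to back-ends

    def _reachable(self, server: str, now: float) -> bool:
        marked = self.down.get(server)
        if marked is not None and now - marked < UNAVAILABLE_TTL:
            return False
        self.down.pop(server, None)           # mark has expired: try it again
        return True

    def _ask_backend(self, server: str, folder: str, live: set[str]) -> list[str] | None:
        """One HTTP request. None means the server served the folder; a list is
        the referral naming the servers that do have the content."""
        if server not in live:
            raise ConnectionError(server)
        self.backend_calls += 1
        holders = self.replicas.get(folder, [])
        return None if server in holders else list(holders)

    def route(self, user: str, token: str, folder: str, now: float, live: set[str]) -> str:
        """Return the back-end that served `folder`: default store (or cache)
        -> referral -> hash over the holders -> another server on failure."""
        cached = self.content_cache.get(folder)
        if cached and now - cached[1] < CACHE_TTL:
            candidates = list(cached[0])
        else:
            candidates = [self.default_store[user]]
        while True:
            usable = [s for s in candidates if self._reachable(s, now)]
            server = pick_server(token, usable)       # LookupError when none is left
            try:
                referral = self._ask_backend(server, folder, live)
            except ConnectionError:
                self.down[server] = now               # skipped for UNAVAILABLE_TTL
                continue
            if referral is None:
                return server
            self.content_cache[folder] = (referral, now)
            candidates = referral


if __name__ == "__main__":
    fe = FrontEnd({"/public/PublicFolder2": ["Server2", "Server3"]}, {"alice": "Server1"})
    live = {"Server1", "Server2", "Server3"}
    print(fe.route("alice", "token-alice", "/public/PublicFolder2", 0.0, live), fe.backend_calls)
```

On the first request the front-end spends two back-end requests (one answered by a referral, one by the content); within the ten-minute cache window the same folder costs one. Once a chosen server fails, the other replica answers, and the failed server stays out of the selection until its mark expires even if it has already returned.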
Adding or Removing Back-End Servers
The goal of the hashing algorithm is load balancing; however, a condition of the algorithm is that the distribution of users across servers depends on the number of servers. Therefore, if the list of servers hosting the content for a public folder changes because of the addition or removal of a server, the result of the h
ashing algorithm may direct the user to a new server for future requests. Typically, when the server processing a user's request changes, the user cannot tell that anything physical changed, with the exception of the following:
Before You Begin
Before you perform the procedures in this topic, it is important that you first read "How a Front-End and Back-End Topology Works" in the Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Server Topology Guide.
To successfully complete the procedures in this topic, confirm the following:
The front-end server has authentication enabled.
Procedure
To simplify the Outlook Web Access URL
1.
Note:
Anonymous authentication on the front-end server is required when it is located in a perimeter network and cannot use Remote Procedure Calls. This is not a recommended scenario, as user access cannot be blocked by the front-end server. For more information about pass-through authentication, see "Pass-Through Authentication" later in this topic.
Important:
It is strongly recommended that you use dual authentication, in which you configure both front-end and back-end servers to authenticate users. For more information, see "Dual Authentication" later in this topic.
Dual Authentication
By default, dual authentication is used with front-end and back-end servers. In dual authentication, both front-end and back-end servers are configured to authenticate users. You should configure front-end servers to perform authentication whenever possible. If you cannot enable authentication on the front-end server, implicit logon does not work, and you cannot load-balance public folder requests. You can use explicit logon to gain access, regardless of how authentication is configured.
Note:
Exchange relies on IIS to authenticate HTTP requests. IIS uses RPCs to directory servers to do authentication. If RPCs are not allowed between the front-end server and the directory server, you must use pass-through authentication. For more information about how to enable pass-through authentication and the risks of doing so, see "Pass-Through Authentication" later in this topic.
Pass-Through Authentication
In pass-through authentication, the front-end server is configured with anonymous authentication, so it does not ask the user for an authorization header. The front-end server forwards the user's request to the back-end server, which asks the user for authentication. The back-end server's request for authentication and the user's response are routed unchanged through the front-end server.
Note:
When you use pass-through authentication, anonymous HTTP requests go directly to the back-end server where they are authenticated. You should use pass-through authentication only if absolutely necessary. The recommended strategy is to place an advanced firewall in the perimeter network and the front-end server behind the internal firewall, so it has full RPC access to the internal network. If you do want to place the front-end server in the perimeter network, it may be more secure to allow RPCs than to allow anonymous requests to reach back-end servers, because pass-through authentication allows requests from any source, valid or invalid, to be passed to your back-end servers. For more information, see Scenarios for Deploying a Front-End and Back-End Topology.
When pass-through authentication is used, the front-end server cannot load-balance public folder requests, because it does not have the authentication token on which to perform a hashing algorithm. Additionally, implicit logon will not work.
prompts them for authentication and they must re-enter their credentials, even if they already used Windows to log on.
Note:
Both Exchange 2003 and Exchange 2000 back-end servers will support integrated authentication from an Exchange 2003 front-end server.
Basic Authentication
The front-end proxies the basic authentication credentials to the back-end servers. To secure this information, it is highly recommended that IPSec be used between the front-end and back-end servers.
Note:
Basic authentication between the front-end and back-end servers is supported by both Exchange 2000 and Exchange 2003 front-end servers.
User Logon Information
When authenticating against a front-end server, by default, the user must enter his or her user name in the following format: domain\username. You can configure the front-end server to assume a default domain so that users do not need to remember their domain.
An additional option for authentication is to configure a user principal name (
Features Lost by Placing an Exchange Front-End Server in the Perimeter Network without RPC Access
Important:
This section applies if you place an Exchange front-end server in the perimeter network and do not allow RPC traffic across the internal firewall.
Corporations that have perimeter networks often restrict the type of traffic that passes from the perimeter network into the corporate intranet.
Without RPC access to Active Directory servers, the front-end server cannot authenticate clients. Therefore, features that require authentication on the front-end server (such as implicit logon and public folder tree load balancing) will not work. Public folder access is possible, but the front-end server cannot load-balance the requests because the front-end server cannot determine the identity of the user. Without the user's authentication token, the front-end server cannot perform the load balancing hashing algorithm. As a result, all anonymous requests for a public folder are routed to the same back-end server.
Note:
It is recommended that you use an advanced firewall server (such as ISA Server) rather than the front-end server in the perimeter network. For more information, see Advanced Firewall in a Perimeter Network.
Note:
IMAP and POP clients require SMTP for sending e-mail messages. If you do not allow RPC traffic across the internal firewall, you cannot run SMTP on the front-end server to support IMAP and POP clients because when RPC traffic is blocked, MSExchangeIS does not run on the front-end server. However, you can set up a separate server to perform SMTP functions for IMAP and POP clients.
If RPC ports are not allowed between the perimeter network and the corporate intranet, you must use pass-through authentication. With pass-through authentication, the front-end server passes requests to the back-end anonymously, and then the back-end server performs the authentication.
Considerations When Deploying a Front-End and Back-End Topology
When deploying a front-end and back-end topology, you must account for several factors, including expected load, hardware needs, administrative overhead, load balancing, and security. The following sections cover these factors in more detail.
Do Not Cluster Front-End Servers
Clustering the Exchange front-end servers does not offer any performance benefit. Front-end servers are stateless, so performance is much better having two separate servers sharing connections (or Network Load Balanced) rather than clustering them.
Recommended Server Configurations and Ratios
Server configuration depends on many factors, including the number of users for each back-end server, the protocols used, and the expected load on the system. The configuration of particular models of servers should be done in consultation with a hardware vendor or consultant.
Generally, one front-end server is reasonable for every four back-end servers. However, this number is provided only as a suggested ratio and starting point, not as a rule. Front-end servers do not need large or particularly fast disk storage, but should have fast CP
IP address. Each member of the NLB cluster performs a hashing algorithm to map incoming clients to one of the members of the NLB cluster based on the client IP address, port, and other information. When a packet arrives, all servers or hosts perform the same hashing algorithm, and the output is one of the hosts. That host then responds to the packet. The mapping does not change unless the number of hosts in the NLB cluster changes. The configuration of every server in the NLB cluster must be the same, otherwise clients may experience different behavior depending on which server they are routed to.
Note:
NLB has no health monitoring; if the World Wide Web Publishing Service on a front-end server is not running, for example, NLB continues to send requests to that server. You can run Microsoft Application Center 2000 on a front-end server to set up NLB and monitor the health of load-balanced servers. (However, you cannot manage Exchange resources or replicate Exchange configuration information through Application Center.) For more information about Application Center, see the Microsoft Application Center Web site.
Although it is not required, you should ensure that each user is always sent to the same front-end server for the duration of a session. This uses the Secure Sockets Layer (SSL) handshake caching and connection state information already maintained on the front-end server. Additionally, this is required for forms-based authentication, as only the front-end server that issues the cookie can decrypt it. In NLB, this is referred to as "client affinity." Many hardware solutions also have this ability.
Note:
Advanced firewall servers may affect your ability to NLB-cluster your front-end servers, particularly if they mask the incoming client IP address. For more information, see the product documentation or contact your manufacturer for more details.
Reducing Virtual Server Creation
In some circumstances, it could be important to reduce the number of virtual servers created on the back-end servers. You should not reduce the number of virtual servers unless you fully understand how HTTP virtual servers work. You can reduce virtual server creation by either of two methods.
Analyze the users and data on each back-end server to determine if users will ever be directed to that particular server. If a back-end server contains mailboxes for only adatum.com, there is no need for that back-end server to have a virtual server for contoso.com. If users from contoso.com are later added to that back-end server, however, an administrator may need to create a virtual server for contoso.com.
Similarly, you only have to create virtual directories for resources your users will require access to. On a server that has no public store, the public virtual directory is not required.
Using Firewalls in a Front-End and Back-End Topology
If your network is visible to the Internet, it is highly recommended that you use either a software or hardware firewall solution. Firewalls control traffic to the network by using such methods as port filtering, IP filtering, and, in advanced firewall solutions, application filtering. There are several options for incorporating a firewall into a front-end and back-end topology; Scenarios for Deploying a Front-End and Back-End Topology describes these options. Generally, it is recommended that you use an advanced firewall server in your topology (for more information about using an advanced firewall, see Advanced Firewall in a Perimeter Network).
Port Filtering
At a minimum, any firewall you use to help protect servers from the Internet must use port filtering. Port filtering restricts the type of network traffic that comes through the firewall by allowing access only to information sent to specific ports. For example, you may configure the firewall facing the Internet to accept only HTTPS traffic by opening TCP/IP port 443.
The following two sections describe two important concepts related to TCP/IP connections: source port versus destination port, and direction of the TCP/IP connection.
Source Port versus Destination Port
When computer A opens a TCP/IP connection to computer B, two ports are used: the source port (on computer A), and the destination port (on computer B). The network stack on the computer that initiates the connection generally selects source ports at random. Destination ports are the ports on which the specified service is listening (for example, port 443 for HTTPS). In this guide, any reference to a port used by a specific service refers to the destination port.
Direction of the TCP Connection
When you open firewall ports, most firewalls require you to specify the direction of the connection. For example, to allow a front-end server to contact back-end servers, you must open port 80 for HTTP traffic. However, back-end servers never initiate new TCP/IP connections to the front-end server; they only respond to requests that were initiated by the front-end. Therefore, on your firewall, you need only allow HTTP port 80 connections from the front-end to the back-end. In this guide, such connections are referred to as "inbound" (in other words, the connections are inbound to the corporate network).
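The two concepts just described, as an added example that is not part of this guide and uses no vendor's rule syntax: a rule names a source network, a destination network and a destination (service) port, while the random source port is never matched; a packet that is not opening a connection is accepted only if it belongs to a connection the filter already admitted, which is why back-end replies to the front-end need no rule of their own and a connection the back-end tries to open toward the front-end is dropped. The topology is constructed (front-end 198.51.100.10 in the perimeter network, back-ends in 192.0.2.0/24, addresses from the RFC 5737 documentation ranges).

```python
"""Port filter model for the source/destination port and direction concepts.

Added example, not a real firewall's syntax. Addresses and topology are
constructed from the RFC 5737 documentation ranges."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_net: str    # hosts allowed to open the connection
    dst_net: str    # hosts they may open it to
    dst_port: int   # service port; the source port is random and never matched


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    opens: bool     # True for the packet that starts a new TCP connection (SYN)


class PortFilter:
    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.connections: set[tuple[str, int, str, int]] = set()

    def _rule_permits(self, p: Packet) -> bool:
        src, dst = ip_address(p.src), ip_address(p.dst)
        return any(
            src in ip_network(r.src_net)
            and dst in ip_network(r.dst_net)
            and p.dport == r.dst_port
            for r in self.rules
        )

    def accept(self, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.opens:
            if not self._rule_permits(p):
                return False
            self.connections.add(flow)
            return True
        # Not a connection opener: allowed only as traffic on an admitted
        # connection, in either direction (this is the reply path).
        reverse = (p.dst, p.dport, p.src, p.sport)
        return flow in self.connections or reverse in self.connections


FRONT_END = "198.51.100.10"
BACK_END = "192.0.2.20"
RULES = [
    Rule("0.0.0.0/0", FRONT_END + "/32", 443),    # Internet clients -> front-end, HTTPS only
    Rule(FRONT_END + "/32", "192.0.2.0/24", 80),  # front-end -> back-ends, "inbound" to corp
]


def run_scenario() -> dict[str, bool]:
    """Decisions for a constructed sequence of packets through the two rules."""
    fw = PortFilter(RULES)
    return {
        "client_to_fe_443":      fw.accept(Packet("203.0.113.5", 51234, FRONT_END, 443, True)),
        "client_to_fe_80":       fw.accept(Packet("203.0.113.5", 51235, FRONT_END, 80, True)),
        "fe_opens_to_be_80":     fw.accept(Packet(FRONT_END, 40001, BACK_END, 80, True)),
        "be_reply_on_that_conn": fw.accept(Packet(BACK_END, 80, FRONT_END, 40001, False)),
        "be_opens_to_fe_80":     fw.accept(Packet(BACK_END, 33000, FRONT_END, 80, True)),
        "be_reply_no_conn":      fw.accept(Packet(BACK_END, 80, FRONT_END, 40002, False)),
        "internet_to_be_80":     fw.accept(Packet("203.0.113.9", 5555, BACK_END, 80, True)),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:24s} {'accept' if decision else 'drop'}")
```

The reply from the back-end on source port 80 is accepted only because the front-end opened that connection first; a packet from the back-end that is not part of an admitted connection is dropped whatever port it carries, which is the one-direction rule the guide describes.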
IP Filtering
Many firewall solutions also support IP filtering. IP filtering improves the reliability of the firewall by allowing you to restrict traffic through the firewall to specific servers. For example, in a perimeter network, you may want to configure DSAccess to use specific domain controllers and global catalog servers, and then use IP filtering to ensure that the front-end servers connect to only those domain controllers and global catalog servers.
Application Filtering
Advanced firewalls such as ISA Server can provide advanced inspection at the application protocol level. This inspection allows the firewall to perform functions such as filtering RPC interfaces and validating HTTP request syntax. Application filtering is the main reason why using an advanced firewall in your topology provides the most security.
Helping to Secure Communication: Client to Front-End Server
To help secure data transmitted between the client and the front-end server, it is highly recommended that the front-end server be SSL-enabled. Additionally, to ensure that user data is always secure, access to the front-end server without SSL should be disabled (this is an option in the SSL configuration). When using basic authentication, it is critical to protect the network traffic by using SSL to protect user passwords from network packet sniffing.
Note:
If you do not use SSL between clients and the front-end server, data transmission to your front-end server will not be secure. It is highly recommended that you configure the front-end server to require SSL.
It is recommended that you obtain an SSL certificate by purchasing a certificate from one of a number of third-party certification authorities. Purchasing a certificate from a certification authority is the preferred method because the majority of browsers already trust many of these certification authorities.
Alternately, you can use Microsoft Certificate Server to install your own certification authorities. Although installing your own certificate authority may be less expensive, browsers will not trust your certificate, and users will receive a warning message indicating that the certificate is not trusted.
For more information, see Microsoft Knowledge Base article 320291, "XCCC: Turning on SSL for Exchange 2000 Server Outlook Web Access."
Configuring SSL in a Front-End and Back-End Topology
You do not need to configure SSL on back-end servers when using a front-end server, because the front-end server does not support using SSL to communicate with back-end servers. You can configure SSL on the back-end servers for use by clients that are directly accessing them.
When HTTP is used to access data, back-end servers need to generate absolute
Accelerator cards are generally used directly on the front-end server, and they offload the encryption and decryption overhead. This increases the throughput of each connection and decreases the amount of work the software on the server must do.
External accelerator devices sit between the clients and the front-end servers. Traffic coming from the client is decrypted on the accelerator device and sent to the front-end server unencrypted. Likewise, traffic from the front-end server is sent to the accelerator device unencrypted, and then it is encrypted for transmission to the client.
The most important factor to consider when choosing what type of SSL accelerator to use is the number of front-end servers in your topology. If you have a small number of front-end servers, adding SSL accelerator cards to each of them is a simple, cost-effective way to offload SSL duties. Because the SSL decryption is done on the front-end server, there is no need for extra configuration of the "Front-End-Https: on" header for Outlook Web Access.
For a large number of front-end servers, the cost of additional accelerator cards and the administrative cost of storing and configuring SSL certificates on each server eventually ceases to be cost effective. In this case, a separate SSL accelerator device may be a more cost-effective option for your topology because it needs to be configured only once, regardless of the number of front-end servers. These devices generally cost more than an accelerator card, so weigh the options in your own topology to determine which to use. Keep in mind that for Outlook Web Access, an external SSL device must be able to notify the front-end server that SSL was used with the "Front-End-Https: on" header.
SSL Offloading
If there is a separate server between the client and the front-end server that is offloading the SSL decryption, the front-end server is unaware that the original request was created using SSL. In this case, that server must be able to pass the "Front-End-Https: on" header to the front-end server, which then passes it to the back-end server.
If your SSL offloading server does not support adding a custom header, you can install an Internet Server Application Programming Interface (ISAPI) component on the front-end server to add this header. For information, see the Microsoft Knowledge Base article 327800, "How to configure SSL Offloading for Outlook Web Access in Exchange 2000 Server and in Exchange Server 2003." Alternatively, you can configure SSL between the SSL decryption server and the front-end server. However, if you added that separate server to offload the additional traffic caused by SSL encryption and decryption, this method defeats that purpose. This method would still allow that separate server to filter the traffic.
Forms-Based Authentication
If you are using forms-based authentication with SSL offloading, you will need to configure your Exchange front-end servers to be able to handle this scenario. For detailed instructions, see How to Enable Forms-Based Authentication When
_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
3. On the Edit menu, point to New, and then click DWORD Value.
4. In the details pane, name the new value SSLOffloaded.
5. Click the SSLOffloaded DWORD value, and then click Modify.
6. In Edit DWORD Value, under Base, click Decimal.
7. In the Value data box, enter the value 1.
32
-
8/11/2019 Fontend_backend Exchage Mail
43/100
8. Click OK.
Note:
You must restart the W3SVC service for these changes to take effect.
For More Information
For more information, see:
- Considerations When Deploying a Front-End and Back-End Topology
- "How to Enable Forms-Based Authentication" in the Exchange Server 2003 Client Access Guide.
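The following is an added example, not code from the guide or from Exchange, modelling the two halves of the SSL offloading arrangement described above: the offload device that must announce "Front-End-Https: on", and the front-end server that honours the header only once the SSLOffloaded registry value is set. The names Request, offload_device_forward, frontend_scheme and owa_base_url, the host name and path, and the rule that the device discards any copy of the header a client sends are assumptions made for the example; the registry DWORD is passed in as a boolean rather than as its numeric value.

```python
"""Model of the "Front-End-Https: on" arrangement between an SSL offload
device and an Exchange front-end server. Added example; not code from the
guide or from Exchange. Assumptions (not on the page): the device strips any
copy of the header a client sends, the SSLOffloaded registry DWORD is passed
in as a bool, and the front end is reduced to a function that picks the URL
scheme for the links it hands back."""

from dataclasses import dataclass, field
from typing import Dict

HEADER = "Front-End-Https"      # header name given in the guide
# Registry value the guide's procedure creates under
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
REGISTRY_VALUE = "SSLOffloaded"


@dataclass
class Request:
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def offload_device_forward(req: Request, client_used_ssl: bool) -> Request:
    """What the SSL accelerator must do before proxying to the front end.

    The device terminates SSL, so the front end only ever sees plain HTTP and
    cannot tell whether the client's leg was encrypted. The device therefore
    adds "Front-End-Https: on" from its own knowledge, after discarding any
    copy a client sent (assumption): otherwise a plain-HTTP client could mark
    its own session as secure and receive https:// links for a session that
    is not encrypted.
    """
    forwarded = {k: v for k, v in req.headers.items() if k.lower() != HEADER.lower()}
    if client_used_ssl:
        forwarded[HEADER] = "on"
    return Request(req.host, req.path, forwarded)


def frontend_scheme(req: Request, ssl_offloaded: bool, socket_is_ssl: bool = False) -> str:
    """Scheme Outlook Web Access uses when it builds absolute URLs for the client.

    ssl_offloaded mirrors the SSLOffloaded registry value being set. Without
    it the front end trusts only its own socket, which behind an offload
    device is plain HTTP, so every link would come back as http:// even
    though the client connected over SSL; that is the situation the registry
    step exists to correct.
    """
    if socket_is_ssl:
        return "https"
    if ssl_offloaded and get_header(req.headers, HEADER).strip().lower() == "on":
        return "https"
    return "http"


def owa_base_url(req: Request, ssl_offloaded: bool, socket_is_ssl: bool = False) -> str:
    """Absolute base URL the front end would hand back to the client."""
    return f"{frontend_scheme(req, ssl_offloaded, socket_is_ssl)}://{req.host}{req.path}"
```

The point the model makes for a defender is that the header is a statement by the device, not by the client: the device must set it from its own knowledge of the client connection, and the front end should consult it only when SSLOffloaded is configured, which is why the registry step and the device configuration have to be done together.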
Securing Communication: Front-End to Other Servers
HTTP, POP, and IMAP communication between the front-end server and any server with which the front-end server communicates (such as back-end servers, domain controllers, and global catalog servers) is not encrypted. When the front-end and back-end servers are in a trusted physical or switched network, this is not a concern. However, if front-end and back-end servers are kept in separate subnets, network traffic may pass over unsecured areas of the network. The security risk increases when there is greater physical distance between the front-end and back-end servers. In this case, it is recommended that this traffic be encrypted to protect passwords and data.
IP Security (IPSec)
Windows supports IPSec, which is an Internet standard that allows a server to encrypt any IP traffic, except traffic that uses broadcast or multicast IP addresses. Generally, you use IPSec to encrypt HTTP traffic; however, you can also use IPSec to encrypt all traffic.
With IPSec you can:
- Configure two servers that are running Windows to require trusted network access.
- Exchange data that is protected from modification (using a cryptographic checksum on every packet).
- Encrypt any traffic between the two servers at the IP layer.
In a front-end and back-end topology, you can use IPSec to encrypt traffic between the front-end and back-end servers that would otherwise not be encrypted.
[3] http://go.microsoft.com/fwlink/?LinkId=47568
IPSec Protocols
The method in which data is secured using IPSec depends on which protocol is used: Authentication Header (AH) or Encapsulating Security Payload (ESP). With AH, the packets are not encrypted; AH adds a checksum to the IP packet. AH guarantees that the packet came from the expected host, was not impersonated, and was not modified in transit. AH uses IP protocol 51. ESP, which uses IP protocol 50, encrypts the entire contents of the IP packet. Both forms of IPSec provide a reliable and trusted communication channel that an attacker cannot easily insert data into or interrupt.
IPSec encryption affects the performance on both the front-end and back-end servers; the precise extent to which it affects performance, however, depends on the type of encryption used.
IPSec Policy
You should configure IPSec on the back-end servers so that they respond appropriately when they receive a request for IPSec communication. However, the back-end servers should not require that all communication from all clients be encrypted using IPSec.
Windows has three IPSec policies installed by default. Select the "Client (respond only)" policy for the back-end server. With this policy enabled on the back-end server, the front-end server can use IPSec to communicate safely with the back-end server, while other clients (including earlier versions of MAPI clients like Microsoft Office Outlook 2002) and servers can communicate with the back-end server without needing to use IPSec.
IPSec with Firewalls and Filtering Routers
When a firewall or filtering router is used between the front-end and back-end servers, the filters must allow IPSec to pass through it.
Note:
IPSec does not work if there is a Network Address Translation (NAT) server between the perimeter network and the corporate network.
When using IPSec, configure the ports as follows:
HTTP (TCP port
for the negotiation data packets. It establishes and maintains the IPSec connections, named security associations.
IP protocol 50 or 51: Allow either IP protocol 51 (AH) or IP protocol 50 (ESP), depending on the protocol you are using.
UDP port
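The following is an added example, not code from the guide, that models the filter a firewall or filtering router between the perimeter and internal networks would apply to the front-end/back-end leg: it admits the IKE negotiation and whichever IPSec protocol the pair uses, refuses plaintext HTTP, POP and IMAP that is not inside IPSec, and fails closed when a NAT device sits in the path, as the Note above states IPSec will not work through one. The addresses, the Packet and IpsecFilter names, and the use of UDP port 500 for IKE (the standard IKE port; the guide's own port number did not survive extraction) are assumptions; the IP protocol numbers are the guide's (AH = 51, ESP = 50).

```python
"""Packet-filter model for the IPSec-protected leg between a front-end server
in one subnet and a back-end server in another. Added example; not code from
the guide. Assumptions: constructed addresses, one front-end/back-end pair,
IP protocol numbers as the guide gives them (AH = 51, ESP = 50), and IKE on
UDP port 500 (standard IKE port; the guide's port number was lost)."""

from dataclasses import dataclass
from typing import List, Tuple

TCP, UDP, ESP, AH = 6, 17, 50, 51
IKE_UDP_PORT = 500                     # assumption: standard IKE port
PLAINTEXT_TCP_PORTS = {80, 110, 143}   # HTTP, POP3, IMAP4: traffic the guide says is unencrypted


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int       # IP protocol number
    dport: int = 0   # transport destination port; 0 for AH/ESP, which carry none


@dataclass
class IpsecFilter:
    frontend: str
    backend: str
    ipsec_proto: int             # the protocol the pair negotiates: AH or ESP
    nat_between: bool = False    # guide: IPSec does not work through a NAT server

    def is_pair(self, p: Packet) -> bool:
        """Only the designated front-end and back-end servers may talk across the filter."""
        return {p.src, p.dst} == {self.frontend, self.backend}

    def decide(self, p: Packet) -> Tuple[bool, str]:
        """Allow or deny one packet crossing the filter, with the reason."""
        if not self.is_pair(p):
            return False, "only the front-end/back-end pair may cross"
        if self.nat_between and (p.proto in (AH, ESP) or p.dport == IKE_UDP_PORT):
            # Fail closed: the guide states IPSec does not work with NAT in the path,
            # so do not let a negotiation start that can never complete.
            return False, "IPSec cannot be used across the NAT device"
        if p.proto == UDP and p.dport == IKE_UDP_PORT:
            return True, "IKE negotiation: establishes and maintains security associations"
        if p.proto == self.ipsec_proto:
            return True, "AH (integrity only)" if p.proto == AH else "ESP (encrypted)"
        if p.proto in (AH, ESP):
            return False, "IPSec protocol does not match the configured policy"
        if p.proto == TCP and p.dport in PLAINTEXT_TCP_PORTS:
            return False, "plaintext HTTP/POP/IMAP must travel inside IPSec"
        return False, "default deny"

    def audit(self, packets: List[Packet]) -> List[Tuple[Packet, bool, str]]:
        """Run a capture through the filter; useful for checking a rule set offline."""
        return [(p, *self.decide(p)) for p in packets]
```

Selecting ESP rather than AH in the policy is what makes the passwords and mailbox data on this leg unreadable to anyone on the intervening subnets; AH alone only guarantees origin and integrity, as the IPSec Protocols section explains.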
Scenarios for Deploying a Front-End and Back-End Topology
This topic discusses common scenarios where Exchange front-end and back-end topology is deployed. The scenarios can be broadly divided into intranet and extranet scenarios, with the intranet scenarios focused on performance and scalability and the extranet scenarios focused on security.
In each scenario, the following topics are discussed:
- Scenario: What is the scenario, and when does it apply?
- Setup instructions: How to set up the scenario, in general terms. (Specific configuration instructions are covered later in this guide.)
- Discussion: What is special about this scenario? How does it work? What additional information is required to make decisions about this scenario?
- Issues: Caveats or limitations of this scenario.
Each of the following four scenarios requires a firewall. You can use software and hardware solutions as a firewall. Port filtering is the minimum requirement for a firewall that protects the server from the Internet.
Advanced Firewall in a Perimeter Network
The following figure illustrates an advanced firewall scenario, in which an advanced firewall is put inside the perimeter network, between the Internet firewall and the internal firewall. Front-end and back-end servers are put in the same network behind the internal firewall. This is the recommended topology for the following reasons:
- It provides security by isolating intruders from the rest of the network.
- It provides application protocol filtering.
- It performs additional verification on requests before it proxies them to the internal network.
Note:
As an alternative to placing the advanced firewall server within a perimeter network behind a separate Internet firewall, the advanced firewall server itself can function as the Internet firewall.
Exchange front-end server behind an advanced firewall (figure)
Scenario
A corporation places an advanced firewall such as ISA Server between two separated firewalls. The corporation's decision to set up this advanced firewall topology is based on the following benefits:
- Advanced firewalls provide additional security to the network by protecting against unauthorized access, inspecting traffic, and alerting the network administrator to attacks.
- Advanced firewalls enable you to use such methods as port filtering and IP filtering to control traffic.
- Advanced firewalls allow you to restrict access by users and groups, application type, time of day, content type, and destination sets.
Setup Instructions
For detailed setup instructions, see How to Set
Discussion
ISA Server contains two types of rules:
- Server publishing rules: These rules, which can apply to any protocol, inspect incoming requests at the receiving port. If an incoming request is allowed, the protocol rule forwards it from the receiving port to an internal IP address.
- Web publishing rules: These rules apply to HTTP or HTTPS (80/443) requests only. You can set up Web publishing rules to filter incoming requests based on the service type, port, source computer name, and destination computer name. You can also allow only specific servers or deny high-risk servers.
If you are supporting HTTP clients, create a Web publishing rule to handle HTTP or HTTPS traffic. If you are supporting POP or IMAP clients, create server publishing rules to handle these protocols.
the request to the front-end server must match the name or IP address of the front-end server.
To configure SSL in ISA Server, use the Bridging tab in the Web publishing server rule to direct SSL traffic. If you are hosting multiple domains and want to use SSL, you must set up a listener and a different IP address for each domain. This is because the certificates must be named so that they match the destination names or IP addresses.
How to Set Up a Front-End and Back-End Topology with an Advanced Firewall in a Perimeter Network
You can create a front-end and back-end topology with an advanced firewall. The following figure illustrates the front-end and back-end scenario with an advanced firewall. In this scenario, you place the advanced firewall server inside the perimeter network and between the Internet firewall and the internal firewall. You place front-end and back-end servers in the same network behind the internal firewall.
Exchange front-end server behind an advanced firewall (figure)
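The following is an added example, not ISA Server code or code from the guide, that models how the two rule types in the Discussion above route inbound Exchange traffic: a Web publishing rule applies only to HTTP/HTTPS on 80/443, filters on source and destination names, and for HTTPS needs a listener whose certificate name matches the requested name (one listener and IP address per hosted domain, as the SSL bridging text requires); a server publishing rule forwards any other protocol from its receiving port to an internal IP address. The host names, addresses, and the Listener, WebPublishingRule, ServerPublishingRule, Inbound and route names are assumptions made for the example.

```python
"""Model of ISA Server publishing-rule selection in front of an Exchange
front end. Added example; not ISA Server code or code from the guide.
Assumptions: constructed names and addresses, and matching reduced to the
attributes the guide names (service type, port, source computer name,
destination computer name, listener certificate name)."""

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Listener:
    """One SSL listener: its own IP address and the name on its certificate."""
    ip: str
    cert_name: str
    port: int = 443


@dataclass
class WebPublishingRule:
    """Applies to HTTP or HTTPS (80/443) requests only."""
    published_names: Set[str]          # destination computer names the rule accepts
    internal_frontend: str             # name or IP address of the Exchange front end
    listeners: List[Listener] = field(default_factory=list)   # needed for SSL bridging
    denied_sources: Set[str] = field(default_factory=set)     # "deny high-risk servers"


@dataclass
class ServerPublishingRule:
    """Applies to any protocol: receiving port to internal IP address."""
    protocol: str
    port: int
    internal_ip: str


@dataclass
class Inbound:
    protocol: str       # "HTTP", "HTTPS", "POP3", "IMAP4", ...
    port: int
    source: str         # source computer name
    dest_name: str      # destination name the client asked for


def match_web_rule(rule: WebPublishingRule, req: Inbound) -> Optional[str]:
    """Return the internal front end to proxy to, or None if the rule does not apply."""
    if req.protocol not in ("HTTP", "HTTPS") or req.port not in (80, 443):
        return None
    if req.source in rule.denied_sources or req.dest_name not in rule.published_names:
        return None
    if req.protocol == "HTTPS":
        # SSL bridging: ISA terminates the client's SSL on a listener whose
        # certificate name must match the destination name, which is why the
        # guide requires a separate listener and IP address per hosted domain.
        if not any(l.cert_name == req.dest_name and l.port == req.port for l in rule.listeners):
            return None
    return rule.internal_frontend


def match_server_rule(rule: ServerPublishingRule, req: Inbound) -> Optional[str]:
    """Server publishing: forward the receiving port to an internal IP address."""
    if req.protocol == rule.protocol and req.port == rule.port:
        return rule.internal_ip
    return None


def route(web_rules: List[WebPublishingRule], server_rules: List[ServerPublishingRule],
          req: Inbound) -> Optional[str]:
    """First matching rule wins; no match means the advanced firewall drops the request."""
    for rule in web_rules:
        target = match_web_rule(rule, req)
        if target:
            return target
    for rule in server_rules:
        target = match_server_rule(rule, req)
        if target:
            return target
    return None
```

In the model, a request for a published name that has no listener of its own is dropped rather than served with a mismatched certificate, which is the behaviour the per-domain listener requirement is protecting.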
Before You Begin
Before you perform the procedure in this topic, it is important that you first read the following:
Scenarios for Deploying a Front-End and Back-End Topology
Knowledge Base article 307347, "Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header.")
Front-End Server behind a Firewall
The following figure illustrates a front-end and back-end topology where the front-end server is behind the firewall.
A simple Exchange firewall topology (figure)
Scenario
To achieve security and still provide access to Outlook Web Access, POP, or IMAP from the Internet, a corporation wants to put the Exchange system behind the corporate firewall.
Setup Instructions
For detailed setup instructions, see How to Set
Discussion
Because the whole configuration is inside the firewall, Exchange does not require any special configuration. After a request comes through the firewall to the front-end server, the front-end server returns a response without any configuration changes.
IP address filtering is highly recommended to limit requests through the firewall to only those going to the front-end server (or servers) that are running Exchange and block requests through the firewall to other servers in the organization.
How to Set Up a Front-End and Back-End Topology with a Front-End Server Behind a Firewall
You can create a front-end and back-end topology with a front-end server behind a firewall. The following figure illustrates the front-end and back-end scenario with a front-end server behind a firewall.
A simple Exchange firewall topology (figure)
Before You Begin
Before you perform the procedure in this topic, it is important that you first read the following:
Scenarios for Deploying a Front-End and Back-End Topology
Scenario
A corporation is deploying Outlook Web Access to 200,000 users. The goal is to have a single namespace (for example, https://mail) in which users can reach their mailboxes. Additionally, for performance reasons, the corporation wants to avoid having a bottleneck at the front-end server or a single point of failure, so they want to spread the load over multiple front-end servers by using Network Load Balancing (NLB). This scenario is referred to as a "Web Farm."
Note:
Although this is the only scenario that depicts NLB, you can use NLB to distribute load among front-end servers in any of the scenarios described in this guide.
Setup Instructions
For detailed setup instructions, see How to Set
you place multiple front-end servers behind a firewall.
Front-end and back-end topology in a Web farm (figure)
Before You Begin
Before you perform the procedure in this topic, it is important that you first read the following:
Scenarios for Deploying a Front-End and Back-End Topology
Exchange front-end server in a perimeter network (figure)
Scenario
In this figure, the corporation places the front-end server between two separated firewalls. The first firewall separates the front-end server from the Internet and allows requests only to that front-end server. The second firewall separates the front-end server from the internal network. The systems between the two firewalls lie in what is known as a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet). A perimeter network configuration provides more security because if the front-end server is compromised, there is still another barrier between the intruder and the rest of the network.
Note:
Placing front-end servers inside the perimeter network is one approach to deploying front-end and back-end topology within a perimeter network. However, the recommended approach is depicted in the first scenario, Advanced Firewall in a Perimeter Network. This approach involves placing the front-end and back-end servers inside the intranet and placing an advanced firewall (such as ISA Server) in the perimeter network. The advanced firewall can provide application protocol filtering and perform additional authentication on requests before it proxies them to the internal network.
Setup Instructions
For detailed setup instructions, see How to Set
How to Set Up a Front-End and Back-End Topology with a Front-End Server in a Perimeter Network
You can create a front-end and back-end topology with a front-end server in a perimeter network. The following figure illustrates the front-end and back-end scenario with a front-end server in a perimeter network. In this scenario, you place the front-end server between the Internet firewall and the internal firewall.
Exchange front-end server in a perimeter network (figure)
Before You Begin
Before you perform the procedure in this topic, it is important that you first read the following:
Scenarios for Deploying a Front-End and Back-End Topology
to only the ports required and to only the designated front-end server.
2. Configure the inner (intranet) firewall to have certain ports open to support authentication, DNS, and Active Directory access. The exact list depends on the balance of security and features that each corporation chooses.
For More Information
For information about how to configure Internet and intranet firewalls, see Configuring Firewalls.
Configuring Exchange Front-End Servers
A front-end server is an ordinary Exchange server until it is configured as a front-end server.
A front-end server must not host any users or public folders.
A front-end server must be a member of the same Exchange organization as the back-end servers (therefore, a member of the same Windows forest).
For detailed instructions about how to designate an Exchange server as a front-end server, see How to Designate a Front-End Server.
How to Designate a Front-End Server
A front-end server is an Exchange server that accepts requests from clients and proxies them to the appropriate back-end server for processing.
Before You Begin
To successfully complete the procedures in this topic, confirm the following:
- The server that you will designate as a front-end server is a member of the same Microsoft Windows forest as the back-end servers.
- The server that you will designate as a front-end server is a member of the same Exchange organization as the back-end servers.
Procedure
To designate a front-end server
1. Install the server that will be running Exchange Server in the organization.
Note:
With Exchange 2000 Server, only Enterprise Edition servers can be configured as front-end servers. In Exchange Server 2003, both Standard Edition and Enterprise Edition can be configured as front-end servers.
2.
Creating HTTP Virtual Servers
You must use Exchange System Manager, not Internet Services Manager, when you create virtual servers. When you create virtual servers in Exchange System Manager, you do not need to simplify the
If the virtual server points to a public folder, select the appropriate public folder to act as the root public folder for this virtual server.
3. Click Advanced, and then add host headers that define all the names a client might use to contact this front-end server.
Note:
If a front-end server is used internally and externally, it is recommended that you list both a hostname and a fully qualified domain name.
Configuring Authentication
It is highly recommended that you use dual authentication, in which both front-end and back-end servers are configured to authenticate users. By default, front-end servers are c