Monday, April 02, 2007

Using a Front-end / Back-end to secure Microsoft Exchange 2003

One of the best practices often talked about is the "Front-end / Back-end" topology, whereby the front-end server sits outside the main network in a perimeter segment, separated from it by one firewall (known as the "internal firewall") and protected from the Internet by a separate firewall (the "external firewall"). The back-end server, which holds the mailboxes, remains within the confines of the internal network.

This configuration keeps the external firewall down to a handful of ports, while the larger set of ports that Exchange needs is opened only on the internal firewall, between the front-end server and the internal network. The data and log files that Exchange needs are kept behind two firewalls, with no direct access from the Internet. The front-end server responds to all SMTP requests from the Internet and then forwards the mail on to the back-end servers for delivery to users' mailboxes; it also proxies Outlook Web Access requests to the back-end server that holds the user's mailbox.

While this method may be a "Best Practice", it requires at least twice as much hardware and software. You now need at least two servers, two firewalls, and two copies each of Windows Server 2003 and Exchange Server 2003. To let this setup withstand even more abuse you should also cluster the Exchange back-end server, which requires Windows Server 2003 Enterprise Edition and Exchange Server 2003 Enterprise Edition on the two back-end servers.

A heavily suggested setup is to have the front-end server running Outlook Web Access (OWA) with an SSL certificate from a widely known Certificate Authority, so that client traffic is encrypted over the public Internet. This requires TCP port 443 (for default installs). Also, since the whole reason to have Microsoft Exchange is to send and receive email with other organizations via the Internet, you will need SMTP running over TCP port 25 with Anonymous Access allowed on the front-end's SMTP virtual server (anonymous access is what lets other organizations' mail servers deliver to you; it does not mean relaying should be open, so keep relay restricted to your own domains). These would then be the only two ports open on the public/external firewall. On the internal firewall you would need to open TCP port 80 so the front-end can proxy OWA to the back-end servers (an Exchange 2003 front-end talks plain HTTP to the back-end, which is one reason to wrap this traffic in IPsec), TCP port 25 so the front-end can forward SMTP mail to the back-end, TCP/UDP port 389 for LDAP (Lightweight Directory Access Protocol) to the domain controllers, TCP port 3268 for LDAP to the Global Catalog, and TCP/UDP port 88 for Kerberos. All of this runs within the confines of IPsec, which needs IP protocol 51 for the Authentication Header (AH), IP protocol 50 for the Encapsulating Security Payload (ESP), and UDP port 500 for the IKE key exchange.
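The port list above is only useful if the two firewalls actually match it, so here is a small audit script that turns it into a baseline and checks a ruleset export against it. This is an added example and not code from the original post; the one-line rule format it parses, the host names (fe-owa, be-mbx, dc1) and the two sample rulesets are all constructed for the example, and the samples deliberately contain one mistake each (a stray HTTP rule on the external firewall, a missing SMTP rule on the internal one) to show what the audit reports.

```python
"""Audit the external and internal firewall rulesets of an Exchange 2003
front-end / back-end deployment against the ports the topology needs.

Added example, not part of the original post.  The 'allow proto/port from X
to Y' rule format, the host names and the sample rules are assumptions made
for this example; feed it an export from your own firewall instead.
"""

# (protocol, port) pairs each firewall must allow.  None stands for an
# IP-level protocol that carries no port (AH is IP 51, ESP is IP 50).
EXTERNAL_REQUIRED = frozenset({
    ("tcp", 443),                  # OWA over SSL from the Internet
    ("tcp", 25),                   # inbound SMTP from other organisations
})
INTERNAL_REQUIRED = frozenset({
    ("tcp", 80),                   # OWA proxied front-end -> back-end (plain HTTP)
    ("tcp", 25),                   # SMTP forwarded front-end -> back-end
    ("tcp", 389), ("udp", 389),    # LDAP to domain controllers
    ("tcp", 3268),                 # LDAP to the Global Catalog
    ("tcp", 88), ("udp", 88),      # Kerberos
    ("udp", 500),                  # IKE key exchange
    ("ah", None), ("esp", None),   # IPsec AH / ESP
})

# Services that must never be reachable directly from the Internet.
NEVER_EXTERNAL = {
    ("tcp", 80):   "OWA without SSL (credentials cross the Internet in clear)",
    ("tcp", 389):  "LDAP exposed to the Internet",
    ("tcp", 3268): "Global Catalog exposed to the Internet",
    ("tcp", 88):   "Kerberos exposed to the Internet",
}


def parse_rule(line):
    """Parse one constructed rule line such as
       'allow tcp/443 from any to fe-owa' or 'allow esp from fe-owa to dc1'.
       Returns (proto, port, src, dst); port is None for AH/ESP."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "allow" or parts[2] != "from" or parts[4] != "to":
        raise ValueError(f"unrecognised rule: {line!r}")
    proto, _, port = parts[1].lower().partition("/")
    if proto in ("ah", "esp"):
        if port:
            raise ValueError(f"{proto} carries no port: {line!r}")
        return proto, None, parts[3], parts[5]
    if proto not in ("tcp", "udp") or not port.isdigit():
        raise ValueError(f"bad protocol/port: {line!r}")
    return proto, int(port), parts[3], parts[5]


def audit(rule_lines, required, forbidden=None):
    """Compare a ruleset with the baseline.  Returns (missing, extra, findings):
       missing  = required services the ruleset does not allow,
       extra    = allowed services the topology does not need,
       findings = warnings for forbidden services that are allowed."""
    allowed = {(proto, port) for proto, port, _, _ in map(parse_rule, rule_lines)}
    missing = required - allowed
    extra = allowed - required
    findings = [f"{proto}/{port}: {why}"
                for (proto, port), why in (forbidden or {}).items()
                if (proto, port) in allowed]
    return missing, extra, findings


# Constructed sample: the external firewall also carries a stray HTTP rule.
EXTERNAL_RULES = [
    "allow tcp/443 from any to fe-owa",
    "allow tcp/25 from any to fe-owa",
    "allow tcp/80 from any to fe-owa",      # mistake: OWA reachable without SSL
]

# Constructed sample: the internal firewall forgot SMTP to the back-end.
INTERNAL_RULES = [
    "allow tcp/80 from fe-owa to be-mbx",
    "allow tcp/389 from fe-owa to dc1",
    "allow udp/389 from fe-owa to dc1",
    "allow tcp/3268 from fe-owa to dc1",
    "allow tcp/88 from fe-owa to dc1",
    "allow udp/88 from fe-owa to dc1",
    "allow udp/500 from fe-owa to dc1",
    "allow ah from fe-owa to dc1",
    "allow esp from fe-owa to dc1",
]


def audit_external():
    return audit(EXTERNAL_RULES, EXTERNAL_REQUIRED, NEVER_EXTERNAL)


def audit_internal():
    return audit(INTERNAL_RULES, INTERNAL_REQUIRED)


if __name__ == "__main__":
    for name, (missing, extra, findings) in (("external", audit_external()),
                                             ("internal", audit_internal())):
        print(f"{name}: missing={sorted(missing, key=str)} extra={sorted(extra, key=str)}")
        for finding in findings:
            print("  WARNING", finding)
```

Run against the samples, the external audit reports tcp/80 as both an extra rule and an OWA-without-SSL finding, and the internal audit reports tcp/25 as missing, which is exactly the kind of gap that would silently break mail forwarding to the back-end once the front-end is cut off from the LAN.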
