I am currently running a Front-end / Back-end scenario in a DMZ and have been for two years. It has worked well… but it has been compromised, so it is not foolproof, although that was down to other circumstances. The Front-end / Back-end configuration is available in both Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003, and the basic principle is to divide server roles: a front-end server accepts requests from clients and proxies them to the appropriate server for processing, which makes that server effectively the Back-end server.
According to the Microsoft documentation, a Front-end / Back-end scenario comes into play when you experience, or foresee experiencing, performance, scalability or security issues with Microsoft Exchange:
From a performance point of view you can deploy Front-end servers to lift the burden of SSL for Outlook Web Access (OWA), Outlook Mobile Access (OMA), POP3 and IMAP from your Back-end server. Blocking Unsolicited Bulk E-mail (UBE, or spam) at the Front-end might also speed up your Back-end for the Outlook clients connected directly to it.
From a scalability point of view you can use the configuration to build a neat Network Load Balanced (NLB) cluster of Front-end servers. Don't use Clustering Services to scale your Front-end servers, though; it won't work.
Despite the performance and scalability improvements you can gain from implementing a Front-end / Back-end configuration, you cannot rely on it by itself in any security scenario. Encrypting traffic with IPSec, using the Security Configuration Wizard in Windows Server 2003 SP1 and even pinning down the RPC ports will get you far, but in my opinion not far enough.
In my opinion the security design flaw in the current Front-end / Back-end configuration is that you actually install a fully fledged Exchange Server, which you afterwards strip of its databases and configure to relay everything to the Back-end Exchange Server. It remains an Exchange Server, however, which needs access to Active Directory, DNS and the other Exchange Servers. If you place your Front-end server inside a DMZ you'll be required to open up a whole lot of UDP and TCP ports, effectively rendering your DMZ pretty useless if the box gets compromised.
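To make that exposure visible, here is an added example (not code from the original post) that audits a constructed set of DMZ-to-internal firewall rules for a front-end server and reports which directory services it can reach and which rules are wide enough to defeat the DMZ; the rule format, the addresses and the port-to-service table are assumptions, the latter based on standard port assignments rather than anything site-specific.

```python
import re

# Assumed standard port assignments for what an Exchange 2000/2003 front-end
# needs to reach (not taken from the post); pinned RPC ports vary per site.
SERVICE_PORTS = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 389): "LDAP", ("tcp", 389): "LDAP",
    ("tcp", 3268): "Global Catalog",
    ("tcp", 445): "SMB",
}
BROAD_RANGE = 100  # a DMZ->LAN rule wider than this offers little isolation

# Constructed rule syntax: "allow tcp <src> -> <dst> ports <lo>[-<hi>]"
RULE_RE = re.compile(r"allow (tcp|udp) (\S+) -> (\S+) ports (\d+)(?:-(\d+))?")

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    proto, src, dst, lo, hi = m.groups()
    return proto, src, dst, int(lo), int(hi or lo)

def audit(rules):
    """Return (sorted reachable service names, list of overly broad rules)."""
    services, broad = set(), []
    for line in rules:
        proto, src, dst, lo, hi = parse_rule(line)
        for (p, port), name in SERVICE_PORTS.items():
            if p == proto and lo <= port <= hi:
                services.add(name)
        if hi - lo + 1 > BROAD_RANGE:
            broad.append(line.strip())
    return sorted(services), broad

# Constructed ruleset: front-end at 10.1.1.10 reaching a domain controller at 10.0.0.5
CONSTRUCTED_RULES = [
    "allow udp 10.1.1.10 -> 10.0.0.5 ports 53",
    "allow tcp 10.1.1.10 -> 10.0.0.5 ports 88",
    "allow tcp 10.1.1.10 -> 10.0.0.5 ports 135",
    "allow tcp 10.1.1.10 -> 10.0.0.5 ports 389",
    "allow tcp 10.1.1.10 -> 10.0.0.5 ports 3268",
    "allow tcp 10.1.1.10 -> 10.0.0.5 ports 1024-65535",  # RPC not pinned
]

if __name__ == "__main__":
    services, broad = audit(CONSTRUCTED_RULES)
    print("reachable from the DMZ:", ", ".join(services))
    for rule in broad:
        print("broad rule, DMZ offers little isolation:", rule)
```

Pinning the RPC ports turns the last rule into a handful of single-port entries, which is exactly the improvement the post says gets you far but not far enough.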
Yes, I'm knocking it, and yes, it works. In my next post I'll look at the new flavours in Exchange Server 2007.