
OWA Front End Server Issues

Status
Not open for further replies.

thelke

MIS
Apr 9, 2002
Here is my topology

Firewall
Web Server W/ Front End Exchange 2003 Enterprise and OWA
Back end Exchange 2003 Enterprise w/ the mailboxes

The firewall NATs all web traffic to the web server. When someone goes to log into OWA, it wants to redirect the user to the backend server, but I do not allow that to be live on the web through the firewall. Is there a way for the front end to pass traffic back, and the back end to do the opposite?

Did this make sense?

Thanks,

Tad
 
Is your front-end server in a DMZ? If so, you'll have to open up some ports between the DMZ system and your back-end Exchange server. Unfortunately no way around it, but at least in this situation, your back-end server isn't directly open to the Internet. For a little added security, you can set up an IPSec policy to encrypt all the HTTP traffic between your front-end and back-end too.

If your situation is like this, let me know and I'll post a bunch of good links to help you get up and running.

-S-
 
Silmeron, I'd like to see those links for setting up OWA in a DMZ. Do you consider OWA on 2003 a good remote access tool vs the hassle of a vpn?
 
Your front end needs to talk to the backend, as well as the GC, on the following ports:

53 TCP & UDP DNS
80 TCP HTTP
88 TCP & UDP Kerberos
123 UDP NTP
135 TCP Endpoint Mapper
389 TCP & UDP LDAP
445 TCP SMB direct hosting
3268 TCP LDAP for GC
1024 - 1026 TCP DS port

You can set DS for a specific port with the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Value Name: TCP/IP Port
Data Type: REG_DWORD
Radix: Decimal
Value: greater than 1024
Alternately, you could use IPSEC between the frontend and backend.
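An added example (not from any poster in this thread) that turns the port list above into a small firewall-rule audit: it lists the flows a DMZ front-end must be able to open to the back-end / GC, then checks a candidate ruleset for flows that are missing and for rules that are wider than the list (the "any"/all-ports shortcut). It also models the registry tip: once the NTDS "TCP/IP Port" value is pinned, only that single port is needed instead of the 1024-1026 range. Zone names and both sample rulesets are constructed placeholders.

```python
from dataclasses import dataclass

# Flows the front-end must be able to open to the back-end / Global Catalog,
# taken from the port list posted above: (protocol, port, purpose).
REQUIRED_FLOWS = [
    ("tcp", 53, "DNS"), ("udp", 53, "DNS"),
    ("tcp", 80, "HTTP to back-end"),
    ("tcp", 88, "Kerberos"), ("udp", 88, "Kerberos"),
    ("udp", 123, "NTP"),
    ("tcp", 135, "RPC endpoint mapper"),
    ("tcp", 389, "LDAP"), ("udp", 389, "LDAP"),
    ("tcp", 445, "SMB direct hosting"),
    ("tcp", 3268, "LDAP to Global Catalog"),
]
ANY_PORT = (1, 65535)


def required_flows(ds_port=None):
    """Flows to allow. With ds_port=None the DS range 1024-1026 from the post
    is needed; with the NTDS 'TCP/IP Port' value pinned, only that one port
    is needed (the post says the value must be greater than 1024)."""
    flows = list(REQUIRED_FLOWS)
    if ds_port is None:
        flows += [("tcp", p, "DS port (unpinned)") for p in range(1024, 1027)]
    else:
        if not 1024 < ds_port <= 65535:
            raise ValueError("DS port must be greater than 1024")
        flows.append(("tcp", ds_port, "DS port (pinned)"))
    return flows


@dataclass(frozen=True)
class Rule:
    """One allow rule: source zone, destination zone, protocol, port range."""
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high)

    def permits(self, src, dst, proto, port):
        return (self.src == src and self.dst == dst
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1])

    def is_broad(self):
        # "any" protocol or a full port range is wider than the posted list.
        return self.proto == "any" or self.ports == ANY_PORT


def audit(rules, src="dmz-frontend", dst="lan-backend", ds_port=None):
    """Return (missing, broad): required flows no rule permits, and rules
    that allow more than the required list."""
    missing = [f for f in required_flows(ds_port)
               if not any(r.permits(src, dst, f[0], f[1]) for r in rules)]
    broad = [r for r in rules if r.is_broad()]
    return missing, broad


# Constructed sample rulesets; zone names are placeholders.
TIGHT_RULES = [
    Rule("dmz-frontend", "lan-backend", "tcp", (53, 53)),
    Rule("dmz-frontend", "lan-backend", "udp", (53, 53)),
    Rule("dmz-frontend", "lan-backend", "tcp", (80, 80)),
    Rule("dmz-frontend", "lan-backend", "tcp", (88, 88)),   # UDP 88 forgotten
    Rule("dmz-frontend", "lan-backend", "udp", (123, 123)),
    Rule("dmz-frontend", "lan-backend", "tcp", (135, 135)),
    Rule("dmz-frontend", "lan-backend", "tcp", (389, 389)),
    Rule("dmz-frontend", "lan-backend", "udp", (389, 389)),
    Rule("dmz-frontend", "lan-backend", "tcp", (445, 445)),
    Rule("dmz-frontend", "lan-backend", "tcp", (3268, 3268)),
    Rule("dmz-frontend", "lan-backend", "tcp", (1500, 1500)),  # pinned DS port
]
LAZY_RULES = [Rule("dmz-frontend", "lan-backend", "any", ANY_PORT)]

if __name__ == "__main__":
    missing, broad = audit(TIGHT_RULES, ds_port=1500)
    print("tight ruleset, DS pinned to 1500: missing", [f[:2] for f in missing])
    missing, broad = audit(LAZY_RULES)
    print("lazy ruleset: missing", missing, "over-broad rules", len(broad))
```

Run it against your own ruleset with the DS port you pinned in the registry; the useful output is the "missing" list (what will break on the front-end) and the "broad" list (what a tight DMZ should not need).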

 
I love having our employees use OWA instead of VPN. For them, it looks and feels much like their Outlook 2003 in the office, and for me it removes the support of teaching people how to properly configure their machines to log in through VPN (e.g. making sure they have a good firewall and are anal about updating their virus defs, among other things...). I would highly recommend it - just make sure to get yourself an SSL certificate so you can protect your users' logon credentials.

I used FreeSSL since it's nice and cheap and is trusted by Internet Explorer, so no weird certificate dialog box, and I don't need the insurance protection of the bigger (and thus more expensive) SSL certs. They're all the same tech.

To get started, you'll need to have *two* copies of Exchange 2003 for this to be legal. With EX2003, you can buy Standard editions for both. There might be a way to just install OWA on a DMZ server legally, but at the moment I'm not aware of it.

First install your backend server and get everything working happily. Then set up your front-end server inside your network. It'll make getting everything up much easier; once everything is properly configured, you can then move it to the DMZ and start your hack tests to make sure all the traffic goes (and not goes) where it's supposed to.

I found a great deal of information about this from the folks at MSExchange.org and on the Microsoft newsgroups for Exchange. Doing searches on Google Groups is invaluable. Here are some helpful links:

First, get yourself on Microsoft's free TechNet update service so you know when critical updates for Exchange are available:

Go and Read the Tutorials at MSExchange.org


Setting up your Front-End Server


Installing your SSL Certificate


Eventid.net - Great spot to troubleshoot Event errors:


Lastly if you want to secure internal traffic between your front-end and back-end server, use IPSec. This is for EX2000, but is still relevant here.

Good luck!
 
Thank you, those VPN troubles are exactly what I'm dealing with. The advantage of OWA obviously is that you can link it to a web site or extranet, but what about RPC over HTTP? I'm nervous about jumping on that MS bandwagon after all the recent exploits of RPC in Windows systems.
 