With Microsoft Exchange Server 2007 comes a new security model to publish your servers to the Internet: Microsoft Exchange Server 2007 boxes configured with the Edge Transport Server Role. This new model replaces the current Front-End / Back-end model.
Front-ends and Back-ends (2000-2003)
In the last year two of my projectteams implemented Microsoft Exchange Server 2003 Front-end / Back-end configurations. In the Front-end / Back-end configuration, available in both Microsoft Exchange 2000 Server and Microsoft Exchange Server 2003 the basic principal is to divide server roles. The distinction is made between a front-end server that accepts requests from clients and then proxies them to an appropriate server for processing, making this effectively a Back-end server.
According to the documentation a Front-end / Back-end scenario comes to play when you experience or foresee experiencing performance, scalability or security issues with Microsoft Exchange:
From a performance point of view you can deploy Front-end servers to lift the burden of SSL securing your Outlook Web Access (OWA) and Outlook Mobile Access (OMA), POP3 and IMAP from your Back-end server. Blocking Unsolicited Bulk E-mail (UBE or Spam) at the Front-End might speed up your Back-end to Outlook clients connected to the Back-end server.
From a scalability point of view you can use the configuration to make a neat Network Load Balanced (NLB) cluster of Front-end servers. Don’t use Clustering Services though to scale your Front-end servers, it won’t work.
Despite the performance and scalability improvements you can gain from implementing a Front-end / Back-end configuration you can not use it by itself in any security scenario. Encrypting traffic with IPSec, Using the Security Configuration Wizard in Windows Server 2003 SP1 and even pinning down RPC ports will get you far, but in my opinion not far enough.
In my opinion the security design flaw in the current Front-end / Back-end configuration is you actually install a full fledged Exchange Server, which you afterwards strip of its databases and configure to relay everything to the back-end Exchange Server. It stays an Exchange Server however, which needs access to the Active Directory, DNS and other Exchange Servers. If you implement your Front-end server inside a DMZ you’ll be required to open up a whole lot of UDP and TCP ports, eventually rendering your DMZ pretty useless if the box gets compromised.
“Real” Server Roles (2007)
Exchange Server 2007 introduces real server roles. As you might have read in my previous posts and other resources Exchange Server 2007 offers the following roles:
- Edge Transport Server Role
- Client Access Server Role
- Hub Transport Server Role
- Mailbox Server Role
- Unified Messaging (UM) Server Role
The Edge Transport Role
The Edge Transport Role is the replacement for a Front-end server in the scalability and security scenarios. With two big distinctions:
- It’s safe because of the Active Directory and the Active Directory Application Mode. (now really, didn’t you see that one coming?)
- It only does message hygiene and routing (no Client access stuff)
You can’t install the Edge Transport Server Role on a server with other Exchange Server roles and selecting the Edge Transport Server Role will make it an isolated host, with limited communications and collaboration possibilities. This means it has a minimal attack surface by default. (but you can secure it further)
Of course every Exchange Server needs access to the Active Directory. A Microsoft Exchange Server 2007 box configured with the Edge Transport Server Role is no different, but it uses a new way to communicate with the Active Directory: It utilizes Active Directory Application Mode (ADAM) to get information from the Active Directory through Edge subscriptions.
Edge Subscriptions get Active Directory information from the Hub Transport Server (on your internal network) to the Active Directory Application Mode (ADAM) database on the Edge Transport Server (in your DMZ). The component responsible for the information is the Microsoft Exchange EdgeSync service on the Hub Transport Server in the same Active Directory Site as the Edge Transport Server.
Both ends of the Edge Subscription encrypt the information based on an account in the ADAM database on the Edge Transport server. The direction of the Edge Subscription is one-way from Active Directory to Active Directory Application Mode (ADAM) and only the information that is necessary for message routing and message hygiene is being transferred:
- Accepted domains
- Recipients (Hashed)
- Safe Senders Lists (Hashed)
- Send Connectors
- Hub Transport server list (for dynamic connector generation)
The Client Access Role
Since the Edge Transport Server Role is a transport role for messages you can’t benefit from it to provide your colleagues with Outlook Web Access, Outlook Mobile Access, Outlook Voice Access, Outlook Everywhere or one of the other nifty “road warrior” features Exchange 2007 provides to more easily work together. In this scenario you need a Microsoft Exchange Server 2007 box with the Client Access Server Role applied to it. Although enhancements were made to Client Access Servers security the face-off between security and functionality remains. The only real way to secure it: Use Microsoft Internet Security and Acceleration (ISA) Server.
You can’t go wrong if you shield your dong
Front-end / Back-end and separate Client Access Servers in a DMZ are not very wise choices. Unless you secure these servers with Microsoft Internet Security and Acceleration (ISA) Server. Publishing the Client Access Servers (in Exchange 2007) or the Front-End server (in Exchange 2003) from within Microsoft ISA Server is your best choice if your users really need access to their mailbox wherever they are. Check the ISA Server website for the features that protect your servers.
The Edge Transport Role is an Exchange Server 2007 Role that can help you secure and scale your Internet mail flow. I find it a good replacement for a Front-end server equipped with message routing and message hygiene tasks.
Microsoft Internet Security and Acceleration (ISA) Server adds the security you need to secure your Client Access Roles and Microsoft Exchange 2003 Front-end servers.
You can’t place the Client Access Server Role and the Edge Transport Role on one server and you can’t place Exchange 2007 Server Roles on the same server as Microsoft Internet Security and Acceleration (ISA) Server 2006. If you want to do it right, you’ll need at least three servers.
Microsoft Exchange Server 2007 Home
Microsoft ISA Server 2006 Home
Front-End and Back-End Server Topology Guide for Exchange 200x
Windows Clustering is not supported on front-end servers
Planning for Edge Transport Servers
Securing Exchange 2007 Edge Transport Servers
Introduction to the Exchange 2007 Edge Transport server role
Preparing to Run the Microsoft Exchange EdgeSync Service
Exchange 2007 Edge Server Role
Exchange 2007 Edge and ISA 2006 on the same box???
Front-end Back-end Exchange / ISA Server Trihomed DMZ
Publishing Exchange 2007 OWA with ISA Server 2006
Edge Transport Server port requirements
Microsoft Exchange Server 2007 Transport Server Role Architecture Diagrams
Disclaimer Beta Software
The information on this webpage applies to software from Microsoft that was in testing phase but utilizable by experienced users by the time the webpage was written. This software has not been released for sale, distribution or usage for the general public. The information on this webpage and the beta software are provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.