Introduction
When using Exchange Server 2003 in a front-end/back-end (FE/BE) setup you have to make some important decisions as regards to Outlook Web Access (OWA) user authentication. One is whether or not you’re going to make use of forms-based authentication. As many of you already know forms-based authentication (cookie authentication) provides several benefits, such as an OWA logon page where you can select between using a Private or Public computer (each having their own cookie timeout), as well as whether you want to use the premium (rich) or basic (reach) OWA version (see Figure 1 below).
Figure 1: Exchange 2003 Forms-based Authentication
If you choose not to use forms-based authentication you can still have the FE server authenticate the OWA users (dual authentication), instead of forwarding the authentication requests to the BE servers (pass-through authentication) in the organization.
Figure 2: Dual Authentication in an FE/BE Setup
No matter which method you choose the BE servers will always be involved in authenticating the users. Microsoft recommends you use dual authentication meaning that both the FE and BE servers authenticate the users. And this makes sense since users this way won’t be allowed access to the BE servers, unless they already have authenticated themselves to a FE server. If you choose to implement dual authentication you must enable basic authentication both on the FE and BE servers, but only if the FE server is located on the perimeter network (aka DMZ, demilitarized zone or screened subnet). If they are located on your internal network this isn’t necessary.
Note:
If you don’t use dual authentication, implicit logons will not work. This means that any user will need to specify the full URL including their user name to log on to their mailbox. Explicit logons will work no matter which type of authentication method is chosen. Another disadvantage of using pass-through authentication is that public folder requests cannot be load-balanced.
If the front-end server is located on a perimeter network and you don’t allow RPC traffic from your perimeter network to travel through your intranet firewall, you are forced to forward the authentication requests directly to your BE servers (pass-through authentication). Needless to say you should only use pass-through authentication if you don’t have the choice of using dual authentication. As it’s considered more secure to allow RPC traffic through your intranet firewall then it is to allow anonymous requests to go directly to the BE servers, you should – if your security policy doesn’t allow RPC through the intranet firewall from the perimeter network – re-evaluate them.
Figure 3: Pass-Through Authentication in an FE/BE Setup
Note:
It’s not recommended to place your FE Servers on a perimeter network; you should instead place any it on the internal network, and if possible publish the required Exchange services trough an ISA Server located on the perimeter network. In the past, it was popular to place the FE server on the perimeter network, and then open all required ports in the intranet firewall. Since the FE server needed to be able to communicate with both the Exchange BE servers as well as Global Catalog servers on the internal network, quite a few ports needed to be allowed through. I know an alternative is to configure IPSec, but this solution is a bit complex. Even though you may not have an ISA Server in your organization, you still should place the FE server on the internal network, and then open the required ports on the intranet firewall.
Another important thing worth noting is that client authentication by FE servers only supports the Basic authentication method. This is also true between FE and BE servers. It’s, therefore, absolutely mandatory to use SSL encryption between the clients and the FE server. If not, anybody with a sniffer utility attached to your Internet firewall could sit and watch the content of your inbound/outbound e-mail messages sent via the OWA client. The intruder could also see any usernames and password sent between the client and the FE server.
Configuring Dual Authentication
In order to use Dual authentication, you will need to enable Basic authentication on the FE server. The below, step by step instructions, will show you how to enable this authentication method.
- Open the Exchange System Manager
- Drill down to Servers | Server | Protocols | HTTP | Exchange Virtual Server
- Right-click the Exchange virtual folder, then choose Properties
- Click the Access tab, then Authentication
- Enable Basic authentication (password is sent in clear text)
Figure 4: Authentication Settings of Exchange Virtual Folder
- Click OK twice and close the Exchange System Manager
As you can see in Figure 3, it’s possible to specify a default domain. It’s recommended you type in your Default domain in this field as this will let your user’s logon to OWA without specifying the domain name as part of their username (domain\username). You could also let your user’s login with their User Principal Name (UPN) instead, if you want to do so, you need to type a backslash “\” in the Default domain field. When UPN login has been configured users will be able to login by typing [email protected] in the username field.
Note:
When using UPN logins users can still login using the format domain\username.
If you choose to enable forms-based authentication, UPN logins will be enabled automatically.
Configuring Pass-Through Authentication
To configure an FE server to forward the authentication requests directly to your BE servers, also known as (Pass-through authentication), you would need to do the following:
- Open the Exchange System Manager
- Drill down to Servers | Server | Protocols | HTTP | Exchange Virtual Server
- Right-click the Exchange virtual folder, then choose Properties
- Click the Access tab, then Authentication (see Figure 4)
Figure 5: Configuring an Exchange 2003 Front-End to use Pass-through Authentication
- Enable Anonymous access, and then remove the check mark in Basic authentication (password is sent in clear text)
- Click OK twice and close the Exchange System Manager
Summary
In this article, I explained which authentication method is recommended in an FE/BE setup, where forms-based authentication hasn’t been configured, and where you don’t make use of ISA Server. I also showed you, step by step, how you configure each authentication method. Although you get some additional security by using dual authentication in an FE/BE setup, I highly recommend you think about investing in an ISA Server instead, as using an ISA Server is the optimal way of protecting your Exchange environment. Among many other things an ISA server provides application layer filtering, as well as gives you the possibility of pre-authenticating your OWA users (using forms-based authentication very similar to the Exchange forms-based authentication method) while keeping Single Sign-On (SSO) intact. Actually you can eliminate the Exchange FE server completely by introducing an ISA Server, as you can publish the Exchange back-end servers directly.
