A lot of companies are still running an Exchange Server 2003 environment that was deployed some years ago, following design recommendations that were appropriate only at that time. This means that many of them are running an Exchange Server 2003 front-end server placed directly in the DMZ.
If these companies plan to migrate to Exchange Server 2007, they need to decide whether to keep the front-end server where it is, replace it with a new machine running Exchange Server 2007, or rethink the design of the solution completely. This article discusses the pros and cons of each migration path and which solution is the better fit for future requirements.
Two possible solutions
In general, there are two different types of solution possible for the front-end design when moving to Exchange Server 2007:
- Replace the existing Exchange 2003 front-end server with a server running the Exchange Server 2007 Client Access server (CAS) role.
- Replace the existing Exchange 2003 front-end server with a reverse proxy server such as ISA Server 2006, and keep all Exchange servers in the LAN.
Both types are discussed in this article.
Replacing the existing Server with Exchange Server 2007 CAS
The easiest way to migrate the existing Exchange Server 2003 front-end to Exchange Server 2007 is to install a new server with a 64-bit Windows Server operating system and then install the Exchange Server 2007 Client Access server role on it. Once the Client Access server has taken over the published names and URLs, all functionality has moved from the old server to the new one and you can decommission the Exchange Server 2003 front-end.
This means that you do not change the design itself; you merely replace the server with a new one that provides the same features and functionality. Nor does it change the security settings or firewall configuration much, because the ports a Client Access server needs towards the LAN are essentially the same as those an Exchange Server 2003 front-end needed. Be aware, however, that Microsoft does not support the Client Access server role in a perimeter network: a domain-joined Exchange server in the DMZ with that many ports opened to the LAN is a design Exchange Server 2003 tolerated, not one Exchange Server 2007 was built for.
The ports required for communication between the Client Access server and the internal servers are listed in one of my older articles.
So this solution is straightforward and can be deployed smoothly without interrupting users.
Replacing the existing Server with a reverse Proxy Server
The second way to migrate is to rethink the existing solution completely. With Exchange Server 2007 you no longer need a front-end server in the DMZ: you need only a reverse proxy server (such as ISA Server 2006) placed in the DMZ, and the complete Exchange Server 2007 environment, Client Access server included, sits in the LAN.
Figure 1: ISA Server as Reverse Proxy for OWA and Push Mail
Furthermore, this means there are no Exchange servers left in any of your DMZs, which is the more secure arrangement: from the reverse proxy you only have to open HTTPS to the Client Access server(s) in the LAN, plus, depending on how ISA Server authenticates users, LDAP(S) or RADIUS to a domain controller. That is one or two ports from the DMZ into the internal network instead of the roughly 8 to 11 ports a front-end server in the DMZ needs, although the exact count depends on your design.
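The port count is the whole security argument for this design, so it is worth verifying after the firewall change rather than trusting the change ticket. The script below is an added example, not part of the original article or of any Microsoft tooling: run from the DMZ host, it probes the LAN for the ports an Exchange 2003 front-end typically had open (used here only as a representative "before" set) and reports two things: allowed flows that are blocked (the reverse proxy will not work) and flows outside the allow-list that still answer (exposure that survived the migration). Host names and the allow-list are constructed for the example; the probe is injectable so the policy logic can be exercised without a network.

```python
"""DMZ-to-LAN exposure audit for an Exchange front-end cutover.

Hypothetical example: run it from the DMZ host (the Exchange 2003 front-end
or the new reverse proxy) to confirm the firewall permits exactly the flows
the chosen design needs and nothing more.
"""
import socket
from typing import Callable, Iterable, List, Set, Tuple

Endpoint = Tuple[str, int]
Probe = Callable[[str, int], bool]

# Constructed host names for the example; substitute your own.
INTERNAL_HOSTS = ["cas01.corp.example", "mbx01.corp.example", "dc01.corp.example"]

# Representative ports a front-end-in-the-DMZ design opens towards the LAN
# (DNS, HTTP, Kerberos, RPC endpoint mapper, LDAP, HTTPS, global catalog).
# This is the "before" picture used as the probe set, not an exhaustive or
# authoritative list for your environment.
LEGACY_FRONTEND_PORTS = [53, 80, 88, 135, 389, 443, 3268]

# Reverse-proxy design: HTTPS to the Client Access server plus LDAPS to one
# domain controller for ISA pre-authentication. Everything else must be closed.
REVERSE_PROXY_ALLOW: Set[Endpoint] = {
    ("cas01.corp.example", 443),
    ("dc01.corp.example", 636),
}


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: True if a TCP handshake completes, i.e. the firewall passes the flow."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(allow: Set[Endpoint], hosts: Iterable[str], ports: Iterable[int],
          probe: Probe = tcp_probe) -> Tuple[List[Endpoint], List[Endpoint]]:
    """Probe every host/port combination plus the allow-list itself.

    Returns (closed_required, excess):
      closed_required - allowed endpoints that do not answer: the design will not work
      excess          - endpoints outside the allow-list that do answer: exposure to remove
    """
    candidates = {(h, p) for h in hosts for p in ports} | set(allow)
    closed_required: List[Endpoint] = []
    excess: List[Endpoint] = []
    for endpoint in sorted(candidates):
        reachable = probe(*endpoint)
        if endpoint in allow and not reachable:
            closed_required.append(endpoint)
        elif endpoint not in allow and reachable:
            excess.append(endpoint)
    return closed_required, excess


def report(closed_required: List[Endpoint], excess: List[Endpoint]) -> str:
    """Render the findings as one line per problem, or a single all-clear line."""
    lines = []
    for host, port in closed_required:
        lines.append("REQUIRED BUT CLOSED  %s:%d" % (host, port))
    for host, port in excess:
        lines.append("EXCESS EXPOSURE      %s:%d" % (host, port))
    return "\n".join(lines) if lines else "firewall matches the reverse-proxy design"


if __name__ == "__main__":
    closed, extra = audit(REVERSE_PROXY_ALLOW, INTERNAL_HOSTS, LEGACY_FRONTEND_PORTS)
    print(report(closed, extra))
```

Run it twice: once from the old front-end before it is switched off (expect a long EXCESS list, which is the exposure you are removing) and once from the ISA Server after the firewall change (expect the all-clear). A TCP connect only proves the firewall passes the flow; a port that answers but is not needed is still exposure and should go.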
If you choose this design, you need a reverse proxy solution. Many firewalls can be configured as a proxy and/or reverse proxy, so in many designs you will not need a new product at all. If you have no reverse proxy today, you need to consider a new solution such as ISA Server 2006, which is available as software or as a hardware appliance. The choice between the two is yours; it makes no difference to the functionality needed here.
I would suggest using ISA Server as the reverse proxy solution for the following reasons:
- Best integration with your Exchange solution
- Users log on at the ISA Server itself rather than on an internal server; ISA Server pre-authenticates and authorizes every request before it is forwarded, so unauthenticated traffic never reaches the LAN
- ISA Server 2006 ships with an application filter for Outlook Web Access and/or Exchange ActiveSync publishing that restricts the traffic to the published Exchange paths, so no other unwanted traffic crosses your firewall
- ISA Server 2006 can authenticate users against Active Directory through LDAP or RADIUS, so the ISA Server in the DMZ does not need to be a domain member and only a single, well-defined authentication port is opened towards the LAN
- At the time of writing, ISA Server is the only product I am aware of that provides this combination out of the box
If you choose to implement a reverse proxy solution, the project needs more detailed planning, because the cutover can interrupt your Internet-facing mail services (Outlook Web Access and Exchange ActiveSync).
The migration itself can be prepared well in advance, since much of the work can be done before you disable the existing Exchange Server 2003 front-end server and switch to the new one. Here are a couple of points to help you do so:
- Install the operating system and ISA Server on the new hardware
- Prepare the firewall configuration for the ISA Server solution (give ISA Server its own IP address; the old front-end and the new ISA Server can then run in parallel)
- Configure the publishing rules for Outlook Web Access and/or Exchange ActiveSync
You can test the new configuration before it goes into production by:
- using another IP address and external DNS name for the test
- using a new digital certificate for the ISA Server that covers that test name
This sounds easy, but if you run Exchange ActiveSync it is only this easy if the certificate on the ISA Server chains to a root certificate that is already in the trust store of every mobile device. A device that cannot validate the server certificate, or that connects to a name the certificate does not cover, simply fails to synchronize; there is no prompt to click through. So if you use a certificate from your own CA you must deploy the new root certificate to all of your mobile devices as well, and a test name not covered by the certificate will fail in the same way.
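The certificate caveat above is the one that bites during a test under a different name or IP address: a mobile device validates the chain against the roots it already holds and checks that the name it connected to is in the certificate. The following script, added here as an example and not part of the original article, checks a published endpoint the way such a client would, using Python's ssl module. The connect_to parameter lets you point at the test IP address while presenting the production name, so the certificate can be verified before DNS is changed; cafile lets you validate against exactly the root you intend to push to the devices (leave it unset to use the machine's default trust store). Host names are constructed; the verify-code mapping follows OpenSSL's X509 verification result codes.

```python
"""Check a published OWA / ActiveSync endpoint the way a mobile device would.

Hypothetical example, not Microsoft or ISA Server tooling. Requires Python 3.7+
for ssl.SSLCertVerificationError.verify_code.
"""
import socket
import ssl
from typing import Dict, Optional, Tuple

# OpenSSL X509 verify result codes as surfaced by SSLCertVerificationError.verify_code.
_VERIFY_CODE_MEANING = {
    2: "untrusted_root",    # unable to get issuer certificate
    10: "expired",          # certificate has expired
    18: "untrusted_root",   # self-signed leaf certificate
    19: "untrusted_root",   # self-signed certificate in chain
    20: "untrusted_root",   # unable to get local issuer certificate
    21: "untrusted_root",   # unable to verify the first certificate
    62: "name_mismatch",    # hostname mismatch
}


def classify_verify_error(code: int) -> str:
    """Map an OpenSSL verify code to the outcome a device would show you."""
    return _VERIFY_CODE_MEANING.get(code, "verify_failed")


def check_endpoint(external_name: str,
                   connect_to: Optional[Tuple[str, int]] = None,
                   cafile: Optional[str] = None,
                   timeout: float = 5.0) -> Dict[str, object]:
    """Connect like a device would and report the first thing that goes wrong.

    external_name - the DNS name the devices are configured with (also used for SNI
                    and for the hostname check, exactly as the device does it)
    connect_to    - optional (ip_or_host, port) to reach the test instance before DNS
                    is switched; defaults to (external_name, 443)
    cafile        - PEM bundle of the root(s) the devices trust; None = system store
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    host, port = connect_to or (external_name, 443)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=external_name) as tls:
                cert = tls.getpeercert()
                return {
                    "status": "ok",
                    "not_after": cert.get("notAfter"),
                    "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                }
    except ssl.SSLCertVerificationError as exc:
        return {"status": classify_verify_error(exc.verify_code), "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "tls_error", "detail": str(exc)}
    except OSError as exc:
        return {"status": "unreachable", "detail": str(exc)}


if __name__ == "__main__":
    # Constructed example: production name presented to a test address before the DNS change.
    result = check_endpoint("mail.corp.example", connect_to=("203.0.113.10", 443),
                            cafile="internal-root.pem")
    print(result)
```

An "untrusted_root" result with cafile unset but "ok" with your own root file is the exact situation the paragraph above warns about: the ISA Server is fine, and every device still needs the root pushed to it before cutover. A "name_mismatch" while testing means the test name is not in the certificate; reissue it with the test name as well, or test under the production name via connect_to.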
Choosing the best solution
From a security point of view, the second solution described above is the more complex but also the more secure one. Placing servers in the DMZ with direct access to servers in the LAN is not as secure as it should be: if an attacker compromises the server in the DMZ, every port that server was allowed to reach in the LAN, together with its domain credentials, becomes a ready-made path to the internal servers, with no further barrier in between. With a reverse proxy in the DMZ the attacker gains a host that need not be a domain member and whose only paths inwards are HTTPS to the Client Access server and the authentication port.
If you already run a proxy server in your DMZ that can also act as a reverse proxy, consider using that one. If you have no proxy that can act as a reverse proxy, consider implementing ISA Server 2006 on a Windows Server 2003 machine, because ISA Server 2006 does not run on Windows Server 2008 at present. If you want that combination, you will have to wait some more months for the availability of Microsoft Forefront, code name “Stirling”.
For further questions please do not hesitate to contact me.