RE: FE/BE Servers

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 22 Mar 2003 22:33:37 -0600

Hi Jason,
 
There have been a number of posts on the FE/BE issue over on the Web
boards, so it got me to thinking about this again. FE/BE would be a
great topic! Maybe I could do a LAT-based DMZ article to satisfy the
people who want to put the FE into a DMZ.
 
Thanks!
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 

        -----Original Message-----
        From: Jason Ballard [mailto:jasonb54@xxxxxxxxx] 
        Sent: Friday, March 21, 2003 12:33 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: FE/BE Servers
        
        
        http://www.ISAserver.org
        
        

        Hey Tom,

         

        What is this post in reference to?  Just curious because I
remember this being mentioned in the Feature Pack documentation.

         

        Are you getting ready to do an article on configuring a FE/BE
configuration?  That would be a great upcoming topic!

         

        Have a good weekend, 

         

        Jason

         

        
  _____  


        From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
        Sent: Friday, March 21, 2003 1:05 PM
        To: [ISAserver.org Discussion List]

         


        Hey folks,

         

        Note that the FE/BE server config is not specifically noted to
be a security solution. Although they mention you can put the FE in
front of the firewall, the advantage they explicate is that it prevents
DoS'ing the BE. You would realize the same advantage if both the FE and
BE are behind the ISA Server.

         

        CONCLUSION: There is no reason to put the FE in front of the ISA
Server.

         

        You decide:

        ==========================================

        =========================================

        Using a front-end and back-end deployment has the following
advantages: 

        *       Single namespace. The primary advantage of a front-end
and back-end server architecture is the ability to expose a single,
consistent namespace. You can define a single namespace for users to
access their mailboxes (for example, http://mail for Outlook Web
Access). Without a front-end server, each user must know the name of the
server that stores their mailbox. This complicates administration and
compromises flexibility, because every time your organization grows or
changes and you move some or all mailboxes to another server, you must
inform the users. With a single namespace, users can use the same URL or
POP and IMAP client configuration, even if you add or remove servers or
move mailboxes from server to server. In addition, creating a single
namespace ensures that Outlook Web Access, POP, or IMAP access remains
scalable as your organization grows. 
        *       Ability to balance processing tasks between servers. You
can configure servers running Exchange 2000 to support Secure Sockets
Layer (SSL) traffic between the client and the server to protect the
traffic from third-party interception. However, encrypting and
decrypting message traffic uses processor time. When SSL encryption is
in use, front-end and back-end server architecture provides an advantage
because the front-end servers can handle all encryption and decryption
processing. In addition, you can use an SSL accelerator to further
mitigate the impact encryption and decryption has on the server. An SSL
accelerator improves performance by removing processing tasks from
back-end servers, while still allowing data to be encrypted between the
client and the server running Exchange. 
        *       Firewalls. You can position the front-end server as the
single point of access on or behind an Internet firewall that is
configured to allow only traffic to the front-end from the Internet.
Because the front-end server has no user information stored on it, it
provides an additional layer of security for the organization. In
addition, you can configure the front-end server to authenticate
requests before proxying them, protecting the back-end servers from
denial-of-service attacks. 
        *       Increased IMAP access to public folders. The IMAP
protocol allows a server to refer a client to another server. Exchange
2000 supports this referral functionality in cases where a public folder
store on a particular server does not contain the content requested and
the client needs to be referred to another server. However, this
requires a client that supports IMAP referrals, and most clients do not
support referrals. (The University of Washington Pine client and toolkit
is one example of a client that supports referrals.) When a
non-referral-enabled IMAP client connects through a front-end server, the
client has access to the entire public folder hierarchy. When a
front-end server proxies a command to a back-end server, it
automatically handles any referral response that is passed back when
attempting to access a folder that is not available on the back-end
server. This makes the referral transparent to the client. For more
information about nonreferral-enabled IMAP clients, see Request for
Comments (RFC) 2221 and RFC 2193. 

         

        Thomas W Shinder

        www.isaserver.org/shinder

        ISA Server and Beyond: http://tinyurl.com/1jq1

        Configuring ISA Server: http://tinyurl.com/1llp

         

         

         

        ------------------------------------------------------
        List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
        ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
        ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Exchange Server Resource Site: http://www.msexchange.org/
        Windows Security Resource Site: http://www.windowsecurity.com/
        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion
List as: jasonb54@xxxxxxxxx
        To unsubscribe send a blank email to
$subst('Email.Unsub') 
