FE/BE Servers

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 21 Mar 2003 12:04:46 -0600

Hey folks,
 
Note that the FE/BE server config is not specifically noted to be a
security solution. Although they mention you can put the FE in front of
the firewall, the advantage they explicate is that it prevents DoS'ing
the BE. You would realize the same advantage if both the FE and BE are
behind the ISA Server.
 
CONCLUSION: There is no reason to put the FE in front of the ISA Server.
 
You decide:
==========================================
Using a front-end and back-end deployment has the following advantages: 

*       Single namespace: The primary advantage of a front-end and
back-end server architecture is the ability to expose a single,
consistent namespace. You can define a single namespace for users to
access their mailboxes (for example, http://mail for Outlook Web
Access). Without a front-end server, each user must know the name of the
server that stores their mailbox. This complicates administration and
compromises flexibility, because every time your organization grows or
changes and you move some or all mailboxes to another server, you must
inform the users. With a single namespace, users can use the same URL or
POP and IMAP client configuration, even if you add or remove servers or
move mailboxes from server to server. In addition, creating a single
namespace ensures that Outlook Web Access, POP, or IMAP access remains
scalable as your organization grows. 
*       Ability to balance processing tasks between servers: You can
configure servers running Exchange 2000 to support Secure Sockets Layer
(SSL) traffic between the client and the server to protect the traffic
from third-party interception. However, encrypting and decrypting
message traffic uses processor time. When SSL encryption is in use,
front-end and back-end server architecture provides an advantage because
the front-end servers can handle all encryption and decryption
processing. In addition, you can use an SSL accelerator to further
mitigate the impact encryption and decryption has on the server. An SSL
accelerator improves performance by removing processing tasks from
back-end servers, while still allowing data to be encrypted between the
client and the server running Exchange. 
*       Firewalls: You can position the front-end server as the single
point of access on or behind an Internet firewall that is configured to
allow only traffic to the front-end from the Internet. Because the
front-end server has no user information stored on it, it provides an
additional layer of security for the organization. In addition, you can
configure the front-end server to authenticate requests before proxying
them, protecting the back-end servers from denial-of-service attacks. 
*       Increased IMAP access to public folders: The IMAP protocol allows
a server to refer a client to another server. Exchange 2000 supports
this referral functionality in cases where a public folder store on a
particular server does not contain the content requested and the client
needs to be referred to another server. However, this requires a client
that supports IMAP referrals, and most clients do not support referrals.
(The University of Washington Pine client and toolkit is one example of
a client that supports referrals.) When a nonreferral-enabled IMAP
client connects through a front-end server, the client has access to the
entire public folder hierarchy. When a front-end server proxies a
command to a back-end server, it automatically handles any referral
response that is passed back when attempting to access a folder that is
not available on the back-end server. This makes the referral
transparent to the client. For more information about
nonreferral-enabled IMAP clients, see Request for Comments (RFC) 2221
and RFC 2193.

 
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 
 
 
