In this article we will show you the advantages and disadvantages of replacing the Exchange 2003 Front-End OWA server with Exchange Server 2007 Client Access.
Markus Klein
Introduction
Many companies still run an Exchange Server 2003 environment that was deployed a few years ago, so its design reflects only the requirements of that time. That design required companies to implement front-end server solutions placed directly in the DMZ.
If these companies plan to migrate to Exchange Server 2007, they need to check whether to keep the front-end server in place and replace it with a new server running Exchange Server 2007, or to completely change the design of the solution. This article introduces the advantages and disadvantages of each migration path and which solution is best for future requirements.
In general, there are two possible solutions for designing an Exchange Server 2007 front-end server:
- Replace the existing Exchange 2003 front-end with the Exchange 2007 client access service (CAS) role.
- Replace the existing Exchange 2003 front-end with a reverse proxy server like ISA Server 2006.
Here is an introduction to these two types of solutions:
Replace the existing server with Exchange Server 2007 CAS
The easiest way to migrate an Exchange Server 2003 front-end to Exchange Server 2007 is to install a new server running a 64-bit Windows Server operating system (or newer) and add the Exchange Server 2007 client access service role to it. You then migrate all functions from the old server to the new server.
This means that you do not change the design itself; you only replace one server with another that provides the same functionality. You also do not need to change any security settings or firewall configuration, because the ports required for Exchange Server 2003 are exactly the same as for Exchange Server 2007.
Therefore, this solution is quite easy and can be deployed smoothly without interrupting service.
Replace the existing server with a reverse proxy server
The second way to migrate is to reconsider the whole solution. With Exchange Server 2007, you do not need any front-end servers, just a reverse proxy server (like ISA Server 2006) placed in the DMZ, with all Exchange Server 2007 servers placed on the LAN.
Figure 1: ISA Server as Reverse Proxy for OWA and Push Mail
In addition, this means that there is no need to add any Exchange servers to your DMZ, which makes your solution safer (from the reverse proxy server you only have to open HTTPS to communicate from the DMZ to the Exchange server in the LAN). You open up to two ports (depending on configuration) from the DMZ to the internal network instead of opening 8 to 11 ports, although the exact number depends on your design.
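The port reduction described above can be checked against a firewall rule export. The following is an added example, not part of the original article: the CSV layout, rule names and host names (`revproxy01`, `owafe01`, `cas01`, `dc01`, `mbx01`) are hypothetical, and the sample rules are constructed to show a leftover front-end rule set next to the single HTTPS rule of the reverse proxy design.

```python
import csv
import io

# Constructed sample firewall export (hypothetical host names and rule names).
SAMPLE_RULES = """\
name,src_zone,src_host,dst_zone,dst_host,proto,port,action
proxy-to-cas,DMZ,revproxy01,LAN,cas01,tcp,443,allow
old-fe-ldap,DMZ,owafe01,LAN,dc01,tcp,389,allow
old-fe-gc,DMZ,owafe01,LAN,dc01,tcp,3268,allow
old-fe-kerberos,DMZ,owafe01,LAN,dc01,tcp,88,allow
old-fe-rpc,DMZ,owafe01,LAN,dc01,tcp,135,allow
old-fe-http,DMZ,owafe01,LAN,mbx01,tcp,80,allow
lan-to-proxy,LAN,any,DMZ,revproxy01,tcp,8080,allow
dmz-default,DMZ,any,LAN,any,any,any,deny
"""


def audit_dmz_to_lan(rules_csv, proxy_host, allowed=(("tcp", "443"),), max_ports=2):
    """Check DMZ-to-LAN allow rules against the reverse proxy design.

    Only `proxy_host` may initiate connections into the LAN, only on the
    (proto, port) pairs in `allowed`, and at most `max_ports` distinct
    services may be open in total.
    """
    violations = []
    open_ports = set()
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        inbound = rule["src_zone"] == "DMZ" and rule["dst_zone"] == "LAN"
        if not inbound or rule["action"] != "allow":
            continue  # only rules that let the DMZ reach the LAN matter here
        service = (rule["proto"], rule["port"])
        open_ports.add(service)
        if rule["src_host"] != proxy_host:
            violations.append((rule["name"], "source is not the reverse proxy"))
        elif service not in allowed:
            violations.append((rule["name"], "service not needed by the proxy"))
    return {
        "violations": violations,
        "open_ports": sorted(open_ports),
        "over_budget": len(open_ports) > max_ports,
    }


if __name__ == "__main__":
    report = audit_dmz_to_lan(SAMPLE_RULES, proxy_host="revproxy01")
    for name, reason in report["violations"]:
        print(f"{name}: {reason}")
    print("open DMZ->LAN services:", report["open_ports"])
```

Running the audit again after the old front-end is retired confirms that its DMZ-to-LAN rules were actually removed rather than left behind.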
If you choose this design, you need to implement a reverse proxy server solution. Many firewalls offer this capability and let you configure a proxy or reverse proxy server on them. Therefore, in many designs, you will have to choose a new server solution with a new product. If you do not currently have a reverse proxy server, you need to consider a new solution like ISA Server 2006, which is available as software or as a hardware device. The choice between hardware and software is entirely up to you; it does not depend on the functionality you need.
We will use ISA Server as the reverse proxy server for the following reasons:
If you choose the reverse proxy solution, the project itself needs to be planned in more detail, because interruptions to the mail services (OWA and ActiveSync) may occur.
The migration itself can be well prepared, because many things can be replaced before you disable your existing Exchange Server 2003 front-end server and switch to the new server. Here are some points to help you do that:
You can test the new configuration before putting it into the production system. This is the order to follow:
This seems quite easy, but if you are running ActiveSync, it is only easy if you use a digital certificate whose trusted root certificate is already installed in the certificate store on each mobile device. Otherwise, you will also have to deploy a new root certificate to all mobile devices.
Choose the best solution
From a security standpoint, the second solution described above is the safest. Placing servers in the DMZ that have direct access to servers in the LAN is not secure. If an attacker can impersonate a server in your DMZ, that attacker can successfully access your internal servers and compromise them easily.
If you already use a proxy server in the DMZ that can also work as a reverse proxy server, you should consider using it as the reverse proxy. If you have no proxy that can act as a reverse proxy, consider ISA Server 2006 on a Windows Server 2003 server, since ISA Server 2006 does not work with Windows Server 2008 today.