Front-End and Back-End Topology Checklist

Article
07/25/2014

The following checklist summarizes the steps required to configure front-end servers, back-end servers, and firewalls.

Note

The following procedures contain information about editing your registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Information" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. You should also update your Emergency Repair Disk (ERD).

Note

The following tables present the front-end and back-end topology tasks in a tabular, checklist format.

Configuring the front-end servers

Task
Step 1. Install Exchange Server: Install Exchange Server on the front-end server.
Step 2. Configure HTTP virtual servers or directories on the front-end server for access to mailbox and public stores as required: For additional virtual servers, specify the SMTP domain, IP address, and host headers or ports. Leave the Basic authentication check box selected. For additional virtual directories for public stores, specify the appropriate public store root. For additional virtual directories for mailbox stores, specify the SMTP domain.
Step 3. Disable unnecessary services: Stop any services that are not required for the protocols being used.
Step 4. Dismount and delete stores if necessary: If you are not running SMTP, dismount and delete all mailbox stores. If you are running SMTP, leave a mailbox store mounted, but make sure the mailbox store does not contain any mailboxes. If you receive large amounts of external e-mail for public folders, you can mount a public store, as this will improve mail delivery to public folders.
Step 5. Set up front-end server load balancing if necessary: Install load balancing on all front-end servers. (Recommended) Enable client affinity.
Step 6. Configure SSL (recommended): Option 1: Configure SSL on the front-end server. Option 2: Set up a server between the client and the front-end server to offload SSL decryption.
Step 7. If you use a perimeter network: Note It is recommended that you use an advanced firewall server (such as ISA Server) rather than the front-end server in the perimeter network. For more information, see Advanced Firewall in a Perimeter Network. Create the DisableNetlogonCheck registry key and set the REG_DWORD value to 1. Create the LdapKeepAliveSecs registry key and set the REG_DWORD value to 0. To restrict the front-end to only contacting certain domain controllers and global catalog servers, specify them in Exchange System Manager on the front-end server
Step 8. If you use a perimeter network and do not want to allow RPCs across the intranet firewall: Note If you disable authentication on the front-end server, you allow anonymous requests to reach your back-end servers. Disable authentication on the front-end server.
Step 9. If required, create an IPSec policy on the front-end servers.

Step 1. Install Exchange Server:

Install Exchange Server on the front-end server.

Step 2. Configure HTTP virtual servers or directories on the front-end server for access to mailbox and public stores as required:

For additional virtual servers, specify the SMTP domain, IP address, and host headers or ports. Leave the Basic authentication check box selected.

For additional virtual directories for public stores, specify the appropriate public store root.

For additional virtual directories for mailbox stores, specify the SMTP domain.

Step 3. Disable unnecessary services:

Stop any services that are not required for the protocols being used.

Step 4. Dismount and delete stores if necessary:

If you are not running SMTP, dismount and delete all mailbox stores.

If you are running SMTP, leave a mailbox store mounted, but make sure the mailbox store does not contain any mailboxes. If you receive large amounts of external e-mail for public folders, you can mount a public store, as this will improve mail delivery to public folders.

Step 5. Set up front-end server load balancing if necessary:

Install load balancing on all front-end servers.

(Recommended) Enable client affinity.

Step 6. Configure SSL (recommended):

Option 1: Configure SSL on the front-end server.

Option 2: Set up a server between the client and the front-end server to offload SSL decryption.

Step 7. If you use a perimeter network:

Note

It is recommended that you use an advanced firewall server (such as ISA Server) rather than the front-end server in the perimeter network. For more information, see Advanced Firewall in a Perimeter Network.

Create the DisableNetlogonCheck registry key and set the REG_DWORD value to 1.

Create the LdapKeepAliveSecs registry key and set the REG_DWORD value to 0.

To restrict the front-end to only contacting certain domain controllers and global catalog servers, specify them in Exchange System Manager on the front-end server

Step 8. If you use a perimeter network and do not want to allow RPCs across the intranet firewall:

Note

If you disable authentication on the front-end server, you allow anonymous requests to reach your back-end servers.

Disable authentication on the front-end server.

Step 9. If required, create an IPSec policy on the front-end servers.

Configuring the back-end servers

Tasks
Create and configure HTTP virtual servers or directories to match the front-end: For additional virtual servers, set the host headers and IP addresses as appropriate. The TCP port must be left at 80. Make sure the Basic authentication and Integrated Windows Authentication check boxes are both selected. For additional virtual directories for public folder stores, specify the appropriate public folder store root, to match the root configured on the front-end server. For additional virtual directories for mailbox stores, specify the SMTP domain.

Create and configure HTTP virtual servers or directories to match the front-end:
For additional virtual servers, set the host headers and IP addresses as appropriate. The TCP port must be left at 80. Make sure the Basic authentication and Integrated Windows Authentication check boxes are both selected.
For additional virtual directories for public folder stores, specify the appropriate public folder store root, to match the root configured on the front-end server.
For additional virtual directories for mailbox stores, specify the SMTP domain.

Configuring firewalls

Task
Step 1. Configure the Internet firewall (between the Internet and the front-end servers): Open TCP ports on the Internet firewall for the mail protocols: 443 for HTTPS 993 for SSL-enabled IMAP 995 for SSL-enabled POP 25 for SMTP (including TLS)
Step 2. (continued) If using ISA Server, configure as follows: Configure a listener for SSL. Create a destination set that contains the external IP address of the ISA server. This destination set will be used in the Web publishing rule. Create a Web publishing rule that redirects requests to the internal front-end server. Create protocol rules to open ports in ISA Server for outgoing traffic. Configure the ISA server for Outlook Web Access (for more information about how to configure an ISA server for Outlook Web Access, see Microsoft Knowledge Base article 307347, "Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header."
Step 3. If using a front-end server in a perimeter network, configure the intranet firewall: Open TCP ports on the intranet firewall for the protocols you are using: 80 for HTTP 143 for IMAP 110 for POP 25 for SMTP 691 for Link State Algorithm routing protocol Open ports for Active Directory Communication: TCP port 389 for LDAP to Directory Service UDP port 389 for LDAP to Directory Service TCP port 3268 for LDAP to Global Catalog Server TCP port 88 for Kerberos authentication UDP port 88 for Kerberos authentication Open the ports required for access to the DNS server: TCP port 53 UDP port 53 Open the appropriate ports for RPC communication: TCP port 135 - RPC endpoint mapper TCP ports 1024+ - random RPC service ports (Optional) To limit RPCs across the intranet firewall, edit the registry on servers in the intranet to specify RPC traffic to a specific non random port. Then, open the appropriate ports on the internal firewall: TCP port 135 – RPC endpoint mapper TCP port 1600 (example) – RPC service port If you use IPSec between the front-end and back-end, open the appropriate ports. If the policy you configure only uses AH, you do not need to allow ESP, and vice versa. UDP port 500 – IKE IP protocol 51 – AH IP protocol 50 – ESP UDP port 88 and TCP port 88 – Kerberos

Step 1. Configure the Internet firewall (between the Internet and the front-end servers):

Open TCP ports on the Internet firewall for the mail protocols:

443 for HTTPS

993 for SSL-enabled IMAP

995 for SSL-enabled POP

25 for SMTP (including TLS)

Step 2. (continued) If using ISA Server, configure as follows:

Configure a listener for SSL.

Create a destination set that contains the external IP address of the ISA server. This destination set will be used in the Web publishing rule.

Create a Web publishing rule that redirects requests to the internal front-end server.

Create protocol rules to open ports in ISA Server for outgoing traffic.

Configure the ISA server for Outlook Web Access (for more information about how to configure an ISA server for Outlook Web Access, see Microsoft Knowledge Base article 307347, "Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header."

Step 3. If using a front-end server in a perimeter network, configure the intranet firewall:

Open TCP ports on the intranet firewall for the protocols you are using:

80 for HTTP
143 for IMAP
110 for POP
25 for SMTP
691 for Link State Algorithm routing protocol

Open ports for Active Directory Communication:

TCP port 389 for LDAP to Directory Service
UDP port 389 for LDAP to Directory Service
TCP port 3268 for LDAP to Global Catalog Server
TCP port 88 for Kerberos authentication
UDP port 88 for Kerberos authentication

Open the ports required for access to the DNS server:

TCP port 53
UDP port 53

Open the appropriate ports for RPC communication:

TCP port 135 - RPC endpoint mapper
TCP ports 1024+ - random RPC service ports

(Optional) To limit RPCs across the intranet firewall, edit the registry on servers in the intranet to specify RPC traffic to a specific non random port. Then, open the appropriate ports on the internal firewall:

TCP port 135 – RPC endpoint mapper
TCP port 1600 (example) – RPC service port

If you use IPSec between the front-end and back-end, open the appropriate ports. If the policy you configure only uses AH, you do not need to allow ESP, and vice versa.

UDP port 500 – IKE
IP protocol 51 – AH
IP protocol 50 – ESP
UDP port 88 and TCP port 88 – Kerberos

Front-End and Back-End Topology Checklist

Configuring the front-end servers

Configuring the back-end servers

Configuring firewalls

Additional resources