Front-End and Back-End Topology Checklist
Topic Last Modified: 2005-05-24
The following checklist summarizes the steps required to configure front-end servers, back-end servers, and firewalls.
The following procedures contain information about editing your registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Information" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. You should also update your Emergency Repair Disk (ERD).
The following tables present the front-end and back-end topology tasks in a tabular, checklist format.
Configuring the front-end servers
Step 1. Install Exchange Server:
Install Exchange Server on the front-end server.
Step 2. Configure HTTP virtual servers or directories on the front-end server for access to mailbox and public stores as required:
For additional virtual servers, specify the SMTP domain, IP address, and host headers or ports. Leave the Basic authentication check box selected.
For additional virtual directories for public stores, specify the appropriate public store root.
For additional virtual directories for mailbox stores, specify the SMTP domain.
Step 3. Disable unnecessary services:
Stop any services that are not required for the protocols being used.
Step 4. Dismount and delete stores if necessary:
If you are not running SMTP, dismount and delete all mailbox stores.
If you are running SMTP, leave a mailbox store mounted, but make sure the mailbox store does not contain any mailboxes. If you receive large amounts of external e-mail for public folders, you can mount a public store, as this will improve mail delivery to public folders.
Step 5. Set up front-end server load balancing if necessary:
Install load balancing on all front-end servers.
(Recommended) Enable client affinity.
Step 6. Configure SSL (recommended):
Option 1: Configure SSL on the front-end server.
Option 2: Set up a server between the client and the front-end server to offload SSL decryption.
Step 7. If you use a perimeter network:
Create the DisableNetlogonCheck registry key and set the REG_DWORD value to 1.
Create the LdapKeepAliveSecs registry key and set the REG_DWORD value to 0.
To restrict the front-end server to contacting only specific domain controllers and global catalog servers, specify them in Exchange System Manager on the front-end server.
Step 8. If you use a perimeter network and do not want to allow RPCs across the intranet firewall:
Disable authentication on the front-end server.
Step 9. If required, create an IPSec policy on the front-end servers.
Configuring the back-end servers
Step 1. Configure the Internet firewall (between the Internet and the front-end servers):
Open TCP ports on the Internet firewall for the mail protocols:
443 for HTTPS
993 for SSL-enabled IMAP
995 for SSL-enabled POP
25 for SMTP (including TLS)
Step 2. If using ISA Server, configure as follows:
Configure a listener for SSL.
Create a destination set that contains the external IP address of the ISA server. This destination set will be used in the Web publishing rule.
Create a Web publishing rule that redirects requests to the internal front-end server.
Create protocol rules to open ports in ISA Server for outgoing traffic.
Configure the ISA server for Outlook Web Access. For more information about how to configure an ISA server for Outlook Web Access, see Microsoft Knowledge Base article 307347, "Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header."
Step 3. If using a front-end server in a perimeter network, configure the intranet firewall:
Open TCP ports on the intranet firewall for the protocols you are using:
Open ports for Active Directory Communication:
Open the ports required for access to the DNS server:
Open the appropriate ports for RPC communication:
(Optional) To limit RPCs across the intranet firewall, edit the registry on servers in the intranet so that RPC traffic uses a specific, non-random port. Then open the appropriate ports on the internal firewall:
If you use IPSec between the front-end and back-end, open the appropriate ports. If the policy you configure only uses AH, you do not need to allow ESP, and vice versa.
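As an added example (not part of the Exchange documentation), the Python audit below compares an exported firewall rule list against the Internet-firewall ports in Step 1 and the AH/ESP note in Step 3: it reports ports that the protocols in use require but that are closed, and ports or IPSec protocols that are open without being needed. The rule-line format and the sample rule exports are constructed for this example, and the AH/ESP protocol numbers (51 and 50) are IANA assignments rather than values from this page.

```python
# Added audit helper (constructed example, not from the Exchange documentation).
# Internet firewall (Step 1): mail protocol -> TCP port that must be open.
INTERNET_PORTS = {"https": 443, "imaps": 993, "pop3s": 995, "smtp": 25}
# Intranet firewall IPSec pass-through: IANA protocol numbers, AH = 51, ESP = 50.
IPSEC_PROTOCOLS = {"ah": 51, "esp": 50}

def parse_rules(text):
    """Constructed rule format: 'allow tcp <port>' or 'allow ip <protocol-number>'.
    Returns the set of (kind, number) pairs the firewall permits."""
    opened = set()
    for line in text.strip().splitlines():
        action, kind, number = line.split()
        if action == "allow":
            opened.add((kind, int(number)))
    return opened

def _compare(required, opened):
    return {"missing": sorted(required - opened),
            "unexpected": sorted(opened - required)}

def audit_internet_firewall(opened, protocols_in_use):
    """Flag TCP ports the in-use protocols need but lack, and any extra ones
    (plaintext HTTP/IMAP/POP, or a mail protocol that is not in use)."""
    required = {INTERNET_PORTS[p] for p in protocols_in_use}
    return _compare(required, {n for kind, n in opened if kind == "tcp"})

def audit_ipsec_passthrough(opened, policy_uses):
    """An AH-only policy needs protocol 51 but not 50, and vice versa."""
    required = {IPSEC_PROTOCOLS[m] for m in policy_uses}
    return _compare(required, {n for kind, n in opened if kind == "ip"})

# Constructed sample exports: one per firewall.
INTERNET_RULES = "allow tcp 443\nallow tcp 993\nallow tcp 995\nallow tcp 25\n" \
                 "allow tcp 80\nallow tcp 143\n"
INTRANET_IPSEC_RULES = "allow ip 50\nallow ip 51\n"

if __name__ == "__main__":
    # OWA, IMAP and SMTP in use, POP not: 995 plus plaintext 80/143 are flagged.
    print(audit_internet_firewall(parse_rules(INTERNET_RULES), {"https", "imaps", "smtp"}))
    # Policy negotiates AH only: ESP (protocol 50) should not be allowed through.
    print(audit_ipsec_passthrough(parse_rules(INTRANET_IPSEC_RULES), {"ah"}))
```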