Requesting data from front-end exchange server

I have 1 front-end server in the DMZ for OWA and 1 back-end server with all
mailboxes.

When some internal ol2k2 users are creating or updating a meeting and
Outlook is checking the free/busy information, they get the "Requesting
data..." message. This message references the Netbios name of the front-end
server which will fail due to firewall settings. I don't want the Outlook
client to use this front-end server, how do I direct it to use only the
back-end server?
 
1. The Fe should not be in the DMZ, not ever, not no how.
2. The OL2K2 boxes shouldn't be talking to the FE for F/B info.
 
1. Not having a front-end server in a DMZ when access from the Internet is
allowed is a good way to eventually commit career suicide. You should study
non-Microsoft security principles and practices.

2. His question was how to stop OL2K from connecting to the FE server, not a
reaffirmation that it shouldn't be happening.
 
1. Having an FE in a DMZ is a good way to get him the sack, especially
if I'm his manager. If he wants something in a DMZ, which I certainly
advocate, then an ISA is your man, not an FE.
2. He was talking about 2002 not 2000, neither of which talk to an FE,
especially one in a DMZ.

Sorting an infrastructure out to match competence and best practice is
the solution. Patching and messing about to make something work that
is both against best practice and a security risk is not the solution.

I am a great advocate of guiding people towards the right solution,
then, and only then, are any remaining problems properly resolvable.
 
1. Having an FE in a DMZ is a good way to get him the sack, especially
if I'm his manager. If he wants something in a DMZ, which I certainly
advocate, then an ISA is your man, not an FE.

Apparently you put up DMZs that aren't behind a firewall.

Ah yes, ISA and its ability to publish internal servers "securely." Code
Red II went through ISA without bothering to pause and infected published
internal web servers. Had to install URLScan on ISA so it could, well,
securely publish...

Mark Arnold said:
On Wed, 10 Nov 2004 09:31:06 -0800, David McCue [MCSE]

I have 1 front-end server in the DMZ for OWA and 1 back-end server with all
mailboxes.

When some internal ol2k2 users are creating or updating a meeting and
Outlook is checking the free/busy information, they get the "Requesting
data..." message. This message references the Netbios name of the front-end
server which will fail due to firewall settings. I don't want the Outlook
client to use this front-end server, how do I direct it to use only the
back-end server?

1. The Fe should not be in the DMZ, not ever, not no how.
2. The OL2K2 boxes shouldn't be talking to the FE for F/B info.
 
I speak
Get off your high horse and come and have a drink with me in
Copenhagen next week, I'm paying, and if not, Steve Reilly is paying!
Apparently you put up DMZs that aren't behind a firewall.

I speak
Certainly not, ISA behind a perimeter firewall is an absolute must.
Ah yes, ISA and its ability to publish internal servers "securely." Code
Red II went through ISA without bothering to pause and infected published
internal web servers. Had to install URLScan on ISA so it could, well,
securely publish...

I speak
Now, I'm not an ISA guru, ahh, you'd guessed. ISA 2004 does a combi of
ISA 2000, FR1, URLSCAN and a whole lot more. I can't guarantee any
product will keep anything new out but what I can say is that ISA 2004
does not require the same amount of holes in the firewall that an FE
requires. I think the main point is that an FE in the DMZ makes the
DMZ into Swiss cheese instead of cheap Tesco cheddar.

If you have a firewall with URL scanning capabilities on the perimeter
then deploy it, ISA is a good 2nd line of defence, did I mention
defence in depth? in order to authenticate the user in the DMZ rather
than risk a DDOS or other attack on the inside and/or expose a domain
member in the DMZ.
 
Thank you for your comments, I should have pointed out that I'm running EX2K3
in native mode on both servers and have no mailboxes on the FE. Also there
is no public folder store on the FE server. I'm trying to understand why the
internal client would be requesting any info from the FE server. The FE server
is only for OWA.

