Q

Securing a front-end certificate server

I have set up a front-end server to be the certificate server. How do I set up the back-end server to use this certificate, and make the requests on the main server go to the back-end server? The back-end server's Internet Information Server Exchange site has the red stop sign. What does that mean? It seems to work for HTTP traffic directly, just not from the front-end server, which is configured to require SSL.
You have fallen subject to a common misconception. That is that enabling SSL on a front-end server secures not only client to front-end server communications, but that it also secures front-end to back-end communication. As you have discovered, that is not how it works.

There are a few things that I want to share with you that I think will help you on your way.

  1. The front-end server is probably not the best place to install a certificate authority (CA). A better, more secure place would be a dedicated server; however, a more common location is a domain controller. There is a huge security risk placing the CA on a front-end server, especially if it will be located in a DMZ.

  2. The front-end server is the place to install the certificate, not the back-end server -- and you only need to install the certificate on the front-end server or servers. The only time you would need to install a certificate on the back-end server is if you are not deploying front-end servers.

    As far as getting the front-end server to communicate with the back-end server, you need to allow port 80 communications if there is a firewall in between them. They will not communicate with each other over port 443 as you might have expected.

    Note: There are additional ports I have not listed here that must be opened between if a firewall separates the front-end server from the internal network.

  3. Finally, to secure your front-end to back-end communications, you can implement IPsec policies on your front-end and back-end servers. If you use the default policies, I would enable the "Server (Request Security)" on both servers. This will encrypt all traffic between the two servers but will still allowed non-IPsec communications with other servers and clients.


Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:

  • Learning Guide: A primer on server roles and Exchange hardware
  • Reference Center: Permissions and passwords


  • This was first published in July 2005

    Dig deeper on Exchange Server Security

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    SearchWindowsServer

    SearchEnterpriseDesktop

    SearchCloudComputing

    SearchSQLServer

    Close