Q

Securing a front-end certificate server

I have set up a front-end server to be the certificate server. How do I set up the back-end server to use this certificate, and make the requests on the main server go to the back-end server? The back-end server's Internet Information Server Exchange site has the red stop sign. What does that mean? It seems to work for HTTP traffic directly, just not from the front-end server, which is configured to require SSL.
You have fallen subject to a common misconception. That is that enabling SSL on a front-end server secures not only client to front-end server communications, but that it also secures front-end to back-end communication. As you have discovered, that is not how it works.

There are a few things that I want to share with you that I think will help you on your way.

  1. The front-end server is probably not the best place to install a certificate authority (CA). A better, more secure place would be a dedicated server; however, a more common location is a domain controller. There is a huge security risk placing the CA on a front-end server, especially if it will be located in a DMZ.

  2. The front-end server is the place to install the certificate, not the back-end server -- and you only need to install the certificate on the front-end server or servers. The only time you would need to install a certificate on the back-end server is if you are not deploying front-end servers.

    As far as getting the front-end server to communicate with the back-end server, you need to allow port 80 communications if there is a firewall in between them. They will not communicate with each other over port 443 as you might have expected.

    Note: There are additional ports I have not listed here that must be opened between if a firewall separates the front-end server from the internal network.

  3. Finally, to secure your front-end to back-end communications, you can implement IPsec policies on your front-end and back-end servers. If you use the default policies, I would enable the "Server (Request Security)" on both servers. This will encrypt all traffic between the two servers but will still allowed non-IPsec communications with other servers and clients.


Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:

  • Learning Guide: A primer on server roles and Exchange hardware
  • Reference Center: Permissions and passwords


  • This was last published in July 2005

    Dig Deeper on Exchange Server Security

    PRO+

    Content

    Find more PRO+ content and other member only offers, here.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.

    -ADS BY GOOGLE

    SearchWindowsServer

    SearchEnterpriseDesktop

    SearchCloudComputing

    SearchSQLServer

    Close