There are a few things that I want to share with you that I think will help you on your way.
- The front-end server is probably not the best place to install a certificate authority (CA). A better, more secure place would be a dedicated server; however, a more common location is a domain controller. There is a huge security risk placing the CA on a front-end server, especially if it will be located in a DMZ.
- The front-end server is the place to install the certificate, not the back-end server -- and you only need to install the certificate on the front-end server or servers. The only time you would need to install a certificate on the back-end server is if you are not deploying front-end servers.
As far as getting the front-end server to communicate with the back-end server, you need to allow port 80 communications if there is a firewall in between them. They will not communicate with each other over port 443 as you might have expected.
Note: There are additional ports I have not listed here that must be opened between if a firewall separates the front-end server from the internal network.
- Finally, to secure your front-end to back-end communications, you can implement IPsec policies on your front-end and back-end servers. If you use the default policies, I would enable the "Server (Request Security)" on both servers. This will encrypt all traffic between the two servers but will still allowed non-IPsec communications with other servers and clients.
Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:
Related Q&A from Richard Luckett
Exchange was running low on space, and Outlook asked if I wanted to archive my email messages. What will happen if I do that?continue reading
We need to move more than 20,000 Exchange 2010 public folders to Exchange 2013. What's the best way to do this?continue reading
I'm migrating Exchange 2010 mailboxes to Exchange 2013. How will Outlook clients know the mailboxes moved after the migration?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.