EXPERT RESPONSE
You have fallen subject to a common misconception. That is that enabling SSL on a front-end server secures not only client to front-end server communications, but that it also secures front-end to back-end communication. As you have discovered, that is not how it works.
There are a few things that I want to share with you that I think will help you on your way.
- The front-end server is probably not the best place to install a certificate authority (CA). A better, more secure place would be a dedicated server; however, a more common location is a domain controller. There is a huge security risk placing the CA on a front-end server, especially if it will be located in a DMZ.
- The front-end server is the place to install the certificate, not the back-end server -- and you only need to install the certificate on the front-end server or servers. The only time you would need to install a certificate on the back-end server is if you are not deploying front-end servers.
As far as getting the front-end server to communicate with the back-end server, you need to allow port 80 communications if there is a firewall in between them. They will not communicate with each other over port 443 as you might have expected.
Note: There are additional ports I have not listed here that must be opened between if a firewall separates the front-end server from the internal network.
- Finally, to secure your front-end to back-end communications, you can implement IPsec policies on your front-end and back-end servers. If you use the default policies, I would enable the "Server (Request Security)" on both servers. This will encrypt all traffic between the two servers but will still allowed non-IPsec communications with other servers and clients.
Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:
Learning Guide: A primer on server roles and Exchange hardware
Reference Center: Permissions and passwords
|
