There are a few things that I want to share with you that I think will help you on your way.
- The front-end server is probably not the best place to install a certificate authority (CA). A better, more secure place would be a dedicated server; however, a more common location is a domain controller. There is a huge security risk placing the CA on a front-end server, especially if it will be located in a DMZ.
- The front-end server is the place to install the certificate, not the back-end server -- and you only need to install the certificate on the front-end server or servers. The only time you would need to install a certificate on the back-end server is if you are not deploying front-end servers.
As far as getting the front-end server to communicate with the back-end server, you need to allow port 80 communications if there is a firewall in between them. They will not communicate with each other over port 443 as you might have expected.
Note: There are additional ports I have not listed here that must be opened between if a firewall separates the front-end server from the internal network.
- Finally, to secure your front-end to back-end communications, you can implement IPsec policies on your front-end and back-end servers. If you use the default policies, I would enable the "Server (Request Security)" on both servers. This will encrypt all traffic between the two servers but will still allowed non-IPsec communications with other servers and clients.
Do you have comments on this Ask the Expert Q&A? Let us know.
Related information from SearchExchange.com:
Dig Deeper on Exchange Server Security
Related Q&A from Richard Luckett
Some folders in a mailbox on Exchange Server 2013 are not showing up on the folder list in the OWA virtual directory but do appear in other views. Continue Reading
We have a Client Access Server and Mailbox Server on Exchange 2013 and we want to install an Edge Transport role on another machine. I joined the ... Continue Reading
How can I enable Outlook Anywhere to allow internal use for all users and external use for only some users in Exchange 2013? Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.