
Exchange 2003 with Outlook Web Access must be deployed as Front-end/Back-end Architecture.


Overview

Finding ID:  V-18858
Version:     EMG3-020 EMail
Rule ID:     SV-43875r1_rule
IA Controls: DCBP-1
Severity:    Medium
Description
Microsoft® Exchange 2003 supports a server architecture that distributes server tasks among front-end and back-end servers. Front-end/back-end architecture provides a logical separation of protocols and user traffic, and with it the ability to secure each of these aspects of the email system with discrete security techniques appropriate to each. Exchange 2010 does not use this architecture; it uses Client Access servers in the enclave and transaction proxies in the DMZ, so this requirement does not apply to it.

In this architecture, a front-end server accepts requests from clients, proxies them to the appropriate back-end server for processing, and offloads SSL encryption from the back-end servers. The term "back-end server" refers to all servers in the organization that are not front-end servers once a front-end server has been introduced. In a multi-server environment, one or more back-end servers may also take the role of bridgehead server. Bridgehead servers are used in large domains that deploy mailbox servers in multiple locations, often spanning wide area network (WAN) or other slow connections, or that require careful bandwidth management for other reasons. Bridgehead servers work in pairs, one at each side of a location, to manage replication and distribution tasks.

The primary advantage of the front-end/back-end architecture is the ability to expose a single, consistent namespace to end users, for example https://mail.mycompany.com. Without a front-end server, users must know the name of the server that stores their mailbox.
STIG: Email Services Policy STIG
Date: 2014-03-11

Details

Check Text ( C-22790r2_chk )
If the email system under review is not Microsoft Exchange 2003, this check is N/A; it applies only to Exchange 2003.

Interview the email administrator or the Information Assurance Officer (IAO). Review the documented topology diagrams and the EDSP information.

Sites offering Outlook Web Access (OWA) for remote email access from the Internet should have an Exchange 2003 front-end server. In email environments where OWA is not offered, front-end servers are not needed.

If the Exchange deployment is a multi-server environment with OWA and uses a front-end/back-end architecture, this is not a finding. If OWA is offered from the Internet and the deployment has no Exchange 2003 front-end server, this is a finding.
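The interview and diagrams establish whether OWA is offered; what the directory actually says about server roles can be checked separately. The script below is an added example, not part of the STIG or of Microsoft's tooling. It assumes the Exchange server objects were exported from the Active Directory configuration partition with ldifde (the command is in the docstring), relies on Exchange 2003 recording the front-end designation in the msExchServerRole attribute (1 for a front-end server, 0 or absent for a back-end server), and classifies a constructed LDIF sample. The function names, server names and DNs are the example's own.

```python
"""Classify Exchange 2003 servers as front-end or back-end from an LDIF export
and apply the V-18858 decision rule.

Exchange 2003 stores the front-end designation on each server object in the
AD configuration partition: msExchServerRole = 1 marks a front-end server,
0 (or absent) a back-end server.  Export the objects with, for example:

  ldifde -f exch.ldf -r "(objectClass=msExchExchangeServer)" -l name,msExchServerRole,serialNumber

and pass the file contents to check_frontend_architecture().
"""
import base64
import re

FRONT_END_ROLE = 1  # msExchServerRole value that marks a front-end server


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry.

    Handles folded lines (continuations start with a single space) and
    base64 values ('attr:: ...'); attribute names are lower-cased."""
    entries = []
    current = None
    unfolded = re.sub(r"\r?\n ", "", text)  # join continuation lines
    for line in unfolded.splitlines():
        if not line.strip():                 # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":             # 'dn' opens a new entry
            current = {}
        if current is not None:
            current.setdefault(attr.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def classify_servers(entries):
    """Map each exported server's name to 'front-end' or 'back-end'."""
    roles = {}
    for entry in entries:
        if "name" not in entry:
            continue
        role = int(entry.get("msexchserverrole", ["0"])[0])
        roles[entry["name"][0]] = "front-end" if role == FRONT_END_ROLE else "back-end"
    return roles


def check_frontend_architecture(ldif_text, owa_offered):
    """Apply V-18858: returns (is_finding, roles).

    Not a finding when OWA is not offered to the Internet, or when at least
    one front-end server exists alongside at least one back-end server.
    OWA exposure comes from the interview/topology review, so it is an input."""
    roles = classify_servers(parse_ldif(ldif_text))
    if not owa_offered:
        return False, roles
    has_front = any(r == "front-end" for r in roles.values())
    has_back = any(r == "back-end" for r in roles.values())
    return not (has_front and has_back), roles


# Constructed sample export (example names, not a real organisation); the
# first dn is folded the way ldifde wraps long lines.
FE_ENTRY = """\
dn: CN=OWA-FE1,CN=Servers,CN=First Administrative Group,CN=Administrative Grou
 ps,CN=EXAMPLE,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com
changetype: add
name: OWA-FE1
msExchServerRole: 1
serialNumber: Version 6.5 (Build 7638.2: Service Pack 2)

"""

BE_ENTRIES = """\
dn: CN=MBX1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=EXAMPLE,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com
changetype: add
name: MBX1
msExchServerRole: 0
serialNumber: Version 6.5 (Build 7638.2: Service Pack 2)

dn: CN=MBX2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=EXAMPLE,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com
changetype: add
name: MBX2
serialNumber: Version 6.5 (Build 7638.2: Service Pack 2)
"""

SAMPLE_LDIF = FE_ENTRY + BE_ENTRIES   # one front-end plus two back-ends
BACKEND_ONLY_LDIF = BE_ENTRIES        # the same site with no front-end

if __name__ == "__main__":
    for label, text in (("with front-end", SAMPLE_LDIF), ("back-end only", BACKEND_ONLY_LDIF)):
        finding, roles = check_frontend_architecture(text, owa_offered=True)
        print(f"{label}: {roles} -> {'FINDING' if finding else 'not a finding'}")
```

The script only confirms what the directory records; it cannot tell whether the front-end server is the one actually reachable from the Internet, so the perimeter placement still has to be read off the topology diagrams.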
Fix Text (F-19298r2_fix)
For Exchange 2003 systems with OWA enabled, re-engineer the environment to add at least one front-end server.

Consult the network and protocol requirements for additional requirements, such as perimeter protection, protocol paths, and other configuration that some Exchange configurations assume is in place.