Non-ISA server secure remote access to Exchange 2003

I have seen a lot of good posts about remote email access to an internal (behind firewall) Exchange 2003 server.  Thank you all for your excellent input!

I am faced with the same thing.  I am bringing small business email from a hosted solution to on-site Exchange 2003 box.

The facts are:

1. Remote access is only by 3-4 out of 30 users. This remote access is part time (home and when travelling).
2. They prefer POP3, as it is the current method to access the ISP hosted server.  I would leave messages on the server.
3. I do not think adding ISA 2004 is justifiable. It could sit between DMZ and internal.
4. This leaves me with incoming remote connections to an internal server behind firewall. (not my first choice).
5. I understand that RPC over HTTP is an option.
6. I understand that Secure POP3 is an option

With 5 or 6 does the SSL provide authentication protection, or just transport encryption?  I assume if this was done with a pre-shared key then more authentication protection would be present?  I am trying to determine the best way to mitigate the risk of having the Secure POP3 port accept connections from the world.



I would strongly advise against using POP3 in any context. There are too many opportunities for email to be sucked off the server as the POP3 leave on server setting is client side. You cannot control it from the server.

SSL on RPC over HTTPS provides a secure connection all the way. It is just like using your bank - uses the same technology. Outlook makes a call on SSL to the server, is asked to authenticate and then makes the connection. If you are using a machine that is a member of the domain then you will get pass through authentication making it totally transparent to the users.

Don't forget that you get OWA, OMA and handheld support with Exchange 2003, so you have lots of remote options.

From a ports point of view, I have no issue with 443 coming straight in. Ditto for 25 (SMTP). Secure POP3 should be ok as well. You probably want to avoid using straight POP3 as that sends the username and password across in the clear.

banjo1960Author Commented:

Thanks for the clear explanation.  I agree with straight POP3.

When using SSL for any of these methods, would I then distribute the cert to the clients "privately?"  This situation only applies to a few users in a fairly static environment.

I am trying to understand how the SSL helps with authentication, other than just encrypting the username and password. I would like to use it to increase trust of who is connecting.

There are two types of certificate - client and server.
Server SSL support is very widespread, and that is what I tend to deploy most. In fact I haven't done a client certificate installation for quite some time.
What the server SSL certificate does is prove to the calling device that the server is who it says it is. An encrypted session is then established and authentication credentials passed over that encrypted session. It doesn't actually aid the authentication process in any way, other than allowing the credentials to be sent over in a manner where they cannot be sniffed.

Think bank, ecommerce sites - same technology.

The certificate would not be deployed to the users, in much the same way that you don't have the certificate from Amazon on your machine. What is deployed to the users is the root certificate that signed your certificate. The main root certificates are already in the browser.

Client certificates are a lot more complex to manage. Each user has their own. It fits in with the two factor authentication model - something you have (the certificate) and something you know (password). Authentication still takes place.
Client certificate support would be required from the application. Outside of a web browser session client certificates are usually used in custom applications.
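The point above is that a server certificate lets the client check the server's identity before any credentials are sent, and that what the few remote users actually need installed is the root certificate that signed the mail server's certificate. The following is an added example (not from this thread or from Exchange) of a Secure POP3 client written that way in Python's standard library: the hardened context trusts only the privately distributed root (file name `root_ca_pem_path` is an assumed parameter) and checks the host name, beside the weak context that encrypts but authenticates nothing. Host, user and password are whatever you pass in; no Exchange-specific settings are assumed.

```python
import poplib
import ssl

POP3S_PORT = 995  # Secure POP3 (POP3 over SSL/TLS), the port discussed in the thread


def private_root_context(root_ca_pem_path=None):
    """Client TLS context that authenticates the mail server.

    root_ca_pem_path: the privately distributed root certificate that signed the
    server's certificate (assumed path). None falls back to the platform's
    built-in roots, which is the right choice for a certificate from a public CA.
    """
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True
    # and with NO trusted CAs, so only what we load below is trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if root_ca_pem_path is not None:
        ctx.load_verify_locations(cafile=root_ca_pem_path)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def weak_context():
    """The setting to avoid: encryption without server authentication.
    Any certificate, including an impostor's, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx):
    """True only if the handshake will fail for an unverified or misnamed server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def pop3s_login(host, user, password, root_ca_pem_path=None):
    """Send credentials only after the server has proved who it is."""
    ctx = private_root_context(root_ca_pem_path)
    if not context_authenticates_server(ctx):
        raise RuntimeError("refusing to send credentials without server authentication")
    # POP3_SSL completes the TLS handshake (and the certificate check) here;
    # an untrusted certificate raises ssl.SSLCertVerificationError before USER/PASS.
    conn = poplib.POP3_SSL(host, POP3S_PORT, context=ctx)
    try:
        conn.user(user)
        conn.pass_(password)
        message_count, _octets = conn.stat()
        return message_count
    finally:
        conn.quit()
```

A client certificate, the two-factor case described above, would be added to the hardened context with `ctx.load_cert_chain(...)`; this example covers server authentication only.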


banjo1960Author Commented:

Thanks for the good information. You explained the certificates very well.

I think now I will push the users to use OWA, which would be the best long-term solution. I will use certificates as you describe above.

Have a good day,
