Non-ISA server secure remote access to Exchange 2003

Posted on 2006-03-23
Last Modified: 2008-02-07
I have seen a lot of good posts about remote email access to an internal (behind firewall) Exchange 2003 server.  Thank you all for your excellent input!

I am faced with the same thing.  I am bringing small business email from a hosted solution to on-site Exchange 2003 box.

The facts are:

1. Remote access is only by 3-4 out of 30 users. This remote access is part time (home and when travelling)
2. They prefer POP3, as it is the current method to access the ISP hosted server.  I would leave messages on the server.
3. I do not think adding ISA 2004 is justifiable. It could sit between DMZ and internal.
4. This leaves me with incoming remote connections to an internal server behind firewall. (not my first choice).
5. I understand that RPC over HTTP is an option.
6. I understand that Secure POP3 is an option

With 5 or 6 does the SSL provide authentication protection, or just transport encryption?  I assume if this was done with a pre-shared key then more authentication protection would be present?  I am trying to determine the best way to mitigate the risk of having the Secure POP3 port accept connections from the world.


Question by:banjo1960
    LVL 104

    Expert Comment

    I would strongly advise against using POP3 in any context. There are too many opportunities for email to be sucked off the server as the POP3 leave on server setting is client side. You cannot control it from the server.

    SSL on RPC over HTTPS provides a secure connection all the way. It is just like using your bank - uses the same technology. Outlook makes a call on SSL to the server, is asked to authenticate and then makes the connection. If you are using a machine that is a member of the domain then you will get pass through authentication making it totally transparent to the users.

    Don't forget that you get OWA, OMA and handheld support with Exchange 2003, so you have lots of remote options.

    From a ports point of view, I have no issue with 443 coming straight in. Ditto for 25 (SMTP). Secure POP3 should be ok as well. You probably want to avoid using straight POP3 as that sends the username and password across in the clear.

    LVL 1

    Author Comment


    Thanks for the clear explanation.  I agree with straight POP3.

    When using SSL for any of these methods, would I then distribute the cert to the clients "privately?"  This situation only applies to a few users in a fairly static environment.

    I am trying to understand how the SSL helps with authentication, other than just encrypting the username and password. I would like to use it to increase trust of who is connecting.

    LVL 104

    Accepted Solution

    There are two types of certificate - client and server.
    Server SSL support is very widespread, and that is what I tend to deploy most. In fact I haven't done a client certificate installation for quite some time.
    What the server SSL certificate does is prove to the calling device that the server is who it says it is. An encrypted session is then established and authentication credentials passed over that encrypted session. It doesn't actually aid the authentication process in any way, other than allowing the credentials to be sent over in a manner where they cannot be sniffed.

    Think bank, ecommerce sites - same technology.

    The certificate would not be deployed to the users, in much the same way that you don't have the certificate from Amazon on your machine. What is deployed to the users is the root certificate that signed your certificate. The main root certificates are already in the browser.

    Client certificates are a lot more complex to manage. Each user has their own. It fits in with the two factor authentication model - something you have (the certificate) and something you know (password). Authentication still takes place.
    Client certificate support would be required from the application. Outside of a web browser session client certificates are usually used in custom applications.
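
The trust relationship described in this answer, as an added example that is not part of the original thread and has nothing to do with Exchange itself: a throwaway private root CA is created with the openssl command line, a server certificate is issued under it, and the checks a client performs are run with `openssl verify`. It assumes a POSIX shell with the openssl CLI (1.1.0 or later) on the path; the CA names `corp-root` and `other-root`, the host name `mail.example.invalid` and the user `alice` are constructed for the demonstration. It shows that what the client needs is the root that signed the server certificate, that a certificate for the same host name from a root the client was never given is rejected, and that a client certificate is checked for the client-authentication purpose rather than accepted as a server identity.

```shell
#!/bin/sh
# Added example (not from the original thread): private root CA, server cert,
# client cert, and the validation a client performs against the root it trusts.
set -eu

WORK=$(mktemp -d)   # scratch directory; every file in it is constructed here

# Minimal openssl config: a CA section, a server-leaf section, a client-leaf section.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.invalid
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root. This is the certificate that gets deployed to clients.
make_root_ca() {  # $1 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" >/dev/null 2>&1
}

# Certificate request signed by the named CA with the named extension section.
issue_cert() {  # $1 = issuing CA, $2 = file name, $3 = extension section, $4 = CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$4" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions "$3" \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# What the calling device does with a server certificate: build the chain to a
# root it trusts, check the certificate is meant for a server, and check the name.
# -no-CAfile/-no-CApath ignore the OS trust store so only the given root counts.
verify_server() {  # $1 = trusted root, $2 = certificate, $3 = expected host name
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
        -purpose sslserver -verify_hostname "$3" "$WORK/$2.pem" >/dev/null 2>&1
}

# What an application that requires client certificates does with one.
verify_client() {  # $1 = trusted root, $2 = certificate
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
        -purpose sslclient "$WORK/$2.pem" >/dev/null 2>&1
}

setup() {
    make_root_ca corp-root                                   # the root the users get
    make_root_ca other-root                                  # a root the users never get
    issue_cert corp-root  mail       v3_server mail.example.invalid   # the mail front end
    issue_cert other-root other-mail v3_server mail.example.invalid   # same name, other root
    issue_cert corp-root  alice      v3_client alice                  # a user's client cert
}

# Stand-alone demonstration: only the certificate chained to corp-root is accepted.
setup
for c in mail other-mail; do
    if verify_server corp-root "$c" mail.example.invalid; then
        echo "$c: accepted"
    else
        echo "$c: rejected"
    fi
done
```

The two `verify_server` calls are the whole point of "the server is who it says it is": the client never holds the server certificate in advance, it holds the root, and any certificate for the right name that does not chain to that root is rejected. `verify_client` is the server-side counterpart when client certificates are used, and it is a separate check from the password the user still types.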

    LVL 1

    Author Comment


    Thanks for the good information. You explained the certificates very well.

    I think now I will push the users to use OWA, which would be the best long-term solution. I  will use certificates as you describe above.

    Have a good day,
