

Non-ISA server secure remote access to Exchange 2003

Posted on 2006-03-23
Medium Priority
Last Modified: 2008-02-07
I have seen a lot of good posts about remote email access to an internal (behind firewall) Exchange 2003 server.  Thank you all for your excellent input!

I am faced with the same thing.  I am bringing small business email from a hosted solution to on-site Exchange 2003 box.

The facts are:

1. Remote access is only by 3-4 out of 30 users. This remote access is part time (home and when travelling)
2. They prefer POP3, as it is the current method to access the ISP hosted server.  I would leave messages on the server.
3. I do not think adding ISA 2004 is justifiable. It could sit between DMZ and internal.
4. This leaves me with incoming remote connections to an internal server behind firewall. (not my first choice).
5. I understand that RPC over HTTP is an option.
6. I understand that Secure POP3 is an option

With 5 or 6 does the SSL provide authentication protection, or just transport encryption?  I assume if this was done with a pre-shared key then more authentication protection would be present?  I am trying to determine the best way to mitigate the risk of having the Secure POP3 port accept connections from the world.


Question by:banjo1960
LVL 104

Expert Comment

ID: 16276306
I would strongly advise against using POP3 in any context. There are too many opportunities for email to be sucked off the server as the POP3 leave on server setting is client side. You cannot control it from the server.

SSL on RPC over HTTPS provides a secure connection all the way. It is just like using your bank - uses the same technology. Outlook makes a call on SSL to the server, is asked to authenticate and then makes the connection. If you are using a machine that is a member of the domain then you will get pass through authentication making it totally transparent to the users.

Don't forget that you get OWA, OMA and handheld support with Exchange 2003, so you have lots of remote options.

From a ports point of view, I have no issue with 443 coming straight in. Ditto for 25 (SMTP). Secure POP3 should be ok as well. You probably want to avoid using straight POP3 as that sends the username and password across in the clear.


Author Comment

ID: 16276796

Thanks for the clear explanation.  I agree with straight POP3.

When using SSL for any of these methods, would I then distribute the cert to the clients "privately?"  This situation only applies to a few users in a fairly static environment.

I am trying to understand how the SSL helps with authentication, other than just encrypting the username and password. I would like to use it to increase trust of who is connecting.

LVL 104

Accepted Solution

Sembee earned 1000 total points
ID: 16284106
There are two types of certificate - client and server.
Server SSL support is very widespread, and that is what I tend to deploy most. In fact I haven't done a client certificate installation for quite some time.
What the server SSL certificate does is prove to the calling device that the server is who it says it is. An encrypted session is then established and authentication credentials passed over that encrypted session. It doesn't actually aid the authentication process in any way, other than allowing the credentials to be sent over in a manner where they cannot be sniffed.

Think bank, ecommerce sites - same technology.

The certificate would not be deployed to the users, in much the same way that you don't have the certificate from Amazon on your machine. What is deployed to the users is the root certificate that signed your certificate. The main root certificates are already in the browser.

Client certificates are a lot more complex to manage. Each user has their own. It fits in with the two factor authentication model - something you have (the certificate) and something you know (password). Authentication still takes place.
Client certificate support would be required from the application. Outside of a web browser session client certificates are usually used in custom applications.
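To make the two points above concrete (straight POP3 exposes the username and password unless TLS is in place, and a server certificate only lets the client verify the server, not the other way round), here is an added example that is not part of the original thread. It uses only the Python standard library; the POP3 transcripts and the host name are constructed, and `my-root-ca.pem` is a placeholder for the private root you would hand to the remote users.

```python
"""Added example (not from the original thread): two small checks that make
the accepted answer's points concrete.

1. Straight POP3 sends USER/PASS in the clear unless the client uses the
   implicit-TLS port (995) or issues STLS (RFC 2595) before authenticating.
   audit_pop3_session() walks the client side of a captured session and
   reports whether credentials went over the wire unprotected.

2. A TLS client policy for POP3S that requires the server certificate to
   chain to a trusted root and to match the host name.  That is what handing
   the remote users your root certificate buys: the client can prove who the
   server is.  It says nothing about who the client is; that still comes from
   the password (or, optionally, a client certificate loaded here).
"""
import poplib
import ssl
from typing import Dict, List, Optional

POP3_TLS_PORT = poplib.POP3_SSL_PORT   # 995, implicit TLS (POP3S)
POP3_CLEAR_PORT = poplib.POP3_PORT     # 110, cleartext unless STLS is used


def audit_pop3_session(port: int, client_commands: List[str]) -> Dict[str, object]:
    """Classify one POP3 session from the client's commands, in order.

    `client_commands` is a constructed transcript such as
    ["USER alice", "PASS s3cret", "STAT", "QUIT"]; server replies are omitted
    because only what the client sends matters for credential exposure.
    """
    encrypted = port == POP3_TLS_PORT   # TLS from the first byte on 995
    exposed: List[str] = []
    for line in client_commands:
        verb = line.strip().split(" ", 1)[0].upper()
        if verb == "STLS":
            # Explicit TLS upgrade: everything after this line is inside TLS.
            encrypted = True
        elif verb in ("USER", "PASS") and not encrypted:
            exposed.append(verb)
    return {
        "port": port,
        "cleartext_credentials": bool(exposed),
        "exposed_commands": exposed,
    }


def pop3s_client_context(root_ca_pem: Optional[str] = None,
                         client_cert_pem: Optional[str] = None) -> ssl.SSLContext:
    """Build the verification policy a POP3S (or RPC-over-HTTPS) client needs.

    root_ca_pem:     PEM file holding the root that signed the server's
                     certificate.  For a public CA it is already in the OS
                     store; for a private CA this one file is what you give
                     the handful of remote users (the server cert itself is
                     never distributed, exactly as the answer says).
    client_cert_pem: optional client certificate plus key, the "something you
                     have" factor.  Only useful if the server is configured to
                     request client certificates.
    """
    # PROTOCOL_TLS_CLIENT defaults to verify_mode=CERT_REQUIRED and
    # check_hostname=True, so an unknown or mismatched server cert fails the
    # handshake instead of silently proceeding.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if root_ca_pem:
        ctx.load_verify_locations(cafile=root_ca_pem)
    else:
        ctx.load_default_certs()
    if client_cert_pem:
        ctx.load_cert_chain(certfile=client_cert_pem)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject an unverified or mis-named server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed transcripts: the same client talking to the server three ways.
    sessions = {
        "plain POP3":  (POP3_CLEAR_PORT, ["USER alice", "PASS s3cret", "STAT", "QUIT"]),
        "POP3 + STLS": (POP3_CLEAR_PORT, ["STLS", "USER alice", "PASS s3cret", "QUIT"]),
        "POP3S (995)": (POP3_TLS_PORT,   ["USER alice", "PASS s3cret", "QUIT"]),
    }
    for name, (port, cmds) in sessions.items():
        print(f"{name:12s} -> {audit_pop3_session(port, cmds)}")

    ctx = pop3s_client_context()   # root_ca_pem="my-root-ca.pem" for a private CA
    print("strict server verification:", context_is_strict(ctx))
    # To use it: poplib.POP3_SSL("mail.example.com", POP3_TLS_PORT, context=ctx)
    # (placeholder host name; nothing in this script opens a network connection)
```

The audit function is the kind of check you would run over a connection log or packet capture to find clients still authenticating in the clear on port 110. The context builder shows the asymmetry the answer describes: with the root certificate installed, the client refuses to talk to an impostor server, but the server still has only the password to decide who the client is unless `client_cert_pem` is supplied and the server is set up to demand it.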


Author Comment

ID: 16303565

Thanks for the good information. You explained the certificates very well.

I think now I will push the users to use OWA, which would be the best long-term solution. I will use certificates as you describe above.

Have a good day,

