Secure Client Recommendations for MS Exchange

Hello experts:

   I need some recommendations on how to implement remote Exchange clients.  I have a client who has about 22 workstations with some remote offices.  The main office has about 18 workstations, then there are 3 remote offices with one or two PCs.  The remote offices are connected over a site-to-site VPN using Netscreen 5GTs.  I have also set up some remote VPNs for client access from home or away.  We had the web site and POP3 email hosted with a third-party provider.  Users can access email from work, home, etc.  The owner wants some of the features available with Exchange.  We installed a new server (SBS 2003), changed the MX record to point to our server and implemented Exchange.  This works great in the office (although I wonder if I should stay with PST delivery or switch everyone to the Mailbox), and I have some other questions.  This is a medical equipment company, so I need to maintain a high level of security.  I try to keep the firewall pretty tight.  The only port that's currently open is 25 for SMTP email.

   First, for the remote offices, since these are connected over VPNs, I haven't really worried about the security, but I don't want to saturate the bandwidth.  (We have a fractional T1 (768k) at the main office with DSL at each remote office.)  Should I use the regular Outlook client configured for MS Exchange in the offices, or stay with POP3, or use IMAP?  We would like to share tasks and calendars.

Second - and more troublesome for me - is what is the best model for the remote clients, especially those without a VPN connection.  I could configure all remote clients with a VPN, but the Netscreen 5GT only has 10 tunnels max (too few for their price IMHO) and I have to maintain the site-to-site connections for point-of-sale transactions.  I could use Outlook Web Access, but I don't want to open port 80.  (Is opening port 80 more vulnerable than opening port 25?)  Would POP3 or IMAP over SSL be a good solution?  Several remote users have a PC at work, plus check their email from home.

Any help or explanations would be helpful.


First off, port vulnerability is directly dependent upon two factors: one being the router and packet filtration technology (known exploits/SYN floods, alerts and filtration, etc.), and two being the server serving that port and its own security. With *standard* ports, you will see attempted traffic regardless, but that doesn't necessarily mean you are more or less vulnerable or that someone is trying to hack you. Barring any DoS/DDoS-specific attention, I don't think you have a lot to worry about if your security is up to snuff and the servers you are using are well managed and enterprise class.

SSL is definitely the way to go with sensitive information, especially when being accessed over questionable connections you aren't in control of.

As to saturation of the fractional T1, you need to do what you have to in order to give your management what they require. If they require a wider pipe for the services they need, so be it, but I don't see that being a huge issue either with the limited user load you are talking about here.

From the sounds of things, you've got a good grasp on it already.

Secure certificates are inexpensive and pretty much open up the world to you in terms of what you can do.  Outlook Web Access is pretty feature rich under Exchange 2003, although there are obvious limitations to the interface.  If your clients are all running Outlook 2003, you could implement RPC over HTTPS, allowing your Outlook 2003 clients to connect to Exchange over port 443.

As for the overseas offices, Outlook 2003 running in cached mode performs pretty well for us and improves the user experience for staff at the other end of a limited bandwidth connection.

IMAP and POP3 are too much hassle IMHO.  POP3 is a big no-no because mail can easily be downloaded from the mailbox inadvertently.  Also, POP3 and IMAP are less secure and it is much easier to sniff for those kinds of passwords.  The user experience isn't great either - you have to manually configure inbound and outbound servers. If you have remote staff using them, then you have to configure your SMTP gateway to allow them to send, etc., and you have to use LDAP for name lookups.

So, if you have Outlook 2003 everywhere, then think about RPC over HTTPS.  If not, then OWA might be the way to go.
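To make the sniffing point in the answer above concrete, here is an added example (not code from this thread, and not an Exchange or Outlook component): a small scanner that reads the client side of a captured mail session and pulls the login out of it. The sessions it scans are constructed for the demo, and the account names and passwords in them are invented. Against plain POP3 (port 110) or IMAP (port 143) it recovers the password directly, including SASL PLAIN, which is only base64; against the TLS-wrapped equivalents (POP3S, IMAPS, OWA over HTTPS, RPC over HTTPS) there is nothing in the stream to match, which is the difference the answer is pointing at.

```python
"""Scan a captured client->server mail session for cleartext credentials.

Added example, not code from the thread. It shows why plain POP3 (110) and
IMAP (143) logins are readable by anyone on the path, while the same login
inside TLS (POP3S/IMAPS/HTTPS) yields nothing. All sample sessions below are
constructed for this demo; no real capture is used.
"""
import base64
import re
from typing import List, Optional, Tuple

# POP3 two-step login: "USER name" then "PASS secret".
POP3_USER = re.compile(r"^USER\s+(\S+)\s*$", re.I)
POP3_PASS = re.compile(r"^PASS\s+(.+?)\s*$", re.I)
# IMAP one-step login: 'tag LOGIN name secret' or 'tag LOGIN "name" "secret"'.
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+("?)(\S+?)\1\s+("?)(.+?)\3\s*$', re.I)
# SASL PLAIN on either protocol: "AUTH PLAIN [blob]" (POP3) or
# "tag AUTHENTICATE PLAIN [blob]" (IMAP); the blob may follow on the next line.
SASL_PLAIN = re.compile(r"^(?:\S+\s+)?AUTH(?:ENTICATE)?\s+PLAIN(?:\s+(\S+))?\s*$", re.I)


def decode_sasl_plain(blob: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a base64 SASL PLAIN blob, else None.

    PLAIN is base64("authzid\\0authcid\\0password"): encoding, not encryption.
    It is exactly as private as the transport carrying it.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_credentials(client_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (mechanism, user, password) for every login seen in the stream."""
    found: List[Tuple[str, str, str]] = []
    pending_user: Optional[str] = None   # USER seen, PASS not yet
    expect_blob = False                   # AUTH PLAIN sent, blob on next line
    for raw_line in client_lines:
        line = raw_line.rstrip("\r\n")
        if expect_blob:
            expect_blob = False
            creds = decode_sasl_plain(line)
            if creds:
                found.append(("SASL PLAIN", creds[0], creds[1]))
            continue
        m = POP3_USER.match(line)
        if m:
            pending_user = m.group(1)
            continue
        m = POP3_PASS.match(line)
        if m and pending_user is not None:
            found.append(("POP3", pending_user, m.group(1)))
            pending_user = None
            continue
        m = IMAP_LOGIN.match(line)
        if m:
            found.append(("IMAP", m.group(2), m.group(4)))
            continue
        m = SASL_PLAIN.match(line)
        if m:
            if m.group(1):                # initial response on the same line
                creds = decode_sasl_plain(m.group(1))
                if creds:
                    found.append(("SASL PLAIN", creds[0], creds[1]))
            else:
                expect_blob = True
    return found


# Constructed client-side sessions; account names and passwords are made up.
SAMPLE_POP3 = ["USER jdoe", "PASS Winter2005!", "STAT", "QUIT"]
SAMPLE_IMAP = ['a001 LOGIN "jdoe" "Winter2005!"', "a002 SELECT INBOX", "a003 LOGOUT"]
SAMPLE_SASL = ["a001 AUTHENTICATE PLAIN", "AGJvYgBzZWNyZXQ=", "a002 LOGOUT"]
# The same login once wrapped in TLS (POP3S/IMAPS/HTTPS) as a sniffer sees it:
# an opaque handshake record (0x16 0x03 0x01 = TLS handshake), nothing to match.
SAMPLE_TLS = ["\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x03\x5b\x2a\x9f\x07"]

if __name__ == "__main__":
    for name, session in [("POP3", SAMPLE_POP3), ("IMAP", SAMPLE_IMAP),
                          ("SASL PLAIN", SAMPLE_SASL), ("TLS-wrapped", SAMPLE_TLS)]:
        print(f"{name:12s} -> {extract_credentials(session) or 'nothing readable'}")
```

On a real network you would feed `extract_credentials` the reassembled client-to-server TCP stream from a packet capture rather than these hand-written lists. Note that STARTTLS on 110/143 only protects the login if the client refuses to fall back to cleartext when the upgrade fails; the dedicated TLS ports (995/993) and HTTPS-based access avoid that negotiation altogether.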

jhuntii (Author) commented:
Well, I think I may do two options - OWA SSL and perhaps RPC over HTTPS.  If I keep port 80 closed, maybe I'll feel more secure... :)

Question - do I need to get an SSL certificate from a commercial vendor, or can I create the certificate myself on the 2003 SBS server?  I have no idea how much they cost, but I'm not really using this for customers, just employees right now, so we can tell them to trust the certificate.

jhuntii (Author) commented:
Thanks very much for all your help!   I really appreciate it.
