Secure Client Recommendations for MS Exchange

Posted on 2006-04-03
Last Modified: 2010-04-11
Hello experts:

   I need some recommendations on how to implement remote Exchange clients.  I have a client who has about 22 workstations with some remote offices.  The main office has about 18 workstations, then there are 3 remote offices with one or two PCs.  The remote offices are connected over a site-site VPN using Netscreen 5GT's.  I have also set up some remote VPNs for client access from home or away.  We had the web site and POP3 email hosted with a third-party provider.  Users can access email from work, home, etc.  The owner wants some of the features available with Exchange.  We installed a new server (SBS 2003), changed the MX record to point to our server and implemented Exchange.  This works great in the office, (although I wonder if I should stay with PST delivery or switch everyone to the Mailbox) and I have some other questions.  This is a medical equipment company, so I need to maintain a high level of security.  I try to keep the firewall pretty tight.  The only port that's currently open is 25 for SMTP email.

   First, for the remote offices, since these are connected over VPNs, I haven't really worried about the security, but I don't want to saturate the bandwidth.  (We have a fractional T1 (768k) at the main office with DSL at each remote office.)  Should I use the regular Outlook client configured for MS Exchange in the offices or stay with POP3, or use IMAP???  We would like to share tasks and calendars.

Second - and more troublesome for me - is what is the best model for the remote clients, especially those without a VPN connection.  I could configure all remote clients with a VPN, but the Netscreen 5GT only has 10 tunnels max (too few for their price IMHO) and I have to maintain the site-site connections for Point-of-Sale transactions.  I could use Outlook Web Access, but I don't want to open port 80.  (Is opening port 80 more vulnerable than opening port 25????)  Would POP3 or IMAP over SSL be a good solution?  Several remote users have a PC at work, plus check their email from home.

Any help or explanations would be helpful.

Question by:jhuntii
    LVL 5

    Accepted Solution

    First off, port vulnerability is directly dependent upon two factors ... one being the router and packet filtration technology (known exploits/syn floods--alerts and filtration, etc), and two being the server serving that port and its own security. With *standard* ports, you will see attempted traffic regardless, but that doesn't necessarily mean you are more or less vulnerable or someone is trying to hack you. Barring any DoS/DDoS specific attention, I don't think you have a lot to worry about if your security is up to snuff and the server you are using is well managed and enterprise class.

    SSL is definitely the way to go with sensitive information, especially when being accessed over questionable connections you aren't in control of.

    As to saturation of the Fractional T ... you need to do what you have to in order to give your management what they require ... if they require a wider pipe for the services they need, so be it, but I don't see that being a huge issue either with the limited user load you are talking about here.

    From the sounds of things you got a good grasp on it already.

    LVL 13

    Assisted Solution

    Secure certificates are inexpensive and pretty much open up the world to you in terms of what you can do.  Outlook Web Access is pretty feature rich under Exchange 2003 although there are obvious limitations to the interface.  If your clients are all running Outlook 2003, you could implement RPC over HTTPS allowing your Outlook 2003 clients to connect to Exchange over port 443.

    As for the overseas offices, Outlook 2003 running in cached mode performs pretty well for us and improves the user experience for staff at the other end of a limited bandwidth connection.

    IMAP and POP3 are too much hassle IMHO.  POP3 is a big no no because mail can easily be downloaded from the mailbox inadvertently.  Also, POP3 and IMAP are less secure and it is much easier to sniff for those kinds of passwords.  The user experience isn't great either - you have to manually configure inbound and outbound servers. If you have remote staff using them, then you have to configure your SMTP gateway to allow them to send, etc... and you have to use LDAP for name lookups.

    So, if you have Outlook 2003 everywhere, then think about RPC over HTTPS.  If not, then OWA might be the way to go.
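
Added illustration, not part of the original answer: a Python audit sketch showing why POP3 and IMAP without SSL expose logins. It scans client command lines as they would appear in a capture on ports 110/143 and lists the accounts whose login is readable on the wire. The sessions, account names and function names are constructed for this example.

```python
import base64
import re

# Constructed client-to-server lines as they would appear in a capture on
# ports 110 (POP3) and 143 (IMAP) without SSL. Accounts are made up.
SAMPLE_SESSIONS = {
    "pop3-plain": ["USER jsmith", "PASS Spring2006!", "STAT", "QUIT"],
    "imap-login": ['a1 LOGIN "mjones" "hunter2"', "a2 SELECT INBOX"],
    "imap-sasl": ["a1 AUTHENTICATE PLAIN AGtsZWUAcGFzc3dvcmQx", "a2 LOGOUT"],
    "pop3-stls": ["CAPA", "STLS"],  # everything after STLS is encrypted
}

POP3_USER = re.compile(r"^USER\s+(\S+)", re.I)
POP3_PASS = re.compile(r"^PASS\s+\S", re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+\S', re.I)
SASL_PLAIN = re.compile(r"^(?:\S+\s+)?AUTH(?:ENTICATE)?\s+PLAIN\s+(\S+)", re.I)
TLS_UPGRADE = re.compile(r"^(?:\S+\s+)?(?:STLS|STARTTLS)\s*$", re.I)


def exposed_logins(lines):
    """Return (mechanism, username) pairs readable by anyone on the path.

    Passwords are never returned; the point is which accounts are exposed.
    """
    findings, pending_user = [], None
    for line in lines:
        if TLS_UPGRADE.match(line):
            break  # session switches to TLS; later commands are not visible
        if m := POP3_USER.match(line):
            pending_user = m.group(1)
        elif POP3_PASS.match(line) and pending_user:
            findings.append(("POP3 USER/PASS", pending_user))
            pending_user = None
        elif m := IMAP_LOGIN.match(line):
            findings.append(("IMAP LOGIN", m.group(1)))
        elif m := SASL_PLAIN.match(line):
            # SASL PLAIN is base64 of authzid NUL authcid NUL password:
            # an encoding, not encryption.
            parts = base64.b64decode(m.group(1)).split(b"\0")
            if len(parts) == 3:
                findings.append(("SASL PLAIN", parts[1].decode()))
    return findings


def audit(sessions):
    """Map each session name to the logins it exposes in cleartext."""
    return {name: exposed_logins(lines) for name, lines in sessions.items()}
```

Sessions that report no findings are the ones that upgraded to TLS before authenticating, or that ran over the SSL ports (993/995) and so never show commands in a capture at all.
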

    Author Comment

    Well, I think I may do two options - OWA SSL and perhaps RPC over HTTPS.  If I keep port 80 closed, maybe I'll feel more secure... :)

    Question - do I need to get an SSL from a commercial vendor or can I create the certificate myself on the 2003 SBS server?  I have no idea how much they cost, but I'm not really using this for customers, just employees right now, so we can tell them to trust the certificate.  

    LVL 5

    Expert Comment


    Author Comment

    Thanks very much for all your help!   I really appreciate it.

