jhuntii
asked on
Secure Client Recommendations for MS Exchange
Hello experts:
I need some recommendations on how to implement remote Exchange clients. I have a client who has about 22 workstation with some remote offices. The main office has about about 18 workstations, then there are 3 remote offices with one or two PCs. The remote offices are connected over a site-site VPN using Netscreen 5GT's. I have also setup some remote VPNs for client access from home or away. We had the web site and POP3 email hosted with a third-party provider. Users can access email from work, home, etc. The owner wants some of the features available with Exchange. We installed a new server (SBS 2003), changed the MX record to point to our server and implemented Exchange. This works great in the office, (although I wonder if I should stay with PST delivery or switch everyone to the Mailbox) and I have some other questions. This is a medical equipment company, so I need to maintain a high level of security. I try to keep the firewall pretty tight. The only port that's currently open is 25 for SMTP email.
First, for the remote offices, since these are connected over VPNs, I haven't really worried about the security, but I don't want to saturate the bandwidth. (We have a fractional T1 (768k) at the main office with DSL at each remove office.) Should I use the regular Outlook client configured for MS Exchange in the offices or stay with POP3, or use IMAP??? We would like to share tasks and calendars.
Second - and more troublesome for me - is what is the best model for the remote clients, especially those without a VPN connection. I could configure all remote clients with a VPN, but the Netscreen 5GT only has 10 tunnels max (too few for their price IMHO) and I have to maintain the site-site connections for Point-of-Sale transactions. I could use Outlook Web Access, but I don't want to open port 80. (Is opening port 80 more vulnerable than opening port 25????) Would POP3 or IMAP over SSL be a good solution? Several remote users have a PC at work, plus check their email from home.
Any help or explanations would be helpful.
Thanks,
Jon
I need some recommendations on how to implement remote Exchange clients. I have a client who has about 22 workstation with some remote offices. The main office has about about 18 workstations, then there are 3 remote offices with one or two PCs. The remote offices are connected over a site-site VPN using Netscreen 5GT's. I have also setup some remote VPNs for client access from home or away. We had the web site and POP3 email hosted with a third-party provider. Users can access email from work, home, etc. The owner wants some of the features available with Exchange. We installed a new server (SBS 2003), changed the MX record to point to our server and implemented Exchange. This works great in the office, (although I wonder if I should stay with PST delivery or switch everyone to the Mailbox) and I have some other questions. This is a medical equipment company, so I need to maintain a high level of security. I try to keep the firewall pretty tight. The only port that's currently open is 25 for SMTP email.
First, for the remote offices, since these are connected over VPNs, I haven't really worried about the security, but I don't want to saturate the bandwidth. (We have a fractional T1 (768k) at the main office with DSL at each remove office.) Should I use the regular Outlook client configured for MS Exchange in the offices or stay with POP3, or use IMAP??? We would like to share tasks and calendars.
Second - and more troublesome for me - is what is the best model for the remote clients, especially those without a VPN connection. I could configure all remote clients with a VPN, but the Netscreen 5GT only has 10 tunnels max (too few for their price IMHO) and I have to maintain the site-site connections for Point-of-Sale transactions. I could use Outlook Web Access, but I don't want to open port 80. (Is opening port 80 more vulnerable than opening port 25????) Would POP3 or IMAP over SSL be a good solution? Several remote users have a PC at work, plus check their email from home.
Any help or explanations would be helpful.
Thanks,
Jon
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
you can create your own CA's.
anyone can create their own CA's.
The thing with CA's are the reputation of the Authoring Agent/Company ... their trustworthiness that is the key factor for things such as ecommerce and banking and so on.
http://www.openca.org/
http://www.onlamp.com/pub/a/onlamp/2003/02/06/linuxhacks.html
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29
http://sandbox.rulemaker.net/ngps/m2/howto.ca.html
http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/rsa_signing.html
http://www.openssl.org/
LOTS of other info on it in google too:
http://www.google.com/search?hl=en&ie=UTF-8&q=Create+SSL+certificate&btnG=Google+Search
http://www.google.com/search?hl=en&lr=&q=%22make+my+own+CA%22
http://www.google.com/search?hl=en&lr=&q=%22make+my+own+ssl+certificate%22&btnG=Search
anyone can create their own CA's.
The thing with CA's are the reputation of the Authoring Agent/Company ... their trustworthiness that is the key factor for things such as ecommerce and banking and so on.
http://www.openca.org/
http://www.onlamp.com/pub/a/onlamp/2003/02/06/linuxhacks.html
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29
http://sandbox.rulemaker.net/ngps/m2/howto.ca.html
http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/rsa_signing.html
http://www.openssl.org/
LOTS of other info on it in google too:
http://www.google.com/search?hl=en&ie=UTF-8&q=Create+SSL+certificate&btnG=Google+Search
http://www.google.com/search?hl=en&lr=&q=%22make+my+own+CA%22
http://www.google.com/search?hl=en&lr=&q=%22make+my+own+ssl+certificate%22&btnG=Search
ASKER
Thanks very much for all your help! I really appreciate it.
Jon
Jon
ASKER
Question - do I need to get an SSL from a commercial vendor or can I create the certificate myself on the 2003 SBS server? I have no idea how much they cost, but I'm not really using this for customers, just employees right now, so we can tell them to trust the certificate.
Thanks,
Jon