How to secure Exchange ActiveSync from external hackers

Posted on 2006-06-15
Medium Priority
Last Modified: 2010-05-18
I was just told today that all the VPs of the company were receiving smartphones/PDAs that are capable of receiving e-mail via Exchange ActiveSync. Unfortunately the phones are arriving today and I have to have them functioning by the end of the day.

I’ve scrambled through the Internet and found all the info I need to get this to work, but I am missing one piece: securing my Exchange. In order for the phone to communicate back to the Exchange server I need to have it exposed to the Internet. Could someone please give me a suggestion for the best way to secure my Exchange server with what I have in my current environment? I know that I can use Microsoft ISA Server or I can install a front-end Exchange server and place that in my DMZ, but I don’t currently have either in my network. What I’m looking for is a solution I can do today with what I have, so I can have the phones working by the end of the day without my Exchange server being totally exposed to hackers.

This is my environment: I have an Exchange Server 2003 SP2. I have a Check Point firewall (NGX R60) that protects my internal network from the outside. Currently my Exchange server is not directly exposed to the outside world. All of my incoming and outgoing e-mails go through a SonicWall e-mail gateway located in our DMZ.

Not all the phones/PDAs we are receiving support MSFP, so that means some of the phones can take advantage of the new Direct Push that comes with SP2 and other phones still have to respond to an SMS message sent by the provider. Whatever the security solution is, it has to take that into consideration.

This is what I know to do so far: I can NAT my Exchange server to an external IP address through the firewall. I can create a rule in Check Point to only allow traffic to that IP on port 80; I believe port 80 is the port that ActiveSync uses. I know it also uses 443 if you’re using SSL, but I will not be using that for now.

Also, the smartphones will be using dynamic IPs, so there is no way to set up a rule that will allow only certain external IP addresses to the Exchange server; I will have to set my firewall rule to allow all external traffic access to my server on port 80.

I’m nervous about the security risk, so I would like to know what is the best way to secure my Exchange server using the technology I currently have.

Also, I would appreciate it if anyone could comment on what they currently use as a security solution for their Exchange ActiveSync setup.

Thanks in advance
Question by: SHAX
Accepted Solution

sgh_aba earned 672 total points
ID: 16911864

You can set up your SonicWall to port-forward port 80 to the internal Exchange server. Then open up incoming port 80 on the Check Point to the SonicWall (for the one IP).
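
An added example, not part of this thread or of either vendor's documentation, showing what the port-80 forward above exposes. Exchange 2003 ActiveSync authenticates the device with HTTP Basic authentication, so on a plain port-80 forward the user's domain credentials cross the Internet base64-encoded, not encrypted. The script reconstructs what an on-path observer recovers from the very first request a device sends (the OPTIONS probe to the /Microsoft-Server-ActiveSync virtual directory). The captured request, mail.example.com, the account CORP\vp.jones and its password are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): what a sniffer between the carrier and
# the firewall sees when ActiveSync is exposed on tcp/80.
# The capture below is constructed; host, user and password are made up.

CAPTURED_REQUEST='OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Host: mail.example.com
Authorization: Basic Q09SUFx2cC5qb25lczpTdW1tZXIyMDA2IQ==
User-Agent: MSFT-PPC/5.2.1700
Content-Length: 0
'

# Pull the base64 token out of the Authorization header of a raw HTTP request.
# Prints nothing if the request carries no Basic credentials.
extract_basic_token() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^Authorization: Basic //p'
}

# Base64 is encoding, not encryption: turn the token back into DOMAIN\user:password.
decode_basic_token() {
    printf '%s' "$1" | base64 -d
}

# Raw request in, cleartext credentials out. This is the whole attack on port 80;
# on port 443 the same bytes are inside the TLS record layer and unreadable.
credentials_from_request() {
    decode_basic_token "$(extract_basic_token "$1")"
}

main() {
    creds=$(credentials_from_request "$CAPTURED_REQUEST")
    # printf, not echo: dash's echo would interpret the backslash in DOMAIN\user.
    printf 'Recovered from the port-80 request: %s\n' "$creds"
}
main
```

Running it prints the VP's domain account and password exactly as a wire capture would yield them, which is the practical argument for opening 443 with a certificate instead of 80.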



Assisted Solution

Kumar_Jayant123 earned 664 total points
ID: 16912312

Using certs would be the best way to secure the Exchange server, no doubt.

As you said your mail is coming through a SonicWall e-mail gateway, does it support your OWA too? OWA (HTTP) and ActiveSync work in the same manner, and if it does you don't need to worry.

The other way of doing it would be to do port forwarding on your firewall to the Exchange server on port 80.

One more thing... There are two ways in which your mobile device synchronizes with Exchange:
1. Active sync
2. Hot Sync

For ActiveSync there is no need to make any changes, but I am not very sure about HotSync.

Have a look at this article:


Hope this helps..

Assisted Solution

securityresearch earned 664 total points
ID: 16972980

I run quite the same setup, but use another firewall. Port 80 or 443 must be enabled. You need a valid certificate for 443, so you either buy a really good one which is included in the store of the devices (http://www.ssl-certificates.com and use True Business ID) or you create your own and import it into the device store. If your devices support push mail and the security feature pack you are ready to go. If not, set up a short poll interval or consider the SMS solution. Since losing these devices is a big risk, I would consider upgrading them all so you can delete mail stores remotely in case of a theft.
Also set up a password policy for the devices. If you are paranoid you can also consider setting up these services behind VPN and instructing the user to make a VPN connection, but then push mail won't work.

hope that helps!
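
An added example, not from the thread, for the "create your own and import it into the device store" option above, which is the one that can be done the same day. It produces a self-signed RSA certificate whose common name matches the external name the devices will be pointed at, a PKCS#12 bundle (key plus certificate) for the server side, and a DER .cer copy of the public certificate for the devices' trusted root store, then checks that the pieces fit together. The hostname mail.example.com, the output directory and the bundle password are assumptions; the validity period is an example, not a recommendation.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed certificate for the
# ActiveSync host so tcp/443 can be used instead of tcp/80 today.
# EAS_HOST, OUT_DIR and the pfx password are placeholders for the example.
set -e

EAS_HOST="${EAS_HOST:-mail.example.com}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Key + self-signed certificate. The CN (and SAN) must equal the name the
# devices connect to, or the device refuses the TLS session.
make_eas_cert() {
    host="$1"; dir="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -keyout "$dir/eas.key" -out "$dir/eas.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    chmod 600 "$dir/eas.key"
    # Key + cert bundle for the server (IIS imports .pfx). Password is an example.
    openssl pkcs12 -export -inkey "$dir/eas.key" -in "$dir/eas.crt" \
        -out "$dir/eas.pfx" -passout pass:changeit
    # Public certificate only, DER form, for copying onto each device.
    openssl x509 -in "$dir/eas.crt" -outform DER -out "$dir/eas.cer"
}

# Checks worth running before handing the .cer out: right name, key matches,
# not expired, DER copy parses.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}
der_cert_readable() {
    openssl x509 -in "$1" -inform DER -noout -subject >/dev/null
}

make_eas_cert "$EAS_HOST" "$OUT_DIR"
printf 'Certificate for %s written to %s (eas.pfx for the server, eas.cer for the devices)\n' \
    "$(cert_subject_cn "$OUT_DIR/eas.crt")" "$OUT_DIR"
```

The .pfx goes onto the Exchange server's Default Web Site through the IIS certificate wizard, and the .cer is copied to each device and opened there so the device trusts the self-signed issuer. A purchased certificate from a root already on the devices skips the per-device import step, which matters once the fleet grows; a self-signed one also has to be re-distributed when it is renewed.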
