I was just told today that all the VPs of the company were receiving smartphones/PDAs that are capable of receiving e-mail via Exchange ActiveSync. Unfortunately the phones are arriving today and I have to have them functioning by the end of the day.
I’ve scrambled through the Internet and found all the info I need to get this to work, but I am missing one piece: securing my Exchange. In order for the phone to communicate back to the Exchange server I need to have it exposed to the Internet. Could someone please give me a suggestion for the best way to secure my Exchange server with what I have in my current environment? I know that I can use Microsoft ISA Server or I can install a front-end Exchange server and place that in my DMZ, but I don’t currently have either in my network. What I’m looking for is a solution I can do today with what I have, so I can have the phones working by the end of the day without my Exchange server being totally exposed to hackers.
This is my environment: I have an Exchange Server 2003 SP2. I have a Check Point firewall (NGX R60) that protects my internal network from the outside. Currently my Exchange server is not directly exposed to the outside world. All of my incoming and outgoing e-mails go through a SonicWall e-mail gateway located in our DMZ.
Not all the phones/PDAs we are receiving support MSFP, so that means some of the phones can take advantage of the new Direct Push that comes with SP2 and other phones still have to respond to an SMS message sent by the provider. Whatever the security solution is, it has to take that into consideration.
This is what I know to do so far: I can NAT my Exchange server to an external IP address through the firewall. I can create a rule in Check Point to only allow traffic to that IP on port 80 – I believe port 80 is the port which ActiveSync uses. I know it also uses 443 if you’re using SSL, but I will not be using that for now.
Also, the smartphones will be using dynamic IPs, so there is no way to set up a rule that will allow only certain external IP addresses to the Exchange server; I will have to set my firewall rule to allow all external traffic access to my server on port 80.
I’m nervous about the security risk so I would like to know what is the best way to secure my exchange server using the technology I currently have.
Also I would appreciate if anyone could comment on what they currently use as a security solution for their exchange active sync setup.
Thanks in advance
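One check a practitioner in this situation would want, written as an added example (it is not from this thread, and not Microsoft's or Check Point's code): it reads the IIS 6 W3C log for the ActiveSync virtual directory, flags requests that arrived on port 80 (no SSL, so credentials and mail travelled in the clear) and counts 401 responses per source address, which is the only handle you have once the rule must accept any source IP. The field names are the IIS 6 W3C defaults for Exchange 2003; the log lines are constructed.

```python
from collections import Counter

# Constructed IIS 6 W3C log sample; entries with s-port 80 reached EAS without SSL.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-03-01 09:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=vp1 443 corp\\vp1 203.0.113.10 MSFT-PPC/5.1 200
2007-03-01 09:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=vp2 80 corp\\vp2 203.0.113.11 MSFT-SPhone/5.2 200
2007-03-01 09:00:03 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 80 - 198.51.100.7 Mozilla/4.0 401
2007-03-01 09:00:04 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 80 - 198.51.100.7 Mozilla/4.0 401
2007-03-01 09:00:05 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 80 - 198.51.100.7 Mozilla/4.0 401
2007-03-01 09:00:06 10.0.0.5 GET /exchange/ - 443 corp\\vp1 203.0.113.10 Mozilla/4.0 200
"""

EAS_PATH = "/microsoft-server-activesync"  # the EAS virtual directory on Exchange 2003

def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def audit_eas(text, fail_threshold=3):
    """Return (cleartext_requests, auth_failures_per_ip, suspicious_ips) for EAS traffic only."""
    cleartext = []
    failures = Counter()
    for e in parse_w3c(text):
        if e["cs-uri-stem"].lower() != EAS_PATH:
            continue  # OWA and other virtual directories are out of scope here
        if e["s-port"] == "80":
            # Arrived on the plain HTTP listener: Basic-auth credentials and mail in the clear.
            cleartext.append((e["c-ip"], e["cs-username"], e["cs-method"]))
        if e["sc-status"] == "401":
            failures[e["c-ip"]] += 1
    suspicious = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return cleartext, failures, suspicious

if __name__ == "__main__":
    clear, fails, sus = audit_eas(SAMPLE_LOG)
    print(f"{len(clear)} cleartext EAS request(s); IPs at/over the 401 threshold: {sus}")
```

Point it at the real log directory (%SystemRoot%\system32\LogFiles\W3SVC1 by default on IIS 6) and the port-80 list is empty only once the ActiveSync directory requires SSL.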