Remote ActiveSync or e-mail w/Exchange (Server Security)

Hello,

I am running a network of four Exchange 2000 servers in three locations, serving about 80 users. Four or five users in the company are requesting the ability to download e-mail from the exchange server to their portable devices (Smartphones running Windows Mobile 2003 & 5.0)

Obviously, because of network security implications, this is kind of going to be a pain. Up until now, I have dragged my feet about this, doing research and experimenting with different ideas without implenting a final solution, but now some of those users are higher up the ladder and something finally needs to be done.

Here are the solutions (and problems with each) I have looked at so far:

1) Set the Smartphones up to log into the corporate VPN and then ActiveSync as if they were on the local network. This would be the ideal solution, unfortunately, the Window Mobile 5.0 VPN solutions are anything but robust. I have yet to complete a working ActiveSync session. It's hard enough to tunnel between WinXP and the Cisco - doing it from a smartphone is a nightmare. In addition, I understand that some providers block PPTP (1723,GRE) packets.

2) Port forwarding 143 on the corporate firewalls to the Exchange servers, and forcing users to use IMAP e-mail access on the smartphones. This is probably the most workable solution I have so far, but it doesn't allow access to the rest of their Outlook (Calendar, etc), and it's also cumbersome to access any folder other than the Inbox (You have to manually tell it to sync each one) I'm not totally excited about leaving the IMAP server open to attack on the 'net, but you have to do what you have to do.

3) Set up an isolated Exchange server in a DMZ that is accessible from the internet, and can communicate only to other Exchange servers. This should work reasonably well, but still leaves the network pretty wide open (Especially since the server needs to access AS, etc. from the others) - I'm really only willing to do this as a last resort.

Maybe I'm making this more difficult than it ought to be, but I'm looking for a solution that from the users perspective is robust and easy to use, and from my perspective leaves the network safe and secure.

Full points will be awarded to anyone who has something similar to (1) working.

I'm also open to thoughts on (2) and (3), and any other workable solutions anyone may have.
LVL 3
matheweisAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
SembeeConnect With a Mentor Commented:
Exchange 2000 doesn't really do mobile working. It has only really picked up with Exchange 2003 SP2 and Windows Mobile 5.0.

Probably the best solution using what you have is IMAP based. You could wrap it in to SSL - which will require an SSL certificate that is supported by the device, or importing the SSL certificate.

Exchange in a DMZ is not an idea if you care about security. The number of holes that you have to open in the firewall basically makes the DMZ pointless. I blogged on the subject here: http://www.sembee.co.uk/archive/2006/02/23/3.aspx

The ideal solution would be to go to Exchange 2003 on Windows 2003.
If that isn't on, then look at third party to provide the push capability. First instinct is Blackberry, but next is Good. http://www.good.com/ . Their product has a Windows Mobile client, so while it is a little more to deploy, it would work for you without exposing the network.

Simon.
0
 
matheweisAuthor Commented:
Thanks for the input - I didn't know remote ActiveSync only worked with Exchange 2003+

I understand Exchange in a DMZ is a very bad idea (As mentioned above - it leaves the network essentially wide open), and would only do that as a truly last resort, but I doubt it will be necessary.

I think I'm going to go with IMAP for now, and build on that as we go, maybe upgrading to Exch 2k3 in the future.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.