Solved

Remote ActiveSync or e-mail w/Exchange (Server Security)

Posted on 2006-06-15
2
347 Views
Last Modified: 2008-03-03
Hello,

I am running a network of four Exchange 2000 servers in three locations, serving about 80 users. Four or five users in the company are requesting the ability to download e-mail from the exchange server to their portable devices (Smartphones running Windows Mobile 2003 & 5.0)

Obviously, because of network security implications, this is kind of going to be a pain. Up until now, I have dragged my feet about this, doing research and experimenting with different ideas without implenting a final solution, but now some of those users are higher up the ladder and something finally needs to be done.

Here are the solutions (and problems with each) I have looked at so far:

1) Set the Smartphones up to log into the corporate VPN and then ActiveSync as if they were on the local network. This would be the ideal solution, unfortunately, the Window Mobile 5.0 VPN solutions are anything but robust. I have yet to complete a working ActiveSync session. It's hard enough to tunnel between WinXP and the Cisco - doing it from a smartphone is a nightmare. In addition, I understand that some providers block PPTP (1723,GRE) packets.

2) Port forwarding 143 on the corporate firewalls to the Exchange servers, and forcing users to use IMAP e-mail access on the smartphones. This is probably the most workable solution I have so far, but it doesn't allow access to the rest of their Outlook (Calendar, etc), and it's also cumbersome to access any folder other than the Inbox (You have to manually tell it to sync each one) I'm not totally excited about leaving the IMAP server open to attack on the 'net, but you have to do what you have to do.

3) Set up an isolated Exchange server in a DMZ that is accessible from the internet, and can communicate only to other Exchange servers. This should work reasonably well, but still leaves the network pretty wide open (Especially since the server needs to access AS, etc. from the others) - I'm really only willing to do this as a last resort.

Maybe I'm making this more difficult than it ought to be, but I'm looking for a solution that from the users perspective is robust and easy to use, and from my perspective leaves the network safe and secure.

Full points will be awarded to anyone who has something similar to (1) working.

I'm also open to thoughts on (2) and (3), and any other workable solutions anyone may have.
0
Comment
Question by:matheweis
2 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 300 total points
ID: 16916197
Exchange 2000 doesn't really do mobile working. It has only really picked up with Exchange 2003 SP2 and Windows Mobile 5.0.

Probably the best solution using what you have is IMAP based. You could wrap it in to SSL - which will require an SSL certificate that is supported by the device, or importing the SSL certificate.

Exchange in a DMZ is not an idea if you care about security. The number of holes that you have to open in the firewall basically makes the DMZ pointless. I blogged on the subject here: http://www.sembee.co.uk/archive/2006/02/23/3.aspx

The ideal solution would be to go to Exchange 2003 on Windows 2003.
If that isn't on, then look at third party to provide the push capability. First instinct is Blackberry, but next is Good. http://www.good.com/ . Their product has a Windows Mobile client, so while it is a little more to deploy, it would work for you without exposing the network.

Simon.
0
 
LVL 3

Author Comment

by:matheweis
ID: 16948349
Thanks for the input - I didn't know remote ActiveSync only worked with Exchange 2003+

I understand Exchange in a DMZ is a very bad idea (As mentioned above - it leaves the network essentially wide open), and would only do that as a truly last resort, but I doubt it will be necessary.

I think I'm going to go with IMAP for now, and build on that as we go, maybe upgrading to Exch 2k3 in the future.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question