Solved

Remote ActiveSync or e-mail w/Exchange (Server Security)

Posted on 2006-06-15
2
350 Views
Last Modified: 2008-03-03
Hello,

I am running a network of four Exchange 2000 servers in three locations, serving about 80 users. Four or five users in the company are requesting the ability to download e-mail from the exchange server to their portable devices (Smartphones running Windows Mobile 2003 & 5.0)

Obviously, because of network security implications, this is kind of going to be a pain. Up until now, I have dragged my feet about this, doing research and experimenting with different ideas without implenting a final solution, but now some of those users are higher up the ladder and something finally needs to be done.

Here are the solutions (and problems with each) I have looked at so far:

1) Set the Smartphones up to log into the corporate VPN and then ActiveSync as if they were on the local network. This would be the ideal solution, unfortunately, the Window Mobile 5.0 VPN solutions are anything but robust. I have yet to complete a working ActiveSync session. It's hard enough to tunnel between WinXP and the Cisco - doing it from a smartphone is a nightmare. In addition, I understand that some providers block PPTP (1723,GRE) packets.

2) Port forwarding 143 on the corporate firewalls to the Exchange servers, and forcing users to use IMAP e-mail access on the smartphones. This is probably the most workable solution I have so far, but it doesn't allow access to the rest of their Outlook (Calendar, etc), and it's also cumbersome to access any folder other than the Inbox (You have to manually tell it to sync each one) I'm not totally excited about leaving the IMAP server open to attack on the 'net, but you have to do what you have to do.

3) Set up an isolated Exchange server in a DMZ that is accessible from the internet, and can communicate only to other Exchange servers. This should work reasonably well, but still leaves the network pretty wide open (Especially since the server needs to access AS, etc. from the others) - I'm really only willing to do this as a last resort.

Maybe I'm making this more difficult than it ought to be, but I'm looking for a solution that from the users perspective is robust and easy to use, and from my perspective leaves the network safe and secure.

Full points will be awarded to anyone who has something similar to (1) working.

I'm also open to thoughts on (2) and (3), and any other workable solutions anyone may have.
0
Comment
Question by:matheweis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 300 total points
ID: 16916197
Exchange 2000 doesn't really do mobile working. It has only really picked up with Exchange 2003 SP2 and Windows Mobile 5.0.

Probably the best solution using what you have is IMAP based. You could wrap it in to SSL - which will require an SSL certificate that is supported by the device, or importing the SSL certificate.

Exchange in a DMZ is not an idea if you care about security. The number of holes that you have to open in the firewall basically makes the DMZ pointless. I blogged on the subject here: http://www.sembee.co.uk/archive/2006/02/23/3.aspx

The ideal solution would be to go to Exchange 2003 on Windows 2003.
If that isn't on, then look at third party to provide the push capability. First instinct is Blackberry, but next is Good. http://www.good.com/ . Their product has a Windows Mobile client, so while it is a little more to deploy, it would work for you without exposing the network.

Simon.
0
 
LVL 3

Author Comment

by:matheweis
ID: 16948349
Thanks for the input - I didn't know remote ActiveSync only worked with Exchange 2003+

I understand Exchange in a DMZ is a very bad idea (As mentioned above - it leaves the network essentially wide open), and would only do that as a truly last resort, but I doubt it will be necessary.

I think I'm going to go with IMAP for now, and build on that as we go, maybe upgrading to Exch 2k3 in the future.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question