Solved

Remote ActiveSync or e-mail w/Exchange (Server Security)

Posted on 2006-06-15
2
343 Views
Last Modified: 2008-03-03
Hello,

I am running a network of four Exchange 2000 servers in three locations, serving about 80 users. Four or five users in the company are requesting the ability to download e-mail from the exchange server to their portable devices (Smartphones running Windows Mobile 2003 & 5.0)

Obviously, because of network security implications, this is kind of going to be a pain. Up until now, I have dragged my feet about this, doing research and experimenting with different ideas without implenting a final solution, but now some of those users are higher up the ladder and something finally needs to be done.

Here are the solutions (and problems with each) I have looked at so far:

1) Set the Smartphones up to log into the corporate VPN and then ActiveSync as if they were on the local network. This would be the ideal solution, unfortunately, the Window Mobile 5.0 VPN solutions are anything but robust. I have yet to complete a working ActiveSync session. It's hard enough to tunnel between WinXP and the Cisco - doing it from a smartphone is a nightmare. In addition, I understand that some providers block PPTP (1723,GRE) packets.

2) Port forwarding 143 on the corporate firewalls to the Exchange servers, and forcing users to use IMAP e-mail access on the smartphones. This is probably the most workable solution I have so far, but it doesn't allow access to the rest of their Outlook (Calendar, etc), and it's also cumbersome to access any folder other than the Inbox (You have to manually tell it to sync each one) I'm not totally excited about leaving the IMAP server open to attack on the 'net, but you have to do what you have to do.

3) Set up an isolated Exchange server in a DMZ that is accessible from the internet, and can communicate only to other Exchange servers. This should work reasonably well, but still leaves the network pretty wide open (Especially since the server needs to access AS, etc. from the others) - I'm really only willing to do this as a last resort.

Maybe I'm making this more difficult than it ought to be, but I'm looking for a solution that from the users perspective is robust and easy to use, and from my perspective leaves the network safe and secure.

Full points will be awarded to anyone who has something similar to (1) working.

I'm also open to thoughts on (2) and (3), and any other workable solutions anyone may have.
0
Comment
Question by:matheweis
2 Comments
 
LVL 104

Accepted Solution

by:
Sembee earned 300 total points
ID: 16916197
Exchange 2000 doesn't really do mobile working. It has only really picked up with Exchange 2003 SP2 and Windows Mobile 5.0.

Probably the best solution using what you have is IMAP based. You could wrap it in to SSL - which will require an SSL certificate that is supported by the device, or importing the SSL certificate.

Exchange in a DMZ is not an idea if you care about security. The number of holes that you have to open in the firewall basically makes the DMZ pointless. I blogged on the subject here: http://www.sembee.co.uk/archive/2006/02/23/3.aspx

The ideal solution would be to go to Exchange 2003 on Windows 2003.
If that isn't on, then look at third party to provide the push capability. First instinct is Blackberry, but next is Good. http://www.good.com/ . Their product has a Windows Mobile client, so while it is a little more to deploy, it would work for you without exposing the network.

Simon.
0
 
LVL 3

Author Comment

by:matheweis
ID: 16948349
Thanks for the input - I didn't know remote ActiveSync only worked with Exchange 2003+

I understand Exchange in a DMZ is a very bad idea (As mentioned above - it leaves the network essentially wide open), and would only do that as a truly last resort, but I doubt it will be necessary.

I think I'm going to go with IMAP for now, and build on that as we go, maybe upgrading to Exch 2k3 in the future.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now