Solved

Remote ActiveSync or e-mail w/Exchange (Server Security)

Posted on 2006-06-15
Last Modified: 2008-03-03
Hello,

I am running a network of four Exchange 2000 servers in three locations, serving about 80 users. Four or five users in the company are requesting the ability to download e-mail from the Exchange server to their portable devices (Smartphones running Windows Mobile 2003 & 5.0).

Obviously, because of network security implications, this is kind of going to be a pain. Up until now, I have dragged my feet about this, doing research and experimenting with different ideas without implementing a final solution, but now some of those users are higher up the ladder and something finally needs to be done.

Here are the solutions (and problems with each) I have looked at so far:

1) Set the Smartphones up to log into the corporate VPN and then ActiveSync as if they were on the local network. This would be the ideal solution; unfortunately, the Windows Mobile 5.0 VPN solutions are anything but robust. I have yet to complete a working ActiveSync session. It's hard enough to tunnel between WinXP and the Cisco - doing it from a smartphone is a nightmare. In addition, I understand that some providers block PPTP (1723, GRE) packets.

2) Port forwarding 143 on the corporate firewalls to the Exchange servers, and forcing users to use IMAP e-mail access on the smartphones. This is probably the most workable solution I have so far, but it doesn't allow access to the rest of their Outlook (Calendar, etc.), and it's also cumbersome to access any folder other than the Inbox (you have to manually tell it to sync each one). I'm not totally excited about leaving the IMAP server open to attack on the 'net, but you have to do what you have to do.

3) Set up an isolated Exchange server in a DMZ that is accessible from the internet, and can communicate only with other Exchange servers. This should work reasonably well, but still leaves the network pretty wide open (especially since the server needs to access AD, etc. from the others) - I'm really only willing to do this as a last resort.

Maybe I'm making this more difficult than it ought to be, but I'm looking for a solution that from the users' perspective is robust and easy to use, and from my perspective leaves the network safe and secure.

Full points will be awarded to anyone who has something similar to (1) working.

I'm also open to thoughts on (2) and (3), and any other workable solutions anyone may have.
Question by: matheweis
2 Comments
Accepted Solution by: Sembee (earned 1200 total points), ID: 16916197
Exchange 2000 doesn't really do mobile working. It has only really picked up with Exchange 2003 SP2 and Windows Mobile 5.0.

Probably the best solution using what you have is IMAP based. You could wrap it into SSL - which will require an SSL certificate that is supported by the device, or importing the SSL certificate.

Exchange in a DMZ is not a good idea if you care about security. The number of holes that you have to open in the firewall basically makes the DMZ pointless. I blogged on the subject here: http://www.sembee.co.uk/archive/2006/02/23/3.aspx

The ideal solution would be to go to Exchange 2003 on Windows 2003.
If that isn't on, then look at a third party to provide the push capability. First instinct is Blackberry, but next is Good. http://www.good.com/ . Their product has a Windows Mobile client, so while it is a little more to deploy, it would work for you without exposing the network.

Simon.
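The accepted answer recommends exposing IMAP only wrapped in SSL with a certificate the device trusts. The following is an added example (not code from the question, the answer, or Exchange itself) showing how an admin can verify that an internet-facing IMAP listener refuses plaintext LOGIN until TLS is negotiated, and that the IMAPS endpoint presents a certificate that validates against a public CA the way a phone would check it. The host names and the sample CAPABILITY lines are constructed for illustration.

```python
"""Verify an internet-exposed IMAP endpoint forces TLS before credentials are sent.

Host names used at the bottom and the sample CAPABILITY lines are constructed
for illustration; they are not values from the question or the answer."""
import imaplib
import socket
import ssl


def parse_capability_line(line: str) -> set:
    """Turn an untagged '* CAPABILITY ...' response into a set of upper-case tokens."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {tok.upper() for tok in parts[2:]}


def assess_capabilities(caps: set) -> str:
    """Classify what a plaintext-port (143) listener lets a client do before TLS."""
    if "STARTTLS" in caps and "LOGINDISABLED" in caps:
        return "ok"        # LOGIN is refused until STARTTLS completes (RFC 2595 behaviour)
    if "STARTTLS" in caps:
        return "weak"      # TLS offered, but a client may still send LOGIN in the clear
    return "exposed"       # no TLS at all: credentials cross the internet as plaintext


def check_plaintext_port(host: str, port: int = 143, timeout: float = 5.0) -> str:
    """Connect to port 143, read the server's advertised capabilities, classify them."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        # imaplib issues CAPABILITY during connect; .capabilities is a tuple of tokens
        return assess_capabilities({c.upper() for c in conn.capabilities})
    finally:
        conn.logout()


def check_imaps_certificate(host: str, port: int = 993, timeout: float = 5.0) -> dict:
    """Open an IMAPS session with full chain and hostname validation (what a phone does)."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name by default
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()    # raises ssl.SSLCertVerificationError if untrusted
            return {"subject": dict(x[0] for x in cert["subject"]),
                    "notAfter": cert["notAfter"], "tls_version": tls.version()}


if __name__ == "__main__":
    # Constructed examples of what different listeners might announce (not real captures)
    for sample in ("* CAPABILITY IMAP4rev1 IDLE AUTH=NTLM",
                   "* CAPABILITY IMAP4rev1 STARTTLS AUTH=NTLM",
                   "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=NTLM"):
        print(sample, "->", assess_capabilities(parse_capability_line(sample)))
    # Against a real deployment: check_plaintext_port("mail.example.invalid")
    #                            check_imaps_certificate("mail.example.invalid")
```

If the plaintext port is rated "weak" or "exposed", do not forward it at all; forward only 993 (or enforce LOGINDISABLED on 143) and make sure the certificate check succeeds without importing anything on the device.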
Author Comment by: matheweis, ID: 16948349
Thanks for the input - I didn't know remote ActiveSync only worked with Exchange 2003+.

I understand Exchange in a DMZ is a very bad idea (as mentioned above - it leaves the network essentially wide open), and would only do that as a truly last resort, but I doubt it will be necessary.

I think I'm going to go with IMAP for now, and build on that as we go, maybe upgrading to Exch 2k3 in the future.