How do you protect your Exchange environment while using ActiveSync?

My organization is looking into moving away from the Good Mobile Messaging platform to a Windows Mobile 5.0 platform. My question is: how are organizations protecting their Exchange environment while using ActiveSync?
americanag asked:
Mikal613 commented:
Can you elaborate on "Protect"
0
SteveH_UK commented:
Personally, I recommend a solution that relies on Exchange ActiveSync (as opposed to plain ActiveSync that is a desktop tool).  Then, you provide credentials over the wire through an SSL encrypted connection.

The protection is then down to allowed users having sufficiently good passwords, just as with Outlook Web Access.

After this, the next problem is managing the information stored on the devices.  That's a much harder problem to solve.  When I was investigating the market about a year ago, I found that there were no good solutions for a small market.  The one we did look at was Utimaco, but it failed when it actually came to encrypt a director's PDA.  So, unless you are a big player, that is a hard problem to solve.

The basic client is far more secure than any other solution since it doesn't allow for pollution of Exchange from the desktop.
0
americanag (author) commented:
We are a large enterprise organization, and sorry, I was not clear: we will be using Exchange ActiveSync. How do you protect the front-end Exchange server? I cannot allow port 443 to be open to the Internet.
0
SteveH_UK commented:
See this link: http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_8.mspx.

It describes using an L2TP VPN to connect to Exchange ActiveSync.
0
kieran_b commented:
You could also have an ISA server in the DMZ that is handling the requests.
0
SteveH_UK commented:
I agree with kieran_b that using ISA is a good choice.  ISA can provide a gateway for the VPN, or it can publish Exchange ActiveSync.  It has the advantage of performing protocol filtering before the data reaches the Exchange server.  However, without implementing the VPN you would still need to open port 443, but it would still be more secure than opening up Exchange directly.

Despite all of these comments, the Exchange FE server is designed to operate in an Internet facing mode, so really the choice is yours.
0
Keith Alabaster (Enterprise Architect) commented:
Agreed - 443 is a requirement regardless of whether you use the ActiveSync or RPC approach specifically. We looked at the Good Technology service but went BlackBerry in the end as it provided better functionality and encryption services. Just for my own interest, would you comment on why you would not open port 443?
0
kieran_b commented:
>>Just for my own interest, would you comment on why you would not open port 443?

*prediction*

Any open port is a security violation as hackers can get in and take everything!

</sarcasm> :)
0
Keith Alabaster (Enterprise Architect) commented:
LOL - let's hope it's a rational reason rather than that old chestnut.
0
americanag (author) commented:
Re: 443 - My organization gets audited heavily; that's as much as I am willing to say on that.
0
Keith Alabaster (Enterprise Architect) commented:
We are a UK Government organisation, so we do too, but it's your network, so your call :)

There are a number of ways to do this, some of which are already noted above:

Standard SSL encryption over port 443;
ISA Server or an alternative reverse-proxy service so that no access actually takes place from the outside;
Additional protection through hard token/radius authentication to reverse-proxy service prior to access being granted to the ssl service.
0
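The reverse-proxy options raised above (ISA Server publishing Exchange ActiveSync with protocol filtering before the traffic reaches the front end, and a reverse proxy that pre-authenticates before granting access to the SSL service) come down to a short policy. The following Python model of that policy is an added example written for this page, not ISA's, Microsoft's or any poster's code. The user store, salt, body-size cap and sample HTTP requests are constructed for illustration; the published path and the OPTIONS/POST methods are the ones Exchange ActiveSync actually uses, and only the plain-text query form of the EAS URL is handled.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# What the proxy publishes: exactly one virtual directory and the two HTTP
# methods Exchange ActiveSync uses (OPTIONS for capability discovery, POST for
# every command). Anything else is refused at the proxy, never at Exchange.
EAS_PATH = "/microsoft-server-activesync"
EAS_METHODS = {"OPTIONS", "POST"}
EAS_QUERY_KEYS = {"cmd", "user", "deviceid", "devicetype"}
MAX_BODY_BYTES = 4 * 1024 * 1024   # assumed cap for a single sync request

# Hypothetical pre-authentication store. A real ISA/reverse-proxy deployment
# checks Active Directory or RADIUS (hard token) here; the point is that the
# check happens on the proxy, so unauthenticated traffic never reaches Exchange.
_SALT = b"constructed-salt"
def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
PROXY_USERS = {"alice": _hash("Correct-Horse-Battery-7")}   # constructed user


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def check_credentials(headers: Dict[str, str]) -> Optional[str]:
    """Pre-authenticate the Basic credentials; return the user name or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:            # covers binascii.Error and UnicodeDecodeError
        return None
    expected = PROXY_USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, _hash(password)):
        return None
    return user


def filter_request(raw: str, over_tls: bool) -> Decision:
    """Decide whether the proxy forwards this request to the Exchange front end."""
    if not over_tls:
        # Basic credentials are only base64-encoded, so they must never travel in clear.
        return Decision(False, "plain HTTP refused; EAS is published over TLS only")
    method, target, headers, _body = parse_request(raw)
    if method not in EAS_METHODS:
        return Decision(False, f"method {method} not used by EAS")
    parts = urlsplit(target)
    if parts.path.lower() != EAS_PATH:
        # Only the EAS virtual directory is published; /owa, /exchange, etc. are not.
        return Decision(False, f"path {parts.path} not published")
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    unexpected = set(query) - EAS_QUERY_KEYS
    if unexpected:
        return Decision(False, f"unexpected query parameters {sorted(unexpected)}")
    try:
        if int(headers.get("content-length", "0")) > MAX_BODY_BYTES:
            return Decision(False, "body exceeds size cap")
    except ValueError:
        return Decision(False, "malformed Content-Length")
    user = check_credentials(headers)
    if user is None:
        return Decision(False, "pre-authentication failed")   # proxy answers 401 itself
    claimed = query.get("user", [user])[0].rsplit("\\", 1)[-1]   # strip DOMAIN\ prefix
    if claimed.lower() != user.lower():
        return Decision(False, "User parameter does not match authenticated user")
    return Decision(True, "forwarded to Exchange front end", user)


def _request(method: str, target: str, auth: Optional[str] = None, body: str = "") -> str:
    """Build a constructed raw HTTP/1.1 request for the samples below."""
    lines = [f"{method} {target} HTTP/1.1", "Host: mail.example.com"]
    if auth is not None:
        lines.append("Authorization: Basic " + base64.b64encode(auth.encode()).decode())
    if method == "POST":
        lines += ["Content-Type: application/vnd.ms-sync.wbxml",
                  "MS-ASProtocolVersion: 2.5", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


SYNC_TARGET = "/Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=ABC123&DeviceType=PocketPC"
GOOD_AUTH = "alice:Correct-Horse-Battery-7"
SAMPLE_REQUESTS = {   # constructed inputs
    "sync": _request("POST", SYNC_TARGET, GOOD_AUTH, "xyz"),
    "no_auth": _request("POST", SYNC_TARGET, None, "xyz"),
    "bad_password": _request("POST", SYNC_TARGET, "alice:guess", "xyz"),
    "owa": _request("GET", "/owa/"),
    "traversal": _request("POST", "/Microsoft-Server-ActiveSync/../exchange/alice/inbox", GOOD_AUTH),
    "extra_query": _request("POST", SYNC_TARGET + "&Debug=1", GOOD_AUTH, "xyz"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        d = filter_request(raw, over_tls=True)
        print(f"{name:12} {'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
```

Only the "sync" sample is forwarded; the others are refused before Exchange ever sees them, which is the benefit SteveH_UK describes for ISA over exposing the front end directly. Replacing `check_credentials` with a RADIUS or hard-token lookup gives the third option in Keith's list, and the `over_tls` gate is why port 443 (or a VPN in front of it) is unavoidable.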
Computer101 commented:
Forced accept.

Computer101
EE Admin
0