How do you protect your exchange environment while using active sync?

My organization is looking into moving away from the Good Mobile Messaging platform to a Windows Mobile 5.0 platform. My question is: how are organizations protecting their Exchange environment while using ActiveSync?

americanag asked:
kieran_b commented:
You could also have an ISA server in the DMZ that is handling the requests.
Mikal613 commented:
Can you elaborate on "Protect"
SteveH_UK commented:
Personally, I recommend a solution that relies on Exchange ActiveSync (as opposed to plain ActiveSync that is a desktop tool).  Then, you provide credentials over the wire through an SSL encrypted connection.

The protection is then down to allowed users having sufficiently good passwords, just as with Outlook Web Access.

After this, the next problem is managing the information stored on the devices.  That's a much harder problem to solve.  When I was investigating the market about a year ago, I found that there were no good solutions for a small market.  The one we did look at was Utimaco, but it failed when it actually came to encrypt a director's PDA.  So, unless you are a big player, that is a hard problem to solve.

The basic client is far more secure than any other solution since it doesn't allow for pollution of Exchange from the desktop.
americanag (author) commented:
We are a large enterprise organization - and sorry, I was not clear: we will be using Exchange ActiveSync. How do you protect the front-end Exchange server? I cannot allow port 443 to be open to the internet.
SteveH_UK commented:
See this link: http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_8.mspx.

It describes using an L2TP VPN to connect to Exchange ActiveSync.

SteveH_UK commented:
I agree with kieran_b that using ISA is a good choice.  ISA can provide a gateway for the VPN, or it can publish Exchange ActiveSync.  It has the advantage of performing protocol filtering before the data reaches the Exchange server.  However, without implementing the VPN you would still need to open port 443, but it would still be more secure than opening up Exchange directly.

Despite all of these comments, the Exchange FE server is designed to operate in an Internet facing mode, so really the choice is yours.
Keith Alabaster (Enterprise Architect) commented:
Agreed - 443 is a requirement regardless of whether you use the ActiveSync or RPC approach specifically. We looked at the Good Technology service but went BlackBerry in the end as it provided better functionality and encryption services. Just for my own interest, would you comment on why you would not open port 443?
kieran_b commented:
>>Just for my own interest, would you comment on why you would not open port 443?

*prediction*

Any open port is a security violation as hackers can get in and take everything!

</sarcasm> :)
Keith Alabaster (Enterprise Architect) commented:
LOL - let's hope it's a rational reason rather than that old chestnut.
americanag (author) commented:
Re: 443 - My organization gets audited heavily - that's as much as I am willing to say on that.
Keith Alabaster (Enterprise Architect) commented:
We are a UK Government organisation so we do too, but it's your network, so your call :)

There are a number of ways to do this, some of which are already noted above:

Standard SSL encryption over port 443;
ISA Server or an alternative reverse-proxy service so that no access actually takes place from the outside;
Additional protection through hard token/RADIUS authentication to the reverse-proxy service prior to access being granted to the SSL service.
Computer101 commented:
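Added example, not from the thread or any product it mentions: a check a defender can run against an Exchange ActiveSync endpoint published the way Keith Alabaster describes (TLS on 443 behind a reverse proxy with pre-authentication). It sends one unauthenticated OPTIONS to the standard EAS virtual directory on both 80 and 443 and flags a plaintext listener that answers, or an HTTPS listener that serves the request (and the MS-ASProtocolVersions header Exchange returns on OPTIONS) without first challenging for credentials. The hostname is a placeholder and the function names are my own.

```python
import http.client
import ssl
EAS_PATH = "/Microsoft-Server-ActiveSync"   # standard EAS virtual directory
REDIRECTS = {301, 302, 307, 308}

def assess_eas_response(scheme, status, headers):
    """Findings for one unauthenticated OPTIONS on EAS_PATH (status None = no connection;
    headers is a dict of lower-cased header names)."""
    findings = []
    if scheme == "http":
        if status is None:
            return findings                     # no plaintext listener: good
        loc = headers.get("location", "").lower()
        if status in REDIRECTS and loc.startswith("https://"):
            return findings                     # redirect to TLS is acceptable
        findings.append("plaintext listener answers EAS requests; clients could send credentials unencrypted")
        return findings
    # https: the reverse proxy (or Exchange itself) should challenge before serving anything
    if status == 401:
        if "www-authenticate" not in headers:
            findings.append("401 without WWW-Authenticate: clients cannot authenticate")
    elif status == 200:
        if "ms-asprotocolversions" in headers:
            findings.append("unauthenticated OPTIONS reveals ActiveSync protocol versions; pre-authentication not enforced")
        else:
            findings.append("unauthenticated request succeeded (200); pre-authentication not enforced")
    else:
        findings.append(f"unexpected result {status} for unauthenticated OPTIONS on 443")
    return findings

def probe(host, scheme, timeout=10):
    """Send one unauthenticated OPTIONS to EAS_PATH; return (status, headers)."""
    try:
        if scheme == "https":
            conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                               context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("OPTIONS", EAS_PATH, headers={"User-Agent": "eas-exposure-check"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None, {}

if __name__ == "__main__":
    host = "mail.example.com"   # placeholder: your published EAS hostname
    for scheme in ("http", "https"):
        status, headers = probe(host, scheme)
        for finding in assess_eas_response(scheme, status, headers):
            print(f"[{scheme}] {finding}")
```

Run it from outside the perimeter; an empty result for both schemes means port 80 is closed (or redirects to TLS) and 443 challenges before serving anything.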
Forced accept.

Computer101
EE Admin