americanag
asked on
How do you protect your Exchange environment while using ActiveSync?
My organization is looking into moving away from the Good Mobile Messaging platform to a Windows Mobile 5.0 platform. My question is: how are organizations protecting their Exchange environment while using ActiveSync?
Can you elaborate on "Protect"?
Personally, I recommend a solution that relies on Exchange ActiveSync (as opposed to plain ActiveSync that is a desktop tool). Then, you provide credentials over the wire through an SSL encrypted connection.
The protection is then down to allowed users having sufficiently good passwords, just as with Outlook Web Access.
After this, the next problem is managing the information stored on the devices. That's a much harder problem to solve. When I was investigating the market about a year ago, I found that there were no good solutions for a small market. The one we did look at was Utimaco, but it failed when it actually came to encrypt a director's PDA. So, unless you are a big player, that is a hard problem to solve.
The basic client is far more secure than any other solution since it doesn't allow for pollution of Exchange from the desktop.
ASKER
We are a large enterprise organization - and sorry I was not clear, we will be using Exchange ActiveSync. How do you protect the front-end Exchange server? I cannot allow port 443 to be open to the internet.
See this link: http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_8.mspx.
It describes using an L2TP VPN to connect to Exchange ActiveSync.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Agreed - 443 is a requirement regardless of whether you use the ActiveSync or RPC approach specifically. We looked at the Good Technology service but went BlackBerry in the end as it provided better functionality and encryption services. Just for my own interest, would you comment on why you would not open port 443?
>>Just for my own interest, would you comment on why you would not open port 443?
*prediction*
Any open port is a security violation as hackers can get in and take everything!
</sarcasm> :)
LOL - let's hope it's a rational reason rather than that old chestnut.
ASKER
Re: 443 - My organization gets audited heavily - that's as much as I am willing to say on that.
Forced accept.
Computer101
EE Admin