
How can I secure Exchange 2007 with Active Sync

Medium Priority
462 Views
Last Modified: 2013-11-16
Ok here is the scenario. Right now in our current email configuration we have the following setup:
Outside email gets sent from the internet to our sendmail boxes, then to the Barracuda spam firewall, then to our Checkpoint firewall, then to eSafe where it gets scanned, and then finally sent to our Exchange 2007 server. We are trying to implement ActiveSync securely into this configuration. We are having a bit of disagreement over how to properly secure our internal email server. In our configuration we already have the same setup as an edge server with our Barracuda firewall in place. This does all our mail scrubbing and forwards it to our email server. Am I correct that this is all the edge server does? Do we need an Edge Transport server for ActiveSync to function? I was under the assumption that the Edge server only works with SMTP traffic and nothing else. I thought all we needed was an SSL cert from a trusted root authority that points to an outside FQDN "mail.company.com" and that NATs to the internal address of our email server. My boss is worried that we are then going to be vulnerable to outside attacks on our firewall and our email server. Is he correct in his assumption? Is this the most secure way to go? In Microsoft's example they are passing port 443 to the internal email server. Please help to shed some light on the situation.

Thanks in advance

Commented:
I am not an expert with multi-Exchange-server setups as you have, but ActiveSync does run over HTTPS (port 443) and you would essentially secure it the same way you would RPC over HTTP or OWA.

Author

Commented:
Currently we don't have multiple Exchange servers. It is just the one Exchange 2007 server with the Client Access Server role installed on it. How would I properly secure ActiveSync to connect to this internal email server?

Thanks,
Expert of the Quarter 2009
Expert of the Year 2009
Commented:
You have two choices.
1. Open port 443 directly to the CAS server.
2. Install a separate server with ISA installed and publish ActiveSync, OWA etc through it.

Neither of those requires an Edge.

As for attacks - to date, neither Exchange nor IIS has been compromised. It has always been a third party application installed on top that was used as the compromise. Therefore if the server is dedicated to Exchange and is kept up to date with patches you are pretty safe.
If you want the additional security then ISA is the only way to go, as it is designed to inspect the traffic.

-M

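As an added example (not from the question or either answer), a pre-flight audit for choice 1 above, run in the Exchange Management Shell on the Exchange 2007 server before port 443 is opened to it. It checks the certificate bound to IIS, the ActiveSync external URL and the device password policy against the mail.company.com name from the question; CAS01 is an assumed server name, and the cmdlets are Exchange 2007's own.

```powershell
# Added example: audit an Exchange 2007 CAS before publishing ActiveSync on 443.
# CAS01 and mail.company.com are placeholders; substitute your own names.
$cas = "CAS01"                     # assumed CAS host name
$publicName = "mail.company.com"   # external FQDN from the question
$findings = @()

# 1. The certificate enabled for IIS must be CA-issued, unexpired and list the public name.
#    (Exchange 2007's Get-ExchangeCertificate has no -Server switch, so run this on the CAS.)
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "IIS" }
if (-not $iisCerts) { $findings += "No certificate is enabled for the IIS service" }
foreach ($cert in $iisCerts) {
    $names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
    if ($cert.IsSelfSigned) {
        $findings += "IIS cert $($cert.Thumbprint) is self-signed; phones will not trust it"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "IIS cert $($cert.Thumbprint) expires on $($cert.NotAfter)"
    }
    if ($names -notcontains $publicName) {
        $findings += "IIS cert $($cert.Thumbprint) does not list $publicName"
    }
}

# 2. The ActiveSync virtual directory must advertise an HTTPS URL on the public name.
foreach ($v in (Get-ActiveSyncVirtualDirectory -Server $cas)) {
    $ext = "$($v.ExternalUrl)"
    if ($ext -notlike "https://$publicName/*") {
        $findings += "$($v.Identity): ExternalUrl is '$ext', expected https://$publicName/Microsoft-Server-ActiveSync"
    }
}

# 3. Every mailbox policy should require a device PIN, lock on inactivity and cap failed attempts.
foreach ($p in (Get-ActiveSyncMailboxPolicy)) {
    if (-not $p.DevicePasswordEnabled) {
        $findings += "Policy '$($p.Name)': device password not required"
    }
    if ($p.MaxInactivityTimeDeviceLock.IsUnlimited) {
        $findings += "Policy '$($p.Name)': no inactivity lock"
    }
    if ($p.MaxDevicePasswordFailedAttempts.IsUnlimited) {
        $findings += "Policy '$($p.Name)': unlimited password attempts (no wipe)"
    }
}

if ($findings.Count -eq 0) { Write-Output "No findings: $cas is ready to publish ActiveSync on 443" }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

The IIS "Require SSL" setting on the Microsoft-Server-ActiveSync virtual directory is set in IIS Manager rather than by these cmdlets, so confirm it separately.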

Author

Commented:
Do you have an alternate configuration setup other than ISA for ports and protocols for this? For example Sonicwall or Checkpoint? I cannot use an ISA firewall because it is a Microsoft product. I know this sounds stupid, but this is the scenario I was given.

Thanks,
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
As far as I am aware ISA is the only way that you can publish ActiveSync without directly exposing the CAS server to the internet.

You don't have to use ISA as the firewall if you don't want to. It is perfectly possible to have a firewall in front of ISA with the ports open. So you would have two firewalls in place....

Internet --> FW 1 --> ISA Server --> FW2 --> CAS Server.

As long as the ISA server is NOT a member of the domain then the ports required to be open between CAS and ISA are limited.

-M