How can I secure Exchange 2007 with Active Sync

OK, here is the scenario. Right now in our current email configuration we have the following setup:

Outside email gets sent from the internet to our sendmail boxes, then to the Barracuda spam firewall, then to our Checkpoint firewall, then to eSafe where it gets scanned, and then finally sent to our Exchange 2007 server. We are trying to implement ActiveSync securely into this configuration. We are having a bit of disagreement over how to properly secure our internal email server.

In our configuration we already have the same setup as an Edge server with our Barracuda firewall in place. This does all our mail scrubbing and forwards it to our email server. Am I correct that this is all the Edge server does? Do we need an Edge Transport server for ActiveSync to function? I was under the assumption that the Edge server only works with SMTP traffic and nothing else. I thought all we needed was an SSL cert from a trusted root authority that points to an outside FQDN "" and that NATs to the internal address of our email server.

My boss is worried that we are then going to be vulnerable to outside attacks on our firewall and our email server. Is he correct in his assumption? Is this the most secure way to go? In Microsoft's example they are passing port 443 to the internal email server. Please help to shed some light on the situation.

Thanks in advance
Mestha Commented:
You have two choices.
1. Open port 443 directly to the CAS server.
2. Install a separate server with ISA installed and publish ActiveSync, OWA etc through it.

Neither of those requires an Edge.

As for attacks - to date, neither Exchange nor IIS has been compromised. It has always been a third party application installed on top that was used as the compromise. Therefore if the server is dedicated to Exchange and is kept up to date with patches you are pretty safe.
If you want the additional security then ISA is the only way to go, as it is designed to inspect the traffic.

I am not an expert with multi-Exchange-server setups as you have, but ActiveSync does run over HTTPS (port 443) and you would essentially secure it the same way you would RPC over HTTP or OWA.
MGS-TECH (Author) Commented:
Currently we don't have multiple Exchange servers. It is just the one Exchange 2007 server with the Client Access Server role installed on it. How would I properly secure ActiveSync to connect to this internal email server?

MGS-TECH (Author) Commented:
Do you have an alternate configuration setup other than ISA for ports and protocols for this? For example Sonicwall or Checkpoint? I cannot use an ISA firewall because it is a Microsoft product. I know this sounds stupid, but this is the scenario I was given.

As far as I am aware ISA is the only way that you can publish ActiveSync without directly exposing the CAS server to the internet.

You don't have to use ISA as the firewall if you don't want to. It is perfectly possible to have a firewall in front of ISA with the ports open. So you would have two firewalls in place:

Internet --> FW 1 --> ISA Server --> FW2 --> CAS Server.

As long as the ISA server is NOT a member of the domain then the ports required to be open between CAS and ISA are limited.
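Whichever of the two designs above you pick, the CAS itself has to be configured so that ActiveSync is only offered over HTTPS with a certificate devices will trust. The following is an added example for the Exchange 2007 Management Shell, written for this thread and not taken from the thread or from Microsoft; the server name CAS01 and the public name mail.example.com are placeholders for your own CAS and external FQDN, and the Test-ActiveSyncConnectivity step assumes Exchange 2007 SP1 or later.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
# Placeholders: CAS01 (your CAS) and mail.example.com (the FQDN your public
# cert and your NAT/ISA publishing rule point at).
$cas        = "CAS01"
$externalFq = "mail.example.com"

# 1. ActiveSync virtual directory: the external URL must be https, and Basic
#    authentication (what most devices use) should therefore only ever ride
#    over SSL. ClientCertAuth shows whether device certificates are required.
$vdir = Get-ActiveSyncVirtualDirectory -Server $cas
"ExternalUrl      : $($vdir.ExternalUrl)"
"BasicAuthEnabled : $($vdir.BasicAuthEnabled)"
"ClientCertAuth   : $($vdir.ClientCertAuth)"
if ($vdir.ExternalUrl -eq $null -or $vdir.ExternalUrl.Scheme -ne "https") {
    Write-Warning "ExternalUrl is missing or not https; devices would be offered an unencrypted endpoint."
    # To fix (uncomment once the trusted cert below covers $externalFq):
    # Set-ActiveSyncVirtualDirectory -Identity $vdir.Identity `
    #     -ExternalUrl "https://$externalFq/Microsoft-Server-ActiveSync"
}

# 2. The certificate bound to IIS must come from a trusted root CA and must
#    list the external FQDN, otherwise phones reject or warn on every sync.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
if ($iisCerts -eq $null) { Write-Warning "No certificate is enabled for the IIS service on $cas." }
foreach ($c in $iisCerts) {
    $domains = @($c.CertificateDomains | ForEach-Object { $_.ToString() })
    "Thumbprint : $($c.Thumbprint)"
    "Issuer     : $($c.Issuer)"
    "Domains    : $([string]::Join(', ', $domains))"
    "Expires    : $($c.NotAfter)"
    if ($c.IsSelfSigned) {
        Write-Warning "IIS is still using the self-signed certificate; replace it with the trusted-root cert."
    }
    if (-not ($domains -contains $externalFq)) {
        Write-Warning "Certificate does not include $externalFq; devices will not trust the published name."
    }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires within 30 days."
    }
}

# 3. Exercise the published endpoint the way a device would (Exchange 2007 SP1+).
#    Run this from inside and, if you can, from a host outside the firewall so
#    the test traverses the same NAT or ISA rule the phones will use.
Test-ActiveSyncConnectivity -ClientAccessServer $cas `
    -URL "https://$externalFq/Microsoft-Server-ActiveSync" | Format-List
```

The firewall rule in front of the CAS (or in front of ISA) then only needs to forward TCP 443 to that one address; there is no reason to forward port 80, and nothing here requires an Edge Transport server, which only handles SMTP.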
