

How can I secure Exchange 2007 with Active Sync

Posted on 2009-02-09
Medium Priority
Last Modified: 2013-11-16
Ok here is the scenario. Right now in our current email configuration we have the following setup:
Outside email gets sent from the internet to our sendmail boxes, then to Barracuda spam firewall, then to our Checkpoint firewall, then to eSafe where they get scanned and then finally sent to our Exchange 2007 server. We are trying to implement ActiveSync securely into this configuration. We are having a bit of disagreement over how to properly secure our internal email server. In our configuration we already have the same setup as an edge server with our Barracuda firewall in place. This does all our mail scrubbing and forwards it to our email server. Am I correct that this is all the edge server does? Do we need an Edge Transport server for ActiveSync to function? I was under the assumption that the Edge server only works with SMTP traffic and nothing else. I thought all we needed was an SSL cert from a trusted root authority that points to an outside FQDN "mail.company.com" and that NATs to the internal address of our email server. My boss is worried that we are then going to be vulnerable to outside attacks on our firewall and our email server. Is he correct in his assumption? Is this the most secure way to go? In Microsoft's example they are passing port 443 to the internal email server. Please help to shed some light on the situation.

Thanks in advance
Question by:MGS-TECH

Expert Comment

ID: 23591849
I am not an expert with multi-Exchange-server setups as you have, but ActiveSync does run over HTTPS (port 443) and you would essentially secure it the same way you would RPC over HTTP or OWA.

Author Comment

ID: 23591905
Currently we don't have multiple Exchange servers. It is just the one Exchange 2007 server with the Client Access Server role installed on it. How would I properly secure ActiveSync to connect to this internal email server?

LVL 65

Accepted Solution

Mestha earned 2000 total points
ID: 23594266
You have two choices.
1. Open port 443 directly to the CAS server.
2. Install a separate server with ISA installed and publish ActiveSync, OWA etc through it.

Neither of those requires an Edge.

As for attacks - to date, neither Exchange nor IIS has been compromised. It has always been a third party application installed on top that was used as the compromise. Therefore if the server is dedicated to Exchange and is kept up to date with patches you are pretty safe.
If you want the additional security then ISA is the only way to go, as it is designed to inspect the traffic.
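The accepted answer's first option (open TCP 443 straight to the CAS) only stays safe if the CAS itself is configured tightly: a trusted certificate on IIS, an HTTPS-only external URL for the ActiveSync virtual directory, and an enforced device policy. The following Exchange Management Shell session is an added example written for this page, not something Mestha or the asker posted. It assumes it is run on the single Exchange 2007 SP1 server that holds the CAS role, uses the external name mail.company.com from the question, and assumes the default ActiveSync mailbox policy is the one in use; adjust those names to your environment.

```powershell
# Added example: verify that ActiveSync on a single Exchange 2007 CAS is exposed only
# over HTTPS with a trusted certificate and an enforced device policy.
# Run from the Exchange Management Shell on the CAS server itself.

$External = "mail.company.com"   # external FQDN used in the question
$PolicyName = "Default"          # assumed name of the ActiveSync mailbox policy in use

# 1. The certificate bound to IIS must cover the external name and come from a
#    trusted CA. A self-signed certificate means devices cannot validate the server,
#    which invites interception on any network the phones roam through.
$cert = Get-ExchangeCertificate |
    Where-Object { ($_.Services -match "IIS") -and ($_.CertificateDomains -contains $External) }
if (-not $cert) {
    Write-Warning "No IIS-enabled certificate covers $External on this server."
} elseif ($cert.IsSelfSigned) {
    Write-Warning "The certificate for $External is self-signed; replace it with one from a trusted root."
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "The certificate for $External expires on $($cert.NotAfter); renew it."
} else {
    Write-Output "OK: $External is served by a certificate issued by $($cert.Issuer)."
}

# 2. Publish the ActiveSync virtual directory under the external HTTPS name only.
#    Devices (and Autodiscover) should never be handed an internal hostname or an
#    http:// URL that would carry credentials in the clear.
$vdir = Get-ActiveSyncVirtualDirectory
Set-ActiveSyncVirtualDirectory -Identity $vdir.Identity `
    -ExternalUrl "https://$External/Microsoft-Server-ActiveSync"
$vdir = Get-ActiveSyncVirtualDirectory
if ($vdir.ExternalUrl -notmatch '^https://') {
    Write-Warning "ExternalUrl is not HTTPS: $($vdir.ExternalUrl)"
}

# 3. Enforce a device policy so a lost or stolen phone does not equal a lost mailbox:
#    PIN required, lock after inactivity, wipe after repeated failures, and refuse
#    devices that cannot apply the policy.
Set-ActiveSyncMailboxPolicy -Identity $PolicyName `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false

# 4. Exercise the published endpoint end to end from outside the CAS's own name
#    space. This prompts for a test mailbox's credentials; the test fails if the
#    certificate chain is untrusted, which is the symptom you want to catch here
#    rather than on the first user's phone.
Test-ActiveSyncConnectivity -URL "https://$External/Microsoft-Server-ActiveSync" `
    -MailboxCredential (Get-Credential) |
    Format-List Scenario, Result, Latency, Error
```

Pair this with a firewall rule that passes only TCP 443 from the internet to the CAS, as the answer describes, and nothing else; the Checkpoint logs should then show no other inbound ports reaching that host. If the ISA route in the answer is later chosen, the same certificate and virtual directory settings still apply, since ISA re-encrypts to the CAS over HTTPS.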


Author Comment

ID: 23613213
Do you have an alternate configuration setup other than ISA for ports and protocols for this? For example Sonicwall or Checkpoint? I cannot use an ISA firewall because it is a Microsoft product. I know this sounds stupid, but this is the scenario I was given.

LVL 65

Expert Comment

ID: 23614220
As far as I am aware ISA is the only way that you can publish ActiveSync without directly exposing the CAS server to the internet.

You don't have to use ISA as the firewall if you don't want to. It is perfectly possible to have a firewall in front of ISA with the ports open. So you would have two firewalls in place:

Internet --> FW 1 --> ISA Server --> FW2 --> CAS Server.

As long as the ISA server is NOT a member of the domain then the ports required to be open between CAS and ISA are limited.

