How can I secure Exchange 2007 with Active Sync

Posted on 2009-02-09
Last Modified: 2013-11-16
Ok here is the scenario. Right now in our current email configuration we have the following setup:
Outside email gets sent from the internet to our sendmail boxes, then to the Barracuda spam firewall, then to our Checkpoint firewall, then to eSafe where it gets scanned, and then finally sent to our Exchange 2007 server. We are trying to implement ActiveSync securely into this configuration. We are having a bit of disagreement over how to properly secure our internal email server. In our configuration we already have the same setup as an edge server with our Barracuda firewall in place. This does all our mail scrubbing and forwards it to our email server. Am I correct that this is all the edge server does? Do we need an Edge Transport server for ActiveSync to function? I was under the assumption that the Edge server only works with SMTP traffic and nothing else. I thought all we needed was an SSL cert from a trusted root authority that points to an outside FQDN "" and that NATs to the internal address of our email server. My boss is worried that we are then going to be vulnerable to outside attacks on our firewall and our email server. Is he correct in his assumption? Is this the most secure way to go? In Microsoft's example they are passing port 443 to the internal email server. Please help to shed some light on the situation.

Thanks in advance
Question by:MGS-TECH

    Expert Comment

    I am not an expert with multi-Exchange-server setups as you have, but ActiveSync does run over HTTPS (port 443) and you would essentially secure it the same way you would RPC over HTTP or OWA.

    Author Comment

    Currently we don't have multiple Exchange servers. It is just the one Exchange 2007 server with the Client Access Server role installed on it. How would I properly secure ActiveSync to connect to this internal email server?


    Accepted Solution

    You have two choices.
    1. Open port 443 directly to the CAS server.
    2. Install a separate server with ISA installed and publish ActiveSync, OWA etc through it.

    Neither of those requires an Edge.

    As for attacks - to date, neither Exchange nor IIS has been compromised. It has always been a third party application installed on top that was used as the compromise. Therefore if the server is dedicated to Exchange and is kept up to date with patches you are pretty safe.
    If you want the additional security then ISA is the only way to go, as it is designed to inspect the traffic.
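
Before taking choice 1 (opening 443 straight to the CAS), a pre-publish check of the things the question raises (HTTPS-only external URL, a trusted certificate covering the public FQDN, a device password policy) helps. This is an added example, not code from the thread; it assumes it runs in the Exchange 2007 Management Shell on the CAS, that the public name is the placeholder mail.example.com, and that the property names shown are those the 2007 cmdlets expose.

```powershell
# Added example: pre-publish checks before exposing ActiveSync on an Exchange 2007 CAS.
# Run in the Exchange Management Shell on the CAS. $ExternalFqdn is a placeholder
# for the outside FQDN that the firewall NATs to this server.
$ExternalFqdn = 'mail.example.com'   # placeholder, replace with your public name
$findings = @()

# 1. The ActiveSync virtual directory must only advertise an https:// URL for the public name.
$vdir = Get-ActiveSyncVirtualDirectory -Server $env:COMPUTERNAME
if (-not $vdir.ExternalUrl -or $vdir.ExternalUrl.Scheme -ne 'https') {
    $findings += "ExternalUrl is not an https:// URL ($($vdir.ExternalUrl))"
}
if ($vdir.ExternalUrl -and $vdir.ExternalUrl.Host -ne $ExternalFqdn) {
    $findings += "ExternalUrl host does not match $ExternalFqdn"
}
# ActiveSync clients use Basic authentication, so TLS is the only protection for the password.
if (-not $vdir.BasicAuthEnabled) {
    $findings += 'Basic authentication is disabled; ActiveSync clients cannot log on'
}

# 2. The certificate bound to IIS must cover the public name, be unexpired and not self-signed
#    (devices only trust a certificate chained to a trusted root, as the question assumes).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $findings += 'No certificate has the IIS service enabled'
} else {
    $names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
    if ($names -notcontains $ExternalFqdn) { $findings += "Certificate does not include $ExternalFqdn" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Certificate expires on $($cert.NotAfter)" }
    if ($cert.IsSelfSigned) { $findings += 'Certificate is self-signed; mobile devices will not trust it' }
}

# 3. Device policy: require a device password so a lost phone does not expose the cached mailbox.
$policy = Get-ActiveSyncMailboxPolicy | Where-Object { $_.IsDefaultPolicy }
if ($policy -and -not $policy.DevicePasswordEnabled) {
    $findings += 'Default ActiveSync mailbox policy does not require a device password'
}

# 4. End-to-end test of the ActiveSync endpoint on this CAS (needs the test mailbox created by
#    New-TestCasConnectivityUser.ps1 from the Exchange Scripts folder).
$test = Test-ActiveSyncConnectivity -ClientAccessServer $env:COMPUTERNAME
if ($test.Result -ne 'Success') { $findings += "Test-ActiveSyncConnectivity: $($test.Result)" }

if ($findings.Count -eq 0) { 'All pre-publish checks passed' } else { $findings }
```

Only after the script reports no findings is the NAT of TCP 443 to the CAS worth enabling; anything it lists is a gap the firewall cannot compensate for.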


    Author Comment

    Do you have an alternate configuration setup other than ISA for ports and protocols for this? For example Sonicwall or Checkpoint? I cannot use an ISA firewall because it is a Microsoft product. I know this sounds stupid, but this is the scenario I was given.


    Expert Comment

    As far as I am aware ISA is the only way that you can publish ActiveSync without directly exposing the CAS server to the internet.

    You don't have to use ISA as the firewall if you don't want to. It is perfectly possible to have a firewall in front of ISA with the ports open. So you would have two firewalls in place:

    Internet --> FW 1 --> ISA Server --> FW2 --> CAS Server.

    As long as the ISA server is NOT a member of the domain then the ports required to be open between CAS and ISA are limited.

