ActiveSync Without OWA

charlesjohnson asked:

We have a client that wants to use a Droid phone without the security risk of opening up OWA.  They have a 2003 Exchange server.  Can anyone tell me how to accomplish this?  Is it possible to open some ports for Active Sync without opening ports 80 and 443 to the exchange server?  OR, is there a component within the IIS website that we can disable/rename/alter so that the OWA site is not available while leaving ActiveSync working?
Alan Hardisty

OWA uses HTTPS - Activesync uses HTTPS (TCP Port 443).

If you want Activesync without opening TCP Port 443 (or 80), then you will need 3rd party software.
Why is there a security risk? HTTPS is secure, or at least all the online banks seem to think so!
charlesjohnson

ASKER

Apparently a network auditor that works for the NSA doesn't think so.
They have actually said it's insecure or that it's a potential "flaw"?

Sadly with these types of audits they always see access to your network from the outside as a "security flaw".

I would answer that by saying, it's only as secure or insecure as your users make it.  If they all have passwords that are "Password1" and they are set to never expire with no lockouts then yes that is pretty insecure.

Or if they write their passwords on a post-it note stuck under their keyboard, or in the back of their diary, then yes it's insecure.

But in all honesty, however you open your network to allow the use of mobile devices it's going to be insecure.  And seeing as OWA and ActiveSync both use port 443 this is likely to be a "flaw" if your users don't password protect their devices.

I would definitely rather have my 443 port secured with a valid 3rd party 2048bit SSL certificate.  Have a look at: http://en.m.wikipedia.org/wiki/RSA

Not only that, billions of companies, including banks use this type of encryption, if it's good enough for them....

What does your company do? Or is that top secret?
I have never had a server that I manage with port 443 open to the Internet compromised as a result of the port being open to allow HTTPS through, and neither has Demazter with all the servers he looks after. So whilst your security audit has raised it as a flaw, it is not one that the vast majority of the world worries about, and I doubt you need to worry about it either, unless you are doing something of National Importance!!
I completely agree with the comments above concerning the supposed security vulnerabilities of OWA.  Our company has set up hundreds of networks without ever having a problem with OWA and that's why I'm a bit out of my element trying to find a way to break OWA while maintaining ActiveSync.  For those of you familiar with security audits, you know that no matter how secure your network, they will always dig until they find something.  
Of course, in the consulting world, if the client is willing to pay for it, we're willing to try to make it happen.  I don't know of a way to do this and have found nothing so far indicating that it is possible.  EE has many sharp engineers so I thought it was worth a shot.  Thanks for your input!!
Just to confirm, we implement a strong password policy, use a 3rd party encrypted certificate and only allow access on port 443.  We work with banks, hospitals, city and county governments but this is the first time I've ever heard an auditor mention OWA as a risk.  I have spoken with other respected professionals who all echo the sentiments listed above.
If I can find a solution, I'll be sure to post it here.  Thanks again.
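The replies above put the real exposure on weak passwords and missing lockouts rather than on port 443 itself. The script below is an added example, not code from this thread, from Experts Exchange or from Microsoft, showing the check a defender would run for that failure mode: it parses IIS 6 W3C extended log lines from an Exchange 2003 front end and counts 401.1 logon failures per client IP, separately for the OWA virtual directories (/exchange, /exchweb, /public) and the ActiveSync one (/Microsoft-Server-ActiveSync), so that password guessing against either surface shows up even when no lockout policy stops it. The log lines are constructed for the example, the field list matches the IIS 6 default, and the flagging threshold of five failures is an assumption.

```python
"""Count logon failures against OWA and ActiveSync in IIS 6 W3C logs.

Added example, not from the Experts Exchange thread. Assumes IIS 6 W3C
extended logging with the default #Fields list; the log lines below are
constructed, not real traffic.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Exchange 2003 virtual directories: OWA is served from /exchange (with
# /exchweb and /public); Exchange ActiveSync from /Microsoft-Server-ActiveSync.
OWA_PREFIXES = ("/exchange", "/exchweb", "/public")
EAS_PREFIX = "/microsoft-server-activesync"

# Constructed sample: one normal auth challenge (401.2), five bad-password
# attempts (401.1, win32 1326 = ERROR_LOGON_FAILURE) against OWA from one
# address, one bad ActiveSync logon, and two successful logons.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-03-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-03-01 08:00:01 10.0.0.5 GET /exchange/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 2148074254
2011-03-01 08:00:02 10.0.0.5 GET /exchange/ - 443 - 203.0.113.7 Mozilla/5.0 401 1 1326
2011-03-01 08:00:03 10.0.0.5 GET /exchange/ - 443 - 203.0.113.7 Mozilla/5.0 401 1 1326
2011-03-01 08:00:04 10.0.0.5 GET /exchange/ - 443 - 203.0.113.7 Mozilla/5.0 401 1 1326
2011-03-01 08:00:05 10.0.0.5 GET /exchange/ - 443 - 203.0.113.7 Mozilla/5.0 401 1 1326
2011-03-01 08:00:06 10.0.0.5 GET /exchange/ - 443 - 203.0.113.7 Mozilla/5.0 401 1 1326
2011-03-01 08:00:10 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC&Cmd=Sync 443 CORP\\jdoe 198.51.100.20 Android/EAS 200 0 0
2011-03-01 08:00:11 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC&Cmd=Sync 443 - 198.51.100.21 Android/EAS 401 1 1326
2011-03-01 08:00:12 10.0.0.5 GET /exchange/ - 443 CORP\\asmith 192.0.2.9 Mozilla/5.0 200 0 0
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header.

    IIS encodes spaces inside values as '+', so whitespace splitting is safe.
    Lines whose field count does not match the header are skipped rather
    than guessed at.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file; honour the latest
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def classify(uri_stem: str) -> str:
    """Map a request path to the Exchange 2003 surface it belongs to."""
    stem = uri_stem.lower()
    if stem.startswith(EAS_PREFIX):
        return "activesync"
    if stem.startswith(OWA_PREFIXES):
        return "owa"
    return "other"


def is_logon_failure(record: Dict[str, str]) -> bool:
    """True for IIS 401.1 (logon failed) on the HTTPS port.

    A plain 401 with substatus 2 is the normal challenge that precedes every
    authenticated request, so it is excluded to avoid counting good logons.
    """
    return (record.get("sc-status") == "401"
            and record.get("sc-substatus") == "1"
            and record.get("s-port") == "443")


def logon_failures(records: List[Dict[str, str]], threshold: int = 5
                   ) -> Tuple[Counter, Dict[Tuple[str, str], int]]:
    """Count 401.1 per (client IP, surface); flag pairs at or over threshold."""
    failures: Counter = Counter()
    for r in records:
        if is_logon_failure(r):
            failures[(r["c-ip"], classify(r["cs-uri-stem"]))] += 1
    flagged = {key: n for key, n in failures.items() if n >= threshold}
    return failures, flagged


if __name__ == "__main__":
    _, hits = logon_failures(parse_w3c(SAMPLE_LOG.splitlines()))
    for (ip, surface), n in sorted(hits.items()):
        print(f"{ip} {surface}: {n} failed logons")
```

Run against a real IIS log by passing `open(path)` to `parse_w3c`; the threshold should be tuned to the window the log covers, and a long run of 401.1 from one address against either surface is the lockout that the password policy discussion above is really about.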
ASKER CERTIFIED SOLUTION
Glen Knight