Solved

BES10, Activesync and OWA securely?

Posted on 2013-06-07
1,496 Views
Last Modified: 2013-06-08
Help me brainstorm a solution to this one.
I have recently implemented a BES10 server to connect several Z10s. That part is working well. We also have several external users who use RSA tokens to access OWA. This requires port 443 to be forwarded into our single Exchange server. Prior to implementing the BES10 server, the ActiveSync feature was disabled on all accounts. Now, because BES10 talks to Exchange via ActiveSync and the feature needs to be turned on for the Z10 users, and because port 443 is directed to Exchange, we have only a single layer of credentials between the public network and the Z10 users on our Exchange server.

Potential solutions:
1. Change the port that ActiveSync uses on both the Exchange server as well as the BES10 server
2. Set up a 2nd Exchange server to handle the ActiveSync role

Details:
Exchange 2010
Server 2008r2
BES10

Many thanks (and points) to any helpers!
0
Comment
Question by:FuelSupport
8 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39230367
Firstly - you can't change the ports that Activesync uses. It is either port 80 (not recommended) or port 443.

Using port 443 with an SSL certificate is how all Activesync devices around the world work without any security issues, so there is no need for any second layer of security, unless you are thinking about ISA server or similar.

Alan
0
 

Author Comment

by:FuelSupport
ID: 39230722
I didn't explain very carefully: I don't want ActiveSync open to the public Internet. The problem is that I still need 443 forwarded to our Exchange server for OWA, which requires RSA as well as AD authentication. How can I allow OWA while not allowing ActiveSync visibility from the outside world?
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39230737
With all the accounts disabled for Activesync, there really isn't any need to do anything else unless you want to start re-configuring IIS and the microsoft-server-activesync Virtual Directory.
0

 

Author Comment

by:FuelSupport
ID: 39230742
Everyone's account has AS disabled, except for the Blackberry Server 10 (BES10) users. Those accounts have AS open to the world. What would need to be reconfigured in IIS to permit our BES10 server to access AS, but not the outside world? Is there a way to restrict IIS ActiveSync to only a single allowed IP (our BES10 server)?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39230752
I don't imagine for a minute (but I could be wrong) that the BES users using Activesync will go to your BES server and then be redirected to the Exchange Server; that isn't how Activesync works.

If you only allowed Activesync from your BES server, then your BES AS devices would stop working.
0
 

Author Comment

by:FuelSupport
ID: 39230788
No, it isn't a redirection. BES10 uses the AS mechanism, then sends the data out to RIM's servers, then to the Carrier's network and finally to the device. AS does not need to be open to the outside for this to function, just to the BES10 server. In fact, to the best of my knowledge, no firewall ports need to be open inbound to either BES10 or Exchange for this much to function. The problem is that we use OWA for travelling users, but that service is secured by RSA as well.

So I think we may be on to something: Can I specify, in IIS, which ip addresses can gain access to the ActiveSync site?
0
 

Author Comment

by:FuelSupport
ID: 39230812
http://support.microsoft.com/kb/324066

It looks like this may be the best way to secure our AS users from everywhere except the BES10 server.

Thank you for your input!
0
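The IIS restriction the author settles on (KB 324066, "IP and Domain Restrictions") can be applied to just the ActiveSync virtual directory from PowerShell, leaving /owa untouched. This is an added example, not code from the thread or from Microsoft; it assumes Exchange 2010 CAS on Server 2008 R2 (IIS 7.5), ActiveSync under "Default Web Site", and a placeholder BES10 address of 192.0.2.10.

```powershell
# Added example: restrict the ActiveSync vdir so only the BES10 server can reach it.
# Assumed: Exchange 2010 CAS on Server 2008 R2 (IIS 7.5), site "Default Web Site",
# placeholder BES10 address 192.0.2.10. Run in an elevated PowerShell on the CAS.
param(
    [string]$Bes10Ip = "192.0.2.10",                               # placeholder: your BES10 IP
    [string]$VDir    = "Default Web Site/Microsoft-Server-ActiveSync"
)

Import-Module ServerManager
Import-Module WebAdministration

# The IP and Domain Restrictions role service is not installed by default on 2008 R2.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Add-WindowsFeature Web-IP-Security | Out-Null
}

# ipSecurity is locked below applicationHost.config by default, so write the rule at the
# APPHOST level scoped with -Location instead of into the vdir's web.config.
$apphost = "MACHINE/WEBROOT/APPHOST"
$filter  = "system.webServer/security/ipSecurity"

# Deny every source address that is not explicitly listed. Only this vdir is affected;
# /owa keeps its existing RSA + AD protection and remains reachable from outside.
Set-WebConfigurationProperty -PSPath $apphost -Location $VDir -Filter $filter `
    -Name "allowUnlisted" -Value $false

# Allow the BES10 server. IIS matches the address it actually sees, so if BES10 traffic
# is NATed or proxied on the way to the CAS, list that address instead.
Add-WebConfigurationProperty -PSPath $apphost -Location $VDir -Filter $filter `
    -Name "." -Value @{ ipAddress = $Bes10Ip; allowed = "True" }

# Read the rule back so the change can be verified before testing from the outside.
$cfg = Get-WebConfiguration -PSPath $apphost -Location $VDir -Filter $filter
"allowUnlisted = {0}" -f $cfg.allowUnlisted
Get-WebConfiguration -PSPath $apphost -Location $VDir -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

After applying it, confirm from an external address that /Microsoft-Server-ActiveSync now returns HTTP 403 while /owa still prompts for RSA and AD credentials, and that the Z10s still sync through BES10.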
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39231233
0

Question has a verified solution.