BES10, Activesync and OWA securely?

Help me brainstorm a solution to this one.
I have recently implemented a BES10 server to connect several Z10s. That part is working well. We also have several external users who use RSA tokens to access OWA. This requires port 443 to be forwarded into our single Exchange server. Prior to implementing the BES10 server, the ActiveSync feature was disabled on all accounts. Now, because BES10 talks to Exchange via ActiveSync and the feature needs to be turned on for the Z10 users, and because port 443 is directed to Exchange, we have only a single layer of credentials between the public network and the Z10 users on our Exchange server.

Potential solutions:
1. Change the port that ActiveSync uses on both the Exchange server as well as the BES10 server
2. Set up a 2nd Exchange server to handle the ActiveSync role

Details:
Exchange 2010
Server 2008r2
BES10

Many thanks (and points) to any helpers!
Asked by FuelSupport
 
Alan Hardisty (Co-Owner) commented:
With all the accounts disabled for Activesync, there really isn't any need to do anything else unless you want to start re-configuring IIS and the microsoft-server-activesync Virtual Directory.
 
Alan Hardisty (Co-Owner) commented:
Firstly - you can't change the ports that Activesync uses. It is either port 80 (not recommended) or port 443.

Using port 443 with an SSL certificate is how all Activesync devices around the world work without any security issues, so there is no need for any second layer of security, unless you are thinking about ISA server or similar.

Alan
 
FuelSupport (Author) commented:
I didn't explain very carefully: I don't want ActiveSync open to the public Internet. The problem is that I still need 443 forwarded to our Exchange server for OWA, which requires RSA as well as AD authentication. How can I allow OWA while not allowing ActiveSync visibility from the outside world?
 
FuelSupport (Author) commented:
Everyone's account has AS disabled, except for the BlackBerry Server 10 (BES10) users. Those accounts have AS open to the world. What would need to be reconfigured in IIS to permit our BES10 server to access AS, but not the outside world? Is there a way to restrict IIS ActiveSync to only a single allowed IP (our BES10 server)?
 
Alan Hardisty (Co-Owner) commented:
I don't imagine for a minute (but I could be wrong), that the BES users using Activesync will go to your BES server and then be redirected to the Exchange Server, that isn't how Activesync works.

If you only allowed Activesync from your BES server, then your BES AS devices would stop working.
 
FuelSupport (Author) commented:
No, it isn't a redirection. BES10 uses the AS mechanism, then sends the data out to RIM's servers, then to the carrier's network and finally to the device. AS does not need to be open to the outside for this to function, just to the BES10 server. In fact, to the best of my knowledge, no firewall ports need to be open inbound to either BES10 or Exchange for this much to function. The problem is that we use OWA for travelling users, but that service is secured by RSA as well.

So I think we may be on to something: Can I specify, in IIS, which ip addresses can gain access to the ActiveSync site?
 
FuelSupport (Author) commented:
http://support.microsoft.com/kb/324066

It looks like this may be the best way to secure our AS users from everywhere except the BES10 server.

Thank you for your input!
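The IIS IP restriction the thread settles on (KB324066 applied to the Microsoft-Server-ActiveSync virtual directory only), written out as an added example for Exchange 2010 on Server 2008 R2 / IIS 7.5. This is not code from anyone in the thread. The site name "Default Web Site", the BES10 address 10.0.0.25 and the hostname mail.example.com are assumed placeholders; substitute your own.

```powershell
# Added example (not from the thread): allow only the BES10 server to reach the
# Microsoft-Server-ActiveSync virtual directory, leave /owa untouched, then verify.
# Assumed placeholder values: site "Default Web Site", BES10 at 10.0.0.25,
# external Exchange name mail.example.com. Run on the Exchange server as an admin.

$BesIP  = '10.0.0.25'
$VDir   = 'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync'
$Filter = '/system.webServer/security/ipSecurity'

# 1. The "IP and Domain Restrictions" role service is not installed by default
#    on Server 2008 R2; without it the ipSecurity section is silently ignored.
Import-Module ServerManager
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Add-WindowsFeature Web-IP-Security | Out-Null
}

Import-Module WebAdministration

# 2. Deny everything not explicitly listed, then allow the BES10 server.
#    Scoped to the ActiveSync vdir only: /owa, /ecp, /ews keep their own settings,
#    so OWA (with its RSA layer) stays reachable from outside.
Set-WebConfigurationProperty -PSPath $VDir -Filter $Filter `
    -Name allowUnlisted -Value $false
Add-WebConfigurationProperty -PSPath $VDir -Filter $Filter `
    -Name '.' -Value @{ ipAddress = $BesIP; allowed = $true }

# 3. Show the resulting rules for review.
Get-WebConfiguration -PSPath $VDir -Filter "$Filter/add" |
    Select-Object ipAddress, subnetMask, allowed

# 4. Verification helper: returns the HTTP status code a URL answers with.
#    Uses HttpWebRequest because Server 2008 R2 ships PowerShell 2.0, which has
#    no Invoke-WebRequest. No credentials are sent, so a reachable, auth-protected
#    vdir answers 401; the IP restriction answers 403 before auth is ever tried.
function Get-HttpStatus {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = 'OPTIONS'   # what an ActiveSync client sends first
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# Run from the BES10 server: expect 401 for ActiveSync (reachable, challenged).
# Run from any other address:  expect 403 for ActiveSync.
# OWA must answer from outside in both cases (401, or 200/302 to the logon form).
"ActiveSync: " + (Get-HttpStatus 'https://mail.example.com/Microsoft-Server-ActiveSync')
"OWA:        " + (Get-HttpStatus 'https://mail.example.com/owa')
```

Two things to check after applying this: run the verification from both an outside address and the BES10 server, since a rule that denies the BES10 server breaks every Z10 while still looking fine from the Internet; and re-run the Get-WebConfiguration review after Exchange rollups or service packs, because the rule lives in the virtual directory's web.config and a setup that recreates the vdir will drop it.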
 
Question has a verified solution.
