
Solved

BES10, Activesync and OWA securely?

Posted on 2013-06-07
8
Medium Priority
1,508 Views
Last Modified: 2013-06-08
Help me brainstorm a solution to this one.
I have recently implemented a BES10 server to connect several Z10s. That part is working well. We also have several external users who use RSA tokens to access OWA. This requires port 443 to be forwarded into our single Exchange server. Prior to implementing the BES10 server, the ActiveSync feature was disabled on all accounts. Now, because BES10 talks to Exchange via ActiveSync and the feature needs to be turned on for the Z10 users, and because port 443 is directed to Exchange, we have only a single layer of credentials between the public network and the Z10 users on our Exchange server.

Potential solutions:
1. Change the port that ActiveSync uses on both the Exchange server as well as the BES10 server
2. Set up a 2nd Exchange server to handle the ActiveSync role

Details:
Exchange 2010
Server 2008r2
BES10

Many thanks (and points) to any helpers!
Question by:FuelSupport
8 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39230367
Firstly - you can't change the ports that Activesync uses. It is either port 80 (not recommended) or port 443.

Using port 443 with an SSL certificate is how all Activesync devices around the world work without any security issues, so there is no need for any second layer of security, unless you are thinking about ISA server or similar.

Alan
0
 

Author Comment

by:FuelSupport
ID: 39230722
I didn't explain very carefully: I don't want ActiveSync open to the public Internet. The problem is that I still need 443 forwarded to our Exchange server for OWA, which requires RSA as well as AD authentication. How can I allow OWA while not allowing ActiveSync visibility from the outside world?
0
 
LVL 76

Accepted Solution

by:Alan Hardisty (earned 1500 total points)
ID: 39230737
With all the accounts disabled for Activesync, there really isn't any need to do anything else unless you want to start re-configuring IIS and the microsoft-server-activesync Virtual Directory.
0

 

Author Comment

by:FuelSupport
ID: 39230742
Everyone's account has AS disabled, except for the BlackBerry Enterprise Server 10 (BES10) users. Those accounts have AS open to the world. What would need to be reconfigured in IIS to permit our BES10 server to access AS, but not the outside world? Is there a way to restrict IIS ActiveSync to only a single allowed IP (our BES10 server)?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39230752
I don't imagine for a minute (but I could be wrong), that the BES users using Activesync will go to your BES server and then be redirected to the Exchange Server, that isn't how Activesync works.

If you only allowed Activesync from your BES server, then your BES AS devices would stop working.
0
 

Author Comment

by:FuelSupport
ID: 39230788
No, it isn't a redirection. BES10 uses the AS mechanism, then sends the data out to RIM's servers, then to the carrier's network, and finally to the device. AS does not need to be open to the outside for this to function, just to the BES10 server. In fact, to the best of my knowledge, no firewall ports need to be open inbound to either BES10 or Exchange for this much to function. The problem is that we use OWA for travelling users, but that service is secured by RSA as well.

So I think we may be on to something: Can I specify, in IIS, which ip addresses can gain access to the ActiveSync site?
0
 

Author Comment

by:FuelSupport
ID: 39230812
http://support.microsoft.com/kb/324066

It looks like this may be the best way to secure our AS users from everywhere except the BES10 server.

Thank you for your input!
0
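The KB article above walks through IIS's "IP Address and Domain Restrictions" feature in the GUI. The following script is an added example (not from the thread or from BlackBerry/Microsoft) that applies the same restriction from PowerShell on an Exchange 2010 / Server 2008 R2 box, scoped to the Microsoft-Server-ActiveSync virtual directory only so that /owa on the same site and port 443 is untouched. It assumes Exchange is published under "Default Web Site" and uses 10.0.0.25 as a placeholder for the address the BES10 server is seen from by IIS (if a NAT device or reverse proxy sits between them, use the address IIS actually logs).

```powershell
# Added example: allow ActiveSync only from the BES10 server, deny all other
# source addresses, leaving OWA on the same site unaffected.
# Run in an elevated PowerShell session on the Exchange server.

$besServerIp = '10.0.0.25'   # placeholder: source IP of BES10 as seen by IIS
$vdirPath    = 'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync'
$filter      = '/system.webServer/security/ipSecurity'

# 1. The IP and Domain Restrictions role service is not installed by default.
Import-Module ServerManager
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Add-WindowsFeature Web-IP-Security | Out-Null
}
Import-Module WebAdministration

# 2. ipSecurity is locked at the server level. Unlock it so the rule can be
#    set on this one virtual directory instead of the whole Default Web Site.
Set-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Metadata overrideMode -Value Allow

# 3. Deny every address that is not explicitly listed, then list BES10.
Set-WebConfigurationProperty -Filter $filter -PSPath $vdirPath `
    -Name allowUnlisted -Value $false

$existing = Get-WebConfiguration -Filter "$filter/add[@ipAddress='$besServerIp']" -PSPath $vdirPath
if (-not $existing) {
    Add-WebConfigurationProperty -Filter $filter -PSPath $vdirPath -Name '.' `
        -Value @{ ipAddress = $besServerIp; allowed = $true }
}

# 4. Show the effective rules for the ActiveSync vdir so the change can be
#    checked against what the GUI in KB 324066 displays.
Get-WebConfiguration -Filter "$filter/add" -PSPath $vdirPath |
    Select-Object ipAddress, subnetMask, allowed
```

After applying it, an ActiveSync request from any other address receives HTTP 403.6 (IP address rejected) and is logged as such in the IIS site log, which gives a simple thing to alert on, while /owa keeps its RSA plus AD login. Note that Exchange's own Test-ActiveSyncConnectivity run from a host other than BES10 will now fail by design, so run it from the BES10 server or temporarily add that host to the list.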
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39231233
0
