BES10, Activesync and OWA securely?

Posted on 2013-06-07
Last Modified: 2013-06-08
Help me brainstorm a solution to this one.
I have recently implemented a BES10 server to connect several Z10s. That part is working well. We also have several external users who use RSA tokens to access OWA. This requires port 443 to be forwarded into our single Exchange server. Prior to implementing the BES10 server, the ActiveSync feature was disabled on all accounts. Now, because BES10 talks to Exchange via ActiveSync and the feature needs to be turned on for the Z10 users, and because port 443 is directed to Exchange, we have only a single layer of credentials between the public network and the Z10 users on our Exchange server.

Potential solutions:
1. Change the port that ActiveSync uses on both the Exchange server as well as the BES10 server
2. Set up a second Exchange server to handle the ActiveSync role

Details:
Exchange 2010
Server 2008r2
BES10

Many thanks (and points) to any helpers!
Question by:FuelSupport

8 Comments

Expert Comment

by:Alan Hardisty
Firstly - you can't change the ports that Activesync uses. It is either port 80 (not recommended) or port 443.

Using port 443 with an SSL certificate is how all Activesync devices around the world work without any security issues, so there is no need for any second layer of security, unless you are thinking about ISA server or similar.

Alan

Author Comment

by:FuelSupport
I didn't explain very carefully: I don't want ActiveSync open to the public Internet. The problem is that I still need 443 forwarded to our Exchange server for OWA, which requires RSA as well as AD authentication. How can I allow OWA while not allowing ActiveSync visibility from the outside world?

Accepted Solution

by:Alan Hardisty (earned 500 total points)
With all the accounts disabled for Activesync, there really isn't any need to do anything else unless you want to start re-configuring IIS and the microsoft-server-activesync Virtual Directory.

Author Comment

by:FuelSupport
Everyone's account has AS disabled, except for the BlackBerry Server 10 (BES10) users. Those accounts have AS open to the world. What would need to be reconfigured in IIS to permit our BES10 server to access AS, but not the outside world? Is there a way to restrict IIS ActiveSync to only a single allowed IP (our BES10 server)?

Expert Comment

by:Alan Hardisty
I don't imagine for a minute (but I could be wrong) that the BES users using Activesync will go to your BES server and then be redirected to the Exchange Server; that isn't how Activesync works.

If you only allowed Activesync from your BES server, then your BES AS devices would stop working.

Author Comment

by:FuelSupport
No, it isn't a redirection. BES10 uses the AS mechanism, then sends the data out to RIM's servers, then to the carrier's network, and finally to the device. AS does not need to be open to the outside for this to function, just to the BES10 server. In fact, to the best of my knowledge, no firewall ports need to be open inbound to either BES10 or Exchange for this much to function. The problem is that we use OWA for travelling users, but that service is secured by RSA as well.

So I think we may be on to something: Can I specify, in IIS, which ip addresses can gain access to the ActiveSync site?

Author Comment

by:FuelSupport
http://support.microsoft.com/kb/324066

It looks like this may be the best way to secure our AS users from everywhere except the BES10 server.

Thank you for your input!
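One way to apply what the KB article describes to this setup, as an added example and not anything posted in the thread: a PowerShell script that restricts the Microsoft-Server-ActiveSync virtual directory in IIS to the BES10 server's address while leaving /owa untouched. It assumes Exchange 2010 on Server 2008 R2 with the virtual directory under "Default Web Site", and uses 10.0.0.50 as a placeholder for the BES10 server's internal IP.

```powershell
# Added example (not from the thread). Assumes Exchange 2010 CAS on Server 2008 R2,
# the ActiveSync vdir under "Default Web Site", and a placeholder BES10 address.
# Run in an elevated PowerShell session on the Exchange server.
Import-Module ServerManager
Import-Module WebAdministration

$site   = 'Default Web Site'
$vdir   = 'Microsoft-Server-ActiveSync'
$bes10  = '10.0.0.50'            # placeholder: replace with the real BES10 server IP
$path   = "$site/$vdir"
$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/ipSecurity'

# 1. The "IP and Domain Restrictions" role service must be present, otherwise
#    the ipSecurity section is ignored and nothing is actually enforced.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Add-WindowsFeature Web-IP-Security | Out-Null
}

# 2. Deny every address that is not explicitly listed, scoped to the ActiveSync
#    vdir only. Other vdirs on the same site (/owa, /ecp) keep their defaults,
#    so the RSA-protected OWA path stays reachable from the Internet.
Set-WebConfigurationProperty -PSPath $apphost -Location $path `
    -Filter $filter -Name 'allowUnlisted' -Value $false

# 3. Allow the BES10 server. Drop any existing entry for the same address first
#    so the script can be re-run without creating duplicate rules.
Remove-WebConfigurationProperty -PSPath $apphost -Location $path `
    -Filter $filter -Name '.' -AtElement @{ ipAddress = $bes10 } `
    -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $apphost -Location $path `
    -Filter $filter -Name '.' -Value @{ ipAddress = $bes10; allowed = $true }

# 4. Show the effective rules. A request to https://<exchange>/Microsoft-Server-ActiveSync
#    from any other address should now be answered with HTTP 403 (403.6).
Get-WebConfiguration -PSPath $apphost -Location $path -Filter $filter |
    Format-List allowUnlisted
Get-WebConfiguration -PSPath $apphost -Location $path -Filter "$filter/add" |
    Format-Table ipAddress, allowed -AutoSize
```

A host firewall rule cannot achieve this because OWA and ActiveSync share port 443, so the vdir-level IIS restriction is the right granularity; it complements, rather than replaces, leaving ActiveSync disabled on non-BES mailboxes (Set-CASMailbox -ActiveSyncEnabled $false).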
Expert Comment

by:Alan Hardisty
