BES10, Activesync and OWA securely?

Solved. Posted on 2013-06-07. Last Modified: 2013-06-08. 1,487 Views.
Help me brainstorm a solution to this one.
I have recently implemented a BES10 server to connect several Z10's. That part is working well. We also have several external users who use RSA tokens to access OWA. This requires port 443 to be forwarded into our single Exchange server. Prior to implementing the BES10 server, the ActiveSync feature was disabled on all accounts. Now, because BES10 talks to Exchange via ActiveSync and the feature needs to be turned on for the Z10 users, and because port 443 is directed to Exchange, we have only a single layer of credentials between the public network and the Z10 users on our Exchange server.

Potential solutions:
1. Change the port that ActiveSync uses on both the Exchange server and the BES10 server
2. Set up a second Exchange server to handle the ActiveSync role

Details:
Exchange 2010
Server 2008r2
BES10

Many thanks (and points) to any helpers!
Question by: FuelSupport

8 Comments

Expert Comment by Alan Hardisty (ID: 39230367)
Firstly - you can't change the ports that Activesync uses. It is either port 80 (not recommended) or port 443.

Using port 443 with an SSL certificate is how all Activesync devices around the world work without any security issues, so there is no need for any second layer of security, unless you are thinking about ISA server or similar.

Alan

Author Comment by FuelSupport (ID: 39230722)
I didn't explain very carefully: I don't want ActiveSync open to the public Internet. The problem is that I still need 443 forwarded to our Exchange server for OWA, which requires RSA as well as AD authentication. How can I allow OWA while not allowing ActiveSync visibility from the outside world?

Accepted Solution by Alan Hardisty (earned 500 total points; ID: 39230737)
With all the accounts disabled for Activesync, there really isn't any need to do anything else unless you want to start re-configuring IIS and the microsoft-server-activesync Virtual Directory.

Author Comment by FuelSupport (ID: 39230742)
Everyone's account has AS disabled, except for the BlackBerry Enterprise Server 10 (BES10) users. Those accounts have AS open to the world. What would need to be reconfigured in IIS to permit our BES10 server to access AS, but not the outside world? Is there a way to restrict IIS ActiveSync to only a single allowed IP (our BES10 server)?

Expert Comment by Alan Hardisty (ID: 39230752)
I don't imagine for a minute (but I could be wrong) that the BES users using Activesync will go to your BES server and then be redirected to the Exchange Server; that isn't how Activesync works.

If you only allowed Activesync from your BES server, then your BES AS devices would stop working.

Author Comment by FuelSupport (ID: 39230788)
No, it isn't a redirection. BES10 uses the AS mechanism, then sends the data out to RIM's servers, then to the carrier's network and finally to the device. AS does not need to be open to the outside for this to function, just to the BES10 server. In fact, to the best of my knowledge, no firewall ports need to be open inbound to either BES10 or Exchange for this much to function. The problem is that we use OWA for travelling users, but that service is secured by RSA as well.

So I think we may be on to something: Can I specify, in IIS, which ip addresses can gain access to the ActiveSync site?

Author Comment by FuelSupport (ID: 39230812)
http://support.microsoft.com/kb/324066

It looks like this may be the best way to secure our AS users from everywhere except the BES10 server.

Thank you for your input!
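The IP restriction the thread settles on, written out as an added example for Exchange 2010 on Server 2008 R2 (IIS 7.5); this is not from the thread or from Microsoft's KB article. It assumes the site is "Default Web Site" and uses 192.0.2.10 as a placeholder for the BES10 server's address; only the ActiveSync virtual directory is touched, so OWA keeps working as before.

```powershell
# Added example (not from the thread): restrict the ActiveSync virtual
# directory to the BES10 server only, leaving /owa and the rest of the site alone.
# Assumptions: site name "Default Web Site", BES10 address 192.0.2.10 (placeholder).
$BesServerIp = '192.0.2.10'
$EasVdir     = 'Default Web Site/Microsoft-Server-ActiveSync'
$AppCmd      = "$env:windir\System32\inetsrv\appcmd.exe"
$Section     = 'system.webServer/security/ipSecurity'

# 1. The "IP and Domain Restrictions" role service is not installed by default.
Import-Module ServerManager
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Add-WindowsFeature Web-IP-Security | Out-Null
}

# 2. Deny every address that is not explicitly listed, scoped to the EAS
#    virtual directory. /commit:apphost writes a <location> entry into
#    applicationHost.config, which works even though the section is locked there.
& $AppCmd set config $EasVdir "-section:$Section" /allowUnlisted:False /commit:apphost

# 3. Allow the BES10 server, plus loopback so Test-ActiveSyncConnectivity
#    run on the Exchange server itself still succeeds.
& $AppCmd set config $EasVdir "-section:$Section" "/+[ipAddress='$BesServerIp',allowed='True']" /commit:apphost
& $AppCmd set config $EasVdir "-section:$Section" "/+[ipAddress='127.0.0.1',allowed='True']" /commit:apphost

# 4. Show the effective rules. Any other source address now receives
#    HTTP 403.6 (IP address rejected) before authentication is attempted.
& $AppCmd list config $EasVdir "-section:$Section"
```

If the BES10 server reaches Exchange through a NAT or load balancer, allow the source address IIS actually sees in its W3SVC logs, not the server's own interface address.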
Expert Comment by Alan Hardisty (ID: 39231233)