Solved

Exchange 2013 - restrict remote connections based on certificate

Posted on 2014-12-10
Last Modified: 2016-01-15
I have 4 Exchange Servers, 2 front end CAS Servers and 2 MBX servers. All is up and has been running great for 14 months now. I'm wanting to be able to manage what machines have remote access to Exchange, ActiveSync etc. to prevent unauthorized or personal desktops from simply using the autodiscover service to connect to Exchange.

I'm seeing a lot about certificate based authentication which could be nice, but what I would really like to do is generate a certificate from my domain controller and have Exchange simply check for this private certificate. If the certificate is present on the desktop or mobile device, users can still connect with their domain credentials just like they do today. I can deploy this generated certificate to my mobile devices and laptops easily. Can anyone get me started in the right direction to accomplish this?

Thank You,
Question by: DeltaMN
2 Comments

Accepted Solution by: Carol Chisholm (earned 500 total points)
ID: 40493234
I'd suggest using Web Application Proxy, the reverse proxy built into Server 2012 R2.
It's easy to configure.
Ideally you would do ADFS and Device Registration, which gives you really fine control, but you can just do certificate based authentication:

Here are some of the TechNet links:
http://technet.microsoft.com/en-us/library/dn280942.aspx
http://technet.microsoft.com/en-us/library/dn584098.aspx

Here's a link about doing fine grained authentication:
http://blog.auth360.net/category/web-application-proxy/

Here is one on SharePoint, but it's much the same thing:
http://www.brightstarr.com/sharepoint-technology-and-application-insights/securely-publishing-sharepoint-externally-using-web-application-proxy
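As an added example of the Web Application Proxy plus AD FS approach suggested above (not code from the answer, Microsoft's documentation or either poster): the publishing commands on the Server 2012 R2 proxy, followed by an AD FS issuance authorization rule that only admits devices enrolled through Device Registration. Hostnames, the certificate thumbprint and the relying-party names are placeholders, and it assumes the relying-party trust for OWA already exists on the AD FS farm.

```powershell
# Added example; hostnames, thumbprint and relying-party names are placeholders.
# Steps 1-2 run on the Server 2012 R2 Web Application Proxy server.

# 1. Join the proxy to the AD FS farm (once). The certificate must cover the
#    external name being published (mail.example.com).
$externalCert = "PLACEHOLDER-THUMBPRINT"
Install-WebApplicationProxy -CertificateThumbprint $externalCert `
    -FederationServiceName "adfs.example.com" `
    -FederationServiceTrustCredential (Get-Credential -Message "AD FS admin")

# 2. Publish OWA and ECP with AD FS pre-authentication, so the proxy sends the
#    client to AD FS before any request reaches the CAS servers. The relying
#    party "Exchange owa"/"Exchange ecp" must already exist on AD FS.
foreach ($vdir in "owa", "ecp") {
    Add-WebApplicationProxyApplication -Name "Exchange $vdir" `
        -ExternalPreauthentication ADFS `
        -ADFSRelyingPartyName "Exchange $vdir" `
        -ExternalUrl "https://mail.example.com/$vdir/" `
        -BackendServerUrl "https://cas01.example.local/$vdir/" `
        -ExternalCertificateThumbprint $externalCert
}

# ActiveSync uses Basic auth, which 2012 R2 WAP cannot pre-authenticate with
# AD FS; it can only be published pass-through, so the device rule below
# does not protect it.
Add-WebApplicationProxyApplication -Name "Exchange ActiveSync" `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://mail.example.com/Microsoft-Server-ActiveSync/" `
    -BackendServerUrl "https://cas01.example.local/Microsoft-Server-ActiveSync/" `
    -ExternalCertificateThumbprint $externalCert

# Check what is published and how each application is pre-authenticated.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl -AutoSize

# 3. On the AD FS server: Device Registration must already be enabled
#    (Initialize-ADDeviceRegistration, Enable-AdfsDeviceRegistration). Turn on
#    device authentication and permit the OWA relying party only when AD FS
#    sees the registered-device claim for the signing-in user.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
$rules = @'
@RuleName = "Permit only registered devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value =~ "^(?i)true$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Exchange owa" -IssuanceAuthorizationRules $rules
```

A device without the registration certificate then fails at AD FS and never reaches the CAS servers, which is the "fine control" the answer refers to; the AD FS sign-in and device-registration event logs are where to confirm a rejected attempt.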

Author Comment by: DeltaMN
ID: 40496103
Thank you for the direction. I wasn't sure if I could require a certificate from the CAS Servers' ActiveSync website. The Web Application Proxy sounds like a good solution; I'm going to leave this post open and hopefully I get some additional ideas before I start investing my time.
