Securely opening Activesync to the internet

  • Securely opening Activesync to the internet

    We run a single Exchange 2007 server with approximately 200 users.
    5 or so of these users now require Activesync from their mobile devices. All mobiles are running WinMo 6.1 so nothing curly there.

    Obviously we need to allow access from the internet to part of IIS on the Exchange server. We have already set up and tested security on IIS itself (SSL, client certificates required) but I'm looking for some guidance as to how we should actually open up the server. Since this server is also running OWA for clients on the LAN we do NOT want to simply forward port 443 to the Exchange Server.

    From a bit of research I gather these are our options:
    1. Restrict access by IP at the "Default Web Site" level of IIS to just the LAN then explicitly allow internet IPs to access the Microsoft-Server-Activesync virtual directory
    2. Add a second IP address to the NIC, set up a separate site under IIS bound to the new IP, create a new Activesync VD under this new site then forward port 443 to this new site.
    3. Use Squid or Apache in the DMZ to do reverse proxying to the exchange server
    4. Shell out the cash for a new box with ISA 2006 on it to publish Activesync

    Any input very much appreciated!

  • #2
    Re: Securely opening Activesync to the internet

    I'd probably try the first option myself.

    Sure, ISA would give you more security, but this option would meet your needs in the most appropriate way.



    • #3
      Re: Securely opening Activesync to the internet

      What specific worries do you have regarding allowing port 443 through the firewall to the Exchange server?



      • #4
        Re: Securely opening Activesync to the internet

        It comes from a deep-rooted (although admittedly old-fashioned) mistrust in the security of IIS combined with the fact that this box also serves up OWA to the LAN. By necessity that part of it is only secured by NTLM and SSL - and despite the best efforts of 'require complex passwords' I know users are still using weak passwords. The nature of the data on this particular network somewhat mandates that we have something a bit stronger than a Windows password and a fairly strict lockout policy protecting it from the big evil internet...



        • #5
          Re: Securely opening Activesync to the internet

          IMHO, it's not necessarily old-fashioned but it might be overblown. Many, many companies allow access to OWA and Activesync through the internet to their Exchange server, either directly or via a DMZ\Proxy.



          • #6
            Re: Securely opening Activesync to the internet

            Originally posted by joeqwerty:
            Many, many companies allow access to OWA and Activesync through the internet to their Exchange server, either directly or via a DMZ\Proxy.
            Absolutely - I've done it several times in small businesses with much less sensitive data.

            But let's say the data (even just in OWA) is of a 'national media coverage, lose your job and never work in IT again if it's compromised' type - would you be comfortable having the box that open?

            Initially I was just going to do the following:
            Add second IP to the NIC
            Create another website under IIS
            Restrict default website to LAN ips only
            Bind the new website to the secondary IP
            Create MSA virtual directory on new site
            Forward port 443 to secondary IP address
            Require client certificates

            And call it done at that... would you say that's an appropriate level of security? We have a strong leaning towards being paranoid around here

            EDIT: Maybe I need my tinfoil hat on here but I'm kinda envisioning something like an IIS flaw resulting in the box being compromised and all hell breaking loose. At present NOTHING inbound is forwarded to the LAN. We have more secure boxen in the DMZ to handle that kind of thing...
            Last edited by rozboon; 10th December 2009, 04:03.
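            For readers wanting to see what option 1 from the opening post looks like in practice, combined with the client-certificate requirement from the plan above, here is an added example (not from this thread or from Microsoft): an applicationHost.config excerpt for IIS 7 on Windows Server 2008. It assumes the IP and Domain Restrictions role service is installed, that the ipSecurity section has been unlocked at server level, and that the site name, LAN subnet and the ActiveSync virtual directory path are replaced with the real ones (the values shown are constructed placeholders). Because mobile carriers' source addresses cannot be predicted, the ActiveSync directory is opened to any address and relies on the client certificate instead of an IP allow-list.

```xml
<!-- applicationHost.config excerpt (IIS 7, Windows Server 2008). Added example;
     site name, subnet and CA details are constructed placeholders. -->

<!-- Whole site: deny every address that is not listed, so OWA and the rest of
     Default Web Site answer only to the LAN even though 443 is forwarded in. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="192.168.1.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>

<!-- ActiveSync directory only: override the site rule and accept any source
     address, but require SSL plus a client certificate on every request. -->
<location path="Default Web Site/Microsoft-Server-ActiveSync">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="true">
        <clear />
      </ipSecurity>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>
  </system.webServer>
</location>
```

The check a practitioner would add before trusting this: from an address outside the LAN subnet, request the site root and /owa and confirm a 403, then request /Microsoft-Server-ActiveSync without a certificate and confirm a 403.7 (client certificate required), since the forwarded port reaches IIS regardless and only these rules stand between the internet and OWA.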



            • #7
              Re: Securely opening Activesync to the internet

              IMHO it all depends on the company's aversion to risk. It sounds like they err on the side of caution at the expense of usability. I think it's neither good nor bad, it's a matter of what the company is willing to accept in terms of risk to accommodate usability and productivity.

              I'm not so sure though that your plan is actually accomplishing what you want. Adding a second NIC and creating another Activesync virtual directory and forwarding port 443 to this new virtual directory may sound like a good idea, but what's to stop me (or anyone else) from going there with my browser? You're adding complexity but I don't see that it's increasing your security posture.

              I need to think about it for a bit to see if I can think of what upsides, downsides exist with this plan and I'm sure others will chime in to offer their advice and two cents as well.

              Stay tuned...



              • #8
                Re: Securely opening Activesync to the internet

                Swings and roundabouts, as always.

                If the data, even just in OWA, is of that level of importance then it requires appropriate protection. I'd be pushing for ISA Server, or Forefront TMG very shortly, to protect the server. IMHO it's a far greater risk allowing ActiveSync at all than publishing OWA to the Internet if the data is that valuable. Phones can and will get lost, stolen or left on trains, and although there are options for WinMo like remote wipe, not all phones that support ActiveSync support remote wipe AFAIK. Somewhere down the line someone will want an iPhone, or a Nokia because a WinMo isn't shiny enough.

                I work with a customer whose data is considered so critical that no remote access of any kind is allowed, no OWA, ActiveSync or Outlook Anywhere and although all users have email addresses only one email address is used to send and receive from the internet for all of those users.

                You need to decide what balance between security and functionality is appropriate, in conjunction with management, and implement procedures accordingly.

                Also, just out of curiosity, why are LAN users using OWA and not Outlook?
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS



                • #9
                  Re: Securely opening Activesync to the internet

                  Originally posted by cruachan:
                  IMHO it's a far greater risk allowing ActiveSync at all than publishing OWA to the Internet if the data is that valuable. Phones can and will get lost, stolen or left on trains, and although there are options for WinMo like remote wipe, not all phones that support ActiveSync support remote wipe AFAIK. Somewhere down the line someone will want an iPhone, or a Nokia because a WinMo isn't shiny enough.
                  Remote wipe is an absolute pre-requisite for any phone that will connect to this server. No WinMo, no connect basically. Although I understand the iPhone 3GS might support it - which is a bonus for the more 'fashionable' managers I guess...

                  Originally posted by cruachan:
                  Also, just out of curiosity, why are LAN users using OWA and not Outlook?
                  Because OWA is decidedly cheaper than Outlook and serves their needs pretty well

                  Thanks for the input everyone
                  Last edited by rozboon; 10th December 2009, 23:41.



                  • #10
                    Re: Securely opening Activesync to the internet

                    Thought that might be the reason. It was rather nasty of Microsoft to take away the free Outlook CAL that used to come with every Exchange CAL, something I only found out last week from Teiger in the SBS forum.

                    If Remote Wipe is a requirement I would personally get that kind of stuff in writing and signed off. Before somebody (usually in the marketing department IME) has an outbreak of shiny kit syndrome and wants a different phone. My MD has an iPhone and the sales director a Nokia running Mail for Exchange, as Windows Mobiles are for geeks as far as they are concerned.



                    • #11
                      Re: Securely opening Activesync to the internet

                      Yeah we're very big on written policy here, shiny-kit syndrome shouldn't be an issue.
                      I wonder if I could deliberately exclude the iPhone with some crafty use of policies... although I suspect this would have a marked effect on the IT budget next year

                      At this point it looks like we'll be going with something along these lines:
                      OpenBSD+Apache on ALIX device sitting in the DMZ running as a reverse proxy - at least this way a potential attacker doesn't know that there's a juicier prize behind it and hopefully any attacks would be targeted at the rather more secure BSD+Apache combination instead of IIS...

                      And we've added ISA2006 to the 2010 shopping list. So we'll eventually go that way but for now this will have to do. I'm not sure I want to go to management and tell them that they have to choose between having Activesync and having a few thousand dollars
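                      As an added illustration of the DMZ reverse-proxy design described above (example configuration, not the poster's own and not tied to any particular OpenBSD release), the following httpd.conf excerpt assumes Apache 2.2 with mod_ssl, mod_proxy and mod_proxy_http loaded; the hostname, certificate paths and the internal Exchange address are constructed placeholders. It publishes only the ActiveSync virtual directory, refuses every other path at the proxy, and verifies the device's client certificate at the edge before anything is forwarded to IIS.

```apache
# httpd.conf excerpt for the DMZ reverse proxy. Added example; assumes
# Apache 2.2 with mod_ssl, mod_proxy and mod_proxy_http. All names and
# addresses below are constructed placeholders.
Listen 443

<VirtualHost *:443>
    ServerName mail.example.com

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile    /etc/ssl/proxy.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.key

    # Client certificates are verified here, before the request ever reaches
    # IIS. Only certificates chaining to the internal CA are accepted.
    SSLCACertificateFile  /etc/ssl/internal-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Re-encrypt on the DMZ-to-LAN leg so the Exchange server keeps using SSL.
    SSLProxyEngine On

    # Default: nothing is published. OWA, /exchange, /rpc and the site root
    # are answered with 403 by the proxy and never forwarded.
    <Location />
        Order deny,allow
        Deny from all
    </Location>

    # The one path that is published, forwarded to the internal Exchange box.
    <Location /Microsoft-Server-ActiveSync>
        Order allow,deny
        Allow from all
        ProxyPass        https://10.0.0.10/Microsoft-Server-ActiveSync
        ProxyPassReverse https://10.0.0.10/Microsoft-Server-ActiveSync
    </Location>
</VirtualHost>
```

One caveat that follows from this design: because the proxy terminates the device's SSL session, it cannot replay the device's certificate to IIS, so the "require client certificates" setting on the Exchange-side ActiveSync directory has to be relaxed to accept or ignore; the certificate check then lives at the proxy, and the device still authenticates to Exchange with its Basic credentials over the re-encrypted link. Firewall rules should allow the Exchange server to accept 443 only from the proxy's DMZ address.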



                      • #12
                        Re: Securely opening Activesync to the Internet

                        You are aware that for this scenario Apache is less secure than IIS?

                        I know that is a rather bold statement.

                        The combination of IIS and Exchange has never been compromised.

                        In fact I am pretty sure that IIS itself has never been compromised. All compromises of web sites on IIS have been caused by poor code being used on top of the server. The fact that IIS allows that code to be run in a way that it shouldn't (which apache does not) does create a weakness, but if the code is created correctly, then it is a very secure OS.

                        However if the server is dedicated to Exchange, is not running anything else that is inside IIS, I have no problems with directly exposing it to the Internet. Open just port 443 and nothing else.

                        I work a lot with financial services, as it is one of my specialist areas. I can't name most of my clients in that space. However what I can tell you is that the most popular thing to protect their Internet facing systems is ISA. They love it. Their network security people adore ISA server with its packet inspection stuff.

                        Therefore if you are totally paranoid about network security, ISA is the tool of choice.

                        Of course that doesn't stop the main weak point in the network security model - wetware.

                        Simon.
                        --
                        Simon Butler
                        Exchange MVP

                        Blog: http://blog.sembee.co.uk/
                        More Exchange Content: http://exchange.sembee.info/
                        Exchange Resources List: http://exbpa.com/
                        In the UK? Hire me: http://www.sembee.co.uk/

                        Sembee is a registered trademark, used here with permission.
