So Microsoft has posted this article for those who want to deploy Push email but this is interesting that I've noticed this today almost immediately after going through an online discussion with some of the security team at my end that has seen us decide (read - me capitulate under overwhelming numbers??) to try using Nokia's Intellisync to achieve push email.
OK, I'm gutted, and not just because I've spent so much spare time over the last 9 months or so trying to line this up but the reality of it is that some stage I have to liaise with the security team to establish the path that is to be traversed by the Mobile Devices to connect with the Exchange Server.
Now I'm sure that in some ways we are almost indicative of most of the small to medium companies out there in that I'm trying to get this working around a single Checkpoint Firewall and talk to a single Exchange Server without upsetting the present Production System.
So this is what I've come up with so far, and I hope it's useful for others? Essentially what I have done is talk this through with Jason Langridge as to the most secure method of deploying the push email while trying to work within what is going to be the typical constraints of a production environment - if you have any questions please drop me a line?
What makes this somewhat tricky is that we only have the one Exchange Server, and that also does justice for the Regular Outlook Clients, OWA, OMA and ActiveSync as it stands today and whatever changes we introduce will have to be done in such a way as to cause no impact what so ever on the normal Production System?
So what I'm trying to do here is *introduce* ActiveSync Push as securely as possible without it impacting the regular OWA.
Separate the Production Exchange usage from the new ActiveSync?
Given this constraint - what I am proposing is to create an additional Virtual Folder/Server on the IIS component of the Exchange 2003 server for the ActiveSync to point at (this could be called EAS? for Exchange ActiveSync?) This way we could leave the existing OWA setup as it is, and create a separate and independent FW rule for the new ActiveSync?
Allowing ActiveSync Securely:
After a healthy discussion with Jason at MS (who deals primarily with the Mobility side of things) I believe I have managed to understand the possible scenarios of how we could implement Active Sync for Push email.
- Continue to use FW-1 as it is - create a rule allowing direct ActiveSync traffic thru to the Exchange (new Virtual Server?) - BUT only allowing Certificate based Authentication.
- Use ISA 2004 - with User Authentication on/from the device (no Certificate based Authentication is possibly from this)
- Use ISA 2006 - with Certificate based Authentication
My understanding of why it's preferable to use ISA is that it enables far greater control over checking the ActiveSync traffic is what it says it is before allowing to even be passed to the Exchange Server, as well as:
- SSL to SSL bridging (SSL termination)
- Advanced HTTP Security Filtering
- OWA/OMA/ActiveSync wizards that create secure publishing rule by default
- Secure Exchange RPC filtering
However the limitation with ISA 2004 is that you cannot combine this with Certificate Based Authentication for the devices. This is something that our Admin would like to implement as an additional layer of security and control, as well as making Administration easier. With the release of ISA 2006 there is much more support for Certificates in general, as well as allowing Certificate Based Authentication when using ActiveSync to connect to Exchange.