accessing exchange email securely

born2golf

Member
Joined
Sep 14, 2010
Messages
242
Reaction score
0
Location
Long Island
Hi All, I'm in a bit of a bind. I work for a company that takes IT Security very seriously. They currently only support blackberry via BES for email. I am a remote worker, so 24x7 I am accessing my corporate email via VPN on my laptop or via my phone (formerly bberry). Because of our rigid security requirements they will not allow inbound IMAP connections into the network. And in a perfect world they would demand the ability to remote wipe our handhelds.

For the past 30 days we have been evaluating the goodlink enterprise server and I have been lucky enough to be on that eval. Generally speaking I thought that the experience was excellent, but unfortunately there is not enough critical mass of android/iphone users to get them to buy the goodlink server at the current price they received (note: I did some digging, and found that they were quoted LIST price with no discounts. If anyone on here is a goodlink reseller please PM me and let's make a deal).

OK, so considering all of that, my only available option is to access my email via outlook web access, which still requires multi-step authentication through an SSLVPN gateway. And the experience kinda sucks, a lot.

In the near future I'll be able to use an android VPN software client to access the network, which would in theory allow me access to the exchange server as though I am on the network (just as my laptop), which is how a few iPhone users are doing it today. But the required software is in a long beta phase and I am not that patient. This solution sounds nice on paper, but in reality there are some functional issues: if I initiate a VPN from my droid it will kill the VPN connection on my laptop, since we only permit a single tunnel per user. Also, while I'm trying to conserve battery strength I have juice defender killing my 3G connection when the screen is not in use, and this in turn would kill my VPN connection. That would require me to re-authenticate every time I want to check my mail, and we do not permit the storing of credentials within the VPN client.

So my question to the group is what other options do I have? Can anyone offer me other routes to getting my exchange mail onto my droid 2?
 

Ski-me

New Member
Joined
Sep 2, 2010
Messages
7
Reaction score
0
My company recommends the Touchdown program to sync with their server. Secure data is a priority so I'm guessing they have tested it. Quite a few blackberrys here but using Touchdown lets us use the Droid 2 stuff. It syncs my work outlook calendar, tasks and emails almost instantly. Sometimes it hits the phone faster than Outlook!

Worth a trial run. $20 after a month if you like it.
 

solar

Member
Joined
Dec 8, 2009
Messages
798
Reaction score
1
Location
So Cal
Touchdown will work perfectly as it supports remote wipe. Any phone with 2.2 on it (droid 2 included) supports secure exchange and remote wipe capabilities w/ policies also though. So even without touchdown, they should be able to allow it.
 
OP

born2golf

Member
Joined
Sep 14, 2010
Messages
242
Reaction score
0
Location
Long Island
Ski-me said:
My company recommends the Touchdown program to sync with their server. Secure data is a priority so I'm guessing they have tested it. Quite a few blackberrys here but using Touchdown lets us use the Droid 2 stuff. It syncs my work outlook calendar, tasks and emails almost instantly. Sometimes it hits the phone faster than Outlook!

Worth a trial run. $20 after a month if you like it.

Touchdown requires the corporate email server to be accessible via the internet, or for the phone to be on the same network as the exchange server, either directly via WiFi or through a VPN. It also requires the MSExchange server to be set up for activesync. Our current configuration fails to meet any of these requirements.
 

pdoxsey

New Member
Joined
Jan 5, 2010
Messages
21
Reaction score
0
born2golf said:
Touchdown requires the corporate email server to be accessible via the internet ...

You need to find an app that will keep a constant VPN connection. Or set up a sync to outlook and always leave your work PC on and Outlook running.
 

solar

Member
Joined
Dec 8, 2009
Messages
798
Reaction score
1
Location
So Cal
born2golf said:
Ski-me said:
My company recommends the Touchdown program to sync with their server. Secure data is a priority so I'm guessing they have tested it. Quite a few blackberrys here but using Touchdown lets us use the Droid 2 stuff. It syncs my work outlook calendar, tasks and emails almost instantly. Sometimes it hits the phone faster than Outlook!

Worth a trial run. $20 after a month if you like it.

Touchdown requires the corporate email server to be accessible via the internet, or for the phone to be on the same network as the exchange server, either directly via WiFi or through a VPN. It also requires the MSExchange server to be set up for activesync. Our current configuration fails to meet any of these requirements.

All mail servers are accessible from the internet to some extent, otherwise they would not be very good mail servers since they could receive no mail. Are you saying that you cannot get mail when you are outside of the office at all? It has to have an address to connect to for it to receive from either the Internet or a hosted mail gateway. Also, activesync is set up by default on most versions of exchange (If I remember correctly)
 
OP

born2golf

Member
Joined
Sep 14, 2010
Messages
242
Reaction score
0
Location
Long Island
@Solar, As I previously stated, my company takes security VERY seriously. For anyone to expect the default settings on a microsoft exchange server (or any server for that matter) to be considered "secure" would fall far short of the truth. So no, activesync is not currently enabled.

As for your other observation, there is a big difference between an email server being "accessible from the internet" versus "having internet access". Obviously a mail server must have access to the internet in order to transport mail. Mail transport is done on a separate and somewhat open protocol (SMTP). But just because a mail server can access the internet to transport mail does not mean one's mailbox is available via the internet. Mailboxes should only be available via secure protocols, such as activesync, which operates on different TCP ports that would require configurations to be done on the firewall, at the very least.
 

solar

Member
Joined
Dec 8, 2009
Messages
798
Reaction score
1
Location
So Cal
Firewalls don't commonly block activesync ports (Incoming: 990,999,5678, 5721,26675 Outgoing: 5697). It would have to have been done manually, just as activesync would have to have been disabled manually. There is no reason to disable activesync unless they didn't want anyone to have access to the service. Activesync can be disabled and enabled on a per person basis. It's not all or nothing. Any good IT admin does not take a "block all ports and open as needed" approach, as this causes nothing but headaches and is unnecessary.

You stated earlier that they don't allow IMAP, which is a lot different than what most devices use to connect to an exchange server with. If they have blocked all access except VPN authenticated access, then I'm sorry to say you're likely SOL.
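For readers following the back-and-forth about whether activesync is "all or nothing", the following is an added example and not something posted in this thread. It shows, in the Exchange 2010 Management Shell, the per-mailbox enable/disable that solar describes, the device-password and remote-wipe policy that both solar and born2golf raise as requirements, and the device listing an admin checks before wiping. The mailbox alias, policy name and device ID are constructed placeholders. Exchange ActiveSync itself is HTTPS on TCP 443 to the Client Access server, so the firewall change born2golf mentions amounts to publishing that one endpoint; with AllowNonProvisionableDevices set to $false, a handset that cannot honour every setting in the policy is refused rather than synced with weaker settings.

```powershell
# Added example, not from this thread. Exchange 2010 Management Shell.
# 'remote.worker', 'CorpMobile-Strict' and the device ID are constructed placeholders.

# 1. Inventory: which mailboxes currently have ActiveSync enabled, and under which policy?
#    ActiveSync is enabled per mailbox by default, so a restrictive shop usually
#    turns it off everywhere and re-enables it only for approved users.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 2. Disable ActiveSync for every mailbox, then re-enable it for one approved user.
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncEnabled $false
Set-CASMailbox -Identity 'remote.worker' -ActiveSyncEnabled $true

# 3. Device policy: mandatory alphanumeric PIN, inactivity lock, device encryption,
#    and a local wipe after repeated failed unlock attempts. Devices that cannot
#    apply all of these are rejected (AllowNonProvisionableDevices $false).
New-ActiveSyncMailboxPolicy -Name 'CorpMobile-Strict' `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

Set-CASMailbox -Identity 'remote.worker' -ActiveSyncMailboxPolicy 'CorpMobile-Strict'

# 4. Remote wipe: list the devices partnered with the mailbox, pick the lost one by
#    its DeviceID, and send the wipe. DeviceWipeSentTime is populated once it is queued.
Get-ActiveSyncDeviceStatistics -Mailbox 'remote.worker' |
    Select-Object DeviceType, DeviceID, LastSuccessSync, DeviceWipeSentTime

$lost = Get-ActiveSyncDeviceStatistics -Mailbox 'remote.worker' |
    Where-Object { $_.DeviceID -eq 'DEVICEID_PLACEHOLDER' }   # constructed placeholder
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
```

The wipe is only delivered the next time the device syncs, which is why the policy's local lockout after failed PIN attempts matters for a phone that has already dropped off the network.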
 

ramtek

New Member
Joined
Nov 29, 2010
Messages
2
Reaction score
0
Sorry, we good IT guys do precisely this. We allow unlimited outbound but only allow inbound access for what you need from where you need it. As for exchange access, I set up active sync servers in a dmz (with no information stores mounted) for this purpose since a portion of the IIS configuration can't be SSL encrypted. It allows you to have one server for phones without sacrificing security by opening ports on your store hosting servers.
 
OP

born2golf

Member
Joined
Sep 14, 2010
Messages
242
Reaction score
0
Location
Long Island
ramtek said:
Sorry, we good IT guys do precisely this. We allow unlimited outbound but only allow inbound access for what you need from where you need it. As for exchange access, I set up active sync servers in a dmz (with no information stores mounted) for this purpose since a portion of the IIS configuration can't be SSL encrypted. It allows you to have one server for phones without sacrificing security by opening ports on your store hosting servers.

LOL...You are braver than me. I didn't even want to broach that subject since his post was so counter-intuitive to what it means to be secure in the first place. If his statement was true, why would you need a firewall? Apparently his security is not worth a few headaches.

Anyway, back to my original request. It appears my company is now budgeting to purchase Goodlink in 2011. So hopefully I only have a few months left working through outlook web access.
 