A few months ago we published a Whitepaper detailing the steps required to securely publish Exchange to the Internet using TMG and UAG. (That document has recently been updated by the way, and the newest version is available here White Paper - Publishing Exchange Server 2010 with Forefront).

At the end of the last post I hinted at some related upcoming Whitepapers. The first two of them are ready. The first is about using IPsec to restrict access to OWA and Outlook Anywhere to machines you control or manage, and it is available here: Using IPsec to Secure Access to Exchange

The reason for this first paper is interesting; at least, I think so. Exchange has for a long time now offered many different ways to access a mailbox from any location - but some of our customers still do not allow Outlook Anywhere (and OWA, though less so, as OWA has many multi-factor authentication solutions on the market) connections from the Internet. These customers' security teams tend to think of these connection mechanisms as 'insecure' because any machine on the Internet can reach the endpoint, so there is potential for Denial of Service (DoS) and brute-force password attacks, their security policy states that 'two-factor authentication' is required, and so on.

Several options exist to solve some of these problems; some are available today, some are in the works, and some are just not well documented. One important consideration when choosing a solution, however, is the user experience: if the solution requires a lot of user action, it makes the security team happy but the users unhappy, and usually the reverse is also true.

Let's be clear here: it is not expected that every customer that deploys Exchange should adopt these solutions. But if a customer is particularly security conscious, it helps if a well-documented and supported solution exists, so that those customers can satisfy their security requirements and still provide their users with an Anywhere Access solution.

The options generally available are:

  • VPN - establishing a VPN before connecting Outlook or OWA allows two-factor authentication to be used, but the user experience can be poor - a user cannot simply launch their email application and get access to their email.
  • DirectAccess - DirectAccess provides Intranet-like access from any location with no user experience issues; it's like a VPN without the need for the user to perform any actions - but the requirements for this are significant - Windows 7 Ultimate/Enterprise is the only supported client, and UAG is the preferred edge solution.
  • Security by obscurity - using a private certificate authority to issue the SSL certificate prevents machines that do not trust that root from connecting - but it is easy to bypass, simply by installing the root certificate as 'trusted' on any machine.
  • Using IPsec to secure the HTTPS connection - when IPsec is required on the endpoint used for publishing Exchange to the Internet, only machines holding the right credentials (for example a computer certificate you issued) can complete the IPsec negotiation and reach TCP port 443 at all; everything else is dropped before it touches the web listener. Outlook/OWA then authenticate as usual, as they have no visibility into, nor involvement with, the network security layer.

If you want a solution that works with all versions of Exchange, and can be deployed today without significant additional investment, IPsec is an attractive solution. And, coincidentally, that's what the Whitepaper explains how to set up!
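To make the IPsec option concrete, here is an added example of the shape such a policy takes; it is not taken from the Whitepaper and is not the Exchange Team's configuration. It assumes the published endpoint is a Windows host on which Windows Firewall with Advanced Security connection security rules apply (TMG and UAG run on Windows Server 2008 R2, which has the netsh advfirewall consec context), that the public listener address is 203.0.113.10, and that managed machines hold a computer certificate issued by a CA with the distinguished name shown. The address, the CA name and the rule name are placeholders; check the parameters against netsh advfirewall consec add rule /? on your own build before relying on them.

```powershell
# Added example, not from the Whitepaper. Run from an elevated prompt on the
# publishing server. All names and addresses below are assumed placeholders.
$Listener = '203.0.113.10'                       # assumed public listener IP
$IssuerDN = 'CN=ContosoIssuingCA,DC=contoso,DC=com'  # assumed CA that issued the client computer certs

# 1. Require authenticated IPsec (ESP, AES-256) for any peer talking to TCP/443
#    on the listener. 'requireinrequireout' refuses to fall back to clear text,
#    so an unmanaged machine never gets a TCP handshake with the web listener.
#    Rule name and CA DN deliberately contain no spaces, which keeps netsh's
#    argument parsing simple when invoked from PowerShell.
netsh advfirewall consec add rule `
    name=RequireIPsecForPublishedExchangeHTTPS `
    endpoint1=$Listener port1=443 `
    endpoint2=any `
    protocol=tcp `
    action=requireinrequireout `
    auth1=computercert auth1ca="$IssuerDN" `
    qmsecmethods=esp:sha1-aes256+60min+100000kb `
    enable=yes

# 2. Check that the stored rule has the intended action and authentication method.
netsh advfirewall consec show rule name=RequireIPsecForPublishedExchangeHTTPS

# 3. After a managed client connects, confirm that a main-mode and a quick-mode
#    security association were negotiated with it. A machine without a
#    certificate chaining to $IssuerDN fails IKE and its SYN to 443 is dropped;
#    Outlook/OWA on that machine simply time out, which is the desired outcome.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The rule is scoped to the listener and port only, so the server's other traffic is unaffected; Outlook and OWA need no change, because by the time their HTTPS request arrives the network layer has already decided whether the peer was allowed in.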

The rest is on the Exchange Team Blog: