Thursday 24 December 2009

ActiveSync on IAG, with iPhones

The mobile phone contracts at work are up, so I have been investigating alternatives. We were previously using Blackberrys, but I've been investigating more cost-effective options. Since the Blackberry server was installed, we have upgraded to Exchange 2007, which gives us the ability to use Push Mail/ActiveSync, something that was not an option on our previous mail server.

I was given a couple of test phones to trial ActiveSync on a Windows Mobile and a Nokia device.

First off, I had to ensure ActiveSync was enabled on the Exchange server, and fortunately a "vanilla" build of Exchange 2007 has it enabled on install.

The next thing was to create a NAT rule on my firewall to allow the ActiveSync traffic from the internet to the Exchange server. This was only a temporary rule while I tested that ActiveSync worked, and the rule was then removed again.

My security/paranoia head would not allow me to leave this rule in place, as I would not recommend that anyone have a rule that allows direct connectivity from the internet to any mail server. (BTW that also includes email, as there are plenty of mail relay options, such as a Barracuda Spam Firewall - Blog post for another day!)

Here at e92plus, as the saying goes, "We eat our own dog food": we use a Celestix WSA IAG appliance as a remote access solution.

The next step was for me to create a way for the mobile device to connect to my Exchange server without a direct connection. I configured one of our external IP addresses to NAT into the DMZ of our firewall. I then had to add an additional IP address on the external adapter of the Celestix WSA appliance to match the DMZ IP address of the NAT rule. I also created a new prefix for our domain, and mapped that to the external IP address I'm using.

Now on to IAG: I created a new webmail trunk and selected ActiveSync. I defined the domain, selected the DMZ IP address, defined the details of my Exchange server, and then activated the configuration.

I took the Trusted Root Certificate from my Exchange server and applied that to the IAG appliance.

From the mobile devices, I defined the domain, username and password. For the server address, I used the new IAG portal address.

It worked perfectly on the demo Nokia E63 and the HTC Touch. Although the interfaces were different, the information required to log in was the same. This allows the devices to sync up emails, contacts, calendar and tasks.

After much deliberation, I decided that I wanted an iPhone as my mobile device. Although I am still waiting for the SIM to be activated, ActiveSync is syncing my email, contacts and calendar via my wireless network, so once the iPhone can get onto the O2 3G network, it will be working as it should!

For added security/paranoia, on the Exchange server I have also enabled mandatory passwords on the device, mandatory encryption of the storage and the ability to remote wipe the devices, so pretty much the core features of a Blackberry server, at a much lower cost!
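
The device policy described above can also be set, audited and acted on from the Exchange Management Shell. This is an added example, not the configuration used in the post; it assumes Exchange 2007 SP1 or later, and the policy name, mailbox alias and numeric limits are constructed sample values.

```powershell
# Run in the Exchange Management Shell (Exchange 2007 SP1 or later assumed).
# 'Mobile-Baseline' and 'jbloggs' are placeholder names, not from the post.
$policyName = 'Mobile-Baseline'
$mailbox    = 'jbloggs'

# Create the policy once; later runs only re-apply the settings.
if (-not (Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName })) {
    New-ActiveSyncMailboxPolicy -Name $policyName | Out-Null
}

# Mandatory device password and mandatory storage encryption.
# The length, attempt and timeout values are sample choices.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# Bind the policy to a mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Audit: ActiveSync-enabled mailboxes that are NOT covered by the policy.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and $_.ActiveSyncMailboxPolicy.Name -ne $policyName } |
    Select-Object Name, ActiveSyncMailboxPolicy

# Lost device: list the user's partnerships, then wipe the chosen one.
# -Confirm forces an interactive prompt before each wipe is queued.
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox
$devices | Select-Object Identity, DeviceType, LastSuccessSync, DeviceWipeAckTime
$devices | Where-Object { $_.DeviceType -eq 'iPhone' } |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$true }
```

With `AllowNonProvisionableDevices` set to `$false`, a handset that cannot enforce every required setting will be refused synchronisation, so test each device model against the policy before rolling it out. `DeviceWipeAckTime` is populated once the device has acknowledged the wipe.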
