External source: MS Exchange team blog

A few months ago the Exchange team published a whitepaper detailing the steps required to securely publish Exchange to the Internet using TMG and UAG.

This document has recently been updated and the newest version is available here: White Paper - Publishing Exchange Server 2010 with Forefront.

Additionally, a new whitepaper about using IPsec to restrict OWA and Outlook Anywhere access to specific machines has been released; it is available here: Using IPsec to Secure Access to Exchange.

Exchange has for a long time offered many different ways to access a mailbox from any location, but some of our customers still do not allow Outlook Anywhere connections from the Internet (and sometimes OWA as well, though less often, since many multi-factor authentication solutions for OWA are on the market). These customers' security teams tend to regard these connection mechanisms as 'insecure': any machine can connect, there is potential for denial of service (DoS) and brute-force password attacks, their security policy requires two-factor authentication, and so on. The alternatives such customers usually consider are:

  • VPN - establishing a VPN before connecting Outlook or OWA allows two-factor authentication to be used, but the user experience can be poor: a user cannot simply launch their email application and get to their email.
  • DirectAccess - DirectAccess provides intranet-like access from any location with no user experience issues; it is like a VPN without the user having to do anything. The requirements, however, are significant: Windows 7 Ultimate/Enterprise is the only supported client, and UAG is the preferred edge solution.
  • Security by obscurity - using a private certificate authority to issue the SSL certificate prevents machines without the root certificate from connecting, but this is enforced only on the client side and is easy to bypass simply by installing the root certificate as 'trusted' on the connecting machine.
  • Using IPsec to secure the HTTPS connection - when IPsec is required on the endpoint used to publish Exchange to the Internet, only machines holding the right credentials (a machine certificate or a domain computer identity) can even establish a TCP connection. Outlook and OWA then authenticate as usual, as they have no visibility into, nor involvement with, the network security layer.

If you want a solution that works with all versions of Exchange and can be deployed today without significant additional investment, IPsec is an attractive option. And coincidentally, that is exactly what the whitepaper explains how to set up!
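To make the last bullet concrete, here is an added example of the kind of Windows connection security (IPsec) rule the approach relies on. It is not code from the Exchange team post or its whitepaper, and it does not reproduce the whitepaper's exact settings. It uses netsh advfirewall consec, which is available on Windows Server 2008 R2 / Windows 7 and later, and assumes two placeholders: $PublishedIP, the public address that terminates HTTPS for OWA and Outlook Anywhere (the TMG/UAG listener, or a CAS if published directly), and $IssuingCA, the subject of the private CA that issues machine certificates. Every machine on either side of the rule needs a machine certificate chained to that CA in its local computer store.

```powershell
# Added example (not from the Exchange team whitepaper): require IPsec with machine-certificate
# authentication on TCP 443 for the published Exchange endpoint, and the matching client rule.
# Run in an elevated PowerShell session. Placeholders are assumptions, not values from the article.
param(
    [string]$PublishedIP = "203.0.113.10",           # RFC 5737 documentation address, placeholder
    [string]$IssuingCA   = "CN=Contoso Machine CA",  # placeholder subject of the private machine CA
    [ValidateSet("Server", "Client")]
    [string]$Role        = "Server",                 # which end of the connection this machine is
    [switch]$Verify                                  # also dump the rule and any negotiated SAs
)

$ruleName = "Exchange HTTPS - require IPsec"

# Settings shared by both ends: transport mode, certificate authentication only (no Kerberos or
# anonymous fallback, so unknown machines cannot negotiate at all), ESP with AES-256 and SHA-256
# integrity, rekey after 60 minutes or 100000 KB.
$common = @(
    "action=requireinrequireout",
    "mode=transport",
    "protocol=tcp",
    "auth1=computercert",
    "auth1ca=$IssuingCA",
    "qmsecmethods=esp:sha256-aes256+60min+100000kb",
    "profile=any",
    "enable=yes"
)

if ($Role -eq "Server") {
    # Published endpoint: local address $PublishedIP, local port 443, any remote address.
    # With requireinrequireout an unprotected inbound SYN is discarded, so a machine without a
    # valid certificate never reaches the TLS or HTTP layer; password brute force and HTTP-level
    # DoS attempts stop at the network edge and Outlook/OWA authentication is untouched.
    $ruleArgs = @("advfirewall", "consec", "add", "rule", "name=$ruleName",
                  "endpoint1=$PublishedIP", "port1=443", "endpoint2=any") + $common
} else {
    # Authorised client: local = any, remote = the published address on port 443 only, so the
    # rule does not affect the client's other HTTPS traffic.
    $ruleArgs = @("advfirewall", "consec", "add", "rule", "name=$ruleName",
                  "endpoint1=any", "endpoint2=$PublishedIP", "port2=443") + $common
}

& netsh @ruleArgs
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

if ($Verify) {
    # Show the rule, then the main-mode and quick-mode security associations; the SA lists are
    # empty until an authorised client has actually connected.
    & netsh advfirewall consec show rule name="$ruleName"
    & netsh advfirewall monitor show mmsa
    & netsh advfirewall monitor show qmsa
}
```

Run it with -Role Server on the published endpoint and -Role Client on each authorised workstation, then test from a machine that has no certificate from $IssuingCA: its HTTPS connection should time out rather than be refused, because the endpoint silently drops the unprotected packets. Three caveats worth checking before relying on this: mobile devices cannot participate in a Windows IPsec policy, so ActiveSync must be published on a different address or listener than the one this rule protects; if TMG or UAG terminates the IPsec connection, the leg from TMG/UAG to the Client Access Server is a separate trust decision; and older builds may accept only sha1 in qmsecmethods, while Windows Server 2012 and later also expose the same rule through the NetSecurity module (New-NetIPsecRule).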

How IPSec Works - The Science Bit

IPSec at the Machine Level

Computer to Computer
