4 Ways to Access Exchange Server Mailboxes through Firewalls
Written by Paul Cunningham on April 8, 2010

We are conducting our lives and our businesses in an increasingly mobile world. We need access to our critical business information from multiple locations and using multiple devices.
These needs often clash with the requirement to keep our data secure. Exchange Servers are kept behind corporate firewalls which restrict who can access them and how they can connect to their mailboxes.
Secure mobile access to mailboxes on Exchange Servers is typically achieved through one or more of these methods:
- Virtual Private Network (VPN)
- Outlook Anywhere
- Outlook Web App (OWA)
- ActiveSync
Virtual Private Networks
A VPN is a secure communications tunnel established between two endpoints. These endpoints can be two devices such as routers or firewalls, or can be between a client device such as a laptop and a firewall.

Mobile workers use VPNs to establish LAN-like network access to their corporate network. This usually means that once connected to the VPN they have access to the same network resources they would be able to access when connected to the LAN from within the business premises. In more security-conscious environments this access is sometimes limited to just the few resources they need, but in a practical sense it operates just as if they were on the LAN.
Using VPNs for access to Exchange Server makes sense when there are other needs for VPN access as well, such as access to application servers, file servers, or intranet sites. Rather than each resource having its own independent access method, the VPN provides an “all in one” access solution.
However, sometimes VPNs are not practical. It is not uncommon for a mobile worker to find they are unable to establish a VPN tunnel because of restrictions on the foreign network they are currently working on. This is mostly the case for IPsec and PPTP VPN tunnels. SSL VPN tunnels usually have no such problems because the SSL/HTTPS port is usually permitted out through firewalls.
Outlook Anywhere
Outlook Anywhere was formerly known as RPC-over-HTTPS, which accurately describes how it works.

The Outlook connection to a mailbox server over RPC is tunnelled through an SSL/HTTPS connection so that it can traverse firewalls, as well as to secure the communications over untrusted networks.
Outlook Anywhere is a good solution for secure access to email alone, but provides no access to other resources on the network that the mobile worker might need.
Outlook Web App
Outlook Web App (OWA), known as Outlook Web Access prior to Exchange Server 2010, provides a web-based interface to Exchange Server mailboxes over an SSL/HTTPS connection. Because access is through a web browser, it is available to mobile workers who do not have access to the full Outlook software, such as on a home computer or an internet kiosk.

OWA communications are secured over SSL/HTTPS. However, when using untrusted computers such as internet kiosks there is the risk of key loggers or other malicious software being used to compromise account passwords.
Because of this risk it is common to use multi-factor authentication, with at least one factor being a biometric or a one-time password generated by a token, so that even if the username and password combination is compromised the account cannot be accessed without the additional authentication item.
ActiveSync
ActiveSync is the name of Microsoft’s technology for connecting devices such as smartphones to Exchange Server mailboxes.

The connection is once again secured over SSL/HTTPS and can be subject to numerous restrictions and security policies designed to mitigate the risk arising from theft or loss of the smartphone device (a fairly high risk given these devices' size and general lack of security features).
Those are the four most common secure remote access methods for Exchange Server mailboxes. I’ve left out some other access methods such as POP and IMAP. Although these can be used securely they are not very common and don’t provide a full functionality experience with Exchange Server. For most real world scenarios some or all of the above four methods are the solution for secure remote access.
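As an added example (not from the original article), the function below summarises which of the Exchange access methods discussed above are enabled for each mailbox and flags POP/IMAP for review. It assumes input objects carrying the per-mailbox properties that Get-CASMailbox returns; the function name and the sample rows are constructed for illustration, VPN access is outside Exchange and is not covered, and server-side Outlook Anywhere configuration is not checked.

```powershell
# Added example: per-mailbox summary of enabled remote access methods.
# Hypothetical helper name; input must look like Get-CASMailbox output.
function Get-RemoteAccessExposure {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [object]$CasMailbox
    )
    process {
        $methods = @()
        # Outlook Anywhere needs MAPI enabled and RPC-over-HTTP not blocked.
        if ($CasMailbox.MAPIEnabled -and -not $CasMailbox.MAPIBlockOutlookRpcHttp) {
            $methods += 'OutlookAnywhere'
        }
        if ($CasMailbox.OWAEnabled)        { $methods += 'OWA' }
        if ($CasMailbox.ActiveSyncEnabled) { $methods += 'ActiveSync' }
        if ($CasMailbox.PopEnabled)        { $methods += 'POP3' }
        if ($CasMailbox.ImapEnabled)       { $methods += 'IMAP4' }

        # POP/IMAP are the less common methods; flag them so someone confirms the need.
        $review = ''
        if ($CasMailbox.PopEnabled -or $CasMailbox.ImapEnabled) {
            $review = 'POP/IMAP enabled: confirm it is required'
        }

        New-Object PSObject -Property @{
            Mailbox = $CasMailbox.Name
            Methods = $methods -join ', '
            Review  = $review
        } | Select-Object Mailbox, Methods, Review
    }
}

# Constructed sample rows standing in for Get-CASMailbox output.
$sample = @(
    New-Object PSObject -Property @{ Name = 'alice'; MAPIEnabled = $true
        MAPIBlockOutlookRpcHttp = $false; OWAEnabled = $true
        ActiveSyncEnabled = $true; PopEnabled = $false; ImapEnabled = $false }
    New-Object PSObject -Property @{ Name = 'kiosk-user'; MAPIEnabled = $true
        MAPIBlockOutlookRpcHttp = $true; OWAEnabled = $true
        ActiveSyncEnabled = $false; PopEnabled = $false; ImapEnabled = $false }
    New-Object PSObject -Property @{ Name = 'legacy-app'; MAPIEnabled = $false
        MAPIBlockOutlookRpcHttp = $false; OWAEnabled = $false
        ActiveSyncEnabled = $false; PopEnabled = $true; ImapEnabled = $true }
)
$sample | Get-RemoteAccessExposure | Format-Table -AutoSize

# In the Exchange Management Shell, feed it real data instead:
#   Get-CASMailbox -ResultSize Unlimited | Get-RemoteAccessExposure
```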


