Outlook Anywhere versus VPN
Written by Ed Fisher on September 30, 2010
Securing remote Outlook client access to Exchange
As more businesses embrace the distributed workforce, moving more and more employees from the traditional cubicle farm into remote-work arrangements (whether these employees are the classical road warriors, or simply working from their own home office), one of the most important resources they will need to access is of course email. As more companies expose SharePoint as an Internet-connected portal, and as other applications move to the cloud, these remote users have less and less reason to come into the office to connect to the corporate network. This may present the Exchange administrator and/or architect of the next email system with the question of whether to design a solution that depends upon a VPN connection, or to deploy a solution using Outlook Anywhere.
Both are perfectly secure and valid solutions for connecting Outlook clients to Exchange, and both have definite advantages and disadvantages. This article will discuss both solutions, and present the pros and cons of each.
Decision Points
There are some decision points that may make your choice obvious. The first question to ask is, “What do clients need to access remotely?” If the answer is “email only,” then Outlook Anywhere will be a great fit. If the answer includes regular access to other corporate resources, then VPN is probably the right way to go.
Outlook Anywhere
Outlook Anywhere is the new name for RPC-over-HTTPS. Here, we connect Outlook to Exchange by tunneling the RPC connections through an HTTPS connection. The HTTPS connection is secured by a certificate that can use a 1024-bit, 2048-bit, or larger public key to secure the exchange of the 128-bit symmetric session key, giving us what is essentially 128-bit encryption. When using Outlook Anywhere, only the traffic generated by the Outlook client accessing the Exchange server is sent over the encrypted connection. All other traffic goes out the client’s Internet connection, and is encrypted or not depending on the application. Let’s look at the pros of this access method.
- It’s easy to set up on the client. The client just needs to launch Outlook and authenticate.
- It’s easy to support in the data center. The firewall engineer needs only to permit TCP 443 through to Exchange, and the DNS admin only needs to support a couple of DNS entries for autodiscover.
- It’s secure. Using certificates from a trusted CA, Exchange offers a 128-bit encrypted connection to Outlook clients, or you can use 256-bit encryption with SSL offloading.
- Requires only standard protocols (HTTP, HTTPS, and DNS) from the client’s network, meaning that it should work from any hotspot or guest network that supports web surfing.
Of course, you can’t have pros without cons.
- Using Outlook Anywhere, clients only have access to Exchange.
- Some organisations do not permit connectivity to anything from the outside unless it goes through a VPN connection.
- Without SSL offloading, the encryption from Outlook Anywhere can place additional load on your Exchange CAS servers.
- Clients who only connect to Outlook Anywhere do not process login scripts or connect to your other internal servers, such as WSUS or your antivirus servers.
I have seen that last con present problems to a number of organisations with a large remote work force. If everything a remote user needs is accessible over the Internet, they don’t have a reason to connect to the VPN so that you can manage their machines, patch them, etc. Direct Access is a great way to work around this limitation, but only if all of your remote users run Windows 7.
VPN
There are dozens if not hundreds of different VPN solutions available, offering PPTP, IPSEC, or SSL connections. With the choice to route some or all traffic through the VPN, connected clients can access other internal network resources, and route all their traffic through the VPN to protect them when connecting from hotspots or other open networks. While connected to the VPN, clients can connect to WSUS for updates, or be polled by SCCM, etc. So to call out some of the pros:
- Full connectivity to all internal network resources (depending on configuration).
- Support for stronger encryption, with some solutions including AES256.
- VPN connected clients can be polled/managed by other internal systems.
Of course, if it was the perfect solution, everyone would do it. Here are some of the more obvious cons.
- VPN solutions can be extremely expensive. If they are licensed by the concurrent connection, you may need to support more clients than you have licenses.
- The bandwidth consumption will be much higher than for Outlook Anywhere clients. If you do not split tunnel, then all client traffic will traverse the VPN before going back out to the Internet.
- Except for SSL VPNs, most require more outbound ports and IP protocol types than web access alone, and many Internet hotspots don’t support outbound VPN access.
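The split-tunnel trade-off raised in the cons above, and the related point from the Outlook Anywhere section that only Outlook's own traffic is protected while everything else leaves over the local connection, can be made concrete with a small routing model. The following Python is an added example written for this page, not code from the article or from any VPN product. The corporate prefixes, server addresses, and byte counts are constructed, and route selection is a plain longest-prefix match of the kind a client IP stack performs; nothing here reflects a particular vendor's implementation.

```python
"""Split-tunnel versus full-tunnel VPN routing, modelled as a client route table.

Added example, not from the original article. All addresses, prefixes and
traffic volumes below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # "vpn" (through the tunnel) or "direct" (local hotspot/ISP)


# Constructed corporate address plan (assumption, not from the article):
# internal subnets that must always be reached through the VPN tunnel.
CORP_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def build_route_table(split_tunnel: bool) -> List[Route]:
    """Return the client's route table for the chosen tunnel policy.

    split_tunnel=True : only corporate prefixes go through the VPN; the
                        default route leaves via the local connection.
    split_tunnel=False: the default route itself points at the VPN, so all
                        traffic, Internet-bound included, traverses the tunnel.
    """
    routes = [Route(p, "vpn") for p in CORP_PREFIXES]
    routes.append(Route(DEFAULT_ROUTE, "direct" if split_tunnel else "vpn"))
    return routes


def select_route(routes: List[Route], destination: str) -> Route:
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in r.prefix]  # default route always matches
    return max(matching, key=lambda r: r.prefix.prefixlen)


def classify_traffic(split_tunnel: bool, flows: List[Tuple[str, int]]) -> Dict[str, object]:
    """Attribute each (destination, bytes) flow to the VPN or the direct path.

    Returns the byte volume carried over each path (the bandwidth question the
    article raises) and the list of destinations reached outside the tunnel,
    i.e. the flows whose protection depends on the application alone.
    """
    routes = build_route_table(split_tunnel)
    summary: Dict[str, object] = {"vpn_bytes": 0, "direct_bytes": 0, "exposed": []}
    for dst, nbytes in flows:
        if select_route(routes, dst).via == "vpn":
            summary["vpn_bytes"] += nbytes
        else:
            summary["direct_bytes"] += nbytes
            summary["exposed"].append(dst)
    return summary


# Constructed sample flows from a remote worker on a coffee-shop hotspot.
SAMPLE_FLOWS = [
    ("10.1.5.20", 4_000_000),      # Outlook to the Exchange CAS (assumed internal address)
    ("10.1.5.40", 60_000_000),     # WSUS update download (assumed internal address)
    ("203.0.113.10", 25_000_000),  # public web site (RFC 5737 documentation range)
    ("198.51.100.7", 15_000_000),  # another public web site (RFC 5737 range)
]


if __name__ == "__main__":
    for policy in (True, False):
        label = "split tunnel" if policy else "full tunnel"
        print(label, classify_traffic(policy, SAMPLE_FLOWS))
```

With the constructed flows, split tunnelling puts 64 MB on the VPN and sends the 40 MB of web browsing straight out of the hotspot, where its protection depends on the application, while full tunnelling carries all 104 MB through the concentrator and exposes nothing locally. That is the same bandwidth-versus-protection trade-off the cons describe, and it is also the posture an Outlook Anywhere client is always in: only the Exchange traffic is tunnelled.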
Consider the following points when trying to decide which solution to deploy.
- They are not mutually exclusive solutions. You can offer Outlook Anywhere for users when they only need to access email, and also have VPN access for when they need the more connected experience.
- If you have chosen to outsource email to a hosted service provider, you may be accessing Exchange using Outlook Anywhere anyway, unless you specify that you want access restricted to only your networks, and to have your clients first connect to your VPN before transiting the WAN to reach the hosted Exchange environment.
October 21st, 2010 at 8:06 am
Outlook Anywhere is a great email-only solution. It’s secure enough and transparent for clients.
But currently it lacks support for EAP client authentication, and AFAIC there are no plans to implement this feature in the foreseeable future.
So if you (like me) are facing the need to implement strong two-factor SmartCard authentication, say goodbye to Outlook Anywhere and prepare to deal with all the client VPN mess.
February 17th, 2011 at 5:07 pm
If you need two factor, in addition to VPN, you could publish your OWA through TMG, which can support two factor using certificates or RSA SecurID.