A few months ago I wrote a post listing fourteen online resources for email admins that included several of my favourite troubleshooting resources. In this post, I want to take you for a closer look at the best one of the lot for testing remote connectivity to Exchange, the Microsoft Exchange Server Remote Connectivity Analyzer. You can access this test suite by clicking the link above, or directly at its URL, https://www.testexchangeconnectivity.com/. There are several great tests this tool can run through to ensure that you have properly set up remote access to your Exchange infrastructure, and you will want to bookmark this site and refer to it whenever you setup, or change, the external connectivity to Exchange.

Before you begin, create an unprivileged test account in your Active Directory, and make sure it has a valid Exchange mailbox. You can of course use your own account or anyone else’s, but this site requires that you enter valid user credentials, and it’s a best practice not to submit valid credentials for a ‘real’ user to an external site outside of your complete control. If you want to skip that step, that’s on you, but I always keep a test account handy for things like this.

Once you have your test account ready, take a look at the site to see what it offers. There are four categories with two tests each:

1. Microsoft Exchange ActiveSync Connectivity Tests
   Exchange ActiveSync
   Exchange ActiveSync Autodiscover
2. Microsoft Exchange Web Services Connectivity Tests
   Synchronization, Notification, Availability, and Automatic Replies (OOF)
   Service Account Access (Developers)
3. Microsoft Office Outlook Connectivity Tests
   Outlook Anywhere (RPC over HTTP)
   Outlook Autodiscover
4. Internet E-Mail Tests
   Inbound SMTP E-Mail
   Outbound SMTP E-Mail

The ActiveSync Connectivity tests can validate your DNS records, as well as how you have exposed EAS connections to the Internet (through Microsoft TMG or other reverse proxy, or by passing HTTPS traffic through to your CAS server directly). Both of these tests will in essence configure a mail client using EAS, and requires that valid test account to connect all the way through. In case you are using self-signed certificates, it even gives you the option to not validate certificates.

The EWS tests are useful for admins who need to support Entourage or other applications that require access through Exchange Web Services, and can verify the ability to create/delete messages and other service activities.

The Outlook Connectivity tests basically configure an Outlook client using the RPC over HTTP protocol. It can also validate all your DNS records, whether you are using A or SRV for autodiscovery. See this post for more on Autodiscover.

The Internet E-Mail tests can send a test message to your account from an external sender, and can also confirm your DNS records for MX, PTR, and Sender ID, and make sure your host is not listed on any DNS Reverse Blacklist service.

While all of these could be done using your external Hotmail account, and one or more systems connected to a DSL circuit external to your corporate network, it’s really useful and a great timesaver to have all eight tests available to you with nothing more required than a web browser and a test account. Even if you have a working system now, take these eight tests for a spin to see how things you might not be able to test, like Mac clients, would function, and also to see how your DNS records test. You might be surprised at what you find out. If you pass all eight the first time through, you’ve earned bragging rights; leave a comment and let me know.

How to troubleshoot remote connectivity to Exchange

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Malware

According to Secure List malicious files were found in 3.18% of all emails sent during the month of February showing a rise in .43% when compared to January’s numbers of this year. While this may look insignificant, the Radicati Group estimates that 294 billion emails are sent every day so that equates to almost 10 billion malicious emails sent on a daily basis.

While this doesn’t represent the numbers seen in the early days of commercial email when email messages were the primary methods used to spread malware, it does show that this trend is rising again. And if there is an increase over time then it can only mean that this method of spreading malware must be working on a significant enough level for attackers to use it in such numbers.

As we know, malware can be sent to users as a malicious attachment that infects a computer when the file is opened or through a link that takes the user to a malicious web site when the link is followed. The ten most common malicious programs spread through email are as follows:

1. Trojan-Spy.HTML.Fraud.gen
   This malicious program uses spoofing to trick victims into visiting a fraudulent web page under the premise that the email is coming from a bank, store or financial institution. Once there anyone who enters private account information will most likely fall victim to theft whether it be identity or financial
2. Worm.Win32.Mydoom.m
   Mydoom, once the quickest spreading worm, falls into the number two spot and opens a backdoor that listens on TCP port 1034, which is used primarily by ActiveSync, and will send itself to email addresses it finds on the host using its own STMP engine. This can be used in concert with other malware further infect computers.
3. Worm.Win32.Mabezat.b
   Mabezat was commonly spread through removable drives and network shares but can also be spread through email attachments. Its payload will single out files with certain extensions and encrypt them then demands payment to have the files restored.
4. Trojan-Banker.Win32.Banker.bgsd
   This is a new addition to the Banker family of Trojans that is used to steal financial information such as passwords, usernames and account information by scanning the keylog and sending information it finds back to the attacker.
5. Worm.Win32.Agent.gnd
   According to Microsoft’s security portal, “Malicious files detected as variants of Win32/Agent can have virtually any purpose.” Commonly these are used to terminate security software and open a backdoor on the computer to allow future attacks.
6. Worm.Win32.NetSky.q
   NetSky’s code originally had comments that insulted the authors of the Bagle and Mydoom worms. For those infected, NetSky will email itself as an attachment to email addresses it finds on the host computer and can be used to perform other actions. Most notably, NetSky was used to launch Denial of Service attacks against certain peer to peer file sharing websites.
7. Trojan-Spy.Win32.SpyEyes.ffc
   SpyEyes is another Trojan that in addition to opening a backdoor will steal confidential information by capturing keystrokes and makes use of the form grabbing technique to steal user authentication information. This Trojan also uses a rootkit to help hide any malicious activity from the user.
8. Worm.Win32.Bagle.qt
   Bagle is a mass mailing work that can also be spread through peer to peer networks. It will open a backdoor on the host computer allowing the attacker access and control of the infected machine.
9. Trojan-Ransom.Win32.PornoBlocker.efo
   Like Mabezat, PornoBlocker is another form of ransomware. This malicious program takes control over the victim’s computer and locks the screen to prevent access. The victim is told to send an text message via SMS to a premium number for the code to unlock the desktop.
10. Trojan-Banker.Win32.Banker.bghb
    This is another variant of the Trojan-Banker family and performs the same actions as mentioned earlier under Trojan-Banker.Win32.Banker.bgsd.

While these malicious programs are indicative of the ones most frequently spread over a certain period of time they do provide us with three things of note:

• Email is still a viable method of transporting malware
• Malware spread through email can be used to launch further attacks against an organization’s network through backdoors
• Malware that is used for identity and financial theft can be applied to theft of confidential and proprietary information at a corporate level

As mail administrators, we can expect to see these programs and their continued variants being sent to our addresses and it is up to us to work with our security teams to put effective tools in place to stop them.

10 Most Common Malicious Programs Sent By Email

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

One of my favourite features within Microsoft Exchange’s Client Access Server role is ActiveSync. This practically foolproof method of providing email access from a variety of mobile devices makes it quick and painless to connect the various phones to your Exchange system, and doesn’t require anything beyond the CALs you already purchased.

While many a manager might argue that a Blackberry is the only serious business phone, the multitude of business apps for iPhones and iPads makes the platform my first choice. Droids can also get in on the action, and the growing number of Windows smartphones makes it inevitable that you will be asked to support ActiveSync connections.

Because once your CAS server is set up and accessible over the Internet, ActiveSync is almost completely self-configuring. You may still run into those who believe that only corporate owned (and therefore corporate controlled) devices should be permitted to connect to the corporate email system, but unless company policy forbids access to web mail from personal computers, the horse may have already left the barn. Several programs can interpret Outlook Web Access’ html and present email to client, and unless you parse your logs for the user agent you may never know about this. ActiveSync devices, even those that are personally owned, can be managed to a degree which should meet most organisations’ security requirements.

With that in mind, here are five reasons why you want to support ActiveSync connections from personal devices.

1. ActiveSync policies can require device encryption
   When you set up an ActiveSync policy, one of the things you can do is require the device to use encryption on its local storage. This ensures that, should the user lose control of the device, its new owner won’t have access to sensitive data.
2. ActiveSync policies can enforce password settings
   To ensure that a device left unattended doesn’t cause issues, you can force a personally owned device to have a password, with complexity, expiry, and timeout settings to meet the needs of your organisation; just like you can do on a Blackberry.
3. You can remotely wipe a lost device
   Devices that support ActiveSync can be remotely wiped, either by an admin through the Exchange Management Console, or by a user through Outlook Web Access. That way, if a lost device falls into curious hands and is powered on, pffft, all data can be wiped.
4. ActiveSync clients don’t require an additional license
   While smaller businesses can take advantage of the free Blackberry Enterprise Server, larger organisations may find that BES licenses take up a significant portion of their budget. These licenses are above and beyond the Exchange CALs, and will probably also require another server license. ActiveSync is supported on the CAS server you already have, and access is covered under the CALs you purchased already for your users, making this a very cost-effective solution.
5. You can save money on the corporate cell phone bill
   In many organisations, I have found that the only reason certain individuals get company phones is so that they will have 24×7 access to email, and the mindset is that only a Blackberry can do this, so the company must buy them a phone and pay the monthly bill. If you support ActiveSync, many users already will own phones that can connect to email.

If you are looking for a way to convince the boss to open up access to ActiveSync, I hope one or more of the reasons above are just the thing to get it done. With a well worded policy that makes it clear that ActiveSync access from a personal device is a courtesy, and that devices will be wiped at the end of the employment relationship, you should be set, but make sure you run that, and all other IT policies, past your HR and legal departments to make sure all is well.

For more on ActiveSync, see this excellent article by my colleague Paul Mah on some of the limitations with different implementations of ActiveSync.  To see exactly what works and what doesn’t with an Apple device like an iPhone or iPad, click here.  If you want to see just how to connect an iPhone/iPad/iPod to Exchange using ActiveSync, click here, and finally, click here to see how to set up an ActiveSync policy on your Exchange server.

5 reasons to support ActiveSync from personal devices

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The increasing number of smartphones and tablets that connect to Microsoft Exchange is placing pressure on the email administrator to also diagnose and troubleshoot issues related to the Exchange ActiveSync protocol.  On this front, I’ve listed a number of tips in Troubleshooting Exchange ActiveSync that I hope will help administrators resolve problems that originate from a range of trouble vectors related to it.

It was in the course of writing my previous article on Exchange ActiveSync that I realized just how scarce resources are on this topic.  Moreover, the different versions of Exchange ActiveSync in use can only contribute to the confusion for a new administrator.  As such, I’ve decided to compile a list of reading resources to help you get quickly up to speed on this important topic.

1. Understanding Exchange ActiveSync: An excellent starting point from Microsoft that summarizes the key capabilities of Exchange ActiveSync.  This includes a section of the various security features and how they work, as well as new information pertaining to the synchronizing of Windows Phone 7 devices.  In addition, you can find another great introduction from the perspective of mobile phone devices here.
2. Understanding the Different Implementations of Exchange ActiveSync: I wrote this primer on TheEmailAdmin just a couple of months back, where I discussed the various versions of Exchange ActiveSync in relation to Exchange Server.  I also highlighted some examples of how certain limited implementations of the protocol on client devices can result in “server problems” – but which are not related to Microsoft Exchange.
3. Understanding Direct Push: This is an older (but recently updated) resource from Microsoft that highlights how the protocol works behind the scene to enable Exchange ActiveSync without the need for a NOC (Network Operating Center) – unlike the RIM BlackBerry platform.  While some networking knowledge pertaining to the HTTP protocol is required to fully understand it; I consider this understanding to be central to properly appreciating the strengths – as well as the quirks – of how Exchange ActiveSync works. And yes, Direct Push is the name of the enabling technology that Microsoft created to deliver push email to mobile devices over a cellular network connection.  Of course, Exchange ActiveSync is the favored term used by Microsoft these days.  If the version on TechNet proves too daunting a read however, you can also check out a more concise summary that I wrote some years back in How does Direct Push really work?
4. How to troubleshoot server ActiveSync HTTP error codes: You can find a list of standard error codes that could be generated by Exchange ActiveSync clients and what they mean here.  Again, networking knowledge will help in understanding this topic, as would an overview of how Direct Push works in the first place.  Regardless of client devices, administrators should be able to better decipher the various errors; be the error due to configuration mistakes on the client end, network-centric, or an issue that can only be rectified on Microsoft Exchange itself.
5. Understanding Exchange ActiveSync Mailbox Policies: This resource contains an exhaustive list of Exchange ActiveSync mailbox policy settings that can be enforced on a deployed Exchange ActiveSync client.  To be clear, not all client devices support all policies, though a quick read through the list will allow a seasoned administrator to quickly determine the limitations and capabilities of Exchange ActiveSync.
6. Exchange ActiveSync: Frequently Asked Questions: I suppose this resource is pretty self-explanatory.  Do note that some parts of this page are a tad out-of-date, though many basic but important questions are also addressed, such as whether it is possible to configure Exchange ActiveSync to support multiple SMTP domains? How to selectively disable users from having access to Exchange ActiveSync? As well as how to schedule synchronization (as opposed to having “push” updates)?
7. Which uses less traffic: BlackBerry Push or Microsoft Direct Push: I wrote this guide a few years ago to compare the difference between RIM’s NOC-centric push system to Microsoft’s Direct Push.  While the relative capabilities of both technologies have dramatically increased since then, the fundamental technical workings have remained consistent.  As it is, I consider the differences in both approaches to be important, as email administrators could well find themselves having to implement both (they are able to co-exist), or to explain the merits of both to senior executives.

While we’re on this topic, I shall be exploring the various other services and platforms that implement the Exchange ActiveSync protocol next week.  Stay tuned!

7 Exchange ActiveSync Resources for the Email Administrator

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The other day, my boss noticed that another VP had configured his personal iPhone to connect to Exchange. Concerned about the security of a device not controlled by IT, he asked me if we should turn off ActiveSync, or at least publish a policy forbidding employees connecting their personal devices to the corporate Exchange system. This is a question many of you have either also encountered, or may encounter soon.

Without ActiveSync, you will probably find some users forwarding their company email to a webmail account, and configuring that account to allow them to “send as” so that they can use their device. Other devices can take advantage of Outlook Web Access, formatting the web based email to render nicely on a mobile device. Rather than fighting this, or creating a situation that might tempt users to violate policy, I recommend you embrace ActiveSync. If you would like to know more, please read on.

With the number of iPads, iPhones, Android based phones and tablets, and Windows Smartphones that will be sold this Christmas you will almost certainly find users connecting their devices to your Exchange system, if they haven’t already. That is the biggest concern most security-minded decision makers will have with personal devices and ActiveSync. It’s so easy for an end user to do this without any IT involvement; it feels like it should be banned. But that is exactly the wrong way to look at this.

Consider this – users are purchasing their own hardware and data plans, and want to access corporate email. They want to work, for free. You don’t have to do much, if anything, to support this; you don’t have to pay for the hardware or the monthly carrier fees, and yet, you can still secure the devices and enforce policy upon them. It’s a win-win any way you slice it. So why would you want to ban this?

While the preceding paragraph was written with tongue-in-cheek, I am very serious about allowing users to connect their own devices to the corporate Exchange system. It helps them to stay in contact and be available to the company without hitting the IT budget. Microsoft built Exchange’s ActiveSync to be easy to use (and set up) and with a simple security policy in place, you can reassure your boss that you have the situation well in hand, and that a lost device will not become a problem. ‘How?’ you ask?

What you want to do is configure an ActiveSync policy that sets some reasonable precautions so that when a device does go missing (what I like to refer to as ‘growing wings,’) you can ensure that whoever finds the device cannot access corporate email. Here is how to set up a policy that protects the company, while still allowing maximum flexibility for your users.

1. Access your Exchange Management Console, browse down to Organisation Configuration, and then to the Client Access section.
2. From the Actions menu, choose “New Exchange ActiveSync Mailbox Policy…” which launches the new policy wizard.
3. Give the policy a name.
4. Check the box to Allow non-provisionable devices. If you don’t do this, you will block most non-MS devices.
5. Make sure that you allow attachments to be downloaded.
6. Require a password, and tick the settings that meet your company’s existing policy, including length, age, and complexity.
7. Notice the option “Require encryption on device.” You will almost certainly want to check this, but Apple devices manufactured before the Fall of 2009 don’t support this, and will not be able to connect if this is checked. Be prepared to explain this, and make sure if anyone is tasked with helping users connect their devices to Exchange, that they know to check this early if there are any problems.
8. Click New.

That’s all there is to it. Doing this at the Organisation level will apply to all your CAS servers, but if you really want to have different policies, you can. You can also go into the newly created policy and set other restrictions, like what applications to allow, limits on the size of emails or attachments, etc.

Frankly, if you wish to make these settings restricting how a device can be used or what programs it can or cannot run, you probably don’t want to allow personal devices to connect to Exchange. Publish a security policy prohibiting personal devices, configure your ActiveSync policy to not allow non-provisionable devices, and issue corporate phones to all users who need access to email while away from a computer. 

What happens when a user loses their phone?

You can remotely wipe the device if you determine that it is irretrievably lost. A user can wipe their own device using OWA, or you can do this using the Exchange Management console, and accessing the Manage Mobile Phone… menu option for the user. But be warned! This wipes the entire device, so make sure your written policy that allows personal devices to connect to Exchange makes this clear to the user. We don’t want them to blame you when their boot-leg mp3 collection of the Spinal Tap reunion tour get wiped and they didn’t sync their iPhone to their PC.

You should also keep in mind that not all implementations of ActiveSync are created equal. RIM’s Blackberry will still remain a significant player for years to come, as long as companies wish to exert complete control over their users’ mobile devices. See this excellent article by my colleague Paul Mah on some of the limitations with different implementations of ActiveSync. And to see exactly what works and what doesn’t with an Apple device, click here.  And if you want to see just how to connect an iPhone/iPad/iPod to Exchange using ActiveSync, click here.

Block ActiveSync? Inconceivable!

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

In my previous post I described four features and reasons for administrators to try Exchange Server 2010. Those features and reasons included “Personal Archive” for email archiving, “Legal Hold” for retention purposes, e-Discovery for compliance requests and ActiveSync for mobility.

Here are six more of the ten reasons to try Exchange Server 2010.

5. Exchange Server 2010 includes new self-service and administrative capabilities that can help reduce the amount of time an administrator spends on management tasks. It has been estimated that an IT staff can lower their operational costs by 15 to 20 percent by leveraging these new features. Using a web-based Exchange Control Panel and a role-based security model email administrators can now delegate their job functions to other members of their team based on skills and authorizations. Basic tasks can also be delegated to the end users. This can help to further reduce the administrator’s management burden as users will be able to perform their own administrative actions. Some of the administrative tasks that users can perform are the ability to create and delete distribution groups, track delivery receipt information and manage memberships and ownership. And to facilitate these actions all work can be performed through a convenient web-based interface.

6. I’ve already spoken previously about the benefits of “ActiveSync” as it applies to mobile communications. But there are other benefits as well which include reduced licensing costs for third-party tools. A further enhancement to the mobile communications capability is the new “Unified Messaging Card” feature. Users can now access their email while on the go using this new feature which adds a speech-to-text preview mode. This can be important to mobile employees who require “24×7” access to all their business communications. Using this feature users can now playback their voicemail messages or initiate return phone calls while on the run.

7. Exchange Server 2010 has enhanced their high availability (HA) offering which can now be implemented without having to reinstall servers. And improvements to their disaster recovery approach also help to keep server downtime to a minimum and thus increase availability. Costs have also been lowered in terms of fewer and lower-cost disk drives are needed to support the increase in higher availability and shorter disaster recovery time. Exchange Server 2010 now supports all HA administrative tasks giving users greater access to their emails and less downtime. Database level recovery is now completely automatic and can be configured for database availability groups of up to 16 mailboxes. Failover times have been reduced to less than 30 seconds adding to the disaster recovery story. The increased uptime is further enhanced with the ability to switch database copies during hardware failures. A new Online Mailbox Move feature that allow users access to their email communications even as their mailboxes are being relocated also increases availability of email communications.

8. Exchange Server 2010 has increased its information security processing by making it easier to encrypt, control and manage any companies’ email communications. Automatic inspection and processing of email messages further increases the secure distribution of email. Email messages can be prioritized for different levels of security controls to be applied. Automatic alerts can be sent to users warning them about potential security risks and policy violations. When higher security is needed, transport rules can be applied that can block, modify or even re-route emails based on pre-defined policies. Prior to delivery, email messages can be protected with Information Rights Management (IRM) and also reviewed according to transport rules defined by administrators. Once email messages have been protected via IRM then they can also be searched and journaling applied for extra levels of security.

9. A universal inbox increases accessibility to all business communications from a single point of access. And with a Conversation View mode available end users can more easily manage large volumes of email. The communication mode with other users can be selected based on their presence on the internet such as communicating with them view email, instant messaging or Short Messaging Service (SMS). The enhanced conversation view allows email messages to be automatically arranged into threads for easy grouping for better organization.

10. User email addresses can be referenced much easier with the use of the Nickname Cache. The nickname cache stores the email addresses of recent recipients sent by the user. This can later be used as a suggested name list which is automatically populated as the user begins to type in an email address.  The result is increased productivity.

10 Reasons to Try Exchange Server 2010 – Part 2

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Windows=based smartphones work best with Exchange.

Let’s face it, your users are going to want to connect  to your organization’s Exchange services with their mobile phones. Rather than allow that activity to grow willy nilly, you may want to impose some controls on the process. So it might make sense to know what smartphones play nicely with Exchange.

Smartphone makers have been steadily improving their handsets’ Exchange capabilities. What’s more, Microsoft has also moved, with the release of Exchange 2010, to better accommodate phone warriors. For example, with Exchange 2010 and ActiveSync, members of your organization get real-time access to their communications on literally hundreds of devices. Email, contacts and calendar items can be automatically synchronized over the air quickly.

What’s more, a user’s inbox becomes truly universal. Barriers to all forms of communication–email, voicemail, rights-protected messages, calendar requests, RSS feeds and saved instant messages–have been removed allowing one-stop access for members of your organization.

In addition, versatility and productivity of mobile email has been boosted with features like previewing messages with speech-to-text voicemail and creating a contest for messages with a conversation view.

Microsoft didn’t leave administrators out of the equation either. They have greater control over device access. They can create lists of devices to block, quarantine or permit access to their network. And budget-strapped IT departments will be glad to hear that the additional mobile support is included at no additional cost in Exchange 2010. Some of that cost, no doubt, is unloaded on smartphone makers, who have to pay a licensing fee to use ActiveSync.

If your users are interested in ho-hum tasks–synchronizing email, contacts and calendars between a phone and a computer–then most phones will fit the bill. Of course, users are never content with ho-hum, are they? They want to search all their messages on your organization’s mail server, look up addresses in the server address list, make appointments that are for their eyes only and reply to meeting requests sent from other people’s phones. For those tasks, a phone’s capabilities can vary.

Understandably, phones based on Microsoft’s Windows mobile operating system play best with Exchange. They have the most complete feature set and they are the most faithful in look and feel to Outlook on the desktop. The downside to these phones, though, is they lack pizzazz.

Worse yet, the operating system is clumsy. Although Microsoft has made some improvements in the OS in recent months, it still has a desktop feel. It has too many nested menus. Nested menus get more and more irksome as screen sizes shrink. Even Microsoft’s own employees have been tepid toward the phones, so much so that Microsoft started offering them free Windows mobiles last month.

In addition, selection is more limited for Windows mobile phones than other hotter models.

Next to a Windows-based phone, Research In Motion’s Blackberry line is the most compatible with Exchange. At its inception, the Blackberry was designed for business users. Since many business users work with Exchange, the RIM folks have worked diligently to make their hardware work effectively with Microsoft’s software. The back end of the Blackberry network also supports a version of Exchange 2010′s Direct Push feature. Direct Push allows email to be “pushed” to a user’s phone at scheduled times. What’s nice about the Blackberry is that there’s a wide selection of models and the platform is supported by all four of the major wireless carriers in the United States.

Certainly the smartphone with the most cachet in the market is Apple’s iPhone. It does have some drawbacks, though. It can’t create private appointments, for instance, nor can it synchronize tasks from the hardware itself. What’s worse, it’s only offered by a single carrier, AT&T, and one that’s been maligned for its service quality and coverage. However, because of the iPhone’s ability to expand its capabilities through downloadable applications, some Exchange issues can be resolved. For example, RERLSoft makes a suite of apps for performing tasks such as over-the-air access to Outlook tasks, notes and contacts, as well as Exchange notes and tasks.

The smartphones that are least compatible with Exchange out of the box are those based on Google’s Android operating system. That deficiency, though, doesn’t seem to have hurt the phone’s popularity among enterprise users. That’s not to say that you can’t get an Android phone that plays nice with Exchange. Verizon’s Droid Incredible has ActiveSync built into it. In addition, as with the iPhone, Exchange capabilities can be added to the phones through apps like TouchDown Exchange. However, you need to make sure that your phone carrier supports the downloading of apps from Google’s Android App Marketplace. AT&T, for example, doesn’t support downloads from the marketplace, but it does have its own Android apps store.

Smartphones that play nicely with Exchange

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

We are conducting our lives and our businesses in an increasingly mobile world.  We need access to our critical business information from multiple locations and using multiple devices.

These needs often clash with the requirement to keep our data secure.  Exchange Servers are kept behind corporate firewalls which restrict who can access them and how they can connect to their mailboxes.

Secure mobile access to mailboxes on Exchange Servers is typically achieved through one or more of these methods:

• Virtual Private Network (VPN)
• Outlook Anywhere
• Outlook Web App (OWA)
• ActiveSync

Virtual Private Networks

A VPN is a secure communications tunnel established between two endpoints.  These endpoints can be two devices such as routers or firewalls, or can be between a client device such as a laptop and a firewall.

Mobile workers use VPNs to establish LAN-like network access to their corporate network.  This usually means that once connected to the VPN they have access to the same network resources they would be able to access when connected to the LAN from within the business premises.  In more security conscious environments this access is sometimes limited to just the few resources they need, but in a practical sense operates just as if they were on the LAN.

Using VPNs for access to Exchange Server makes sense when there are other needs for VPN access as well, such as access to application servers, file servers, or intranet sites.  Rather than each resource having its own independent access method, the VPN provides an “all in one” access solution.

However sometimes VPNs are not practical.  It is not uncommon for a mobile worker to find they are unable to establish a VPN tunnel because of restrictions on the foreign network they are currently working on.  This is mostly the case for IPSEC and PPTP VPN tunnels.  SSL VPN tunnels usually have no such problems because the SSL/HTTPS port is usually permitted out through firewalls.

Outlook Anywhere

Outlook Anywhere was formerly known as RPC-over-HTTPS, which accurately describes how it works.

The Outlook connection to a mailbox server over RPC is tunnelled through an SSL/HTTPS connection so that it can traverse firewalls, as well as to secure the communications over untrusted networks.

Outlook Anywhere is a good solution for secure access to email alone, but provides no access to other resources on the network that the mobile worker might need.

Outlook Web App

Outlook Web App (OWA), known as Outlook Web Access prior to Exchange Server 2010, provides a web-based interface to Exchange Server mailboxes over an SSL/HTTPS connection.  Because access is available via a web browser this makes it accessible for mobile workers who do not have access to the full Outlook software, such as on a home computer or an internet kiosk.

OWA communications are secured over SSL/HTTPS, however when using untrusted computers such as internet kiosks there is the risk of key loggers or other malicious software being used to compromise account passwords.

Because of this risk it is common to use multi-factor authentication with at least one of those being a biometric or a one-time password generated by a token, so that even if the username and password combination are compromised the account cannot be accessed without the additional authentication item.

ActiveSync

ActiveSync is the name of Microsoft’s technology for connecting devices such as smartphones to Exchange Server mailboxes.

The connection is once again secured over SSL/HTTPS and can be subject to numerous restrictions and security policies designed to mitigate the risk of loss due to theft or loss of the smartphone device (which is fairly high risk given their size and general lack of security features).

Those are the four most common secure remote access methods for Exchange Server mailboxes.  I’ve left out some other access methods such as POP and IMAP. Although these can be used securely they are not very common and don’t provide a full functionality experience with Exchange Server.  For most real world scenarios some or all of the above four methods are the solution for secure remote access.

4 Ways to Access Exchange Server Mailboxes through Firewalls

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

There have been many times in the past when I have started a project for a new customer and discovered that they are not using SSL for their email servers.  Usually after a brief discussion they agree to implement SSL in the new system we are installing for them.

Occasionally they agree but insist on doing it in a less than ideal manner.  And sometimes, although rarely, they decline our advice and continue without SSL.

What is SSL?

SSL stands for Secure Socket Layer and is an encryption protocol that secures communications between two parties over insecure networks such as the internet.  Although still commonly referred to as SSL its new name is actually TLS (Transport Layer Security) which more accurately describes its role of securing communications at the Transport layer of the OSI model (eg, the TCP protocol).

In an SSL/TLS secured communication the two parties (e.g. a web server and a web browser) agree on how to secure the connection they are establishing.The server sends the client its public encryption key (sometimes known as an SSL certificate) which the client then verifies against its own list of trusted certification authorities.  Once it has verified the key the client will generate a random number, encrypt it with the server’s public key, and send it to the server.  The public key encryption ensures that only the server can read the random number.

Contrary to popular assumption it is not the server’s public key (or SSL certificate) that is used for the encrypted connection, rather it is only used to secure the initial exchange of the random number.  The random number is then used to encrypt and decrypt the actual connection traffic.

Why is SSL important for Exchange Servers?

Exchange servers come with useful remote access features such as Outlook Web Access, Outlook Anywhere, and ActiveSync.  These features allow your users to access their email from any location with an internet connection by using a web browser, their laptop, or a mobile device such as a smartphone.

This convenience carries with it some security risks, the most obvious being the risk of password credentials being compromised.

Operating any of these remote access services without SSL means that the connection, including password credentials, occurs over an unsecured HTTP connection.  HTTP is the protocol that most websites use.  It is fast, stable, and works through just about any firewall.  But HTTP has no built in security.  Every bit of data sent over HTTP is unencrypted, so when passwords are sent over HTTP they are sent “in the clear”, vulnerable to network sniffers.

Because so much of this remote access occurs from untrusted locations such as free wireless hotspots, it is critical that SSL be used to protect this traffic.

Recommendations for using SSL

Here are some recommendations for using SSL to secure your Exchange server’s remote access features.

• Make it mandatory, not optional.  If you enable SSL but also still allow unencrypted HTTP you make it possible for an unwitting user to connect over the insecure method.
• Use it internally as well as externally.  It is tempting to allow non-SSL connections from locations within your own corporate network but this is still risky.  Some security professionals consider all network segments to be untrusted.
• Use a commercial Certificate Authority instead of a private one.  You may be tempted to save money on SSL certificates by installing a private CA and issuing your own, but this causes more headaches than it is worth.  Your private CA will not be trusted by devices such as smartphones or non-corporate computers, and will result in SSL warning messages that confuse users and can make some applications refuse to connect at all.  Because the SSL warning messages are also often found with phishing sites like fake banking sites it is not a good idea to get your users used to ignoring them.

The Importance of SSL for Exchange Servers

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Some Exchange Server 2007 and Exchange Server 2010 roles require Internet Information Services (IIS) to function.   On these servers Exchange will install a series of IIS virtual directories.  In this post I will describe the Exchange Server virtual directories and their purpose.

/owa – This is the directory for OWA (Outlook Web Access on Exchange 2007, and now called Outlook Web App on Exchange 2010), which is the web browser version of Outlook that is usually accessed by remote workers.  The /owa directory is for access to Exchange 2007 or 2010 mailboxes.

/Public – This is the directory used by OWA users when accessing any Public Folders in the organization.

/Exchweb – This directory is used for OWA access for Exchange 2003 or 2000 users but is not usually accessed directly by the end user.  The OWA session will automatically refer the connect to this virtual directory when necessary.

/Exchange – This directory is again used for OWA access.  When an Exchange 2003 or 2000 mailbox user access the /Exchange virtual directory they are proxied to their mailbox.  For Exchange 2007 or 2010 mailbox users they are redirected to the /owa directory for their mailbox access.

This is useful during the transition from legacy Exchange versions to 2007 or 2010, because users can continue to connect to the /Exchange directory and the result will always be that they connect to their mailbox, as long as the server does not run the Mailbox Server role.  In other words, the /Exchange directory only works for legacy mailbox users if the server is a dedicated Client Access Server (though it can also contain the Hub Transport Server role without a problem)./Exadmin – this directory is for administrative purposes only.  Normal users cannot access this directory.

/Microsoft-Server-ActiveSync – this directory is for ActiveSync clients to connect to mailboxes.  These are typically mobile phones or smart phones that have an ActiveSync-compatible email application.

/OAB – this directory publishes the Offline Address Book for clients running Outlook 2007 and above.  Earlier versions of Outlook download the OAB from Public Folders instead.

/Autodiscover – this directory publishes Autodiscover information.  Clients running Outlook 2007 and above, and some ActiveSync clients, can query Autodiscover for a user’s mailbox configuration and automatically set up the mail profile without the end user needing to enter details such as server names.

/EWS – this directory publishes Exchange Web Services, a new programming API that makes Exchange data available to third party applications.

/Rpc and /RpcWithCert – these directories are for Outlook Anywhere, which was formerly known as RPC-over-HTTPS.  As the name suggests, this allowed Outlook clients to make an RPC connection to the Exchange server over an SSL encrypted tunnel from anywhere, making it possible for staff on the road to continue using Outlook without interruption.

/UnifiedMessaging – this directory allows access to Unified Messaging Web Services.  Unified Messaging is Exchange Server’s telephony integration, with features such as voicemail, auto attendants, and Outlook Voice Access.  This virtual directory allows the integration of Outlook and OWA with Unified Messaging for features such as voice mailbox PIN resets and playing voicemail messages within OWA.

/PowerShell – this directory, appearing only in Exchange 2010, allows remote management sessions from the Exchange Management Shell.

/ecp – this directory, again new to Exchange 2010, publishes a self-service control panel for administrators and users.  A broad range of administrative tasks can be delegated to power users and made accessible through the Exchange Control Panel, such as creating new distribution groups and managing SMTP addresses for mailbox users.  Normal users can also access self-service options such as updating their personal information.

Overview of Exchange Server Virtual Directories

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators