We are conducting our lives and our businesses in an increasingly mobile world.  We need access to our critical business information from multiple locations and using multiple devices.

These needs often clash with the requirement to keep our data secure.  Exchange Servers are kept behind corporate firewalls which restrict who can access them and how they can connect to their mailboxes.

Secure mobile access to mailboxes on Exchange Servers is typically achieved through one or more of these methods:

• Virtual Private Network (VPN)
• Outlook Anywhere
• Outlook Web App (OWA)
• ActiveSync

Virtual Private Networks

A VPN is a secure communications tunnel established between two endpoints.  These endpoints can be two devices such as routers or firewalls, or can be between a client device such as a laptop and a firewall.

Mobile workers use VPNs to establish LAN-like network access to their corporate network.  This usually means that once connected to the VPN they have access to the same network resources they would be able to access when connected to the LAN from within the business premises.  In more security conscious environments this access is sometimes limited to just the few resources they need, but in a practical sense operates just as if they were on the LAN.

Using VPNs for access to Exchange Server makes sense when there are other needs for VPN access as well, such as access to application servers, file servers, or intranet sites.  Rather than each resource having its own independent access method, the VPN provides an “all in one” access solution.

However sometimes VPNs are not practical.  It is not uncommon for a mobile worker to find they are unable to establish a VPN tunnel because of restrictions on the foreign network they are currently working on.  This is mostly the case for IPSEC and PPTP VPN tunnels.  SSL VPN tunnels usually have no such problems because the SSL/HTTPS port is usually permitted out through firewalls.

Outlook Anywhere

Outlook Anywhere was formerly known as RPC-over-HTTPS, which accurately describes how it works.

The Outlook connection to a mailbox server over RPC is tunnelled through an SSL/HTTPS connection so that it can traverse firewalls, as well as to secure the communications over untrusted networks.

Outlook Anywhere is a good solution for secure access to email alone, but provides no access to other resources on the network that the mobile worker might need.

Outlook Web App

Outlook Web App (OWA), known as Outlook Web Access prior to Exchange Server 2010, provides a web-based interface to Exchange Server mailboxes over an SSL/HTTPS connection.  Because access is available via a web browser this makes it accessible for mobile workers who do not have access to the full Outlook software, such as on a home computer or an internet kiosk.

OWA communications are secured over SSL/HTTPS, however when using untrusted computers such as internet kiosks there is the risk of key loggers or other malicious software being used to compromise account passwords.

Because of this risk it is common to use multi-factor authentication with at least one of those being a biometric or a one-time password generated by a token, so that even if the username and password combination are compromised the account cannot be accessed without the additional authentication item.

ActiveSync

ActiveSync is the name of Microsoft’s technology for connecting devices such as smartphones to Exchange Server mailboxes.

The connection is once again secured over SSL/HTTPS and can be subject to numerous restrictions and security policies designed to mitigate the risk of loss due to theft or loss of the smartphone device (which is fairly high risk given their size and general lack of security features).

Those are the four most common secure remote access methods for Exchange Server mailboxes.  I’ve left out some other access methods such as POP and IMAP. Although these can be used securely they are not very common and don’t provide a full functionality experience with Exchange Server.  For most real world scenarios some or all of the above four methods are the solution for secure remote access.

4 Ways to Access Exchange Server Mailboxes through Firewalls

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Virtual Desktop Interfaces like GoToMyPC can be more secure than VPNs for remote workers.

As workers become increasingly mobile, they’re demanding access to their computers–both at home and in the office–from whereever they can connect to the Internet. Cube rats want to access their home computers. Road warriors need to connect to their office desktops to maintain their productivity while traveling. Linking to headquarters is essential for telecommuters.

Over the last decade or so, the vehicle for establishing secure connections outside a company’s firewalls has been the Virtual Private Network, or VPN. It allows a remote computer to tap into a corporate network by creating a secure tunnel to it through the Internet. This method, though, can have security risks. That’s opened a market for alternatives to the hoary VPN.

Because VPNs originate with a company’s IT department, their operation is unquestioned by their users. After all, the reason users are told they need to use the VPN is so they can connect to headquarters securely. That creates a false sense of safety among users so they’re likely to transfer sensitive data through the VPN without using additional encryption and deploy protocols that transmit authentication credentials without any protection at all.

In addition, the VPN can serve to protect an intruder’s mischief rather than block it. In many networks, the Intrusion Detection System (IDS) is located outside the VPN server. Because traffic through the VPN is encrypted, the IDS can’t see it. So if a cracker gains contol of the VPN, he or she can attack the internal systems without being picked up by the IDS.

Here’s another problem with a VPN. When a VPN is established from a remote computer to a host computer, the remote computer essentially becomes part of the corporate network. Data moves between the two computers. If a document is opened up on the host computer, that data is sent to the remote computer. If changes are made to that document on the remote computer, the document is changed on the host computer.

“If the remote computer is already compromised by malware or viruses or anything like that, then the data that you exchange with your host computer could get infected,” Kishore V. Kalidindi, director of engineering at the The Tolly Group Companies in Boca Raton, Fla. explained to me.

“Another thing,” he continued, “if you have a Trojan or keylogger on your local PC and it connects to your corporate network, then the malware can start spreading on your corporate network.”

“That’s a risk that administrators have to protect against before granting access from someone through a VPN,” he added. “They have to decide, do we need to do Security Posture Evaluation before letting a remote computer connect to our corporate network? That poses additional challenges for the administrator.”

Some Virtual Desktop Interface solutions, though, like GoToMyPC from Citrix Online, offer an alternative way to connect to a corporate network without a remote computer becoming part of that network. They do that by delivering a screen image to the remote computer, not the actual data from the host. Whatever is displayed on the host computer’s screen is being digitized, encrypted, compressed and transmitted to the remote computer. The host computer sees keyboard and mouse actions at the remote as if they were being executed on a keyboard and mouse connected to the host. “It doesn’t make the remote computer physically part of the corporate network, so certain security risks are mitigated by solutions like those,” Kalidindi explained. “Actual file data doesn’t get transmitted from your local computer to the corporate network.”

“That is a more secure approach of doing things,” he added.

Managing remote users has always been challenging to system administrators, although it’s more challenging now than it was when the only network access available to out-of-office workers was a phone and modem. Access can be less challenging with Virtual Desktop Interfaces. They can make an administrator’s life simpler, not only because sensitive information need not leave the network and their bandwidth requirements are modest, but VDIs will often function in situations where VPNs won’t. Moreover, they remove the burden of the admin acting as Big Brother monitoring what mobile jocks can and can’t do with their laptops. In addition, should a user complain of unsavory happenings on his or her remote computer, the VDI can be used to quickly assess the situation. While VDIs may not be a viable substitute for a VPN in all cases, if they are viable, they can reduce the security concerns  of administrators opening up their networks to remote access by their company’s workforce.

More secure alternative to VPN

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators