ActiveSync Public Deployment sans OWA
We currently host an Exchange 2007 OWA site internally and would like to keep it that way for security reasons. Can ActiveSync be made publicly accessible without making the OWA site available? Would we also need to make the autodiscover site accessible too? I'm really uncertain what the interdependencies are between all of the services/sites.

We also do not have an ISA server, so preferred architectures would not include an ISA server. I'm hoping that we could add another CAS server to our farm that only hosts the ActiveSync site, or we add another website that only hosts the ActiveSync site on a different IP/hostname which could be made publicly routable. If this is possible, should we consider hosting the service using a separate name vs our internal owa server? Our public and private DNS name spaces are separate, but if we use the same names I'm concerned it may cause issues for remote clients that connect via VPN.

Any info is much appreciated, links to articles are also very much appreciated!!! I've been searching for this very specific information but have been coming up short.

Thanks much!
February 11th, 2010 11:05pm
Hi,

Instead of installing one more CAS server it would be better and more secure to install an application aware device (like an ISA server). With this you can publish ActiveSync only.

There is no need for the autodiscover site if you have another way of configuring your mobile devices.

Leif
February 14th, 2010 7:05pm
Thanks Leif,

The more I learn about the role of an ISA server, the more I wish we had such a server!

At this point I think we are considering the following shoestring solution:

1. Register an external IP and hostname (owa.domain.com) using the same name as the internal host so that the SSL check is valid.
2. The firewall will proxy external requests to our internal owa server.
3. The internal owa server will restrict access to all the virtual directories, except the ActiveSync virtual directory, that come from the IP of our firewall/proxy.

I hope to sell the idea of purchasing an ISA host, but for now I hope this configuration will work. Please feel free to provide any feedback!

Thanks again Leif!
February 16th, 2010 9:28pm
I would do it in a slightly different way:

* Add a new static IP to your current CAS server.
* Remove the current ActiveSync virtual directory from the Default Web Site.
* Create a new IIS Web Site and change the IP binding to the new IP.
* Create a new ActiveSync virtual directory under the new IIS Web Site using the New-ActiveSyncVirtualDirectory cmdlet.
* NAT your external IP and DNS to the new IIS Virtual directory.

As your external clients are not connecting to owa, you can use the same DNS and certificate for both services as your external clients will never reach the OWA virtual directory.

This solution should cut down on additional hardware but, I still highly recommend you go the ISA route. For around $1,000 in licensing, it is not the world's most expensive piece of software.

Thanks,
Casper Pieterse,
Principal Consultant - UC,
Dimension Data South Africa,
Microsoft Certified Master: Exchange 2007
February 17th, 2010 10:30am
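
The Exchange side of the steps in the post above, with a check that only ActiveSync ends up on the published site. This is an added example, not code posted in the thread; the site name and host name are hypothetical, and it assumes the new IIS Web Site already exists and is bound to the new IP on port 443 with the certificate assigned.

```powershell
# Added example for the Exchange Management Shell on the CAS server.
# Assumed, not from the thread: the site name, the host name, and that the
# IIS site already exists, bound to the new IP on 443 with the certificate.
$server   = $env:COMPUTERNAME
$siteName = 'ActiveSync-External'                                  # hypothetical
$extUrl   = 'https://mail.example.com/Microsoft-Server-ActiveSync' # hypothetical

# Record the current state so the change can be reverted.
Get-ActiveSyncVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl

# Remove the ActiveSync virtual directory from the Default Web Site.
Remove-ActiveSyncVirtualDirectory `
    -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -Confirm:$false

# Create it under the site bound to the new IP.
New-ActiveSyncVirtualDirectory -WebSiteName $siteName -ExternalUrl $extUrl

# Check 1: exactly one ActiveSync virtual directory, and it is on the new site.
$eas = @(Get-ActiveSyncVirtualDirectory -Server $server)
if ($eas.Count -ne 1 -or $eas[0].Name -notlike "*($siteName)") {
    throw "Unexpected ActiveSync virtual directories: $($eas | ForEach-Object { $_.Name })"
}

# Check 2: no other client access virtual directory lives on the published site.
$others  = @(Get-OwaVirtualDirectory          -Server $server)
$others += @(Get-OabVirtualDirectory          -Server $server)
$others += @(Get-WebServicesVirtualDirectory  -Server $server)
$others += @(Get-AutodiscoverVirtualDirectory -Server $server)
$exposed = @($others | Where-Object { $_.Name -like "*($siteName)" })
if ($exposed.Count -gt 0) {
    throw "Also published on ${siteName}: $($exposed | ForEach-Object { $_.Name })"
}
"Only ActiveSync is served from '$siteName'."
```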
Thanks Casper,

I forgot that the ActiveSync installation commandlet asks which website to install the ActiveSync virtual directory in. One of my initial thoughts was to create a new website and manually provision the virtual directory. I figured the manual approach would work but was a bit apprehensive in taking this approach because I feared we may venture off into an unsupported configuration. Thanks for reminding me that the commandlet asks for the website!!!

This approach nullifies our need to restrict access to our other virtual directories.

Thanks again!
February 17th, 2010 10:21pm