| Option | Description | Considerations |
|---|---|---|
| | LDAP authentication: LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported. Every domain controller is an LDAP server and holds the credentials of the Active Directory users. Because each domain controller can authenticate only the users in its own domain, ISA Server by default queries the forest's global catalog to validate user credentials.<br>RADIUS authentication: RADIUS provides credential validation. ISA Server acts as the RADIUS client and relies on the RADIUS server's authentication response. Password changes are not possible. | Client authentication is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID.<br>Requires port 443 open on the firewall for inbound and outbound Internet traffic.<br>Requires a digital certificate in order to connect to the Configuration Storage server.<br>In the event of firewall failure, the domain and Active Directory remain inaccessible.<br>Domain administrators do not have access to the firewall array.<br>Workgroup clients cannot use Windows authentication.<br>Requires management of mirrored accounts for monitoring arrays.<br>For an overview of the process, see Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices. |
| ISA Server 2006 domain-joined in perimeter network | Exchange FE in the Enterprise forest.<br>As a domain member, ISA Server 2006 integrates with Active Directory. | Additional ports on the internal firewall must be opened for domain-member communication with Active Directory.<br>Simplified deployment and administration of ISA Server arrays within the domain.<br>In the event of firewall failure, access across the domain is exposed.<br>See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109217. |
| Firewall in separate domain with one-way trust | Exchange FE in the Enterprise forest.<br>ISA Server 2006 is a domain controller of its own DMZ forest.<br>A one-way trust is created so that the DMZ forest trusts the Enterprise forest accounts.<br>ISA Server 2006 authenticates requests at the ISA edge. | All Exchange traffic is preauthenticated, reducing surface area and risk.<br>Scales well across an enterprise solution.<br>For detailed instructions, see Using ISA Server 2004 with Exchange Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109215. |
| Third-party firewall | Configure as an advanced firewall or around a perimeter network.<br>Encrypt all traffic between the mobile device and Exchange Server with SSL.<br>Open port 443 inbound on each firewall between the mobile device and Exchange Server.<br>Set the Idle Session Timeout to 30 minutes on all firewalls and network appliances on the path between the mobile device and the Exchange FE server so that direct push connections are not dropped while idle. | Consult the firewall manufacturer's documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout. |
| Single Exchange 2003 Server | Single Exchange Server within the corporate network, behind a firewall.<br>Exchange Server ActiveSync accesses the Exchange virtual directory over port 80 using Kerberos authentication. | Simple deployment for small to medium businesses.<br>Requires the following setup steps on the ExAdmin virtual directory:<br>If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct push technology.<br>For more information, see "Exchange ActiveSync and Outlook Mobile Access Errors Occur when SSL or forms-based authentication is required for Exchange Server 2003": http://go.microsoft.com/fwlink/?LinkId=62660. |
| Windows Small Business Server 2003 | Exchange traffic is routed to the server running Windows SBS, with port 443 open inbound.<br>Exchange FE is behind the following firewalls: ISA Server, which is included in Windows SBS Premium Edition; the built-in Routing and Remote Access firewall in Windows SBS; and the UPnP™ hardware firewall.<br>Certificates installed on devices provide SSL encryption and access. | Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server 2003, providing simplified deployment.<br>Requires desktop ActiveSync installed on a client computer.<br>See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109220. |
| Exchange FE in the perimeter network (this option is not recommended for new mobile messaging solutions) | Exchange FE is in the perimeter network, with firewalls between it and the Internet and between it and the corporate network. | Additional firewall ports must be opened to enable direct push and to allow connections between the FE and BE servers: |
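The 30-minute Idle Session Timeout requirement for direct push can be verified from a client on the device side of the firewalls: direct push holds an HTTPS session open while it waits for the heartbeat, so any appliance on the path that drops idle sessions earlier breaks it. The following Python script is an added example, not Microsoft's code: it opens a connection, stays idle for a chosen time, then sends one request and reports whether the session survived. The ActiveSync virtual directory path used as the probe target and the local stand-in server used for self-testing are assumptions.

```python
import socket
import ssl
import threading
import time

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"  # assumed probe path, not from the page


def idle_session_survives(host, port, idle_seconds, use_tls=True, timeout=10):
    """Connect, stay silent for idle_seconds, then send one request.
    True: the server still answered, so the path kept the idle session open.
    False: the session was dropped meanwhile (idle timeout, reset, no answer),
    which is what would break direct push heartbeats. Raise idle_seconds in
    steps towards 1800 (the 30-minute requirement) to find the real limit."""
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        time.sleep(idle_seconds)
        sock.sendall(("OPTIONS %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                      % (ACTIVESYNC_PATH, host)).encode())
        return sock.recv(1024).startswith(b"HTTP/1.")  # b"" means the peer already closed
    except OSError:  # covers ssl.SSLError, timeouts and connection resets
        return False
    finally:
        if sock is not None:
            sock.close()


def start_idle_closing_server(idle_limit):
    """Constructed local stand-in for an appliance with an idle timeout: answers
    a request arriving within idle_limit seconds, otherwise drops the session.
    Returns its TCP port; it speaks plain TCP, so probe it with use_tls=False."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.settimeout(idle_limit)
            try:
                if conn.recv(1024):
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            except OSError:  # idle limit reached before any request: drop it
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real Exchange FE, call `idle_session_survives("<frontend host>", 443, idle_seconds)` with increasing idle times; the first value that returns False is the effective idle timeout on the path.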