ISA Server 2006 as an advanced firewall in a workgroup in the perimeter network (recommended)

  Description:
  - All of the Exchange servers are within the corporate network.
  - FBA or Basic authentication is set up for Exchange ActiveSync, so all clients negotiate an SSL link before connecting; SSL encrypts all messaging traffic.
  - ISA Server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.
  - ISA Server 2006 communicates directly with LDAP and RADIUS servers.
  - LDAP authentication: LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported. Every domain controller is an LDAP server and holds the Active Directory users' credentials. Because each domain controller can only authenticate the users in its own domain, ISA Server by default queries the global catalog of the forest to validate user credentials.
  - RADIUS authentication: RADIUS provides credential validation. ISA Server is the RADIUS client and depends on the RADIUS authentication response. Password changes are not possible.

  Considerations:
  - All Exchange traffic is preauthenticated, reducing surface area and risk.
  - Client authentication is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID.
  - Requires port 443 opened on the firewall for inbound and outbound Internet traffic.
  - Requires a digital certificate in order to connect to the Configuration Storage server.
  - Limited to one Configuration Storage server (ADAM limitation).
  - In case of firewall failure, the domain and Active Directory are inaccessible.
  - Domain administrators do not have access to the firewall array.
  - Workgroup clients cannot use Windows authentication.
  - Requires management of mirrored accounts for monitoring arrays.
  - For an overview of the process, see Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices.

ISA Server 2006 domain-joined in the perimeter network

  Description:
  - Exchange FE is in the Enterprise forest.
  - As a domain member, ISA Server 2006 integrates with Active Directory.

  Considerations:
  - Additional ports on the internal firewall are opened to facilitate domain member communication with Active Directory; IPsec can be configured between the ISA server and the Exchange server to eliminate the need for the additional open ports.
  - Simplified deployment and administration of ISA Server arrays within the domain.
  - Access across the domain is exposed in case of firewall failure.
  - See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109217.

Firewall in a separate domain with a one-way trust

  Description:
  - Exchange FE is in the Enterprise forest.
  - ISA Server 2006 is the domain controller of its own DMZ forest.
  - A one-way trust is created, so the DMZ forest trusts the Enterprise forest accounts.
  - ISA Server 2006 authenticates requests at the ISA edge.

  Considerations:
  - All Exchange traffic is preauthenticated, reducing surface area and risk.
  - Complex to configure.
  - Scales well across an Enterprise solution.
  - For detailed instructions, see Using ISA Server 2004 with Exchange Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109215.

Third-party firewall

  Description:
  - Configure as an advanced firewall or surrounding a perimeter network.
  - Encrypt all traffic between the mobile device and Exchange Server with SSL.
  - Open port 443 inbound on each firewall between the mobile device and Exchange Server.
  - Set the Idle Session Timeout to 30 minutes on all firewalls and network appliances on the path between the mobile device and the Exchange FE server to facilitate direct push technology.

  Considerations:
  - Consult the firewall manufacturer's documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout.

Single Exchange 2003 Server

  Description:
  - A single Exchange Server within the corporate network, behind a firewall.
  - Exchange ActiveSync accesses the Exchange virtual directory via port 80 using Kerberos authentication.

  Considerations:
  - Simple deployment for small to medium business.
  - Requires the following setup steps on the ExAdmin virtual directory:
  - If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct push technology.
  - For details, see Deployment on a Single Server in the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.
  - See also the Microsoft KB article "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003": http://go.microsoft.com/fwlink/?LinkId=62660.

Windows Small Business Server 2003

  Description:
  - Exchange traffic is routed to the server running Windows SBS with port 443 open inbound.
  - Exchange FE is behind the following firewalls:
    - ISA Server, which is included in Windows SBS Premium Edition
    - The built-in Routing and Remote Access firewall in Windows SBS
    - The UPnP™ hardware firewall
  - Certificates installed on devices provide SSL encryption and access.

  Considerations:
  - Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server 2003, providing simplified deployment.
  - Requires desktop ActiveSync installed on a client computer.
  - See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109220.

Exchange FE in the perimeter network (not recommended for new mobile messaging solutions)

  Description:
  - Exchange FE is in the perimeter network, with firewalls between it and the Internet and between it and the corporate network.

  Considerations:
  - Additional firewall ports are opened to enable direct push and to facilitate the connection between the FE and BE servers:
  - See the "Deployment with the Front End Server in a Perimeter Network" section of the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=81200.