Geeks With Blogs

News Clicky Web Analytics

web stats View David Caddick ('s profile on LinkedIn

Search this Site!

Locations of visitors to this page
View My Stats eXTReMe Tracker
This posting is provided "AS IS" with no warranties, and confers no rights. The opinions expressed within are my own and should not be attributed to any other Individual, Company or the one I work for. I just happen to be a classic techie who is passionate about getting things to work as they should do (and are sometimes advertised and marketed as being able to?) and when I can I drop notes here to help others falling in to the same traps that I have fallen in to. If this has helped then please pass it on - if you feel that I have commented in error or disagree then please feel free to discuss with me either publically or privately? Cheers, Dave
Thin Clients, VDI and Linux integration from the front lines.... Raw and sometimes unedited notes based on my experiences with VMware, Thin Clients, Linux etc.

So Microsoft has posted this article for those who want to deploy Push email but this is interesting that I've noticed this today almost immediately after going through an online discussion with some of the security team at my end that has seen us decide (read - me capitulate under overwhelming numbers??) to try using Nokia's Intellisync to achieve push email.

OK, I'm gutted, and not just because I've spent so much spare time over the last 9 months or so trying to line this up but the reality of it is that some stage I have to liaise with the security team to establish the path that is to be traversed by the Mobile Devices to connect with the Exchange Server.

Now I'm sure that in some ways we are almost indicative of most of the small to medium companies out there in that I'm trying to get this working around a single Checkpoint Firewall and talk to a single Exchange Server without upsetting the present Production System.

So this is what I've come up with so far, and I hope it's useful for others? Essentially what I have done is talk this through with Jason Langridge as to the most secure method of deploying the push email while trying to work within what is going to be the typical constraints of a production environment - if you have any questions please drop me a line? 

Cheers, Dave

What makes this somewhat tricky is that we only have the one Exchange Server, and that also does justice for the Regular Outlook Clients, OWA, OMA and ActiveSync as it stands today and whatever changes we introduce will have to be done in such a way as to cause no impact what so ever on the normal Production System?

So what I'm trying to do here is *introduce* ActiveSync Push as securely as possible without it impacting the regular OWA.

Separate the Production Exchange usage from the new ActiveSync?
Given this constraint - what I am proposing is to create an additional Virtual Folder/Server on the IIS component of the Exchange 2003 server for the ActiveSync to point at (this could be called EAS? for Exchange ActiveSync?) This way we could leave the existing OWA setup as it is, and create a separate and independent FW rule for the new ActiveSync?

Allowing ActiveSync Securely:
After a healthy discussion with Jason at MS (who deals primarily with the Mobility side of things) I believe I have managed to understand the possible scenarios of how we could implement Active Sync for Push email.

The options are:

  • Continue to use FW-1 as it is - create a rule allowing direct ActiveSync traffic thru to the Exchange (new Virtual Server?) - BUT only allowing Certificate based Authentication.
  • Use ISA 2004 - with User Authentication on/from the device (no Certificate based Authentication is possibly from this)
  • Use ISA 2006 - with Certificate based Authentication

My understanding of why it's preferable to use ISA is that it enables far greater control over checking the ActiveSync traffic is what it says it is before allowing to even be passed to the Exchange Server, as well as:

  • SSL to SSL bridging (SSL termination)
  • Advanced HTTP Security Filtering
  • OWA/OMA/ActiveSync wizards that create secure publishing rule by default
  • Secure Exchange RPC filtering

However the limitation with ISA 2004 is that you cannot combine this with Certificate Based Authentication for the devices. This is something that our Admin would like to implement as an additional layer of security and control, as well as making Administration easier. With the release of ISA 2006 there is much more support for Certificates in general, as well as allowing Certificate Based Authentication when using ActiveSync to connect to Exchange.

Posted on Friday, April 7, 2006 6:42 PM C500/C600 SmartPhone (or replacement) , Citrix , Exchange and Push Email , IT Management , Real Cool Stuff , Microsoft Tips , VMware and other Virtualization tools , Security | Back to top

Comments on this post: Step-by-Step Guide to Deploying Push email with MSFP enabled WM5 Devices - while working with existing Firewalls like Checkpoint, etc.

# Weekend reading
Requesting Gravatar...
Since there was no "weekend reading" last week, today's list is abnormally long. If you don't have the...
Left by subject: exchange on May 05, 2006 10:03 AM

# re: Step-by-Step Guide to Deploying Push email with MSFP enabled WM5 Devices - while working with existing Firewalls like Checkpoint, etc.
Requesting Gravatar...
You talked about creating a rule to allow Activesync traffic through. Does it mean just allow a port forwarding to the exchange server?

And what security implications does it have to run a port 443 forwarded to an exchange server with SP2.
Left by kksh on Jul 03, 2006 2:42 AM

# Direct Push Guide
Requesting Gravatar...
I wrote a Direct Push Guide at that explains a lot of what happens in the background of Microsoft's push mail implementation. Do check it out for a read.
Left by Paul Mah on Oct 23, 2006 3:58 AM

# Emansio: Push E-mail for your mobile.
Requesting Gravatar...

Emansio is a Windows Mobile plug-in for pocket Outlook that enables push mail for most email providers like Google etc…

A free fully functional trial is available for download from .


Sankalp (Emansio Team)
Left by sankalp on May 09, 2008 4:17 AM

Your comment:
 (will show your gravatar)

Copyright © Dave Caddick | Powered by: