SBS 2003 Exchange Access While Abroad

kennycad

Technical User
Jan 26, 2005
52
AU

Hi,

Small company with SBS2003 installed. Currently have two out of office PCs which VPN in and access shared drives, Exchange server etc.

I will be travelling abroad for a month and want to access my office email account. I won't be taking a laptop and will only have access to public internet PCs. I do however have a PDA with WIFI.

Is it better to:

Set up OWA so I can access it using SSL via the internet. (Are there any further things I can do to make this secure, e.g. listening on a port other than 443? I also assume a lengthy password would be beneficial.)

or

Set up VPN on the PDA. When I have access to a WIFI signal, VPN to work and check email using OMA or ActiveSync with the server mailbox.

Is one more secure than the other? I get the impression that OWA will be easier to set up, but is it less or more secure than the PDA option?

thanks
 
OWA should already be set up by default on your SBS... so it shouldn't be that difficult to use. This is done when you ran the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > To-Do List). Of course, you did need to tick the box next to Outlook Web Access on the web services selection screen... but if you didn't or aren't sure, just run the CEICW again.

A visual how-to is here:
As for
kennycad said:
"(Are there any further things i can do to make this secure, eg listening on port other than 443"
I'm not sure where you got the idea that NOT using 443 would or could be MORE secure... but that just doesn't make any sense. The whole concept of SSL is that the information travels between your SBS and the machine you are accessing it with as ENCRYPTED text, meaning it's gibberish to anyone who would attempt to intercept the traffic. So, it doesn't matter whether you are using port 443, 448, or 52847 for that matter... because the "secure" issue pertains to how the traffic flows over various Internet servers as it hops from your server to your remote destination. What keeps that secure is using an SSL certificate and a strong password. Self signed is JUST as secure as 3rd party... the only difference is that the browser doesn't recognize the validity of a self signed certificate so it puts that responsibility on you which you obviously would have no problem with so just accept the warning and move forward.

For passwords, LENGTH = STRENGTH, i.e., any password which is at least 15 characters long is strong. Of course, interjecting spaces, special characters, numerals etc. would only make a long password even stronger.

Regarding the choice between PDA or OWA? The truth is that either one is probably equally secure. So it's really personal preference. You could easily use both if you like.



Jeffrey B. Kane
TechSoEasy
 
Jeffrey, he wasn't referring to not using SSL. He wanted to run SSL on an alternate port. He was talking about a common security practice known as "security through obscurity" in which you shift standard ports to non-standard ports to make them less likely to be subject to newly developed exploits.

But I agree with your general conclusions: there isn't a compelling argument that businesses need to be using alternate SSL ports. The added security doesn't outweigh the added complexity and hassle of using the new ports. I've used alternate ports for OWA users many times, and I've decided that I didn't really need to have done it. As the businesses grew it was just a hassle telling users that not only did they need to remember to use HTTPS, they also had to tack on :13009 or something to the end of the initial FQDN.

The best thing Kennycad could do for security is make sure that all the user accounts in the domain use strong passwords. Passwords with mixed case and some sort of punctuation. I used to even use alt-keys with my passwords, but that got to be a pain when I'd occasionally sit down at a Win98 system or a PDA that didn't support them.

ShackDaddy
Shackelford Consulting
 

Thanks for the tips.

I'll come up with a strong password and open OWA up to the web.

Is it worth setting up this "security through obscurity" using the router? E.g. port forward an obscure WAN port to the internal LAN port 443?

Just out of interest, is there any easy/free way to implement basic "two factor authentication"?

Say a scheduled task on the server changes the user password every hour using a formula. The user that wants to login has a password generation program on their PDA which using the same formula generates the same password.

thanks again.
 
I'm quite aware of Security through Obscurity, but I guess I thought that the question was focused on the security of the email messages themselves, not the overall network. If you re-read my initial answer, I think you'll see that's what I was talking about.

But if the issue was a concern about security of the overall network, then kennycad, you really should be running SBS 2003 Premium with ISA Server 2004. With ISA Server, there's really not much worry about using obscure ports.

Truth be told, on a Small Business Server you can't run OWA on an alternate port without breaking the wizards, and breaking the wizards would absolutely put your server in a much less secure position. As always... security has to be balanced with usability. There's a great article about this that you can read here:
With regard to Two Factor Authentication, check out:



Jeffrey B. Kane
TechSoEasy
 

Thanks for the tips, very useful.

One additional query: my current user name and password are not "strong". I know how to change my password but not my user name. Is it a simple exercise?

thanks
 

No, it is not "administrator"; however, as I will be accessing OWA via internet cafes etc., am I correct in thinking a more obscure username would be more secure? Or does it not matter because it is an SSL connection?

thanks
 
It doesn't matter. The complete logon, including username, is encrypted. Just make sure that you choose the "public" version of OWA when you are at the logon screen so that it doesn't cache anything locally.

ShackDaddy
Shackelford Consulting
 
Thanks ShackDaddy.

One more query prior to heading off.

All is set up, however I get a certificate error when I go to the OWA via the internet.

address/exchange

If I choose "proceed to website anyway", I get the OWA login. Is it still protected by SSL despite the certificate error? Where the padlock is usually shown, the cert error sign exists.

thanks again
 
It's still protected, it is just letting you know that the client isn't 100% positive that the server is who it says it is, since it isn't protected by a 3rd-party cert provider. Don't worry about it. If you had a company that needed to be more official about its access and you had people with Windows Mobile phones that needed to use Exchange ActiveSync, then you'd probably want to stop now and buy a cheap cert from GoDaddy, but for your purposes, you're fine: your traffic is encrypted.

ShackDaddy
Shackelford Consulting
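
With a self-signed certificate the browser warning looks the same whichever server answers, so the identity check that the warning says is missing can be restored by recording the certificate's fingerprint in advance and comparing it with what the certificate dialog shows on the remote PC. An added Python example, not part of the original thread: the function names are hypothetical, SHA-256 is an assumed fingerprint algorithm, and `SAMPLE_DER` is constructed stand-in bytes rather than a real certificate.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in bytes for a DER certificate (not a real certificate).
SAMPLE_DER = bytes.fromhex("3082010a0282010100c0ffee")

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as copied from a cert dialog."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")

def pin_matches(der: bytes, recorded_fp: str) -> bool:
    """True only if the presented certificate is the one recorded earlier."""
    return hmac.compare_digest(fingerprint(der), normalize(recorded_fp))

def fetch_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Read the server's leaf certificate without chain validation.

    Validation is switched off only so a self-signed certificate can be
    retrieved; trust comes from pin_matches(), not from this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Before travelling: record the fingerprint from inside the office LAN.
    recorded = fingerprint(SAMPLE_DER)
    print(recorded, pin_matches(SAMPLE_DER, recorded))
```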
 