Network Architecture Alternatives

6/2/2010

The choices that you have made in your network configuration and network design may impact the steps that you will need to take to upgrade your system to accommodate direct push technology and the Messaging & Security Feature Pack management features.

Deployment Options

The following table introduces some of the most common deployment configurations with the unique considerations for each.

Follow the links to deployment documentation for each configuration.

Setup type: ISA Server 2006 as an advanced firewall in a workgroup in the perimeter network (recommended)

Description:

  • All of the Exchange servers are within the corporate network.
  • The ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.
  • FBA or Basic authentication is set up for Exchange ActiveSync, and SSL is required, so all clients negotiate an SSL link before connecting and all messaging traffic is encrypted.
  • ISA Server 2006 communicates directly with LDAP and RADIUS servers.
  • LDAP authentication:
      • LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported.
      • Every domain controller is an LDAP server and holds the Active Directory users' credentials.
      • Because each domain controller can authenticate only the users in its own domain, ISA Server by default queries the global catalog for the forest to validate user credentials.
  • RADIUS authentication:
      • RADIUS provides credential validation.
      • ISA Server is the RADIUS client and acts on the authentication response returned by the RADIUS server.
      • Password changes are not possible.

Considerations:

  • All Exchange traffic is preauthenticated, reducing surface area and risk.
  • ISA Server 2006 supports client authentication with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID. In workgroup mode the ISA server is not a domain member, so Windows authentication is not available; use LDAP, RADIUS, or SecurID.
  • Requires port 443 opened on the firewall for inbound and outbound Internet traffic.
  • Requires a digital certificate in order to connect to the Configuration Storage server.
  • Limited to one Configuration Storage server (ADAM limitation).
  • If the firewall is compromised, the domain and Active Directory remain inaccessible from it, because the ISA server holds no domain membership.
  • Domain administrators do not have access to the firewall array.
  • Requires management of mirrored accounts for monitoring arrays.
  • For an overview of the process, see Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices.

Setup type: ISA Server 2006 domain-joined in the perimeter network

Description:

  • Exchange FE in the Enterprise forest.
  • As a domain member, ISA Server 2006 integrates with Active Directory.
  • Additional ports on the internal firewall are opened to allow domain-member communication with Active Directory.
  • IPsec can be configured between the ISA server and the Exchange server to eliminate the need for additional open ports.

Considerations:

  • Simplified deployment and administration of ISA Server arrays within the domain.
  • If the firewall is compromised, the domain is exposed through the domain-joined firewall.
  • See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109217.

Setup type: Firewall in a separate domain with a one-way trust

Description:

  • Exchange FE in the Enterprise forest.
  • ISA Server 2006 as the domain controller of its own DMZ forest.
  • A one-way trust is created so that the DMZ forest trusts the Enterprise forest accounts.
  • ISA Server 2006 authenticates requests at the ISA edge.

Considerations:

  • All Exchange traffic is preauthenticated, reducing surface area and risk.
  • Complex to configure.
  • Scales well across an Enterprise solution.
  • For detailed instructions, see Using ISA Server 2004 with Exchange Server 2003 at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109215.

Setup type: Third-party firewall

Description:

  • Configured as an advanced firewall or surrounding a perimeter network.

Considerations:

  • Encrypt all traffic between the mobile device and the Exchange server with SSL.
  • Open port 443 inbound on each firewall between the mobile device and the Exchange server.
  • Set the idle session timeout to 30 minutes on all firewalls and network appliances on the path between the mobile device and the Exchange FE server, so that the long-lived direct push connections are not dropped.
  • Consult the firewall manufacturer's documentation for instructions on opening port 443 inbound and setting the idle session timeout.

Setup type: Single Exchange 2003 server

Description:

  • A single Exchange server within the corporate network, behind a firewall.
  • Exchange ActiveSync accesses the Exchange virtual directory via port 80 by using Kerberos authentication.

Considerations:

  • Simple deployment for small to medium business.
  • Requires the following setup steps on the ExAdmin virtual directory (used by the Exchange ActiveSync Mobile Administration Web tool):
      • Turn off SSL Required.
      • Use Windows Integrated authentication.
  • If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct push technology.
  • For details, see Deployment on a Single Server in the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.
  • See also the Microsoft KB article "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003": https://go.microsoft.com/fwlink/?LinkId=62660.

Setup type: Windows Small Business Server 2003

Description:

  • Exchange traffic is routed to the server running Windows SBS with port 443 open inbound.
  • Exchange FE is behind the following firewalls:
      • ISA Server 2004 Service Pack 1, which is included in Windows SBS Premium Edition Service Pack 1.
      • The built-in Routing and Remote Access firewall in Windows SBS.
      • A UPnP™ hardware firewall, if present.
  • Certificates installed on devices provide SSL encryption and access.

Considerations:

  • Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server 2003, providing simplified deployment.
  • Requires desktop ActiveSync installed on a client computer.
  • See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109220.

Setup type: Exchange FE in the perimeter network (not recommended for new mobile messaging solutions)

Description:

  • Exchange FE is in the perimeter network, with one firewall between it and the Internet and another between it and the corporate network.

Considerations:

  • Additional firewall ports must be opened to enable direct push and to allow the FE and BE servers to communicate:
      • Port 443 inbound on the external firewall.
      • UDP port 2883 on the firewall between the Exchange FE and BE servers, for the one-way BE-to-FE notifications.
  • See the "Deployment with the Front End Server in a Perimeter Network" section of the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=81200

ISA Server 2006 as an Advanced Firewall in a Perimeter Network

In this configuration, all of the Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. This adds an additional layer of security to your network.

All incoming Internet traffic bound for your Exchange servers – for example, Microsoft Office Outlook Web Access (OWA) and remote procedure call (RPC) over HTTP communication from Microsoft Office Outlook 2003 clients – is processed by the ISA server. When the ISA server receives a client request destined for an Exchange server, it terminates the connection and then proxies the request to the appropriate Exchange server on your internal network. That Exchange server returns the requested data to the ISA server, which sends the information back to the client over the Internet.

During installation of the ISA server, Microsoft recommends that you enable Secure Sockets Layer (SSL) encryption and designate 443 as the SSL port. The Web listener then accepts Internet traffic on port 443. Microsoft also recommends that you set up Basic authentication for Exchange ActiveSync and require all clients to successfully negotiate an SSL link before connecting to the Exchange ActiveSync site directories, so that Basic credentials are never sent in the clear. If you follow these recommendations, the traffic that flows into and out of port 443 is both encrypted and preauthenticated.
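The following probe is an added example (not part of the original article and not a Microsoft or ISA Server tool) that checks a published Exchange ActiveSync endpoint for the behaviour these recommendations describe: a validating certificate on port 443, unauthenticated requests challenged with a Basic scheme so that credentials travel only inside the SSL session, and no plaintext service of the same directory on port 80. The host name passed on the command line is an assumption; the virtual directory path is the Exchange Server 2003 default. The two evaluate_* functions are pure and can be exercised offline with constructed responses.

```python
"""Probe an Exchange ActiveSync publishing point for the recommended listener
behaviour: SSL on 443, 401 challenge offering Basic, nothing served on port 80.

Added example, not part of the original article or of ISA Server. Host names
are assumptions; the virtual directory path is the Exchange 2003 default.
"""
import http.client
import ssl

EAS_PATH = "/Microsoft-Server-ActiveSync"   # default EAS virtual directory


def evaluate_https_response(status, headers):
    """Judge the OPTIONS response from the published directory over HTTPS.

    `headers` maps lower-cased header names to values; repeated headers are
    joined with ", ". Returns {"ok": bool, "notes": [...]}. ok is True only
    when the request was challenged (401) and Basic is among the schemes.
    """
    if status == 401:
        challenge = headers.get("www-authenticate", "")
        # each comma-separated challenge starts with its scheme name
        schemes = {c.strip().split()[0].lower() for c in challenge.split(",") if c.strip()}
        notes = []
        if "basic" not in schemes:
            notes.append("401 challenge does not offer Basic")
        if schemes - {"basic"}:
            notes.append("listener also offers: " + ", ".join(sorted(schemes - {"basic"})))
        return {"ok": "basic" in schemes, "notes": notes}
    if 200 <= status < 300:
        return {"ok": False, "notes": ["anonymous OPTIONS succeeded; preauthentication not enforced"]}
    if 300 <= status < 400:
        return {"ok": False, "notes": ["unexpected redirect to " + headers.get("location", "?")]}
    return {"ok": False, "notes": ["unexpected status %d" % status]}


def evaluate_http_response(status, headers):
    """Judge what port 80 does with the same request. `status` is None when
    the TCP connection was refused or timed out. With SSL required, a
    plaintext request must be refused, rejected by IIS (403, the 403.4
    "SSL required" family), or redirected to https://.
    """
    if status is None:
        return {"ok": True, "notes": ["port 80 not reachable"]}
    if status == 403:
        return {"ok": True, "notes": ["plaintext request rejected with 403"]}
    if 300 <= status < 400 and headers.get("location", "").lower().startswith("https://"):
        return {"ok": True, "notes": ["plaintext request redirected to HTTPS"]}
    return {"ok": False, "notes": ["port 80 answers EAS requests with status %d" % status]}


def fold_headers(response):
    """Lower-case header names and join repeated headers (for example several
    WWW-Authenticate lines) into one comma-separated value."""
    folded = {}
    for name, value in response.getheaders():
        key = name.lower()
        folded[key] = value if key not in folded else folded[key] + ", " + value
    return folded


def probe(host, timeout=10):
    """Run both checks against a live host (needs network access)."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
        conn.request("OPTIONS", EAS_PATH)
        resp = conn.getresponse()
        https_result = evaluate_https_response(resp.status, fold_headers(resp))
        conn.close()
    except ssl.SSLError as exc:
        https_result = {"ok": False, "notes": ["TLS handshake failed: %s" % exc]}
    except OSError as exc:
        https_result = {"ok": False, "notes": ["port 443 unreachable: %s" % exc]}
    try:
        plain = http.client.HTTPConnection(host, 80, timeout=timeout)
        plain.request("OPTIONS", EAS_PATH)
        presp = plain.getresponse()
        http_result = evaluate_http_response(presp.status, fold_headers(presp))
        plain.close()
    except OSError:
        http_result = evaluate_http_response(None, {})
    return {"https": https_result, "http": http_result}


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

Run it as `python probe.py mail.example.com` (host name assumed). A "listener also offers" note is informational: it tells you which additional schemes the edge presents to Internet clients, so you can confirm they match what you intended to publish.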

When configured in Web-publishing mode, ISA Server 2006 will provide protocol filtering and hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and pre-authentication.

The following illustration shows the recommended Exchange Server 2003 deployment for mobile messaging with ISA Server 2006.

Authentication in ISA Server 2006

Users can be authenticated using built-in Windows, LDAP, RADIUS, or RSA SecurID authentication. Client-to-ISA (front-end) authentication and ISA-to-published-server (back-end) authentication are configured separately, providing more flexibility and granularity. Single sign-on is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace.

For most Enterprise installations, ISA Server 2006 with LDAP authentication is recommended. In addition, ISA Server 2006 enables certificate-based authentication with Web publishing. For more information, see Authentication in ISA Server 2006 on Microsoft TechNet Web site: https://go.microsoft.com/fwlink/?LinkID=87068.

The following table summarizes some of the features of ISA Server 2006:

Feature Description

Support for LDAP authentication

LDAP authentication allows ISA Server to authenticate users against Active Directory without being a member of the domain.

See this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=87069

Delegation of Basic authentication

Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.

SecurID authentication for Web Proxy clients

ISA Server 2006 can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.

RADIUS support for Web Proxy client authentication

With ISA Server 2006, you can authenticate users against Active Directory and other authentication databases through a RADIUS server: ISA Server sends the credentials to the RADIUS server, which in turn queries Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections.

Session management

ISA Server 2006 includes improved control of cookie-based sessions to provide for better security.

Certificate Management

ISA Server 2006 is improved to simplify certificate management and reduce the total cost of ownership associated with using certificates when publishing Web sites. It is possible to utilize multiple certificates per Web listener and to use different certificates per array member.

LDAP Authentication with ISA Server 2006

ISA Server 2006 supports Lightweight Directory Access Protocol (LDAP) authentication. LDAP authentication is similar to Active Directory® directory service authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server by default, with no additional configuration changes required. By using LDAP authentication, you get the following benefits:

  • You can deploy a server running ISA Server 2006 Standard Edition, or the array members of ISA Server 2006 Enterprise Edition, in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open on the internal firewall all of the ports required for domain membership.
  • You can authenticate users in a domain with which there is no trust relationship.

Instructions for configuring ISA Server for LDAP authentication are included in this document in Step 5: Install and Configure ISA Server 2006 or Other Firewall. For more information about configuring ISA Server for LDAP authentication, see "Secure Application Publishing" at the Microsoft TechNet Web site.

Deployment with ISA Server in a Perimeter Network

In this configuration, the mobile device uses the mobile operator's cellular data network to reach, over the Internet, an outer firewall that the organization uses to restrict traffic. The outer firewall forwards the inbound Exchange ActiveSync traffic (SSL on port 443) to the inner third-party firewall, which forwards it to the Exchange Server 2003 computer for processing.

The figure below illustrates an end-to-end example of a typical over the air Exchange ActiveSync deployment.

To ensure that Microsoft Exchange ActiveSync functions correctly in this scenario, Microsoft recommends that port 443 inbound be opened on both third-party firewall products so that the Windows Mobile device can communicate directly with the Exchange server. This is a network requirement for Exchange ActiveSync to work properly whether you use direct push technology (the default), Always Up-to-Date (AUTD) notifications (optional), or both.

Deployment on a Single-Server

If your mobile messaging solution uses a single Exchange server, you may have to establish some special configurations to avoid conflicts on the virtual directory.

SSL Requirements and Forms-based Authentication

In a single-server configuration, Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 by using Kerberos authentication. Exchange ActiveSync cannot access the Exchange virtual directory if either of the following conditions is true:

  • The Exchange virtual directory is configured to require SSL.
  • Forms-based authentication is configured.

For more information about, and workarounds for, these configurations, see the following article in the Microsoft Knowledge Base:

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003. https://go.microsoft.com/fwlink/?LinkId=62660

Settings Required for Exchange ActiveSync Mobile Administration Web Tool Installation

When deployed in a single-server configuration, the Exchange ActiveSync Mobile Administration Web tool requires the default configuration on the ExAdmin virtual directory. By default, SSL is not turned on and the virtual directory has Windows Integrated authentication.

In a single-server configuration, we recommend that you do the following on the ExAdmin virtual directory:

  • Turn off SSL Required
  • Use Windows Integrated authentication

Note

The Exchange ActiveSync Mobile Administration Web tool should run in the ExchangeAppPool.

For more information, see the following article in the Microsoft Knowledge Base:

Error message when you try to use the Microsoft Exchange Server ActiveSync Web Administration tool to delete a partnership or to perform a Remote Wipe operation on a mobile device in Exchange Server 2003 SP2: "(401) Unauthorized" (Microsoft KB 916960): https://support.microsoft.com/kb/916960

RSA SecurID Compatibility

RSA SecurID provides token-based authentication that requires user input, which originally was not compatible with direct push technology, in which the device synchronizes automatically without user interaction. RSA has updated the RSA Authentication Agent for Windows so that direct push technology and scheduled synchronization function smoothly.

ISA Server 2006 works with SecurID token authentication. See the ISA Server 2006 documentation.

If you are using the RSA SecurID product, be sure to get the latest RSA SecurID software from the RSA Security Web site: https://go.microsoft.com/fwlink/?LinkId=63273.

Forms-based Authentication

If you have forms-based authentication set up on an Exchange organization for Exchange ActiveSync on a single Exchange server (one with no separate back-end server), additional configuration may be required. For more information about these configurations, see the following article in the Microsoft Knowledge Base: https://go.microsoft.com/fwlink/?LinkId=109221

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

Note

Exchange Server 2003 SP2 forms-based authentication does not allow you to set the default domain setting in IIS to anything other than the default value of "\". This restriction is in place in order to support user logons that use the User Principal Name (UPN) format. If the default domain setting in IIS is changed, Exchange System Manager resets the default domain setting to "\" on the server. You can change this behavior by customizing the Logon.asp page in the OWA virtual directory in IIS to specify your domain or to include a list of domain names. However, if you customize the Logon.asp page in the OWA virtual directory in IIS, your changes may be overwritten if you upgrade to, or reinstall, Exchange Server 2003 SP2.

Deployment with the Exchange Front End Server in a Perimeter Network

If your deployment configuration has the Front-End Exchange server inside the DMZ or perimeter network, you may have to change the firewall settings to facilitate the direct push technology.

Note

This option is not recommended for new mobile messaging solutions.

With direct push technology, whenever the back end server receives e-mail or data to be transmitted to a mobile device, it sends a UDP notification to the front-end server. This transmission requires that UDP port 2883 be open on the firewall to allow one-way traffic from the back-end server to the front-end server.

For more information about the deployment of direct push technology and its impact on firewall configuration, see the Exchange Server blog article "Direct push is just a heartbeat away" at https://go.microsoft.com/fwlink/?LinkId=67080.
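The following simulation is an added example (not part of the original article, the blog post, or Exchange) that shows why the deployment table asks for a 30-minute idle session timeout on every firewall and appliance between the device and the front-end server. A direct push Ping sits idle on the wire for the whole heartbeat interval, so a stateful firewall with a shorter idle timeout silently drops the session: the server's reply never arrives, new mail waits until the device's own timer fires, and the device then shortens its heartbeat and polls more often. The adaptive-heartbeat constants (initial, floor, ceiling, step, rounds before raising) and the mail arrival times are assumptions constructed for this model, not Exchange or Windows Mobile values.

```python
"""Model of direct push against a stateful firewall's idle-session timeout.

Added example, not part of the original article or of Exchange. Heartbeat
constants and mail arrival times are assumptions constructed for the model.

Mechanics modelled: the device sends a Ping with a heartbeat interval and then
waits with no bytes on the wire; the server answers early when mail arrives
(status 2) or at the heartbeat (status 1). A firewall whose idle timeout is
shorter drops the session silently, so the device learns nothing until its
own timer fires, then re-syncs and shortens the heartbeat.
"""


def effective_idle_timeout(path_timeouts_s):
    """The shortest timeout of any appliance on the path governs the session."""
    return min(path_timeouts_s)


def simulate_direct_push(idle_timeout_s, mail_arrivals_s, duration_s,
                         initial_hb_s=15 * 60, floor_s=60, ceiling_s=45 * 60,
                         step_s=3 * 60, good_rounds_to_raise=3):
    """Run the device/server/firewall interplay for `duration_s` seconds.

    Returns pings issued, sessions dropped by the firewall, the heartbeat in
    use at the end, and the worst notification delay suffered by a message.
    """
    t, hb, streak = 0, initial_hb_s, 0
    pings = drops = 0
    latencies = []
    pending = sorted(mail_arrivals_s)
    while t < duration_s:
        pings += 1
        deadline = t + hb                                  # device's own timer
        # no margin: a heartbeat equal to the timeout races the firewall timer
        dropped_at = t + idle_timeout_s if hb >= idle_timeout_s else None
        nxt = pending[0] if pending and pending[0] < deadline else None
        if nxt is not None and (dropped_at is None or nxt < dropped_at):
            # mail arrives while the session is alive: server replies at once
            latencies.append(0)
            pending.pop(0)
            t = nxt
            streak += 1
        elif dropped_at is not None:
            # firewall dropped the idle session; any server reply is lost and
            # mail waits until the device's timer expires
            drops += 1
            while pending and pending[0] < deadline:
                latencies.append(deadline - pending.pop(0))
            t = deadline
            hb = max(floor_s, hb - step_s)
            streak = 0
        else:
            # heartbeat expired with nothing new (status 1); re-issue Ping
            t = deadline
            streak += 1
        if streak >= good_rounds_to_raise and hb < ceiling_s:
            hb = min(ceiling_s, hb + step_s)   # stretch heartbeat after good rounds
            streak = 0
    return {"pings": pings, "drops": drops, "final_heartbeat_s": hb,
            "max_latency_s": max(latencies) if latencies else 0}


# constructed sample: a few messages over a four-hour window
SAMPLE_MAIL_S = [600, 2500, 4000, 7000, 9900, 13000]
FOUR_HOURS_S = 4 * 3600


def compare_timeouts(path_a_s, path_b_s):
    """Same mail flow through two paths, each given as the idle timeouts of
    the appliances along it (for example one default 5-minute appliance
    versus every hop at the recommended 30 minutes)."""
    return {
        "a": simulate_direct_push(effective_idle_timeout(path_a_s), SAMPLE_MAIL_S, FOUR_HOURS_S),
        "b": simulate_direct_push(effective_idle_timeout(path_b_s), SAMPLE_MAIL_S, FOUR_HOURS_S),
    }


if __name__ == "__main__":
    for name, res in compare_timeouts([1800, 300, 3600], [1800, 1800, 3600]).items():
        print(name, res)
```

Path "a" has one appliance left at a 5-minute default; it drops sessions, delays the first message by the full remaining heartbeat, and forces the device into a short polling cycle. Path "b", with 30 minutes everywhere, delivers every message immediately with far fewer connections, which is the battery and traffic saving direct push is meant to give.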

For more information about configuring a front-end server in the DMZ, see "Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server" at https://go.microsoft.com/fwlink/?LinkId=62643.

VPN Configuration

Windows Mobile 5.0-based devices provide native support for Virtual Private Network (VPN) access to a corporate network based on PPTP or L2TP/IPSec VPN protocols.

Microsoft recommends using L2TP/IPSec connections, because they require both device-level authentication through certificates and user-level authentication through a PPP authentication protocol. L2TP/IPSec uses your existing VPN infrastructure to let Windows Mobile-based devices connect to internal company resources such as file shares, Web servers, and mobile line-of-business applications. For an example deployment of VPN with Windows Server 2003, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109222.

For more information about securing VPN access, see “How ISA Server 2004 Provides SSL VPN Functionality for Outlook Web Access and RPC over HTTP” at https://go.microsoft.com/fwlink/?LinkID=67445.

For more information about the sign on process from a Windows Mobile 5.0-based device, see “Accessing a Corporate Network by using a VPN Connection” in Step 8, Manage and Configure Mobile Devices.