Security risks with ActiveSync configuration?

Occasional Contributor

Hi!

We are testing the IVE's ActiveSync solution to use Exchange on the iPhone.

However, we think that this solution has little security because anybody can access the Exchange server directly without authenticating in the IVE. If anybody is able to encapsulate any traffic over SSL, this traffic would arrive at the Exchange server, and they could take control of this machine and from there jump to any machine in the intranet. Does the Exchange server have enough security to avoid this problem? Would we have a security risk with this architecture?

What do you think about that? Is it weak?

PS: Will the ActiveSync solution have an authentication option in the IVE?

Regards,

Andrelo

Occasional Contributor

Re: Security risks with ActiveSync configuration?

Your only option is to use certificates to protect your static passwords. You will find many entries in the documentation and KB about this.

Frequent Contributor

Re: Security risks with ActiveSync configuration?

That is why you select the ActiveSync-only protocol from the sign-in page.

Respected Contributor

Re: Security risks with ActiveSync configuration?

As mentioned earlier, you can require certificates for users and only allow ActiveSync traffic. In addition, if they were to hit the Exchange server, an attacker would still need to authenticate in order to do anything on the server. As long as IIS is secured, there should be no additional attack vector opened by proxying this through the SA.