Exchange 2019 - MSFT Office Client vs Mobile users

CWARMAN

So we are trying to allow our mobile users to get email on their phone. This is currently working fine using a firewall layer 7 rule (limited to only a few management employees).

We do NOT want to allow our employees to be able to have MSFT Office on a laptop and have the Outlook client on the laptop connecting to Exchange. But because of the rule above, it is allowing Outlook clients to connect from outside our network.

We have a VPN that our users connect to in order to get mail to the client etc.

Is there a way to allow our mobile users to connect (which we allow via ActiveSync) while not allowing any devices or clients to connect to Exchange from outside our network?

PhilipDAth

I will re-state the problem to make sure I understand.

  • You want mobile devices to be able to get email from Exchange over the Internet.
  • You want computers to only be able to get email when they are connected via VPN.

This is not an easy problem to solve.

The easiest and cheapest way I can think of is to use AnyConnect and only allow VPN access, even for mobile devices (you would need to install AnyConnect on those mobile devices). For mobile, the VPN would be started and then left running. You would never disconnect.
I have not tried it on mobile, but at least on desktop you can configure AnyConnect to start automatically, so users don't even need to do anything. If this is supported on mobile you could make it pretty seamless.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

If I was giving advice strategically, I would say get rid of on-premise Exchange as quickly as you can and migrate to Office 365. Exchange on-premise is an ongoing security nightmare. Note that Microsoft is deprecating Exchange on-premise, so you will be moving off it, either when you choose on your own terms or forcibly by Microsoft. You get to choose the timeframe for that shift at the moment.

The next option I can think of is to change your thinking and move to zero trust. Implement Cisco Duo and use the "Beyond" plan. Configure Cisco Duo to only allow authorised company devices to connect to Exchange (it can do this for lots of apps). Then only allow authorised mobile devices, and every device that is an AD member, to connect to Exchange over the Internet. For bonus points, implement a security restriction so devices have to first pass a health check (such as having antimalware, that antimalware not reporting that the device is compromised, recent patches installed, etc.).
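An added note after the thread (example code written here, not code from either poster): the reason a layer-7 rule keyed on hostname or application cannot separate the two cases is that ActiveSync and Outlook (Outlook Anywhere, MAPI over HTTP) share the same public hostname and port 443 and differ only in URL path. The PowerShell below does two things. On the Exchange server it lists which client endpoints are advertised externally and, optionally, clears the Outlook ones so Autodiscover no longer hands Outlook an external URL. From a host outside the network it probes the public hostname path by path to confirm the edge lets only ActiveSync through. The cmdlets are the standard Exchange Management Shell ones; the hostname `mail.example.com`, the function names, and the use of `$null` to clear a value are assumptions to verify in your own environment.

```powershell
# Added example, not code from the thread. Part 1 runs in the Exchange 2019
# Management Shell on the Mailbox server; part 2 runs from any PowerShell host
# OUTSIDE the network. Hostnames and the "$null clears the value" behaviour are
# assumptions to verify in your own environment.

# --- Part 1: what does Exchange advertise externally? ---
# Outlook discovers its endpoints through Autodiscover, so whatever carries an
# external URL/hostname here is what Outlook will try from the Internet.
function Get-ExternalClientEndpoints {
    param([string]$Server = $env:COMPUTERNAME)   # assumption: run on the server itself
    $eas  = Get-ActiveSyncVirtualDirectory  -Server $Server -ADPropertiesOnly
    $oa   = Get-OutlookAnywhere             -Server $Server -ADPropertiesOnly
    $mapi = Get-MapiVirtualDirectory        -Server $Server -ADPropertiesOnly
    $ews  = Get-WebServicesVirtualDirectory -Server $Server -ADPropertiesOnly
    $oab  = Get-OabVirtualDirectory         -Server $Server -ADPropertiesOnly
    foreach ($row in @(
        [ordered]@{ Protocol='ActiveSync';      External=$eas.ExternalUrl;     WantExternal=$true  },
        [ordered]@{ Protocol='OutlookAnywhere'; External=$oa.ExternalHostname; WantExternal=$false },
        [ordered]@{ Protocol='MAPI/HTTP';       External=$mapi.ExternalUrl;    WantExternal=$false },
        [ordered]@{ Protocol='EWS';             External=$ews.ExternalUrl;     WantExternal=$false },
        [ordered]@{ Protocol='OAB';             External=$oab.ExternalUrl;     WantExternal=$false })) {
        # REVIEW = published when it should not be, or not published when it should be
        $published = -not [string]::IsNullOrEmpty("$($row.External)")
        $row['Finding'] = if ($published -eq $row.WantExternal) { 'OK' } else { 'REVIEW' }
        [pscustomobject]$row
    }
}

# Clearing the Outlook endpoints' external names is hygiene, not enforcement:
# Autodiscover stops handing out the external URL, but a client that already
# knows the hostname can still hit /mapi unless the edge blocks the path.
function Unpublish-OutlookEndpoints {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Server = $env:COMPUTERNAME)
    if ($PSCmdlet.ShouldProcess($Server, 'Clear external Outlook Anywhere/MAPI/EWS/OAB names')) {
        Get-OutlookAnywhere             -Server $Server | Set-OutlookAnywhere             -ExternalHostname $null
        Get-MapiVirtualDirectory        -Server $Server | Set-MapiVirtualDirectory        -ExternalUrl $null
        Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -ExternalUrl $null
        Get-OabVirtualDirectory         -Server $Server | Set-OabVirtualDirectory         -ExternalUrl $null
    }
}

# --- Part 2: does the edge actually enforce it? Run from OUTSIDE the network. ---
# ActiveSync and Outlook share one hostname and port 443; only the URL path
# differs, so the edge rule has to be path-based. Exchange answers an
# unauthenticated GET on these paths with 401, so 401 means "reached Exchange".
function Test-EdgeClientPaths {
    param([Parameter(Mandatory)][string]$PublicHost)   # e.g. mail.example.com (assumption)
    $policy = [ordered]@{
        '/Microsoft-Server-ActiveSync'   = 'ALLOW'
        '/mapi/emsmdb'                   = 'BLOCK'   # MAPI over HTTP, Outlook's default
        '/rpc/rpcproxy.dll'              = 'BLOCK'   # Outlook Anywhere (RPC over HTTP)
        '/ews/exchange.asmx'             = 'BLOCK'
        '/autodiscover/autodiscover.xml' = 'BLOCK'   # mobile profiles then need the server name typed in
    }
    foreach ($path in $policy.Keys) {
        $status = 'no response'                        # timeout or RST at the firewall
        try {
            $r = Invoke-WebRequest -Uri "https://$PublicHost$path" -TimeoutSec 10 -UseBasicParsing
            $status = [int]$r.StatusCode
        } catch {
            # 4xx/5xx surface as exceptions; keep the status code if there is one
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        }
        $reached = ($status -eq 401)
        [pscustomobject]@{
            Path     = $path
            Expected = $policy[$path]
            Status   = $status
            Result   = if ($reached -eq ($policy[$path] -eq 'ALLOW')) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Example runs (hostname is a placeholder):
# Get-ExternalClientEndpoints | Format-Table -AutoSize
# Unpublish-OutlookEndpoints -WhatIf
# Test-EdgeClientPaths -PublicHost 'mail.example.com' | Format-Table -AutoSize
```

A firewall that answers a blocked path with its own block page will show a status other than 401, which the probe still counts as "not reached Exchange"; inspect those rows rather than trusting the PASS blindly. Note also that blocking `/autodiscover` and `/ews` externally affects anything else that relies on them from the Internet, so check the inventory from part 1 against what your mobile profiles actually use before unpublishing.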
