> However, what other access do remote clients have - is there a VPN in
> place for remote/mobile individuals? If so, the same hole effectively
> exists anyway. They can install (or configure natively) the VPN
> client, and then use Outlook remotely anyway.
Most of the users that have VPN really only use it to connect in and then 
open up Outlook, so in those instances once RPC over HTTPS is rolled out 
the vast majority of them will not be provided VPN access.
We have played with SSL Explorer and other SSL VPN solutions (Watchguard, 
etc...) and will weigh them as well. Thanks!





"Kurt Buff" <[EMAIL PROTECTED]>
02/06/2008 08:38 PM
Please respond to: "NT System Admin Issues" <[email protected]>

To: "NT System Admin Issues" <[email protected]>
Subject: Re: RPC over HTTPS

No way I know of to stop this.

However, what other access do remote clients have - is there a VPN in
place for remote/mobile individuals? If so, the same hole effectively
exists anyway. They can install (or configure natively) the VPN
client, and then use Outlook remotely anyway.

If you're truly concerned about this, I can suggest an alternative:
ssl-explorer. Google for it - I don't have the link in front of me.

It's an SSL VPN that uses a web interface - they browse to your
external host port, and are presented with a web page that gives them
a set of pre-defined applications, such as relevant TS sessions to a
TS server or their desktop, or an internal web app that you publish
through SSL, or a file share presented in a web page.

Kinda hard to slurp an entire mailbox over a TS session.

Kurt

On Feb 6, 2008 4:52 PM,  <[EMAIL PROTECTED]> wrote:
>
> We are getting ready to roll out RPC over HTTPS for email. For quite a
> while we have had most of our users internal to the company and have just
> used the Outlook client to access Exchange natively. As we have brought
> remote offices online the VPN tunnels enabled similar access. Then we had
> a few roaming users that we gave VPN access to for their email. And of
> course everyone has OWA for access from home, and ActiveSync for access
> from their mobile devices.
>
> There is one overwhelming concern we have with enabling RPC over HTTPS
> though, and I am wondering if anyone has any commentary on this, or
> suggestions. By allowing RPC over HTTPS we are enabling our staff to
> download all of their company email on a machine which may or may not be
> within our control. Sure, with OWA they can access their email from home
> and selectively grab a message here and there, but with RPC over HTTPS
> they can grab an entire mailbox and do whatever they want with it. This is
> definitely one of those areas that could come back to haunt us later.
>
> For the short term we would only set it up on company laptops of course,
> however there is nothing stopping someone from copying those settings to
> their own personal machine. Or is there? Is there any solution that can be
> implemented so we control which computers can access our Exchange over
> RPC?
>
> Thanks,
> Jeff

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

