Can we use a unique identifier to only allow certain devices to connect to our Exchange server? What's the best solution for us to stay secure while not opening too many holes in our firewall?
In Exchange Server 2003 there aren't as many native configuration options for what is and isn't allowed to connect to the server. You can only really prevent devices that don't support password policies from connecting. However, you can control which users are able to connect with ActiveSync by changing the Exchange properties on each user account.
Exchange Server 2007 and higher have a feature that lets administrators restrict each user to a specific device. This requires a bit of management on your part, however: each provisioned device has to be manually inspected, and then each mailbox configured to allow that device, before the device can actually be used.
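The inspect-then-allow procedure described above, as an added example that is not part of the original answer; it assumes the Exchange Management Shell on Exchange 2007 SP1 or later, and the mailbox alias and device ID are placeholders to be replaced with the values you verify.

```powershell
# Added example (not from the original Q&A): run in the Exchange Management Shell
# on Exchange 2007 SP1 or later. Mailbox alias and device ID are placeholders.
$Mailbox = 'jsmith'   # placeholder: the user whose device is being approved

# Step 1: inspect the devices that have partnered with this mailbox.
# DeviceID is the unique identifier the per-mailbox allow list is keyed on;
# compare it against your provisioning records before approving anything.
Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceType, DeviceModel, DeviceID, LastSuccessSync |
    Format-Table -AutoSize

# Step 2: after checking the output above, enter the device you are approving.
$ApprovedDeviceId = 'PLACEHOLDER_DEVICE_ID'   # placeholder from the step 1 output

# Step 3: add it to the mailbox's allow list. Merge with any IDs already present,
# so that approving a second device later does not silently revoke the first.
# Once this list is non-empty, every other device is refused for this mailbox.
$current = (Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs
$ids = @($current) + $ApprovedDeviceId | Where-Object { $_ } | Select-Object -Unique
Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $ids

# Step 4: verify this mailbox, then audit which ActiveSync-enabled mailboxes
# still have no allow list at all (any device could partner with those).
Get-CASMailbox -Identity $Mailbox |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncAllowedDeviceIDs } |
    Select-Object Name
```

The final query is the one to run on a schedule: it lists the mailboxes where the device restriction has not yet been applied.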
BlackBerry devices are a little different. In a corporate environment it's recommended that a dedicated server be installed to provide mobile services. However, end users can either install software on their desktops that acts as a personal BlackBerry server, or they can use BlackBerry Internet Services (BIS), which retrieves email via IMAP, POP or OWA and redirects it to the device.
To prevent these sorts of redirections you'll want to make it part of the corporate policy, and then possibly deny access to and from the BlackBerry services using firewall rules. If you choose to support BlackBerry devices and implement a BlackBerry Enterprise Server (BES), there are a number of outbound TCP connections the server will need to be allowed to establish, while no inbound ports are required. The BES administration features let administrators dictate which BlackBerry devices are used.
This was first published in March 2010