How to allow mobile phone access to Exchange on local network without using vpn?

podvox232021-03-19 09:03:40

podvox23, 2021-03-19 09:03:40

Access to our Exchange server is open only within the local network. Mobile clients knock on it inside the VPN using the IMAP protocol. But we have one employee who can do anything, he refuses to set up a VPN on his phone.
What are the ways to give Exchange access to a mobile phone with ios without installing any applications on it and without using vpn? I would not want to forward mail ports to the Internet for the sake of one person.

Answer the question

In order to leave comments, you need to log in

8 answer(s)

Sergey Ryzhkin, 2021-03-19
@Franciz

I would not want to forward mail ports to the Internet

Then no way.

Alexey Dmitriev, 2021-03-19
@SignFinder

1. Port forwarding (DNAT).
2. Load balancer of Haproxy type.
3. Exchange Client Access
role like https://www.microsoft.com/security/blog/2021/03/02...

salavec, 2021-03-19
@salavec

Create a record in dns according to the external name on the local ip of the server or DAG if used

Mnemonic0, 2021-03-19
@Mnemonic0

Task: to give access to Exchange outside without VPN c IOS without port forwarding.
Answer:
none You want to grant access. There are several options:
Access in the browser through OWA - DNS,NAT
Access through IMAP - NAT
Full configuration with autodiscover, without any junk ala IMAP / POP3 - DNS, NAT, certs
Grant access only from a specific device: Allow
only a certain version of
IOS ActiveSync for everyone except this user
Disable the use of OWA for everyone except this user

Nicholas, 2021-03-21
@romancelover

The idea is this: we take IPv6 from the provider, from the one who wants to connect without VPN, IPv6 is also set (it’s good if he has an MTS operator, otherwise you can’t do without a VPN), and he connects to a host with Exchange or some other local services . To restrict access, you can put a firewall in front of the host that blocks connections to Exchange. Before connecting, the client performs some action that requires authentication (for example, accesses the HTTPS link with the specified certificate or username and password, or logs in via SSH with a specific key, just logs in, does not enter any command), port knocking is also possible ' It's easy to contact (although it's not so safe anymore if someone can view the client's traffic), and by this action, access to services is allowed from the client's address for a certain time.
Although you can simply forward ports and not use IPv6, with control according to the same principle (by default, access is closed, by some action with authentication for a certain time from the client address is opened). Without IPv6, it is possible that the client has a shared IP, and someone else from the same IP will come in, but this is unlikely.

res2001, 2021-03-19
@res2001

Use IMAPS, but you still have to forward ports.

ky0, 2021-03-19
@ky0

he refuses to set up VPN on his phone

Write a letter to the person's manager explaining the options and reasons why VPN is better than port forwarding.

Roman Bezrukov, 2021-03-19
@NortheR73

Poke to start Remote Connectivity Analyzer to check connections and/or errors.
iOS can ask for autodiscover and set up a mobile client.
How does your Exchange go online?
Is the autodiscover service (autodiscover.yourdomain.yourtld) published to the Internet somehow?
And what do you have with ActiveSync?