Restricting access to Exchange ActiveSync

Originally published at:

Introduction

By default, Exchange allows connections to ActiveSync from anywhere in the world. While this is convenient for new Exchange admins, small businesses that don't want to do much configuration and those who just want things to work, it poses a security risk on par with any other service openly accessible over the internet. As enterprise mobility continues to grow and management platforms become more prevalent within the industry, leaving ActiveSync completely open makes less and less sense from both a security and a management perspective.

Once devices are fully managed and ActiveSync profiles have been configured and deployed, limiting external access to ActiveSync prevents devices from circumventing MDM to reach corporate email. With circumvention impossible, end users are required to enroll their devices in the corporate MDM platform in order to get their email, enabling greater control over the devices in general; a benefit in its own right.

The aim of this guide is to provide directions for restricting access to ActiveSync to only specified, whitelisted IP addresses; these may belong to a MobileIron Sentry, an AirWatch SEG or any other ActiveSync proxy in use in the business. When finished, it will only be possible to connect to ActiveSync through the specified, whitelisted service, whether on-site or remote.

Before you begin

Note:
– This guide uses Microsoft IIS configuration to restrict access. It is not suitable for firewall configuration.
– The directions outlined below will only restrict access to ActiveSync, leaving OWA (Outlook Web Access) traffic untouched.
–…
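The IIS-side restriction the article describes, as an added example that is not part of the original post: it scopes the IIS "IP and Domain Restrictions" feature to the ActiveSync virtual directory only, so OWA is untouched. It assumes the on-prem Exchange server hosts ActiveSync under "Default Web Site", and the proxy addresses are placeholders for your Sentry, SEG or other ActiveSync proxy.

```powershell
# Added example (not the article's own script). Assumptions: run as an
# administrator on the on-prem Exchange server; ActiveSync lives under
# "Default Web Site"; the IPs below are placeholders for your proxy nodes.
Import-Module WebAdministration

$easPath = 'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync'
$filter  = 'system.webServer/security/ipSecurity'
$allowed = @(
    @{ ipAddress = '192.0.2.10'; subnetMask = '255.255.255.255' },  # placeholder: proxy node 1
    @{ ipAddress = '192.0.2.11'; subnetMask = '255.255.255.255' },  # placeholder: proxy node 2
    @{ ipAddress = '10.10.50.0'; subnetMask = '255.255.255.0'   }   # placeholder: internal proxy subnet
)

# 1. Ensure the IP and Domain Restrictions feature is present (no-op if it is).
Install-WindowsFeature Web-IP-Security | Out-Null

# 2. The ipSecurity section is locked at server level by default; unlock it so
#    it can be overridden for a single virtual directory.
Set-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Metadata overrideMode -Value Allow

# 3. Start from a clean rule list on the ActiveSync directory, then deny
#    every address that is not explicitly listed.
Clear-WebConfiguration -Filter $filter -PSPath $easPath
Set-WebConfigurationProperty -Filter $filter -PSPath $easPath -Name allowUnlisted -Value $false

# 4. Whitelist the proxy addresses. Nothing here touches /owa or /ecp because
#    every call is scoped to $easPath.
foreach ($entry in $allowed) {
    Add-WebConfigurationProperty -Filter $filter -PSPath $easPath -Name '.' -Value @{
        ipAddress  = $entry.ipAddress
        subnetMask = $entry.subnetMask
        allowed    = $true
    }
}

# 5. List the resulting rules so the change can be reviewed before devices
#    are cut over to the proxy.
Get-WebConfiguration -Filter "$filter/add" -PSPath $easPath |
    Select-Object ipAddress, subnetMask, allowed

# Verification: from a host that is NOT listed, a request to
# https://<server>/Microsoft-Server-ActiveSync should return HTTP 403 (IP rejected)
# while https://<server>/owa still loads; from a listed proxy the normal 401
# authentication challenge appears.
# Caveat: if a load balancer in front of Exchange rewrites the source address,
# every request carries the balancer's IP. On IIS 8+ set enableProxyMode=$true
# on ipSecurity so X-Forwarded-For is honoured, or restrict at the balancer.
```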

I appreciate the article! The topic you are addressing is exactly what I need the answer to for my EMM deployment. However, being somewhat unfamiliar with Exchange I was not able to deduce whether the IIS server you are referencing in your article is your O365 Hybrid server, Main IIS for your organization or some other type of intermediary. Could you specify what your deployment depicted here is? If not O365, would you have a recommendation for accomplishing the same in an O365 environment? Thanks so much for your consideration.

Hi @Jsipes, the server in question is the on-prem Exchange. If you have a more complex setup than a simple Exchange server deployment, then you’ll need to locate where the ActiveSync connection is being managed and perform these steps there.

For 365 you’ll need to explore claims rules or lock A/S down with cert based authentication, neither of which I have a guide for I’m afraid!

Thanks for your nice article, I have a question about it…
Is it possible to activate ActiveSync for Users where {$_.DeviceType -match "good"}
We want to allow ActiveSync just for the DeviceType good by each user.

That’s something I’d have to research as I don’t know off-hand, and if you’re actively working with an Exchange environment you’ll likely find the answer faster than me :)