
EAS proxy in PowerShell mode for on-premise Exchange server secure enough?

Hi Community,

We are evaluating Sophos Mobile Central for securing Exchange ActiveSync access to an on-premise Exchange server.

Question 1: Is EAS proxy in PowerShell mode for an on-premise Exchange server secure enough?

As noted in the documentation, in PowerShell mode there is a direct connection to the Exchange server. So only authentication is controlled by EAS proxy and there is no additional security wall/shield between internet and exchange server. I am thinking about vulnerabilities that can be exploited without authentication.

I think this PowerShell mode is secure enough with Exchange 365 in the Microsoft cloud, but is it secure enough in connection with an on-premise Exchange server?

Are there some opinions? Is real proxy mode more secure at all?

Question 2: Is it possible for internal unmanaged devices to connect directly to the Exchange server by Exchange ActiveSync when using EAS proxy in PowerShell mode?

Thank you.

Kind regards,

Chris



This thread was automatically locked due to age.
  • there is no additional security wall/shield between internet and exchange server.

    Could you elaborate on this a bit further? 

    The EAS Proxy will ensure the connections established with the Exchange Server are secure in terms of the mobile devices or workstations that connect to it to retrieve mail. If you wish to have additional protection on the server locally, you will need to have Sophos' Server Protection deployed on the system as well.

    If you wish to prevent any unmanaged devices from connecting to the Exchange server, you can also use the steps mentioned in the following article:
    - Block email access for unmanaged devices

    If you are in the early stages of trying out Sophos Mobile, I'd also suggest trying to connect with your regional Sophos Sales Engineer to see if they can work with you to demo out the features you're interested in. You can engage with your Sales Engineer by first reaching out to your Account Manager. If you'd like assistance in finding out who that may be, please send me a private message and I'd be happy to help. 

    Kushal Lakhan
    Team Lead, Global Community Support
  • there is no additional security wall/shield between internet and exchange server.

    Could you elaborate on this a bit further? 

    As I understand it, Sophos EAS proxy in PowerShell mode ONLY uses Exchange built-in mechanisms to control whether a device is allowed to access the Exchange ActiveSync service. You could say Exchange asks the Sophos EAS proxy whether the device is allowed. But in the very first step of the connection the device can connect to the Exchange server to provide, for example, its device ID, which the Sophos EAS proxy validates.

    So there is no additional security in the very first stages of the connection attempt?

    I am thinking about pre-authenticated vulnerabilities like ProxyLogon.