
Reading Microsoft's Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010, it looks like encryption is baked in for client access in all flavors (OWA, EAS, etc). 2FA is available with Forefront TMG.

Why would an organization require a VPN client like Cisco Anyconnect, for example, in order to connect to Exchange for email? What does it provide that a pure MS Exchange 2010/Forefront TMG 2010 based architecture build does not?

Ronnie Royston
  • Organizational policy, layered security, audit requirements for regulatory reasons, etc. are all valid reasons to require VPN before application access. – EEAA Oct 31 '16 at 01:22
  • You're saying organizational policy is not available without AnyConnect, for example? Specifically, what audit or regulatory body would require double 2-factor authorization for email? PCI, HIPAA? Who requires such a thing? Can you name any regulatory body that would require that? I would greatly appreciate it. – Ronnie Royston Oct 31 '16 at 01:32
  • I don't know if any that would require double 2FA, but that's not what you were asking about. – EEAA Oct 31 '16 at 01:35
  • This question doesn't seem to be about email at all. It seems to be just: Why do companies require the use of VPNs? – Michael Hampton Oct 31 '16 at 01:47
  • It may not have anything to do with any formal legal requirement, audit policy, regulatory body, etc. This is what your client requires. As a contractor for that client you have a responsibility and an obligation to abide by it. We have no way of knowing why they require it, and as such, this is a question best asked of them, not the internet community. – joeqwerty Oct 31 '16 at 01:47
  • @MichaelHampton enterprise email server / applications are distinct and usually have remote access and MDM solutions baked in as part of their value offering. There are several servers/applications that are not architected with remote access or MDM in mind. My question is specific to Exchange / Forefront TMG. – Ronnie Royston Oct 31 '16 at 02:58
  • @EEAA, your comments boil down to "because they decide to, that's all." However I am looking for an answer. My hunch is that some organizations try to turn email into something it was never designed to be, [per rfc2821](http://www.rfc-editor.org/rfc/rfc2821.txt); for example, image-heavy email signatures are erroneously used by many organizations, as are worthless legal disclosures appended to all messages. – Ronnie Royston Oct 31 '16 at 03:18
  • Actually, "because they decide to, for reasons like organizational policy, desire for layered security, regulatory reasons, etc". I agree with Joe's comment: why do you care? This is your client. Abide by their requirements or don't take contracts from them. It's not like connecting to a VPN is difficult or time consuming to do. – EEAA Oct 31 '16 at 03:23
  • `However I am looking for an answer.` - That's fine, but you're looking for it in the wrong place. We have no idea why your client has this policy. Why aren't you asking them? Any opinions we might have on it would be purely conjecture. – joeqwerty Oct 31 '16 at 04:06
  • I have no reason why _any_ organization has such a policy. The reason I asked here is because I thought some security expert would tell me why. I personally think it's a poor, misguided, and overengineered policy. – Ronnie Royston Oct 31 '16 at 14:33

1 Answer


Quite simply: they don't want their email server exposed to the Internet. By placing it behind their perimeter, they reduce the threat exposure.

Encryption protects the content of communication, but not the communicators themselves.

schroeder
  • The email server requires connectivity to the Internet. – Ronnie Royston Oct 31 '16 at 14:29
  • But only for certain functions, right? Server-to-server connectivity. This lowers the threat surface. – schroeder Oct 31 '16 at 17:08
  • True, but one could also isolate a Web server; in each case, it seems like the server/application is then fundamentally distorted and out of line with its pedigree. – Ronnie Royston Oct 31 '16 at 19:15
  • You are asking about valid reasons to require a VPN for email. This is one. I'm not sure what else to tell you unless you were hoping that we would tell you that your critique of their policy was correct. – schroeder Oct 31 '16 at 20:20
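
What the answer's "server-to-server connectivity only" looks like as a perimeter policy, as an added example that is not part of the original thread or of any Microsoft or Cisco documentation. Addresses, interface names and the VPN address pool are assumptions chosen for illustration: the Internet may reach the edge MTA on TCP/25 only, the Exchange client-access HTTPS endpoints (OWA, EAS, EWS, Autodiscover) are reachable solely from addresses the VPN concentrator hands out, and everything else toward the CAS is dropped.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original thread). All values are assumptions:
#   203.0.113.10   edge MTA in the DMZ (inbound/outbound SMTP only)
#   10.0.1.20      Exchange 2010 client access server on the internal LAN
#   10.20.0.0/16   address pool assigned to VPN clients (e.g. AnyConnect)
#   wan / dmz / vpn / lan  interface names on the perimeter firewall
define mta      = 203.0.113.10
define cas      = 10.0.1.20
define vpn_pool = 10.20.0.0/16

table inet perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions the rules below already admitted.
        ct state established,related accept

        # Server-to-server mail: the only Exchange-related service the
        # Internet can reach, and only on the hardened edge MTA.
        iifname "wan" ip daddr $mta tcp dport 25 accept

        # The MTA may deliver outbound mail and relay inbound mail to Exchange.
        iifname "dmz" ip saddr $mta oifname "wan" tcp dport 25 accept
        iifname "dmz" ip saddr $mta ip daddr $cas tcp dport 25 accept

        # Client access (OWA, EAS, EWS, Autodiscover) only from VPN clients.
        iifname "vpn" ip saddr $vpn_pool ip daddr $cas tcp dport 443 accept

        # Anything else from the Internet toward the CAS is dropped and counted,
        # so the HTTPS endpoints are never exposed without a VPN session.
        iifname "wan" ip daddr $cas counter drop
    }
}
```

The counter on the final rule is what makes this verifiable in practice: `nft list chain inet perimeter forward` shows how many Internet-originated packets aimed at the CAS were dropped, which is the exposure the VPN requirement removes. TMG-style publishing, by contrast, would need a `tcp dport 443 accept` from `wan` toward the publishing gateway, putting the pre-authentication surface itself on the Internet.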