ActiveSync is a Microsoft technology that has brought data synchronization and server access to hundreds of millions of mobile devices since its introduction. In over 20 years it has evolved to be the foundation of mobile access to today’s latest email and server products, including Microsoft Exchange, Office 365, and IBM Notes. Chances are you’re using ActiveSync if your organization uses Microsoft Exchange and you’re accessing your email on an iOS, Android, Windows Mobile, or BlackBerry device.
Along with ActiveSync, Outlook on the Web is the standard for browser-based access to Exchange and Office 365 for email, contacts, tasks, and other services managed by these servers. Outlook on the Web has had many previous names, including Exchange Web Connect, Outlook Web Access, and Outlook Web App. Most people know it as OWA, short for Outlook Web Access. Both ActiveSync and OWA are widely used; however, they present a security challenge to IT teams, as the data sent from a mobile device or a web browser could bypass traditional threat detection systems in certain situations.
The security loophole with ActiveSync and OWA
When remote users send and receive emails using ActiveSync or OWA, the server communicates directly with the devices, bypassing email protection services that scan SMTP traffic. Secure Email Gateways (SEGs) scan only inbound and outbound email exchanged over SMTP with users external to the communications server.
The ActiveSync protocol is based on XML and uses HTTPS to communicate with the server. OWA is a browser-based method that communicates with the server using HTTP and HTTPS. SEGs have no visibility into this traffic and can’t intercept threats that may be hidden inside.
Using Microsoft Exchange as an example, if a remote user sends an email infected with malware using their mobile device or OWA to a recipient outside the organization’s Exchange Server, the email would be flagged and acted upon by the SEG. However, recipients on the same Exchange Server as the mobile or OWA user would receive the infected email, spreading the threat or possibly sending it to other users on the Exchange Server.
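One way to size this blind spot, as an added example that is not from the original article or from Fortinet: a Python script that counts messages submitted over ActiveSync in IIS W3C logs from the Exchange front end. The `/Microsoft-Server-ActiveSync` endpoint and the `Cmd` values come from Microsoft's ActiveSync protocol documentation rather than from this page, and the log excerpt is constructed.

```python
from collections import Counter
from urllib.parse import parse_qs

# ActiveSync commands that submit a message; submission rides HTTPS, not SMTP.
SEND_CMDS = {"sendmail", "smartforward", "smartreply"}
EAS_PATH = "/microsoft-server-activesync"

# Constructed IIS W3C log excerpt (users, device IDs and addresses are made up).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2024-01-15 09:12:01 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=DEV001&DeviceType=iPhone alice 203.0.113.10 200
2024-01-15 09:12:40 POST /Microsoft-Server-ActiveSync Cmd=SendMail&User=alice&DeviceId=DEV001&DeviceType=iPhone alice 203.0.113.10 200
2024-01-15 09:15:02 POST /Microsoft-Server-ActiveSync Cmd=SmartReply&User=alice&DeviceId=DEV001&DeviceType=iPhone alice 203.0.113.10 200
2024-01-15 09:20:11 POST /Microsoft-Server-ActiveSync Cmd=SmartForward&User=bob&DeviceId=DEV002&DeviceType=Android bob 198.51.100.7 200
2024-01-15 09:21:30 POST /Microsoft-Server-ActiveSync Cmd=SendMail&User=bob&DeviceId=DEV002&DeviceType=Android - 198.51.100.7 401
2024-01-15 09:22:05 POST /owa/ - carol 198.51.100.9 200
2024-01-15 09:23:44 POST /Microsoft-Server-ActiveSync Y29uc3RydWN0ZWQtc2FtcGxl dave 203.0.113.55 200
2024-01-15 09:24:00 OPTIONS /Microsoft-Server-ActiveSync - dave 203.0.113.55 200
"""

def activesync_sends(log_text):
    """Return (sends per (user, device), count of ActiveSync POSTs with no readable Cmd)."""
    fields, sends, opaque = [], Counter(), 0
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != EAS_PATH:
            continue                           # OWA and other vdirs are out of scope here
        if row.get("cs-method") != "POST" or not row.get("sc-status", "").startswith("2"):
            continue                           # only successful command requests count
        query = {k.lower(): v[0] for k, v in parse_qs(row.get("cs-uri-query", "")).items()}
        if "cmd" not in query:
            opaque += 1                        # e.g. Base64-encoded query: command not visible
            continue
        if query["cmd"].lower() in SEND_CMDS:
            user = query.get("user", row.get("cs-username", "-"))
            sends[(user, query.get("deviceid", "-"))] += 1
    return sends, opaque

if __name__ == "__main__":
    per_device, undecoded = activesync_sends(SAMPLE_LOG)
    for (user, device), n in per_device.most_common():
        print(f"{user} {device}: {n} message(s) submitted over ActiveSync")
    print(f"{undecoded} ActiveSync request(s) with an unreadable query; counts are a lower bound")
```

Each counted request is a message that entered the mail store without crossing an SMTP hop, so the totals show how much submission traffic the SEG never inspects.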
Many organizations need to control, secure, and protect ActiveSync and OWA communications for many reasons ranging from basic security hygiene to compliance. For example, ActiveSync and OWA email must be scanned for threats as part of ISO 27001 certification.
The following figure shows that remote users send email and attachments directly to the Exchange Server, bypassing traditional email security.
FortiWeb ActiveSync and OWA scanning
In addition to its core web application firewall functionality, FortiWeb can be deployed to publish applications, provide SSO, and manage authentication delegation. Many Fortinet customers use FortiWeb as a replacement for the discontinued Microsoft Threat Management Gateway to publish Microsoft Exchange and other Microsoft applications.
Using this functionality, FortiWeb can be deployed as a proxy for ActiveSync and OWA. This means that any remote mobile user or email client would be directed to FortiWeb. Here FortiWeb would inspect the traffic and intercept any attachments sent from the device or web browser. These attachments are then processed by FortiWeb’s antivirus engine to check for threats. FortiWeb can also be configured to send attachments to Fortinet’s sandboxing solutions for additional scans to detect advanced persistent threats or zero-day attacks.
The following figure shows that FortiWeb is deployed in front of Exchange Server to intercept email traffic from remote devices to scan for threats.
By using FortiWeb to protect your ActiveSync-based applications and users accessing email with OWA, you get:
- Proven protection against threats hidden in ActiveSync and OWA attachments
- Mobile Attachment Scanning for Office 365
- Flexible deployment options including VMs, Cloud, and Appliances
- Easy-to-deploy antivirus for Exchange, IBM Notes, and other ActiveSync-based applications
- Integration with FortiSandbox and FortiSandbox Cloud for protection from advanced persistent threats
- Integrated single platform for publishing Microsoft Exchange Server applications and services