Goal: To implement a mobile device management (MDM) server by AirWatch for authentication and not to allow mobile devices to pass ActiveSync traffic directly from the internet to the published CAS server on 443, while at the same time keeping OWA and Outlook Anywhere on port 443, so we can't block it at the perimeter firewall. What this means is that all the devices should connect to the MDM server, which will proxy the request to the Exchange 2010 ActiveSync.
Result already achieved: All the internet devices connect to the MDM server using port 443, then the MDM server proxies the device's connection to the Exchange ActiveSync server using 443.
Issue: Some of the users know that they can still connect to the CAS server via 443 and access ActiveSync, and hence bypass the MDM server. If we remove the sub-URL from the public DNS or block 443 access to the CAS servers at the firewall, then the users will also not be able to use OWA and Outlook Anywhere.
Question: Do you think creating a new website just for the ActiveSync service on the 2010 CAS, listening on port 444, while keeping the rest of the services on the default website and port 443, and then removing ActiveSync from 443, would work? Our firewall does not do reverse proxy; we know that implementing TMG and publishing only OWA through it would solve this, but that is not an option here.
Thoughts?
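As an added illustration (not part of the original post or any AirWatch/Exchange documentation), here is what the port-444 split described in the question looks like when scripted on the Exchange 2010 CAS: a second IIS site on 444 holding the only ActiveSync virtual directory, the default site's ActiveSync directory removed so 443 serves OWA and Outlook Anywhere only, and an IIS IP restriction so that only the MDM proxy can reach the 444 site even from inside. The server name, site name, path, MDM address and URL are placeholder assumptions.

```powershell
# Added example, not from the original post. Assumptions (placeholders to adjust):
#   CAS server name      : CAS01
#   new site name / path : ActiveSync-MDM, C:\inetpub\ActiveSync-MDM
#   MDM proxy source IP  : 192.0.2.10
#   URL the MDM server will use: https://mail.example.com:444/Microsoft-Server-ActiveSync
# Run from the Exchange Management Shell on the CAS server as an administrator.

Import-Module WebAdministration

$server   = "CAS01"
$siteName = "ActiveSync-MDM"
$sitePath = "C:\inetpub\$siteName"
$port     = 444
$mdmIp    = "192.0.2.10"
$easUrl   = "https://mail.example.com:$port/Microsoft-Server-ActiveSync"

# 1. New IIS site with an HTTPS binding on 444 (no host header, so it answers on
#    every address the Default Web Site answers on).
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
New-WebSite -Name $siteName -PhysicalPath $sitePath -Port $port -Ssl | Out-Null

# 2. Reuse the certificate already bound to 443 so the MDM server sees the same
#    trusted name on 444.
$binding443 = Get-Item "IIS:\SslBindings\0.0.0.0!443"
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $binding443.Thumbprint }
New-Item "IIS:\SslBindings\0.0.0.0!$port" -Value $cert | Out-Null

# 3. Create the ActiveSync virtual directory in the new site, then delete the one
#    in the Default Web Site so port 443 no longer serves ActiveSync at all.
New-ActiveSyncVirtualDirectory -Server $server -WebSiteName $siteName `
    -InternalUrl $easUrl -ExternalUrl $easUrl | Out-Null
Remove-ActiveSyncVirtualDirectory `
    -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -Confirm:$false

# 4. Second layer on the CAS itself: only the MDM proxy may talk to the 444 site.
#    Needs the IIS "IP and Domain Restrictions" feature (Add-WindowsFeature Web-IP-Security).
$ipFilter = "system.webServer/security/ipSecurity"
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $ipFilter `
    -Name "allowUnlisted" -Value $false
Add-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $ipFilter `
    -Name "." -Value @{ ipAddress = $mdmIp; allowed = $true }

# 5. Verify: the only ActiveSync directory left is the one on the new site.
Get-ActiveSyncVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl
```

Two things to check alongside this: the perimeter firewall must not forward 444 to the CAS (only the MDM server, from its own address, needs to reach it), and the MDM server's Exchange ActiveSync URL has to be changed to the :444 address. Note also that the ExternalUrl of the ActiveSync virtual directory is what Autodiscover hands to devices, so it decides whether a device that skips the MDM gets a port it cannot reach or a hostname that resolves to the MDM server; pick it deliberately.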