The answer to this question is likely far beyond what someone could post, but I am hopeful that someone can tell me if I am on the right track and point me in the right direction (perhaps a detailed web site or book) that will explain how to set up what I want to do.
I am on the road about half of the year and rely very heavily on e-mail through my laptop. As a lawyer, a lot of my e-mails contain sensitive information and I have become increasingly concerned about sending and receiving e-mails, particularly through unsecured wireless hotspots, but also through dial-up connections in certain countries where the possibility (probability) of government eavesdropping exists (e.g., France, China, and Vietnam).
What I want to achieve is a secure means of uploading and downloading e-mails, and I would also like to have a way to back up/sync my e-mail to another computer.
I use Outlook 2003 on a WinXP Pro platform.
My very ignorant thoughts on the subject are to set up my home computer, which has a UPS, and which is on a Cox cable connection, as a server with Microsoft Small Business Server with a Microsoft Exchange Server. I could then set up a VPN to that server, and upload and download my e-mail through the Exchange Server. That should theoretically achieve my goals.
Now that may sound like I know what I am doing, but I really don't. I am rather computer savvy and am the computer support guy to all my friends, but this is a big step beyond what I have done in the past.
Questions:
Is this feasible? Is there a better solution?
My Cox cable connection likely does not have a static IP address. Does that matter?
I have Microsoft SBS already (but have not installed it). I believe it includes Exchange Server. There would not be more than two or three people using this set-up.
I have never set up a VPN. I think a software solution is part of Win XP Pro (on the laptops) and Microsoft SBS. Is that right?
And the big one: How do I set all this up?
jdn
Jul 3, 05, 4:12 pm
No red flags went up for me about how you technically proposed to implement this. However, after working through all the issues in this post, I've come up with a recommendation different from your proposal. A few comments:
> As a lawyer, a lot of my e-mails contain sensitive information and I have become increasingly concerned about sending and receiving e-mails, particularly through unsecured wireless hotspots, but also through dial-up connections in certain countries where the possibility (probability) of government eavesdropping exists (e.g., France, China, and Vietnam).
Let's just get started on the right track... first of all, e-mails are not private / suitable for sensitive information. Unless you're just sending e-mails to others on your same server or are using message encryption, messages are transmitted over the Internet between servers "in the clear". Granted, this hasn't really stopped anyone from pretending that e-mail is secure enough, but I just thought I should throw out that little disclaimer... e-mail as we commonly enjoy it is not secure.
> What I want to achieve is a secure means of uploading and downloading e-mails, and I would also like to have a way to back up/sync my e-mail to another computer.
You mention setting up Exchange server... if you're going to do that, you would probably be better off using Exchange as your message store... this would mean that all your messages/folders would live on your exchange server and you would access them / cache remote copies from your outlook client. Instead of POPing the messages off the server, if you leave everything in exchange, you can do backups of all your e-mails/accounts there, and be able to access your mailbox from multiple computers without having to worry about syncing issues / what e-mails are on what computers / backing up your .pst file from your laptop.
> I use Outlook 2003 on a WinXP Pro platform.
Now if you listen to Microsoft, you can set this up without doing a VPN. See http://office.microsoft.com/en-us/assistance/HA011402731033.aspx for more. However, this article also mentions a good point -- you can force the outlook client to use SSL / encrypted connections to communicate with the server. For me, using exchange server (not POP/SMTP), where I go into setup account profiles on your client computer, on the screen where you specify the mail server and mailbox name, there is a "More Settings" button which brings up a window with a "security" tab, where you can specify "Encrypt data between microsoft outlook and exchange server".
> My very ignorant thoughts on the subject are to set up my home computer, which has a UPS, and which is on a Cox cable connection, as a server with Microsoft Small Business Server with a Microsoft Exchange Server. I could then set up a VPN to that server, and upload and download my e-mail through the Exchange Server. That should theoretically achieve my goals.
> Now that may sound like I know what I am doing, but I really don't. I am rather computer savvy and am the computer support guy to all my friends, but this is a big step beyond what I have done in the past.
> Questions:
> Is this feasible? Is there a better solution?
> My Cox cable connection likely does not have a static IP address. Does that matter?
> I have Microsoft SBS already (but have not installed it). I believe it includes Exchange Server. There would not be more than two or three people using this set-up.
> I have never set up a VPN. I think a software solution is part of Win XP Pro (on the laptops) and Microsoft SBS. Is that right?
> And the big one: How do I set all this up?
As for your IP address not being static, you can set up a variety of methods for having a dynamic IP address be resolved by a DNS name. http://www.dyndns.com/ is one example, and I think even my linksys router has a built-in feature where it registers itself automatically with this type of service.
However, back to the cable connection in general, many spam filters identify messages sent from clients on cable/dsl internet connections as spam, and if you saw how many messages I get each day that fall under this criteria and are spam, you would agree that it is a very effective metric. Unfortunately, for the rest of us, it means "home" internet service is not really good enough for "professional" needs like e-mail servers, etc. Granted, you probably could rig something up where the exchange server forwards messages to a more reputable smtp host, but I'm not entirely sure myself whether that "erases" the marks of being sent from a cable modem, and it will definitely increase the complexity of your configuration.
Back to your VPN question. From what I remember, setting up RAS with the wizards is fairly easy. Configuring your router/firewall to make sure everything gets passed can be more of a challenge, especially if your router/firewall doesn't support it. If you're lucky, maybe your router/firewall can act as a VPN server itself and you can ignore the whole "powerful" microsoft config options maze.
Another thing worth mentioning, since you specifically mentioned hotspots and Internet snooping by foreign governments, is a service called publicvpn. For $5.95/mo, you can VPN into their server so that you can be "secured" from public wifi, shared media at hotels, unscrupulous corporate hosts, or in your case, prying foreign governments. Granted, nothing is encrypted from their site to the clients you're hitting, but you aren't really seeking total end-to-end encryption, it seems. http://publicvpn.com/
So, with all the pitfalls I've mentioned here, you might want to look at paying for exchange hosting service... these are companies that run exchange servers and resell access to full-featured exchange accounts. You can have 3 people all in your "organization" and you can share calendars, contacts, all that good stuff (with the full-featured hosts). Also, many of them have goodies like Blackberry enterprise server, or are configured to allow encrypted communication, etc, because it makes sense for them to invest the time/money/configuration complexity since they can spread it out across all their customers. You can google Microsoft Exchange hosting, or you can look at this list http://www.msexchange.org/services/Exchange-Hosting/ ... remember, also look for things like spam filters, outlook web access, backups, etc. This can be as low as $5/mo, though expect to pay $10-20, or more, depending on how much space you want.
So, after mushing all this around in my head a bit, I think that if I were in your position, I would sign up for a hosted exchange account (especially if I could write it off as a business expense) and depending on how you felt, the publicvpn service, too (which is nifty if you're often finding yourself on shared networks like wifi or hubs etc and you don't trust your neighbors). I think the $15/mo you'd be spending /user would be more valuable spent this way than the time it would take for you to configure, maintain (and backup), and troubleshoot your own server. I think this even though you are already licensed for SBS, and if you weren't, then definitely this would be more cost effective.
jdn
Jul 3, 05, 4:22 pm
P.S.: Two DIY vpn links with Microsoft:
http://www.microsoft.com/technet/prodtechnol/sbs/2000/reskit/sbrk0013.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;305550&sd=tech
willyroo
Jul 3, 05, 5:41 pm
Another thought if you use a hosted MS Exchange. You can use MS Outlook webmail (eg http://webmail.yourdomain.com), which can be configured (AFAIK) for 128 bit SSL. An elegant, and probably easy to implement, first step.
Always Flyin
Jul 3, 05, 6:15 pm
> No red flags went up for me about how you technically proposed to implement this. However, after working through all the issues in this post, I've come up with a recommendation different from your proposal. A few comments:
> Let's just get started on the right track... first of all, e-mails are not private / suitable for sensitive information. Unless you're just sending e-mails to others on your same server or are using message encryption, messages are transmitted over the Internet between servers "in the clear". Granted, this hasn't really stopped anyone from pretending that e-mail is secure enough, but I just thought I should throw out that little disclaimer... e-mail as we commonly enjoy it is not secure.
Understood, and I agree. I'm not dealing with government classified data, but sensitive business information and privileged communications with clients. It is not the type of data that would be catastrophic if compromised, but is the type of data that I should take reasonable measures to safeguard.
Frankly, it's usually the clients sending me more sensitive stuff than I am sending them.
> You mention setting up Exchange server... if you're going to do that, you would probably be better off using Exchange as your message store... this would mean that all your messages/folders would live on your exchange server and you would access them / cache remote copies from your outlook client. Instead of POPing the messages off the server, if you leave everything in exchange, you can do backups of all your e-mails/accounts there, and be able to access your mailbox from multiple computers without having to worry about syncing issues / what e-mails are on what computers / backing up your .pst file from your laptop.
That was exactly the idea I had.
> Now if you listen to Microsoft, you can set this up without doing a VPN. See http://office.microsoft.com/en-us/assistance/HA011402731033.aspx for more. However, this article also mentions a good point -- you can force the outlook client to use SSL / encrypted connections to communicate with the server. For me, using exchange server (not POP/SMTP), where I go into setup account profiles on your client computer, on the screen where you specify the mail server and mailbox name, there is a "More Settings" button which brings up a window with a "security" tab, where you can specify "Encrypt data between microsoft outlook and exchange server".
The problem I have now is that a lot of hotspots, commercial and private, have not opened the ports for SSL connections. The United lounges in Tokyo don't even allow IMAP access. I was trying to avoid those kinds of restrictions.
> As for your IP address not being static, you can set up a variety of methods for having a dynamic IP address be resolved by a DNS name. http://www.dyndns.com/ is one example, and I think even my linksys router has a built-in feature where it registers itself automatically with this type of service.
> However, back to the cable connection in general, many spam filters identify messages sent from clients on cable/dsl internet connections as spam, and if you saw how many messages I get each day that fall under this criteria and are spam, you would agree that it is a very effective metric. Unfortunately, for the rest of us, it means "home" internet service is not really good enough for "professional" needs like e-mail servers, etc. Granted, you probably could rig something up where the exchange server forwards messages to a more reputable smtp host, but I'm not entirely sure myself whether that "erases" the marks of being sent from a cable modem, and it will definitely increase the complexity of your configuration.
Hmm. Yeah, I remember reading something about that in the past.
I use Fastmail (www.fastmail.fm) as my e-mail provider. I do have a couple of registered domain names that I can use as well.
My thought was to communicate with the server through the VPN, and then have the server send/receive the e-mails through an SSL connection with Fastmail, which has been a very good service, by the way.
> Back to your VPN question. From what I remember, setting up RAS with the wizards is fairly easy. Configuring your router/firewall to make sure everything gets passed can be more of a challenge, especially if your router/firewall doesn't support it. If you're lucky, maybe your router/firewall can act as a VPN server itself and you can ignore the whole "powerful" microsoft config options maze.
It's a combination cable modem/Wireless G router sold by Motorola. Works well, but not all that sophisticated. It is easy to open ports on it, however.
> Another thing worth mentioning, since you specifically mentioned hotspots and Internet snooping by foreign governments, is a service called publicvpn. For $5.95/mo, you can VPN into their server so that you can be "secured" from public wifi, shared media at hotels, unscrupulous corporate hosts, or in your case, prying foreign governments. Granted, nothing is encrypted from their site to the clients you're hitting, but you aren't really seeking total end-to-end encryption, it seems. http://publicvpn.com/
True, but I was kinda looking forward (in a sick way) to setting something like this up rather than using a third party service. Sort of a challenge.
> So, with all the pitfalls I've mentioned here, you might want to look at paying for exchange hosting service... these are companies that run exchange servers and resell access to full-featured exchange accounts. You can have 3 people all in your "organization" and you can share calendars, contacts, all that good stuff (with the full-featured hosts). Also, many of them have goodies like Blackberry enterprise server, or are configured to allow encrypted communication, etc, because it makes sense for them to invest the time/money/configuration complexity since they can spread it out across all their customers. You can google Microsoft Exchange hosting, or you can look at this list http://www.msexchange.org/services/Exchange-Hosting/ ... remember, also look for things like spam filters, outlook web access, backups, etc. This can be as low as $5/mo, though expect to pay $10-20, or more, depending on how much space you want.
> So, after mushing all this around in my head a bit, I think that if I were in your position, I would sign up for a hosted exchange account (especially if I could write it off as a business expense) and depending on how you felt, the publicvpn service, too (which is nifty if you're often finding yourself on shared networks like wifi or hubs etc and you don't trust your neighbors). I think the $15/mo you'd be spending /user would be more valuable spent this way than the time it would take for you to configure, maintain (and backup), and troubleshoot your own server. I think this even though you are already licensed for SBS, and if you weren't, then definitely this would be more cost effective.
I sincerely appreciate the thoughts. I obviously have some more reading to do and some decisions to make.
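A way to find out, from whatever hotspot you happen to be on, which of the encrypted paths discussed in this thread (Outlook Web Access over HTTPS, IMAP/SMTP over SSL, a PPTP VPN) the network actually lets through before you depend on one. This is an added Python example, not code from any poster; the hostnames are placeholders to replace with your own servers.

```python
import socket
import ssl

# Constructed placeholder endpoints (not values from the thread); replace them
# with your own server names. Each entry: (host, port, expect_tls).
ENDPOINTS = {
    "Outlook Web Access over HTTPS": ("owa.example.invalid", 443, True),
    "IMAP over SSL (e.g. Fastmail)": ("imap.example.invalid", 993, True),
    "SMTP submission over SSL":      ("smtp.example.invalid", 465, True),
    "PPTP VPN control channel":      ("vpn.example.invalid", 1723, False),
}


def check_endpoint(host, port, expect_tls, timeout=5.0):
    """Probe one endpoint from the current network.

    Returns 'open' (plain TCP connect succeeded), 'tls-ok' (connect plus a
    certificate-verified TLS handshake), 'tls-failed' (TCP worked but the
    handshake did not, e.g. a captive portal or an interception proxy),
    'refused', 'dns-error', or 'unreachable' (timeout or reset, which is
    what a filtering hotspot usually looks like).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if not expect_tls:
                return "open"
            ctx = ssl.create_default_context()  # verifies the server certificate
            try:
                with ctx.wrap_socket(sock, server_hostname=host):
                    return "tls-ok"
            except ssl.SSLError:
                return "tls-failed"
    except socket.gaierror:
        return "dns-error"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # socket.timeout and connection resets are OSErrors
        return "unreachable"


def usable_paths(results):
    """From {name: status}, return the names you can rely on for mail."""
    return sorted(n for n, s in results.items() if s in ("open", "tls-ok"))


def probe_all(endpoints=ENDPOINTS):
    return {n: check_endpoint(h, p, tls) for n, (h, p, tls) in endpoints.items()}


if __name__ == "__main__":
    res = probe_all()
    for name, status in res.items():
        print(f"{name:32s} {status}")
    print("usable from this network:", usable_paths(res))
```

For the TLS ports the result also confirms the certificate verified, so a hotspot that silently redirects or intercepts port 443 shows up as 'tls-failed' rather than as a working path; PPTP additionally needs GRE (IP protocol 47), which a TCP connect cannot test, so 'open' on 1723 is necessary but not sufficient.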
Always Flyin
Jul 3, 05, 6:23 pm
> Another thought if you use a hosted MS Exchange. You can use MS Outlook webmail (eg http://webmail.yourdomain.com), which can be configured (AFAIK) for 128 bit SSL. An elegant, and probably easy to implement, first step.
Webmail hasn't been an option for me in the past. When on the road, I don't work in real time on the internet. I download my e-mails into Outlook, work on them, and then upload the replies later.
But it would be nice to know that I can access the Exchange mail boxes from the web if the need arises.
jtkauai
Jul 3, 05, 6:49 pm
Thanks for both the provocative original post and the excellent responses. We use outlook, have 3 computers, and travel. To date we use logmein to access our own outlook when on one of the other 2 home computers. We backup outlook to the laptop when travelling. If we don't take laptop or can't plug it in (like in foreign countries where our isp has no numbers), we use our host's webmail, and since we've configured that to leave mail on the host server, that mail gets sent to outlook when next we use it.
This isn't a great solution. I like the idea of the hosted exchange server, and am going to next log in to my hosting company and see if they have it.
Thanks again!
colby
Jul 3, 05, 7:12 pm
I see three potential problems:
1) I'm not familiar with Cox cable modems, and how often they change your IP, but if your IP changes then you have to update your MX record, or any associated record to reflect the change in IP address.
2) What happens if you are in a hot spot that filters out PPTP traffic? I would suggest going with Outlook Web Access as a backup since it comes w/Exchange (each version has increased improvements).
3) If you are on the road as much as you say, you may want to look into a hosting service, you don't want to be fixing an exchange server from afar and have critical email not get through.
-Colby
Always Flyin
Jul 3, 05, 9:15 pm
> I see three potential problems:
> 1) I'm not familiar with Cox cable modems, and how often they change your IP, but if your IP changes then you have to update your MX record, or any associated record to reflect the change in IP address.
I haven't looked at this in depth, but I believe that there is a method whereby the changing IP address is constantly updated so the VPN can see the MAC address of the server. I think this is what jdn was referring to in his very helpful initial response to my ideas.
> 2) What happens if you are in a hot spot that filters out PPTP traffic? I would suggest going with Outlook Web Access as a backup since it comes w/Exchange (each version has increased improvements).
I would implement Web Access since there are times when I quickly want to check e-mail at an internet cafe. I just hope I don't have to use it often!
> 3) If you are on the road as much as you say, you may want to look into a hosting service, you don't want to be fixing an exchange server from afar and have critical email not get through.
> -Colby
True! Just not as fun for me (I actually like the satisfaction of setting something like this up since most people can't do it).
My thought has been that if the server goes down and I can't fix it remotely, I can switch to using Outlook as I am now with IMAP access to Fastmail.