iPhone Exchange push email over Cisco VPN – IPSec or Anyconnect ?


Background: Why configure push email when you can set a very low fetch frequency?

Fetching email frequently helps achieve the effect of being notified of new mail sooner. The problem is that on a mobile device, the more often you poll for new mail, the faster the battery drains. Push notification is the way to go: you are notified immediately when mail arrives, it consumes less bandwidth, and it drains the battery less. ActiveSync achieves this with a “long poll”. When the email client on your iPhone makes an HTTP request (a small ping packet), instead of responding right away the server stalls the client for as long as possible. If there is no new email, this stall can last up to 900 seconds before the server closes the connection and the client opens a new one. This reduces the frequent transfers that polling would otherwise need when there is no new mail; if new mail does arrive, the server responds right away, allowing the push to occur.
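To make the trade-off concrete, here is a small discrete-time model (added for this post, not code from the original article or from Microsoft, Apple or Cisco) comparing the long-poll behaviour described above with fixed-interval fetching. The 900-second hold follows the post; the mail arrival times and the 300-second fetch interval are constructed, and the model counts only the held ping round trips, not the separate sync that downloads the message.

```python
"""Long-poll (ActiveSync-style push) versus periodic fetch.

Constructed model for illustration; the 900 s maximum hold comes from the
post, everything else is an assumption. Time is in seconds.
"""
from dataclasses import dataclass, field


@dataclass
class Outcome:
    requests: int                      # HTTP round trips the phone made
    latencies: list = field(default_factory=list)  # arrival -> notification delay


def long_poll(arrivals, horizon, heartbeat=900):
    """Client sends a ping; the server holds it for up to `heartbeat` seconds
    and answers immediately if mail lands meanwhile, otherwise with
    'no changes' at the deadline. The client then opens a fresh request."""
    pending = sorted(arrivals)
    t, out = 0, Outcome(0)
    while t < horizon:
        out.requests += 1
        deadline = min(t + heartbeat, horizon)
        # mail arriving while the request is held is reported at once
        hit = next((a for a in pending if t <= a < deadline), None)
        if hit is None:
            t = deadline                # idle hold expired, reconnect
        else:
            out.latencies.append(0)     # server replies as soon as mail lands
            pending.remove(hit)
            t = hit                     # next request starts right away
    return out


def periodic_fetch(arrivals, horizon, interval=300):
    """Client polls every `interval` seconds whether or not mail is waiting;
    a message is only seen at the next poll after it arrived."""
    pending = sorted(arrivals)
    out, t = Outcome(0), interval
    while t <= horizon:
        out.requests += 1
        while pending and pending[0] <= t:
            out.latencies.append(t - pending.pop(0))
        t += interval
    return out


if __name__ == "__main__":
    mail = [1000, 2500]                 # constructed: two messages in one hour
    print("push :", long_poll(mail, 3600))
    print("fetch:", periodic_fetch(mail, 3600))
```

Over an hour with two messages, the long poll costs six round trips and reports both messages with zero delay, while a 300-second fetch costs twelve round trips and still reports each message up to 200 seconds late; stretching the fetch interval to 900 seconds matches the idle-hour request count of the long poll but pushes the worst-case delay to a full 15 minutes.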

Can ActiveSync push email to your iPhone over a Cisco VPN?

Here’s the catch: in order for ActiveSync to work, you must first expose your OWA to the internet. ActiveSync connects via HTTP to your Exchange OWA in order to fetch email. If you are connecting over a Cisco VPN (IPSec or AnyConnect), pushed notifications will NOT work (polled email will). Cisco blames Apple for their bad implementation of ActiveSync.

“Push email notifications do not work via VPN because of Apple iOS constraints. However, one can use AnyConnect in parallel with externally accessible ActiveSync connections, which the tunnel policy can exclude from the session.”

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac09_admin_mobile.html

The last sentence there basically means that other applications that support push will work under the Cisco VPN, just not email, so please use our VPN concurrently with ActiveSync and OWA exposed to the internet. I’m inclined to think Apple engineers need some spanking here.

Solution: Why send and receive email over VPN anyway?

Why send email over VPN anyway? If you are looking for security and encryption, OWA supports SSL certificates. It is no safer to connect over VPN. Besides, Cisco AnyConnect VPN uses SSL for encryption anyway. Some might argue that exposing an email server to the internet is a big no-no. There are many methods for securing your Exchange server, such as segregating your CAS (OWA server) and placing it in a DMZ. Install an IPS if you like. All internet banking sites use SSL to secure their web transactions; surely your OWA and iPhone email can be protected using SSL.

How does Blackberry do it? Surely they are secure?

If routing your email through Blackberry’s servers via an encrypted tunnel back to your BES server feels much safer to you, Blackberry just launched their new Blackberry 10 (BES 10 Server), which supports the latest iPhones and Android devices! I don’t really understand why you’d have to pay them just to receive email. Not to mention the crippling worldwide outages they had not long ago.

If you are interested in their other security features, ActiveSync offers most of the key ones anyway: remote wipe, enforced password lock, auto-locking, etc. The BES server does, however, offer a single unified interface for managing all these devices. If someone from Apple is reading this, I hope they spend more resources on enterprise integration; there are still quite a few important challenges IT departments need to overcome in order to deploy these iPhones.

About the Author

Alfred Tong
Author and owner of this blog. A networking enthusiast and full-time networking and systems engineer. Generally curious about all things IT. Certifications: GIAC GSEC, CCNP-S, CCNP, CCSP, CCDP, CCNA, RHCE, JNCIA - FWV