Exchange admins, is it time to retire your VPN?

VPNs have proven a solid way to safely access Exchange mailboxes remotely, but are they still necessary? That depends on your company's needs.

Back in 2003, VPNs were all the rage. For the first time, it was possible for remote users to connect to their corporate networks via the Internet. Almost overnight, VPNs became the new must-have item for IT departments.

Virtual private networks (VPNs) have now been in existence for more than a decade. As with any other aging technology, though, it's fair to wonder whether VPNs will eventually go the way of the dinosaurs. In 2003, VPNs and direct-dial were the primary solutions for remotely accessing a corporate network. Today, a number of technologies exist that may allow you to ditch your VPN -- depending on your business's needs, of course.

Microsoft's DirectAccess, for example, has received a lot of attention recently. DirectAccess was first introduced in Windows 7 as a way to let remote users access resources on a corporate network without a VPN connection. The moment a user connects to the Internet, a DirectAccess session is established. The user doesn't have to do anything to initiate the connection.

DirectAccess is an appealing idea for obvious reasons, but implementing it is challenging to say the least; never mind the fact that it requires IPv6. Microsoft, however, improved DirectAccess in Windows 8, and the new version is much easier to configure. It also provides all the same benefits as the Windows 7 version.

DirectAccess is an interesting alternative to traditional VPN connections because users don't have to establish connectivity manually. However, there are drawbacks. DirectAccess is a proprietary technology; therefore, users can't establish a DirectAccess session using non-Windows mobile devices. Similarly, older versions of Windows desktop operating systems do not work with DirectAccess.

Security is another deterrent when using DirectAccess. The Windows 7 version of DirectAccess is difficult to secure, but the Windows 8 version has improved in that regard. Even so, DirectAccess lets users remotely access the same network resources that they can access from a corporate desktop.

That said, it might not always be in an organization's best interest to give remote users access to the entire network. Many companies have resources that are so sensitive, they should never be accessed from beyond the network perimeter. In these organizations, remote users are often given access to email, but not to network shares or applications.

That brings up an interesting point. If you have users that only need to access Exchange mailboxes and not other resources, then allowing them access to a VPN is overkill, right? Exchange Server offers several different mechanisms that make it possible to provide remote users access to their Exchange mail without exposing other network resources in the process.

  • Outlook Anywhere -- Outlook Anywhere lets users connect Outlook to a remote Exchange Server over the Internet without a VPN connection. This approach works extremely well. In fact, it's the technology that Microsoft uses to connect Outlook users with Office 365 mailboxes.
  • Outlook Web App -- OWA has been around for almost as long as Exchange and lets users access their mailboxes through a Web portal.

In the past, OWA has drawn criticism because it lacked much of the functionality found in full versions of Outlook and didn't work very well with certain browsers. OWA in Exchange Server 2013 has been rewritten and is based on HTML5. This means that it can work with the latest versions of Safari, Firefox and, of course, Internet Explorer. More important, OWA 2013 is quite close to full parity with the Microsoft Outlook desktop client.

  • Exchange ActiveSync -- Exchange ActiveSync is another technology that allows users to access messaging data. Traditionally, ActiveSync has been used to synchronize mobile devices like iPhones, Androids or Windows Phones with Exchange mailboxes.

Although ActiveSync is still considered to be a mobile messaging protocol, Microsoft includes native support for ActiveSync in Windows 8. This is the first time a Windows desktop operating system has supported ActiveSync, which means that Windows 8 users can access their Exchange mailboxes natively through the operating system, without Outlook. Additionally, configuring ActiveSync connectivity is quite simple.
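
One way to enforce the mail-only exposure described above at a perimeter reverse proxy, as an added example that is not from the original article: a default-deny path allowlist for the three services, run over constructed request URLs. The path prefixes are assumed Exchange defaults and the non-mail paths are hypothetical; a real deployment may need further prefixes.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed default virtual-directory prefixes for the three services the
# article names; confirm them against your own Exchange deployment.
PUBLISHED = {
    "/rpc": "Outlook Anywhere",
    "/owa": "Outlook Web App",
    "/microsoft-server-activesync": "Exchange ActiveSync",
}

def classify(url):
    """Return the published service a request URL maps to, or None to deny."""
    raw = unquote(urlsplit(url).path)
    if "%" in raw or "\\" in raw or "\x00" in raw:
        return None  # still encoded after one decode, backslash or NUL: deny
    # Collapse "." and ".." segments, then match case-insensitively.
    path = posixpath.normpath("/" + raw.lstrip("/")).lower()
    for prefix, service in PUBLISHED.items():
        if path == prefix or path.startswith(prefix + "/"):
            return service
    return None

def review(urls):
    """Split request URLs into {service: [urls]} and a list of denied URLs."""
    allowed, denied = {}, []
    for url in urls:
        service = classify(url)
        if service is None:
            denied.append(url)
        else:
            allowed.setdefault(service, []).append(url)
    return allowed, denied

# Constructed sample requests; the non-mail paths are hypothetical.
SAMPLE = [
    "/owa/auth/logon.aspx",
    "/Microsoft-Server-ActiveSync?Cmd=Sync",
    "/rpc/rpcproxy.dll",
    "/shares/finance/",
    "/owa/../intranet/app",
    "/owa/%2e%2e/intranet/app",
    "/owax/page",
]

if __name__ == "__main__":
    allowed, denied = review(SAMPLE)
    for service, urls in allowed.items():
        print("ALLOW", service, urls)
    print("DENY ", denied)
```

Matching happens only after decoding and dot-segment normalization, so a request that merely starts with a published prefix but resolves elsewhere is denied along with everything not on the list.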

Final thoughts

It's still a bit early to proclaim the VPN dead. There are still various situations where using a VPN is the best option, for example when you need to provide remote access to various network resources and need those resources to be accessible to a variety of client types. However, if your goal is simply to provide access to Exchange mailbox data, there are easier ways of doing so than via a VPN.

About the author:
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.