Have you received a PowerPoint this week making (false) claims about Direct Push?

This week it seems some of our competitors have been busy on email, sending a PowerPoint round to customers and mobile operators scaremongering about the architecture of Direct Push and claiming that implementing it is 'opening thousands of firewall ports and connections'.

So let's be really clear here:

1) Exchange 2003 Mobile Messaging requires you to open 1 port - port 443 for SSL.  (So 1 port is considerably less than thousands.)

2) The secondary concern is around potential for Denial of Service Attacks (DoS).  A DoS attack could be mounted against IIS by opening a larger number of TCP connections but never actually issuing an HTTP request.  IIS mitigates this threat by requiring that a client submit a fully-formed HTTP request within a certain time before dropping the connection.
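The mitigation described in point 2, as an added example (not code from the original post and not IIS's implementation): a small Python asyncio listener that drops any connection that has not delivered a complete HTTP request header within a deadline. The 0.5-second deadline, the function names and the three loopback test clients are assumptions constructed for the demo.

```python
import asyncio

HEADER_DEADLINE = 0.5    # seconds; assumed demo value, not an IIS default
MAX_HEADER_BYTES = 8192  # cap on header size so a slow sender cannot grow the buffer

async def handle(reader, writer, stats):
    """Serve one connection; drop it if no full request header arrives in time."""
    try:
        # A complete HTTP request header ends with an empty line (CRLF CRLF).
        await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), HEADER_DEADLINE)
        writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                     b"Connection: close\r\n\r\nok")
        await writer.drain()
        stats["served"] += 1
    except (asyncio.TimeoutError, asyncio.IncompleteReadError,
            asyncio.LimitOverrunError):
        # Silent, half-sent or oversized header: free the socket, send nothing.
        stats["dropped"] += 1
    finally:
        writer.close()

async def client(port, payload):
    """Constructed test client: send payload (possibly nothing), read until EOF."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    if payload:
        writer.write(payload)
        await writer.drain()
    data = await reader.read()  # returns once the server closes the connection
    writer.close()
    return data

async def demo():
    stats = {"served": 0, "dropped": 0}
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, stats), "127.0.0.1", 0, limit=MAX_HEADER_BYTES)
    port = server.sockets[0].getsockname()[1]
    results = await asyncio.gather(
        client(port, b"GET / HTTP/1.1\r\nHost: test\r\n\r\n"),  # full request
        client(port, b""),                                      # connects, sends nothing
        client(port, b"GET / HTTP/1.1\r\nHost: te"),            # header never completed
    )
    server.close()
    await server.wait_closed()
    return stats, results

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

Only the first client gets a response; the other two connections are closed by the listener once the deadline passes, so idle sockets cannot accumulate indefinitely.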

Sami Khoury over on the Exchange team blog posted a great article in August on this very topic which is definitely worth a read:


The other claim our 'competitors' are making is that you have to implement ISA Server, SMS and a whole bunch of other technology to make our solution work....

Again - this is incorrect.  When we (Microsoft) talk about our Mobile Messaging solution we often 'recommend' ISA Server, but it is not 'required'.  The solution will work with any reverse proxy/firewall.  The reason why we recommend ISA Server is because it has:

  • The ability to pre-authenticate all SSL traffic before it reaches your Exchange Front End Server.
  • The option to inspect Exchange ActiveSync traffic passing through it and validate that it is genuine.

The second point is critically important, as many other solutions in the market do not allow you to inspect traffic, so there is no way to protect against Trojan attacks.

Whilst I'm all up for competition, I do get frustrated with some organisations making completely unsubstantiated attacks on our products.

Comments (3)
  1. Bob says:

    The ISA bit could be clarified if the Microsoft documentation for configuring Exchange for direct push was not so ISA centric.  Reading through that documentation, all I wanted to see was a quick blurb on firewall requirements — ports to open, protocols used, etc.  We just enabled forwarding of ports 80 and 443 on our firewall and hoped it worked.

  2. How Big Is "Larger"? Have you received a powerpoint this week making (false) claims about direct

  3. Fixer says:

    We use the reverse proxy/firewall solution at work for ActiveSync over HTTPS and it works perfectly. Personally I’d prefer the ISA route but never mind.
