E-mail near and far

A look at three vendors' capabilities for accessing e-mail remotely.

Managing an agency's e-mail system is challenging. But when you've got remote workers and people in the field who need to access their office e-mail accounts, the management and security challenges multiply. The three most popular e-mail products — IBM Lotus Notes, Microsoft Exchange and Novell GroupWise — offer built-in options for remote access via several avenues.

First, all the products enable access through Web browsers. And although Web access offers much of the functionality of standard desktop clients, Web clients tend to lack desktop clients' snappy response time. Second, each system supports the implementation of remote access for wireless devices, though the necessary tools will have to be installed and configured separately.

Third, you can use the desktop client version of all three products for remote access if your organization's security policies permit it. That option requires a computer security group willing to open one or more ports on its firewall. An alternative you may want to consider is implementing another remote access solution that is not limited to e-mail, such as Citrix Systems' MetaFrame.

One common method of remotely accessing e-mail and other applications has been the virtual private network (VPN). Traditional VPN methods have recently fallen into disfavor with many computer security managers because of their vulnerability to worm attacks. When a remote computer connects using a fully trusted VPN connection, it appears to be locally connected to the network. If a remote VPN connection is established with a computer infected with the Blaster virus, for example, it could in turn infect other computers on the network that have not been appropriately patched.

Finally, users can potentially access any e-mail system open to Web access via a mobile device such as a personal digital assistant (PDA) or a wireless phone. The two primary problems they will encounter using those devices are reduced functionality caused by the small display and difficulty in composing replies (see sidebar, "Fitting big words into small places").

Web access integration

All three of the popular e-mail systems provide a Web experience that nearly replicates what you get with the full desktop client. So what don't you get? The answer comes down to integration.

The Lotus Notes environment is probably the best integrated of the three. The IBM Lotus Domino Web Access client offers much of the functionality of its desktop cousin. The missing pieces consist mainly of advanced editing tools and integration with other desktop applications. Additionally, the Notes desktop client offers a greater level of personal customization of views and window arrangements than the Web client does. Finally, Web users will miss out on some of the inherent security and replication features built into Notes. Most notably, users will not be under the umbrella of Notes' encryption and rights management tools.

Microsoft's Outlook Web Access, a component of Exchange Server 2003, works best with Internet Explorer, though it will work with other browsers such as Mozilla Firefox. The user interface looks almost identical to the standard version of Outlook and delivers much of the same functionality. However, the Web client's level of integration with other applications is not as strong as with the desktop Outlook client. Although most of Microsoft's productivity tools such as Word, Excel and PowerPoint have a "send to" option on the file menu that works with Outlook, that functionality will be not be available when you're using a Web mail application.

On the plus side, the latest version of Outlook Web Access has better capabilities for managing mail folders. Previous versions wouldn't allow you to access folders when working remotely. GroupWise and Lotus Notes have offered such features for some time.

Unfortunately, most Defense Department workers can't take advantage of the latest version of the Outlook Web Access client because of Defense Message System requirements. Exchange 5.5 is the most recent version that meets the system's security requirements, though efforts are under way to get Exchange 2003 approved.

Novell's GroupWise also delivers essentially the same functionality in its Web client as it does in its desktop client. On the native client side, GroupWise offers versions for Microsoft Windows, Mac OS X and various types of Linux, and it supports other browsers better than Exchange does. As with Exchange, all you need for remote access from GroupWise's native client is an Internet connection and the proper port open on the firewall. By comparison, Lotus Notes requires at least three open ports.

Securing the enterprise

All three products use encrypted authentication to protect the user name/password combination and HTTPS to connect to the server. It is important to educate users working in insecure environments about closing the browser after e-mail sessions to help prevent unauthorized access to a cached page using the browser's back button.

Viruses and server attacks are the primary security risks organizations encounter when users access e-mail remotely. Regarding server attacks, the issue boils down to controlling ports. Microsoft's latest versions of Outlook and Exchange communicate via the standard HTTP Port 80. This requires you to configure Remote Procedure Call (RPC) over HTTP on the server and client. This makes the firewall administrator's job much easier because another port doesn't have to be opened for remote e-mail access.

GroupWise requires a single port for access and defaults to Internet Port 1677. Users sign in through a log-in screen to Novell's eDirectory. Once authenticated, you can access all the GroupWise functions without the need for a VPN connection.

The IBM Lotus Notes client uses multiple ports to connect to the server and typically requires a VPN connection to work properly. You could configure a message-forwarding or middleware server in the network's demilitarized zone, but it's probably more trouble than it's worth.

The risk of viruses is perpetual, although remote access to e-mail does not significantly increase it. In fact, most organizations have adopted an e-mail attachment filter to catch the bulk of e-mail viruses before they get to a user's inbox. Likewise, all outgoing mail and mail from in-house clients is processed through the in-house servers.

Nothing can replace good user education. Remote and in-house users must be warned not to open an e-mail attachment if they don't know and trust the sender. And virus protection for the client machine is also mandatory, although it can be more difficult to ensure for those working remotely. Viruses have more recently made their way to wireless devices and could also present a threat in the reverse direction.

Wireless access

Novell's GroupWise product has provided support since Version 5.5 for accessing your address book, calendar, inbox and tasks from any device with a Handheld Device Markup Language microbrowser. The product has recently added full support for Research in Motion BlackBerry devices, including two-way synchronization with the complete GroupWise environment. Future support includes Wireless Markup Language for worldwide access, simple HTML for Windows CE and Pocket PC devices, and compact HTML for iMode devices in Japan. A list of supported phones, which are somewhat limited, can be found on Novell's Web site (www.novell.com/products/wireless/supported_phones.html).

Microsoft Exchange Server 2003 offers support for Windows Mobile-based devices, browser-equipped mobile phones and Exchange ActiveSync-enabled devices. Exchange ActiveSync provides the same syncing functionality that you normally get when you dock your PDA in its cradle. There's also a phone-enhanced version of Outlook Web Access that does a good job of presenting information in the limited amount of screen space found on most mobile devices.

Lotus Notes users have the Lotus Domino Everyplace software for wireless access to their information. Everyplace makes all Personal Information Manager data accessible to supported mobile or wireless devices. Support for Notes applications makes it possible to extend the classic Notes desktop client to virtually any mobile device. You'll need a mobile device capable of supporting Wireless Acess Protocol 1.1 or higher. Connectivity through specific wireless vendors is supported through the use of gateway addresses and can be configured by systems administrators.

Administration and configuration

From an administrator's perspective, the biggest challenge in implementing remote access to e-mail is in the initial setup and configuration. For many government agencies, overcoming the political challenges of working with different organizations responsible for server applications and computer security is often more difficult than dealing with the technical issues.

An ever-changing regulatory environment adds a new dimension to the overall administration burden. Fortunately, all three products integrate remote access into the core functionality of the systems — messages generated from a mobile device travel the same path through the system as one from a desktop workstation would. So if you're implementing solutions in support of the Health Insurance Portability and Accountability or Sarbanes-Oxley acts, they should cover mobile users as well.

Setting up Web access for all three products requires integration with a Web server. If you use Microsoft Exchange, you must use the company's Internet Information Services. In the case of Novell's GroupWise, you are not restricted to one type of server, but you must install the GroupWise WebAccess Application, WebPublisher Application and WebAccess Agent.

Likewise, Lotus Notes integrates with the Domino server and requires Domino Everyplace for wireless support, but administrators have a choice of Web servers to use.

Both Microsoft and Novell offer an integrated security model that will link a user's e-mail and system information using either Active Directory or eDirectory. Administration takes place from a single application, including remote access authorization. With Exchange, all administration takes place using the Microsoft Management Console. Novell's ConsoleOne application facilitates all GroupWise administration and user configuration.

For user authentication, Lotus Notes will integrate with a Lightweight Directory Access Protocol server, including Microsoft's Active Directory. On a Windows server, that means you can use the same Microsoft Management Console to administer users and groups in Windows and IBM Lotus Notes. In a Unix/Linux environment, you'll have to configure users in two applications.

Once you have things set up, users will be able to take advantage of single sign-on for extra convenience.

Firewall configuration may present a major challenge for Exchange administrators. If you're in a Microsoft environment with the company's Internet Security and Acceleration (ISA) Server, for example you'll need to perform a number of additional configuration steps to get the RPC-over-HTTP feature to work.

This includes establishing secure Exchange RPC Server publishing rules on the ISA Server and creating a split Domain Name System environment. This step exists only for people using both Microsoft Exchange and ISA Server, though other firewall products will have similar problems.

Administrators of Notes and GroupWise avoid this challenge. GroupWise needs a single port open, while Notes requires a VPN connection, a challenge of a different sort.

The bottom line

It is unlikely that an organization would change its e-mail system based on remote access capabilities. More often, you make do with what you've got.

If you're setting up a new system, however, remote access is becoming an increasingly important factor in the selection process.

Microsoft's Exchange Server 2003 offers a wide variety of features and options that cater to organizations that use mostly Microsoft products. Novell and IBM support a wider range of client/server platforms with comparable features.

IBM Lotus Everyplace supports the most mobile devices. Exchange Server 2003 offers more out-of-the-box wireless capabilities than Lotus and GroupWise without needing to add products, and it integrates better with the Windows platform.

Coming up with the solution that works best for your agency or department requires a careful analysis of user needs and the existing infrastructure.

You might also want to consider third-party solutions that integrate with these e-mail systems. For example, a number of vendors offer voice-recognition products that allow users to access in-house e-mail messages via a standard telephone.

Such solutions, however, involve the purchase of hardware and software, and potentially add security risks.

Ferrill, based in Lancaster, Calif., has been writing about computers and software for more than 18 years. He can be reached at Paul.Ferrill@verizon.net.

Fitting big words into small places

Wireless phones and other handheld devices are making it possible for users to access their e-mail accounts on the road without lugging around a laptop computer or finding an Internet kiosk. However, there's a big difference between making it possible and making it easy.

Vendors have not yet found a standard way to deliver e-mail to handheld devices. Some support connections to any Post Office Protocol (POP) 3 and Simple Mail Transfer Protocol (SMTP) e-mail server, for example. But others only support connections to services compatible with Wireless Application Protocol. Regardless of connectivity, we encountered a variety of other limitations imposed by the diminutive size of the devices.

Using a Samsung i600 SmartPhone, for example, we were able to connect to any POP3 server for downloading e-mail. By default, the device downloads only headers, and you must mark any messages for download and then reconnect. We found reading messages, even on the tiny screen of the i600, to be relatively easy. A bigger problem was trying to write e-mails using the phone's keypad. Fortunately, portable keyboards are available that allow touch typing.

We immediately noticed that spam was a more difficult problem. The mail client has no spam filter, so if your mail server isn't filtering spam, you're going to be deluged with irrelevant mail. That bogs down an already slow e-mail connection.

One nice feature of the i600 is that, because it runs the mobile version of Microsoft Windows, you can configure the phone to automatically synchronize your e-mail store if your e-mail is on an Exchange server. You can also synchronize contact and calendar information with Microsoft Outlook.

We also tried accessing e-mail using the Samsung a790 on Verizon's MobileWeb service. The MobileWeb offers slick access to Hotmail, America Online and Yahoo e-mail systems. Unfortunately, there's no way to configure access to other POP3 and SMTP servers.

Those who are most serious about handheld access to e-mail, however, generally turn to the Research in Motion BlackBerry. The device is as nimble as a gymnast when it comes to e-mail. Its always-on, push technology means you receive e-mail in real time, and lots of it because the devices can connect to as many as 10 e-mail accounts, both corporate and personal.

The device can work with any POP3 or Internet Message Access Protocol e-mail account, which covers most, if not all, of the e-mail providers in existence. BlackBerry also has its own enterprise server that can be used for e-mail.

Spam filtering occurs at the server level. If you use the BlackBerry enterprise server, you can set spam filters that will intercept e-mail before it gets to the device. If you use a corporate or personal account, the spam filters already in place apply to the BlackBerry, too, because the device only receives e-mail accepted into your regular inbox.

Of course, if your agency or department expects spam to be filtered at the client level, be prepared for a deluge of irrelevant messages.

Hardware innovations are making BlackBerry devices easier to use for composing messages. Although many models use a standard QWERTY thumb keyboard, newer models with phone functionality now come with a new type of keypad called SureType.

This keypad is smaller and requires fewer keystrokes than standard thumb keyboards because it condenses multiple characters onto each key. However, no external keyboard is available for BlackBerries, so input is limited to what you can do on the device itself.

— Michelle Speir

Novell GroupWise 6.5


(888) 321-4272


Features: Four out of five stars

Performance: Four stars

Ease of use: Four stars

Price: Four stars

Price: GroupWise 6.5 costs $130 per user for network, Web and wireless access. It costs $30 per user for only Web and wireless access.

Pros: GroupWise supports multiple platforms for servers and clients. The product also has multiple browser support for Web-based access. Plus, it integrates well with Research in Motion BlackBerries.

Cons: The number of wireless devices supported is somewhat limited.

IBM Lotus Notes/Domino Server 6.5


(888) 746-7426


Features: Five out of five stars

Performance: Four stars

Ease of use: Four stars

Price: Three stars

Price: One copy of Domino Server costs $2,964. The basic Notes client with instant messaging is $101 per client, and the Notes client with collaboration features is $140 per client. Volume discounts are available based on the amount of other IBM software that customers use.

Pros: Notes' Web-based interface delivers essentially the same functionality as the Windows client. Wireless additions provide access to a wide range of Notes applications from virtually any mobile device.

Cons: The product's wireless support requires an additional component.

Microsoft Exchange Server 2003


(800) 426-9400


Features: Four out of five stars

Performance: Four stars

Ease of use: Five stars

Price: Three stars

Price: Exchange Server is $699 for standard and $3,999 for enterprise edition. Client licenses are $67 each.

Pros: Exchange integrates with the Windows family of servers and software. The basic package includes wireless tools.

Cons: It has almost no support for other platforms and requires Internet Explorer for some operations.