E-mail near and far

A look at three vendors' capabilities for accessing e-mail remotely.

Managing an agency's e-mail system is challenging. But when you've got remote workers and people in the field who need to access their office e-mail accounts, the management and security challenges multiply. The three most popular e-mail products — IBM Lotus Notes, Microsoft Exchange and Novell GroupWise — offer built-in options for remote access via several avenues.

First, all the products enable access through Web browsers. And although Web access offers much of the functionality of standard desktop clients, Web clients tend to lack desktop clients' snappy response time. Second, each system supports the implementation of remote access for wireless devices, though the necessary tools will have to be installed and configured separately.

Third, you can use the desktop client version of all three products for remote access if your organization's security policies permit it. That option requires a computer security group willing to open one or more ports on its firewall. An alternative you may want to consider is implementing another remote access solution that is not limited to e-mail, such as Citrix Systems' MetaFrame.

One common method of remotely accessing e-mail and other applications has been the virtual private network (VPN). Traditional VPN methods have recently fallen into disfavor with many computer security managers because of their vulnerability to worm attacks. When a remote computer connects using a fully trusted VPN connection, it appears to be locally connected to the network. If a remote VPN connection is established with a computer infected with the Blaster virus, for example, it could in turn infect other computers on the network that have not been appropriately patched.

Finally, users can potentially access any e-mail system open to Web access via a mobile device such as a personal digital assistant (PDA) or a wireless phone. The two primary problems they will encounter using those devices are reduced functionality caused by the small display and difficulty in composing replies (see sidebar, "Fitting big words into small places").

Web access integration

All three of the popular e-mail systems provide a Web experience that nearly replicates what you get with the full desktop client. So what don't you get? The answer comes down to integration.

The Lotus Notes environment is probably the best integrated of the three. The IBM Lotus Domino Web Access client offers much of the functionality of its desktop cousin. The missing pieces consist mainly of advanced editing tools and integration with other desktop applications. Additionally, the Notes desktop client offers a greater level of personal customization of views and window arrangements than the Web client does. Finally, Web users will miss out on some of the inherent security and replication features built into Notes. Most notably, users will not be under the umbrella of Notes' encryption and rights management tools.

Microsoft's Outlook Web Access, a component of Exchange Server 2003, works best with Internet Explorer, though it will work with other browsers such as Mozilla Firefox. The user interface looks almost identical to the standard version of Outlook and delivers much of the same functionality. However, the Web client's level of integration with other applications is not as strong as with the desktop Outlook client. Although most of Microsoft's productivity tools such as Word, Excel and PowerPoint have a "send to" option on the file menu that works with Outlook, that functionality will not be available when you're using a Web mail application.

On the plus side, the latest version of Outlook Web Access has better capabilities for managing mail folders. Previous versions wouldn't allow you to access folders when working remotely. GroupWise and Lotus Notes have offered such features for some time.

Unfortunately, most Defense Department workers can't take advantage of the latest version of the Outlook Web Access client because of Defense Message System requirements. Exchange 5.5 is the most recent version that meets the system's security requirements, though efforts are under way to get Exchange 2003 approved.

Novell's GroupWise also delivers essentially the same functionality in its Web client as it does in its desktop client. On the native client side, GroupWise offers versions for Microsoft Windows, Mac OS X and various types of Linux, and it supports other browsers better than Exchange does. As with Exchange, all you need for remote access from GroupWise's native client is an Internet connection and the proper port open on the firewall. By comparison, Lotus Notes requires at least three open ports.

Securing the enterprise

All three products use encrypted authentication to protect the user name/password combination and HTTPS to connect to the server. It is important to educate users working in insecure environments about closing the browser after e-mail sessions to help prevent unauthorized access to a cached page using the browser's back button.
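A server-side complement to the user advice above, as an added example that is not from the original article or from any of the three vendors: it audits webmail response headers for `Cache-Control: no-store`, the directive that tells a browser not to keep a copy of the page. The sample responses are constructed.

```python
# Added example: flag webmail responses a browser may keep after the session.
# The sample responses are constructed, not captured from any product.

def parse_head(raw):
    """Split a raw HTTP response head into (status, {lowercased name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def cache_directives(headers):
    """Merge Cache-Control directives from every Cache-Control header line."""
    found = {}
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            key, _, arg = part.strip().partition("=")
            if key:
                found[key.lower()] = arg.strip('"')
    return found

def audit(raw):
    """Return findings for one response; an empty list means no-store is set."""
    _, headers = parse_head(raw)
    d = cache_directives(headers)
    if "no-store" in d:
        return []
    if "no-cache" in d:
        return ["no-cache only forces revalidation; the page may still be stored"]
    if "private" in d:
        return ["private excludes shared caches but not the local browser cache"]
    return ["no Cache-Control: no-store; the browser decides whether to keep the page"]

SAMPLES = {
    "default": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "no_cache": "HTTP/1.1 200 OK\r\nCache-Control: private, no-cache\r\n"
                "Pragma: no-cache\r\n\r\n",
    "hardened": "HTTP/1.1 200 OK\r\nCache-Control: no-store\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit(raw) or "ok")
```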

Viruses and server attacks are the primary security risks organizations encounter when users access e-mail remotely. Regarding server attacks, the issue boils down to controlling ports. Microsoft's latest versions of Outlook and Exchange communicate via the standard HTTP Port 80. This requires you to configure Remote Procedure Call (RPC) over HTTP on the server and client. This makes the firewall administrator's job much easier because another port doesn't have to be opened for remote e-mail access.

GroupWise requires a single port for access and defaults to Internet Port 1677. Users sign in through a log-in screen to Novell's eDirectory. Once authenticated, you can access all the GroupWise functions without the need for a VPN connection.

The IBM Lotus Notes client uses multiple ports to connect to the server and typically requires a VPN connection to work properly. You could configure a message-forwarding or middleware server in the network's demilitarized zone, but it's probably more trouble than it's worth.

The risk of viruses is perpetual, although remote access to e-mail does not significantly increase it. In fact, most organizations have adopted an e-mail attachment filter to catch the bulk of e-mail viruses before they get to a user's inbox. Likewise, all outgoing mail and mail from in-house clients is processed through the in-house servers.

Nothing can replace good user education. Remote and in-house users must be warned not to open an e-mail attachment if they don't know and trust the sender. And virus protection for the client machine is also mandatory, although it can be more difficult to ensure for those working remotely. Viruses have more recently made their way to wireless devices and could also present a threat in the reverse direction.

Wireless access

Novell's GroupWise product has provided support since Version 5.5 for accessing your address book, calendar, inbox and tasks from any device with a Handheld Device Markup Language microbrowser. The product has recently added full support for Research in Motion BlackBerry devices, including two-way synchronization with the complete GroupWise environment. Future support includes Wireless Markup Language for worldwide access, simple HTML for Windows CE and Pocket PC devices, and compact HTML for iMode devices in Japan. The list of supported phones, which is somewhat limited, can be found on Novell's Web site (www.novell.com/products/wireless/supported_phones.html).

Microsoft Exchange Server 2003 offers support for Windows Mobile-based devices, browser-equipped mobile phones and Exchange ActiveSync-enabled devices. Exchange ActiveSync provides the same syncing functionality that you normally get when you dock your PDA in its cradle. There's also a phone-enhanced version of Outlook Web Access that does a good job of presenting information in the limited amount of screen space found on most mobile devices.

Lotus Notes users have the Lotus Domino Everyplace software for wireless access to their information. Everyplace makes all Personal Information Manager data accessible to supported mobile or wireless devices. Support for Notes applications makes it possible to extend the classic Notes desktop client to virtually any mobile device. You'll need a mobile device capable of supporting Wireless Access Protocol 1.1 or higher. Connectivity through specific wireless vendors is supported through the use of gateway addresses and can be configured by systems administrators.

Administration and configuration

From an administrator's perspective, the biggest challenge in implementing remote access to e-mail is in the initial setup and configuration. For many government agencies, overcoming the political challenges of working with different organizations responsible for server applications and computer security is often more difficult than dealing with the technical issues.

An ever-changing regulatory environment adds a new dimension to the overall administration burden. Fortunately, all three products integrate remote access into the core functionality of the systems — messages generated from a mobile device travel the same path through the system as one from a desktop workstation would. So if you're implementing solutions in support of the Health Insurance Portability and Accountability or Sarbanes-Oxley acts, they should cover mobile users as well.

Setting up Web access for all three products requires integration with a Web server. If you use Microsoft Exchange, you must use the company's Internet Information Services. In the case of Novell's GroupWise, you are not restricted to one type of server, but you must install the GroupWise WebAccess Application, WebPublisher Application and WebAccess Agent.

Likewise, Lotus Notes integrates with the Domino server and requires Domino Everyplace for wireless support, but administrators have a choice of Web servers to use.

Both Microsoft and Novell offer an integrated security model that will link a user's e-mail and system information using either Active Directory or eDirectory. Administration takes place from a single application, including remote access authorization. With Exchange, all administration takes place using the Microsoft Management Console. Novell's ConsoleOne application facilitates all GroupWise administration and user configuration.

For user authentication, Lotus Notes will integrate with a Lightweight Directory Access Protocol server, including Microsoft's Active Directory. On a Windows server, that means you can use the same Microsoft Management Console to administer users and groups in Windows and IBM Lotus Notes. In a Unix/Linux environment, you'll have to configure users in two applications.

Once you have things set up, users will be able to take advantage of single sign-on for extra convenience.

Firewall configuration may present a major challenge for Exchange administrators. If you're in a Microsoft environment with the company's Internet Security and Acceleration (ISA) Server, for example, you'll need to perform a number of additional configuration steps to get the RPC-over-HTTP feature to work.

This includes establishing secure Exchange RPC Server publishing rules on the ISA Server and creating a split Domain Name System environment. This step exists only for people using both Microsoft Exchange and ISA Server, though other firewall products will have similar problems.

Administrators of Notes and GroupWise avoid this challenge. GroupWise needs a single port open, while Notes requires a VPN connection, a challenge of a different sort.

The bottom line

It is unlikely that an organization would change its e-mail system based on remote access capabilities. More often, you make do with what you've got.

If you're setting up a new system, however, remote access is becoming an increasingly important factor in the selection process.

Microsoft's Exchange Server 2003 offers a wide variety of features and options that cater to organizations that use mostly Microsoft products. Novell and IBM support a wider range of client/server platforms with comparable features.

IBM Lotus Everyplace supports the most mobile devices. Exchange Server 2003 offers more out-of-the-box wireless capabilities than Lotus and GroupWise without needing to add products, and it integrates better with the Windows platform.

Coming up with the solution that works best for your agency or department requires a careful analysis of user needs and the existing infrastructure.

You might also want to consider third-party solutions that integrate with these e-mail systems. For example, a number of vendors offer voice-recognition products that allow users to access in-house e-mail messages via a standard telephone.

Such solutions, however, involve the purchase of hardware and software, and potentially add security risks.

Ferrill, based in Lancaster, Calif., has been writing about computers and software for more than 18 years. He can be reached at Paul.Ferrill@verizon.net.

Fitting big words into small places

Wireless phones and other handheld devices are making it possible for users to access their e-mail accounts on the road without lugging around a laptop computer or finding an Internet kiosk. However, there's a big difference between making it possible and making it easy.

Vendors have not yet found a standard way to deliver e-mail to handheld devices. Some support connections to any Post Office Protocol (POP) 3 and Simple Mail Transfer Protocol (SMTP) e-mail server, for example. But others only support connections to services compatible with Wireless Application Protocol. Regardless of connectivity, we encountered a variety of other limitations imposed by the diminutive size of the devices.

Using a Samsung i600 SmartPhone, for example, we were able to connect to any POP3 server for downloading e-mail. By default, the device downloads only headers, and you must mark any messages for download and then reconnect. We found reading messages, even on the tiny screen of the i600, to be relatively easy. A bigger problem was trying to write e-mails using the phone's keypad. Fortunately, portable keyboards are available that allow touch typing.

We immediately noticed that spam was a more difficult problem. The mail client has no spam filter, so if your mail server isn't filtering spam, you're going to be deluged with irrelevant mail. That bogs down an already slow e-mail connection.

One nice feature of the i600 is that, because it runs the mobile version of Microsoft Windows, you can configure the phone to automatically synchronize your e-mail store if your e-mail is on an Exchange server. You can also synchronize contact and calendar information with Microsoft Outlook.

We also tried accessing e-mail using the Samsung a790 on Verizon's MobileWeb service. The MobileWeb offers slick access to Hotmail, America Online and Yahoo e-mail systems. Unfortunately, there's no way to configure access to other POP3 and SMTP servers.

Those who are most serious about handheld access to e-mail, however, generally turn to the Research in Motion BlackBerry. The device is as nimble as a gymnast when it comes to e-mail. Its always-on, push technology means you receive e-mail in real time, and lots of it because the devices can connect to as many as 10 e-mail accounts, both corporate and personal.

The device can work with any POP3 or Internet Message Access Protocol e-mail account, which covers most, if not all, of the e-mail providers in existence. BlackBerry also has its own enterprise server that can be used for e-mail.

Spam filtering occurs at the server level. If you use the BlackBerry enterprise server, you can set spam filters that will intercept e-mail before it gets to the device. If you use a corporate or personal account, the spam filters already in place apply to the BlackBerry, too, because the device only receives e-mail accepted into your regular inbox.

Of course, if your agency or department expects spam to be filtered at the client level, be prepared for a deluge of irrelevant messages.

Hardware innovations are making BlackBerry devices easier to use for composing messages. Although many models use a standard QWERTY thumb keyboard, newer models with phone functionality now come with a new type of keypad called SureType.

This keypad is smaller and requires fewer keystrokes than standard thumb keyboards because it condenses multiple characters onto each key. However, no external keyboard is available for BlackBerries, so input is limited to what you can do on the device itself.

— Michelle Speir

Novell GroupWise 6.5

Novell

(888) 321-4272

www.novell.com

Features: Four out of five stars

Performance: Four stars

Ease of use: Four stars

Price: Four stars

Price: GroupWise 6.5 costs $130 per user for network, Web and wireless access. It costs $30 per user for only Web and wireless access.

Pros: GroupWise supports multiple platforms for servers and clients. The product also has multiple browser support for Web-based access. Plus, it integrates well with Research in Motion BlackBerries.

Cons: The number of wireless devices supported is somewhat limited.

IBM Lotus Notes/Domino Server 6.5

IBM

(888) 746-7426

www.lotus.com

Features: Five out of five stars

Performance: Four stars

Ease of use: Four stars

Price: Three stars

Price: One copy of Domino Server costs $2,964. The basic Notes client with instant messaging is $101 per client, and the Notes client with collaboration features is $140 per client. Volume discounts are available based on the amount of other IBM software that customers use.

Pros: Notes' Web-based interface delivers essentially the same functionality as the Windows client. Wireless additions provide access to a wide range of Notes applications from virtually any mobile device.

Cons: The product's wireless support requires an additional component.

Microsoft Exchange Server 2003

Microsoft

(800) 426-9400

www.microsoft.com

Features: Four out of five stars

Performance: Four stars

Ease of use: Five stars

Price: Three stars

Price: Exchange Server is $699 for standard and $3,999 for enterprise edition. Client licenses are $67 each.

Pros: Exchange integrates with the Windows family of servers and software. The basic package includes wireless tools.

Cons: It has almost no support for other platforms and requires Internet Explorer for some operations.