Coronavirus (COVID-19) has fast-tracked alternatives to the way we work not just now but in the future as well. Remote work has always been frowned upon for many reasons, perhaps most of all because employers simply do not trust their employees. But as many are finding out, now that we are forced to stay at home, we can still be productive — in many ways as productive as we were at the office. This extends to any of us whose job is keeping Exchange up and running. For example, you open a web page and you do what you need to do from the Exchange Admin Center (EAC). So, the question now is, “How do I get into my environment to access the Exchange Management Shell (EMS) to run reports for managers or to check something on Exchange or build a new pair of servers for a new database availability group?” Or perhaps you need to troubleshoot a failed server or a database that won’t mount. Whatever the need is, you can connect to your Exchange environment and manage it remotely. Here are some of the ways:
- VPN connection
Other ways of connecting are:
- Remote Desktop. (Not recommended.)
- Exposing the Exchange Admin Center (EAC) to the Internet. (Not recommended.)
Manage Exchange remotely
With each of these options, you can connect using a browser or application to securely log in to pretty much anything that you publish. In Parallels, for example, you could publish the Exchange Management Shell (EMS) so you can easily run commands without having to connect to a server. Citrix does the same thing.
Let’s take a step back, first. Microsoft announced that the Exchange Admin Center is being actively attacked. You should first patch your Exchange 2016 or 2019 Server with the latest CU and security update, and also disable external access to the Exchange Admin Center.
ScreenConnect is a web interface that allows you to log in securely, with 2FA and single sign-on if need be, so you can access and manage your Exchange environment remotely with ease. Your home office is basically your work office, just from a different location, so connecting to it shouldn’t be any different.
Perhaps your firewall team only allowed the office public IPs to connect, and you can’t connect from home. This should not stop you from connecting. A simple phone call or Microsoft Teams/Zoom session with the firewall folks will clear the air and you will be on your way to working without hindrance.
Collaborate and manage Exchange remotely
Working remotely does not mean you need to work in isolation. If you are mentoring a junior person in the company or a new hire, they can join any session of preference, whether it is Microsoft Teams or Zoom or ScreenConnect.
Working remotely should bring everyone closer as you will be collaborating more and using the tools to their full potential. It should be like the person is sitting in the room next to you when you collaborate.
Another way to connect is to use your VPN client, which allows you to securely access your environment and work like you are in the office. With a VPN connection, you can launch the Exchange Management Shell (EMS) or Active Directory snap-in to manage AD as you are virtually connected to the environment.
Now you will notice that above I mentioned two other ways but do not recommend them. The reason is that Remote Desktop has a large attack surface and hackers generally brute force it. Then the next thing you know your servers are loaded with ransomware. From what I have seen, if you have public IPs, hackers are actively and constantly scanning them to look for a hole to get in. If this is your only means of getting into the environment, you should re-think your security strategy.
As mentioned above, the EAC is vulnerable and external access should be taken away.
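One way to check and remove EAC exposure from the Exchange Management Shell, as an added example that is not part of the original article. The server names are hypothetical placeholders for whichever servers you publish to the Internet. Setting `AdminEnabled` to `$false` turns EAC off on that server for internal connections as well, so keep an internal-only server for administration.

```powershell
# Added example: audit and turn off EAC on Internet-facing Exchange servers.
# Run in the Exchange Management Shell with Exchange admin rights.

# Assumption: hypothetical names of the servers published to the Internet.
$InternetFacing = @('EXCH-PUB01', 'EXCH-PUB02')

# 1. Report the current state of every ECP virtual directory in the org.
$ecpDirs = Get-EcpVirtualDirectory
$ecpDirs |
    Select-Object Server, Name, AdminEnabled, InternalUrl, ExternalUrl |
    Format-Table -AutoSize

# 2. Turn off EAC only where it is still enabled on a published server.
#    -WhatIf shows what would change; remove it to apply the change.
foreach ($dir in $ecpDirs) {
    $serverName = [string]$dir.Server
    if (($InternetFacing -contains $serverName) -and $dir.AdminEnabled) {
        Write-Host "EAC is enabled on published server $serverName"
        Set-EcpVirtualDirectory -Identity $dir.Identity `
            -AdminEnabled $false -WhatIf
    }
}

# 3. Verify: list any published server where EAC is still enabled.
$stillOpen = Get-EcpVirtualDirectory | Where-Object {
    ($InternetFacing -contains [string]$_.Server) -and $_.AdminEnabled
}
if ($stillOpen) {
    $stillOpen | Format-List Identity, AdminEnabled, ExternalUrl
} else {
    Write-Host 'EAC is disabled on all listed Internet-facing servers.'
}
```

Users can still reach their own Settings/Options pages in Outlook on the web after this change; only the administrative interface is turned off.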
What if Group Policy objects are locked down?
If you are using a company laptop with Group Policy Objects (GPO) locked down, you might find yourself in a bit of a predicament as the machine cannot contact a domain controller. It will lock you out. You will need to use your VPN client to authenticate and allow access, or the company will have to decide to lift the lock temporarily if they do not have enough VPN licenses for everyone to use, as some of them do come at a cost.
Checking on your datacenter remotely
If you are responsible for doing checks in the datacenter, you can use your cameras to do the checks and you do not need to physically be there, even to do a power cycle. Yes, you might need to tune the cameras a bit so you can see temperature gauges or uninterruptible power supply (UPS) interfaces, but most of these can be monitored with appliances like NetBotz. So, what does this have to do with Exchange? Well, if your UPS goes offline and your systems power down or the air conditioner stops working, your Exchange servers won’t be available and this means downtime for users, even though they are working remotely.
Lastly, if your company has restrictions on who can access Outlook on the Web (OWA) or Outlook externally, you will need to make adjustments while in quarantine so that all employees can access their email, whether it is with Outlook or webmail.
This is very likely the new norm where we will be working remotely more often than in the office. But at the end of the day, while the way we collaborate and do things will be different, the results might be the same — just as if everyone was in the office.