Make the Email Archive Available to Staff Working From Home

Whether on the go or in the home office – MailStore Server enables secure access to archived emails.

Like most of you, we at MailStore are also having to adapt to new working conditions due to the Covid-19 situation. For safety reasons, many companies are currently allowing staff to work remotely from home. I, for one, am currently operating from my temporary workspace at home. But to be as productive as I am on company premises, I need to have full and equal access to my resources. That includes managing calendars and folders, various tools and communication services, telephony functions, and, of course, my mailboxes and the MailStore email archive. In this blog post, I’ll explain how you, as an administrator, can configure MailStore Server so that your colleagues can access archived emails when working from home.

Access the Email Archive While Working From Home

With just a few minor tweaks, you can make the email archive available to staff working remotely. This is because the MailStore Server software was designed from ground-up to be a networking service. Within your corporate network, it’s already freely accessible from the desktop PCs at the workstations. But that probably doesn’t apply to remote workstations because the Internet – the transmission medium – stands in the way. As might be expected, any router or Internet gateway in a company will have been configured so as to prevent requests coming from outside the company (i.e. those arriving via the Internet) from being directed to on-premises PCs and servers.

Technical background: this involves a process known as masquerading. The router or internet gateway transfers requests from the PCs to the outside world and routes the corresponding responses back to the PCs. From the outside, it looks as if the gateway itself had generated the requests.

Direct requests from outside the company that are not responses to sessions already in progress within the company will be rigorously rejected in the first instance. However, a request to access MailStore Server from the home environment is an external communication request, and it needs to be explicitly permitted in our case.

Two Ways to Make an On-Premises Service Accessible From Outside the Company

Making an on-premises service accessible from outside the company can be done in two ways:
You can use a Virtual Private Network (VPN) tunnel to the company network to enable client PCs to establish a virtual presence within the company, or you can make MailStore Server publicly accessible in the router and the firewall.

Let’s look at the pros and cons of each method.

Availability via a VPN

Here, the external client PC uses a VPN client to set up a connection to the VPN server in the company. If the connection is successful, an encrypted tunnel is created. For both sides, the tunnel is like a virtual network cable that allows the client PC to connect to the company’s local network in a pre-defined context. Now, the email archive, for example, can also be accessed – either with MailStore Client, the Outlook Add-in, the integrated IMAP Server, or via WebAccess.

In order to use a VPN, the company needs to have a VPN server. This can be a service installed separately on a server. Today, however, many routers and Internet gateways have their own native VPN services.
In order now to address the VPN server, the Internet connection itself must either have been allocated a fixed IPv4 address by the provider, or a reliable, dynamic DNS service must continuously point a selected name to the correct, public IPv4 address of the company. Accordingly, the router and the firewall must also be configured to permit requests from outside the company.
If these services are integrated in the router, this usually takes place when the VPN is configured; in the case of a separate VPN server, port forwarding and firewall rules will be necessary.

Pros and Cons:
+ A VPN connection can be made available to individuals on a highly specific basis
+ An existing VPN tunnel can be used by very many other corporate IT services at the same time
+ A VPN will also conceal the actual services being provided “behind the scenes”
+ Depending on the product, a VPN will offer a free choice of leading-edge encryption methods
+ The encrypted connection to the MailStore server is encrypted a second time by the VPN
– Since the VPN must be set up and maintained on clients for specific employees, this can mean extra work for the administrator in the case of spontaneous accesses and changes to staffing

Making MailStore Server Publicly Available With Port Forwarding

Alternatively, MailStore Server can be made publicly available without a VPN.
With this approach, the ports required for the MailStore server are forwarded in the router/gateway (so-called port forwarding) so that requests made to the public address are directed to the in-house server. If this is configured automatically by the router, permissions for these ports may have to be set up in the firewall as well.
In this case, the client PC accesses the public address directly without additional software and then reaches MailStore Server via port forwarding.
In order to guarantee optimum security, MailStore Server communicates exclusively via SSL-encrypted connections, which means that not only internal but also internet-based communications remain tap-proof.
Ideally, as with the VPN, a fixed IPv4 address is needed or at least a fixed DNS name that uses dynamic DNS to continuously point to the correct IP address.

We advise using an official, trusted certificate for MailStore Server so that the client can verify that it is really communicating with the desired MailStore server and has not been re-routed by fraudulent means.
If you already have a public DNS name, just a few tweaks will allow you to use Let’s Encrypt™-certificates, which, unlike many paid certificates, is both free of charge and officially trusted.

Pros and Cons:

+ Once set up, everyone has access to their own personal archive
+ No special set-up is necessary on the client PC, just the login data of the MailStore Server user and the server URL
+ Accessible from various end devices without the need for specific VPN clients (i.e. potential devices in the company network such as smartphones, tablets, Linux and MacOS X PCs)
– Individuals connecting to MailStore WebAccess from outside the company can see which service is responding via the user interface (even if an actual login is not possible without user data)
– The machine running MailStore Server is publicly accessible via the selected ports

Conclusion:

Both roads lead to Rome! Whichever you choose, both achieve the fundamental goal of enabling employees to access their archives from outside the company. Whereas VPN is a more stringent solution that allows administrators considerable leverage, the direct, public approach is more flexible and, once set up, requires less maintenance on the part of the administrator.
Both cases use encryption to optimize tap-proof communications between clients and MailStore Server.

By implementing one of the above solutions, you can provide colleagues currently facing a lengthier spell of WFH (working from home) with a secure means of accessing their archives remotely. Should you have any technical queries during the configuration of remote access, we in the support team are always on hand to provide you with advice and assistance both during the trial phase and after purchasing MailStore Server.

About the author:
This article was written by Rebecca Rommelrath. An IT specialist in system integration, she has been working as a Technical Support Engineer at MailStore since 2018. Prior to this, she spent several years with other companies working in the field of IT system administration.

Sharing


Leave a Reply