Need technical expertise to solve this issue...

  • Question

  • User-1618761934 posted
    Here's the problem: We have a Windows 2000 Active Directory environment running Exchange 2000 as well. We have developed a small website for our customers to access their data, and now management wants a way for them to communicate with us (through the website) using email or some other method (forum style, "Contact Us" forms, etc.).

    It has been brought up by one member of our team to use OUR current Exchange server (we have only 1) and give them access to Outlook Web Mail. Well, in order to do this we have to create them as users in our Active Directory. I oppose this idea on the basis of security and the management overhead of some 300 extra accounts, possibly more, all simply for email access. Not only that, now you're talking about bringing 300+ user (non-employee) accounts into the security schema of your Active Directory. His argument is that he believes "that's what Active Directory is for", that it is a Microsoft best practice, AND that it's simple (another one of my arguments is that simple isn't always right) to do AND it's not any harder to manage.

    Aside from the fact that Outlook Web Mail takes the user away from our site (no consistency; you should feel like you haven't left the site), I find it hard to believe that companies in the "real world" add customers to their Active Directory for email and authentication purposes. Now we might be able to add another Exchange server separate from ours, but then that becomes a money issue which management wants to avoid.

    I guess I need to know if his way is how it is done and if it is even recommended, or if my way (letting the website manage that and forwarding it on to the right employee in our domain) is the better way. I still don't agree that we should let customers into our Active Directory (thereby becoming actual users in our domain), especially for email only. Am I wrong in this thinking? What is a recommended way? Isn't Active Directory primarily to manage an internal domain? Why would you NOT add customers to your Active Directory? I appreciate any information I could get on this from all you experienced users. Thanks!
    Wednesday, July 19, 2006 1:30 AM

All replies

  • User1354132231 posted
    I think you will get different answers depending on who you ask. Based on what you say, my personal take is that I would not put external users into my internal domain. Since the domain is the security boundary in AD, I would want them in another domain or external forest if I had to have AD. I actually would want them held in ADAM personally, but that won't help you with Exchange. It is possible with careful planning to put external users into your domain and segregate them such that they would have very limited access to anything if they were to actually log in locally. Personally, I would still not do it. Too much of a PITA to get it all set up, and it is easier to put an external forest or ADAM instance up. Without a separate security boundary you are allowing unknown users into your castle. Nothing is ever perfectly secure, but you are lowering the bar significantly when you have external users that can log in to your internal domain.

    That being said, I think Exchange is waaaaay overkill for a 'Contact Us' type of feature.  You can programmatically send emails from the web or allow the user to click a link, launch their own email app, and send you an email.  You can also buy and integrate forums like this one into your own site.  All of this would be cheaper and easier to manage than licensing more Exchange Users and bringing in external users into your org.

    The question you have to ask yourself is: are you trying to host your clients' email, or are you trying to allow them to contact you? If you give them Exchange, they can send email to more than just you. If I were an application architect at your organization, I would veto this idea. Not just for the security implications and the fact that it will make your administrator's life more difficult, but for the fact that Exchange does not sound like a good fit here anyway.
    Wednesday, July 19, 2006 9:22 AM
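The reply above suggests having the website send the email itself instead of giving customers mailboxes. The following is an added example (editor's code, not from either poster) of that pattern: the form handler builds one message, routes it to a fixed internal mailbox by topic, and relays it through the company's mail server. The customer never gets a directory account, and the only credential involved is the web server's own. The addresses, topic table and the fake SMTP object are constructed for the example; the one check a practitioner should not skip is rejecting line breaks in form fields, since a CR/LF in the "email" or "subject" field would otherwise let the sender inject extra headers (e.g. additional recipients) into the relayed message.

```python
"""Contact-form relay: the website accepts a customer's message and hands it
to an internal mailbox over SMTP. No customer account is created anywhere."""
import re
from email.message import EmailMessage
from email.utils import formataddr

# Constructed values for this example (not taken from the thread).
RELAY_FROM = "website@example.com"            # sender identity owned by the web server
DEFAULT_INBOX = "support@example.com"         # where unknown topics land
TOPIC_INBOXES = {                             # "forward it to the right employee"
    "billing": "billing@example.com",
    "support": "support@example.com",
    "sales": "sales@example.com",
}
MAX_BODY_CHARS = 10_000

_CRLF = re.compile(r"[\r\n]")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ContactFormError(ValueError):
    """Raised for any form input the relay refuses to put in a message."""


def _header_value(field: str, value: str, max_len: int) -> str:
    """Normalise a value destined for a mail header.

    CR/LF is rejected outright: a line break inside a header value would end
    that header and let the submitter add headers of their own (Bcc:, To:,
    Reply-To:) to the relayed message.
    """
    value = (value or "").strip()
    if not value:
        raise ContactFormError(f"{field} is required")
    if _CRLF.search(value):
        raise ContactFormError(f"{field} must not contain line breaks")
    if len(value) > max_len:
        raise ContactFormError(f"{field} is too long")
    return value


def build_contact_message(name: str, customer_email: str, topic: str,
                          subject: str, body: str) -> EmailMessage:
    """Turn validated form fields into the message the internal mailbox receives."""
    name = _header_value("name", name, 100)
    customer_email = _header_value("email", customer_email, 254)
    if not _EMAIL.match(customer_email):
        raise ContactFormError("email is not a valid address")
    subject = _header_value("subject", subject, 200)
    body = (body or "").strip()
    if not body:
        raise ContactFormError("message body is required")
    if len(body) > MAX_BODY_CHARS:
        raise ContactFormError("message body is too long")

    # Topic is used only as a dictionary key, so it can never steer mail
    # outside the fixed set of internal mailboxes.
    recipient = TOPIC_INBOXES.get((topic or "").strip().lower(), DEFAULT_INBOX)

    msg = EmailMessage()
    msg["From"] = formataddr(("Website contact form", RELAY_FROM))
    msg["To"] = recipient
    msg["Reply-To"] = formataddr((name, customer_email))  # employee replies go back to the customer
    msg["Subject"] = f"[Contact form] {subject}"
    msg.set_content(f"Message from {name} <{customer_email}>\n\n{body}")
    return msg


def send_contact_message(msg: EmailMessage, smtp) -> str:
    """Relay the message via an smtplib.SMTP-like object; returns the recipient."""
    smtp.send_message(msg)
    return str(msg["To"])


class FakeSMTP:
    """Stand-in for smtplib.SMTP so the example runs without a mail server."""
    def __init__(self):
        self.sent = []

    def send_message(self, msg):
        self.sent.append(msg)


if __name__ == "__main__":
    # Constructed form submission; in production use smtplib.SMTP("mailhost").
    relay = FakeSMTP()
    message = build_contact_message("Ada Customer", "ada@customer.example",
                                    "billing", "Invoice question", "Hello, ...")
    print("relayed to", send_contact_message(message, relay))
    try:
        build_contact_message("Mallory", "m@customer.example\r\nBcc: x@elsewhere.example",
                              "support", "hi", "hi")
    except ContactFormError as exc:
        print("rejected:", exc)
```

The handler deliberately keeps the customer's address in Reply-To rather than From, so the company's mail server only ever sends as its own fixed identity, and the topic-to-mailbox table is the whole routing surface: whatever the form submits, mail can only reach the addresses listed there.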