Yes I have, but I had a nightmare with the certificates. As we were just using self certification the N80 complained every time it wanted to connect that the certificate was untrusted, no matter how I imported it. In theory you can set it to use HTTP rather than HTTPS, which will obviously be less secure; however, I couldn't persuade the phone to accept that as a valid choice.
If you've got a certificate from a proper root authority such as Verisign I think you'll find it a doddle, otherwise you may struggle slightly.
Hmm. I've read up on the Exchange tech note and it's a bit complicated to set up. So far I've installed an Exchange Front End server. I still have to set up SSL. The other thing I'm worried about is I have to poke holes through our firewall to allow ssl http, ssl imap and ssl pop. That might not fly past our security audits :(
SSL IMAP and POP only need to be opened if you're planning on using those connectors. If you're just using ActiveSync and connections for Outlook then you can get away with just the HTTP ports and a transit for the X400 stuff.
Provided you have end points for any open ports and remember to keep your Exchange patched then you have minimal risk.
That would be great if all I have to open up is 443 for SSL just to get https to work. Can you elaborate on the "transit" for X400?
The x.400 stuff is to do with MAPI, the way in which Exchange communicates with Outlook to give access to additional features such as the Global Address book and the calendar stuff.
If you don't use Outlook in your company then it's not something you need to worry about. If you do then I'd recommend leaving the x.400/MAPI stuff intact, otherwise you're only using a very small portion of Exchange's potential.
I already have an SSL web server that I use to access Citrix Nfuse from the Internet. Is it possible to somehow configure my Exchange front end to use that for SSL?
Yes, it's quite possible to share the HTTPS connection for multiple applications. How easy that is depends largely on how the other website is set up. If the NFuse website is hosted by IIS then it's a doddle. You simply use the same IIS server to deal with your Exchange and Nfuse websites. If you either don't wish to move the Nfuse site to the Exchange box or if the Nfuse site is hosted on another web platform such as Apache then it's a little harder (but not too much). Basically all you do is set it so that IIS is the primary site and have it redirect traffic for the Nfuse addresses to the Nfuse webserver. Can't remember quite how to do this just off the top of my head but I can look it up for you if needed.
A final point to consider is that if you REALLY just want to have HTTPS open and no other ports then you could offer the Exchange web interface as your in-house e-mail client. The web interface has become quite powerful over the last few years and would have the added advantage of not requiring any real user involvement for them to be able to access it outside of work.