This article applies to Riva On-Premise.
Riva uses the Microsoft-provided data-access API, primarily "Exchange Web Services" (EWS), over HTTPS (HTTP with TLS) to communicate securely with Exchange Online (Office 365), hosted Exchange, and Exchange on-premises.
Note: EWS is also the protocol that Outlook for Mac and the Apple Mail apps use to access end users' mailbox contents.
Note: Microsoft Exchange Online will soon disable support for Basic Authentication; details on how to mitigate the impact on Riva can be found in this article.
Connecting and Communicating with Exchange
Exchange is a multi-layered communication system with a typical deployment that includes
Riva connects to the Exchange "edge services" (the client-facing front-end layer). In line with best practices, Riva is not installed on Exchange servers, nor does it connect directly to Exchange mailbox servers. All data access is performed over the network.
During each sync cycle, Riva establishes a secure connection to the edge Exchange services responsible for the data-access service (EWS).
After the secure connection is established and the authentication confirmed, data synchronization is carried out for each user mailbox that is assigned to an enabled Riva sync policy.
When negotiating the TLS version, the Exchange "edge services" determine which protocol versions and cipher suites are accepted; Riva offers the versions enabled on the Riva server, and the edge service selects from those. Legacy versions (SSL 3.0, TLS 1.0/1.1) should be disabled on the edge services so that a downgraded connection cannot be negotiated.
Safeguards against MITM-style attacks can be configured with the "Certificate Verification" option. It can be set to require a certificate that chains to a trusted CA, or to require that a specific destination "edge service" always presents the expected certificate thumbprint, thereby preventing connections to unauthorized endpoints. "Certificate Verification" provides additional protection against MITM attacks that rely on DNS hijacking, DNS spoofing (DNS poisoning), or other TCP redirection methods. This configuration option is recommended. Note that a pinned thumbprint must be updated whenever the edge service's certificate is renewed, otherwise sync cycles will fail to connect. See HTTPS communication certificate validation.
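The following PowerShell script is an added example and is not Riva's own code or configuration. It performs the same two checks described above from the Riva server: it opens a TLS connection to an EWS endpoint, reports the negotiated protocol version and cipher suite that the edge service selected, and compares the presented certificate thumbprint with an expected pin. The host name and the expected thumbprint are assumed placeholder values.

```powershell
# Added example (not part of Riva): inspect the TLS negotiation and certificate
# thumbprint presented by an Exchange "edge service" on its EWS endpoint.
# $EwsHost and $ExpectedThumbprint are assumed placeholders; replace them.
param(
    [string]$EwsHost = 'mail.example.com',                                   # assumed EWS endpoint
    [int]$Port = 443,
    [string]$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed SHA-1 pin
)

$client = New-Object System.Net.Sockets.TcpClient($EwsHost, $Port)
try {
    # Capture the leaf certificate and chain status instead of letting .NET
    # abort the handshake, so the thumbprint is reported even when the
    # chain is untrusted; the pass/fail decision is made below.
    $script:remoteCert  = $null
    $script:chainStatus = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $policyErrors)
        $script:remoteCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        $script:chainStatus = $policyErrors
        return $true
    }

    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # Offer TLS 1.2 only; the edge service chooses the cipher suite.
    $ssl.AuthenticateAsClient($EwsHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)

    $match = ($remoteCert.Thumbprint -eq $ExpectedThumbprint.ToUpperInvariant())

    [pscustomobject]@{
        Host            = $EwsHost
        Protocol        = $ssl.SslProtocol
        Cipher          = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        KeyExchange     = "$($ssl.KeyExchangeAlgorithm)"
        Subject         = $remoteCert.Subject
        NotAfter        = $remoteCert.NotAfter
        Thumbprint      = $remoteCert.Thumbprint
        ChainStatus     = $chainStatus          # 'None' means the chain is trusted
        ThumbprintMatch = $match                 # $false indicates an unexpected endpoint
    }

    if (-not $match) {
        Write-Warning "Certificate thumbprint for $EwsHost does not match the expected pin."
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```

Run it from the Riva server so that the path tested is the one Riva actually uses (including any proxy or gateway in between). A ChainStatus other than None corresponds to the "trusted certificate" mode failing; a ThumbprintMatch of $false corresponds to the pinned-thumbprint mode failing, which is also what you will see after a routine certificate renewal until the pin is updated.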
Authenticating with Exchange
Riva does not require Exchange administrator role credentials, nor the credentials of the individual mailboxes being accessed.
The connection established by Riva must be configured with the credentials of an Exchange "service user" that has been granted access to the mailboxes that will be processed. These permissions can be granted through Application Impersonation (via Role-Based Access Control) or through Delegate Access (either Full Access or per-folder permissions). With Application Impersonation, the role assignment should be limited by a management scope so that the service user can impersonate only the mailboxes covered by Riva sync policies rather than every mailbox in the organization.
Exchange supports several authentication mechanisms. These work with Exchange's built-in security controls and can also be combined with third-party security gateway devices.
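The commands below are an added example for the Exchange Management Shell and are not Riva's own scripts. They show both permission models mentioned above with least privilege applied: a scoped Application Impersonation role assignment, and the Delegate Access (Full Access) alternative. The service account name `svc-riva`, the distribution group `Riva Sync Users` and its distinguished name are assumed values.

```powershell
# Added example (not part of Riva): grant a dedicated service account only the
# mailbox access it needs. Run in the Exchange Management Shell.
# 'svc-riva', 'Riva Sync Users' and the group DN are assumed values.
$ServiceUser = 'svc-riva'
$GroupName   = 'Riva Sync Users'
$GroupDN     = 'CN=Riva Sync Users,OU=Groups,DC=example,DC=com'

# Option A: Application Impersonation restricted by a management scope.
# Without the scope, the assignment would allow impersonating every mailbox.
New-ManagementScope -Name 'Riva Sync Mailboxes' `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$GroupDN'"

New-ManagementRoleAssignment -Name 'Riva Impersonation' `
    -Role 'ApplicationImpersonation' `
    -User $ServiceUser `
    -CustomRecipientWriteScope 'Riva Sync Mailboxes'

# Option B: Delegate Access instead of impersonation. Full Access is granted
# per mailbox; -AutoMapping:$false keeps the mailboxes from being auto-added
# to the service account's own Outlook profile.
Get-DistributionGroupMember -Identity $GroupName | ForEach-Object {
    Add-MailboxPermission -Identity $_.Identity -User $ServiceUser `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $false
}

# Verify what the service account can actually reach.
Get-ManagementRoleAssignment -RoleAssignee $ServiceUser -Role 'ApplicationImpersonation' |
    Format-List Name, RoleAssigneeName, CustomRecipientWriteScope
```

Use one model or the other, not both. Adding a mailbox to the group extends the impersonation scope automatically (Option A), whereas Option B must be re-run for each new mailbox; either way, review the assignments periodically against the enabled Riva sync policies.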
For Exchange on-premises / hosted, Riva supports:
For Exchange Office 365, Riva supports:
For instructions on how to prepare to create an Exchange connection with Riva, see Prepare for a Riva Server Exchange Web Services connection.
Example: Exchange Configuration
Microsoft best practices for a secure internet-facing environment reflect the following:
Load Balancer > Security Gateway > Load Balancers > Exchange “Edge Services” > Exchange “Mailbox Services”
In the above flow,
Many of our large customers in the financial services space run complex multi-layered environments that include additional "network zones". These are fully supported.
Riva On-Premise does not connect directly to any Exchange mailbox servers.
Each customer environment differs according to its complexity, compliance, and security needs. Our team can work with each customer's risk, security, and messaging teams to ensure that all communication and system access complies with the customer's requirements.
Your Exchange messaging team is likely already familiar with the technologies and processes Riva uses. If you have questions or require additional information, contact the Riva Success Team.
Article ID: 1450
Last updated: 06 Jan, 2021