In a network, the hosts most vulnerable to attack are those that provide services to users outside of the local area network (LAN). Due to the increased potential for being compromised, these hosts may be placed into their own sub-network in order to protect the rest of the network should an intruder successfully attack and infiltrate the service providing host. The sub-network is often referred to as a demilitarized zone (DMZ). In some instances, the DMZ may also be referred to as a demarcation zone or a perimeter network.
A DMZ is a physical or logical sub-network that contains an organization's external services as proffered over a larger, un-trusted network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organizational LAN. Hosts in the DMZ are generally not able to establish communication directly with any other host in the internal network although communication with other hosts in the DMZ and to the external network is allowed. This network configuration allows hosts in the DMZ to provide services to both the internal and external network while protecting the internal network from attack and infiltration.
Services provided to users in an external network are usually hosted in the DMZ. Common services may be provided by web servers. Other servers, such as database servers or e-mail servers, are not included in the DMZ because they may contain sensitive or confidential information. For example, e-mail may be stored on an internal e-mail server. A mail server in the DMZ passes incoming e-mail to the internal e-mail server; the internal e-mail server then passes outgoing e-mail to the mail server in the DMZ.
Common e-mail applications that may utilize a configuration with a mail server in the DMZ include Microsoft Exchange and Lotus Domino. These enterprise e-mail applications allow a user to view and manage their e-mail using a computing device with the respective e-mail client software installed (e.g., Microsoft Outlook or Lotus Notes). Using an intermediate mail server that is independent from the protected mail server allows for access to e-mail without having to be ‘on’ the protected network (e.g., during non-work hours when a user is away from a work computer).
FIG. 1 illustrates network architecture 100 as known in the prior art. Communication in network 100 may utilize a variety of communication networks including the Global System for Mobile communications (GSM), the General Packet Radio Service (GPRS), Enhanced Data rates for GSM Evolution (EDGE), Code Division Multiple Access (CDMA), or networks using the 3G mobile network standard. Network 100 may further include landline or satellite networks.
Network 100 may further include various computing devices hosting and executing any variety of connection applications (e.g., connection management application 120). These applications may be distributed across multiple devices, hosted on a single device, or integrated with various other applications at a data store (e.g., data store 110). Connector applications may be built for specific applications, data, data stores, and services.
In the network 100 illustrated in FIG. 1, e-mail arrives and resides at data store 110 (e.g., a Microsoft Exchange Server). This data store 110 may be located behind a firewall 130 in certain networks (e.g., a corporate LAN) as illustrated in FIG. 1. In some instances, however, a firewall may not be present.
Connection management application 120 is software installed at the data store 110. Execution of the application 120 by a processing device at this data store 110 provides for notifications to be delivered to e-mail account holders at, for example, a mobile device 150. These notifications may indicate the arrival of new e-mail at the data store 110. In some prior art systems, the connector application 120 may be installed on an enterprise server (e.g., an Exchange Server) or a personal computing device operating in conjunction with data store 110 (e.g., a desktop computer communicatively coupled to an Exchange Server).
Some e-mail account holders may wish to access e-mail at data store 110 through mobile device 150. Mobile device 150 is inclusive of any variety of mobile devices that are capable of communicating over the Internet. Such communication may also include the use of a wireless or landline network. Mobile device 150 is inclusive of cellular telephones, smart phones, personal digital assistants (PDAs), wireless e-mail devices, and handheld computing devices. A variety of mobile networks and communications channels for allowing Internet access are well known in the art.
Notifications, in FIG. 1, may be delivered to mobile device 150 via an intermediate relay server 140 (e.g., a store-and-forward device such as a Blackberry Server) located outside the firewall 130. This relay server 140 may be hosted by a network service provider. Mobile device 150 receives notification that new e-mail has arrived at the data store 110. In some prior art systems, a copy of the message may be delivered to the mobile device 150 instead of a notification. Relay server 140 includes one or more network interfaces to allow for communications over a network including the receipt and transmission of authentication information as well as the receipt and transmission of information from data store 110.
E-mail delivery in the prior art network 100 of FIG. 1 may be initiated in various ways. For example, e-mail may be pushed to the mobile device 150. For enterprises in which there are multiple users, many of whom will have different mobile devices, mobile operating systems, and e-mail applications, multiple server installations or connection management applications may be required. Such a solution may be complex, time-consuming, and costly with respect to not only equipment but also with respect to costs related to training and management for IT professionals tasks with keeping a network up and running.
Alternatively, a user may access e-mail through the Internet. Optional web access server 160, which may be located on the network DMZ, provides a user with remote access to e-mail stored at data store 110 and behind the firewall 130. One common example of such remote, web-based access is Outlook Web Access (OWA). OWA is a web-mail service found in Microsoft Exchange Server 5.0 and later. OWA provides users with access to e-mail received in the Microsoft Outlook e-mail application via a web browser.
Web access server 160, such as one used to provide OWA, allows for access to e-mail (including support for S/MIME), as well as calendars, contacts, tasks, and other content when the respective desktop application is unavailable. For example, a user may be using a public computing device (e.g., a public computer at an Internet cafe (170)) without the required mail client applications installed (e.g., Microsoft Outlook). If the computing device 170 has Internet access, however, users at device 170 may interface with data store 110 and review electronic mail or other data through a web-page associated with the web access server 160.
Contrary to a pure “push” based e-mail or notification system, web-based access generally requires that the user log in and initiate a web-based session each time the user wishes to view e-mail. To log in, the user provides certain credentials to authenticate user identity (e.g., a user name and password). For security purposes, after a period of inactivity, the session may time out thereby requiring the user to once again provide credentials for the purpose of re-authentication. Such operations may be especially time-consuming for mobile devices, since user interfaces on mobile device are generally much more limited than those on desktop computing devices.