Solved

Concerns over security having fixed Exchange ActiveSync Problems

Posted on 2007-11-29
Last Modified: 2013-12-05
Hi Guys.

I had all sorts of problems getting ActiveSync for Exchange set up and working. I found Sembee's very helpful article here: http://www.amset.info/exchange/mobile-85010014.asp I followed it, and it worked a treat - thank you very much Sembee :)

However, the one thing I can't do, having run through all the instructions, is that I cannot turn encryption back on on the newly created virtual directory, mentioned in the article as "exchange-oma", and keep things working. All the other Exchange related folders have encryption turned on. If I turn the encryption back on on the "exchange-oma" folder though, ActiveSync stops working. Turn it back off, and everything is happy straight away.

Is it important to have on, or is the encryption on the other folders enough to guarantee encryption across all access? Also, what exactly is in / linked to the "exchange-oma" folder? As it was created from metadata gathered from the original "exchange" virtual directory, and a registry key was added, does it not contain content that needs encrypting?

Sorry to waffle, I look forward to any input.

Many thanks,

Bluemercury
Question by:bluemercury
9 Comments
 
Author Comment
by:bluemercury
Adding on, am I ok because I have 'form based authentication' switched on?
Expert Comment
by:Sembee
Do you have port 80 open to the internet? If not then everything will be SSL secured anyway. I never open port 80 on my deployments and then I don't need to worry about whether it is secure or not because the SSL certificate will be used.

Simon.
Author Comment
by:bluemercury
This is a good call, and had occurred to me also. The only problem is that we have port 80 open so that people can just type webmail.company.com into their browser. It then loads a web page from our IIS server root that redirects to https://webmail.company.com (our OWA site). Is there a better way of doing this, whilst still using the same host name for both of these, as our certificate is all linked up with this?

Many thanks,

Bluemercury
Expert Comment
by:Sembee
I am actually one of those cruel people who do not allow the users to enter the http variant. I find they quickly learn. I do not want http traffic coming anywhere near the Exchange server. Too many people in IT now who don't remember the Code Red worm which spread on port 80.

Simon.
Author Comment
by:bluemercury
You know Sembee, I think you've got a good point. I never did open port 80 before recently - it's only this firm I'm at which I've opened up this port. There's some people here that, let's say, need it made as simple as possible. I think I'm going to take your 'cruel' line though, and tell them to learn!

Of course, an alternative is that I direct port 80 to one of our other internal servers that has no Exchange on it, and a clean install of IIS, that simply hosts the forwarding page.

Back to the question, do you know whether "exchange-oma" needs to be secured anyway, and what exactly is in it? If I browse to the virtual directory from a browser, it doesn't load up correctly in the way the original "exchange" folder does.... Logic tells me they should be the same, so I don't quite get how it is configured.

Many thanks for your input.

Best wishes,

Bobby
Expert Comment
by:Sembee
exchange-oma directory should be identical in operation to the main /exchange virtual directory just without the forms based authentication setting. It should load OWA. You don't want to enable require SSL or anything like that on it because it is used by OMA and EAS to get their data for the PDA devices. That is an internal call on port 80.

Simon.
Author Comment
by:bluemercury
You're right - it is loading up now. So am I right in thinking that in order to get ActiveSync working and to have a secure link, you would always need to set up this additional "exchange-oma" virtual folder? I have always ticked the require encryption / 128-bit settings on the "Exchange" folder, so in fitting with this does it mean you have to create this replica folder for all Exchange Servers that you want ActiveSync on? (this would explain why I've always experienced this problem with ActiveSync)

Many thanks,

Bluemercury
Accepted Solution
by:Sembee (earned 500 total points)
The reason the additional folder is required is when you are using forms based authentication and/or require SSL.
The internal call is on port 80 and uses integrated authentication. When you enable forms based authentication integrated authentication is disabled. Require SSL basically generates an error in the browser, which also stops the internal process.

However don't forget that require SSL is NOT a required setting to make the connection secure. If you only open port 443 and have an SSL certificate in place then the certificate will work. Require SSL is only to protect something that has both http and https access.  

As with many things and Microsoft, they want you to use a frontend/backend scenario. In that case you don't need to make any changes. Same goes for RPC over HTTPS. In FE/BE you get a nice GUI to setup, single server you have to make the manual registry changes.

SBS R2 of course makes the exchange-oma and related changes for you.

Simon.
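The accepted answer above gives three configurations of the /exchange-oma virtual directory that break the internal ActiveSync/OMA call (forms-based authentication, Require SSL, and anything that answers plain HTTP with something other than an integrated-authentication challenge), and bluemercury's earlier comment describes a fourth thing a port-80 request can hit: a redirect page on the site root. The script below, added here as an example and not taken from the thread or from Sembee's article, takes the raw HTTP response a client would get from an unauthenticated GET on port 80 and names which of those situations it is looking at. The responses are constructed, not captured; the OWA logon path /exchweb/bin/auth/owalogon.asp, the host name webmail.company.com and the wording of IIS 6's default 403.4 error page are assumptions used for the samples.

```python
"""Classify what an IIS 6 virtual directory such as /exchange-oma answers to a
plain HTTP request, separating the one response that lets the internal
ActiveSync/OMA call succeed (a Negotiate/NTLM challenge) from the
configurations the thread says break it.

Added example for this thread; not code from the original posts or from
Sembee's article. Host names, paths and response bodies are constructed.
"""
import re

# Constructed HTTP/1.1 responses (not captured traffic). Each models one
# configuration of the directory as seen by an unauthenticated
# GET /exchange-oma/ on port 80.
SAMPLES = {
    # Integrated Windows authentication only: IIS challenges with
    # Negotiate/NTLM. This is what the internal EAS/OMA call on port 80 needs.
    "integrated_auth": (
        "HTTP/1.1 401 Unauthorized\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "WWW-Authenticate: Negotiate\r\n"
        "WWW-Authenticate: NTLM\r\n"
        "\r\n"
    ),
    # Forms-based authentication enabled: no challenge, just a redirect to the
    # OWA logon form (assumed path /exchweb/bin/auth/owalogon.asp).
    "forms_based_auth": (
        "HTTP/1.1 302 Object moved\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "Location: https://webmail.company.com/exchweb/bin/auth/owalogon.asp"
        "?url=http://webmail.company.com/exchange-oma/&reason=0\r\n"
        "\r\n"
    ),
    # "Require secure channel (SSL)" ticked: IIS answers 403 and its default
    # error page names substatus 403.4 in the body (assumed default page text).
    "ssl_required": (
        "HTTP/1.1 403 Forbidden\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html><head><title>The page must be viewed over a secure channel"
        "</title></head><body>HTTP Error 403.4 - Forbidden: SSL is required "
        "to view this resource.</body></html>"
    ),
    # A plain http-to-https redirect page, as described for the site root.
    # Fine for a browser, useless for the internal call.
    "https_redirect": (
        "HTTP/1.1 302 Object moved\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "Location: https://webmail.company.com/\r\n"
        "\r\n"
    ),
}


def parse_response(raw):
    """Split a raw HTTP response into (status code, headers, body).

    Header names are lower-cased and each maps to a list, because IIS sends
    one WWW-Authenticate header per accepted scheme.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def classify(raw):
    """Name the directory configuration a response most likely came from."""
    status, headers, body = parse_response(raw)
    schemes = [v.split(" ", 1)[0].lower()
               for v in headers.get("www-authenticate", [])]
    location = headers.get("location", [""])[0].lower()

    if status == 401 and ("negotiate" in schemes or "ntlm" in schemes):
        return "integrated-auth"
    if status == 401 and schemes:
        return "other-auth-only"      # e.g. Basic offered without Negotiate/NTLM
    if status == 403 and re.search(r"\b403\.4\b", body):
        return "ssl-required"
    if status in (301, 302) and "owalogon.asp" in location:
        return "forms-based-auth"     # check before the generic https redirect
    if status in (301, 302) and location.startswith("https://"):
        return "https-redirect"
    if status == 200:
        # A mailbox directory should never serve an unauthenticated GET.
        return "anonymous"
    return "unexpected"


def internal_call_can_succeed(raw):
    """True only when the directory still offers integrated authentication over
    plain HTTP, the condition the accepted answer gives for the internal call."""
    return classify(raw) == "integrated-auth"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} -> {classify(raw):17} "
              f"internal call OK: {internal_call_can_succeed(raw)}")
```

To use it against a real server, capture the response to a plain `GET /exchange-oma/ HTTP/1.1` from the Exchange box itself (the internal call is local, so test from there rather than from the internet) and pass the raw text to `classify`. Only the `integrated-auth` verdict means the exchange-oma directory is configured the way the answer describes; `ssl-required` and `forms-based-auth` are the two settings the thread says must stay off that one directory, and `https-redirect` means the request hit the redirect page rather than the directory.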
Author Comment
by:bluemercury
This is very insightful. So you're saying that the tick box to require encryption and set the required security level at 128-bit (on a virtual directory in IIS) is simply not required if I have the certificate in place (therefore simply making it a method of enforcement only)? It will all happen automatically if users come in on 443? Presumably an internal call to port 80 is still achievable given this setup.

Your internal call point is understood. Does integrated authentication use the Kerberos protocol?

I hold an MCSE in the current (and last) syllabus with Exchange electives, and on occasion it surprises me (well not too much, being Microsoft) that Microsoft miss these little details out.

It is also helpful to know that SBS creates the "exchange-oma" folder for users. Looks like every single-server installation of Exchange 2003 I do, I shall implement using your clearly defined method.

Many thanks,

Bluemercury