Solved

How To Secure ActiveSync With a SSL Certificate

Posted on 2011-03-13
7
1,233 Views
Last Modified: 2012-05-11
Hi,

We're investigating using Activesync to connect iPhones to our Exchange 2003 server.
We want to use SSL Certificates to secure the connection to the devices

What is the process for setting up activesync to only communicate with devices that have the certificate installed?

We also want to be able to remotely wipe the phones, in order to do this do we just need to install the activesync administration tool?

Thanks
0
Comment
Question by:kswan_expert
7 Comments
 
LVL 17

Expert Comment

by:Malmensa
ID: 35125443
Best thing to do here is to purchase & install a 3rd party certificate.  Although it is possible in theory to "roll your own" certificate & install it on each device, it is serious PITA to manage.  

Godaddy are good, an year SSL certificate is around $50 per year. Follow the instructions on the site to do the install. Once you get the certificate installed, everythig else gets really easy.
0
 
LVL 22

Expert Comment

by:chakko
ID: 35125458

For phone security on Exchange 2003 there is an add-on you can download
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en

Then modify the IIS settings so that SSL is required.
In the website properties, Directory Security tab, Secure Communications area click the Edit button.  
Put the checkbox in the Require Secure Channel (SSL)
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35125975
If you install a self-issued SSL certificate - you can't stop users from configuring their iPhone on your server and syncing.  If you install a 3rd party SSL certificate, then any mobile phone with Activesync will be able to sync to your server as long as the right settings are configured.

Whatever certificate you install / configure, the best way to restrict access is to disable the Mobile Sync options from the users Active Directory Users and Computers account on the Exchange Features tab.  This will stop unauthorised mobiles from syncing.

If you do restrict access this way, then with 2003 - it makes no difference which type of certificate you install, but 3rd party ones can be easier to use longer term and you can secure your OWA site with a trusted SSL cert at the same time because it uses the default website, which is what Activesync uses.

Please have a read of my guide for details of how to configure your server to make sure Activesync is working properly (in case it isn't):

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

In terms of remote wipe - you will need to force a minimum of a 4-number PIN if you want to be able to remote wipe them phones and you can configure that in Exchange System Manager> General> Mobile Services Properties.  Then, once you have installed the Mobile Admin pack, you can remotely wipe a phone if lost or stolen.

Alan
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:kswan_expert
ID: 35311682
Hi,
Thanks for all  you're help on this so far.
We've got a few iPhones in to test I can get them to sync with Exchange perfectly but when i try and setup activesync to "require client certificates" the device can't connect anymore.
I've loaded the certificate from the server onto the iPhone and setup the credentials, it works when the "require client certificates" box isn't checked.

I think the problem is somewhere in IIS, there's alot of info on how to set this up but they all seem to be a slight bit different to how our environment is.

We've got exchange 2003 running on one server and OWA running on another, this is the server the I'm connecting to ( "webmail.domain.com")

How should both servers be setup to require SSL certicates only for activesync?

Thanks Again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35312202
You don't need "Client Certificates" - installing the certificate into IIS on the Default Website is enough to secure the iPhones (Activesync) and force it to use SSL (port 443).

If the test on the test site (https://testexchangeconnectivity.com) passes th Exchange Activesync test, then you are good to go.
0
 

Author Comment

by:kswan_expert
ID: 35338260
Hi,
Thanks for your response.
What we want to do is restrict activesync so only devices that have the certificate installed are able to sync with exchange. from what I've read this requires  "require client certificates" in IIS, but this breaks the connection.

The only thing I can see that might be Causing this is our webmail server that the iphones connect to and that have the security certificate have port 443 open, but our exchange server (separate box) doesn't. i tested this with http://www.canyouseeme.org

Does port 443 need to be open on both servers?
Do i need to setup certificate security on both servers?

Many Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35352127
You can restrict devices using Active Directory users and Computers - doing this with a certificate for the iPhone won't work because they don't need certificates installed on them - you just click on Continue and they are happy.

Port 443 needs to be open and forwarded the Exchange server (assuming you only have one), or the Front-End server if more than one.
0

Featured Post

The problems with reply email signatures

Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now