Solved

How To Secure ActiveSync With a SSL Certificate

Posted on 2011-03-13
7
1,232 Views
Last Modified: 2012-05-11
Hi,

We're investigating using Activesync to connect iPhones to our Exchange 2003 server.
We want to use SSL Certificates to secure the connection to the devices

What is the process for setting up activesync to only communicate with devices that have the certificate installed?

We also want to be able to remotely wipe the phones, in order to do this do we just need to install the activesync administration tool?

Thanks
0
Comment
Question by:kswan_expert
7 Comments
 
LVL 16

Expert Comment

by:Malmensa
Comment Utility
Best thing to do here is to purchase & install a 3rd party certificate.  Although it is possible in theory to "roll your own" certificate & install it on each device, it is serious PITA to manage.  

Godaddy are good, an year SSL certificate is around $50 per year. Follow the instructions on the site to do the install. Once you get the certificate installed, everythig else gets really easy.
0
 
LVL 22

Expert Comment

by:chakko
Comment Utility

For phone security on Exchange 2003 there is an add-on you can download
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en

Then modify the IIS settings so that SSL is required.
In the website properties, Directory Security tab, Secure Communications area click the Edit button.  
Put the checkbox in the Require Secure Channel (SSL)
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
Comment Utility
If you install a self-issued SSL certificate - you can't stop users from configuring their iPhone on your server and syncing.  If you install a 3rd party SSL certificate, then any mobile phone with Activesync will be able to sync to your server as long as the right settings are configured.

Whatever certificate you install / configure, the best way to restrict access is to disable the Mobile Sync options from the users Active Directory Users and Computers account on the Exchange Features tab.  This will stop unauthorised mobiles from syncing.

If you do restrict access this way, then with 2003 - it makes no difference which type of certificate you install, but 3rd party ones can be easier to use longer term and you can secure your OWA site with a trusted SSL cert at the same time because it uses the default website, which is what Activesync uses.

Please have a read of my guide for details of how to configure your server to make sure Activesync is working properly (in case it isn't):

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

In terms of remote wipe - you will need to force a minimum of a 4-number PIN if you want to be able to remote wipe them phones and you can configure that in Exchange System Manager> General> Mobile Services Properties.  Then, once you have installed the Mobile Admin pack, you can remotely wipe a phone if lost or stolen.

Alan
0
Want to promote your upcoming event?

Is your company attending an event or exhibiting at a trade show soon? Are you speaking at a conference? Spread the word by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

 

Author Comment

by:kswan_expert
Comment Utility
Hi,
Thanks for all  you're help on this so far.
We've got a few iPhones in to test I can get them to sync with Exchange perfectly but when i try and setup activesync to "require client certificates" the device can't connect anymore.
I've loaded the certificate from the server onto the iPhone and setup the credentials, it works when the "require client certificates" box isn't checked.

I think the problem is somewhere in IIS, there's alot of info on how to set this up but they all seem to be a slight bit different to how our environment is.

We've got exchange 2003 running on one server and OWA running on another, this is the server the I'm connecting to ( "webmail.domain.com")

How should both servers be setup to require SSL certicates only for activesync?

Thanks Again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
You don't need "Client Certificates" - installing the certificate into IIS on the Default Website is enough to secure the iPhones (Activesync) and force it to use SSL (port 443).

If the test on the test site (https://testexchangeconnectivity.com) passes th Exchange Activesync test, then you are good to go.
0
 

Author Comment

by:kswan_expert
Comment Utility
Hi,
Thanks for your response.
What we want to do is restrict activesync so only devices that have the certificate installed are able to sync with exchange. from what I've read this requires  "require client certificates" in IIS, but this breaks the connection.

The only thing I can see that might be Causing this is our webmail server that the iphones connect to and that have the security certificate have port 443 open, but our exchange server (separate box) doesn't. i tested this with http://www.canyouseeme.org

Does port 443 need to be open on both servers?
Do i need to setup certificate security on both servers?

Many Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
You can restrict devices using Active Directory users and Computers - doing this with a certificate for the iPhone won't work because they don't need certificates installed on them - you just click on Continue and they are happy.

Port 443 needs to be open and forwarded the Exchange server (assuming you only have one), or the Front-End server if more than one.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now