  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1252

How To Secure ActiveSync With a SSL Certificate

Hi,

We're investigating using Activesync to connect iPhones to our Exchange 2003 server.
We want to use SSL Certificates to secure the connection to the devices

What is the process for setting up activesync to only communicate with devices that have the certificate installed?

We also want to be able to remotely wipe the phones, in order to do this do we just need to install the activesync administration tool?

Thanks
0
Asked by: kswan_expert
1 Solution
 
Mal Osborne (Alpha Geek) commented:
Best thing to do here is to purchase & install a 3rd party certificate.  Although it is possible in theory to "roll your own" certificate & install it on each device, it is a serious PITA to manage.

GoDaddy are good; a one-year SSL certificate is around $50 per year. Follow the instructions on the site to do the install. Once you get the certificate installed, everything else gets really easy.
0
 
chakko commented:

For phone security on Exchange 2003 there is an add-on you can download
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en

Then modify the IIS settings so that SSL is required.
In the website properties, Directory Security tab, Secure Communications area, click the Edit button.
Tick the Require Secure Channel (SSL) checkbox.
0
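The IIS change chakko describes, as an added example that is not part of the thread: the "Require secure channel (SSL)" checkbox is the AccessSSL property of the virtual directory in the IIS 6 metabase, which PowerShell (2.0 or later, run on the Exchange front-end server) can set through the IIS ADSI provider. The script then probes the virtual directory over plain HTTP from the same machine and expects IIS to refuse it with 403 (sub-status 403.4, "SSL required"). The site ID 1 for the Default Web Site, the virtual directory name Microsoft-Server-ActiveSync and the host name webmail.domain.com (taken from the question) are assumptions; adjust them to the server.

```powershell
# Added example (not from the thread). Assumes the Default Web Site is site 1 in
# the IIS 6 metabase and the ActiveSync vdir is named Microsoft-Server-ActiveSync.
$vdirPath = "IIS://localhost/W3SVC/1/Root/Microsoft-Server-ActiveSync"
$vdir = [ADSI]$vdirPath

# AccessSSL    = "Require secure channel (SSL)" in Directory Security > Edit
# AccessSSL128 = "Require 128-bit encryption" on the same dialog
# (The "Require client certificates" radio button the question mentions is the
#  separate AccessSSLRequireCert property; it is deliberately left unset here.)
$vdir.Put("AccessSSL", $true)
$vdir.Put("AccessSSL128", $true)
$vdir.SetInfo()

# Read the values back from the metabase to confirm the write took effect
$vdir.RefreshCache()
"AccessSSL={0} AccessSSL128={1} AccessSSLFlags={2}" -f `
    $vdir.AccessSSL, $vdir.AccessSSL128, $vdir.AccessSSLFlags

function Test-SslRequired {
    # Returns $true when a plain-HTTP request to the vdir is refused with 403,
    # which is what IIS does (403.4) once AccessSSL is set; $false if the vdir
    # still answers over HTTP, so the change did not land on the right site/vdir.
    param([string]$HostName)

    $url = "http://$HostName/Microsoft-Server-ActiveSync"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = "OPTIONS"          # ActiveSync clients send OPTIONS first
    $req.AllowAutoRedirect = $false  # a redirect to https would still count as "answered"
    try {
        $resp = $req.GetResponse()
        Write-Warning ("{0} answered {1} over plain HTTP; SSL is not being enforced" -f `
            $url, [int]$resp.StatusCode)
        $resp.Close()
        return $false
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -ne $null -and [int]$resp.StatusCode -eq 403) {
            Write-Host "$url refused with 403: SSL is required"
            return $true
        }
        throw   # 401/404/connection failure means something else is wrong
    }
}

Test-SslRequired -HostName "webmail.domain.com"   # assumed host name from the question
```

If the probe returns 401 rather than 403, the request reached the authentication stage without being forced onto SSL, which usually means the property was set on a different site ID or on the wrong virtual directory; check with `cscript adsutil.vbs enum W3SVC/1/Root/Microsoft-Server-ActiveSync` which site actually carries the name.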
 
Alan Hardisty (Co-Owner) commented:
If you install a self-issued SSL certificate - you can't stop users from configuring their iPhone on your server and syncing.  If you install a 3rd party SSL certificate, then any mobile phone with Activesync will be able to sync to your server as long as the right settings are configured.

Whatever certificate you install / configure, the best way to restrict access is to disable the Mobile Sync options from the user's Active Directory Users and Computers account on the Exchange Features tab.  This will stop unauthorised mobiles from syncing.

If you do restrict access this way, then with 2003 - it makes no difference which type of certificate you install, but 3rd party ones can be easier to use longer term and you can secure your OWA site with a trusted SSL cert at the same time because it uses the default website, which is what Activesync uses.

Please have a read of my guide for details of how to configure your server to make sure Activesync is working properly (in case it isn't):

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

In terms of remote wipe - you will need to force a minimum of a 4-number PIN if you want to be able to remote wipe the phones and you can configure that in Exchange System Manager> General> Mobile Services Properties.  Then, once you have installed the Mobile Admin pack, you can remotely wipe a phone if lost or stolen.

Alan
0
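Alan's recommendation to restrict ActiveSync per user on the Exchange Features tab, as an added example that is not part of the thread: on Exchange 2003 that tab writes the user's msExchOmaAdminWirelessEnable attribute, a bitmask in which a set bit disables a feature (1 = Outlook Mobile Access, 2 = User Initiated Synchronization, 4 = Up-to-date Notifications). The script below uses plain ADSI (no Exchange cmdlets exist for 2003) to turn the two ActiveSync bits on for every mailbox-enabled user who is not a direct member of an allow-list group, and off for those who are, so that only approved users can pair a phone whatever certificate the server presents. The group name "ActiveSync Users", the domain DN and the $Apply switch are assumptions for illustration; run it with $Apply left at $false first and review the report.

```powershell
# Added example (not from the thread). Requires an account that can write
# Exchange attributes on user objects; run from a domain-joined machine.
$allowGroupDN = "CN=ActiveSync Users,OU=Groups,DC=domain,DC=com"  # assumed group
$Apply = $false   # $false = report only; $true = write the attribute

# Bit values of msExchOmaAdminWirelessEnable; a SET bit means the feature is DISABLED
$OMA_DISABLED  = 1   # Outlook Mobile Access
$SYNC_DISABLED = 2   # User Initiated Synchronization (ActiveSync)
$UTD_DISABLED  = 4   # Up-to-date Notifications
$ACTIVESYNC_BITS = $SYNC_DISABLED -bor $UTD_DISABLED

# Mailbox-enabled users only: homeMDB is set on every mailbox-enabled account
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
$searcher.PageSize = 500   # paged search so large domains are returned in full
[void]$searcher.PropertiesToLoad.AddRange(
    @("distinguishedName", "memberOf", "msExchOmaAdminWirelessEnable"))

foreach ($result in $searcher.FindAll()) {
    $dn     = [string]$result.Properties["distinguishedname"][0]
    $groups = @($result.Properties["memberof"])

    # Attribute is absent until someone touches the tab; absent means "all enabled"
    $current = 0
    if ($result.Properties["msexchomaadminwirelessenable"].Count -gt 0) {
        $current = [int]$result.Properties["msexchomaadminwirelessenable"][0]
    }

    # Direct membership only; nested groups are not expanded by memberOf
    $allowed = $groups -contains $allowGroupDN

    if ($allowed) {
        $desired = $current -band (-bnot $ACTIVESYNC_BITS)   # clear the two ActiveSync bits
    } else {
        $desired = $current -bor $ACTIVESYNC_BITS            # set them: no sync, no notifications
    }

    if ($desired -ne $current) {
        $action = if ($allowed) { "enable" } else { "disable" }
        "{0}: {1} -> {2} ({3} ActiveSync)" -f $dn, $current, $desired, $action
        if ($Apply) {
            $user = $result.GetDirectoryEntry()
            $user.Put("msExchOmaAdminWirelessEnable", $desired)
            $user.SetInfo()
        }
    }
}
```

Because the check happens on the server side for each user, it applies to every device type, not only iPhones, and a phone that was already paired stops syncing as soon as the attribute change replicates. Confirm the stored value afterwards in ADSI Edit, or by re-running the script with $Apply still $false, which should then report no changes.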
 
kswan_expert (Author) commented:
Hi,
Thanks for all your help on this so far.
We've got a few iPhones in to test. I can get them to sync with Exchange perfectly, but when I try and set up ActiveSync to "require client certificates" the device can't connect anymore.
I've loaded the certificate from the server onto the iPhone and set up the credentials; it works when the "require client certificates" box isn't checked.

I think the problem is somewhere in IIS. There's a lot of info on how to set this up, but they all seem to be a slight bit different to how our environment is.

We've got Exchange 2003 running on one server and OWA running on another; this is the server I'm connecting to ("webmail.domain.com").

How should both servers be set up to require SSL certificates only for ActiveSync?

Thanks Again
0
 
Alan Hardisty (Co-Owner) commented:
You don't need "Client Certificates" - installing the certificate into IIS on the Default Website is enough to secure the iPhones (Activesync) and force it to use SSL (port 443).

If the test on the test site (https://testexchangeconnectivity.com) passes the Exchange Activesync test, then you are good to go.
0
 
kswan_expert (Author) commented:
Hi,
Thanks for your response.
What we want to do is restrict ActiveSync so only devices that have the certificate installed are able to sync with Exchange. From what I've read this requires "require client certificates" in IIS, but this breaks the connection.

The only thing I can see that might be causing this is that our webmail server, which the iPhones connect to and which has the security certificate, has port 443 open, but our Exchange server (separate box) doesn't. I tested this with http://www.canyouseeme.org

Does port 443 need to be open on both servers?
Do I need to set up certificate security on both servers?

Many Thanks.
0
 
Alan Hardisty (Co-Owner) commented:
You can restrict devices using Active Directory Users and Computers - doing this with a certificate for the iPhone won't work because they don't need certificates installed on them - you just click on Continue and they are happy.

Port 443 needs to be open and forwarded to the Exchange server (assuming you only have one), or the Front-End server if more than one.
0
