Solved

How To Secure ActiveSync With a SSL Certificate

Posted on 2011-03-13 · 1,240 Views · Last Modified: 2012-05-11
Hi,

We're investigating using ActiveSync to connect iPhones to our Exchange 2003 server.
We want to use SSL certificates to secure the connection to the devices.

What is the process for setting up ActiveSync to only communicate with devices that have the certificate installed?

We also want to be able to remotely wipe the phones. In order to do this, do we just need to install the ActiveSync administration tool?

Thanks
Question by: kswan_expert
7 Comments
 
LVL 18

Expert Comment

by: Mal Osborne
ID: 35125443
The best thing to do here is to purchase and install a 3rd-party certificate. Although it is possible in theory to "roll your own" certificate and install it on each device, it is a serious PITA to manage.

GoDaddy are good; a one-year SSL certificate is around $50 per year. Follow the instructions on the site to do the install. Once you get the certificate installed, everything else gets really easy.
 
LVL 22

Expert Comment

by: chakko
ID: 35125458

For phone security on Exchange 2003 there is an add-on you can download:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en

Then modify the IIS settings so that SSL is required.
In the website properties, on the Directory Security tab, in the Secure Communications area, click the Edit button.
Tick the Require Secure Channel (SSL) checkbox.
 
LVL 76

Accepted Solution

by: Alan Hardisty (earned 500 total points)
ID: 35125975
If you install a self-issued SSL certificate, you can't stop users from configuring their iPhone on your server and syncing. If you install a 3rd-party SSL certificate, then any mobile phone with ActiveSync will be able to sync to your server as long as the right settings are configured.

Whatever certificate you install / configure, the best way to restrict access is to disable the Mobile Sync options from the user's Active Directory Users and Computers account on the Exchange Features tab. This will stop unauthorised mobiles from syncing.

If you do restrict access this way, then with 2003 it makes no difference which type of certificate you install, but 3rd-party ones can be easier to use longer term, and you can secure your OWA site with a trusted SSL cert at the same time because it uses the Default Website, which is what ActiveSync uses.

Please have a read of my guide for details of how to configure your server to make sure ActiveSync is working properly (in case it isn't):

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

In terms of remote wipe, you will need to force a minimum of a 4-digit PIN if you want to be able to remote wipe the phones, and you can configure that in Exchange System Manager > General > Mobile Services Properties. Then, once you have installed the Mobile Admin pack, you can remotely wipe a phone if it is lost or stolen.

Alan

Author Comment

by: kswan_expert
ID: 35311682
Hi,
Thanks for all your help on this so far.
We've got a few iPhones in to test. I can get them to sync with Exchange perfectly, but when I try to set up ActiveSync to "require client certificates" the device can't connect any more.
I've loaded the certificate from the server onto the iPhone and set up the credentials; it works when the "require client certificates" box isn't checked.

I think the problem is somewhere in IIS. There's a lot of info on how to set this up, but they all seem to be slightly different from how our environment is.

We've got Exchange 2003 running on one server and OWA running on another; this is the server I'm connecting to ("webmail.domain.com").

How should both servers be set up to require SSL certificates only for ActiveSync?

Thanks again
 
LVL 76

Expert Comment

by: Alan Hardisty
ID: 35312202
You don't need "Client Certificates": installing the certificate into IIS on the Default Website is enough to secure the iPhones (ActiveSync) and force it to use SSL (port 443).

If the test on the test site (https://testexchangeconnectivity.com) passes the Exchange ActiveSync test, then you are good to go.
 

Author Comment

by: kswan_expert
ID: 35338260
Hi,
Thanks for your response.
What we want to do is restrict ActiveSync so only devices that have the certificate installed are able to sync with Exchange. From what I've read this requires "require client certificates" in IIS, but this breaks the connection.

The only thing I can see that might be causing this is that our webmail server, which the iPhones connect to and which has the security certificate, has port 443 open, but our Exchange server (a separate box) doesn't. I tested this with http://www.canyouseeme.org

Does port 443 need to be open on both servers?
Do I need to set up certificate security on both servers?

Many thanks.
 
LVL 76

Expert Comment

by: Alan Hardisty
ID: 35352127
You can restrict devices using Active Directory Users and Computers. Doing this with a certificate for the iPhone won't work because they don't need certificates installed on them; you just click on Continue and they are happy.

Port 443 needs to be open and forwarded to the Exchange server (assuming you only have one), or to the Front-End server if you have more than one.
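The thread settles on three things an administrator should verify after the change: port 443 is published to the front end, the certificate on the Default Website is one devices will trust without prompting, and "Require Secure Channel (SSL)" is actually enforced on the ActiveSync virtual directory. The script below is an added example written for this page, not code from any of the posters or from Microsoft; it assumes a placeholder hostname (`webmail.example.com`), assumes IIS 6's default error page is in use (that page names sub-status 403.4 in its body when SSL is required), and reports findings in defender terms only.

```python
# Added example (not from the thread): post-change checks for an Exchange 2003
# ActiveSync front end. HOST is a constructed placeholder for the webmail name.
import socket
import ssl
import http.client

HOST = "webmail.example.com"           # placeholder; replace with the front-end name
ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"
TIMEOUT = 5


def port_open(host, port=443, timeout=TIMEOUT):
    """True if a TCP connection to host:port succeeds (the 'is 443 published?' check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def certificate_trust(host, port=443, timeout=TIMEOUT):
    """Handshake using the system trust store with hostname checking.
    'trusted'     : chain validates, so devices accept it without a prompt
    'untrusted'   : self-issued or mismatched cert (devices prompt or fail)
    'unreachable' : no usable TLS endpoint on that port"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except (ssl.SSLError, OSError):
        return "unreachable"


def classify_plain_http(status, body):
    """Interpret the reply to an unencrypted GET of the ActiveSync path.
    With 'Require Secure Channel (SSL)' set, IIS 6 answers 403 and its default
    error page names sub-status 403.4 in the body (assumption: default pages)."""
    if status == 403 and "403.4" in body:
        return "ssl-required"
    if status in (301, 302, 307):
        return "redirect"
    if status in (200, 401):
        # An auth challenge or content over plain HTTP means SSL is not enforced
        return "plain-http-allowed"
    if status == 403:
        return "forbidden"
    return "other"


def probe_plain_http(host, path=ACTIVESYNC_PATH, timeout=TIMEOUT):
    """Fetch the ActiveSync path over port 80 and classify what came back."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify_plain_http(resp.status, body)
    except OSError:
        return "unreachable"
    finally:
        conn.close()


def findings(port_ok, trust, plain):
    """Turn the three probe results into a list of things to fix (empty = fine)."""
    out = []
    if not port_ok:
        out.append("port 443 not reachable: publish/forward 443 to the front end")
    if trust == "untrusted":
        out.append("certificate not trusted by default stores: expect device prompts")
    if plain == "plain-http-allowed":
        out.append("ActiveSync answers over plain HTTP: enable Require SSL in IIS")
    return out


if __name__ == "__main__":
    port_ok = port_open(HOST)
    trust = certificate_trust(HOST)
    plain = probe_plain_http(HOST)
    print(f"443 open: {port_ok}, certificate: {trust}, plain HTTP: {plain}")
    for item in findings(port_ok, trust, plain) or ["no issues found"]:
        print(" -", item)
```

Run it from outside the network (as the thread's canyouseeme.org test does) to see what a device on the Internet sees; the "plain-http-allowed" finding is the one that indicates the Require SSL checkbox was not applied to the virtual directory the devices actually hit.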
