Solved

How To Secure ActiveSync With a SSL Certificate

Posted on 2011-03-13
7
1,235 Views
Last Modified: 2012-05-11
Hi,

We're investigating using Activesync to connect iPhones to our Exchange 2003 server.
We want to use SSL Certificates to secure the connection to the devices

What is the process for setting up activesync to only communicate with devices that have the certificate installed?

We also want to be able to remotely wipe the phones, in order to do this do we just need to install the activesync administration tool?

Thanks
0
Comment
Question by:kswan_expert
7 Comments
 
LVL 17

Expert Comment

by:Malmensa
ID: 35125443
Best thing to do here is to purchase & install a 3rd party certificate.  Although it is possible in theory to "roll your own" certificate & install it on each device, it is a serious PITA to manage.

Godaddy are good, a one-year SSL certificate is around $50 per year. Follow the instructions on the site to do the install. Once you get the certificate installed, everything else gets really easy.
0
 
LVL 22

Expert Comment

by:chakko
ID: 35125458

For phone security on Exchange 2003 there is an add-on you can download
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en

Then modify the IIS settings so that SSL is required.
In the website properties, Directory Security tab, Secure Communications area click the Edit button.  
Put the checkbox in the Require Secure Channel (SSL)
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35125975
If you install a self-issued SSL certificate - you can't stop users from configuring their iPhone on your server and syncing.  If you install a 3rd party SSL certificate, then any mobile phone with Activesync will be able to sync to your server as long as the right settings are configured.

Whatever certificate you install / configure, the best way to restrict access is to disable the Mobile Sync options from the user's Active Directory Users and Computers account on the Exchange Features tab.  This will stop unauthorised mobiles from syncing.

If you do restrict access this way, then with 2003 - it makes no difference which type of certificate you install, but 3rd party ones can be easier to use longer term and you can secure your OWA site with a trusted SSL cert at the same time because it uses the default website, which is what Activesync uses.

Please have a read of my guide for details of how to configure your server to make sure Activesync is working properly (in case it isn't):

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

In terms of remote wipe - you will need to force a minimum of a 4-number PIN if you want to be able to remote wipe those phones, and you can configure that in Exchange System Manager > General > Mobile Services Properties.  Then, once you have installed the Mobile Admin pack, you can remotely wipe a phone if lost or stolen.

Alan
0

 

Author Comment

by:kswan_expert
ID: 35311682
Hi,
Thanks for all your help on this so far.
We've got a few iPhones in to test. I can get them to sync with Exchange perfectly, but when I try and set up ActiveSync to "require client certificates" the device can't connect anymore.
I've loaded the certificate from the server onto the iPhone and set up the credentials; it works when the "require client certificates" box isn't checked.

I think the problem is somewhere in IIS. There's a lot of info on how to set this up, but they all seem to be a slight bit different to how our environment is.

We've got Exchange 2003 running on one server and OWA running on another; this is the server I'm connecting to ("webmail.domain.com").

How should both servers be set up to require SSL certificates only for ActiveSync?

Thanks Again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35312202
You don't need "Client Certificates" - installing the certificate into IIS on the Default Website is enough to secure the iPhones (Activesync) and force it to use SSL (port 443).

If the test on the test site (https://testexchangeconnectivity.com) passes the Exchange Activesync test, then you are good to go.
0
 

Author Comment

by:kswan_expert
ID: 35338260
Hi,
Thanks for your response.
What we want to do is restrict ActiveSync so only devices that have the certificate installed are able to sync with Exchange. From what I've read this requires "require client certificates" in IIS, but this breaks the connection.

The only thing I can see that might be causing this is that our webmail server, which the iPhones connect to and which has the security certificate, has port 443 open, but our Exchange server (separate box) doesn't. I tested this with http://www.canyouseeme.org

Does port 443 need to be open on both servers?
Do I need to set up certificate security on both servers?

Many Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35352127
You can restrict devices using Active Directory Users and Computers - doing this with a certificate for the iPhone won't work because they don't need certificates installed on them - you just click on Continue and they are happy.

Port 443 needs to be open and forwarded to the Exchange server (assuming you only have one), or the Front-End server if more than one.
0
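An added audit script (not from this thread or from any of the posters) that checks, on the IIS 6 box hosting the Default Web Site, the two settings the thread turns on: chakko's "Require Secure Channel (SSL)" on the ActiveSync virtual directory, and the "Require client certificates" box that broke the iPhones. It reads the IIS 6 metabase through its WMI provider; the site ID of 1 and the virtual directory name are assumptions, so adjust them if your Default Web Site differs.

```powershell
# Added example: audit ActiveSync SSL settings on an Exchange 2003 / IIS 6 front-end.
# Assumes the Default Web Site has metabase ID 1 (override with -SiteId) and that the
# ActiveSync virtual directory is named Microsoft-Server-ActiveSync.
param(
    [string]$SiteId = "1",
    [string]$VDir   = "Microsoft-Server-ActiveSync"
)

$path = "W3SVC/$SiteId/ROOT/$VDir"
$vd = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebVirtualDirSetting `
        -Filter "Name='$path'"
if (-not $vd) { Write-Error "Virtual directory $path not found in the metabase"; exit 1 }

$findings = @()

# Directory Security tab -> "Require Secure Channel (SSL)" is the AccessSSL flag.
if (-not $vd.AccessSSL) {
    $findings += "SSL is NOT required on $VDir; devices can sync over plain HTTP (port 80)."
}

# "Require client certificates" is AccessSSLRequireCert. The thread found this
# stops the iPhones connecting, and it is not needed to force SSL.
if ($vd.AccessSSLRequireCert) {
    $findings += "Client certificates are REQUIRED on $VDir; iPhones without a client cert will fail."
} elseif ($vd.AccessSSLNegotiateCert) {
    $findings += "Client certificates are accepted but not required on $VDir (no restriction, but harmless)."
}

# A certificate must actually be bound to the site for port 443 to answer.
$site = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebServerSetting `
          -Filter "Name='W3SVC/$SiteId'"
if (-not $site -or -not $site.SecureBindings) {
    $findings += "No HTTPS binding (SecureBindings) on site $SiteId; check the certificate install."
}

if ($findings.Count -eq 0) {
    "OK: $VDir requires SSL and does not require client certificates."
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

Run it on the front-end (webmail) server, since that is the site the devices actually hit; the back-end Exchange box is reached via the front-end and does not need port 443 opened to the internet, as Alan notes above.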

