iPhone Exchange 2007 deployment

My organization has decided to replace our Blackberry phones with iPhone 4S'. We are currently using BES express which I will be removing soon. Our Exchange server is behind our firewall (not in a DMZ) and email traffic is port forwarded to it. We are using Exchange Server 2007 SP2 which is installed on a Server 2008 64-bit Standard machine. Outlook web access is currently not accessible from outside our LAN. Our exchange server is using a self signed certificate which I created after the default certificate expired after one year. We want to use certificate based authentication instead of basic authentication.

It is my understanding that Outlook web access needs to be accessible from outside the domain (or at least TCP 443 which OWA utilizes) on the exchange server for these phones to communicate with the server. I have also read that the iPhones will receive certificate validation errors unless I use an SSL certificate from a CA in our domain or a third party CA. I'm considering purchasing an SSL certificate from godaddy.com for our exchange server. I've read that I will need to generate a certificate request using the exchange shell to send to the third party that we are requesting the certificate from. Afterwards, I will need to install the certificate on the exchange server.

So, after I have made the appropriate changes to the firewall to port forward traffic to our email server and I have purchased an SSL certificate from a trusted provider, what do I do next to integrate the iPhone with our environment? I have read the documentation on Apple's website (if you can call it documentation, more like guidelines). I've read a little about enabling an Activesync policy, but I am still unsure of how to get the activesync policy onto the iPhone. Do I have to use the iPhone configuration utility or is this optional? Do I simply configure an activesync policy and then connect the iPhone to the exchange server via the "Mail" app on the phone?
cshell_1987Asked:
Alan HardistyCo-OwnerCommented:
Activesync Policies are pushed to the iPhones when they first connect to the server via port 443.  You can create / amend / tweak these in the Exchange Management Console > Organization Config > Client Access > Exchange Activesync Mailbox Policies tab.

Make sure you configure the policy with "Require Password" and "Allow Simple Password" (Password Tab) and set the "Refresh Interval" (General Tab), otherwise you can't remotely wipe the phones if lost, and if you decide to change something in the policy without having set the refresh interval, the phones won't ever check for policy changes.  The rest of the settings are up to you - those would be the bare minimum I would recommend be set by default.

GoDaddy is about the cheapest place to buy an SSL certificate; make sure you buy a SAN / UCC SSL certificate or you will get certificate errors.  Also include the following names in the certificate:

mail.domain.com (or whatever you prefer to use)
autodiscover.domain.com
internalservername.internaldomainname.local
internalservername

You can figure out what to put in the CSR by visiting the following site:

https://www.digicert.com/easy-csr/exchange2007.htm

Then copy / paste the output to your Exchange Management Shell.

Buy the cert - use the credit, request the cert, copy / paste the contents of the CSR into the request, complete the request.  Once approved (make sure the Admin Contact for the domain is an email address you can access before requesting the certificate).

Once the cert is approved and issued, download it, import it and enable it for use with Exchange.

Import Certificate:
http://technet.microsoft.com/en-us/library/bb124424(EXCHG.80).aspx

Enable Certificate:
http://technet.microsoft.com/en-us/library/aa997231(EXCHG.80).aspx

Once the certificate is installed, check all is well by visiting https://testexchangeconnectivity.com and run the Activesync test.

Make sure you have configured Autodiscover too (add an A record called Autodiscover to your External DNS records for your domain that points to the IP Address of your Exchange Server).

Job done hopefully.

Alan
0
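The certificate and policy steps Alan describes above, written out for the Exchange 2007 SP2 Management Shell. This is an added example and not part of the thread; the domain names, organisation string, file paths and the "iPhone Users" policy values are placeholders, and the thumbprint is read back from the imported certificate object rather than typed in.

```powershell
# Added example (not from the thread): Exchange 2007 SP2 Management Shell steps for the
# SAN/UCC certificate and the ActiveSync mailbox policy. All names and paths are placeholders.

# 1. Generate the CSR with the four names listed above: public name, autodiscover,
#    internal FQDN of the CAS server and its short (NetBIOS) name. The cn in -SubjectName
#    must be one of the -DomainName entries.
$names = @(
    "mail.example.com",          # external name the iPhones and OWA users will connect to
    "autodiscover.example.com",  # needed for Autodiscover / Out of Office / OAB
    "exchange.example.local",    # internal FQDN of the Exchange server
    "exchange"                   # internal short name
)
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Ltd, cn=mail.example.com" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path "C:\certreq\mail.example.com.req"
# Paste the contents of the .req file into the CA's request form.

# 2. Import the issued certificate and enable it for IIS (OWA / ActiveSync) and SMTP.
$cert = Import-ExchangeCertificate -Path "C:\certreq\mail.example.com.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# Confirm the new certificate is the one bound to IIS and carries the expected names.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Services, CertificateDomains, NotAfter, IsSelfSigned

# 3. Harden the default ActiveSync mailbox policy: require a passcode (simple PIN allowed),
#    lock after inactivity, wipe after repeated failures, refuse devices that cannot apply
#    the policy, and make phones re-read the policy hourly so later changes reach them.
Set-ActiveSyncMailboxPolicy -Identity "Default" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $true `
    -MinDevicePasswordLength 4 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePolicyRefreshInterval "01:00:00" `
    -AllowNonProvisionableDevices $false

# Verify the settings that matter for remote wipe and policy refresh.
Get-ActiveSyncMailboxPolicy -Identity "Default" |
    Format-List DevicePasswordEnabled, AllowSimpleDevicePassword, `
                MaxDevicePasswordFailedAttempts, DevicePolicyRefreshInterval
```

Run the Get- cmdlets at the end of each stage before moving on: a certificate that is imported but never enabled for IIS still leaves the old self-signed one in place, and a policy whose refresh interval is left at Unlimited will never be re-sent to phones that have already provisioned.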
 
SCarrisonCommented:
Hi

You are doing all the right things

Make OWA accessible on the internet with a public DNS entry and "real" cert.

On the iPhone you just need to go Settings > Mail > Add account > Exchange account and provide the requested details (username, password, domain & OWA server address)

It really is that simple.

If you want to force your phones to lock-out after a certain amount of time or require a PIN to unlock them to safeguard your company's e-mail data you can do that through the Ex2K7 admin console.  You can also remote wipe devices that have been stolen/lost through the admin console.

See: http://technet.microsoft.com/en-us/library/bb123783(EXCHG.80).aspx

p.s in Exchange 2010 the certificate generation etc. has been moved to the console as well, instead of having to use IIS/PowerShell
0
 
cshell_1987Author Commented:
By public DNS entry, I suppose you mean that we need to have an (A) and (PTR) record on our ISP's DNS server instead of just an mx record in order for us to be able to connect to the exchange server internally?
0
 
cshell_1987Author Commented:
Make sure you have configured Autodiscover too (add an A record called Autodiscover to your External DNS records for your domain that points to the IP Address of your Exchange Server).

So I will need to add an (A) record for autodiscover and for the hostname of my exchange server on our public DNS server that points to the "private" IP address of the exchange server?
0
 
Alan HardistyCo-OwnerCommented:
A records require IP Addresses - not Hostnames, so add the A record and the IP Address that resolves to your Exchange server (Public IP Address).
0
 
cshell_1987Author Commented:
alanhardisty,

Thank you for your input. Just to verify, I will have two (A) records.

autodiscover.mydomain.net  (Public IP address)
mail.mydomain.net (Public IP address)
0
 
Alan HardistyCo-OwnerCommented:
Yes - that's perfect (you're welcome).
0
 
Alan HardistyCo-OwnerCommented:
Autodiscover will allow Out Of Office to work and The Offline Address Book to be located in Outlook 2007 / 2010 clients.  It will also mean setting up the iPhone is as simple as adding the email address and password.
0
 
Alan HardistyCo-OwnerCommented:
You can also control which users / devices can connect to your server (everyone / any device is enabled by default), so if you liked the control of the Blackberries, then you will need to tweak Exchange to not allow every user and any device to connect.
0
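The per-user and per-device control Alan mentions above, together with the remote wipe SCarrison refers to earlier, as an added Exchange 2007 SP2 Management Shell example that is not part of the thread. The group name "iPhone Users", the mailbox "jdoe" and the notification address are placeholders.

```powershell
# Added example (not from the thread): restrict ActiveSync to approved users and their
# known devices on Exchange 2007 SP2, then remote-wipe a lost phone. Names are placeholders.

# 1. ActiveSync is on for every mailbox by default. Turn it off everywhere first...
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Set-CASMailbox -ActiveSyncEnabled $false

# ...then re-enable it only for members of an approved distribution group.
$approved = Get-DistributionGroupMember -Identity "iPhone Users"
foreach ($member in $approved) {
    Set-CASMailbox -Identity $member.Identity -ActiveSyncEnabled $true
}

# 2. After each user has synced once, pin the mailbox to the device IDs it has already
#    partnered with, so a different phone using the same credentials is refused.
foreach ($member in $approved) {
    $devices = Get-ActiveSyncDeviceStatistics -Mailbox $member.Identity
    if ($devices) {
        $ids = @($devices | ForEach-Object { $_.DeviceID })
        Set-CASMailbox -Identity $member.Identity -ActiveSyncAllowedDeviceIDs $ids
    }
}

# 3. Report who can sync and from which devices.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs -AutoSize

# 4. Remote wipe for a lost phone: locate its partnership, issue the wipe, and check that
#    the request is recorded. The wipe only completes when the device next connects,
#    which is why DeviceWipeAckTime stays empty until then.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceType -eq "iPhone" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "helpdesk@example.com" -Confirm:$false
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Format-List DeviceID, DeviceType, LastSyncAttemptTime, DeviceWipeRequestTime, DeviceWipeAckTime
```

Step 2 only works after the first sync has created the partnership, so it belongs at the end of the rollout rather than the start; until then, step 1 alone already stops every other mailbox from connecting.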
 
cshell_1987Author Commented:
If I require a client certificate, are there any additional steps that must be taken to configure the iPhone to use certificate based authentication rather than just entering the username and password for the exchange server in the "mail" app on the iPhone?

Thank you.
activesyncauthnetication.png
0
 
cshell_1987Author Commented:
Thank you alanhardisty.

I've already disabled Outlook web access for all of our users except for those who will be connecting with their iPhones. I may disable the activesync policy for those users as well since it's enabled by default.
0
 
Alan HardistyCo-OwnerCommented:
I have never deployed iPhones with Certificate Based Authentication - but the following Apple Guide should help in this respect:

http://support.apple.com/manuals/en_US/Enterprise_Deployment_Guide.pdf

0
 
Rob KnightConsultantCommented:
Hi,

Appreciate you're some way down the ActiveSync route, but have you considered a BES like solution such as Good for Enterprise?

Benefits are:

1. Support iOS Smartphones and Tablets as well as Android devices
2. Only outbound traffic from server to Good NOC
3. Integrated Mobile Device Management - with iOS MDM Certificate, full iOS control available to restrict functionality, application installs etc.
4. Application deployment
5. On iOS, Secure Browser for Intranet access - access internal sites using Good encrypted connection
6. FIPS 140-2 certified encryption for on device and OTA - Apple iOS has no assured encryption at this stage
7. Jailbreak and Root detection - wipe corporate data in the event that the device is jailbroken or rooted - iOS has no native remote data wipe capability in this instance. In addition, a jailbroken device can be compromised and data extracted even if passcode protected (ActiveSync credentials, for example)
8. Full OTA wipe and policy control for password history, complexity etc, - assign policies to just the Good application or device itself.
9. Available from Telcos such as AT&T, Verizon, Vodafone etc.
10. Secure enough to be used by US Government and many others overseas.

Regards,


RobMobility.
0
 
cshell_1987Author Commented:
RobMobility,

I have read through some of the documentation on Good's website as well as reviews of the app from end users on the app store. After discussing with my IT manager, we decided to go with the Activesync route. We're about to start testing next week. I have some questions in regard to the SSL certificate if you guys don't mind to help me.

I just purchased an SSL certificate through godaddy which was a UCC certificate. It allows us to use 5 FQDNs. Our environment is a little bit tricky. We host our own exchange server (exchange.mybusiness.net), but our exchange server accepts mail from another domain (our website, which is mybusinesswebsite.com) and even uses the website domain as the reply-to email address. Our public DNS servers for our website's domain have mx records that point to our public DNS servers, which have mx records that point to our exchange server. Emails that are sent to our exchange server are filtered by postini (which recognizes the website domain as an accepted domain).

So internally, our domain is mybusiness.net and mybusiness.local but anyone who receives an email from us sees the mybusinesswebsite.com as the sender because the default email address has been changed for each of our users. I hope I didn't just make things sound too confusing.

I want to make sure that I asked for the right FQDNs for the certificate.

exchange.mybusiness.local
mail.mybusiness.net
mail.mybusinesswebsite.com
autodiscover.mybusiness.net
autodiscover.mybusinesswebsite.com

We have a cname record on our internal DNS for mail which points to the host name (exchange) of the exchange server. We also have an A record for autodiscover which points to the IP address of the exchange server.
0
 
Alan HardistyCo-OwnerCommented:
The cert names you will need are as per my earlier comment:

mail.domain.com (or whatever you prefer to use)
autodiscover.domain.com
internalservername.internaldomainname.local
internalservername

You can host multiple domain names on your server without including the names in the certificate.  We have a customer with 60 domain names on their server with a 5-Name SAN / UCC SSL cert.

If you use any other names in the certificate - there will be errors.
0
 
cshell_1987Author Commented:
Thank you so much for your help.
0
 
Alan HardistyCo-OwnerCommented:
You are welcome - hope it all went smoothly for you.

Alan
0