cshell_1987 (United States of America) asked:
iPhone Exchange 2007 deployment

My organization has decided to replace our Blackberry phones with iPhone 4S'. We are currently using BES express which I will be removing soon. Our Exchange server is behind our firewall (not in a DMZ) and email traffic is port forwarded to it. We are using Exchange Server 2007 SP2 which is installed on a Server 2008 64-bit Standard machine. Outlook web access is currently not accessible from outside our LAN. Our exchange server is using a self signed certificate which I created after the default certificate expired after one year. We want to use certificate based authentication instead of basic authentication.

It is my understanding that Outlook web access needs to be accessible from outside the domain (or at least TCP 443 which OWA utilizes) on the exchange server for these phones to communicate with the server. I have also read that the iPhones will receive certificate validation errors unless I use an SSL certificate from a CA in our domain or a third party CA. I'm considering purchasing an SSL certificate from godaddy.com for our exchange server. I've read that I will need to generate a certificate request using the exchange shell to send to the third party that we are requesting the certificate from. Afterwards, I will need to install the certificate on the exchange server.

So, after I have made the appropriate changes to the firewall to port forward traffic to our email server and I have purchased an SSL certificate from a trusted provider, what do I do next to integrate the iPhone with our environment? I have read the documentation on Apple's website (if you can call it documentation, more like guidelines). I've read a little about enabling an Activesync policy, but I am still unsure of how to get the activesync policy onto the iPhone. Do I have to use the iPhone configuration utility or is this optional? Do I simply configure an activesync policy and then connect the iPhone to the exchange server via the "Mail" app on the phone?
SCarrison (United Kingdom) replied:

Hi

You are doing all the right things

Make OWA accessible on the internet with a public DNS entry and "real" cert.

On the iPhone you just need to go Settings > Mail > Add account > Exchange account and provide the requested details (username, password, domain & OWA server address)

It really is that simple.

If you want to force your phones to lock-out after a certain amount of time or require a PIN to unlock them to safeguard your company's e-mail data you can do that through the Ex2K7 admin console.  You can also remote wipe devices that have been stolen/lost through the admin console.

See: http://technet.microsoft.com/en-us/library/bb123783(EXCHG.80).aspx

P.S. In Exchange 2010 the certificate generation etc. has been moved to the console as well, instead of having to use IIS/PowerShell.
cshell_1987 (asker):
By public DNS entry, I suppose you mean that we need to have an (A) and (PTR) record on our ISP's DNS server instead of just an mx record in order for us to be able to connect to the exchange server internally?
ASKER CERTIFIED SOLUTION by Alan Hardisty (United Kingdom): solution body not included on this page.
Make sure you have configured Autodiscover too (add an A record called Autodiscover to your External DNS records for your domain that points to the IP Address of your Exchange Server).

So I will need to add an (A) record for autodiscover and for the hostname of my exchange server on our public DNS server that points to the "private" IP address of the exchange server?
A records require IP Addresses - not Hostnames, so add the A record and the IP Address that resolves to your Exchange server (Public IP Address).
alanhardisty,

Thank you for your input. Just to verify, I will have two (A) records.

autodiscover.mydomain.net  (Public IP address)
mail.mydomain.net (Public IP address)
Yes - that's perfect (you're welcome).
Autodiscover will allow Out Of Office to work and The Offline Address Book to be located in Outlook 2007 / 2010 clients.  It will also mean setting up the iPhone is as simple as adding the email address and password.
You can also control which users / devices can connect to your server (everyone / any device is enabled by default), so if you liked the control of the Blackberries, then you will need to tweak Exchange to not allow every user and any device to connect.
If I require a client certificate, are there any additional steps that must be taken to configure the iPhone to use certificate based authentication rather than just entering the username and password for the exchange server in the "mail" app on the iPhone?

Thank you.
[attached image: activesyncauthnetication.png]
Thank you alanhardisty.

I've already disabled Outlook web access for all of our users except for those who will be connecting with their iPhones. I may disable the activesync policy for those users as well since it's enabled by default.
I have never deployed iPhones with Certificate Based Authentication - but the following Apple Guide should help in this respect:

http://support.apple.com/manuals/en_US/Enterprise_Deployment_Guide.pdf

Hi,

Appreciate you're some way down the ActiveSync route, but have you considered a BES like solution such as Good for Enterprise?

Benefits are:

1. Support iOS Smartphones and Tablets as well as Android devices
2. Only outbound traffic from server to Good NOC
3. Integrated Mobile Device Management - with iOS MDM Certificate, full iOS control available to restrict functionality, application installs etc.
4. Application deployment
5. On iOS, Secure Browser for Intranet access - access internal sites using Good encrypted connection
6. FIPS 140-2 certified encryption for on device and OTA - Apple iOS has no assured encryption at this stage
7. Jailbreak and Root detection - wipe corporate data in the event that device is jailbroken or rooted - iOS has no native remote data wipe capability in this instance. In addition, a jailbroken device can be compromised and data extracted even if passcode protected (ActiveSync credentials, for example)
8. Full OTA wipe and policy control for password history, complexity etc. - assign policies to just the Good application or device itself.
9. Available from Telcos such as AT&T, Verizon, Vodafone etc.
10. Secure enough to be used by US Government and many others overseas.

Regards,


RobMobility.
RobMobility,

I have read through some of the documentation on Good's website as well as reviews of the app from end users on the app store. After discussing with my IT manager, we decided to go with the Activesync route. We're about to start testing next week. I have some questions in regard to the SSL certificate if you guys don't mind helping me.

I just purchased an SSL certificate through godaddy which was a UCC certificate. It allows us to use 5 FQDNs. Our environment is a little bit tricky. We host our own exchange server (exchange.mybusiness.net), but our exchange server accepts mail from another domain (our website, which is mybusinesswebsite.com) and even uses the website domain as the reply-to email address. Our public DNS servers for our website's domain have mx records that point to our public DNS servers, which have mx records that point to our exchange server. Emails that are sent to our exchange server are filtered by postini (which recognizes the website domain as an accepted domain).

So internally, our domain is mybusiness.net and mybusiness.local but anyone who receives an email from us sees the mybusinesswebsite.com as the sender because the default email address has been changed for each of our users. I hope I didn't just make things sound too confusing.

I want to make sure that I asked for the right FQDNs for the certificate.

exchange.mybusiness.local
mail.mybusiness.net
mail.mybusinesswebsite.com
autodiscover.mybusiness.net
autodiscover.mybusinesswebsite.com

We have a cname record on our internal DNS for mail which points to the host name (exchange) of the exchange server. We also have an A record for autodiscover which points to the IP address of the exchange server.
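A small audit of the two things this thread keeps coming back to (public A records for the published names, which must not carry LAN addresses, and a certificate SAN list that covers every FQDN the phones will connect to), written here as an added example in Python; it is not from the thread or from Experts Exchange, and the DNS answers and SAN list below are constructed stand-ins for the poster's names (one address is deliberately a private one, and the .local name is included to show why it cannot be used on a public certificate today).

```python
import ipaddress

# Constructed sample data modelled on the thread's names (not real records).
REQUIRED_NAMES = [
    "mail.mybusiness.net",
    "autodiscover.mybusiness.net",
    "mail.mybusinesswebsite.com",
    "autodiscover.mybusinesswebsite.com",
]
# Hypothetical answers from the public DNS zone; 10.0.0.5 is a deliberate mistake.
PUBLIC_DNS = {
    "mail.mybusiness.net": "203.0.113.10",
    "autodiscover.mybusiness.net": "10.0.0.5",
    "mail.mybusinesswebsite.com": "203.0.113.10",
}
# Hypothetical SAN list read from the issued UCC certificate.
CERT_SANS = [
    "mail.mybusiness.net",
    "autodiscover.mybusiness.net",
    "mail.mybusinesswebsite.com",
    "exchange.mybusiness.local",
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def san_matches(san, host):
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return False


def audit_publishing(required, dns, sans):
    """Return (name, problem) pairs for anything a phone would trip over."""
    findings = []
    for host in required:
        ip = dns.get(host)
        if ip is None:
            findings.append((host, "no public A record"))
        elif any(ipaddress.ip_address(ip) in net for net in RFC1918):
            findings.append((host, f"A record points to private (RFC 1918) address {ip}"))
        if not any(san_matches(s, host) for s in sans):
            findings.append((host, "not covered by certificate SAN list"))
    for san in sans:
        if san.endswith(".local"):
            # Public CAs stopped issuing certificates for such names in 2015.
            findings.append((san, "internal-only name; public CAs no longer issue these"))
    return findings
```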
SOLUTION: solution body not included on this page.
Thank you so much for your help.
You are welcome - hope it all went smoothly for you.

Alan