Thursday, 24 December 2009

ActiveSync on IAG, with iPhones

The mobile phone contracts at work are up, so I have been investigating alternatives. We were previously using Blackberrys, but I've been looking into more cost-effective options. Since the Blackberry server was installed, we have upgraded to Exchange 2007, which gives us the ability to use Push Mail/ActiveSync, something that was not an option on our previous mail server.

I was given a couple of test phones to trial ActiveSync on a Windows Mobile and a Nokia device.

First off, I had to ensure ActiveSync was enabled on the Exchange server, and fortunately a "vanilla" build of Exchange 2007 has it enabled on install.

The next thing was to create a NAT rule on my firewall to allow the ActiveSync traffic from the internet to the Exchange server. This was only a temporary rule while I was testing that ActiveSync worked, before the rule was removed again.

My security/paranoia head would not allow me to leave this rule in place, as I would not recommend to anyone having a rule that allows direct connectivity from the internet to any mail server. (BTW that also includes email, as there are plenty of mail relay options, such as a Barracuda Spam Firewall; blog post for another day!)

Here at e92plus, as the saying goes, "we eat our own dog food": we use a Celestix WSA IAG appliance as our remote access solution.

The next step was for me to create a way for the mobile device to connect to my Exchange server without a direct connection. I configured one of our external IP addresses to NAT into the DMZ of our firewall. I then had to add an additional IP address on the external adapter of the Celestix WSA appliance to match the DMZ IP address of the NAT rule. I also created a new prefix for our domain and mapped that to the external IP address I'm using.

Now on to IAG: I created a new webmail trunk and selected ActiveSync. I defined the domain, selected the DMZ IP address, defined the details of my Exchange server, and then activated the configuration.

I took the Trusted Root Certificate from my Exchange server and applied that to the IAG appliance.

From the mobile devices, I defined the domain, username and password. For the server address, I use the new IAG portal address.

It worked perfectly on the demo Nokia E63 and the HTC Touch; although the interfaces were different, the information required to log in was the same. This allows the devices to sync up emails, contacts, calendar and tasks.

After much deliberation, I decided that I wanted an iPhone as my mobile device. Although I am still waiting for the SIM to be activated, ActiveSync is syncing my email, contacts and calendar via my wireless network, so once the iPhone can get onto the O2 3G network, it will be working as it should!

For added security/paranoia, on the Exchange server I have also enabled mandatory passwords on the device, mandatory encryption of the storage and the ability to remote wipe the devices, so pretty much the core features of a Blackberry server, at a much lower cost!


Tuesday, 6 October 2009

ActiveSync on IAG - Certificate Issues

I realised the other day that I hadn't updated the issue that was encountered within this blog post about ActiveSync on IAG.

Well, the issue turned out to be certificate related. The Exchange server was using a self-signed certificate, so the trusted root certificate had to be added to the mobile devices.

There is some well documented information with regards to configuring Exchange 2003 ActiveSync using a self-signed SSL certificate.

Export the root certificate

  1. On the Certificate Authority that issued the certificate to the Exchange server, open the Control Panel and double click Internet Options. NOTE - this guide assumes that you are using a Microsoft CA.
  2. Click on the Content tab and then on the Certificates button.
  3. Click on the Trusted Root Certification Authorities tab.
  4. Locate the trusted root certificate for your domain. It is vital that the certificate be trusted rather than be listed under any other tab. Select the certificate and click on the Export button.
  5. The Export Certificate Wizard will be displayed, click Next.
  6. Select the option to export the certificate in DER encoded binary X.509 (.CER) format and click Next.
  7. Enter a name for the certificate and specify where you would like the file saved. Click Next.
  8. Click Finish and then OK.

Install the root certificate onto the client device

  1. Now locate the .cer file created and copy it to your PDA via Microsoft ActiveSync to any folder on the device (for a Windows Mobile device), or using the appropriate synchronisation software for your device. Alternatively the file could also be saved to a memory card or transferred via Bluetooth.
  2. On the PDA, open File Explorer and browse to the folder where you saved the certificate.
  3. Tap on the icon for the certificate and tap Yes to install it when prompted.
  4. On a Windows Mobile device, tap on Start → Settings → System → Certificates → Root and verify that the certificate is listed.
  5. You are now ready to use Server ActiveSync securely, using your own SSL certificate.

There is also some useful troubleshooting information here: http://blogs.technet.com/edgeaccessblog/archive/2008/07/29/publishing-microsoft-activesync-through-iag-2007-part-2-of-2.aspx


Tuesday, 25 August 2009

ActiveSync on IAG

ActiveSync is a pretty straightforward component to activate on IAG... or at least it normally is, but I got a support question about it today.

Probably best to start with the basics first, and some more useful information gathered along the way.

The starting point with most applications should be this document regarding applications that IAG is aware of: IAG Application Aware [1.0Mb]

Someone pointed me towards these Microsoft blog entries, which give a little more detail:
Publishing Microsoft Activesync through IAG2007 - Part 1 of 2
Publishing Microsoft Activesync through IAG2007 - Part 2 of 2

Another useful component is this Microsoft Exchange Server Remote Connectivity Analyser, which can test the connections to ensure your configuration works. (Thanks Andrew for showing me this, it will be very useful!)

The analyser will allow you to check the connection including SSL certificates and server name, connection to the trunk, AD authentication, connection to the Exchange server and the OPTIONS commands.

The issues we had today were regarding the OPTIONS commands, as everything else seems to work. More investigation to follow..... and hopefully an answer!
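The analyser's OPTIONS check is easy to reproduce by hand when chasing an issue like this. Below is an added Python example (not from the original post, and not Microsoft's tool) that sends OPTIONS to the ActiveSync virtual directory through the trunk, trusting only the root certificate exported by the wizard from the October post, and flags what a device would trip over; the host, username, password and the SAMPLE response are assumptions I constructed, while the path, Basic authentication and the MS-ASProtocol* headers are standard Exchange ActiveSync.

```python
import base64
import http.client
import ssl

def root_pem(data: bytes) -> str:
    """The wizard exports DER (.cer); accept that or PEM and return PEM text."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode()
    return ssl.DER_cert_to_PEM_cert(data)

def summarise(status: int, headers) -> dict:
    """Reduce an OPTIONS response to the EAS capability headers a device relies on."""
    h = {name.lower(): value for name, value in headers}
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return {"status": status,
            "versions": split(h.get("ms-asprotocolversions", "")),
            "commands": split(h.get("ms-asprotocolcommands", ""))}

def parse_options_response(raw: bytes) -> dict:
    """Parse a raw HTTP response to an OPTIONS request (only the head is needed)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    pairs = [line.split(":", 1) for line in head[1:] if ":" in line]
    return summarise(status, [(n.strip(), v.strip()) for n, v in pairs])

def check_options(result: dict) -> list:
    """Return the problems found; an empty list means OPTIONS looks healthy."""
    problems = []
    if result["status"] != 200:
        problems.append(f"HTTP {result['status']} instead of 200")
    if not result["versions"]:
        problems.append("MS-ASProtocolVersions missing: the trunk may be stripping headers")
    if not {"FolderSync", "Sync"} <= set(result["commands"]):
        problems.append("FolderSync/Sync not advertised in MS-ASProtocolCommands")
    return problems

def probe(host: str, user: str, password: str, root_cer: bytes) -> dict:
    """Send a live OPTIONS request through the trunk, trusting only the exported root."""
    ctx = ssl.create_default_context(cadata=root_pem(root_cer))
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=15)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn.request("OPTIONS", "/Microsoft-Server-ActiveSync",
                 headers={"Authorization": "Basic " + token})
    resp = conn.getresponse()
    return summarise(resp.status, resp.getheaders())

# Constructed sample response for offline use (not captured from a real server)
SAMPLE = (b"HTTP/1.1 200 OK\r\nMS-Server-ActiveSync: 8.1\r\n"
          b"MS-ASProtocolVersions: 2.5,12.0,12.1\r\n"
          b"MS-ASProtocolCommands: Sync,SendMail,FolderSync,Ping,Provision\r\n\r\n")
```

Run `check_options(probe("portal.example.com", "DOMAIN\\user", "password", open("root.cer", "rb").read()))` against the trunk address the devices use; a certificate error here is the same trust problem the devices hit, and a non-empty list points at the OPTIONS stage.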
