This is a basic walk-through to show how a Juniper SA device can be used to reverse proxy ActiveSync traffic.
Test lab setup:
- Exchange 2010 DAG consisting of two Exchange Servers running the Client Access role
- Juniper SA Device running 7.0R2
- ActiveSync capable device – in this case I’ve used an Apple iPhone running iOS 4.2
To successfully complete this you’ll need the basics already set up. This includes the following:
- An SA with the basic networking set up: internal, external and/or VIP(s)
- A certificate assigned to the SA on the internal and/or external interfaces
- An existing or new role to link with the new sign in policy that will be created
- ActiveSync enabled on the Exchange Server and for the user in question
1. On the SA navigate to Authentication > Signing in > Sign-in Policies and select ‘New URL’
2. Change the user type selection to ‘Authorisation Only Access’
3. Enter a hostname. You’ll probably want to use a ‘mobile specific’ domain, e.g. mobile.mydomain.com, so this traffic is kept separate from the usual user activity and can be easily monitored and restricted
4. Enter the URL of the Exchange Server (or CAS array) in the form https://exchange.mydomain.local:443/* or https://192.168.0.1:443/*, depending on whether you have DNS/hostname resolution set up on your SA
5. Select ‘No Authorisation’ from the drop-down box
6. Choose a relevant Role Option from the selection given – it’s probably best to create a role specific to ActiveSync
The below has been taken from Juniper’s website and describes the role settings that affect an Authorisation Only policy:
- Allow browsing untrusted SSL (Users > User Roles > RoleName > Web > Options)
- HTTP connection timeout (Users > User Roles > RoleName > Web > Options)
- Source IP restrictions (Users > User Roles > RoleName > General > Restrictions)
- Browser restrictions (Users > User Roles > RoleName > General > Restrictions)
7. Select the ‘Allow ActiveSync Traffic Only’ check box. This performs a very basic check of the HTTP headers to make sure they match those of ActiveSync traffic; it is a traffic filter, not authentication. With an Authorisation Only policy the SA passes the client’s credentials straight through, and it is the Exchange server that authenticates the user.
Before setting up your mobile device it is worth mentioning, as it can easily be overlooked, that you’ll need to alter your firewall settings accordingly so the new hostname is reachable.
Once the above steps have been performed and the URL is reachable, i.e. the domain becomes live and resolves to the correct IP, you can begin the setup of the ActiveSync client. As stated above, this example uses an iPhone running iOS 4.2.
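Before moving on to the device it is worth confirming that the SA is passing ActiveSync through to Exchange and stopping everything else. The script below is an added example, not part of the original post or of Juniper’s tooling; it assumes the hostname mobile.mydomain.com from the example above and the standard /Microsoft-Server-ActiveSync virtual directory, and it probes your own deployment with unauthenticated OPTIONS requests.

```python
"""Post-deployment check for the ActiveSync reverse proxy described above.
Added example, not from the original post or Juniper's own tooling. Assumed
(not on the page): mobile hostname mobile.mydomain.com and the standard
/Microsoft-Server-ActiveSync path. Exchange answers an unauthenticated OPTIONS
there with 401 + WWW-Authenticate and an authenticated one with 200 +
MS-ASProtocolVersions; either shows the SA proxies the traffic and that
authentication happens on Exchange, not on the SA.
"""
import http.client
import ssl
import sys

MOBILE_HOST = "mobile.mydomain.com"        # assumed, taken from the post's example
EAS_PATH = "/Microsoft-Server-ActiveSync"  # standard ActiveSync virtual directory
NON_EAS_PATH = "/owa/"                     # something the SA should refuse to proxy

def reached_exchange(status, headers):
    """True if the response came from Exchange rather than from the SA itself."""
    h = {k.lower(): v for k, v in headers.items()}
    return ((status == 401 and "www-authenticate" in h)
            or (status == 200 and "ms-asprotocolversions" in h))

def assess(path, status, headers):
    """Return (ok, reason) for one probed path against a correct deployment."""
    hit = reached_exchange(status, headers)
    if path == EAS_PATH:
        return hit, ("ActiveSync reaches Exchange, which enforces authentication" if hit
                     else "ActiveSync path did not reach Exchange (DNS, firewall or policy)")
    # With 'Allow ActiveSync Traffic Only' set, anything else should stop at the SA.
    return (not hit), ("non-ActiveSync path blocked at the SA" if not hit
                       else "non-ActiveSync path reached Exchange: filter not in effect")

def probe(host, path, timeout=10):
    """Send one unauthenticated OPTIONS request and assess the answer (needs network)."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("OPTIONS", path, headers={"User-Agent": "eas-proxy-check"})
    resp = conn.getresponse()
    return assess(path, resp.status, dict(resp.getheaders()))

if __name__ == "__main__":
    # Constructed responses show the expected verdicts; pass --live to probe for real.
    for path, status, hdrs in [(EAS_PATH, 401, {"WWW-Authenticate": "Basic"}),
                               (NON_EAS_PATH, 401, {"WWW-Authenticate": "Basic"})]:
        print(*assess(path, status, hdrs))
    if "--live" in sys.argv:
        for p in (EAS_PATH, NON_EAS_PATH):
            print(*probe(MOBILE_HOST, p))
```

Run it with --live once DNS and the firewall rule are in place; a FAIL on /owa/ means non-ActiveSync requests are being proxied and the ActiveSync-only check box is not doing its job.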
1. Open Settings > Mail, Contacts, Calendars > Add Account > Microsoft Exchange
2. Enter the email address, domain, username and password for the account, and a description if you wish to do so
3. Select Next
4. Enter the URL previously created in step 4 above
5. The account will be created on the device – this may take some time on the mobile network. Once the account is created you can go back into Settings and select which items you wish to sync, i.e. mail, contacts and calendars. Also make sure that SSL is enabled (it is by default).
Well, that’s all there is to it really. I’ll be delving into deploying authentication via client certificates with ActiveSync in a blog post shortly, so one to look out for!