Thursday, February 25, 2010

How to Securely Deploy iPhones with Exchange ActiveSync - Phase 2 - Configuring ActiveSync and Active Directory

This is the third post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here. In this phase, we will configure ActiveSync on the Exchange CAS and Mailbox servers and make the necessary changes in Active Directory.

Securing Exchange ActiveSync
Exchange ActiveSync is enabled by default for all Exchange users in a normal installation.  It can be disabled for selected users using Active Directory Users and Computers (ADUC) for Exchange 2003 mailboxes, or the Exchange 2007/2010 management tools for mailboxes on those versions.

Since our solution requires that ActiveSync be available for only specific users, we could use a script that disables ActiveSync for all users who are not members of an ActiveSync Users security group.  While this would work, it would be clumsy, and new users could access ActiveSync until the script runs again.  It also wouldn't solve the requirement that only authorized devices can access ActiveSync.

In order to fulfill the requirements that only authorized users can access ActiveSync using authorized devices, we will configure ActiveSync to require user certificates.  The iPhones will receive a unique iPhone Configuration Profile that includes the user certificate we generated in Phase 1.  That profile can be loaded on one, and only one, iPhone.  More on that in a later phase.

Configuring Exchange ActiveSync
As mentioned earlier, ActiveSync is enabled by default in a normal Exchange installation.  It is configured by default to use only Basic authentication.  We need to configure the CAS servers to require user certificates.  This is only configured on the CAS servers, not the Mailbox servers.

To do this using the Exchange Management Console (EMC), expand Microsoft Exchange > Server Configuration > Client Access.  Select the Client Access Server to configure and click the Exchange ActiveSync tab in the work pane.  Double-click Microsoft-Server-ActiveSync to view its properties.  Click the Authentication tab and select Require client certificates, as shown below.

Repeat these steps for each CAS server.

To do the same thing using the Exchange Management Shell (EMS), use the following cmdlet to require client certificates for each CAS server:
Set-ActiveSyncVirtualDirectory -identity "CASservername\Microsoft-Server-ActiveSync (Default Web Site)" -ClientCertAuth Required
Finally, we need to make an adjustment to the uploadReadAheadSize value in the IIS metabase.  This is required when you use certificate-based authentication.  Run the following commands from a CMD prompt on the CAS server, replacing the value in quotes with the maximum message size (in bytes) allowed by your organization.

C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost

C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost
The commands above set uploadReadAheadSize to 10MB (the default is 48KB); 1024 * 1024 * 10 = 10,485,760 bytes.  You then need to restart the IISAdmin service to effect the change.
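The following script collects the CAS steps above (require client certificates, raise uploadReadAheadSize, restart IISAdmin) into one PowerShell run per CAS server and adds a verification step that fails loudly if any CAS in the organization is still accepting non-certificate clients. It is an added example, not code from the original post: it assumes an elevated Exchange Management Shell (2007/2010) on the CAS itself, and the $MaxMessageBytes value is a placeholder for your organization's own maximum message size.

```powershell
# Added example, not from the original post. Run in an elevated Exchange Management
# Shell on each CAS server. Assumptions: $MaxMessageBytes is your organization's
# maximum message size; appcmd.exe lives in the default inetsrv folder.
$MaxMessageBytes = 10MB   # PowerShell expands 10MB to 10485760 (bytes)
$thisCas = $env:COMPUTERNAME

# 1. Require client certificates on this server's Microsoft-Server-ActiveSync vdir.
Get-ActiveSyncVirtualDirectory -Server $thisCas |
    Set-ActiveSyncVirtualDirectory -ClientCertAuth Required

# 2. Organization-wide check: a CAS left at Ignore or Accepted still lets a client
#    authenticate with only Basic credentials, which defeats the device control.
$open = Get-ActiveSyncVirtualDirectory |
    Where-Object { $_.ClientCertAuth -ne 'Required' }
if ($open) {
    $open | Select-Object Server, ClientCertAuth, BasicAuthEnabled | Format-Table -AutoSize
    Write-Warning "The CAS servers above do not yet require client certificates."
}

# 3. Raise uploadReadAheadSize at the server and site level (needed for certificate
#    authentication, as described above), then restart IISAdmin to apply it.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
& $appcmd set config '-section:system.webServer/serverRuntime' `
    "/uploadReadAheadSize:$MaxMessageBytes" '/commit:apphost'
& $appcmd set config 'Default Web Site' '-section:system.webServer/serverRuntime' `
    "/uploadReadAheadSize:$MaxMessageBytes" '/commit:apphost'
Restart-Service IISAdmin -Force

# 4. Read the value back so the change is confirmed rather than assumed.
& $appcmd list config 'Default Web Site' '-section:system.webServer/serverRuntime'
```

Step 2 is worth keeping as a scheduled check: certificate enforcement is configured per CAS, so a server added later (or one rebuilt from defaults) silently reopens the Basic-only path unless something re-audits the ClientCertAuth setting across the organization.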

That's all there is to it. You may also want to configure Remote File Servers at this time, but I won't be covering that in this series.

A Note About Exchange 2003 Mailbox Servers
I mentioned in the introduction that this scenario has some Exchange 2003 mailbox servers, just to spice things up.  If you use Exchange 2007 or 2010 CAS servers to front-end ActiveSync for Exchange 2003 mailboxes, you need to configure ActiveSync on the Exchange 2003 mailbox servers to allow Integrated Windows Authentication.  This is because the Exchange 2007/2010 CAS servers use Kerberos pass-through authentication to the E2K3 mailbox servers.

The trouble is, you can't configure this using Exchange ESM and if you try to modify the Microsoft-Server-ActiveSync virtual directory in IIS Manager, the Exchange DS2MB process will overwrite your changes in a few minutes.  This is detailed on the Exchange Team blog here.

To overcome this, download and install Microsoft KB 937031.  The hotfix normally does not require a reboot, but will prompt for one if a scheduled reboot has been deferred.  This hotfix will enable the Authentication button on the Access tab of the Microsoft-Server-ActiveSync object.  This object is found in ESM under Servers > servername > Protocols > HTTP > Exchange Virtual Server > Microsoft-Server-ActiveSync.  Simply enable Basic authentication and Integrated Windows Authentication, as shown.

Configuring Active Directory
Now we need to configure Active Directory for the solution by creating the necessary user groups and publishing the self-signed CA Root certificate.
Create Security Groups
Create two universal security groups, ActiveSync Users and ActiveSync Admins.  Populate the groups with the appropriate users.  By using security groups, we can easily manage the solution using role-based security.
Configure Group Policy
Since our root CA is self-signed and not issued by an externally trusted CA like VeriSign or Entrust, we need to install the root certificate in the Trusted Root Certification Authorities certificate store on the Exchange CAS servers.  While we can do this manually using the Certificates MMC, I'm going to show you how to publish it to all computers in AD using Group Policy, which is my best practice.
Using appropriate credentials (usually Domain Admin), open the Group Policy Management Console (GPMC).  Edit the Default Domain Policy and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, as shown below.

Right-click Trusted Root Certification Authorities and select Import.  Run through the Certificate Import Wizard to import the RootCA.cer certificate file we exported at the end of Phase 1.  Be sure to place the certificate in the Trusted Root Certification Authorities store.  You should now see the certificate in the Default Domain Policy.
After AD replication completes, log on to a CAS server and run GPUpdate to refresh Group Policy and import the root certificate.  Confirm that the certificate is installed using Internet Explorer.  Click Tools > Internet Options > Content > Certificates.  The root certificate should show under the Trusted Root Certification Authorities tab, as shown.
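As an added example (not part of the original post), the script below creates the two security groups from the Create Security Groups step with the ActiveDirectory PowerShell module, and then performs the Group Policy refresh and root-certificate check from this step on a CAS server by thumbprint instead of by browsing Internet Explorer. It assumes a Windows Server 2008 R2 domain controller (or AD Web Services) for the ActiveDirectory module, and the OU path and the RootCA.cer location are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Part A runs where the ActiveDirectory
# module is available (2008 R2 DC or AD Web Services); Part B runs on a CAS server.
# Assumed placeholders: the groups OU and the path to the Phase 1 RootCA.cer export.
$GroupsOU   = 'OU=Groups,DC=example,DC=com'
$RootCerPath = 'C:\Certs\RootCA.cer'

# --- Part A: role groups for the solution ---------------------------------------
Import-Module ActiveDirectory
foreach ($name in 'ActiveSync Users', 'ActiveSync Admins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName ($name -replace ' ', '') `
            -GroupCategory Security -GroupScope Universal -Path $GroupsOU `
            -Description 'Exchange ActiveSync certificate deployment (Phase 2)'
    }
}
# Membership is what actually grants access later, so populate deliberately, e.g.:
# Add-ADGroupMember -Identity 'ActiveSync Users' -Members 'jdoe'

# --- Part B: verify the GPO-published root certificate on a CAS ------------------
# Refresh computer policy; the root certificate arrives via Public Key Policies.
gpupdate /target:computer /force | Out-Null

# Load the exported root certificate and look for the same thumbprint in the
# machine Trusted Root store (LocalMachine\Root), which is what IIS consults
# when it validates the client certificates presented to ActiveSync.
$rootCer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootCer.Thumbprint }

if ($installed) {
    "Root CA '$($rootCer.Subject)' is trusted on $env:COMPUTERNAME (thumbprint $($rootCer.Thumbprint))."
} else {
    Write-Warning "Root CA thumbprint $($rootCer.Thumbprint) is NOT in LocalMachine\Root on $env:COMPUTERNAME."
    Write-Warning "Check AD replication and Group Policy results (gpresult /scope computer /r) before enabling clients."
}
```

Comparing by thumbprint rather than by display name avoids being fooled by a second certificate with a similar subject, and checking LocalMachine\Root specifically matters because a certificate that only landed in the current user's store would satisfy the Internet Explorer view while IIS still rejects every client certificate chained to it.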


We have completed securing and configuring Exchange ActiveSync, and configured Active Directory by creating the necessary groups and importing the root certificate into the Default Domain Group Policy.


This concludes Phase 2 of my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. The next phase will cover how to publish the user certificates to user accounts who are members of the ActiveSync Users security group.

3:55 PM