06/08/2009, 10:36 AM
#114
Being VP of Systems/Security for a Fortune 1000 company, I think I can FYI some things about Exchange 2007 and ActiveSync. This doesn't exactly guide the end user to get his/her Pre in sync with Exchange, but it does explain how complicated Ex2007 and EAS are to set up CORRECTLY so you DO NOT have all of these problems at the end user level.
Using a self-signed certificate with Ex2007 would ONLY be used if you are LAZY and, most likely, out of your league when it comes to configuring the server. Furthermore, if you don't know EXACTLY how to use PowerShell commands, applying the cert will only apply it to certain areas. Self-signed certificates should ONLY be used server side if the box never touches the Internet. The whole point of using a cert is to verify the identity of the server against a repository on the Internet. Simply copying a server cert to the client is like putting on a blindfold. Sure, you saw who gave it to you, but going forward you have no idea who you are talking to because you cannot verify the identity.
Depending on how you built your EAS policy on your Ex2007 server, that would determine if you even need a CLIENT SIDE certificate for your handheld device. I see a lot of you saying you need to get a cert for your device. NOT THE CASE UNLESS YOUR SERVER REQUIRES IT!
Furthermore, just because you get a cert for your device, it DOES NOT mean that the device's license for ActiveSync even supports CLIENT SIDE certificates for authentication! Apple, for whatever reason, does NOT support client side certs for authentication! So if an IT guy wants to super-secure his EAS policy by requiring client side certs to prove identity, it becomes device dependent. I can put a cert on my WinMo phone and authenticate with that cert; however, one of my employees' iPhones cannot. Apple simply decided not to utilize that part of the suite. Why? Who knows.
Do we have confirmation anywhere that the Pre supports client side certificates for authentication in EAS? Just because it has a "certificate store" doesn't mean that apps on it are tuned to actually make use of the certs available.
Any IT guy running their Ex2007 server WITHOUT using HTTPS should be fired and turn in their stripes. You are the reason IT people get a bad rap. People steal information and eavesdrop simply because they CAN and think it's fun. Do yourself and your employees a favor and get a new profession.
One of the requirements of Ex2007 is to have multiple hostnames for the box and the certificate in order to get Outlook Anywhere, Outlook Web Access, and Autodiscover to work from the Internet as well as the intranet. You need the FQDN for outside contact (mail.domain.com), EAS (mobile.domain.com), Autodiscover free/busy scheduling (autodiscover.domain.com), as well as all the FQDNs for your inside Active Directory (mail.domain.local), and also your simple host name (mail). This requires multiple hostnames applied to your certificate generation when submitting it to Verisign, GoDaddy, etc. I use GoDaddy and you can get a 3 year cert for about $600. If you want to use Ex2007 correctly, this is the price of doing business. Get used to it.
When you get that cert, you need to apply it to ALL of these apps CORRECTLY from the PowerShell AND edit the URLs correctly so Ex2007 knows what URLs inside or outside users will need in order to reach the server. Otherwise end users get the dreaded "SSL mismatch" and, in most cases, end the connection process.
In essence, anything you knew about how Exchange 2000/2003 worked is pretty much useless in configuring 2007.
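The procedure the post above describes (multi-name cert request, binding the cert to the right services from the shell, and setting the internal/external URLs so clients never see a name mismatch), written out as an added Exchange Management Shell example. This is not the poster's own script: the server name CAS01, the domain.com / domain.local names and the organization name are placeholders, and it assumes Exchange 2007 SP1 (RTM used -ExternalAuthenticationMethod on Enable-OutlookAnywhere instead of -ClientAuthenticationMethod, and Exchange 2010 drops the -Path parameter on New-ExchangeCertificate). It also adds the check the poster's client-cert paragraph calls for: reading ClientCertAuth on the ActiveSync virtual directory to see whether the server actually requires a device certificate.

```powershell
# Added example, not from the original post. Run in the Exchange 2007 SP1 Management Shell.
# Placeholders (assumptions): CAS server CAS01, public domain domain.com, AD domain domain.local.
$server   = "CAS01"
$external = "mail.domain.com"          # OWA / Outlook Anywhere from the Internet
$eas      = "mobile.domain.com"        # ActiveSync hostname
$autod    = "autodiscover.domain.com"  # Autodiscover, free/busy
$internal = "mail.domain.local"        # AD FQDN used on the intranet

# 1. Generate one CSR whose Subject Alternative Names cover every name a client can use.
#    Missing any of these is what produces the "SSL mismatch" prompt on the handheld.
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "C=US, O=Example Corp, CN=$external" `
    -DomainName $external,$eas,$autod,$internal,$server `
    -Path "C:\certs\$external.req"

# 2. Submit C:\certs\mail.domain.com.req to the public CA. When the signed cert comes back,
#    import it and bind it to IIS (OWA, EAS, Autodiscover, EWS, OAB) and SMTP in one step.
#    Enable-ExchangeCertificate is what actually assigns the cert; installing it in the
#    Windows store alone leaves the old self-signed cert in use.
Import-ExchangeCertificate -Path "C:\certs\$external.cer" |
    Enable-ExchangeCertificate -Services "IIS,SMTP"

# 3. Set the URLs Autodiscover hands out so that they match names on the cert.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -ExternalUrl "https://$external/owa" -InternalUrl "https://$internal/owa"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$eas/Microsoft-Server-ActiveSync" `
    -InternalUrl "https://$internal/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -ExternalUrl "https://$external/EWS/Exchange.asmx" `
    -InternalUrl "https://$internal/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -ExternalUrl "https://$external/OAB" -InternalUrl "https://$internal/OAB"
Set-ClientAccessServer -Identity $server `
    -AutodiscoverServiceInternalUri "https://$autod/Autodiscover/Autodiscover.xml"
# Outlook Anywhere (RPC over HTTPS). On Exchange 2007 RTM the switch is -ExternalAuthenticationMethod.
Enable-OutlookAnywhere -Server $server -ExternalHostname $external `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# 4. Checks a practitioner wants before pointing users at the box.
#    a) No self-signed cert should still be bound to IIS.
Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and ($_.Services -match "IIS") } |
    Format-List Thumbprint,Subject,CertificateDomains,Services
#    b) The live cert must list every hostname configured above.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject,CertificateDomains,NotAfter
#    c) Does this server require a CLIENT certificate for EAS? Ignore = no, Accepted = optional,
#       Required = every device (Pre, iPhone, WinMo) must present one.
Get-ActiveSyncVirtualDirectory -Server $server |
    Format-List Identity,ClientCertAuth,ExternalUrl,InternalUrl
#    d) End-to-end Autodiscover/EWS test from the server itself.
Test-OutlookWebServices -ClientAccessServer $server | Format-List
```

Step 4c is the quick way to settle the "do I need a cert on my phone" question from the post: unless ClientCertAuth reads Required, a device certificate is not part of the EAS handshake, and the only certificate that matters is the server's, which the device must be able to chain to a CA it trusts.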