Mobile User and SSL
  • Mobile User and SSL

    I read the article:

    http://www.petri.com/problems_with_f...activesync.htm

    I did option # 3.

    My question is, since SSL is disabled for mobile phones, how secure is the email from the mobile phone, since it is not SSL enabled? I have end users with Windows Mobile sending emails from their phone. I would love for their email to be secure.

    I do have our owa as SSL. I was reading an article on how to make mobile phone work with SSL in this link:

    http://www.howardforums.com/printthr...&page=12&pp=15

  • #2
    Re: Mobile User and SSL

    If you aren't using SSL then everything is going across in the clear. Username, password, data.
    If you have a working external certificate for OWA then you can use SSL with Windows Mobile devices as well. That is the only way I deploy Windows Mobile devices.

    What you have to do very much depends on who issued the certificate and whether you are using forms based authentication. It also depends on whether you are on a single server or a frontend/backend scenario.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.


    • #3
      Re: Mobile User and SSL

      If you aren't using SSL then everything is going across in the clear. Username, password, data.
      If you have a working external certificate for OWA then you can use SSL with Windows Mobile devices as well.

      For the Treo 700wx, in order for me to make it work, I had to go into my firewall settings and make two connections: one for my OWA (https) and one for my Treo user (http).

      That is the only way I deploy Windows Mobile devices.

      Our OWA is SSL, but I cannot get the certificate to be valid when I use it at home. My owa is https:// owa DOT Advtg DOT com/exchange

      What you have to do very much depends on who issued the certificate and whether you are using forms based authentication.

      I do have form based

      It also depends on whether you are on a single server or a frontend/backend scenario.

      I have a single server

      Trying to fix this whole thing.... P.S. I created my own certificate using this site: http://www.msexchange.org/tutorials/..._OWA_2003.html

      Internet Explorer 6 won't ask for invalid cert, but IE 7 does...aawwwww
      Last edited by slyaii; 17th April 2008, 23:13.


      • #4
        Re: Mobile User and SSL

        That link shows you created your own Certificate Authority. Your certificate isn't valid if your device doesn't trust the root certificate. If you open http://localhost/certsrv on the server you should see the certificate services web page. You can download the certificate chain from here and use that file to install onto your device as well.

        On that link, look at the "Getting the Pending Request accepted by our Certificate Authority" bit. The picture beneath that shows the page; you want the final link marked "Download a CA Certificate, Certificate Chain etc", then download the chain. If you do this you are basically giving the device the permission to trust certificates made by your CA.
        Thawte/Verisign etc already have trusted root certificates within popular browsers for example and these then trust any certificates generated by them.
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?


        • #5
          Re: Mobile User and SSL

          The fact that you are getting SSL prompts from Internet Explorer should show you that there is a problem. If the certificate was issued by a commercial provider then you wouldn't have the issue. Exchange ActiveSync cannot cope with any prompts other than the username/password prompt. Therefore certificate prompts stop SSL from working.

          My main suggestion would be to replace the self-generated SSL certificate with a commercial certificate. You can pick these up from US$30 a year from places such as GoDaddy (http://DomainsForExchange.net/) or RapidSSL (http://www.rapidssl.com) or InstantSSL (http://www.instantssl.com). Do note that RapidSSL is not supported by Windows Mobile natively; you have to import their root into the device (takes about two minutes to set up and five seconds to import). Instant SSL have a number of roots and you may have to ask for it to be issued on another root for Windows Mobile support. GoDaddy roots are in most Windows Mobile devices - some Motorolas don't have them, but most others do.

          When you are using forms based authentication and a single server, for this feature to work over SSL you have to make some changes to the IIS configuration. http://exchange.sembee.info/2003/act...c/85010014.asp
          This is because FBA disables a function that EAS needs to work.

          Simon.
          Last edited by Sembee; 15th July 2011, 11:54. Reason: URL Correction


          • #6
            Re: Mobile User and SSL

            That link shows you created your own Certificate Authority. Your certificate isn't valid if your device doesn't trust the root certificate. If you open http://localhost/certsrv

            I did that and saved the file with the extension .p7b

            I opened the .p7b file and located a child folder labelled Certificates. From there, I highlighted my certificate and right-clicked All Tasks >> Export. I then chose DER encoded binary X.509 (.CER) and browsed to save on my desktop. Within the wizard, I found the

            File Name: filename.cer
            Export Keys: NO
            Included all cert in the cert path: NO
            File Format: DER Encoded Binary x.509 (*.cer)

            I now have a .cer file. What can I do with it?


            on the server you should see the certificate services web page. You can download the certificate chain from here and use that file to install onto your device as well.

            On that link look at the
            Getting the Pending Request accepted by our Certificate Authority
            bit, the picture beneath that shows the page, you want the final link marked "Download a CA Certificate, Certificate Chain etc"
            then download the chain. If you do this you are basically giving the device the permission to trust certificates made by your CA.

            Attached is the image of where I went to and downloaded
            Thawte/Verisign etc already have trusted root certificates within popular browsers for example and these then trust any certificates generated by them.

            Should I import this certificate to each end-users by opening IE >> Tools >> Internet Options >> Content >> Certificate >> Import to Trusted Root Cert Auth?
            Last edited by slyaii; 18th April 2008, 00:45.


            • #7
              Re: Mobile User and SSL

              Simon, link is dead

              http://www.amset.info/exchange/mobile-85010014.asp


              • #8
                Re: Mobile User and SSL

                You should buy a public cert as per Sembee's recommendation. If you want to use your self-generated one then you can publish it via a GPO to all of your client machines (should you want to). For your mobile device, just install it by copying it to the device and clicking on it.
                cheers
                Andy



                • #9
                  Re: Mobile User and SSL

                  You should buy a public cert as per Sembee's recommendation.

                  I will look into buying one

                  If you want to use your self gen one then you can publish it via a gpo to all of your client machines (should you want to).

                  For some odd reason, if my end users VPN in, they do not get that warning message in IE7.

                  For your Mobile device just install it by copying to the device and clicking on it.

                  I zipped up the cert and emailed it to my phone, unzipped it and stored the cert in My Device >> My Documents, and clicking on the cert gave me an error saying "Run the program first"....


                  • #10
                    Re: Mobile User and SSL

                    Just by observation. I went into my certificate on my Exchange Server under IIS and discovered that it is different from the one that you download from IE to install in the cert store.

                    In Exchange Server:

                    Click Start >> Admin Tools >> IIS Manager >> Expand Website >> Right-click Exchange >> Properties >> Directory Security >> Under Secure Comm >> View Certificate

                    it shows under Certification Path:

                    Root = owa Dot Domain Dot Com
                    Child = A Child cert with a description that I typed earlier in my creation of the cert

                    If you go to IE, download the cert and save it, then to view it go to IE >> Tools >> Internet Options >> Content >> Certificates or Publishers buttons.

                    Click the cert and find out that

                    Root = owa Dot Domain Dot Com
                    Child = owa Dot Domain Dot Com

                    I installed the cert into so many folders: Intermediate Cert Auth, Trusted Root Cert Auth, Other People. I found out that some certs only have one root or just one child, if that's possible, of

                    owa Dot Domain Dot Com

                    After playing with IE7, I found out that if your cert is not in the Trusted Root Cert Auth store and does not have both

                    Root = owa Dot Domain Dot Com
                    Child = owa Dot Domain Dot Com

                    It will not work.

                    If your Root shows an X Click on the X and click View, then install. Install it manually, to the Trusted Root Cert Auth. Close IE7, and open it again to your OWA. It will work now.

                    My next task is to buy a cert or play with it some more to make IE7 accept it. Also, when I initially installed the cert and placed it in my Trusted Root Cert Auth location, that cert did not get installed there. I had to move it to another folder and, from there, do what I did above.

                    By the way, what is the difference in IIS between clicking Web Sites, expanding it, then Right-click Default Web Site >> Properties >> Directory Security >> Under Secure Comm >> Edit and setting Require SSL and enabling 128, and simply:

                    Right-clicking Exchange under Default Web Site and checking SSL and enabling 128?

                    I set my SSL and enabled 128 in my Exchange folder and did not do it to Default Web Site. I guess doing it at the Default Web Site will apply to all, while doing it at a folder will only apply there.... correct me if I'm wrong.
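The trust problem worked through in #4 and #10 (a browser or device only accepts a certificate whose issuing root it already trusts, and a self-signed root has the same subject and issuer, which is why the root and child both show the same name) can be reproduced on any machine with the openssl command. The script below is an added example, not code from this thread or from any Microsoft or Exchange tooling. It creates a throwaway private CA and a leaf certificate for a constructed hostname, owa.example.invalid, exports the root in the DER (.cer) and PKCS#7 (.p7b) forms discussed above, and then shows that the leaf verifies only against the CA that issued it. Everything lives in a temporary directory; the system trust store is never touched.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command.
# Builds a private CA plus a leaf cert for a constructed hostname and checks
# which trust anchors make the leaf verify. Nothing is written outside $WORK.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="owa.example.invalid"   # constructed placeholder hostname

# make_ca <CN> <file-stem>: a self-signed root, so subject DN == issuer DN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca "Example Private CA" ca     # the CA that will issue the leaf
make_ca "Unrelated CA" other        # a CA that has nothing to do with it

# Leaf: subject is the host, issuer is "Example Private CA"
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.pem" >/dev/null 2>&1

# The root in DER form: the .cer file format exported for the device in #6
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"

# Round trip through PKCS#7 (.p7b), the chain format certsrv hands out in #4,
# then unpack it back to PEM the way a device or verifier would consume it
openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -outform DER -out "$WORK/chain.p7b"
openssl pkcs7 -inform DER -in "$WORK/chain.p7b" -print_certs -out "$WORK/chain.pem"

# is_self_signed <file> [PEM|DER] -> "yes" when subject and issuer DN match
is_self_signed() {
  s="$(openssl x509 -inform "${2:-PEM}" -in "$1" -noout -subject)"
  i="$(openssl x509 -inform "${2:-PEM}" -in "$1" -noout -issuer)"
  if [ "${s#subject=}" = "${i#issuer=}" ]; then echo yes; else echo no; fi
}

# verify_leaf <trust-anchor file> -> "trusted" or "untrusted"
# Mirrors what the browser/device does: the leaf is accepted only if the
# supplied anchor is (or chains to) the CA that issued it.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "root self-signed (PEM):      $(is_self_signed "$WORK/ca.pem")"
echo "root self-signed (DER .cer): $(is_self_signed "$WORK/ca.cer" DER)"
echo "leaf self-signed:            $(is_self_signed "$WORK/leaf.pem")"
echo "leaf vs issuing CA:          $(verify_leaf "$WORK/ca.pem")"
echo "leaf vs chain from .p7b:     $(verify_leaf "$WORK/chain.pem")"
echo "leaf vs unrelated CA:        $(verify_leaf "$WORK/other.pem")"
```

The last two lines are the point: the same leaf is "untrusted" against a root that did not issue it and "trusted" against the issuing root, whether that root arrives as PEM, DER or inside the .p7b chain. A browser or Windows Mobile device has no `-CAfile` switch; installing the DER root into its trusted root store, as #4 and #8 describe, is the equivalent step, and a commercially issued certificate as recommended in #5 avoids it because those roots are already present on the device.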


                    • #11
                      Re: Mobile User and SSL

                      If you have set "require 128 bit" or require SSL options on the entire web site, then you have broken the functionality of Exchange. Neither of those settings needs to be set to use SSL. Many people seem to go looking for a switch to turn SSL on or off, but there isn't one. The simple fact of an SSL certificate being installed on the web site will mean that it can be used. For the most secure deployment, simply do not open port 80 on the firewall. Force the users to use https:// URL.

                      Furthermore, setting require 128 bit or require SSL will stop the Windows Mobile devices from working, as an internal call is made by Exchange on port 80, which cannot be changed, which you have just broken.

                      If you have changed the configuration of the virtual directories, then reset it. That is the quickest way: http://support.microsoft.com/default.aspx?kbid=883380

                      When you install the SSL certificate - do not make any further changes.

                      The only way to get web browsers to accept your certificate without a prompt is to purchase an SSL certificate. No other way is possible as you cannot control every browser that is going to access your server.

                      Simon.