Pulse Secure formerly SSL VPN
Contributor
Posts: 42
Registered: ‎05-15-2008
0 Kudos
Accepted Solution

Does Anyone have Clientless Activesync working?

I ask only because I have yet to see a clear guide, other than the one in the IVE, and it doesn't work with OWA.

 

I have performed the instructions at the bottom of this post, which are the ones right from the SSL Help menu.  Now, this works for a basic hyperlink, but not OWA.  When you request OWA, it redirects you to the internal FQDN of the host in question.

 

For instance: I go to owa.company.com/exchange, and my requests end up at exchange.company.local/exchange, which obviously doesn't work. Looking at the session, the request from OWA passes a "base" tag that is the internal FQDN of the server. I'm assuming this needs to get rewritten somehow in the IVE, but don't know what to do for that to happen.

Instructions from IVE:

Enabling Activesync

Using Activesync, you can synchronize data between a Windows-based desktop computer and handheld devices. The IVE can be used as a reverse proxy to allow users to synchronize their data without installing an additional client application, such as WSAM, on their handheld devices. For more information on using the IVE as a reverse proxy, see Defining authorization-only access policies.

Please note the following:

    * Supports Windows Mobile 5.0 and 6.0 only
    * Supports Exchange Server 2003 and 2007
    * Both NTLM & Basic Auth on the Exchange server are supported
    * Both HTTP and HTTPS between IVE and Exchange server are supported
    * If the IVE is used for OWA & Activesync, the hostnames for OWA access and Activesync must be different
    * No endpoint checking is supported.

To configure the IVE as a reverse proxy for use with Activesync:

   1. In the admin console, choose Authentication > Signing In > Sign-in Policies.
   2. To create a new authorization only access policy, click New URL and select authorization only access. Or, to edit an existing policy, click a URL in the Virtual Hostname column.
   3. In the Virtual Hostname field, enter the name that maps to the IVE’s IP address. The name must be unique among all virtual host names used in pass-through proxy’s hostname mode. The hostname is used to access the Exchange server entered in the Backend URL field. Do not include the protocol (for example, http:) in this field.

      For example, if the virtual hostname is myapp.ivehostname.com, and the backend URL is http://www.xyz.com:8080/, a request to https://myapp.ivehostname.com/test1 via the IVE is converted to a request to http://www.xyz.com:8080/test1. The response of the converted request is sent to the original requesting web browser.
   4. In the Backend URL field, enter the URL for the Exchange server. You must specify the protocol, hostname and port of the server. For example, http://www.mydomain.com:8080/*.

      When requests match the hostname in the Virtual Hostname field, the request is transformed to the URL specified in the Backend URL field. The client is directed to the backend URL unaware of the redirect.
   5. Enter a Description for this policy (optional).
   6. Select No Authorization from the Authorization Server drop down menu.
   7. Select a user role from the Role Option drop down menu.

      Only the following user role options are applicable for Autosync.
          * HTTP Connection Timeout (Users > User Roles > RoleName > Web > Options > View advanced options)
          * Allow browsing un-trusted SSL websites (Users > User Roles > RoleName > Web > Options > View advanced options)
          * Source IP restrictions (Users > User Roles > RoleName > General > Restrictions)
          * Browser restrictions (Users > User Roles > RoleName > General > Restrictions)

      For more information on these role options, see Configuring Advanced Web Browsing Options, Specifying Source IP Access Restrictions and Specifying Browser Access Restrictions.
   8. Click Save Changes.
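To make concrete what "rewriting the base tag" would involve, here is an added Python example, not code from this thread or from Juniper, of the response rewriting a reverse proxy has to do in hostname mode: re-home the Location header and any absolute URL in href/src/action attributes, including the `<base href>` that OWA emits, from the backend origin onto the virtual hostname. The host names, URLs and the sample response are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample names for this example; the thread's real hosts are not known.
BACKEND_URL = "http://exchange.company.local"   # what the proxy talks to (the "Backend URL")
VIRTUAL_URL = "https://owa.company.com"         # what the client typed (the "Virtual Hostname")

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the default port filled in, so that
    'http://host/' and 'http://host:80/' compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme))


def swap_origin(url, backend=BACKEND_URL, virtual=VIRTUAL_URL):
    """If `url` points at the backend origin, re-home it on the virtual origin.
    Relative URLs and URLs to other hosts are returned unchanged."""
    if origin(url) != origin(backend):
        return url
    u, v = urlsplit(url), urlsplit(virtual)
    return urlunsplit((v.scheme, v.netloc, u.path, u.query, u.fragment))


def rewrite_headers(headers, backend=BACKEND_URL, virtual=VIRTUAL_URL):
    """Fix redirect-style headers; a redirect to the internal FQDN is exactly
    what the browser showed in the thread."""
    fixed = {}
    for name, value in headers.items():
        if name.lower() in ("location", "content-location"):
            value = swap_origin(value, backend, virtual)
        fixed[name] = value
    return fixed


# href/src/action attributes, which is where <base href=...> and absolute links live.
_URL_ATTR_RE = re.compile(r'''((?:href|src|action)\s*=\s*["'])([^"']*)(["'])''', re.IGNORECASE)


def rewrite_body(body, backend=BACKEND_URL, virtual=VIRTUAL_URL):
    """Rewrite absolute backend URLs inside HTML attributes, including the
    <base> tag that otherwise makes every relative link resolve to the internal name."""
    return _URL_ATTR_RE.sub(
        lambda m: m.group(1) + swap_origin(m.group(2), backend, virtual) + m.group(3),
        body,
    )


# Constructed response, as a browser would receive it through a proxy that does no rewriting.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Location": "http://exchange.company.local/exchange/"}
SAMPLE_BODY = (
    '<html><head><base href="http://exchange.company.local/exchange/"></head>'
    '<body><a href="http://exchange.company.local:80/exchange/Inbox/">Inbox</a>'
    '<a href="http://other.example/help">Help</a><a href="logoff.aspx">Log off</a></body></html>'
)


def rewrite_response(headers=SAMPLE_HEADERS, body=SAMPLE_BODY):
    """Return the (headers, body) pair the client should actually see."""
    return rewrite_headers(headers), rewrite_body(body)


if __name__ == "__main__":
    fixed_headers, fixed_body = rewrite_response()
    print(fixed_headers["Location"])
    print(fixed_body)
```

Only HTML attributes and two headers are covered here; a production rewriter must also handle URLs embedded in scripts and stylesheets, the Domain attribute of Set-Cookie, and the Host header on the way in, which is why a proxy that only swaps the hostname at the TCP level leaves OWA pointing at the internal name.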
 

Contributor
Posts: 42
Registered: ‎05-15-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

Got it working.  The instructions provided do work.  Don't test via https on your desktop - the exchange virtual directory doesn't come through but it somehow works on an iPhone and Windows Mobile.
Trusted Contributor
Posts: 186
Registered: ‎12-04-2007
0 Kudos

Re: Does Anyone have Clientless Activesync working?

Hi,

 

I wonder if you can answer a question for me on this, a customer is asking me about this but has a large number of phones; does each active phone use a concurrent license?

 

Sorry for being cheeky! :P

 

Thanks

 

Kendal

Contributor
Posts: 42
Registered: ‎05-15-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

I only have one user right now; I just looked and my logged on users are "0."

 

Perhaps it increments when an actual sync is happening, but I see no licenses in use at the moment.

Trusted Contributor
Posts: 186
Registered: ‎12-04-2007
0 Kudos

Re: Does Anyone have Clientless Activesync working?

Hi, that is good news. Given that the IVE is just "passing through" and not doing any active intermediation, Juniper may have been nice and not added it to the concurrent user license count; however, we may have just highlighted a previously unknown "feature" which will be "corrected" in the next version. I'd better raise a TAC case and find out what the official answer is then.

 

Thanks for your assistance.

 

Kendal

Contributor
Posts: 38
Registered: ‎04-01-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

I followed the same instructions and point it to our OWA servers (using https and 443), but I get certificate errors on the remote devices. Which cert is an issue?

 

I currently have an external Verisign cert for the external IVE interface and an internally assigned cert for the internal interface, and our OWA servers have a Verisign cert. All certs seem to be good.

 

 

Contributor
Posts: 42
Registered: ‎05-15-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

I suspect the SSL cert on your server is causing the problem, as you are probably using the internal FQDN in the SA config to communicate with the server.  I would simply use standard http if possible between the SA and your server, and that should clear it up.

 

Contributor
Posts: 38
Registered: ‎04-01-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

I've made the change to point to http and port 80, but now I get "server not found". Looking at the user logs, it appears that it sends data? Any ideas? (I'm now testing by accessing the Virtual Hostname FQDN, using IE on an external laptop.)

 

 

Contributor
Posts: 42
Registered: ‎05-15-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

Do the OWA frames show up?  Does the virtual directory require SSL?

 

When I tested with a desktop (server/exchange), OWA frames would show up, but the content would not.  I assumed it wasn't working for the longest time but then tested Activesync with an iPhone and it worked.

Contributor
Posts: 38
Registered: ‎04-01-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?


When I test with a desktop, I get the login page, then I sign in, and get the frame, but page not found. I'm using a Verisign TRIAL cert for the FQDN of the Virtual Port/Host of the IVE.

 

When I try with the ActiveSync phone, I get certificate errors: Support code: 0x80072F0D on the Motorola Q.

 

Thanks for your help.

Message Edited by imtravis on 08-05-2008 10:16 AM
Contributor
Posts: 42
Registered: ‎05-15-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

So you have two certs for the SA, correct?  One for normal access, i.e. secure.domain.com, and another for activesync, activesync.domain.com?  Is this a wildcard cert?  What version of Windows Mobile are you running? Windows Mobile 5 and below don't support wildcard certs.

 

Also, I wonder if the Verisign Trial certs use a different root CA that might not be trusted on your phone.  Just a guess.
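An added Python sketch, not from this thread or from Juniper, of the two checks a device performs that correspond to the two guesses above: whether the issuing CA is one the device trusts, and whether the certificate's names cover the hostname the device connects to, with wildcard names optionally switched off to model a client that cannot handle them. The CA names, certificates, hostnames and trust stores are constructed, and the issuer check is a simplified stand-in for full chain validation.

```python
def hostname_matches(hostname, cert_names, client_supports_wildcard=True):
    """Return True if `hostname` is covered by one of the certificate's names.
    Wildcard handling follows the usual browser rule: only a whole leftmost label
    may be '*', it must be followed by at least two labels, and it matches exactly
    one label. Clients that do not understand wildcards at all are modelled by
    client_supports_wildcard=False."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host_labels:
                return True
            continue
        if not client_supports_wildcard:
            continue
        if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
            continue  # malformed wildcard such as 'a*.domain.com' or '*.com'
        if len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def diagnose(hostname, cert_names, issuer, trusted_roots, client_supports_wildcard=True):
    """Mirror the order a client uses: chain trust first, then the name check.
    The issuer-in-set test is a constructed simplification of chain validation."""
    if issuer not in trusted_roots:
        return "untrusted issuer: install the issuing CA on the device or use a cert from a CA it already trusts"
    if not hostname_matches(hostname, cert_names, client_supports_wildcard):
        return "name mismatch: the certificate does not cover the hostname the device connects to"
    return "ok"


# Constructed device trust store and certificates (hypothetical CA names).
PHONE_ROOTS = {"Public CA Root"}
TRIAL_CERT = {"names": ["activesync.domain.com"], "issuer": "Trial CA Root"}
WILDCARD_CERT = {"names": ["*.domain.com"], "issuer": "Public CA Root"}


def check(cert, hostname="activesync.domain.com", roots=PHONE_ROOTS, wildcard_ok=True):
    """Run the diagnosis for one constructed certificate against one device profile."""
    return diagnose(hostname, cert["names"], cert["issuer"], roots, wildcard_ok)


if __name__ == "__main__":
    print("trial cert on a phone without the trial root:", check(TRIAL_CERT))
    print("wildcard cert on a client without wildcard support:", check(WILDCARD_CERT, wildcard_ok=False))
    print("wildcard cert on a modern client:", check(WILDCARD_CERT))
```

The two messages map onto the two remedies discussed later in the thread: getting the issuing CA onto the device (or using a self-signed cert the phone is told to accept), and issuing the cert for the exact ActiveSync hostname rather than a wildcard.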

Contributor
Posts: 38
Registered: ‎04-01-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

It's single certs for normal and for activesync (like your example: one for normal access, i.e. secure.domain.com, and another for activesync, activesync.domain.com). No wildcard certs. We're running WM 5/6 (multiple phones), and iPhones (the main driving force behind this implementation). We're using the Verisign Trial Cert, which requires a Verisign Trial CA to be added (which the phones don't seem to like).

 

I did, however, try the trick of unchecking SSL required and once I did that, the cert issue cleared up (so now I'm not sure if I'm encrypted or not at that point, but thinking not), instead now I get server not found (Error code: 0x80072F78).

 

Again, I appreciate your help.

 

Contributor
Posts: 42
Registered: ‎05-15-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

I have a self signed cert associated with the activesync.domain.com url, and the iPhone doesn't seem to mind after initial setup.  Do you get the same message with the iPhone?
Contributor
Posts: 38
Registered: ‎04-01-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

I spoke with JTAC, and the only way to do the self signed cert is by resetting the configs (which I did) and using the self signed cert. I then imported the system/user configs minus the certs, and then manually installed the certs again (from configs), so it wouldn't overwrite the new self signed cert. Once I did that, I was able to download the self signed cert, and the phones now work, and the iPhone sends a warning, which you choose to accept the cert, then lets ActiveSync work.

 

 

Thanks again for your help privatepile.

Contributor
Posts: 29
Registered: ‎01-27-2009
0 Kudos

Re: Does Anyone have Clientless Activesync working?

I had the same problem today with not being able to see the content. Any fix for this at all?
Contributor
Posts: 42
Registered: ‎05-15-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

Can you elaborate?  Are you trying to browse the virtual hostname from your PC and are not seeing content?
Contributor
Posts: 38
Registered: ‎04-01-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

If you're not able to see content, that's by design.
New User
Posts: 1
Registered: ‎09-02-2009
0 Kudos

Re: Does Anyone have Clientless Activesync working?

It works but I have a problem understanding the security implications.

The instructions say "No Authorization" for the reverse proxy.

In my understanding that basically means that your whole internal IIS Default Web site is now exposed to the Internet.

You basically send all requests directed at the reverse proxy name unfiltered/unauthenticated to the backend server.

 

I would prefer e.g. a certificate authentication at the IVE as a first line of defense. Is that possible? Getting a certificate onto the iPhone doesn't seem to be too hard.
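To make the exposure concrete, here is an added Python example, not from this thread or from Juniper, of the path allowlist a reverse proxy in front of Exchange should enforce when it does no authentication of its own: only the ActiveSync endpoint and the two HTTP methods it uses are forwarded, and every other request for the backend site is dropped and recorded. The request lines are constructed; the standard `/Microsoft-Server-ActiveSync` path and the OPTIONS/POST methods are the protocol's own. Dan's post below mentions an "Allow ActiveSync Traffic Only" option on the IVE, which presumably implements a restriction of this kind; the logic here is the editor's, not a description of that option.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Standard Exchange ActiveSync endpoint; everything else on the backend web site
# (/exchange, /owa, the default site root) is out of scope for a phone-sync proxy.
ACTIVESYNC_PATH = "/microsoft-server-activesync"
# EAS uses OPTIONS for capability discovery and POST for commands; nothing else is needed.
ALLOWED_METHODS = {"OPTIONS", "POST"}


def canonical_path(raw_target):
    """Decode and normalise the request path so the decision is made on the path
    the backend would resolve, not on its encoded or dot-segment spelling."""
    path = unquote(urlsplit(raw_target).path)
    path = posixpath.normpath(path)
    return path.lower()


def is_allowed(method, raw_target):
    """True only for an ActiveSync request with an ActiveSync method."""
    return method.upper() in ALLOWED_METHODS and canonical_path(raw_target) == ACTIVESYNC_PATH


def filter_requests(requests):
    """Split (method, target) pairs into those the proxy forwards and those it drops.
    The dropped list is what you would send to a log to see what is reaching the proxy."""
    forwarded, dropped = [], []
    for method, target in requests:
        (forwarded if is_allowed(method, target) else dropped).append((method, target))
    return forwarded, dropped


# Constructed request lines as they might appear in the proxy's user log.
SAMPLE_REQUESTS = [
    ("OPTIONS", "/Microsoft-Server-ActiveSync"),
    ("POST", "/Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe&DeviceId=ABC123&DeviceType=iPhone"),
    ("GET", "/Microsoft-Server-ActiveSync"),
    ("GET", "/exchange/"),
    ("GET", "/owa/"),
    ("GET", "/"),
    ("POST", "/Microsoft-Server-ActiveSync/../exchange/"),   # normalised to /exchange before comparison
]


if __name__ == "__main__":
    ok, dropped = filter_requests(SAMPLE_REQUESTS)
    for method, target in ok:
        print("FORWARD", method, target)
    for method, target in dropped:
        print("DROP   ", method, target)
```

Authentication still happens on the backend (NTLM or Basic, as the IVE notes list), so the proxy passes the Authorization header through untouched; the allowlist only narrows what an unauthenticated client can reach to the one endpoint that will challenge it. Client certificate authentication at the proxy, as the poster asks about, would be an additional gate in front of this check rather than a replacement for it.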

Contributor
Posts: 113
Registered: ‎01-21-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

On IVE 6.5R1
1. Create a new role ("iphone")
  a. Check Web / Options
  Under advanced:
    allow untrusted ssl websites
    set http timeout  - mine is 240.
2. Create a new resource policy
 a. Add new Web policy of type Custom
   1. Add Base url to exchange activesync   http://hostname.domain.com  (or https)
   2. Check that Web ACL AutoPolicy is created. 
  b. Hit roles tab and add "iphone" role created in step 1.
3. Create a new sign-in policy
  a. Add new URL to the external Activesync URL
  b. Click Authorization Only Access button
   1. Virtual hostname is the outside hostname
   2. Backend url to exchange activesync   http://hostname.domain.com:80/  (or https/443)
   3. Auth Server is "No Authorization"
   4. Role --> role from step 1
   5. Check Allow ActiveSync Traffic Only
4. Optional - Create a new virtual host ip for activesync
    This allows you to add a proper certificate for the domain name that activesync will be using.
   a. Add new external virtual host under networks.
   b. Create in install new device cert
    1. Click the name of the new cert to assign to the virtual host.
-=Dan=-
Contributor
Posts: 113
Registered: ‎01-21-2008
0 Kudos

Re: Does Anyone have Clientless Activesync working?

On iPhone

Go to Settings/Mail,Contacts,Calendars

 

Accounts --> Add Account
Exchange Activesync
  external hostname of activesync virtual port (async.company.com)
  emailname@company.com
  ADdomain\username 
  ADpassword    

-=Dan=-