SSL VPN
Contributor
privatepile
Posts: 42
Registered: ‎05-15-2008

Re: Does Anyone have Clientless Activesync working?

So you have two certs for the SA, correct?  One for normal access, i.e. secure.domain.com, and another for ActiveSync, activesync.domain.com?  Is this a wildcard cert?  What version of Windows Mobile are you running? Windows Mobile 5 and below don't support wildcard certs.

Also, I wonder if the Verisign Trial certs use a different root CA that might not be trusted on your phone.  Just a guess.

Contributor
imtravis
Posts: 38
Registered: ‎04-01-2008

Re: Does Anyone have Clientless Activesync working?

It's single certs for normal and for ActiveSync (like your example: one for normal access, i.e. secure.domain.com, and another for ActiveSync, activesync.domain.com). No wildcard certs. We're running WM 5/6 (multiple phones) and iPhones (the main driving force behind this implementation). We're using the Verisign Trial Cert, which requires a Verisign Trial CA to be added (which the phones don't seem to like).


I did, however, try the trick of unchecking "SSL required", and once I did that the cert issue cleared up (so now I'm not sure whether I'm encrypted at that point, but I think not); instead I now get "server not found" (error code 0x80072F78).


Again, I appreciate your help.

Contributor
privatepile
Posts: 42
Registered: ‎05-15-2008

Re: Does Anyone have Clientless Activesync working?

I have a self-signed cert associated with the activesync.domain.com URL, and the iPhone doesn't seem to mind after initial setup.  Do you get the same message with the iPhone?

Contributor
imtravis
Posts: 38
Registered: ‎04-01-2008

Re: Does Anyone have Clientless Activesync working?

I spoke with JTAC, and the only way to do the self-signed cert is by resetting the configs (which I did) and using the self-signed cert. I then imported the system/user configs minus the certs, and then manually installed the certs again (from configs), so it wouldn't overwrite the new self-signed cert. Once I did that, I was able to download the self-signed cert, and the phones now work; the iPhone sends a warning, you choose to accept the cert, and then it lets ActiveSync work.

Thanks again for your help privatepile.

Contributor
KevinW
Posts: 29
Registered: ‎01-27-2009

Re: Does Anyone have Clientless Activesync working?

I had the same problem today with not being able to see the content. Any fix for this at all?

Contributor
privatepile
Posts: 42
Registered: ‎05-15-2008

Re: Does Anyone have Clientless Activesync working?

Can you elaborate?  Are you trying to browse the virtual hostname from your PC and not seeing content?

Contributor
imtravis
Posts: 38
Registered: ‎04-01-2008

Re: Does Anyone have Clientless Activesync working?

If you're not able to see content, that's by design.

New User
andreasB
Posts: 1
Registered: ‎09-02-2009

Re: Does Anyone have Clientless Activesync working?

It works but I have a problem understanding the security implications.

The instructions say "No Authorization" for the reverse proxy.

In my understanding that basically means that your whole internal IIS Default Web site is now exposed to the Internet.

You basically send all requests directed at the reverse proxy name unfiltered/unauthenticated to the backend server.

I would prefer e.g. a certificate authentication at the IVE as a first line of defense. Is that possible? Getting a certificate onto the iPhone doesn't seem to be too hard.

Contributor
DanSmart
Posts: 108
Registered: ‎01-21-2008

Re: Does Anyone have Clientless Activesync working?

On IVE 6.5R1:

1. Create a new role ("iphone")
   a. Check Web / Options
      Under Advanced:
      - Allow untrusted SSL websites
      - Set HTTP timeout (mine is 240)
2. Create a new resource policy
   a. Add new Web policy of type Custom
      1. Add base URL to Exchange ActiveSync: http://hostname.domain.com (or https)
      2. Check that Web ACL AutoPolicy is created.
   b. Hit Roles tab and add "iphone" role created in step 1.
3. Create a new sign-in policy
   a. Add new URL for the external ActiveSync URL
   b. Click Authorization Only Access button
      1. Virtual hostname is the outside hostname
      2. Backend URL to Exchange ActiveSync: http://hostname.domain.com:80/ (or https/443)
      3. Auth Server is "No Authorization"
      4. Role --> role from step 1
      5. Check Allow ActiveSync Traffic Only
4. Optional: create a new virtual host IP for ActiveSync
   This allows you to add a proper certificate for the domain name that ActiveSync will be using.
   a. Add new external virtual host under Networks.
   b. Create and install new device cert
      1. Click the name of the new cert to assign to the virtual host.

-=Dan=-

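andreasB's worry above (a "No Authorization" reverse proxy passing the whole IIS default site through) and step 3.b.5 of Dan's procedure ("Allow ActiveSync Traffic Only") come down to one question: does the virtual host forward only ActiveSync requests? The check below is an added example, not Juniper's or any poster's code; it assumes the IVE answers a refused path with 403 or 404, that IIS (not the IVE) answers the ActiveSync URL with 401, and the probe paths and sample statuses are constructed, not captured.

```python
import http.client
import ssl

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"
# IIS default-site paths that must NOT be reachable through the ActiveSync
# virtual host (a "No Authorization" policy would otherwise pass them through).
NON_ACTIVESYNC_PATHS = ["/", "/iisstart.htm", "/owa/", "/exchange/"]

def is_activesync(path):
    return path.lower().startswith(ACTIVESYNC_PATH.lower())

def classify(path, status):
    """Verdict for one (path, HTTP status) pair seen through the virtual host."""
    if is_activesync(path):
        # IIS itself does the authentication, so a bare GET on the ActiveSync
        # URL should come back 401 (or 505 from the protocol-version check).
        return "ok" if status in (401, 505) else "activesync-broken"
    if status == 200:
        return "exposed"   # backend content returned with no authentication
    if status == 401:
        return "proxied"   # request reached IIS; only IIS auth stands in the way
    if status in (403, 404):
        return "blocked"   # assumed: the IVE refused it before the backend
    return "unexpected"

def activesync_only(results):
    """True when the proxy itself blocked every non-ActiveSync path."""
    return all(classify(p, s) == "blocked"
               for p, s in results.items() if not is_activesync(p))

def probe(virtual_host, paths, verify_cert=True):
    """Live check: GET each path on the virtual host, map path -> HTTP status."""
    ctx = ssl.create_default_context()
    if not verify_cert:  # the thread ends up on a self-signed device cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    results = {}
    for path in paths:
        conn = http.client.HTTPSConnection(virtual_host, context=ctx, timeout=10)
        conn.request("GET", path, headers={"Host": virtual_host})
        results[path] = conn.getresponse().status
        conn.close()
    return results

# Constructed samples (not from a real IVE): a restricted proxy, and an open one.
SAMPLE_RESTRICTED = {**dict.fromkeys(NON_ACTIVESYNC_PATHS, 404), ACTIVESYNC_PATH: 401}
SAMPLE_OPEN = {"/": 200, "/iisstart.htm": 200, "/owa/": 401,
               "/exchange/": 401, ACTIVESYNC_PATH: 401}
```

Run `activesync_only(probe("activesync.domain.com", NON_ACTIVESYNC_PATHS + [ACTIVESYNC_PATH], verify_cert=False))` against your own virtual host; a result like SAMPLE_OPEN means the root and other default-site paths are being proxied, exactly the exposure andreasB describes.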
Contributor
DanSmart
Posts: 108
Registered: ‎01-21-2008

Re: Does Anyone have Clientless Activesync working?

On iPhone:

Go to Settings / Mail, Contacts, Calendars
Accounts --> Add Account
Exchange ActiveSync
  External hostname of ActiveSync virtual port (async.company.com)
  emailname@company.com
  ADdomain\username
  ADpassword

-=Dan=-

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.