Exchange Server 2007 : Securing Access to ActiveSync with Secure Sockets Layer Encryption (part 1) - Installing a Third-Party CA on a CAS

10/24/2011 9:11:11 AM
By default, ActiveSync is configured to use Integrated Windows authentication. This form of authentication works fine when access to the server is over a trusted internal network, but it is not feasible for access over the Internet, which is where most mobile devices connect from.

Because of this limitation, a form of authentication that can be sent across the Internet must be used. This effectively limits the ActiveSync server to Basic authentication, which is supported by most web browsers and devices. The problem with Basic authentication, however, is that the username and password the user sends are effectively transmitted in clear text and can be intercepted and stolen in transit. In addition, mail messages and other confidential information are transmitted in clear text, which is a huge security issue.

The solution to this problem is to apply what is known as Secure Sockets Layer (SSL) encryption to the traffic. SSL encryption is performed using Public Key Infrastructure (PKI) certificates, which work through the principle of shared-key encryption. PKI SSL certificates are widely used on the Internet today; any website whose address starts with https:// uses them, and the entire online merchant community depends on the security of the system.

For ActiveSync, the key is to install a certificate on the server so that the traffic between the device and the server is protected from prying eyes. There are effectively two ways to obtain that certificate:

  • Use a third-party certificate authority— A common option for many organizations is to purchase a certificate for ActiveSync (and other Exchange HTTP access methods such as OWA) from a third-party trusted certificate authority (CA), such as VeriSign, Thawte, or others. These CAs are already trusted by a vast number of devices, so no additional device configuration is required. The downside to this option is that the certificates must be purchased, and the organization has less flexibility to change certificate options.

  • Install and use your own certificate authority— Another common approach is to install and configure Windows Server 2003 Certificate Services to create your own CA within the organization. This gives you the flexibility to create new certificates and revoke existing ones without immediate costs. The downside to this approach is that no browsers or mobile devices will recognize the CA, and certificate error messages will be encountered on the devices unless the CA is explicitly trusted on them.

Installing a Third-Party CA on a CAS

If a third-party certificate authority will be used to enable SSL on a CAS, a certificate request must first be generated directly on the CAS. After the request has been generated, it is sent to the third-party CA, which verifies the identity of the organization and returns a signed certificate that can then be installed on the server.

When deciding which CA to use, keep in mind that Windows Mobile devices automatically trust the certificate authorities of the following organizations:

  • VeriSign

  • Thawte

  • GTE CyberTrust

  • GlobalSign

  • RSA

  • Equifax

  • Entrust.net

  • Valicert (Windows Mobile 5.0 and up only)

If an internal CA will be utilized, this section and its procedures can be skipped, and you can proceed directly to the subsequent section titled “Using an Internal Certificate Authority for OWA Certificates.”

To generate an SSL certificate request for use with a third-party CA, perform the following steps:

1. From the CAS, open IIS Manager (Start, All Programs, Administrative Tools, Internet Information Services [IIS] Manager).

2. In the console tree, expand SERVERNAME (local computer) – Web Sites, right-click the OWA Virtual Server (typically named Default Web Site), and click Properties on the shortcut menu.

3. Select the Directory Security tab.

4. Under Secure Communications, click the Server Certificate button.

5. On the welcome screen, click Next to continue.

6. From the list of options displayed, select Create a New Certificate, and click Next to continue.

7. In the Delayed or Immediate Request dialog box, select Prepare the Request Now, But Send It Later, and then click Next.

8. Type a descriptive name for the certificate, such as the one shown in Figure 1, leave the bit length at 1024, and click Next to continue.

Figure 1. Generating an SSL certificate request for an OWA virtual server.

9. Enter the name of the organization and the OU that will be associated with the certificate. These fields are visible to external users and should accurately reflect the organizational structure of the requestor.

10. Enter a common name for the OWA website in the form of its FQDN, for example mail.companyabc.com. Click Next to continue.

Note

If the ActiveSync site will be made accessible from the Internet, the common name of the site must resolve from the Internet via a public DNS A record.

11. Enter the appropriate information into the Geographical Information dialog box, such as state, city, and country. Abbreviations are not allowed. Click Next to continue.

12. Enter a filename for the certificate request, such as C:\owacert.txt, and click Next to continue.

13. In the Request File Summary dialog box, review the summary for accuracy, and click Next to continue.

14. Click Finish to close the Web Server Certificate Wizard.

After the certificate request has been generated, the resulting text file, which will look similar to the one shown in Figure 2, can be emailed or otherwise transmitted to the certificate authority. Each CA has its own submission procedure, and the exact steps must follow that CA's process. After the CA has verified the organization's identity, it sends back the server certificate, typically as a file or as part of the body of an email message.

Figure 2. Viewing a certificate request file.
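The request file the wizard writes is a base64-encoded PKCS#10 structure, so the common name chosen in step 10 and the bit length chosen in step 8 can be verified before the file leaves the organization. The following Python is an added example and not code from the original article: it decodes such a request with a small hand-written DER reader, reports the subject fields and RSA key size, and flags a request whose CN is not the public FQDN or whose key is shorter than the 2048 bits public CAs require today. The DER helpers, the builder that produces the sample request, and the sample values other than mail.companyabc.com are constructed here; the sample request carries a placeholder key and a dummy signature and exists only so the parser can be exercised offline.

```python
import base64

# X.500 attribute OIDs (DER-encoded) and the PKCS#1 algorithm identifiers expected in an IIS request.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
             b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L"}
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"        # rsaEncryption
OID_SHA1_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"   # sha1WithRSAEncryption


def der_len(n):
    """DER length octets: short form below 128, long form (0x8N + N octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Minimal encoding of a non-negative INTEGER (adds a 0x00 when the high bit is set)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def parse_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_seq(body):
    """Split the body of a SEQUENCE or SET into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        children.append((tag, value))
    return children


def build_sample_csr_pem(subject, modulus, exponent=65537):
    """Construct a syntactically valid but UNSIGNED request so the parser can be tested offline."""
    name = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, value.encode())))
                    for oid, value in subject)                 # RDNSequence of SET { SEQ { OID, PrintableString } }
    rsa_key = tlv(0x30, der_int(modulus) + der_int(exponent))  # RSAPublicKey
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa_key))
    info = tlv(0x30, der_int(0) + tlv(0x30, name) + spki + tlv(0xA0, b""))   # version 0, no attributes
    sig_alg = tlv(0x30, tlv(0x06, OID_SHA1_RSA) + tlv(0x05, b""))
    csr = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" + bytes(128)))       # placeholder signature
    b64 = base64.b64encode(csr).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n" + "\n".join(lines) + "\n-----END NEW CERTIFICATE REQUEST-----\n"


def inspect_csr(pem):
    """Decode a PEM request and return its PKCS#10 version, subject fields and RSA key size in bits."""
    b64 = "".join(line.strip() for line in pem.splitlines() if line.strip() and not line.startswith("-----"))
    _, request, _ = parse_tlv(base64.b64decode(b64))
    (_, info), _sig_alg, _signature = parse_seq(request)
    (_, version), (_, subject), (_, spki), *_attrs = parse_seq(info)
    fields = {}
    for _, rdn_set in parse_seq(subject):
        for _, atv in parse_seq(rdn_set):
            (_, oid), (_, value) = parse_seq(atv)
            fields[OID_NAMES.get(oid, oid.hex())] = value.decode()
    (_, alg), (_, key_bits) = parse_seq(spki)
    key_size = None
    if parse_seq(alg)[0][1] == OID_RSA:
        (_, modulus), _exponent = parse_seq(parse_tlv(key_bits, 1)[1])   # skip the unused-bits octet
        key_size = int.from_bytes(modulus, "big").bit_length()
    return {"version": int.from_bytes(version, "big"), "subject": fields, "key_bits": key_size}


def review_request(pem, expected_fqdn, min_key_bits=2048):
    """List the problems to fix before the request is sent; an empty list means these checks passed."""
    info = inspect_csr(pem)
    cn = info["subject"].get("CN", "")
    findings = []
    if cn != expected_fqdn:
        findings.append(f"CN is {cn!r}, expected the public FQDN {expected_fqdn!r}")
    if "." not in cn:
        findings.append("CN is not a fully qualified DNS name")
    if info["key_bits"] is None or info["key_bits"] < min_key_bits:
        findings.append(f"RSA key is {info['key_bits']} bits; public CAs require at least {min_key_bits}")
    return findings


# Constructed sample mirroring the article's example name; the modulus is a placeholder, not a real key.
SAMPLE_CSR = build_sample_csr_pem(
    [(b"\x55\x04\x06", "US"), (b"\x55\x04\x08", "California"), (b"\x55\x04\x07", "San Francisco"),
     (b"\x55\x04\x0a", "CompanyABC"), (b"\x55\x04\x0b", "Messaging"), (b"\x55\x04\x03", "mail.companyabc.com")],
    modulus=(1 << 1023) | 1)   # 1024 bits, the wizard default described in step 8

if __name__ == "__main__":
    print(inspect_csr(SAMPLE_CSR))
    for finding in review_request(SAMPLE_CSR, "mail.companyabc.com"):
        print("FINDING:", finding)
```

Run against a real request file by reading it with `open("C:\\owacert.txt").read()` and passing the text to `review_request` together with the FQDN that the public DNS A record will carry. The parser deliberately stops at the subject and public key; it does not verify the self-signature, which the CA does on its side, and it reports any RDN it does not recognise by its dotted OID in hex so nothing in the subject is silently dropped.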

The certificate then needs to be installed on the server itself. If it was sent as a .cer file, it can simply be imported via the process described next. If it was included in the body of an email, the certificate text must be copied and pasted into a text editor such as Notepad and saved as a .cer file. After the .cer file has been obtained, it can be installed on the CAS using the following process:

1. From the CAS, open IIS Manager (Start, All Programs, Administrative Tools, Internet Information Services [IIS] Manager).

2. In the console tree, expand SERVERNAME (local computer) – Web Sites, right-click the OWA Virtual Server (typically named Default Web Site), and then click Properties on the shortcut menu.

3. Select the Directory Security tab.

4. Under Secure Communications, click the Server Certificate button.

5. On the welcome screen, click Next to continue.

6. In the Pending Certificate Request dialog box, select Process the Pending Request and Install the Certificate, and click Next to continue.

7. Enter the path and filename where the .cer file was saved (the Browse button can be used to locate the file), and click Next to continue.

8. Click Finish to finalize the certificate installation.

At this point in the process, SSL communication to the CAS can be allowed, but forcing SSL encryption for the ActiveSync traffic requires more configuration.
