VMware AirWatch Certificate Authentication for EAS with SEG and TMG. For VMware AirWatch

Transcription

1 VMware AirWatch Certificate Authenticatin fr EAS with SEG and TMG Fr VMware AirWatch H a v e d c u m e n t a t i n f e e d b a c k? S u b m it a D c u m e n t a t i n F e e d b a c k s u p p r t t ic k e t u s in g t h e S u p p r t W iz a r d n s u p p r t. a ir - w a t c h. c m. C p y r ig h t V M w a r e, I n c. A ll r ig h t s r e s e r v e d. T h is p r d u c t is p r t e c t e d b y c p y r ig h t a n d in t e lle c t u a l p r p e r t y la w s in t h e U n it e d S t a t e s a n d t h e r c u n t r ie s a s w e ll a s b y in t e r n a t i n a l t r e a t ie s. V M w a r e p r d u c t s a r e c v e r e d b y n e r m r e p a t e n t s lis t e d a t h t t p : / / w w w. v m w a r e. c m / g / p a t e n t s. V M w a r e is a r e g is t e r e d t r a d e m a r k r t r a d e m a r k f V M w a r e, I n c. in t h e U n it e d S t a t e s a n d t h e r j u r is d ic t i n s. A ll t h e r 1

2 Table f Cntents Chapter 1: Overview 3 Exchange ActiveSync with Secure Gateway and Threat Management Gateway 4 System Requirements fr EAS with SEG and TMG 4 High Level Design fr EAS with SEG and TMG 6 Implementatin Apprach fr EAS with SEG and TMG 7 Chapter 2: Exchange ActiveSync with SEG and TMG Installatin, Setup, and Cnfiguratin 12 Create a Web Listener n the TMG, EAS with SEG and TMG 13 Create a Web Publishing Rule n TMG t Publish Traffic t EAS r SEG 14 Enable Delegatin frm Active Directry when using a TMG, EAS with SEG and TMG 16 Enable Delegatin frm Active Directry when using a SEG, EAS with SEG and TMG 19 Create a Service Principal Name (SPN) fr the EAS Server, EAS with SEG and TMG 19 Create a Service Principal Name (SPN) fr the SEG, EAS with SEG and TMG 21 Cnfigure Service Accunt Delegatin Rights n TMG, EAS with SEG and TMG 21 Cnfigure Service Accunt Delegatin Rights n SEG, EAS with SEG and TMG 23 Cnfigure IIS fr Certificate Authenticatin with TMG, EAS with SEG and TMG 25 Cnfigure IIS fr Certificate Authenticatin with SEG, EAS with SEG and TMG 29 Chapter 3: Testing and Trubleshting 30 Trubleshting Overview fr EAS with SEG and TMG 31 Trubleshting Checks 31 2

3 Chapter 1: Overview Exchange ActiveSync with Secure Gateway and Threat Management Gateway 4 System Requirements fr EAS with SEG and TMG 4 High Level Design fr EAS with SEG and TMG 6 Implementatin Apprach fr EAS with SEG and TMG 7 3

4 C h a p t e r 1 : O v e r v i e w Exchange ActiveSync with Secure Gateway and Threat Management Gateway The implementatin f certificate distributin thrugh Wrkspace ONE UEM allws fr the authenticatin f devices thrugh client authenticatin certificates. Utilizing certificate authenticatin eliminates the need fr the device user t supply user credentials t authenticate fr access. Organizatins can use reverse prxies such as Micrsft s Threat Management Gateway (TMG) t authenticate users and pass the traffic alng t backend Exchange ActiveSync (EAS) servers. In rder t accmplish this, Kerbers cnstrained delegatin (KCD) is used t allw the TMG t delegate authenticatin t servers n the backend. The Wrkspace ONE UEM Secure Gateway (SEG) can be further harnessed t allw fr additinal cntrls in regards t which devices are allwed t sync mail. The intent f this dcument is t discuss tw cnfiguratins TMG t EAS server and TMG t SEG t EAS server and define the cnfiguratins required in rder t setup certificate authenticatin n a TMG t prxy request t backend EAS r SEG servers. Threat Management Gateway Frefrnt Threat Management Gateway is a secure web gateway that prvides cmprehensive prtectin against webbased threats by integrating multiple layers f prtectin. Frefrnt TMG acts as a reverse prxy in frnt f the EAS r SEG server and publishes traffic t the internal endpints. Kerbers Cnstrained Delegatin The Kerbers authenticatin prtcl is used t cnfirm the identity f users that are attempting t access resurces n a netwrk. Kerbers authenticatin uses tickets that are encrypted and decrypted by secret keys and d nt cntain user passwrds. These tickets are requested and delivered in Kerbers messages. Tw types f tickets are used: Ticket- Granting Tickets (TGTs) and Service tickets. Kerbers cnstrained delegatin prvides a way fr dmain administratrs t limit the netwrk resurces that a service trusted fr delegatin can access. This is accmplished by cnfiguring the accunt (cmputer r dmain accunt) under which the service is running t be trusted fr delegatin t a specific instance f a service running n a specific cmputer. Such a trust can als be applied t a set f specific instances f delegated services running n specific cmputers. Each instance f a service that uses Kerbers authenticatin needs t have a Service Principal Name (SPN) defined fr it s that clients can identify that instance f the service n the netwrk. The SPN is registered in the Active Directry Service-Principal-Name attribute f the Windws accunt under which the instance f the service is running. This way, the SPN is assciated with the accunt under which the instance f the service specified by the SPN is running. When a service needs t authenticate t anther service running n a specific cmputer, it uses that service's SPN t differentiate it frm ther services running n that cmputer. System Requirements fr EAS with SEG and TMG The fllwing is required in rder t cmplete the cnfiguratins utlined in this dcument. 4

5 C h a p t e r 1 : O v e r v i e w Ability t pass thrugh all firewalls used t islate the TMG and SEG frm the AD and EAS servers. An external certificate authrity (CA) cannt be used (e.g., VeriSign, etc.) t create user s certificates. An internal certificate authrity (CA) server must be used t create user s certificates. If yu need guidance as t the methdlgy f setting up an internal CA, cntact Wrkspace ONE UEM Supprt. Imprtant: CAs can be set up n servers running a variety f perating systems, including Windws 2000 Server, Windws Server 2003, and Windws Server Hwever, nt all perating systems supprt all features r design requirements. Creating an ptimal design requires careful planning and lab testing befre yu deply it in a prductin envirnment. The internal CA, TMG, and SEG must be cnfigured within the same enterprise dmain in rder t pass user certificates. Administrative access privileges t the Active Directry, Micrsft TMG, Wrkspace ONE UEM Secure Gateway (SEG) if installed, and EAS servers. Internet Infrmatin Services (IIS) with the Client Certificate Mapping Authenticatin ptin installed n the: TMG fr TMG t EAS cnfiguratins SEG fr TMG t SEG t EAS cnfiguratins 80% f the current resurces n the Exchange ActiveSync (EAS) server. Cnnectivity frm TMG and SEG t the AD and EAS servers. Other Prerequisites Befre cnfiguring the Threat Management Gateway (TMG) and Secure Gateway (SEG) t use certificate authenticatin, yu must have the fllwing. Fr TMG t EAS Installed and peratinal Threat Management Gateway (TMG). Windws Server 2003 r 2008 Standard with latest service packs and recmmended updates frm Micrsft. A device with an Exchange ActiveSync (EAS) prfile and certificate frm a dmain enterprise certificate authrity (CA). A TMG that is cnfigured as a member f the same dmain as the enterprise certificate authrity. Administrative permissins t cnfigure yur enterprise. Threat Management Gateway (TMG) Active Directry (AD) Exchange ActiveSync (EAS) server A certificate authrity prperly cnfigured t issue certificates thrugh Wrkspace ONE UEM. 5

6 C h a p t e r 1 : O v e r v i e w Fr TMG t SEG t EAS Everything included in the previus sectin. Installed and peratinal Secure Gateway (SEG). A SEG that is cnfigured as a member f the same dmain as the enterprise certificate authrity. Administrative permissins t be able t cnfigure yur enterprise SEG. High Level Design fr EAS with SEG and TMG The diagrams belw highlight the cmmunicatins flw fr a device attempting t cnnect t the Exchange ActiveSync (EAS) server using a certificate fr authenticatin. The first diagram shws the cnnectin thrugh the Micrsft TMG and the secnd diagram shws the same as the first with the additin f the Wrkspace ONE UEM Secure Gateway (SEG). The TMG and SEG reside in a Demilitarize Zne (DMZ) t prtect enterprise servers frm utside intruders. As such, certificate authenticatin is handled indirectly using Kerbers. TMG t EAS Server A request is made by Wrkspace ONE UEM t the enterprise dmain certificate authrity (can nly be issued by an internal CA) t prduce a certificate fr the user that cntains User Principal Name (UPN) mapping and their address in the Subject Alternative Name (SAN) f the certificate. Since the TMG is a member f the same enterprise dmain as the internal CA, it receives the certificate frm the CA and authenticates the certificate against Active Directry (AD). Once authenticated with AD, Kerbers issues a ticket t TMG with the user s credentials allwing the TMG t impersnate (authenticate) the user s device t the EAS server. EAS accepts the TMG s impersnatin (authenticatin) and allws the user t access . 6

7 C h a p t e r 1 : O v e r v i e w Implementatin Apprach fr EAS with SEG and TMG Befre yur enterprise server can securely pass t the user s device, yu need t cnfigure yur server t perfrm the fllwing tasks. Recgnize the user s device Trust the end-user is the authrized user f the device. This is accmplished by authenticating that user and their device with a certificate. Regardless f the enterprise server being used, the methdlgy f certificate authenticatin is basically the same. If yu understand the methdlgy, have the technical expertise, and have a strng understanding f the hardware and sftware required, then it is much easier t cnfigure a certificate and ensures the user has a seamless experience receiving their . The fllwing sectins discuss tw different implementatin appraches. TMG t EAS TMG t SEG t EAS. The first sectin describes the apprach fr bth cnfiguratins and the next tw sectins describe the apprach fr the cnfiguratin invlving Secure Gateway. In all sectins, steps are referenced, which crrelate t the steps that prvide detailed infrmatin. 7

8 C h a p t e r 1 : O v e r v i e w Cnfigure Either TMG t EAS r TMG t SEG t EAS Server This implementatin includes steps 1 and 2, which are required fr cnfiguring either TMG t EAS r TMG t SEG t EAS servers. After yu cmplete these steps, yu need t advance t either Cnfigure TMG t EAS Server n page 9 r Cnfigure TMG t SEG t EAS Server n page 10. 8

9 C h a p t e r 1 : O v e r v i e w Step 1: Create a Web Listener n the TMG First, regardless f the cnfiguratin, the web listener is always created n the TMG s the first step is t create a web listener n the TMG in rder fr it t pre-authenticate the cnnectin and incming requests frm clients, and then allw thse devices t securely access the user s by: Creating a Name fr the Web Listener Setting Up Secure Scket Layer (SSL) Setting Up an External IP Address fr the Web Listener Assciating a Certificate t the Web Listener Selecting SSL fr Client Certificate Authenticatin Cmpleting the Wizard Step 2: Create a Web Publishing Rule n TMG t Publish Traffic t EAS r SEG Next, regardless f the cnfiguratin, the web publishing rule is always created n the TMG. Depending n the cnfiguratin, the TMG pints t either the EAS r SEG server. If yur cnfiguratin is a TMG t EAS, yu need t create a web publishing rule n the TMG server t publish Exchange Client Access traffic directly t an EAS server, whereas if yur cnfiguratin is TMG t SEG t EAS, yu must use the SEG server as the published website instead f the EAS server. Yu can create a web publishing rule fr either cnfiguratin by: Creating a Name fr the Web Publishing Rule. Yu can use mre than ne web publishing rule fr each web listener. Selecting the Versin f Exchange Server Publishing the Rule t a Single Web Site r Lad Balancer Selecting SSL t Cnnect t a Published Web Server Cnfiguring the Internal Dmain Name fr the EAS r SEG Server Cnfiguring the Public Name Dmain fr the Published Site Assciating the Publishing Rule t the Web Listener A web publishing rule is assciated with the web listener yu created in Create a Web Listener n the TMG. When applying a web publishing rule, yu need t specify the web listener t be used alng with it in the TMG. Selecting Kerbers Cnstrained Delegatin and Service Principal Name Applying the Publishing Rule t All Authenticated Users Saving the Cnfiguratins fr the Exchange Publishing Rule Advance t either Cnfiguring TMG t EAS Server r Cnfigure TMG t SEG t EAS Server n page 10 Cnfigure TMG t EAS Server This implementatin is nly fr TMG t EAS cnfiguratins. It includes steps 3a thrugh 6a fr cnfiguring a TMG t EAS server. 9

10 C h a p t e r 1 : O v e r v i e w Step 3a: Enable Delegatin frm Active Directry when using a TMG After creating the listener and rule, yu need t enable delegatin frm AD. In rder fr the TMG t impersnate a device user when authenticating n an EAS server, the TMG server must be given the apprpriate permissins in the Active Directry (AD) server by ding the fllwing: Cnfiguring AD t enable the TMG fr delegatin Enabling the TMG t delegate HTTP EAS traffic t the EAS server Step 4a: Create a Service Principal Name (SPN) fr the EAS Server Nw that delegatin is enabled, yu need t create a Service Principal Name (SPN) fr the EAS server, if needed. This can smetimes depend n the custmer cnfiguratin and server (i.e. if an internal web address is referenced in the Authenticatin Delegatin page), but by default with a single server, yu nly need t specify the server name with the http service. Use ne f the fllwing tw methds t add an SPN. Bth f the fllwing methds require a dmain accunt that has access t write t the Active Directry: frm the cmmand line r frm ADSIedit. Step 5a: Cnfigure Service Accunt Delegatin Rights n TMG After creating an SPN, yu first need t cnfigure delegatin rights n the TMG server and then give permissins t the service accunt that is attached t the TMG Applicatin Pl by ding the fllwing: Cnfiguring lcal security plicy fr TMG t act as part f the Operating System Cnfiguring lcal security plicy fr TMG t impersnate a client after authenticatin Step 6a: Cnfigure IIS fr Certificate Authenticatin with TMG The last step is t authenticate the user s device that is assigned t a particular certificate by cnfiguring Internet Infrmatin Services (IIS) n the EAS server t accept that certificate by ding the fllwing: Enabling Active Directry client certificate authenticatin in IIS Enabling client certificate mapping authenticatin Requiring SSL fr authenticatin Adjusting upladreadaheadsize memry size Cnfigure TMG t SEG t EAS Server This implementatin includes steps 3a thrugh 6a in Cnfigure TMG t EAS Server n page 9 with the additin f the fllwing steps (3b thrugh 6b) that are related t adding a SEG between the TMG and EAS servers. Step 3b: Enable Delegatin frm Active Directry when using a SEG After creating the listener and rule, yu need t enable delegatin frm AD. In rder fr the TMG and SEG t impersnate a device user when authenticating n an EAS server, first yu must give the apprpriate permissins in the Active Directry (AD) server frm the TMG t SEG servers, and then give the same permissins frm the SEG t EAS servers by ding the fllwing: Cnfiguring AD t enable the TMG fr delegatin Enabling the TMG t delegate HTTP EAS traffic t the SEG server 1 0

11 C h a p t e r 1 : O v e r v i e w Cnfiguring AD t enable the SEG fr delegatin Enabling the SEG t delegate HTTP EAS traffic t the EAS server Step 4b: Create a Service Principal Name (SPN) fr the SEG Nw that delegatin is enabled, yu need t first create a Service Principal Name (SPN) fr the EAS server, and then create an SPN n the SEG. Use ne f the fllwing tw methds t add an SPN fr the EAS server and then d it again fr the SEG. Bth f the fllwing methds require a dmain accunt that has access t write t the Active Directry: Frm the cmmand line Frm ADSIedit Step 5b: Cnfigure Service Accunt Delegatin Rights n SEG After creating an SPN, yu first need t cnfigure delegatin rights n the TMG server and then give permissins t the service accunt that is attached t the TMG Applicatin Pl. Once that is dne, yu need t fllw the same prcedure and cnfigure delegatin rights n the SEG and then give permissins t the service accunt that is attached t the SEG Applicatin Pl. Yu can perfrm all these steps by ding the fllwing: Cnfiguring lcal security plicy fr TMG t act as part f the Operating System Cnfiguring lcal security plicy fr TMG t impersnate a client after authenticatin Verifying the identity f the SEG Cnfiguring lcal security plicy fr SEG t Act as Part f the Operating System Cnfiguring lcal security plicy fr SEG t Impersnate a Client after Authenticatin Step 6b: Cnfigure IIS fr Certificate Authenticatin with SEG The last step is t authenticate the user s device that is assigned t a particular certificate by cnfiguring Internet Infrmatin Services (IIS) n the SEG server t accept that certificate by ding the fllwing: Enabling Active Directry Client Certificate Authenticatin in IIS Enabling Client Certificate Mapping Authenticatin Requiring SSL fr Authenticatin Adjusting upladreadaheadsize Memry Size 1 1

12 Chapter 2: Exchange ActiveSync with SEG and TMG Installatin, Setup, and Cnfiguratin Create a Web Listener n the TMG, EAS with SEG and TMG 13 Create a Web Publishing Rule n TMG t Publish Traffic t EAS r SEG 14 Enable Delegatin frm Active Directry when using a TMG, EAS with SEG and TMG 16 Enable Delegatin frm Active Directry when using a SEG, EAS with SEG and TMG 19 Create a Service Principal Name (SPN) fr the EAS Server, EAS with SEG and TMG 19 Create a Service Principal Name (SPN) fr the SEG, EAS with SEG and TMG 21 Cnfigure Service Accunt Delegatin Rights n TMG, EAS with SEG and TMG 21 Cnfigure Service Accunt Delegatin Rights n SEG, EAS with SEG and TMG 23 Cnfigure IIS fr Certificate Authenticatin with TMG, EAS with SEG and TMG 25 Cnfigure IIS fr Certificate Authenticatin with SEG, EAS with SEG and TMG

13 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d Create a Web Listener n the TMG, EAS with SEG and TMG Regardless f the cnfiguratin (TMG t EAS r TMG t SEG t EAS), the first step is t create a web listener n the Threat Management Gateway (TMG). In rder fr devices t securely access mail thrugh the TMG, the TMG must have a web listener created t accept incming cmmunicatins frm devices. It als enables TMG t pre-authenticate the cnnectin and incming requests frm the clients. First, yu must create a name fr the Web Listener. 1. In the Frefrnt TMG Management cnsle tree, select Firewall Plicy. 2. On the task pane, select the Tlbx tab and then select Netwrk Objects >New. 3. Select the Web Listener ptin. 4. In the New Web Listener Definitin Wizard windw, enter the Web listener name with an apprpriate descriptin. 5. Click Next. Next, yu must set up Secure Scket Layer (SSL) 6. On the Client Cnnectin Security page, select Require SSL secured cnnectins with clients. 7. Click Next. Next, yu must set up an external IP address fr the Web listener. 8. On the Web Listener IP Addresses page, select the External netwrk checkbx. Or if yu have multiple IP addresses assciated with this netwrk, select ne f thse IP addresses. 9. Click Next. The selectin can be changed based n a client s specific cnfiguratin; but generally, yu have t select the External netwrk. 10. Click the Select IP Addresses buttn and then select Specified IP Addresses n the Frefrnt TMG cmputer in the selected netwrk. 11. Belw Available IP Addresses, select the IP address fr the website. 12. Click Add. 13. Click OK. 14. Click Next. Next, yu must assciate a certificate t the Web listener. 15. On the Listener SSL Certificate page, select Select Certificate. 16. Select the respective certificate and select Select. The selected certificate is used with this listener and is the URL that the TMG is ruting. Click Next. Next, yu must select the SSL fr client certificate authenticatin. 17. On the Authenticatin Settings page, select SSL Client Certificate Authenticatin frm the drp-dwn menu. 1 3

14 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 18. Click Next. Next, yu must cmplete the wizard. 19. On the Single Sign n Settings page, an errr message appears stating SSO is nt available fr the currently selected client authenticatin methd. SSO is nly available fr HTML Frm Authenticatin. 20. Ignre the message and select Next. 21. Click Finish. Next, see the tpic entitled Create a Web Publishing Rule n TMG t Publish Traffic t EAS r SEG n the fllwing page. Create a Web Publishing Rule n TMG t Publish Traffic t EAS r SEG Regardless f the cnfiguratin, the web publishing rule is always created n the Threat Management Gateway (TMG). Depending n yur cnfiguratin, the TMG pints t either the EAS r SEG server. If yur cnfiguratin is a TMG t EAS, yu need t create a web publishing rule n the TMG server t publish Exchange Client Access traffic directly t an EAS server. If yur cnfiguratin is TMG t SEG t EAS, yu must use the SEG server as the published website instead f the EAS server. A web publishing rule is assciated with the web listener yu created in the previus tpic Create a Web Listener n the TMG. When applying a web publishing rule, yu specify the web listener t be used alng with it in the TMG. Yu can use mre than ne web publishing rule fr each web listener. The fllwing prcedure explains hw t create a web publishing rule fr bth cnfiguratins. If yu are adding a SEG t an existing TMG t EAS cnfiguratin, make sure the web publishing rule is n lnger cnfigured t publish Exchange Client Access traffic t the EAS server befre cnfiguring it t publish t the SEG server. First, yu must create a name fr the Web publishing rule. 1. In the Frefrnt TMG Management cnsle tree, expand the Server nde and then select Firewall Plicy. 2. On the task pane, select Tasks tab, and then select Publish Exchange Web Client Access. 3. In the New Exchange Publishing Rule Wizard windw, enter the Exchange Publishing rule name with an apprpriate descriptin t identify the website being published. 4. Click Next. Next, yu must select the versin f the Exchange server. 5. On the Select Services page, select the Exchange versin drp-dwn menu and select the versin f the Exchange server being used. 6. Check the Exchange ActiveSync client checkbx. 7. Click Next. Next, yu must publish the rule t a single Web site r lad balancer. 8. On the Publishing Type page, select Publish a single Web site r lad balancer. 1 4

15 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 9. Click Next. If there are multiple EAS servers, yu have the ptin f selecting the secnd ptin which allws the TMG t act as a lad balancer. Next, yu must select SSL t cnnect t a published Web server. 10. On the Server Cnnectin Security page, select Use SSL t cnnect t the published Web server r server farm. 11. Click Next. Next, yu must cnfigure the internal dmain name fr the EAS r SEG server. 12. On the Internal Publishing Details page, enter the internal dmain name in the Internal site name field. 13. Click Next. If this cnfiguratin is being used t setup an EAS server, put the EAS server name in the field. If this is t setup a Wrkspace ONE UEM SEG, put the SEG server infrmatin in the field. Next, yu must cnfigure the public name dmain fr the published site. 14. On the Public Name Details page, select the Accept requests fr drp-dwn arrw and select This dmain name (type belw) ptin. 15. Enter the public dmain name f the EAS r SEG server in the Public Name. The public DNS recrd infrmatin used fr this website is that being published. Next, yu must assciate the publishing rule t the Web listener. 16. On the Select the Web listener page, select the Web Listener drp-dwn arrw and select the name f the web listener yu created in the previus step. 17. Click Next. Next, yu must select Kerbers Cnstrained Delegatin and enter the Service Principal Name. 18. On the Authenticatin Delegatin page, select the drp-dwn arrw and select Kerbers cnstrained delegatin. 19. Enter the Service Principal Name in the field. Enter the same name as the name that will be used in the next step. 20. Click Next. The Kerbers cnstrained delegatin ptin is selected fr authenticatin. The Service Principal Name sectin can vary depending n custmer cnfiguratin, but by default with a single server, yu can just specify the server name with the http service. If the TMG is t be used as a lad balancer acrss multiple servers, then the SPN value here shuld be set t http//*. Next, yu must apply the publishing rule t all authenticated users. 21. On the User Sets page, select All Authenticated Users. 22. Click Next. Nte: This is selected t make sure nly users with the apprpriate credentials are allwed t access. Next, yu must save the cnfiguratin fr the Exchange publishing rule. 1 5

16 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 23. Click Finish t cmplete the Exchange Publishing Rule wizard. A prmpt appears t infrm yu that yu may have t cnfigure the SPNs fr the services. If yu are using the server name as the SPN in the previus step, there is n further cnfiguratin necessary. If yu are referencing an internal URL then yu need t add the SPN and assciate it with the server accunt in Active Directry. Next, prceed t Enable Delegatin frm Active Directry when using a TMG. Enable Delegatin frm Active Directry when using a TMG, EAS with SEG and TMG In rder fr the Threat Management Gateway (TMG) t impersnate a device user when authenticating n an EAS server, the TMG server must be given the apprpriate permissins in the Active Directry (AD) server. This step must be cmpleted whether r nt yu are emplying the use f a Secure Gateway (SEG). There are instructins at the end f this tpic that direct yu t the next step, SEG r n SEG. First, yu must cnfigure AD t enable the TMG fr delegatin. 1. On the AD server, select Active Directry Users and Cmputers. 2. In the left-hand pane, select the flder where the TMG server is lcated (e.g., Cmputers). The available TMG servers display in the right-hand pane as shw belw. 3. Right-click the TMG server name and select Prperties. The Prperties windw fr the TMG server displays. 1 6

17 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 4. Click the Delegatin tab. 5. Select the Trust this cmputer fr delegatin t specified services nly. 6. Select Use any authenticatin prtcl. 7. Click Add. The Add Services windw displays. Next, yu must enable the TMG t delegate HTTP EAS traffic t the EAS server. 8. Click Users r Cmputers 9. The Select Users r Cmputers windw displays. Enter the name f the EAS server. 1 7

18 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 10. Click OK. The Add Services windw displays. 11. Under Available services, select http Service Type. 12. Click OK. 13. Yu nw see n the Delegatin tab, a listing fr the http Service Type and the name f yur EAS server under the User r Cmputer clumn. 14. Click OK. If yu are nt emplying the use f a SEG, then skip ahead t the tpic Create a Service Principal Name (SPN) fr the EAS Server. Otherwise, prceed t Enable Delegatin frm Active Directry when using a SEG. 1 8

19 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d Enable Delegatin frm Active Directry when using a SEG, EAS with SEG and TMG As mentined previusly, whenever a SEG is inserted between the TMG and EAS servers, yu need t enable delegatin frm bth the TMG and SEG servers. T enable delegatin frm active directry, yu need t repeat all the steps in Enable Delegatin frm Active Directry when using a TMG when using a TMG fr the TMG t SEG servers, and then again frm the SEG t the EAS servers. Cnfigure AD t Enable TMG fr Delegatin Enable TMG t Delegate HTTP EAS Traffic t SEG Cnfigure AD t Enable SEG fr Delegatin Enable SEG t Delegate HTTP EAS Traffic t EAS Next, see Create a Service Principal Name (SPN) fr the EAS Server. Create a Service Principal Name (SPN) fr the EAS Server, EAS with SEG and TMG Service Principal Names are used t supprt mutual authenticatin between a client applicatin and a service. In rder fr the EAS service t deliver t the device, the EAS server must be furnished with an SPN frm the Active Directry (AD) server. This step must be cmpleted whether r nt yu are emplying the use f a Secure Gateway (SEG). There are instructins at the end f this tpic that direct yu t the next step, SEG r n SEG. First, yu must create an SPN fr the EAS server. There are tw methds t add SPNs. Bth require a dmain accunt that has access t write t the Active Directry. Cmmand line prmpt. The ADSIedit mdule. Frm the Cmmand Line Setspn A http/<internaladdress> dmain/cmputeraccuntname Frm ADSIedit 1. Frm the dmain cntrller, pen ADSI Edit. a. Open MMC and add ADSIedit snap-in, r b. Run menu and type adsiedit.msc mdule. 2. Right-click ADSI Edit. 3. In the Cnnectins Settings windw, select Select a well knwn Naming Cntext. 4. Click the drp-dwn arrw and select Default naming cntext. 1 9

20 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 5. Select Default (Dmain r server that yu lgged in t). 6. Click OK. 7. Click the + bx t expand the directry f flders. 8. In the right pane, lcate the server where SPN is set, right-click it and select Prperties. The Prperties windw fr the SPN server displays. 9. In the Attribute Editr tab, lcate and select serviceprincipalname. 10. Click Edit. A Multi-valued String Editr dialg bx pens. 2 0

21 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 11. In the Value t add field, type the required SPN, select Add after each entry, and then select OK twice t clse the dialg bx. 12. Clse ADSI Edit. If yu are nt emplying the use f a SEG, then skip ahead t the tpic Cnfigure Service Accunt Delegatin Rights n TMG. Otherwise, see Create a Service Principal Name (SPN) fr the SEG. Create a Service Principal Name (SPN) fr the SEG, EAS with SEG and TMG As mentined previusly, whenever a SEG is inserted between the TMG and EAS servers, yu need t first create a Service Principal Name (SPN) fr the EAS server. Then yu need t create an SPN n the SEG by repeating all the steps in Create a Service Principal Name (SPN) fr the EAS Server and replacing all references t EAS server with SEG. The SEG als needs t have a dmain accunt that has access t write t the Active Directry. The final result after using either the Cmmand Line r ADSIedit shuld be... Yu created an SPN fr the EAS server, Yu created an SPN fr the SEG. Next, yu must Cnfigure Service Accunt Delegatin Rights n TMG. Cnfigure Service Accunt Delegatin Rights n TMG, EAS with SEG and TMG In additin t cnfiguring delegatin rights n the TMG server, the service accunt that is attached t the TMG Applicatin Pl must als be given delegatin permissins. This step must be cmpleted whether r nt yu are emplying the use f a Secure Gateway (SEG). There are instructins at the end f this tpic that direct yu t the next step, SEG r n SEG. 2 1

22 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d First, yu must cnfigure the lcal security plicy fr TMG t act as part f the perating system. 1. On the TMG server, pen a cmmand prmpt by selecting Start > Run. 2. Type cmd and then select OK. 3. In the cmmand prmpt, type secpl.msc and then select OK. A Lcal Security Plicy windw displays. 4. In the left-hand pane, select Security Settings > Lcal Plicies > User Rights Assignments. 5. In the right-hand pane, under Plicy, select Act as part f the perating system. A dialg windw appears. 6. Click Add User r Grup. 7. Type the name f the Service Accunt attached t the Applicatin Pl. The name must be the same as the name assciated t the TMG (i.e., Netwrk Service). 8. Click OK. The Lcal Security Plicy windw displays. Next, yu must cnfigure the lcal security plicy fr TMG t impersnate a client after authenticatin. 9. In the right-hand pane, under Plicy, duble-click Impersnate a client after authenticatin. A Prperties dialg bx appears. 2 2

23 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 10. The Service Accunt that is attached t the Applicatin Pl must be the same as the name assciated t the TMG (i.e., Netwrk Service). Verify that name displays in the list. If nt, d the fllwing: a. Click Add User r Grup. b. Add the name f the Service Accunt. 11. Select the Service Accunt in the list (i.e., Netwrk Service). 12. Click OK. If yu are nt emplying the use f a SEG, then skip t Cnfigure IIS fr Certificate Authenticatin with TMG. Otherwise, prceed t Create a Service Principal Name (SPN) fr the SEG. Cnfigure Service Accunt Delegatin Rights n SEG, EAS with SEG and TMG Whenever a SEG is inserted between the TMG and EAS servers, yu need t enable delegatin rights and permissins n the SEG by repeating all the steps belw, fllwed by Cnfigure Service Accunt Delegatin Rights n TMG and 2 3

24 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d replacing all references t TMG with SEG. The final result is yu shuld have cmpleted the fllwing. Cnfigure Service Accunt Delegatin Rights n TMG by... Cnfiguring Lcal Security Plicy fr TMG t Act as Part f OS, Cnfiguring Lcal Security Plicy fr TMG t Impersnate a Client after Authenticatin. Verify the Identity f the SEG Cnfigure Service Accunt Delegatin Rights n SEG by... Cnfiguring Lcal Security Plicy fr SEG t Act as Part f OS, Cnfiguring Lcal Security Plicy fr SEG t Impersnate a Client after Authenticatin. In rder t verify the service accunt that needs t be enabled with delegatin rights, yu can pen IIS n the SEG server and fllw this prcedure. If yu are already aware f the SEG service accunt, prceed with replacing all references t TMG with SEG. 1. Launch Internet Infrmatin Services (IIS) Manager by selecting Start > Run. 2. Type inetmgr and select OK. The IIS Manager windw appears. 3. In the left-hand Cnnectins pane, select the SEG server. 4. Click the Applicatin Pls flder. 5. In the right-hand Applicatin Pls pane, lcate the Secure Gateway. 6. Under the Identity clumn, verify the identity f the Secure Gateway is Netwrk Service. Next, yu must Cnfigure IIS fr Certificate Authenticatin with SEG. 2 4

25 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d Cnfigure IIS fr Certificate Authenticatin with TMG, EAS with SEG and TMG In rder t authenticate the user s device that is assigned t a particular certificate, Internet Infrmatin Services (IIS) must be cnfigured t accept that certificate. Fr the cnfiguratins shwn in this dcument, IIS can nly be cnfigured n either a SEG r EAS server. Where IIS resides is dependent n the cnfiguratin as fllws. If the cnfiguratin is TMG t EAS then yu can cnfigure IIS n the EAS server. If the cnfiguratin is TMG t SEG t EAS then yu can cnfigure IIS n the SEG server. This sectin discusses cnfiguring IIS n the EAS server. If a SEG is included in yur cnfiguratin, skip this step and see the tpic Cnfigure IIS fr Certificate Authenticatin with SEG. First, yu must enable Active Directry client certificate authenticatin in IIS. 1. On the EAS server, launch Internet Infrmatin Services (IIS) by selecting Start > Run. In the dialg bx type inetmgr and select OK. The IIS Manager windw appears. 2. In the left-hand Cnnectins pane, select the EAS server. 3. In the main pane, under the IIS sectin, duble-click the Authenticatin icn. 4. Select Active Directry Client Certificate Authenticatin. 5. In the right-hand pane, select Enable. 6. Once the abve step is cmplete, restart the IIS Admin service frm the Services cnsle. Next, yu must enable the client certificate in the Exchange Management Cnsle. 7. In the Exchange Management Cnsle, expand Server Cnfiguratin and then select the Client Access Server that yu want t cnfigure. 8. On the Exchange ActiveSync tab, right-click the Micrsft-Server-ActiveSync directry and chse Prperties. 9. On the Authenticatin tab, clear the Basic authenticatin (passwrd is sent in clear text) checkbx and select the ptin Require client certificates. Next, yu must enable client certificate mapping authenticatin. 10. Click the + sign t expand the Sites flder. 2 5

26 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 11. Click the + sign t expand the Default Web Site and display the sever yu want t cnfigure. a. If yu are using MS Server 2008 R2 r later, the Cnfiguratin Editr icn appears as shwn in the screen belw. This icn des nt appear in lder versins f MS Server. Select Micrsft-Server-ActiveSync and duble-click the Cnfiguratin Editr icn. Skip step b & c, and g t step 3. b. If yu are using Exchange ActiveSync (EAS) servers lder than 2008 R2, yu need t be familiar with the use f appcmd.exe and run it frm the cmmand prmpt. c. Open a cmmand prmpt by selecting Start > Run. In the dialg bx type cmd and select OK. In the cmmand prmpt, type the fllwing cmmand. appcmd.exe set cnfig Micrsft-Server-ActiveSync - sectin:system.webserver/security/authenticatin/clientcertificatemappinga uthenticatin /enabled:true /cmmit:apphst 12. In the Sectin drp-dwn, navigate t system.webserver/security/authenticatin. 13. Select clientcertificatemappingauthenticatin. 14. On the Enabled ptin, select True frm the drp-dwn bx. 2 6

27 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 15. In the right-hand pane, select Apply. If nly certificate authenticatin is being used then yu must cnfigure Secure Scket Layer (SSL). Otherwise, if authenticatin ther than certificates is used then yu d nt need t cnfigure SSL. 16. Select Micrsft-Server-ActiveSync, and then duble-click the SSL Settings icn. 2 7

28 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d 17. If nly certificate authenticatin is allwed, then select Require SSL and select Required. If ther types f authenticatin are allwed, select Accept. 18. In the right-hand pane, select Apply. Next, yu must adjust the upladreadaheadsize memry size. Since certificate based authenticatin uses a larger amunt f data during the authenticatin prcess, sme adjustments must be made in IIS cnfiguratin t accunt fr the increased amunt f data. This is accmplished by increasing the value f the upladreadaheadsize. The fllwing steps guide yu thrugh the cnfiguratin. 19. Open a cmmand prmpt by selecting Start > Run. 20. Type cmd and select OK. A text editr windw appears. 21. Increase the value f the upladreadaheadsize frm the default f 48KB t 10MB by entering the fllwing 2 8

29 C h a p t e r 2 : E x c h a n g e A c t i v e S y n c w i t h S E G a n d T M G In s t a l l a t i n, S e t u p, a n d cmmands: C:\Windws\System32\inetsrv\appcmd.exe set cnfig - sectin:system.webserver/serverruntime /upladreadaheadsize: /cmmit:apphst C:\Windws\System32\inetsrv\appcmd.exe set cnfig Default Web Site - sectin:system.webserver/serverruntime /upladreadaheadsize: /cmmit:apphst The Default Web Site is used. If the name f the site has been changed in IIS then the new name needs t replace Default Web Site in the secnd cmmand. 22. Type the fllwing cmmand t reset the IIS. iisreset Cnfigure IIS fr Certificate Authenticatin with SEG, EAS with SEG and TMG As mentined previusly, whenever a SEG is inserted between the TMG and EAS servers, IIS is n lnger cnfigured n the EAS server, it is cnfigured n the SEG server. The prcedure fr cnfiguring IIS is exactly the same n matter where IIS resides. Fr that reasn, rather than duplicate the same prcedure in Cnfigure IIS fr Certificate Authenticatin with TMG, g back t that sectin and whenever it mentins perfrming a step n the EAS server, replace that reference t the EAS server with the SEG server. 2 9

30 Chapter 3 : Testing and Trubleshting Trubleshting Overview fr EAS with SEG and TMG 31 Trubleshting Checks

31 C h a p t e r 3 : T e s t i n g a n d T r u b l e s h t i n g Trubleshting O verview fr EAS with SEG and TMG Yu can cnfirm that the SEG is perfrming certificate authenticatin by pushing a user s prfile t the device and testing whether r nt the device is able t cnnect and sync with the cnfigured SEG end-pint. If the device des nt cnnect and displays a message that the certificate cannt be authenticated r the accunt cannt cnnect t EAS, then the prblem is related t the cnfiguratin. Trubleshting Check s Make sure that a certificate is being issued by the CA t the device by checking the fllwing infrmatin. If Exchange server returns a 401, add NTLM and Negtiate as prviders t Windws Authenticatin. G t the internal CA Server, launch the certificatin authrity applicatin, and brwse t the issued certificates sectin. Find the last certificate that was issued and it shuld have a subject that matches the ne created in the certificate template sectin earlier in this dcument. If there is n certificate, then there is an issue with the CA, client access server (e.g., SCEP), r with the Wrkspace ONE UEM cnnectin t client access server. Check that the permissins f the client access server (e.g., SCEP) Admin Accunt are applied crrectly t the CA, and the template n the CA. Check that the accunt infrmatin is entered crrectly in the Wrkspace ONE UEM cnfiguratin. 3 1

32 C h a p t e r 3 : T e s t i n g a n d T r u b l e s h t i n g Verify the Server URL and the SCEP Challenge URL cntain the crrect infrmatin and end with a /. Launch a brwser and enter the SCEP Challenge URL. The website shuld prmpt yu fr credentials. After entering the SCEP Admin Accunt username and passwrd, it shuld return with the challenge passphrase. If the certificate is being issued, make sure that it is in the Prfile Paylad and n the device. Navigate t Devices >Prfiles >List View. Click the actin icn fr the device and select < / > View X ML t view the prfile X ML. There is certificate infrmatin that appears as a large sectin f text in the paylad. On the device, g t the prfiles list, select details and see if the certificate is present. Cnfirm that the certificate cntains the Subject Alternative Name (r SAN) sectin and that in that sectin there is an and Principal name with the apprpriate data. If this sectin is nt in the certificate then either the template is incrrect f the certificate authrity has nt been cnfigured t accept SAN. Refer t the sectin n cnfiguring the certificate authrity. Cnfirm that the certificate cntains the Client Authenticatin in the Enhanced Key Usage sectin. If this is nt present, then the template is nt cnfigured crrectly. If the certificate is n the device and cntains the crrect infrmatin, then the prblem is mst likely with the security settings n the SEG server. Cnfirm that the address f the SEG server is crrect in the Wrkspace ONE UEM prfile and that all the security settings have been adjusted fr allwing certificate authenticatin n the SEG server. A very gd test t run is t manually cnfigure a single device t cnnect t the SEG/ EAS server using certificate authenticatin. This shuld wrk utside f Wrkspace ONE UEM and until this wrks prperly, Wrkspace ONE UEM cannt cnfigure a device t cnnect t EAS with a certificate. Refer t the External References and Dcuments sectin fr a link t a step by step guide fr cnfiguring a device t cnnect t EAS using a certificate. If yu are adding a SEG t an existing TMG t EAS cnfiguratin (i.e., TMG t SEG t EAS), make sure the web publishing rule is n lnger cnfigured t publish Exchange Client Access traffic t the EAS server befre cnfiguring it t publish t the SEG server. If yu are adding a SEG t an existing TMG t EAS cnfiguratin (i.e., TMG t SEG t EAS), make sure the TMG is n lnger cnfigured t perfrm certificate authenticatin befre yu cnfigure the SEG t handle certificate authenticatin. If nne f the steps abve reslve the prblem, try authenticating independent f Wrkspace ONE UEM. This is dne by eliminating the Wrkspace ONE UEM (e.g., SEG) and nly using a certificate t authenticate the device. If this desn t wrk then there are ther prblems ccurring. Until thse prblems are reslved, yu will nt be able t use the SEG t handle certificate authenticatin. If yu cannt authenticate, verify the clcks n the SEG and Kerbers. Kerbers prduces a ticket fr the SEG t authenticate the user n the mail server. The timestamp n that ticket must be n mre than five minutes apart frm the SEG s time clck. Verify the time clck n the SEG and Kerbers are within five minutes apart. Yu als might want t cnsider the use f Netwrk Time Prtcl daemns t keep all time clcks synchrnized. 3 2

33 C h a p t e r 3 : T e s t i n g a n d T r u b l e s h t i n g If yu cannt authenticate, evaluate yur netwrk. If yu nly have ne Kerbers server cnfigured, it is pssible the server is nt peratinal. Withut it, n ne can lg in. T stp this frm ccurring, yu might cnsider using multiple Kerbers servers and fallback authenticatin mechanisms. 3 3