VMware AirWatch Certificate Authentication for EAS with SEG


For VMware AirWatch

Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

This product is protected by copyright and intellectual property laws in the United States and other countries as well as by international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Table of Contents

Chapter 1: Overview
  AirWatch Certificate Authentication for EAS with SEG
  Prerequisites, EAS with SEG
  Communications Flow, EAS with SEG
  Implementation Methodology, EAS with SEG
Chapter 2: Exchange ActiveSync with SEG Installation, Setup, and Configuration
  Step 1: Register Target Service, EAS with SEG
  Step 2: Configure Delegation Settings on the SEG Server, EAS with SEG
  Step 3: Enable EAS Server to Accept Kerberos Tickets, EAS with SEG
  Step 4: Configure IIS for Certificate Authentication on the SEG, EAS with SEG
  Step 5: Configure Delegation Rights on the SEG Service Account, EAS with SEG
Chapter 3: Testing and Troubleshooting
  Troubleshooting Overview, EAS with SEG
  Additional SETSPN Commands, EAS with SEG
  Install the Role in IIS, EAS with SEG
Accessing Other Documents


Chapter 1: Overview

AirWatch Certificate Authentication for EAS with SEG

The Secure Email Gateway by AirWatch provides an added layer of management visibility to mobile email and provides enforceable access control based on security policies for corporations that are serious about mobile email management and security. However, for maximum security and control, corporations may couple the Secure Email Gateway with certificate-based authentication to their email infrastructure. Because the device then authenticates to the SEG with a certificate rather than with a password, the SEG has no user credential it can forward to Exchange; instead it must obtain a Kerberos ticket on the user's behalf, which requires Kerberos Delegation. This document discusses how to configure your infrastructure for Kerberos Delegation to enable EAS certificate authentication with the SEG.

Prerequisites, EAS with SEG

Before configuring the Secure Email Gateway (SEG) to use certificate authentication, you must have the following.

- An internal certificate authority (CA) server must be used to create users' certificates. An external CA (e.g., VeriSign) cannot be used to create users' certificates, because Active Directory only maps client certificates to user accounts when the issuing CA is published to the forest NTAuth store (see the trust relationship item below).
- Installed and operational Secure Email Gateway (SEG). For more information, see the VMware AirWatch Secure Email Gateway Guide, available as described under Accessing Other Documents.
- Windows Server 2003 or 2008 Standard with latest service packs and recommended updates from Microsoft (http://www.update.microsoft.com/).
- A device with an Exchange ActiveSync (EAS) profile and certificate from a domain enterprise certificate authority.
- A SEG that is configured as a member of the same domain as the enterprise certificate authority.
- Administrative permissions to be able to configure your enterprise:
  - Secure Email Gateway (SEG)
  - Active Directory (AD)
  - Exchange ActiveSync (EAS) server
- A certificate authority properly configured to issue certificates through AirWatch via MSCEP/NDES or DCOM.
- A trust relationship between the certificate authority (CA) providing the certificates and the directory services server. This entails exporting the root CA certificate to a .cer file and publishing it to the NTAuth store. At the command prompt, type the following commands and press ENTER after each:

    certutil -dspublish -f <filename> NTAuthCA
    certutil -enterprise -addstore NTAuth <filename>
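The two prerequisites that most often turn out to be unmet are the SEG's domain membership and the NTAuth publication just described. The following PowerShell is an added example (not code from the AirWatch guide) that checks both from the SEG server: it reads the forest NTAuth store with certutil and compares the thumbprints it finds against the exported CA certificate. The path C:\pki\CorpRootCA.cer is an assumed name; substitute the .cer file you exported.

```powershell
# Added example (not from the AirWatch guide). Run on the SEG server as a domain user
# after the certutil -dspublish step. Assumed path: C:\pki\CorpRootCA.cer.

function Test-SegDomainMembership {
    # The SEG must be a member of the same domain as the enterprise CA for Kerberos delegation to work.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
    }
}

function Test-NtAuthContainsCa {
    param([Parameter(Mandatory)][string]$CaCertPath)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
    # 'certutil -enterprise -store NTAuth' dumps every certificate in the forest NTAuth store, one
    # "Cert Hash(sha1): ..." line per certificate (older builds put spaces between the hex bytes).
    $dump = certutil -enterprise -store NTAuth 2>&1 | Out-String
    $published = [regex]::Matches($dump, 'Cert Hash\(sha1\):\s*([0-9a-fA-F][0-9a-fA-F ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
    [pscustomobject]@{
        CaSubject         = $ca.Subject
        CaThumbprint      = $ca.Thumbprint
        PublishedToNtAuth = ($published -contains $ca.Thumbprint)
        NtAuthCertCount   = @($published).Count
    }
}

Test-SegDomainMembership | Format-List
$result = Test-NtAuthContainsCa -CaCertPath 'C:\pki\CorpRootCA.cer'
$result | Format-List
if (-not $result.PublishedToNtAuth) {
    Write-Warning 'Issuing CA is not in NTAuth: Active Directory will not map device certificates to user accounts until it is.'
}
```

If PublishedToNtAuth is False immediately after running certutil -dspublish, wait for AD replication (or run the check against a domain controller) before assuming the publish failed.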

Communications Flow, EAS with SEG

This diagram highlights the communications flow for a device attempting to connect to the Exchange ActiveSync (EAS) server through the AirWatch Secure Email Gateway (SEG) using a certificate for authentication. A detailed account of this interaction is shown below in the legend.

Legend
1. The device contacts the SEG over SSL/TLS and presents a client certificate that contains the user's UPN and email address in the Subject Alternative Name (SAN) section of the certificate.
2. The SEG validates the certificate and maps it to the user's Active Directory account using the UPN in the SAN (Active Directory Client Certificate Authentication in IIS).
3. The SEG requests a Kerberos service ticket for the EAS service from the Active Directory server (KDC) on behalf of that user. Because the user never authenticated to the SEG with Kerberos, this requires constrained delegation with protocol transition (the "Use any authentication protocol" setting configured in Step 2).
4. The SEG sends the mail request to Exchange ActiveSync (EAS) together with the user's Kerberos service ticket.
5. EAS responds to the SEG with the mail information.
6. The SEG responds to the device with the mail information.

Implementation Methodology, EAS with SEG

Regardless of the enterprise infrastructure being used, the implementation methodology is basically the same. If you understand the methodology, have the technical expertise, and have a strong understanding of the hardware and software required, then it is much easier to configure and ensures the user has a seamless experience receiving their email.

Registering Target Service
Initially, you need to identify the service on the EAS server to which the SEG will delegate traffic. This is accomplished by creating the SPN (Service Principal Name).

Permitting the SEG Server for Kerberos Delegation to the EAS Server
By default, no infrastructure is permitted to grant access to other servers using Kerberos delegation. Therefore, administrators must first configure security settings on the directory server so that the SEG server can delegate access to the EAS server using HTTP (for EAS traffic). Specifically for Microsoft Active Directory infrastructure, this entails:
- Configuring AD to give permissions to SEG to impersonate a user.
- Enabling SEG to delegate HTTP EAS traffic to the EAS server.

Enabling EAS Server to Accept Kerberos Tickets
The EAS server requires Windows Authentication enabled in order to process the Kerberos ticket received from the SEG server.

Configuring the SEG Server for Certificate Authentication
Once the domain security settings have been adjusted, the SEG server must be configured for certificate authentication. In order for the SEG to authenticate the user's device that is assigned to a particular certificate, Internet Information Services (IIS) on the SEG server must be configured to accept that certificate. Specifically this is accomplished by:
- Setting up Active Directory to Authenticate
- Using the Configuration Editor to Set Up Email Authentication
- Setting Up Secure Socket Layer (SSL)
- Adjusting uploadReadAheadSize Memory Size

Enabling the SEG EAS Service Account to Begin Kerberos Delegation
Lastly, administrators must enable the SEG EAS Service account to start granting access to the EAS server through user impersonation. This effectively completes the setup and users may begin authenticating with certificates to receive their corporate mail. Administrators can complete this by:
- Verifying the identity of the SEG
- Configuring local security policy for SEG to act as part of the operating system
- Configuring local security policy for SEG to impersonate a client after authentication
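The Active Directory side of this methodology (registering the target SPN and permitting the SEG computer account to delegate to it, which Chapter 2 walks through in Steps 1 and 2 with the GUI) can also be done from PowerShell. The following is an added example, not code from the AirWatch guide. It assumes the ActiveDirectory RSAT module, a SEG computer account named SEG01, an alternate service account CASARRAY-ASA$ and an EAS target service name mail.corp.example (all assumed names), and must be run by a Domain Admin. It also shows the hardening step a practitioner should pair with protocol transition: marking privileged accounts as not delegable.

```powershell
# Added example (not from the AirWatch guide). Run as a Domain Admin on a host with the
# ActiveDirectory module (RSAT). Assumed names: SEG01, CASARRAY-ASA$, mail.corp.example.
Import-Module ActiveDirectory

function Register-EasTargetSpn {
    param(
        [Parameter(Mandatory)][string]$TargetServiceName,  # must equal the Exchange hostname in the SEG web.config
        [Parameter(Mandatory)][string]$AsaAccount          # sAMAccountName of the ASA; computer accounts end in $
    )
    $spn = "HTTP/$TargetServiceName"
    # A duplicate SPN breaks Kerberos for every account that holds it, so refuse to continue if another account has it.
    $existing = (setspn -Q $spn 2>&1 | Out-String)
    if ($existing -match 'Existing SPN found' -and $existing -notmatch [regex]::Escape($AsaAccount.TrimEnd('$'))) {
        throw "SPN $spn is already held by another account:`n$existing"
    }
    setspn -S $spn $AsaAccount | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $spn on $AsaAccount" }
    setspn -L $AsaAccount   # echo what the account now holds, as the guide's verification step does
}

function Set-SegConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$SegComputerName,    # SEG computer account, without trailing $
        [Parameter(Mandatory)][string[]]$TargetSpn          # e.g. HTTP/mail.corp.example
    )
    $seg = Get-ADComputer -Identity $SegComputerName
    # "Trust this computer for delegation to specified services only": the SEG may obtain service tickets
    # for users only to the SPNs listed in msDS-AllowedToDelegateTo, never to arbitrary services.
    Set-ADComputer -Identity $seg -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    # "Use any authentication protocol" = protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION).
    # Needed because the device proves its identity with a certificate, not a Kerberos ticket, so the
    # SEG must first request a ticket to itself on the user's behalf (S4U2Self) before delegating it
    # (S4U2Proxy). This also makes the SEG account a high-value target: keep the SPN list minimal.
    Set-ADAccountControl -Identity $seg -TrustedToAuthForDelegation $true
    Get-ADComputer -Identity $seg -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
        Select-Object Name, TrustedToAuthForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

function Protect-AccountFromDelegation {
    # Accounts the SEG must never be able to impersonate (Domain Admins, broadly privileged service
    # accounts) get "Account is sensitive and cannot be delegated"; the KDC then refuses S4U2Proxy for them.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($name in $SamAccountName) { Set-ADAccountControl -Identity $name -AccountNotDelegated $true }
}

Register-EasTargetSpn -TargetServiceName 'mail.corp.example' -AsaAccount 'CASARRAY-ASA$'
Set-SegConstrainedDelegation -SegComputerName 'SEG01' -TargetSpn 'HTTP/mail.corp.example'
Protect-AccountFromDelegation -SamAccountName 'Administrator'
```

The Delegation tab in the GUI usually registers both the short and fully qualified forms of the service; pass both to -TargetSpn if both are registered on the ASA. The ASA itself still has to be created and rolled to the CAS members with RollAlternateServiceAccountPassword.ps1 as described in Step 1.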


Chapter 2: Exchange ActiveSync with SEG Installation, Setup, and Configuration

Step 1: Register Target Service, EAS with SEG

In order for the SEG server to be able to delegate traffic to a specific service, you need to identify and register the service. The target service name must match the Exchange server hostname in the web.config file of the Web Listener folder on the SEG. The SETSPN command is used to register the service and can be executed on the AD server or the EAS server:

    SETSPN -s HTTP/<target service name> <target computer name>

If your environment has multiple Client Access Servers (CAS) or multiple Exchange ActiveSync (EAS) servers, then you must specify the domain name with the target computer name, for example {domain}\{asa_account} or {domain}\{exchangebox}, and an alternate service account (ASA) needs to be created to represent the Client Access Services so that every CAS member presents the same Kerberos identity.

Create an ASA Credential Type
You can create a computer account or a user account for the alternate service account. Because a computer account does not allow interactive logon, it may have simpler security policies than a user account and therefore is the preferred solution for the ASA credential. If you create a computer account, the password doesn't actually expire; however, AirWatch still recommends updating the password periodically. Local group policy can specify a maximum account age for computer accounts, and there might be scripts scheduled to periodically delete computer accounts that do not meet current policies. Periodically updating the password for computer accounts ensures that your computer accounts are not deleted for not meeting local policy. Your local security policy determines when the password needs to be changed.

Credential Name
There are no particular requirements for the name of the ASA credential. You can use any name that conforms to your naming scheme.

Groups and Roles
The ASA credential does not need special security privileges. If you are deploying a computer account for the ASA credential, the account only needs to be a member of the Domain Computers security group. If you are deploying a user account for the ASA credential, the account only needs to be a member of the Domain Users security group.

Password
The password you provide when you create the account is never actually used. Instead, the RollAlternateServiceAccountPassword.ps1 script resets the password. So when you create the account, you can use any password that conforms to your organization's password requirements.

All computers within the Client Access Services must share the same service account. In addition, any Client Access servers that may be called on in a datacenter activation scenario must also share the same service account.

1. Create the alternate service account (ASA) for the CAS in the domain by opening Active Directory Users and Computers and creating a new computer account. Type a name for the ASA, using CASARRAY-ASA as an example. Verify that the account has replicated to all Domain Controllers before proceeding.
2. Verify the CAS array's FQDN, since this name is used for the SPN that is attached to the ASA. To check the FQDN, run the following command in the Exchange Management Shell:

    Get-ClientAccessArray

3. Create the SPN using the setspn command (the trailing $ denotes a computer account):

    setspn -s http/<target service name> {ASA_ACCOUNT}$

4. Verify that all relevant SPNs have been assigned by running the following command:

    setspn -L {ASA_ACCOUNT}

5. To assign the ASA to the CAS servers, run the Alternate Service Account credential script RollAlternateServiceAccountPassword.ps1 in the Exchange Management Shell:

    .\RollAlternateServiceAccountPassword.ps1 -ToArrayMembers {CAS-FQDN} -GenerateNewPasswordFor {DOMAIN}\{ASA_ACCOUNT}$ -Verbose

6. You see a Success message when the script has completed running. To verify that the ASA credentials have been deployed properly, use the following command:

    Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | fl Name,*alter*

Next, you must Configure Delegation Settings on the SEG Server.

Step 2: Configure Delegation Settings on the SEG Server, EAS with SEG

In order for the Secure Email Gateway (SEG) to impersonate a user when authenticating on an Exchange ActiveSync (EAS) server, the SEG server must be given the appropriate permissions in the Active Directory (AD) server. You must also enable SEG to delegate HTTP EAS traffic to the EAS server.

Configure AD to Give Permissions to SEG to Impersonate a User
1. Select Active Directory Users and Computers on the AD server.
2. In the left-hand pane, select the folder where the SEG server is located (e.g., Computers). The available SEG servers display in the right-hand pane.
3. Right-click the SEG server name and then select Properties.

4. The Properties window for the SEG server displays. Click the Delegation tab.
5. Select Trust this computer for delegation to specified services only. This is constrained delegation: the SEG can obtain tickets on a user's behalf only for the services listed on this tab, never for arbitrary services.
6. Select Use any authentication protocol. This enables protocol transition, which is required because the device authenticates to the SEG with a certificate rather than with Kerberos. An account trusted for protocol transition can request tickets for any user to the listed services, so keep the list limited to the EAS HTTP service and mark highly privileged accounts as "Account is sensitive and cannot be delegated".
7. Click Add.

Enable SEG to delegate HTTP EAS traffic to the EAS server
1. Click Users or Computers on the Add Services window. The Select Users or Computers window displays.
2. Enter the name of the Exchange ActiveSync Server or ASA account (if applicable) and select OK. The Add Services window displays.
3. Select the http service registered in Step 1 under Available services and select OK. A list displaying http and your EAS server appears on the Delegation tab.
4. Click OK.

Next, you must Enable EAS Server to Accept Kerberos Tickets.

Step 3: Enable EAS Server to Accept Kerberos Tickets, EAS with SEG

Configure the EAS server to accept Kerberos tickets.
1. Open IIS Manager on the EAS server.
2. In the left-hand Connections pane, expand Sites and select Microsoft-Server-ActiveSync.

3. In the main pane, under IIS, select Authentication and enable Windows Authentication.

Next, you must Configure IIS for Certificate Authentication on the SEG.

Step 4: Configure IIS for Certificate Authentication on the SEG, EAS with SEG

In order for the SEG to authenticate the user's device that is assigned to a particular certificate, Internet Information Services (IIS) on the SEG server must be configured to accept that certificate.

Set up Active Directory to Authenticate
1. On the SEG server, launch Internet Information Services (IIS) Manager by selecting Start > Run.
2. Type inetmgr and select OK. The IIS Manager window appears.
3. In the left-hand Connections pane, select the SEG server.
4. In the main pane, under the IIS section, double-click the Authentication icon.

5. Select Active Directory Client Certificate Authentication. If this option is not available, the Client Certificate Mapping Authentication role service is missing; see Install the Role in IIS, EAS with SEG later in this document.
6. In the right-hand pane, select Enable.

Use the Configuration Editor to Set Up Email Authentication
1. Click + to expand the Sites folder.
2. Click + to expand the Default Web Site and display the email server application you want to configure.
   a. If the SEG is running Windows Server 2008 R2 or later, the Configuration Editor icon appears in the main pane. This icon does not appear in older versions of Windows Server. Select Microsoft-Server-ActiveSync, double-click the Configuration Editor icon, and proceed directly to step 3.

   b. If the SEG is running a version of Windows Server older than 2008 R2, you will need to be familiar with the use of appcmd.exe and run it from the command prompt.
   c. Open a command prompt by selecting Start > Run. In the dialog box type cmd and select OK. In the command prompt, type the following command (Default Web Site is the parent site of the Microsoft-Server-ActiveSync application; substitute the site name if it has been changed in IIS):

    %windir%\System32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"true" /commit:apphost

   If you performed this step, then skip the remaining steps and advance to Set Up Secure Socket Layer (SSL).
3. Navigate to system.webServer/security/authentication under Section.
4. Select clientCertificateMappingAuthentication.
5. Select True from the Enabled drop-down menu.

6. Click Apply.

Set Up Secure Socket Layer (SSL)
Client certificate authentication takes place inside the SSL/TLS handshake, so the Microsoft-Server-ActiveSync application on the SEG must be reachable over SSL. What depends on your authentication mix is whether IIS requires or merely accepts a client certificate: if only certificate authentication is allowed, client certificates must be Required; if other forms of authentication are also allowed, set client certificates to Accept so that devices without a certificate can still authenticate.

1. Select Microsoft-Server-ActiveSync, and then double-click SSL Settings.
2. Select Require SSL. Under Client certificates, select Require if only certificate authentication is allowed, or Accept if other types of authentication are also allowed.
3. Click Apply.

Adjust uploadReadAheadSize Memory Size
Certificate-based authentication sends a larger amount of data during the authentication process: when IIS negotiates the client certificate after a request has already started, it must buffer the whole request body before the SSL renegotiation, and a body larger than the buffer fails with HTTP 413. Some adjustments must therefore be made in the IIS configuration to account for the increased amount of data. This is accomplished by increasing the value of uploadReadAheadSize. The following steps guide you through the configuration:

1. Open a command prompt by selecting Start > Run.
2. Type cmd and select OK. A command prompt window appears.
3. Increase the value of uploadReadAheadSize from the default of 48 KB (49152 bytes) to 10 MB by entering the following commands:

    C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost
    C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost

   Default Web Site is used in the sample commands above. If the name of the site has been changed in IIS then the new name needs to replace Default Web Site in the second command.
4. Type the following command to reset IIS:

    iisreset

Lastly, you must Configure Delegation Rights on the SEG Service Account.

Step 5: Configure Delegation Rights on the SEG Service Account, EAS with SEG

In addition to configuring delegation rights on the SEG computer account, the service account attached to the SEG Application Pool must also be given the local rights it needs to impersonate users.

Verify the Identity of the SEG
1. Launch Internet Information Services (IIS) Manager by selecting Start > Run. In the dialog box type inetmgr and select OK. The IIS Manager window appears.
2. In the left-hand Connections pane, select the SEG server.
3. Click the Application Pools folder.
4. In the right-hand Application Pools pane, locate the SecureEmailGateway.

5. Under the Identity column, verify that the identity of the SecureEmailGateway application pool is Network Service.

Configure Local Security Policy for SEG to Act as Part of the Operating System
This right (SeTcbPrivilege) is one of the most powerful on a Windows host; grant it only to the application pool identity on the SEG server and to nothing else.
1. On the SEG server, open a command prompt by selecting Start > Run.
2. Type cmd and then select OK.
3. In the command prompt, type secpol.msc and press ENTER. The Local Security Policy window displays.
4. In the left-hand pane, select Security Settings > Local Policies > User Rights Assignment.
5. In the right-hand pane, under Policy, double-click Act as part of the operating system. A dialog window appears.
6. Click Add User or Group.
7. Type the name of the service account attached to the Application Pool. The name must be the same as the identity associated with the SEG application pool (i.e., Network Service).
8. Click OK. The Local Security Policy window displays.

Configure Local Security Policy for SEG to Impersonate a Client after Authentication
1. In the right-hand pane, under Policy, double-click Impersonate a client after authentication.
2. The service account attached to the Application Pool must be the same as the identity associated with the SEG application pool (i.e., Network Service). Verify that this name displays in the list. If not, do the following:
   a. Click Add User or Group.
   b. Add the name of the service account.
3. Select the service account in the list (i.e., Network Service).
4. Click OK.
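The SEG-side IIS work in Step 4 (enabling Active Directory Client Certificate Authentication, the SSL settings, and uploadReadAheadSize) together with the identity check from Step 5 can be scripted and, more importantly, read back for verification. The following PowerShell is an added example, not code from the AirWatch guide; it uses the WebAdministration module and writes to applicationHost.config exactly as the appcmd /commit:apphost commands above do. It assumes the ActiveSync application is Microsoft-Server-ActiveSync under Default Web Site and that the application pool is named SecureEmailGateway, as the guide describes. The User Rights Assignments of Step 5 have no WebAdministration equivalent and remain a secpol.msc task.

```powershell
# Added example (not from the AirWatch guide). Run as an administrator on the SEG server.
# Assumed: the ActiveSync application is "Microsoft-Server-ActiveSync" under "Default Web Site".
Import-Module ServerManager
Import-Module WebAdministration

function Set-SegIisCertificateAuth {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$AppName  = 'Microsoft-Server-ActiveSync',
        [switch]$CertificateOnly,                 # set when no other authentication method is allowed
        [int]$UploadReadAheadBytes = 10485760     # 10 MB as the guide recommends; IIS default is 49152
    )
    $apphost  = 'MACHINE/WEBROOT/APPHOST'        # same target as appcmd /commit:apphost
    $location = "$SiteName/$AppName"

    # "Active Directory Client Certificate Authentication" only appears once this role service is installed
    # (the GUI equivalent is the Install the Role in IIS section).
    if (-not (Get-WindowsFeature -Name Web-Cert-Auth).Installed) { Add-WindowsFeature -Name Web-Cert-Auth | Out-Null }

    $certMap = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
    Set-WebConfigurationProperty -PSPath $apphost -Filter $certMap -Name enabled -Value $true                       # server level
    Set-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $certMap -Name enabled -Value $true   # ActiveSync app

    # SSL Settings: "Require SSL" = Ssl; client certificates Required = SslRequireCert, Accept = SslNegotiateCert.
    $sslFlags = if ($CertificateOnly) { 'Ssl,SslRequireCert' } else { 'Ssl,SslNegotiateCert' }
    Set-WebConfigurationProperty -PSPath $apphost -Location $location -Filter 'system.webServer/security/access' -Name sslFlags -Value $sslFlags

    # The client certificate is negotiated after the request has begun, so IIS must buffer the whole body first;
    # bodies larger than uploadReadAheadSize fail with HTTP 413. Raise it server-wide and on the site.
    Set-WebConfigurationProperty -PSPath $apphost -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize -Value $UploadReadAheadBytes
    Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize -Value $UploadReadAheadBytes

    iisreset | Out-Null

    # Read the effective values back so the change is verified rather than assumed.
    [pscustomobject]@{
        ClientCertMappingEnabled = (Get-WebConfiguration -PSPath $apphost -Location $location -Filter $certMap).enabled
        SslFlags                 = (Get-WebConfiguration -PSPath $apphost -Location $location -Filter 'system.webServer/security/access').sslFlags
        UploadReadAheadSize      = (Get-WebConfiguration -PSPath $apphost -Location $SiteName -Filter 'system.webServer/serverRuntime').uploadReadAheadSize
        AppPoolIdentity          = (Get-ItemProperty 'IIS:\AppPools\SecureEmailGateway' -Name processModel).identityType
    }
}

Set-SegIisCertificateAuth -CertificateOnly | Format-List
```

Omit -CertificateOnly when devices may also authenticate with other methods; that produces the Accept setting described in the SSL step. AppPoolIdentity should read NetworkService, matching the account you grant the two local rights to in Step 5.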


Chapter 3: Testing and Troubleshooting

Troubleshooting Overview, EAS with SEG

You can confirm that the SEG is performing certificate authentication by pushing a user's profile to the device and testing whether or not the device is able to connect and sync with the configured SEG endpoint. If the device does not connect and displays a message that the certificate cannot be authenticated or the account cannot connect to EAS, then the problem is related to the configuration.

Troubleshooting Checks
- If the Exchange server returns a 401, add NTLM and Negotiate as providers to Windows Authentication on the Microsoft-Server-ActiveSync application.
- Make sure that a certificate is being issued by the CA to the device by checking the following information. Go to the internal CA server, launch the Certification Authority application, and browse to the Issued Certificates section. Find the last certificate that was issued; its subject should match the subject defined in the certificate template. If there is no certificate then there is an issue with the CA, the client access server (e.g., SCEP), or with the AirWatch connection to the client access server.
  - Check that the permissions of the client access server (e.g., SCEP) Admin Account are applied correctly to the CA and to the template on the CA.
  - Check that the account information is entered correctly in the AirWatch configuration.
  - Verify that the Server URL and the SCEP Challenge URL contain the correct information and end with a /.

  - Launch a browser and enter the SCEP Challenge URL. The website should prompt you for credentials. After entering the SCEP Admin Account username and password, it should return the challenge passphrase.
- If the certificate is being issued, make sure that it is in the Profile Payload and on the device. Navigate to Devices > Profiles > List View. Click the action icon for the device and select </> View XML to view the profile XML. The certificate appears as a large section of text in the payload. On the device, go to the profiles list, select Details and see if the certificate is present.
- Confirm that the certificate contains the Subject Alternative Name (SAN) section and that in that section there is an Email and a Principal Name with the appropriate data. If this section is not in the certificate then either the template is incorrect or the certificate authority has not been configured to accept SAN. Refer to Step 4: Configure IIS for Certificate Authentication on the SEG, EAS with SEG.
- Confirm that the certificate contains Client Authentication in the Enhanced Key Usage section. If this is not present, then the template is not configured correctly.
- If the certificate is on the device and contains the correct information, then the problem is most likely with the security settings on the SEG server. Confirm that the address of the SEG server is correct in the AirWatch profile and that all the security settings have been adjusted to allow certificate authentication on the SEG server.
- A very good test to run is to manually configure a single device to connect to the SEG/EAS server using certificate authentication. This should work outside of AirWatch, and until this works properly, AirWatch will not be able to configure a device to connect to EAS with a certificate. Refer to the External References and Documents section for a link to a step-by-step guide for configuring a device to connect to EAS using a certificate.
- If none of the steps above resolve the problem, try authenticating independent of AirWatch. This is done by eliminating AirWatch (e.g., the SEG) and using only a certificate to authenticate the device directly to EAS. If this doesn't work then there are other problems occurring. Until those problems are resolved, you will not be able to use the SEG to handle certificate authentication.
- If you cannot authenticate, verify the clocks on the SEG and the Kerberos KDC (the domain controller). Kerberos produces a ticket for the SEG to authenticate the user on the mail server, and the timestamp on that ticket must be no more than five minutes apart from the SEG's clock. Verify that the SEG and the domain controller are within five minutes of each other. You also might want to consider the use of Network Time Protocol daemons to keep all clocks synchronized.
- If you cannot authenticate, evaluate your network. If you only have one Kerberos server (domain controller) configured, it is possible the server is not operational. Without it, no one can log in. To stop this from occurring, you might consider using multiple Kerberos servers and fallback authentication mechanisms.
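Three of the checks above (SAN and Enhanced Key Usage content of the device certificate, clock skew against the KDC, and the Windows Authentication providers behind a 401 from Exchange) can be automated. The following PowerShell is an added example, not code from the AirWatch guide. It assumes a device certificate exported to C:\temp\device.cer and a domain controller named DC01 (both assumed names); the certificate and clock functions run on the SEG, and the providers function runs on the Exchange CAS.

```powershell
# Added example (not from the AirWatch guide). Assumed names: C:\temp\device.cer, DC01.
# Test-EasClientCertificate and Get-KdcClockOffsetSeconds run on the SEG;
# Test-EasWindowsAuthProviders runs on the Exchange CAS (needs WebAdministration).
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Test-EasClientCertificate {
    # Checks what the SEG needs from the device certificate: UPN and email in the SAN, Client
    # Authentication in the EKU, and current validity. SAN parsing relies on the Windows CryptoAPI
    # text format ("Other Name:Principal Name=..., RFC822 Name=...").
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }    # Subject Alternative Name
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }    # Enhanced Key Usage
    $clientAuth = $false
    if ($eku) { $clientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }) }
    $now = Get-Date
    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        HasUpnInSan      = ($sanText -match 'Principal Name=')
        HasEmailInSan    = ($sanText -match 'RFC822 Name=')
        HasClientAuthEku = $clientAuth
        CurrentlyValid   = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        San              = $sanText
    }
}

function Get-KdcClockOffsetSeconds {
    # Kerberos tolerates 5 minutes of skew by default; beyond that the SEG's ticket requests fail.
    # w32tm /stripchart prints one sample per line as "HH:mm:ss, +00.0123456s".
    param([Parameter(Mandatory)][string]$DomainController, [int]$Samples = 3)
    $out = w32tm /stripchart /computer:$DomainController /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $out) { if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }
    if (-not $offsets) { throw "No time samples from $DomainController :`n$($out -join "`n")" }
    ($offsets | Measure-Object -Average).Average
}

function Test-EasWindowsAuthProviders {
    # For the "Exchange returns 401" check: Windows Authentication must be enabled and offer Negotiate
    # (Kerberos) on the ActiveSync application, otherwise the SEG's delegated ticket is never accepted.
    param([string]$Location = 'Default Web Site/Microsoft-Server-ActiveSync')
    $apphost = 'MACHINE/WEBROOT/APPHOST'
    $winAuth = Get-WebConfiguration -PSPath $apphost -Location $Location -Filter 'system.webServer/security/authentication/windowsAuthentication'
    $providers = @(Get-WebConfiguration -PSPath $apphost -Location $Location -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add' |
        ForEach-Object { $_.value })
    [pscustomobject]@{
        WindowsAuthEnabled = $winAuth.enabled
        Providers          = ($providers -join ', ')
        HasNegotiate       = ($providers -contains 'Negotiate')
        HasNtlm            = ($providers -contains 'NTLM')
    }
}

Test-EasClientCertificate -CertPath 'C:\temp\device.cer' | Format-List
$skew = Get-KdcClockOffsetSeconds -DomainController 'DC01'
if ([math]::Abs($skew) -gt 300) { Write-Warning "Clock skew to DC01 is $skew s; Kerberos allows 300 s" }
else { "Clock skew to DC01: $skew s (within tolerance)" }
Test-EasWindowsAuthProviders | Format-List
```

A certificate that reports HasUpnInSan or HasClientAuthEku as False points at the certificate template, not at the SEG; a skew above 300 seconds or a provider list without Negotiate points at the Kerberos path described in the checks above.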

Additional SETSPN Commands, EAS with SEG

View the SPNs registered to an account:
    SETSPN -L <computername>

Add an SPN (fails if the SPN already exists anywhere in the domain):
    SETSPN -S <service>/<targetname> <computername>

Remove an SPN:
    SETSPN -D <service>/<targetname> <computername>

Query for an existing SPN (reports which account holds it):
    SETSPN -Q <service>/<targetname>

Check for duplicate SPNs in the domain (add -F to search the entire forest):
    SETSPN -X

Install the Role in IIS, EAS with SEG

Windows Server 2008 or Windows Server 2008 R2
1. On the taskbar, select Start, point to Administrative Tools, and then select Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then select Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then select Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication, and then select Next.
5. On the Confirm Installation Selections page, select Install.
6. On the Results page, select Close.

Windows Server 2012 or Windows Server 2012 R2
1. On the taskbar, select Server Manager.
2. In Server Manager, select the Manage menu, and then select Add Roles and Features.
3. In the Add Roles and Features wizard, select Next. Select the installation type and select Next. Select the destination server and select Next.
4. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Client Certificate Mapping Authentication. Select Next.
5. On the Select features page, select Next.
6. On the Confirm installation selections page, select Install.
7. On the Results page, select Close.

Accessing Other Documents

While reading this documentation you may encounter references to documents that are not included here. The quickest and easiest way to find a particular document is to navigate to https://my.airwatch.com/help/9.2/en/content/release_notes/doc_list_pdfs.htm and search for the document you need. Each release-specific document has a link to its PDF copy on AirWatch Resources. Alternatively, you can navigate to AirWatch Resources on myAirWatch (resources.air-watch.com) and search. When searching for documentation on Resources, be sure to select your AirWatch version. You can use the filters to sort by PDF file type and For VMware AirWatch.