Juniper Secure Access Gateway: allowing ActiveSync for mobile devices

The full article:

http://www.juniper.net/techpubs/en_US/sa7.2/topics/task/operational/secure-access-handheld-pdas-activesync-enabling.html

Enabling ActiveSync For Handheld Devices

Using ActiveSync, you can synchronize data between a Windows-based desktop computer and handheld devices. The Secure Access Service can be used as a reverse proxy to allow users to synchronize their data without installing an additional client application, such as WSAM, on their handheld devices. More than 1000 concurrent connections are supported on an SA 6500.

Please note the following:

  • Supports Windows Mobile 5.0 and 6.0 only.
  • Supports Exchange Server 2003, 2007 and 2010.
  • ActiveSync does not use up concurrent user licenses, even when configured with certificate authentication.
  • Both NTLM & Basic Auth on the Exchange server are supported.
  • Both HTTP and HTTPS between the Secure Access Service and Exchange server are supported.
  • If the Secure Access Service is used for OWA & ActiveSync, the hostnames for OWA access and ActiveSync must be different.
  • Direct Push is supported with ActiveSync; however, you must set HTTPServerTimeout to 20 minutes or less. Direct Push is a feature built into Exchange Server 2007.
  • ActiveSync does not work through a back-end web proxy.
  • VIP sourcing settings are ignored for ActiveSync sessions. ActiveSync traffic from the Secure Access Service to a backend server is always sent with the Internal Port’s source IP address.

To configure the Secure Access Service as a reverse proxy for use with ActiveSync:

  1. In the admin console, choose Authentication > Signing In > Sign-in Policies.
  2. To create a new authorization only access policy, click New URL and select authorization only access. Or, to edit an existing policy, click a URL in the Virtual Hostname column.
  3. In the Virtual Hostname field, enter the name that maps to the Secure Access Service IP address. The name must be unique among all virtual host names used in pass-through proxy’s hostname mode. The hostname is used to access the Exchange server entered in the Backend URL field. Do not include the protocol (for example, http:) in this field.

    For example, if the virtual hostname is myapp.ivehostname.com, and the backend URL is http://www.xyz.com:8080/, a request to https://myapp.ivehostname.com/test1 via the Secure Access Service is converted to a request to http://www.xyz.com:8080/test1. The response of the converted request is sent to the original requesting web browser.

  4. In the Backend URL field, enter the URL for the Exchange server. You must specify the protocol, hostname and port of the server. For example, http://www.mydomain.com:8080/*.

    When requests match the hostname in the Virtual Hostname field, the request is transformed to the URL specified in the Backend URL field. The client is directed to the backend URL unaware of the redirect.

  5. Enter a Description for this policy (optional).
  6. Select the server name or No Authorization from the Authorization Server drop-down menu. If you select a server, ensure that the front-end server provides the SMSESSION cookie; otherwise you will receive an error.
  7. Select a user role from the Role Option drop-down menu.

    Only the following user role options are applicable for ActiveSync.

    • HTTP Connection Timeout (Users > User Roles > RoleName > Web > Options > View advanced options)
    • Allow browsing un-trusted SSL websites (Users > User Roles > RoleName > Web > Options > View advanced options)
    • Source IP restrictions (Users > User Roles > RoleName > General > Restrictions)
    • Browser restrictions (Users > User Roles > RoleName > General > Restrictions)

    Ensure the user role you select has an associated Web Access policy.

  8. Select the Allow ActiveSync Traffic only option to perform a basic validation of the HTTP header to ensure the request is consistent with the ActiveSync protocol. If you select this option, only ActiveSync protocol requests can be processed. If validation fails, a message is created in the user’s event log. If you do not select this option, both ActiveSync and non-ActiveSync requests are processed.
  9. Click Save Changes.
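To make the behaviour of steps 3, 4 and 8 and the constraints in the notes above concrete, here is an added Python model of an authorization-only access policy. It is not Juniper's code and does not talk to a Secure Access Service; it reproduces the hostname-to-backend URL rewrite with the page's own example values (myapp.ivehostname.com, http://www.xyz.com:8080/, http://www.mydomain.com:8080/*), models the "Allow ActiveSync Traffic only" filter, and lints a set of policies against the listed rules (unique virtual hostname, no protocol in the hostname, protocol/hostname/port in the backend URL, OWA and ActiveSync hostnames different, timeout of 20 minutes or less when Direct Push is used). The page does not say what the ActiveSync header validation checks, so the criteria in `looks_like_activesync` (the /Microsoft-Server-ActiveSync path, OPTIONS for discovery, POST with an MS-ASProtocolVersion header) are an assumption, and the hostnames owa.example.com and mail.example.com are constructed.

```python
# Added example (not Juniper's code): a model of an "authorization only access"
# policy as described in steps 2-8, plus a checker for the constraints listed
# under "Please note the following". Hostnames/URLs are the page's examples or
# constructed; the ActiveSync validation criteria are an assumption, since the
# page only says "basic validation of the HTTP header".
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Path every Exchange ActiveSync request targets (assumed check, see lead-in).
EAS_PATH = "/Microsoft-Server-ActiveSync"


@dataclass
class AuthzOnlyPolicy:
    virtual_hostname: str           # step 3: hostname only, no "http:" prefix
    backend_url: str                # step 4: protocol, hostname and port required
    activesync_only: bool = False   # step 8: "Allow ActiveSync Traffic only"
    http_timeout_minutes: int = 20  # role option: HTTP Connection Timeout


def rewrite_request(policy: AuthzOnlyPolicy, request_url: str):
    """Steps 3/4: map https://<virtual hostname>/path to <backend URL>/path.

    Returns None when the request hostname does not match the policy, i.e.
    when this policy would not handle the request at all.
    """
    req = urlsplit(request_url)
    if (req.hostname or "").lower() != policy.virtual_hostname.lower():
        return None
    backend = urlsplit(policy.backend_url.rstrip("*"))
    # Join the backend base path and the client's path without doubling "/".
    path = backend.path.rstrip("/") + req.path
    return urlunsplit((backend.scheme, backend.netloc, path, req.query, ""))


def looks_like_activesync(method: str, path: str, headers: dict) -> bool:
    """Step 8 model: accept only requests shaped like Exchange ActiveSync.

    Assumed criteria: the ActiveSync virtual directory path, OPTIONS for
    protocol discovery, otherwise POST carrying the MS-ASProtocolVersion header.
    """
    if not path.startswith(EAS_PATH):
        return False
    if method.upper() == "OPTIONS":
        return True
    if method.upper() != "POST":
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    return "ms-asprotocolversion" in lowered


def handle(policy: AuthzOnlyPolicy, method: str, request_url: str, headers: dict):
    """Combine the hostname match with the optional ActiveSync-only filter."""
    target = rewrite_request(policy, request_url)
    if target is None:
        return None, "no policy matches virtual hostname"
    path = urlsplit(request_url).path
    if policy.activesync_only and not looks_like_activesync(method, path, headers):
        return None, "rejected: not an ActiveSync request (logged to user event log)"
    return target, "forwarded"


def check_policies(policies, owa_hostname=None, direct_push=False):
    """Report violations of the constraints the page lists (one string each)."""
    problems = []
    names = [p.virtual_hostname.lower() for p in policies]
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"{name}: virtual hostname is not unique")
    for p in policies:
        vh = p.virtual_hostname
        if "://" in vh or vh.lower().startswith("http:"):
            problems.append(f"{vh}: virtual hostname must not include the protocol")
        if owa_hostname and vh.lower() == owa_hostname.lower():
            problems.append(f"{vh}: OWA and ActiveSync hostnames must be different")
        b = urlsplit(p.backend_url)
        if b.scheme not in ("http", "https") or not b.hostname or b.port is None:
            problems.append(f"{vh}: backend URL must specify protocol, hostname and port")
        if direct_push and p.http_timeout_minutes > 20:
            problems.append(f"{vh}: Direct Push needs an HTTP timeout of 20 minutes or less")
    return problems


if __name__ == "__main__":
    policy = AuthzOnlyPolicy("myapp.ivehostname.com", "http://www.xyz.com:8080/",
                             activesync_only=True)
    print(handle(policy, "POST",
                 "https://myapp.ivehostname.com/Microsoft-Server-ActiveSync?Cmd=Sync",
                 {"MS-ASProtocolVersion": "14.1"}))
    print(handle(policy, "GET", "https://myapp.ivehostname.com/owa/", {}))
    print(check_policies([policy], owa_hostname="myapp.ivehostname.com", direct_push=True))
```

Running the block forwards the ActiveSync POST to the backend, rejects the plain GET because the ActiveSync-only option is set, and reports the OWA hostname clash; with the `direct_push` flag it also flags any role whose HTTP Connection Timeout exceeds 20 minutes.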

The System Status Overview page displays the number of current active concurrent connections and a histogram of the active concurrent connections (Authorization Only Access Active Connections plot in the Concurrent SSL Connections graph).

To enable certificate authentication for handheld devices such as an iPhone, see Client Certificate Validation on the External and Virtual Ports.