Category Archives: ActiveSync

Book Review: Citrix XenMobile Mobile Device Management by Akash Phoenix

ActiveSync, Client Access, Netscaler, Security, Xenmobile

I reviewed the book, Citrix XenMobile Mobile Device Management by Akash Phoenix, published by PACKT Publishing. The book is about one of the hot issues in the world of IT, BYOD and/or Mobile Device Management.  The appropriate audience for this book would be Director level’s, or Engineers who are brand new to XenMobile.  Engineers that are looking for a much deeper 300 level, technical deep dive will most likely be disappointed with the material however, as it serves as an introduction and 1,000 foot view of what Citrix XenMobile product can do. 

The book starts out with a good explanation of the different components that make of XenMobile, which frankly can be difficult to understand and grasp their function.  The book better explains in a concise, business fashion which components are required based on business needs than most of Citrix’s own materials do.

The author does a good job of explaining and walking through the basic installation, and also does a good job of explaining App Controller, which is generally a difficult topic to grasp for admins. I would have liked to see more info on the session policies for AppController with Netscaler but, the book is clearly a higher level overview versus the nitty gritty details.

Overall, Akash does a great job of explaining what XenMobile does, the components that make up the XenMobile solution, and how your individual business needs will drive your implementation design and requirements. It also does a good job of explaining the flexibility that XenMobile gives you, as well as an understanding of the overall capabilities of the system. For technical deep dives on each topic however, you may need to augment it with outside resources to get the complete picture.

 

Here is a link to the book so you can purchase it directly from Packt:

http://www.packtpub.com/citrix-xenmobile-mobile-device-management/book 

And here is a link to some of the XenMobile resources on the site:

http://port25guy.com/tag/xenmobile-2/

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 4

ActiveSync, Blackberry, Client Access, Exchange 2010, Exchange 2013, Hosting, Netscaler, Security, Xenmobile

See the previous posts in the series:

Part 1

Part 2

Part 3

 

In this post, we will configure the XenMobile Netscaler Connector and configure the Netscaler itself to query the Netscaler Connector on ActiveSync Connections. 

Lets download the Netscaler Connector from http://www.citrix.com/downloads/xenmobile/product-software/xenmobile-86-mdm-edition.html

image_thumb1

Copy the installer to PHDC-XENNC01.  We need to ensure that we have Net Framework 3.5 installed before we install Netscaler Connector.  But once that is done, lets begin the install.

This is a very simple, next, next finish install:

image_thumb3

Next, lets run the XenMobile Connector Configuration:

On the Web Service Tab, select HTTP and leave it as the default port of 9080

image_thumb51

Next, go to the Config Providers tab and click add.  Fill out the information for your Device Manager Server:

image_thumb7

Leave everything else default and click save.

Next navigate to the Path Filters tab. Select the only path there, and select edit.

Change the policy to be Static + mobile.accessabacus.com : Block Mode

image_thumb10

What this does is tell the system that it will check local rules on the Netscaler Connector, then the Device Manager.  If neither of those rules apply, it will deny the connection. 

After you have made your changes, start up services.msc and manually start these three services:

image_thumb12

Next, we configure the Netscaler to check in with the Netscaler Connector during ActiveSync connections.

Log into the Netscaler and go to Service Groups.  Select Add.  Name it NETSCALER-CONNECTOR

Add in your netscaler connector IP and set the Port to 9080, and protocol HTTP

image_thumb17

Next go to Virtual Servers and click add to create a new one.

Name it NETSCALER-CONNECTOR, select the protocol as HTTP.  Also uncheck “Directory Addressable” which will clear the IP address and port.  This is completely expected.

Add the service group you created to the server:

image_thumb191

 

Next go to AppExpert->HTTP Callouts->Add

Create the name as active_sync_filter.  Set the virtual server to the NETSCALER CONNECTOR server you created earlier.

image_thumb241

Click on Configure Request Attributes:

Method –> get

Host Expression – > “callout.asfilter.internal”

URL Stem Expression-> “/services/ActiveSync/Authorize”

 

user-> HTTP.REQ.HEADER(“authorization”).AFTER_STR(“Basic”).B64DECODE.BEFORE_STR(“:”).HTTP_URL_SAFE

agent –> HTTP.REQ.HEADER(“user-agent”).HTTP_URL_SAFE

ip –> CLIENT.IP.SRC

url –> (“https://”+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE

resultType->”json”

 

image_thumb31

image_thumb331

Under Server Response:

Return Type –> Text

Expression to extract data from the response –>HTTP.RES.BODY(20)

image_thumb35

Now, create a second callout called active_sync_filter_deviceid.  Create everything identical to the callout active_sync_filter, except under Parameters, add one additional

DeviceId-> HTTP.REQ.URL.QUERY.VALUE(“DeviceID”)

Next go to Responder->Policies->Add

Create a new policy named active_sync_filter

Select Action = Drop

Expression equals below:

 

HTTP.REQ.URL.QUERY.CONTAINS("DeviceId") && HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(active_sync_filter).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT

image_thumb38

Create a second policy named active_sync_filter_deviceid

Again, set the Action = Drop

Expression equals below:

HTTP.REQ.URL.QUERY.CONTAINS("DeviceId") && HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(active_sync_filter_deviceid).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT 

 

image_thumb40

Okay, hang in there, we are almost done.  Now, we need to find our Exchange Load Balancer server in the Netscaler.

Navigate to the Policy tab, select Responder.  Add the policies so that active_sync_filter_deviceid is lower number priority than active_sync_filter

image_thumb42

Okay, that’s enough for now.  Next time we will configure Device Manager to deny certain devices based on set criteria and test it out!

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 3

ActiveSync, Client Access, Exchange 2010, Exchange 2013, Netscaler, Xenmobile

See the previous posts in the series:

Part 1

Part 2

Part 4

In the last article, we installed Device Manager.  Now we will configure basic policies and settings.  Log into your instance by going to http://servername/zdm

image_thumb84

You will get treated to a “Getting Started with Device Manager” screen which will allow you build the basic policies.

Select that you are not using App Controller:

image_thumb86

Leave the Base Package as the name:

image_thumb88

Select the Passcode bubble to add to the policy, then configure the passcode you want to configure:

image_thumb90

Select Yes, enroll in corporate credentials:

image_thumb92

This will bring you to the LDAP directory screen:

image_thumb94

Configure your active directory connection.  Ensure to enter a user account that can read from the directory, it only needs to be a Domain User:

image_thumb97

Select Next, accept the defaults for the LDAP attributes import:

image_thumb100

At the groups to add, you need to select two groups.  One that can be admins of the XenMobile Device Manager server. And the other that can enroll their devices.  We will use Domain Admins to Administrator, and Domain Users to users:

image_thumb102

Select Next and then Finish.  The Test Enrollment Screen will show you how you can test from mobile devices:

image_thumb105

Click Next->Next-> Go to Device Manager.

Now, we need to configure the Netscaler to present the Device Manager server to the internet as mobile.accessabacus.com.

Log into your Netscaler and go to Traffic Management->Load Balancing->Service Groups

Click Add.  Give a name for the service group, for example XENMOBILE-DEVICEMANAGER-443.  Choose Protocol as SSL Bridge.  Add PHDC-XENDM01 to the members, and select Port 443

image_thumb108

Save the group.  Make sure to do the same thing for port 8443:

image_thumb111

Finally, create one for HTTP as the protocol on port 80:

image_thumb114

Next go to Virtual Servers and click Add:

Create a name for the virtual server, and select Protocol as SSL Bridge, and the Port as 443.  Assign it an IP address.  On the service groups tab, select the service group you created above:

image_thumb130

Do the same thing for port 8443:

image_thumb126

Finally create the virtual server for HTTP and select the HTTP protocol and service group

image_thumb132

Next, point your DNS to the IP address you assigned the load balancer and see if you can resolve the web page.  Remember, you need ports 80, 443 and 8443 open from the external world to the Device Manager Server.

In the next article, we will install XenMobile Netscaler Connector and attach it to the XenMobile Device Manager.

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 2

ActiveSync, Exchange 2010, Exchange 2013, Netscaler, Xenmobile

See other articles in the series:

Part 1

Part 3

In the first article, we went over the basic architecture.  Now we are going to go about installing XenMobile Device Manager on our PHDC-XENDM01 server.

First, lets go to www.citrix.com and download the needed software:

http://www.citrix.com/downloads/xenmobile/product-software/xenmobile-86-mdm-edition.html

image_thumb4

Besides that, we also need to install Java on the server.  At the time of this writing, I used Java version 7 Update 51:

image_thumb5

We also need to download a specific Java policy, Java Cryptography Extension Unlimited Strength from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Once, we have the software, lets log into PHDC-XENDM01, which is running Windows Server 2012 STD.

First, lets disable IPV6 on the server.  Run the following command from powershell:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters -Name DisabledComponents -PropertyType DWord -Value 0xffffffff

Also, run msconfig and disable UAC:

image_thumb71

After, reboot the server.

Once it comes back up, it’s time to install Java.  This is a simple, next, next finish install:

image_thumb11

Next, we need to go into UnlimitedJCEPolicy folder.  We need to copy the two files local_policy.jar and US_Export_policy.jar:

image_thumb13

To the following two locations:

C:\Program Files\Java\jdk1.7.0_51\jre\lib

C:\Program Files\Java\jre7\lib

If you don’t complete the above steps, you will get an error when you launch the Device Manager console, and iOS devices will not be able to register.

Next, lets get SQL ready.  We need to open SQL Management Studio on PHDC-SQL01.  Navigate to Security->Logins->New Login

image_thumb15

Make sure you create the login as SQL Server authentication.  We will use the login name xenmobile and set the password to whatever you like.  Next click the server roles tab, and we will select sysadmin.  Make sure that this security is allowed in your environment before making this setup.

image_thumb171

Before we start the install of Device Manager, if we are registering iOS devices, we need to request a certificate from Apple for an APNS certificate.  We then need to submit that request to XenMobile helpdesk for them to sign the request before completing the request with apple.

On a server with IIS installed (not the XenMobile Device Manager server, as IIS will break Device Manager), we need to create a certificate request for our Device Manager namespace, which in our case is mobile.accessabacus.com .  Open IIS Manager and click on Server Certificates:

image_thumb19

Then click on create Certificate Request, and fill out the certificate.  Ensure the common name is the one that devices will be hitting to register with Device Manager.  Again ours is mobile.accessabacus.com

image_thumb22

Select Next, and on Cryptographic Service Provider Properties, change the Bit Length to 2048:

image_thumb24

Select next, and save the request to your c drive:

image_thumb26

Next create an email to support@zenprise.com and request to have the certificate signed, ensure to attach the request you created above.  You will receive an email back with the signed request.

Take the file you get back, and log into https://identity.apple.com/pushcert.  If you don’t have a developer ID, create one, its free.

Click Create a Certificate:

image_thumb28

Accept the agreement, and upload the signed request file.  You can then download your complete certificate request:

image_thumb30

Now, log back into the same server where you created the certificate request and go back to IIS->Server Certificates.  Now click on Complete Server Certificate, and select the file you downloaded from the Apple website.  Give it a friendly name so you can easily identify it.  In my case I’ll call it iOS MDM.

image_thumb33

Next, open up MMC on the same server you completed the certificate request on. Click on File->Add/Remove Snap in, select certificates and add it, select local computer:

image_thumb351

Navigate to Certificates->Personal->Certificates.  Select the iOS MDM you created before, right click and select all tasks, export:

image_thumb37

Ensure you select Yes Export the private key:

image_thumb39

It will ask you to password protect the file, ensure you remember it as you will need it when you install Device Manager.

image_thumb401

Select a file name and save the file:

image_thumb421

Okay, we are FINALLY ready to install Device Manager.

Copy the PFX file you exported to PHDC-XENDM01.  Then, lets run the XenMobileDeviceManager Installer.

Select Next until you get to the component screen.  Unselect Database Server.  This will allow us to use Microsoft SQL and not the Postgres SQL that comes with Device Manager:

image_thumb45

Select the default install path and click next, let the installer begin.  It will ask you for the license file for the install, browse to it and select the file.  You can request free trials from Citrix as well:

image_thumb47

Next brings you to Configure Database Connection.  Select SQL Server/jTDS.  Fill out the info:

 

image_thumb52

The user name should be the user we created in SQL before.  The database name can be anything you want.  the installer will realize its missing and ask if you want to create it when you select Check the connection:

image_thumb54

Click create, and then next.

Leave this screen blank, and select next:

image_thumb56

Select next at the Configure iOS usage screen:

image_thumb58

Then click on next through all the IP configuration:

image_thumb60

image_thumb62

image_thumb64

Next we will come to the Define the Root Certification Authority.  This will create a self signed certificate store.  Enter a keystore password to create, to the same for the next three screens:

image_thumb66

image_thumb68

image_thumb71[1]

For the last one, define a certificate for HTTPS, you need to add the FQDN that users are connecting to this server on.  In our case, its mobile.accessabacus.com:

image_thumb73

**If after you want to replace this certificate with your own, complete the install and then follow my article here: http://port25guy.com/2013/11/18/import-a-3rd-party-certificate-into-xenmobile/**

Next page, browse to the PFX file that holds your Apple APNS certificate, and enter the password you used to protect it:

image_thumb75

Select next, leave the default port for Remote Support tunnels:

image_thumb77

Next, select the default admin username and password:

image_thumb80

Click Next, and then finish.

Next time, we will go over configuring the XenMobile Device Manager Server and publishing it using the Netscaler.

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 1

ActiveSync, Exchange 2010, Exchange 2013, Xenmobile

Read other articles in the series:

Part 2

Part 3

Citrix XenMobile is a Mobile Device Management software that allows you to control ActiveSync devices at the corporate level.  While many people assume this means pushing email profiles to the device and controlling ActiveSync access, it is in fact much more than that.  You have the ability to control and push applications to the devices, security on the devices among many other things.  That being said, there can be a lot of complexity and moving parts to get the solution working.  I thought it would be good, for my own sanity, but also for others to see the steps to set up a real world example.  I’ll do it in the style of a business case so we can outlay what the business requirements are, how the architecture looks, and then go about installing and configuring the necessary items.

Requirements:

There are several goals for the SOA Corporation that they want to achieve out of this Mobile Device Management implementation.

  1. Restrict unmanaged devices from being able to connect to the Exchange environment using ActiveSync.
  2. Force all devices, employee owned or not, to first be registered with XenMobile before they are allowed to receive corporate resources such as ActiveSync profiles and applications.
  3. Management wants to be able to wipe just the corporate data off of the devices and leave the rest of the employee owned device alone.
  4. Management would like to minimize the helpdesk from having to manually allow devices for users.

 

Existing Architecture:

The existing Exchange architecture is simple for this case.  We have a single, multi-role Exchange  server sitting in our datacenter.  We also are utilizing Citrix Netscalers to publish Exchange resources to the internet.  Users access ActiveSync currently by using the namespace mobilemail.accessabacus.com.

XenMobile---Part-1_thumb5

Now, after we implement the XenMobile Solution, are architecture will look like the following:

XenMobile---Part-1_thumb9

Now, there are a couple things to note.  First off, I stink at Visio, so I did the best that I could.  After our installation though, we will have the following servers:

  1. PHDC-SOAEXC1 – Exchange Multi Role Server
  2. PHDC-XENDM01 – XenMobile Device Manager Server
  3. PHDC-XENNC01 – XenMobile Netscaler Connector Server
  4. PHDC-XENMM01 – XenMobile Mail Manager Server
  5. PHDC-SQL01 – SQL Server to host the XenMobile Device Manager and XenMobile Mail Manager Databases

 

The external namespaces will be:

  1. Mobilemail.accessabacus.com – Exchange ActiveSync URL
  2. Mobile.accessabacus.com – XenMobile Device Registration Site

 

What Does Each Component Do?

XenMobile Device Manager Server

This is the “brains” of the XenMobile operation.  It is the management server where you device policies, manage user devices and have visibility into the environment.  This server hosts the Mobile.accessabacus.com web page, and is where we need to point our mobile devices at in order to register them with XenMobile.

XenMobile Netscaler Connector

This server runs a service that will be responsible for “intercepting” Exchange ActiveSync requests from end user devices.  It does this via HTTP callouts in the Netscaler (which we will explain and discuss later in the article).  When it intercepts, it will then ask the XenMobile Device Manager server about the device in question.  Based on the policies in place, the Device Manager server will tell the Netscaler Connector whether the ActiveSync device should be allowed or not.  If it shouldn’t be allowed, it will tell the Netscaler to drop the connection and the users device will get a “cannot connect to error” message.  If it should be allowed, the Netscaler Connector tells the Netscaler to allow the device to connect to the Exchange Server as normal.  Think of Netscaler Connector has a network level firewall for Exchange ActiveSync.

XenMobile Mail Manager

This server runs a service that interrogates Exchange through remote PowerShell.  It allows XenMobile to see all devices that have Exchange ActiveSync connections, regardless of if they are managed by XenMobile or not.  It essentially is running the Get-ActiveSyncDevice command for every mailbox in the environment and reporting back to XenMobile Device Manager. It also though will get updates from Device Manager about whether a device should be allowed or not.  For instance, a user device connects to ActiveSync, then violates a company rule, say removing the passcode from their device.  XenMobile Device Manager will realize this, and send a command to Mail Manager.  Mail Manager will then, using PowerShell, apply an Exchange ActiveSync block on this particular device for the user, stopping it from connecting to ActiveSync.  Just how the Netscaler Connector is a network level firewall for Exchange ActiveSync, think of Mail Manager as an application level firewall for Exchange ActiveSync.

Mail Manager also works with Exchange’s Quarantine functionality.  This means that you set Exchange to quarantine every new device that starts an ActiveSync relationship.  Usually, an admin needs to go in and manually allow each device.  In XenMobile, if that user registers their device with XenMobile Device Manager, Device Manager will then send a command to Mail Manager to create an ActiveSync allow rule for that user, automating the entire process!

As of this writing though, Mail Manager does not yet support Exchange 2013 so you need to point it to a server running the Exchange Management Tools for Exchange 2010.  Just an FYI.

Well, that is the basic architecture and overall goal of the project.  Next, we will jump into install XenMobile Device Manager.

Import a 3rd Party Certificate Into XenMobile

ActiveSync, Blackberry, Xenmobile

To replace the default certificate that comes with XenMobile with a 3rd party one, from say Digicert, there are a couple of steps that you need to take.  None of these are hard, but are not well documented anywhere.  First you need to have a PFX file that has your root CA, intermediate CA and regular certificate included in it.  It should also be protected by a password.  The easy way to create this is to use an existing windows server that has the certificate installed.  Open of the Certificate snapin and browse to the local computer.

The following was done with XenMobile 8.6 but also applies to XenMobile 8.5.  It was also done with a wildcard certificate but the process should be the same for a SAN or regular certificate.

 

Navigate to Personal->Certificates.  As you can see I have the following certificate that I want to export:

 

first 

Click on the Details tab, and select copy to file

second to last

Select Yes, export the private key

image

 

Select the option to Include all certificates in the certification path if possible

image

Enter in a password to secure the file, and finally export:

image

Copy that file to the XenMobile Device Manager Server.  In our example we will copy it to a folder on the C drive called ExternalSSL.  Rename the extension to be p12 instead of pfx:

image

Next, to make your life easy, download the certificate utility from Digicert at https://www.digicert.com/util/.  When you run it you’ll get the following screen, and select Import in the upper right:

image

Browse to, and select the certificate we copied over earlier:

image

Next you need to enter the same password you put in when you exported the certificate above:

image

Enter a friendly name for the certificate.  This is simply so you can better label it:

 

digit

Select Finish, and you should get a message that the import was successful:

image

 

Now on the device manager server, navigate to the tomcat directory, which if your on an x64 server is the following path:

C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat

We have to edit two files.  The first one is C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm\WEB-INF\classes\pki.xml

Open the file in WordPad.  At the bottom of the file, but before the </beans> section paste the following info:

<bean id=”externalSslCert” class=”com.sparus.nps.pki.def.KeyStoreParams”

p:keyStoreType=”PKCS12″

p:keyStorePath=“C:\ExternalSSL\xenmobile.p12”

p:entryAlias=””

p:keyStorePass=“password”

p:publiclyTrusted=”true”

/>

Note the highlighted sections.  The first is the path to the certificate file, the next is the password from when we exported it. 

Save and close the file.

The next file we are going to edit is C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\server.xml

Again open the file in wordpad. 

Find the following section, and replace the highlighted section to match the same as above

<Connector
            port=”443″
            maxHttpHeaderSize=”8192″
            maxThreads=”400″
            enableLookups=”false”
            redirectPort=”-1″
            acceptCount=”100″
            connectionTimeout=”30000″
            disableUploadTimeout=”true”
            maxKeepAliveRequests=”-1″
            protocol=”org.apache.coyote.http11.Http11NioProtocol”
            scheme=”https”
            secure=”true”

            clientAuth=”want”
            SSLEnabled=”true”
            truststoreFile=”C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\cacerts.pem.jks”
            truststoreType=”JKS”
            truststorePass=”notMeaningFul”
            keystoreFile=”C:\ExternalSSL\xenmobile.p12″
            keystorePass=”password”
            keystoreType=”PKCS12″
            ciphers=”TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384″

        />

 

Still in server.xml, do the same with the following section:

<Connector
            port=”8443″
            maxHttpHeaderSize=”8192″
            maxThreads=”20″
            enableLookups=”false”
            redirectPort=”-1″
            acceptCount=”100″
            connectionTimeout=”30000″
            disableUploadTimeout=”true”
            maxKeepAliveRequests=”-1″
            protocol=”org.apache.coyote.http11.Http11NioProtocol”
            scheme=”https”
            secure=”true”

            clientAuth=”false”
            SSLEnabled=”true”
            truststoreFile=”C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\conf\cacerts.pem.jks”
            truststoreType=”JKS”
            truststorePass=”notMeaningFul”
           keystoreFile=”C:\ExternalSSL\xenmobile.p12″
            keystorePass=”password”

            keystoreType=”PKCS12″
            ciphers=”TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384″

        />

Save and close the file.

Now, restart the XenMobile Device Manager service:

image

After browse to https://localhost/zdm on the Device Manager and you should be able to validate that your certificate was installed.  Note that the tomcat service does spend some time with heavy CPU after a restart and it may be a minute or two until the page comes up:

image

Now all thats left is to publish it in DNS!

(UPDATED) How to Get a Report of Active Sync Devices in Exchange 2010/Exchange 2013

ActiveSync, Exchange 2010, Exchange 2013, Scripting

***UPDATE***

 

There was a lot of feedback from people who wanted extra items and fields added in so I edited the original script.  It will now also include the users Primary SMTP Address, LastSyncAttemptTime, and LastSyncSuccessTime.  Also edited it for environments with over a thousand mailboxes. Below is the updated script code:

The new output will look like this:

image

image

 

Ever had the need to get a nice report of all active sync devices in your Exchange organization?  Well then I have the script for you!

This script will get through all active sync devices, and match them up with their respective owners.  It will also output the Device Type, Device Model, and most importantly the Device OS.

Why is this important?  As some of you remember shortly back, there was an issue with Apple iOS devices causing excessive logging on Exchange Mailbox servers.  As part of the way to fix that you could block or quarantine those devices.  You most likely want to be able to see who you are blocking though, so you you know who your going to annoy and warn them preemptively.

The script requires 4 parameters to run, and should be run from an Exchange Management Shell:

  1. SMTPServer = SMTP server as the report will send you a copy of the report
  2. SMTPFrom = The FROM address of the email
  3. SMTPTo = The recipient of the email
  4. ExportPath = The folder location where you want the CSV export of the report. 

For example, to send the report to admin@port25guy.com using the SMTP server relay.port25guy.com, have the from address be reports@port25guy.com and export the CSV to C:\Reports:

Get-ActiveSyncReport.ps1 –exportpath C:\Reports –smtpserver relay.port25guy.com –smtpfrom reports@port25guy.com –smtpto admin@port25guy.com

After running that, if we check the C:\reports folder we should have a nice CSV export:

image

And a nice email report in your inbox:

 

image

You can download the script from the link below, just rename the file to extension .ps1

Here is the ***UPDATED** script block as well:

 

### BEGINNING OF SCRIPT

#####
#
# Get-ActiveSyncDeviceReport
# Author: Paul Ponzeka
# Website: port25guy.com
# email ponzekap2 at gmail dot com
#
######
param(
    [Parameter(Mandatory = $true)]
    [string] $SMTPServer = “”,
    [Parameter(Mandatory = $true)]
    [string] $SMTPFrom = “”,
    [Parameter(Mandatory = $true)]
    [string] $SMTPTo = “”,
    [Parameter(Mandatory = $true)]
    [string] $exportpath = “”
    )

#######
#
# HTML Formatting Section
# Thanks to Paul Cunningham at http://exchangeserverpro.com/
#
#######
#
#
#
######
$style = “<style>BODY{font-family: Arial; font-size: 10pt;}”
$style = $style + “TABLE{border: 1px solid black; border-collapse: collapse;}”
$style = $style + “TH{border: 1px solid black; background: #dddddd; padding: 5px; }”
$style = $style + “TD{border: 1px solid black; padding: 5px; }”
$style = $style + “</style>”

$messageSubject = “ActiveSync Device Report”

$message = New-Object System.Net.Mail.MailMessage $smtpfrom, $smtpto
$message.Subject = $messageSubject
$message.IsBodyHTML = $true

####  Get Mailbox

$EASDevices = “”
$AllEASDevices = @()

$EASDevices = “”| select ‘User’,’PrimarySMTPAddress’,’DeviceType’,’DeviceModel’,’DeviceOS’, ‘LastSyncAttemptTime’,’LastSuccessSync’
$EasMailboxes = Get-Mailbox -ResultSize unlimited
foreach ($EASUser in $EasMailboxes) {
$EASDevices.user = $EASUser.displayname
$EASDevices.PrimarySMTPAddress = $EASUser.PrimarySMTPAddress.tostring()
    foreach ($EASUserDevices in Get-ActiveSyncDevice -Mailbox $EasUser.alias) {
    $EASDeviceStatistics = $EASUserDevices | Get-ActiveSyncDeviceStatistics
    $EASDevices.devicetype = $EASUserDevices.devicetype
    $EASDevices.devicemodel = $EASUserDevices.devicemodel
    $EASDevices.deviceos = $EASUserDevices.deviceos
    $EASDevices.lastsyncattempttime = $EASDeviceStatistics.lastsyncattempttime
    $EASDevices.lastsuccesssync = $EASDeviceStatistics.lastsuccesssync
    $AllEASDevices += $EASDevices | select user,primarysmtpaddress,devicetype,devicemodel,deviceos,lastsyncattempttime,lastsuccesssync
    }
    }
$AllEASDevices = $AllEASDevices | sort user
$AllEASDevices
$AllEASDevices | Export-Csv $exportpath\ActiveSyncReport.csv

######
#
# Send Email Report
#
########

$message.Body = $AllEasDevices | ConvertTo-Html -Head $style

$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($message)

##END OF SCRIPT

Also, special thanks to Paul Cunningham at http://exchangeserverpro.com.  He wrote the HTML formatting section in the script that makes this look nice and pretty, versus my junky plain text (http://exchangeserverpro.com/powershell-html-email-formatting).  If you haven’t check out Paul’s site you should, he has great information on there. 

Hope you find the script helpful!

Users Are Unable to Use Activesync After Migration from Exchange 2007 to Exchange 2010

ActiveSync, exchange 2007, Exchange 2010, Threat Management Gateway

 

At a recent customer, we ran into an issue where a set of users were migrated from Exchange 2007 to Exchange 2010.  All of the users activesync worked without issue, but one user was unable to connect.  No matter what we tried, he would get”unable to connect to server” on his phone.  We checked the activesync logs, would see an initial connection but then nothing else.

Checking the event logs of one of the CAS servers, we found error event ID 1053: “Exchange Activesync doesn’t have sufficient permissions to create the container under Active Directory User”Untitled

So I opened Active Directory Users and Computers, selected View-Advanced Features:

image

Then I opened the user account, went to to the security tab->;Advanced:

23

Here, the “Include inheritable permissions from this objects parent” was UNCHECKED:

admin

I checked this box, hit apply, and boom active sync started working. Since this account was not a domain admin and just a standard user account, this was unexpected.

Migrating Exchange 2007 ActiveSync to Exchange 2010. And why your Android may work but your Apple iphone / ipad may not.

ActiveSync, Client Access, exchange 2007, Exchange 2010, Security

 

When doing a migration from Exchange 2007 to Exchange 2010, one of the biggest item’s you need to watch out for is the migration of the ActiveSync environment, and be aware of how it can affect your end users.  You should also be aware of potential issues depending on the TYPE of active sync device you are using, as some will work, and other’s will have issues.

First we’ll start with the migration.  Our current Exchange 2007 ActiveSync environment is as follows:

Exchange07as

Here, we have one internet facing site, the NY site.  There is a DNS record for the CAS server in NY, activesync.company.com that points to the IP of the CAS server on the internet.  We have set the –externalurl to activesync.company.com and the –internalurl to newyork2007.company.local.  Note that newyork2007 is the NETBIOS name of the CAS server in NY.  We set both of these values with the following command:

Set-ActiveSyncVirtualDirectory –Identity “newyork2007Microsoft-Server-ActiveSync” –InternalURL newyork2007.company.local –ExternalURL activesync.company.local

In London, we have set the InternalURL attribute to the local name of the server, but leave the ExternalURL attribute blank.  We do not populate the ExternalURL attribute because London is not accessible directly from the internet. 

Setting the –internalurl attribute updates the SCP in active directory, so that any system that query’s AD itself, will be able to return the internal URL the user should access.  For instance, in our above scenario, LON07 the user configures his active sync device from the internet.  He put’s in activesync.company.com as the server address, which is the external DNS name of the NY CAS server.  The NY CAS server, as part of the Active Sync process, query’s Active Directory for the home mailbox of LON07, and then determines which site LON07 is in.  Since LON07 is not in the same site as the NY CAS, the NY CAS then returns the value for ExternalURL.  If we had entered a value here, such as lonactivesync.company.com, the users device would be redirected to it (as long as the device supported auto discovery, more on that later), and the user would connect, as long as that was configured properly.  In our case, since there isn’t, the NY CAS uses the InternalURL entry to determine what address the NY CAS should use to proxy on behalf of the LON07 user.  Essentially the NY CAS connects to the London CAS, and returns the Active Sync info to the users device, all seamless to the LON07 user.

Now, we start to introduce Exchange 2010 to the equation.  Microsoft’s high level recommendation is to create a new namespace, called legacy.company.com and have this entry point to the 07 CAS, and slide the 2010 CAS into the existing activesync.company.com namespace.   See the below diagram:

Exchange2010as

So we would need to reconfigure the –ExternalURL and –InternalURL attributes of the NY 07 CAS servers, as well as the NY 2010 CAS servers.  They can all be done by changing the values of the command listed earlier in this article.  The logic here is the same as 07-07 proxy.  If the NYC07 user enters in activesync.company.com into his/hers server address on their ActiveSync device, the 2010 CAS server will query AD, and determine that he is a 2010 user, but in the same AD site.  It will then query to see if an ExternalURL setting is populated, in which case ours is.  That users device, if it supports activesync, will automatically be redirected to legacy.company.com and their profile loaded, all seamless to the end user.

If LON07 enters in activesync.company.com the NY 2010 CAS server query’s Active Directory, finds his mailbox is in another site, and checks to see if there is an ExternalURL entry.  Since their isn’t, like before, it proxies the connection to the London 07 CAS server, all seamless to the end user. 

Now, this is all great, but what happens if your device does not support auto discovery?  Some active sync devices don’t work properly with auto discovery, and in that case, Microsoft recommends that you manually change their profile to point to legacy.company.com.  Maybe not even that, but for security purposes you don’t allow external devices to use auto discover to determine the settings.  In this case, you again have to manually point those devices to legacy.company.com  If you have any significant number of users, this can be insanely time consuming. 

Let me show you an example.  I had configured everything as it was in the above diagram.  I was configuring his active sync on an Apple iPad, a device that supports activesync.  Problem was, his account wasn’t working.  The following log file was taken from the NY 2010 CAS server for the NYC07 user, they are located at c:inetpublogsLogFilesW3SVC1:

 

Sep. 2801 15.56 Here, we can see that the NY 2010 CAS server is telling the device that it has the wrong URL, and is redirecting it to legacy.company.com.  This is because the device has advertised that it can do auto discover.  In our example, since auto discover is disabled, or because the device doesn’t handle auto discover properly, the user was getting a connection to server error on the iPad.

Now, with NO changes, let’s try configuring the same user, but not using the iPAD, but using Touchdown for the Android.  Now, all work’s without issue, here is the log files:

 

Sep. 2802 15.56

In this case, the configuration worked without issue.  Notice how it also says PrxTo:newyork07.company.local.  This is because since Touchdown did not advertise to Exchange that it could do auto discovery, Exchange knew it would have to proxy the connection back to the NY 07 CAS server to allow this to complete successfully.

The funny thing is, if we were to configure LON07 on the iPAD it would work fine.  Why?  Because since the London 07 CAS server does NOT have a value for ExternalURL, Exchange knows it HAS to proxy to London 07 CAS for all London users.

So, we want the same behavior for the NY users on 07.  To do so, we simply need to clear the ExternalURLvalue on the NY 07 CAS server.  We would do so with the following command:

Set-ActiveSyncVirtualDirectory –Identity “newyork2007Microsoft-Server-ActiveSync” –InternalURL newyork2007.company.local –ExternalURL $null

This would wipe out the ExternalURL value.  The downside to this, is that auto discover for this URL would not be included, so if you used Outlook Anywhere, or other devices to connect using Auto discover, it would cause issues.  If you didn’t though, for instance you disable auto discover, this fixes all your issues.  Now when you try to connect NYC07’s mailbox to the iPad, since there is no ExternalURL entry for the NY 07 CAS server, the NY 2010 CAS server is forced to proxy:

 

Sep. 2803 15.56

Now, all existing 07 users will continue to have access to their mailbox’s via active sync and will not need any changes when their mailbox’s are moved to 2010.

How to Lock Down Activesync Users to Specific Device in Exchange 2010 or Exchange 2007

ActiveSync, Client Access, exchange 2007, Exchange 2010

 

With the recent release of the Apple iPad, the new iPhone, not to mention the numerous Google Android phones available, there has been a dramatic increase in interest in using Exchange ActiveSync along with Exchange Server 2010 or Exchange Server 2007. 

Along with using these devices, comes certain questions regarding security.  One of those topics, covered by this post, is how to restrict end users to a specific ActiveSync device.  Some ActiveSync devices do not support certain features, that Exchange Admins may want to ensure don’t connect to their systems.

For this example, we’ll run the Get-ActiveSyncDeviceStatistics –Mailbox pponzeka command to determine the DeviceID of the users current ActiveSync device:

 

Jun. 2310 08.55

Note the DeviceID listed, 413030303030313542354533744.  This is akin to a serial number for this particular active sync device, its unique per device.  We can lock down this use, so that he can only use THIS device to connect to his mailbox via activesync.

To do so, we simple run the command Set-CasMailbox pponzeka –ActiveSyncAllowedDeviceIDs number1,number2

Jun. 2314 09.16

If we had multiple devices, you would just list both numbers separated by a comma.

If you ever want to remove the restriction, simply enter the null value:

Set-CasMailbox pponzeka –ActiveSyncAllowedDeviceIDs:$null

image

This will set this users mailbox back to the default of allowing all activesync device’s to connect!