Securing Exchange ActiveSync with Client Certificates: LAN Access

Certificates are not only a recurring theme on this site, they are also a recurring pain point from what I hear. Getting them working is just downright confusing sometimes. With this in mind I thought I'd walk us through a scenario where you want to secure your Exchange ActiveSync deployment with the use of client certificates.

OK, I said a scenario, but it might be more correct to say a couple of scenarios, because there are a couple of design choices you can make. But let's set the stage before we proceed: why are we even discussing certificates in the first place? What are they good for? Let's be honest, you will save yourself a lot of work and hassle if you go for the good old username/password combo. But by using certificates you can achieve other goals which might not be met the same way without taking the route of yet more complex configurations:

- Security
- User friendliness

Yes, these are normally two conflicting goals, I know. Security can be beefed up with certificates as a means of adding an extra factor to the authentication process, as something you need in addition to a password. User friendliness can be improved by removing the need for users to type in complex passwords every couple of weeks on their mobile device.

With that in mind, let's see what we can do to get this train rolling. Oh, yes, one more word of advice: since we are dealing with mobile devices, do not hit the implement switch before you have checked whether there are any devices that are not able to handle it.
Windows Mobile devices are OK, iPhones are OK, possibly Symbian too. I don't know about Android; it would be specific to the ActiveSync client used, since one isn't provided by the OS. Feature phones, also known colloquially as dumbphones, are probably out of the loop.

I assume that you have already installed an Exchange Server with the Client Access Server role functioning before following along here. I am using Exchange Server 2010 RTM on Windows Server 2008 R2, and Forefront TMG 2010. Exchange 2007 might be slightly different on some points, but pretty similar. Which OS you're running matters because part of the functionality is provided by the OS, so if you're running a different Windows Server version than I do on my servers some of the details may differ.

We'll start out enabling client certificate authentication directly on the Exchange server, assuming for the sake of the test that all mobile devices connect via the LAN. In the Exchange Management Console go to Server Configuration > Client Access > Exchange ActiveSync. Your properties might look like the first screenshot; you'll want to switch this to "Require client certificates", as in the second. Note that we have unchecked Basic authentication as well. As it says in the dialog box, you need to configure SSL itself through the IIS manager. Often when I test and debug in my lab I disable SSL and run it through plain HTTP. This will not work if you want to use client certificates: the client certificate is presented inside the SSL handshake, so there is nothing to authenticate over plain HTTP, and you should require SSL. If you haven't messed around with this setting, the defaults after installing Exchange already require SSL.
Actually you could change the client certificate requirement in IIS too. And as long as we have the IIS console open, how about we configure the certificate mapping at the same time? Mapping, what, you say? While having a certificate is a nice thing in itself, how does Exchange verify that your certificate is good? If someone presented you with a handwritten post-it note with a doodled self-portrait and "driver's license" written along the top, would you trust it? Wouldn't you rather have the laminated, or credit card, version, with some official-looking logos and stamps? We need to define where Exchange should perform the lookup for verifying that your certificate is good, and this we call mapping the certificate. Rather than explain the process in detail I'll refer you to the IIS configuration reference for clientCertificateMappingAuthentication for the necessary steps. Short version: install the Client Certificate Mapping Authentication role service, and enable it to have Exchange use Active Directory as the source for certificate verification. Note what "good" means here: the AD mapping finds the user by the UPN in the certificate's Subject Alternative Name, and the issuing CA must be one the domain trusts for logon (published to the NTAuth store), so a certificate from an arbitrary CA is rejected even if it is otherwise valid and unexpired.

Since we haven't gotten to the part of enrolling certificates on devices yet, you can use my ActiveSync emulator if you'd like to test at this point (the download is on the mobilitydojo site). If all is good you should be able to run a Basic Connectivity Test even without specifying a password. You need to provide the username, as that's used for other purposes behind the scenes. The certificate I'm using is one I have enrolled through AD directly to the Personal store on my development box, and exported to a file without a private key.

Now, back to that Basic authentication bit again. I said there might be different scenarios to choose from, and technically you don't have to uncheck the box like I did. You have three possible combinations of client certificates and Basic authentication:

- Basic authentication enabled, ignore/accept client certificates. This is the default. Will let you synchronize as long as you provide a valid username and password; a certificate adds nothing here.
- Basic authentication disabled, require client certificate. Will let you synchronize as long as you provide a valid certificate; the user you sync as is whoever the certificate maps to in AD.
- Basic authentication enabled, require client certificate. Will let you synchronize provided you supply both a valid certificate and a username/password combo.

You can test out all combos with a device and/or my utility, but I'm getting differing results testing in a browser, which is not the recommended way to test EAS anyway. Pick your poison as to whether you'd like to use a real device or my utility, but at this point it's easier to ignore real devices and get back to those later. What this means is that whether you enable or disable Basic authentication, in addition to requiring certificates of course, dictates whether you require one or two factors for authenticating the users. You'll see a 4xx status from the server when what you supply doesn't meet the requirement.

I guess we're doing fine so far, aren't we? But so far we have concerned ourselves with the easy part of the equation. Play around with the settings and see if you can make it work, and in the next installment I'll have a crack at making it all work from outside your LAN.
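The whole LAN-side procedure above (the EMC dialog, the IIS role service, AD certificate mapping and the SSL requirement) can be scripted, which also makes it easy to verify that Exchange and IIS agree on what is enforced. The following is an added example of mine, not code from the original post or from Microsoft; it assumes the Exchange Management Shell and the WebAdministration and ServerManager modules of Windows Server 2008 R2 are loaded, and the server name CAS01 is a hypothetical placeholder.

```powershell
# Added example (not from the original post): PowerShell equivalent of the EMC/IIS
# clicks described above, run on the Client Access Server.
# Assumptions: Exchange 2010 Management Shell, Windows Server 2008 R2, CAS named CAS01 (hypothetical).
Import-Module ServerManager
Import-Module WebAdministration

$cas    = 'CAS01'                                   # hypothetical server name
$site   = 'Default Web Site'
$vdir   = "$cas\Microsoft-Server-ActiveSync ($site)" # Exchange identity of the EAS vdir
$iisLoc = "$site/Microsoft-Server-ActiveSync"        # same vdir as IIS sees it
$appHost = 'MACHINE/WEBROOT/APPHOST'

# 1. Role service that lets IIS map a presented client certificate to an AD account
#    ("Client Certificate Mapping Authentication", not the IIS-store variant Web-Cert-Auth).
Add-WindowsFeature Web-Client-Auth

# 2. What the EMC dialog does: require client certs on the EAS virtual directory.
#    Use -BasicAuthEnabled $true instead to get the two-factor (cert + password) combination.
Set-ActiveSyncVirtualDirectory -Identity $vdir -ClientCertAuth Required -BasicAuthEnabled $false

# 3. Enable AD certificate mapping for the EAS vdir only. The section is locked at server
#    level, so it is written as a <location> entry in applicationHost.config.
Set-WebConfigurationProperty -PSPath $appHost -Location $iisLoc `
    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
    -Name enabled -Value $true

# 4. Require SSL and require (not merely accept) a client certificate in the handshake.
#    Without SslRequireCert a device that sends no certificate still gets through to Basic auth.
Set-WebConfigurationProperty -PSPath $appHost -Location $iisLoc `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 5. Verify both views: what Exchange believes, and what IIS will actually enforce.
Get-ActiveSyncVirtualDirectory -Identity $vdir | Format-List ClientCertAuth, BasicAuthEnabled
(Get-WebConfigurationProperty -PSPath $appHost -Location $iisLoc `
    -Filter 'system.webServer/security/access' -Name sslFlags).ToString()
(Get-WebConfigurationProperty -PSPath $appHost -Location $iisLoc `
    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
    -Name enabled).Value
```

Run step 5 after any change made through the EMC as well; the Exchange cmdlet and the IIS settings are two different stores, and a mismatch between them (for example ClientCertAuth Required in Exchange but sslFlags without SslRequireCert in IIS) is exactly the kind of thing that produces the confusing results mentioned above.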
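To see the three combinations in the list above behave differently without a real device, it helps to drive the endpoint the way an ActiveSync client does, with an OPTIONS request to /Microsoft-Server-ActiveSync, rather than with a browser. The function below is an added example written for this post, not the author's emulator and not part of any product; the server name, account and certificate thumbprint are hypothetical placeholders, and the password is passed in clear only because this is a lab probe.

```powershell
# Added example (not from the original post): probe the EAS endpoint with any mix of
# client certificate and Basic credentials and report the HTTP status the server gives.
# Hypothetical placeholders: cas01.contoso.local, CONTOSO\alice, the thumbprint value.
function Test-EasAuth {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [string]$Thumbprint,   # client cert in Cert:\CurrentUser\My; omit to present none
        [string]$User,         # DOMAIN\user; omit to send no Authorization header
        [string]$Password
    )
    $req = [System.Net.HttpWebRequest]::Create("https://$Server/Microsoft-Server-ActiveSync")
    $req.Method    = 'OPTIONS'
    $req.UserAgent = 'Test-EasAuth/1.0'

    if ($Thumbprint) {
        # The certificate must have its private key, otherwise the TLS client-auth step cannot sign.
        $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $cert -or -not $cert.HasPrivateKey) {
            throw "No certificate with a private key found for thumbprint $Thumbprint"
        }
        [void]$req.ClientCertificates.Add($cert)
    }
    if ($User) {
        $pair = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${User}:${Password}"))
        $req.Headers['Authorization'] = "Basic $pair"
    }

    try {
        $resp = $req.GetResponse()
        # A successful OPTIONS answers with the supported protocol versions, which is how you
        # know you were authenticated, not just connected.
        $versions = $resp.Headers['MS-ASProtocolVersions']
        $status   = [int]$resp.StatusCode
        $resp.Close()
        return "$status (MS-ASProtocolVersions: $versions)"
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # 401 = credentials rejected/missing, 403 = IIS demanded a cert it did not get
            return [int]$_.Exception.Response.StatusCode
        }
        # No HTTP response at all: typically the TLS handshake was aborted
        return "no response: $($_.Exception.Message)"
    }
}

# The three rows of the combination list, against one server (placeholders, not real values):
$srv   = 'cas01.contoso.local'
$thumb = '0000000000000000000000000000000000000000'   # replace with the enrolled user cert's thumbprint
Test-EasAuth -Server $srv -User 'CONTOSO\alice' -Password 'lab-only-password'               # password only
Test-EasAuth -Server $srv -Thumbprint $thumb                                                # certificate only
Test-EasAuth -Server $srv -Thumbprint $thumb -User 'CONTOSO\alice' -Password 'lab-only-password'  # both
```

Run the three calls against each of the three server configurations and note the status each returns; in the certificate-only row the mailbox you end up in is the account the certificate's UPN maps to, regardless of which username you might type elsewhere, which is the point of the mapping step described above.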