PERSPECTIVES. State of the Art. Mobile Single Sign-On to Microsoft Exchange with OWA and ActiveSync


This document describes a secure single sign-on (SSO) solution for accessing Microsoft Exchange on tablets and smartphones. It is based on Evidian Web Access Manager.

White Paper, June 2014

Protecting Microsoft Exchange in a Cloud Environment

An e-mail system such as Microsoft Exchange is one of the most critical resources of any business, so access to it must be protected. This matters all the more because most web applications now use e-mail to transmit or reset passwords: an inadequately protected e-mail system becomes a weak link in the whole information system.

To protect and simplify access to web applications, single sign-on (SSO) solutions are growing in popularity. After an initial sign-on (password, smart card, OTP token), the user accesses all the applications for which he or she has rights, without having to know the passwords of the applications themselves.

How can Microsoft Exchange be easily integrated into an SSO access security system? In practice, there are obstacles to overcome:
- Web access to Microsoft Exchange is not natively compatible with most modern strong authentication mechanisms.
- Microsoft Exchange web access requires the Windows password, which the user may not know.

The IT department must therefore ensure that the corporate web authentication system can effectively protect Microsoft Outlook.

What are Microsoft Outlook Web App and Microsoft ActiveSync?

Microsoft supplies two main solutions to access Microsoft Exchange from outside the Windows ecosystem. One allows a mailbox to be consulted via a web browser; the other connects a native mail reader directly to the Microsoft Exchange server.

Microsoft Outlook Web App (OWA) is the web interface used to access Microsoft Exchange mailboxes. The ergonomics differ according to the browser, e.g. Internet Explorer (which supports ActiveX) versus Firefox or Chrome (which do not support ActiveX).

Microsoft ActiveSync is the protocol that enables a Microsoft Exchange mailbox to be synchronized on a mobile phone or another mobile device, such as a tablet. This protocol is based on OWA and IIS (Microsoft Internet Information Services); it uses a subset of the HTTP protocol.

Organizations using Microsoft Exchange must generally activate both solutions at the same time in order to cover the various uses of their employees.

What is Evidian Web Access Manager?

Evidian Web Access Manager is a single sign-on (SSO) solution for web applications. It requires no installation on the workstation, which can be a tablet or a smartphone. Evidian Web Access Manager can be used alone or in cooperation with Evidian Enterprise SSO, a solution based on a local Windows client that provides access to web and non-web applications. Evidian Enterprise SSO and Evidian Web Access Manager can share information about a web application's user account and login as well as the Windows login.

This document uses Evidian Web Access Manager to illustrate examples of web access to Microsoft Outlook via single sign-on mechanisms.

Use Case: Single Sign-On to Microsoft Outlook

Outlook Web App and ActiveSync are web applications that can be controlled by a web single sign-on solution such as Evidian Web Access Manager. Evidian Web Access Manager can control access to Outlook Web App just as it does for any traditional web application. It can also control mobile access to the e-mail system over the ActiveSync protocol.

Use Case with Outlook Web App (OWA)

A mobile user accesses his Outlook mailbox via the Outlook Web App interface. To log in to this interface, the Windows password must usually be entered. However, the user may not know the Windows password required by Outlook Web App:
- On his desktop PC, the user does not always use the Windows password. Access may be managed by a local tool, such as Evidian Enterprise SSO or Authentication Manager.
- Similarly, the user may enter a single-use password (One-Time Password, OTP RADIUS) or an X.509 certificate for remote web access via Evidian Web Access Manager.

In this case, Evidian Web Access Manager uses the Windows password known by Evidian Enterprise SSO to authenticate on the OWA server.

Result: once logged onto Evidian Web Access Manager, the user accesses OWA via his or her browser without having to enter another password.

Use Case with ActiveSync

Via a mobile phone (iPhone, Android, Windows Phone) or a tablet (iPad, Android, etc.), the user synchronizes his e-mails and calendar with his OWA e-mail account over Wi-Fi or 3G. The ActiveSync client application must be able to authenticate and access the OWA resources using the ActiveSync protocol. However, as we have seen, the user does not necessarily know his Windows password and may therefore be unable to use it to configure the ActiveSync client application.

In this case, Evidian Web Access Manager provides the user with a password dedicated to ActiveSync authentication. The ActiveSync client application, on the phone or tablet, is configured to use Evidian Web Access Manager as its e-mail server. Evidian Web Access Manager uses the dedicated ActiveSync password to authenticate the user, then injects in its place the Windows password known by Evidian Enterprise SSO for authentication on the ActiveSync interface of the OWA server.

Result: the e-mail client automatically logs on to Evidian Web Access Manager to access OWA, with no risk of de-synchronization when the Windows password is changed.

Architecture Principles with Outlook Web App

The figure below shows a typical architecture for web access to mailboxes under Outlook Web App (OWA).

Figure 1: Architecture for Outlook Web App

The nomad user authenticates with an OTP (one-time password) method, via a device or application synchronized with an OTP server. When he or she accesses the Evidian Web Access Manager portal, the authentication is checked by the OTP server using the RADIUS protocol. Evidian Web Access Manager then identifies the user in the Active Directory. Evidian Web Access Manager can obtain the user's application passwords and Windows password from Evidian Enterprise SSO, if it is present. The Windows password is thus used to authenticate on the OWA servers. The authentication type may be integrated Microsoft authentication (NTLMv2), form-based authentication or basic HTTP authentication.

Principles and Architecture with Microsoft ActiveSync

The ActiveSync protocol is a subset of the HTTP protocol; it does not support:
- 301 and 302 redirections
- HTTP/HTTPS ports other than 80 and 443

ActiveSync therefore imposes constraints on its portalization via a web single sign-on solution such as Evidian Web Access Manager:
- It is not possible to redirect to an Evidian Web Access Manager authentication server or to an external authentication server. Primary authentication must therefore be carried out by the Web Access Manager gateway. Authentication to an external RADIUS or Kerberos server is not possible.
- The gateway must run on port 80 (HTTP) or 443 (HTTPS).
- URL translation is not possible. The Web Access Manager gateway must be a remote web agent.
- ActiveSync e-mail clients provide only one login field and one password field for authentication. The login and password values are sent with each HTTP Basic Authentication connection. There can be no further dialog between the gateway and the e-mail client to manage a one-time authentication.
- For ease-of-use reasons, the ActiveSync password saved in the smartphone is unlikely to be changed frequently.

ActiveSync protocol constraints therefore prevent the use of an OTP server. But it is not possible to use the Windows password either if the user does not know it. In the architecture described here, the primary passwords are stored in an LDAP directory separate from the Active Directory; the latter contains the real users and passwords.

The user enters a password that is not his actual Windows password but that is checked by Evidian Web Access Manager. Evidian Web Access Manager then injects the actual Windows password into the data flow exchanged with the ActiveSync server. This substitute password (not the Windows password) can then be changed independently of the change frequency of the Windows password.

The figure below presents an Evidian Web Access Manager architecture that enables access to ActiveSync mailboxes via a mobile phone.

Figure 2: Web Access Manager Architecture for ActiveSync

This is what happens for an ActiveSync connection from a mobile phone:
- The user has a user1 login and a password.
- The user1@domain.com e-mail account is configured on the mobile phone. The e-mail server is set as wam.domain.com, either encrypted (HTTPS) or not (HTTP).
- An ActiveSync connection towards the Evidian Web Access Manager server is activated, and the ActiveSync client automatically sends the user1 login and its password with each request.

Evidian Web Access Manager intercepts the user login to perform the following:
1. User identification, i.e. determining the user's original directory.
2. Authenticating the user in his identification directory.
3. Identification in the directory containing the real reference to the user.
4. Recovery of the primary and secondary passwords associated with the user identified in step 3.

Evidian Web Access Manager then connects to the ActiveSync server and injects the user name and password expected by the OWA e-mail server. The user is then authenticated by the OWA server (step 5) in the Active Directory of the Windows domain.

Authorization Management for ActiveSync

Authorizations to access applications can be calculated dynamically using simple and, or, not rules applied to the user's attributes in the LDAP directory. These rules apply to ActiveSync connections as well as to all other connections transiting via Evidian Web Access Manager. Static or dynamic groups can thus be created to authorize access to mailboxes on a mobile phone according to the users' duties.

Changing Passwords for ActiveSync

The passwords used on mobile phones are separate from the Windows passwords. They can therefore be changed independently:
- using a provisioning tool (such as Evidian Identity & Access Manager or Evidian ID Synchronization) which modifies the passwords in the LDAP directory; the new passwords must then be sent to users so that they can configure their mobile phones;
- by the users themselves, using Web Access Manager to modify their own passwords.

Filtering based on the Phone Identifier for ActiveSync

For each ActiveSync request, the mobile phone sends an identifier whose syntax is specific to each manufacturer. The OWA server makes it possible to declare, register and filter ActiveSync connections according to these unique identifiers. Filtering allows a user's e-mail account to be strongly associated with one or more mobile devices, which prevents fraudulent access based on duplication of a device's content.

Tracing all User Activity

All access management policies require control. Evidian Web Access Manager logs all user access attempts, so administrators know who accessed which application and when. Evidian Web Access Manager is compatible with web traffic analysis tools such as Webtrends, which simplifies the analysis of security audit reports. Audit events are transmitted to the Evidian Identity & Access Manager centralized audit database for each authentication and password transmission.
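The per-request gateway flow described above (identification, authentication against the dedicated ActiveSync password, lookup of the real user, injection of the Windows credential) together with the phone identifier filtering, as an added Python model that is not Evidian's code. The two directories, the `wam.domain.com` realm, the DeviceId allow-list and the PBKDF2 hashing are assumptions; the `/Microsoft-Server-ActiveSync?...&DeviceId=...` URL shape is the standard ActiveSync one.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SALT = b"constructed-salt"  # one global salt keeps the demo short; use per-entry salts in practice

def derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 50_000)

# Constructed identification directory: the dedicated ActiveSync password
# (salted and hashed) plus a reference into the real directory.
ACTIVESYNC_DIR = {
    "user1": {"hash": derive("phone-only-secret"), "ref": "CN=user1,OU=Staff,DC=domain,DC=com"},
}
DUMMY_HASH = derive("")  # unknown logins cost the same as known ones

# Constructed stand-in for Active Directory plus the Enterprise SSO vault,
# including the ActiveSync DeviceIds registered for the account.
REAL_DIR = {
    "CN=user1,OU=Staff,DC=domain,DC=com": {
        "windows_login": "DOMAIN\\user1",
        "windows_password": "W1ndows-Secret",
        "devices": {"Appl0123456789"},
    },
}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="wam.domain.com"'}

def basic_header(login: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")

def parse_basic(header):
    """Return (login, password) from an HTTP Basic header, or None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    login, sep, password = decoded.partition(":")
    return (login, password) if sep else None

def gateway(url: str, headers: dict) -> dict:
    """Handle one ActiveSync request: authenticate, filter the device, swap credentials."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        # The client cannot follow a redirect, so the gateway challenges on
        # this very request instead of sending it to a login page.
        return {"status": 401, "headers": CHALLENGE}
    login, password = creds
    entry = ACTIVESYNC_DIR.get(login)                     # step 1: identification
    expected = entry["hash"] if entry else DUMMY_HASH
    ok = hmac.compare_digest(expected, derive(password))  # step 2: authentication
    if entry is None or not ok:
        return {"status": 401, "headers": CHALLENGE}
    real = REAL_DIR[entry["ref"]]                         # steps 3-4: real user and passwords
    device = parse_qs(urlsplit(url).query).get("DeviceId", [""])[0]
    if device not in real["devices"]:                     # phone identifier filtering
        return {"status": 403, "headers": {}}
    upstream = {k: v for k, v in headers.items() if k != "Authorization"}
    upstream["Authorization"] = basic_header(real["windows_login"], real["windows_password"])
    return {"status": 200, "upstream_headers": upstream}  # forwarded to the OWA server
```

The phone never learns the Windows password, so rotating it in Active Directory (and in the Enterprise SSO store) leaves the mobile configuration untouched.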
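The and/or/not authorization rules over LDAP attributes mentioned under "Authorization Management for ActiveSync", as an added Python evaluator that is not Evidian's code. The user entries, the attribute names and the policy itself are constructed for the illustration.

```python
# Constructed LDAP entries as the gateway might read them back;
# memberOf is multi-valued, the other attributes single-valued.
USERS = {
    "user1": {"department": "Sales", "employeeType": "Employee",
              "memberOf": ["CN=Mobile,OU=Groups,DC=domain,DC=com"]},
    "user2": {"department": "Sales", "employeeType": "Contractor", "memberOf": []},
    "user3": {"department": "Finance", "employeeType": "Employee", "memberOf": []},
}

# Rules are nested tuples: ("eq", attr, value) and ("has", attr, value) are
# the leaves; ("and", ...), ("or", ...) and ("not", rule) combine them.
def evaluate(rule, attrs) -> bool:
    op = rule[0]
    if op == "eq":
        return attrs.get(rule[1]) == rule[2]
    if op == "has":  # membership test on a multi-valued attribute
        return rule[2] in attrs.get(rule[1], [])
    if op == "and":
        return all(evaluate(sub, attrs) for sub in rule[1:])
    if op == "or":
        return any(evaluate(sub, attrs) for sub in rule[1:])
    if op == "not":
        return not evaluate(rule[1], attrs)
    raise ValueError(f"unknown operator: {op!r}")

# Hypothetical policy: Sales staff or members of the Mobile group may sync
# mail on a phone, but contractors never may.
ACTIVESYNC_RULE = (
    "and",
    ("or", ("eq", "department", "Sales"),
           ("has", "memberOf", "CN=Mobile,OU=Groups,DC=domain,DC=com")),
    ("not", ("eq", "employeeType", "Contractor")),
)

def may_sync(login: str) -> bool:
    """Default deny: unknown users and users failing the rule get no ActiveSync access."""
    attrs = USERS.get(login)
    return attrs is not None and evaluate(ACTIVESYNC_RULE, attrs)
```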

Encryption of Confidential Data

With Evidian Web Access Manager, all OWA and ActiveSync communications can be encrypted. The Evidian Web Access Manager gateway encrypts the data itself using SSL. Users can therefore consult their e-mails securely, since the traffic is protected by Evidian Web Access Manager.

Protecting Web Resources against Attacks

Evidian Web Access Manager helps prevent attacks on web resources exposed on the Internet. The Evidian Web Access Manager gateway can mask the actual address of web resources: it modifies the URLs of the web applications ("URL translation"), which prevents attackers from discovering the network topology. Evidian Web Access Manager controls the inputs of all web accesses, which helps protect web applications against attacks from the Internet.

High Availability and Load Sharing

The Evidian Web Access Manager gateway can be installed on two or more servers. In this case, the servers share the web traffic load and ensure disaster recovery if either server fails. This high availability solution is purely software-based: it requires neither appliances nor shared disks and works with standard servers. Similarly, load increases are handled by simply adding extra Evidian Web Access Manager gateways.

39 A2 22LY 00

Evidian IAM Suite

Our IAM solution is recognized by customers and analysts for its completeness. The Evidian IAM Suite offers the following components to make a fully integrated solution:
- Evidian Identity & Access Manager allows authorization governance and full lifecycle management of identities and access to services, driven by a security policy combined with approval workflows.
- Evidian Web Access Manager is designed to manage access federation to web applications, secure remote access for mobile users and replace all user passwords with a single, strong authentication method.
- Evidian Enterprise SSO facilitates access to enterprise and personal applications from workstations, mobile devices and smartphones, and frees users from password constraints.
- Evidian Authentication Manager provides strong authentication on workstations and mobile devices: smart card or token, X.509 certificate, contactless RFID cards, biometrics, one-time password.
- Evidian SafeKit brings high availability, failover, file replication and load balancing to applications.

For more information, please consult our website: www.evidian.com

2012-2014 Evidian. The information contained in this document represents the view of Evidian on the issues discussed at the date of publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after the date of publication. This is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. We acknowledge the rights of the proprietors of trademarks mentioned in this book.

This white paper is printed on paper combining 40% eco-certified fibers from sustainable forest management and 60% recycled fibers, in line with current environmental standards (ISO 14001).