8200v SMA Restrict ActiveSync
We have a pair of Sonicwall SMA 8200v appliances behind a CMS. We're looking to tighten security to the Exchange Server that is on the LAN behind these appliances. We already have our remote users' smartphones going to the SMAs instead of directly to the Exchange Server. Is it possible to use the SMAs to restrict ActiveSync to a list of allowed devices so that only the allowed devices actually get forwarded to the Exchange Server and anything else is dropped at the SMA?
Viveks SonicWall Employee
@ASTech2020 , you can allow/restrict ActiveSync access based on Device IDs too. For this, you need to configure a Device Profile with all the devices (IDs) that you want to allow. Steps are,
On AMC, navigate to End Point Control (left pane) -> Profiles -> Edit -> New -> Exchange ActiveSync.
On CMC, navigate to Managed Appliances (left pane) -> Configure -> Define Policy -> End Point Control -> (Follow above steps)
- The Attribute type "Equipment ID" should be selected already.
- If the Device ID of users is stored in AD/LDAP for all users, you can mention the AD/LDAP attribute name.
- If not, you can enter the Device IDs under "Device identifier" textbox. One entry for each Device ID.
- Click "Add to Current Attributes" button.
- Repeat steps 3 and 4 for all users.
Once all are added, you can save this device profile and assign it to a Device Zone. Use the zone under Community -> End Point Control as needed.
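To see what the Device ID check above amounts to, here is an added simulation of the zone order (known-devices zone first, an optional match-all fallback last) run over constructed ActiveSync request lines. This is not SonicWall code or log output; the device IDs, user names and log lines are placeholders, and the DeviceId is read from the query parameter every ActiveSync request carries.

```python
"""Simulate SMA ActiveSync zone classification over EAS request log lines.

Added example, not SonicWall code or output. KNOWN_DEVICE_IDS stands in for
the Device identifier list of the "Exchange ActiveSync" device profile; the
log lines below are constructed placeholders.
"""
from urllib.parse import parse_qs, urlparse

# IDs you would have copied from the Unregistered device log (constructed).
KNOWN_DEVICE_IDS = {"ANDROIDC1234567890", "APPLF1A2B3C4D5E6"}

# Zone order as listed under Community -> End Point Control: first match wins.
ZONES = [
    ("Known ActiveSync devices zone", lambda dev_id: dev_id in KNOWN_DEVICE_IDS),
    ("All ActiveSync devices zone", lambda dev_id: True),  # testing-phase fallback
]


def device_id_from_request(request_line: str):
    """Pull DeviceId out of '.../Microsoft-Server-ActiveSync?...&DeviceId=...'."""
    path = request_line.split()[1] if " " in request_line else request_line
    parsed = urlparse(path)
    if not parsed.path.endswith("/Microsoft-Server-ActiveSync"):
        return None  # not an ActiveSync request at all
    return parse_qs(parsed.query).get("DeviceId", [None])[0]


def classify(request_line: str, zones=ZONES) -> str:
    """Zone the session lands in, or 'no zone' when nothing matches."""
    dev_id = device_id_from_request(request_line)
    if dev_id is None:
        return "no zone"
    for name, matches in zones:
        if matches(dev_id):
            return name
    return "no zone"


def classify_all(lines):
    """Map each DeviceId to its zone; anything in the fallback zone needs review."""
    return {device_id_from_request(l): classify(l)
            for l in lines if device_id_from_request(l)}


# Constructed sample request lines (method, path, version) from an access log.
SAMPLE_LOG = [
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=ANDROIDC1234567890&DeviceType=Android HTTP/1.1",
    "POST /Microsoft-Server-ActiveSync?Cmd=Ping&User=bob&DeviceId=APPLF1A2B3C4D5E6&DeviceType=iPhone HTTP/1.1",
    "OPTIONS /Microsoft-Server-ActiveSync?User=eve&DeviceId=UNKNOWN0000000001&DeviceType=SmartPhone HTTP/1.1",
    "GET /owa/ HTTP/1.1",
]
```

Calling `classify(line, zones=ZONES[:1])` models the configuration after the fallback zone is removed: unknown devices then match no zone at all.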
That seems to have pointed me in the right direction. I entered all our device IDs and have a separate profile for each user. It looks as though it should fly, but can you suggest a way to test this without actually enforcing it? I'd at least like to see something in a log that shows that the devices are passing the test for the Device ID before I actually enforce it. Perhaps we could have a policy for the failed ones that still lets them through but shows me which ones are failing? We have about 50 users and I'd rather not have them all calling at once if it doesn't work-- and if it fails, I may not get a second chance to do it again.
The other problem that I'm having is that Autodiscover isn't working from behind the SMA. It works fine with a direct connection to the Exchange Server. I'll need to get that working before I can use the SMA exclusively. If I go to https://autodiscover.domain.com/autodiscover/autodiscover.xml in a browser, I generally get the SMA web page that says I don't have access, though sometimes it shows a logon prompt-- but I never actually get to see the actual autodiscover XML file.
@ASTech2020 - you can create one device profile with multiple device IDs, which will be much easier to maintain compared to multiple device profiles, unless you have a specific reason to do so.
In order to test whether the device IDs are being effective or not, you can create a new ActiveSync device profile without any device IDs and use it with a new zone. On the Community settings page, this new zone should be placed below the zone with all device IDs. Here, since you are creating an ActiveSync device profile with no device IDs, all the ActiveSync devices will match that profile. This can serve as a fallback until your testing is done. To know whether it matched or not, you can check User session details.
Steps to do above changes,
I am assuming the following: you have already placed all the ActiveSync device profiles with known device IDs under a zone named, say, "Known ActiveSync devices zone". You are using a realm named "ActiveSync" for this, and the community name is "ActiveSync community".
1 - Create a new ActiveSync device profile without any device IDs. On AMC/CMC, navigate to the End Point Control configuration page. Profiles -> Edit -> New -> Exchange ActiveSync. Here, do not add any device IDs; just name the profile (say, "All ActiveSync devices profile") and save it.
2 - Navigate to the Zones configuration page and create a new Device zone. Select the "All ActiveSync devices profile" profile from the left pane and use it (it should appear on the right pane). Name this "All ActiveSync devices zone" and save it.
3 - Go to Realms and click on the ActiveSync realm to edit it. Click on Communities tab -> community name -> End Point Control tab. I am assuming you are already using your ActiveSync devices zone with device IDs (called here "Known ActiveSync devices zone") for this community.
4 - Under "Devices zone" section, select the "All ActiveSync devices zone" from left pane and add it (should appear on the right pane under "In use").
5 - Make sure "All ActiveSync devices zone" is placed at the bottom of the list as the last item (you can move up and down using UI buttons). This ensures if a device is not matching "Known ActiveSync devices zone", it will still be matched by "All ActiveSync devices zone" (because this zone matches all activesync devices irrespective of the device IDs).
6 - Click Ok and Save buttons to save this community configuration changes.
7 - Make sure your Access control rules are **not** distinguishing between these two device zones (because I think you don't want any difference in user experience between known and unknown devices during the testing phase). If there are any rules with "Known ActiveSync devices zone", edit them and add "All ActiveSync devices zone" too.
After applying the above changes, to check if the device ID is actually working, check the user session details. Navigate to User Sessions and edit the filters to list the particular session. On the Session details page, you can find the Device zone the session was classified into under the "Device zone" column. If it shows "Known ActiveSync devices zone", it means the device ID matched and the session was classified into the known devices zone. If you see "All ActiveSync devices zone" for Device zone, it means the device ID is not matching your configured profile/list. On the same page, check the "Zone classification" tab to see how the zone classification worked. To know why a certain zone failed to match, expand the line to see the reason.
To know which device ID is being used by the user, you can check the Unregistered device log on CMC and AMC. On AMC, navigate to Logging -> View Logs tab -> select the Log file as "Unregistered device log" (clear the filters if needed). Locate the user from the list and expand it to find the device ID. Copy and use it under the device profile if you trust the device.
Once you are done with the testing and device ID matching is satisfactory, you can remove the zone "All ActiveSync devices zone" from configuration.
If you have configured "autodiscover.domain.com" as the "Exchange autodiscover FQDN" and public DNS is resolving "autodiscover.domain.com" to the SMA, you can test the Autodiscover response using the testing tools provided by Microsoft. Just accessing the autodiscover URL (HTTP GET method) will not give you the autodiscover response; you will see the authentication prompt and an error page from IIS/Exchange (because IIS expects the POST method for this URL).
If you want to use the Exchange Autodiscover service for ActiveSync access, you will need to update the configuration on the Exchange server to set the appliance FQDN (the one under the "Exchange server FQDN" field) as the external URL. And, on AMC, you will need to update the URL field of the Exchange URL resource to use the same FQDN (so that Exchange knows the user is accessing over the External URL). So, public DNS will resolve the ActiveSync FQDN to the appliance while the internal DNS configured on the appliance will resolve it to Exchange/IIS.
If you want to use Autodiscover for other Exchange services too (MAPI/HTTP, MSRPC, EWS) through SMA, you will need to update the external URL on Exchange server for each of those services.
But in general, ActiveSync access can work without Autodiscover service and just entering the FQDN manually during Email profile creation is enough. This is also common practice among our ActiveSync customers.
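As an added illustration of the two Autodiscover points in this reply (the request has to be POSTed, and Exchange must hand back the appliance FQDN as the external URL), the following script builds the mobilesync Autodiscover request body and checks a response for MobileSync URLs that still point at an internal name. It is not part of the thread or SonicWall's tooling; the sample response and the host names in it are constructed placeholders.

```python
"""Build a mobilesync Autodiscover request and check the response's MobileSync URL.

Added example, not from the thread or SonicWall. The sample response and
the FQDNs below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/requestschema/2006"
RESP_NS = "http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006"


def build_request(email: str) -> bytes:
    """Body an ActiveSync client POSTs to /autodiscover/autodiscover.xml (GET gets only an error page)."""
    root = ET.Element("Autodiscover", {"xmlns": REQ_NS})
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = email
    ET.SubElement(req, "AcceptableResponseSchema").text = RESP_NS
    return b'<?xml version="1.0" encoding="utf-8"?>' + ET.tostring(root)


def mobilesync_urls(response_xml: bytes) -> list:
    """Every MobileSync server URL the response hands to the client."""
    root = ET.fromstring(response_xml)
    return [s.findtext(f"{{{RESP_NS}}}Url") for s in root.iter(f"{{{RESP_NS}}}Server")
            if s.findtext(f"{{{RESP_NS}}}Type") == "MobileSync"]


def check_external_url(response_xml: bytes, appliance_fqdn: str) -> dict:
    """Flag any MobileSync URL that is not https on the appliance FQDN (internal name leaking out)."""
    urls = mobilesync_urls(response_xml)
    wrong = [u for u in urls if urlparse(u).scheme != "https"
             or (urlparse(u).hostname or "").lower() != appliance_fqdn.lower()]
    return {"urls": urls, "wrong": wrong, "ok": bool(urls) and not wrong}


# Constructed sample: Exchange still advertises its internal name, not the SMA FQDN.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
    <User><EMailAddress>user@domain.com</EMailAddress></User>
    <Action><Settings><Server>
      <Type>MobileSync</Type>
      <Url>https://exchange01.domain.local/Microsoft-Server-ActiveSync</Url>
      <Name>https://exchange01.domain.local/Microsoft-Server-ActiveSync</Name>
    </Server></Settings></Action>
  </Response>
</Autodiscover>"""
```

Feed the body from `build_request()` to a POST against the autodiscover URL and pass the reply to `check_external_url()` with your appliance FQDN; `ok` is False until Exchange returns the appliance name.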