
HOWTO: Active-Sync - WM5 - using self signed SSL certificates


Posted by blakey2 (MIS, joined Jan 28, 2004, location AU)
Set up Active-Sync on WM5 devices using self signed SSL certificates to enable Microsoft ‘Direct Push’ synchronisation.

The problem of using self signed certificates is that WM5 devices make it very difficult to install self signed certs.

Furthermore our Exchange server resides on the LAN behind an apache reverse proxy server which is in the DMZ.

Clients (WM5 devices) connect externally to the reverse proxy server via https, which then proxies the requests to the LAN again using https.

This document does not tell you how to create SSL certificates, nor how to set up a reverse proxy with apache. It is assumed you have already done this, or are comfortable doing this.

Reverse Proxying with apache:

Create SSL certificates using openSSL – Debian Forum -

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Step 1 – Ensure that you have a SSL cert on the mail server for internal SSL connections.

-> Use microsoft’s selfSSL tool to easily achieve this.
-> Ensure that the CN on the cert matches the external (FQDN) name that clients use to connect remotely, i.e. “webmail.mycompany.com.au” NOT “mail01” (the NetBIOS name of your mail server).

Step 2 – Initiate connection to internal server using SSL

Two Parts are required:

Part 1.

Set up active-sync:
-> Create a partnership
-> Select synchronise directly with the exchange server
-> Enter the FQDN of the server that you would use to connect remotely, i.e. webmail.mycompany.com.au
-> Ensure SSL is selected.
-> Click Next – This will give you an error message stating that the certificate on the server is invalid or has expired. Ignore this by pressing Continue and carry on to Part 2 to resolve the SSL cert problem.

NB: At this stage you can ignore any sync issues specifically:

The server could not be reached. This can be caused by temporary network conditions. Support Code 85002003.

Part 2.

The initial sync will fail as you need to import your mailserver’s SSL certificate onto the device. The easiest way to do this is to export the certificate from Internet Explorer.

Open internet explorer.
Go to webpage – ‘webmail.mycompany.com.au’
It should ask you to accept a certificate.
-> At this point select ‘View Certificate’
-> Click the details tab and click the ‘Copy to file’ button.
-> This opens the certificate export wizard
-> Click next
-> Select ‘DER encoded binary X.509 (.cer)’ and click Next
-> Choose a filename such as ‘mailserver_internal_SSL_cert’

This will save the file to the desktop.

Copy this file across to your mobile device using windows explorer, then locate the file from the device using ‘file explorer’, click once on it and select install.
You should now be able to sync direct with your exchange server using activesync and a USB cable.

Note
For some reason – presumably to do with not being able to access NATed services behind a F/W (??), the wildcard domain “*.mycompany.com.au” needs to be configured in the device as a local/intranet site.

Settings->Connections->Advanced->Exceptions
Add “*.mycompany.com.au” minus the quotes.


Step 3 – Test the OTA sync

The USB sync should now be working so what we want to do is enable the ‘Over the Air’ (OTA) sync, which involves a GPRS data connection between the WM5 device and the apache reverse proxy server.

If you unplug the USB cord, and select ‘ActiveSync’ from the device’s programs, and try and do a manual sync, you will receive the error message:

Support Code: 0x80072F0D

What this means is that it does not like your SSL certificate on the reverse proxy. You might ask why you can’t simply import the apache browser cert onto your device in the same manner in which you imported the mailserver’s cert.

The short answer is that your apache (openSSL) cert is certified by ‘you’ (untrusted by your WM5 device), whereas the Microsoft selfSSL cert seems to be trusted by the WM5 device.

**It would be interesting to export the Microsoft selfSSL cert to the apache box; it should just ‘work’ as if the cert was from a major vendor (Verisign/Thawte etc.). I am unsure how to do this, though I believe it is possible to convert a ‘.der’ cert (exported from IE) into the ‘.pem’ format used by apache…

What you need to do to get this running (make the WM5 device ‘trust’ you as a CA) is to install your own ‘ROOT CA’ certificate onto the device. Many forums suggest that this is not possible, and from what I understand the ability to do this is dependent on the firmware, which may have been locked by the phone company. I am Australian, have an iMate JAMin, and am a customer of Telstra, who provided the handsets.
One of the first things I did when I started setting this all up was to flash the firmware with the latest build.
There is a Telstra specific flash, and there is the generic iMate flash. I stuck with the generic iMate flash as it was version X.X.22 whereas the Telstra flash was X.X.12 (And the Telstra flash seemed to install even more cr*p..).

For the firmware updates:
In summation: my phone was not locked to install root certificates when I used the method below (in section 4).


Step 4 – Install apache’s (openSSL) CA onto device

There is a shortcut which apparently allows you to hack the registry so it does not check that the cert is from a ‘trusted vendor’, i.e. you could simply install your cert without worrying about installing the root CA.
See this post from ‘Ben Winzenz’ on his blog to show you how: NB: This did not work for me, so I did the following:


Get CA Root cert from webserver into workstation’s IE
When you created your selfSSL certificate on the apache proxy/webserver it should have created a file called ‘cacert.pem’, though this name may differ depending on your distro, or if you have edited the openssl.cnf file and changed it to a different name.

Copy the cacert.pem file from the ssl directory of the webserver to your workstation’s desktop.
Open IE -> Tools -> Internet Options -> Content -> Certificates -> Import -> Next -> Browse (Select all files *.* as the mask and locate your cacert.pem file)
Now it will prompt you for the store in which to save it. Select ‘Browse’ -> ‘Trusted Root Certification Authorities’ -> OK -> Next -> Finish.

You have just installed the root CA into your workstation’s browser. This is strictly speaking not necessary, though by doing so, you can follow the instructions in the following article (How to add your own root cert via CAB file).

Install root cert on device
How to add your own root cert via CAB file.


After you have done this it should all work – It did for me anyway!

HTH - Chris.
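The three things the HOWTO above depends on (the CN matching the external FQDN, the server cert chaining to a root CA the device has installed, and converting a DER ‘.cer’ export to the PEM form apache uses) can be checked from a shell with openssl. This is an added example, not part of Chris’s post; it builds a throwaway CA and server cert in a temp directory, and the names (webmail.mycompany.com.au, “My Test Root CA”) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throwaway root CA plus a
# server cert signed by it, then runs the checks the HOWTO relies on.
set -e
WORK=$(mktemp -d)
FQDN="webmail.mycompany.com.au"   # hypothetical external name clients connect to

# Create a throwaway root CA, a server cert signed by it, an unrelated second CA
# (to show the untrusted case), and a DER (.cer) copy like IE's export wizard writes.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=My Test Root CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Some Other CA" \
    -keyout "$WORK/otherkey.pem" -out "$WORK/othercacert.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/server.pem" -outform der -out "$WORK/server.cer"
}

# Print the CN of a PEM cert; Step 1 requires it to equal the external FQDN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 only if the server cert ($2) chains to the root CA file ($1); this is
# the check that fails with 0x80072F0D when the CA is not installed on the device.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Convert a DER export (.cer) into the PEM form apache/openssl expect.
der_to_pem() {
  openssl x509 -inform der -in "$1" -out "$2"
}

# SHA-256 fingerprint, used to confirm a conversion did not alter the cert.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

make_test_pki
echo "CN on server cert: $(cert_cn "$WORK/server.pem")"
chain_ok "$WORK/cacert.pem" "$WORK/server.pem" && echo "chains to our root CA"
chain_ok "$WORK/othercacert.pem" "$WORK/server.pem" || echo "not trusted by other CA"
```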
 
Hi All,

Just an update for anyone interested.

I ran into problems with the device deciding not to sync over the air - it worked then randomly stopped working.

I removed the domain name from the internal domain list and all worked again.

Code:
Settings->Connections->Advanced->Exceptions
    REMOVE  “*.mycompany.com.au” minus the quotes

Because I removed this setting my device would not sync sometimes when connected via usb. In active sync I changed the 'Connections Settings' (on the file menu) from 'Automatic' to 'This computer is connected to the Internet'. Everything works fine now.

Cheers.
 