Reroute mobile device access

  • Question

  • Greetings,

    I am running Exch 2010 SP1 on a single server and have been for a while now.  ActiveSync has been configured and running, allowing anyone with an account to sync with their box.  No policies, no A/B/Q.  Recently we had a company security policy change and installed an MDM server (not SCMDM).  Now all mobile devices need to register/connect with the MDM server and will not be allowed to directly connect with Exchange.

    Exchange Active Sync URL is mail.company.com/Microsoft-Active-Sync (internal and external).  The MDM server acts as a proxy to ActiveSync.  Any suggestions on how I can block/limit users from using the ActiveSync URL without breaking ActiveSync?  I already tried removing the external URL but somehow (autodiscover maybe?) my phone was still able to connect with that URL.  Maybe I missed a step?

    I've read about ISA and reverse proxies but we don't have anything like that in place.  I'm checking in here because the third party company isn't any help on this - obviously not happy about it but the money is spent, the system is installed and I have to make it work.  Is this possible without adding ISA or a reverse proxy server, etc. to control access?

    Thanks

    Friday, August 24, 2012 3:26 PM

All replies

  • Hi there,

    As you said, it is a third party product that is independent of Microsoft; we do not have sufficient information about this product. Maybe it is not suitable for ActiveSync management. Your understanding would be appreciated.

    If there is no firewall that can proxy the ActiveSync request to the third party product, I would suggest you limit ActiveSync via an Exchange ActiveSync policy.

    Refer to:

    http://technet.microsoft.com/en-us/library/bb123484.aspx

    http://technet.microsoft.com/en-us/library/bb123783.aspx

    Hope it is helpful.


    Fiona Liao

    TechNet Community Support

    • Marked as answer by Fiona_Liao Tuesday, September 4, 2012 3:37 AM
    Monday, August 27, 2012 8:56 AM
  • Thank you for the response.

    This MDM solution is Internet facing.  Mobile devices register through a web site (like SecureDevice.domain.com).  Once registered and the device passes policy checks, the MDM server acts as a proxy for the device to Exchange using ActiveSync.  All of this works fine.

    We have been using mail.domain.com to connect mobile devices to Exchange and that is also the URL for OWA.  Now I need to block mobile devices from using mail.domain.com in their ActiveSync configuration.

    Sorry if this isn't clear.  It took me a while to understand the configuration of the MDM solution with ActiveSync.

    Is there a way to use an ActiveSync policy to quarantine a user's device unless they are a member of a particular Active Directory group?

    Monday, August 27, 2012 8:00 PM
  • Do you mean disable ActiveSync access based on user account?

    Yes, Microsoft Exchange Server 2010 lets you restrict access to Exchange ActiveSync by using the device ID. This feature prevents users from synchronizing unauthorized devices with Exchange 2010. You can configure this restriction on each user's mailbox. See http://technet.microsoft.com/en-us/library/bb232080.aspx

    Or you may run Set-CASMailbox -Identity <mailbox> -ActiveSyncEnabled $false. See http://technet.microsoft.com/en-us/library/bb125264.aspx


    Fiona Liao

    TechNet Community Support

    • Proposed as answer by Fiona_Liao Wednesday, August 29, 2012 8:52 AM
    • Marked as answer by Fiona_Liao Tuesday, September 4, 2012 3:37 AM
    Wednesday, August 29, 2012 8:52 AM
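
The per-mailbox switch from the last reply, driven by the group-membership condition asked about earlier in the thread, as an added PowerShell example that is not from the thread or from Microsoft. It assumes a security group named EAS-Allowed (hypothetical) and the ActiveDirectory module on the machine running the Exchange Management Shell; ActiveSyncEnabled is set per mailbox, so it applies whichever host name the request arrives through.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010,
# PowerShell 2.0). 'EAS-Allowed' is a hypothetical group name.
param(
    [string]$AllowedGroup = 'EAS-Allowed',
    [switch]$Apply   # without -Apply the script only reports what would change
)

Import-Module ActiveDirectory

# Collect the distinguished name of every user in the group,
# including users who are members through nested groups.
$allowed = @{}
Get-ADGroupMember -Identity $AllowedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $allowed[[string]$_.distinguishedName] = $true }

# An empty or mistyped group would switch ActiveSync off for everyone.
if ($allowed.Count -eq 0) {
    throw "Group '$AllowedGroup' has no user members; nothing changed."
}

$changes = foreach ($mbx in Get-CASMailbox -ResultSize Unlimited) {
    $dn   = [string]$mbx.DistinguishedName
    $want = $allowed.ContainsKey($dn)

    # Touch only mailboxes whose current setting differs from the target.
    if ($mbx.ActiveSyncEnabled -ne $want) {
        if ($Apply) {
            Set-CASMailbox -Identity $dn -ActiveSyncEnabled $want
        }
        New-Object PSObject -Property @{
            Mailbox = $mbx.Name
            Was     = $mbx.ActiveSyncEnabled
            Now     = $want
            Applied = $Apply.IsPresent
        }
    }
}

$changes | Sort-Object Mailbox |
    Format-Table Mailbox, Was, Now, Applied -AutoSize
```

Run it once without -Apply and review the table before making changes; rerun it on a schedule so new mailboxes outside the group do not keep the default enabled state.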