KB19325 - How to configure Pulse Connect Secure to perform an additional check for a client certificate for ActiveSync connections on an iPhone

This article shows  How to configure Pulse Connect Secure to perform an additional check for a client certificate for ActiveSync connections on an iPhone before providing username/password credentials to the ActiveSync server.

Note

• Certificate authentication to an ActiveSync server is not supported. In the following scenario, the initial connection to Pulse Connect Secure gateway requires a client certificate. If successful, username/password credentials are provided to the ActiveSync server.

Prerequisites

• Certificate Authority Services must be installed on a member server/domain controller in your domain.
• A device certificate for the Pulse Connect Secure device and client certificate must be generated using your certificate authority server. 
• The iPhone Configuration Utility (iPCU) is installed on a Windows or Mac OS X machine

Pulse Connect Secure Gateway Configuration

Create a Virtual port on the Pulse Connect Secure device:

1. Navigate to Network > Internal Port or External Port > Virtual Port.

2. Click New Port.
3. Provide a virtual port name and IP information. Click Save Changes.
4. Navigate to Configuration > Certificates > Trusted Client CAs > Import CA certificate. Select the certificate authority (who signed the client certificate).
5. Navigate to Configuration > Certificates > Trusted Server CAs > Import CA certificate. Select the certificate authority (who signed the server certificate installed on the ActiveSync server).  

Note: In the example below, the same certificate authority signed both the client and server certificate.

6. Navigate to System > Security > SSL Options and scroll to the bottom. Under Require client certificate on these ports, select the virtual port (either internal or external port) and click Add.
   
   

7. Navigate to Authentication > Signing In > New Sign-in Policy > New URL.
8. From User Type, select Authorization only Access.
9. For the Virtual host name, enter the URL that mobile devices will be accessing (for example, exch.ssl.com).  

ActiveSync Profile Configuration for iPhone

For client configuration, see KB17857 - How to configure ActiveSync on IVE for mobile clients.

The iPhone Configuration Utility helps create/manage configuration profiles. For more details, refer to the vendor link: http://www.apple.com/support/iphone/enterprise/.

Perform the steps below to create the ActiveSync profile with the iPhone Configuration Utility:

1. For Backend URL, enter the URL of the ActiveSync server.  

   Optional: select Allow Active Sync traffic only to perform additional validation. When enabled, the Pulse Connect Secure device validates whether incoming traffic has the proper header information for ActiveSync.

   

    

2. Open the iPhone Configuration Utility.
3. Click New > Configuration Profiles.
4. Select Exchange ActiveSync option and configure the user account.  
5. In Exchange ActiveSync Host, enter the URL configured on the Pulse Connect Secure in Virtual Hostname (for example, exch.ssl.com).
6. In the User and Password, enter the corresponding credentials to authenticate to the ActiveSync server.  
7. Under Identity Certificate, select the client certificate from the drop-down menu.  

iPhone Configuration

1. From the taskbar, click File > Export. This will create a <filename>.mobileconfig.
   • The configuration file can be accessed on the iPhone using email. Check the vendor website for more details: http://images.apple.com/iphone/business/docs/iPhone_Device_Configuration_Overview.pdf.
2.  Import the ActiveSync profile on the mobile device by clicking the mobile configuration file attachment.  

3. After the configuration is successfully imported, open the mail client to access emails.