Configuring Standalone Sentry for ActiveSync

You configure a Standalone Sentry for ActiveSync by configuring the Standalone Sentry profile with an ActiveSync service in MobileIron Cloud.

Procedure 

1. In MobileIron Cloud, go to Admin > Sentry.
2. Click +Add Sentry Profile or click on an existing profile to Edit.
3. Depending on the device authentication you will configure, select one of the following:
- ActiveSync with basic auth
- ActiveSync and/or App Tunnel with certificates
- ActiveSync and/or App Tunnel with Kerberos
4. Use the guidelines provided in the following sections to configure Standalone Sentry for ActiveSync.
- Configuring Standalone Sentry connectivity settings
- Device Authentication
- Default unmanaged devices behavior
- Passive health check options
- Scheduling options
- Default HTTP/TCP timeouts
- Sentry server configuration
- ActiveSync service
5. Click Save.
6. Create an Exchange setting that points to the Standalone Sentry.

See Configuring Exchange settings for Standalone Sentry.

Configuring Standalone Sentry connectivity settings

The following table describes the Standalone Sentry connectivity settings.

Table 1. Standalone Sentry connectivity settings

Item

Description

Sentry Host / IP

Enter the host name (FQDN) or IP address of the server on which the Standalone Sentry is installed.

The host name or IP address must be external so that apps that are tunneling data are able to access the Sentry.

Sentry Port

Enter the port where mobile devices will connect to Standalone Sentry.

Enter 443.

Device Authentication

Device authentication determines how users attempting to connect to the ActiveSync server or backend resource authenticate with Standalone Sentry. AppTunnel setup requires an Identity certificate or a Kerberos setup.

See Device and server authentication for information on selecting and configuring a method of device authentication.

Default unmanaged devices behavior

By default, Sentry blocks unregistered devices from accessing backend resources. Use this setting to change Sentry’s behavior to allow unregistered devices access to backend resources. Irrespective of this setting, you will be able to allow or block devices on a per-device basis.

Table 2. Default unmanaged devices behavior field description

Item

Description

Allow unmanaged devices to receive email and data

Check to allow unregistered devices access to backend resources.

Passive health check options

These settings determine when a Sentry is marked as ‘dead’. If a server fails more than the number set in Dead Threshold within the time set in Failure Window, then it is marked as dead for the time set in Dead Time.

Table 3. Passive health check field description

Item

Description

Dead Threshold

Specify the number of times that a server connection can fail before the server will be marked “dead”. The valid range is 1 through 1000.

Failure Window

Specify the time interval in milliseconds during which the specified number of server connection failures must occur in order for the server to be marked “dead”. The valid range is 1 through 86400000 milliseconds (24 hours).

Dead Time

Specify the amount of time in milliseconds that the server should be marked “dead” after the specified number of connection failures. The valid range is 1 through 172800000 milliseconds (48 hours).

Scheduling options

These options provide additional flexibility in managing multiple Sentries. Specify Priority or Round Robin scheduling if multiple servers are specified.

Table 4. Scheduling options field description

Item

Description

Priority

The first available server in the specified list will be used, with the first server in the list having the highest priority. If the first server in the list is always available, the other servers are never used.

Round Robin

Each server in the list will be used in turn.

By default, Round Robin is enabled.
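The passive health check rules (Dead Threshold, Failure Window, Dead Time) and the Priority and Round Robin scheduling choices described above, modelled as an added example. This is not MobileIron's code and not a description of how Standalone Sentry is implemented internally; the server names, thresholds and failure timeline are constructed for the illustration, and all times are in milliseconds like the Sentry fields.

```python
"""Added example (not MobileIron's code): a model of the passive health check
(Dead Threshold, Failure Window, Dead Time) and the Priority / Round Robin
scheduling choices. Times are milliseconds, like the Sentry fields; server
names and the failure timeline are constructed."""
from collections import deque


class BackendServer:
    """One backend server plus the failure bookkeeping the passive check needs."""

    def __init__(self, name, dead_threshold=3, failure_window_ms=60_000,
                 dead_time_ms=300_000):
        self.name = name
        self.dead_threshold = dead_threshold        # failures allowed before 'dead'
        self.failure_window_ms = failure_window_ms  # failures must fall inside this window
        self.dead_time_ms = dead_time_ms            # how long the server stays 'dead'
        self._failures = deque()                    # timestamps of recent failures
        self._dead_until_ms = None

    def record_failure(self, now_ms):
        """Record a failed connection; mark the server dead once the threshold is exceeded."""
        self._failures.append(now_ms)
        # Drop failures that are older than the failure window.
        while self._failures and now_ms - self._failures[0] > self.failure_window_ms:
            self._failures.popleft()
        if len(self._failures) > self.dead_threshold:
            self._dead_until_ms = now_ms + self.dead_time_ms
            self._failures.clear()

    def is_dead(self, now_ms):
        """True while the server is inside its Dead Time."""
        return self._dead_until_ms is not None and now_ms < self._dead_until_ms


class Scheduler:
    """Picks the next server using Priority or Round Robin, skipping dead ones."""

    def __init__(self, servers, mode="round_robin"):
        if mode not in ("priority", "round_robin"):
            raise ValueError("mode must be 'priority' or 'round_robin'")
        self.servers = list(servers)
        self.mode = mode
        self._next = 0

    def pick(self, now_ms):
        """Return the server to use now, or None if every server is dead."""
        if self.mode == "priority":
            # First live server in list order; later entries are only a fallback.
            return next((s for s in self.servers if not s.is_dead(now_ms)), None)
        # Round robin: advance through the list, skipping servers that are dead.
        for _ in range(len(self.servers)):
            server = self.servers[self._next % len(self.servers)]
            self._next += 1
            if not server.is_dead(now_ms):
                return server
        return None


def _make_pair():
    # Constructed settings: Dead Threshold 2, Failure Window 10 s, Dead Time 30 s.
    return [BackendServer(n, dead_threshold=2, failure_window_ms=10_000, dead_time_ms=30_000)
            for n in ("A", "B")]


def priority_scenario():
    """Names chosen over a constructed timeline with Priority scheduling."""
    servers = _make_pair()
    sched = Scheduler(servers, mode="priority")
    chosen = [sched.pick(0).name]
    for t in (1_000, 2_000, 3_000):   # three failures: more than Dead Threshold (2) inside the window
        servers[0].record_failure(t)
    chosen.append(sched.pick(4_000).name)    # A is dead until 33_000, so B is used
    chosen.append(sched.pick(34_000).name)   # Dead Time elapsed, A is tried again
    return chosen


def round_robin_scenario():
    """Names chosen with Round Robin, before and after server A is marked dead."""
    servers = _make_pair()
    sched = Scheduler(servers)
    chosen = [sched.pick(0).name for _ in range(3)]
    for t in (1_000, 2_000, 3_000):
        servers[0].record_failure(t)
    chosen += [sched.pick(4_000).name for _ in range(2)]
    return chosen


def failures_outside_window_do_not_kill():
    """Two old failures plus one new one stay under the threshold once the window has moved on."""
    server = _make_pair()[0]
    for t in (0, 1_000, 20_000):
        server.record_failure(t)
    return server.is_dead(20_000)


if __name__ == "__main__":
    print("priority:", priority_scenario())
    print("round robin:", round_robin_scenario())
    print("dead after spread-out failures:", failures_outside_window_do_not_kill())
```

The model makes the interaction of the three fields visible: a server is taken out of rotation only when the failure count exceeds Dead Threshold inside one Failure Window, and it stays out for exactly Dead Time, which is why a long Dead Time on a Priority list can keep traffic on a lower-priority server well after the first server has recovered.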

Default HTTP/TCP timeouts

These settings provide additional flexibility to configure Standalone Sentry session timeouts. You may want to configure the session timeouts to manage server resources.

WARNING: Do not make changes to the settings unless specifically instructed in the documentation or by MobileIron Professional Services.

Table 5. Default HTTP/TCP timeouts field description

Item

Description

Socket read/write timeout

Specify the time in milliseconds after which the Sentry times out a socket read or write with either the device or the server.

Enter a valid integer.

The default setting is 10000, and the minimum is 1.

Server connection timeout

Specify the time in milliseconds after which the Sentry will time out when connecting to the server.

Enter a valid integer.

The default setting is 10000, and the minimum is 1.

Server response timeout

Specify the time in milliseconds after which the Sentry will time out when waiting for an HTTP response from the server.

Enter a valid integer.

The default setting is 60000, and the minimum is 1.

Device request timeout

Specify the time in milliseconds after which the Sentry will time out when waiting for an HTTP request from the device on a new or existing connection.

Enter a valid integer.

The default setting is 10000, and the minimum is 1.

Sentry server configuration

Configure the Sentry port, certificate, protocols and cipher suites.

HTTPS Port
Certificate/Key
Protocols and cipher suites
Load balancers and ciphers
Supported protocols

HTTPS Port

The default is 443. This is the port Sentry listens on for connections from the mobile devices.

Certificate/Key

When you first install Standalone Sentry, a self-signed certificate is also installed. MobileIron strongly recommends that you replace the default certificate with a publicly trusted certificate.

Protocols and cipher suites

Standalone Sentry uses the ciphers and protocols defined here for incoming traffic from device to Standalone Sentry and outgoing traffic from Standalone Sentry to backend resources. Ciphers and protocols for incoming traffic are set in the Incoming tab. Ciphers and protocols for outgoing traffic are set in the Outgoing tab.

You can do the following:

View the available and selected protocols and cipher suites.
Setup custom protocol and cipher suite configuration.
Enable SNI. (Outgoing only)

A default set of cipher suites and protocols are selected. You can customize the selected list of ciphers and protocols to match the security and system needs for your enterprise.

The available and default set of cipher suites and protocols may be updated in a release. Some cipher suites and protocols may be added, while others may be removed. Cipher suites and protocols may be removed if the platform no longer supports these cipher suites and protocols.

If you are set up to use the default cipher suites and protocols, these will be updated to the latest defaults. If you are set up to use a custom list of selected cipher suites and protocols, the custom list is preserved. However, any cipher suites or protocols that are not supported by Standalone Sentry are ignored and noted in Monitoring in Standalone Sentry System Manager.

WARNING: Making changes to the default list of cipher suites may impact the performance and security of traffic through Standalone Sentry. Therefore, before making any changes to the selected cipher suites, MobileIron recommends that you understand both the performance and security impact of the changes.

Load balancers and ciphers

If you use a load balancer to perform HTTPS/GET checks against your Sentry and your Sentry uses strong ciphers, do the following:

Make sure the ciphers enabled in your HTTPS/GET check match one of Sentry’s strong ciphers.
If you cannot change the ciphers that your HTTPS/GET check uses, you can change your check to use HTTP/GET to accomplish the same monitoring.

Supported protocols

TLSv1
TLSv1.2
TLSv1.1
SSLv2Hello

Note the following:

SSLv2Hello is a pseudo-protocol that allows Java to initiate the handshake with an SSLv2 'hello message.' This does not cause the use of the SSLv2 protocol, which is not supported by Java. SSLv2Hello requires that TLSv1 protocol is also selected.

SSLv2Hello is required by some load balancers and SSL off loaders for proper functioning. If your environment does not need it, it is recommended to remove this from the protocol list for improved security.

SNI

Server Name Indication (SNI) is an extension to TLS. SNI allows multiple hostnames to be served over HTTPS from one IP address. By default, SNI is disabled on Standalone Sentry for outgoing connections.

SNI allows a load balancer to direct incoming traffic to the correct backend server based on the hostname provided by the client, in this case, Standalone Sentry. Some backend servers may require that SNI is enabled in the client.

Your Active Directory Federation Services (ADFS) may require SNI for all client communications.

NOTE: If SNI is enabled for Outgoing SSL connections, in some cases health check may fail if the backend server does not also support SNI. The workaround is to disable health check for the impacted server.
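The protocol and cipher suite handling described in this section (unsupported entries in a custom list being ignored, SSLv2Hello depending on TLSv1, the advice to drop legacy protocols, and SNI on outgoing connections), shown as an added Python example for checking a list before applying it. This is not MobileIron's code and does not reproduce Standalone Sentry's Java TLS stack: cipher names are given in OpenSSL spelling (Sentry lists Java-style names), SSLv2Hello has no equivalent in Python's ssl module and is therefore reported as an ignored entry, and the host name is a constructed placeholder. No network connection is made.

```python
"""Added example (not MobileIron's code): turns a Sentry-style protocol list and
cipher list into an outgoing-connection TLS context, reports entries the local
TLS stack cannot honour, flags the legacy protocols, and shows the SNI extension
being sent in the ClientHello. Cipher names use OpenSSL spelling (assumption);
the host name is constructed; no network is used."""
import ssl

# Sentry protocol names mapped to ssl.TLSVersion. SSLv2Hello is a Java
# pseudo-protocol with no Python equivalent, so it is treated as unsupported.
PROTOCOL_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY_PROTOCOLS = ("SSLv2Hello", "TLSv1", "TLSv1.1")


def check_protocols(protocols):
    """Split a protocol list into (usable, ignored) and collect review warnings."""
    usable = [p for p in protocols if p in PROTOCOL_VERSIONS]
    ignored = [p for p in protocols if p not in PROTOCOL_VERSIONS]
    warnings = []
    if "SSLv2Hello" in protocols and "TLSv1" not in protocols:
        warnings.append("SSLv2Hello requires TLSv1 to be selected as well")
    for legacy in LEGACY_PROTOCOLS:
        if legacy in protocols:
            warnings.append(f"{legacy} enabled: remove it unless a load balancer or SSL offloader needs it")
    return usable, ignored, warnings


def check_ciphers(cipher_names):
    """Return (accepted, ignored): a name is ignored if OpenSSL cannot select it."""
    accepted, ignored = [], []
    for name in cipher_names:
        probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            probe.set_ciphers(name)     # raises SSLError when no cipher matches
            accepted.append(name)
        except ssl.SSLError:
            ignored.append(name)
    return accepted, ignored


def build_outgoing_context(protocols, cipher_names):
    """Build a client context limited to the usable protocols and accepted ciphers."""
    usable, _, _ = check_protocols(protocols)
    if not usable:
        raise ValueError("no usable protocol in list")
    versions = sorted(PROTOCOL_VERSIONS[p] for p in usable)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert and host name by default
    ctx.minimum_version = versions[0]
    ctx.maximum_version = versions[-1]
    accepted, _ = check_ciphers(cipher_names)
    ctx.set_ciphers(":".join(accepted))
    return ctx


def client_hello_bytes(ctx, server_name):
    """Start a handshake in memory (no socket) and return the ClientHello the client would send."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)  # server_hostname sets SNI
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for the server's reply
    return outgoing.read()


if __name__ == "__main__":
    sentry_list = ["TLSv1", "TLSv1.2", "TLSv1.1", "SSLv2Hello"]   # the list shown on this page
    print(check_protocols(sentry_list))
    ctx = build_outgoing_context(["TLSv1.2", "TLSv1.3"],
                                 ["ECDHE-RSA-AES128-GCM-SHA256", "NOT-A-REAL-CIPHER"])
    hello = client_hello_bytes(ctx, "mail.example.com")   # constructed host name
    print("SNI present in ClientHello:", b"mail.example.com" in hello)
```

The ClientHello check is the useful part for the SNI note above: the server name travels in clear text in the first handshake message, so a packet capture at the load balancer shows directly whether the client (here standing in for Standalone Sentry) is sending SNI, which is what a backend or health check that "does not support SNI" is reacting to.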

Advanced Traffic Control and server-side explicit proxy

These settings are not applicable for configuring an ActiveSync service on Standalone Sentry.

ActiveSync service

In the Sentry profile, in Manage Services, configure Exchange ActiveSync to set up an ActiveSync service.

The following table describes the settings for configuring an ActiveSync service.

Table 6. Field descriptions for ActiveSync service

Item

Description

Service Name

The Service Name identifies the ActiveSync service.

A service name cannot contain these characters: 'space' \ ; * ? < > " |.

Limit Protocol Version

Choose the ActiveSync protocol version that the device and the ActiveSync server use to communicate with Standalone Sentry.

If the device is already registered, you have to push the Exchange profile to the device to force the device to use the new protocol. Alternately, device users can go to iOS device Settings > Mail > Accounts, select the enterprise mail account, and toggle to disable and re-enable the mail account.

Server Authentication

Select how the Standalone Sentry authenticates the user to the ActiveSync server.

Select Pass Through or Kerberos.

The Kerberos option is only available if you selected ActiveSync and/or App Tunnel with Kerberos.

If you select Kerberos, additional fields are displayed. See Authentication using an Identity certificate and Kerberos constrained delegation.

ActiveSync Servers

Enter the ActiveSync server FQDN and port.

You can add multiple ActiveSync servers.

For Microsoft Office 365, enter outlook.office365.com.

For Gmail, enter m.google.com.

Enable Server TLS

Specify whether the ActiveSync servers require SSL (i.e., port 443).

NOTE: If you are using Google Apps via Standalone Sentry, you must check Enable Server TLS.

Enable Redirect Processing (451)

To disable redirect processing, clear the check box.

If Enable Redirect Processing (451) is disabled, the Standalone Sentry does not handle redirection, and passes the redirect URL to the device.

See also 451 redirect processing.

Enable Active Health Check

The default setting is enabled.

Clear the check box to disable the ActiveSync server health check.

If enabled, when the ActiveSync server fails the number of times configured in the Dead Threshold setting within the time configured in Failure Window, the ActiveSync server status shows Unreachable.

When the background health check determines that the server is live for the number configured for Live Threshold, the ActiveSync server status shows Reachable.

Configuring Exchange settings for Standalone Sentry

The Exchange setting is pushed to the device and points to the Standalone Sentry.

Procedure 

1. In the MobileIron Cloud, go to Configurations.
2. Click +Add > Exchange.
3. For Server address, enter one of the following:
- When using Standalone Sentry, set the server address to the Standalone Sentry’s address.
- When using Standalone Sentry with Lotus Domino server 8.5.3.1 Upgrade Pack 1, set the server address to <Standalone Sentry’s fully qualified domain name>/traveler.
- When using Standalone Sentry with a Lotus Domino server earlier than 8.5.3.1 Upgrade Pack 1, set the server address to <Standalone Sentry’s fully qualified domain name>/servlet/traveler.
- If you are using load balancers, contact MobileIron Professional Services.
4. Enter the variable for the ActiveSync User.
5. Enter the variable for the ActiveSync user Email.
6. Enter the ActiveSync user Account Password.
7. If Standalone Sentry is using Identity or Group certificate for device authentication, select the Identity Certificate configuration to generate the identity certificate for the device.
8. After completing the form, click Next.
9. Select the distribution option and click Done.

See “Exchange Configuration” in the MobileIron Cloud Guide or help to complete the fields in the form.