Multiple ActiveSync domains

Standalone Sentry supports multiple ActiveSync domains. You can configure multiple ActiveSync domains on the same Standalone Sentry to direct email traffic. You may want to configure multiple ActiveSync domains if your enterprise has multiple Exchange ActiveSync (EAS) domains and you want to use the same Standalone Sentry as the proxy to the ActiveSync domains.

Standalone Sentry gets the ActiveSync server information from the Host header in the HTTP request. The device populates the Host header with the value of the Server Name configured in the Exchange setting in MobileIron Core. Standalone Sentry matches the Host header value (Server Name in the Exchange setting) to the ActiveSync Service Name configured in the Standalone Sentry settings to determine which ActiveSync server to forward the traffic. If Standalone Sentry does not find a match, the traffic is forwarded to the ActiveSync server configured in the default service.

Additional setup on your domain name server (DNS) and on MobileIron Core is required to support multiple ActiveSync domains on Standalone Sentry. The additional setup is described in the following sections:

DNS setup
Standalone Sentry configuration
Exchange setting
Standalone Sentry certificate

DNS setup

Each EAS domain must have a separate Standalone Sentry DNS entry that points to the IP address for the Standalone Sentry on which you are configuring the EAS domain. For example, if you have two EAS domains, myenterprise1.com and myenterprise2.com, create two Standalone Sentry DNS entries, standalonesentry1.com and standalonesentry2.com. Point the Standalone Sentry DNS entries to the IP address of the Standalone Sentry on which you are configuring the EAS domains.

Standalone Sentry configuration

You configure multiple domains by creating separate ActiveSync services in the Standalone Sentry settings in Services > Sentry in the MobileIron Core Admin Portal. For more information, see Configure ActiveSync.

Note The Following:  

Settings in the Standalone Sentry configuration are applied to all ActiveSync services configured in the Standalone Sentry configuration.
For device and server authentication, Kerberos authentication to the ActiveSync server is not supported if multiple ActiveSync services are configured.

Exchange setting

For each Standalone Sentry DNS entry, create a corresponding Exchange setting on MobileIron Core. For Server Address in the Exchange setting, enter the DNS name for Standalone Sentry. For more information, see Configuring Exchange settings for Standalone Sentry for ActiveSync.

Standalone Sentry matches the hostname in the Exchange setting to the ActiveSync Service name in the Standalone Sentry configuration. The ActiveSync traffic is forwarded to the ActiveSync servers configured for that service. If the hostname entered in the Exchange setting does not match any ActiveSync service name configured on Standalone Sentry, the default service is used, and traffic is routed to the ActiveSync server associated with the default service.

Standalone Sentry certificate

Upload a separate Standalone Sentry certificate for each Standalone Sentry DNS entry, so that devices can trust the Standalone Sentry. Alternately, you can also do the following:

Upload a wild card certificate that covers the domains for all ActiveSync services on Standalone Sentry.

OR

Upload a certificate with one or more SAN names that cover the DNS Names of all ActiveSync services on Standalone Sentry.

You upload the Standalone Sentry certificate in the MobileIron Core Admin Portal. Go to Services > Sentry, and click the Manage Certificate link. For more information, see Uploading Sentry certificates.