Running an SA-2000 with v7.0R2 firmware. We used the iPhone Pulse client and got ActiveSync working flawlessly in just a few hours while still being able to use SecurID for the login.
The Droid doesn't work and it appears to be that Pulse uses Network Connect in the background or has a network Connect-like functionality. In any event, the iPad and iPhone show with a source IP address of the private network range we assigned to the pool. The Droid just doesn't do anything except login.
We must retain SecurID logins for regulatory reasons. Is there any way at all to do this with an SA appliance? I really, really do not want to have to put in a second access method.
The SA can act as an ActiveSync proxy using the Authorization Only URL; however, if I am reading your description correctly, you are not wanting to do this as it relies on the backend Exchange infrastructure for auth and not SecurID.
You are correct that with Junos Pulse on iOS that there is an L3 VPN and you are able to connect to your internal servers directly (if that is what you are doing). Android does not allow for L3 VPN connectivity; this functionality is not present with the Junos Pulse for Android application.
Is using webmail an option inside Pulse (you should be able to have an email button configured)?
Thanks for the reply. OWA is already in use but it's seriously clunky compared to a real email client. We also noticed that the Pulse client is a serious battery drain.
I messed around with the Authorization Only proxy and while it works well, it still leaves us with just AD credentials exposed to the Internet. We passed the traffic through a web app firewall for added protection but it still doesn't give me a warm and fuzzy.
Do you know if there is a way to use a client certificate? I was able to get it installed but it doesn't do anything. The docs barely mention that you can configure an authentication server and the drop-down seems to support it, but it says something about an "msession" cookie or something similar. Do you know anything about this?
We ended up giving up on the Android devices because we couldn't use the Pulse client since it doesn't really do anything on Android for ActiveSync.
We decided to try the Apple devices and have had great success without the Pulse client. That thing was clobbering the battery life.
We added a virtual port that requires a client-side certificate, a port we use solely for ActiveSync. We set up our internal Certificate Authority as trusted for Client Certificates. So now we can use an iPhone or iPad for ActiveSync "always on" and have a reasonable assurance that it is one of our devices connecting because it requires one of our certificates to even get past the new virtual port. Topping it off with a web application firewall watching the virtual port's HTTPS traffic has given even me a warm and fuzzy. :-)
We did try setting up the original Motorola Droid the same way but it doesn't work with client certificates. As soon as we turn off the requirement for a client certificate on the virtual port it works, so we know everything else is OK. We were able to use a third-party Exchange client on the Droid, a product named Touchdown, but it is far more complicated to use than the built-in Droid client so we gave up on it. Maybe a later Android product would work; I don't know. Supporting Android will be far more challenging because of the different vendors making their own changes.