We kept it simple because it's really just Outlook-type traffic for us. We used the Apple iPhone Configuration Utiity to set some minor restrictions like no iCloud, require a passcode and encrypted backups. We then set up a virtual port on the SA and require a client certificate to connect to the SA. The client certificate is distributed with the Apple .mobileconfig file. We then direct all ActiveSynctraffic through the virtual port to a Websense "Mobile Agent". It's not really an agent because it's a virtual server in our data center and it runs as an ActiveSync proxy. We apply our normal DLP policies to the ActiveSync traffic via the Websense Mobile Agent. If something gets blocked by DLP, the iPad user gets an email telling them to use their laptop or desktop to read the email. ... View more

I'm not sure what the XML export is for. When we've replaced hardware we were told we did not need it and we didn't. We just imported the Users and System and everything came back. Ray ... View more

What exactly does this mean: 'I tried generating a certificate from rapidssl.com" ? Did you go to their website and try to create the CSR there? If so, what is the precise URL?I wouldn't ever do that because it could mean that website has a copy of your private key. Ray ... View more

Going here: http://www.thawte.nl/en/support/test+your+csr/ shows your CSR as below. So however you think you're entering the data is not as it is really working. Are you using a Microsoft product to generate the CSR? If so, that's the problem. They show "Name" on the form when it's really "Common name" that should be entered. I've never seen Thawte return a CSR result that looks like this one. Ray Country: US Common name: - JN108FABBADA - 8087301706 - rsa-key - ive.acmegizmo.local - George Location: sdb9 Company name: Itac OU: Java Province: CA ... View more

We set up an SA2000 for ActiveSync using the v7R2 firmware. You must use a different URL than the one for regular remote access, maybe an A record or a CNAME record pointing to the same public IP address as used for remote access. Apple's iOS configuration can be set to ignore SSL certificate errors. You also need to create a separate URL that the one you use for Outlook Web Access. Even though it's the same internal server, the rewrite mechanism will break OWA if you use the same URL for ActiveSync. Since we don't have an SA700, your experience may vary. For our final configuration, we used a separate public IP address because we have a web application firewall in front of the SA2000 and we wanted to keep the rules as tight as possible. We also created a new Virtual Port and set it to require a client certificate to connect to the virtual port. The client certificate is ussued by our internal certificate authority. FWIW, Ray ... View more

We ended up giving up on the Android devices because we couldn't use the Pulse client since it doesn't really do anything on Android for ActiveSync. We decided to try the Apple devices and have had great success without the Pulse client. That thing was clobbering the battery life. We added a virtual port that requires a client-side certificate, a port we use solely for ActiveSync. We set up our internal Certificate Authority as trusted for Client Certificates. So now we can use an iPhone or iPad for ActiveSync "always on" and have a reasonable assurance that it is one of our devices connecting because it requires one of our certificates to even get past the new virtual port. Topping it off with a web application firewall watching the virtual port's HTTPS traffic has given even me a warm and fuzzy. :-) We did try setting up the original Motorola Droid the same way but it doesn't work with client certificates. As soon as we turn off the requirement for a client certificate on the virtual port it works, so we know everything else is OK. We were able to use a third-party Exchange client on the Droid, a product named Touchdown, but it is far more complicated to use than the built-in Droid client so we gave up on it. Maybe a later Android product would work; I don't know. Supporting Android will be far more challenging because of the different vendors making their own changes. Ray ... View more

I'm not sure you understood his question. He asked whether someone on the hotel LAN could access the iPad and route through it to their corporate network. Encryption between the iPad and the corporate network is irrelevant. I don't know whether it's possible or not. Ray ... View more

There is a major drawback to generating the Certificate Signing Request from the Juniper box itself; you cannot export the private key. If you want to put a web application firewall (WAF) in front of the Juniper box, you need to add the SSL certificate public and private keys to the WAF. If this will ever be a need, generate the CSR some other way, like from IIS. Then export the certificate from IIS as a PFX and use OpenSSL or another utility to convert it to the .PEM format that is importable into the Juniper box. (As I recall it's .PEM) This way you have the public and private keys that you can import into the WAF. Ray PS We used Verisign and it works well. ... View more

Thanks for the reply. OWA is already in use but it's seriously clunky compared to a real email client. We also noticed that the Pulse client is a serious battery drain. I messed around with the Authorization Only proxy and while it works well, it still leaves us with just AD credentials exposed to the Internet. We passed the traffic through a web app firewall for added protection but it still doesn't give me a warm and fuzzy. Do you know if there is a way to use a client certificate? I was able to get it installed but it doesn't do anything. The docs barely mention that you can configure an authentication server and the drop-down seems to support it, but it says something about an "msession" cookie or something similar. Do you know anything about this? Ray ... View more

While that may put in the correct date, if it's a SEPM managed system it will show as out of date there and end users may get the "Your defs are out of date" warning depending on where you have that set. They still don'thave a fix yet so we shut off the def date check. "Access with possibly old defs" or "No access for anyone" - Which is worse? Does anyone know what "updates out of date" really means in 6.4? I sure wish Juniper had just left it at "days out of date". Ray ... View more

October 22nd is for retail availability. Symantec had the same policy until someone pointed out that corporate volume licensing subscribers have had it since August. They then released the version of endpoint protection that supports Windows 7. That was around a month ago and it allowed us to continue testing Windows 7. Ray ... View more

Hi Kevin, I have no clue who that is and don't know how I would find out. They must not think we have a lot of money to spend. :-) Ray ... View more

Which precise version are you using? There are several supported major versions. Which ESAP version are you using? Ray ... View more

I can tell you that Firefox 3.0.6 seems to work OK with 6.2 R4.0, but we haven't done anything other than simply trying it. Ray ... View more

One royal pain is the anti-virus host checker being changed from "xx days old" to "xx updates old". Whereas fourteen days was acceptable to us before, the new setting only allows up to 10 updates old. Our anti-virus vendor sometimes kicks out a minor update every day or two, sometimes not, and setting the host checker to 3 updates old caused major problems for people who connect their computer to the Internet only once a week. Our executives a use desktop as their primary computer but have a laptop for weekend use or travelling only. I had to reset it to the maximum of 10 and I really have no idea how long that is in days. Potentially it could be ten weeks. <sigh> It looks like this change was introduced in v6.2. Ray ... View more

In this case, yes. The intermediate certificate has nothing to do with the certificate you bought. It allows the certificate you bought to be recognized properly. IE doesn't seem to care but Firefox will give a certificate error if you have not imported the intermediate certificate. On the Device Certificate page you'll see a link to import the intermediate certificate. Also see http://www.verisign.com/support/advisories/page_040611.html Ray ... View more

"B". We had to set the idle timeout to one minute less than the session timeout to stop this. My guess is the RDP traffic is below some threshold we cannot configure. It also is seriously annoying if someone is using OWA and composing a mesage. At least the session stays running when you log back in. When we were on Novell, reconnecting caused a logoff of the previous session. If someone was doing a long job, like copying files or mailboxes, they were very unhappy. Ray ... View more

v6.2R2.1 works fine with FireFox 3 for us. It's listed as "compatible" in one of the docs. For some reason, v6.2R3.0 has been yanked. It was present as a download for a few days but I noticed it was gone yesterday. Ray ... View more

Other than not getting too far out of date, is there a good reason to make the move? If the details in the release notes don't show anything that might affect you negatively and may help you, go for it. I'm running SA-2000's and 2500's on 6.1R4 and 6.2R2.1 respectively. We're not seeing anything odd but you may be using pieces-parts we aren't. Ray ... View more

You may have inadvertently just argued against the deployment practive of having the internal port on the LAN when using both ports. :-) If you use only the internal port, the traffic flow is this way: Internet HTTPS -> firewall -> internal port -> decrypted HTTP (and the IVE does its thing) decrypted HTTP/NC/Whatever -> Internal port -> firewall -> LAN Routing on the firewall and IVE control the flow of traffic even though we're just using one port. I then use firewall rules to inspect and control the traffic between the IVE and the LAN, something that is impossible if you put the internal port on the LAN. Ray ... View more

No gotchas at all. Only the internal interface is in use and that is the management interface also. I don't know if it's documented anywhere but it's been in use for almost two years with zero issues. Ray ... View more

We do ours using just the internal interface on a DMZ. That way we can monitor and control where the box can go on the internal network. Multi-homed stuff crossing security boundaries are always a concern to me. Ray ... View more