ActiveSync Protector Manual

AGAT Security Suite

Version 1.5.1.9

WWW.AGATSOLUTIONS.COM

1 Introduction 4
1.1 AG ActiveSync Filter - Features 5
1.2 AG ActiveSync Filter – Architecture 6
2 UAG / IAG install 6
3 TMG / ISA Install 8
3.1 Installing on ISA array members 9
3.2 Removing installation 9
4 Configuration 10
4.1 Starting up the GUI 10
4.2 Rules 10
4.3 Users 11
4.4 Servers 13
4.5 Defining web publishing (ISA/TMG only) 14
4.6 Configuring a rule 15
4.7 Known issues 18
4.8 Device types 19
5 AG Mobile Access Controller - introduction 19
6 Mobile Access Control installation 20
6.1 Database 22
6.2 Site 22
6.3 WEB Service 23
6.4 ActiveSync filter configuration 24
6.5 Mobile Access Control Filter 24
7 Mobile access control configuration 24


7.1 Automatic Self Enrollment 24
7.2 Self-Enrollment Registration 25
7.3 Smart Card Enrollment 27
8 Mobile Access Control site admin 28
9 Troubleshooting 31


1 Introduction

AG ActiveSync Filter is a solution for controlling who and what to sync when users connect to an Exchange server with mobile devices.

More and more companies encourage their employees to work with their mobile devices, implementing a Bring Your Own (BYO) strategy to save money and improve efficiency. Typically, Exchange is configured to support OTA (Over The Air) ActiveSync. From a security point of view, however, mobile smart phones are in fact mini computers and should be treated as a potential threat.

The filter offers both content filtering and access control features.

An optional component offered with the filter is the Mobile Access Controller. This component is needed in two cases:

a. When enterprise enrollment requires a self-registration process to avoid admin overhead.
b. When certificate authentication is used instead of AD credentials.


1.1 AG ActiveSync Filter - Features

Content Filtering

1. Managing filter rule configuration by device type (iPhone, Windows Mobile, etc.) and/or by the user's Active Directory group membership.
2. Allowing or blocking synchronization of the following objects: mail messages, contacts, tasks and calendar events.
3. Allowing or blocking synchronization of attachments in mail messages or events.
4. Managing specific file types to be synced.
5. Filtering by words in the subject of mail and calendar events.
6. Allowing meeting requests to be published even when mail is blocked.
7. Filtering by the sender's domain name.

Access Control

1. Verifying that the user and device ID match (Two Factor Authentication).
2. Managing a white list of allowed users.
3. Allowing or blocking by device type and/or by the user's Active Directory group membership.


1.2 AG ActiveSync Filter – Architecture

The following diagram displays a typical architecture for implementing the ActiveSync filter.

2 UAG / IAG install

1. Make sure MSXML 6.0 is installed on the system (check that the file %windir%\system32\msxml6.dll exists). You can download MSXML 6.0 from Microsoft's website if necessary.
2. Run vcredist_x86.exe (on 32-bit machines) or vcredist_x64.exe (on 64-bit machines) to install the Visual C++ 2008 runtime.
3. Place the following DLLs in a folder which appears in the PATH, such as %windir%\system32:
   wbxml2.dll
   libexpat.dll
   (Make sure there are no other versions of these DLLs in the system path.)
4. Place the content of the setup admin folder (ActiveSyncAdmin.exe, FPCLib.dll, start-IAG-UAG-ActiveSyncAdmin.bat) in the following folder:
   <UAG-INSTALLATION>\von\conf\WebSites\<TRUNK-NAME>\Conf


5. Place the ActiveSyncWFE.dll DLL from the setup filter folder in
   <UAG-INSTALLATION>\von\conf\WebSites\<TRUNK-NAME>\Bin
6. In the folder <UAG-INSTALLATION>\von\conf\WebSites\<TRUNK-NAME>\Conf create a subfolder named CustomUpdate if it doesn't exist.
7. Copy WFEList.xml from the Conf parent folder into the CustomUpdate subfolder and edit it as follows: add a new <DLL> node as a child of the <DLL_NAMES> node, with the dll_name attribute set accordingly.
8. Send the full computer name to support@agatsolutions.com and receive a license file (.lic).
9. Put the license file (.lic) you received from support@agatsolutions.com in the Conf folder. Make sure it is named WhlFiltActiveSyncEx.lic.
10. Run the configuration utility using the shortcut in the Conf folder and adjust filter settings as needed. When you're done, click Save. The configuration file will be created if it didn't exist before.
11. You can modify the message displayed when a user is blocked in the first two lines of the following file:
   C:\Whale-Com\e-Gap\von\InternalSite\Languages\sample_default.xml
12. Restart IIS.
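Steps 1 and 3 of the procedure above can be verified before the admin utility is started. The following Python script is an added example, not part of the AGAT manual or product: it checks that msxml6.dll is present under the Windows directory and that each DLL the filter needs appears in exactly one PATH directory, since a second copy earlier on the PATH is the one Windows would actually load. The directory tree it builds in demo() is constructed for the demonstration.

```python
import os
import tempfile

# DLLs the manual requires on the PATH (step 3) and the MSXML 6.0 file (step 1).
REQUIRED_DLLS = ("wbxml2.dll", "libexpat.dll")


def find_dll_copies(dll_names, path_dirs):
    """Map each DLL name to the PATH directories (in search order) holding a copy.

    Windows resolves an unqualified DLL name by walking PATH in order, so an
    extra copy in an earlier directory silently wins over the one you installed.
    That is why the manual insists no other version exists on the system path.
    """
    found = {name: [] for name in dll_names}
    for directory in path_dirs:
        if not directory:
            continue
        for name in dll_names:
            if os.path.isfile(os.path.join(directory, name)):
                found[name].append(directory)
    return found


def check_prerequisites(windir, path_dirs, dll_names=REQUIRED_DLLS):
    """Return a list of problems found; an empty list means steps 1 and 3 are satisfied."""
    problems = []
    msxml = os.path.join(windir, "system32", "msxml6.dll")
    if not os.path.isfile(msxml):
        problems.append(f"MSXML 6.0 missing: {msxml} not found")
    for name, dirs in find_dll_copies(dll_names, path_dirs).items():
        if not dirs:
            problems.append(f"{name} not found in any PATH directory")
        elif len(dirs) > 1:
            problems.append(f"{name} found in {len(dirs)} PATH directories; "
                            f"Windows would load the copy in {dirs[0]}")
    return problems


def demo():
    """Check a constructed directory tree that mimics a half-finished install.

    msxml6.dll is present, wbxml2.dll exists in two PATH directories (a version
    conflict) and libexpat.dll was never copied, so two problems are expected.
    """
    with tempfile.TemporaryDirectory() as root:
        windir = os.path.join(root, "Windows")
        system32 = os.path.join(windir, "system32")
        tools = os.path.join(root, "Tools")
        os.makedirs(system32)
        os.makedirs(tools)
        for path in (os.path.join(system32, "msxml6.dll"),
                     os.path.join(system32, "wbxml2.dll"),
                     os.path.join(tools, "wbxml2.dll")):
            open(path, "wb").close()  # empty placeholder files stand in for the DLLs
        return check_prerequisites(windir, [system32, tools])


if __name__ == "__main__":
    # On a real machine run:
    # check_prerequisites(os.environ["WINDIR"], os.environ["PATH"].split(os.pathsep))
    for problem in demo():
        print(problem)
```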


3 TMG / ISA Install

1. Run vcredist_x86.exe (on 32-bit machines) or vcredist_x64.exe (on 64-bit machines) to install the Visual C++ 2008 runtime.
2. Copy the following files to the ISA/TMG folder, usually C:\Program Files\Microsoft ISA Server:
   ActiveSyncWebFilter.dll
   wbxml2.dll
   libexpat.dll
   ActiveSyncWebFilterAdmin.exe
   start-TMG ISA-ActiveSyncAdmin.bat
   FPCLib.dll
3. Make sure that ISA/TMG has permission to access these files.
4. Run regsvr32 on ActiveSyncWebFilter.dll (click Start -> Run, type regsvr32, drag ActiveSyncWebFilter.dll into the text box and press Enter).
   Note: Seeing a configuration error issued by the filter at this point is normal, since the filter configuration is not saved until the next step.
5. Send the full computer name to support@agatsolutions.com and receive a license file (.lic).
6. Put the license file (.lic) you received from support@agatsolutions.com in the ISA/TMG folder. Make sure it is named ActiveSyncWebFilter.lic.
7. Put the license file (.lic) you received from Agat in the ISA/TMG folder. Make sure it is named ActiveSyncWebFilter.lic.
8. Run the configuration utility according to the instructions under Configuration and save the configuration.


9. If you have other ISA/TMG servers in the array, follow the steps described under Installing on ISA array members.

3.1 Installing on ISA array members

Following the instructions in the Installation section installs the filter on the ISA array member where you ran the commands. However, if you have more than one member in the ISA array, you still need to install the filter on the other array members.

On each array member other than the one where you ran the Installation commands, follow these steps:

1. Run vcredist_x86.exe (on 32-bit machines) or vcredist_x64.exe (on 64-bit machines) to install the Visual C++ 2008 runtime.
2. Copy the following files to the ISA folder, usually C:\Program Files\Microsoft ISA Server:
   ActiveSyncWebFilter.dll
   wbxml2.dll
   libexpat.dll
3. Make sure that ISA server has permission to access these files.
4. Run the included RegisterFilterInArrayMember.js script.

3.2 Removing installation

Follow these steps to remove Agat ActiveSync Web Filter from the computer:

1. If you have other ISA servers in the array, run the included UnregisterFilterInArrayMember.js script on each of the servers.
2. Run the following command:
   regsvr32 /u "c:\Program Files\Microsoft ISA Server\ActiveSyncWebFilter.dll"
3. Delete the DLLs and exe files that you copied during installation. (You may need to restart ISA before it will let you delete all the DLLs.)


4 Configuration

4.1 Starting up the GUI

Simply run start-TMG ISA-ActiveSyncAdmin.bat or start-UAG IAG-ActiveSyncAdmin.bat.

Note for ISA/TMG: after you click Save, ISA may take some time to reload and apply the new configuration, depending on its Array Configuration Storage settings.

Note for IAG/UAG: make sure the current working directory is <UAG-INSTALLATION>\von\conf\WebSites\<TRUNK-NAME>\Conf.

Note for IAG/UAG: restart IIS after changing configuration settings.

4.2 Rules

Rules are defined for device type (PPC, iPhone, etc.) and/or Active Directory group membership. The rule defines how to handle the content request.

Main rule window:


Note: The web publishing rule tab and the advanced options are relevant only to TMG / ISA.

Use the arrows to re-order the rules to fit your needs. Top rules are processed first; once a request fits a rule, processing stops and that rule is applied. Devices that don't match any rule are rejected, i.e. they have no access to the Exchange server.

After you save the configuration file, restart IIS to apply the new configuration.

4.3 Users

The Users tab handles the users that have access to perform ActiveSync and verifies that they do so with the registered device ID. Verifying that the device ID matches the user prevents someone with access to the user's credentials from syncing using a different phone (device ID). This feature provides Two Factor Authentication (TFA) using something you know and something you have.

The ActiveSync filter includes basic support for this feature using a text file containing the username and the device ID approved for this user. For more advanced and enterprise enrollment options it is recommended to use the Mobile Access Control module.

To use the basic enrollment, check the "Each user can…" option, choose the file-based enrollment option and then click the User file settings button.


Creating a user list file can be done in two ways (manually):

a. Running in Training mode: selecting this option will allow performing ActiveSync but will write to the Rejects file the username and device ID that performed the request.
b. Using the rejects file list: this file stores all the requests that were rejected by the filter.

The rejects file is in the same format as the users file, so you can cut-and-paste between the files.
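The user/device-ID binding described in this section, as an added Python example that is not the product's code or the manual's: it loads a users file, refuses a request whose device ID is not the one enrolled for that user (the second factor), and records unknown pairs in users-file format so they can be pasted back, with Training mode allowing the request while still recording it. The manual does not document the real file layout, so the "username whitespace deviceID" line format, the '#' comment convention and the case-insensitive username comparison are assumptions; the account names and device IDs are constructed.

```python
# Constructed users file in an assumed "username<whitespace>deviceID" format.
SAMPLE_USERS_FILE = """
# username        device ID approved for that user
CORP\\alice       Appl7XJ9ABC1
CORP\\bob         Appl8KQ2DEF2
"""


def parse_user_file(text):
    """Return {username_lower: set(device_ids)} from users-file text.

    Windows account names are case-insensitive, so usernames are folded to
    lower case (an assumption about the filter); device IDs are kept verbatim.
    Blank lines, '#' comments and malformed lines are skipped.
    """
    approved = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        user, device_id = parts[0], parts[1]
        approved.setdefault(user.lower(), set()).add(device_id)
    return approved


class DeviceBindingCheck:
    """Second-factor check: the device ID must be the one enrolled for the user.

    Valid credentials alone are not enough; a different phone (device ID) is
    refused, which is the protection the Users tab provides.
    """

    def __init__(self, approved, training_mode=False):
        self.approved = approved
        self.training_mode = training_mode
        self.rejects = []  # lines in users-file format, ready to cut-and-paste

    def authorize(self, user, device_id):
        """Return (allowed, reason). Unknown user/device pairs are appended to rejects."""
        devices = self.approved.get(user.lower())
        if devices is None:
            reason = "user not enrolled"
        elif device_id in devices:
            return True, "user/device match"
        else:
            reason = "device ID does not match enrolled device"
        line = f"{user}\t{device_id}"
        if line not in self.rejects:
            self.rejects.append(line)
        if self.training_mode:
            # Training mode lets the sync through but records the pair for review.
            return True, f"training mode: allowed and recorded ({reason})"
        return False, reason
```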


4.4 Servers

The Servers tab is used to define the LDAP connection to be used for the Group filtering option in the first (General) tab.


4.5 Defining web publishing (ISA/TMG only)

For ISA/TMG you can define the web publishing rules that you want the filter to run on. This is done in the Web Publishing tab.


4.6 Configuring a rule

General tab

In the General tab of the rule you can set the device type that the rule applies to and/or the user's Active Directory group membership.


Action tab

In the mail handling section you can choose the mail handling method:

- Don't filter calendar related mail: do not block meeting requests.
- Block all mails: block all mails, both regular emails and meeting requests.

In the non-mail section you can choose whether to block Calendar, Tasks or Contacts.

In the attachment section you can choose to remove attachments. This option applies to mail objects and to meeting request (calendar) objects. In the list below you can define exceptions by file type.

Tip: To add a file type, right-click on the available list area to add a new value.


Extension tab

In the Extensions tab you can:

- Block mails by origin, for example blocking internal mails only.
- Truncate mail with specific words in the subject. Define the length to truncate to; if set to zero, the body is completely blocked.


4.7 XML-only tweaks

This section includes features not supported by the admin UI that should be configured by manually editing the config XML.

In UAG/IAG it is located in the conf folder.

In ISA/TMG you must export the XML (from the Advanced menu at the top right corner of the admin utility) and then import it back. Importing an XML can be done by running the following command in the admin folder where importConfig.js is located:

cscript importConfig.js ActiveSyncWebFilter.dll <Path to XML Configuration File>

4.7.1 Blocking inline messages

This option prevents sending messages within messages. These are shown in Outlook as attachments containing an Outlook message.

4.7.2 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software.

For each header you want to block, add the following child element to the mail element (inside the appropriate rule):

<blockHeader name="Header Name" contains="Block Value" />

The contains attribute can be either a plain string or a regular expression (with Perl syntax). If the string or regular expression is found (contained) in the header, the message will be blocked. If you need an exact match, start the contains attribute with a ^ character and end it with a $ character, e.g. <blockHeader name="Header Name" contains="^Exact$" />. The matching is case-insensitive.

Full example:

<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
</mail>


The ability to request mail headers depends on the client. Some devices (e.g. iPhone) will display the message title but not its contents, while others might not request the header, and therefore the message will not be blocked.
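To see how blockHeader rules behave on real header values, here is an added Python example (not the product's code or the manual's). It loads the <blockHeader> children of a <mail> element and applies the semantics stated above: the contains value is treated as a regular expression searched anywhere in the header, case-insensitively, so ^...$ yields an exact match; a header the client never requested cannot match, which is the client dependence noted in the last paragraph. The third rule and all header values are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed <mail> element: the manual's two rules plus one anchored (exact-match) rule.
SAMPLE_MAIL_XML = """
<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
  <blockHeader name="X-Classification" contains="^Internal$" />
</mail>
"""


def load_block_headers(mail_xml):
    """Return [(header_name, compiled_pattern)] from the <blockHeader> children.

    The manual says contains= is a plain string or a Perl-syntax regular
    expression, that a match means the pattern is found anywhere in the header
    value, and that matching is case-insensitive. A plain string without regex
    metacharacters behaves the same whether searched literally or as a regex,
    so every value is compiled with re.IGNORECASE and applied with search().
    """
    root = ET.fromstring(mail_xml)
    return [(node.get("name"), re.compile(node.get("contains"), re.IGNORECASE))
            for node in root.findall("blockHeader")]


def blocking_header(rules, headers):
    """Return the name of the first blockHeader rule the message trips, or None.

    headers maps header name -> value as the client requested them. Header
    names are compared case-insensitively (RFC 5322 header names are). A header
    the client did not request is simply absent and therefore cannot block.
    """
    by_name = {k.lower(): v for k, v in headers.items()}
    for name, pattern in rules:
        value = by_name.get(name.lower())
        if value is not None and pattern.search(value):
            return name
    return None


if __name__ == "__main__":
    rules = load_block_headers(SAMPLE_MAIL_XML)
    for hdrs in ({"Confidential Level": "TOP SECRET"},
                 {"X-Classification": "Internal only"},
                 {"Subject": "lunch"}):
        print(hdrs, "->", blocking_header(rules, hdrs))
```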

4.8 Known issues

IAG doesn't give any indication if the filter fails to load for some reason (e.g. missing DLLs). If there's an error while loading the configuration, the filter terminates the containing IIS process.

4.9 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol, it sends its Device Type to the server. The ActiveSync filter uses this string to handle different devices in different ways based on their types.

Here are the Device Types for common mobile devices:

- Apple iPhone: iPhone
- Windows Mobile: PPC, PocketPC (note: both Device Types are used by the same device in different phases of the protocol)
- Nokia: IMEI*, where the * stands for a device-specific string. That is, different devices of the same model have different Device Types, but they all begin with the IMEI prefix. The configuration utility allows you to match Device Types by prefix, so you can select IMEI as the prefix to match Nokia devices.
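The rule evaluation described in sections 4.2 and 4.9 (rules processed top-down, first match applied, unmatched devices rejected, device types matched exactly or by prefix, optional AD group condition), as an added Python example that is not the product's code or the manual's. The rule names, actions, group names and the IMEI-style Nokia device string are constructed; the real filter's action model is richer than the single action string used here.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    device_types: Tuple[str, ...] = ()    # () = any device type
    prefix: bool = False                  # True: device type need only start with a listed value
    groups: FrozenSet[str] = frozenset()  # empty = any user
    action: str = "full sync"             # constructed content-handling action for the demo


def rule_matches(rule: Rule, device_type: str, user_groups: FrozenSet[str]) -> bool:
    """A rule matches when both its device-type and its group conditions hold."""
    if rule.device_types:
        if rule.prefix:
            # Prefix match, e.g. "IMEI" selects every Nokia Device Type "IMEI*".
            if not any(device_type.startswith(p) for p in rule.device_types):
                return False
        elif device_type not in rule.device_types:
            return False
    if rule.groups and not rule.groups.intersection(user_groups):
        return False
    return True


def evaluate(rules, device_type: str, user_groups) -> Optional[Rule]:
    """Walk the rules top-down; the first match decides, None means the request is rejected."""
    groups = frozenset(user_groups)
    for rule in rules:
        if rule_matches(rule, device_type, groups):
            return rule
    return None


# Constructed rule set, in the order it would appear in the main rule window.
SAMPLE_RULES = (
    Rule("Executives on iPhone", ("iPhone",), groups=frozenset({"Executives"}), action="full sync"),
    Rule("Everyone else on iPhone", ("iPhone",), action="mail without attachments"),
    # Windows Mobile reports PPC or PocketPC depending on the protocol phase.
    Rule("Windows Mobile", ("PPC", "PocketPC"), action="mail and calendar only"),
    Rule("Nokia", ("IMEI",), prefix=True, action="calendar only"),
)


if __name__ == "__main__":
    for device, groups in (("iPhone", {"Executives"}), ("PocketPC", set()),
                           ("IMEI356938035643809", {"Staff"}), ("Android", {"Executives"})):
        hit = evaluate(SAMPLE_RULES, device, groups)
        print(device, "->", hit.name if hit else "REJECTED (no matching rule)")
```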

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead, and for more advanced enrollment options, it is recommended to add the Mobile Access Control module to the solution. The module uses a DB & web site to support the following enrollment options:

Automatic Self Enrollment: the device ID is registered upon first use. In this case the web site is only for admin usage and is used to allow deleting users and tracking the registration process. This enrollment is done transparently for the user.


Self-Enrollment Registration: a tighter approach in which the user must first register on an internal site and then must sync within a defined time frame to complete registration.

Smart Card Enrollment: this enrollment is needed when the customer works with strong authentication rather than user name and password, or when different credentials are needed in order to protect the real AD account from being locked due to too many failures. The user creates credentials on an internal site (using strong login to view the site). The created credentials are then used for authenticating against the filter, and the filter performs the logon (Kerberos) to Exchange on behalf of the user.

6 Mobile Access Control installation

Note: The product development name for Mobile Access Control is Angel.

Typical architecture:


Certificate enrollment architecture

6.1 Database

1. Create a new MSSQL database or use an existing one.
2. Open the attached SQL script (SQLCreate.sql).
3. In the settings (last) section of the script, set values according to your needs.
   Note: Only users listed in the Admins value will see the link for the settings in the web site.
4. Run the script.

6.2 Site

1. Copy the Angel folder to your web folder (e.g. c:\inetpub\wwwroot).


2. Change AngelConnectionString in web.config to fit your system settings. If you choose to use an integrated connection string, verify that the user running the application pool of the site has access to the DB.
3. Create a virtual directory in IIS for the Angel site.
4. Disable anonymous authentication in the site.
5. For Windows authentication, make sure the site is configured for it.
6. If you use Smart Card Authentication, configure your site to "Require User Certificate" and also provide a valid certificate for the server.
7. Users should browse to http://[hostname]/angel/default.aspx
8. Admins should browse to http://[hostname]/angel/admin/userslist.aspx

6.3 WEB Service

Note: The web services are required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a Web Service to provide data to ActiveSyncFilter.
2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).
3. Change AngelConnectionString in web.config to fit your system settings.


4. Create a virtual directory in IIS for the AngelServicesWebHost site.
5. Provide the path to ActiveSyncFilter: <your server path>/AngelServicesWebHost/AngelSrv.svc

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter (on the ForeFront machine) and a back-end consumer on the Exchange server. For detailed installation instructions, please contact support@agatsolutions.com.

7 Mobile access control configuration

7.1 Automatic Self Enrollment

Select the following options for this enrollment process:


7.2 Self-Enrollment Registration

For enrollment based on Active Directory username and password, the web site is configured to use Windows authentication.

The user logs into the site and starts the registration process by clicking the Register button. Once the button is clicked, the user must perform an ActiveSync operation from his device within the defined time frame. The filter then registers the device ID in the DB, linked to the user, for the ongoing authentication.

Select the following options for this enrollment:


In this case the user should log in to the following URL, http://[servername]/angel, and will see this site:


7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where username and password are not managed in Active Directory and it is impossible or complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs into the site he creates (or auto-generates) a username and password. After clicking the Create button he must perform an ActiveSync operation within a defined time frame. During the first operation the device ID is registered and linked to the user.

During the ongoing authentication the user enters the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. The AG Mobile Access Control filter then performs a login to the Exchange server using the AG Auth consumer filter installed on the Exchange server.

To configure Smart Card enrollment, select the same options as for Self-Enrollment Registration and change the site settings mode to SCA (Smart Card Logon).

When the user browses to the Angel site URL he will see something like this:


8 Mobile Access Control site admin

The admin page is located at the following URL:

http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button. Every admin user that has access to the admin page will see only the users from his own domain. Only the user listed in the web.config <appSettings> admin value will see all users.


Pressing Edit Settings will display the following window. The settings, each with the enrollment type it is relevant to, are:

Admins (all enrollment types): users that are allowed to access the EDIT tab in the admin site. Enter as domain\user, or enter the string Everyone to allow anyone with access to the admin site to change settings.

Type (self enrollment, smart card): the authentication type. Windows Authentication is used for self enrollment. For smart card: SCA = Smart Card Authentication; SCASimulation simulates the smart card enrollment without needing to define the site as smart card, which is good for just using different credentials than AD.

DefaultLanguage (all enrollment types): en or heb.

LoginLength (smart card): length of the user name.

PassLength (smart card): password length.

Timeout (smart card, self-enrollment): minutes to sync from registration.

Usedomain (smart card, self-enrollment): enter yes to allow displaying users only from your domain.

UserNamePrefix (smart card): adds a prefix to the user name.

You can also manage users from the filter console by pressing the Manage users button.


9 Troubleshooting

The filter will write debugging traces into C:\WhlFiltActiveSyncEx.log.txt if that file exists. You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged, for IAG/UAG only, when the trace level is ALL. Requests are logged in the C:\aslogs directory if it exists and is set up with the correct permissions.

For further help please contact <support@agatsolutions.com>.

WWWAGATSOLUTIONSCOM

Page 2 of 31

1 Introduction 4

11 AG ActiveSync Filter - Features 5

12 AG ActiveSync Filter ndash Architecture 6

2 UAG IAG install 6

3 TMG ISA Install 8

31 Installing on ISA array members 9

32 Removing installation 9

4 Configuration 10

41 Starting up the GUI 10

42 Rules 10

43 Users 11

44 Servers 13

45 Defining web publishing (ISATMG only) 14

46 Configuring a rule 15

47 Known issues 18

48 Device types 19

5 AG Mobile Access Controller - introduction 19

6 Mobile Access Control installation 20

61 Database 22

62 Site 22

63 WEB Service 23

64 ActiveSync filter configuration 24

65 Mobile Access Control Filter 24

7 Mobile access control configuration 24

WWWAGATSOLUTIONSCOM

Page 3 of 31

71 Automatic Self Enrollment 24

72 Self-Enrollment Registration 25

73 Smart Card Enrollment 27

8 Mobile Access Control site admin 28

9 Troubleshooting 31

WWWAGATSOLUTIONSCOM

Page 4 of 31

1 Introduction

AG ActiveSync Filter is a solution for controlling who and what to Sync when users connect

to Exchange server with mobile devices

More and more companies encourage their employees to work with their mobile devices

implementing Bring Your Own (BYO) strategy to save money and improve efficiency

Typically the Exchange is configured to support OTA ActiveSync (Over The Air)

But from a security point of view mobile smart phones are in fact mini computers and should be

treated from a security aspect as a potential threat

The filter offers both content filtering and access control features

An optional component offered with the filter is the Mobile Access Controller

This component is needed in two cases

a When enterprise enrollment requires a self-registered process to avoid admin overhead

b Certificate authentication is used instead of AD credentials

WWWAGATSOLUTIONSCOM

Page 5 of 31

11 AG ActiveSync Filter - Features

Content Filtering

1 Managing filter rules configuration by device type (iPhone windows mobile etc) andor by

users active directory group membership

2 Allowing or blocking synchronization of the following objects Mail messages Contacts

Tasks and calendar events

3 Allowing or blocking synchronization of attachments in mails messages or events

4 Managing specific file types to be synced

5 Filtering by words in subject of mail and calendar events

6 Allowing meeting requests to be published even when mail is blocked

7 Filtering by the senders domain name

Access Control

1 Verify that user and device ID match (Two Factor Authentication)

2 Managing a white list of allowed users

3 Allowing or blocking by device type andor by users active directory group membership

WWWAGATSOLUTIONSCOM

Page 6 of 31

12 AG ActiveSync Filter ndash Architecture

The following diagram displays a typical architecture of implementing the ActiveSync filter

2 UAG IAG install

1 Make sure MSXML 60 is installed on the system (Check that the file

windirsystem32msxml6dll exists)

You can download MSXML 60 from Microsofts website if necessary

2 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

3 Place the following DLLs in a folder which appears in the PATH such as

windirsystem32

wbxml2dll

libexpatdll

(Make sure there are no other versions of the DLLs in the system path)

4 Place the setup admin folder content ( ActiveSyncAdminexe FPCLibdll start-IAG-

UAG-ActiveSyncAdminbat ) to the following folder

UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEConf

WWWAGATSOLUTIONSCOM

Page 7 of 31

5 Place the ActiveSyncWFEdll DLL from the setup filter folder to

UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEBin

6 In the folder UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEConf create a

subfolder named CustomUpdate if it doesnt exist

7 Copy WFEListxml from the conf parent folder into the CustomUpdate subfolder and edit

it as follows

Add a new ltDLLgt node as a child node of ltDLL_NAMESgt node with the dll_name

attribute set accordingly

8 Send the full computer name to supportagatsolutionscom and receive a license file (lic)

9 Put the license file (lic) you received from supportagatsolutionscom in the Conf folder

Make sure it is named WhlFiltActiveSyncExlic

10 Run the configuration utility using the shortcut in the Conf folder and adjust filter settings

as needed When youre done click Save The configuration file will be created if it didnt

exist before

11 You can modify the message displayed when user is blocked in the first two lines of the

following file

CWhale-Come-GapvonInternalSiteLanguagessample_defaultxml

12 Restart IIS

WWWAGATSOLUTIONSCOM

Page 8 of 31

3 TMG ISA Install

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISATMG folder usually CProgram FilesMicrosoft ISA

Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

ActiveSyncWebFilterAdminexe

start-TMG ISA-ActiveSyncAdminbat

FPCLibdll

3 Make sure that ISATMG has permission to access these files

4 Run regsvr32 on ActiveSyncWebFilterdll (Click on Start -gt Run Type regsvr32 drag

ActiveSyncWebFilterdll into the text box and press Enter)

Note

Seeing a configuration error issued by the filter at this point is normal since the filter

configuration is not saved until the next step

5 Send the full computer name to supportagatsolutionscom and receive a license file (lic)

6 Put the license file (lic) you received from supportagatsolutionscom in the ISATMG

folder Make sure it is named ActiveSyncWebFilterlic

7 Put the license file (lic) you received from Agat in the ISATMG folder Make sure it is

named ActiveSyncWebFilterlic

8 Run the configuration utility according to the instructions under Configuration and save

the configuration

WWWAGATSOLUTIONSCOM

Page 9 of 31

9 If you have other ISATMG servers in the array follow the steps described under

Installing on ISA array members

31 Installing on ISA array members

Following the instructions in the Installation section installs the filter in the ISA array member

where you ran the commands However if you have more than one member in the ISA array you

still need to install the filter on the other array members

On each array member other than the one where you ran the Installation commands follow

these steps

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISA folder usually CProgram FilesMicrosoft ISA Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

3 Make sure that ISA server has permission to access these files

4 Run the included RegisterFilterInArrayMemberjs script

32 Removing installation

Follow these steps to remove Agat ActiveSync Web Filter from the computer

1 If you have other ISA servers in the array run the included

UnregisterFilterInArrayMemberjs script on each of the servers

2 Run the following command regsvr32 u cProgram FilesMicrosoft ISA

ServerActiveSyncWebFilterdll

3 Delete the DLLs and exe files that you copied during installations (You may need to

restart ISA before it will let you delete all the DLLs)

WWWAGATSOLUTIONSCOM

Page 10 of 31

4 Configuration

41 Starting up the GUI

Simply run the start-TMG ISA-ActiveSyncAdminbat or the start-UAG IAG-ActiveSyncAdminbat

Note for ISATMG - After you click Save ISA may take some time to reload and apply the

new configuration depending on its Array Configuration Storage settings

Note for IAGUAG - Make sure the current working directory is UAG-

INSTALLATIONvonconfWebSitesTRUNK-NAMEConf

Note for IAGUAG ndash restart IIS after changing configuration settings

42 Rules

Rules are defined for Device type (PPC iPhone etc) and or active directory group membership

The rule defines how to handle the content request

Main rule window

WWWAGATSOLUTIONSCOM

Page 11 of 31

Note The web publishing rule tab and the advanced options are relevant only to TMG ISA

Use the arrows to re-order the rules to fit your needs

Top rules are processed first and once a request fits a rule processing is stopped and the rule is

applied

Devices that dont match any rule are rejected ie they have no access to the Exchange server

After you save the configuration file restart IIS to apply the new configuration

43 Users

The users tab handles the users that have access to perform ActiveSync and verifies that they do so

with the registered device ID

Verifying that the device ID matches the user prevents someone with access to the users

credentials from syncing using a different phone (device ID)

This feature provides a Two Factor Authentication (TFA) using something you know and

something you have

The ActiveSync filter includes basic support of this feature using a text file containing the

username and the device ID approved for this user

For more advanced and enterprise enrollment options it is recommended to use the mobile access

control module

To use the basic enrollment- check the Each use canhellip and choose the file based enrollment

option Then click on the User file settings button

WWWAGATSOLUTIONSCOM

Page 12 of 31

Creating a user list file can be done in two ways (Manually)

a Running in Training mode - selecting this option will allow performing ActiveSync but will

write to the Rejects file the username and device ID that preformed the request

b Using the rejects file list - this file stores all the requests that were rejected by the filter

The rejects file is in the same format as the users file so you can cut-and-paste between the files

4.4 Servers

The Servers tab is used to define the LDAP connection to be used for the Group filtering option in the first (General) tab.

4.5 Defining web publishing (ISA/TMG only)

For ISA/TMG you can define the web publishing rules that you want the filter to run on. This is done in the Web Publishing tab.

4.6 Configuring a rule

General tab

In the General tab of the rule you can set the device type that the rule applies to and/or the user's Active Directory group membership.

Action tab

In the mail handling section you can choose the mail handling method:

Don't filter calendar related mail - do not block meeting requests.

Block all mails - block all mails, both regular emails and meeting requests.

In the non-mail section you can choose whether to block Calendar, Tasks or Contacts.

In the attachment section you can define to remove attachments. This option applies to mail objects and to meeting request calendar objects.

In the list below you can define exceptions by file types.

Tip: To add a file type, right click on the available list area to add a new value.

Extension tab

In the Extensions tab you can:

Block mails by origin - blocking, for example, internal mails only.

Truncate mail with specific words in the subject.

Define the length to truncate. If set to zero, the body is completely blocked.

4.7 XML-only tweaks

This section includes features not supported by the admin UI that should be configured by manually editing the config XML.

In UAG/IAG it is located in the Conf folder.

In ISA/TMG you must export the XML (from the Advanced menu at the top right corner of the admin) and then import it back.

Importing an XML can be done by running the following command in the admin folder where importConfig.js is located:

cscript importConfig.js ActiveSyncWebFilter.dll <Path to XML Configuration File>

4.7.1 Blocking inline messages

This option prevents sending messages within messages. These are shown as attachments in Outlook with an Outlook message.

4.7.2 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software.

For each header you want to block, add the following child element to the mail element (inside the appropriate rule):

<blockHeader name="Header Name" contains="Block Value" />

The contains attribute can be either a plain string or a regular expression (with Perl syntax). If the string or regular expression is found (contained) in the header, the message will be blocked. If you need an exact match, start the contains attribute with a ^ character and end it with a $ character, e.g. <blockHeader name="Header Name" contains="^Exact$" />

The matching is case-insensitive.

Full example:

<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
</mail>

The ability to request mail headers depends on the client. Some devices (e.g. iPhone) will display the message title but not its contents, while others might not request the header and therefore the message will not be blocked.
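The blockHeader semantics just described (contained match, Perl-style regular expression, ^...$ for an exact match, case-insensitive, and no block when the client never requested the header), as an added Python example that is not the filter's own code. Python's re module stands in for the filter's Perl-syntax engine (an assumption; the two agree on the constructs used here), header names are compared case-insensitively as mail header names are (also an assumption about the filter), and the third rule and the sample header values are constructed for the example.

```python
"""Added example (not AGAT's code): evaluating <blockHeader> rules from a <mail> element.

The manual states that 'contains' is a plain string or a Perl-syntax regular expression,
that a message is blocked when the pattern is found anywhere in the named header, that
^...$ forces an exact match, that matching is case-insensitive, and that a header the
client never requested cannot trigger a block. Python's re module is used here in place
of the filter's Perl-syntax engine (an assumption; the two agree on the constructs shown),
and header names are compared case-insensitively, as mail header names are. The third
rule and the sample messages are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

RULE_XML = """\
<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="^Top Information$" />
  <blockHeader name="X-Classification" contains="restricted|internal[- ]only" />
</mail>
"""


class BlockHeaderRule:
    def __init__(self, name: str, contains: str) -> None:
        self.name = name
        # search() rather than match()/fullmatch(): 'contained in the header' semantics,
        # so an exact match needs the ^...$ anchors exactly as the manual says.
        self.pattern = re.compile(contains, re.IGNORECASE)

    def blocks(self, value: str) -> bool:
        return self.pattern.search(value) is not None


def load_block_headers(mail_xml: str) -> List[BlockHeaderRule]:
    """Parse the <blockHeader> children of a <mail> element; reject incomplete elements."""
    root = ET.fromstring(mail_xml)
    if root.tag != "mail":
        raise ValueError(f"expected <mail>, got <{root.tag}>")
    rules = []
    for el in root.findall("blockHeader"):
        name, contains = el.get("name"), el.get("contains")
        if not name or contains is None:
            raise ValueError("blockHeader needs both name and contains attributes")
        rules.append(BlockHeaderRule(name, contains))
    return rules


RULES = load_block_headers(RULE_XML)


def blocking_rule(headers: Dict[str, str], rules: List[BlockHeaderRule] = RULES) -> Optional[str]:
    """Return the name of the first header whose rule fires, or None if the message passes.

    'headers' holds only the headers the client actually requested, so a device that
    never asks for the header gets the message through, exactly as the manual warns."""
    by_name = {k.lower(): v for k, v in headers.items()}
    for rule in rules:
        value = by_name.get(rule.name.lower())
        if value is not None and rule.blocks(value):
            return rule.name
    return None
```

Note the difference between the first two rules: "Secret" blocks "Top Secret" because containment is enough, while "^Top Information$" blocks "Top Information" but lets "Top Information Sheet" through. A message with no such header at all always passes, which is the client-dependent gap the paragraph above points out.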

4.8 Known issues

IAG doesn't give any indication if the filter fails to load for some reason (e.g. missing DLLs).

If there's an error while loading the configuration, the filter terminates the containing IIS process.

4.9 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol, it sends its Device Type to the server. The ActiveSync filter uses this string to handle different devices in different ways based on their types.

Here are the Device Types for common mobile devices:

Apple iPhone - iPhone

Windows Mobile - PPC, PocketPC (note: both Device Types are used by the same device in different phases of the protocol)

Nokia - IMEI* where the * stands for a device-specific string. That is, different devices of the same model have different Device Types, but they all begin with the IMEI prefix. The configuration utility allows you to match Device Types by prefix, so you can select IMEI as the prefix to match Nokia devices.
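The rule evaluation from section 4.2 (top rule first, first match applied, no match means reject) combined with the Device Type matching above, as an added Python example that is not the filter's own code. The rule names, AD group names, the Nokia-style Device Type string and the rule order are constructed for the example; only the Device Type values iPhone, PPC, PocketPC and the IMEI prefix come from the manual.

```python
"""Added example (not AGAT's code): ordered rule matching as the manual describes it.

Rules are tried top to bottom, the first rule that fits the request is applied, and a
device that matches no rule is rejected. Rules match on the Device Type string the device
sends (exactly, or by prefix, as with Nokia's IMEI* types) and/or on the user's AD group
membership. The rule names, groups and device strings below are constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    device_type: Optional[str] = None      # exact Device Type string, e.g. "iPhone"; None = any
    device_prefix: Optional[str] = None    # prefix match, e.g. "IMEI" for Nokia devices
    groups: FrozenSet[str] = frozenset()   # user must be in at least one; empty = any user

    def matches(self, device_type: str, user_groups: FrozenSet[str]) -> bool:
        # Device Type strings are compared as sent by the device (case-sensitive).
        if self.device_type is not None and device_type != self.device_type:
            return False
        if self.device_prefix is not None and not device_type.startswith(self.device_prefix):
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        return True


def select_rule(rules: Iterable[Rule], device_type: str, user_groups: Iterable[str]) -> Optional[Rule]:
    """First-match-wins evaluation; None means no rule matched and the request is rejected."""
    groups = frozenset(user_groups)
    for rule in rules:
        if rule.matches(device_type, groups):
            return rule
    return None


# Constructed rule set, in the order an admin would arrange it in the Rules tab.
# The specific iPhone/Executives rule sits above the generic iPhone rule on purpose:
# with the order reversed, the generic rule would win for executives too.
RULES: List[Rule] = [
    Rule("exec-iphone-full", device_type="iPhone", groups=frozenset({"Executives"})),
    Rule("iphone-no-attachments", device_type="iPhone"),
    Rule("nokia-by-prefix", device_prefix="IMEI"),
    # Windows Mobile presents itself as PPC in one protocol phase and PocketPC in another,
    # so a rule set that covers only one of them rejects the device in the other phase.
    Rule("windows-mobile", device_type="PPC"),
    Rule("windows-mobile", device_type="PocketPC"),
]


def decide(device_type: str, user_groups: Iterable[str], rules: Iterable[Rule] = RULES) -> str:
    """Return the name of the rule that applies, or 'REJECT' when no rule matches."""
    rule = select_rule(rules, device_type, user_groups)
    return rule.name if rule else "REJECT"
```

Two consequences of the ordering rule are worth checking in your own rule list: a broad rule placed above a narrower one silently shadows it, and a device type nobody wrote a rule for (here, "Android") is rejected rather than passed through with default handling.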

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead, and for more advanced enrollment options, it is recommended to add the Mobile Access Control module to the solution.

The module uses a DB & web site to support the following enrollment options:

Automatic Self Enrollment - Device ID is registered upon first use. In this case the web site is only for admin usage and is used to allow deleting users and tracking the registration process. This enrollment is done transparently by the user.

Self-Enrollment Registration - A tighter approach is that the user must first register on an internal site and then must sync within a defined time frame to complete registration.

Smart Card Enrollment - This enrollment is needed to allow a solution when the customer works with strong authentication rather than user name and password, or when different credentials are needed in order to protect the real AD account from being locked due to too many failures. The user creates credentials on an internal site (using strong login to view the site). The credentials created are then used for authenticating against the filter, and the filter performs the logon (Kerberos) to the Exchange on behalf of the user.

6 Mobile Access Control installation

Note: The product development name for Mobile Access Control is Angel.

Typical architecture

Certificate enrollment architecture

6.1 Database

1. Create a new MSSQL database or use an existing one.

2. Open the attached SQL script (SQLCreate.sql).

3. In the settings (last) section of the script, set values according to your needs.

Note: Only users listed in the Admins value will see the link for the settings from the web site.

4. Run the script.

6.2 Site

1. Copy the Angel folder to your web folder (e.g. c:\inetpub\wwwroot).

2. Change AngelConnectionString in web.config to fit your system settings. If you choose to use an integrated connection string, verify that the user running the application pool of the site has access to the DB.

3. Create a virtual directory in IIS for the Angel site.

4. Disable anonymous authentication in the site.

5. For Windows authentication, make sure the site is configured.

6. If you use Smart Card Authentication, configure your site to <Require User Certificate> and also provide a valid certificate for the server.

7. Users should browse to http://[hostname]/angel/default.aspx

8. Admin should browse to http://[hostname]/angel/admin/userslist.aspx

6.3 Web Service

Note: The web services are required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a Web Service to provide data to the ActiveSync filter.

2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).

3. Change AngelConnectionString in web.config to fit your system settings.

4. Create a virtual directory in IIS for the AngelServicesWebHost site.

5. Provide the path to the ActiveSync filter: <your server path>/AngelServicesWebHost/AngelSrv.svc

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter (on the ForeFront machine) and a back-end consumer on the Exchange.

For detailed installation, please contact support@agatsolutions.com.

7 Mobile access control configuration

7.1 Automatic Self Enrollment

Select the following options for this enrollment process:

7.2 Self-Enrollment Registration

For enrollment based on Active Directory username and password, the web site is configured to use Windows authentication.

The user logs into the site and starts the registration process by clicking on the Register button. Once the button is clicked, within the defined time frame the user must perform an ActiveSync operation from his device. The filter then registers the device ID in the DB, linked to the user, for the ongoing authentication.

Select the following options for this enrollment:

In this case the user should log in to the following URL: http://[servername]/angel and see this site:

7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where username and password are not managed in the Active Directory and it is impossible or complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs into the site he creates (or auto-generates) a username and password. Once clicking the Create button, he must perform an ActiveSync operation within a defined time frame. During the first operation the device ID is registered and linked to the user.

During the ongoing authentication the user enters the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. The AG Mobile Access Control filter then performs a login to the Exchange server using the AG Auth consumer filter installed on the Exchange.

To configure Smart Card enrollment, select the same options as the self-enrollment registration and change the site settings mode to SCA (Smart Card Logon).

When the user browses the Angel site URL he will see something like this:
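The three enrollment flows of sections 7.1 to 7.3 share one device-binding logic: Automatic Self Enrollment binds the device ID on first use, while Self-Enrollment Registration and Smart Card Enrollment require a Register or Create click on the site followed by a sync inside the Timeout window, after which any other device ID is refused for that user. The following Python state machine is an added example of that logic and is not the Angel module's code; the store layout, method names, outcome strings, and the sample users, device IDs and times are assumptions constructed for it, and the credential check that precedes the device check (AD password, or the site-created credentials in the smart card case) is left outside it.

```python
"""Added example (not AGAT's code): the enrollment flows of sections 7.1-7.3 as a state machine.

Automatic Self Enrollment binds the device ID on first use. Self-Enrollment Registration and
Smart Card Enrollment first require a Register/Create click on the site, after which the
device must sync within the Timeout window (minutes) to be bound; from then on a sync from any
other device ID is refused. The credential check that precedes this is outside this example.
Store layout, method names, outcome strings and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class EnrollmentStore:
    timeout_minutes: int                  # the Timeout setting: minutes allowed from Register to first sync
    auto_enroll: bool = False             # True = Automatic Self Enrollment (no Register step)
    pending: Dict[str, datetime] = field(default_factory=dict)   # user -> time Register/Create was clicked
    registered: Dict[str, str] = field(default_factory=dict)     # user -> bound device ID

    def register(self, user: str, now: datetime) -> None:
        """The user clicked Register (7.2) or Create (7.3) on the Angel site."""
        self.pending[user] = now

    def delete_user(self, user: str) -> None:
        """Admin deletes the user on the admin page; the device binding is gone."""
        self.pending.pop(user, None)
        self.registered.pop(user, None)

    def sync(self, user: str, device_id: str, now: datetime) -> str:
        """Decide on an ActiveSync request from an already-authenticated user."""
        bound = self.registered.get(user)
        if bound is not None:
            # Ongoing authentication: the device ID is the second factor.
            return "ALLOW" if bound == device_id else "DENY_DEVICE_MISMATCH"
        if self.auto_enroll:
            # Transparent enrollment: whichever device syncs first with valid credentials is
            # bound, which is why the manual calls the Register-first flows the tighter option.
            self.registered[user] = device_id
            return "ENROLLED"
        started = self.pending.get(user)
        if started is None:
            return "DENY_NOT_REGISTERED"
        if now - started > timedelta(minutes=self.timeout_minutes):
            del self.pending[user]          # window missed: the user must register again
            return "DENY_WINDOW_EXPIRED"
        del self.pending[user]
        self.registered[user] = device_id   # first sync inside the window binds the device
        return "ENROLLED"


def run_demo() -> List[str]:
    """Walk through the registration flow with constructed users, device IDs and times."""
    t0 = datetime(2020, 1, 1, 9, 0)
    store = EnrollmentStore(timeout_minutes=15)
    out = [store.sync("alice", "DEV-A", t0)]                              # never registered
    store.register("alice", t0)
    out.append(store.sync("alice", "DEV-A", t0 + timedelta(minutes=5)))   # inside the window
    out.append(store.sync("alice", "DEV-A", t0 + timedelta(days=1)))      # ongoing use
    out.append(store.sync("alice", "DEV-B", t0 + timedelta(days=1)))      # same password, other phone
    store.register("bob", t0)
    out.append(store.sync("bob", "DEV-B", t0 + timedelta(minutes=16)))    # window missed
    store.delete_user("alice")
    out.append(store.sync("alice", "DEV-B", t0 + timedelta(days=2)))      # must re-register
    auto = EnrollmentStore(timeout_minutes=15, auto_enroll=True)
    out.append(auto.sync("carol", "DEV-C", t0))                           # bound on first use
    out.append(auto.sync("carol", "DEV-D", t0))                           # second phone refused
    return out
```

The fourth and last outcomes are the point of the module: once a device ID is bound, a correct password from a different phone is refused, and the only way to move a user to a new phone is the admin deleting the user (or the user re-registering) as section 8 describes.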

8 Mobile Access Control site admin

The admin is located at the following URL:

http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button.

Every admin user that has access to the admin page will see only the users from his own domain. Only the user listed in the web.config <appSettings> admin value will see all users.

Pressing Edit Settings displays the following settings window. For each setting: Name - Relevance (enrollment type) - Description.

Admins - All - Users that are allowed to access the EDIT tab in the admin site. Enter as domain\user, or just enter the string Everyone to allow anyone with access to the admin site to change settings.

Type - Self enrollment: Windows Authentication. Smart Card: SCA = Smart Card Authentication. Smart Card: SCASimulation - simulates the smart card enrollment without needing to define the site as smart card; good for just using different credentials than AD.

DefaultLanguage - All - en / heb

LoginLength - Smart Card - Length of user name

PassLength - Smart Card - Password length

Timeout - Smart Card, Self-enrollment - Minutes to sync from registration

Usedomain - Smart Card, Self-enrollment - Enter yes to allow displaying users only from your domain

UserNamePrefix - Smart Card - Adds a prefix to user name

You can also manage users from the filter console by pressing the Manage users button.

9 Troubleshooting

The filter will write debugging traces into C:\WhlFiltActiveSyncEx.log.txt if that file exists.

You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged for IAG/UAG only when the trace level is ALL. Requests are logged in the C:\aslogs directory if it exists and is set up with the correct permissions.

For further help please contact <support@agatsolutions.com>.

WWWAGATSOLUTIONSCOM

Page 3 of 31

71 Automatic Self Enrollment 24

72 Self-Enrollment Registration 25

73 Smart Card Enrollment 27

8 Mobile Access Control site admin 28

9 Troubleshooting 31

WWWAGATSOLUTIONSCOM

Page 4 of 31

1 Introduction

AG ActiveSync Filter is a solution for controlling who and what to Sync when users connect

to Exchange server with mobile devices

More and more companies encourage their employees to work with their mobile devices

implementing Bring Your Own (BYO) strategy to save money and improve efficiency

Typically the Exchange is configured to support OTA ActiveSync (Over The Air)

But from a security point of view mobile smart phones are in fact mini computers and should be

treated from a security aspect as a potential threat

The filter offers both content filtering and access control features

An optional component offered with the filter is the Mobile Access Controller

This component is needed in two cases

a When enterprise enrollment requires a self-registered process to avoid admin overhead

b Certificate authentication is used instead of AD credentials

WWWAGATSOLUTIONSCOM

Page 5 of 31

11 AG ActiveSync Filter - Features

Content Filtering

1 Managing filter rules configuration by device type (iPhone windows mobile etc) andor by

users active directory group membership

2 Allowing or blocking synchronization of the following objects Mail messages Contacts

Tasks and calendar events

3 Allowing or blocking synchronization of attachments in mails messages or events

4 Managing specific file types to be synced

5 Filtering by words in subject of mail and calendar events

6 Allowing meeting requests to be published even when mail is blocked

7 Filtering by the senders domain name

Access Control

1 Verify that user and device ID match (Two Factor Authentication)

2 Managing a white list of allowed users

3 Allowing or blocking by device type andor by users active directory group membership

WWWAGATSOLUTIONSCOM

Page 6 of 31

12 AG ActiveSync Filter ndash Architecture

The following diagram displays a typical architecture of implementing the ActiveSync filter

2 UAG IAG install

1 Make sure MSXML 60 is installed on the system (Check that the file

windirsystem32msxml6dll exists)

You can download MSXML 60 from Microsofts website if necessary

2 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

3 Place the following DLLs in a folder which appears in the PATH such as

windirsystem32

wbxml2dll

libexpatdll

(Make sure there are no other versions of the DLLs in the system path)

4 Place the setup admin folder content ( ActiveSyncAdminexe FPCLibdll start-IAG-

UAG-ActiveSyncAdminbat ) to the following folder

UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEConf

WWWAGATSOLUTIONSCOM

Page 7 of 31

5 Place the ActiveSyncWFEdll DLL from the setup filter folder to

UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEBin

6 In the folder UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEConf create a

subfolder named CustomUpdate if it doesnt exist

7 Copy WFEListxml from the conf parent folder into the CustomUpdate subfolder and edit

it as follows

Add a new ltDLLgt node as a child node of ltDLL_NAMESgt node with the dll_name

attribute set accordingly

8 Send the full computer name to supportagatsolutionscom and receive a license file (lic)

9 Put the license file (lic) you received from supportagatsolutionscom in the Conf folder

Make sure it is named WhlFiltActiveSyncExlic

10 Run the configuration utility using the shortcut in the Conf folder and adjust filter settings

as needed When youre done click Save The configuration file will be created if it didnt

exist before

11 You can modify the message displayed when user is blocked in the first two lines of the

following file

CWhale-Come-GapvonInternalSiteLanguagessample_defaultxml

12 Restart IIS

WWWAGATSOLUTIONSCOM

Page 8 of 31

3 TMG ISA Install

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISATMG folder usually CProgram FilesMicrosoft ISA

Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

ActiveSyncWebFilterAdminexe

start-TMG ISA-ActiveSyncAdminbat

FPCLibdll

3 Make sure that ISATMG has permission to access these files

4 Run regsvr32 on ActiveSyncWebFilterdll (Click on Start -gt Run Type regsvr32 drag

ActiveSyncWebFilterdll into the text box and press Enter)

Note

Seeing a configuration error issued by the filter at this point is normal since the filter

configuration is not saved until the next step

5 Send the full computer name to supportagatsolutionscom and receive a license file (lic)

6 Put the license file (lic) you received from supportagatsolutionscom in the ISATMG

folder Make sure it is named ActiveSyncWebFilterlic

7 Put the license file (lic) you received from Agat in the ISATMG folder Make sure it is

named ActiveSyncWebFilterlic

8 Run the configuration utility according to the instructions under Configuration and save

the configuration

WWWAGATSOLUTIONSCOM

Page 9 of 31

9 If you have other ISATMG servers in the array follow the steps described under

Installing on ISA array members

31 Installing on ISA array members

Following the instructions in the Installation section installs the filter in the ISA array member

where you ran the commands However if you have more than one member in the ISA array you

still need to install the filter on the other array members

On each array member other than the one where you ran the Installation commands follow

these steps

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISA folder usually CProgram FilesMicrosoft ISA Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

3 Make sure that ISA server has permission to access these files

4 Run the included RegisterFilterInArrayMemberjs script

32 Removing installation

Follow these steps to remove Agat ActiveSync Web Filter from the computer

1 If you have other ISA servers in the array run the included

UnregisterFilterInArrayMemberjs script on each of the servers

2 Run the following command regsvr32 u cProgram FilesMicrosoft ISA

ServerActiveSyncWebFilterdll

3 Delete the DLLs and exe files that you copied during installations (You may need to

restart ISA before it will let you delete all the DLLs)

WWWAGATSOLUTIONSCOM

Page 10 of 31

4 Configuration

41 Starting up the GUI

Simply run the start-TMG ISA-ActiveSyncAdminbat or the start-UAG IAG-ActiveSyncAdminbat

Note for ISATMG - After you click Save ISA may take some time to reload and apply the

new configuration depending on its Array Configuration Storage settings

Note for IAGUAG - Make sure the current working directory is UAG-

INSTALLATIONvonconfWebSitesTRUNK-NAMEConf

Note for IAGUAG ndash restart IIS after changing configuration settings

42 Rules

Rules are defined for Device type (PPC iPhone etc) and or active directory group membership

The rule defines how to handle the content request

Main rule window

WWWAGATSOLUTIONSCOM

Page 11 of 31

Note The web publishing rule tab and the advanced options are relevant only to TMG ISA

Use the arrows to re-order the rules to fit your needs

Top rules are processed first and once a request fits a rule processing is stopped and the rule is

applied

Devices that dont match any rule are rejected ie they have no access to the Exchange server

After you save the configuration file restart IIS to apply the new configuration

43 Users

The users tab handles the users that have access to perform ActiveSync and verifies that they do so

with the registered device ID

Verifying that the device ID matches the user prevents someone with access to the users

credentials from syncing using a different phone (device ID)

This feature provides a Two Factor Authentication (TFA) using something you know and

something you have

The ActiveSync filter includes basic support of this feature using a text file containing the

username and the device ID approved for this user

For more advanced and enterprise enrollment options it is recommended to use the mobile access

control module

To use the basic enrollment- check the Each use canhellip and choose the file based enrollment

option Then click on the User file settings button

WWWAGATSOLUTIONSCOM

Page 12 of 31

Creating a user list file can be done in two ways (Manually)

a Running in Training mode - selecting this option will allow performing ActiveSync but will

write to the Rejects file the username and device ID that preformed the request

b Using the rejects file list - this file stores all the requests that were rejected by the filter

The rejects file is in the same format as the users file so you can cut-and-paste between the files

WWWAGATSOLUTIONSCOM

Page 13 of 31

44 Servers

The servers tab is used to define the LDAP connection to be used for the Group filtering option in

the first general tab

WWWAGATSOLUTIONSCOM

Page 14 of 31

45 Defining web publishing (ISATMG only)

For the ISATMG you can define the web publishing rules that you want the filter to run on

This is done in the Web Publishing tab

WWWAGATSOLUTIONSCOM

Page 15 of 31

46 Configuring a rule

General tab

In the general tab of the rule you can set the device type that the rule applies to and or the users

active directory group membership

WWWAGATSOLUTIONSCOM

Page 16 of 31

Action tab

In the mail handling section you can choose the mail handling method

Dont filter calendar related mail - do not block meeting requests

Block all mails - block all mails both as regular emails and meeting requests

In the non-mail section you can choose whether to block calendar Tasks or Contacts

In the attachment section you can define to remove attachments

This option applies to mail objects and and meeting requests calendar objects

In the list below you can define exceptions by files types

Tip To add a file type ndash right click on the available list area to add a new value

WWWAGATSOLUTIONSCOM

Page 17 of 31

Extension tab

In the extensions tab you can

Block mails by Origin - blocking for example internal mails only

Truncate mail with specific words in subject

Define length to truncate If set to zero the body is completely blocked

WWWAGATSOLUTIONSCOM

Page 18 of 31

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

471 Blocking Inline message

This option prevents sending messages within messages These are shown as attachments in

outlook with an outlook message

472 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software

For each header you want to block add the following child element to the mail element (inside the

appropriate rule)

ltblockHeader name=Header Name contains=Block Value gt

The contains attribute can be either a plain string or a regular expression (with Perl syntax) If the

string or regular expression is found (contained) in the header the message will be blocked If

you need an exact match start the contains attribute with a ^ character and end it with a $

character eg ltblockHeader name=Header Name contains=^Exact$ gt

The matching is case-insensetive

Full example

ltmail allow=true onlyCalendarMessages=false allowAttachments=falsegt

ltblockHeader name=Confidential Level contains=Secret gt

ltblockHeader name=Project Name contains=Top Information gt

ltmailgt

WWWAGATSOLUTIONSCOM

Page 19 of 31

The ability to request mail headers depends on the client

Some devices (eg iPhone) will display the message title but not its contents while other might

not request the header and therefore the message will not be blocked

48 Known issues

IAG doesnt give any indication if the filter fails to load for some reason (eg missing DLLs)

If theres an error while loading the configuration the filter terminates the containing IIS process

49 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol it

sends its Device Type to the server The ActiveSync filter uses this string to handle different

devices in different ways based on their types

Here are the Device Types for common mobile devices

Apple iPhone - iPhone

Windows Mobile - PPC PocketPC (note both Device Types are used by the same device in

different phases of the protocol)

Nokia - IMEI where the stands for a device-specific string That is different devices

of the same model have different Device Types but they all begin with the IMEI prefix The

configuration utility allows you to match Device Types by prefix so you can select IMEI as the

prefix to match Nokia devices

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead and for more advanced enrollment options it is

recommended to add the Mobile Access Control module to the solution

The module uses a DB amp web site to support the following enrollment options

Automatic Self Enrollment ndash Device ID is registered upon first use In this case the web site is

only for admin usage and is used to allow deleting users and tracking the registration process

This enrollment is done transparently by the user

WWWAGATSOLUTIONSCOM

Page 20 of 31

Self-Enrollment Registration ndash A tighter attitude is that the user must first register on an internal

site and then must Sync within a defined time frame to complete registration

Smart Card Enrollment ndash This enrollment is needed to allow a solution when customer works

with strong authentication rather than user name and password or when different credentials are

needed in order to protect the real AD account from being locked due to too many failures

User creates credentials on internal site (using strong login to view the site) The credentials

created are then used for authenticating against the filter and the filter preforms the logon

Kerberos) to the exchange on behalf of the user

6 Mobile Access Control installation

Note Product development name for Mobile Access Control is Angel

Typical architecture

WWWAGATSOLUTIONSCOM

Page 21 of 31

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter writes debugging traces into C:\WhlFiltActiveSyncEx.log.txt if that file exists.

You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged (IAG/UAG only) when the trace level is ALL. Requests are logged in the C:\aslogs directory if it exists and is set up with the correct permissions.

For further help please contact <support@agatsolutions.com>.




WWWAGATSOLUTIONSCOM

Page 5 of 31

11 AG ActiveSync Filter - Features

Content Filtering

1 Managing filter rules configuration by device type (iPhone windows mobile etc) andor by

users active directory group membership

2 Allowing or blocking synchronization of the following objects Mail messages Contacts

Tasks and calendar events

3 Allowing or blocking synchronization of attachments in mails messages or events

4 Managing specific file types to be synced

5 Filtering by words in subject of mail and calendar events

6 Allowing meeting requests to be published even when mail is blocked

7 Filtering by the senders domain name

Access Control

1 Verify that user and device ID match (Two Factor Authentication)

2 Managing a white list of allowed users

3 Allowing or blocking by device type andor by users active directory group membership

WWWAGATSOLUTIONSCOM

Page 6 of 31

12 AG ActiveSync Filter ndash Architecture

The following diagram displays a typical architecture of implementing the ActiveSync filter

2 UAG IAG install

1 Make sure MSXML 60 is installed on the system (Check that the file

windirsystem32msxml6dll exists)

You can download MSXML 60 from Microsofts website if necessary

2 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

3 Place the following DLLs in a folder which appears in the PATH such as

windirsystem32

wbxml2dll

libexpatdll

(Make sure there are no other versions of the DLLs in the system path)

4 Place the setup admin folder content ( ActiveSyncAdminexe FPCLibdll start-IAG-

UAG-ActiveSyncAdminbat ) to the following folder

UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEConf

WWWAGATSOLUTIONSCOM

Page 7 of 31

5 Place the ActiveSyncWFEdll DLL from the setup filter folder to

UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEBin

6 In the folder UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEConf create a

subfolder named CustomUpdate if it doesnt exist

7 Copy WFEListxml from the conf parent folder into the CustomUpdate subfolder and edit

it as follows

Add a new ltDLLgt node as a child node of ltDLL_NAMESgt node with the dll_name

attribute set accordingly

8 Send the full computer name to supportagatsolutionscom and receive a license file (lic)

9 Put the license file (lic) you received from supportagatsolutionscom in the Conf folder

Make sure it is named WhlFiltActiveSyncExlic

10 Run the configuration utility using the shortcut in the Conf folder and adjust filter settings

as needed When youre done click Save The configuration file will be created if it didnt

exist before

11 You can modify the message displayed when user is blocked in the first two lines of the

following file

CWhale-Come-GapvonInternalSiteLanguagessample_defaultxml

12 Restart IIS

WWWAGATSOLUTIONSCOM

Page 8 of 31

3 TMG ISA Install

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISATMG folder usually CProgram FilesMicrosoft ISA

Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

ActiveSyncWebFilterAdminexe

start-TMG ISA-ActiveSyncAdminbat

FPCLibdll

3 Make sure that ISATMG has permission to access these files

4 Run regsvr32 on ActiveSyncWebFilterdll (Click on Start -gt Run Type regsvr32 drag

ActiveSyncWebFilterdll into the text box and press Enter)

Note

Seeing a configuration error issued by the filter at this point is normal since the filter

configuration is not saved until the next step

5 Send the full computer name to supportagatsolutionscom and receive a license file (lic)

6 Put the license file (lic) you received from supportagatsolutionscom in the ISATMG

folder Make sure it is named ActiveSyncWebFilterlic

7 Put the license file (lic) you received from Agat in the ISATMG folder Make sure it is

named ActiveSyncWebFilterlic

8 Run the configuration utility according to the instructions under Configuration and save

the configuration

WWWAGATSOLUTIONSCOM

Page 9 of 31

9 If you have other ISATMG servers in the array follow the steps described under

Installing on ISA array members

31 Installing on ISA array members

Following the instructions in the Installation section installs the filter in the ISA array member

where you ran the commands However if you have more than one member in the ISA array you

still need to install the filter on the other array members

On each array member other than the one where you ran the Installation commands follow

these steps

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISA folder usually CProgram FilesMicrosoft ISA Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

3 Make sure that ISA server has permission to access these files

4 Run the included RegisterFilterInArrayMemberjs script

32 Removing installation

Follow these steps to remove Agat ActiveSync Web Filter from the computer

1 If you have other ISA servers in the array run the included

UnregisterFilterInArrayMemberjs script on each of the servers

2 Run the following command regsvr32 u cProgram FilesMicrosoft ISA

ServerActiveSyncWebFilterdll

3 Delete the DLLs and exe files that you copied during installations (You may need to

restart ISA before it will let you delete all the DLLs)

WWWAGATSOLUTIONSCOM

Page 10 of 31

4 Configuration

41 Starting up the GUI

Simply run the start-TMG ISA-ActiveSyncAdminbat or the start-UAG IAG-ActiveSyncAdminbat

Note for ISATMG - After you click Save ISA may take some time to reload and apply the

new configuration depending on its Array Configuration Storage settings

Note for IAGUAG - Make sure the current working directory is UAG-

INSTALLATIONvonconfWebSitesTRUNK-NAMEConf

Note for IAGUAG ndash restart IIS after changing configuration settings

42 Rules

Rules are defined for Device type (PPC iPhone etc) and or active directory group membership

The rule defines how to handle the content request

Main rule window

WWWAGATSOLUTIONSCOM

Page 11 of 31

Note The web publishing rule tab and the advanced options are relevant only to TMG ISA

Use the arrows to re-order the rules to fit your needs

Top rules are processed first and once a request fits a rule processing is stopped and the rule is

applied

Devices that dont match any rule are rejected ie they have no access to the Exchange server

After you save the configuration file restart IIS to apply the new configuration

43 Users

The users tab handles the users that have access to perform ActiveSync and verifies that they do so

with the registered device ID

Verifying that the device ID matches the user prevents someone with access to the users

credentials from syncing using a different phone (device ID)

This feature provides a Two Factor Authentication (TFA) using something you know and

something you have

The ActiveSync filter includes basic support of this feature using a text file containing the

username and the device ID approved for this user

For more advanced and enterprise enrollment options it is recommended to use the mobile access

control module

To use the basic enrollment- check the Each use canhellip and choose the file based enrollment

option Then click on the User file settings button

WWWAGATSOLUTIONSCOM

Page 12 of 31

Creating a user list file can be done in two ways (Manually)

a Running in Training mode - selecting this option will allow performing ActiveSync but will

write to the Rejects file the username and device ID that preformed the request

b Using the rejects file list - this file stores all the requests that were rejected by the filter

The rejects file is in the same format as the users file so you can cut-and-paste between the files

WWWAGATSOLUTIONSCOM

Page 13 of 31

44 Servers

The servers tab is used to define the LDAP connection to be used for the Group filtering option in

the first general tab

WWWAGATSOLUTIONSCOM

Page 14 of 31

45 Defining web publishing (ISATMG only)

For the ISATMG you can define the web publishing rules that you want the filter to run on

This is done in the Web Publishing tab

WWWAGATSOLUTIONSCOM

Page 15 of 31

46 Configuring a rule

General tab

In the general tab of the rule you can set the device type that the rule applies to and or the users

active directory group membership

WWWAGATSOLUTIONSCOM

Page 16 of 31

Action tab

In the mail handling section you can choose the mail handling method

Dont filter calendar related mail - do not block meeting requests

Block all mails - block all mails both as regular emails and meeting requests

In the non-mail section you can choose whether to block calendar Tasks or Contacts

In the attachment section you can define to remove attachments

This option applies to mail objects and and meeting requests calendar objects

In the list below you can define exceptions by files types

Tip To add a file type ndash right click on the available list area to add a new value

WWWAGATSOLUTIONSCOM

Page 17 of 31

Extension tab

In the extensions tab you can

Block mails by Origin - blocking for example internal mails only

Truncate mail with specific words in subject

Define length to truncate If set to zero the body is completely blocked

WWWAGATSOLUTIONSCOM

Page 18 of 31

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

471 Blocking Inline message

This option prevents sending messages within messages These are shown as attachments in

outlook with an outlook message

472 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software

For each header you want to block add the following child element to the mail element (inside the

appropriate rule)

ltblockHeader name=Header Name contains=Block Value gt

The contains attribute can be either a plain string or a regular expression (with Perl syntax) If the

string or regular expression is found (contained) in the header the message will be blocked If

you need an exact match start the contains attribute with a ^ character and end it with a $

character eg ltblockHeader name=Header Name contains=^Exact$ gt

The matching is case-insensetive

Full example

ltmail allow=true onlyCalendarMessages=false allowAttachments=falsegt

ltblockHeader name=Confidential Level contains=Secret gt

ltblockHeader name=Project Name contains=Top Information gt

ltmailgt

WWWAGATSOLUTIONSCOM

Page 19 of 31

The ability to request mail headers depends on the client

Some devices (eg iPhone) will display the message title but not its contents while other might

not request the header and therefore the message will not be blocked

48 Known issues

IAG doesnt give any indication if the filter fails to load for some reason (eg missing DLLs)

If theres an error while loading the configuration the filter terminates the containing IIS process

4.9 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol, it sends its Device Type to the server. The ActiveSync filter uses this string to handle different devices in different ways based on their types.

Here are the Device Types for common mobile devices:

Apple iPhone - iPhone

Windows Mobile - PPC, PocketPC (note: both Device Types are used by the same device in different phases of the protocol)

Nokia - IMEI*, where the * stands for a device-specific string. That is, different devices of the same model have different Device Types, but they all begin with the IMEI prefix. The configuration utility allows you to match Device Types by prefix, so you can select IMEI as the prefix to match Nokia devices.

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead, and for more advanced enrollment options, it is recommended to add the Mobile Access Control module to the solution.

The module uses a DB and a web site to support the following enrollment options:

Automatic Self Enrollment - the Device ID is registered upon first use. In this case the web site is for admin usage only and is used to delete users and track the registration process. This enrollment is transparent to the user.

Self-Enrollment Registration - a tighter approach: the user must first register on an internal site and then must sync within a defined time frame to complete registration.

Smart Card Enrollment - this enrollment is needed when the customer works with strong authentication rather than user name and password, or when different credentials are needed in order to protect the real AD account from being locked due to too many failed logons. The user creates credentials on the internal site (using a strong login to view the site). The created credentials are then used for authenticating against the filter, and the filter performs the logon (Kerberos) to the Exchange server on behalf of the user.

6 Mobile Access Control installation

Note: the product development name for Mobile Access Control is Angel.

Typical architecture (diagram)

Certificate enrollment architecture (diagram)

6.1 Database

1. Create a new MSSQL database or use an existing one.

2. Open the attached SQL script (SQLCreate.sql).

3. In the settings (last) section of the script, set the values according to your needs.

Note: only users listed in the Admins value will see the settings link on the web site.

4. Run the script.

6.2 Site

1. Copy the Angel folder to your web folder (e.g. c:\inetpub\wwwroot).

2. Change AngelConnectionString in web.config to fit your system settings.

If you choose to use an integrated security connection string, verify that the user running the application pool of the site has access to the DB.

3. Create a virtual directory in IIS for the Angel site.

4. Disable anonymous authentication on the site.

5. For Windows authentication, make sure the site is configured for it.

6. If you use Smart Card Authentication, configure your site to <Require User Certificate> and also provide a valid certificate for the server.

7. Users should browse to http://[hostname]/angel/default.aspx

8. Admins should browse to http://[hostname]/angel/admin/userslist.aspx

6.3 Web Service

Note: the web services are required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a Web Service to provide data to the ActiveSyncFilter.

2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).

3. Change AngelConnectionString in web.config to fit your system settings.

4. Create a virtual directory in IIS for the AngelServicesWebHost site.

5. Provide the ActiveSyncFilter with the path to the service: <your server path>/AngelServicesWebHost/AngelSrv.svc

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test Connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter (on the ForeFront machine) and a back-end consumer on the Exchange server.

For detailed installation instructions, please contact support@agatsolutions.com.

7 Mobile access control configuration

7.1 Automatic Self Enrollment

Select the following options for this enrollment process:

7.2 Self-Enrollment Registration

For enrollment based on Active Directory username and password, the web site is configured to use Windows authentication.

The user logs into the site and starts the registration process by clicking the Register button. Once the button is clicked, the user must perform an ActiveSync operation from his device within the defined time frame. The filter then registers the device ID in the DB, linked to the user, for the ongoing authentication.
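The register-then-sync flow described above (the same device linkage is used by Smart Card Enrollment in 7.3), as an added Python model that is not the product's code: a filter-side decision over an in-memory stand-in for the Mobile Access Control DB, with the Timeout setting as the window between clicking Register and the first sync. The users, device IDs, clock values and decision labels are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class EnrollmentRegistry:
    """In-memory stand-in for the Mobile Access Control DB (the real schema is
    not described in the manual, so this layout is an assumption)."""
    timeout_minutes: int                          # the Timeout site setting
    pending: dict = field(default_factory=dict)   # user -> time Register was clicked
    devices: dict = field(default_factory=dict)   # user -> enrolled device ID

    def register(self, user, now):
        """The user authenticated to the Angel site and clicked Register."""
        self.pending[user] = now

    def sync(self, user, device_id, now):
        """Decision for an ActiveSync request that reached the filter.

        Returns one of: 'allow', 'allow:enrolled', 'reject:device-mismatch',
        'reject:registration-expired', 'reject:not-registered'.
        """
        enrolled = self.devices.get(user)
        if enrolled is not None:
            # Ongoing authentication: the device ID is the second factor
            # (something you have) next to the credentials (something you know).
            return "allow" if enrolled == device_id else "reject:device-mismatch"
        started = self.pending.pop(user, None)
        if started is None:
            return "reject:not-registered"
        if now - started > timedelta(minutes=self.timeout_minutes):
            # Window missed: the user has to click Register again.
            return "reject:registration-expired"
        # First sync inside the window: bind this device ID to the user.
        self.devices[user] = device_id
        return "allow:enrolled"


def walkthrough():
    """Run the constructed scenario and return the list of decisions."""
    t0 = datetime(2020, 1, 1, 9, 0)        # constructed clock
    reg = EnrollmentRegistry(timeout_minutes=10)
    decisions = []
    decisions.append(reg.sync("alice", "DEV-A1", t0))                          # never registered
    reg.register("alice", t0)
    decisions.append(reg.sync("alice", "DEV-A1", t0 + timedelta(minutes=5)))   # enrolls the phone
    decisions.append(reg.sync("alice", "DEV-A1", t0 + timedelta(hours=1)))     # same phone
    decisions.append(reg.sync("alice", "DEV-B2", t0 + timedelta(hours=1)))     # other phone, same creds
    reg.register("bob", t0)
    decisions.append(reg.sync("bob", "DEV-B2", t0 + timedelta(minutes=11)))    # outside the window
    decisions.append(reg.sync("bob", "DEV-B2", t0 + timedelta(minutes=12)))    # must register again
    return decisions


if __name__ == "__main__":
    for decision in walkthrough():
        print(decision)
```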

Select the following options for this enrollment:

In this case the user should log in to the following URL: http://[servername]/angel, and will see this site:

7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where username and password are not managed in Active Directory and it is impossible or complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs into the site he creates (or auto-generates) a username and password. Once he clicks the Create button he must perform an ActiveSync operation within a defined time frame. During the first operation the device ID is registered and linked to the user.

During the ongoing authentication the user enters the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. The AG Mobile Access Control filter then performs a login to the Exchange server using the AG Auth consumer filter installed on the Exchange.

To configure Smart Card enrollment, select the same options as for Self-Enrollment Registration and change the site settings mode to SCA (Smart Card Logon).

When the user browses to the Angel site URL he will see something like this:

8 Mobile Access Control site admin

The admin page is located at the following URL:

http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button.

Every admin user that has access to the admin page will see only the users from his own domain. Only the user listed in the web.config <appSettings> admin value will see all users.

Pressing Edit Settings will display the following window:

The settings are listed below as Name - Relevance (enrollment type) - Description:

Admins - All - Users that are allowed to access the EDIT tab in the admin site. Enter as domain\user, or enter the string Everyone to allow anyone with access to the admin site to change settings.

Type - Self enrollment: Windows Authentication. Smart Card: SCA = Smart Card Authentication. Smart Card: SCASimulation - simulates the smart card enrollment without needing to define the site as smart card; good for just using different credentials than AD.

DefaultLanguage - All - en / heb

LoginLength - Smart Card - Length of the user name

PassLength - Smart Card - Password length

Timeout - Smart Card, Self-enrollment - Minutes to sync from registration

Usedomain - Smart Card, Self-enrollment - Enter yes to allow displaying users only from your domain

UserNamePrefix - Smart Card - Adds a prefix to the user name

You can also manage users from the filter console by pressing the Manage Users button.

9 Troubleshooting

The filter will write debugging traces into C:\WhlFiltActiveSyncEx.log.txt if that file exists.

You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged for IAG/UAG only when the trace level is ALL. Requests are logged in the Caslogs directory if it exists and is set up with the correct permissions.

For further help please contact <support@agatsolutions.com>.

1.2 AG ActiveSync Filter - Architecture

The following diagram displays a typical architecture for implementing the ActiveSync filter:

2 UAG / IAG install

1. Make sure MSXML 6.0 is installed on the system (check that the file %windir%\system32\msxml6.dll exists). You can download MSXML 6.0 from Microsoft's website if necessary.

2. Run vcredist_x86.exe (on 32-bit machines) or vcredist_x64.exe (on 64-bit machines) to install the Visual C++ 2008 runtime.

3. Place the following DLLs in a folder which appears in the PATH, such as %windir%\system32:

wbxml2.dll

libexpat.dll

(Make sure there are no other versions of these DLLs in the system path.)

4. Place the setup admin folder content (ActiveSyncAdmin.exe, FPCLib.dll, start-IAG-UAG-ActiveSyncAdmin.bat) in the following folder: UAG-INSTALLATION\von\conf\WebSites\TRUNK-NAME\Conf

5. Place the ActiveSyncWFE.dll DLL from the setup filter folder in UAG-INSTALLATION\von\conf\WebSites\TRUNK-NAME\Bin

6. In the folder UAG-INSTALLATION\von\conf\WebSites\TRUNK-NAME\Conf create a subfolder named CustomUpdate if it doesn't exist.

7. Copy WFEList.xml from the Conf parent folder into the CustomUpdate subfolder and edit it as follows: add a new <DLL> node as a child of the <DLL_NAMES> node, with the dll_name attribute set accordingly.

8. Send the full computer name to support@agatsolutions.com and receive a license file (.lic).

9. Put the license file (.lic) you received from support@agatsolutions.com in the Conf folder. Make sure it is named WhlFiltActiveSyncEx.lic.

10. Run the configuration utility using the shortcut in the Conf folder and adjust the filter settings as needed. When you're done, click Save. The configuration file will be created if it didn't exist before.

11. You can modify the message displayed when a user is blocked in the first two lines of the following file: C:\Whale-Com\e-Gap\von\InternalSite\Languages\sample_default.xml

12. Restart IIS.

3 TMG / ISA Install

1. Run vcredist_x86.exe (on 32-bit machines) or vcredist_x64.exe (on 64-bit machines) to install the Visual C++ 2008 runtime.

2. Copy the following files to the ISA/TMG folder, usually C:\Program Files\Microsoft ISA Server:

ActiveSyncWebFilter.dll

wbxml2.dll

libexpat.dll

ActiveSyncWebFilterAdmin.exe

start-TMG ISA-ActiveSyncAdmin.bat

FPCLib.dll

3. Make sure that ISA/TMG has permission to access these files.

4. Run regsvr32 on ActiveSyncWebFilter.dll (click Start -> Run, type regsvr32, drag ActiveSyncWebFilter.dll into the text box and press Enter).

Note: seeing a configuration error issued by the filter at this point is normal, since the filter configuration is not saved until the next step.

5. Send the full computer name to support@agatsolutions.com and receive a license file (.lic).

6. Put the license file (.lic) you received from support@agatsolutions.com in the ISA/TMG folder. Make sure it is named ActiveSyncWebFilter.lic.

7. Put the license file (.lic) you received from Agat in the ISA/TMG folder. Make sure it is named ActiveSyncWebFilter.lic.

8. Run the configuration utility according to the instructions under Configuration and save the configuration.

9. If you have other ISA/TMG servers in the array, follow the steps described under Installing on ISA array members.

3.1 Installing on ISA array members

Following the instructions in the Installation section installs the filter on the ISA array member where you ran the commands. However, if you have more than one member in the ISA array, you still need to install the filter on the other array members.

On each array member other than the one where you ran the installation commands, follow these steps:

1. Run vcredist_x86.exe (on 32-bit machines) or vcredist_x64.exe (on 64-bit machines) to install the Visual C++ 2008 runtime.

2. Copy the following files to the ISA folder, usually C:\Program Files\Microsoft ISA Server:

ActiveSyncWebFilter.dll

wbxml2.dll

libexpat.dll

3. Make sure that the ISA server has permission to access these files.

4. Run the included RegisterFilterInArrayMember.js script.

3.2 Removing the installation

Follow these steps to remove the Agat ActiveSync Web Filter from the computer:

1. If you have other ISA servers in the array, run the included UnregisterFilterInArrayMember.js script on each of the servers.

2. Run the following command: regsvr32 /u "c:\Program Files\Microsoft ISA Server\ActiveSyncWebFilter.dll"

3. Delete the DLLs and .exe files that you copied during installation. (You may need to restart ISA before it will let you delete all the DLLs.)

4 Configuration

4.1 Starting up the GUI

Simply run start-TMG ISA-ActiveSyncAdmin.bat or start-UAG IAG-ActiveSyncAdmin.bat.

Note for ISA/TMG: after you click Save, ISA may take some time to reload and apply the new configuration, depending on its Array Configuration Storage settings.

Note for IAG/UAG: make sure the current working directory is UAG-INSTALLATION\von\conf\WebSites\TRUNK-NAME\Conf.

Note for IAG/UAG: restart IIS after changing configuration settings.

4.2 Rules

Rules are defined for Device Type (PPC, iPhone, etc.) and/or Active Directory group membership. The rule defines how to handle the content request.

Main rule window:

Note: the Web Publishing rule tab and the advanced options are relevant only to TMG/ISA.

Use the arrows to re-order the rules to fit your needs. Top rules are processed first; once a request fits a rule, processing stops and that rule is applied.

Devices that don't match any rule are rejected, i.e. they have no access to the Exchange server.

After you save the configuration file, restart IIS to apply the new configuration.
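Rule ordering as described above, together with the Device Type matching of section 4.9 (exact strings, or a prefix such as IMEI for Nokia), as an added Python model that is not the filter's own code: the first rule the request fits is applied, and no match means reject. The rule names, groups and action labels are constructed, and case-sensitive comparison of Device Type strings is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    device_types: Tuple[str, ...]   # Device Type strings this rule applies to
    prefix: bool = False            # True: match by prefix (e.g. "IMEI" for Nokia)
    group: Optional[str] = None     # required AD group, None = any user
    action: str = "allow"           # constructed action label for the demo


def device_matches(rule: Rule, device_type: str) -> bool:
    """Exact comparison, or prefix comparison when the rule says so.

    Case-sensitive comparison is an assumption; the manual does not specify.
    """
    if rule.prefix:
        return any(device_type.startswith(p) for p in rule.device_types)
    return device_type in rule.device_types


def select_rule(rules: List[Rule], device_type: str, groups: Set[str]) -> Optional[Rule]:
    """Top rule first; the first rule the request fits is applied. None = reject."""
    for rule in rules:
        if device_matches(rule, device_type) and (rule.group is None or rule.group in groups):
            return rule
    return None


# Constructed rule set, ordered as an admin would arrange it: the narrow
# group-specific iPhone rule sits above the catch-all iPhone rule.
RULES = [
    Rule("execs-iphone", ("iPhone",), group="Executives", action="allow"),
    Rule("iphone-strip-attachments", ("iPhone",), action="allow-no-attachments"),
    # Windows Mobile sends both "PPC" and "PocketPC" in different protocol phases,
    # so one rule has to cover both or the device falls through in one phase.
    Rule("windows-mobile", ("PPC", "PocketPC"), action="allow-no-attachments"),
    Rule("nokia", ("IMEI",), prefix=True, action="mail-only"),
]


def decide(rules: List[Rule], device_type: str, groups: Set[str] = frozenset()) -> str:
    """Return the name of the applied rule, or 'REJECT' when no rule fits."""
    rule = select_rule(rules, device_type, groups)
    return rule.name if rule else "REJECT"


if __name__ == "__main__":
    for dt, grp in [("iPhone", {"Executives"}), ("iPhone", set()), ("PPC", set()),
                    ("PocketPC", set()), ("IMEI35123456789", set()), ("Android", set())]:
        print(dt, sorted(grp), "->", decide(RULES, dt, grp))
    # Putting the catch-all iPhone rule first shadows the executives rule.
    shadowed = [RULES[1], RULES[0]] + RULES[2:]
    print("shadowed:", decide(shadowed, "iPhone", {"Executives"}))
```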

4.3 Users

The Users tab handles the users that have access to perform ActiveSync and verifies that they do so with the registered device ID.

Verifying that the device ID matches the user prevents someone with access to the user's credentials from syncing using a different phone (device ID). This feature provides Two Factor Authentication (TFA) using something you know and something you have.

The ActiveSync filter includes basic support for this feature using a text file containing the username and the device ID approved for this user. For more advanced and enterprise enrollment options it is recommended to use the Mobile Access Control module.

To use the basic enrollment, check the "Each user can..." option and choose the file-based enrollment option. Then click on the User File Settings button.

Apart from editing it manually, creating a user list file can be done in two ways:

a. Running in Training mode - selecting this option will allow performing ActiveSync but will write to the Rejects file the username and device ID that performed the request.

b. Using the Rejects file list - this file stores all the requests that were rejected by the filter.

The Rejects file is in the same format as the Users file, so you can cut and paste between the files.

4.4 Servers

The Servers tab is used to define the LDAP connection to be used for the Group filtering option in the first (General) tab.

4.5 Defining web publishing (ISA/TMG only)

For ISA/TMG you can define the web publishing rules that you want the filter to run on. This is done in the Web Publishing tab.

4.6 Configuring a rule

General tab

In the General tab of the rule you can set the device type that the rule applies to and/or the user's Active Directory group membership.

Action tab

In the mail handling section you can choose the mail handling method:

Don't filter calendar-related mail - do not block meeting requests.

Block all mails - block all mails, both regular emails and meeting requests.

In the non-mail section you can choose whether to block Calendar, Tasks or Contacts.

In the attachment section you can define whether to remove attachments. This option applies to mail objects and to meeting request (calendar) objects. In the list below it you can define exceptions by file type.

Tip: to add a file type, right-click on the available list area to add a new value.

Extension tab

In the Extensions tab you can:

Block mails by origin - for example, block internal mails only.

Truncate mail with specific words in the subject.

Define the length to truncate to. If set to zero, the body is completely blocked.

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

471 Blocking Inline message

This option prevents sending messages within messages These are shown as attachments in

outlook with an outlook message

472 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software

For each header you want to block add the following child element to the mail element (inside the

appropriate rule)

ltblockHeader name=Header Name contains=Block Value gt

The contains attribute can be either a plain string or a regular expression (with Perl syntax) If the

string or regular expression is found (contained) in the header the message will be blocked If

you need an exact match start the contains attribute with a ^ character and end it with a $

character eg ltblockHeader name=Header Name contains=^Exact$ gt

The matching is case-insensetive

Full example

ltmail allow=true onlyCalendarMessages=false allowAttachments=falsegt

ltblockHeader name=Confidential Level contains=Secret gt

ltblockHeader name=Project Name contains=Top Information gt

ltmailgt

WWWAGATSOLUTIONSCOM

Page 19 of 31

The ability to request mail headers depends on the client

Some devices (eg iPhone) will display the message title but not its contents while other might

not request the header and therefore the message will not be blocked

48 Known issues

IAG doesnt give any indication if the filter fails to load for some reason (eg missing DLLs)

If theres an error while loading the configuration the filter terminates the containing IIS process

49 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol it

sends its Device Type to the server The ActiveSync filter uses this string to handle different

devices in different ways based on their types

Here are the Device Types for common mobile devices

Apple iPhone - iPhone

Windows Mobile - PPC PocketPC (note both Device Types are used by the same device in

different phases of the protocol)

Nokia - IMEI where the stands for a device-specific string That is different devices

of the same model have different Device Types but they all begin with the IMEI prefix The

configuration utility allows you to match Device Types by prefix so you can select IMEI as the

prefix to match Nokia devices

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead and for more advanced enrollment options it is

recommended to add the Mobile Access Control module to the solution

The module uses a DB amp web site to support the following enrollment options

Automatic Self Enrollment ndash Device ID is registered upon first use In this case the web site is

only for admin usage and is used to allow deleting users and tracking the registration process

This enrollment is done transparently by the user

WWWAGATSOLUTIONSCOM

Page 20 of 31

Self-Enrollment Registration ndash A tighter attitude is that the user must first register on an internal

site and then must Sync within a defined time frame to complete registration

Smart Card Enrollment ndash This enrollment is needed to allow a solution when customer works

with strong authentication rather than user name and password or when different credentials are

needed in order to protect the real AD account from being locked due to too many failures

User creates credentials on internal site (using strong login to view the site) The credentials

created are then used for authenticating against the filter and the filter preforms the logon

Kerberos) to the exchange on behalf of the user

6 Mobile Access Control installation

Note Product development name for Mobile Access Control is Angel

Typical architecture

WWWAGATSOLUTIONSCOM

Page 21 of 31

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Page 7 of 31

5 Place the ActiveSyncWFEdll DLL from the setup filter folder to

UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEBin

6 In the folder UAG-INSTALLATIONvonconfWebSitesTRUNK-NAMEConf create a

subfolder named CustomUpdate if it doesnt exist

7 Copy WFEListxml from the conf parent folder into the CustomUpdate subfolder and edit

it as follows

Add a new ltDLLgt node as a child node of ltDLL_NAMESgt node with the dll_name

attribute set accordingly

8 Send the full computer name to supportagatsolutionscom and receive a license file (lic)

9 Put the license file (lic) you received from supportagatsolutionscom in the Conf folder

Make sure it is named WhlFiltActiveSyncExlic

10 Run the configuration utility using the shortcut in the Conf folder and adjust filter settings

as needed When youre done click Save The configuration file will be created if it didnt

exist before

11 You can modify the message displayed when user is blocked in the first two lines of the

following file

CWhale-Come-GapvonInternalSiteLanguagessample_defaultxml

12 Restart IIS

WWWAGATSOLUTIONSCOM

Page 8 of 31

3 TMG ISA Install

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISATMG folder usually CProgram FilesMicrosoft ISA

Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

ActiveSyncWebFilterAdminexe

start-TMG ISA-ActiveSyncAdminbat

FPCLibdll

3 Make sure that ISATMG has permission to access these files

4 Run regsvr32 on ActiveSyncWebFilterdll (Click on Start -gt Run Type regsvr32 drag

ActiveSyncWebFilterdll into the text box and press Enter)

Note

Seeing a configuration error issued by the filter at this point is normal since the filter

configuration is not saved until the next step

5 Send the full computer name to supportagatsolutionscom and receive a license file (lic)

6 Put the license file (lic) you received from supportagatsolutionscom in the ISATMG

folder Make sure it is named ActiveSyncWebFilterlic

7 Put the license file (lic) you received from Agat in the ISATMG folder Make sure it is

named ActiveSyncWebFilterlic

8 Run the configuration utility according to the instructions under Configuration and save

the configuration

WWWAGATSOLUTIONSCOM

Page 9 of 31

9 If you have other ISATMG servers in the array follow the steps described under

Installing on ISA array members

31 Installing on ISA array members

Following the instructions in the Installation section installs the filter in the ISA array member

where you ran the commands However if you have more than one member in the ISA array you

still need to install the filter on the other array members

On each array member other than the one where you ran the Installation commands follow

these steps

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISA folder usually CProgram FilesMicrosoft ISA Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

3 Make sure that ISA server has permission to access these files

4 Run the included RegisterFilterInArrayMemberjs script

32 Removing installation

Follow these steps to remove Agat ActiveSync Web Filter from the computer

1 If you have other ISA servers in the array run the included

UnregisterFilterInArrayMemberjs script on each of the servers

2 Run the following command regsvr32 u cProgram FilesMicrosoft ISA

ServerActiveSyncWebFilterdll

3 Delete the DLLs and exe files that you copied during installations (You may need to

restart ISA before it will let you delete all the DLLs)

WWWAGATSOLUTIONSCOM

Page 10 of 31

4 Configuration

41 Starting up the GUI

Simply run the start-TMG ISA-ActiveSyncAdminbat or the start-UAG IAG-ActiveSyncAdminbat

Note for ISATMG - After you click Save ISA may take some time to reload and apply the

new configuration depending on its Array Configuration Storage settings

Note for IAGUAG - Make sure the current working directory is UAG-

INSTALLATIONvonconfWebSitesTRUNK-NAMEConf

Note for IAGUAG ndash restart IIS after changing configuration settings

42 Rules

Rules are defined for Device type (PPC iPhone etc) and or active directory group membership

The rule defines how to handle the content request

Main rule window

WWWAGATSOLUTIONSCOM

Page 11 of 31

Note The web publishing rule tab and the advanced options are relevant only to TMG ISA

Use the arrows to re-order the rules to fit your needs

Top rules are processed first and once a request fits a rule processing is stopped and the rule is

applied

Devices that dont match any rule are rejected ie they have no access to the Exchange server

After you save the configuration file restart IIS to apply the new configuration

4.3 Users

The Users tab handles the users that have access to perform ActiveSync and verifies that they do so with the registered device ID. Verifying that the device ID matches the user prevents someone with access to the user's credentials from syncing using a different phone (device ID). This feature provides Two Factor Authentication (TFA) using something you know and something you have.

The ActiveSync filter includes basic support for this feature using a text file containing the username and the device ID approved for this user. For more advanced and enterprise enrollment options it is recommended to use the Mobile Access Control module.

To use the basic enrollment, check the "Each user can..." option, choose the file-based enrollment option, and then click the User file settings button.

Creating a user list file can be done in two ways (manually):

a. Running in Training mode: selecting this option will allow performing ActiveSync, but will write to the Rejects file the username and device ID that performed the request.

b. Using the rejects file list: this file stores all the requests that were rejected by the filter.

The rejects file is in the same format as the users file, so you can cut-and-paste between the files.

4.4 Servers

The Servers tab is used to define the LDAP connection to be used for the Group filtering option in the first (General) tab.

4.5 Defining web publishing (ISA/TMG only)

For ISA/TMG you can define the web publishing rules that you want the filter to run on. This is done in the Web Publishing tab.

4.6 Configuring a rule

General tab

In the General tab of the rule you can set the device type that the rule applies to and/or the user's Active Directory group membership.

Action tab

In the mail handling section you can choose the mail handling method:

Don't filter calendar-related mail - do not block meeting requests.

Block all mails - block all mails, both regular emails and meeting requests.

In the non-mail section you can choose whether to block Calendar, Tasks or Contacts.

In the attachment section you can define to remove attachments. This option applies to mail objects and to meeting request calendar objects. In the list below you can define exceptions by file type.

Tip: to add a file type, right-click on the available list area to add a new value.

Extension tab

In the Extensions tab you can:

Block mails by origin - blocking, for example, internal mails only.

Truncate mail with specific words in the subject.

Define the length to truncate to. If set to zero, the body is completely blocked.

4.7 XML-only tweaks

This section includes features not supported by the admin UI that should be configured by manually editing the config XML.

In UAG/IAG it is located in the conf folder.

In ISA/TMG you must export the XML (from the Advanced menu at the top right corner of the admin), edit it, and then import it back. Importing an XML can be done by running the following command in the admin folder where importConfig.js is located:

cscript importConfig.js ActiveSyncWebFilter.dll <Path to XML Configuration File>

4.7.1 Blocking inline messages

This option prevents sending messages within messages. These are shown in Outlook as attachments containing an Outlook message.

4.7.2 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software. For each header you want to block, add the following child element to the mail element (inside the appropriate rule):

<blockHeader name="Header Name" contains="Block Value" />

The contains attribute can be either a plain string or a regular expression (with Perl syntax). If the string or regular expression is found (contained) in the header, the message will be blocked. If you need an exact match, start the contains attribute with a ^ character and end it with a $ character, e.g. <blockHeader name="Header Name" contains="^Exact$" />. The matching is case-insensitive.

Full example:

<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
</mail>

The ability to request mail headers depends on the client. Some devices (e.g. iPhone) will display the message title but not its contents, while others might not request the header at all, and therefore the message will not be blocked.
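The following added example (not AGAT's code) models the blockHeader semantics just described: each rule names a header and a contains pattern, matched case-insensitively anywhere in the header value, so ^...$ is needed for an exact match, and a header the client never requested cannot trigger a block. The rule XML is a constructed copy of the full example above, with the second rule anchored to exercise the exact-match case.

```python
"""Model of <blockHeader> matching inside a <mail> rule element.

Constructed, stand-alone example: the parsing and matching below reproduce the
rule semantics described in the manual, not the filter's own implementation.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed rule fragment (the manual's full example, second rule anchored).
RULE_XML = """
<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="^Top Information$" />
</mail>
"""


def load_block_headers(mail_xml: str) -> List[Tuple[str, "re.Pattern[str]"]]:
    """Parse <blockHeader> children into (header name, compiled regex) pairs.

    Header names are folded to lower case because mail header names are
    case-insensitive; the pattern is compiled with re.IGNORECASE to mirror the
    manual's "matching is case-insensitive". A plain string is just a regex
    with no metacharacters, so one code path covers both forms.
    """
    root = ET.fromstring(mail_xml.strip())
    rules = []
    for elem in root.findall("blockHeader"):
        name = elem.get("name")
        contains = elem.get("contains")
        if not name or contains is None:
            raise ValueError("blockHeader needs both name and contains")
        rules.append((name.lower(), re.compile(contains, re.IGNORECASE)))
    return rules


def first_blocking_rule(headers: Dict[str, str],
                        rules: List[Tuple[str, "re.Pattern[str]"]]) -> Optional[str]:
    """Return the header name of the first rule that blocks the message, or None.

    `headers` holds only the headers the client actually requested. A header
    that is absent never matches, which is exactly the caveat the manual gives
    for clients that do not request custom headers.
    """
    folded = {k.lower(): v for k, v in headers.items()}
    for name, pattern in rules:
        value = folded.get(name)
        if value is not None and pattern.search(value):
            return name
    return None


def is_blocked(headers: Dict[str, str], mail_xml: str = RULE_XML) -> bool:
    """True when any blockHeader rule in `mail_xml` matches the request headers."""
    return first_blocking_rule(headers, load_block_headers(mail_xml)) is not None
```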

4.8 Known issues

IAG doesn't give any indication if the filter fails to load for some reason (e.g. missing DLLs).

If there's an error while loading the configuration, the filter terminates the containing IIS process.

4.9 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol, it sends its Device Type to the server. The ActiveSync filter uses this string to handle different devices in different ways based on their types.

Here are the Device Types for common mobile devices:

Apple iPhone - iPhone

Windows Mobile - PPC, PocketPC (note: both Device Types are used by the same device in different phases of the protocol)

Nokia - IMEI*, where the * stands for a device-specific string. That is, different devices of the same model have different Device Types, but they all begin with the IMEI prefix. The configuration utility allows you to match Device Types by prefix, so you can select IMEI as the prefix to match Nokia devices.
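The added example below (not AGAT's code) ties section 4.2 and this section together: rules are evaluated top-down, the first match is applied, a request matching no rule is rejected, and a rule may match the Device Type exactly or by prefix (IMEI for Nokia). The rule fields and action names are constructed for illustration.

```python
"""Ordered rule matching on Device Type and AD group, first match wins.

Constructed model of the behaviour described in sections 4.2 and 4.9; the Rule
fields and the action strings are assumptions, not the filter's configuration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

REJECT = "reject"  # default when no rule fits: no access to Exchange (4.2)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                    # what the rule does to the request
    device_types: FrozenSet[str] = frozenset()     # exact Device Type strings
    device_prefixes: FrozenSet[str] = frozenset()  # prefix matches, e.g. {"IMEI"}
    groups: FrozenSet[str] = frozenset()           # AD groups; empty = any user

    def matches(self, device_type: str, user_groups: FrozenSet[str]) -> bool:
        # No device constraint at all means "any device"; otherwise the type
        # must be listed exactly or start with one of the configured prefixes.
        device_ok = (
            (not self.device_types and not self.device_prefixes)
            or device_type in self.device_types
            or any(device_type.startswith(p) for p in self.device_prefixes)
        )
        # No group constraint means "any user"; otherwise one shared group suffices.
        group_ok = not self.groups or bool(self.groups & user_groups)
        return device_ok and group_ok


def evaluate(rules: List[Rule], device_type: str, user_groups: Iterable[str]) -> str:
    """Top rules are processed first; processing stops at the first match."""
    groups = frozenset(user_groups)
    for rule in rules:
        if rule.matches(device_type, groups):
            return rule.action
    return REJECT


# Constructed rule set mirroring the manual's Device Type table. Order matters:
# a manager's iPhone hits the second rule before the catch-all iPhone rule.
RULES = [
    Rule("Windows Mobile, both protocol phases", "allow",
         device_types=frozenset({"PPC", "PocketPC"})),
    Rule("iPhone for managers", "allow",
         device_types=frozenset({"iPhone"}), groups=frozenset({"Managers"})),
    Rule("iPhone for everyone else", "strip-attachments",
         device_types=frozenset({"iPhone"})),
    Rule("Nokia by IMEI prefix", "block-attachments-and-contacts",
         device_prefixes=frozenset({"IMEI"})),
]
```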

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead, and for more advanced enrollment options, it is recommended to add the Mobile Access Control module to the solution. The module uses a DB & web site to support the following enrollment options:

Automatic Self Enrollment - the device ID is registered upon first use. In this case the web site is only for admin usage and is used to allow deleting users and tracking the registration process. This enrollment is done transparently to the user.

Self-Enrollment Registration - a tighter approach: the user must first register on an internal site and then must sync within a defined time frame to complete registration.

Smart Card Enrollment - this enrollment is needed when the customer works with strong authentication rather than user name and password, or when different credentials are needed in order to protect the real AD account from being locked due to too many failures. The user creates credentials on an internal site (using strong login to view the site). The credentials created are then used for authenticating against the filter, and the filter performs the logon (Kerberos) to Exchange on behalf of the user.

6 Mobile Access Control installation

Note: the product development name for Mobile Access Control is Angel.

Typical architecture

Certificate enrollment architecture

6.1 Database

1. Create a new MSSQL database or use an existing one.

2. Open the attached SQL script (SQLCreate.sql).

3. In the settings (last) section of the script, set values according to your needs.

Note: only users listed in the Admins value will see the link to the settings page on the web site.

4. Run the script.

6.2 Site

1. Copy the Angel folder to your web folder (e.g. c:\inetpub\wwwroot).

2. Change AngelConnectionString in web.config to fit your system settings. If you choose to use an integrated connection string, verify that the user running the application pool of the site has access to the DB.

3. Create a virtual directory in IIS for the Angel site.

4. Disable anonymous authentication in the site.

5. For Windows authentication, make sure the site is configured for it.

6. If you use Smart Card Authentication, configure your site to "Require User Certificate" and also provide a valid certificate for the server.

7. Users should browse to http://[hostname]/angel/default.aspx

8. Admins should browse to http://[hostname]/angel/admin/userslist.aspx

6.3 Web Service

Note: the web services are required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a Web Service to provide data to ActiveSyncFilter, as follows.

2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).

3. Change AngelConnectionString in web.config to fit your system settings.

4. Create a virtual directory in IIS for the AngelServicesWebHost site.

5. In ActiveSyncFilter, provide the path to the service: <your server path>/AngelServicesWebHost/AngelSrv.svc

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter (on the ForeFront machine) and a back-end consumer filter on the Exchange server. For detailed installation, please contact support@agatsolutions.com.

7 Mobile access control configuration

7.1 Automatic Self Enrollment

Select the following options for this enrollment process:

7.2 Self-Enrollment Registration

For enrollment based on Active Directory username and password, the web site is configured to use Windows authentication. The user logs into the site and starts the registration process by clicking the Register button. Once the button is clicked, the user must perform an ActiveSync operation from his device within the defined time frame. The filter then registers the device ID in the DB, linked to the user, for the ongoing authentication.

Select the following options for this enrollment:

In this case the user should log in to the following URL, http://[servername]/angel, and see this site:

7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where username and password are not managed in Active Directory and it is impossible or complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs into the site he creates (or auto-generates) a username and password. Once he clicks the Create button, he must perform an ActiveSync operation within a defined time frame. During the first operation the device ID is registered and linked to the user.

During the ongoing authentication the user enters the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. The AG Mobile Access Control filter then performs a login to the Exchange server using the AG Auth consumer filter installed on the Exchange server.

To configure Smart Card enrollment, select the same options as for Self-Enrollment Registration and change the site settings mode to SCA (Smart Card Logon).
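The added example below (not AGAT's code) models the timed enrollment flow of sections 7.2 and 7.3 together with the ongoing device-ID check of section 4.3: the user registers on the internal site, must sync from the device within the Timeout window (the "minutes to sync from registration" setting in section 8), the first sync binds the device ID to the user, and later syncs are accepted only from that device ID. The data structures, the reference time and the decision strings are constructed assumptions.

```python
"""Timed enrollment and device-ID binding (sections 4.3, 7.2, 7.3, Timeout setting).

Constructed model, not the Mobile Access Control implementation: it keeps the
DB rows in a dict and takes the current time as a parameter so the flow can be
stepped through deterministically.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed reference time; minutes() keeps callers free of datetime math.
T0 = datetime(2020, 4, 27, 9, 0, 0)


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


@dataclass
class Enrollment:
    registered_at: datetime            # when Register (7.2) or Create (7.3) was clicked
    device_id: Optional[str] = None    # bound by the first sync inside the window


class MobileAccessControl:
    """Minimal model of the filter's DB-backed device enrollment decisions."""

    def __init__(self, timeout_minutes: int):
        self.window = minutes(timeout_minutes)   # the Timeout site setting
        self.users: Dict[str, Enrollment] = {}

    def register(self, user: str, now: datetime) -> None:
        """User starts (or restarts) registration on the Angel site."""
        self.users[user] = Enrollment(registered_at=now)

    def delete_user(self, user: str) -> None:
        """Admin deletes the user from the admin page (section 8)."""
        self.users.pop(user, None)

    def sync(self, user: str, device_id: str, now: datetime) -> str:
        """Decide one ActiveSync request after the credentials have been checked."""
        rec = self.users.get(user)
        if rec is None:
            return "reject: user not registered"
        if rec.device_id is None:
            # Enrollment step: the first sync binds the device, but only
            # within the configured time frame after registration.
            if now - rec.registered_at > self.window:
                return "reject: registration window expired"
            rec.device_id = device_id
            return "allow: device enrolled"
        # Ongoing authentication: the credentials (something you know) and the
        # enrolled device ID (something you have) must both match.
        if rec.device_id != device_id:
            return "reject: device ID does not match enrolled device"
        return "allow"


def run_scenario() -> List[str]:
    """Walk one user through enrollment, normal use, and a mismatching device."""
    mac = MobileAccessControl(timeout_minutes=30)
    mac.register("alice", T0)
    return [
        mac.sync("alice", "DEV-A", T0 + minutes(5)),    # binds DEV-A
        mac.sync("alice", "DEV-A", T0 + minutes(120)),  # same device, accepted
        mac.sync("alice", "DEV-X", T0 + minutes(121)),  # valid password, other phone
    ]
```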

When the user browses to the Angel site URL he will see something like this:

8 Mobile Access Control site admin

The admin page is located at the following URL: http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button. Every admin user that has access to the admin page will see only the users from his own domain. Only the user listed in the web.config <appSettings> admin value will see all users.

Pressing Edit Settings will display the following window:

Relevance (enrollment type) | Name            | Description
All                         | Admins          | Users that are allowed to access the EDIT tab in the admin site. Enter as domain\user, or just enter the string Everyone to allow anyone with access to the admin site to change settings.
Self enrollment             | Type            | Windows Authentication
Smart Card                  | Type            | SCA = Smart Card Authentication
Smart Card                  | Type            | SCASimulation - simulates the smart card enrollment without needing to define the site as smart card. Good for just using different credentials than AD.
All                         | DefaultLanguage | en / heb
Smart Card                  | LoginLength     | Length of user name
Smart Card                  | PassLength      | Password length
Smart Card, Self-enrollment | Timeout         | Minutes to sync from registration
Smart Card, Self-enrollment | Usedomain       | Enter yes to allow displaying users only from your domain
Smart Card                  | UserNamePrefix  | Adds a prefix to the user name

You can also manage users from the filter console by pressing the Manage users button.

9 Troubleshooting

The filter will write debugging traces into C:\WhlFiltActiveSyncEx\log.txt if that file exists. You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged for IAG/UAG only when the trace level is ALL. Requests are logged in the Cas\logs directory if it exists and is set up with the correct permissions.

For further help please contact <support@agatsolutions.com>.


WWWAGATSOLUTIONSCOM

Page 9 of 31

9 If you have other ISATMG servers in the array follow the steps described under

Installing on ISA array members

31 Installing on ISA array members

Following the instructions in the Installation section installs the filter in the ISA array member

where you ran the commands However if you have more than one member in the ISA array you

still need to install the filter on the other array members

On each array member other than the one where you ran the Installation commands follow

these steps

1 Run vcredist_x86exe (on 32-bit machines) or vcredist_x64exe (on 64-bit machines) to

install the Visual C++ 2008 runtime

2 Copy the following files to the ISA folder usually CProgram FilesMicrosoft ISA Server

ActiveSyncWebFilterdll

wbxml2dll

libexpatdll

3 Make sure that ISA server has permission to access these files

4 Run the included RegisterFilterInArrayMemberjs script

32 Removing installation

Follow these steps to remove Agat ActiveSync Web Filter from the computer

1 If you have other ISA servers in the array run the included

UnregisterFilterInArrayMemberjs script on each of the servers

2 Run the following command regsvr32 u cProgram FilesMicrosoft ISA

ServerActiveSyncWebFilterdll

3 Delete the DLLs and exe files that you copied during installations (You may need to

restart ISA before it will let you delete all the DLLs)

WWWAGATSOLUTIONSCOM

Page 10 of 31

4 Configuration

4.1 Starting up the GUI

Simply run the start-TMG ISA-ActiveSyncAdmin.bat or the start-UAG IAG-ActiveSyncAdmin.bat script.

Note for ISA/TMG: after you click Save, ISA may take some time to reload and apply the new configuration, depending on its Array Configuration Storage settings.

Note for IAG/UAG: make sure the current working directory is <UAG-INSTALLATION>\von\conf\WebSites\<TRUNK-NAME>\Conf.

Note for IAG/UAG: restart IIS after changing configuration settings.

4.2 Rules

Rules are defined for Device Type (PPC, iPhone, etc.) and/or Active Directory group membership. The rule defines how to handle the content request.

Main rule window:


Note: the Web Publishing rule tab and the advanced options are relevant only to TMG/ISA.

Use the arrows to re-order the rules to fit your needs. Top rules are processed first; once a request fits a rule, processing stops and that rule is applied. Devices that don't match any rule are rejected, i.e. they have no access to the Exchange server.

After you save the configuration file, restart IIS to apply the new configuration.

4.3 Users

The Users tab handles the users that have access to perform ActiveSync and verifies that they do so with the registered device ID. Verifying that the device ID matches the user prevents someone with access to the user's credentials from syncing using a different phone (device ID). This feature provides Two Factor Authentication (TFA) using something you know and something you have.

The ActiveSync filter includes basic support for this feature using a text file containing the username and the device ID approved for that user. For more advanced and enterprise enrollment options it is recommended to use the Mobile Access Control module.

To use the basic enrollment, check the "Each user can…" option and choose the file-based enrollment option. Then click on the "User file settings" button.


Creating a user list file can be done in two ways (besides writing it manually):

a. Running in Training mode: selecting this option allows ActiveSync to proceed, but writes to the Rejects file the username and device ID that performed the request.

b. Using the rejects file list: this file stores all the requests that were rejected by the filter.

The rejects file is in the same format as the users file, so you can cut-and-paste between the files.


4.4 Servers

The Servers tab is used to define the LDAP connection to be used for the Group filtering option in the first (General) tab.


4.5 Defining web publishing (ISA/TMG only)

For ISA/TMG you can define the web publishing rules that you want the filter to run on. This is done in the Web Publishing tab.


4.6 Configuring a rule

General tab

In the General tab of the rule you can set the device type that the rule applies to and/or the user's Active Directory group membership.


Action tab

In the mail handling section you can choose the mail handling method:

Don't filter calendar related mail - do not block meeting requests.
Block all mails - block all mails, both regular emails and meeting requests.

In the non-mail section you can choose whether to block Calendar, Tasks or Contacts.

In the attachment section you can define whether to remove attachments. This option applies to mail objects and to meeting request calendar objects. In the list below you can define exceptions by file type.

Tip: to add a file type, right-click on the available list area to add a new value.


Extension tab

In the Extensions tab you can:

Block mails by Origin - for example, block internal mails only.
Truncate mail with specific words in the subject.
Define the length to truncate to. If set to zero, the body is completely blocked.


4.7 XML-only tweaks

This section covers features not supported by the admin UI that must be configured by manually editing the config XML.

In UAG/IAG it is located in the conf folder.

In ISA/TMG you must export the XML (from the advanced menu at the top right corner of the admin UI), edit it, and then import it back. Importing an XML can be done by running the following command in the admin folder where importConfig.js is located:

cscript importConfig.js ActiveSyncWebFilter.dll <Path to XML Configuration File>

4.7.1 Blocking inline messages

This option prevents sending messages within messages. These are shown in Outlook as attachments containing an Outlook message.

4.7.2 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software.

For each header you want to block, add the following child element to the mail element (inside the appropriate rule):

<blockHeader name="Header Name" contains="Block Value" />

The contains attribute can be either a plain string or a regular expression (with Perl syntax). If the string or regular expression is found (contained) in the header, the message is blocked. If you need an exact match, start the contains attribute with a ^ character and end it with a $ character, e.g. <blockHeader name="Header Name" contains="^Exact$" />. The matching is case-insensitive.

Full example:

<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
</mail>


The ability to request mail headers depends on the client. Some devices (e.g. iPhone) will display the message title but not its contents, while others might not request the header at all, in which case the message will not be blocked.
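As an added illustration (not AGAT's code), the following Python models how the blockHeader rules above are evaluated: the contains value is compiled as a case-insensitive regular expression, a ^…$ value gives an exact match, and a header the client never requested cannot trigger a block. The enclosing <rule> element and the sample messages are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed configuration: the <mail> element from the page's full example, with
# the second rule anchored for an exact match. The enclosing <rule> element is an
# assumption; only <mail> and <blockHeader> are documented on the page.
CONFIG_XML = """
<rule>
  <mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
    <blockHeader name="Confidential Level" contains="Secret" />
    <blockHeader name="Project Name" contains="^Top Information$" />
  </mail>
</rule>
"""


def load_block_headers(xml_text):
    """Return [(header_name, compiled_pattern)] for every blockHeader element.

    'contains' is either a plain string or a Perl-style regex; a plain string is
    compiled as a regex too, which is what 'found (contained) in the header' means
    for strings without metacharacters. Matching is case-insensitive.
    """
    root = ET.fromstring(xml_text)
    return [
        (elem.get("name"), re.compile(elem.get("contains"), re.IGNORECASE))
        for elem in root.iter("blockHeader")
    ]


def is_blocked(headers, block_headers):
    """Decide whether a message is blocked.

    headers: {name: value} for the headers the client actually requested. Header
    names are compared case-insensitively here (an assumption based on MIME
    header semantics; the page only says the value match is case-insensitive).
    Returns (blocked, matched_header_name_or_None).
    """
    present = {name.lower(): value for name, value in headers.items()}
    for name, pattern in block_headers:
        value = present.get(name.lower())
        # A header the client did not request is absent, so the rule cannot fire:
        # this is the page's caveat about clients that do not fetch headers.
        if value is not None and pattern.search(value):
            return True, name
    return False, None


BLOCK_HEADERS = load_block_headers(CONFIG_XML)

# Constructed sample messages as the filter would see them from different clients.
SAMPLE_MESSAGES = {
    "plain substring, different case": {"Confidential Level": "TOP SECRET"},
    "exact match required, matches":   {"Project Name": "top information"},
    "exact match required, superset":  {"Project Name": "Top Information Sheet"},
    "client did not request headers":  {},
}


def evaluate_samples():
    """Map each sample label to True (blocked) or False (allowed)."""
    return {label: is_blocked(hdrs, BLOCK_HEADERS)[0]
            for label, hdrs in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, blocked in evaluate_samples().items():
        print("%-34s -> %s" % (label, "BLOCKED" if blocked else "allowed"))
```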

4.8 Known issues

IAG doesn't give any indication if the filter fails to load for some reason (e.g. missing DLLs).

If there's an error while loading the configuration, the filter terminates the containing IIS process.

4.9 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol, it sends its Device Type to the server. The ActiveSync filter uses this string to handle different devices in different ways based on their types.

Here are the Device Types for common mobile devices:

Apple iPhone - iPhone
Windows Mobile - PPC, PocketPC (note: both Device Types are used by the same device in different phases of the protocol)
Nokia - IMEI*, where the * stands for a device-specific string. That is, different devices of the same model have different Device Types, but they all begin with the IMEI prefix. The configuration utility allows you to match Device Types by prefix, so you can select IMEI as the prefix to match Nokia devices.
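As an added example (not AGAT's code), here is a Python model of the decision order the manual describes: the ordered rule list on Device Type and AD group from sections 4.2, 4.6 and 4.9 (including the IMEI* prefix match and the two Windows Mobile Device Types), followed by the Users-tab device-ID binding and Training mode of section 4.3. The Rule class, the in-memory users list and the sample Device Types and IDs are this example's own assumptions, not the product's formats.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    device_type: str                 # exact Device Type, or a prefix ending in '*' (e.g. "IMEI*")
    ad_group: Optional[str] = None   # None: the rule has no group condition


def device_type_matches(pattern: str, device_type: str) -> bool:
    """'IMEI*' matches every Device Type beginning with 'IMEI'; anything else is an
    exact comparison. Case-sensitive comparison is an assumption of this example."""
    if pattern.endswith("*"):
        return device_type.startswith(pattern[:-1])
    return device_type == pattern


def select_rule(rules: List[Rule], device_type: str, groups: Set[str]) -> Optional[Rule]:
    """Top rule first; processing stops at the first rule the request fits.
    None means no rule fits, which the filter treats as a reject."""
    for rule in rules:
        if not device_type_matches(rule.device_type, device_type):
            continue
        if rule.ad_group is not None and rule.ad_group not in groups:
            continue
        return rule
    return None


def check_device_binding(user: str, device_id: str, approved: Dict[str, Set[str]],
                         training_mode: bool, rejects: List[Tuple[str, str]]) -> bool:
    """Users-tab check: the sync must come from a device ID registered for this user
    (something you have, on top of the password). An unregistered pair is written to
    the rejects list either way; in Training mode the sync is still allowed so the
    admin can later move the pair from the rejects file into the users file."""
    if device_id in approved.get(user, set()):
        return True
    rejects.append((user, device_id))
    return training_mode


def decide(rules: List[Rule], approved: Dict[str, Set[str]], training_mode: bool,
           rejects: List[Tuple[str, str]], user: str, device_type: str,
           device_id: str, groups: Set[str]) -> str:
    """Full decision for one ActiveSync request: rule selection, then device binding."""
    rule = select_rule(rules, device_type, groups)
    if rule is None:
        return "reject: no matching rule"
    if not check_device_binding(user, device_id, approved, training_mode, rejects):
        return "reject: device ID not registered for user"
    return "allow: " + rule.name


# Constructed sample configuration (names, groups and device IDs are made up).
RULES = [
    Rule("Windows Mobile, Mobile-Users (PPC phase)", "PPC", "Mobile-Users"),
    Rule("Windows Mobile, Mobile-Users (PocketPC phase)", "PocketPC", "Mobile-Users"),
    Rule("Nokia, any group", "IMEI*"),
    Rule("iPhone, Executives only", "iPhone", "Executives"),
]
APPROVED = {"alice": {"APPL0001"}, "bob": {"NOK0001"}}


if __name__ == "__main__":
    rejects: List[Tuple[str, str]] = []
    requests = [
        ("alice", "iPhone", "APPL0001", {"Executives"}),   # allow
        ("alice", "iPhone", "APPL0001", {"Sales"}),        # reject: no matching rule
        ("bob", "IMEI351234567", "NOK0001", set()),        # allow via the IMEI* prefix
        ("alice", "iPhone", "OTHER0009", {"Executives"}),  # reject: wrong device ID
    ]
    for user, dtype, dev_id, groups in requests:
        print(user, dtype, dev_id, "->",
              decide(RULES, APPROVED, False, rejects, user, dtype, dev_id, groups))
    print("rejects file would now hold:", rejects)
```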

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead, and for more advanced enrollment options, it is recommended to add the Mobile Access Control module to the solution.

The module uses a DB & web site to support the following enrollment options:

Automatic Self Enrollment - the Device ID is registered upon first use. In this case the web site is only for admin usage and is used to delete users and track the registration process. This enrollment is transparent to the user.


Self-Enrollment Registration - a tighter approach in which the user must first register on an internal site and then must sync within a defined time frame to complete registration.

Smart Card Enrollment - this enrollment is needed when the customer works with strong authentication rather than username and password, or when different credentials are needed in order to protect the real AD account from being locked due to too many failures. The user creates credentials on an internal site (using strong login to view the site). The created credentials are then used for authenticating against the filter, and the filter performs the logon (Kerberos) to Exchange on behalf of the user.

6 Mobile Access Control installation

Note: the product development name for Mobile Access Control is Angel.

Typical architecture:


Certificate enrollment architecture:

6.1 Database

1. Create a new MSSQL database or use an existing one.

2. Open the attached SQL script (SQLCreate.sql).

3. In the settings (last) section of the script, set values according to your needs.
   Note: only users listed in the Admins value will see the link to the settings on the web site.

4. Run the script.

6.2 Site

1. Copy the Angel folder to your web folder (e.g. c:\inetpub\wwwroot).


2. Change AngelConnectionString in web.config to fit your system settings. If you choose to use an integrated connection string, verify that the user running the site's application pool has access to the DB.

3. Create a virtual directory in IIS for the Angel site.

4. Disable anonymous authentication in the site.

5. For Windows authentication, make sure the site is configured accordingly.

6. If you use Smart Card Authentication, configure your site to "Require User Certificate" and also provide a valid certificate for the server.

7. Users should browse to http://[hostname]/angel/default.aspx

8. Admins should browse to http://[hostname]/angel/admin/userslist.aspx

6.3 WEB Service

Note: the web services are required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a Web Service to provide data to ActiveSyncFilter.

2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).

3. Change AngelConnectionString in web.config to fit your system settings.


4. Create a virtual directory in IIS for the AngelServicesWebHost site.

5. Provide the path to ActiveSyncFilter: <your server path>/AngelServicesWebHost/AngelSrv.svc

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test Connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter (on the ForeFront machine) and a back-end consumer on the Exchange server. For detailed installation please contact support@agatsolutions.com.

7 Mobile access control configuration

7.1 Automatic Self Enrollment

Select the following options for this enrollment process:


7.2 Self-Enrollment Registration

For enrollment based on Active Directory username and password, the web site is configured to use Windows authentication.

The user logs into the site and starts the registration process by clicking the Register button. Once the button is clicked, the user must perform an ActiveSync operation from his device within the defined time frame. The filter then registers the device ID in the DB, linked to the user, for the ongoing authentication.

Select the following options for this enrollment:


In this case the user should log in to the following URL, http://[servername]/angel, and see this site:


7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where username and password are not managed in Active Directory and it is impossible or complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs into the site he creates (or auto-generates) a username and password. After clicking the Create button he must perform an ActiveSync operation within the defined time frame. During the first operation the device ID is registered and linked to the user.

During the ongoing authentication the user enters the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. It then performs a login to the Exchange server using the AG Auth consumer filter installed on Exchange.

To configure smart card enrollment, select the same options as for self-enrollment registration and change the site settings mode to SCA (Smart Card Logon).

When the user browses to the Angel site URL he will see something like this:


8 Mobile Access Control site admin

The admin page is located at the following URL: http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button. Every admin user that has access to the admin page will see only the users from his own domain. Only the user listed in the web.config <appSettings> admin value will see all users.


Pressing Edit Settings displays the following window:

Relevance (enrollment type)  | Description                                                                 | Name
-----------------------------|-----------------------------------------------------------------------------|---------------
All                          | Users that are allowed to access the EDIT tab in the admin site. Enter as   | Admins
                             | domain\user, or just enter the string Everyone to allow anyone with access  |
                             | to the admin site to change settings.                                       |
Self enrollment              | Windows Authentication                                                      | Type
Smart Card                   | SCA = Smart Card Authentication                                             | Type
Smart Card                   | SCASimulation = simulates the smart card enrollment without needing to      | Type
                             | define the site as smart card. Good for just using different credentials    |
                             | than AD.                                                                    |
All                          | en, heb                                                                     | DefaultLanguage
Smart Card                   | Length of user name                                                         | LoginLength
Smart Card                   | Password length                                                             | PassLength
Smart Card, Self-enrollment  | Minutes to sync from registration                                           | Timeout
Smart Card, Self-enrollment  | Enter yes to allow displaying users only from your domain                   | Usedomain
Smart Card                   | Adds a prefix to user name                                                  | UserNamePrefix

You can also manage users from the filter console by pressing the Manage Users button.


9 Troubleshooting

The filter writes debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists. You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged for IAG/UAG only when the trace level is ALL. Requests are logged in the Caslogs directory if it exists and is set up with the correct permissions.

For further help please contact <support@agatsolutions.com>.

WWWAGATSOLUTIONSCOM

Page 10 of 31

4 Configuration

41 Starting up the GUI

Simply run the start-TMG ISA-ActiveSyncAdminbat or the start-UAG IAG-ActiveSyncAdminbat

Note for ISATMG - After you click Save ISA may take some time to reload and apply the

new configuration depending on its Array Configuration Storage settings

Note for IAGUAG - Make sure the current working directory is UAG-

INSTALLATIONvonconfWebSitesTRUNK-NAMEConf

Note for IAGUAG ndash restart IIS after changing configuration settings

42 Rules

Rules are defined for Device type (PPC iPhone etc) and or active directory group membership

The rule defines how to handle the content request

Main rule window

WWWAGATSOLUTIONSCOM

Page 11 of 31

Note The web publishing rule tab and the advanced options are relevant only to TMG ISA

Use the arrows to re-order the rules to fit your needs

Top rules are processed first and once a request fits a rule processing is stopped and the rule is

applied

Devices that dont match any rule are rejected ie they have no access to the Exchange server

After you save the configuration file restart IIS to apply the new configuration

43 Users

The users tab handles the users that have access to perform ActiveSync and verifies that they do so

with the registered device ID

Verifying that the device ID matches the user prevents someone with access to the users

credentials from syncing using a different phone (device ID)

This feature provides a Two Factor Authentication (TFA) using something you know and

something you have

The ActiveSync filter includes basic support of this feature using a text file containing the

username and the device ID approved for this user

For more advanced and enterprise enrollment options it is recommended to use the mobile access

control module

To use the basic enrollment- check the Each use canhellip and choose the file based enrollment

option Then click on the User file settings button

WWWAGATSOLUTIONSCOM

Page 12 of 31

Creating a user list file can be done in two ways (Manually)

a Running in Training mode - selecting this option will allow performing ActiveSync but will

write to the Rejects file the username and device ID that preformed the request

b Using the rejects file list - this file stores all the requests that were rejected by the filter

The rejects file is in the same format as the users file so you can cut-and-paste between the files

WWWAGATSOLUTIONSCOM

Page 13 of 31

44 Servers

The servers tab is used to define the LDAP connection to be used for the Group filtering option in

the first general tab

WWWAGATSOLUTIONSCOM

Page 14 of 31

45 Defining web publishing (ISATMG only)

For the ISATMG you can define the web publishing rules that you want the filter to run on

This is done in the Web Publishing tab

WWWAGATSOLUTIONSCOM

Page 15 of 31

46 Configuring a rule

General tab

In the general tab of the rule you can set the device type that the rule applies to and or the users

active directory group membership

WWWAGATSOLUTIONSCOM

Page 16 of 31

Action tab

In the mail handling section you can choose the mail handling method

Dont filter calendar related mail - do not block meeting requests

Block all mails - block all mails both as regular emails and meeting requests

In the non-mail section you can choose whether to block calendar Tasks or Contacts

In the attachment section you can define to remove attachments

This option applies to mail objects and and meeting requests calendar objects

In the list below you can define exceptions by files types

Tip To add a file type ndash right click on the available list area to add a new value

WWWAGATSOLUTIONSCOM

Page 17 of 31

Extension tab

In the extensions tab you can

Block mails by Origin - blocking for example internal mails only

Truncate mail with specific words in subject

Define length to truncate If set to zero the body is completely blocked

WWWAGATSOLUTIONSCOM

Page 18 of 31

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

471 Blocking Inline message

This option prevents sending messages within messages These are shown as attachments in

outlook with an outlook message

472 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software

For each header you want to block add the following child element to the mail element (inside the

appropriate rule)

ltblockHeader name=Header Name contains=Block Value gt

The contains attribute can be either a plain string or a regular expression (with Perl syntax) If the

string or regular expression is found (contained) in the header the message will be blocked If

you need an exact match start the contains attribute with a ^ character and end it with a $

character eg ltblockHeader name=Header Name contains=^Exact$ gt

The matching is case-insensetive

Full example

ltmail allow=true onlyCalendarMessages=false allowAttachments=falsegt

ltblockHeader name=Confidential Level contains=Secret gt

ltblockHeader name=Project Name contains=Top Information gt

ltmailgt

WWWAGATSOLUTIONSCOM

Page 19 of 31

The ability to request mail headers depends on the client

Some devices (eg iPhone) will display the message title but not its contents while other might

not request the header and therefore the message will not be blocked

48 Known issues

IAG doesnt give any indication if the filter fails to load for some reason (eg missing DLLs)

If theres an error while loading the configuration the filter terminates the containing IIS process

49 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol it

sends its Device Type to the server The ActiveSync filter uses this string to handle different

devices in different ways based on their types

Here are the Device Types for common mobile devices

Apple iPhone - iPhone

Windows Mobile - PPC PocketPC (note both Device Types are used by the same device in

different phases of the protocol)

Nokia - IMEI where the stands for a device-specific string That is different devices

of the same model have different Device Types but they all begin with the IMEI prefix The

configuration utility allows you to match Device Types by prefix so you can select IMEI as the

prefix to match Nokia devices

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead and for more advanced enrollment options it is

recommended to add the Mobile Access Control module to the solution

The module uses a DB amp web site to support the following enrollment options

Automatic Self Enrollment ndash Device ID is registered upon first use In this case the web site is

only for admin usage and is used to allow deleting users and tracking the registration process

This enrollment is done transparently by the user

WWWAGATSOLUTIONSCOM

Page 20 of 31

Self-Enrollment Registration ndash A tighter attitude is that the user must first register on an internal

site and then must Sync within a defined time frame to complete registration

Smart Card Enrollment ndash This enrollment is needed to allow a solution when customer works

with strong authentication rather than user name and password or when different credentials are

needed in order to protect the real AD account from being locked due to too many failures

User creates credentials on internal site (using strong login to view the site) The credentials

created are then used for authenticating against the filter and the filter preforms the logon

Kerberos) to the exchange on behalf of the user

6 Mobile Access Control installation

Note Product development name for Mobile Access Control is Angel

Typical architecture

WWWAGATSOLUTIONSCOM

Page 21 of 31

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Page 11 of 31

Note The web publishing rule tab and the advanced options are relevant only to TMG ISA

Use the arrows to re-order the rules to fit your needs

Top rules are processed first and once a request fits a rule processing is stopped and the rule is

applied

Devices that dont match any rule are rejected ie they have no access to the Exchange server

After you save the configuration file restart IIS to apply the new configuration

43 Users

The users tab handles the users that have access to perform ActiveSync and verifies that they do so

with the registered device ID

Verifying that the device ID matches the user prevents someone with access to the users

credentials from syncing using a different phone (device ID)

This feature provides a Two Factor Authentication (TFA) using something you know and

something you have

The ActiveSync filter includes basic support of this feature using a text file containing the

username and the device ID approved for this user

For more advanced and enterprise enrollment options it is recommended to use the mobile access

control module

To use the basic enrollment- check the Each use canhellip and choose the file based enrollment

option Then click on the User file settings button

WWWAGATSOLUTIONSCOM

Page 12 of 31

Creating a user list file can be done in two ways (Manually)

a Running in Training mode - selecting this option will allow performing ActiveSync but will

write to the Rejects file the username and device ID that preformed the request

b Using the rejects file list - this file stores all the requests that were rejected by the filter

The rejects file is in the same format as the users file so you can cut-and-paste between the files

WWWAGATSOLUTIONSCOM

Page 13 of 31

44 Servers

The servers tab is used to define the LDAP connection to be used for the Group filtering option in

the first general tab

WWWAGATSOLUTIONSCOM

Page 14 of 31

45 Defining web publishing (ISATMG only)

For the ISATMG you can define the web publishing rules that you want the filter to run on

This is done in the Web Publishing tab

WWWAGATSOLUTIONSCOM

Page 15 of 31

46 Configuring a rule

General tab

In the general tab of the rule you can set the device type that the rule applies to and or the users

active directory group membership

WWWAGATSOLUTIONSCOM

Page 16 of 31

Action tab

In the mail handling section you can choose the mail handling method

Dont filter calendar related mail - do not block meeting requests

Block all mails - block all mails both as regular emails and meeting requests

In the non-mail section you can choose whether to block calendar Tasks or Contacts

In the attachment section you can define to remove attachments

This option applies to mail objects and and meeting requests calendar objects

In the list below you can define exceptions by files types

Tip To add a file type ndash right click on the available list area to add a new value

WWWAGATSOLUTIONSCOM

Page 17 of 31

Extension tab

In the extensions tab you can

Block mails by Origin - blocking for example internal mails only

Truncate mail with specific words in subject

Define length to truncate If set to zero the body is completely blocked

WWWAGATSOLUTIONSCOM

Page 18 of 31

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

4.7.1 Blocking inline messages

This option prevents sending messages within messages. These are shown in Outlook as attachments that contain an Outlook message.

4.7.2 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software.

For each header you want to block, add the following child element to the mail element (inside the appropriate rule):

    <blockHeader name="Header Name" contains="Block Value" />

The contains attribute can be either a plain string or a regular expression (with Perl syntax). If the string or regular expression is found (contained) in the header, the message will be blocked. If you need an exact match, start the contains attribute with a ^ character and end it with a $ character, e.g.:

    <blockHeader name="Header Name" contains="^Exact$" />

The matching is case-insensitive.

Full example:

    <mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
        <blockHeader name="Confidential Level" contains="Secret" />
        <blockHeader name="Project Name" contains="Top Information" />
    </mail>


The ability to request mail headers depends on the client. Some devices (e.g. iPhone) will display the message title but not its contents, while others might not request the header at all, in which case the message will not be blocked.
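The following is an added example, not code from the manual or from AGAT, showing how the blockHeader semantics described above (a contains attribute that is a substring or Perl-style regular expression, searched case-insensitively, with ^...$ for an exact match) play out against a few constructed messages. It parses the <mail> element in the shape shown in the manual with Python's standard XML parser and approximates Perl regex syntax with Python's re module; the sample rule XML, the header values and the assumption that a header the client never requested simply cannot match are all constructed for this demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed <mail> element in the shape documented in section 4.7.2.
# The values are examples for this demonstration, not a real configuration.
RULE_XML = """
<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
  <blockHeader name="X-Classification" contains="^Internal$" />
</mail>
"""


def load_block_headers(xml_text):
    """Parse <blockHeader> children of <mail> into (header name, compiled regex) pairs.

    The contains attribute is compiled as a regular expression and searched
    anywhere in the header value, case-insensitively. A plain string is just a
    regex without metacharacters, so one code path covers both forms; anchors
    (^...$) turn the search into an exact match.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for elem in root.findall("blockHeader"):
        pattern = re.compile(elem.attrib["contains"], re.IGNORECASE)
        rules.append((elem.attrib["name"], pattern))
    return rules


def blocking_reason(headers, rules):
    """Return the name of the first blockHeader rule that matches, or None.

    `headers` maps header name -> value as the client requested them. Header
    names are compared case-insensitively. A header the client did not request
    is absent and therefore cannot match (the caveat in the manual).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, pattern in rules:
        value = lowered.get(name.lower())
        if value is not None and pattern.search(value):
            return name
    return None


# Constructed messages for the demonstration.
SAMPLES = {
    "secret_project": {"Confidential Level": "top-SECRET", "Subject": "Q3"},
    "internal_exact": {"X-Classification": "Internal"},
    "internal_partial": {"X-Classification": "Internal-Only"},
    "no_headers_requested": {"Subject": "Lunch"},
}


def evaluate_samples():
    """Map each constructed message to the rule that blocks it (or None)."""
    rules = load_block_headers(RULE_XML)
    return {label: blocking_reason(hdrs, rules) for label, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for label, reason in evaluate_samples().items():
        print(f"{label}: {'BLOCK (' + reason + ')' if reason else 'allow'}")
```

Note that "Internal-Only" is not blocked by the anchored pattern, while "top-SECRET" is blocked by the unanchored "Secret": when the header is produced by a classification tool with a fixed vocabulary, an anchored pattern avoids surprising partial matches; when its format varies, the substring form is the safer default.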

4.8 Known issues

IAG doesn't give any indication if the filter fails to load for some reason (e.g. missing DLLs).

If there's an error while loading the configuration, the filter terminates the containing IIS process.

4.9 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol, it sends its Device Type to the server. The ActiveSync filter uses this string to handle different devices in different ways based on their types.

Here are the Device Types for common mobile devices:

Apple iPhone - iPhone

Windows Mobile - PPC, PocketPC (note: both Device Types are used by the same device in different phases of the protocol)

Nokia - IMEI*, where the * stands for a device-specific string. That is, different devices of the same model have different Device Types, but they all begin with the IMEI prefix. The configuration utility allows you to match Device Types by prefix, so you can select IMEI as the prefix to match Nokia devices.
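As an added illustration of how the rule's general tab (device type and/or Active Directory group membership, section 4.6) combines with the device-type list above, the example below is not code from the manual or from AGAT. It models a rule as a small data class and selects the first rule whose conditions hold for a request. The Rule structure, the first-match ordering, the case-sensitive prefix comparison and the sample rule set are all assumptions made for this demonstration; only the device-type strings (iPhone, PPC, PocketPC, IMEI prefix) come from the manual.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """Constructed rule model: a name plus the two general-tab conditions."""
    name: str
    device_types: tuple = ()            # exact types, or a prefix ending in '*'
    groups: frozenset = frozenset()     # AD group names; empty means any user


def device_type_matches(device_type, pattern):
    """Exact match, or prefix match when the pattern ends with '*' (e.g. 'IMEI*')."""
    if pattern.endswith("*"):
        return device_type.startswith(pattern[:-1])
    return device_type == pattern


def rule_applies(rule, device_type, user_groups):
    """Both conditions must hold; an empty condition matches everything."""
    type_ok = not rule.device_types or any(
        device_type_matches(device_type, p) for p in rule.device_types
    )
    group_ok = not rule.groups or bool(rule.groups & user_groups)
    return type_ok and group_ok


def select_rule(rules, device_type, user_groups):
    """Return the name of the first applicable rule, or None (first-match is an assumption)."""
    for rule in rules:
        if rule_applies(rule, device_type, user_groups):
            return rule.name
    return None


# Constructed rule set: most specific first, a catch-all last.
RULES = [
    Rule("exec-iphone", device_types=("iPhone",), groups=frozenset({"Executives"})),
    Rule("nokia-any", device_types=("IMEI*",)),
    # Windows Mobile sends PPC and PocketPC in different protocol phases,
    # so a rule for those devices needs both strings.
    Rule("winmobile", device_types=("PPC", "PocketPC")),
    Rule("default-block"),
]


def demo():
    """Evaluate a few constructed requests (device type, user's AD groups)."""
    cases = {
        "exec_iphone": ("iPhone", frozenset({"Executives", "Staff"})),
        "staff_iphone": ("iPhone", frozenset({"Staff"})),
        "nokia": ("IMEI123456789012345", frozenset()),
        "winmobile_phase2": ("PocketPC", frozenset({"Staff"})),
    }
    return {label: select_rule(RULES, dt, groups) for label, (dt, groups) in cases.items()}


if __name__ == "__main__":
    for label, rule_name in demo().items():
        print(f"{label}: {rule_name}")
```

The catch-all rule at the end is what makes the ordering safe: a request that matches no specific rule still gets an explicit decision rather than falling through.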

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead, and for more advanced enrollment options, it is recommended to add the Mobile Access Control module to the solution.

The module uses a DB and a web site to support the following enrollment options:

Automatic Self Enrollment - the Device ID is registered upon first use. In this case the web site is only for admin usage and is used to allow deleting users and tracking the registration process. This enrollment happens transparently to the user.


Self-Enrollment Registration - a tighter approach: the user must first register on an internal site and then must sync within a defined time frame to complete registration.

Smart Card Enrollment - this enrollment is needed when the customer works with strong authentication rather than user name and password, or when different credentials are needed in order to protect the real AD account from being locked due to too many failures. The user creates credentials on an internal site (using strong login to view the site). The credentials created are then used for authenticating against the filter, and the filter performs the logon (Kerberos) to the Exchange on behalf of the user.

6 Mobile Access Control installation

Note: the product development name for Mobile Access Control is Angel.

Typical architecture [diagram]


Certificate enrollment architecture [diagram]

6.1 Database

1. Create a new MSSQL database or use an existing one.

2. Open the attached SQL script (SQLCreate.sql).

3. In the settings (last) section of the script, set values according to your needs.

Note: only users listed in the Admins value will see the link for the settings from the web site.

4. Run the script.

6.2 Site

1. Copy the Angel folder to your web folder (e.g. c:\inetpub\wwwroot).


2. Change AngelConnectionString in web.config to fit your system settings.

If you choose to use an integrated-security connection string, verify that the user running the application pool of the site has access to the DB.

3. Create a virtual directory in IIS for the Angel site.

4. Disable anonymous authentication on the site.

5. For Windows authentication, make sure the site is configured for it.

6. If you use Smart Card Authentication, configure your site to <Require User Certificate> and also provide a valid certificate for the server.

7. Users should browse to http://[hostname]/angel/default.aspx

8. Admins should browse to http://[hostname]/angel/admin/userslist.aspx

6.3 Web Service

Note: the web services are required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a Web Service to provide data to ActiveSyncFilter.

2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).

3. Change AngelConnectionString in web.config to fit your system settings.


4. Create a virtual directory in IIS for the AngelServicesWebHost site.

5. Provide the path to ActiveSyncFilter: <your server path>/AngelServicesWebHost/AngelSrv.svc

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test Connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter (on the ForeFront machine) and a back-end consumer on the Exchange.

For detailed installation, please contact support@agatsolutions.com.

7 Mobile access control configuration

7.1 Automatic Self Enrollment

Select the following options for this enrollment process: [screenshot]


7.2 Self-Enrollment Registration

For enrollment based on an Active Directory username and password, the web site is configured to use Windows authentication.

The user logs into the site and starts the registration process by clicking on the Register button. Once the button is clicked, the user must perform an ActiveSync operation from his device within the defined time frame. The filter then registers the device ID in the DB, linked to the user, for the ongoing authentication.

Select the following options for this enrollment: [screenshot]


In this case the user should log in to the following URL, http://[servername]/angel, and see this site: [screenshot]


7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where the username and password are not managed in Active Directory and it is impossible or complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs into the site he creates (or auto-generates) a username and password. Once the Create button is clicked, he must perform an ActiveSync operation within the defined time frame. During that first operation the device ID is registered and linked to the user.

During the ongoing authentication the user enters the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. The AG Mobile Access Control filter then performs a login to the Exchange server using the AG Auth consumer filter installed on the Exchange.

To configure Smart Card enrollment, select the same options as for self-enrollment registration and change the site settings mode to SCA (Smart Card Logon).

When the user browses to the Angel site URL he will see something like this: [screenshot]
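The enrollment flow shared by sections 7.2 and 7.3 (register on the site, sync within the Timeout window so the device ID is bound to the user, then require on every later request that the credentials verify and the device ID matches the bound one) is modelled in the following added example. It is not code from the manual or from AGAT: the in-memory store, the one-device-per-user binding, the result strings and the constructed users and device IDs are assumptions for this demonstration, and the credential check is passed in as a boolean because the actual verification belongs to the filter.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class EnrollmentStore:
    """Constructed stand-in for the Mobile Access Control DB."""
    timeout_minutes: int                            # the Timeout site setting
    pending: dict = field(default_factory=dict)     # user -> registration time
    devices: dict = field(default_factory=dict)     # user -> bound device ID

    def register(self, user, now):
        """User clicked Register (7.2) or Create (7.3) on the Angel site."""
        self.pending[user] = now

    def first_sync(self, user, device_id, now):
        """First ActiveSync request after registration: bind the device if in time."""
        started = self.pending.get(user)
        if started is None:
            return "no-registration"
        # A registration that outlived its window is discarded rather than
        # left open, so a later device cannot silently claim it.
        if now - started > timedelta(minutes=self.timeout_minutes):
            del self.pending[user]
            return "window-expired"
        self.devices[user] = device_id
        del self.pending[user]
        return "enrolled"

    def ongoing_sync(self, user, device_id, credentials_ok):
        """Later requests: credentials must verify AND the device ID must match."""
        if not credentials_ok:
            return "bad-credentials"
        bound = self.devices.get(user)
        if bound is None:
            return "not-enrolled"
        if bound != device_id:
            return "device-mismatch"
        return "allow"


def demo():
    """Walk constructed users through on-time, late and mismatched scenarios."""
    t0 = datetime(2024, 1, 1, 9, 0)          # constructed clock
    store = EnrollmentStore(timeout_minutes=10)
    out = {}

    store.register("alice", t0)
    out["alice_enroll"] = store.first_sync("alice", "DEV-A1", t0 + timedelta(minutes=5))
    out["alice_ok"] = store.ongoing_sync("alice", "DEV-A1", credentials_ok=True)
    out["alice_other_device"] = store.ongoing_sync("alice", "DEV-Z9", credentials_ok=True)

    store.register("bob", t0)
    out["bob_late"] = store.first_sync("bob", "DEV-B2", t0 + timedelta(minutes=11))
    out["bob_not_enrolled"] = store.ongoing_sync("bob", "DEV-B2", credentials_ok=True)

    out["unregistered"] = store.first_sync("carol", "DEV-C3", t0)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The two checks in ongoing_sync are deliberately separate: a valid credential presented from an unknown device is rejected, which is what stops a leaked site-created password from being used from any handset.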


8 Mobile Access Control site admin

The admin page is located at the following URL:

http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button.

Every admin user that has access to the admin page will see only the users from his own domain (see the Usedomain setting below). Only the user listed in the web.config <appSettings> admin value will see all users.


Pressing Edit Settings will display the following window, with these settings (name, the enrollment types it is relevant to, and description):

Admins (All) - Users that are allowed to access the EDIT tab in the admin site. Enter as domain\user, or just enter the string Everyone to allow anyone with access to the admin site to change settings.

Type (Self enrollment / Smart Card) - For self enrollment: Windows Authentication. For Smart Card: SCA = Smart Card Authentication, or SCASimulation, which simulates the smart card enrollment without needing to define the site as smart card (good for just using different credentials than AD).

DefaultLanguage (All) - en or heb.

LoginLength (Smart Card) - Length of the user name.

PassLength (Smart Card) - Password length.

Timeout (Smart Card / Self-enrollment) - Minutes to sync from registration.

Usedomain (Smart Card / Self-enrollment) - Enter yes to allow displaying users only from your domain.

UserNamePrefix (Smart Card) - Adds a prefix to the user name.

You can also manage users from the filter console by pressing the Manage Users button.


9 Troubleshooting

The filter will write debugging traces into C:\WhlFilt\ActiveSyncExlog.txt if that file exists.

You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged for IAG/UAG only when the trace level is ALL. Requests are logged in the Caslogs directory if it exists and is set up with the correct permissions.

For further help please contact <support@agatsolutions.com>.

WWWAGATSOLUTIONSCOM

Page 12 of 31

Creating a user list file can be done in two ways (Manually)

a Running in Training mode - selecting this option will allow performing ActiveSync but will

write to the Rejects file the username and device ID that preformed the request

b Using the rejects file list - this file stores all the requests that were rejected by the filter

The rejects file is in the same format as the users file so you can cut-and-paste between the files

WWWAGATSOLUTIONSCOM

Page 13 of 31

44 Servers

The servers tab is used to define the LDAP connection to be used for the Group filtering option in

the first general tab

WWWAGATSOLUTIONSCOM

Page 14 of 31

45 Defining web publishing (ISATMG only)

For the ISATMG you can define the web publishing rules that you want the filter to run on

This is done in the Web Publishing tab

WWWAGATSOLUTIONSCOM

Page 15 of 31

46 Configuring a rule

General tab

In the general tab of the rule you can set the device type that the rule applies to and or the users

active directory group membership

WWWAGATSOLUTIONSCOM

Page 16 of 31

Action tab

In the mail handling section you can choose the mail handling method

Dont filter calendar related mail - do not block meeting requests

Block all mails - block all mails both as regular emails and meeting requests

In the non-mail section you can choose whether to block calendar Tasks or Contacts

In the attachment section you can define to remove attachments

This option applies to mail objects and and meeting requests calendar objects

In the list below you can define exceptions by files types

Tip To add a file type ndash right click on the available list area to add a new value

WWWAGATSOLUTIONSCOM

Page 17 of 31

Extension tab

In the extensions tab you can

Block mails by Origin - blocking for example internal mails only

Truncate mail with specific words in subject

Define length to truncate If set to zero the body is completely blocked

WWWAGATSOLUTIONSCOM

Page 18 of 31

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

471 Blocking Inline message

This option prevents sending messages within messages These are shown as attachments in

outlook with an outlook message

472 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software

For each header you want to block add the following child element to the mail element (inside the

appropriate rule)

ltblockHeader name=Header Name contains=Block Value gt

The contains attribute can be either a plain string or a regular expression (with Perl syntax) If the

string or regular expression is found (contained) in the header the message will be blocked If

you need an exact match start the contains attribute with a ^ character and end it with a $

character eg ltblockHeader name=Header Name contains=^Exact$ gt

The matching is case-insensetive

Full example

ltmail allow=true onlyCalendarMessages=false allowAttachments=falsegt

ltblockHeader name=Confidential Level contains=Secret gt

ltblockHeader name=Project Name contains=Top Information gt

ltmailgt

WWWAGATSOLUTIONSCOM

Page 19 of 31

The ability to request mail headers depends on the client

Some devices (eg iPhone) will display the message title but not its contents while other might

not request the header and therefore the message will not be blocked

48 Known issues

IAG doesnt give any indication if the filter fails to load for some reason (eg missing DLLs)

If theres an error while loading the configuration the filter terminates the containing IIS process

49 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol it

sends its Device Type to the server The ActiveSync filter uses this string to handle different

devices in different ways based on their types

Here are the Device Types for common mobile devices

Apple iPhone - iPhone

Windows Mobile - PPC PocketPC (note both Device Types are used by the same device in

different phases of the protocol)

Nokia - IMEI where the stands for a device-specific string That is different devices

of the same model have different Device Types but they all begin with the IMEI prefix The

configuration utility allows you to match Device Types by prefix so you can select IMEI as the

prefix to match Nokia devices

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead and for more advanced enrollment options it is

recommended to add the Mobile Access Control module to the solution

The module uses a DB amp web site to support the following enrollment options

Automatic Self Enrollment ndash Device ID is registered upon first use In this case the web site is

only for admin usage and is used to allow deleting users and tracking the registration process

This enrollment is done transparently by the user

WWWAGATSOLUTIONSCOM

Page 20 of 31

Self-Enrollment Registration ndash A tighter attitude is that the user must first register on an internal

site and then must Sync within a defined time frame to complete registration

Smart Card Enrollment ndash This enrollment is needed to allow a solution when customer works

with strong authentication rather than user name and password or when different credentials are

needed in order to protect the real AD account from being locked due to too many failures

User creates credentials on internal site (using strong login to view the site) The credentials

created are then used for authenticating against the filter and the filter preforms the logon

Kerberos) to the exchange on behalf of the user

6 Mobile Access Control installation

Note Product development name for Mobile Access Control is Angel

Typical architecture

WWWAGATSOLUTIONSCOM

Page 21 of 31

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Page 13 of 31

44 Servers

The servers tab is used to define the LDAP connection to be used for the Group filtering option in

the first general tab

WWWAGATSOLUTIONSCOM

Page 14 of 31

45 Defining web publishing (ISATMG only)

For the ISATMG you can define the web publishing rules that you want the filter to run on

This is done in the Web Publishing tab

WWWAGATSOLUTIONSCOM

Page 15 of 31

46 Configuring a rule

General tab

In the general tab of the rule you can set the device type that the rule applies to and or the users

active directory group membership

WWWAGATSOLUTIONSCOM

Page 16 of 31

Action tab

In the mail handling section you can choose the mail handling method

Dont filter calendar related mail - do not block meeting requests

Block all mails - block all mails both as regular emails and meeting requests

In the non-mail section you can choose whether to block calendar Tasks or Contacts

In the attachment section you can define to remove attachments

This option applies to mail objects and and meeting requests calendar objects

In the list below you can define exceptions by files types

Tip To add a file type ndash right click on the available list area to add a new value

WWWAGATSOLUTIONSCOM

Page 17 of 31

Extension tab

In the extensions tab you can

Block mails by Origin - blocking for example internal mails only

Truncate mail with specific words in subject

Define length to truncate If set to zero the body is completely blocked

WWWAGATSOLUTIONSCOM

Page 18 of 31

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

471 Blocking Inline message

This option prevents sending messages within messages These are shown as attachments in

outlook with an outlook message

472 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software

For each header you want to block add the following child element to the mail element (inside the

appropriate rule)

ltblockHeader name=Header Name contains=Block Value gt

The contains attribute can be either a plain string or a regular expression (with Perl syntax) If the

string or regular expression is found (contained) in the header the message will be blocked If

you need an exact match start the contains attribute with a ^ character and end it with a $

character eg ltblockHeader name=Header Name contains=^Exact$ gt

The matching is case-insensetive

Full example

ltmail allow=true onlyCalendarMessages=false allowAttachments=falsegt

ltblockHeader name=Confidential Level contains=Secret gt

ltblockHeader name=Project Name contains=Top Information gt

ltmailgt

WWWAGATSOLUTIONSCOM

Page 19 of 31

The ability to request mail headers depends on the client

Some devices (eg iPhone) will display the message title but not its contents while other might

not request the header and therefore the message will not be blocked

48 Known issues

IAG doesnt give any indication if the filter fails to load for some reason (eg missing DLLs)

If theres an error while loading the configuration the filter terminates the containing IIS process

49 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol it

sends its Device Type to the server The ActiveSync filter uses this string to handle different

devices in different ways based on their types

Here are the Device Types for common mobile devices

Apple iPhone - iPhone

Windows Mobile - PPC PocketPC (note both Device Types are used by the same device in

different phases of the protocol)

Nokia - IMEI where the stands for a device-specific string That is different devices

of the same model have different Device Types but they all begin with the IMEI prefix The

configuration utility allows you to match Device Types by prefix so you can select IMEI as the

prefix to match Nokia devices

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead and for more advanced enrollment options it is

recommended to add the Mobile Access Control module to the solution

The module uses a DB amp web site to support the following enrollment options

Automatic Self Enrollment ndash Device ID is registered upon first use In this case the web site is

only for admin usage and is used to allow deleting users and tracking the registration process

This enrollment is done transparently by the user

WWWAGATSOLUTIONSCOM

Page 20 of 31

Self-Enrollment Registration ndash A tighter attitude is that the user must first register on an internal

site and then must Sync within a defined time frame to complete registration

Smart Card Enrollment ndash This enrollment is needed to allow a solution when customer works

with strong authentication rather than user name and password or when different credentials are

needed in order to protect the real AD account from being locked due to too many failures

User creates credentials on internal site (using strong login to view the site) The credentials

created are then used for authenticating against the filter and the filter preforms the logon

Kerberos) to the exchange on behalf of the user

6 Mobile Access Control installation

Note Product development name for Mobile Access Control is Angel

Typical architecture

WWWAGATSOLUTIONSCOM

Page 21 of 31

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8. Mobile Access Control site admin

The admin page is located at the following URL:

http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button.

Every admin user that has access to the admin page will see only the users from his own domain.

Only the user listed in the web.config <appSettings> admin value will see all users.


Pressing Edit Settings will display the following window, whose settings are:

Name             Enrollment type              Description
---------------  ---------------------------  ---------------------------------------------------------------
Admins           All                          Users that are allowed to access the EDIT tab in the admin
                                              site. Enter as domain\user, or enter the string Everyone to
                                              allow anyone with access to the admin site to change settings.
Type             Self enrollment              Windows Authentication
                 Smart Card                   SCA = Smart Card Authentication
                 Smart Card                   SCASimulation - simulates the smart card enrollment without
                                              needing to define the site as smart card. Good for just using
                                              different credentials than AD.
DefaultLanguage  All                          en / heb
LoginLength      Smart Card                   Length of user name
PassLength       Smart Card                   Password length
Timeout          Smart Card, Self-enrollment  Minutes allowed to sync from registration
Usedomain        Smart Card, Self-enrollment  Enter yes to display users only from your domain
UserNamePrefix   Smart Card                   Adds a prefix to the user name

You can also manage users from the filter console by pressing the Manage Users button.


9. Troubleshooting

The filter will write debugging traces into C:\WhlFiltActiveSyncEx\log.txt (path separators reconstructed; the extracted text reads CWhlFiltActiveSyncExlogtxt) if that file exists.

You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged for IAG/UAG only when the trace level is ALL. Requests are logged in the Caslogs directory if it exists and is set up with the correct permissions.

For further help please contact <support@agatsolutions.com>.


4.5 Defining web publishing (ISA/TMG only)

For ISA/TMG you can define the web publishing rules that you want the filter to run on. This is done in the Web Publishing tab.


4.6 Configuring a rule

General tab

In the General tab of the rule you can set the device type that the rule applies to and/or the users' Active Directory group membership.


Action tab

In the mail handling section you can choose the mail handling method:

Don't filter calendar-related mail - do not block meeting requests.

Block all mails - block all mails, both regular emails and meeting requests.

In the non-mail section you can choose whether to block Calendar, Tasks or Contacts.

In the attachment section you can choose to remove attachments. This option applies to mail objects and to meeting requests (calendar objects).

In the list below it you can define exceptions by file type.

Tip: to add a file type, right-click on the available list area to add a new value.


Extension tab

In the Extensions tab you can:

Block mails by origin - for example, block internal mails only.

Truncate mails with specific words in the subject.

Define the length to truncate to. If set to zero, the body is completely blocked.


4.7 XML-only tweaks

This section covers features not supported by the admin UI; they must be configured by editing the configuration XML manually.

In UAG/IAG the XML is located in the conf folder.

In ISA/TMG you must export the XML (from the Advanced menu at the top right corner of the admin UI), edit it, and then import it back.

Importing an XML can be done by running the following command in the admin folder where importConfig.js is located:

cscript importConfig.js ActiveSyncWebFilter.dll <Path to XML Configuration File>

4.7.1 Blocking inline messages

This option prevents sending messages within messages (a message attached to another message). In Outlook these appear as attachments of type Outlook message.

4.7.2 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software.

For each header you want to block, add the following child element to the mail element (inside the appropriate rule):

<blockHeader name="Header Name" contains="Block Value" />

The contains attribute can be either a plain string or a regular expression (Perl syntax). If the string or regular expression is found (contained) in the header, the message is blocked. If you need an exact match, start the contains attribute with a ^ character and end it with a $ character, e.g. <blockHeader name="Header Name" contains="^Exact$" />.

Matching is case-insensitive.

Full example:

<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
</mail>


Whether a mail header can be inspected depends on the client: the filter can only match headers the device actually requests.

Some devices (e.g. iPhone) will display the message title but not its contents, while others might not request the header at all, in which case the message will not be blocked.
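As an added illustration of the blockHeader semantics described in 4.7.2 (this is not code from the filter), the following Python evaluates a mail element against the headers a client synced: every contains value is compiled as a case-insensitive regular expression and searched anywhere in the header value, the ^...$ form gives an exact match, and a header the client never requested cannot trigger a block. Python's re module stands in for the Perl syntax the manual names; the function names, the third blockHeader in the rule and the sample header sets are constructed for this example.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed rule in the manual's format. The first two headers are the manual's
# own example; X-Classification is added to show the ^...$ exact-match form.
RULE_XML = """
<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
  <blockHeader name="X-Classification" contains="^internal$" />
</mail>
"""


def load_block_headers(mail_xml: str) -> list[tuple[str, re.Pattern[str]]]:
    """Read every <blockHeader> child of a <mail> element.

    Each 'contains' value is compiled as a case-insensitive regex; a plain string
    without metacharacters is simply a regex that matches itself. Assumption: the
    manual does not say whether the filter escapes metacharacters in plain strings,
    so this example treats every value as a regex."""
    root = ET.fromstring(mail_xml)
    if root.tag != "mail":
        raise ValueError("expected a <mail> element")
    return [(el.attrib["name"], re.compile(el.attrib["contains"], re.IGNORECASE))
            for el in root.findall("blockHeader")]


def blocking_reason(rules: list[tuple[str, re.Pattern[str]]],
                    headers: dict[str, str]) -> str | None:
    """Return why a message is blocked, or None if no blockHeader matches.

    'headers' holds only the headers the client actually requested. The manual
    warns that a client that never asks for a header cannot be blocked on it,
    which is why a missing header is skipped rather than treated as a match."""
    present = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name, pattern in rules:
        value = present.get(name.lower())
        if value is not None and pattern.search(value):
            return f"header {name!r} matches /{pattern.pattern}/"
    return None


# Constructed header sets as three different clients might sync them.
SAMPLES = {
    "full client":   {"Subject": "Q3 numbers", "Confidential Level": "TOP SECRET"},
    "exact match":   {"Subject": "Roster", "X-Classification": "Internal"},
    "not requested": {"Subject": "Q3 numbers"},          # client never asked for the header
}


def evaluate_samples() -> dict[str, str | None]:
    rules = load_block_headers(RULE_XML)
    return {label: blocking_reason(rules, headers) for label, headers in SAMPLES.items()}


if __name__ == "__main__":
    for label, reason in evaluate_samples().items():
        print(f"{label:14} -> {reason or 'allowed'}")
```

The "not requested" sample is the case the paragraph above warns about: the message carries a Confidential Level header on the server, but because this client did not sync it, the rule never sees it and the message passes.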

4.8 Known issues

IAG gives no indication if the filter fails to load for some reason (e.g. missing DLLs).

If there is an error while loading the configuration, the filter terminates the containing IIS process.

4.9 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol, it sends its Device Type to the server. The ActiveSync filter uses this string to handle different devices in different ways based on their types.

Here are the Device Types for common mobile devices:

Apple iPhone - iPhone

Windows Mobile - PPC, PocketPC (note: both Device Types are used by the same device in different phases of the protocol)

Nokia - IMEI followed by a device-specific string. That is, different devices of the same model have different Device Types, but they all begin with the IMEI prefix. The configuration utility allows you to match Device Types by prefix, so you can select IMEI as the prefix to match Nokia devices.
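An added example (not the configuration utility's code) of how a rule can match the Device Type string an Exchange ActiveSync client sends, supporting both exact values and the prefix match this section recommends for Nokia devices. The request shape (a Microsoft-Server-ActiveSync URL with Cmd, User, DeviceId and DeviceType query parameters) is the standard ActiveSync form; the DeviceTypeMatch class, the rule names and the sample URLs are assumptions constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class DeviceTypeMatch:
    """One Device Type entry of a rule: an exact value, or a prefix when 'prefix' is set."""
    value: str
    prefix: bool = False

    def matches(self, device_type: str) -> bool:
        if self.prefix:
            return device_type.startswith(self.value)
        return device_type == self.value


# Constructed rule set following the section's list. Both Windows Mobile names are
# listed because the same device presents either of them during the protocol.
RULES: dict[str, list[DeviceTypeMatch]] = {
    "iphone-policy": [DeviceTypeMatch("iPhone")],
    "windows-mobile-policy": [DeviceTypeMatch("PPC"), DeviceTypeMatch("PocketPC")],
    "nokia-policy": [DeviceTypeMatch("IMEI", prefix=True)],
}


def parse_eas_request(url: str) -> dict[str, str]:
    """Extract the ActiveSync query parameters (Cmd, User, DeviceId, DeviceType)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def matching_rules(device_type: str,
                   rules: dict[str, list[DeviceTypeMatch]] = RULES) -> list[str]:
    """Names of all rules whose Device Type list covers this client-supplied string."""
    return [name for name, entries in rules.items()
            if any(entry.matches(device_type) for entry in entries)]


def classify_request(url: str,
                     rules: dict[str, list[DeviceTypeMatch]] = RULES) -> list[str]:
    """Rules that apply to one synchronisation request, judged by its Device Type."""
    params = parse_eas_request(url)
    return matching_rules(params.get("DeviceType", ""), rules)


# Constructed sample requests.
SAMPLE_URLS = [
    "https://mail.example.test/Microsoft-Server-ActiveSync"
    "?Cmd=Sync&User=alice&DeviceId=ABC123&DeviceType=IMEI351234567890",
    "https://mail.example.test/Microsoft-Server-ActiveSync"
    "?Cmd=FolderSync&User=bob&DeviceId=F00D&DeviceType=PocketPC",
    "https://mail.example.test/Microsoft-Server-ActiveSync"
    "?Cmd=Sync&User=carol&DeviceId=C0FFEE&DeviceType=Android",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(parse_eas_request(url)["DeviceType"], "->", classify_request(url) or "no rule")
```

The Device Type is supplied by the client, so it is a hint for choosing which policy to apply, not evidence of identity; the device ID binding described in section 7 is what ties a request to a registered user. A Device Type that matches no rule (the Android sample above) should be logged, since it means the device falls outside every configured policy.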

5. AG Mobile Access Controller - introduction

To cut down admin and help desk overhead, and for more advanced enrollment options, it is recommended to add the Mobile Access Control module to the solution.

The module uses a DB and a web site to support the following enrollment options:

Automatic Self Enrollment - the device ID is registered upon first use. In this case the web site is for admin use only: it allows deleting users and tracking the registration process. This enrollment is transparent to the user.


Self-Enrollment Registration - a tighter approach: the user must first register on an internal site and then must sync within a defined time frame to complete the registration.

Smart Card Enrollment - this enrollment is needed when the customer works with strong authentication rather than username and password, or when different credentials are needed in order to protect the real AD account from being locked due to too many failures. The user creates credentials on an internal site (using the strong login to view the site). The credentials created are then used for authenticating against the filter, and the filter performs the logon (Kerberos) to the Exchange on behalf of the user.

6. Mobile Access Control installation

Note: the product development name for Mobile Access Control is Angel.

Typical architecture (diagram):

Certificate enrollment architecture (diagram):

6.1 Database

1. Create a new MSSQL database or use an existing one.

2. Open the attached SQL script (SQLCreate.sql).

3. In the settings (last) section of the script, set the values according to your needs.

Note: only users listed in the Admins value will see the link to the settings on the web site.

4. Run the script.

6.2 Site

1. Copy the Angel folder to your web folder (e.g. c:\inetpub\wwwroot).


2. Change AngelConnectionString in web.config to fit your system settings.

If you choose to use an integrated (Windows authentication) connection string, verify that the user running the site's application pool has access to the DB.

3. Create a virtual directory in IIS for the Angel site.

4. Disable anonymous authentication on the site.

5. For Windows authentication, make sure the site is configured for it.

6. If you use Smart Card Authentication, configure your site to Require User Certificate and also provide a valid certificate for the server.

7. Users should browse to http://[hostname]/angel/default.aspx

8. Admins should browse to http://[hostname]/angel/admin/userslist.aspx

6.3 WEB Service

Note: the web services are required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a Web Service to provide data to ActiveSyncFilter.

2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).

3. Change AngelConnectionString in web.config to fit your system settings.


4. Create a virtual directory in IIS for the AngelServicesWebHost site.

5. Provide the service path to ActiveSyncFilter: <your server path>/AngelServicesWebHost/AngelSrv.svc

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test Connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter (on the ForeFront machine) and a back-end consumer on the Exchange.

For detailed installation instructions, please contact support@agatsolutions.com.

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Page 15 of 31

46 Configuring a rule

General tab

In the general tab of the rule you can set the device type that the rule applies to and or the users

active directory group membership

WWWAGATSOLUTIONSCOM

Page 16 of 31

Action tab

In the mail handling section you can choose the mail handling method

Dont filter calendar related mail - do not block meeting requests

Block all mails - block all mails both as regular emails and meeting requests

In the non-mail section you can choose whether to block calendar Tasks or Contacts

In the attachment section you can define to remove attachments

This option applies to mail objects and and meeting requests calendar objects

In the list below you can define exceptions by files types

Tip To add a file type ndash right click on the available list area to add a new value

WWWAGATSOLUTIONSCOM

Page 17 of 31

Extension tab

In the extensions tab you can

Block mails by Origin - blocking for example internal mails only

Truncate mail with specific words in subject

Define length to truncate If set to zero the body is completely blocked

WWWAGATSOLUTIONSCOM

Page 18 of 31

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

471 Blocking Inline message

This option prevents sending messages within messages These are shown as attachments in

outlook with an outlook message

472 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software

For each header you want to block add the following child element to the mail element (inside the

appropriate rule)

ltblockHeader name=Header Name contains=Block Value gt

The contains attribute can be either a plain string or a regular expression (with Perl syntax) If the

string or regular expression is found (contained) in the header the message will be blocked If

you need an exact match start the contains attribute with a ^ character and end it with a $

character eg ltblockHeader name=Header Name contains=^Exact$ gt

The matching is case-insensetive

Full example

ltmail allow=true onlyCalendarMessages=false allowAttachments=falsegt

ltblockHeader name=Confidential Level contains=Secret gt

ltblockHeader name=Project Name contains=Top Information gt

ltmailgt

WWWAGATSOLUTIONSCOM

Page 19 of 31

The ability to request mail headers depends on the client

Some devices (eg iPhone) will display the message title but not its contents while other might

not request the header and therefore the message will not be blocked

48 Known issues

IAG doesnt give any indication if the filter fails to load for some reason (eg missing DLLs)

If theres an error while loading the configuration the filter terminates the containing IIS process

49 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol it

sends its Device Type to the server The ActiveSync filter uses this string to handle different

devices in different ways based on their types

Here are the Device Types for common mobile devices

Apple iPhone - iPhone

Windows Mobile - PPC PocketPC (note both Device Types are used by the same device in

different phases of the protocol)

Nokia - IMEI where the stands for a device-specific string That is different devices

of the same model have different Device Types but they all begin with the IMEI prefix The

configuration utility allows you to match Device Types by prefix so you can select IMEI as the

prefix to match Nokia devices

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead and for more advanced enrollment options it is

recommended to add the Mobile Access Control module to the solution

The module uses a DB amp web site to support the following enrollment options

Automatic Self Enrollment ndash Device ID is registered upon first use In this case the web site is

only for admin usage and is used to allow deleting users and tracking the registration process

This enrollment is done transparently by the user

WWWAGATSOLUTIONSCOM

Page 20 of 31

Self-Enrollment Registration ndash A tighter attitude is that the user must first register on an internal

site and then must Sync within a defined time frame to complete registration

Smart Card Enrollment ndash This enrollment is needed to allow a solution when customer works

with strong authentication rather than user name and password or when different credentials are

needed in order to protect the real AD account from being locked due to too many failures

User creates credentials on internal site (using strong login to view the site) The credentials

created are then used for authenticating against the filter and the filter preforms the logon

Kerberos) to the exchange on behalf of the user

6 Mobile Access Control installation

Note Product development name for Mobile Access Control is Angel

Typical architecture

WWWAGATSOLUTIONSCOM

Page 21 of 31

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Page 16 of 31

Action tab

In the mail handling section you can choose the mail handling method

Dont filter calendar related mail - do not block meeting requests

Block all mails - block all mails both as regular emails and meeting requests

In the non-mail section you can choose whether to block calendar Tasks or Contacts

In the attachment section you can define to remove attachments

This option applies to mail objects and and meeting requests calendar objects

In the list below you can define exceptions by files types

Tip To add a file type ndash right click on the available list area to add a new value

WWWAGATSOLUTIONSCOM

Page 17 of 31

Extension tab

In the extensions tab you can

Block mails by Origin - blocking for example internal mails only

Truncate mail with specific words in subject

Define length to truncate If set to zero the body is completely blocked

WWWAGATSOLUTIONSCOM

Page 18 of 31

47 XML-only tweaks

This section includes features not supported by the admin UI that shold be configured by editing

manually edit the config XML

In UAGIAG it is located in the conf folder

In ISATMG ndash you must export the XML(from the advanced menu at top right corner of the

admin) and then import it back

Importing an XML can be done by running the following command in the admin folder where the

importConfigjs is located

cscript importConfigjs ActiveSyncWebFilterdll ltPath to XML

Configuration Filegt

471 Blocking Inline message

This option prevents sending messages within messages These are shown as attachments in

outlook with an outlook message

472 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software

For each header you want to block add the following child element to the mail element (inside the

appropriate rule)

ltblockHeader name=Header Name contains=Block Value gt

The contains attribute can be either a plain string or a regular expression (with Perl syntax) If the

string or regular expression is found (contained) in the header the message will be blocked If

you need an exact match start the contains attribute with a ^ character and end it with a $

character eg ltblockHeader name=Header Name contains=^Exact$ gt

The matching is case-insensetive

Full example

ltmail allow=true onlyCalendarMessages=false allowAttachments=falsegt

ltblockHeader name=Confidential Level contains=Secret gt

ltblockHeader name=Project Name contains=Top Information gt

ltmailgt

WWWAGATSOLUTIONSCOM

Page 19 of 31

The ability to request mail headers depends on the client

Some devices (eg iPhone) will display the message title but not its contents while other might

not request the header and therefore the message will not be blocked

48 Known issues

IAG doesnt give any indication if the filter fails to load for some reason (eg missing DLLs)

If theres an error while loading the configuration the filter terminates the containing IIS process

49 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol it

sends its Device Type to the server The ActiveSync filter uses this string to handle different

devices in different ways based on their types

Here are the Device Types for common mobile devices

Apple iPhone - iPhone

Windows Mobile - PPC PocketPC (note both Device Types are used by the same device in

different phases of the protocol)

Nokia - IMEI where the stands for a device-specific string That is different devices

of the same model have different Device Types but they all begin with the IMEI prefix The

configuration utility allows you to match Device Types by prefix so you can select IMEI as the

prefix to match Nokia devices

5 AG Mobile Access Controller - introduction

To cut down admin and help desk overhead and for more advanced enrollment options it is

recommended to add the Mobile Access Control module to the solution

The module uses a DB amp web site to support the following enrollment options

Automatic Self Enrollment ndash Device ID is registered upon first use In this case the web site is

only for admin usage and is used to allow deleting users and tracking the registration process

This enrollment is done transparently by the user

WWWAGATSOLUTIONSCOM

Page 20 of 31

Self-Enrollment Registration ndash A tighter attitude is that the user must first register on an internal

site and then must Sync within a defined time frame to complete registration

Smart Card Enrollment ndash This enrollment is needed to allow a solution when customer works

with strong authentication rather than user name and password or when different credentials are

needed in order to protect the real AD account from being locked due to too many failures

User creates credentials on internal site (using strong login to view the site) The credentials

created are then used for authenticating against the filter and the filter preforms the logon

Kerberos) to the exchange on behalf of the user

6 Mobile Access Control installation

Note Product development name for Mobile Access Control is Angel

Typical architecture

WWWAGATSOLUTIONSCOM

Page 21 of 31

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

6.3 Web Service

Note: the web services are required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a Web Service to provide data to ActiveSyncFilter.

2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).

3. Change AngelConnectionString in web.config to fit your system settings.

4. Create a virtual directory in IIS for the AngelServicesWebHost site.

5. Provide the path to ActiveSyncFilter: <your server path>/AngelServicesWebHost/AngelSrv.svc

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test Connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter (on the ForeFront machine) and a back-end consumer on the Exchange.

For detailed installation, please contact support@agatsolutions.com.

7 Mobile access control configuration

7.1 Automatic Self Enrollment

Select the following options for this enrollment process:

7.2 Self-Enrollment Registration

For enrollment based on Active Directory username and password, the web site is configured to use Windows authentication.

The user logs into the site and starts the registration process by clicking the Register button. Once the button is clicked, the user must perform an ActiveSync operation from his device within the defined time frame. The filter then registers the device ID in the DB, linked to the user, for the ongoing authentication.

Select the following options for this enrollment:

In this case the user should log in to the following URL, http://[servername]/angel, and see this site:

7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where the username and password are not managed in Active Directory and it is impossible or complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs into the site he creates (or auto-generates) a username and password. After clicking the Create button he must perform an ActiveSync operation within a defined time frame. During the first operation the device ID is registered and linked to the user.

During the ongoing authentication the user enters the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. The AG Mobile Access Control filter then performs a login to the Exchange server using the AG Auth consumer filter installed on the Exchange.

To configure Smart Card enrollment, select the same options as for self-enrollment registration and change the site settings mode to SCA (Smart Card Logon).

When the user browses to the Angel site URL he will see something like this:

8 Mobile Access Control site admin

The admin page is located at the following URL:

http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button.

Every admin user that has access to the admin page will see only the users from his domain. Only the user listed in the web.config <appSettings> admin value will see all users.

Pressing Edit Settings will display the following window:

The settings in that window are listed below by name, with the enrollment type each one is relevant to:

Name             Enrollment type relevance     Description
Admins           All                           Users that are allowed to access the EDIT tab in
                                               the admin site. Enter as domain\user, or enter the
                                               string Everyone to allow anyone with access to the
                                               admin site to change settings.
Type             Self enrollment               Windows Authentication
Type             Smart Card                    SCA = Smart Card Authentication
Type             Smart Card                    SCASimulation - simulates the smart card enrollment
                                               without needing to define the site as smart card.
                                               Good for just using different credentials than AD.
DefaultLanguage  All                           en / heb
LoginLength      Smart Card                    Length of user name
PassLength       Smart Card                    Password length
Timeout          Smart Card, Self-enrollment   Minutes to sync from registration
Usedomain        Smart Card, Self-enrollment   Enter yes to allow displaying users only from
                                               your domain
UserNamePrefix   Smart Card                    Adds a prefix to user name

You can also manage users from the filter console by pressing the Manage Users button.
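The enrollment and ongoing-authentication flows of sections 7.2 and 7.3, driven by the Timeout, LoginLength, PassLength, UserNamePrefix and Type settings from the table above, as an added example that is not AGAT's implementation. An in-memory dict stands in for the Angel DB; the class, the password hashing and the "allow"/"deny: ..." result strings are assumptions made for the example, and all users and device IDs are constructed.

```python
"""Device ID binding as described in sections 7.2 and 7.3, driven by the
settings table (added example, not AGAT's implementation). An in-memory dict
stands in for the Angel DB. Two phases are modelled: a registration window of
Timeout minutes in which the first ActiveSync request binds the device ID,
and the ongoing check that the presented credentials are valid and the
device ID matches the enrolled one. The setting names come from the table;
the class, the hashing and the result strings are assumptions.
"""
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _random_string(length):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class MobileAccessControl:
    def __init__(self, timeout_minutes=10, login_length=8, pass_length=12,
                 user_name_prefix="", mode="Windows"):
        self.timeout = timedelta(minutes=timeout_minutes)  # Timeout
        self.login_length = login_length                   # LoginLength
        self.pass_length = pass_length                     # PassLength
        self.prefix = user_name_prefix                     # UserNamePrefix
        self.mode = mode                                   # Type: "Windows" or "SCA"
        self.users = {}  # username -> record; stands in for the Angel DB

    def register(self, username, now):
        """7.2: an AD user, already authenticated on the site by Windows auth,
        clicks Register. This opens the Timeout window; no device is bound yet."""
        self.users[username] = {"registered_at": now, "device_id": None, "pwd": None}

    def create_credentials(self, now, username=None, password=None):
        """7.3: a certificate-authenticated user creates (or auto-generates)
        site credentials for the device. Only a salted hash is stored."""
        username = self.prefix + (username or _random_string(self.login_length))
        password = password or _random_string(self.pass_length)
        salt = secrets.token_bytes(16)
        self.users[username] = {"registered_at": now, "device_id": None,
                                "pwd": (salt, _hash(password, salt))}
        return username, password

    def _bind_device(self, rec, device_id, now):
        """First ActiveSync operation: bind the device ID only inside the
        Timeout window; after that the user has to register again."""
        if now - rec["registered_at"] > self.timeout:
            return False
        rec["device_id"] = device_id
        return True

    def authenticate(self, username, device_id, now, password=None, ad_ok=False):
        """Decision for one sync request. In Windows mode the platform has
        already checked the AD password (ad_ok); in SCA mode the filter checks
        the site credential itself. Either way the device ID must match."""
        rec = self.users.get(username)
        if rec is None:
            return "deny: unknown user"
        if self.mode == "SCA":
            if password is None or rec["pwd"] is None:
                return "deny: no site credential"
            salt, digest = rec["pwd"]
            if not hmac.compare_digest(digest, _hash(password, salt)):
                return "deny: bad site credential"
        elif not ad_ok:
            return "deny: Windows authentication failed"
        if rec["device_id"] is None:
            ok = self._bind_device(rec, device_id, now)
            return "allow: enrolled" if ok else "deny: registration expired"
        if device_id != rec["device_id"]:
            return "deny: device ID does not match enrolled device"
        return "allow"


def demo_flows():
    """Both flows on constructed users and device IDs; returns the decisions."""
    t0 = datetime(2024, 1, 1, 9, 0)
    mac = MobileAccessControl(timeout_minutes=10, mode="Windows")
    mac.register("CORP\\alice", t0)
    mac.register("CORP\\bob", t0)
    windows = [
        mac.authenticate("CORP\\alice", "Appl123", t0 + timedelta(minutes=5), ad_ok=True),
        mac.authenticate("CORP\\alice", "Appl123", t0 + timedelta(hours=1), ad_ok=True),
        mac.authenticate("CORP\\alice", "IMEI3579", t0 + timedelta(hours=1), ad_ok=True),
        mac.authenticate("CORP\\alice", "Appl123", t0 + timedelta(hours=1), ad_ok=False),
        mac.authenticate("CORP\\bob", "Appl555", t0 + timedelta(minutes=11), ad_ok=True),
    ]
    sca = MobileAccessControl(timeout_minutes=10, login_length=6, pass_length=10,
                              user_name_prefix="mob-", mode="SCA")
    user, pwd = sca.create_credentials(t0)
    smart_card = [
        sca.authenticate(user, "Appl777", t0 + timedelta(minutes=1), password=pwd),
        sca.authenticate(user, "Appl777", t0 + timedelta(minutes=30), password=pwd),
        sca.authenticate(user, "Appl777", t0 + timedelta(minutes=30), password="wrong"),
        sca.authenticate("nobody", "Appl777", t0, password=pwd),
    ]
    return windows, smart_card, user
```

Two properties of the design are worth noting. In SCA mode a wrong password is charged against the site credential, never against the AD account, which is the lockout protection the introduction gives as a reason for this mode. And the device ID is whatever string the client sends, so the binding proves that a request comes from the device that completed enrollment, not that the credential is held by a particular person; the short Timeout window is what keeps an unbound registration from being completed by some other device later.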

9 Troubleshooting

The filter writes debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists. You can also view these traces in real time using the DebugView program (available for free from Microsoft).

Extended information for HTTP requests is logged for IAG/UAG only when the trace level is ALL. Requests are logged in the Caslogs directory if it exists and is set up with the correct permissions.

For further help, please contact <support@agatsolutions.com>.

Extension tab

In the Extensions tab you can:

- Block mails by origin (for example, block internal mails only).

- Truncate mails with specific words in the subject.

- Define the length to truncate to. If set to zero, the body is completely blocked.

4.7 XML-only tweaks

This section covers features not supported by the admin UI that must be configured by manually editing the configuration XML.

In UAG/IAG it is located in the conf folder.

In ISA/TMG you must export the XML (from the Advanced menu at the top right corner of the admin), edit it, and then import it back.

Importing an XML can be done by running the following command in the admin folder, where importConfig.js is located:

cscript importConfig.js ActiveSyncWebFilter.dll <Path to XML Configuration File>

4.7.1 Blocking inline messages

This option prevents sending messages within messages. These are shown as attachments in Outlook (an Outlook message attached to a message).

4.7.2 Filtering by custom mail headers

This option allows filtering messages by custom mail headers added by other software.

For each header you want to block, add the following child element to the mail element (inside the appropriate rule):

<blockHeader name="Header Name" contains="Block Value" />

The contains attribute can be either a plain string or a regular expression (with Perl syntax). If the string or regular expression is found (contained) in the header, the message is blocked. If you need an exact match, start the contains attribute with a ^ character and end it with a $ character, e.g. <blockHeader name="Header Name" contains="^Exact$" />

The matching is case-insensitive.

Full example:

<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
</mail>

The ability to request mail headers depends on the client. Some devices (e.g. iPhone) will display the message title but not its contents, while others might not request the header at all, in which case the message will not be blocked.
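How the blockHeader semantics above play out on real header values, as an added example that is not the filter's own code: the full example from the text is parsed and evaluated against constructed messages, including one whose client never requested the header. The third rule (X-Classification) and all sample messages are constructed for the example; Python's re is used in place of the Perl syntax the text names, which is equivalent for patterns like these.

```python
"""Evaluation of <blockHeader> rules as described in 4.7.2 (added example,
not the filter's own code). contains is a plain string or a Perl-syntax
regular expression, matched case-insensitively anywhere in the header value,
with ^...$ for an exact match. A plain string is a regular expression without
metacharacters, so a single case-insensitive re.search implements both; for
the patterns shown here Python's re behaves like Perl. The third rule and
the sample messages are constructed.
"""
import re
import xml.etree.ElementTree as ET

# The full example from the text, with the attribute quotes restored, plus one
# constructed exact-match rule.
MAIL_RULE_XML = """
<mail allow="true" onlyCalendarMessages="false" allowAttachments="false">
  <blockHeader name="Confidential Level" contains="Secret" />
  <blockHeader name="Project Name" contains="Top Information" />
  <blockHeader name="X-Classification" contains="^restricted$" />
</mail>
"""

# Constructed messages as the filter would see them: only the headers the
# client actually requested are present.
SAMPLE_MESSAGES = [
    {"Subject": "Q3 numbers", "Confidential Level": "SECRET"},      # case-insensitive hit
    {"Subject": "Lunch", "Project Name": "Top Information review"},  # substring hit
    {"Subject": "Notes", "x-classification": "Restricted"},          # exact hit, any case
    {"Subject": "Notes", "X-Classification": "unrestricted"},        # ^...$ does not match
    {"Subject": "Q3 numbers"},                                       # header not requested
]


def load_block_rules(mail_xml):
    """Return [(header_name, compiled_pattern)] from a <mail> element."""
    mail = ET.fromstring(mail_xml)
    return [(bh.get("name"), re.compile(bh.get("contains"), re.IGNORECASE))
            for bh in mail.findall("blockHeader")]


def header_block_reason(headers, rules):
    """Return (header name, pattern) of the first rule that blocks, else None.
    Header names are compared case-insensitively (RFC 5322). A header the
    client did not request is absent and can never match, which is the
    limitation the text notes: such a message is not blocked."""
    by_name = {k.lower(): v for k, v in headers.items()}
    for name, pattern in rules:
        value = by_name.get(name.lower())
        if value is not None and pattern.search(value):
            return (name, pattern.pattern)
    return None


def evaluate(messages, rules):
    """True for each message the rules would block."""
    return [header_block_reason(m, rules) is not None for m in messages]


if __name__ == "__main__":
    rules = load_block_rules(MAIL_RULE_XML)
    for msg, blocked in zip(SAMPLE_MESSAGES, evaluate(SAMPLE_MESSAGES, rules)):
        print("BLOCK" if blocked else "pass ", msg)
```

The last sample message is the case the text warns about: the rule is fail-open for a client that does not request the header, so header-based blocking should be treated as a content control for cooperating clients, with the device-type rules and the mail element's other attributes doing the work for clients that fetch less.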

4.8 Known issues

IAG doesn't give any indication if the filter fails to load for some reason (e.g. missing DLLs).

If there's an error while loading the configuration, the filter terminates the containing IIS process.

4.9 Device types

When a mobile device attempts to synchronize data using the Exchange ActiveSync protocol, it sends its Device Type to the server. The ActiveSync filter uses this string to handle different devices in different ways based on their types.

Here are the Device Types for common mobile devices:

Apple iPhone - iPhone

Windows Mobile - PPC, PocketPC (note: both Device Types are used by the same device in different phases of the protocol)

Nokia - IMEI followed by a device-specific string. That is, different devices of the same model have different Device Types, but they all begin with the IMEI prefix. The configuration utility allows you to match Device Types by prefix, so you can select IMEI as the prefix to match Nokia devices.


Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Self-Enrollment Registration: a stricter approach in which the user must first register on an internal web site and then sync from the device within a defined time frame to complete the registration.

Smart Card Enrollment: needed when the customer works with strong (certificate) authentication rather than user name and password, or when different credentials are needed so that the real AD account cannot be locked out by too many failed attempts from the device. The user creates credentials on the internal site (after a strong logon to view the site). Those credentials are then used to authenticate against the filter, and the filter performs the logon (Kerberos) to the Exchange server on behalf of the user.

6 Mobile Access Control installation

Note: the product development name for Mobile Access Control is Angel; the folder, URL and setting names below use it.

Typical architecture (figure)

Certificate enrollment architecture (figure)

6.1 Database

1. Create a new MSSQL database or use an existing one.
2. Open the attached SQL script (SQLCreate.sql).
3. In the settings (last) section of the script, set the values according to your needs.
   Note: only users listed in the Admins value will see the settings link on the web site.
4. Run the script.

6.2 Site

1. Copy the Angel folder to your web folder (e.g. c:\inetpub\wwwroot).
2. Change AngelConnectionString in web.config to fit your system settings. If you choose an integrated-security connection string, verify that the account running the site's application pool has access to the DB.
3. Create a virtual directory in IIS for the Angel site.
4. Disable anonymous authentication on the site.
5. For Windows authentication, make sure the site is configured to use it.
6. If you use Smart Card Authentication, configure the site to Require User Certificate and also provide a valid server certificate (IIS can only require a client certificate on an HTTPS binding).
7. Users browse to http://[hostname]/angel/default.aspx
8. Admins browse to http://[hostname]/angel/admin/userslist.aspx

Publish both URLs over HTTPS only: the enrollment form posts the site-created credentials, and the admin page changes the enrollment rules for every user.

6.3 WEB Service

Note: the web service is required only if the ForeFront machines do not have direct SQL access to the Mobile Access Control DB.

1. Publish a web service to provide data to the ActiveSync filter:
2. Copy the AngelServicesWebHost folder to your web folder (e.g. c:\inetpub\wwwroot).
3. Change AngelConnectionString in web.config to fit your system settings.
4. Create a virtual directory in IIS for the AngelServicesWebHost site.
5. Give the ActiveSync filter the service path: <your server path>/AngelServicesWebHost/AngelSrv.svc
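The 6.2 and 6.3 steps above, as one scripted, added example; this is not code from the AGAT manual or product. It assumes IIS with the WebAdministration module, the SqlServer module for Invoke-Sqlcmd, SQL Server 2012 or later, the Angel and AngelServicesWebHost folders already copied under the web root, and that AngelConnectionString sits under <connectionStrings> in web.config. The host, database and application-pool names are hypothetical placeholders.

```powershell
# Added example, not from the AGAT manual: a scripted version of the 6.2 and
# 6.3 steps. Assumes IIS with the WebAdministration module, the SqlServer
# module (Invoke-Sqlcmd), SQL Server 2012 or later, and that the Angel and
# AngelServicesWebHost folders are already copied under $WebRoot.
#Requires -RunAsAdministrator
Import-Module WebAdministration
Import-Module SqlServer

$SiteName  = 'Default Web Site'
$WebRoot   = 'C:\inetpub\wwwroot'
$SqlServer = 'SQL01'        # hypothetical DB host
$Database  = 'AngelDB'      # hypothetical; use the name created by SQLCreate.sql
$Mode      = 'Windows'      # 'SCA' for the smart-card enrollment site

# Steps 6.2/3 and 6.3/4: one IIS application per component, each in its own
# application pool (default identity: the IIS APPPOOL\<name> virtual account),
# so the database grant below covers these applications and nothing else.
$apps = @{ 'angel' = "$WebRoot\Angel"; 'AngelServicesWebHost' = "$WebRoot\AngelServicesWebHost" }
foreach ($name in $apps.Keys) {
    $pool = "${name}AppPool"
    if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
    if (-not (Test-Path "IIS:\Sites\$SiteName\$name")) {
        New-WebApplication -Site $SiteName -Name $name -PhysicalPath $apps[$name] -ApplicationPool $pool | Out-Null
    }
}

# Steps 6.2/4 and 6.2/5: anonymous off, Windows authentication on. These
# sections are locked at server level by default, so write them as a
# <location> entry in applicationHost.config rather than into web.config.
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authBase = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $appHost -Location "$SiteName/angel" -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location "$SiteName/angel" -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Step 6.2/6: the smart-card site requires a client certificate, which IIS
# only honours on an HTTPS binding, hence Ssl alongside SslRequireCert.
if ($Mode -eq 'SCA') {
    Set-WebConfigurationProperty -PSPath $appHost -Location "$SiteName/angel" -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'
}

# Steps 6.2/2 and 6.3/3: point both web.config files at the DB with integrated
# security, so no SQL password is stored on disk. Encrypt=True needs a trusted
# certificate on the SQL Server. The script stops rather than guess the layout.
$connStr = "Data Source=$SqlServer;Initial Catalog=$Database;Integrated Security=SSPI;Encrypt=True"
foreach ($cfg in "$WebRoot\Angel\web.config", "$WebRoot\AngelServicesWebHost\web.config") {
    [xml]$xml = Get-Content -Path $cfg -Raw
    $node = $xml.SelectSingleNode("//connectionStrings/add[@name='AngelConnectionString']")
    if ($null -eq $node) { throw "AngelConnectionString not found under <connectionStrings> in $cfg" }
    $node.SetAttribute('connectionString', $connStr)
    $xml.Save($cfg)
}

# Step 6.2/2, second half: with integrated security the application pool
# identity is the database principal. Grant it data access only, no DDL.
# (For a remote SQL Server the principal is the web server's computer
# account, DOMAIN\WEBHOST$, instead of the local IIS APPPOOL\ account.)
foreach ($name in $apps.Keys) {
    $principal = "IIS APPPOOL\${name}AppPool"
    $grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$principal')
    CREATE LOGIN [$principal] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$principal')
    CREATE USER [$principal] FOR LOGIN [$principal];
ALTER ROLE db_datareader ADD MEMBER [$principal];
ALTER ROLE db_datawriter ADD MEMBER [$principal];
"@
    Invoke-Sqlcmd -ServerInstance $SqlServer -Query $grant
}

# Step 6.3/5: the value to enter in the ActiveSync filter's service path field.
"https://$env:COMPUTERNAME/AngelServicesWebHost/AngelSrv.svc"
```

The script creates IIS applications rather than bare virtual directories because an ASP.NET site needs its own application pool, and a dedicated pool is what makes the SQL grant narrow: the Angel pool identity gets db_datareader and db_datawriter on the Angel database and nothing more.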

6.4 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the Test Connection button.

6.5 Mobile Access Control Filter

Only for the smart card enrollment scenario, another set of filters is required: the Mobile Access Control Filter on the ForeFront machine and a back-end consumer filter (the AG Auth consumer filter described in 7.3) on the Exchange server. For detailed installation instructions, contact support@agatsolutions.com.

7 Mobile access control configuration

7.1 Automatic Self Enrollment

Select the following options for this enrollment process (settings screenshot):

7.2 Self-Enrollment Registration

For enrollment based on the Active Directory user name and password, the web site is configured to use Windows authentication.

The user logs in to the site and starts the registration process by clicking the Register button. Within the defined time frame after the click (the Timeout setting), the user must perform an ActiveSync operation from the device. The filter then registers the device ID in the DB, linked to the user, for ongoing authentication: later syncs are accepted for that user only from that device ID.

Select the following options for this enrollment (settings screenshot):

In this case the user logs in to http://[servername]/angel/ and sees the registration page.

7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where the user name and password are not managed in Active Directory and it is impossible or too complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs in to the site with the certificate, he creates (or auto-generates) a user name and password. After clicking the Create button he must perform an ActiveSync operation within the defined time frame. During that first operation the device ID is registered and linked to the user.

For ongoing authentication the user enters, on the device, the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. It then performs a logon to the Exchange server on the user's behalf through the AG Auth consumer filter installed on the Exchange server. Because the device holds only the site-created credentials, a flood of bad passwords against ActiveSync hits those credentials and not the user's AD account, which is the lockout protection described above.

To configure smart card enrollment, select the same options as for self-enrollment registration and change the site settings mode (the Type setting) to SCA (Smart Card Logon).

When the user browses to the Angel site URL he sees a page like the one in the manual's screenshot.
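The device-binding rule that 7.2 and 7.3 describe (register, sync within the Timeout window, then accept only the bound device ID for that user), as an added example that is not the product's code. The in-memory table, the function names and the sample ActiveSync request line are constructed here; the real filter keeps this state in the Mobile Access Control DB.

```powershell
# Added example, not AGAT code: the device-binding rule from sections 7.2 and
# 7.3, modelled on an in-memory table so it runs offline. The table layout,
# function names and sample requests are constructed for this example.
$script:TimeoutMinutes = 10        # the Timeout setting: minutes to sync from registration
$script:Enrollments    = @{}       # user -> @{ DeviceId; RegisteredAt }

function Register-AngelUser {
    # The user clicks Register (7.2) or Create (7.3) on the Angel site.
    param([Parameter(Mandatory)][string]$User, [datetime]$Now = (Get-Date))
    $script:Enrollments[$User] = @{ DeviceId = $null; RegisteredAt = $Now }
}

function Get-ActiveSyncQuery {
    # Split the query string of an ActiveSync request into a hashtable.
    param([Parameter(Mandatory)][string]$RequestUrl)
    $fields = @{}
    foreach ($pair in ([uri]$RequestUrl).Query.TrimStart('?') -split '&') {
        $kv = $pair -split '=', 2
        $fields[[uri]::UnescapeDataString($kv[0])] = if ($kv.Count -gt 1) { [uri]::UnescapeDataString($kv[1]) } else { '' }
    }
    $fields
}

function Test-ActiveSyncAccess {
    # Decide whether a sync request from the authenticated user may proceed.
    # Returns Enroll (first sync inside the window), Allow or Deny, with a reason.
    param(
        [Parameter(Mandatory)][string]$AuthUser,     # identity proven by the front end, never the User= parameter
        [Parameter(Mandatory)][string]$RequestUrl,
        [datetime]$Now = (Get-Date)
    )
    $deviceId = (Get-ActiveSyncQuery $RequestUrl)['DeviceId']
    if (-not $deviceId) { return [pscustomobject]@{ Decision = 'Deny'; Reason = 'no DeviceId in request' } }

    $rec = $script:Enrollments[$AuthUser]
    if ($null -eq $rec) { return [pscustomobject]@{ Decision = 'Deny'; Reason = 'user has not registered' } }

    if ($null -eq $rec.DeviceId) {
        $age = ($Now - $rec.RegisteredAt).TotalMinutes
        if ($age -gt $script:TimeoutMinutes) {
            return [pscustomobject]@{ Decision = 'Deny'; Reason = "registration window expired ($([int]$age) min)" }
        }
        $rec.DeviceId = $deviceId       # first sync inside the window binds the device
        return [pscustomobject]@{ Decision = 'Enroll'; Reason = "device $deviceId bound to $AuthUser" }
    }
    if ($rec.DeviceId -eq $deviceId) { return [pscustomobject]@{ Decision = 'Allow'; Reason = 'device matches enrollment' } }
    [pscustomobject]@{ Decision = 'Deny'; Reason = "device $deviceId is not the enrolled device" }
}

# Constructed walk-through (sample request line in ActiveSync's usual form).
$t0  = Get-Date '2020-01-01 09:00'
$url = 'https://mail.example.com/Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=ABC123&DeviceType=iPhone'
Register-AngelUser -User 'corp\alice' -Now $t0
Test-ActiveSyncAccess -AuthUser 'corp\alice' -RequestUrl $url -Now $t0.AddMinutes(3)                                  # Enroll
Test-ActiveSyncAccess -AuthUser 'corp\alice' -RequestUrl $url -Now $t0.AddMinutes(30)                                 # Allow
Test-ActiveSyncAccess -AuthUser 'corp\alice' -RequestUrl ($url -replace 'ABC123', 'ZZZ999') -Now $t0.AddMinutes(31)   # Deny: other device
Register-AngelUser -User 'corp\bob' -Now $t0
Test-ActiveSyncAccess -AuthUser 'corp\bob' -RequestUrl $url -Now $t0.AddMinutes(11)                                   # Deny: window expired
```

The binding is keyed on the identity the front end authenticated, not on the User= query parameter, because the device controls the latter; the window check uses the registration timestamp so an old registration cannot be completed later by a different device.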

8 Mobile Access Control site admin

The admin page is located at the following URL:

http://[serverName]/angel/admin/userslist.aspx

From this page the admin can delete users by clicking the Delete button.

Every admin user who has access to the admin page sees only the users from his own domain (see the Usedomain setting below). Only the user listed in the web.config <appSettings> admin value sees all users.

Pressing Edit Settings displays the following window, with these settings:

Name             Enrollment type (relevance)    Description
Admins           All                            Users allowed to access the EDIT tab in the admin site. Enter as domain\user, or enter the string Everyone to allow anyone with access to the admin site to change settings.
Type             Self enrollment                Windows Authentication
                 Smart Card                     SCA = Smart Card Authentication
                 Smart Card                     SCASimulation simulates the smart card enrollment without needing to define the site as smart card; good for just using different credentials than AD
DefaultLanguage  All                            en or heb
LoginLength      Smart Card                     Length of the user name
PassLength       Smart Card                     Password length
Timeout          Smart Card, Self-enrollment    Minutes to sync from registration
Usedomain        Smart Card, Self-enrollment    Enter yes to display only users from your domain
UserNamePrefix   Smart Card                     Adds a prefix to the user name

Treat Everyone as a test-only value for Admins: anyone who can reach the admin page could then switch Type to SCASimulation or lengthen Timeout, so in production list the specific domain\user accounts instead.

You can also manage users from the filter console by pressing the Manage Users button.
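Generating the site-created credentials that the SCA enrollment type relies on, sized by the LoginLength, PassLength and UserNamePrefix settings in the table above, as an added example that is not the product's code. The record layout (salted PBKDF2 hash plus a failure counter), the function names and the five-failure limit are assumptions made for this example; the manual does not describe how the product stores or verifies these credentials.

```powershell
# Added example, not AGAT code: auto-generating the SCA credentials using the
# LoginLength, PassLength and UserNamePrefix settings, storing only a salted
# PBKDF2 hash, and counting failures on this record rather than on AD. The
# record layout and function names are assumptions made for this example.
function New-RandomString {
    # Uniform characters from $Alphabet using the OS CSPRNG and rejection sampling.
    param([int]$Length, [string]$Alphabet)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Alphabet.Length)   # multiple of the alphabet size
    $sb    = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buf); $n = [BitConverter]::ToUInt32($buf, 0) } while ($n -ge $limit)
        [void]$sb.Append($Alphabet[[int]($n % $Alphabet.Length)])
    }
    $sb.ToString()
}

function New-AngelCredential {
    # Build the record the Create page would hand to the DB; the clear-text
    # password is returned once for display and is not part of the stored fields.
    param([string]$UserNamePrefix = '', [int]$LoginLength = 8, [int]$PassLength = 12, [int]$Iterations = 100000)
    $login = $UserNamePrefix + (New-RandomString -Length $LoginLength -Alphabet 'abcdefghijkmnpqrstuvwxyz23456789')
    $pass  = New-RandomString -Length $PassLength -Alphabet 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-'
    $salt  = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf   = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $salt, $Iterations)
    [pscustomobject]@{
        Login      = $login
        Password   = $pass            # shown to the user once on the Create page; not stored
        Salt       = [Convert]::ToBase64String($salt)
        Hash       = [Convert]::ToBase64String($kdf.GetBytes(32))
        Iterations = $Iterations
        Failures   = 0
    }
}

function Test-AngelCredential {
    # Verify a password sent by the device against the stored record. Failures
    # count against this record only, so a brute-force attempt from a lost
    # device cannot lock the user's real AD account.
    param([Parameter(Mandatory)]$Record, [Parameter(Mandatory)][string]$Password, [int]$MaxFailures = 5)
    if ($Record.Failures -ge $MaxFailures) { return $false }
    $salt = [Convert]::FromBase64String($Record.Salt)
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Record.Iterations)
    $ok   = [Convert]::ToBase64String($kdf.GetBytes(32)) -eq $Record.Hash   # use a constant-time compare in production
    if (-not $ok) { $Record.Failures++ }
    $ok
}

# Constructed walk-through with LoginLength 8, PassLength 12 and a UserNamePrefix.
$cred   = New-AngelCredential -UserNamePrefix 'mob-' -LoginLength 8 -PassLength 12
$stored = $cred | Select-Object Login, Salt, Hash, Iterations, Failures   # what the DB would hold
Test-AngelCredential -Record $stored -Password $cred.Password             # True
1..5 | ForEach-Object { [void](Test-AngelCredential -Record $stored -Password 'wrong') }
Test-AngelCredential -Record $stored -Password $cred.Password             # False: record locked after 5 failures
```

The alphabets leave out look-alike characters (0/O, 1/l/I) because the user has to type the generated value into a phone; the rejection loop keeps the choice uniform even though the alphabet size does not divide 2^32.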

9 Troubleshooting

The filter writes debugging traces to a log file on the C: drive (printed as CWhlFiltActiveSyncExlogtxt in the manual; the path separators did not survive extraction, so confirm the exact name on your installation), but only if that file already exists, so creating the file is what enables tracing.

You can also view these traces in real time with the DebugView program (available free from Microsoft).

Extended information for HTTP requests is logged on IAG/UAG only when the trace level is ALL. Requests are logged to the Caslogs directory if it exists and is set up with the correct permissions. Both locations receive request details such as user names and device IDs, so restrict them to administrators and remove them when troubleshooting is finished.

For further help, contact <support@agatsolutions.com>.

Page 21 of 31

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Page 22 of 31

Certificate enrollment architecture

61 Database

1 Create a new MSSQL database or use an existing one

2 Open attached SQL script (SQLCreatesql)

3 In settings (last) section of script set values according to your needs

Note Only users listed in the Admins value will see the link for the setting from the web site

4 Run the script

62 Site

1 Copy Angel folder to your webfolder (ex cinetpubwwwroot)

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Page 23 of 31

2 Change AngelConnectionString in webconfig to fit your system settings

If you choose to use integrated connection string- please verify that the user running the

application pool of the site has access to DB

3 Create virtual directory in IIS for Angel Site

4 Disable anonymous authentication in the site

5 For windows authentication ndash make sure the site if configured

6 If you use Smart Card Authentication configure your site to ltRequire User Certificategt

and also provide valid certificate for server

7 Users should browse to http[hostname]angeldefaultaspx

8 Admin should browse to http[hostname]angeladminuserslistaspx

63 WEB Service

Note The web services are required only if the ForeFront machines do not have direct

SQL access to the Mobile Access Control DB

1 please publish a Web Service to provide data to ActiveSyncFilter

2 Copy AngelServicesWebHost folder to your webfolder (ex cinetpubwwwroot)

3 Change AngelConnectionString in webconfig to fit your system settings

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

WWWAGATSOLUTIONSCOM

Page 24 of 31

4 Create virtual directory in IIS for AngelServicesWebHost site

5 Provide path to

ActiveSyncFilter ltyour server pathgt AngelServicesWebHostAngelSrvsvc

64 ActiveSync filter configuration

Enter the connection string in the following screen and verify that it is correct by pressing the test

connection button

65 Mobile Access Control Filter

Only for scenario of smart card enrollment ndash another set of filters are required

Mobile Access Control Filter (on the ForeFront machine) and a back consumer on the Exchange

For detailed installation ndash please contact supportagatsolutionscom

7 Mobile access control configuration

71 Automatic Self Enrollment

Select the following options for this enrollment process

WWWAGATSOLUTIONSCOM

Page 25 of 31

72 Self-Enrollment Registration

For enrollment based on active directory username and password the web site is configured to use

windows authentication

The user logs into the site and starts the registering process by clicking on the Register button

Once the button is clicked within the defined time frame the user must perform an ActiveSync

operation from his device The filter then registers the device ID in the DB linked to the user for

the ongoing authentication

Select the following options for this enrollment

WWWAGATSOLUTIONSCOM

Page 26 of 31

In this case the user should log in to the following URL http[severname]angel and see this site

WWWAGATSOLUTIONSCOM

Page 27 of 31

73 Smart Card Enrollment

For enrollment based on certificate authentication where username and password are not managed

in the active directory and it is impossible or complex to install certificates on the devices the site

is configured to require certificate authentication

In this scenario once the user logs into the site he creates (or auto-generates) a username and

password Once clicking the Create button he must perform an ActiveSync operation within a

defined time frame During the first operation the device ID is registered and linked to the user

During the ongoing authentication the user enters the credentials created on site The AG mobile

access control filter verifies the credentials and verifies that the device ID matches the user The

AG mobile access control filter then performs a login to the Exchange server using the AG Auth

consumer filter installed on the Exchange

To configure Smart card enrollment select the same options as the self-enrollment registration

and change the site settings mode to SCA ( smart Card Logon)

When the user browses the Angel site URL he will see something like this

WWWAGATSOLUTIONSCOM

Page 28 of 31

8 Mobile Access Control site admin

The admin is located in the following URL

http[serverName]angeladminuserslistaspx

From the page the admin can delete users by clicking the delete button

Every admin user that has access to the admin page will see only the users from his admin

Only the user listed in the webconfigltappSettingsgtadmin value will see all users

WWWAGATSOLUTIONSCOM

Page 29 of 31

Pressing the Edit Settings will display the following window

Enrollment type Relevance Description Name

All Users that are allowed to

access the EDIT tab in the

admin site

Enter as domainuser or just

enter the string Everyone to

allow anyone with access to

the admin site to change

settings

Admins

Self enrollment Windows Authentication Type

Smart Card SCA= Smart Card

Authenticaion

Smart Card SCASimulation- simulates the

smart card enrollment without

needing to define the site as

smart card Good for just using

different credentials than AD

WWWAGATSOLUTIONSCOM

Page 30 of 31

Enrollment type Relevance Description Name

All en

heb

DefaultLanguage

Smart Card Length of user name LoginLength

Smart Card Password length PassLength

Smart Card

Self-enrollment

Minutes to sync from

registration

Timeout

Smart Card

Self-enrollment

Enter yes to allow displaying

users only from your domain

Usedomain

Smart Card Adds a prefix to user name UserNamePrefix

You can also manage uses from the filter consul by pressing the manage users button

WWWAGATSOLUTIONSCOM

Page 31 of 31

9 Troubleshooting

The filter will write debugging traces into CWhlFiltActiveSyncExlogtxt if that file exists

You can also view these traces in real time using the DebugView program (available for free from

Microsoft)

Extended information for HTTP requests is logged for IAGUAG only when the trace level is

ALL Requests are logged in the Caslogs directory if it exists and set up with the correct

permissions

For further help please contact ltsupportagatsolutionscomgt

7.2 Self-Enrollment Registration

For enrollment based on Active Directory username and password, the web site is configured to use Windows authentication.

The user logs into the site and starts the registration process by clicking the Register button. Once the button is clicked, the user must perform an ActiveSync operation from his device within the defined time frame. The filter then registers the device ID in the DB, linked to the user, for the ongoing authentication.

Select the following options for this enrollment:

In this case the user should log in to the following URL, http://[serverName]/angel, and see this site:

7.3 Smart Card Enrollment

For enrollment based on certificate authentication, where username and password are not managed in the Active Directory and it is impossible or complex to install certificates on the devices, the site is configured to require certificate authentication.

In this scenario, once the user logs into the site he creates (or auto-generates) a username and password. After clicking the Create button he must perform an ActiveSync operation within a defined time frame. During the first operation the device ID is registered and linked to the user.

During the ongoing authentication the user enters the credentials created on the site. The AG Mobile Access Control filter verifies the credentials and verifies that the device ID matches the user. The AG Mobile Access Control filter then performs a login to the Exchange server using the AG Auth Consumer filter installed on the Exchange.

To configure smart card enrollment, select the same options as for the self-enrollment registration and change the site settings mode to SCA (Smart Card Logon).

When the user browses the Angel site URL he will see something like this:
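Sections 7.2 and 7.3 describe the same control from two angles: a registration opens a time window, the first ActiveSync request inside that window binds the device ID to the user, and every later request must present valid credentials from a device whose ID matches. The Python below is an added example written for this page, not AGAT's own filter code; it models both flows in memory so the decisions can be exercised. The class and method names, the in-memory stores, the constructed directory dict standing in for Active Directory in Windows mode, and the use of salted PBKDF2 for the credentials created on the site in SCA mode are assumptions; the Timeout window, device binding on first sync and device-ID match on subsequent requests follow the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Pending:
    opened_at: float  # seconds since epoch when Register (7.2) or Create (7.3) was clicked


class MobileAccessControl:
    """Toy model of the enrollment window, device binding and ongoing checks.

    mode "Windows": credentials are checked against a constructed directory
    dict (stand-in for Active Directory), as in self-enrollment (7.2).
    mode "SCA": credentials are the ones created on the enrollment site (7.3).
    """

    def __init__(self, mode, timeout_minutes, directory):
        if mode not in ("Windows", "SCA"):
            raise ValueError("mode must be Windows or SCA")
        self.mode = mode
        self.timeout = timeout_minutes * 60   # the Timeout site setting, in seconds
        self.directory = directory            # constructed: user -> AD password
        self.site_creds = {}                  # SCA: user -> (salt, pbkdf2 digest)
        self.pending = {}                     # user -> Pending registration
        self.devices = {}                     # user -> device ID bound on first sync

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def start_enrollment(self, user, now, site_password=None):
        """User clicks Register (Windows) or Create (SCA): open the time window."""
        if self.mode == "SCA":
            if site_password is None:
                raise ValueError("SCA mode needs the credentials created on the site")
            salt = os.urandom(16)
            self.site_creds[user] = (salt, self._hash(site_password, salt))
        self.pending[user] = Pending(now)

    def _credentials_ok(self, user, password):
        if self.mode == "Windows":
            return self.directory.get(user) is not None and self.directory[user] == password
        record = self.site_creds.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, self._hash(password, salt))

    def activesync(self, user, device_id, password, now):
        """Decide one ActiveSync request. Returns (allowed, reason)."""
        if not self._credentials_ok(user, password):
            return False, "bad credentials"
        bound = self.devices.get(user)
        if bound is not None:
            # Ongoing authentication: the device ID must match the enrolled device.
            if device_id == bound:
                return True, "device matches user"
            return False, "device ID does not match enrolled device"
        pend = self.pending.get(user)
        if pend is None:
            return False, "user not enrolled"
        if now - pend.opened_at > self.timeout:
            # Window expired: the user has to register again.
            del self.pending[user]
            return False, "enrollment window expired"
        # First operation inside the window: bind the device ID to the user.
        self.devices[user] = device_id
        del self.pending[user]
        return True, "device registered"


if __name__ == "__main__":
    mac = MobileAccessControl("SCA", timeout_minutes=5, directory={})
    mac.start_enrollment("alice", now=1000.0, site_password="s3cret")
    print(mac.activesync("alice", "DEV1", "s3cret", now=1240.0))
    print(mac.activesync("alice", "DEV2", "s3cret", now=2000.0))
```

The two deny reasons worth alerting on are "device ID does not match enrolled device" (valid credentials from a different device) and repeated "enrollment window expired" results for one user; both are the cases this control exists to catch.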
