Exchange ActiveSync configuration

The Exchange ActiveSync module is used to filter the Exchange ActiveSync traffic that goes through the Pointsharp Access Gateway.

ActiveSync is a protocol used by Microsoft Exchange Services to transfer email, calendar, contacts, and more, from and to the Microsoft Exchange Server. This module uses the Pointsharp ID and its API to determine whether to filter the traffic or not.

For more information on how to configure the filter, please refer to the Device tab in the Pointsharp ID Admin GUI.

Property Description

Name

The name of the module configuration.

Use Authorization

Indicates whether to use authorization or not.

Default: checked, the authorization will always be performed

Authorization Cache Timeout

The timeout interval, in seconds, to use when requesting authorization (device access and content set) from the Pointsharp Web API.

Default: 60 seconds

Use ActiveSync Redirect

Indicates whether to follow the ActiveSync protocol by considering an HTTP 451 response from the Exchange Server as a redirect.

Default: checked, will obey the ActiveSync protocol definition of HTTP 451

Exchange device

Settings related to the device representation on the Exchange Server.

Property Description

Prefix

Prefix applied to a device when it is registered on the Exchange Server. This prefix is always applied, to identify the service that added the device to the Exchange Server.

Default: Empty, no prefix is added to the device

Quarantine Prefix

Prefix applied to a device when it is registered on the Exchange Server. This prefix is only applied when the device state changes to quarantined.

Default: Q

Content Wipe Prefix

Prefix applied to a device when it is registered on the Exchange Server. This prefix is only applied when the device state changes to content wiped.

Default: W

EAS Protocol Version

Specifies the list of allowed EAS versions (whitelist).

Property Description

Enabled

Enables the version check. Versions not in the list will not be advertised to the client as available protocol versions.

Version List

List of accepted EAS versions.

ICAP Settings

Configuration of the optional service supporting Internet Content Adaptation Protocol (ICAP) used to validate device data.

Pointsharp Access Gateway can be configured to use an ICAP server to validate data from incoming devices. The main purpose is to scan ActiveSync traffic for malicious content by contacting a virus scanning server.

Property Description

Is Enabled

Decides whether to use the defined ICAP Server to scan device data.

Default: Unchecked, the ICAP Server will not be requested.

ICAP Server URI

The URI to the ICAP Server.

Example: icap://server:1344/interscan

I/O Timeout

The timeout, in seconds, to use when connecting to the ICAP Server.

Default: 3 seconds

Use ICAP Preview

Enable if the ICAP Server supports preview.

Queue ICAP requests

Perform multiple ICAP requests on the same connection.

Some ICAP Servers do not support "Keep-Alive" between requests. Enable this to perform all ICAP requests from one client operation on the same connection.

Incoming Security Settings

The security settings for the traffic sent from the client.

The security settings define whether to allow an email depending on its signature and encryption status. The signature and encryption status of an email can be Signed, Encrypted, or Plaintext (neither signed nor encrypted).

Property Description

Block Signed Mail

Indicates whether to block signed emails.

Default: Unchecked, allow signed emails.

Block Encrypted Mail

Indicates whether to block encrypted emails.

Default: Unchecked, allow encrypted emails.

Block Plaintext Mail

Indicates whether to block plaintext emails.

Default: Unchecked, allow plaintext emails.

Incoming Signature Settings

These settings decide whether to add a digital signature to the data sent from the client, and define the digital signature to apply to emails sent from the client. This feature is used to prove that an email passed this Pointsharp Access Gateway before it was sent to the back-end Server.

Property Description

Add Signature

Indicates whether to add a digital signature to emails sent from the client.

Default: Unchecked, no signature will be added to the client data.

Certificate File Path

The path to the certificate file containing the private key used to create the digital signature. Has to be a PFX file containing the certificate chain.

Certificate Password

The password used when reading the certificate. Leave empty if not required.

Digest Algorithm

The algorithm used to compute the message digest that is signed when creating the digital signature.

Default: SHA-256

Incoming Signature Validation

These settings define how the digital signature(s) applied to emails sent from the client are validated.

The validation procedure takes two main steps: first the digital signature is verified, then the certificate it was signed with is verified, to ensure that it is trusted and valid.

The digital signature is verified by extracting from the email data the certificate and the digest algorithm that were used when creating the signature. The public key from that certificate is then used to retrieve the message digest from the digital signature, and that digest is compared with a digest computed over the email data with the same digest algorithm.

The certificate is validated against the current date, the configured trusted roots, and the Certificate Revocation List (CRL). See RFC 5280 for further details about certificate validation.

Property Description

Use Signature Validation

Indicates whether to validate the digital signature(s) applied to emails sent from the client.

Default: Unchecked, the signature(s) will not be validated.

Trusted Root Certificates

The list of trusted roots. Needs to contain at least one certificate to be able to validate the certificate.

Custom CRL Distribution Point

A URL pointing to a CRL that is always included in the validation procedure.

Default: Disabled, no default CRL will be used.

Use CRL Distribution Point

Indicates whether a CRL should be retrieved using the CRL Distribution Point in the certificate.

Default: Checked, the CRL distribution points in the root certificates and in the certificates being validated are used.

Ignore Unhandled Extensions

Indicates whether critical extensions in the certificate that are not supported by the current implementation should be ignored.

Default: Unchecked, if any critical extension is not supported, the signature will be invalidated.

Outgoing Security Settings

The security settings for the traffic sent from the back-end Server. The security settings define whether to allow an email depending on its signature and encryption status. The signature and encryption status of an email can be Signed, Encrypted, or Plaintext (neither signed nor encrypted).

Property Description

Block Signed Mail

Indicates whether to block signed emails.

Default: Unchecked, allow signed emails.

Block Encrypted Mail

Indicates whether to block encrypted emails.

Default: Unchecked, allow encrypted emails.

Block Plaintext Mail

Indicates whether to block plaintext emails.

Default: Unchecked, allow plaintext emails.

Outgoing Signature Replacement Settings

These settings decide whether to replace the digital signature on data sent from the back-end Server, and define the digital signature that replaces the existing one on signed emails sent from the back-end Server. If a policy for mail body data manipulation is in use, the new content is used for the new signature.

This feature is used to prove that an email has passed this Pointsharp Access Gateway before it was sent to the client.

Property Description

Add Signature

Indicates whether to replace the digital signature on emails sent from the back-end Server.

Default: Unchecked, no signature will be replaced on the back-end Server data.

Certificate File Path

The path to the certificate file containing the private key used to create the digital signature. Has to be a PFX file containing the certificate chain.

Certificate Password

The password used when reading the certificate. Leave empty if not required.

Digest Algorithm

The algorithm used to compute the message digest that is signed when creating the digital signature.

Default: SHA-256

Outgoing Signature Validation

These settings define how the digital signature(s) applied to emails sent from the back-end Server are validated.

The validation procedure takes two main steps: first the digital signature is verified, then the certificate it was signed with is verified, to ensure that it is trusted and valid.

The digital signature is verified by extracting from the email data the certificate and the digest algorithm that were used when creating the signature. The public key from that certificate is then used to retrieve the message digest from the digital signature, and that digest is compared with a digest computed over the email data with the same digest algorithm.

The certificate is validated against the current date, the configured trusted roots, and the Certificate Revocation List (CRL). See RFC 5280 for further details about certificate validation.
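The two-step procedure described here and under Incoming Signature Validation, as an added Go example that is not Pointsharp's code: step 1 checks the signature with the signer certificate's public key, step 2 validates that certificate for date, trusted root and CRL status, and an unhandled critical extension fails validation as the default setting requires. It assumes Go's standard library, uses Ed25519 instead of an RSA/SHA-256 signature for brevity, and builds its own constructed root, leaf and CRL.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidateSignedMail: step 1 verifies the signature with the signer certificate's public key; step 2 validates that certificate for date, trusted root and revocation.
func ValidateSignedMail(data, sig []byte, signer, root *x509.Certificate, crl *x509.RevocationList) error {
	if err := signer.CheckSignature(x509.PureEd25519, data, sig); err != nil { // in S/MIME the algorithm is read from the SignerInfo
		return fmt.Errorf("signature: %w", err) // data altered or signed by a different key
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}); err != nil {
		return fmt.Errorf("chain: %w", err) // expired, not yet valid, untrusted issuer, or an unhandled critical extension
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // never act on a CRL the trusted root did not sign
		return fmt.Errorf("crl: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", signer.SerialNumber)
		}
	}
	return nil
}

// Fixture is constructed test material (not from the page): a self-signed root, a leaf (serial 42) it issued, a signature over a sample body, and a root-signed CRL listing revokedSerial.
func Fixture(revokedSerial int64) (data, sig []byte, leaf, root *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"}, IsCA: true, BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "mail signer"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	root = parse(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootKey))
	leaf = parse(x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, rootKey))
	data = []byte("Subject: hello\r\n\r\nconstructed mail body")
	sig = ed25519.Sign(leafKey, data)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, root, rootKey)
	crl, _ = x509.ParseRevocationList(crlDER)
	return
}
```

Fixture(7) yields a chain that validates; Fixture(42) yields the same chain with the signer's serial on the CRL, so validation fails at the revocation step even though the signature and chain are fine.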

Property Description

Use Signature Validation

Indicates whether to validate the digital signature(s) applied to emails sent from the back-end Server.

Default: Unchecked, the signature(s) will not be validated.

Trusted Root Certificates

The list of trusted roots. Needs to contain at least one certificate to be able to validate the certificate.

Custom CRL Distribution Point

A URL pointing to a CRL that is always included in the validation procedure.

Default: Disabled, no default CRL will be used.

Use CRL Distribution Point

Indicates whether a CRL should be retrieved using the CRL Distribution Point in the certificate.

Default: Checked, the CRL distribution points in the root certificates and in the certificates being validated are used.

Ignore Unhandled Extensions

Indicates whether critical extensions in the certificate that are not supported by the current implementation should be ignored.

Default: Unchecked, if any critical extension is not supported, the signature will be invalidated.

ActiveSync Protocol Filter

Validation of fields in the MS-ASHTTP (Microsoft ActiveSync) protocol.

Microsoft documents describing the fields:

[MS-ASCNTC] - Contact Class Protocol

[MS-ASCAL] - Calendar Class Protocol

[MS-ASTASK] - Tasks Class Protocol

Property Description

Outgoing Protocol Filter

Enables field checks on data going from Exchange to the client.

Protocol Filter Rule List

Add fields for inspection. If a field's length exceeds the configured value, the item will be blocked. If a field length check is triggered in a contact object, that contact will not be synced. (If an earlier version of the contact existed on the device with valid fields, it will be deleted.)

Use Alternative Transfer Encoding

ActiveSync has the option to send large data as Transfer-Encoding: chunked to the back-end Server. "chunked" Transfer-Encoding was used in earlier versions, but could cause problems on the Exchange server. The default is to use the Content-Length header.

Property Description

Use Alternative Transfer Encoding

Unchecked: Use the Content-Length header (preferred)