AppTec Universal Gateway in test [Computer Week]

Secure smartphone access to Exchange servers

The security gateway from Switzerland supplements the AppTec EMM solution with secure access to Exchange servers for all managed mobile devices.

For security reasons, Exchange servers are usually operated behind the firewall. This is practicable as long as no roaming users request access to Exchange services while on the move. Allowing smartphone users to access the server from outside, however, represents a security risk and is sometimes not permitted at all. AppTec, the Swiss provider of EMM software, provides a security solution for this scenario. The “AppTec Universal Gateway” ensures that Exchange users have secure access to the mail system from outside.

Reverse proxy architecture

The Universal Gateway connects to the network as a reverse proxy and acts as a single access point for mobile devices. It is supplied by AppTec as a virtual appliance and is typically installed in the DMZ (“demilitarized zone”). In conjunction with the EMM solution “AppTec Enterprise Mobility Management”, only managed smartphones are granted external access to the Exchange server. The EMM software ensures fully automatic configuration of the mobile devices.

Setup as a virtual appliance

The gateway system is quickly installed. It can be operated in a virtual machine (VM) with any standard virtualization software. Configuration is carried out via a simple text menu at console level. Essentially, the administrator only needs to assign the administration passwords and carry out the network configuration. Optionally, the connection to the AppTec EMM server can be tested via ping.

The overall system is modular. This means that the Universal Gateway can be set up regardless of whether AppTec EMM is operated in the cloud or on-premises. Only the firewall ports for communication between the gateway and Exchange and between the gateway and the EMM server need to be enabled.

Configuration via EMM web console

Once the server software has been set up, the gateway configuration is carried out via the AppTec EMM web console. The Universal Gateway is activated in the “Add Gateway” menu item. To do this, enter the network address of the appliance and store an SSL certificate. In the next step, the connection to the Exchange server is defined via “Add Gateway Configuration”. Here you need to decide whether managed devices should be automatically enabled for access to Exchange or whether they should initially end up in a quarantine list and be enabled manually by the Exchange administrator.

Kerberos ensures security and user convenience

Administrators can activate Kerberos for communication between the smartphone and gateway. It increases system security and eliminates the need for users to enter or periodically change passwords, as it turns their mobile devices into hardware tokens. To be able to use Kerberos, either a Kerberos keytab file must be provided during configuration or, alternatively, a delegation user must be created in Active Directory.

In the configuration for ActiveSync, the administrator can also make settings for the communication protocol between Exchange and the mobile devices. The configuration for Kerberos and ActiveSync is then automatically rolled out to the end devices. From this point on, they will only connect to the Universal Gateway for mail communication. There is no direct connection to the Exchange server.

VPN for Android smartphones

Android users can also be equipped with a VPN connection to the company network via the Universal Gateway. This is defined via an additional gateway configuration profile and ensures that the AppTec VPN client is automatically installed on the end device.

The administrator can view the connection status of all devices in the EMM console. Using the “Always on” option, the administrator can specify that the mobile device always communicates with the outside world via VPN. By default, the app automatically detects whether a connection to the Internet is to be established – for example, because the user opens a browser – and then automatically starts the VPN connection on demand.

Beyond the security aspect, AppTec’s Universal Gateway also benefits users. Smartphone users do not have to carry out any configuration. They can use the Exchange services as usual and, thanks to Kerberos, do not have to enter a password or make any annoying password changes.

Prices and availability

The Universal Gateway can only be used in conjunction with the AppTec EMM system. It costs €0.79 per device per month, in addition to the usage fee for the EMM. On request, the Swiss manufacturer will install and configure the system for the customer (subject to a charge).