ActiveSync Authentication

Application Offloading now supports authentication for ActiveSync. Application Offloading technology delivers Web applications using Virtual Hosting and Reverse Proxy. Users still need to authenticate with the SRA appliance before accessing the backend Web application. However, the proxy avoids URL rewriting in order to deliver the Web applications seamlessly.

ActiveSync is a protocol used by a mobile phone’s email client to synchronize with an Exchange server. The Administrator can create an offloading portal and set the application server host to the backend Exchange server. Then, a user can use the new virtual host name in a mobile phone’s email client, and synchronize with the backend Exchange server through the SRA appliance. Before SRA 6.0, users had to disable authentication for ActiveSync offloading portals, because ActiveSync requests are different from requests sent from the browser.


	NOTE: On iPhones/iPads running versions earlier than iOS 6.1.2, initial account synchronization may fail if a calendar contains a recurring invite.

ActiveSync is managed through the Portals > Offload Web Application > Offloading > Security Settings page:

To configure ActiveSync authentication, clear the Disable Authentication Controls check box to display the authentication fields. Select the Enable ActiveSync authentication check box and then type the default domain name. The default domain name will not be used when the domain name is set in the email client’s setting.

ActiveSync Log Entries

The Log > View page is updated when a Web application is offloaded. Most mobile systems (iPhone, Android, etc.) support ActiveSync. These log entries identify when the client began to use ActiveSync through the offloading portal. The ActiveSync message identifies the device ID (ActiveSync: Device Id is…) for an ActiveSync request unless a client sets up the account and the request does not contain a device ID. The ActiveSync label is not used in log entries for anonymous users who use ActiveSync.


	NOTE: A user’s credential in the Exchange server must be the same as the one in the SRA. Many authentication types are available for each domain in the SRA. If using the Local User Database, make sure the user name and password is the same as the one for the Exchange server. Fortunately, other authentication types like Active Directory can share credentials for both the Exchange server and SRA appliance. However, authentication using authentication types that share credentials may take longer and the first ActiveSync request may time out. Once authentication succeeds, a session is created and other requests won’t need to be authenticated again.

Configuring a Portal to Check Email From an Android Device

The following example shows how to set up ActiveSync to check emails from an Android device. Be sure to replace entries shown in the examples with entries for your environment, and be careful to input the correct password. Otherwise, the account will be blocked.

Create a Domain name of webmail.example.com. Set the Active Directory domain and Server address to webmail.example.com. Set the Portal name to webmail.

In the SRA appliance, create an offloading portal with the name webmail.

Set the Scheme to Secure Web (HTTPS).

Set the Application Server Host to your Exchange server, for example webmail.example.com.

Set the virtual host name, for example, webmail.example.com. The virtual host name should be resolved by the DNS server. Otherwise, modify the hosts file in the Android phone.

Select the Enable ActiveSync Authentication check box. Leave the default domain name blank or input webmail.example.com.

Turn on the Android phone, open the Email application, and type your email address and password. Click Next.

Choose Exchange.

Input your Domain\Username, Password, and Server. No domain name is displayed, so use the default domain name specified in the offloading portal’s setting. Select Accept all SSL certificates and click Next.

If the AD authentication times out, the Setup could not finish message is displayed. Wait about 20 seconds and try again. You can also check the SRA log to see if the user logged in successfully. You may not encounter this problem if the AD authentication is fast.

When the authentication finishes, a security warning appears. Click OK to continue, modify your account settings, and click Next.

Try to send and receive emails, and ensure that ActiveSync entries are included in the SRA log.