ApplicGate
(v12.0.8874.35714 started 2024-04-18 18:00:37 on VM2)

Exchange Active Sync (EAS) Support
Monitor and control/restrict access (by using the EAS protocol) from mobile devices to Exchange mailboxes.
Goal: No unidentified device is allowed to access the Exchange mailbox.
The Application Gateway intercepts the EAS traffic and builds a user/device database; no manual configuration is necessary.
Specific entries can then be blocked or unblocked, and user authentication by certificates can be enforced.
Integration with Active Directory (AD) can be configured.
See schema.

Here are sample configuration files for EAS: routing.csv and groups.csv
These files are written during install when the switch /install:EAS is used.

The following keywords are used:

EAS:mode[:OUlist][!OUposition[!ou1name[!ou2name]]] ... Exchange Active Sync (EAS) support
mode ... one of the following three operation modes:
... Block: Devices are blocked if they are marked as locked or if a new device would exceed the number of allowed devices (locked devices count!). Includes the "ADblk" check.
... ADblk: Block only if the EAS request carries no user or the user cannot be found in AD.
... Learn: Learning mode. No blocking takes place.
........Note: If a client certificate is requested and its email address does not match, the device is blocked regardless of the EAS mode.
OUlist ... optional list of OUs (OU1 as described below, separated by |) in which blocking is active. If not specified, users in any OU are blocked.
OUposition ... the OU at this position (OU1) and the next OU (OU2) are shown in the EAS user listing. Positions are counted from the DC (domain) end of the DN, as in the example below. If 0 or missing, no OU is shown.
.... e.g. if ADusers.csv contains the following DN field and OUposition is 2:
.... CN=Mueller Max,OU=Users,OU=LNZT,OU=AT,OU=AGC,DC=abc,DC=company,DC=net
.... then AT (the country code in this example) is shown as OU1 and LNZT (the site code in this example) as OU2 in the EAS user list.
ou1name ... display name for OU1, default is OU1; if blank, OU1 is not displayed
ou2name ... display name for OU2, default is OU2; if blank, OU2 is not displayed

Example: EAS:Learn!2!Country!Site
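The following is an added example, not ApplicGate code: it parses the EAS keyword into its fields and derives OU1/OU2 from an AD distinguished name the way the OUposition parameter above describes (positions counted from the DC end, which is the only reading consistent with the page's own DN example). Function names and the dict layout are my choices; the keyword syntax, the sample DN and the defaults are the ones documented above.

```python
# Added example, not part of ApplicGate: parse the EAS keyword and derive OU1/OU2
# from a DN as the OUposition parameter describes. Function names are mine.
import re

VALID_MODES = ("Block", "ADblk", "Learn")


def parse_eas_keyword(keyword):
    """Split 'EAS:mode[:OUlist][!OUposition[!ou1name[!ou2name]]]' into its fields."""
    if not keyword.startswith("EAS:"):
        raise ValueError("not an EAS keyword: %r" % keyword)
    main, _, display = keyword[4:].partition("!")   # '!' starts the display part
    mode, _, oulist = main.partition(":")           # ':' separates mode from OUlist
    if mode not in VALID_MODES:
        raise ValueError("unknown EAS mode: %r" % mode)
    disp = display.split("!") if display else []
    return {
        "mode": mode,
        # empty list = no OU restriction: users in any OU are blocked
        "oulist": [ou for ou in oulist.split("|") if ou],
        # 0 or missing: no OU is shown in the listing
        "position": int(disp[0]) if disp and disp[0] else 0,
        # default display names OU1/OU2; an explicit blank name hides that column
        "ou1name": disp[1] if len(disp) > 1 else "OU1",
        "ou2name": disp[2] if len(disp) > 2 else "OU2",
    }


def ou_components(dn):
    """OU= values of a DN ordered from the DC (root) end toward the CN.

    The page's example numbers positions from the domain end, so the leaf-first
    DN is reversed. Commas escaped with a backslash (RFC 4514) are kept inside
    their value and not treated as separators."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    ous = [r[3:] for r in rdns if r[:3].upper() == "OU="]
    return ous[::-1]


def ou1_ou2(dn, position):
    """Return (OU1, OU2) for OUposition, or (None, None) when nothing is shown."""
    if position <= 0:
        return (None, None)
    ous = ou_components(dn)
    ou1 = ous[position - 1] if len(ous) >= position else None
    ou2 = ous[position] if len(ous) > position else None
    return (ou1, ou2)


def blocking_active(ou1, oulist):
    """OUlist restricts blocking to users whose OU1 is listed; empty list = everyone."""
    return not oulist or ou1 in oulist


# Constructed sample input: the keyword and the DN quoted on this page.
SAMPLE_KEYWORD = "EAS:Learn!2!Country!Site"
SAMPLE_DN = "CN=Mueller Max,OU=Users,OU=LNZT,OU=AT,OU=AGC,DC=abc,DC=company,DC=net"

if __name__ == "__main__":
    cfg = parse_eas_keyword(SAMPLE_KEYWORD)
    ou1, ou2 = ou1_ou2(SAMPLE_DN, cfg["position"])
    print("%s=%s %s=%s" % (cfg["ou1name"], ou1, cfg["ou2name"], ou2))
```

Run stand-alone it prints Country=AT Site=LNZT for the page's example, and `blocking_active` is the check an OUlist such as `EAS:Block:AT|US` implies for a user whose OU1 has been derived this way.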

EAS user and device information can be retrieved via statea$ or statea.

To map sAMAccountName to userPrincipalName the file ADusers.csv (in the default directory) must exist. It is loaded at program start if the keyword EAS has been specified.
Loading can also be triggered via loadad.
The header of this file must be
"DN,sAMAccountName,userPrincipalName" or "DN,userPrincipalName,sAMAccountName",
as exported e.g. by csvde.exe.
If ADusers.csv is uploaded via POST, the keyword/parameter "START:loadad" can be used to trigger loading of the file.

Usage of certificates:
Prerequisites are the keywords CCR and, only if not all smartphones provide certificates, CCRNQ; they tell the smartphone to send a client certificate.
If the user is configured for certificate use and the email address in the client certificate does not match the userPrincipalName, the connection is terminated.

EASBLK:grouplist ... defines EAS DeviceTypes to be blocked
grouplist is a list of special groups (group name must start with "B_") separated by |
Example: EASBLK:B_Dev1|B_Dev2
Each group may contain one or more DeviceTypes (separated by ,) that should be blocked, e.g. Outlook,SAMSUNGGTI9300
Note: The device is blocked regardless of the EAS mode.
This keyword is valid for all EAS rules; the first occurrence of the keyword EASBLK is used.

EASACL:grouplist ... defines access for managing EAS users and devices; required for status links, optional for manage links
grouplist is a list of special groups (group name must start with "A_") separated by |
Example: EASACL:A_EAS1|A_EAS2
Each group may contain one or more ACLs (separated by ,) with the following format:
list of email addresses (separated by |) : accessType : list of OU names (separated by |)
- email addresses may contain one or more * as wildcard, e.g. *@aon.at, ab*x@mycompany.com, *.mgmt.*@x.com.
- accessType may contain the following characters:
-- W ... write access
-- R ... read access
-- I ... display IP address of the mobile device
-- N ... notification by email if a device is locked because the allowed number of devices was exceeded
-- X ... notification by email if there is a new EAS user with no AD entry (OU must be *, only for EAS modes ADblk and Block)
- OU name: if * is specified, any entry can be accessed.
e.g.: a@abc.com|b@cde.com:W:AT|US|VIE, mm@fgh.com:R:*
This means that a connection authenticated via client certificate with email a@abc.com or b@cde.com
can manage any EAS user and device entries whose OU1 or OU2 is AT, US or VIE.
User mm@fgh.com sees all entries but cannot write.
Example with wildcards in email:
*:R:* ... any user has read access
*@domain.com:W:* ... any user from domain.com has write access
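The following is an added example, not ApplicGate code: a parser for an "A_" group in the ACL format documented above, plus an evaluator that returns the accessType characters a certificate email is granted for an entry with a given OU1/OU2, and a helper that selects the notification recipients for N and X (X only from entries whose OU is *, as required above). Function names are mine; case-insensitive email matching and the exclusion of wildcard patterns from notification recipients are assumptions the page does not state.

```python
# Added example, not ApplicGate code: parse an "A_" group of EAS ACLs and evaluate
# which accessType characters a certificate email gets for a given entry.
import re
from dataclasses import dataclass


@dataclass
class Acl:
    emails: list     # address patterns; '*' is the only wildcard the page describes
    access: str      # any of W R I N X
    ous: list        # OU names, or ['*'] for any entry


def parse_acl_group(group_text):
    """Parse 'emails:accessType:OUs' entries separated by ',' into Acl objects."""
    acls = []
    for entry in group_text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        fields = [f.strip() for f in entry.split(":")]
        if len(fields) != 3:
            raise ValueError("ACL needs emails:accessType:OUs, got %r" % entry)
        emails, access, ous = fields
        bad = set(access.upper()) - set("WRINX")
        if bad:
            raise ValueError("unknown accessType %s in %r" % ("".join(sorted(bad)), entry))
        acls.append(Acl(emails.split("|"), access.upper(), ous.split("|")))
    return acls


def email_matches(pattern, email):
    """'*' matches any run of characters; everything else is literal.
    Case-insensitive comparison is an assumption, the page does not say."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, email, re.IGNORECASE) is not None


def effective_access(acls, email, ou1, ou2):
    """Union of accessType characters granted to `email` for an entry with OU1/OU2."""
    granted = set()
    for acl in acls:
        if not any(email_matches(p, email) for p in acl.emails):
            continue
        if "*" in acl.ous or ou1 in acl.ous or ou2 in acl.ous:
            granted.update(acl.access)
    return granted


def notify_recipients(acls, kind):
    """Literal addresses (no wildcard) whose ACL carries accessType `kind` ('N' or 'X').
    X notifications only go to entries whose OU list is '*', as the page requires."""
    out = []
    for acl in acls:
        if kind not in acl.access:
            continue
        if kind == "X" and acl.ous != ["*"]:
            continue
        out.extend(e for e in acl.emails if "*" not in e)
    return out


# Constructed sample group: the two ACLs from the page plus a wildcard and an X entry.
SAMPLE_GROUP = ("a@abc.com|b@cde.com:W:AT|US|VIE, mm@fgh.com:R:*, "
                "*@ops.example:RIN:*, sec@abc.com:X:*")

if __name__ == "__main__":
    acls = parse_acl_group(SAMPLE_GROUP)
    for who, ou1, ou2 in [("b@cde.com", "AT", "LNZT"), ("b@cde.com", "DE", "HAM"),
                          ("mm@fgh.com", "DE", "HAM"), ("ops1@ops.example", "US", "NYC")]:
        print(who, ou1, ou2, "".join(sorted(effective_access(acls, who, ou1, ou2))))
    print("X recipients:", notify_recipients(acls, "X"))
```

Note that W does not imply R here: the page lists them as independent characters, so an ACL that should both list and change entries needs "WR".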

Note:
"A_" groups can be used also with other keywords where a list of email addresses is required such as CCR.
If any ACL contains accessType N or X:
- To enable notification of admins, this group must be given as parameter of the NOTIFYT keyword on rules with the keyword EAS.
- User-defined mail templates can be referenced via the keyword TEAS in group Notify.

EASMDD:numberOfDays ... minimum number of days to allow mass delete (for status routing entries).
In "List EAS Entries" the value "Last used before (days)" must be equal to or higher than numberOfDays for the "Delete" button to be shown.
The default value of numberOfDays is 60 if EASMDD is not specified or invalid.
This is a security measure. Deletion of specific entries is not affected by this keyword.

EASNDA:NumberOfDevicesAllowed ... sets the initial number of devices allowed (default is 1; applies to routing entries with keyword EAS).

Notes on EAS connections:
When a user connects to the Exchange server for the first time:
- Active Directory (AD) data is checked to verify that the user exists and to find the sAMAccountName or userPrincipalName.
- If the AD lookup fails and the EAS mode is ADblk or Block:
-- The connection is blocked and the administrator is notified (all ACL entries with accessType X and OU *).
- Otherwise an EAS user object is created within ApplicGate (sAMAccountName and userPrincipalName are stored if available).
- If the EAS mode is Learn and the AD lookup failed: the incomplete EAS user objects can be managed via the commands shown
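The following is an added example, not ApplicGate code: the allow/block decision for a single EAS request, assembled from the rules this page states for the three modes, the certificate check, EASBLK, EASNDA and the first-connection notes above. The evaluation order, the parameter names and the reason strings are my assumptions (the page does not document ApplicGate's internal order), as is the choice to let an OUlist restrict only the per-user device checks, since a user missing from AD has no OU to compare.

```python
# Added example, not ApplicGate code: allow/block decision for one EAS request,
# built from the rules stated on this page. Check order and names are assumptions.
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    reason: str
    notify: str = ""   # accessType of the admins to mail: "X", "N", or "" for nobody


def eas_decision(mode, *, ad_user_found, cert_required=False, cert_email_matches=True,
                 device_type="", blocked_device_types=(), device_known=False,
                 device_locked=False, devices_registered=0, devices_allowed=1,
                 ou_in_scope=True):
    """Decide one request.

    ad_user_found      False for a request without user and for a user missing in AD.
    blocked_device_types  DeviceTypes collected from the EASBLK "B_" groups.
    devices_registered the user's existing devices, locked ones included (EASNDA default 1).
    ou_in_scope        False when an OUlist is configured and the user's OU1 is not in it
                       (assumed to gate only the device checks below)."""
    if mode not in ("Block", "ADblk", "Learn"):
        raise ValueError("unknown EAS mode: %r" % mode)
    # Certificate email must match the userPrincipalName, whatever the mode.
    if cert_required and not cert_email_matches:
        return Decision(False, "certificate email does not match userPrincipalName")
    # EASBLK device types are blocked whatever the mode.
    if device_type in blocked_device_types:
        return Decision(False, "DeviceType %s is listed in EASBLK" % device_type)
    # AD check: blocks in ADblk and Block; admins with accessType X (OU *) are notified.
    if not ad_user_found:
        if mode in ("Block", "ADblk"):
            return Decision(False, "user not found in AD", notify="X")
        return Decision(True, "Learn mode: incomplete EAS user object created")
    # Only Block mode looks at the lock flag and the device count (ADblk is AD-only).
    if mode != "Block":
        return Decision(True, "no device checks in mode %s" % mode)
    if not ou_in_scope:
        return Decision(True, "user OU not in OUlist, blocking not active")
    if device_known and device_locked:
        return Decision(False, "device is marked as locked")
    if not device_known and devices_registered >= devices_allowed:
        # Locked devices count toward the limit; admins with accessType N are notified.
        return Decision(False, "new device exceeds %d allowed device(s)" % devices_allowed,
                        notify="N")
    return Decision(True, "allowed")


if __name__ == "__main__":
    # Constructed sample: a user with one locked device bringing a second device in Block mode.
    print(eas_decision("Block", ad_user_found=True, device_known=False,
                       devices_registered=1, devices_allowed=1))
    print(eas_decision("ADblk", ad_user_found=False))
    print(eas_decision("Learn", ad_user_found=True, device_type="Outlook",
                       blocked_device_types={"Outlook", "SAMSUNGGTI9300"}))
```

The first call is blocked with notify "N" because the locked device still counts against EASNDA's default of 1; raising EASNDA or deleting the locked entry is what lets the new device in.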
reinhold.leitner@applicgate.com (C) April 2024
www.applicgate.com