Exchange Mail Applications for Smartphones and Tablets

Introduction to Exchange Mail Applications

Mobile Mail and ActiveSync applications let smartphone and tablet users connect to email, calendar, contacts, and notes through an Exchange server. Web applications and File shares can also be available on smartphones and tablets.

Mobile Mail Applications

Mobile Mail Applications work with Exchange servers to make business email available on mobile devices with a Capsule Workspace App. The application is in a secure area on the Mobile Device that is usually protected with a passcode. All data in Capsule Workspace is encrypted.

During the Mobile Access Wizard, if you select Mobile Devices > Capsule Workspace, and enter an Exchange server, a Mobile Mail Application is automatically created. Make sure that users have access to the Mobile Mail Application in your Mobile Access policy.

Configuring Mobile Mail Applications

To create and configure a new Mobile Mail application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Click New Custom Application/Site > Mobile Application > Business Mail.

    The Mobile Mail Application window opens.

  3. In the General Properties page:

  4. In the Exchange Access page, in the Define access settings area:

    • Use encryption (https) - By default, traffic to the Exchange server works with HTTPS.

    • Use non-default path - If the Exchange Web Services path on the Exchange server to the application is not the default, enter the path here.

      The default path is EWS/Exchange.asmx and the URL is https://<IP address of the Exchange Server>/EWS/Exchange.asmx

    • Use specific domain - If you want users to authenticate to a specified domain on the Exchange server, enter it here.

  5. In the Exchange Access page, in the Proxy Settings area, if there is a proxy server between the Exchange Server and the Security Gateway, configure these settings:

    • Use gateway proxy settings - By default the proxy settings configured for the Security Gateway are used.

    • Do not use proxy server - Select if no proxy server is required.

    • Use specific proxy server - Configure a proxy server that the Security Gateway communicates with to reach the Exchange Server.

    1. Select the Host and Service.

    2. If credentials are required to access the proxy server, select Use credentials for accessing the proxy server and enter the Username and Password.

  6. In the Display Link page:

    • Title - The name of the application that users will see on their mobile devices.

    • Description - The description of the application that users will see on their mobile devices.

  7. In the Single Sign On page, select the source of the credentials used for Single Sign-On for this application:

    • Login to Exchange with the application credentials - By default, use the same credentials that users use to log in to the Business Secure Container. This only applies if the authentication method configured for them on the Security Gateway is Username/Password (Gateway Properties > Mobile Access > Authentication).

    • Prompt for user credentials and store them locally for reuse - Use different credentials for the Business Secure Container.

      • Show the user the following message on the credentials prompt - Select this and enter a message that users see when prompted to enter the credentials required for the Business Secure Container.

  8. In the Periodic Test page, select which tests are run regularly on the Security Gateways to make sure they can connect to the Exchange server. If there is a connectivity problem, a System Alert log is generated.

    • Run periodic test from gateways that have access to this application - A test makes sure there is connectivity between the Security Gateway and Exchange server. The test runs at the interval that you enter.

    • Perform extensive test using the following account - Periodically run a test to make sure that a user can authenticate to the Exchange server. To run this test you must enter a valid Username and Password.

    Note - If the account password changes, you must enter the new password here.

  9. Click OK.

  10. Install the policy.

ActiveSync Applications

An ActiveSync application is an email application that works with ActiveSync, which is native in most Mobile devices. Mobile devices that can use the ActiveSync protocol and connect to an Exchange server can access ActiveSync applications.

As opposed to Mobile Mail applications, ActiveSync applications are not located in the Business Secure Container and are not protected. If you use the ActiveSync application, make sure that your mobile device is protected in other ways so that your sensitive business data and Exchange user credentials stay safe.

Make sure to give users access to the ActiveSync application in your Mobile Access policy.

Configuring ActiveSync Applications

To create a new ActiveSync application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Click New Custom Application/Site > Mobile Application > ActiveSync Application.

    The ActiveSync Application window opens.

To configure an ActiveSync application:

  1. In SmartConsole, click Objects > Object Explorer (Ctrl+E).

  2. Search for the Mobile Access application.

  3. Double-click the application.

    The ActiveSync Application window opens.

  4. In the General Properties page:

    • Enter a Name for the application in SmartDashboard

    • Enter the name of the Exchange Server that will communicate with the Security Gateway and the Port. For example, ad.example.com

  5. In the Exchange Access page, in the Define access settings area:

    • Use encryption (https) - By default, traffic to the Exchange server works with HTTPS.

    • Use non-default path - If the ActiveSync path on the Exchange server to the application is not the default, enter the path here.

    • Use specific domain - If you want users to authenticate to a specified domain on the Exchange server, enter it here.

  6. In the Exchange Access page, in the Proxy Settings area, if there is a proxy server between the Exchange Server and the Security Gateway, configure the settings here.

    • Use gateway proxy settings - By default the proxy settings configured for the Security Gateway are used.

    • Do not use proxy server - Select if no proxy server is required.

    • Use specific proxy server - Configure a proxy server that the Security Gateway communicates with to reach the Exchange Server.

    1. Select the Host and Service.

    2. If credentials are required to access the proxy server, select Use credentials for accessing the proxy server and enter the Username and Password.

  7. In the Display Link page:

    • Title - The name of the application that users will see on their mobile devices.

    • Description - The description of the application that users will see on their mobile devices.

  8. In the Periodic Test page, select which tests are run regularly on the Security Gateways to make sure they can connect to the Exchange server. If there is a connectivity problem, a System Alert log is generated.

    • Run periodic test from gateways that have access to this application - A test makes sure there is connectivity between the Security Gateway and Exchange server. The test runs at the interval that you enter.

    • Perform extensive test using the following account - Periodically run a test to make sure that a user can authenticate to the Exchange server. To run this test you must enter a valid Username and Password.

    Note - If the account password changes, you must enter the new password here.

  9. Click OK.

  10. Install the policy.

Configuring a TLS/SSL Version for an Application

You can configure which SSL protocol to use on the internal server for Web applications and Exchange Mail applications. For example, you can configure that a Mobile Mail application always uses TLS 1.0. If you do not configure this, Mobile Access uses the default version that the organizational server recommends.

Configure the feature for each application in Database Tool (GuiDBEdit Tool) (see sk13009).

To configure an SSL version for an application:

  1. Close all SmartConsole windows connected to the Management Server.

  2. Connect with Database Tool (GuiDBEdit Tool) to the Management Server.

  3. Go to Other > network_applications > APPLICATION NAME > internal_resource_ssl_version.

  4. Select a version. The options are:

    • auto (default) - Uses the version that the organizational server recommends

    • SSLv3 (SSL 3.0)

    • TLSv1 (TLS 1.0)

    • TLSv1.1 (TLS 1.1)

    • TLSv1.2 (TLS 1.2)

  5. Save the changes and close Database Tool (GuiDBEdit Tool).

  6. Connect with SmartConsole to the Management Server.

  7. Install policy.
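
A pre-check for the version pin configured above, added here as an example (it is not Check Point code): it probes which of the listed protocol versions the Exchange server accepts and reviews a configured internal_resource_ssl_version value against the result. The function names probe and review_pin and the sample probe result are assumptions constructed for illustration.

```python
import socket
import ssl

# Option names from the page's internal_resource_ssl_version list, weakest first.
OPTIONS = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1": ssl.TLSVersion.TLSv1,
           "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2}
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 and RFC 8996

def probe(host, port=443, timeout=5.0):
    """One handshake per version: True = accepted, False = handshake failed,
    None = the local OpenSSL build cannot be set to that version (unknown)."""
    results = {}
    for name, version in OPTIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # protocol probe only; certificate not checked
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:
            results[name] = None
            continue
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                ctx.wrap_socket(sock, server_hostname=host).close()
                results[name] = True
            except (ssl.SSLError, ConnectionResetError):
                results[name] = False
    return results

def review_pin(configured, results):
    """Findings for one application's value: 'auto' or a key of OPTIONS."""
    order = list(OPTIONS)
    accepted = [n for n in order if results.get(n) is True]
    findings = []
    if configured != "auto":
        if results.get(configured) is False:
            findings.append(f"BREAKS: server refuses {configured}")
        stronger = [n for n in accepted if order.index(n) > order.index(configured)]
        if configured in DEPRECATED and stronger:
            findings.append(f"DOWNGRADE: pinned to {configured}, server accepts {stronger[-1]}")
    legacy = [n for n in accepted if n in DEPRECATED]
    if legacy:
        findings.append("SERVER: still accepts " + ", ".join(legacy))
    return findings

# Constructed probe result for illustration; on a real network use probe(host).
SAMPLE = {"SSLv3": None, "TLSv1": True, "TLSv1.1": True, "TLSv1.2": True}

if __name__ == "__main__":
    print(review_pin("TLSv1", SAMPLE))
```

A False for an old version can also come from the local OpenSSL security policy refusing it, so confirm an unexpected refusal from a second client before changing the pin.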

Policy Requirements for ActiveSync Applications

  • To access ActiveSync, users must belong to a user group that is allowed to access ActiveSync applications.

  • Each user must have an email address defined in the Email Address field in the properties of an internal user object, or on an LDAP server (for LDAP users).

  • If users are internal, their Check Point client passwords must be the same as their Exchange passwords, otherwise ActiveSync will not work.