My question is about using ISA server to control Internet access on Windows Mobile 5.0 PDA devices that will use the ISA proxy to access the Internet.
The scenario is that we're giving about 50-75 PDAs to company engineers to give them on the go access to company email. These devices are set up to use Exchange ActiveSync for the email and use the mobile provider's GPRS service to connect to the Internet. I need to keep them from using the GPRS to browse other irrelevant websites so the device can only connect to the company server for email.
I have a solution in mind but I'm not very sure how to implement it. This involves setting up the mobile devices to use the ISA server as their proxy server to access the Internet and setting access rules on the ISA box to allow access to the company email server only and deny all other sites.
Things I'm not sure about are:
How do I correctly set up the mobile device as a web proxy client for the ISA box? It does have an option to set up a proxy server and asks for server address, port, user name, password and domain. What's the default port used? What configuration needs to be done to make this work?
If I create a user account specifically for the purpose of accessing the web proxy service from the mobile devices and use that account when setting up the device as a web proxy client, is that okay? From then on I should be able to configure access rules for that user account to deny access to everything except the company server. Is this OK? Any steps to go about doing this?
I need this set up urgently. Any help will be very much appreciated. Thank you all.
Ummmm... is this a boring topic? Somebody pour some thoughts please.
Let me rephrase the scenario and make it simple.
I need some external clients (not on the local network) to be set up to use my ISA 2004 box as their web proxy, just like my internal network clients.
Once this is set up and external clients can use my ISA 2004 box as their web proxy, from then on it doesn't really matter if it's a PDA device with Internet Explorer Mobile or an Intel box with IE6 or IE7 using ISA for its web proxy. I'm just taking the PDAs out of the picture to make things simpler.
There's an article here on isaserver.org by T. Shinder about setting this up for ISA 2000 but I haven't found any help for 2004.
RE: Access control on Windows Mobile PDA clients - 17.Jan.2007 5:12:37 AM
Hi mohsindabomb, the network setup described by you above is insecure and should not be used. The only solution will be to use VPN. Create a security policy at your company which forces those users with PDAs to use a VPN connection to access the Internet (or what you need). If they are not doing so, sanctions should be applied. Create a trust level with security policies in place to make sure the trust level is working in both ways.
Thanks for your reply. I've considered this option. Let me quote Dr. Tom on this:
"My typical response to this kind of request is to have the external network clients connect to the ISA Server and the internal network via a VPN connection. The Web browser on the VPN client is then configured to use the internal interface of the ISA Server as its Web Proxy after the VPN client connects. This solution works well, but it does expose your internal network to anyone given VPN access. What if you just wanted to allow users to use your Web Proxy without allowing them access to your internal network resources?"
I don't want to give them VPN access either, because then I have to worry about allowing or denying access to local network resources. Not that this is a security issue, but more of a cost issue. Let me explain.
What we're trying to do here is give PDAs to company engineers so they'll be connected to office helpdesk all the time via ActiveSync and a web application (under development) to be hosted on the company server.
Now these engineer guys, once given free Internet access on the PDAs, would love to use it for Hotmail, instant messaging, checking the weather forecast and all sorts of things, which not only defeats the purpose of increasing efficiency by introducing these PDAs but also comes as a major blow, as the company is charged by the mobile operator for their FREE Internet browsing.
Accessing the office network also adds to mobile network traffic. We're looking to keep that to a minimum by allowing access only to the Exchange server for ActiveSync and the web server for access to company's web application. For reference, the PDAs are using Windows Mobile 5.0.
Could you go a bit more in detail about what sanctions you're referring to? I'm happy to apply any solution that works on a technical level and helps what we're trying to achieve. And I really appreciate your help.
RE: Access control on Windows Mobile PDA clients - 17.Jan.2007 9:23:34 AM
As I see it from your description, the connection between the GPRS network and your company goes through the Internet. This means an insecure connection. Also the lack of a simple authentication mechanism for the proxy (for security reasons you cannot use Basic or Windows Integrated: the first one sends the password in clear text and the second one uses NTLM or Kerberos hashes, which are prone to cracking through some types of attacks) will probably mean using it as an anonymous proxy: not a good option.
external network clients connect to the ISA Server and the internal network via a VPN connection. The Web browser on the VPN client is then configured to use the internal interface of the ISA Server as its Web Proxy after the VPN client connects.
It does not have to be like that (you are using ISA 2004 now, not ISA 2000). Your ISA VPN server serves as an end-point for the VPN tunnel. This simply means that if a user connects to the ISA VPN server and you don't specify a rule to allow something for the VPN clients, he will not be able to go anywhere or access anything. Based on the rules defined by you, he will have access to the resources. For example, if you give him access to the mail server, this is the only thing he will be able to access. If you are allowing them Internet access, they don't have to use the proxy server if you do not require so.

For example, if I set my IE 7 to use ISA's internal IP address as proxy and I add a rule to allow HTTP access from VPN clients to External for all authenticated users, I will only be able to access the Internet when I'm connected through VPN (because of the proxy), and this is going to be the only thing I will be able to do when I'm connected like above. You can allow with one rule only HTTP access to, let's say, microsoft.com and with another rule allow access to the mail server. These two locations will be open for them. Also, as said before, because of that proxy setting the web will be unavailable to them before using the VPN to connect to ISA, and if you don't allow that, they will not have any web access. With ISA's VPN you can have granular control very, very easily. The VPN solution looks quite simple because of ISA's design and in my opinion it suits your needs very nicely.

The sanctions I'm referring to are part of your overall security design. Securing a company's network isn't all about putting a firewall in front of its internal network. You will have to enforce strong security policies that must be respected by users. Here comes into action a level of trust between the company and the people that are working for it. In your case, for example, you are expecting them to use the PDA only for the activity needed.
So you are going to create such a policy in which you will state very clearly what they are allowed to use, for example, the Internet connection for. In case they are not doing so, based on their actions you can cut part of their monthly revenue or take more drastic measures like firing them if they did something really bad (all these will be part of that policy). Doing so you will make the trust work in both ways. Also the level of trust is important for other reasons: giving them a mobile device through which they will have access to important data (like e-mail), one thing they can do is give that device to another person, or lose it, or it is possible that someone will steal it. So before any security policies, your company will have to make good decisions about the people that are hired to work as engineers (in your case), because a certain level of trust is expected to exist from the beginning.
< Message edited by adrian_dimcev -- 17.Jan.2007 10:53:12 AM >
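The first-match rule behaviour Adrian describes above (a VPN client can reach nothing until a rule allows it, and the rules themselves scope which destinations and protocols are allowed), modelled as an added example. This is not code from the thread or from ISA Server; it is a simplified simulation of ISA 2004's ordered access rules with the built-in default deny at the bottom. The host names mail.example.internal and helpdesk.example.internal, the "VPN Clients" network name and the account engineer1 are assumptions; real ISA rules also carry port numbers, schedules and content types, which this model omits.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Set, Tuple

ANY = "*"                                   # matches every value (ISA's "All Users"/"All Networks")
AUTHENTICATED = "All Authenticated Users"   # ISA's built-in user set: any non-anonymous account
ANONYMOUS = "anonymous"                     # request carried no credentials


@dataclass
class Request:
    user: str        # account name, or ANONYMOUS if the client did not authenticate
    network: str     # ISA network the request arrives from, e.g. "VPN Clients", "External"
    dest_host: str   # destination host name
    protocol: str    # ISA protocol definition name, e.g. "HTTP", "HTTPS"


@dataclass
class Rule:
    name: str
    action: str                                                     # "allow" or "deny"
    networks: Set[str] = field(default_factory=lambda: {ANY})
    destinations: Set[str] = field(default_factory=lambda: {ANY})   # fnmatch patterns
    protocols: Set[str] = field(default_factory=lambda: {ANY})
    users: Set[str] = field(default_factory=lambda: {ANY})

    def matches(self, req: Request) -> bool:
        return (_member(self.networks, req.network)
                and _member(self.protocols, req.protocol)
                and self._user_matches(req.user)
                and any(fnmatch(req.dest_host, pat) for pat in self.destinations))

    def _user_matches(self, user: str) -> bool:
        if ANY in self.users:
            return True
        if AUTHENTICATED in self.users and user != ANONYMOUS:
            return True
        return user in self.users


def _member(allowed: Set[str], value: str) -> bool:
    return ANY in allowed or value in allowed


DEFAULT_RULE = Rule("Default rule", "deny")   # ISA's last, non-editable rule: deny everything


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Walk the ordered rule list; the first rule that matches decides.
    Anything no rule matches falls through to the default deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return DEFAULT_RULE.action, DEFAULT_RULE.name


def pda_policy() -> List[Rule]:
    """Hypothetical rule set for the thread's scenario: authenticated VPN clients may
    reach only the Exchange server (ActiveSync over HTTPS) and the helpdesk web app.
    There is deliberately no general 'allow web from VPN Clients' rule."""
    return [
        Rule("Allow ActiveSync from VPN Clients", "allow",
             networks={"VPN Clients"}, destinations={"mail.example.internal"},
             protocols={"HTTPS"}, users={AUTHENTICATED}),
        Rule("Allow helpdesk app from VPN Clients", "allow",
             networks={"VPN Clients"}, destinations={"helpdesk.example.internal"},
             protocols={"HTTP", "HTTPS"}, users={AUTHENTICATED}),
    ]


def misordered_policy() -> List[Rule]:
    """The same allows with a broad deny placed above them: first match wins, so the
    allows never fire. This is the ordering mistake to check for in the ISA console."""
    deny_all_web = Rule("Deny all web from VPN Clients", "deny",
                        networks={"VPN Clients"}, protocols={"HTTP", "HTTPS"})
    return [deny_all_web] + pda_policy()


if __name__ == "__main__":
    samples = [
        Request("engineer1", "VPN Clients", "mail.example.internal", "HTTPS"),
        Request("engineer1", "VPN Clients", "helpdesk.example.internal", "HTTP"),
        Request("engineer1", "VPN Clients", "www.hotmail.com", "HTTP"),
        Request(ANONYMOUS, "VPN Clients", "mail.example.internal", "HTTPS"),
        Request("engineer1", "External", "mail.example.internal", "HTTPS"),
    ]
    for req in samples:
        print(f"{req.user:>10} {req.network:<12} {req.dest_host:<28} {req.protocol:<6}",
              *evaluate(pda_policy(), req))
```

The two points worth carrying back to the real console: the allow rules must be scoped to the "VPN Clients" source network and to "All Authenticated Users", not "All Users", or an unauthenticated session matches; and rule order is evaluated top to bottom, so a broad deny above the allows silently switches the engineers off.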
Thanks for your reply in detail and all the suggestions. I am going the VPN route.
I have it working at the moment for PPTP clients; however, I'm having a bit of trouble with L2TP/IPSec, which I want to use.
The trouble area is passing VPN traffic through a NAT device which is sitting in front of the server, whereas the server sits behind it on a private IP. I've managed to pass PPTP through it, but L2TP won't get through. Apparently it's an IPSec NAT Traversal issue. I'm looking up information on it and sorting it out. Could you point me in the right direction if you know about this or if you've set up L2TP/IPSec behind a NAT device before?
Or anyone else who knows and is willing to help is welcome. I'd really appreciate that. Thanks again for your help Adrian.
Also if anybody has been in the situation of having to apply group policy or other security permissions to Windows Mobile devices, they could be very helpful. I need to apply such policies and need to force users to use the VPN and also not be able to change certain other settings. Any ideas anyone?
Business LAN is a secure solution from end to end. Data is routed between your LAN and Orange's 3G or GPRS network over a dedicated leased line connection. So you have fixed, guaranteed bandwidth for your data, and dedicated privacy and security. And with full access control, only authorised users and devices can connect to your network. Since it does not require a VPN client to be installed on the user device, it is easy to connect 3G/GPRS handheld devices as well as data cards such as our 3G/GPRS Business Everywhere data card.
< Message edited by adrian_dimcev -- 21.Jan.2007 9:39:36 AM >
Thanks so much for the reply. I've been working on this like anything. Due to the urgency of the issue, I've settled with PPTP so far and have rolled out 20 PDAs. We're using this first batch for testing and fixing any bumps in the road so then we can roll out all the rest.
I've had one problem so far. The PDA devices keep dropping the connection. Sometimes only the VPN is lost. Sometimes VPN as well as GPRS/3G is lost.
Vodafone support said their network purges the VPN tunnel after a period of time with no traffic going through. However, the longest VPN session I've had from one device is over 18 hours.
The users have to reconnect the VPN every time it disconnects. It's a huge nuisance. Adrian... anyone else... any ideas on how to make the VPN connection persistent (or even third-party software to reconnect it automatically... a compromise as it is, but happily acceptable for now)?
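An added example, not from the thread, of the keepalive-plus-reconnect watchdog asked for above: probe the tunnel more often than the operator's idle purge so it never looks idle, and when the probe fails, drop the session and redial with exponential backoff so a dead GPRS session does not become a tight dial loop. The probe, connect and disconnect callbacks are injected so the loop can be driven offline here with scripted outcomes; the rasdial and ping wrappers at the bottom are an assumption about how a Windows desktop client would plug in (Windows Mobile 5.0 has no such shell), and the 300-second idle timeout is a made-up figure, not Vodafone's.

```python
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class WatchdogStats:
    probes: int = 0
    keepalives_ok: int = 0
    reconnects: int = 0
    failed_dials: int = 0
    log: List[str] = field(default_factory=list)


class VpnWatchdog:
    """Keep a dial-up style VPN alive and bring it back when it drops.

    A probe through the tunnel is sent more often than the operator's idle purge,
    and a failed probe triggers a redial with exponential backoff."""

    def __init__(self, probe: Callable[[], bool], connect: Callable[[], bool],
                 disconnect: Callable[[], None], keepalive_interval: float,
                 idle_timeout: float, max_dial_attempts: int = 5,
                 max_backoff: float = 300.0,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        # A keepalive slower than the idle purge cannot do its job; refuse it outright.
        if keepalive_interval >= idle_timeout:
            raise ValueError("keepalive_interval must be shorter than the operator idle timeout")
        self.probe, self.connect, self.disconnect = probe, connect, disconnect
        self.interval = keepalive_interval
        self.max_dial_attempts = max_dial_attempts
        self.max_backoff = max_backoff
        self.sleep = sleep
        self.stats = WatchdogStats()

    def _redial(self) -> bool:
        """Drop the dead session and redial, doubling the wait after each failure."""
        self.disconnect()
        backoff = 5.0
        for _ in range(self.max_dial_attempts):
            if self.connect():
                self.stats.reconnects += 1
                self.stats.log.append("reconnected")
                return True
            self.stats.failed_dials += 1
            self.stats.log.append(f"dial failed, retry in {backoff:.0f}s")
            self.sleep(backoff)
            backoff = min(backoff * 2, self.max_backoff)
        self.stats.log.append("gave up; will retry at next probe")
        return False

    def step(self) -> None:
        """One keepalive cycle: probe the tunnel, redial if the probe fails."""
        self.stats.probes += 1
        if self.probe():
            self.stats.keepalives_ok += 1
        else:
            self.stats.log.append("probe failed")
            self._redial()

    def run(self, iterations: int) -> WatchdogStats:
        for _ in range(iterations):
            self.step()
            self.sleep(self.interval)
        return self.stats


def simulate(probe_results: List[bool], dial_results: List[bool]) -> WatchdogStats:
    """Drive the watchdog offline against scripted outcomes (constructed input, no network).
    The 300 s idle timeout is a made-up figure, not the operator's real value."""
    probes, dials = iter(probe_results), iter(dial_results)
    wd = VpnWatchdog(probe=lambda: next(probes),
                     connect=lambda: next(dials, True),
                     disconnect=lambda: None,
                     keepalive_interval=60, idle_timeout=300,
                     sleep=lambda _s: None)          # no real waiting in the simulation
    return wd.run(len(probe_results))


# Assumed Windows desktop hookups (not exercised here): rasdial dials or drops a
# phonebook entry, and a ping to an internal host serves as the keepalive probe.
def rasdial_connect(entry: str) -> bool:
    return subprocess.run(["rasdial", entry]).returncode == 0


def rasdial_disconnect(entry: str) -> None:
    subprocess.run(["rasdial", entry, "/disconnect"])


def ping_probe(host: str) -> bool:
    return subprocess.run(["ping", "-n", "1", "-w", "2000", host],
                          stdout=subprocess.DEVNULL).returncode == 0


if __name__ == "__main__":
    print(simulate([True, True, False, True, False, True], [False, True, True]))
```

The probe is deliberately a small packet to an internal host rather than to the Internet, so that the keepalive itself stays inside the tunnel and is covered by the same ISA rules as the ActiveSync traffic; the interval should be set from the operator's actual idle purge once support confirms it.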
RE: Access control on Windows Mobile PDA clients - 26.Jan.2007 3:26:57 AM
Hi Mo, since you are having such a high number of PDA users (according to the number of PDA devices, 50-75), I still don't see why you are not switching to a dedicated line between the GPRS network and your company LAN. Regards, Adrian.