active sync, ISA 2004 & exchange 2003 sp2
active sync, ISA 2004 & exchange 2003 sp2 - 19.Mar.2008 1:45:15 PM
Jay1025
Posts: 20
Joined: 11.Sep.2007
Status: offline

Has anyone successfully implemented SecurID, ISA 2004 and Exchange 2003 SP2? The above is currently working now, minus RSA SecurID, but management wants to enforce 2 factor. Once done, the user experience stinks because...

"Let me briefly elaborate on that. The key point is that if you have SecurID enabled when the device issues a request to the server it will be challenged to enter the SecurID. From the user perspective this is a familiar form where you can just type in the SecurID, click OK and the device can sync. This is a somewhat ok experience if you manually sync every once in a while. But, if you have DirectPush you are pretty much challenged to enter the SecurID token every time you get an email...you get the point: it really becomes extremely annoying for users."

There is an RSA authentication agent that is direct push friendly....but it's a separate agent and designed to be used on top of IIS..and it is not bundled into ISA.

All ideas are appreciated,
Jay

RE: active sync, ISA 2004 & exchange 2003 sp2 - 20.Mar.2008 6:23:15 AM
Jason Jones
Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

Unfortunately, I think this is a security vs. functionality decision and how the current technology works. Have you considered looking at an alternate solution, maybe using certificates instead of tokens - this may be a better compromise for users and still eliminates some of the risks of single factor authentication.

Playing devil's advocate, is SecurID really required for ActiveSync? If so, I assume your phones/PDAs are also running other security elements like encryption of PIM data and storage cards to protect the data once it reaches the mobile device?

I very much agree that SecurID is a good option for some services, but I often recommend that customers use it where it is most needed and where there is most risk. Not sure that ActiveSync would be high on my list, but I guess it depends on the importance of your email data.

Cheers
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: active sync, ISA 2004 & exchange 2003 sp2 - 20.Mar.2008 8:47:50 AM
Jay1025
Posts: 20
Joined: 11.Sep.2007
Status: offline

RSA has an agent that addresses these problems and allows control of the timeout via registry keys..the problem is this version of the ACE agent isn't bundled into ISA 2004 or the latest version of ISA.

Agreed this may not be the spot for SecurID...asking users to now carry a hard fob lessens the user experience. Soft fobs & seed files on the mobile device raise other issues..allowing savvy users to move them etc.

My boss wants SecurID..not me..I think if I got it to work feedback wouldn't be positive because the users would have to carry 2 devices.

On the other hand, we do use AD group membership to limit who can come in via a mobile device. I have questions in to our Exchange team asking do we use secure lock out & secure wipe. Encryption is also an open question.

Thanks for the response,
Jay