iPad in Business
Deployment Scenarios and Device Configuration Overview
April 2010
Learn how iPad integrates seamlessly into enterprise environments with these deployment scenarios and the device configuration overview.
• Microsoft Exchange
• IMAP, CalDAV, and LDAP
• Virtual Private Network (VPN)
• WPA2 Enterprise/802.1X
• Digital Certificates
• Device Configuration Overview
• Over-the-Air Enrollment and Configuration
Microsoft Exchange
iPad communicates directly with Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS), enabling push email, calendar, and contacts. Exchange ActiveSync also provides users with access to the Global Address Lookup (GAL) and administrators with passcode policy enforcement and remote wipe capabilities. iPad supports both basic and certificate-based authentication for Exchange ActiveSync. If your company currently enables Exchange ActiveSync, you have the necessary services in place to support iPad—no additional configuration is required. If you have Exchange Server 2003 or 2007 but your company is new to Exchange ActiveSync, review the following steps.
Exchange ActiveSync Setup
Network configuration overview
• Check to ensure port 443 is open on the firewall. If your company allows Outlook Web Access, port 443 is most likely already open.
• On the front-end server, verify that a server certificate is installed and enable SSL for the Exchange ActiveSync virtual directory in IIS.
• If you're using Microsoft Internet Security and Acceleration (ISA) Server, verify that a server certificate is installed and update the public DNS to resolve incoming connections.
• Make sure the DNS for your network returns a single, externally routable address to the Exchange ActiveSync server for both intranet and Internet clients. This is required so the device can use the same IP address for communicating with the server when both types of connections are active.
• If you're using Microsoft ISA Server, create a web listener as well as an Exchange web client access publishing rule. See Microsoft documentation for details.
• For all firewalls and network appliances, set the Idle Session Timeout to 30 minutes. For information about heartbeat and timeout intervals, refer to the Microsoft Exchange documentation at http://technet.microsoft.com/en-us/library/cc182270.aspx.
• Configure mobile features, policies, and device security settings using the Exchange System Manager. For Exchange Server 2007, this is done in the Exchange Management Console.
• Download and install the Exchange ActiveSync Mobile Administration Web tool, which is necessary to initiate a remote wipe. For Exchange Server 2007, remote wipe can also be initiated using Outlook Web Access or the Exchange Management Console.
Exchange ActiveSync security policies
• Remote wipe
• Enforce password on device
• Minimum password length
• Maximum failed password attempts (before local wipe)
• Require both numbers and letters
• Inactivity time in minutes (1 to 60 minutes)
Additional Exchange ActiveSync policies (for Exchange Server 2007 only)
• Allow or prohibit simple password
• Password expiration
• Password history
• Policy refresh interval
• Minimum number of complex characters in password
• Require manual syncing while roaming
Basic authentication (user name and password)
• Enable Exchange ActiveSync for specific users or groups using the Active Directory service. These are enabled by default for all mobile devices at the organizational level in Exchange Server 2003 and 2007. For Exchange Server 2007, see Recipient Configuration in the Exchange Management Console.
• By default, Exchange ActiveSync is configured for basic user authentication. It's recommended that you enable SSL for basic authentication to ensure credentials are encrypted during authentication.
Certificate-based authentication
• Install enterprise certificate services on a member server or domain controller in your domain (this will be your certificate authority server). For more information on certificate services, refer to resources available from Microsoft.
• Configure IIS on your Exchange front-end server or Client Access server to accept certificate-based authentication for the Exchange ActiveSync virtual directory.
• To allow or require certificates for all users, turn off "Basic authentication" and select either "Accept client certificates" or "Require client certificates."
• Generate client certificates using your certificate authority server. Export the public key and configure IIS to use this key. Export the private key and use the iPhone Configuration Utility or over-the-air enrollment and configuration to deliver this key to iPad.
Other Exchange ActiveSync services
• Mail search on Exchange Server 2007
• Accept and create calendar invitations
• Global Address List lookup
• Certificate-based authentication
• Email push to selected folders
• Autodiscovery
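As an added example (not from this document, Apple, or Microsoft), the Exchange Server 2007 Management Shell commands that map the policy items listed in the Exchange ActiveSync Setup section onto one mailbox policy, assign it to a mailbox, and initiate a remote wipe; the policy name "iPad-Standard", the mailbox alias "jappleseed", and every value are constructed placeholders.

```powershell
# Added example: Exchange Server 2007 SP1 Management Shell. The policy name,
# mailbox alias and all values below are constructed placeholders, not
# recommendations from Apple's document.

$policy = @{
    Name                                = "iPad-Standard"
    DevicePasswordEnabled               = $true         # Enforce password on device
    MinDevicePasswordLength             = 6             # Minimum password length
    MaxDevicePasswordFailedAttempts     = 10            # Failed attempts before local wipe
    AlphanumericDevicePasswordRequired  = $true         # Require both numbers and letters
    MaxInactivityTimeDeviceLock         = "00:15:00"    # Inactivity time (1 to 60 minutes)
    # The remaining items are the Exchange Server 2007-only policies.
    AllowSimpleDevicePassword           = $false        # Prohibit simple password
    DevicePasswordExpiration            = "90.00:00:00" # Password expiration (90 days)
    DevicePasswordHistory               = 5             # Password history
    DevicePolicyRefreshInterval         = "1.00:00:00"  # Policy refresh interval (daily)
    MinDevicePasswordComplexCharacters  = 1             # Minimum complex characters
    RequireManualSyncWhenRoaming        = $true         # Manual syncing while roaming
}

# Create the policy, then assign it to one mailbox. The device receives the
# policy at its next sync and must acknowledge it before syncing continues.
New-ActiveSyncMailboxPolicy @policy
Set-CASMailbox -Identity "jappleseed" -ActiveSyncMailboxPolicy $policy.Name

# Verify the assignment before rolling the policy out to further users.
Get-CASMailbox -Identity "jappleseed" |
    Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Remote wipe from the shell (the 2007 alternative to the Mobile Administration
# Web tool): list the mailbox's partnered devices, then wipe the lost one by its
# Identity. The wipe is destructive, so leave the confirmation prompt enabled.
Get-ActiveSyncDeviceStatistics -Mailbox "jappleseed" |
    Format-Table DeviceId, DeviceType, LastSuccessSync, Identity -AutoSize
# Clear-ActiveSyncDevice -Identity "<Identity value from the listing above>"
```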
Exchange ActiveSync Deployment Scenario
This example shows how iPad connects to a typical Microsoft Exchange Server 2003 or 2007 deployment.
Diagram labels: iPad, iPhone Configuration Utility, Private Key (Certificate), Public Key (Certificate), Certificate Server, Active Directory, Firewall, Internet, Microsoft ISA Server, Exchange Front-End or Client Access Server, Exchange Mailbox or Back-End Server(s), Bridgehead or Hub Transport Server, Mail Gateway or Edge Transport Server*, port 443; steps 1 to 6 are described below.
*Depending on your network configuration, the mail gateway or Edge Transport server may reside within the perimeter network (DMZ).
1 iPad requests access to Exchange ActiveSync services over port 443 (HTTPS). (This is the same port used for Outlook Web Access and other secure web services, so in many deployments this port is already open and configured to allow SSL-encrypted HTTPS traffic.)
2 ISA provides access to the Exchange front-end or Client Access server. ISA is configured as a proxy, or in many cases a reverse proxy, to route traffic to Exchange Server.
3 Exchange Server authenticates the incoming user via the Active Directory service and the certificate authority server (if using certificate-based authentication).
4 If the user provides the proper credentials and has access to Exchange ActiveSync services, the front-end server establishes a connection to the appropriate mailbox on the back-end server (via the Active Directory Global Catalog).
5 The Exchange ActiveSync connection is established. Updates and changes are pushed to iPad over the air, and any changes made on iPad are reflected on Exchange Server.
6 Sent mail items on iPad are also synchronized with Exchange Server via Exchange ActiveSync (step 5). To route outbound email to external recipients, mail is typically sent through a bridgehead (or Hub Transport) server to an external Mail Gateway (or Edge Transport Server) via SMTP. Depending on your network configuration, the external mail gateway or Edge Transport server could reside within the perimeter network or outside the firewall.
IMAP, CalDAV, and LDAP
With support for the IMAP mail protocol, CalDAV calendaring, and LDAP directory services, iPad can integrate with just about any standards-based mail, calendar, and contacts environment. If your network environment is configured to require user authentication and SSL, iPad provides a highly secure approach to accessing corporate email, calendars, and contacts.
In a typical deployment, iPad establishes direct access to IMAP and SMTP mail servers to receive and send email over the air. Synchronization with your CalDAV server allows iPad users to wirelessly receive updates to their calendars. And iPad can connect to your company's LDAPv3 corporate directories, giving users access to corporate contacts in the Mail and Contacts applications. All network servers can be located within a DMZ subnetwork, behind a corporate firewall, or both. With SSL, iPad supports 128-bit encryption and X.509 root certificates issued by the major certificate authorities.
Network Setup
The IT or network administrator will need to complete these key steps to enable direct access from iPad to IMAP, CalDAV, and LDAP services:
• Open the following ports on the firewall: 993 for IMAP mail, 587 for SMTP mail, 636 for LDAP directory services, and 8443 for CalDAV calendaring. These are the standard ports for communications over SSL, which ensures that calls made to your servers are securely encrypted during wireless transmission. It's also recommended that communication between your proxy server and your back-end IMAP, CalDAV, and LDAP servers be set to use SSL and that digital certificates on your network servers be signed by a trusted certificate authority (CA) such as VeriSign. This is an important step to ensure that iPad recognizes your proxy server as a trusted entity within your corporate infrastructure.
• For outbound SMTP email, port 587, 465, or 25 must be opened to allow email to be sent from iPad. iPad automatically checks for port 587, then 465, and then 25. Port 587 is the most reliable, secure port because it requires user authentication. Port 25 does not require authentication, and some ISPs block this port by default to prevent spam.
Recommended ports
• IMAP/SSL: 993
• SMTP/SSL: 587
• LDAP/SSL: 636
• CalDAV/SSL: 8443
IMAP or POP-enabled mail solutions
iPad supports industry-standard IMAP4- and POP3-enabled mail servers on a range of server platforms, including Windows, UNIX, Linux, and Mac OS X. Additional information regarding the IMAP4rev1 standard can be found at www.imap.org.
CalDAV calendar standard
iPad supports the CalDAV calendaring protocol. The CalDAV protocol has been standardized by the IETF. More information can be found through the CalConnect consortium at http://caldav.calconnect.org.
Deployment Scenario
This example shows how iPad connects to a typical IMAP, CalDAV, and LDAP deployment.
Diagram labels: iPad, Internet, Firewall, Reverse Proxy Server, Firewall, LDAP Directory Server (636 LDAP), CalDAV Server (8443 CalDAV), Mail Server (993 IMAP, 587 SMTP); steps 1 to 5 are described below.
1 iPad requests access to network services over the designated ports.
2 Depending on the service, iPad users must authenticate either with the reverse proxy or directly with the server to obtain access to corporate data. In all cases, connections are relayed by the reverse proxy, which functions as a secure gateway, typically behind the company's Internet firewall. Once authenticated, users can access their corporate data on the back-end servers.
3 iPad provides lookup services on LDAP directories, giving users the ability to search for contacts and other address book information on the LDAP server.
4 For CalDAV calendars, users can access and update calendars on iPad.
5 For IMAP mail services, existing and new messages can be read on iPad through the proxy connection with the mail server. Outgoing mail on iPad is sent to the SMTP server, with copies placed in the user's Sent folder.
Virtual Private Network (VPN)
Secure access to private corporate networks is available on iPad using established industry-standard VPN protocols. iPad supports Cisco IPSec, L2TP over IPSec, and PPTP. If your organization supports one of these protocols, no additional network configuration or third-party applications are required to connect iPad to your VPN.
Cisco IPSec deployments can take advantage of certificate-based authentication via industry-standard X.509 digital certificates. With certificate-based authentication, iPad supports VPN On Demand. VPN On Demand can establish a connection automatically when accessing predefined domains, providing a seamless VPN connectivity experience for iPad users.
For two-factor token-based authentication, iPad supports RSA SecurID as well as CRYPTOCard. Users enter a PIN and a token-generated, one-time password directly on iPad when establishing a VPN connection.
iPad supports shared secret authentication for Cisco IPSec and L2TP/IPSec deployments. And for basic user name and password authentication, iPad supports MS-CHAPv2.
VPN Proxy Auto-Configuration (PAC) is also supported, which allows you to specify proxy server settings for accessing specific URLs.
VPN Setup
• iPad integrates with most existing VPN networks, so minimal configuration should be necessary to enable iPad access to your network. The best way to prepare for deployment is to determine whether iPad supports your company's existing VPN protocols and authentication methods.
• It's a good idea to review the authentication path to your authentication server to make sure standards supported by iPad are enabled within your implementation.
• If you plan to use certificate-based authentication, ensure you have your public key infrastructure (PKI) configured to support device- and user-based certificates with the corresponding key distribution process. For additional documentation regarding digital certificates for IPSec VPNs, visit: https://cisco.hosted.jivesoftware.com/docs/DOC-3592.
• If you want to configure URL-specific proxy settings, place a PAC file on a web server that's accessible with the basic VPN settings and ensure that it's hosted with the application/x-ns-proxy-autoconfig MIME type.
• Check with your solution providers to confirm that your software and equipment are up to date with the latest security patches and firmware.
VPN protocols
• Cisco IPSec
• L2TP/IPSec
• PPTP
Authentication methods
• Password (MS-CHAPv2)
• RSA SecurID
• CRYPTOCard
• X.509 digital certificates
• Shared secret
VPN Deployment Scenario
The example depicts a typical deployment with a VPN server/concentrator as well as an authentication server controlling access to enterprise network services.
Diagram labels: iPad, Public Internet, Firewall, VPN Server/Concentrator, Firewall, Authentication Server (VPN Authentication), Directory Service, Certificate or Token, Token Generation or Certificate Distribution, Certificate, Token, or Password, Proxy Server, Private Network; steps 1, 2, 3a, 3b, 4, and 5 are described below.
1 iPad requests access to network services (typically over a PPP connection).
2 The VPN server/concentrator receives the request and then passes it to the authentication server.
3a In a two-factor token environment, the authentication server would then manage a time-synchronized token key generation with the key server. If a certificate authentication method is deployed, an identity certificate needs to be distributed to iPad prior to authentication. If a password method is deployed, the authentication process proceeds with user validation.
3b Once a user is authenticated, the authentication server validates user and group policies.
4 After user and group policies are validated, the VPN server provides tunneled and encrypted access to network services (typically via IPSec).
5 If a proxy server is in use, iPad connects through the proxy server for access to information outside the firewall.
WPA2 Enterprise/802.1X
iPad supports WPA2 Enterprise, ensuring corporate wireless networks are accessed securely. WPA2 Enterprise uses 128-bit AES encryption, a proven, block-based encryption method, providing users with the highest level of assurance that their data will remain protected.
With support for 802.1X, iPad can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported on iPad include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, PEAPv1, and LEAP.
For quick setup and deployment, wireless network, security, and authentication settings can be configured using configuration profiles. For more information, see the "Device Configuration Overview" section of this document.
WPA2 Enterprise Setup
• Verify network appliances for compatibility and select an authentication type (EAP type) supported by iPad.
• Check to ensure that 802.1X is enabled on the authentication server and, if necessary, install a server certificate and assign network access permissions to users and groups.
• Configure wireless access points for 802.1X authentication and enter the corresponding RADIUS server information.
• Test your 802.1X deployment with a Mac or a PC to ensure RADIUS authentication is properly configured.
• If you plan to use certificate-based authentication, ensure that you have your public key infrastructure (PKI) configured to support device- and user-based certificates with the corresponding key distribution process.
• Verify certificate format and authentication server compatibility. iPad supports PKCS#1 (.cer, .crt, .der) and PKCS#12.
• Check with your solution providers to confirm that your software and equipment are up to date with the latest security patches and firmware.
• For additional documentation regarding wireless networking standards and Wi-Fi Protected Access (WPA), visit www.wi-fi.org.
Wireless security protocols
• WEP
• WPA Personal
• WPA Enterprise
• WPA2 Personal
• WPA2 Enterprise
802.1X authentication methods
• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-SIM
• PEAPv0 (EAP-MS-CHAPv2)
• PEAPv1 (EAP-GTC)
• LEAP
WPA2 Enterprise/802.1X Deployment Scenario
This example depicts a typical secure wireless deployment that takes advantage of RADIUS-based authentication.
Diagram labels: iPad, Wireless Access Point with 802.1X Support, Certificate or Password Based on EAP Type, Firewall, Authentication Server with 802.1X Support (RADIUS), Directory Service, Network Services; steps 1 to 4 are described below.
1 iPad requests access to network services. By selecting a wireless network or configuring access to a specific SSID, iPad initiates the connection.
2 After the request is received by the access point, the request is passed to the RADIUS server for authentication.
3 The RADIUS server validates the user account utilizing the directory service.
4 Once the user is authenticated, the access point provides network access with policies and permissions as instructed by the RADIUS server.