iPhone + RSA keychains?

Question

Level 1

8 points

iPhone + RSA keychains?

I've got a question for all of you network admins who have had some face time with the 3G.

I'm looking into the 3G for my company, but we use RSA SecurID tokens for both our VPN and Exchange mail. We currently use ActiveSync on moto Qs and Treos with no problem. The way I've got it set up, there's basically an RSA page that sits in front of the OWA site. So on a windows mobile device you're basically prompted with an RSA page every 24 hours or so (when the cert is set to expire), which you just enter your credentials, and then activesync works like usual.

I know that the iPhone's VPN software has specific accomodations for RSA tokens, but what about for Exchange mail? Maybe I just have a wrong idea in my head of what the VPN on the iPhone is really there for? Maybe if i just configure the VPN on the iPhone with RSA, it'll just fire up a VPN connection when necessary to get in to activesync?

Any advice you can give on how this will actually work would be just awesome.

IT network admin

Posted on Jul 17, 2008 3:48 AM

Reply

Answer 1

Jul 17, 2008 4:47 AM in response to B. Crismon

We use RSA here in a major corporate. With no changes - where one normally uses Cisco VPN to get Exchange. So, with the iphone, I just set up the group password and left the user password blank and the VPN then accepts my secret plus the RSA gernerated key - presto VPN is in.

Reply

Answer 2

B. Crismon Author

Level 1

8 points

Jul 17, 2008 5:00 AM in response to Kevin Brown2

Hey Kevin

So do you have to manually fire up the VPN each time you want to sync, or does it just do it automatically? Or do you just leave the VPN app running all the time?

Also, is your OWA site out in the open, or is it behind your VPN & RSA device?

Reply

Answer 3

Jul 17, 2008 6:42 AM in response to B. Crismon

Hi

Behind VPN and RSA, even with Web Access VPN required.

You have to stay connected, no auto start of VPN, and at the moment something is broken relative to proxies and Web access. I can use Outlook but ip access to nothing else.

Also over WiFi, push does not seem to work, it seems to have a 10 minutes delivery cycle, so send a mail NOW and it does not go out to the exchange server for at least 10 minutes. Same for delivery.

VERY VERY annoying. When VPN is opened it checks then for incoming, but might not deliver at that point. I did extensive testing ping ponging mails in and out and it is minimum 10 minute lag.

Reply

Answer 4

B. Crismon Author

Level 1

8 points

Jul 17, 2008 6:55 AM in response to Kevin Brown2

Gotcha.

We have an exchange frontend server that sits outside out firewall, so VPN is not required to hit the OWA site (that activesync uses). There is, however, an RSA login page that gets thrown in front of the OWA login when you get to the site. On our existing windows mobile devices, they just get that RSA login webpage every once in a while, but the creds get cached on the device for 24 hours.

I'm guessing we won't be able to go that route with the iPhone...

Reply

Answer 5

dman101

Level 1

0 points

Aug 13, 2008 9:25 PM in response to B. Crismon

Hi B,

I have a very similar situation, We are currently looking at setting up Iphones to use 'Exchange push Mail' We dont allow VPN access, but do allow access via Citrix/Nfuse OR OWA with an RSA login page infront. so how will this work?

Im assuming when the iphone is setup to connect to email.company.com it will try to pass on the exchange credentials but will never get through because of the RSA page infront of it,

can anyone shed some light on this??

Reply

Answer 6

Josephtd

Level 1

4 points

Aug 15, 2008 12:40 PM in response to dman101

Yes, I can. It wont work. I have been struggling with this for a couple weeks on an off. The Activesync implementation is a waste of time. Unless you have single factor authentication and a plain vanilla deployment - there is no hope.

Reply