I put this process together for securing ActiveSync traffic to IIS when using a MobileIron Sentry. When managing mobile devices it is important not to leave “back doors” in your configuration. If ActiveSync traffic is allowed from anywhere, an end-user could easily configure the connection directly to the Exchange CAS on the mobile device bypassing the Sentry security appliance. To prevent this, but still allow OWA(Outlook Web Access) communication, the following should be applied to all CAS servers in the environment.
This process can be applied generically for many different applications, Securing ActiveSync communication to run through a MobileIron Sentry is only an example. This process is leveraged to block traffic from an Exchange CAS for ActiveSync traffic only while still allowing Outlook Web Access traffic. If all traffic on port 443 is unnecessary, using a simple rule on the firewall would be a better way to accomplish this.
To begin, open the IIS Management MMC from the start menu This may be found on the recent applications list, or it is also under “Administrative Tools”.
Once the Management Console is open, drill down the tree on the left side of the console by expanding the ”[servername]”, then “Sites”, then “Default Web Site”. Locate the “Microsoft-Server-ActiveSync” virtual directory and highlight it.
On the middle pane, under IIS, locate the listing / icon for “IP Address and Domain Restrictions”. This is the option used to set ACLs based on IP address or domain name.
Double clicking the icon will open the settings pane. On the “Actions” pane on the right side of the console, select the link titled “Add Allow Entry….”.
This will open a dialog box that will allow the input of the IP address or range of addresses that should be allowed. Enter the Sentry address(es) to the window and click “OK”.
This hasn’t really changed anything yet as traffic is allowed from everywhere currently. However the next step is to prevent the traffic from everywhere else. By default traffic is allowed from everywhere. To change this, click the link “Edit Feature Settings….” In the right pane.
Again, a dialog window will open. Changing the “Access for unspecified clients:” drop down to “Deny” will prevent any access to this virtual site except what is listed in the middle pane, in our case the sentry server(s). Click OK on the dialog window.
The final step is to perform a restart of the IIS server. This can be done by opening a command prompt and issuing the command “iisreset”. To open a command prompt, click start then select “Run …” from the list. When the “Run …” dialog window appears, type “cmd” in the box and press “Enter”. You will see a “DOS” like window. Type “iisreset” and press “Enter”.
Once the services have restarted, the ActiveSync server will not be accessible from any location other than the specified IP addresses.
Download these instructions in PDF format.