How to Configure S/MIME for WorxMail

This article describes how to configure S/MIME (Secure/Multipurpose Internet Mail Extensions) for WorxMail on Windows Phone 8.1.

Note: This feature works with WorxMail 10.0.7 for Windows Phone 8.1 and later versions. The same configuration can be done for XenMobile 9 deployments.

For this article, the following Citrix and Microsoft components were used:
XenMobile Server 10
NetScaler 10.5 build 55.8
WorxMail 10.0.7 for Windows Phone 8.1
Microsoft Windows Server 2008 R2 with Microsoft Certificate Services acting as Root Certificate Authority (CA)
Microsoft Exchange Server 2010 SP3

To generate the user certificates for signing and encryption, manual enrollment is used through the Web enrollment site (for example, https://ad.domain.com/certsrv/) on Microsoft Certificate Services. An alternative for IT administrators is to configure autoenrollment through Group Policy for the group of users that will use this feature. For more information, refer to the Microsoft TechNet article "Configure User Certificate Autoenrollment". For more information about S/MIME, see the Microsoft TechNet article "Understanding S/MIME". A companion Citrix article covers the configuration of S/MIME for iOS devices.

Table of Contents
Prerequisites
Create New Certificate Templates
Request User Certificates
Validate Published Certificates
Exporting the User Certificates
Send Certificates through Email
Enabling S/MIME on WorxMail
Testing
Troubleshooting FAQ

Prerequisites

Refer to the article CTX200463 - How to Integrate XenMobile MDM with Microsoft Certificate Services and follow the steps to configure the Microsoft Certificate Services role on the Windows Server and to test certificate-based authentication (PKI) against the Windows Server acting as Root Certificate Authority.

Note: We will create two new certificate templates, one for signing and one for encryption.

Ensure that the Web enrollment site used to request user certificates (for example, https://ad.domain.com/certsrv/) is secured with HTTPS using a server certificate (private or public). Note: This site must be accessed through HTTPS; the enrollment session is authenticated with the user's domain credentials.

Ensure that the Root and any Intermediate CA certificates are delivered to the mobile devices (Windows Phone 8.1).

Ensure that WorxMail 10.0.7 or later for Windows Phone 8.1 is wrapped with the latest MDX Toolkit available on the Citrix downloads site.

Ensure that WorxMail (Windows Phone 8.1) is downloaded, installed, and configured on your device. Note: No special policy configuration is needed on XenMobile Server 9/10 for the WorxMail (MDX) app.

If you are using private server certificates to secure the ActiveSync traffic to the Exchange Server, ensure that all the Root/Intermediate certificates are installed on the mobile devices (Windows Phone 8.1).

Create New Certificate Templates

For the purpose of signing and encrypting email messages, it is recommended to create new certificate templates on Microsoft Active Directory Certificate Services, one per purpose. If the same key pair is used for both purposes and the encryption key is archived on the CA (so that encrypted mail can be recovered later), anyone able to recover the archived key also obtains the signing key and can impersonate the user by forging signatures. Keeping the signing key on its own template, outside key archival, avoids this.

The following procedure duplicates these certificate templates on the CA (Certificate Authority) server:
Exchange Signature Only (for signing)
Exchange User (for encryption)

1. Go to the Certification Authority snap-in.
2. Expand the CA and go to Certificate Templates.
3. Right-click and select Manage.
4. Search for the Exchange Signature Only template, right-click and select Duplicate Template.

5. Assign any name.
6. Select the checkbox Publish certificate in Active Directory.
Note: If you do not select Publish certificate in Active Directory, end users will have to publish their user certificates (for signing and encryption) manually through the Outlook mail client > Trust Center > E-mail Security > Publish to GAL (Global Address List). Microsoft's Outlook documentation describes that procedure.
7. Go to the Request Handling tab and ensure these parameters are set:
Purpose = Signature
Minimum key size = 2048
Allow private key to be exported = checked
Enroll subject without requiring any user input = selected

8. On the Security tab, ensure that Authenticated Users (or the desired domain security group) is added and has the Read and Enroll permissions.

9. Leave all other tabs and settings at their defaults.
10. Repeat the same procedure to duplicate the Exchange User template. For the new Exchange User template, keep the same default settings as the original template.

11. Go to the Request Handling tab and ensure these parameters are set:
Purpose = Encryption
Minimum key size = 2048
Allow private key to be exported = checked
Enroll subject without requiring any user input = selected

12. When both templates are created, issue both of them on the CA (in the Certification Authority snap-in: Certificate Templates > New > Certificate Template to Issue).
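The template settings above can be verified from PowerShell instead of clicking through each tab. The script below is an added example and is not part of the Citrix article: it reads the two templates from the Configuration partition of Active Directory and checks the publish-to-AD flag, the exportable-key flag, the minimum key size, the Secure Email EKU, the key-usage split between the two templates, and, for the signing template, that the private key is not subject to archival (the impersonation risk described above). It assumes the RSAT ActiveDirectory module; the template names WorxMailSign and WorxMailEnc are hypothetical and must be the template's "Template name" (its CN), not its display name. Bit values are those published in MS-CRTD.

```powershell
# Added example (not from the Citrix article): check that the two duplicated
# templates carry the settings required above and that the signing key is
# not subject to archival. Assumes the RSAT ActiveDirectory module and read
# access to the Configuration partition. Template names are hypothetical and
# must be the "Template name" (CN), not the display name.
Import-Module ActiveDirectory

# Bit values from MS-CRTD (AD certificate template schema).
$CT_FLAG_PUBLISH_TO_DS                = 0x00000008   # msPKI-Enrollment-Flag
$CT_FLAG_USER_INTERACTION_REQUIRED    = 0x00000100   # msPKI-Enrollment-Flag
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001   # msPKI-Private-Key-Flag
$CT_FLAG_EXPORTABLE_KEY               = 0x00000010   # msPKI-Private-Key-Flag
$KU_DIGITAL_SIGNATURE = 0x80                         # first byte of pKIKeyUsage
$KU_KEY_ENCIPHERMENT  = 0x20
$EKU_SECURE_EMAIL     = '1.3.6.1.5.5.7.3.4'

function Get-CertTemplate([string]$TemplateName) {
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $dn    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $props = @('msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Minimal-Key-Size',
               'pKIKeyUsage', 'pKIExtendedKeyUsage')
    Get-ADObject -Identity $dn -Properties $props
}

function Test-SmimeTemplate {
    param([string]$TemplateName,
          [ValidateSet('Signature', 'Encryption')][string]$Purpose)
    $t        = Get-CertTemplate $TemplateName
    $enroll   = [int]$t.'msPKI-Enrollment-Flag'
    $pkflags  = [int]$t.'msPKI-Private-Key-Flag'
    $ku       = [int]$t.pKIKeyUsage[0]
    $findings = @()

    if (-not ($enroll -band $CT_FLAG_PUBLISH_TO_DS))      { $findings += 'not published to AD (WorxMail reads userCertificate)' }
    if ($enroll -band $CT_FLAG_USER_INTERACTION_REQUIRED) { $findings += 'prompts the user at enrollment' }
    if (-not ($pkflags -band $CT_FLAG_EXPORTABLE_KEY))    { $findings += 'private key not exportable; PFX export will fail' }
    if ([int]$t.'msPKI-Minimal-Key-Size' -lt 2048)        { $findings += 'minimum key size below 2048' }
    if ($t.pKIExtendedKeyUsage -notcontains $EKU_SECURE_EMAIL) { $findings += 'Secure Email EKU missing' }

    switch ($Purpose) {
        'Signature' {
            if (-not ($ku -band $KU_DIGITAL_SIGNATURE)) { $findings += 'Digital Signature key usage missing' }
            if ($ku -band $KU_KEY_ENCIPHERMENT)         { $findings += 'signing template also permits key encipherment' }
            # An archived signing key lets whoever recovers it forge the user's signatures.
            if ($pkflags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) { $findings += 'signing key is subject to archival' }
        }
        'Encryption' {
            if (-not ($ku -band $KU_KEY_ENCIPHERMENT)) { $findings += 'Key Encipherment key usage missing' }
            if ($ku -band $KU_DIGITAL_SIGNATURE)       { $findings += 'encryption template also permits digital signature' }
        }
    }
    [pscustomobject]@{ Template = $TemplateName; Purpose = $Purpose
                       OK = ($findings.Count -eq 0); Findings = ($findings -join '; ') }
}

Test-SmimeTemplate -TemplateName 'WorxMailSign' -Purpose Signature   # hypothetical template names
Test-SmimeTemplate -TemplateName 'WorxMailEnc'  -Purpose Encryption
```

Run it on the CA or any domain-joined host with RSAT; each line of output lists the template, whether every check passed, and the findings that need fixing in the template properties dialog.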

Request User Certificates

In this procedure, we will use User1 to navigate to the Web enrollment page (for example, https://ad.domain.com/certsrv/) and request two new user certificates for secure email: one certificate for signing and the other for encryption. The same procedure can be repeated for other domain users that need to use S/MIME through WorxMail (Windows Phone 8.1).

1. From a Windows workstation, open Internet Explorer and go to the Web enrollment site to request a new user certificate.
Note: Log on with the domain user for whom the certificate is being requested; the certificate is issued to, and published on, the account that authenticated to the site.
2. When logged in, click Request a certificate.

3. Select advanced certificate request.
4. Select Create and submit a request to this CA. First, we will generate the user certificate for signing purposes.
5. Select the appropriate template name and type your user settings. Ensure that PKCS10 is selected as the Request Format.

6. The request has been submitted. Click Install this certificate.
7. Verify that the certificate was installed successfully.

8. Repeat the same procedure, this time for encrypting email messages. With the same user logged on to the Web enrollment site, go to the Home link to request a new certificate.
9. This time, select the new template for encryption and type the same user settings entered previously.
10. Ensure that the certificate is installed successfully.
11. Repeat the same procedure to generate a pair of user certificates for another domain user. In our use case, we followed the same procedure and generated a pair of certificates for User2.
Note: For the purpose of this article, we used the same Windows workstation to request the second pair of certificates for User2.
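The same two enrollments can be scripted with certreq when the web page is inconvenient (for example, to prepare certificates for many users). The script below is an added example, not from the Citrix article: it builds a PKCS#10 request per template (an exportable 2048-bit key, the e-mail address in the subject and in the Subject Alternative Name), submits it to the CA, installs the issued certificate in the user's Personal store, and then checks that the CA issued what the template promised (private key present, expected key usage, Secure Email EKU, e-mail in the SAN). The template names WorxMailSign and WorxMailEnc, the CA config string ad.domain.com\Domain-Root-CA and User1's details are hypothetical values; it must run in the session of the user being enrolled.

```powershell
# Added example (not from the Citrix article): enroll the signing and the
# encryption certificate for the logged-on user with certreq instead of the
# certsrv web page, then verify what the CA actually issued before the PFX
# export. Hypothetical values: template names WorxMailSign / WorxMailEnc,
# CA config string 'ad.domain.com\Domain-Root-CA' (see "certutil -dump"),
# and User1's subject and e-mail. Run in the enrolling user's session.
$CaConfig = 'ad.domain.com\Domain-Root-CA'
$Email    = 'user1@domain.com'      # must match the user's mail attribute (GAL entry)
$Subject  = "CN=User1,E=$Email"
$SECURE_EMAIL_EKU = '1.3.6.1.5.5.7.3.4'

function Request-SmimeCertificate {
    param([string]$Template, [string]$Label)
    $inf = Join-Path $env:TEMP "$Label.inf"
    $req = Join-Path $env:TEMP "$Label.req"
    $cer = Join-Path $env:TEMP "$Label.cer"
    # Exportable = TRUE mirrors "Allow private key to be exported" on the template;
    # key usage comes from the template, so one INF serves both purposes.
    @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "email=$Email"
"@ | Set-Content -Path $inf -Encoding ASCII

    certreq -new $inf $req | Out-Null
    certreq -submit -config $CaConfig $req $cer | Out-Null
    if (-not (Test-Path $cer)) { throw "Request for $Template was not issued (pending or denied); check the CA" }
    certreq -accept $cer | Out-Null          # binds the issued cert to its key in Cert:\CurrentUser\My
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    Remove-Item $inf, $req, $cer -ErrorAction SilentlyContinue
    Get-Item "Cert:\CurrentUser\My\$($issued.Thumbprint)"
}

function Test-SmimeCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$ExpectedUsage)
    $ku  = ($Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
    $eku = ($Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }).EnhancedKeyUsages |
           ForEach-Object { $_.Value }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey        # false here means there is nothing to export later
        KeyUsage      = $ku
        UsageMatches  = (($ku -band $ExpectedUsage) -eq $ExpectedUsage)
        SecureEmail   = ($eku -contains $SECURE_EMAIL_EKU)
        EmailInSan    = [bool]($san -and $san.Format($false) -match [regex]::Escape($Email))
    }
}

$sign = Request-SmimeCertificate -Template 'WorxMailSign' -Label 'user1-sign'
$enc  = Request-SmimeCertificate -Template 'WorxMailEnc'  -Label 'user1-enc'
Test-SmimeCertificate -Cert $sign -ExpectedUsage DigitalSignature
Test-SmimeCertificate -Cert $enc  -ExpectedUsage KeyEncipherment
```

If the CA is set to hold requests for manager approval, certreq -submit returns a request ID and no certificate file; the script throws at that point rather than silently continuing, which is the behaviour you want before the export step.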

Validate Published Certificates

1. To ensure that the certificates were properly published to the domain user object, go to Active Directory Users and Computers > click View > select Advanced Features.
2. Go to the properties of your user (User1 in our example) > click the Published Certificates tab. Ensure that both certificates are listed. You can verify that each certificate has a specific usage.

Example (screenshots in the original): certificate used to encrypt email messages; certificate used to sign email messages.

Exporting the User Certificates

In this procedure, we will export both User1's and User2's certificate pairs in .pfx (PKCS#12) format with the private key. When exported, we will send these certificates through email to the user using Outlook Web Access (OWA).

1. Open the MMC console and go to the Certificates snap-in for the current user (Certificates - Current User > Personal > Certificates). You should see both User1's and User2's certificate pairs.
2. Right-click the certificate > All Tasks > Export.
3. Ensure that you export the private key.

4. Select Include all certificates in the certification path if possible and Export all extended properties.
5. After you export the first certificate, repeat the same procedure for the remaining certificates for your users.
Note: Clearly label which file is the signing certificate and which is the encryption certificate. In the example, we labeled them userx-sign.pfx and userx-enc.pfx.
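The export and labelling can also be done from PowerShell, which removes the risk of naming a signing file as the encryption file. The script below is an added example and not from the Citrix article: it walks the current user's Personal store, keeps only certificates carrying the Secure Email EKU, derives the label (sign, enc, or dual) from the key-usage extension, exports each one with its private key and chain to a PFX, and re-opens the file to confirm the private key is actually inside. It assumes the PKI module (Windows 8 / Server 2012 or later); the output folder C:\smime-export and the user1 label are hypothetical.

```powershell
# Added example (not from the Citrix article): export every S/MIME certificate
# in the current user's store to a clearly labelled PFX holding the private key
# and the chain, so the signing and the encryption file cannot be confused.
# Assumes the PKI module (Windows 8 / Server 2012 or later). The output folder
# and the "user1" label are hypothetical.
Import-Module PKI
$OutDir = 'C:\smime-export'
$User   = 'user1'
$SECURE_EMAIL_EKU = '1.3.6.1.5.5.7.3.4'
$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
# The passphrase is the only protection on the private key once the PFX leaves
# this machine; share it with the user out of band, never in the same e-mail.
$Password = Read-Host -AsSecureString -Prompt 'PFX passphrase'

function Get-SmimePurpose([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ku  = ($Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
    $eku = ($Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }).EnhancedKeyUsages |
           ForEach-Object { $_.Value }
    if ($eku -notcontains $SECURE_EMAIL_EKU) { return $null }       # not an S/MIME certificate
    if ($null -eq $ku) { return $null }                             # no key-usage extension: cannot classify
    $sig = (($ku -band $KU::DigitalSignature) -ne 0)
    $enc = (($ku -band $KU::KeyEncipherment) -ne 0)
    if ($sig -and -not $enc) { return 'sign' }
    if ($enc -and -not $sig) { return 'enc' }
    return 'dual'   # one key for both purposes; not recommended (see the template section)
}

function Export-SmimeCertificates {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $purpose = Get-SmimePurpose $cert
        if (-not $purpose) { continue }
        if (-not $cert.HasPrivateKey) { Write-Warning "$($cert.Thumbprint): no private key, skipped"; continue }
        $path = Join-Path $OutDir "$User-$purpose.pfx"            # e.g. user1-sign.pfx, user1-enc.pfx
        # BuildChain = "Include all certificates in the certification path if possible"
        Export-PfxCertificate -Cert $cert -FilePath $path -Password $Password -ChainOption BuildChain | Out-Null
        # Re-open the file to prove the private key and the chain survived the export
        $pfx = Get-PfxData -FilePath $path -Password $Password
        [pscustomobject]@{
            File               = $path
            Purpose            = $purpose
            Thumbprint         = $cert.Thumbprint
            PrivateKeyExported = $pfx.EndEntityCertificates[0].HasPrivateKey
            ChainCertsIncluded = @($pfx.OtherCertificates).Count
        }
    }
}
Export-SmimeCertificates
```

A row whose Purpose reads dual means one certificate is being used for both signing and encryption, which is exactly the situation the template section advises against; a row with PrivateKeyExported false means the key was marked non-exportable at enrollment and the certificate must be re-issued from a template that allows export.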

Send Certificates through Email

When all certificates are exported in PFX format, we use Outlook Web Access (OWA) to send them through email. For this example, we are logged on as User1 and send ourselves an email with both certificates. Repeat the same procedure for User2 or other users in your domain.

Note: The PFX passphrase is the only protection on the private keys while the files sit in transit and in the mailbox, so use a strong passphrase and give it to the user out of band rather than in the same message.

Enabling S/MIME on WorxMail

When the email has been delivered, the next step is to open the message using WorxMail and enable S/MIME with the appropriate certificates for signing and encryption.

Note: For the purpose of this example, the same user certificate is used for signing and encryption. However, it is highly recommended to use different certificates for each purpose, for the reasons given under Create New Certificate Templates.

1. On WorxMail, open the email message.
2. Download the certificate (for signing and encryption). Type the passphrase assigned to the private key.

Note: The user certificates for signing and encryption are imported into the WorxMail secure framework (the MDX container). They are not accessible to any other third-party app.
3. Select whether the certificate is to be imported for signing, encryption or both.

4. When the certificates have been imported, go to Settings to enable S/MIME.

5. Tap S/MIME to enable the feature.

6. To sign email messages sent by WorxMail, tap Sign Outgoing Messages. Ensure that the user certificate is listed.

7. To encrypt email messages sent by WorxMail, tap Encrypt by default. Ensure that the user certificate is listed.

8. When complete, ensure that the S/MIME settings are ON.

Example (screenshot in the original): S/MIME enabled with signing and encryption.

Testing

If everything has been performed correctly, when a signed and encrypted email is sent, the recipient (who holds the private key matching the encryption certificate the message was encrypted to) should be able to decrypt and read the message in clear text, and WorxMail should show the sender's signature as verified against a trusted certificate.

Example (screenshot in the original): encrypted message read by the recipient.

Example (screenshot in the original): verification of the signer's trusted certificate.

Troubleshooting FAQ

Q: I am unable to send an encrypted message to another domain user through WorxMail. What is wrong?
A: Ensure that the recipient has the correct encryption certificate published on their user object. You can verify this under Active Directory Users and Computers > user properties > Published Certificates.

WorxMail works by reading the userCertificate attribute of the recipient's user object through LDAP queries. IT administrators can also read this value under the Attribute Editor tab. If this attribute is empty, or does not contain a valid encryption certificate for the user, WorxMail has no public key to encrypt to and cannot encrypt messages to that user (and the user consequently receives nothing to decrypt).
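The lookup described in this answer, and the manual check under Validate Published Certificates above, can be reproduced with the script below. It is an added example, not part of the Citrix article: it reads every value of userCertificate from the recipient's user object (each value is one DER-encoded certificate, exactly what Attribute Editor shows), and for each certificate reports whether it carries the key-encipherment usage and the Secure Email EKU, whether its e-mail matches the user's mail attribute, whether it is inside its validity period, and whether it chains to a CA trusted on the host running the script. It assumes the RSAT ActiveDirectory module; user2 is a hypothetical account name, and revocation checking is disabled for the lab.

```powershell
# Added example (not from the Citrix article): reproduce the lookup WorxMail
# performs by reading userCertificate from the recipient's AD user object, and
# report whether any published certificate is usable for encryption. This is
# also a scripted form of the "Validate Published Certificates" check above.
# Assumes the RSAT ActiveDirectory module; 'user2' is a hypothetical account.
Import-Module ActiveDirectory
$SECURE_EMAIL_EKU = '1.3.6.1.5.5.7.3.4'
$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

function Get-PublishedSmimeCertificates([string]$SamAccountName) {
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate, mail
    if (-not $user.userCertificate) { Write-Warning "$SamAccountName has nothing in userCertificate"; return }
    $mailRx = if ($user.mail) { [regex]::Escape($user.mail) } else { $null }
    $now = Get-Date
    foreach ($der in $user.userCertificate) {
        # Each value is the DER encoding of one certificate (as shown in Attribute Editor)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, [byte[]]$der)
        $ku   = ($cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
        $eku  = ($cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }).EnhancedKeyUsages |
                ForEach-Object { $_.Value }
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab setting; use Online where the CRL/OCSP is reachable
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            CanEncrypt     = ($null -ne $ku -and (($ku -band $KU::KeyEncipherment) -ne 0))
            SecureEmailEku = ($eku -contains $SECURE_EMAIL_EKU)
            EmailMatches   = [bool]($mailRx -and ($sanText -match $mailRx -or $cert.Subject -match $mailRx))
            InValidity     = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            ChainTrusted   = $chain.Build($cert)        # false when the issuing CA is not trusted on this host
        }
    }
}

$results = Get-PublishedSmimeCertificates -SamAccountName 'user2'
$results | Format-Table -AutoSize
$usable = $results | Where-Object { $_.CanEncrypt -and $_.SecureEmailEku -and $_.EmailMatches -and $_.InValidity -and $_.ChainTrusted }
if (-not $usable) { Write-Warning 'No usable encryption certificate is published; WorxMail cannot encrypt to this user' }
```

A typical failure pattern is a published signing certificate only (CanEncrypt false on every row), which happens when the encryption template was not set to publish to Active Directory or the user only enrolled from the signing template.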

Q: Can I see or access any of the user certificates installed on the Windows Phone 8.1 device for S/MIME?
A: The user certificates for signing and encryption are installed in the secured MDX sandbox. They can only be accessed by WorxMail's security framework.