ISL01: Transparently Authenticating Tablets, Smartphones and Laptops with Symantec Managed PKI Service

Hands-On Lab Description

In this session, you will take a free test drive of Symantec Managed PKI Service: issue a certificate to a device and automatically configure the device/application for authentication in an enterprise Bring Your Own Device (BYOD) initiative, specifically for ActiveSync communication to an Exchange email system. The BYOD lab supports iPhones (3rd and 4th generation running iOS 4 or 5) and iPads (1st and 2nd generation running iOS 4 or 5). You may use your own iOS device for the lab, or a shared device will be available for the final step.

At the end of this lab, you should be able to use Symantec Managed PKI Service to strongly authenticate users and secure the communication between mobile devices and a Microsoft Exchange server using the ActiveSync protocol.
Notes

A brief presentation will introduce this lab session and discuss key concepts. The lab will be directed and provide you with step-by-step walkthroughs of key features. Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace. Be sure to ask your instructor any questions you may have. Thank you for coming to our lab session.

LAB AGENDA

Lab Exercise 1: PKI Administrator - Enroll for Symantec Managed PKI Service Free Trial (10 minutes)
  Quick, easy and free access to the Symantec Managed PKI Service online.

Lab Exercise 2: PKI Administrator - Configure your MPKI account for ActiveSync (10 minutes)
  Configure ActiveSync certificate profile for target device
  Send ActiveSync certificate enrollment email to end-user

Lab Exercise 3: End-user - Certificate enrollment, installation, configuration and usage (10 minutes)
  Device certificate enrollment, profile installation and configuration
  Access your Exchange mailbox

Discuss the Microsoft Exchange server side configuration
  Review the MPKI ActiveSync guide for instructions on:
  - Trusting the issuing CA
  - Mapping certificates to Windows accounts

2 of 26
Lab Exercise 1: Symantec Managed PKI Service Account Setup

Open a web browser on the PKI workstation, and sign into the lab email account as follows:

URL: http://gmail.com
Userid: vision2012.usern (where n is your lab group number)
Password: Symantec1

Open a new browser tab and go to: http://www.symantec.com/theme.jsp?themeid=free-trial

Click the link Get Started. Fill out the entire form. For the contact details, use (where n is your lab group number):

First Name: Vision2012
Last Name: Usernn
Email Address: vision2012n@gmail.com
Title: Other
Company: Vision2012
Department: Labn
Company Size: 1 to 10
Industry: Other
Street Address: City Square
City: Barcelona
State: Other
Zip: B1
Country: Spain
Phone Number: 1234567890
Once you have submitted the registration form, you will be sent an email to pick up your PKI Administrator certificate. Switch to the Gmail mailbox tab in your browser and open the email with the subject Test Drive account approved.
In the email body, click on the link labeled Go to the link below to get your certificate:
You will now be instructed to install PKI Client to protect the administrator certificate. Click the download link for the Windows platform you are using. From the File Download dialog, click Run and follow the instructions to install the PKI Client software.
After the client software is installed, you will be prompted to restart the computer. Restart Windows and return to the Gmail pickup message. Click on Install Certificate. When prompted, create a PIN to protect the certificate in the PKI Client virtual token store.
Do not interrupt the browser while it is generating your key pair and installing your certificate. On the certificate installation success page, click on the button labeled Log in now.
When prompted, choose your administrator certificate. Symantec PKI Client will prompt you for your token PIN. Enter your PIN and click Submit. Welcome to the PKI Manager dashboard. The account setup is now complete.
Lab Exercise 2: PKI Administrator - Configure your MPKI account for mobile device ActiveSync certificate use-case(s)

Using your web browser, log in to PKI Manager and click the Tasks icon for Manage Certificate Profiles. Click Add certificate profiles.
Select Production Mode and click Continue. Choose the Certificate template Secure Sign-in (Test Drive) and click Continue.
Type the Certificate friendly name iosactivesync, and change the Enrollment Method to iOS. Click Continue.
Select Authentication method Enrollment Code, then check the box Include enrollment code as part of the URL in the enrollment email. Then click Save. Click Continue. Note that with the code embedded in the URL, anyone who can read the enrollment email can complete enrollment, so the mailbox it is delivered to is what gates certificate issuance.
Click Edit to set the device configuration. Configure the ActiveSync settings, then click Save.

Connection type: Microsoft ActiveSync
Account name: Vision 2012 Lab n
Exchange host: mail.ua.tso-cloud.com
Certificate profile configuration is complete.
Send ActiveSync certificate enrollment email to end-user

In PKI Manager, click the Tasks icon for Manage users and certificates. Click Add users.
Select the radio button for I want to add: A single user. In this wizard, we will set the Email as the user's corporate email, as this value is also used as the Seat ID. In this lab, the user's corporate email address and their Windows domain User Principal Name (UPN) are the same. The UPN value will also be included in the certificate SubjectAltName and is used by ActiveSync to map the certificate to the domain user's mailbox. Use domain user usern@ua.tso-cloud.com, where n is your lab group number. Click Continue.
Enter the user's First Name and Last Name and click Continue. The user is added. Click Edit user details. Update the Email address. The email should be sent to an address that can be read from the end-user device. You can use your own email address, or use the lab Gmail account used earlier.
Click Save. Click Enroll user for a certificate.
Select the appropriate Certificate profile for the end-user's device, iosactivesync. Check the box Have the system send the enrollment email to the users I'm enrolling. Click Continue. Set the Other Name (UPN) value to the same domain user that you chose for the Seat ID. Leave Email blank. (The Email field on this page is not honored; the enrollment email is sent to the address set earlier under Edit user details.) Click Continue.
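The UPN configured in the two steps above (the Seat ID and the Other Name (UPN) field) ends up in the certificate's SubjectAltName as a Microsoft UPN otherName, and that value is what the Exchange side later resolves to a mailbox. The following Python is an added example, not part of this lab and not Symantec's code: it builds a SubjectAltName carrying an rfc822Name and a UPN otherName (type-id OID 1.3.6.1.4.1.311.20.2.3), parses it back the way a relying party would, and maps the UPN to an account in a constructed stand-in directory. The account names and directory contents are assumptions made for the example.

```python
"""Extract the UPN otherName from a SubjectAltName and map it to a directory
account, mirroring how an ActiveSync client certificate is mapped to a mailbox.
Example code for illustration; the directory below is constructed, not real."""
from typing import Optional

# Microsoft User Principal Name otherName type-id (szOID_NT_PRINCIPAL_NAME).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"

# --- minimal DER helpers, enough for SubjectAltName GeneralNames ----------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (base-128 arcs, first two arcs combined)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return _tlv(0x06, bytes(out))

def _read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos (single-byte tags)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- build a SAN shaped like the one in the ActiveSync certificate --------

def build_san(email: Optional[str], upn: Optional[str]) -> bytes:
    """DER GeneralNames with an optional rfc822Name [1] and UPN otherName [0]."""
    names = b""
    if email:
        names += _tlv(0x81, email.encode("ascii"))            # rfc822Name, IA5String
    if upn:
        value = _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))    # [0] EXPLICIT UTF8String
        names += _tlv(0xA0, _oid(UPN_OID) + value)            # otherName { type-id, value }
    return _tlv(0x30, names)

# --- parse it back the way a relying party would --------------------------

def extract_upn(san: bytes) -> Optional[str]:
    """Return the UPN carried in a SAN otherName, or None if there is none."""
    tag, names, _ = _read(san, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, value, pos = _read(names, pos)
        if tag != 0xA0:                      # rfc822Name, dNSName, ... are not otherName
            continue
        oid_tag, oid_body, off = _read(value, 0)
        if oid_tag != 0x06 or _tlv(0x06, oid_body) != _oid(UPN_OID):
            continue                         # an otherName of some other type
        _, explicit, _ = _read(value, off)   # unwrap the [0] EXPLICIT value
        inner_tag, upn_bytes, _ = _read(explicit, 0)
        if inner_tag != 0x0C:
            raise ValueError("UPN otherName value is not a UTF8String")
        return upn_bytes.decode("utf-8")
    return None

# Constructed stand-in for the directory: userPrincipalName -> account name.
DIRECTORY = {
    "user3@ua.tso-cloud.com": "user3",
    "user4@ua.tso-cloud.com": "user4",
}

def map_to_account(san: bytes, directory=DIRECTORY) -> Optional[str]:
    """Map a certificate to an account by UPN; AD compares UPNs case-insensitively."""
    upn = extract_upn(san)
    if upn is None:
        return None
    lowered = {k.lower(): v for k, v in directory.items()}
    return lowered.get(upn.lower())

if __name__ == "__main__":
    san = build_san("user3@ua.tso-cloud.com", "user3@ua.tso-cloud.com")
    print(san.hex())
    print(extract_upn(san), "->", map_to_account(san))
```

Two points the code makes concrete: the UPN is an otherName, so a relying party that only reads rfc822Name never sees it, and a certificate without the otherName maps to nobody; and the mapping is only as trustworthy as the issuer, since any CA the server accepts for client authentication can assert an arbitrary UPN. That is why the server-side steps pair trusting the issuing CA with mapping certificates to accounts.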
Click Done.
Lab Exercise 3: End-user - Certificate enrollment, installation, configuration and usage

On your iOS device (or on the shared lab iPad), open your email messages to check for the pickup message from Managed PKI. If you are using the lab iPad, open the mailbox for Vision Lab Gmail n, where n is your lab group number. You should see a message with the subject Enroll for your certificate. Open the message and click on the link in the message. This will show the initial enrollment page.
Next, you will see an identity confirmation message. Click Continue to begin the profile installation process. On the Install Profile page, click Install. You will be asked to confirm the installation, then be prompted for your passcode. This is the same passcode used to lock your screen.
The iOS device will now generate a key pair, enroll for the certificate, and install the profile.
Once the profile is installed, return to Mail and navigate back to All Inboxes. You will see a new inbox for Vision 2012 Lab n. Select this inbox. The iOS device will now connect to the Exchange server via ActiveSync, authenticating with the certificate just issued. You should see your messages, including a Congratulations! message. This completes the lab.
Lab Exercise 3: Discuss the Microsoft Exchange server side configuration

Download and review MPKI_ActiveSync.pdf (also downloadable from PKI Manager Resources) for instructions on the steps required to enable certificate-based authentication for ActiveSync. The overall steps required are:
- Trust the issuing CA
- Map certificates to domain user accounts