How to Use RSA SecurID with Exchange ActiveSync

 

For an added level of security, you can use RSA SecurID two-factor authentication with Exchange ActiveSync® on Microsoft® Windows Mobile™ devices.

Note

No additional device configuration is required to support RSA SecurID. The device presents the appropriate authentication automatically when synchronizing with an Exchange ActiveSync server protected by RSA SecurID.

Follow the procedures in this topic to configure RSA SecurID with Exchange ActiveSync.

Procedure

How to use RSA SecurID with Exchange ActiveSync

  1. Set up the RSA SecurID server components. To configure the RSA SecurID server components, you need to:

    • Set up the RSA ACE/Server   The RSA ACE/Server is the RSA server that stores and manages authentication tickets and credentials for your users. To set up the RSA ACE/Server, follow the procedures outlined in the RSA SecurID documentation provided by RSA Security Inc.

    • Set up the RSA ACE/Agent on the front-end server   The RSA ACE/Agent is the Internet Server Application Programming Interface (ISAPI) filter that performs authentication and communicates with the ACE/Server to retrieve SecurID credentials. To set up the RSA ACE/Agent, follow the procedures outlined in the RSA documentation provided by RSA Security Inc.

  2. Configure Internet Information Services (IIS) to use RSA SecurID. To configure IIS to use RSA SecurID, do the following:

    1. Protect the Exchange ActiveSync virtual directories. You can protect these virtual directories in one of the following two ways:

    • Protect the entire Web server (recommended)   In this option, you protect all virtual roots on the IIS server with RSA ACE/Agent, including any other services implemented by the front-end server. For example, you may have configured your front-end Exchange server as an access point for Outlook Mobile Access or for Outlook Web Access. For information about how to verify that the ACE/Agent is configured to protect the entire Web server, see How to Verify ACE/Agent is Configured to Protect the Entire Web Server.

    • Protect only the Exchange ActiveSync virtual directories   In this option, you configure the RSA ACE/Agent so that SecurID protects only Exchange ActiveSync. Use this option if you intend to enable additional services, such as Outlook Web Access and Outlook Mobile Access, on the same server without protecting those services with SecurID. For detailed steps for how to limit RSA SecurID authentication to Exchange ActiveSync, see How to Limit SecurID Authentication to the Microsoft-Exchange-ActiveSync Virtual Directory.

      Note

      By default, the ACE/Agent is configured to protect the entire Web server.

    2. Customize the HTTP response headers for devices. The ActiveSync client on the Microsoft Windows Mobile device must be able to distinguish between RSA SecurID authentication responses and Exchange ActiveSync responses. To enable this capability, you need to configure custom HTTP response headers on the WebID virtual root that contains the HTML forms configured by RSA ACE/Agent. For detailed steps for configuring the custom HTTP response headers, see How to Configure Custom HTTP Responses for Devices.

    3. Install SecurID screens (optional). For information about installing these screens, see the RSA SecurID documentation provided by RSA Security Inc.

  3. Set up user accounts. User accounts for SecurID should be set up by the administrator as recommended by the RSA SecurID product documentation, with the following restriction:

    Important

    For all users, SecurID user IDs must be selected to match the Windows account name. Exchange ActiveSync with SecurID does not function for users who have a distinct RSA user ID that does not match their Windows account name.
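
A pre-deployment check for the restriction above, as an added example that is not part of the original topic: it compares a directory export against a SecurID user export and lists the users whose SecurID user ID does not match their Windows account name. The CSV layouts, column names, the e-mail join key and the sample rows are constructed assumptions, not a real RSA or Active Directory export format.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a real export format.
WINDOWS_CSV = """email,account_name
alice@example.com,alice
bob@example.com,bsmith
carol@example.com,carol
dave@example.com,dave
"""
SECURID_CSV = """email,securid_user_id
alice@example.com,alice
bob@example.com,bob.smith
carol@example.com,Carol
erin@example.com,erin
"""

def load(text, id_column):
    """Map the join key (lower-cased e-mail) to the login ID held in id_column."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower(): r[id_column].strip() for r in rows}

def audit(windows_csv, securid_csv):
    """Classify each user by whether the SecurID user ID matches the Windows account name."""
    win = load(windows_csv, "account_name")
    rsa = load(securid_csv, "securid_user_id")
    report = {"match": [], "case_differs": [], "mismatch": [],
              "no_securid_record": [], "no_windows_account": []}
    for email in sorted(win.keys() | rsa.keys()):
        w, r = win.get(email), rsa.get(email)
        if r is None:
            report["no_securid_record"].append(email)
        elif w is None:
            report["no_windows_account"].append(email)
        elif w == r:
            report["match"].append(email)
        elif w.lower() == r.lower():
            # The topic does not say whether the match is case-sensitive: flag for review.
            report["case_differs"].append(email)
        else:
            report["mismatch"].append(email)
    return report

if __name__ == "__main__":
    for status, users in audit(WINDOWS_CSV, SECURID_CSV).items():
        print(f"{status}: {', '.join(users) or '-'}")
```

Users reported under `mismatch` are the ones for whom Exchange ActiveSync with SecurID will not function until the SecurID user ID is changed to the Windows account name.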

For More Information

For an overview of RSA SecurID, see "Configuring Exchange ActiveSync to Use RSA SecureID" in Configuring Mobile Device Support.