EAS configuration (iOS device profile) with SMC v7 and Office 365

Hi all,

Before we moved to Office 365 we configured our on-premises Exchange 2010 server's ActiveSync virtual site to only allow access from a restricted IP: our SMC server.

This worked well as we were able to force all end-points to connect to the SMC EAS server as a proxy for Active Sync.

However since we moved to Office 365 this broke as SMC did not support EAS proxy. That is until version 7! :)

This is where we are stuck: we're trying to configure the EAS configuration (iOS device profile) with SMC v7 and Office 365, but can't seem to get the settings to work. The iOS mail profile just fails on verifying the Exchange account details.

 

  • We've configured the Exchange ActiveSync host as the external URL of the SMC EAS proxy: server.domain.com (with and without the https:// prefix)
  • Domain: blank / populated with the external domain / the internal namespace, in both pre- and post-Windows 2000 domain name formats
  • User: we've tried %_USERNAME_% and %_EMAILADDRESS_%
  • Email: we of course use %_EMAILADDRESS_%
  • Password: obviously blank (as this is a shared profile)
  • SSL: enabled

I've searched all over the numerous admin guides, user guides, this guide, that guide, another guide, etc. from Sophos, but I can't find any examples. I've looked through the KB too, but all the articles point to the old versions.

I thought I'd try here first before raising another ticket.

Thanks,

John
  • My theory (from witnessing the behaviour of the system since upgrading to v7) is that the relationship between SMC as an EAS proxy and Office 365 is not a linear one like it is with SMC acting as an EAS proxy for an on-premises Exchange. I think it's now a triangular relationship...

    So linear being:

    1. Mobile SMC app AND iOS profile --> SMC Server external URL --> on-premise Exchange server

     

    I think it's now a triangular relationship for Office 365 and SMC EAS:

    1. iOS profile --> Office 365 (outlook.office365.com)

    2. Mobile SMC app --> SMC Server external URL

    3. SMC server --> Office 365

    The above translates into a diagram relationship ;)

     

    The reason why I say this is the following:

    When we upgraded from SMC v6 to SMC v7 our mobiles (that were/are pointing to outlook.office365.com in their iOS profile) could no longer retrieve their emails. Some users received the following email message in their desktop mail client:

     

    From: Microsoft Outlook <MicrosoftExchangeXXXXXXXXXX@domain.onmicrosoft.com>
    Date: Monday, 3 April 2017 at 09:20
    To: Example User <example.UserX@domain.com>
    Subject: Your mobile device has been denied access to the server because of server policies.
     
    Your device won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.
    Information about your device:
    Device model:    iPhone8C4
    Device type:    iPhone
    Device ID:    Removed for Security
    Device OS:    iOS 10.1.1 14B100
    Device user agent:    Apple-iPhone8C4/1402.100
    Device IMEI:    
    Exchange ActiveSync version:    16.1
    Device access state:    Blocked
    Device access state reason:    Individual
    Sent at 03/04/2017 08:20:14 to example.UserX@domain.com

     

    Why?

     

    Well. My theory: The SMC app compliance policy has been set to revoke email EAS flow if the SMC client hasn't synced in X days, for example.

    Prior to version 7, SMC was simply dead wood when used in conjunction with Office 365. The users realised this and took the liberty of never needing to run the SMC app anymore. (It was kinda pointless).

    Then, since upgrading to SMC version 7 and pointing the SMC EAS settings to Office 365 (configuring the certs, the PowerShell, and the backend rights on Office 365), the SMC server now checks to see if the SMC clients have checked in within the set policy period, and if not, the SMC server simply sends the PowerShell commands to Office 365 to revoke the mobile clients from using Office 365 ActiveSync. One of my guys noticed that in the Office 365 ActiveSync settings for the denied users, their mobiles had disappeared from being allowed access.

     

    This is all highly theoretical as it's based only on what we've experienced. However, if I am correct then here are some points to think about:

     

    1. Unlike what the Sophos guides, KBs, and the in-context help say, you don't set the iOS ActiveSync profile to point to the SMC server if you're using Office 365 and SMC as an EAS proxy. You still set the iOS profile to point to outlook.office365.com. The access now seems to be controlled by the SMC server talking to the Office 365 server and setting access.

    You still need to make sure the SMC app points to the external URL of the SMC server.

    2. Again, if my theory is correct then you could very likely experience a lag with the changes made in Office 365 by the SMC server. Previously it was easy, as the SMC server would simply deny/allow EAS access by controlling the flow directly. However, in the triangle relationship the iOS profile now talks to the Office 365 servers, and it could take 24 hours for Microsoft to update and deny/allow ActiveSync as set by the SMC server.

    ---

    Personally I'm hoping that my theory is way out, and that I just need to make a few changes with the help of Sophos and we can go back to the old days of:

    Mobile SMC app AND iOS profile --> SMC Server external URL --> Office 365

     

    I've now raised a case with Sophos, but as I thought, this is so new that Sophos support are not sure, so it's likely to go back to Germany for the SMC engineers to answer.

    Hopefully someone at Sophos can answer this before it gets to that?

    Cheers,

    John
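Added example, not from the thread or from Sophos: an Exchange Online PowerShell check that lists the devices a tenant is currently refusing and why, so an admin can tell the "Blocked / Individual" state shown in the bounce email above (a per-mailbox allow/block list entry) apart from a device access rule or the tenant default. It assumes the ExchangeOnlineManagement module is installed and `Connect-ExchangeOnline` has already been run; the function name `Get-EasBlockedDevices` is hypothetical.

```powershell
# Added example, not part of the thread. Assumes Connect-ExchangeOnline has already been
# run (ExchangeOnlineManagement module). The function name is hypothetical.
# Lists every mobile device Exchange Online currently refuses, with the reason, so a
# per-mailbox block ("Individual") can be distinguished from a device rule or org default.
function Get-EasBlockedDevices {
    param(
        # Optional single mailbox; default is every user mailbox in the tenant.
        [string]$Mailbox
    )

    # Tenant-wide default: Allow, Block or Quarantine for devices no rule matches.
    $orgDefault = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel

    $mailboxes = if ($Mailbox) { Get-Mailbox -Identity $Mailbox }
                 else { Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox }

    foreach ($mbx in $mailboxes) {
        # The per-mailbox allow/block lists are what an "Individual" reason points at.
        $cas = Get-CASMailbox -Identity $mbx.Identity

        foreach ($dev in Get-MobileDevice -Mailbox $mbx.Identity) {
            if ($dev.DeviceAccessState -ne 'Blocked') { continue }

            # Statistics carry the last successful sync, useful when comparing against
            # an MDM compliance window such as "not checked in for X days".
            $stats = Get-MobileDeviceStatistics -Identity $dev.Identity

            [pscustomobject]@{
                Mailbox            = $mbx.PrimarySmtpAddress
                DeviceId           = $dev.DeviceId
                DeviceModel        = $dev.DeviceModel
                UserAgent          = $dev.DeviceUserAgent
                AccessState        = $dev.DeviceAccessState
                AccessStateReason  = $dev.DeviceAccessStateReason
                # True when the ID sits on the mailbox's own block list.
                OnMailboxBlockList = $cas.ActiveSyncBlockedDeviceIDs -contains $dev.DeviceId
                # True when the ID is still on the mailbox's allow list (a device that was
                # removed from it falls back to rules and the org default instead).
                OnMailboxAllowList = $cas.ActiveSyncAllowedDeviceIDs -contains $dev.DeviceId
                LastSuccessSync    = $stats.LastSuccessSync
                OrgDefaultAccess   = $orgDefault
            }
        }
    }
}

# Usage: export the blocked devices for comparison with the MDM server's compliance report.
Get-EasBlockedDevices | Export-Csv -NoTypeInformation -Path .\eas-blocked-devices.csv
```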

     

     

  • Raised a case with Sophos support, and it seems that no-one in Sophos support actually knows how version 7 now works with EAS with Office 365.

    Sophos, this is poor - you could learn a few things from Palo Alto:

    1. When you provide a new feature - train your staff accordingly.

    2. Create documentation describing how the new features work.

    Though to be honest, I've come to expect this of Sophos, seeing as we've been a customer for about 15 years and the release of products always has poor initial support and documentation.

    I've been saying this for years though, and always receive broken promises of improvement from Sophos...

    I'd love to hear what Sophos product management have to say to this on an open forum...