Before setting up secure MAPI optimization, make sure that the ProxySG appliance meets the following prerequisites:
- The ProxySG appliance must be running SGOS 6.2.x, 6.3.x, 6.4.x or 6.5.x.
- Secure ADN must be configured. Secure MAPI can only be sent across secure ADN tunnels between devices on the ADN network.
To add the appliance to the domain and begin optimizing traffic:
- Configure the Outlook client to use Negotiate Authentication.
- In Outlook 2007, select Tools > Account Settings > Email Account > More settings > Security.
Ensure that Encryption is enabled. Make sure that Negotiate Authentication is selected (which is the default).
Negotiate Authentication means that the client can negotiate both Kerberos and NTLM.
- In Outlook 2000 and 2003, the setting is Kerberos/NTLM Password Authentication.
Exchange Server negotiates Kerberos as preferred, which is the default setting.
- To enable the Domain Controller (DC) to support Trust Delegation, make sure that it is running Windows Server 2003 or later and configure it with the correct domain functionality level.
Select Administrative Tools > Active Directory Domains and Trusts. Right-click the domain and select Raise the Domain Functionality.
- Make sure that NTP is configured correctly on both the ProxySG appliance and the DC so that their clocks are synchronized; Kerberos rejects tickets when the clocks differ by more than the permitted skew.
- The appliance must be configured to join the domain. Select Configuration > Authentication > Windows Domain and create a new alias for the Windows Domain (which is an independent name only used on the ProxySG appliance).
- On the Windows Domain tab, configure the ProxySG appliance to join the domain. Enter the DNS domain name (for example, bluecoat.local) and the Device name you want to assign the ProxySG appliance on the domain.
- Click Join.
- Enter admin user credentials.
- Click Apply to configure the NetBIOS name.
The ProxySG appliance then appears in the Users and Computers list on the DC.
Note: The user account used to join the appliance to the domain must be able to read the userAccountControl, accountExpires, and passwordLastSet attributes of all the users that must be authenticated.
- Configure trust delegation on the DC for the ProxySG appliance at the branch office.
- On the DC, select Administrative Tools > Active Directory Users and Computers.
- Under Domain Name/Computers, double click the ProxySG appliance host to display the properties and click the Delegation tab.
- Select Use any authentication protocol.
- Click Add; in Add Services click Users and Computers.
- In the Enter the object names to select field, enter the name of the Exchange Server for which the system will be trusted to delegate and click OK.
- In Add Services, click the Exchange MDB database that will be trusted for delegation and click OK.
Repeat the two previous steps for any other endpoint Exchange Servers that accept MAPI connections.
The ProxySG appliance must be trusted to authenticate Exchange users (clients) when they connect to the ProxySG appliance (NTLM).
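As an added example (not part of the Blue Coat article), the following PowerShell, run on the DC with the ActiveDirectory module, reads back the delegation settings the steps above configure and flags the two misconfigurations that matter most: protocol transition not enabled (secure MAPI fails for NTLM clients) and delegation left unconstrained (a far larger grant than the Exchange MDB service). The host name PROXYSG-BR1 and the Exchange server EXCH01.bluecoat.local are placeholders.

```powershell
# Added verification script; not from the Blue Coat article.
# Placeholders: ProxySG device name and endpoint Exchange Server FQDN.
Import-Module ActiveDirectory

$ProxyHost    = 'PROXYSG-BR1'             # Device name assigned when joining the domain
$ExchangeFqdn = 'EXCH01.bluecoat.local'   # Endpoint Exchange Server that accepts MAPI
$ExpectedSpn  = "exchangeMDB/$ExchangeFqdn"

$props = @('TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo')
$acct  = Get-ADComputer -Identity $ProxyHost -Properties $props

# "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION (protocol
# transition), which lets the appliance obtain a Kerberos ticket to Exchange on
# behalf of a client that authenticated to the appliance with NTLM.
if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "$ProxyHost is not trusted for protocol transition; NTLM clients cannot be delegated."
}

# TRUSTED_FOR_DELEGATION with an empty target list means unconstrained delegation
# ("Trust this computer for delegation to any service"), which the steps above do not ask for.
$targets = @($acct.'msDS-AllowedToDelegateTo')
if ($acct.TrustedForDelegation -and $targets.Count -eq 0) {
    Write-Warning "$ProxyHost has unconstrained delegation; restrict it to the Exchange MDB service."
}

# The appliance should be limited to exactly the Exchange MDB endpoints that accept MAPI.
if ($targets -notcontains $ExpectedSpn) {
    Write-Warning "Delegation list does not include $ExpectedSpn; repeat the Add Services step."
}
$targets | Where-Object { $_ -notlike 'exchangeMDB/*' } |
    ForEach-Object { Write-Warning "Unexpected delegation target on ${ProxyHost}: $_" }

Write-Output "Delegation targets for ${ProxyHost}:"
$targets | ForEach-Object { Write-Output "  $_" }
```

Run it after adding each endpoint Exchange Server so the target list is checked once per server rather than only at the end.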
- Configure secure ADN on the branch and core ProxySG appliances.
- In the Management Console, select Configuration > ADN > General > Device Security.
- Select the SSL Device Profile you want to use and enable Authorization, if desired. Do this for both devices.
- Configure ADN as desired (manager/backup manager, advertised routes, transparent or explicit, and so on).
- If the SSL device profile for secure ADN uses a self-signed certificate, or a certificate signed by a root CA that the ProxySG appliance does not recognize, copy that certificate from the Keyring and add it to the CA certificate list on both devices so that each appliance trusts the other's profile.
Secure ADN should now be established.
- Enable secure MAPI on the ProxySG appliance.
Select Configuration > Proxy Settings > MAPI proxy. Ensure that Enable acceleration for encrypted MAPI is selected and that the Domain Alias is selected from the drop-down list.
Note: The ProxySG appliance must be joined to the same domain of which the Exchange Server is a member. Outlook users must belong to the same domain tree as the Exchange Server and the ProxySG appliance. SGOS 220.127.116.11 and later supports multiple domains. If all the domains are members of the same domain tree in one forest and have a parent/child relationship, a two-way trust relationship exists between these domains. This release does not support multiple domains if the domains are in different domain trees in the same forest (without a trust relationship) or in different forests.