Secure Mobile Gateway supports the encryption of email attachments for user
devices that use the ActiveSync protocol. Attachment encryption is selective,
based on properties of the device and the file types of the attachments. You
configure XenMobile Device Manager to control the selection criteria and to
dynamically configure Secure Mobile Gateway to perform the encryption.
Important: Due to limitations of Microsoft IIS, attachment encryption is
only supported on Forefront Threat Management Gateway (TMG) platforms.
Attachment encryption is a system, not an isolated feature of Secure Mobile
Gateway. It is designed to work with a large number of native and third-party
email clients. To work, it requires the cooperation of Device Manager, Secure
Mobile Gateway, and the Device Agents, as follows:
Attachments are protected by using an industry-standard secure container,
PKCS #7. The container provides a cryptographically secure envelope around the
attachment data. Such containers can be decrypted only by the mobile device to
which the attachment is delivered and by Secure Mobile Gateway. When Secure
Mobile Gateway encrypts an attachment, the suffix .zsa is appended to the
original attachment name, creating a ZSA container. The suffix allows the
Device Agent, which registers itself as the handler for .zsa files, to be
invoked automatically when a .zsa file is opened in any email client.
How Attachments Are Encrypted
ZSA containers are constructed by Secure Mobile Gateway when email attachments
are delivered to the device via ActiveSync. The Device Agent reads the
container when the attachment is accessed from within the email client. The
content of the container is encrypted with a symmetric key generated uniquely
for each attachment. The symmetric content key is then encrypted with the
public key of each recipient of the ZSA. Any recipient that holds the
associated private key can then open and decrypt the ZSA container.
In the XenMobile system, there are two recipients for each ZSA: the targeted
device and Secure Mobile Gateway. Secure Mobile Gateway is a recipient because
it must be able to decrypt ZSA containers that are forwarded or sent from
devices. To process ZSA containers, Secure Mobile Gateway requires the public
key of each device and its own public and private key pair. Because the
gateway's private key opens every container the gateway has ever produced, it
must be protected at least as carefully as the device keys.
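To make the two-recipient design concrete, here is an added example in Go; it is not code from Secure Mobile Gateway or XenMobile. It models the PKCS #7 EnvelopedData structure with a hypothetical Envelope type rather than the real .zsa encoding, and it assumes RSA-OAEP for wrapping the content key and AES-256-GCM for the content, neither of which the page names. The recipient identifiers, attachment name and content are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// RecipientInfo is the per-attachment content key wrapped for one recipient,
// the role a PKCS #7 RecipientInfo plays in a real ZSA container.
type RecipientInfo struct {
	KeyID      string
	WrappedKey []byte
}

// Envelope is a simplified, hypothetical stand-in for the PKCS #7
// EnvelopedData container; it is not the real .zsa wire format.
type Envelope struct {
	Name       string          // original attachment name with ".zsa" appended
	Recipients []RecipientInfo // one entry per recipient: the device and the gateway
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

func aead(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAttachment generates a fresh symmetric key for this attachment, encrypts
// the content with it, then wraps that key with RSA-OAEP for every recipient.
// Any single recipient's private key is enough to open the result.
func SealAttachment(name string, plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	cek := make([]byte, 32) // content-encryption key, unique per attachment
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	gcm, err := aead(cek)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Name: name + ".zsa", Nonce: make([]byte, gcm.NonceSize())}
	if _, err := io.ReadFull(rand.Reader, env.Nonce); err != nil {
		return nil, err
	}
	// The container name is bound as associated data, so a container whose
	// name has been changed fails authentication instead of decrypting.
	env.Ciphertext = gcm.Seal(nil, env.Nonce, plaintext, []byte(env.Name))
	for id, pub := range recipients {
		// The OAEP label ties each wrapped key to its recipient identifier.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, []byte(id))
		if err != nil {
			return nil, err
		}
		env.Recipients = append(env.Recipients, RecipientInfo{KeyID: id, WrappedKey: wrapped})
	}
	return env, nil
}

// OpenAttachment unwraps the content key with the named recipient's private
// key and decrypts. A non-recipient, a wrong key, or a modified container
// all fail here rather than yielding garbage.
func OpenAttachment(env *Envelope, keyID string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, r := range env.Recipients {
		if r.KeyID != keyID {
			continue
		}
		cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, []byte(keyID))
		if err != nil {
			return nil, fmt.Errorf("unwrap content key for %s: %w", keyID, err)
		}
		gcm, err := aead(cek)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Name))
	}
	return nil, fmt.Errorf("%s is not a recipient of %s", keyID, env.Name)
}

func main() {
	device, _ := rsa.GenerateKey(rand.Reader, 2048)
	gateway, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := SealAttachment("budget.xlsx", []byte("Q3 figures"), // constructed sample attachment
		map[string]*rsa.PublicKey{"device-42": &device.PublicKey, "smg": &gateway.PublicKey})
	if err != nil {
		panic(err)
	}
	pt, err := OpenAttachment(env, "smg", gateway)
	fmt.Printf("%s has %d recipients; gateway read %q (err=%v)\n", env.Name, len(env.Recipients), pt, err)
}
```

The point of the structure is that the content is encrypted once and only the small content key is wrapped per recipient, so adding the gateway as a second recipient costs one extra RSA operation rather than a second copy of the attachment. The same property is what makes the gateway's private key so sensitive: it opens every container in every mailbox the gateway has served.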
Attachment encryption occurs through the interception and modification of
ActiveSync request and response data. As a plug-in within TMG, the Secure
Mobile Gateway ISAPI filter intercepts packets and re-aggregates them into
ActiveSync messages in binary XML form (WBXML). The messages are then parsed to
determine whether encryption is enabled by the configuration, which includes
checking whether the file criteria defined by Device Manager apply to any
attachments referenced by the message. If encryption is selected, the messages
are modified. Because of the encryption and the message aggregation, there is
an additional performance cost in CPU and memory use on the TMG server.
Communication Between Secure Mobile Gateway and Device Manager
Secure Mobile Gateway dynamically retrieves configuration updates from Device
Manager, including whitelist/blacklist information and encryption keys. Secure
Mobile Gateway initiates the protocol by requesting a baseline, that is, a
complete set of information about all devices known to Device Manager.
Subsequent requests ask for a delta, the set of information that has changed
since the last request. In each response, Device Manager tells Secure Mobile
Gateway when to send the next delta or baseline request (the intervals are
configurable within Device Manager). At any point in the protocol, either side
may request or force a baseline (for example, if Device Manager or Secure
Mobile Gateway restarts).
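The baseline/delta exchange, as an added Go example that is not the product's own protocol implementation. The DeviceRecord and SyncResponse shapes, the numeric version cursor, and the Restart method that models Device Manager losing its change log are all assumptions; the device records are constructed. The example shows both sides: Device Manager answering baseline and delta requests, and the gateway applying them, including the two restart cases the text mentions.

```go
package main

import "fmt"

// DeviceRecord is one entry of the device list Device Manager hands to the
// gateway (hypothetical fields; the page only names whitelist/blacklist data and keys).
type DeviceRecord struct {
	ID      string
	Allowed bool   // whitelisted (true) or blacklisted (false)
	PubKey  string // device public key, kept opaque here
	Removed bool   // in a delta: the device no longer exists
}

// SyncResponse is Device Manager's answer to a baseline or delta request.
type SyncResponse struct {
	Baseline    bool // true: replace the gateway's whole table with Records
	Version     uint64
	Records     []DeviceRecord
	NextPollSec int // when to send the next request (a configurable interval)
}

// DeviceManager keeps the current table plus the change log behind deltas;
// log[i] is the change that produced version floor+i+1.
type DeviceManager struct {
	version, floor uint64
	devices        map[string]DeviceRecord
	log            []DeviceRecord
	deltaSec       int
}

// Update records an add, change or removal as one versioned change.
func (m *DeviceManager) Update(rec DeviceRecord) {
	m.version++
	if rec.Removed {
		delete(m.devices, rec.ID)
	} else {
		m.devices[rec.ID] = rec
	}
	m.log = append(m.log, rec)
}

// Restart models Device Manager losing its in-memory change log; a gateway
// holding an older cursor is then answered with a baseline.
func (m *DeviceManager) Restart() { m.log, m.floor = nil, m.version }

func (m *DeviceManager) Baseline() SyncResponse {
	r := SyncResponse{Baseline: true, Version: m.version, NextPollSec: m.deltaSec}
	for _, rec := range m.devices {
		r.Records = append(r.Records, rec)
	}
	return r
}

// Delta returns the changes after the cursor `since`. A cursor the manager
// cannot serve (newer than its own, or older than the retained log) gets a
// baseline instead of a silently incomplete delta.
func (m *DeviceManager) Delta(since uint64) SyncResponse {
	if since > m.version || since < m.floor {
		return m.Baseline()
	}
	return SyncResponse{Version: m.version, NextPollSec: m.deltaSec,
		Records: append([]DeviceRecord(nil), m.log[since-m.floor:]...)}
}

// Gateway is the Secure Mobile Gateway side: its device table and cursor.
type Gateway struct {
	Version uint64
	Devices map[string]DeviceRecord // nil until the first baseline arrives
}

// Sync runs one round: a freshly started gateway asks for a baseline, an
// established one for a delta since its cursor, and the answer is applied.
func (g *Gateway) Sync(m *DeviceManager) SyncResponse {
	var r SyncResponse
	if g.Devices == nil {
		r = m.Baseline()
	} else {
		r = m.Delta(g.Version)
	}
	if r.Baseline {
		g.Devices = map[string]DeviceRecord{}
	}
	for _, rec := range r.Records {
		if rec.Removed {
			delete(g.Devices, rec.ID)
		} else {
			g.Devices[rec.ID] = rec
		}
	}
	g.Version = r.Version
	return r
}

func main() {
	m := &DeviceManager{devices: map[string]DeviceRecord{}, deltaSec: 60}
	m.Update(DeviceRecord{ID: "ios-1", Allowed: true, PubKey: "key-A"}) // constructed record
	g := &Gateway{}
	r := g.Sync(m) // first contact: a full baseline
	fmt.Printf("baseline=%v records=%d next=%ds\n", r.Baseline, len(r.Records), r.NextPollSec)
}
```

The check worth copying is in Delta: a cursor the manager cannot serve is answered with a baseline, never with a partial delta, because a gateway that silently misses a blacklist entry or a rotated device key would keep encrypting to stale keys or admitting a blocked device.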
Encryption File Type Selection
The criteria for selecting the types of files to be encrypted are configurable
within Device Manager and are delivered to Secure Mobile Gateway as part of the
configuration updates described above. The interface between Device Manager
and Secure Mobile Gateway supports defining the selection criteria as an
ordered set of rules, each of which defines a method of matching (for example,
all files that end with .doc or .docx) and an outcome (encrypt or do not
encrypt). The rules are evaluated in order until a match is found. General
rules can therefore be combined with exception rules (for example, all .doc
files except my.doc), provided the exception is listed before the general rule
it overrides, since the first matching rule decides. The selection criteria in
effect for a given device are viewable in the
tab of the SMG Controller Configuration
Note: Device Manager supports a single set of selection criteria that applies
to all devices.
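The first-match rule evaluation, as an added example in Go that is not Device Manager's own code. The Rule encoding (Kind, Pattern, Encrypt), case-insensitive matching, and the behaviour when no rule matches are assumptions; the rule set and file names are constructed. It goes slightly beyond the page by adding a Shadowed check that flags an exception rule placed after the general rule that swallows it, which is the mistake an ordered rule list invites.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one entry of the ordered selection criteria. Kind and Pattern are a
// hypothetical encoding of the "method of matching"; the real Device Manager
// rule format is not shown on this page.
type Rule struct {
	Kind    string // "exact": whole file name; "suffix": trailing characters; "any": every file
	Pattern string
	Encrypt bool // the rule's outcome
}

// Matches compares case-insensitively, on the assumption that attachment
// names are treated like Windows file names.
func (r Rule) Matches(name string) bool {
	n, p := strings.ToLower(name), strings.ToLower(r.Pattern)
	switch r.Kind {
	case "exact":
		return n == p
	case "suffix":
		return strings.HasSuffix(n, p)
	case "any":
		return true
	}
	return false
}

// ShouldEncrypt walks the rules in order and returns the outcome of the first
// match together with its index. With no match it returns noMatch and -1; the
// page does not say what the product does then, so the default is a parameter.
func ShouldEncrypt(rules []Rule, name string, noMatch bool) (bool, int) {
	for i, r := range rules {
		if r.Matches(name) {
			return r.Encrypt, i
		}
	}
	return noMatch, -1
}

// Shadowed reports exact-match rules that can never fire because an earlier
// rule already matches their file name: an exception listed after the general
// rule it was meant to override.
func Shadowed(rules []Rule) []int {
	var dead []int
	for j, r := range rules {
		if r.Kind != "exact" {
			continue
		}
		for _, earlier := range rules[:j] {
			if earlier.Matches(r.Pattern) {
				dead = append(dead, j)
				break
			}
		}
	}
	return dead
}

func main() {
	// Constructed rule set: encrypt Word documents except my.doc.
	rules := []Rule{
		{Kind: "exact", Pattern: "my.doc", Encrypt: false},
		{Kind: "suffix", Pattern: ".doc", Encrypt: true},
		{Kind: "suffix", Pattern: ".docx", Encrypt: true},
	}
	for _, n := range []string{"my.doc", "MY.DOC", "plan.doc", "plan.docx", "notes.txt"} {
		enc, i := ShouldEncrypt(rules, n, false)
		fmt.Printf("%-10s encrypt=%-5v rule=%d\n", n, enc, i)
	}
	// Same rules with the exception moved last: the exception is unreachable.
	misordered := []Rule{rules[1], rules[2], rules[0]}
	fmt.Println("shadowed rule indexes:", Shadowed(misordered))
}
```

Two things to keep in mind when writing real criteria: a suffix rule matches the end of the whole name, so ".doc" does not match "plan.docx" but a rule for "doc" would, and the decision for an unmatched file (encrypt or not) should be chosen deliberately rather than left to whatever the implementation defaults to.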