Deploying Windows Mobile-based Devices with Exchange Server 2003 SP2

Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

Microsoft Corporation

Published: February 15, 2008

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Office Outlook, Visual Basic, Windows Mobile, and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Contents

Introduction

Document Structure

Deploying Mobile Messaging: Introduction

Assumptions

Software Requirements

Optional Items

Deployment Process Summary

Planning Resources

Messaging and Security Feature Pack Overview

Features

Security Features

Advanced Security Features

Administering the Messaging and Security Feature Pack

Understanding the Direct Push Technology

Direct Push Technology

Network Architecture Alternatives

Deployment Options

ISA Server 2006 as an Advanced Firewall in a Perimeter Network

Deployment with ISA Server in a Perimeter Network

Deployment on a Single-Server

Forms-based Authentication

Deployment with the Exchange Front End Server in a Perimeter Network

VPN Configuration

Best Practices for Deploying a Mobile Messaging Solution

Network Configuration

Security: Authentication and Certification

Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices

Deployment Process Overview

Step 1: Upgrade to Exchange Server 2003 SP2

How to Upgrade to Exchange Server 2003 SP2

Step 2: Update All Servers with Security Patches

Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server

Deploying SSL to Encrypt Messaging Traffic

Enabling SSL for the Default Web Site

Configuring Basic Authentication

Protect IIS by Limiting Potential Attack Surfaces

Step 4: Protect Communications Between the Exchange Server and Other Servers

Using IPSec to Encrypt IP Traffic

Step 5: Install and Configure ISA Server 2006 or Other Firewall

Install ISA Server 2006

Install a Server Certificate on the ISA Server Computer

Create the Exchange ActiveSync Publishing Rule

Configure ISA Server 2006 for LDAP Authentication

Set the Idle Session Timeout for All Firewalls and Network Appliances to 1800 seconds

Test Exchange Publishing Rule

Step 6: Configure and Manage Mobile Device Access on the Exchange Server

Configuring Mobile Access

Configuring Security Settings for Mobile Devices

Monitoring Mobile Performance on Exchange Server 2003 SP2

Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool

Download the Mobile Administration Web Tool

Step 8: Manage and Configure Mobile Devices

Setting Up a Mobile Device Connection to Exchange Server

Using the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices

Provisioning or Configuring the Windows Mobile 5.0-based Device

Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication

Configuring the Firewall for Certificate-based Authentication

Software Requirements for Certificate-Based Authentication

Downloading the Certificate Enrollment Tool

System Requirements for the Certificate Enrollment Tool

Steps to Enable Certificate-Based Authentication

Configuring Exchange Server 2003 Front-End Server

Configure Kerberos Constrained Delegation

Configure Servers to be Trusted for Delegation

Configure Windows Mobile Certificate Enrollment

Overview of Certificate Enrollment Configuration

Appendix B: Install and Configure an ISA Server 2004 Environment

Installing ISA Server 2004

Creating the Exchange ActiveSync Publishing Rule Using Web Publishing

Configuring the Hosts File Entry

Setting the ISA Server 2004 Idle Session Timeout

Testing OWA and Exchange ActiveSync

Testing OWA

Testing Exchange ActiveSync

Appendix C: Troubleshooting a Mobile Messaging Solution

Logging and Troubleshooting Tools

Monitoring Mobile Performance on Exchange Server 2003 SP2

ISA Server Best Practices Analyzer

Issues Related to Direct Push Technology

General Direct Push Troubleshooting Tips

Path Troubleshooting Direct Push

Verify Direct Push Initialization

Troubleshooting Direct Push Using Logs

Push Mail and GAL Lookup Missing When Syncing to Exchange 2003 SP2 with an MSFP Device

Issues Related to ISA Server 2006

Double Authentication Required after Upgrading from ISA Server 2004

Log Off when the User Leaves Site Feature Removed

Windows Mobile Users Receive Error 401 Unauthorized

Users Receive Access Denied Error Message

Certificate Implementation Issues on the Server

Communication Issues between the Front-end and Back-end Exchange Servers

Frequently Asked Questions

Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device

Creating the Provisioning XML to Install a Certificate to the Root Store

Creating a .cab File that Contains the Provisioning XML

Distributing the CAB Provisioning File


Introduction

This document is designed primarily for Information Technology (IT) professionals who are responsible for planning and deploying mobile messaging systems that use Microsoft Exchange Server 2003 with Service Pack 2 (SP2) and Windows Mobile–based devices that have the Messaging and Security Feature Pack (MSFP).

Document Structure

This document is divided into two main sections:

The essential elements of a mobile messaging system, including system requirements; a summary of deployment procedures; an overview of the features of the Messaging and Security Feature Pack; an introduction to direct push technology; a summary of ISA Server 2006 features; and best practices for networking, security, and device management.

The guidelines and resources for the deployment of a mobile messaging system, including upgrading to Exchange Server 2003 SP2, setting up Microsoft Exchange ActiveSync for mobile access, creating a protected communications environment, setting up an ISA Server 2006 environment, and procedures for setting up and managing mobile devices.

For current information about deploying mobile messaging solutions and managing Windows Mobile–based devices, visit the Windows Mobile Center Web site:

Deploying Mobile Messaging: Introduction

This guide provides best practices and procedures for implementing a mobile messaging system with Microsoft® Windows Mobile® 6 devices and Microsoft Exchange Server 2003 SP2.

Assumptions

This document assumes that you have an understanding of Microsoft Office Outlook® Web Access, Exchange ActiveSync, Hypertext Transfer Protocol (HTTP), basic Exchange Server 2003 concepts, and basic Microsoft Windows Internet Information Services (IIS) concepts.

Software Requirements

The following table presents the operating systems and applications that are required for the recommended deployment.

Exchange front-end server
    Microsoft Exchange Server 2003 SP2
    Microsoft Windows Server 2003 with Service Pack 1 (SP1), or Microsoft Windows 2000 Server with Service Pack 4 (SP4)

Additional Exchange server(s)
    Microsoft Exchange Server 2003 or later
    Microsoft Windows Server 2003 with Service Pack 1 (SP1), or Microsoft Windows 2000 Server with Service Pack 4 (SP4)

LDAP server
    Windows Server 2003 or Windows 2000 Server

Exchange server where the Exchange ActiveSync Mobile Administration Web tool is installed
    Microsoft Exchange Server 2003 SP2
    Microsoft Windows Server 2003 with Service Pack 1 (SP1)
    Internet Information Services (IIS) 6.0

Mobile devices
    Windows Mobile 5.0–based devices that have the Messaging and Security Feature Pack

Note:

Windows Mobile 5.0–based devices that have a version number of 148xx.2.x.x or later include the Messaging and Security Feature Pack. To find the operating system version on the device, select Start, choose Settings, and then select About.

Optional Items

The following components are optional; you can add them for security and device management. See Network Architecture Alternatives in this document.

Microsoft Desktop ActiveSync 4.1 or later, which can be downloaded from this Microsoft download Web site:

Microsoft Internet Security and Acceleration (ISA) Server 2006 (or ISA Server 2004 or a third-party firewall)

Windows Certification Authority (CA)

RSA Authentication Manager 6.0 from RSA Security

RSA Authentication Agent for Microsoft Windows from RSA Security

RSA SecurID Authenticator from RSA Security

Deployment Process Summary

Because corporate network configurations and security policies vary, the deployment process will vary for each mobile messaging system installation. This deployment process includes the required steps and the recommended steps for deploying a mobile messaging solution that uses Exchange Server 2003 SP2 and Windows Mobile 5.0–based devices.

Note:

The following steps outline the process for setting up a mobile messaging solution with ISA Server 2006 in a workgroup in a perimeter network, with LDAP authentication. For more information on alternative network configurations, see Network Architecture Alternatives in this document.

The process can be accomplished in the following eight steps:

Step 1: Upgrade Front-End Server to Exchange Server 2003 SP2

Step 2: Update All Servers with Security Patches

Step 3: Protect Communications with Mobile Devices

Step 4: Protect Communications Between the Exchange Server and Other Servers

Step 5: Install and Configure ISA Server 2006 or Other Firewall

Step 6: Configure Mobile Device Access on the Exchange Server

Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool

Step 8: Manage and Configure Mobile Devices

Planning Resources

The following Microsoft Web sites and technical articles provide background information that is important for the planning and deployment of your mobile messaging solution.

Exchange Server 2003

Planning an Exchange Server 2003 Messaging System

Exchange Server 2003 Client Access Guide

Exchange Server 2003 Deployment Guide

Windows Server 2003 Deployment Guide

Using ISA Server 2004 with Exchange Server 2003

Windows Server 2003 Technical Reference

IIS 6.0 Deployment Guide (IIS 6.0)

Microsoft Exchange Server

Exchange Server 2003 Technical Documentation Library

Windows Mobile

Supporting Windows Mobile–based Devices within the Enterprise: Corporate Guidelines for Each Stage of the Device's Lifecycle (white paper)

TechNet Windows Mobile Center

ISA Server

Secure Application Publishing

Publishing Exchange Server 2003 Active Sync with ISA Server 2006

Security

Security Considerations for Windows Mobile Messaging in the Enterprise (white paper)

Security Model for Windows Mobile 5.0 and Windows Mobile 6 (white paper)

Windows Mobile Security Web site

TechNet Security Center

Messaging and Security Feature Pack Overview

The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.

Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack will give you the following capabilities:

With direct push technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.

You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.

You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.

You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.

Features

These MSFP features improve essential communications for mobile workers.

Direct Push Technology

The direct push technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user's mobile device. Direct push works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. It uses an established HTTP or HTTPS connection between the device and the Exchange server, so the Short Message Service (SMS) messages that previous solutions depended on are no longer required. No special configuration is required on the mobile device, and users can keep their standard data plan: the service works wherever standard data service is available and requires no additional software or server installations other than Exchange Server 2003 SP2.

For an in-depth discussion of the direct push technology, see Understanding the Direct Push Technology in this document.
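The following is an added illustration, not code from Microsoft or from this guide, of the connection behaviour the paragraph above describes: the device keeps one HTTP(S) request open, the server answers it only when mailbox data changes or when the device's heartbeat interval elapses, and the device immediately re-issues the request. The heartbeat interval, the folder names, the timings and the `heartbeat_is_safe` check against firewall idle timeouts (which Step 5 of this guide sets to 1800 seconds) are all assumptions made for the example; real Exchange ActiveSync traffic is not reproduced.

```python
import threading
from typing import FrozenSet, Iterable, List, Tuple


class MailboxServer:
    """Server side of the model: keeps one device request open until a folder
    changes or the device's heartbeat interval elapses (constructed model)."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._changed = threading.Event()
        self._dirty = set()

    def mailbox_changed(self, folder: str) -> None:
        """Called when new data lands in a folder (constructed trigger)."""
        with self._lock:
            self._dirty.add(folder)
            self._changed.set()

    def hold_request(self, heartbeat_s: float) -> Tuple[str, FrozenSet[str]]:
        """Hold the open HTTP(S) request. Returns ("changes", folders) as soon as
        something changes, or ("no_changes", empty set) when the heartbeat expires."""
        if not self._changed.wait(timeout=heartbeat_s):
            return ("no_changes", frozenset())
        with self._lock:
            folders = frozenset(self._dirty)
            self._dirty.clear()
            self._changed.clear()
        return ("changes", folders)


def run_device(server: MailboxServer, heartbeat_s: float,
               cycles: int) -> List[Tuple[str, FrozenSet[str]]]:
    """Device side: after every response, immediately re-issue the long-lived
    request, so one connection to the server is always held open."""
    return [server.hold_request(heartbeat_s) for _ in range(cycles)]


def heartbeat_is_safe(heartbeat_s: float, idle_timeouts_s: Iterable[float]) -> bool:
    """Every firewall or appliance on the path must keep an idle connection open
    longer than the heartbeat; otherwise the held request is torn down before
    the server can answer and the device never learns of the change."""
    return all(timeout > heartbeat_s for timeout in idle_timeouts_s)


def demo() -> List[Tuple[str, FrozenSet[str]]]:
    """Two cycles: a change arrives during the first held request, none during the second."""
    server = MailboxServer()
    threading.Timer(0.05, server.mailbox_changed, args=("Inbox",)).start()
    return run_device(server, heartbeat_s=0.3, cycles=2)


if __name__ == "__main__":
    for outcome, folders in demo():
        print(outcome, sorted(folders))
    # A 15-minute heartbeat survives the 1800-second idle timeout this guide recommends.
    print("heartbeat safe:", heartbeat_is_safe(900, [1800, 1800]))
```

The timings are shortened so the model runs in well under a second; the point is the shape of the exchange, namely that a held request is answered early by a change and late by the heartbeat, and that any device on the path with a shorter idle timeout than the heartbeat silently breaks it.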

Exchange ActiveSync

Exchange ActiveSync is the Exchange synchronization protocol designed to keep an Exchange mailbox synchronized with a Windows Mobile 5.0-based device. It is optimized for high-latency, low-bandwidth networks and for low-capacity clients with limited memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:

The consistency of the familiar Outlook experience for users

No extra software is required to install or configure devices

Global functionality, achieved over standard data phone service

Global Address List Access

Support for over-the-air lookup of global address list (GAL) information stored on the Exchange server. With the Messaging and Security Service Pack, mobile device users can receive contact properties for individuals in the GAL. These properties can be used to search remotely for a person quickly by name, company, or other attributes. Users get all of the information they need to reach their contacts without having the data stored on their device.

Security Features

Security features help protect personal and corporate files on mobile devices.

Remotely Enforced Device Security Policies

Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. You can specify the length of the password, require that it include a character or symbol, and designate how long the device has to be inactive before it prompts the user for the password again.

An additional setting, wipe device after failed attempts, allows you to delete all data and certificates on the device after the user enters the wrong password a specified number of times. The user will see a series of alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens. External memory, such as a secure digital (SD) card, is not erased.

You can also specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.

The device security policies are managed from Exchange System Manager’s Mobile Services Properties interface.
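As an added example (not Microsoft's code and not the device's real policy engine), the block below models the device-side evaluation of the policy this section describes together with the MSFP version test from the Software Requirements note: whether a build string of 148xx.2.x.x or later indicates the feature pack, whether a proposed password meets the length and character rules, whether a non-compliant device may synchronize, and the local wipe after the configured number of failed unlock attempts, which purges user data and certificates but not external storage. The policy values, the reading of "a character or symbol" as "a letter plus a digit or symbol", and the device record are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Threshold from the page's note: builds 148xx.2.x.x or later include MSFP.
MSFP_MIN_BUILD = (14800, 2)


def has_msfp(os_version: str) -> bool:
    """True when a Windows Mobile 5.0 version string indicates that the Messaging
    and Security Feature Pack is present (build 148xx.2.x.x or later)."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", os_version.strip())
    if not match:
        return False
    build, minor = int(match.group(1)), int(match.group(2))
    return (build, minor) >= MSFP_MIN_BUILD


@dataclass
class DevicePolicy:
    """The centrally defined policy from this section (values are constructed)."""
    min_password_length: int = 6
    require_character_or_symbol: bool = True  # assumed meaning: a letter plus a digit or symbol
    inactivity_timeout_min: int = 15
    wipe_after_failed_attempts: int = 8
    allow_non_provisionable: bool = False     # may devices that cannot enforce the policy sync?


@dataclass
class DeviceState:
    """Constructed device record; the certificate list stands in for on-device data."""
    os_version: str
    failed_attempts: int = 0
    wiped: bool = False
    certificates: List[str] = field(default_factory=lambda: ["client-auth-cert"])


def password_violations(password: str, policy: DevicePolicy) -> List[str]:
    """Return every rule the proposed device password breaks (empty means compliant)."""
    problems = []
    if len(password) < policy.min_password_length:
        problems.append(f"shorter than {policy.min_password_length} characters")
    if policy.require_character_or_symbol:
        has_letter = any(c.isalpha() for c in password)
        has_digit_or_symbol = any(not c.isalpha() for c in password)
        if not (has_letter and has_digit_or_symbol):
            problems.append("must contain a letter and a digit or symbol")
    return problems


def may_synchronize(device: DeviceState, policy: DevicePolicy) -> bool:
    """Devices without MSFP cannot enforce the policy, so they are non-compliant
    and synchronize only when the administrator has explicitly allowed that."""
    return has_msfp(device.os_version) or policy.allow_non_provisionable


def record_unlock_attempt(device: DeviceState, policy: DevicePolicy, correct: bool) -> str:
    """Apply the 'wipe device after failed attempts' rule. Returns 'unlocked',
    'warn:<attempts left>' while the user is being warned, or 'wiped' at the limit."""
    if device.wiped:
        return "wiped"
    if correct:
        device.failed_attempts = 0
        return "unlocked"
    device.failed_attempts += 1
    remaining = policy.wipe_after_failed_attempts - device.failed_attempts
    if remaining > 0:
        return f"warn:{remaining}"
    # Local wipe: all user data and certificates go; an SD card would be untouched.
    device.wiped = True
    device.certificates.clear()
    return "wiped"


if __name__ == "__main__":
    policy = DevicePolicy(wipe_after_failed_attempts=3)
    device = DeviceState(os_version="14847.2.0.0")
    print("MSFP present:", has_msfp(device.os_version), "may sync:", may_synchronize(device, policy))
    print("violations for 'abc':", password_violations("abc", policy))
    for _ in range(3):
        print(record_unlock_attempt(device, policy, correct=False))
    print("certificates left after wipe:", device.certificates)
```

The version test treats any build at or above 14800 with a minor of 2, or any later build number, as including the feature pack; the wipe path is why the certificate-based authentication section later in this document can treat the device as a smartcard, since a brute-force attempt on the power-on password ends with the private key gone.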

Remote Device Wipe

The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device was connected using direct push technology, the wipe process will be initiated immediately and should take place in seconds. If you have used the enforced lock security policy, the device is protected by a password and local wipe, so the device can receive calls, but will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.

The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:

View a list of all devices that are being used by any user.

Select or de-select devices to be remotely erased.

View the status of pending remote erase requests for each device.

View a transaction log that indicates which administrators have been delegated the ability to issue remote erase commands, in addition to the devices those commands pertained to.
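The block below is an added illustration, not the Mobile Administration Web tool's own code, of the bookkeeping behind the four actions just listed: only delegated administrators can issue or cancel a wipe, a request stays pending until the device reports that it has been wiped, the device picks up the command the next time it contacts the server (immediately when a direct push connection is open), and every action is recorded in a transaction log naming the administrator and the device. Administrator names, device identifiers and log wording are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class WipeRequest:
    device_id: str
    user: str
    requested_by: str
    status: str = "pending"   # pending -> wiped, or cancelled if the admin de-selects it


class RemoteWipeService:
    """Constructed model of the server-side state behind remote wipe requests."""

    def __init__(self, delegated_admins: Iterable[str]) -> None:
        self._delegated = set(delegated_admins)
        self._requests: Dict[str, WipeRequest] = {}
        self.transaction_log: List[str] = []

    def _authorize(self, admin: str, action: str, device_id: str) -> None:
        """Refuse, and log the refusal, unless the caller has been delegated wipe rights."""
        if admin not in self._delegated:
            self.transaction_log.append(f"DENIED {action} of {device_id} by {admin}")
            raise PermissionError(f"{admin} is not delegated to issue remote wipe commands")

    def request_wipe(self, admin: str, device_id: str, user: str) -> WipeRequest:
        """Select a device for remote erase."""
        self._authorize(admin, "wipe", device_id)
        request = WipeRequest(device_id, user, admin)
        self._requests[device_id] = request
        self.transaction_log.append(f"{admin} requested wipe of {device_id} (user {user})")
        return request

    def cancel_wipe(self, admin: str, device_id: str) -> None:
        """De-select a device before it has picked up the command."""
        self._authorize(admin, "cancel", device_id)
        request = self._requests[device_id]
        if request.status == "pending":
            request.status = "cancelled"
            self.transaction_log.append(f"{admin} cancelled wipe of {device_id}")

    def next_command(self, device_id: str) -> Optional[str]:
        """Called when the device contacts the server; returns 'wipe' while a
        request is pending, otherwise nothing."""
        request = self._requests.get(device_id)
        return "wipe" if request and request.status == "pending" else None

    def device_reported_wiped(self, device_id: str) -> None:
        """The device's acknowledgement closes the pending request."""
        request = self._requests[device_id]
        request.status = "wiped"
        self.transaction_log.append(f"{device_id} reported wipe complete")

    def pending(self) -> List[str]:
        """Devices with a remote erase still outstanding."""
        return [d for d, r in self._requests.items() if r.status == "pending"]


if __name__ == "__main__":
    service = RemoteWipeService(delegated_admins=["alice"])
    service.request_wipe("alice", "dev-1", "bob")
    print("pending:", service.pending(), "command for dev-1:", service.next_command("dev-1"))
    service.device_reported_wiped("dev-1")
    print("pending after acknowledgement:", service.pending())
    print("\n".join(service.transaction_log))
```

Keeping the request pending until the device acknowledges it is what lets the tool show per-device status; a device that is switched off or out of coverage simply stays in the pending list and receives the command on its next connection.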

Advanced Security Features

The advanced security features in MSFP can be used to meet more stringent security requirements.

Certificate-Based Authentication

If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smartcard. The private key and certificate for client authentication are stored in memory on the device. However, if an unauthorized user attempts a brute-force attack on the power-on password for the device, all user data is purged, including the certificate and private key.

For more information, see Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.

Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download center Web site.