Deploying Windows Mobile-based Devices with Exchange Server 2003 SP2
Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2
Microsoft Corporation
Published: February 15, 2008
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveSync, Office Outlook, Visual Basic, Windows Mobile, and Windows Server are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
Introduction
Document Structure
Deploying Mobile Messaging: Introduction
Assumptions
Software Requirements
Optional Items
Deployment Process Summary
Planning Resources
Messaging and Security Feature Pack Overview
Features
Security Features
Advanced Security Features
Administering the Messaging and Security Feature Pack
Understanding the Direct Push Technology
Direct Push Technology
Network Architecture Alternatives
Deployment Options
ISA Server 2006 as an Advanced Firewall in a Perimeter Network
Deployment with ISA Server in a Perimeter Network
Deployment on a Single-Server
Forms-based Authentication
Deployment with the Exchange Front End Server in a Perimeter Network
VPN Configuration
Best Practices for Deploying a Mobile Messaging Solution
Network Configuration
Security: Authentication and Certification
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices
Deployment Process Overview
Step 1: Upgrade to Exchange Server 2003 SP2
How to Upgrade to Exchange Server 2003 SP2
Step 2: Update All Servers with Security Patches
Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server
Deploying SSL to Encrypt Messaging Traffic
Enabling SSL for the Default Web Site
Configuring Basic Authentication
Protect IIS by Limiting Potential Attack Surfaces
Step 4: Protect Communications Between the Exchange Server and Other Servers
Using IPSec to Encrypt IP Traffic
Step 5: Install and Configure ISA Server 2006 or Other Firewall
Install ISA Server 2006
Install a Server Certificate on the ISA Server Computer
Create the Exchange ActiveSync Publishing Rule
Configure ISA Server 2006 for LDAP Authentication
Set the Idle Session Timeout for All Firewalls and Network Appliances to 1800 seconds
Test Exchange Publishing Rule
Step 6: Configure and Manage Mobile Device Access on the Exchange Server
Configuring Mobile Access
Configuring Security Settings for Mobile Devices
Monitoring Mobile Performance on Exchange Server 2003 SP2
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
Download the Mobile Administration Web Tool
Step 8: Manage and Configure Mobile Devices
Setting Up a Mobile Device Connection to Exchange Server
Using the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices
Provisioning or Configuring the Windows Mobile 5.0-based Device
Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication
Configuring the Firewall for Certificate-based Authentication
Software Requirements for Certificate-Based Authentication
Downloading the Certificate Enrollment Tool
System Requirements for the Certificate Enrollment Tool
Steps to Enable Certificate-Based Authentication
Configuring Exchange Server 2003 Front-End Server
Configure Kerberos Constrained Delegation
Configure Servers to be Trusted for Delegation
Configure Windows Mobile Certificate Enrollment
Overview of Certificate Enrollment Configuration
Appendix B: Install and Configure an ISA Server 2004 Environment
Installing ISA Server 2004
Creating the Exchange ActiveSync Publishing Rule Using Web Publishing
Configuring the Hosts File Entry
Setting the ISA Server 2004 Idle Session Timeout
Testing OWA and Exchange ActiveSync
Testing OWA
Testing Exchange ActiveSync
Appendix C: Troubleshooting a Mobile Messaging Solution
Logging and Troubleshooting Tools
Monitoring Mobile Performance on Exchange Server 2003 SP2
ISA Server Best Practices Analyzer
Issues Related to Direct Push Technology
General Direct Push Troubleshooting Tips
Path Troubleshooting Direct Push
Verify Direct Push Initialization
Troubleshooting Direct Push Using Logs
Push Mail and GAL Lookup Missing When Syncing to Exchange 2003 SP2 with an MSFP Device
Issues Related to ISA Server 2006
Double Authentication Required after Upgrading from ISA Server 2004
Log Off when the User Leaves Site Feature Removed
Windows Mobile Users Receive Error 401 Unauthorized
Users Receive Access Denied Error Message
Certificate Implementation Issues on the Server
Communication Issues between the Front-end and Back-end Exchange Servers
Frequently Asked Questions
Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device
Creating the Provisioning XML to Install a Certificate to the Root Store
Creating a .cab File that Contains the Provisioning XML
Distributing the CAB Provisioning File
Introduction
This document is designed primarily for Information Technology (IT) professionals who are responsible for planning and deploying mobile messaging systems that use Microsoft Exchange Server 2003 with Service Pack 2 (SP2) and Windows Mobile–based devices that have the Messaging and Security Feature Pack (MSFP).
Document Structure
This document is divided into two main sections that include the following:
The essential elements of a mobile messaging system, including system requirements; a summary of deployment procedures; an overview of the features of the Messaging and Security Feature Pack; an introduction to direct push technology; a summary of ISA Server 2006 features; and best practices for networking, security, and device management.
The guidelines and resources for the deployment of a mobile messaging system, including upgrading to Exchange Server 2003 SP2, setting up Microsoft Exchange ActiveSync for mobile access, creating a protected communications environment, setting up an ISA Server 2006 environment, and procedures for setting up and managing mobile devices.
For current information about deploying mobile messaging solutions and managing Windows Mobile–based devices, visit the Windows Mobile Center Web site:
Deploying Mobile Messaging: Introduction
This guide provides best practices and procedures for implementing a mobile messaging system with Microsoft Exchange Server 2003 SP2 and Microsoft® Windows Mobile® devices: Windows Mobile 5.0 devices that have the Messaging and Security Feature Pack, or Windows Mobile 6 devices, which include the same functionality.
Assumptions
This document assumes that you have an understanding of Microsoft Office Outlook® Web Access, Exchange ActiveSync, Hypertext Transfer Protocol (HTTP), basic Exchange Server 2003 concepts, and basic Microsoft Windows Internet Information Services (IIS) concepts.
Software Requirements
The following table presents the operating systems and applications that are required for the recommended deployment.
Location / Software requirements
Exchange front-end server / Microsoft Exchange Server 2003 SP2, on Microsoft Windows Server 2003 with Service Pack 1 (SP1) or Microsoft Windows 2000 Server with Service Pack 4 (SP4)
Additional Exchange server(s) / Microsoft Exchange Server 2003 or later, on Microsoft Windows Server 2003 with Service Pack 1 (SP1) or Microsoft Windows 2000 Server with Service Pack 4 (SP4)
LDAP server / Windows Server 2003 or Windows 2000 Server
Exchange server where the Exchange ActiveSync Mobile Administration Web tool is installed / Microsoft Exchange Server 2003 SP2, on Microsoft Windows Server 2003 with Service Pack 1 (SP1), with Internet Information Services (IIS) 6.0
Mobile devices / Windows Mobile 5.0–based devices that have the Messaging and Security Feature Pack
Note:
Windows Mobile 5.0–based devices that have a version number of 148xx.2.x.x or later include the Messaging and Security Feature Pack. To find the operating system version on the device, select Start, choose Settings, and then select About.
Optional Items
You can implement the following optional components for additional security and device management. See Network Architecture Alternatives in this document.
Microsoft Desktop ActiveSync 4.1 or later, which can be downloaded from this Microsoft download Web site:
Microsoft Internet Security and Acceleration (ISA) Server 2006 (or ISA Server 2004 or a third-party firewall)
Windows Certification Authority (CA)
RSA Authentication Manager 6.0 from RSA Security
RSA Authentication Agent for Microsoft Windows from RSA Security
RSA SecurID Authenticator from RSA Security
Deployment Process Summary
Because corporate network configurations and security policies vary, the deployment process will vary for each mobile messaging system installation. This deployment process includes the required steps and the recommended steps for deploying a mobile messaging solution that uses Exchange Server 2003 SP2 and Windows Mobile 5.0–based devices.
Note:
The following steps outline the process for setting up a mobile messaging solution with ISA Server 2006 in a workgroup in a perimeter network, with LDAP authentication. For more information on alternative network configurations, see Network Architecture Alternatives in this document.
The process can be accomplished in the following eight steps:
Step 1: Upgrade Front-End Server to Exchange Server 2003 SP2
Step 2: Update All Servers with Security Patches
Step 3: Protect Communications with Mobile Devices
Step 4: Protect Communications Between the Exchange Server and Other Servers
Step 5: Install and Configure ISA Server 2006 or Other Firewall
Step 6: Configure Mobile Device Access on the Exchange Server
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
Step 8: Manage and Configure Mobile Devices
Planning Resources
The following Microsoft Web sites and technical articles provide background information that is important for the planning and deployment of your mobile messaging solution.
Exchange Server 2003
Planning an Exchange Server 2003 Messaging System
Exchange Server 2003 Client Access Guide
Exchange Server 2003 Deployment Guide
Windows Server 2003 Deployment Guide
Using ISA Server 2004 with Exchange Server 2003
Windows Server 2003 Technical Reference
IIS 6.0 Deployment Guide
Microsoft Exchange Server
Exchange Server 2003 Technical Documentation Library
Windows Mobile
Supporting Windows Mobile–based Devices within the Enterprise: Corporate Guidelines for Each Stage of the Device's Lifecycle (white paper)
TechNet Windows Mobile Center
ISA Server
Secure Application Publishing
Publishing Exchange Server 2003 Active Sync with ISA Server 2006
Security
Security Considerations for Windows Mobile Messaging in the Enterprise (whitepaper)
Security Model for Windows Mobile 5.0 and Windows Mobile 6 (white paper)
Windows Mobile Security Web site
TechNet Security Center
Messaging and Security Feature Pack Overview
The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.
Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack will give you the following capabilities:
With direct push technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.
You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.
You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.
You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.
Features
These MSFP features improve essential communications for mobile workers.
Direct Push Technology
The direct push technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user's mobile device. Direct push works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. It uses a long-lived HTTP or HTTPS connection that the device establishes to the Exchange server; earlier solutions notified the device through Short Message Service (SMS), which is no longer required. No special configuration is required on the mobile device, users can keep their standard data plans because the service works wherever the device has a data connection, and no additional software or server installation is required beyond Exchange Server 2003 SP2.
For an in-depth discussion of the direct push technology, see Understanding the Direct Push Technology in this document.
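The following discrete-time model is an added illustration of the point above and of the firewall idle-session timeout that Step 5 asks you to raise to 1800 seconds; it is not code from Microsoft or from this guide. It assumes the Exchange ActiveSync behaviour behind direct push: the device opens an HTTPS request that the server holds for a device-chosen heartbeat interval, answers early when a new item arrives, and otherwise answers when the interval expires, after which the device immediately issues the next request. It further assumes that a firewall or NAT device in the path silently drops a connection that carries no traffic for longer than its idle timeout, so the device waits out its full heartbeat before noticing. The mail arrival times and the 300-second comparison timeout are constructed sample input.

```python
"""Direct push requests against a firewall idle-session timeout (discrete-time model).

Added illustration, not code from Microsoft or from this guide. All times are in
seconds and nothing touches the network; the heartbeat must be greater than 0.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PingResult:
    outcome: str                  # "changes", "heartbeat_expired" or "dropped_by_firewall"
    elapsed: int                  # seconds the device spent on this request
    item_arrived: Optional[int]   # arrival time of the item delivered, if any


def hold_request(now: int, heartbeat: int, fw_timeout: int, pending: List[int]) -> PingResult:
    """One direct push request issued at time `now`; `pending` holds the arrival
    times of items the device has not synchronized yet. The server answers as
    soon as an item is waiting, otherwise when the heartbeat runs out."""
    due = [t for t in pending if t <= now + heartbeat]
    if due:
        wait = max(min(due) - now, 0)
        if wait <= fw_timeout:
            return PingResult("changes", wait, min(due))
    elif heartbeat <= fw_timeout:
        return PingResult("heartbeat_expired", heartbeat, None)
    # The line sat idle longer than the firewall allows: the connection is gone,
    # the server's eventual answer is lost, and the device learns nothing until
    # its own heartbeat timer runs out.
    return PingResult("dropped_by_firewall", heartbeat, None)


def simulate(heartbeat: int, fw_timeout: int, mail_times: List[int],
             horizon: int) -> Tuple[List[PingResult], List[int]]:
    """Run back-to-back requests until `horizon`; return every result plus the
    delivery delay of each item (seconds from arrival to the device learning of it)."""
    now, pending, results, delays = 0, sorted(mail_times), [], []
    while now < horizon:
        result = hold_request(now, heartbeat, fw_timeout, pending)
        results.append(result)
        if result.outcome == "changes":
            pending.remove(result.item_arrived)
            delays.append(now + result.elapsed - result.item_arrived)
        now += result.elapsed
    return results, delays


def summarize(heartbeat: int, fw_timeout: int, mail_times: List[int], horizon: int) -> Dict[str, int]:
    """Counts a practitioner cares about: wasted connections and worst-case mail delay."""
    results, delays = simulate(heartbeat, fw_timeout, mail_times, horizon)
    return {
        "requests": len(results),
        "dropped": sum(r.outcome == "dropped_by_firewall" for r in results),
        "delivered": len(delays),
        "max_delay": max(delays, default=0),
    }


if __name__ == "__main__":
    # Constructed scenario: two messages arrive at t=100 and t=2500 within one hour,
    # the device uses a 15-minute heartbeat. Compare the guide's 1800 s idle timeout
    # with a 300 s default commonly found on network appliances.
    mail = [100, 2500]
    print("idle timeout 1800 s:", summarize(900, 1800, mail, 3600))
    print("idle timeout  300 s:", summarize(900, 300, mail, 3600))
```

With the 300-second timeout every idle request is silently dropped, the device burns a full heartbeat on each dead connection, and the second message is not seen until 300 seconds after it arrived; with the timeout set to 1800 seconds, as the guide recommends, no request is dropped and both messages are delivered the moment they arrive.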
Exchange ActiveSync
Exchange ActiveSync is an Exchange synchronization protocol that is designed for keeping your Exchange mailbox synchronized with a Windows Mobile 5.0-based device. Exchange ActiveSync is optimized to deal with high-latency/low-bandwidth networks, and also with low-capacity clients that have limited amounts of memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is a part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:
The consistency of the familiar Outlook experience for users
No extra software is required to install or configure devices
Global functionality that is achieved via standard data access phone service
Global Address List Access
Support for over-the-air lookup of global address list (GAL) information stored on the Exchange server. With the Messaging and Security Feature Pack, mobile device users can retrieve contact properties for individuals in the GAL and search remotely for a person by name, company, or other attributes. Users get the information they need to reach their contacts without storing the data on their device.
Security Features
Security features help protect personal and corporate files on mobile devices.
Remotely Enforced Device Security Policies
Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. You can specify the minimum length of the password, require that it contain both letters and numbers, and designate how long the device can be inactive before it prompts the user for the password again.
An additional setting, wipe device after failed attempts, allows you to delete all data and certificates on the device after the user enters the wrong password a specified number of times. The user will see a series of alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens. External memory, such as a secure digital (SD) card, is not erased.
You can also specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.
The device security policies are managed from Exchange System Manager’s Mobile Services Properties interface.
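The following model is an added illustration of the policy behaviour described in this subsection and of the version note under Software Requirements; it is not code from Microsoft or from this guide. The setting names, the device capability report (an operating-system version string) and the device-side lock state machine are assumptions chosen to make the behaviour concrete; the real settings are made in Exchange System Manager and enforced by the device's own lock screen. The passwords and storage contents are constructed sample input.

```python
"""Model of the remotely enforced device security policy (added illustration).

Not code from Microsoft or from this guide: the policy fields, the compliance
check and the lock state machine are assumptions that mirror the prose.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass(frozen=True)
class DevicePolicy:
    require_password: bool = True
    min_password_length: int = 6
    require_letters_and_numbers: bool = True
    inactivity_timeout_minutes: int = 15
    wipe_after_failed_attempts: int = 8        # 0 disables the local wipe
    allow_non_compliant_devices: bool = False  # sync devices that cannot enforce the policy?


def has_msfp(os_version: str) -> bool:
    """Apply the note from Software Requirements: Windows Mobile 5.0 builds
    148xx.2.x.x or later include the Messaging and Security Feature Pack."""
    parts = os_version.split(".")
    build = int(parts[0])
    revision = int(parts[1]) if len(parts) > 1 else 0
    if build < 14800:
        return False
    if build < 14900:              # inside the 148xx range the .2 revision is required
        return revision >= 2
    return True


def password_meets_policy(password: str, policy: DevicePolicy) -> bool:
    if len(password) < policy.min_password_length:
        return False
    if policy.require_letters_and_numbers:
        return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)
    return True


def sync_allowed(policy: DevicePolicy, os_version: str) -> bool:
    """Server-side decision. A device that cannot enforce the policy is
    non-compliant and synchronizes only if the administrator allowed that."""
    if not policy.require_password:
        return True
    return has_msfp(os_version) or policy.allow_non_compliant_devices


@dataclass
class LockedDevice:
    """Device-side enforcement: count wrong passwords, warn the user, then wipe."""
    policy: DevicePolicy
    password: str
    internal_storage: Dict[str, str] = field(default_factory=dict)
    sd_card: Dict[str, str] = field(default_factory=dict)
    failed_attempts: int = 0
    wiped: bool = False

    def __post_init__(self) -> None:
        if not password_meets_policy(self.password, self.policy):
            raise ValueError("password does not meet the enforced policy")

    def unlock(self, attempt: str) -> str:
        if self.wiped:
            return "wiped"
        if attempt == self.password:
            self.failed_attempts = 0       # a correct password resets the counter
            return "unlocked"
        self.failed_attempts += 1
        limit = self.policy.wipe_after_failed_attempts
        if limit == 0:
            return "wrong"
        if self.failed_attempts >= limit:
            # Local wipe: user data, certificates and private keys in internal
            # memory are erased; external memory (the SD card) is not.
            self.internal_storage.clear()
            self.wiped = True
            return "wiped"
        # The warning dialogs described above: how many attempts remain before the wipe.
        return f"wrong: {limit - self.failed_attempts} attempt(s) left before wipe"
```

Two points the model makes explicit: a device whose build predates the MSFP cannot enforce the policy and is refused unless you deliberately allow non-compliant devices, and a local wipe leaves the SD card intact, so anything sensitive should not be on removable storage.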
Remote Device Wipe
The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device is connected using direct push technology, the wipe is initiated immediately and should complete within seconds. If you have enforced the device lock security policy, the device is already protected by a password and by local wipe, so it can still receive calls but cannot perform any operation other than to receive the remote wipe notification and report that it has been wiped.
The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:
View a list of all devices that are being used by any user.
Select or de-select devices to be remotely erased.
View the status of pending remote erase requests for each device.
View a transaction log that indicates which administrators have been delegated the ability to issue remote erase commands, in addition to the devices those commands pertained to.
Advanced Security Features
The advanced security features in MSFP can be used to meet more stringent security requirements.
Certificate-Based Authentication
If Basic authentication over SSL does not meet your security requirements and you have an existing public key infrastructure (PKI) that uses Microsoft Certificate Services, you may want to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature together with the other features described in this document, such as local device wipe and an enforced power-on password, the mobile device itself behaves much like a smart card. The private key and certificate used for client authentication are stored in memory on the device; if an unauthorized user attempts to brute-force the power-on password, all user data is purged, including the certificate and private key.
For more information, see Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download center Web site.