Mobile Message on Exchange
8/14/2019 Mobile Message on Exchange
1/69
Step-by-Step Guide to Deploying
Microsoft Exchange Server 2003 SP2
Mobile Messaging with
Windows Mobile 5.0-based Devices
March, 2006
Applies to: Exchange Server 2003 SP2
and Windows Mobile 5.0-based Devices
with the Messaging and Security Feature Pack
DirectPush Technology requires Windows Mobile 5.0 with the Messaging and Security Feature Pack (MSFP) connected with Exchange Server 2003 Service Pack 2. Connectivity and synchronization may require separately purchased equipment and/or wireless products (e.g., WiFi card, network software, server hardware, and/or redirector software). Service plans are required for Internet, WiFi and phone access. Features and performance may vary by service provider and are subject to network limitations. See device manufacturer, service provider and/or corporate IT department for details.
Available programs, features and functionality vary by device and Windows Mobile operating system version. PowerPoint Mobile available with Windows Mobile 5.0.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
(c) 2006 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Microsoft, Active Directory, ActiveSync, BizTalk, Hotmail, JScript, MS-DOS, MSDN, MSN, Outlook, SharePoint, Visio, Visual Basic, Visual Studio, Windows, Windows Media, Windows Mobile, Windows NT, Windows Server, and Windows Server System are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Deploying Microsoft Exchange Server 2003 SP2 Mobile Messaging with Windows Mobile 5.0-based Devices ... 5
Introduction ... 5
Overview: Messaging and Security Feature Pack ... 8
Deployment Configuration and Best Practices ... 12
Deploying Exchange Server 2003 SP2 Mobile Messaging ... 17
  Deployment Process ... 17
  Step 1 - Upgrade to Exchange Server 2003 SP2 ... 18
  Step 2 - Update All Servers with Security Patches ... 18
  Step 3 - Protect Communications Between the Mobile Devices and Your Exchange Server ... 19
    Deploying SSL to Encrypt Messaging Traffic ... 19
    Backing up Server Certificates ... 24
    Single Server Configuration (Optional) ... 27
    Configuring Basic Authentication ... 27
    Require SSL Connection to the Exchange ActiveSync Web Site Directories ... 27
    Required UrlScan Settings ... 29
  Step 4 - Protect Communications Between the Exchange Server 2003 SP2 Server and Other Servers ... 32
  Step 5 - Install and Configure an ISA Server 2004 Environment or Other Firewall ... 33
    Configuring the Host File Entry ... 38
    Testing OWA and Exchange ActiveSync ... 39
    Testing OWA (If installed) ... 39
  Step 6 - Configure and Manage Mobile Device Access on the Exchange Server ... 41
    Enabling Mobile Access ... 41
    Enable Exchange ActiveSync for All Users ... 41
    Enable User-Initiated Synchronization ... 42
    Enable Up-to-date Notifications (Optional) ... 43
    Monitoring Mobile Performance on Exchange Server ... 45
  Step 7 - Install the Exchange ActiveSync Mobile Administration Web Tool ... 47
  Step 8 - Manage and Configure Mobile Devices ... 48
Appendix A. Deploying Exchange ActiveSync with Certificate-Based Authentication ... 53
  Introduction ... 53
  Configuring Certificate-Based Authentication for Exchange ActiveSync ... 53
    Exchange ActiveSync Requirements ... 53
    Kerberos Basics ... 55
  Alternative Deployment Steps for Certificate-based Authentication ... 55
    Setting up SSL for Exchange ActiveSync Virtual Directory ... 55
    Creating the Exchange ActiveSync publishing rule using tunneling ... 56
    Using Active Directory Users and Computers to Configure Kerberos-Constrained Delegation and Protocol Transitioning ... 57
  Overview of Certificate Enrollment Configuration ... 58
    Configuring the XML ... 60
    Uploading the XML to Active Directory ... 63
Appendix B. Adding a Certificate to the Root Store of a Windows Mobile-based Device ... 67
  Create the Provisioning XML to Install a Certificate to the Root Store ... 67
  Create a CAB file containing the provisioning XML ... 68
  Distributing the CAB Provisioning File ... 68
Deploying Microsoft Exchange Server 2003 SP2 Mobile Messaging with Windows Mobile 5.0-based Devices
Introduction
This document is designed primarily for Information Technology (IT) professionals who are responsible for planning and deploying mobile messaging systems that use Microsoft Exchange Server 2003 with Service Pack 2 (SP2) and Microsoft Windows Mobile-based devices that have the Messaging and Security Feature Pack.
This document is divided into two main sections that describe the following:
- The essential elements of a mobile messaging system, including requirements; a summary of deployment procedures; an overview of the features of the Messaging and Security Feature Pack; and best practices for networking, security, and device management.
- The guidelines and resources for the deployment of a mobile messaging system, including updating Exchange Server 2003 SP2, setting up Microsoft Exchange ActiveSync for mobile access, creating a protected communications environment, and procedures for setting up and managing mobile devices.
For current information on deploying mobile messaging solutions and managing Windows Mobile-based devices, visit the Windows Mobile Center Web site at: http://go.microsoft.com/fwlink/?LinkId=62636
Assumptions
This document assumes that you have an understanding of Microsoft Office Outlook Web Access, Exchange ActiveSync, Hypertext Transfer Protocol (HTTP), basic Exchange Server 2003 concepts, and basic Microsoft Windows Internet Information Services (IIS) concepts.
Requirements
The following operating systems and applications are required for successful deployment:
- Microsoft Windows 2000 Server with Service Pack 4 (SP4) or Microsoft Windows Server 2003 with Service Pack 1 (SP1) (recommended)
- Microsoft Exchange Server 2003 SP2 (includes Exchange ActiveSync)
- Microsoft Exchange ActiveSync Mobile Administration Web tool
- Microsoft Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack
- Active Directory directory service
- Internet Information Services (IIS) 6.0
Note: Windows Mobile 5.0-based devices that have a version number of 148xx.2.x.x or higher include the Messaging and Security Feature Pack. To find the operating system version on the device, click Start, choose Settings, and then click About.
Optional Items
You can implement the following components for security and device management tools. See the Best Practices section.
- The most recent version of Microsoft Desktop ActiveSync, which is available as a download from the Microsoft download Web site at http://go.microsoft.com/fwlink/?LinkId=62652.
- Microsoft Internet Security and Acceleration (ISA) Server 2004
- Windows certification authority (CA)
- RSA Authentication Manager (6.0)
- RSA Authentication Agent for Microsoft Windows
- RSA SecurID Authenticator
Deployment Process Summary
Because corporate network configurations and security policies vary, the deployment process will vary for each mobile messaging system installation. This deployment process includes the required steps and the recommended steps for deploying a mobile messaging solution that uses Exchange Server 2003 SP2 and Windows Mobile 5.0-based devices.
The process can be accomplished in the following eight steps:
Step 1 - Upgrade Front-End Server to Exchange Server 2003 SP2
Step 2 - Update All Servers with Security Patches
Step 3 - Protect Communications with Mobile Devices
Step 4 - Protect Communications between the Exchange Server and Other Servers
Step 5 - Install and Configure an ISA Server 2004 Environment or Other Firewall
Step 6 - Configure Mobile Device Access on the Exchange server
Step 7 - Install the Exchange ActiveSync Mobile Administration Web tool
Step 8 - Manage and Configure Mobile Devices
Planning Resources
The following Microsoft Web sites and technical articles provide background information that is important for the planning and deployment of your mobile messaging solution.
Exchange Server 2003
- Planning an Exchange Server 2003 Messaging System: http://go.microsoft.com/fwlink/?LinkId=62626
- Exchange Server 2003 Client Access Guide: http://go.microsoft.com/fwlink/?LinkId=62628
- Exchange Server 2003 Deployment Guide: http://go.microsoft.com/fwlink/?LinkId=62629
- Windows Server 2003 Deployment Guide: http://go.microsoft.com/fwlink/?LinkId=62630
- Using ISA Server 2004 with Exchange Server 2003: http://go.microsoft.com/fwlink/?LinkId=42243
- Windows Server 2003 Technical Reference: http://go.microsoft.com/fwlink/?LinkId=62631
- IIS 6.0 Deployment Guide (IIS 6.0): http://go.microsoft.com/fwlink/?LinkId=62632
- Microsoft Exchange Server TechCenter: http://go.microsoft.com/fwlink/?LinkId=62633
- Exchange Server 2003 Technical Documentation Library: http://go.microsoft.com/fwlink/?LinkId=62634
Windows Mobile
- Supporting Windows Mobile-Based Devices within the Enterprise: Corporate Guidelines for Each Stage of the Device's Lifecycle (paper): http://go.microsoft.com/fwlink/?LinkId=62635
- TechNet Windows Mobile Center: http://go.microsoft.com/fwlink/?LinkId=62636
Security
- Windows Mobile-based Devices and Security (paper): http://go.microsoft.com/fwlink/?LinkId=62640
- Windows Mobile Security: http://go.microsoft.com/fwlink/?LinkId=62641
- TechNet Security Center: http://go.microsoft.com/fwlink/?LinkId=62642
Overview: Messaging and Security Feature Pack
The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.
Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack will give you the following capabilities:
- With DirectPush technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.
- You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.
- You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.
- You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.
Features
DirectPush Technology
The DirectPush technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user's mobile device. DirectPush works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. The DirectPush technology uses an established HTTPS connection between the device and the Exchange server; previous solutions required the use of Short Message Service (SMS), which is no longer required.
No special configuration is required on the mobile device, and you can keep your standard data plan, since the service is world-capable and requires no additional software or server installations other than Exchange Server 2003 SP2.
Exchange ActiveSync
Exchange ActiveSync is an Exchange synchronization protocol that is designed for keeping your Exchange mailbox synchronized with a Windows Mobile 5.0-based device. Exchange ActiveSync is optimized to deal with high-latency/low-bandwidth networks, and also with low-capacity clients that have limited amounts of memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is a part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:
- The consistency of the familiar Outlook experience for users
- No extra software is required to install or configure devices
- Global functionality that is achieved via standard data access phone service
Global Address List Access
Support for over-the-air lookup of global address list (GAL) information stored on Exchange Server. With the Messaging and Security Feature Pack, mobile device users will be able to receive contact properties for individuals in the GAL. These properties can be used to search remotely for a person quickly based on name, company, and/or other property. Users will get all of the information they need to reach their contacts without having the data stored on their device.
Security Features
Remotely Enforced Device Security Policies
Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. Not only that, but you can specify the length of the password, require usage of a character or symbol, and designate how long the device has to be inactive before prompting the user for the password again.
An additional setting, wipe device after failed attempts, allows you to delete all data on the device after the user enters the wrong password a specified number of times. The user will see alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens.
Another setting allows you to specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.
The device security policies are managed from Exchange System Manager's Mobile Services Properties interface.
Remote Device Wipe
The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device was connected using DirectPush technology, the wipe process will be initiated immediately and should take place in seconds. If you have used the enforced lock security policy, the device is protected by a password and local wipe, so the device will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.
The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:
- View a list of all devices that are being used by any user.
- Select or de-select devices to be remotely erased.
- View the status of pending remote erase requests for each device.
- View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices those commands pertained to.
Advanced Security Features
Certificate-Based Authentication
If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smart card. The private key and certificate for client authentication are stored in memory on the device. However, if an unauthorized user attempts to brute force attack the power-on password for the device, all user data is purged, including the certificate and private key.
For more information, see Appendix A. Deploying Exchange ActiveSync Certificate-based Authentication.
Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download Center Web site: http://go.microsoft.com/fwlink/?LinkId=63271
Support for S/MIME Encrypted Messaging
The Messaging and Security Feature Pack for Windows Mobile 5.0 provides native support for digitally signed, encrypted messaging. When encryption with the Secure/Multipurpose Internet Mail Extensions (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.
The S/MIME control:
- Is a standard for security-enhanced e-mail messages that use a Public Key Infrastructure (PKI) to share keys
- Offers sender authentication by using digital signatures
- Can be encrypted to protect privacy
- Works well with any standards-compliant e-mail client
For guidance on how to implement the S/MIME control with Microsoft Exchange Server 2003 SP2, see the Exchange Server Message Security Guide at the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=63272.
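What the S/MIME control does with those keys, shown with the openssl command line as an added example (this is not code from the guide, the feature pack, or the S/MIME control): a message is signed with the sender's private key and verified against her certificate, a one-character change to the signed body breaks the signature, and the same message encrypted to the recipient's certificate is unreadable until decrypted with the matching private key. The user alice@example.com, the self-signed certificate that stands in for one issued by the organization's CA, and the message text are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Microsoft guide): sign, verify, encrypt and
# decrypt an S/MIME message with the openssl CLI.
# Assumptions: openssl is on PATH; alice@example.com is a hypothetical user
# whose self-signed certificate stands in for one issued by the enterprise CA.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The user's S/MIME certificate and private key (throw-away, self-signed,
# with the key usages an e-mail certificate normally carries).
make_identity() {
    [ -f "$WORK/alice.pem" ] && return 0
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Alice/emailAddress=alice@example.com" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" >/dev/null 2>&1 || return 1
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' > "$WORK/smime.ext"
    openssl x509 -req -in "$WORK/alice.csr" -signkey "$WORK/alice.key" -days 1 -sha256 \
        -extfile "$WORK/smime.ext" -out "$WORK/alice.pem" >/dev/null 2>&1
}

# Constructed sample message (not a real capture).
write_sample() {     # $1 = output file
    printf 'From: alice@example.com\nTo: bob@example.com\nSubject: quarterly numbers\n\nHello Bob, the figures are attached.\n' > "$1"
}

# Sender: clear-sign the message (multipart/signed) with the private key.
sign_message() {     # $1 = plain message, $2 = signed output
    openssl smime -sign -signer "$WORK/alice.pem" -inkey "$WORK/alice.key" \
        -in "$1" -out "$2"
}

# Recipient: check the signature and that the signer chains to a trusted
# certificate (-CAfile). Exit 0 only if both hold; the content is written to $2.
verify_message() {   # $1 = signed message, $2 = recovered content
    openssl smime -verify -CAfile "$WORK/alice.pem" -in "$1" -out "$2" >/dev/null 2>&1
}

# Change one character of the signed body, as someone in the path might.
# Because the body is covered by the signature, verification must now fail.
tamper() {           # $1 = signed message, $2 = tampered output
    sed 's/Hello/Jello/' "$1" > "$2"
}

# Encrypt to the recipient's certificate (public key; AES-256 content key).
encrypt_message() {  # $1 = plain message, $2 = enveloped output
    openssl smime -encrypt -aes256 -in "$1" -out "$2" "$WORK/alice.pem"
}

# Decrypt with the matching private key.
decrypt_message() {  # $1 = enveloped message, $2 = recovered content
    openssl smime -decrypt -recip "$WORK/alice.pem" -inkey "$WORK/alice.key" \
        -in "$1" -out "$2" 2>/dev/null
}

# Demonstration run.
make_identity || { echo "could not create the sample identity"; exit 1; }
write_sample "$WORK/msg.txt"
sign_message "$WORK/msg.txt" "$WORK/msg.signed"
verify_message "$WORK/msg.signed" "$WORK/msg.ok" && echo "signature verifies"
tamper "$WORK/msg.signed" "$WORK/msg.bad"
verify_message "$WORK/msg.bad" "$WORK/msg.bad.out" || echo "tampered copy rejected"
encrypt_message "$WORK/msg.txt" "$WORK/msg.p7m"
grep -q 'Hello Bob' "$WORK/msg.p7m" || echo "ciphertext does not contain the body"
decrypt_message "$WORK/msg.p7m" "$WORK/msg.dec" && grep -q 'Hello Bob' "$WORK/msg.dec" && echo "decrypted with the private key"
```

In the deployment the verify step is where the device's root store matters: the signer's certificate chains to the organization's CA, so the recipient device must hold that CA certificate (see Appendix B) or every signature will show as untrusted.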
Administering the Messaging and Security Feature Pack
Safeguards like password policies and remote wipe capabilities provide you with the security features to help you protect your organization's data. With the combination of the management capabilities built into Exchange Server 2003 SP2 and the security and configuration protocols included in the Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack, your control over mobile devices has been streamlined. You will see that most of the administration of the security features for the mobile device happens on the Exchange Server or on the Exchange ActiveSync Mobile Administration Web tool.
The following table summarizes the features and the settings required on the Exchange Server or on the mobile device.

Feature: Exchange DirectPush technology
  Exchange Server settings: Enabled by default with Exchange Server 2003 SP2. Protected configuration with firewall or ISA Server. Set session timeout to 30 minutes.
  Mobile device settings: No device setup required; user steps through the ActiveSync wizard upon login to the Exchange server.

Feature: Exchange ActiveSync
  Exchange Server settings: Enabled by default with Exchange Server 2003 SP2. Set parameters by using Exchange System Manager's Mobile Services Properties.
  Mobile device settings: No device setup required; user steps through the ActiveSync wizard upon login to the Exchange server.

Feature: Wireless access to global address list (GAL)
  Exchange Server settings: Default Exchange Server setup. Requires Outlook Web Access published on Exchange Server.
  Mobile device settings: No device setup required. Trusted devices have automatic access to the GAL.

Feature: Remotely enforced IT policy
  Exchange Server settings: Enable DirectPush technology in Exchange ActiveSync. Use Exchange System Manager's Mobile Services Properties to apply policies.
  Mobile device settings: No device setup required; user steps through the ActiveSync wizard upon login to the Exchange server.

Feature: Remote wipe
  Exchange Server settings: Enable DirectPush technology in Exchange ActiveSync. Use the Mobile Administration Web tool to initiate, track, and cancel the remote wipe.
  Mobile device settings: No device setup required; user steps through the ActiveSync wizard upon login to the Exchange server.

Feature: Certificate-based authentication
  Exchange Server settings: Install certificate on Exchange Servers. Deploy ActiveSync 4.1 to desktops. Use the Certificate Enrollment tool to configure the devices via ActiveSync.
  Mobile device settings: Initial certificate enrollment using Desktop ActiveSync is required.

Feature: S/MIME mobile device support
  Exchange Server settings: Deploy an Exchange Server 2003 messaging system with PKI security.
  Mobile device settings: Install certificate enrollment protocol and key on the device.
Deployment Configuration and Best Practices
Best practices for deploying a mobile messaging solution on your corporate network are recommendations to help you smooth operation of, and provide a high level of security in, your mobile messaging solution. You can determine what the best practices are for your network configuration and mobile device use.
Network Planning and Design
To design a successful Exchange Server 2003 SP2 messaging system, you must first understand the capabilities and limitations of the software and hardware upon which you will build your messaging system. Whether you are developing a new Exchange Server messaging system or upgrading from a previous Exchange implementation, you need to balance the limitations of your network infrastructure with the capabilities of your messaging system, operating system, and user software.
For more information about how to plan your messaging system, see Planning an Exchange Server 2003 Messaging System at http://go.microsoft.com/fwlink/?LinkId=62643
Best Practice: Use Front-end and Back-end Configuration for Exchange Servers
A front-end and back-end configuration is recommended for multiple-server organizations that use Exchange ActiveSync, Outlook Web Access, POP, or IMAP and want to provide HTTP, POP, or IMAP access to their employees. In this architecture, a front-end server accepts requests from clients and proxies those requests to the appropriate back-end server for processing. The front-end and back-end architecture allows the front-end server to handle the Secure Sockets Layer (SSL) encryption, thus enabling the back-end servers to increase overall e-mail performance.
Securing the messaging environment also involves disabling those features and settings for the front-end server that are not necessary in a front-end and back-end server architecture.
For more information about front-end and back-end server architecture, see Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology at http://go.microsoft.com/fwlink/?LinkId=62643
Considerations for Deployment on a Single Server
If you are deploying a mobile messaging solution that uses a single Exchange server, you may have to establish some special configurations to avoid conflicts on the virtual directory.
SSL Requirements and Forms-based Authentication
In a single-server configuration, Exchange ActiveSync accesses the Exchange virtual directory via port 80 by using Kerberos authentication. Exchange ActiveSync cannot access the Exchange virtual directory if either of the following conditions is true:
- The Exchange virtual directory is configured to require SSL.
- Forms-based authentication is configured.
For more information about, and workarounds for, these configurations, see the following article in the Microsoft Knowledge Base: Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003, http://go.microsoft.com/fwlink/?LinkId=62660
Exchange ActiveSync Mobile Administration Web Tool
When deployed in a single-server configuration, the Exchange ActiveSync Mobile Administration Web tool requires the default configuration on the ExAdmin virtual directory. By default, SSL is not turned on and the virtual directory uses Integrated Windows authentication.
In a single-server configuration, we recommend that you do the following:
- Turn off SSL Required on the ExAdmin virtual directory
- Use Integrated Windows authentication on the ExAdmin virtual directory
Note: the Exchange ActiveSync Mobile Administration Web tool should run in the ExchangeAppPool.
This is a known issue. A Knowledge Base article about this issue will be published soon.
RSA SecurID Compatibility
RSA SecurID provides token-based authentication that requires user input and was not compatible with the DirectPush technology, in which the device synchronizes automatically. RSA has updated the RSA Authentication Agent for Windows so that DirectPush technology and scheduled synchronization features function smoothly.
If you are using the RSA SecurID product, be sure to get the latest RSA SecurID software from the RSA Security Web site: http://go.microsoft.com/fwlink/?LinkId=63273.
Best Practice: Deploy ISA Server 2004 as an Advanced Firewall
As a best-practice alternative to locating your front-end Exchange servers in the perimeter network, you can deploy ISA Server 2004 as an advanced firewall. In this configuration, all of the Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. This adds an additional layer of security to your network.
All incoming Internet traffic bound to your Exchange servers (for example, Microsoft Office Outlook Web Access and RPC over HTTP communication from Outlook 2003 clients) is processed by the ISA server. When the ISA server receives a client request that is destined for an Exchange server, the ISA server terminates the connection and then proxies the request to the appropriate Exchange server on your internal network. The Exchange servers on your network then return the requested data to the ISA server, and the ISA server sends the information to the client through the Internet.
During installation of the ISA server, we recommend that you enable SSL encryption, and designate 443 as the SSL port. This leaves port 443 open as the Web listener to receive Internet traffic. We also recommend that you set up basic authentication for Exchange ActiveSync, and that you require all clients to successfully negotiate an SSL link before connecting to the Exchange ActiveSync site directories. If you follow these recommendations, the Internet traffic that flows into and out of port 443 will be more protected.
When configured in Web-publishing mode, ISA Server 2004 will provide protocol filtering and hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and pre-authentication.
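The two recommendations above (refuse plaintext to the Exchange ActiveSync virtual directory; challenge for Basic credentials only over SSL) can be checked from the client side of the ISA server. The script below is an added example and is not part of the guide or of any Microsoft tool: it classifies the raw HTTP responses a client receives on port 80 and on port 443 for /Microsoft-Server-ActiveSync. The host name mail.example.com, the root.pem trust anchor handed to curl, and the sample responses are constructed for the example; the codes it keys on are IIS 6 behaviour (403 with sub-status 403.4 when the directory requires SSL; 401 with a WWW-Authenticate: Basic header when Basic authentication is enabled).

```shell
#!/bin/sh
# Added example, not from the Microsoft guide: classify what a client sees
# when it asks for the Exchange ActiveSync virtual directory over plain HTTP
# and over HTTPS. Assumptions: mail.example.com is a hypothetical host;
# root.pem is the CA certificate curl should trust; IIS 6 answers an
# SSL-required directory with "403 Forbidden" (403.4) and a Basic-only
# directory with "401 Unauthorized" plus "WWW-Authenticate: Basic".
EAS_PATH="/Microsoft-Server-ActiveSync"

# Status code from the first line of a raw response ("" if no response).
status_of() {
    printf '%s\n' "$1" | head -n 1 | awk '{print $2}'
}

# Authentication schemes offered, one per line (IIS sends one header each).
schemes_of() {
    printf '%s\n' "$1" | grep -i '^WWW-Authenticate:' | awk '{print $2}'
}

# Verdict for a (plain-HTTP response, HTTPS response) pair:
#   OK                - port 80 refuses (403.4) or is closed; HTTPS demands Basic
#   PLAINTEXT_ALLOWED - port 80 talks (401/200): Basic credentials would cross
#                       the Internet base64-encoded, i.e. in the clear
#   ANONYMOUS         - HTTPS returned 200 with no challenge at all
#   NO_BASIC_AUTH     - HTTPS challenges, but not with Basic (e.g. only
#                       Negotiate/NTLM), which the devices cannot use
eas_verdict() {
    http_resp=$1
    https_resp=$2
    case "$(status_of "$http_resp")" in
        ''|403) ;;
        *) echo PLAINTEXT_ALLOWED; return 1 ;;
    esac
    https_status=$(status_of "$https_resp")
    if [ "$https_status" = "200" ]; then
        echo ANONYMOUS; return 1
    fi
    if [ "$https_status" = "401" ] && schemes_of "$https_resp" | grep -qi '^Basic'; then
        echo OK; return 0
    fi
    echo NO_BASIC_AUTH; return 1
}

# Live probe against a real front end (needs network; not run below).
probe_eas() {        # $1 = host name published by ISA Server
    plain=$(curl -s -i --max-time 10 "http://$1$EAS_PATH")
    secure=$(curl -s -i --max-time 10 --cacert root.pem "https://$1$EAS_PATH")
    eas_verdict "$plain" "$secure"
}

# Constructed sample responses (not captured from a real server).
RESP_SSL_REQUIRED='HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/6.0
Content-Type: text/html

<html>Forbidden: SSL is required to view this resource (403.4)</html>'
RESP_BASIC='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="mail.example.com"
Content-Length: 0
'
RESP_INTEGRATED='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0
'
RESP_ANON='HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Content-Length: 0
'

echo "port 80 -> 403.4, port 443 -> Basic:     $(eas_verdict "$RESP_SSL_REQUIRED" "$RESP_BASIC")"
echo "port 80 -> Basic, port 443 -> Basic:     $(eas_verdict "$RESP_BASIC" "$RESP_BASIC")"
echo "port 80 -> 403.4, port 443 -> NTLM only: $(eas_verdict "$RESP_SSL_REQUIRED" "$RESP_INTEGRATED")"
echo "port 80 closed,   port 443 -> anonymous: $(eas_verdict "" "$RESP_ANON")"
```

Run probe_eas against the name the ISA Web listener publishes; a PLAINTEXT_ALLOWED verdict means a device that has been pointed at the wrong URL, or downgraded by a proxy, would send its Basic credentials unencrypted.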
[Figure: an example of a recommended Exchange Server 2003 deployment for mobile messaging with ISA Server 2004.]
Best Practice: Configuring your firewall for optimal DirectPush performance
DirectPush technology requires an established connection between the server and the client. No data is sent over this connection unless there is e-mail or data to be transmitted or the device needs to reestablish its connection with the server. This means that the maximum length of the connection is determined by the lowest network timeout in the path between the device and the server.
With good network coverage, the maximum timeout will be determined by the connection timeout that is enforced by the firewalls that deal with Internet traffic to your Exchange front-end servers. If you keep the timeout very low, then you will force the device to reconnect several times, which will quickly drain its battery.
As a best practice, you should adjust the connection timeout of your firewall to ensure that DirectPush functionality works efficiently. In order to optimize battery life, we recommend a timeout period of between 15 and 30 minutes.
Security: Authentication and Certification
Security for communication between the Exchange server and client mobile devices can be increased by using Secure Sockets Layer (SSL) for encryption and server authentication and by using Web publishing to protect incoming traffic.
The following best practices will help you build a more secure mobile messaging solution.
Best Practice: Use SSL for Encryption and Server Authentication
To protect outgoing and incoming data, deploy SSL to encrypt all traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content and the identity of users, and to encrypt network transmissions. The Exchange server, just like any Web server, requires a valid server certificate to establish SSL communications.
Windows Mobile 5.0-based devices are shipped with trusted root certificates. Check with your device manufacturer for a current list of the certification authorities that shipped with your device. If you obtain a server certificate from one of those trusted certification authorities, your client mobile devices should be ready to establish SSL communications with no further configuration.
Note: Some server certificates are issued with intermediate authorities in the certification chain. If IIS is not configured to send all certificates in the chain to the mobile device during the SSL handshake, the device will not trust the certificate, because the device does not support dynamically retrieving the other certificates.
For more information about obtaining server certificates, see Obtaining and Installing Server Certificates in the Exchange Server 2003 Client Access Guide at http://go.microsoft.com/fwlink/?LinkId=62628
For more information about root certificates for mobile devices, see Appendix B. Adding Root Certificates to Windows Mobile Devices in this document.
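The note on intermediate authorities can be reproduced offline with OpenSSL. The script below is an added example, not part of the guide or of IIS: it builds a throw-away three-tier chain (a hypothetical RootCA, an IssuingCA intermediate, and a server certificate for mail.example.com), then emulates a device whose root store holds only RootCA and which, like the Windows Mobile devices described above, cannot fetch missing certificates. openssl verify is given exactly what the server sent: the leaf alone fails path building, the leaf plus the intermediate succeeds. On the server the remedy is to install the intermediate certificate in the machine's Intermediate Certification Authorities store so that IIS includes it in the handshake; the example only shows the client-side effect.

```shell
#!/bin/sh
# Added example (not from the Microsoft guide): reproduce the "intermediate
# not sent" failure with OpenSSL, offline. Assumptions: openssl is on PATH;
# RootCA, IssuingCA and mail.example.com are hypothetical names with
# throw-away keys generated here, not any real organization's PKI.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> server leaf, as a public CA would issue it.
make_chain() {
    [ -f "$WORK/leaf.pem" ] && return 0
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    # Self-signed root: the only certificate the emulated device trusts.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=RootCA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
    # Intermediate (issuing) CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=IssuingCA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1 || return 1
    # Server certificate for the Exchange front end, signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > "$WORK/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
}

# What the server presents in the handshake, in the two configurations.
presented_leaf_only() {          # intermediate missing from the server's store
    cat "$WORK/leaf.pem" > "$WORK/sent_leaf_only.pem"
    echo "$WORK/sent_leaf_only.pem"
}
presented_full_chain() {         # intermediate installed and sent
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/sent_full_chain.pem"
    echo "$WORK/sent_full_chain.pem"
}

# Emulated device: trusts root.pem only and cannot fetch anything, so the
# path must be built from what the server sent (-untrusted). Exit 0 = trusted.
device_verifies() {              # $1 = file with the certificates the server sent
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Demonstration run.
make_chain || { echo "certificate generation failed"; exit 1; }
for sent in presented_leaf_only presented_full_chain; do
    file=$($sent)
    if device_verifies "$file"; then
        echo "$sent: device trusts mail.example.com"
    else
        echo "$sent: device rejects mail.example.com (no issuer for the leaf, no AIA fetch)"
    fi
done
```

A desktop browser hides this class of problem because it downloads the missing issuer from the certificate's AIA extension; testing the published name from a device, or with a verifier that is denied that fetch as above, is what exposes it.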
Best Practice: Use Web Publishing with Basic Authentication
As a best practice, Web publishing is easier to implement and provides a higher level of security than server publishing, although larger companies that are planning to use client certificate-based authentication must implement the latter.
Server publishing, also known as tunneling, refers to network/transport-layer protection, whereas Web publishing, also known as bridging, refers to application-layer protection. Web publishing is only possible when SSL is terminated on ISA Server 2004. With server publishing, ISA Server 2004 only sees encrypted traffic, so it cannot perform tasks such as protocol hygiene that require it to analyze the contents; in that mode ISA Server 2004 only offers protection based on the network/transport layers.
The following table compares the security features of server publishing and Web publishing.

Security feature                                                  Server publishing   Web publishing
TCP SYN flood attack protection                                          X                  X
Flood/network resiliency mechanisms that are activated when
  various system and network quotas are reached; these can
  include blocking traffic, increasing delays, or releasing
  memory                                                                 X                  X
Access control based on source address, source port,
  destination address, destination port, and protocol                    X                  X
Detection and prevention of port scanning, fragment attacks,
  various TCP/IP attacks, and IP and TCP header validation               X                  X
HTTP protocol hygiene                                                                       X
HTTP session quota                                                                          X
HTTP filtering: detection of signatures in HTTP requests, often
  used to protect against zero-day attacks (for example, when
  the Web servers are not all fully patched); reduces the attack
  surface of the Web server by allowing only certain HTTP verbs,
  actions, or URLs                                                                          X
Pre-authentication and authorization: the Web server only
  receives traffic from authenticated and authorized users, so
  even if there is a vulnerability in IIS, only company employees
  can actually exploit it; without pre-authentication the Exchange
  front-end server is the first line of defense, so it must be in
  the DMZ                                                                                   X
Single sign-on (in ISA Server 2006) provides increased usability                            X
Link translation provides increased usability                                               X
Best Practice: Use Server Publishing with Certificate-based Authentication
For certificate-based authentication to work correctly with Exchange ActiveSync, the enterprise firewall must be configured to allow the Exchange front-end server to terminate the SSL connection. Web publishing will not work with certificate-based authentication.
Microsoft has provided several tools to help an Exchange administrator configure and validate client certificate authentication.
For more information, see Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.
The Exchange ActiveSync Certificate-based Authentication tool can be downloaded from the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?LinkId=62656.
Best Practice: Determine and Deploy a Device Password Policy
For the first time, Exchange Server 2003 SP2 and Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack help you to configure a central security policy that requires all mobile device users to protect their device with a password in order to access the Exchange server.
Within this central security policy, there are several attributes you can configure, including the length of the password (the default is four characters), the use of characters or symbols in the password, and how long the device can be inactive before it prompts the user for the password again. A four-character minimum is weak on its own; pair it with the wipe-after-failed-attempts setting described under Security Features so that guessing is bounded.
Once you have determined your device security policies, you can apply them by using Exchange System Manager's Mobile Services Properties. When your users connect to the Exchange server and sign in, the policies will be sent to the device. You can set the interval at which the security policies will automatically be refreshed on the devices.
For more information on setting security policies, see Configuring Security Settings for Mobile Devices in this document.
Deploying Exchange Server 2003 SP2 Mobile Messaging
For simplicity, we have documented the recommended deployment with references to alternative or optional steps. Your production environment may vary (for example, you may use another firewall), but if you read through the process for installing and configuring the ISA server, you should be able to configure your firewall to work with this deployment.
Deployment Process
The following steps summarize the process for deploying an Exchange Server 2003 SP2 mobile messaging solution.
Step 1 - Upgrade Front-End Server to Exchange Server 2003 SP2
Step 2 - Update All Servers with Security Patches
Step 3 - Protect Communications Between the Mobile Devices and Your Exchange Server
  Encrypt Messaging Traffic with Secure Sockets Layer (SSL)
  Enable SSL on the Default Web Site
  Configure Authentication: Basic Authentication (Recommended)
  RSA SecurID (Optional)
  Configure Certification Authentication (Optional)
  Protect IIS by Using UrlScan and IIS Lockdown Wizard
Step 4 - Protect Communications Between the Exchange Server and Other Servers
  Use IPSec to Encrypt IP Traffic (Recommended)
Step 5 - Install and Configure an ISA Server 2004 Environment or Other Firewall
  Create the Exchange ActiveSync Publishing Rule by Using Bridging
  Create the Exchange ActiveSync Publishing Rule by Using Tunneling (with Certificate-Based Authentication)
  Configure the Host File Entry
  Modify the Firewall Idle Session Time-out Settings to 30 Minutes
Step 6 - Configure Mobile Device Access on the Exchange Server
  Enable Exchange ActiveSync for All Users
  Enable User Initiated Synchronization
  Enable Direct Push
  Set Security Policy Settings for Mobile Devices
  Monitor Mobile Performance on Exchange Server
Step 7 - Install the Exchange ActiveSync Mobile Administration Web Tool
Step 8 - Manage and Configure Mobile Devices
  Set up Mobile Connection to Exchange Server
  Initiate and Track Remote Wipe on Mobile Devices
  Provision or Configure Mobile Devices
Step 1 - Upgrade to Exchange Server 2003 SP2
Exchange Server 2003 SP2 includes Exchange ActiveSync, the synchronization protocol that keeps the Exchange mailbox synchronized on client mobile devices. By default, Exchange ActiveSync is enabled.
Exchange Server 2003 SP2 contains new features that work with the Windows Mobile 5.0 Messaging and Security Feature Pack to help you to improve the deployment, security, and management of mobile devices.
Note: To use the Windows Mobile 5.0 Messaging and Security Feature Pack, you must upgrade your front-end Exchange server to Exchange Server 2003 SP2. Back-end mailbox servers can remain at Exchange 2003 RTM or SP1. However, we recommend that you upgrade both front-end and back-end servers to take advantage of the updates in SP2.
How to Upgrade to Exchange Server 2003 SP2
Download the Service Pack 2 for Exchange Server 2003 file from the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=62644
Follow the directions provided to upgrade your Exchange servers to SP2.
Step 2 - Update All Servers with Security Patches
To help you ensure that your mobile messaging network is strong from end to end, take this opportunity to update all of your servers.
After you install Exchange Server 2003 SP2 on your front-end server, update the server software on your other Exchange servers and on any other server that Exchange communicates with, such as your global catalog servers and your domain controllers.
For more information about updating your software with the latest security patches, see the Exchange Server Security Center Web site: http://go.microsoft.com/fwlink/?LinkId=62646
For more information about Microsoft security, see the Microsoft Security Web site: http://go.microsoft.com/fwlink/?LinkId=62649
Step 3 - Protect Communications Between the Mobile Devices and Your Exchange Server
To help protect the communications between Windows Mobile devices and your Exchange front-end server, follow these steps:
Deploy SSL to encrypt messaging traffic
Enable SSL on the default Web site
Configure basic authentication for the Exchange ActiveSync virtual directory
Note: If you plan to use Certificate Authentication instead of basic authentication, you must deploy SSL following the instructions in Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.
Note: If you are using RSA SecurID, you must update the RSA Authentication Agent.
Protect IIS by using UrlScan and IIS Lockdown Wizard
See the Best Practices section of this document for more information on authentication and certification.
Deploying SSL to Encrypt Messaging Traffic
To protect incoming and outgoing mail, deploy SSL to encrypt messaging traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content, verify the identity of users, and encrypt network transmissions.
The steps involved in configuring SSL for Exchange ActiveSync are:
1. Obtaining and Installing a Server Certificate
2. Validating Installation
3. Backing up the Server Certificate
4. Enabling SSL for the Exchange ActiveSync virtual directory
Important: To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the Runas command to run IIS Manager as an administrator. From the command prompt, type the following command:
runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"
Obtaining and Installing Server Certificates
After you obtain a server certificate, you will install the server certificate, verify the installation of the server certificate, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.
To Obtain a Server Certificate From a CA
1. Log on to the Exchange server using an Administrator account.
2. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. Double-click the Server Name to view the Web sites. Right-click Default Web Site and then click Properties.
4. Click to select the Directory Security tab. Under Secure Communications, click Server Certificate.
5. In the Welcome Web Server Certificate Wizard dialog box, click Next, click Create a new certificate, and then click Next.
6. Click Prepare the request now, but send it later, and then click Next.
7. In the Name and Security Settings dialog box, type a name for your server certificate (for example, type ), click Bit length of 1024, and then click Next.
Note: Ensure that Select cryptographic service provider is not selected.
8. In the Organization Information dialog box, type a name in the Organization text box (for example, type ) and in the Organizational unit text box (for example, type ), and then click Next.
9. In the Your Site's Common Name dialog box, type the fully qualified domain name (FQDN) of your server or cluster for Common name (for example, type ), and then click Next. This will be the domain name that your client mobile devices will access.
10. In the Geographical Information dialog box, click Country/region (for example, US), State/province (for example, ) and City/locality (for example, ), and then click Next.
11. In the Certificate Request File name dialog box, keep the default of C:\NewKeyRq.txt (where C: is the location your OS is installed), and then click Next.
12. In the Request File Summary dialog box, review the information and then click Next. You should receive a success message when the certificate request is complete.
13. Click Finish.
Next, you must request a server certificate from a valid CA. To do this, you must access the Internet or an intranet, depending on the CA you choose, by using a properly configured Web browser.
The steps detailed here are for accessing your CA Web site. For a production environment, you will probably request a server certificate from a public trusted CA over the Internet.
To Submit the Certificate Request
1. Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft CA Web site, http:///certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.
2. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded PKCS #10 file, or submit a renewal request by using a base-64 encoded PKCS #7 file.
3. On your local server, navigate to the location of the C:\NewKeyRq.txt file that you saved previously.
4. Double-click to open the C:\NewKeyRq.txt file in Notepad. Select and copy the entire contents of the file.
5. On the CA Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server.
6. Click inside the Saved Request box, paste the contents of the file into the box, and then click Submit. The contents in the Saved Request box should look similar to the following example:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
7. On the Certificate Issued page, click DER encoded, and then click Download certificate.
8. In the File Download dialog box, click Save this file to disk, and then click OK. Keep the default setting to save the file to the desktop, and click Save.
9. Close Internet Explorer.
At this point, a server certificate exists on your desktop that can be imported into the Exchange server certificate store.
Next, you must install the certificate.
To Install the Certificate
1. Start Internet Information Services (IIS) Manager and expand
2. Right-click Default Web Site, and then click Properties. In the Properties dialog box, select the Directory Security tab. Under Secure Communication, click Server Certificate.
3. In the Certificate Wizard dialog box, click Next.
4. Select Process the Pending Request and install the certificate. Click Next.
5. Navigate to, or type the location and file name for, the file containing the server certificate, certnew.txt, that is located on the desktop, and then click Next.
6. Choose the SSL port that you wish to use. Port 443 is the default and is recommended.
7. In the Certificate Summary Information dialog box, click Next, and then click Finish.
Validating Installation
To verify the installation, you can view the server certificate.
In the Properties dialog box, click Directory Security, and under Secure Communication, click View Certificate. At the bottom of the Certification dialog box, a message displays indicating that a private key is installed, if a certificate is available.
In order for the authentication to function, you must add the CA to the Trusted Root CA list.
To Add a CA to the Trusted Root CA List
1. Start Internet Explorer and type the URL for your Certificate Authority. For example, if you received your server certificate from the CA that you configured earlier, type http:///certsrv.
2. Click Download a CA certificate, certificate chain, or CRL, and then click Download CA certificate on the next page as well. In the File download dialog box, click Save this file to disk, and then click OK.
3. Type a server certificate name (for example, ) and save the file to the desktop.
4. Navigate to the desktop. Right-click the file that you created in step 3, and then click Install Certificate. In the Certificate Import Wizard dialog box, click Next.
5. Click Place all certificates in the following store, and then click Browse. Select the Trusted Root Certification Authorities folder, and then click OK.
6. Click Next. A dialog box that says that the certificate is being added to the trusted certificate store appears; click Yes to this dialog box. Click Finish, and the message "import successful" displays.
Backing up Server Certificates
You can use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can use Certificate Manager, which is called Certificates in Microsoft Management Console (MMC), to export and to back up your server certificates.
If you do not have Certificate Manager installed in MMC, you must add Certificate Manager to MMC.
To Add Certificate Manager to MMC
1. From the Start menu, click Run.
2. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
6. Click Computer Account, and then click Next.
7. Click the Local computer (the computer that this console is running on) option, and then click Finish.
8. Click Close, and then click OK.
With Certificate Manager installed, you can back up your server certificate.
To Back Up Your Server Certificate
1. Locate the correct certificate store. This store is typically the Local Computer store in Certificate Manager.
Note: When you have Certificate Manager installed, it points to the correct Local Computer certificate store.
2. In the Personal store, click the server certificate that you want to back up.
3. On the Action menu, point to All tasks, and then click Export.
4. In the Certificate Manager Export Wizard, click Yes, export the private key.
5. Follow the wizard default settings, and type a password for the server certificate backup file when prompted.
Note: Do not select Delete the private key if export is successful, because this option disables your current server certificate.
6. Complete the wizard to export a backup copy of your server certificate.
After you configure your network to issue server certificates, you must protect your Exchange front-end server and the services for your Exchange server by requiring SSL communication to the Exchange front-end server. The following section describes how to enable SSL for your default Web site.
Enabling SSL for the Default Web Site
After you obtain an SSL certificate to use either with your Exchange front-end server on the default Web site or on the Web site where you host the \RPC, \OMA, \Microsoft-Server-ActiveSync, \Exchange, \Exchweb, and \Public virtual directories, you can enable the default Web site to require SSL.
Note: The \Exchange, \Exchweb, \Public, \OMA, and \Microsoft-Server-ActiveSync virtual directories are installed by default on any Exchange Server 2003 SP2 installation. The \RPC virtual directory for RPC over HTTP communication is installed manually when you configure Exchange Server 2003 SP2 to support RPC over HTTP.
For information about how to set up Exchange Server 2003 to use RPC over HTTP, see Exchange Server 2003 RPC over HTTP Deployment Scenarios at http://go.microsoft.com/fwlink/?LinkId=62656.
To Require SSL
1. In the Internet Information Services (IIS) Manager, select the Default Web site or the Web site where you are hosting your Exchange Server 2003 services, and then click Properties.
2. On the Directory Security tab, in Secure Communications, click Edit.
3. In Secure Communications, click the Require Secure Channel (SSL) check box. Click OK.
4. Depending upon your installation, the Inheritance Overrides dialog box may appear. Select the virtual directories that should inherit the new setting, and then click OK.
5. On the Directory Security tab, click OK.
After you complete this procedure, all virtual directories on the Exchange front-end server on the default Web site are configured to use SSL.
Single Server Configuration (Optional)
If you have forms-based authentication set up on an Exchange organization for Exchange ActiveSync on an Exchange Server with no back-end, additional configurations may be required. For more information about these configurations, see the following article in the Microsoft Knowledge Base:
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
http://go.microsoft.com/fwlink/?LinkId=62660
Important: Exchange Server 2003 SP2 forms-based authentication does not allow you to set the default domain setting in IIS to anything other than the default domain setting of \. This restriction is in place in order to support user logons that use the User Principal Name format. If the default domain setting in IIS is changed, Exchange System Manager resets the default domain setting to "\" on the server. You can change this behavior by customizing the Logon.asp page in the OWA virtual directory in IIS to specify your domain or to include a list of domain names.
Note: If you customize the Logon.asp page in the OWA virtual directory in IIS, your changes may be overwritten if you upgrade or re-install Exchange Server 2003 SP2.
Configuring Basic Authentication
The Exchange ActiveSync Web site supports SSL connections as soon as the server certificate is bound to the Web site. However, users still have the option to connect to the Web site by using a non-secure connection. You can require all client mobile devices to successfully negotiate an SSL link before connecting to the Exchange ActiveSync Web site directories.
We also recommend that you enforce basic authentication on all HTTP directories that the ISA Server makes accessible to external users. In this way, you can take advantage of the ISA Server feature that enables the relay of basic authentication credentials from the firewall to the Exchange ActiveSync Web site.
Require SSL Connection to the Exchange ActiveSync Web Site Directories
This prevents all non-authenticated communications from reaching the Exchange ActiveSync Web site and significantly improves the level of security.
Note: If you plan to use Certificate Authentication instead of basic authentication, you must deploy SSL by following the instructions for configuring SSL for Exchange ActiveSync in Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.
You can repeat these steps with the /Exchange, /Exchweb, /Public, and /OMA directories found in the left pane of the IIS MMC console. This can be done to require SSL on the five Web site directories that you can make accessible to remote users:
/Exchange
/ExchWeb
/Public
/OMA
/Microsoft-Server-ActiveSync
To Require an SSL Connection to the Exchange ActiveSync Web Site Directories
1. Click Start, point to Administrative Tools and then click Internet Information Services (IIS) Manager. In Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console.
2. Right-click the Microsoft-Server-ActiveSync directory so that it is highlighted, and then click Properties.
3. Click Directory Security. In the Authentication and access control frame, click Edit.
4. In the Authentication Methods dialog box, click to clear all check boxes except for the Basic authentication (password is sent in clear text) check box. Place a check mark in the Basic authentication check box.
Note: On the back-end (mailbox) server, you must enable Integrated Windows Authentication in order for Exchange ActiveSync to work. Only disable it on the front-end Exchange server.
5. Click Yes in the dialog box that warns you that the credentials should be protected by SSL. In the Default domain text box, type in your domain name.
6. Click OK.
7. In the Exchange Properties dialog box, click Apply, and then click OK.
8. After you have required basic authentication on the directories that you have chosen, close the Internet Information Services (IIS) Manager console.
Configure or Update RSA SecurID Agent (Optional)
If you have chosen to deploy RSA SecurID as an additional security layer, you should set up your Exchange server as an Agent Host within the RSA ACE/Server's database at this point.
Note: There have been limitations between IIS 6.0 and the RSA/ACE Agent. Be sure to update your RSA/ACE Agent for better compatibility. For more information, see the RSA Security Web site at http://go.microsoft.com/fwlink/?LinkId=63273.
Protecting IIS by Using UrlScan and IIS Lockdown Wizard
Before you expose servers to the Internet, we recommend that you protect IIS by turning off all features and services except those that are required. In Windows 2003 Server, many IIS features are already disabled unless they are required by the server. On Microsoft Windows 2000 Server, you can protect IIS by downloading and running the IIS Lockdown Wizard.
For more information about how to install and use IIS Lockdown Wizard, see the following Microsoft Knowledge Base article:
How to install and use the IIS Lockdown Wizard: http://go.microsoft.com/fwlink/?LinkId=62662
The IIS Lockdown Tool (version 2.1) is available at the following Microsoft Web site:
IIS Lockdown Tool (version 2.1): http://go.microsoft.com/fwlink/?LinkId=62663
Note: To help maximize the security of your Exchange servers, apply all the required updates both before and after you apply the IIS Lockdown Wizard. The updates help the servers remain protected against known security vulnerabilities.
The IIS Lockdown Wizard helps you disable those IIS features and services that are unnecessary to the server software that you are running. To provide multiple layers of protection against attackers, the IIS Lockdown Wizard also contains UrlScan, which analyzes HTTP requests as IIS receives them and rejects any suspicious requests.
The IIS Lockdown Wizard also contains a configuration template for Exchange that turns off unwanted features and services. To use this configuration template, run the IIS Lockdown Wizard, select the Exchange template, and then change or accept the default configuration options.
Download UrlScan separately if you want to run it on Windows Server 2003 SP2. A list of UrlScan features and functionality beyond those provided by IIS 6.0 is available at http://go.microsoft.com/fwlink/?LinkId=62665
The UrlScan application is installed in the folder //system32/inetsrv/urlscan.
UrlScan must be correctly configured for use with Exchange Server 2003 SP2. For full details about how to configure UrlScan for use with Exchange Server 2003 SP2, see the following Microsoft Knowledge Base article:
Fine-tuning and known issues when you use the UrlScan tool in an Exchange Server 2003 SP2 environment: http://go.microsoft.com/fwlink/?LinkId=62666
Required UrlScan Settings
The following section contains further information about why certain UrlScan settings are required. Unless you configure the following settings in the Urlscan.ini file immediately after you run the IIS Lockdown Wizard, you may experience problems with OWA functionality. Exchange ActiveSync and OWA work in similar ways. If OWA is functioning correctly, then the basic infrastructure for Exchange ActiveSync should function correctly as well.
AllowDotInPath: Ensure that this setting is set to "1" so that OWA attachments can be accessed and that earlier-version browsers can use OWA.
FileExtensions: By default, .htr files are disabled. If this file type is disabled, the OWA Change Password feature does not function.
DenyUrlSequences: In the [DenyUrlSequences] section, sequences that are explicitly blocked can potentially affect access to OWA. Any mail item subject or mail folder name that contains any of the following character sequences is denied access:
Period (.)
Double period (..)
Period and forward slash (./)
Backslash (\)
Percent sign (%)
Ampersand (&)
If you have additional problems when you attempt OWA requests with UrlScan enabled, check the Urlscan.log file for the list of requests that are being rejected.
To Configure Urlscan.ini
1. In the Windows\System32\Inetsrv\Urlscan folder, edit the file Urlscan.ini by using Notepad.
2. Remove the following characters from the [DenyUrlSequences] section:
..
./
\
%
&
:
3. Reviewthe[AllowVerbs]sectionandmakesurethatitcontainsthefollowingVerbs:
GET
POST
PROPFIND
PROPPATCH
BPROPPATCH
MKCOL
DELETE
BDELETE
BCOPY
MOVE
SUBSCRIBE
BMOVE
POLL
SEARCH
HEAD
PUT
COPY
OPTIONS
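As an added example (not code from the original guide), the following Python script checks a Urlscan.ini against the settings listed above: AllowDotInPath, the six [DenyUrlSequences] entries to remove, the required [AllowVerbs], and whether .htr is still blocked. The two INI samples inside it are constructed; the only assumption beyond the text is that blocked extensions live in the standard [DenyExtensions] section.

```python
"""Checker for the UrlScan.ini settings this guide requires for OWA and
Exchange ActiveSync.  Added example, not code from the original Microsoft
guide; both INI samples below are constructed."""
from typing import Dict, List, Optional

# The six sequences the guide says to remove from [DenyUrlSequences].
SEQUENCES_TO_REMOVE = ["..", "./", "\\", "%", "&", ":"]

# The verbs the guide says [AllowVerbs] must contain.
REQUIRED_VERBS = [
    "GET", "POST", "PROPFIND", "PROPPATCH", "BPROPPATCH", "MKCOL",
    "DELETE", "BDELETE", "BCOPY", "MOVE", "SUBSCRIBE", "BMOVE",
    "POLL", "SEARCH", "HEAD", "PUT", "COPY", "OPTIONS",
]


def parse_urlscan_ini(text: str) -> Dict[str, List[str]]:
    """Parse UrlScan.ini into {section (lower case): [entries]}; ';' comments."""
    # List sections such as [AllowVerbs] hold bare tokens with no '=' sign,
    # so the stdlib configparser does not fit; a small hand parser is enough.
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def get_option(sections: Dict[str, List[str]], section: str,
               key: str) -> Optional[str]:
    """Return the value of key=value inside a section, or None if absent."""
    for entry in sections.get(section.lower(), []):
        name, sep, value = entry.partition("=")
        if sep and name.strip().lower() == key.lower():
            return value.strip()
    return None


def check_urlscan(text: str) -> List[str]:
    """Return every deviation from the guide's required settings (empty = OK)."""
    sections = parse_urlscan_ini(text)
    problems: List[str] = []
    if get_option(sections, "Options", "AllowDotInPath") != "1":
        problems.append("AllowDotInPath must be 1 (OWA attachments)")
    denied = sections.get("denyurlsequences", [])
    for seq in SEQUENCES_TO_REMOVE:
        if seq in denied:
            problems.append(f"[DenyUrlSequences] still blocks {seq!r}")
    allowed = {v.upper() for v in sections.get("allowverbs", [])}
    for verb in REQUIRED_VERBS:
        if verb not in allowed:
            problems.append(f"[AllowVerbs] is missing {verb}")
    # Assumed location of blocked extensions: the standard [DenyExtensions].
    if ".htr" in {e.lower() for e in sections.get("denyextensions", [])}:
        problems.append("[DenyExtensions] blocks .htr (OWA Change Password)")
    return problems


# Constructed sample resembling what the IIS Lockdown Wizard leaves behind
# (the "\\" Python escape is a single backslash in the file).
LOCKDOWN_DEFAULT_INI = """
[Options]
UseAllowVerbs=1
AllowDotInPath=0
[AllowVerbs]
GET
HEAD
POST
[DenyUrlSequences]
..   ; directory traversal
./
\\
%
&
:
[DenyExtensions]
.htr
"""

# Constructed sample: the same file after the edits the guide describes.
EXCHANGE_TUNED_INI = "\n".join(
    ["[Options]", "UseAllowVerbs=1", "AllowDotInPath=1", "[AllowVerbs]"]
    + REQUIRED_VERBS
    + ["[DenyUrlSequences]", "; six sequences removed for OWA/EAS",
       "[DenyExtensions]", ".exe"]
)

if __name__ == "__main__":
    for name, ini in (("lockdown default", LOCKDOWN_DEFAULT_INI),
                      ("exchange tuned", EXCHANGE_TUNED_INI)):
        found = check_urlscan(ini)
        print(f"{name}: {len(found)} problem(s)")
        for problem in found:
            print("  -", problem)
```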
Step 4 - Protect Communications Between the Exchange Server 2003 SP2 Server and Other Servers
After you enable the security features to help secure the communications between your client mobile devices and the Exchange front-end server, you also must protect the communications between the Exchange front-end server and the back-end servers. We recommend that you use IPSec to encrypt IP traffic.
HTTP, POP, and IMAP communications between the front-end server and any server with which the front-end server communicates (such as back-end servers, domain controllers, and global catalog servers) are not encrypted. When the front-end and back-end servers are in a trusted physical or switched network, the absence of encryption is not a concern. However, if front-end and back-end servers are kept in separate subnets, network traffic may pass over unsecured areas of the network. The security risk increases when there is greater physical distance between the front-end and back-end servers. In such cases, we recommend that this traffic be encrypted to protect passwords and data.
Using IPSec to Encrypt IP Traffic
Windows 2000 and Windows Server 2003 both support Internet Protocol security (IPSec), which is an Internet standard that allows a server to encrypt all IP traffic except IP traffic that uses broadcast or multicast IP addresses. Generally, IPSec is used to encrypt HTTP traffic; however, you can also use IPSec to encrypt Lightweight Directory Access Protocol (LDAP), RPC, POP, and IMAP traffic. With IPSec, you can:
Configure two servers that are running Windows 2000 or Windows Server 2003 to require trusted network access.
Use a cryptographic checksum on every packet to transfer data that is protected from modification.
Encrypt any traffic between the two servers at the IP layer.
In a front-end and back-end topology, you can use IPSec to encrypt traffic between the front-end and back-end servers that would otherwise not be encrypted.
For more information about configuring IPSec with firewalls, see the following Microsoft Knowledge Base article:
How to Enable IPSec Traffic Through a Firewall: http://go.microsoft.com/fwlink/?LinkId=62667
For more information about using IPSec to protect communications, consult the IPSec Information Center at http://go.microsoft.com/fwlink/?LinkId=62668
Step 5 - Install and Configure an ISA Server 2004 Environment or Other Firewall
Internet Security and Acceleration (ISA) Server 2004 is the advanced application-layer firewall, virtual private network (VPN), and Web cache solution that improves network security and performance. This section discusses steps for deployment of Exchange Server 2003 SP2 mobile messaging in an ISA environment. You can also use this information to determine what is needed if you are using another firewall service. During this process, you will:
Install ISA Server 2004
Create the Exchange ActiveSync publishing rule using Web publishing
Open Port 443 as a Web Listener
Configure the host file entry
Set the ISA Server 2004 idle session timeout to 1800 seconds (30 minutes)
Note: Increasing the timeout values maximizes performance of the Direct Push technology and optimizes device battery life.
Test OWA and Exchange ActiveSync
Note: If you plan to use Certificate Authentication, you must use Server Publishing or tunneling to create your Exchange ActiveSync publishing rule. See the instructions in Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.
Refer to the Best Practices section, Architecture of a Standard ISA Network, for background on network architecture and SSL setup.
If you have ISA Server 2000, see Using ISA Server 2000 with Exchange Server 2003 at http://go.microsoft.com/fwlink/?LinkId=62670.
Installing ISA Server 2004
Install ISA Server 2004 as a stand-alone firewall on your server. Do not install ISA Server 2004 as part of an ISA Server array, because this requires domain membership. Your ISA server should not be a member server in your Microsoft Windows forest because, if the ISA server is compromised by attacks from the Internet, the attackers can gain access to domain resources if those resources are in the same domain. Additionally, minimize the number of ports that are open to your internal network. Member servers require additional ports for activities, such as talking to domain controllers.
Note: We recommend that you set up both Exchange ActiveSync and OWA on the ISA Server. Having OWA published as well as Exchange ActiveSync will give you greater troubleshooting capabilities.
To Install ISA Server 2004
Install and configure Windows Server 2003 on the firewall computer.
After you install and configure Windows Server 2003 on the firewall computer, go to Windows Update and install all critical security hotfixes and service packs for Windows Server 2003.
Move the server to a workgroup.
Remove the server from any domains that it is a member of, and place it in a workgroup.
Install ISA Server 2004.
Export the OWA SSL Cert from the Exchange front-end OWA server to a file.
Creating the Exchange ActiveSync Publishing Rule Using Bridging
Web publishing rules determine how ISA Server 2004 intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server, and how ISA Server 2004 responds on behalf of the internal Web server.
During this process, you will be required to provide names for the publishing rule itself, the internal and external Web servers, and the Web Listener. Read through these instructions and determine appropriate names before you begin.
For more information, see Publishing Web Servers Using ISA Server 2004 at http://go.microsoft.com/fwlink/?LinkId=62672.
Note: If you plan to use Certificate Authentication, you must use Server Publishing or tunneling to create your Exchange ActiveSync publishing rule. Skip the next step and follow the instructions in Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.
After you create the Web publishing rule, you will create and configure the Web Listener, complete the Web site rule, and update the firewall policy.
To Create and Name the Exchange ActiveSync Web Publishing Rule
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.
2. Right-click the Firewall Policy node, point to New and then click Mail Server Publishing Rule.
3. On the Welcome to the New Mail Server Publishing Rule Wizard page, type a name for the rule in the Mail Server Publishing Rule name text box. Click Next.
4. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option and then click Next.
5. On the Select Services page, click to select the Exchange ActiveSync check box. Confirm that there is a check mark in the Enable high bit characters used by non-English character sets check box. (If you expect users to read only English-based character sets, you can disable this option by clicking to clear the check box.) For troubleshooting purposes, we recommend that you click to select the Outlook Web Access check box. Click Next.
6. On the Bridging Mode page, click the Secure connection to clients and mail server option, and then click Next.
7. The Secure connection to clients and mail server option creates a Web publishing rule that provides the SSL connection from the client mobile device to the Exchange Web site. This prevents the traffic from moving in the clear, where an intruder can sniff the traffic and intercept valuable information.
8. On the Specify the Web Mail Server page, type the name for the Internal Web site in the mail server text box, and then click Next.
9. This is the name used for the Exchange Server 2003 Web site on the internal network. The name in the request that the ISA Server 2004 firewall sends to the Exchange server on the internal network should be the same as the name on the certificate that is installed on the Exchange ActiveSync Web site.
10. On the Public Name Details page, click the This domain name (type below): option in the Accept requests for list. In the Public name box, type the name that external users will use to access the Exchange ActiveSync Web site, and then click Next.
All incoming Web requests must be received by a Web Listener. A Web Listener may be used in multiple Web publishing rules.
To Create the Web Listener
1. On the Select Web Listener page, click New. With the ISA Server 2004 Web Listener, you have several options:
You can create a separate Web listener for SSL and non-SSL connections on the same IP address.
Based on the number of addresses that are bound to the external interface of the ISA Server 2004 firewall, you can configure separate settings for each listener. The Web Listener settings are not global.
2. On the Welcome to the New Web Listener Wizard page, type a name for the Web Listener in the Web listener name text box, and then click Next.
3. On the IP Addresses page, select the External check box, and then click Address.
4. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the select network option. In the Available IP Addresses list, click the external IP addresses that are on the ISA Server 2004 firewall and that you want to listen for incoming requests to the OWA Web site, and then click Add. The external IP addresses that you selected now appear in the Selected IP Addresses list. Click OK.
5. OntheIPAddressespage,clickNext.
6. OnthePortSpecificationpage,clicktocleartheEnableHTTPcheckbox,selecttheEnableSSLcheckbox,andleavetheSSLportnumberat443.
NoteByconfiguringthisWeblistenertouseonlySSL,youcanconfigurea
secondWeblistenerthatisdedicatedfornon-SSLconnectionswithdifferentsettings.
7. ClickSelect.IntheSelectCertificatedialogbox,clicktheExchangeActiveSyncWebsitecertificatethatyouimportedintotheISAServer2004firewallcomputerscertificatestore,andclickOK.
NoteThiscertificatewillappearintheSelectCertificatedialogboxonlyafteryou
haveinstalledtheWebsitecertificateintotheISAServer2004firewallcomputerscertificatestore.Inaddition,thecertificatemustcontaintheprivatekey.Iftheprivatekeywasnotincluded,itwillnotappearinthislist.
8. OnthePortSpecificationpage,clickNext.9. OntheCompletingtheNewWebListenerpage,clickFinish.
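The listener depends on two properties of the certificate in the firewall computer's store: its name must match the internal Exchange ActiveSync site name used in the rule (step 9 above), and it must carry its private key (the note above). The following PowerShell script is an added example, not part of this guide or of the ISA Server product, that checks both before you open the Select Certificate dialog box. It assumes the certificate was imported into the local computer's Personal store, and the site name owa.example.internal is a placeholder that you replace with the name you typed for the internal Web site.

```powershell
# Added example, not from the guide: check the certificate in the firewall's computer store
# before selecting it for the SSL Web listener.
# Assumptions: the certificate was imported into LocalMachine\My; $InternalSiteName is a
# placeholder for the internal Exchange ActiveSync site name used in the publishing rule.
param(
    [string]$InternalSiteName = 'owa.example.internal'   # placeholder
)

function Get-CertDnsNames {
    # Returns every DNS name a certificate is issued to: the subject CN plus any
    # Subject Alternative Name entries (extension OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names
}

$matching = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-CertDnsNames $_) -contains $InternalSiteName }

if (-not $matching) {
    Write-Warning "No certificate in LocalMachine\My is issued to '$InternalSiteName'. Import the Web site certificate (including its private key) first."
    return
}

foreach ($cert in $matching) {
    $problems = @()
    # Without the private key the certificate never appears in the Select Certificate list.
    if (-not $cert.HasPrivateKey) { $problems += 'private key missing' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter.ToShortDateString())" }
    if ($cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
    if ($problems.Count -eq 0) {
        "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) is usable for the SSL listener"
    } else {
        "PROBLEM: $($cert.Subject) - " + ($problems -join '; ')
    }
}
```

Run the script on the ISA Server 2004 firewall computer. A certificate reported with "private key missing" was exported without the key and must be re-exported from the Exchange server with the private key included; a name mismatch means the listener would present a certificate the firewall-to-Exchange request does not match, which the guide's step 9 warns against.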
The next step is to configure the Web Listener so that no authentication methods are configured.
To Configure the Web Listener
1. The details of the Web Listener now appear on the Select Web Listener page. Click Edit.
2. In the SSL Listener Properties dialog box, click the Preferences tab.
3. On the Preferences tab, click Authentication.
4. In the Authentication dialog box, click to clear the Integrated check box. In the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured, click OK. Do not select the OWA Forms-Based Authentication check box.
5. In the SSL Listener Properties dialog box, click Apply, and then click OK.
6. On the Select Web Listener page, click Next.
7. On the User Sets page, accept the default entry All Users, and then click Next.
Note Accepting the All Users default entry does not enable all users to access the Exchange Web site. Only users who can authenticate successfully will be able to access the Exchange Web site. The actual authentication is done by the Exchange Web site, which uses the credentials that the ISA Server 2004 firewall has forwarded to it. The ISA Server 2004 firewall and the Exchange Web site cannot both authenticate the user. This means that you must allow All Users access to the rule. An exception to this rule is when users authenticate to the ISA Server 2004 firewall itself by using client certificate authentication.
8. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
As a final step, you will allow the Exchange Web site to receive the actual IP address of the mobile device.
To Complete the Web Site Rule and Update the Firewall Policy
1. Right-click the EAS Web site rule in the Details pane of the ISA Server Management console, and then click Properties.
2. In the Web site Properties dialog box, click the To tab. On the To tab, click the Requests appear to come from the original client option. This option allows the Exchange Web site to receive the actual IP address of the external client mobile device. This feature enables Web logging add-ons installed on the OWA Web site to use this information when creating reports.
3. Click Apply, and then click OK.
4. Click Apply to save the changes and update the firewall policy.
5. In the Apply New Configuration dialog box, click OK.
The SSL Web site is now available on the external IP address of the ISA server. You may have to make host record changes on your externally-accessible DNS server to map the IP address of the ISA server's external interface to the host record of the SSL Web site.
Configuring the Host File Entry
The next step is to create a HOSTS file entry on the ISA Server 2004 firewall computer so that it resolves the name that you specified for your internal Web mail server to the IP address of the Exchange server that is on the Internal network.
Note You could also use a split DNS infrastructure for this purpose. However, a HOSTS file entry is easier to create. On a production network, you would create a split DNS infrastructure so that the ISA Server 2004 firewall would resolve the FQDN of the OWA Web site to the IP address that the Exchange Server uses on the internal network.
To Configure the Host File Entry
1. Click Start, and then click Run. In the Run dialog box, type Notepad in the Open text box, and then click OK.
2. Click the File menu, and then click Open. In the Open dialog box, type c:\windows\system32\drivers\etc\hosts in the File name text box, and then click Open.
3. Add the following line to the HOSTS file: 10.0.0.2
4. Navigate your cursor to the end of the line so that the insertion point sits on the next line, and then press Enter.
5. Click File, and then click Exit.
6. In Notepad, save the changes to the file, and then close Notepad.
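Whether you use the HOSTS file or the split DNS that the note recommends for production, what matters is that the firewall resolves the internal site name to the Exchange server's internal address and not to the firewall's own external interface. The following PowerShell script is an added example, not part of this guide, that adds the HOSTS entry without duplicating it, warns if the name is already mapped to a different address, and then checks what the firewall actually resolves the name to. The site name owa.example.internal is a placeholder; 10.0.0.2 is the address used in step 3 above.

```powershell
# Added example, not from the guide: add the HOSTS entry on the ISA Server 2004 computer
# idempotently and confirm the internal site name resolves to the Exchange server's
# internal address. $SiteName is a placeholder for your internal Web mail name; 10.0.0.2 is
# the address the guide uses. Run from an elevated PowerShell prompt (HOSTS is protected).
param(
    [string]$SiteName   = 'owa.example.internal',   # placeholder
    [string]$InternalIp = '10.0.0.2'
)
$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'

# Collect the addresses the file already maps to this name, ignoring comments, so we
# neither duplicate the entry nor leave a stale mapping in place.
$existing = foreach ($line in (Get-Content $hostsPath)) {
    $body = ($line -split '#')[0].Trim()
    if ($body -eq '') { continue }
    $parts = $body -split '\s+'
    if ($parts.Count -ge 2 -and ($parts[1..($parts.Count - 1)] -contains $SiteName)) {
        $parts[0]
    }
}

if ($existing -contains $InternalIp) {
    "HOSTS already maps $SiteName to $InternalIp"
} elseif ($existing) {
    Write-Warning "HOSTS maps $SiteName to $($existing -join ', ') instead of $InternalIp; fix the stale entry before continuing"
} else {
    # Leading newline guards against a file whose last line has no line ending.
    Add-Content -Path $hostsPath -Value "`r`n$InternalIp`t$SiteName"
    "Added: $InternalIp $SiteName"
}

# Verify what the firewall itself resolves. If the name resolved to the ISA server's own
# external address, published requests would be sent back to the firewall instead of to
# Exchange on the internal network.
$resolved = [System.Net.Dns]::GetHostAddresses($SiteName) |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -contains $InternalIp) {
    "Resolution OK: $SiteName -> $InternalIp"
} else {
    Write-Warning "$SiteName resolves to $($resolved -join ', '), not $InternalIp"
}
```

The resolution check is useful on its own after you move to split DNS: run it with the HOSTS entry removed and it tells you whether the internal DNS zone answers with the internal address.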
Testing Exchange ActiveSync
You can configure a mobile device to connect to your Exchange server by using Exchange ActiveSync to make sure that ISA Server 2004 and Exchange ActiveSync are working properly.
As an alternative, you can test Exchange ActiveSync by using Internet Explorer.
To Test Exchange ActiveSync by Using Internet Explorer
1. Open Internet Explorer. In the Address bar, type https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of your OWA server (the name your end users will type).
2. Type the user name and password that you want to authenticate with.
3. If you receive an Error 501/505 "Not implemented" or "Not supported" error message, ISA Server 2004 and Exchange ActiveSync are working together properly.
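The browser test above can be repeated from a script so that it is run the same way after every firewall or certificate change. The following PowerShell script is an added example, not part of this guide, that sends three requests to the published URL: an anonymous HTTPS request, which should be refused with a 401 (the browser's credential prompt in step 2 is the visible form of that reply); an authenticated HTTPS request, which should give the 501 or 505 reply that step 3 describes; and a plain HTTP request, which the SSL-only listener you created should not answer. The name mail.example.com and the credential you are prompted for are placeholders.

```powershell
# Added example, not from the guide: script the Exchange ActiveSync connectivity test.
# $PublishedName is a placeholder for the published server name (the name end users type).
param(
    [string]$PublishedName = 'mail.example.com',   # placeholder
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

function Get-EasStatus {
    # Returns the HTTP status code for a GET to $Url, whether the server answered with
    # success or with an error status. Transport failures (connection refused, untrusted
    # certificate) are rethrown so they are never mistaken for an HTTP reply.
    param([string]$Url, [System.Net.ICredentials]$Creds)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = 'GET'
    $req.Timeout = 15000
    if ($Creds) { $req.Credentials = $Creds }
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$url = "https://$PublishedName/Microsoft-Server-ActiveSync"

# 1. Anonymous request: Exchange must demand credentials before doing anything else.
$anon = Get-EasStatus -Url $url -Creds $null

# 2. Authenticated request: 501/505 means ISA Server and Exchange ActiveSync are talking.
$auth = Get-EasStatus -Url $url -Creds $Credential.GetNetworkCredential()

# 3. Plain HTTP: the listener was created SSL-only, so nothing should answer on port 80.
$httpAnswered = $true
try {
    $null = Get-EasStatus -Url "http://$PublishedName/Microsoft-Server-ActiveSync" -Creds $null
} catch {
    $httpAnswered = $false
}

"Anonymous HTTPS:     $anon (expect 401)"
"Authenticated HTTPS: $auth (expect 501 or 505)"
"Plain HTTP answered: $httpAnswered (expect False)"
```

Run it from a client that trusts the certificate's issuing authority. A trust failure surfaces as a WebException with no HTTP response and stops the script; do not work around that by disabling certificate validation, because it would hide exactly the kind of mismatch the earlier certificate steps are meant to prevent. If the plain HTTP probe is answered, another listener or rule on the firewall is serving port 80 for that name and should be reviewed.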
Step 6 - Configure and Manage Mobile Device Access on the Exchange Server
The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. With the combination of the management capabilities and the security and configuration protocols, most of the administration of the mobile devices happens on the Exchange Server or on the Mobile Administration Web tool.
You can do the following on your Exchange Server:
Enable mobile access
Configure security settings
Monitor mobile performance on your Exchange server
Enabling Mobile Access
With your network configured, you can use the Exchange Server System Manager to do the following:
1. Enable Exchange ActiveSync for All Users
2. Enable User Initiated Synchronization
3. Enable Direct Push for All Users
4. Enable Up-to-date Notifications (Optional)
Enable Exchange ActiveSync for All Users
To enable and disable Exchange ActiveSync for your organization, use Exchange System Manager. With the Exchange Server 2003 SP2 installation, Exchange ActiveSync is enabled for all client mobile devices.
However, whenever you add new users to your organization and you want to enable them to use Exchange ActiveSync to access Exchange, use Active Directory Users and Computers to modify the settings for a user or group of users.
The Exchange ActiveSync feature allows users to synchronize their Exchange information with a mobile device.
To Enable Exchange ActiveSync for All Users
1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.
Enable Up-to-date Notifications (Optional)
If you have an existing mobile messaging setup that includes devices that do not support Direct Push technology, you may want to enable this function.
Enabling up-to-date notifications for your mailbox-enabled recipients allows them to keep the data on their wireless devices up to date. Use the Exchange Features tab to enable this functionality for each user.
Note To use up-to-date notifications, you must also enable user initiated synchronization.
To Enable Up-to-date Notifications
1. On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, expand the domain. Double-click Users, or double-click the node that contains the recipient information you want to modify.
3. In the details pane, double-click the user for whom you want to enable up-to-date notifications.
4. On the Exchange Features tab, under Mobile Services, ensure that User Initiated Synchronization is enabled.
5. Under Mobile Services, select Up-to-date Notifications, and then click Enable.
Configuring Security Settings for Mobile Devices
You can specify security options for your users who connect to Exchange Server using mobile devices. With the Exchange System Manager, you can set the password length and strength as well as control the inactivity time and number of failed attempts before the device is wiped.
For more information about setting security policies, see Best Practice: Determine and Deploy a Device Password Policy in this document.
Note The term password referenced in this topic refers to the password a user enters to unlock his or her mobile device. It is not the same as a network user password.
The following are the options you can use to set your security policies:
Minimum password length (characters) Use this option to specify the required length of the user's device password. The default setting is 4 characters. You can specify a password length of 4 to 18 characters.
Require both numbers and letters Use this option if you want to require that users choose a password with both numbers and letters. This option is not selected by default.
Inactivity time (minutes) Use this option to specify if you want your users to log on to their devices after a specified number of minutes of inactivity. This option is not selected by default. If selected, the default setting is 5 minutes.
Wipe device after failed (attempts) Use this option to specify if you want the device memory wiped after multiple failed logon attempts. This option is not selected by default. If selected, the default setting is 8 attempts.
Refresh settings on the device (hours) Use this option to specify how often you want to send a provision request to devices. This option is not selected by default. If selected, the default setting is every 24 hours.
Allow access to devices that do not fully support password settings Select this option if you want to allow devices that do not fully support the device security settings to be able to synchronize with Exchange Server. This option is not selected by default.
Note If this option is not selected, devices that do not fully support device security settings (for example, devices that do not support provisioning) will receive a 403 error message when they attempt to synchronize with Exchange Server.
To Configure Security Settings for Mobile Devices
1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.
3. In Mobile Services Properties, click Device Security.
4. To specify the device security options, select Enforce password on device, and then configure the options according to the policies you have set.
5. Click OK.
You can specify the users who you want to be exempt from the settings that you have configured in the Device Security Settings dialog box. This exceptions list is useful if you have specific, trusted users of whom you do not need to require device security settings.
To Specify the Users Who are Exempt from Device Security Settings
1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.
3. In Mobile Services Properties, click Device Security.
4. In Device Security Settings, click Exceptions.
5. Use the options in the Device Security Exception List dialog box to select the user or group of users who you want to be exempt from settings that you have configured in the Device Security Settings dialog box.
6. To specify that a user be exempt from device security settings, click Add. In Select User, specify a user or group of users, and then click OK. For information about how to specify users, in the Select Users dialog box, click ? in the title bar, and then click the option you want to learn more about.
You can download the Exchange Management Pack from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=55885.
The Exchange Server Management Pack Guide for MOM 2005 explains how to use the Exchange Management Pack to monitor and maintain messaging resources.
You can download the management pack guide from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=58794.
Step 7 - Install the Exchange ActiveSync Mobile Administration Web Tool
The Microsoft Exchange ActiveSync Mobile Administration Web tool enables administrators to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices.
By using the Exchange ActiveSync Mobile Administration Web tool, administrators can perform the following actions:
View a list of all devices that are being used by any enterprise user.
Select or cancel the selection of devices to be remotely erased.
View the status of pending remote erase requests for each device.
View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices that those commands pertained to.
Download the Tool
The Exchange ActiveSync Mobile Administration Web tool is available for download from the following Tools for Exchange Server 2003 Web site: http://go.microsoft.com/fwlink/?LinkId=54738.
Installing the Mobile Administration Web tool
To install the Exchange ActiveSync Mobile Administration Web tool on a front-end server that runs Exchange Server 2003 SP2, run the .msi package. The installation package creates the MobileAdmin virtual directory, through which the tool can be accessed.
When installed correctly, the Exchange ActiveSync Mobile Administration Web tool is available from any remote computer that has an Internet browser that can access the virtual directory associated with the tool. However, to access the Exchange ActiveSync Mobile Administration Web tool from the same computer upon which it is installed, you must use one of the following approaches:
Add the server name to the Local intranet list for Internet Explorer: In Internet Explorer, click Tools, click Internet Options, click Security, click Local intranet, and then click Sites.
Use localhost as the server name when specifying the MobileAdmin URL in the browser (for example, https://localhost/mobileAdmin).
Adding Administrators
By default, access to the Exchange ActiveSync Mobile Administration Web tool is restricted to Exchange administrators and to local administrators. A user from either of these groups can enable additional users to access the tool by modifying the security settings on the MobileAdmin folder in the installation directory. You make this change by right-clicking the folder, and then selecting Sharing & Security, which displays the Security properties dialog box for the folder.
By using this user interface, an administrator can add a user or group by clicking Add and then entering the name of the user or group to which the administrator wants to grant access. Similarly, a user or group can be removed by selecting that user or group and then clicking Remove.
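Because anyone allowed on the MobileAdmin folder can issue a remote wipe, the folder's access list is worth reviewing periodically, not only when someone is added. The following PowerShell script is an added example, not part of this guide or of the tool, that lists every principal currently allowed on the folder and, when run with -Grant, adds one group. The folder path C:\PLACEHOLDER\MobileAdmin and the group CONTOSO\EAS Wipe Operators are placeholders; that Read & execute on the folder is sufficient for the tool is an assumption (the guide does not state which rights are needed).

```powershell
# Added example, not from the guide: audit who may reach the MobileAdmin folder and, on
# request, grant one group access to it.
# Placeholders: $MobileAdminPath (your install location) and $Group (your wipe operators).
# Assumption: ReadAndExecute on the folder is enough to use the tool; adjust if your
# installation needs more.
param(
    [string]$MobileAdminPath = 'C:\PLACEHOLDER\MobileAdmin',   # placeholder
    [string]$Group           = 'CONTOSO\EAS Wipe Operators',    # placeholder
    [switch]$Grant
)

$acl = Get-Acl -Path $MobileAdminPath

# Every Allow entry here is a principal who can open the tool and start a wipe.
'--- Principals currently allowed on MobileAdmin ---'
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Inherited entries come from the parent folder; an unexpectedly broad one (for
# example Users or Everyone) means the parent's ACL, not this folder's, needs fixing.
$inheritedBroad = $acl.Access | Where-Object {
    $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -match '\\(Users|Everyone|Authenticated Users)$')
}
if ($inheritedBroad) {
    Write-Warning "Broad inherited access found: $(($inheritedBroad | ForEach-Object { $_.IdentityReference.Value }) -join ', ')"
}

if ($Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $MobileAdminPath -AclObject $acl
    "Granted ReadAndExecute on $MobileAdminPath to $Group"
}
```

Run it without -Grant from a scheduled job or before an access review to get the current list; run it with -Grant only from an account that is already an Exchange administrator or local administrator, as the guide requires. Granting to a group rather than to individual users keeps the folder's ACL stable and moves membership changes into Active Directory, where they are logged.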
Step 8 - Manage and Configure Mobile Devices
As a Systems Administrator using Exchange Server 2003 SP2, you now have tools with which to set and enforce your mobile device security policies. You can also control some features on the mobile devices by using provisioning tools.
This section provides instructions and pointers for doing the following administrative tasks:
Set Up a Connection to Exchange Server
Initiate and Track Remote Wipe on Mobile Devices
Provision or Configure Mobile Devices
Setting Up a Connection to Exchange Server
Your users can use ActiveSync to partner their Windows Mobile 5.0-based device with an Exchange server by using a USB cable from a desktop computer that is connected to your network. Or they can connect to the Exchange server directly from the device if it has phone or Wi-Fi capability.
Note You may want to point your users to the step-by-step instructions for using ActiveSync and other features on Smartphones and Pocket PCs available at http://go.microsoft.com/fwlink/?LinkId=37728.
Connecting to Exchange Server Using a Desktop Computer
The ActiveSync Wizard will walk your users through the synchronization process.
Important Before a USB sync connection can be made, ActiveSync must be installed on the user's desktop computer. An ActiveSync setup disk may accompany the device, or it can be downloaded.
As the ActiveSync Wizard is run from a desktop computer that is connected to the corporate network, the user will have the option to connect directly to the Exchange Server.
To connect directly to the Exchange Server, your users will need the following information:
The path and domain name of the Exchange server.
Their Exchange user name and password.
Note Direct Push technology and security policy enforcement will be effective only when the devices are synchronized directly with the Exchange server. We do not recommend that you synchronize your mobile device only with the desktop computer.
Also in the ActiveSync Wizard, the user can choose which types of data, such as contacts, calendar, tasks, and e-mail, to synchronize with the device. You may advise your users to uncheck any data types that should not be stored on their mobile devices.
Connecting Directly to Exchange Server
The user can use a Windows Mobile 5.0-based device to synchronize directly with Exchange Server.
If Exchange server access was previously set by using ActiveSync on the desktop computer, the information should already be available when direct synchronization is tried.
On the mobile device, the user can click ActiveSync, choose Menu, and select Add Server Source. After adding the server path, domain name, user name, and password, the user connects directly to the Exchange Server.
Initiating and Tracking Remote Wipe on Mobile Devices
The remote wipe feature of the Messaging and Security Feature Pack is managed by using the Microsoft Exchange ActiveSync Mobile Administration Web tool. This tool enables you to manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are connected to the Exchange server wirelessly.
Using the Mobile Administration Web tool
The Welcome screen presents the administrator with a list of available administrative options. Select one of these options to start the associated Web page. The following options are displayed on the Welcome page.
Remote Wipe Run a remote wipe command for a lost or stolen mobile device
Transaction Log View a log of administrative actions, noting time/action/user
Running and Monitoring a Remote Device Wipe
The Remote Device Wipe administrator console provides the following functions:
Issue a remote wipe command for a lost or stolen mobile device.
To issue a remote wipe command, search for a user's mobile devices by specifying the user's name. The tool displays the device ID, device type, and the time the device last synchronized with the server for each of the user's devices. Locate the desired device, and then click Wipe. The tool then displays the up-to-date status for the device, showing when or if the device has been successfully wiped.
View the status of a pending remote wipe command.
When a Wipe action is specified for a device, it stays active until the administrator specifies otherwise. This means that, after the initial remote wipe has been completed, the server continues to send a remote wipe directive if the same device ever tries to reconnect.
Undo (cancel) a remote wipe command if a lost or stolen device is recovered.
If a lost device is recovered, the administrator can cancel this directive to enable the device to successfully connect again. You cancel the wipe by locating the mobile device that has the remote wipe action set, and then clicking Cancel Wipe.
Delete a device partnership.
The administrator can use the remote wipe console to delete a device partnership from the server. This action has the effect of cleaning up all state associated with a specified device on the server and is primarily useful for housekeeping purposes. If a device tries to connect after its partnership has been deleted, it will be forced to re-establish that partnership with the server through a recovery process that is transparent to both the IT administrator and the device user. This action is carried out by locating the mobile device, and then clicking Delete.
Viewing a Log of Remote Wipe Transactions
The transaction log displays the following information for all critical administrative actions performed with the Exchange ActiveSync Mobile Administration Web tool:
DateTime Date and time when the action was executed
User The user who executed the action
Mailbox The mailbox that the action pertained to
Device ID The device that the action pertained to
Type The type of device that the action pertained to
Action The action taken by the administrator
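The six columns above are enough to answer the questions an operations team asks about remote wipe: which devices still have a wipe directive pending (the earlier section notes that a wipe stays active until cancelled), which wipes were issued at unusual hours, and how many each administrator has issued. The following PowerShell script is an added example, not part of this guide or of the tool, that runs those three checks over a log export. The CSV layout, every row in it, and the action names Wipe, CancelWipe and Delete are constructed for illustration; the tool does not document an export format, so adapt the parsing to whatever you copy out of the Transaction Log page.

```powershell
# Added example, not from the guide: review remote wipe activity from a transaction log
# export. The CSV below is constructed sample data using the tool's six columns; the
# action names and the export format are assumptions.
$sampleCsv = @'
DateTime,User,Mailbox,DeviceID,Type,Action
2006-03-01 09:12:00,CONTOSO\adminA,jsmith,ABC123,PocketPC,Wipe
2006-03-01 09:40:00,CONTOSO\adminA,jsmith,ABC123,PocketPC,CancelWipe
2006-03-02 23:55:00,CONTOSO\adminB,rlee,DEF456,Smartphone,Wipe
2006-03-03 10:05:00,CONTOSO\adminB,rlee,DEF456,Smartphone,Wipe
2006-03-03 11:30:00,CONTOSO\adminC,tcho,GHI789,PocketPC,Delete
'@

# Parse the export and attach a real [datetime] so the rows can be ordered and filtered.
$entries = $sampleCsv | ConvertFrom-Csv | ForEach-Object {
    $_ | Add-Member -MemberType NoteProperty -Name When -Value ([datetime]$_.DateTime) -PassThru
}

function Get-PendingWipes {
    # A wipe directive stays active until it is cancelled, so the most recent Wipe or
    # CancelWipe per device tells us which devices will still be wiped on their next connect.
    param($Log)
    $Log | Where-Object { @('Wipe', 'CancelWipe') -contains $_.Action } |
        Group-Object DeviceID | ForEach-Object {
            $last = $_.Group | Sort-Object When | Select-Object -Last 1
            if ($last.Action -eq 'Wipe') { $last }
        }
}

function Get-AfterHoursWipes {
    # Wipes issued outside business hours deserve a second look: was the request genuine,
    # and was the right device chosen?
    param($Log, [int]$StartHour = 8, [int]$EndHour = 18)
    $Log | Where-Object {
        $_.Action -eq 'Wipe' -and ($_.When.Hour -lt $StartHour -or $_.When.Hour -ge $EndHour)
    }
}

function Get-WipeCountsByAdmin {
    # Per-administrator totals make an unusually busy account stand out.
    param($Log)
    $Log | Where-Object { $_.Action -eq 'Wipe' } | Group-Object User |
        Select-Object @{ n = 'Administrator'; e = { $_.Name } }, @{ n = 'Wipes'; e = { $_.Count } }
}

'--- Devices with a wipe still pending (wiped again on next connect) ---'
Get-PendingWipes $entries | Format-Table When, User, Mailbox, DeviceID -AutoSize
'--- Wipes issued outside 08:00-18:00 ---'
Get-AfterHoursWipes $entries | Format-Table When, User, Mailbox, DeviceID -AutoSize
'--- Wipe commands per administrator ---'
Get-WipeCountsByAdmin $entries | Format-Table -AutoSize
```

On the sample data, device ABC123 drops out of the pending list because its wipe was cancelled, DEF456 is reported both as pending and as an after-hours wipe, and adminB shows two wipes to adminA's one. Replace $sampleCsv with the content of your own export, keeping the header row, to run the same review on real data.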
Configuring the Windows Mobile 5.0-based Device
If you are working with a mobile operator or mobile device manufacturer to deploy your Windows Mobile 5.0-based devices, you may be able to acquire devices that have been pre-configured with the features and settings to fit your needs.
You can use the device provisioning tools that are available in the Windows Mobile 5.0 Software Development Kit (SDK) to configure settings on the devices; to add, update, and remove software; or to change functionality.
Note You must have either manager access to the Windows Mobile 5.0-based devices or the ability to run trusted code on them in order to use the provisioning tools. Check with your mobile operator or device manufacturer for more information on the application security settings on your devices.
See the Managing Devices section of the SDK for detailed information. The SDK documentation is included in the MSDN Library at http://go.microsoft.com/fwlink/?LinkId=63274. The SDK documentation and tools are available at no charge from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=63275.
Note Be aware that there are two versions of Windows Mobile 5.0 software: Microsoft Windows Mobile Version 5.0 software for Pocket PCs and Microsoft Windows Mobile Version 5.0 software for Smartphones. While working in the SDK, follow references and directions for the version on your devices, as some procedures are different for the two versions.
Overview of Provisioning
Provisioning a Windows Mobile 5.0-based device involves creating a provisioning XML file that contains configuration information, and then sending the file to the device. Configuration Manager and Configuration Service Providers configure the device based on the contents of the provisioning XML file.
The Configuration Manager is the central authority that processes the provisioning XML file. Configuration Service Providers carry out all configuration queries and changes. After the data is