mopile message on exchange

Upload: asufyaniali

Post on 30-May-2018


8/14/2019 Mopile Message on Exchange 1/69

Step-by-Step Guide to Deploying Microsoft Exchange Server 2003 SP2 Mobile Messaging with Windows Mobile 5.0-based Devices

March, 2006

Applies to: Exchange Server 2003 SP2 and Windows 5.0-based Devices with the Messaging and Security Feature Pack


DirectPush Technology requires Windows Mobile 5.0 with the Messaging and Security Feature Pack (MSFP) connected with Exchange Server 2003 Service Pack 2. Connectivity and synchronization may require separately purchased equipment and/or wireless products (e.g., WiFi card, network software, server hardware, and/or redirector software). Service plans are required for Internet, WiFi and phone access. Features and performance may vary by service provider and are subject to network limitations. See device manufacturer, service provider and/or corporate IT department for details.

Available programs, features and functionality vary by device and Windows Mobile operating system version. PowerPoint Mobile available with Windows Mobile 5.0.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft, Active Directory, ActiveSync, BizTalk, Hotmail, JScript, MS-DOS, MSDN, MSN, Outlook, SharePoint, Visio, Visual Basic, Visual Studio, Windows, Windows Media, Windows Mobile, Windows NT, Windows Server, and Windows Server System are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

Deploying Microsoft Exchange Server 2003 SP2 Mobile Messaging with Windows Mobile 5.0-based Devices (p. 5)
    Introduction (p. 5)
    Overview: Messaging and Security Feature Pack (p. 8)
    Deployment Configuration and Best Practices (p. 12)
Deploying Exchange Server 2003 SP2 Mobile Messaging (p. 17)
    Deployment Process (p. 17)
    Step 1 - Upgrade to Exchange Server 2003 SP2 (p. 18)
    Step 2 - Update All Servers with Security Patches (p. 18)
    Step 3 - Protect Communications Between the Mobile Devices and Your Exchange Server (p. 19)
        Deploying SSL to Encrypt Messaging Traffic (p. 19)
        Backing up Server Certificates (p. 24)
        Single Server Configuration (Optional) (p. 27)
        Configuring Basic Authentication (p. 27)
        Require SSL Connection to the Exchange ActiveSync Web Site Directories (p. 27)
        Required UrlScan Settings (p. 29)
    Step 4 - Protect Communications Between the Exchange Server 2003 SP2 Server and Other Servers (p. 32)
    Step 5 - Install and Configure an ISA Server 2004 Environment or Other Firewall (p. 33)
        Configuring the Host File Entry (p. 38)
        Testing OWA and Exchange ActiveSync (p. 39)
        Testing OWA (If installed) (p. 39)
    Step 6 - Configure and Manage Mobile Device Access on the Exchange Server (p. 41)
        Enabling Mobile Access (p. 41)
        Enable Exchange ActiveSync for All Users (p. 41)
        Enable User-Initiated Synchronization (p. 42)
        Enable Up-to-date Notifications (Optional) (p. 43)
        Monitoring Mobile Performance on Exchange Server (p. 45)
    Step 7 - Install the Exchange ActiveSync Mobile Administration Web Tool (p. 47)
    Step 8 - Manage and Configure Mobile Devices (p. 48)
Appendix A. Deploying Exchange ActiveSync with Certificate-Based Authentication (p. 53)
    Introduction (p. 53)
    Configuring Certificate-Based Authentication for Exchange ActiveSync (p. 53)
        Exchange ActiveSync Requirements (p. 53)
        Kerberos Basics (p. 55)
    Alternative Deployment Steps for Certificate-based Authentication (p. 55)
        Setting up SSL for Exchange ActiveSync Virtual Directory (p. 55)
        Creating the Exchange ActiveSync publishing rule using tunneling (p. 56)
        Using Active Directory Users and Computers to Configure Kerberos-Constrained Delegation and Protocol Transitioning (p. 57)
    Overview of Certificate Enrollment Configuration (p. 58)
        Configuring the XML (p. 60)
        Uploading the XML to Active Directory (p. 63)
Appendix B. Adding a Certificate to the Root Store of a Windows Mobile-based Device (p. 67)
    Create the Provisioning XML to Install a Certificate to the Root Store (p. 67)
    Create a CAB file containing the provisioning XML (p. 68)
    Distributing the CAB Provisioning File (p. 68)


Deploying Microsoft Exchange Server 2003 SP2 Mobile Messaging with Windows Mobile 5.0-based Devices

Introduction

This document is designed primarily for Information Technology (IT) professionals who are responsible for planning and deploying mobile messaging systems that use Microsoft Exchange Server 2003 with Service Pack 2 (SP2) and Microsoft Windows Mobile-based devices that have the Messaging and Security Feature Pack.

This document is divided into two main sections that describe the following:

• The essential elements of a mobile messaging system, including requirements; a summary of deployment procedures; an overview of the features of the Messaging and Security Feature Pack; and best practices for networking, security, and device management.
• The guidelines and resources for the deployment of a mobile messaging system, including updating Exchange Server 2003 SP2, setting up Microsoft Exchange ActiveSync for mobile access, creating a protected communications environment, and procedures for setting up and managing mobile devices.

For current information on deploying mobile messaging solutions and managing Windows Mobile-based devices, visit the Windows Mobile Center Web site at: http://go.microsoft.com/fwlink/?LinkId=62636

Assumptions

This document assumes that you have an understanding of Microsoft Office Outlook Web Access, Exchange ActiveSync, Hypertext Transfer Protocol (HTTP), basic Exchange Server 2003 concepts, and basic Microsoft Windows Internet Information Services (IIS) concepts.

Requirements

The following operating systems and applications are required for successful deployment.

• Microsoft Windows 2000 Server with Service Pack 4 (SP4) or Microsoft Windows Server 2003 with Service Pack 1 (SP1) (recommended)
• Microsoft Exchange Server 2003 SP2 (includes Exchange ActiveSync)
• Microsoft Exchange ActiveSync Mobile Administration Web tool
• Microsoft Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack
• Active Directory directory service
• Internet Information Services (IIS) 6.0

Note: Windows Mobile 5.0-based devices that have a version number of 148xx.2.x.x or higher include the Messaging and Security Feature Pack. To find the operating system version on the device, click Start, choose Settings, and then click About.

Optional Items

You can implement the following components for security and device management tools. See the Best Practices section.

• The most recent version of Microsoft Desktop ActiveSync, which is available as a download from the Microsoft download Web site at http://go.microsoft.com/fwlink/?LinkId=62652.
• Microsoft Internet Security and Acceleration (ISA) Server 2004
• Windows certification authority (CA)


• RSA Authentication Manager (6.0)
• RSA Authentication Agent for Microsoft Windows
• RSA SecurID Authenticator

Deployment Process Summary

Because corporate network configurations and security policies vary, the deployment process will vary for each mobile messaging system installation. This deployment process includes the required steps and the recommended steps for deploying a mobile messaging solution that uses Exchange Server 2003 SP2 and Windows Mobile 5.0-based devices.

The process can be accomplished in the following eight steps:

Step 1: Upgrade Front-End Server to Exchange Server 2003 SP2
Step 2: Update All Servers with Security Patches
Step 3: Protect Communications with Mobile Devices
Step 4: Protect Communications between the Exchange Server and Other Servers
Step 5: Install and Configure an ISA Server 2004 Environment or Other Firewall
Step 6: Configure Mobile Device Access on the Exchange server
Step 7: Install the Exchange ActiveSync Mobile Administration Web tool
Step 8: Manage and Configure Mobile Devices

Planning Resources

The following Microsoft Web sites and technical articles provide background information that is important for the planning and deployment of your mobile messaging solution.

Exchange Server 2003
• Planning an Exchange Server 2003 Messaging System: http://go.microsoft.com/fwlink/?LinkId=62626
• Exchange Server 2003 Client Access Guide: http://go.microsoft.com/fwlink/?LinkId=62628
• Exchange Server 2003 Deployment Guide: http://go.microsoft.com/fwlink/?LinkId=62629
• Windows Server 2003 Deployment Guide: http://go.microsoft.com/fwlink/?LinkId=62630
• Using ISA Server 2004 with Exchange Server 2003: http://go.microsoft.com/fwlink/?LinkId=42243
• Windows Server 2003 Technical Reference: http://go.microsoft.com/fwlink/?LinkId=62631
• IIS 6.0 Deployment Guide (IIS 6.0): http://go.microsoft.com/fwlink/?LinkId=62632
• Microsoft Exchange Server TechCenter: http://go.microsoft.com/fwlink/?LinkId=62633
• Exchange Server 2003 Technical Documentation Library: http://go.microsoft.com/fwlink/?LinkId=62634

Windows Mobile
• Supporting Windows Mobile-Based Devices within the Enterprise: Corporate Guidelines for Each Stage of the Device's Lifecycle (paper): http://go.microsoft.com/fwlink/?LinkId=62635


• TechNet Windows Mobile Center: http://go.microsoft.com/fwlink/?LinkId=62636

Security
• Windows Mobile-based Devices and Security (paper): http://go.microsoft.com/fwlink/?LinkId=62640
• Windows Mobile Security: http://go.microsoft.com/fwlink/?LinkId=62641
• TechNet Security Center: http://go.microsoft.com/fwlink/?LinkId=62642


Overview: Messaging and Security Feature Pack

The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.

Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack will give you the following capabilities:

• With DirectPush technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.
• You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.
• You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.
• You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.

Features

DirectPush Technology

The DirectPush technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user's mobile device. DirectPush works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. The DirectPush technology uses an established HTTPS connection between the device and the Exchange server; previous solutions required the use of Short Message Service (SMS), which is no longer required.

No special configuration is required on the mobile device, and you can keep your standard data plan since the service is world-capable and requires no additional software or server installations other than Exchange Server 2003 SP2.

Exchange ActiveSync

Exchange ActiveSync is an Exchange synchronization protocol that is designed for keeping your Exchange mailbox synchronized with a Windows Mobile 5.0-based device. Exchange ActiveSync is optimized to deal with high-latency/low-bandwidth networks, and also with low-capacity clients that have limited amounts of memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is a part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:

• The consistency of the familiar Outlook experience for users
• No extra software is required to install or configure devices
• Global functionality that is achieved via standard data access phone service

Global Address List Access

Support for over-the-air lookup of global address list (GAL) information stored on Exchange Server. With the Messaging and Security Feature Pack, mobile device users will be able to receive contact properties for individuals in the GAL. These properties can be used to search remotely for a person quickly based on name, company, and/or other property. Users will get all of the information they need to reach their contacts without having the data stored on their device.


Security Features

Remotely Enforced Device Security Policies

Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. Not only that, but you can specify the length of the password, require usage of a character or symbol, and designate how long the device has to be inactive before prompting the user for the password again.

An additional setting, wipe device after failed attempts, allows you to delete all data on the device after the user enters the wrong password a specified number of times. The user will see alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens.

Another setting allows you to specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.

The device security policies are managed from Exchange System Manager's Mobile Services Properties interface.

Remote Device Wipe

The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device was connected using DirectPush technology, the wipe process will be initiated immediately and should take place in seconds. If you have used the enforced lock security policy, the device is protected by a password and local wipe, so the device will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.

The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:

• View a list of all devices that are being used by any user.
• Select or de-select devices to be remotely erased.
• View the status of pending remote erase requests for each device.
• View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices those commands pertained to.

Advanced Security Features

Certificate-Based Authentication

If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smart card. The private key and certificate for client authentication is stored in memory on the device. However, if an unauthorized user attempts to brute force attack the power-on password for the device, all user data is purged including the certificate and private key.

For more information, see Appendix A. Deploying Exchange ActiveSync Certificate-based Authentication.

Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download center Web site: http://go.microsoft.com/fwlink/?LinkId=63271


Support for S/MIME Encrypted Messaging

The Messaging and Security Feature Pack for Windows Mobile 5.0 provides native support for digitally signed, encrypted messaging. When encryption with the Secure/Multipurpose Internet Mail Extension (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.

The S/MIME control:
• Is a standard for security enhanced e-mail messages that use a Public Key Infrastructure (PKI) to share keys
• Offers sender authentication by using digital signatures
• Can be encrypted to protect privacy
• Works well with any standard-compliant e-mail client

For guidance on how to implement the S/MIME control with Microsoft Exchange Server 2003 SP2, see the Exchange Server Message Security Guide at the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=63272.

Administering the Messaging and Security Feature Pack

Safeguards like password policies and remote wipe capabilities provide you with the security features to help you protect your organization's data. With the combination of the management capabilities built into Exchange Server 2003 SP2 and the security and configuration protocols included in the Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack, your control over mobile devices has been streamlined. You will see that most of the administration of the security features for the mobile device happens on the Exchange Server or on the Exchange ActiveSync Mobile Administration Web tool.

The following table summarizes the features and the settings required on the Exchange Server or on the mobile device.

Feature: Exchange DirectPush technology
    Exchange Server settings: Enabled by default with Exchange Server 2003 SP2. Protected configuration with firewall or ISA Server. Set session timeout time to 30 minutes.
    Mobile device settings: No device setup required; user steps thru ActiveSync wizard upon login to Exchange server.

Feature: Exchange ActiveSync
    Exchange Server settings: Enabled by default with Exchange Server 2003 SP2. Set parameters by using Exchange System Manager's Mobile Services Properties.
    Mobile device settings: No device setup required; user steps thru ActiveSync wizard upon login to Exchange server.

Feature: Wireless access to global address list (GAL)
    Exchange Server settings: Default Exchange Server setup. Requires Outlook Web Access published on Exchange Server.
    Mobile device settings: No device setup required. Trusted devices have automatic access to GAL.

Feature: Remotely enforced IT policy
    Exchange Server settings: Enable DirectPush technology in Exchange ActiveSync. Use Exchange System Manager's Mobile Services Properties to apply policies.
    Mobile device settings: No device setup required; user steps thru ActiveSync wizard upon login to Exchange server.

Feature: Remote Wipe
    Exchange Server settings: Enable DirectPush technology in Exchange ActiveSync. Use Mobile Administration Web tool to initiate, track, and cancel the remote wipe.
    Mobile device settings: No device setup required; user steps thru ActiveSync wizard upon login to Exchange server.

Feature: Certificate-based authentication
    Exchange Server settings: Install certificate on Exchange Servers. Deploy ActiveSync 4.1 to desktops. Use the Certificate Enrollment tool to configure the devices via ActiveSync.
    Mobile device settings: Initial certificate enrollment using Desktop ActiveSync is required.

Feature: S/MIME mobile device support
    Exchange Server settings: Deploy an Exchange Server 2003 messaging system with PKI security.
    Mobile device settings: Install certificate enrollment protocol and key on the device.


Deployment Configuration and Best Practices

Best practices for deploying a mobile messaging solution on your corporate network are recommendations to help you smooth operation of, and provide a high level of security in, your mobile messaging solution. You can determine what the best practices are for your network configuration and mobile device use.

Network Planning and Design

To design a successful Exchange Server 2003 SP2 messaging system, you must first understand the capabilities and limitations of the software and hardware upon which you will build your messaging system. Whether you are developing a new Exchange Server messaging system or upgrading from a previous Exchange implementation, you need to balance the limitations of your network infrastructure with the capabilities of your messaging system, operating system, and user software.

For more information about how to plan your messaging system, see Planning an Exchange Server 2003 Messaging System at http://go.microsoft.com/fwlink/?LinkId=62643

Best Practice: Use Front-end and Back-end Configuration for Exchange Servers

A front-end and back-end configuration is recommended for multiple-server organizations that use Exchange ActiveSync, Outlook Web Access, POP, or IMAP and want to provide HTTP, POP, or IMAP access to their employees. In this architecture, a front-end server accepts requests from clients and proxies those requests to the appropriate back-end server for processing. The front-end and back-end architecture allows the front-end server to handle the Secure Sockets Layer (SSL) encryption, thus enabling the back-end servers to increase overall e-mail performance.

Securing the messaging environment also involves disabling those features and settings for the front-end server that are not necessary in a front-end and back-end server architecture.

For more information about front-end and back-end server architecture, see Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology at http://go.microsoft.com/fwlink/?LinkId=62643

Considerations for Deployment on a Single Server

If you are deploying a mobile messaging solution that uses a single Exchange server, you may have to establish some special configurations to avoid conflicts on the virtual directory.

SSL Requirements and Forms-based authentication

In a single-server configuration, Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 by using Kerberos authentication. Exchange ActiveSync cannot access the Exchange virtual directory if either of the following conditions are true:

• The Exchange virtual directory is configured to require SSL.
• Forms-based authentication is configured.

For more information about, and workarounds for, these configurations, see the following article in the Microsoft Knowledge Base: Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003, http://go.microsoft.com/fwlink/?LinkId=62660


Exchange ActiveSync Mobile Administration Web Tool

When deployed in a single-server configuration, the Exchange ActiveSync Mobile Administration Web tool requires the default configuration on the ExAdmin virtual directory. By default, SSL is not turned on and the vdir has Windows Integrated authentication.

In a single-server configuration, we recommend that you do the following:

• Turn off SSL Required on the ExAdmin virtual directory
• Use Windows Integrated authentication on the ExAdmin virtual directory

Note: the Exchange ActiveSync Mobile Administration Web tool should run in the ExchangeAppPool. This is a known issue. A Knowledge Base article about this issue will be published soon.

RSA SecurID Compatibility

RSA SecurID provides token-based authentication that requires user input and was not compatible with the DirectPush technology, in which the device synchronizes automatically. RSA has updated the RSA Authentication Agent for Windows so that DirectPush technology and scheduled synchronization features function smoothly.

If you are using the RSA SecurID product, be sure to get the latest RSA SecurID software from the RSA Security Web site: http://go.microsoft.com/fwlink/?LinkId=63273.

Best Practice: Deploy ISA Server 2004 as an Advanced Firewall

As a best practice alternative to locating your front-end Exchange servers in the perimeter network, you can deploy ISA Server 2004 as an advanced firewall. In this configuration, all of the Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. This adds an additional layer of security to your network.

All incoming Internet traffic bound to your Exchange servers (for example, Microsoft Office Outlook Web Access and RPC over HTTP communication from Outlook 2003 clients) is processed by the ISA server. When the ISA server receives a request for an Exchange server, the ISA server terminates the connection and then proxies the request to the appropriate Exchange servers on your internal network. The Exchange servers on your network then return the requested data to the ISA server, which sends the information to the client through the Internet.

During installation of the ISA server, we recommend that you enable SSL encryption, and designate 443 as the SSL port. This leaves the 443 port open as the Web Listener to receive Internet traffic. We also recommend that you set up basic authentication for Exchange ActiveSync, and that you require all clients to successfully negotiate an SSL link before connecting to the Exchange ActiveSync site directories. If you follow these recommendations, the Internet traffic that flows into and out of the 443 port will be more protected.

When configured in Web-publishing mode, ISA Server 2004 will provide protocol filtering and hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and pre-authentication.


The figure above is an example of a recommended Exchange Server 2003 deployment for mobile messaging with ISA Server 2004.

Best Practice: Configuring your firewall for optimal DirectPush performance

DirectPush technology requires an established connection between the server and the client. No data is sent over this connection unless there is e-mail or data to be transmitted or the device needs to reestablish its connection with the server. This means that the maximum length of the connection is determined by the lowest network timeout in the path between the device and the server.

With good network coverage, the maximum timeout will be determined by the connection timeout that is enforced by the firewalls that deal with Internet traffic to your Exchange front-end servers. If you keep the timeout very low, then you will force the device to reconnect several times, which will quickly drain its battery.

As a best practice, you should adjust the connection timeout of your firewall to ensure that DirectPush functionality works efficiently. In order to optimize battery life, we recommend a timeout period of between 15 and 30 minutes.


Security: Authentication and Certification

Security for communication between the Exchange server and client mobile devices can be increased by using Secure Sockets Layer (SSL) for encryption and server authentication and by using web publishing to protect incoming traffic.

The following best practices will help you build a more secure mobile messaging solution.

Best Practice: Use SSL for Encryption and Server Authentication

To protect outgoing and incoming data, deploy SSL to encrypt all traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content and the identity of users, and to encrypt network transmissions. The Exchange server, just like any Web server, requires a valid server certificate to establish SSL communications.

Windows Mobile 5.0-based devices are shipped with trusted root certificates. Check with your device manufacturer for a current list of the certificate authorities that shipped with your device. If you obtain a root certificate from one of the trusted services, your client mobile devices should be ready to establish SSL communications with no further configuration.

Note: Some server certificates are issued with intermediate authorities in the certification chain. If IIS is not configured to send all certificates in the chain to the mobile device during the SSL handshake, the device will not trust the certificate because the device does not support dynamically retrieving the other certificates.

For more information about obtaining server certificates, see Obtaining and Installing Server Certificates in the Exchange Server 2003 Client Access Guide at http://go.microsoft.com/fwlink/?LinkId=62628

For more information about root certificates for mobile devices, see Appendix B. Adding Root Certificates to Windows Mobile Devices in this document.
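The note above describes a failure mode that is easy to miss in testing from a desktop browser, which can fetch a missing intermediate on its own. The following Python script is an added example, not part of the Microsoft guide, that models how a client with no ability to retrieve certificates (such as the Windows Mobile device described here) walks the chain the server presents. The CA and server names are constructed, and signature verification is deliberately left out so the walk runs offline; only the subject/issuer linkage and the contents of the device root store decide the outcome. The third case also shows the Appendix B remedy, where the missing intermediate is installed in the device root store instead of being sent by IIS.

```python
from dataclasses import dataclass


# Constructed certificate descriptor: only the names matter for the chain walk.
# A real client also checks signatures, validity dates and key usage; those are
# omitted here so the example runs offline.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed PKI (names are assumptions, not from the guide): a root CA, an
# intermediate issuing CA, and the Exchange front end's server certificate.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
SERVER = Cert("CN=mail.example.com", "CN=Example Issuing CA")

# The device root store as shipped: it holds the root only.
DEVICE_ROOT_STORE = {ROOT.subject: ROOT}


def build_chain(presented, root_store=DEVICE_ROOT_STORE, max_depth=8):
    """Walk from the server certificate (presented[0]) towards a trusted root
    using only the certificates the server sent plus the device root store,
    mirroring a client that cannot fetch a missing issuer.
    Returns (trusted, chain_subjects, reason)."""
    if not presented:
        return False, [], "server sent no certificate"
    # Extra certificates the server included in the handshake, keyed by subject.
    by_subject = {c.subject: c for c in presented[1:]}
    current = presented[0]
    chain = [current.subject]
    for _ in range(max_depth):
        if current.issuer in root_store:
            chain.append(current.issuer)
            return True, chain, "chain ends in a certificate from the device root store"
        if current.self_signed:
            return False, chain, "self-signed certificate is not in the device root store"
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return False, chain, (f"issuer '{current.issuer}' was not sent in the handshake "
                                  "and the device cannot retrieve it")
        chain.append(issuer.subject)
        current = issuer
    return False, chain, "chain exceeds the maximum depth"


def demo():
    """Three handshakes: full chain sent, leaf only, and leaf only after the
    intermediate was provisioned into the device root store (Appendix B)."""
    return {
        "IIS sends leaf and intermediate": build_chain([SERVER, INTERMEDIATE]),
        "IIS sends leaf only": build_chain([SERVER]),
        "leaf only, intermediate in root store": build_chain(
            [SERVER], {INTERMEDIATE.subject: INTERMEDIATE}),
    }


if __name__ == "__main__":
    for name, (trusted, chain, reason) in demo().items():
        print(f"{name}: trusted={trusted}; chain={' -> '.join(chain)}; {reason}")
```

The second case is the one the note warns about: the server certificate is perfectly valid, but because the intermediate is neither sent nor already on the device, the walk stops one hop short of the root and the device rejects the connection.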

Best Practice: Use Web Publishing with Basic Authentication

As a best practice, Web publishing is easier to implement and provides a higher level of security than server publishing, although larger companies that are planning to use client certificate-based authentication must implement the latter.

Server publishing, also known as tunneling, refers to network/transport-layer protection, whereas Web publishing, also known as bridging, refers to application-layer protection. Web publishing is only possible when SSL is terminated on ISA Server 2004. With server publishing, ISA Server 2004 only sees encrypted traffic, so it cannot perform tasks such as protocol hygiene that require it to analyze the contents; thus ISA Server 2004 only offers protection based on the network/transport layers.

The following table compares the security features of server publishing and Web publishing.

Security feature: Synchronous idle character (SYN) flood attack protection
    Server publishing: Yes    Web publishing: Yes

Security feature: Flood/network resiliency mechanisms that are activated when various system and network quotas are reached. These can include blocking traffic, increasing delays, or releasing memory.
    Server publishing: Yes    Web publishing: Yes

Security feature: Access control based on source address, source port, destination address, destination port, and protocol.
    Server publishing: Yes    Web publishing: Yes

Security feature: Detection and prevention of port scanning, fragment attacks, various TCP/IP attacks, and IP and TCP header validation.
    Server publishing: Yes    Web publishing: Yes

Security feature: HTTP protocol hygiene.
    Server publishing: No    Web publishing: Yes

Security feature: HTTP session quota.
    Server publishing: No    Web publishing: Yes

Security feature: HTTP filtering. This allows the detection of signatures in HTTP requests, which is often used to protect against zero-day attacks, for example, when the Web servers are not all fully patched. HTTP filtering reduces the attack surface of the Web server by allowing only certain HTTP verbs, actions or URLs.
    Server publishing: No    Web publishing: Yes

Security feature: Pre-authentication and authorization. The Web server only receives traffic from authenticated and authorized users. This means that even if there is a vulnerability in IIS, only company employees can actually exploit the vulnerability. Without pre-authentication, the Exchange front-end server is the first line of defense, so it must be in the DMZ.
    Server publishing: No    Web publishing: Yes

Security feature: Single sign-on in ISA 2006 provides increased usability.
    Server publishing: No    Web publishing: Yes

Security feature: Link translation provides increased usability.
    Server publishing: No    Web publishing: Yes

    Best Practice: Use Server Publishing with Certificate-based Authentication

    For certificate-based authentication to work correctly with Exchange ActiveSync, the enterprise firewall must be configured to allow the Exchange front-end server to terminate the SSL connection. Web publishing will not work with certificate-based authentication.

    Microsoft has provided several tools to help an Exchange administrator configure and validate client certificate authentication.

    For more information, see Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.

    The Exchange ActiveSync Certificate-based Authentication tool can be downloaded from the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?LinkId=62656.

    Best Practice: Determine and Deploy a Device Password Policy

    For the first time, Exchange Server SP2 and Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack help you to configure a central security policy that requires all mobile device users to protect their device with a password in order to access the Exchange server.

    Within this central security policy, there are several attributes you can configure, including the length of the password (the default is four characters), the use of characters or symbols in the password, and how long the device can be inactive before it prompts the user for the password again.

    Once you have determined your device security policies, you can apply them by using Exchange System Manager's Mobile Services Properties. When your users connect to the Exchange server and sign in, the policies will be sent to the device. You can set the interval at which the security policies will automatically be refreshed on the devices.

    For more information on setting security policies, see Configuring Security Settings for Mobile Devices in this document.


    Deploying Exchange Server 2003 SP2 Mobile Messaging

    For simplicity, we have documented the recommended deployment with references to alternative or optional steps. Your production environment may vary (for example, you may use another firewall), but if you read through the process for installing and configuring the ISA server, you should be able to configure your firewall to work with this deployment.

    Deployment Process

    The following steps summarize the process for deploying an Exchange Server 2003 SP2 mobile messaging solution.

    Step 1  Upgrade Front-End Server to Exchange Server 2003 SP2

    Step 2  Update All Servers with Security Patches

    Step 3  Protect Communications Between the Mobile Devices and Your Exchange Server
        Encrypt Messaging Traffic with Secure Sockets Layer (SSL)
        Enable SSL on the Default Web Site
        Configure Authentication: Basic Authentication (Recommended)
        RSA SecurID (Optional)
        Configure Certificate Authentication (Optional)
        Protect IIS by Using UrlScan and IIS Lockdown Wizard

    Step 4  Protect Communications Between the Exchange Server and Other Servers
        Use IPSec to Encrypt IP Traffic (Recommended)

    Step 5  Install and Configure an ISA Server 2004 Environment or Other Firewall
        Create the Exchange ActiveSync Publishing Rule by Using Bridging
        Create the Exchange ActiveSync Publishing Rule by Using Tunneling (with Certificate-Based Authentication)
        Configure the Host File Entry
        Modify the Firewall Idle Session Time-out Settings to 30 Minutes

    Step 6  Configure Mobile Device Access on the Exchange Server
        Enable Exchange ActiveSync for All Users
        Enable User-Initiated Synchronization
        Enable Direct Push
        Set Security Policy Settings for Mobile Devices
        Monitor Mobile Performance on Exchange Server

    Step 7  Install the Exchange ActiveSync Mobile Administration Web Tool

    Step 8  Manage and Configure Mobile Devices
        Set Up Mobile Connection to Exchange Server
        Initiate and Track Remote Wipe on Mobile Devices
        Provision or Configure Mobile Devices


    Step 1 - Upgrade to Exchange Server 2003 SP2

    Exchange Server 2003 SP2 includes Exchange ActiveSync, the synchronization protocol that keeps the Exchange mailbox synchronized on client mobile devices. By default, Exchange ActiveSync is enabled.

    Exchange Server 2003 SP2 contains new features that work with the Windows Mobile 5.0 Messaging and Security Feature Pack to help you to improve the deployment, security, and management of mobile devices.

    Note: To use the Windows Mobile 5.0 Messaging and Security Feature Pack, you must upgrade your front-end Exchange server to Exchange Server 2003 SP2. Back-end mailbox servers can remain at Exchange 2003 RTM or SP1. However, we recommend that you upgrade both front-end and back-end servers to take advantage of the updates in SP2.

    How to Upgrade to Exchange Server 2003 SP2

    Download the Service Pack 2 for Exchange Server 2003 file from the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=62644

    Follow the directions provided to upgrade your Exchange servers to SP2.

    Step 2 - Update All Servers with Security Patches

    To help you ensure that your mobile messaging network is strong from end to end, take this opportunity to update all of your servers.

    After you install Exchange Server 2003 SP2 on your front-end server, update the server software on your other Exchange servers and on any other server that Exchange communicates with, such as your global catalog servers and your domain controllers.

    For more information about updating your software with the latest security patches, see the Exchange Server Security Center Web site: http://go.microsoft.com/fwlink/?LinkId=62646

    For more information about Microsoft security, see the Microsoft Security Web site: http://go.microsoft.com/fwlink/?LinkId=62649


    Step 3 - Protect Communications Between the Mobile Devices and Your Exchange Server

    To help protect the communications between Windows Mobile devices and your Exchange front-end server, follow these steps:

    Deploy SSL to encrypt messaging traffic

    Enable SSL on the default Web site

    Configure basic authentication for the Exchange ActiveSync virtual directory

    Note: If you plan to use certificate authentication instead of basic authentication, you must deploy SSL following the instructions in Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.

    Note: If you are using RSA SecurID, you must update the RSA Authentication Agent.

    Protect IIS by using UrlScan and IIS Lockdown Wizard

    See the Best Practices section of this document for more information on authentication and certification.

    Deploying SSL to Encrypt Messaging Traffic

    To protect incoming and outgoing mail, deploy SSL to encrypt messaging traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content, verify the identity of users, and encrypt network transmissions.

    The steps involved in configuring SSL for Exchange ActiveSync are:

    1. Obtaining and Installing a Server Certificate

    2. Validating Installation

    3. Backing up the Server Certificate

    4. Enabling SSL for the Exchange ActiveSync virtual directory

    Important: To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type the following command:

    runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"

    Obtaining and Installing Server Certificates

    After you obtain a server certificate, you will install the server certificate, verify the installation of the server certificate, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.

    To Obtain a Server Certificate From a CA

    1. Log on to the Exchange server using an Administrator account.

    2. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.


    3. Double-click the server name to view the Web sites. Right-click Default Web Site and then click Properties.

    4. Click to select the Directory Security tab. Under Secure Communications, click Server Certificate.

    5. In the Welcome Web Server Certificate Wizard dialog box, click Next, click Create a new certificate, and then click Next.

    6. Click Prepare the request now, but send it later, and then click Next.

    7. In the Name and Security Settings dialog box, type a name for your server certificate (for example, type …), click Bit length of 1024, and then click Next.

    Note: Ensure that Select cryptographic service provider is not selected.


    8. In the Organization Information dialog box, type a name in the Organization text box (for example, type …) and in the Organizational unit text box (for example, type …), and then click Next.

    9. In the Your Site's Common Name dialog box, type the fully qualified domain name (FQDN) of your server or cluster for Common name (for example, type …), and then click Next. This will be the domain name that your client mobile devices will access.

    10. In the Geographical Information dialog box, click Country/region (for example, US), State/province (for example, …) and City/locality (for example, …), and then click Next.

    11. In the Certificate Request File name dialog box, keep the default of C:\NewKeyRq.txt (where C: is the location your OS is installed), and then click Next.

    12. In the Request File Summary dialog box, review the information and then click Next. You should receive a success message when the certificate request is complete.

    13. Click Finish.

    Next, you must request a server certificate from a valid CA. To do this, you must access the Internet or an intranet, depending on the CA you choose, by using a properly configured Web browser.

    The steps detailed here are for accessing your CA Web site. For a production environment, you will probably request a server certificate from a public trusted CA over the Internet.

    To Submit the Certificate Request

    1. Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft CA Web site, http:///certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.


    2. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded PKCS #10 file, or submit a renewal request by using a base-64 encoded PKCS #7 file.

    3. On your local server, navigate to the location of the C:\NewKeyRq.txt file that you saved previously.

    4. Double-click to open the C:\NewKeyRq.txt file in Notepad. Select and copy the entire contents of the file.

    5. On the CA Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server.

    6. Click inside the Saved Request box, paste the contents of the file into the box, and then click Submit. The contents in the Saved Request box should look similar to the following example:

    -----BEGIN NEW CERTIFICATE REQUEST-----


    -----END NEW CERTIFICATE REQUEST-----

    7. On the Certificate Issued page, click DER encoded, and then click Download certificate.

    8. In the File Download dialog box, click Save this file to disk, and then click OK. Keep the default setting to save the file to the desktop, and click Save.

    9. Close Internet Explorer.

    At this point, a server certificate exists on your desktop that can be imported into the Exchange server certificate store.

    Next, you must install the certificate.

    To Install the Certificate

    1. Start Internet Information Services (IIS) Manager and expand …

    2. Right-click Default Web Site, and then click Properties. In the Properties dialog box, select the Directory Security tab. Under Secure Communication, click Server Certificate.

    3. In the Certificate Wizard dialog box, click Next.

    4. Select Process the pending request and install the certificate. Click Next.

    5. Navigate to, or type the location and file name for, the file containing the server certificate, certnew.txt, that is located on the desktop, and then click Next.

    6. Choose the SSL port that you wish to use. Port 443 is the default and is recommended.

    7. In the Certificate Summary Information dialog box, click Next, and then click Finish.

    Validating Installation

    To verify the installation, you can view the server certificate.

    In the Properties dialog box, click Directory Security, and under Secure Communication, click View Certificate. At the bottom of the Certificate dialog box, a message displays indicating that a private key is installed, if a certificate is available.


    In order for the authentication to function, you must add the CA to the Trusted Root CA list.

    To Add a CA to the Trusted Root CA List

    1. Start Internet Explorer and type the URL for your certification authority. For example, if you received your server certificate from the CA that you configured earlier, type http:///certsrv.

    2. Click Download a CA certificate, certificate chain, or CRL, and then click Download CA certificate on the next page as well. In the File download dialog box, click Save this file to disk, and then click OK.

    3. Type a server certificate Name (for example, …), and save the file to the desktop.

    4. Navigate to the desktop. Right-click the file that you created in step 3, and then click Install Certificate. In the Certificate Import Wizard dialog box, click Next.

    5. Click Place all certificates in the following store, and then click Browse. Select the Trusted Root Certification Authorities folder, and then click OK.

    6. Click Next. A dialog box that says that the certificate is being added to the trusted certificate store appears; click Yes to this dialog box. Click Finish, and the message "import successful" displays.

    Backing up Server Certificates

    You can use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can use Certificate Manager, which is called Certificates in Microsoft Management Console (MMC), to export and to back up your server certificates.


    If you do not have Certificate Manager installed in MMC, you must add Certificate Manager to MMC.

    To add Certificate Manager to MMC

    1. From the Start menu, click Run.

    2. In the Open box, type mmc, and then click OK.

    3. On the File menu, click Add/Remove Snap-in.

    4. In the Add/Remove Snap-in dialog box, click Add.

    5. In the Available Standalone Snap-ins list, click Certificates, and then click Add.

    6. Click Computer Account, and then click Next.

    7. Click the Local computer (the computer that this console is running on) option, and then click Finish.

    8. Click Close, and then click OK.

    With Certificate Manager installed, you can back up your server certificate.

    To Back Up Your Server Certificate

    1. Locate the correct certificate store. This store is typically the Local Computer store in Certificate Manager.

    Note: When you have Certificate Manager installed, it points to the correct Local Computer certificate store.

    2. In the Personal store, click the server certificate that you want to back up.

    3. On the Action menu, point to All tasks, and then click Export.

    4. In the Certificate Manager Export Wizard, click Yes, export the private key.

    5. Follow the wizard default settings, and type a password for the server certificate backup file when prompted.


    Note: Do not select Delete the private key if export is successful, because this option disables your current server certificate.

    6. Complete the wizard to export a backup copy of your server certificate.

    After you configure your network to issue server certificates, you must protect your Exchange front-end server and the services for your Exchange server by requiring SSL communication to the Exchange front-end server. The following section describes how to enable SSL for your default Web site.

    Enabling SSL for the Default Web Site

    After you obtain an SSL certificate to use either with your Exchange front-end server on the default Web site or on the Web site where you host the \RPC, \OMA, \Microsoft-Server-ActiveSync, \Exchange, \Exchweb, and \Public virtual directories, you can enable the default Web site to require SSL.

    Note: The \Exchange, \Exchweb, \Public, \OMA, and \Microsoft-Server-ActiveSync virtual directories are installed by default on any Exchange Server 2003 SP2 installation. The \RPC virtual directory for RPC over HTTP communication is installed manually when you configure Exchange Server 2003 SP2 to support RPC over HTTP.

    For information about how to set up Exchange Server 2003 to use RPC over HTTP, see Exchange Server 2003 RPC over HTTP Deployment Scenarios at http://go.microsoft.com/fwlink/?LinkId=62656.

    To Require SSL

    1. In the Internet Information Services (IIS) Manager, select the Default Web site or the Web site where you are hosting your Exchange Server 2003 services, and then click Properties.

    2. On the Directory Security tab, in Secure Communications, click Edit.

    3. In Secure Communications, click the Require Secure Channel (SSL) check box. Click OK.


    4. Depending upon your installation, the Inheritance Overrides dialog box may appear. Select the virtual directories that should inherit the new setting, and then click OK.

    5. On the Directory Security tab, click OK.

    After you complete this procedure, all virtual directories on the Exchange front-end server on the default Web site are configured to use SSL.

    Single Server Configuration (Optional)

    If you have forms-based authentication set up on an Exchange organization for Exchange ActiveSync on an Exchange server with no back-end, additional configuration may be required. For more information about these configurations, see the following article in the Microsoft Knowledge Base:

    Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
    http://go.microsoft.com/fwlink/?LinkId=62660

    Important: Exchange Server 2003 SP2 forms-based authentication does not allow you to set the default domain setting in IIS to anything other than the default domain setting of "\". This restriction is in place in order to support user logons that use the User Principal Name format. If the default domain setting in IIS is changed, Exchange System Manager resets the default domain setting to "\" on the server. You can change this behavior by customizing the Logon.asp page in the OWA virtual directory in IIS to specify your domain or to include a list of domain names.

    Note: If you customize the Logon.asp page in the OWA virtual directory in IIS, your changes may be overwritten if you upgrade or re-install Exchange Server 2003 SP2.

    Configuring Basic Authentication

    The Exchange ActiveSync Web site supports SSL connections as soon as the server certificate is bound to the Web site. However, users still have the option to connect to the Web site by using a non-secure connection. You can require all client mobile devices to successfully negotiate an SSL link before connecting to the Exchange ActiveSync Web site directories.

    We also recommend that you enforce basic authentication on all HTTP directories that the ISA Server makes accessible to external users. In this way, you can take advantage of the ISA Server feature that enables the relay of basic authentication credentials from the firewall to the Exchange ActiveSync Web site.

    Require SSL Connection to the Exchange ActiveSync Web Site Directories

    This prevents all non-authenticated communications from reaching the Exchange ActiveSync Web site and significantly improves the level of security.

    Note: If you plan to use certificate authentication instead of basic authentication, you must deploy SSL by following the instructions for configuring SSL for Exchange ActiveSync in Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.

    You can repeat these steps with the /Exchange, /Exchweb, /Public, and /OMA directories found in the left pane of the IIS MMC console. This can be done to require SSL on the five Web site directories that you can make accessible to remote users:

    /Exchange

    /ExchWeb

    /Public


    /OMA

    /Microsoft-Server-ActiveSync

    To Require an SSL Connection to the Exchange ActiveSync Web Site Directories

    1. Click Start, point to Administrative Tools and then click Internet Information Services (IIS) Manager. In Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console.

    2. Right-click on the Microsoft-Server-ActiveSync directory so that it is highlighted, and then click Properties.

    3. Click Directory Security. In the Authentication and access control frame, click Edit.

    4. In the Authentication Methods dialog box, click to clear all check boxes except for the Basic authentication (password is sent in clear text) check box. Place a check mark in the Basic authentication check box.

    Note: On the back-end (mailbox) server, you must enable Integrated Windows Authentication in order for Exchange ActiveSync to work. Only disable it on the front-end Exchange server.

    5. Click Yes in the dialog box that warns you that the credentials should be protected by SSL. In the Default domain text box, type in your domain name.

    6. Click OK.

    7. In the Exchange Properties dialog box, click Apply, and then click OK.

    8. After you have required basic authentication on the directories that you have chosen, close the Internet Information Services (IIS) Manager console.


    Configure or Update RSA SecurID Agent (Optional)

    If you have chosen to deploy RSA SecurID as an additional security layer, you should set up your Exchange server as an Agent Host within the RSA ACE/Server's database at this point.

    Note: There have been limitations between IIS 6.0 and the RSA/ACE Agent. Be sure to update your RSA/ACE Agent for better compatibility. For more information, see the RSA Security Web site at http://go.microsoft.com/fwlink/?LinkId=63273.

    Protecting IIS by Using UrlScan and IIS Lockdown Wizard

    Before you expose servers to the Internet, we recommend that you protect IIS by turning off all features and services except those that are required. In Windows Server 2003, many IIS features are already disabled unless they are required by the server. On Microsoft Windows 2000 Server, you can protect IIS by downloading and running the IIS Lockdown Wizard.

    For more information about how to install and use IIS Lockdown Wizard, see the following Microsoft Knowledge Base article:

    How to install and use the IIS Lockdown Wizard http://go.microsoft.com/fwlink/?LinkId=62662.

    The IIS Lockdown Tool (version 2.1) is available at the following Microsoft Web site:

    IIS Lockdown Tool (version 2.1) http://go.microsoft.com/fwlink/?LinkId=62663

    Note: To help maximize the security of your Exchange servers, apply all the required updates both before and after you apply the IIS Lockdown Wizard. The updates help the servers remain protected against known security vulnerabilities.

    The IIS Lockdown Wizard helps you disable those IIS features and services that are unnecessary to the server software that you are running. To provide multiple layers of protection against attackers, the IIS Lockdown Wizard also contains UrlScan, which analyzes HTTP requests as IIS receives them and rejects any suspicious requests.

    The IIS Lockdown Wizard also contains a configuration template for Exchange that turns off unwanted features and services. To use this configuration template, run the IIS Lockdown Wizard, select the Exchange template, and then change or accept the default configuration options.

    Download UrlScan separately if you want to run it on Windows Server 2003 SP2. A list of UrlScan features and functionality beyond those provided by IIS 6.0 is available at http://go.microsoft.com/fwlink/?LinkId=62665

    The UrlScan application is installed in the folder //system32/inetsrv/urlscan.

    UrlScan must be correctly configured for use with Exchange Server 2003 SP2. For full details about how to configure UrlScan for use with Exchange Server 2003 SP2, see the following Microsoft Knowledge Base article:

    Fine-tuning and known issues when you use the UrlScan tool in an Exchange Server 2003 SP2 environment http://go.microsoft.com/fwlink/?LinkId=62666

    Required UrlScan Settings

    The following section contains further information about why certain UrlScan settings are required. Unless you configure the following settings in the Urlscan.ini file immediately after you run the IIS Lockdown Wizard, you may experience problems with OWA functionality. Exchange ActiveSync and OWA work in similar ways. If OWA is functioning correctly, then the basic infrastructure for Exchange ActiveSync should function correctly as well.


    AllowDotInPath: Ensure that this setting is set to "1" so that OWA attachments can be accessed and that earlier-version browsers can use OWA.

    FileExtensions: By default, .htr files are disabled. If this file type is disabled, the OWA Change Password feature does not function.

    DenyUrlSequences: In the [DenyUrlSequences] section, sequences that are explicitly blocked can potentially affect access to OWA. Any mail item subject or mail folder name that contains any of the following character sequences is denied access:

    Period (.)
    Double period (..)
    Period and forward slash (./)
    Backslash (\)
    Percent sign (%)
    Ampersand (&)

    If you have additional problems when you attempt OWA requests with UrlScan enabled, check the Urlscan.log file for the list of requests that are being rejected.

    To Configure Urlscan.ini

    1. In the Windows\System32\Inetsrv\Urlscan folder, edit the file Urlscan.ini by using Notepad.

    2. Remove the following characters from the [DenyUrlSequences] section:

    ..
    ./
    \
    %
    &
    :

    3. Review the [AllowVerbs] section and make sure that it contains the following verbs:

    GET
    POST
    PROPFIND
    PROPPATCH
    BPROPPATCH
    MKCOL
    DELETE
    BDELETE
    BCOPY
    MOVE
    SUBSCRIBE
    BMOVE
    POLL
    SEARCH
    HEAD
    PUT
    COPY
    OPTIONS
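    The following checker is an added example, not part of this guide: it parses a Urlscan.ini and reports which of the settings called for under Required UrlScan Settings and in the procedure above (AllowDotInPath, .htr, [DenyUrlSequences], [AllowVerbs]) are still wrong. Section and option names follow UrlScan's own ini layout; the two sample ini texts are constructed, and the .htr check assumes the extension is blocked through a [DenyExtensions] entry.

```python
# Added example (not part of this guide): checks a Urlscan.ini against the
# settings the "Required UrlScan Settings" section calls for. Section and
# option names follow UrlScan's ini layout; the sample ini texts are constructed.

# Verbs the guide says [AllowVerbs] must contain.
REQUIRED_VERBS = [
    "GET", "POST", "PROPFIND", "PROPPATCH", "BPROPPATCH", "MKCOL", "DELETE",
    "BDELETE", "BCOPY", "MOVE", "SUBSCRIBE", "BMOVE", "POLL", "SEARCH", "HEAD",
    "PUT", "COPY", "OPTIONS",
]
# Sequences the guide says to remove from [DenyUrlSequences] so OWA/EAS work.
SEQUENCES_TO_REMOVE = ["..", "./", "\\", "%", "&", ":"]
# UrlScan sections that are plain lists of entries rather than key=value pairs.
LIST_SECTIONS = {
    "allowverbs", "denyverbs", "allowextensions", "denyextensions",
    "denyurlsequences", "denyheaders",
}


def parse_urlscan_ini(text):
    """Parse Urlscan.ini text into {section: dict or list}.

    Key=value sections become dicts keyed by lower-cased option name; list
    sections become lists of entries in file order. Section names are
    lower-cased. Blank lines and full-line ';' comments are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [] if current in LIST_SECTIONS else {})
        elif current is None:
            continue  # entries before the first section header are ignored
        elif current in LIST_SECTIONS:
            sections[current].append(line)
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_urlscan_ini(text):
    """Return a list of findings; an empty list means the file matches the guide."""
    ini = parse_urlscan_ini(text)
    findings = []

    # AllowDotInPath must be 1 so OWA attachments and older browsers work.
    if ini.get("options", {}).get("allowdotinpath") != "1":
        findings.append("[Options] AllowDotInPath must be set to 1")

    # .htr must stay usable or the OWA Change Password feature breaks
    # (assumption: the extension is blocked through [DenyExtensions]).
    if ".htr" in {e.lower() for e in ini.get("denyextensions", [])}:
        findings.append("[DenyExtensions] blocks .htr (OWA Change Password)")

    # Each listed sequence would deny mail items or folders whose name contains it.
    for seq in SEQUENCES_TO_REMOVE:
        if seq in ini.get("denyurlsequences", []):
            findings.append(f"[DenyUrlSequences] still contains {seq!r}")

    # Every verb OWA/EAS use must be allowed.
    allowed = {v.upper() for v in ini.get("allowverbs", [])}
    missing = [v for v in REQUIRED_VERBS if v not in allowed]
    if missing:
        findings.append("[AllowVerbs] is missing " + ", ".join(missing))
    return findings


# Constructed sample: a locked-down ini before the edits in this guide.
BEFORE_INI = """\
[Options]
UseAllowVerbs=1
AllowDotInPath=0
[AllowVerbs]
GET
HEAD
POST
[DenyExtensions]
.exe
.htr
[DenyUrlSequences]
..
./
\\
%
&
:
"""

# Constructed sample: the same ini after the edits in this guide.
AFTER_INI = """\
[Options]
UseAllowVerbs=1
AllowDotInPath=1
[AllowVerbs]
""" + "\n".join(REQUIRED_VERBS) + """
[DenyExtensions]
.exe
[DenyUrlSequences]
; entries removed as the guide directs
"""

if __name__ == "__main__":
    for label, ini in (("before", BEFORE_INI), ("after", AFTER_INI)):
        print(f"{label}: {check_urlscan_ini(ini) or 'OK'}")
```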


    Step 4 - Protect Communications Between the Exchange Server 2003 SP2 Server and Other Servers

    After you enable the security features to help secure the communications between your client mobile devices and the Exchange front-end server, you also must protect the communications between the Exchange front-end server and the back-end servers. We recommend that you use IPSec to encrypt IP traffic.

    HTTP, POP, and IMAP communications between the front-end server and any server with which the front-end server communicates (such as back-end servers, domain controllers, and global catalog servers) are not encrypted. When the front-end and back-end servers are in a trusted physical or switched network, the absence of encryption is not a concern. However, if front-end and back-end servers are kept in separate subnets, network traffic may pass over unsecured areas of the network. The security risk increases when there is greater physical distance between the front-end and back-end servers. In such cases, we recommend that this traffic be encrypted to protect passwords and data.

    Using IPSec to Encrypt IP Traffic

    Windows 2000 and Windows Server 2003 both support Internet Protocol security (IPSec), which is an Internet standard that allows a server to encrypt all IP traffic except IP traffic that uses broadcast or multicast IP addresses. Generally, IPSec is used to encrypt HTTP traffic; however, you can also use IPSec to encrypt Lightweight Directory Access Protocol (LDAP), RPC, POP, and IMAP traffic. With IPSec, you can:

    Configure two servers that are running Windows 2000 or Windows Server 2003 to require trusted network access.

    Use a cryptographic checksum on every packet to transfer data that is protected from modification.

    Encrypt any traffic between the two servers at the IP layer.

    In a front-end and back-end topology, you can use IPSec to encrypt traffic between the front-end and back-end servers that would otherwise not be encrypted.

    For more information about configuring IPSec with firewalls, see the following Microsoft Knowledge Base article:

    How to Enable IPSec Traffic Through a Firewall http://go.microsoft.com/fwlink/?LinkId=62667

    For more information about using IPSec to protect communications, consult the IPSec Information Center at http://go.microsoft.com/fwlink/?LinkId=62668


    Step 5 - Install and Configure an ISA Server 2004 Environment or Other Firewall

    Internet Security and Acceleration (ISA) Server 2004 is the advanced application-layer firewall, virtual private network (VPN), and Web cache solution that improves network security and performance. This section discusses steps for deployment of Exchange Server 2003 SP2 mobile messaging in an ISA environment. You can also use this information to determine what is needed if you are using another firewall service. During this process, you will:

    Install ISA Server 2004

    Create the Exchange ActiveSync publishing rule using Web publishing

    Open port 443 as a Web listener

    Configure the host file entry

    Set the ISA Server 2004 idle session timeout to 1800 seconds (30 minutes)

    Note: Increasing the timeout values maximizes performance of the Direct Push technology and optimizes device battery life.

    Test OWA and Exchange ActiveSync

    Note: If you plan to use certificate authentication, you must use server publishing or tunneling to create your Exchange ActiveSync publishing rule. See the instructions in Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.

    Refer to the Best Practices section, Architecture of a Standard ISA Network, for background on network architecture and SSL setup.

    If you have ISA Server 2000, see Using ISA Server 2000 with Exchange Server 2003 at http://go.microsoft.com/fwlink/?LinkId=62670.

    Installing ISA Server 2004

    Install ISA Server 2004 as a stand-alone firewall on your server. Do not install ISA Server 2004 as part of an ISA Server array, because this requires domain membership. Your ISA server should not be a member server in your Microsoft Windows forest because, if the ISA server is compromised by attacks from the Internet, the attackers can gain access to domain resources if those resources are in the same domain. Additionally, minimize the number of ports that are open to your internal network. Member servers require additional ports for activities such as talking to domain controllers.

    Note: We recommend that you set up both Exchange ActiveSync and OWA on the ISA Server. Having OWA published as well as Exchange ActiveSync will give you greater troubleshooting capabilities.

    To Install ISA Server 2004

    Install and configure Windows Server 2003 on the firewall computer.

    After you install and configure Windows Server 2003 on the firewall computer, go to Windows Update and install all critical security hotfixes and service packs for Windows Server 2003.

    Move the server to a workgroup.

    Remove the server from any domains that it is a member of, and place it in a workgroup.

    Install ISA Server 2004.

    Export the OWA SSL certificate from the Exchange front-end OWA server to a file.


    Creating the Exchange ActiveSync Publishing Rule Using Bridging

    Web publishing rules determine how ISA Server 2004 intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server, and how ISA Server 2004 responds on behalf of the internal Web server.

    During this process, you will be required to provide names for the publishing rule itself, the internal and external Web servers, and the Web listener. Read through these instructions and determine appropriate names before you begin.

    For more information, see Publishing Web Servers Using ISA Server 2004 at http://go.microsoft.com/fwlink/?LinkId=62672.

    Note: If you plan to use certificate authentication, you must use server publishing or tunneling to create your Exchange ActiveSync publishing rule. Skip the next step and follow the instructions in Appendix A. Deploying Exchange ActiveSync Certificate-Based Authentication.

    After you create the Web publishing rule, you will create and configure the Web listener, complete the Web site rule, and update the firewall policy.

    To Create and Name the Exchange ActiveSync Web Publishing Rule

    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node.

    2. Right-click the Firewall Policy node, point to New and then click Mail Server Publishing Rule.

    3. On the Welcome to the New Mail Server Publishing Rule Wizard page, type a name for the rule in the Mail Server Publishing Rule name text box. Click Next.

    4. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option and then click Next.

    5. On the Select Services page, click to select the Exchange ActiveSync check box. Confirm that there is a check mark in the Enable high bit characters used by non-English character sets check box. (If you expect users to read only English-based character sets, you can disable this option by clicking to clear the check box.) For troubleshooting purposes, we recommend that you click to select the Outlook Web Access check box. Click Next.


6. On the Bridging Mode page, click the Secure connection to clients and mail server option, and then click Next.

7. The Secure connection to clients and mail server option creates a Web publishing rule that provides the SSL connection from the client mobile device to the Exchange Web site. This prevents the traffic from moving in the clear, where an intruder can sniff the traffic and intercept valuable information.

8. On the Specify the Web Mail Server page, type the name for the Internal Web site in the mail server text box, and then click Next.

9. This is the name used for the Exchange Server 2003 Web site on the internal network. The name in the request that the ISA Server 2004 firewall sends to the Exchange server on the internal network should be the same as the name on the certificate that is installed on the Exchange ActiveSync Web site.

10. On the Public Name Details page, click the This domain name (type below): option in the Accept requests for list. In the Public name box, type the name that external users will use to access the Exchange ActiveSync Web site, and then click Next.

All incoming Web requests must be received by a Web Listener. A Web Listener may be used in multiple Web publishing rules.

To Create the Web Listener

1. On the Select Web Listener page, click New. With the ISA Server 2004 Web Listener, you have several options:

You can create a separate Web listener for SSL and non-SSL connections on the same IP address.

Based on the number of addresses that are bound to the external interface of the ISA Server 2004 firewall, you can configure separate settings for each listener. The Web Listener settings are not global.

2. On the Welcome to the New Web Listener Wizard page, type a name for the Web Listener in the Web listener name text box, and then click Next.

3. On the IP Addresses page, select the External check box, and then click Address.

4. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the select network option. In the Available IP Addresses list, click the external IP addresses that are on the ISA Server 2004 firewall and that you want to listen for incoming requests to the OWA Web site, and then click Add. The external IP addresses that you selected now appear in the Selected IP Addresses list. Click OK.

5. On the IP Addresses page, click Next.

6. On the Port Specification page, click to clear the Enable HTTP check box, select the Enable SSL check box, and leave the SSL port number at 443.

Note By configuring this Web listener to use only SSL, you can configure a second Web listener that is dedicated for non-SSL connections with different settings.

7. Click Select. In the Select Certificate dialog box, click the Exchange ActiveSync Web site certificate that you imported into the ISA Server 2004 firewall computer's certificate store, and click OK.

Note This certificate will appear in the Select Certificate dialog box only after you have installed the Web site certificate into the ISA Server 2004 firewall computer's certificate store. In addition, the certificate must contain the private key. If the private key was not included, it will not appear in this list.

8. On the Port Specification page, click Next.

9. On the Completing the New Web Listener page, click Finish.

The next step is to configure the Web Listener so that no authentications are configured.

To Configure the Web Listener

1. The details of the Web Listener now appear on the Select Web Listener page. Click Edit.

2. In the SSL Listener Properties dialog box, click the Preferences tab.

3. On the Preferences tab, click Authentication.


4. In the Authentication dialog box, click to clear the Integrated check box. In the Microsoft Internet Security and Acceleration Server 2004 dialog box warning that no authentication methods are currently configured, click OK. Do not select the OWA Forms-Based Authentication check box.

5. In the SSL Listener Properties dialog box, click Apply, and then click OK.

6. On the Select Web Listener page, click Next.

7. On the User Sets page, accept the default entry All Users, and then click Next.

Note Accepting the All Users default entry does not enable all users to access the Exchange Web site. Only users who can authenticate successfully will be able to access the Exchange Web site. The actual authentication is done by the Exchange Web site, which uses the credentials that the ISA Server 2004 firewall has forwarded to it. The ISA Server 2004 firewall and the Exchange Web site cannot both authenticate the user. This means that you must allow All Users access to the rule. An exception to this rule is when users authenticate to the ISA Server 2004 firewall itself by using client certificate authentication.

8. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.

As a final step, you will allow the Exchange Web site to receive the actual IP address of the mobile device.

To Complete the Web Site Rule and Update the Firewall Policy

1. Right-click the EAS Web site rule in the Details pane of the ISA Server Management console, and then click Properties.

2. In the Web site Properties dialog box, click the To tab. On the To tab, click the Requests appear to come from the original client option. This option allows the Exchange Web site to receive the actual IP address of the external client mobile device. This feature enables Web logging add-ons installed on the OWA Web site to use this information when creating reports.


3. Click Apply, and then click OK.

4. Click Apply to save the changes and update the firewall policy.

5. In the Apply New Configuration dialog box, click OK.

The SSL Web site is now available on the external IP address of the ISA server. You may have to make host record changes on your externally-accessible DNS server to map the IP address of the ISA server's external interface to the host record of the SSL Web site.

Configuring the Host File Entry

The next step is to create a HOSTS file entry on the ISA Server 2004 firewall computer so that it resolves the name that you specified for your internal Web mail server to the IP address of the Exchange server that is on the Internal network.

Note You could also use a split DNS infrastructure for this purpose. However, a HOSTS file entry is easier to create. On a production network, you would create a split DNS infrastructure so that the ISA Server 2004 firewall would resolve the FQDN of the OWA Web site to the IP address that the Exchange Server uses on the internal network.

To Configure the Host File Entry

1. Click Start, and then click Run. In the Run dialog box, type Notepad in the Open text box, and then click OK.

2. Click the File menu, and then click Open. In the Open dialog box, type c:\windows\system32\drivers\etc\hosts in the File name text box, and then click Open.

3. Add the following line to the HOSTS file: 10.0.0.2

4. Navigate your cursor to the end of the line so that the insertion point sits on the next line, and then press Enter.

5. Click File, and then click Exit.

6. In Notepad, save the changes to the file, and then close Notepad.


Testing Exchange ActiveSync

You can configure a mobile device to connect to your Exchange server by using Exchange ActiveSync to make sure that ISA Server 2004 and Exchange ActiveSync are working properly.

As an alternative, you can test Exchange ActiveSync by using Internet Explorer.

To test Exchange ActiveSync by Using Internet Explorer

1. Open Internet Explorer. In the Address bar, type https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of your OWA server (the name your end users will type).

2. Type the user name and information that you want to authenticate.

3. If you receive an Error 501/505 "Not implemented" or "Not supported" error message, ISA Server 2004 and Exchange ActiveSync are working together properly.
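The same check as a script, added here as an example that is not part of the guide: it requests the published ActiveSync URL over verified TLS and interprets the HTTP status the way step 3 describes. The host name PUBLISHED_SERVER_NAME is a placeholder you replace, and the 404 interpretation is my own addition.

```python
"""Probe the published Exchange ActiveSync URL and interpret the result."""
import base64
import ssl
import sys
import urllib.error
import urllib.request

# Placeholder for the name your end users type (see step 1 above).
PUBLISHED_SERVER_NAME = "published_server_name.example.com"
EAS_PATH = "/Microsoft-Server-ActiveSync"


def classify_eas_status(status):
    """Map an HTTP status from the EAS virtual directory to a verdict.

    501/505 ("Not implemented"/"Not supported") means a plain browser GET
    reached the ActiveSync handler through ISA Server, so publishing works.
    401 means the request reached Exchange but it wants credentials first.
    403 is what the guide says non-provisionable devices receive when the
    device security policy does not allow them. 404 (my interpretation)
    means the virtual directory is not reachable through the rule.
    """
    if status in (501, 505):
        return "ok: ISA Server and Exchange ActiveSync are working together"
    if status == 401:
        return "auth-required: request reached Exchange, supply credentials"
    if status == 403:
        return "forbidden: check device security policy and listener settings"
    if status == 404:
        return "not-found: EAS virtual directory not reachable through the rule"
    return "unexpected: HTTP %d, inspect the ISA and IIS logs" % status


def probe_eas(host, username=None, password=None, timeout=15):
    """GET the EAS URL and return (status_code, verdict).

    A real device POSTs an ActiveSync command; a bare GET is expected to
    fail with 501/505, which is exactly the success signal the guide uses.
    TLS verification is left on: a certificate error is itself a finding.
    """
    url = "https://%s%s" % (host, EAS_PATH)
    request = urllib.request.Request(url, method="GET")
    if username and password:
        # Basic authentication is what the Exchange Web site, not ISA, checks.
        token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
        request.add_header("Authorization", "Basic " + token)
    context = ssl.create_default_context()  # verifies chain and host name
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 4xx/5xx responses arrive as exceptions
    return status, classify_eas_status(status)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PUBLISHED_SERVER_NAME
    code, verdict = probe_eas(target)
    print(target, code, verdict)
```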


Step 6 - Configure and Manage Mobile Device Access on the Exchange Server

The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. With the combination of the management capabilities and the security and configuration protocols, most of the administration of the mobile devices happens on the Exchange Server or on the Mobile Administration Web tool.

You can do the following on your Exchange Server:

Enable mobile access

Configure security settings

Monitor mobile performance on your Exchange server

Enabling Mobile Access

With your network configured, you can use the Exchange Server System Manager to do the following:

1. Enable Exchange ActiveSync for All Users

2. Enable User Initiated Synchronization

3. Enable Direct Push for All Users

4. Enable Up-to-date Notifications (Optional)

Enable Exchange ActiveSync for All Users

To enable and disable Exchange ActiveSync for your organization, use Exchange System Manager. With the Exchange Server 2003 SP2 installation, Exchange ActiveSync is enabled for all client mobile devices.

However, whenever you add new users to your organization and you want to enable them to use Exchange ActiveSync to access Exchange, use Active Directory Users and Computers to modify the settings for a user or group of users.

The Exchange ActiveSync feature allows users to synchronize their Exchange information with a mobile device.

To Enable Exchange ActiveSync for All Users

1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.

2. In the console tree, double-click Global Settings, right-click Mobile Services and then click Properties.


Enable Up-to-date Notifications (Optional)

If you have an existing mobile messaging setup that includes devices that do not support Direct Push technology, you may want to enable this function.

Enabling up-to-date notifications for your mailbox-enabled recipients allows them to keep the data on their wireless devices up to date. Use the Exchange Features tab to enable this functionality for each user.

Note To use up-to-date notifications, you must also enable user initiated synchronization.

To Enable Up-to-date Notifications

1. On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, expand the domain. Double-click Users, or double-click the node that contains the recipient information you want to modify.

3. In the details pane, double-click the user for whom you want to enable up-to-date notifications.

4. On the Exchange Features tab, under Mobile Services, ensure that User Initiated Synchronization is enabled.

5. Under Mobile Services, select Up-to-date Notifications, and then click Enable.

Configuring Security Settings for Mobile Devices

You can specify security options for your users who connect to Exchange Server using mobile devices. With the Exchange System Manager, you can set the password length and strength as well as control the inactivity time and the number of failed attempts before the device is wiped.

For more information about setting security policies, see Best Practice: Determine and Deploy a Device Password Policy in this document.

Note The term password referenced in this topic refers to the password a user enters to unlock his or her mobile device. It is not the same as a network user password.

The following are the options you can use to set your security policies:

Minimum password length (characters) Use this option to specify the required length of the user's device password. The default setting is 4 characters. You can specify a password length of 4 to 18 characters.

Require both numbers and letters Use this option if you want to require that users choose a password with both numbers and letters. This option is not selected by default.

Inactivity time (minutes) Use this option to specify if you want your users to log on to their devices after a specified number of minutes of inactivity. This option is not selected by default. If selected, the default setting is 5 minutes.

Wipe device after failed (attempts) Use this option to specify if you want the device memory wiped after multiple failed logon attempts. This option is not selected by default. If selected, the default setting is 8 attempts.

Refresh settings on the device (hours) Use this option to specify how often you want to send a provision request to devices. This option is not selected by default. If selected, the default setting is every 24 hours.

Allow access to devices that do not fully support password settings Select this option if you want to allow devices that do not fully support the device security settings to be able to synchronize with Exchange Server. This option is not selected by default.


Note If this option is not selected, devices that do not fully support device security settings (for example, devices that do not support provisioning) will receive a 403 error message when they attempt to synchronize with Exchange Server.
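To reason about a Device Security policy before applying it in Exchange System Manager, the following added example (mine, not the guide's or Exchange's own code) models the options listed above with the defaults and the 4 to 18 character range the guide gives, checks a proposed device unlock password against them, and reports the sync outcome a non-provisionable device gets. The `DeviceSecurityPolicy` class and the function names are assumptions for illustration.

```python
"""Model the Exchange 2003 SP2 Device Security options and evaluate them."""
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH_RANGE = (4, 18)  # the guide: minimum length is configurable from 4 to 18


@dataclass
class DeviceSecurityPolicy:
    """Hypothetical model of the Device Security Settings dialog box."""
    enforce_password: bool = True            # "Enforce password on device"
    min_password_length: int = 4             # default 4 characters
    require_numbers_and_letters: bool = False
    inactivity_minutes: Optional[int] = None      # None: not selected (5 when selected)
    wipe_after_failed_attempts: Optional[int] = None  # 8 when selected
    refresh_hours: Optional[int] = None           # 24 when selected
    allow_non_provisionable: bool = False    # "Allow access to devices that do not fully support..."


def validate_policy(policy: DeviceSecurityPolicy) -> List[str]:
    """Return configuration errors; an empty list means the policy is consistent."""
    errors = []
    lo, hi = MIN_LENGTH_RANGE
    if not lo <= policy.min_password_length <= hi:
        errors.append("minimum password length must be between %d and %d" % (lo, hi))
    for name in ("inactivity_minutes", "wipe_after_failed_attempts", "refresh_hours"):
        value = getattr(policy, name)
        if value is not None and value < 1:
            errors.append("%s must be at least 1 when the option is selected" % name)
    return errors


def check_device_password(policy: DeviceSecurityPolicy, password: str) -> List[str]:
    """Return the reasons a device unlock password violates the policy (empty = OK)."""
    problems = []
    if not policy.enforce_password:
        return problems  # nothing is pushed to the device, so nothing to check
    if len(password) < policy.min_password_length:
        problems.append("shorter than %d characters" % policy.min_password_length)
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    if policy.require_numbers_and_letters and not (has_digit and has_alpha):
        problems.append("must contain both numbers and letters")
    return problems


def sync_status(policy: DeviceSecurityPolicy, device_supports_provisioning: bool) -> int:
    """HTTP status a device can expect on sync under this policy.

    Per the note above, a device that cannot apply the settings gets 403
    unless the allow option is selected; 200 here simply means the sync proceeds.
    Treating an unenforced policy as "nothing to apply" is my assumption.
    """
    if (policy.enforce_password and not device_supports_provisioning
            and not policy.allow_non_provisionable):
        return 403
    return 200


if __name__ == "__main__":
    strict = DeviceSecurityPolicy(min_password_length=6, require_numbers_and_letters=True,
                                  inactivity_minutes=5, wipe_after_failed_attempts=8)
    print(validate_policy(strict))                      # []
    print(check_device_password(strict, "1234"))        # two problems
    print(sync_status(strict, device_supports_provisioning=False))  # 403
```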

To Configure Security Settings for Mobile Devices

1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.

2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.

3. In Mobile Services Properties, click Device Security.

4. To specify the device security options, select Enforce password on device, and then configure the options according to the policies you have set.

5. Click OK.

You can specify the users who you want to be exempt from the settings that you have configured in the Device Security Settings dialog box. This exceptions list is useful if you have specific, trusted users of whom you do not need to require device security settings.

To Specify the Users Who are Exempt from Device Security Settings

1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.

2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.

3. In Mobile Services Properties, click Device Security.

4. In Device Security Settings, click Exceptions.

5. Use the options in the Device Security Exception List dialog box to select the user or group of users who you want to be exempt from settings that you have configured in the Device Security Settings dialog box.

6. To specify that a user be exempt from device security settings, click Add. In Select User, specify a user or group of users, and then click OK. For information about how to specify users, in the Select Users dialog box, click ? in the title bar, and then click the option you want to learn more about.


You can download the Exchange Management Pack from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=55885.

The Exchange Server Management Pack Guide for MOM 2005 explains how to use the Exchange Management Pack to monitor and maintain messaging resources.

You can download the management pack guide from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=58794.


Step 7 - Install the Exchange ActiveSync Mobile Administration Web Tool

The Microsoft Exchange ActiveSync Mobile Administration Web tool enables administrators to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices.

By using the Exchange ActiveSync Mobile Administration Web tool, administrators can perform the following actions:

View a list of all devices that are being used by any enterprise user.

Select or cancel the selection of devices to be remotely erased.

View the status of pending remote erase requests for each device.

View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices that those commands pertained to.

Download the Tool

The Exchange ActiveSync Mobile Administration Web tool is available for download from the following Tools for Exchange Server 2003 Web site: http://go.microsoft.com/fwlink/?LinkId=54738.

Installing the Mobile Administration Web tool

To install the Exchange ActiveSync Mobile Administration Web tool on a front-end server that runs Exchange Server 2003 SP2, run the .msi package. The installation package creates the MobileAdmin virtual directory, through which the tool can be accessed.

When installed correctly, the Exchange ActiveSync Mobile Administration Web tool is available from any remote computer that has an Internet browser that can access the virtual directory associated with the tool. However, to access the Exchange ActiveSync Mobile Administration Web tool from the same computer upon which it is installed, you must use one of the following approaches:

Add the server name to the Local intranet list for Internet Explorer: In Internet Explorer, click Tools, click Internet Options, click Security, click Local intranet, and then click Sites.

Use localhost as the server name when specifying the mobileAdmin URL in the browser (for example, https://localhost/mobileAdmin).

Adding Administrators

By default, access to the Exchange ActiveSync Mobile Administration Web tool is restricted to Exchange administrators and to local administrators. A user from either of these groups can enable additional users to access the tool by modifying the security settings on the MobileAdmin folder in the installation directory. You make this change by right-clicking the folder, and then selecting Sharing & Security, which displays the Insert Folder Security properties dialog box.

By using this user interface, an administrator can add a user or group by clicking Add and then entering the name of the user or group to which the administrator wants to grant access. Similarly, a user or group can be removed by selecting that user or group and then clicking Remove.


Step 8 - Manage and Configure Mobile Devices

As a Systems Administrator using Exchange Server 2003 SP2, you now have tools with which to set and enforce your mobile device security policies. You can also control some features on the mobile devices by using provisioning tools.

This section provides instructions and pointers for doing the following administrative tasks:

Set Up a Connection to Exchange Server

Initiate and Track Remote Wipe on Mobile Devices

Provision or Configure Mobile Devices

Setting Up a Connection to Exchange Server

Your users can use ActiveSync to partner their Windows Mobile 5.0-based device with an Exchange server by using a USB cable from a desktop computer that is connected to your network. Or they can connect directly to the Exchange server from the device itself if it has phone or Wi-Fi capability.

Note You may want to point your users to the step-by-step instructions for using ActiveSync and other features on Smartphones and Pocket PCs available at http://go.microsoft.com/fwlink/?LinkId=37728.

Connecting to Exchange Server Using a Desktop Computer

The ActiveSync Wizard will walk your users through the synchronization process.

Important Before a USB sync connection can be made, ActiveSync must be installed on the user's desktop computer. An ActiveSync setup disk may accompany the device or it can be downloaded.

As the ActiveSync Wizard is run from a desktop computer that is connected to the corporate network, the user will have the option to connect directly to the Exchange Server.

To connect directly to the Exchange Server, your users will need the following information:

The path and domain name of the Exchange server.

Their Exchange user name and password.

Note Direct Push technology and security policy enforcement will be effective only when the devices are synchronized directly with the Exchange server. We do not recommend that you synchronize your mobile device only with the desktop computer.

Also in the ActiveSync Wizard, the user can choose which types of data, such as contacts, calendar, tasks, and e-mail, to synchronize with the device. You may advise your users to uncheck any data types that should not be stored on their mobile devices.

Connecting Directly to Exchange Server

The user can use a Windows Mobile 5.0-based device to synchronize directly with Exchange Server.

If Exchange server access was previously set by using ActiveSync on the desktop computer, the information should already be available when direct synchronization is tried.

On the mobile device, the user can click ActiveSync, choose Menu and select Add Server Source. After adding the server path, domain name, user name and password, the user connects directly to the Exchange Server.

Initiating and Tracking Remote Wipe on Mobile Devices

The remote wipe feature of the Messaging and Security Feature Pack is managed by using the Microsoft Exchange ActiveSync Mobile Administrative Web tool. This tool enables you to manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are connected to the Exchange server wirelessly.

Using the Mobile Administration Web tool

The Welcome Screen presents the Administrator with a list of available administrative options. Select one of these options to start the associated Web page. The following options are displayed on the Welcome page.

Remote Wipe Run a remote wipe command for a lost or stolen mobile device

Transaction Log View a log of administrative actions, noting time/action/user

Running and Monitoring a Remote Device Wipe

The Remote Device Wipe administrator console provides the following functions:

Issue a remote wipe command for a lost or stolen mobile device.

To issue a remote wipe command, search for a user's mobile devices by specifying the user's name. The tool displays the device ID, device type, and the time the device last synchronized with the server for each of the user's devices. Locate the desired device, and then click Wipe. The tool then displays the up-to-date status for the device, displaying when or if the device has been successfully wiped.

View the status on a pending remote wipe command.

When a Wipe action is specified for a device, it stays active until the administrator specifies otherwise. This means that, after the initial remote wipe has been completed, the server continues to send a remote wipe directive if the same device ever tries to reconnect.

Undo (cancel) a remote wipe command if a lost or stolen device is recovered.

If a lost device is recovered, the administrator can cancel this directive to enable the device to successfully connect again. You cancel the wipe by locating the mobile device that has the remote wipe action set, and then clicking Cancel Wipe.

Delete a device partnership.

The administrator can use the remote wipe console to delete a device partnership from the server. This action has the effect of cleaning up all state associated with a specified device on the server and is primarily useful for housekeeping purposes. If a device tries to connect after its partnership has been deleted, it will be forced to re-establish that partnership with the server through a recovery process that is transparent to both the IT administrator and the device user. This action is carried out by locating the mobile device, and then clicking Delete.


Viewing a Log of Remote Wipe Transactions

The transaction log displays the following information for all critical administrative actions performed with the Exchange ActiveSync Mobile Administration Web tool:

DateTime Date and time when the action was executed

User The user who executed the action

Mailbox The mailbox that the action pertained to

DeviceID The device that the action pertained to

Type The type of device that the action pertained to

Action The action taken by the administrator
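Because a wipe directive stays active until an administrator cancels it, and because the log records which administrator issued which wipe, the transaction log is worth reviewing rather than just viewing. The following added example (mine, not the tool's own code) audits a log with the six columns listed above: it lists devices whose wipe is still active, counts wipes per administrator, and flags an administrator who issues a burst of wipes in a short window. The guide gives no export format and no action names, so the tab-separated sample, the action strings Wipe, Cancel Wipe and Delete, and the account names are constructed for illustration; treating Delete as clearing the directive follows the guide's statement that deleting a partnership removes all server state for the device.

```python
"""Audit a (constructed) export of the Mobile Administration Web tool transaction log."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample; column names are the six listed in the guide.
SAMPLE_LOG = """DateTime\tUser\tMailbox\tDeviceID\tType\tAction
2006-03-01 09:12:00\tCONTOSO\\admin1\tjdoe\tDEV0001\tPocketPC\tWipe
2006-03-01 09:40:00\tCONTOSO\\admin1\tjdoe\tDEV0001\tPocketPC\tCancel Wipe
2006-03-02 22:05:00\tCONTOSO\\admin2\tasmith\tDEV0002\tSmartphone\tWipe
2006-03-02 22:06:00\tCONTOSO\\admin2\tbjones\tDEV0003\tSmartphone\tWipe
2006-03-02 22:07:00\tCONTOSO\\admin2\tcwhite\tDEV0004\tSmartphone\tWipe
2006-03-03 10:00:00\tCONTOSO\\admin1\tdbrown\tDEV0005\tPocketPC\tDelete
"""
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Parse the tab-separated export into a list of row dictionaries, in log order."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def active_wipes(rows):
    """Map DeviceID -> Mailbox for devices whose wipe directive is still active.

    A Wipe stays active until cancelled; Cancel Wipe clears it, and Delete
    removes all server state for the device, so it clears it too.
    """
    state = {}
    for row in rows:
        if row["Action"] == "Wipe":
            state[row["DeviceID"]] = row["Mailbox"]
        elif row["Action"] in ("Cancel Wipe", "Delete"):
            state.pop(row["DeviceID"], None)
    return state


def wipes_per_admin(rows):
    """Count Wipe actions per administrator account for accountability reporting."""
    return Counter(row["User"] for row in rows if row["Action"] == "Wipe")


def burst_wipes(rows, threshold=3, window_minutes=10):
    """Return admins who issued >= threshold wipes within window_minutes.

    A burst of wipes is unusual for a lost-device process and is worth a
    second look (mistake, or a misused administrator account).
    """
    times_by_admin = defaultdict(list)
    for row in rows:
        if row["Action"] == "Wipe":
            times_by_admin[row["User"]].append(datetime.strptime(row["DateTime"], TIME_FORMAT))
    window = timedelta(minutes=window_minutes)
    flagged = []
    for admin, times in times_by_admin.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(admin)
                break
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("active wipes:", active_wipes(rows))
    print("wipes per admin:", dict(wipes_per_admin(rows)))
    print("burst wipes:", burst_wipes(rows))
```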

Configuring the Windows Mobile 5.0-based Device

If you are working with a mobile operator or mobile device manufacturer to deploy your Windows Mobile 5.0-based devices, you may be able to acquire devices that have been pre-configured with the features and settings to fit your needs.

You can use the device provisioning tools that are available in the Windows Mobile 5.0 Software Development Kit (SDK) to configure settings on the devices; to add, update, and remove software; or to change functionality.

Note You must have either manager access to the Windows Mobile 5.0-based devices or the ability to run trusted code on them in order to use the provisioning tools. Check with your mobile operator or device manufacturer for more information on the application security settings on your devices.

See the Managing Devices section of the SDK for detailed information. The SDK documentation is included in the MSDN Library at http://go.microsoft.com/fwlink/?LinkId=63274. The SDK documentation and tools are available at no charge from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=63275.

Note Be aware that there are two versions of Windows Mobile 5.0 software: Microsoft Windows Mobile Version 5.0 software for Pocket PCs and Microsoft Windows Mobile Version 5.0 software for Smartphones. While working in the SDK, follow references and directions for the version on your devices, as some procedures are different for the two versions.

Overview of Provisioning

Provisioning a Windows Mobile 5.0-based device involves creating a provisioning XML file that contains configuration information, and then sending the file to the device. Configuration Manager and Configuration Service Providers configure the device based on the contents of the provisioning XML file.

The Configuration Manager is the central authority that processes the provisioning XML file. Configuration Service Providers carry out all configuration queries and changes. After the data is