Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

Posted by snortfearServers, Dec 4, 2013

Microsoft Corporation

Published: February 15, 2008









Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Office Outlook, Visual Basic, Windows Mobile and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


Contents

Introduction ... 1
  Document Structure ... 1
  Deploying Mobile Messaging: Introduction ... 1
  Assumptions ... 1
  Software Requirements ... 2
  Optional Items ... 3
  Deployment Process Summary ... 3
  Planning Resources ... 4
Messaging and Security Feature Pack Overview ... 5
  Features ... 5
  Security Features ... 6
  Advanced Security Features ... 7
  Administering the Messaging and Security Feature Pack ... 8
Understanding the Direct Push Technology ... 10
  Direct Push Technology ... 10
Network Architecture Alternatives ... 16
  Deployment Options ... 16
  ISA Server 2006 as an Advanced Firewall in a Perimeter Network ... 23
  Deployment with ISA Server in a Perimeter Network ... 27
  Deployment on a Single Server ... 28
  Forms-based Authentication ... 29
  Deployment with the Exchange Front End Server in a Perimeter Network ... 30
  VPN Configuration ... 30
Best Practices for Deploying a Mobile Messaging Solution ... 31
  Network Configuration ... 31
  Security: Authentication and Certification ... 32
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices ... 35
  Deployment Process Overview ... 35
  Step 1: Upgrade to Exchange Server 2003 SP2 ... 36
    How to Upgrade to Exchange Server 2003 SP2 ... 36
  Step 2: Update All Servers with Security Patches ... 37
  Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server ... 37
    Deploying SSL to Encrypt Messaging Traffic ... 38
    Enabling SSL for the Default Web Site ... 49
    Configuring Basic Authentication ... 51
    Protect IIS by Limiting Potential Attack Surfaces ... 54
  Step 4: Protect Communications Between the Exchange Server and Other Servers ... 56
    Using IPSec to Encrypt IP Traffic ... 56
  Step 5: Install and Configure ISA Server 2006 or Other Firewall ... 57
    Install ISA Server 2006 ... 58
    Install a Server Certificate on the ISA Server Computer ... 58
    Create the Exchange ActiveSync Publishing Rule ... 62
    Configure ISA Server 2006 for LDAP Authentication ... 73
    Set the Idle Session Timeout for All Firewalls and Network Appliances to 1800 seconds ... 76
    Test Exchange Publishing Rule ... 76
  Step 6: Configure and Manage Mobile Device Access on the Exchange Server ... 77
    Configuring Mobile Access ... 78
    Configuring Security Settings for Mobile Devices ... 82
    Monitoring Mobile Performance on Exchange Server 2003 SP2 ... 86
  Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool ... 87
    Download the Mobile Administration Web Tool ... 87
  Step 8: Manage and Configure Mobile Devices ... 89
    Setting Up a Mobile Device Connection to Exchange Server ... 89
    Using the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices ... 92
    Provisioning or Configuring the Windows Mobile 5.0-based Device ... 94
Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication ... 98
  Configuring the Firewall for Certificate-based Authentication ... 98
  Software Requirements for Certificate-Based Authentication ... 98
  Downloading the Certificate Enrollment Tool ... 99
  System Requirements for the Certificate Enrollment Tool ... 99
  Steps to Enable Certificate-Based Authentication ... 100
    Configuring Exchange Server 2003 Front-End Server ... 100
    Configure Kerberos Constrained Delegation ... 100
    Configure Servers to be Trusted for Delegation ... 101
    Configure Windows Mobile Certificate Enrollment ... 101
    Overview of Certificate Enrollment Configuration ... 101
Appendix B: Install and Configure an ISA Server 2004 Environment ... 104
  Installing ISA Server 2004 ... 105
  Creating the Exchange ActiveSync Publishing Rule Using Web Publishing ... 106
  Configuring the Hosts File Entry ... 111
  Setting the ISA Server 2004 Idle Session Timeout ... 113
  Testing OWA and Exchange ActiveSync ... 113
    Testing OWA ... 114
    Testing Exchange ActiveSync ... 114
Appendix C: Troubleshooting a Mobile Messaging Solution ... 115
  Logging and Troubleshooting Tools ... 115
    Monitoring Mobile Performance on Exchange Server 2003 SP2 ... 115
    ISA Server Best Practices Analyzer ... 116
  Issues Related to Direct Push Technology ... 116
    General Direct Push Troubleshooting Tips ... 116
    Path Troubleshooting Direct Push ... 117
    Verify Direct Push Initialization ... 118
    Troubleshooting Direct Push Using Logs ... 120
    Push Mail and GAL Lookup missing when syncing to Exchange 2003 SP2 with a MSFP Device ... 122
  Issues Related to ISA Server 2006 ... 125
    Double Authentication Required after Upgrading from ISA Server 2004 ... 125
    Log Off when the User Leaves Site Feature Removed ... 125
    Windows Mobile Users Receive Error 401 Unauthorized ... 125
    Users Receive Access Denied Error Message ... 125
  Certificate Implementation Issues on the Server ... 128
  Communication Issues between the Front-end and Back-end Exchange Servers ... 128
  Frequently Asked Questions ... 128
Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device ... 129
  Creating the Provisioning XML to Install a Certificate to the Root Store ... 130
  Creating a .cab File that Contains the Provisioning XML ... 132
  Distributing the CAB Provisioning File ... 132



Introduction

This document is designed primarily for Information Technology (IT) professionals who are responsible for planning and deploying mobile messaging systems that use Microsoft Exchange Server 2003 with Service Pack 2 (SP2) and Windows Mobile-based devices that have the Messaging and Security Feature Pack (MSFP).

Document Structure

This document is divided into two main sections:

- The essential elements of a mobile messaging system, including system requirements; a summary of deployment procedures; an overview of the features of the Messaging and Security Feature Pack; an introduction to direct push technology; a summary of ISA Server 2006 features; and best practices for networking, security, and device management.

- The guidelines and resources for the deployment of a mobile messaging system, including updating Exchange Server 2003 SP2, setting up Microsoft Exchange ActiveSync for mobile access, creating a protected communications environment, setting up an ISA Server 2006 environment, and procedures for setting up and managing mobile devices.

For current information about deploying mobile messaging solutions and managing Windows Mobile-based devices, visit the Windows Mobile Center Web site: http://go.microsoft.com/fwlink/?LinkId=109211

Deploying Mobile Messaging: Introduction

This guide provides best practices and procedures for implementing a mobile messaging system with Microsoft® Windows Mobile® 6 devices and Microsoft Exchange Server 2003 SP2.

Assumptions

This document assumes that you have an understanding of Microsoft Office Outlook® Web Access, Exchange ActiveSync, Hypertext Transfer Protocol (HTTP), basic Exchange Server 2003 concepts, and basic Microsoft Windows Internet Information Services (IIS) concepts.


Software Requirements

The following table presents the operating systems and applications that are required for the recommended deployment.

Location: Exchange front-end server
Software requirements:
  - Microsoft Exchange Server 2003 SP2
  - Microsoft Windows Server 2003 with Service Pack 1 (SP1), or Microsoft Windows 2000 Server with Service Pack 4 (SP4)

Location: Additional Exchange server(s)
Software requirements:
  - Microsoft Exchange Server 2003 or later
  - Microsoft Windows Server 2003 with Service Pack 1 (SP1), or Microsoft Windows 2000 Server with Service Pack 4 (SP4)

Location: LDAP server
Software requirements:
  - Windows Server 2003 or Windows 2000 Server

Location: Exchange server where the Exchange ActiveSync Mobile Administration Web tool is installed
Software requirements:
  - Microsoft Exchange Server 2003 SP2
  - Microsoft Windows Server 2003 with Service Pack 1 (SP1)
  - Internet Information Services (IIS) 6.0

Location: Mobile devices
Software requirements:
  - Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack

Note: Windows Mobile 5.0-based devices that have a version number of 148xx.2.x.x or later include the Messaging and Security Feature Pack. To find the operating system version on the device, select Start, choose Settings, and then select About.


Optional Items

The following optional components provide additional security and device management capabilities. See Network Architecture Alternatives in this document.

- Microsoft Desktop ActiveSync 4.1 or later, which can be downloaded from this Microsoft download Web site: http://go.microsoft.com/fwlink/?LinkId=109212
- Microsoft Internet Security and Acceleration (ISA) Server 2006 (or ISA Server 2004 or a third-party firewall)
- Windows Certification Authority (CA)
- RSA Authentication Manager 6.0 from RSA Security
- RSA Authentication Agent for Microsoft Windows from RSA Security
- RSA SecurID Authenticator from RSA Security

Deployment Process Summary

Because corporate network configurations and security policies vary, the deployment process will vary for each mobile messaging system installation. This deployment process includes the required steps and the recommended steps for deploying a mobile messaging solution that uses Exchange Server 2003 SP2 and Windows Mobile 5.0-based devices.

Note: The following steps outline the process for setting up a mobile messaging solution with ISA Server 2006 in a workgroup in a perimeter network, with LDAP authentication. For more information on alternative network configurations, see Network Architecture Alternatives in this document.

The process can be accomplished in the following eight steps:

- Step 1: Upgrade Front-End Server to Exchange Server 2003 SP2
- Step 2: Update All Servers with Security Patches
- Step 3: Protect Communications with Mobile Devices
- Step 4: Protect Communications Between the Exchange Server and Other Servers
- Step 5: Install and Configure ISA Server 2006 or Other Firewall
- Step 6: Configure Mobile Device Access on the Exchange Server
- Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
- Step 8: Manage and Configure Mobile Devices


Planning Resources

The following Microsoft Web sites and technical articles provide background information that is important for the planning and deployment of your mobile messaging solution.

Exchange Server 2003
- Planning an Exchange Server 2003 Messaging System
- Exchange Server 2003 Client Access Guide
- Exchange Server 2003 Deployment Guide
- Windows Server 2003 Deployment Guide
- Using ISA Server 2004 with Exchange Server 2003
- Windows Server 2003 Technical Reference
- IIS 6.0 Deployment Guide (IIS 6.0)

Microsoft Exchange Server
- Exchange Server 2003 Technical Documentation Library

Windows Mobile
- Supporting Windows Mobile-based Devices within the Enterprise: Corporate Guidelines for Each Stage of the Device's Lifecycle (white paper)
- TechNet Windows Mobile Center

ISA Server
- Secure Application Publishing
- Publishing Exchange Server 2003 Active Sync with ISA Server 2006

Security
- Security Considerations for Windows Mobile Messaging in the Enterprise (white paper)
- Security Model for Windows Mobile 5.0 and Windows Mobile 6 (white paper)
- Windows Mobile Security Web site
- TechNet Security Center


Messaging and Security Feature Pack Overview

The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.

Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack gives you the following capabilities:

- With direct push technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.
- You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.
- You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.
- You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.

Features

These MSFP features improve essential communications for mobile workers.

Direct Push Technology

The direct push technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user's mobile device. Direct push works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. The direct push technology uses an established HTTP or HTTPS connection between the device and the Exchange server; previous solutions required the use of Short Message Service (SMS), which is no longer required. No special configuration is required on the mobile device, and you can keep your standard data plan since the service is world-capable and requires no additional software or server installations other than Exchange Server 2003 SP2.

For an in-depth discussion of the direct push technology, see Understanding the Direct Push Technology in this document.


Exchange ActiveSync

Exchange ActiveSync is an Exchange synchronization protocol that is designed for keeping your Exchange mailbox synchronized with a Windows Mobile 5.0-based device. Exchange ActiveSync is optimized to deal with high-latency/low-bandwidth networks, and also with low-capacity clients that have limited amounts of memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is a part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:

- The consistency of the familiar Outlook experience for users
- No extra software is required to install or configure devices
- Global functionality that is achieved via standard data access phone service

Global Address List Access

Support for over-the-air lookup of global address list (GAL) information stored on Exchange Server. With the Messaging and Security Feature Pack, mobile device users are able to receive contact properties for individuals in the GAL. These properties can be used to search remotely for a person quickly based on name, company, or other attributes. Users get all of the information they need to reach their contacts without having the data stored on their device.

Security Features

Security features help protect personal and corporate files on mobile devices.

Remotely Enforced Device Security Policies

Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. You can specify the length of the password, require usage of a character or symbol, and designate how long the device has to be inactive before prompting the user for the password again.

An additional setting, wipe device after failed attempts, allows you to delete all data and certificates on the device after the user enters the wrong password a specified number of times. The user will see a series of alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens. External memory, such as a secure digital (SD) card, is not erased.

You can also specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.

The device security policies are managed from Exchange System Manager's Mobile Services Properties interface.


Remote Device Wipe

The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device was connected using direct push technology, the wipe process will be initiated immediately and should take place in seconds. If you have used the enforced lock security policy, the device is protected by a password and local wipe, so the device can receive calls, but will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.

The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:

- View a list of all devices that are being used by any user.
- Select or de-select devices to be remotely erased.
- View the status of pending remote erase requests for each device.
- View a transaction log that indicates which administrators have been delegated the ability to issue remote erase commands, in addition to the devices those commands pertained to.
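The following Python model is an added illustration and is not code from this guide, from Exchange Server, or from Windows Mobile. It walks through the sequence that the two subsections above describe in prose: the policy handed to a device when it synchronizes, refusal of a device that cannot enforce the policy unless non-compliant devices are allowed, the password check, the inactivity lock, the warning countdown on failed unlock attempts, the local wipe that clears internal memory including the stored certificate but leaves the SD card alone, and a remote wipe that is honoured even while the device is locked. The class and field names, the default thresholds and the sample device contents are assumptions chosen for illustration.

```python
"""Model of remotely enforced device security policy and wipe.

Added illustration, not code from the guide or from Windows Mobile. Names,
thresholds and the sample device contents below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class MobilePolicy:
    """Settings an administrator sets under Mobile Services Properties (names assumed)."""
    min_password_length: int = 6
    require_alphanumeric: bool = True      # letters plus at least one digit or symbol
    inactivity_timeout_s: int = 900        # lock after 15 minutes idle
    wipe_after_failed_attempts: int = 8
    allow_non_compliant_devices: bool = False


def password_meets_policy(password: str, policy: MobilePolicy) -> bool:
    """Length and character-class checks applied when the user sets a password."""
    if len(password) < policy.min_password_length:
        return False
    if policy.require_alphanumeric:
        has_letter = any(c.isalpha() for c in password)
        has_other = any(not c.isalpha() for c in password)
        return has_letter and has_other
    return True


@dataclass
class Device:
    """Device-side state. supports_policy=False models a device without MSFP."""
    supports_policy: bool = True
    policy: Optional[MobilePolicy] = None
    password: Optional[str] = None
    # Constructed sample contents: internal memory holds mail and the client
    # certificate with its private key; the SD card holds user files.
    internal: dict = field(default_factory=lambda: {
        "mail": ["msg-1", "msg-2"], "client_cert": "cert+key"})
    sd_card: dict = field(default_factory=lambda: {"photos": ["img-1"]})
    locked: bool = False
    last_activity: int = 0
    failed_attempts: int = 0
    wiped: bool = False

    def set_password(self, password: str) -> None:
        if self.policy and not password_meets_policy(password, self.policy):
            raise ValueError("password does not meet the enforced policy")
        self.password = password

    def check_lock(self, now: int) -> bool:
        """Lock once the device has been idle for the policy's timeout."""
        if self.policy and now - self.last_activity >= self.policy.inactivity_timeout_s:
            self.locked = True
        return self.locked

    def unlock(self, attempt: str, now: int) -> str:
        """A correct password unlocks and resets the counter; wrong ones count down."""
        if self.wiped:
            return "wiped"
        if attempt == self.password:
            self.failed_attempts = 0
            self.locked = False
            self.last_activity = now
            return "unlocked"
        self.failed_attempts += 1
        if self.policy is None:
            return "wrong password"
        remaining = self.policy.wipe_after_failed_attempts - self.failed_attempts
        if remaining <= 0:
            self._local_wipe()
            return "wiped"
        return f"warning: {remaining} attempts left before wipe"

    def remote_wipe(self) -> str:
        """A remote erase request is honoured even while locked; the device reports back."""
        self._local_wipe()
        return "wiped"

    def _local_wipe(self) -> None:
        # Everything in internal memory goes, certificate and private key included;
        # external storage (the SD card) is not erased, as the guide notes.
        self.internal = {}
        self.password = None
        self.wiped = True


def apply_policy_at_sync(policy: MobilePolicy, device: Device) -> str:
    """Server-side decision when the device synchronizes."""
    if not device.supports_policy:
        return "allowed_non_compliant" if policy.allow_non_compliant_devices else "refused"
    device.policy = policy
    if device.password is None or not password_meets_policy(device.password, policy):
        return "needs_password"     # the device prompts the user before mail syncs
    return "ok"


if __name__ == "__main__":
    policy = MobilePolicy(wipe_after_failed_attempts=3)
    dev = Device()
    print(apply_policy_at_sync(policy, dev))   # needs_password
    dev.set_password("abc123")
    print(apply_policy_at_sync(policy, dev))   # ok
    for guess in ("x", "y", "z"):
        print(dev.unlock(guess, now=1000))     # two warnings, then wiped
    print(dev.internal, dev.sd_card)           # {} {'photos': ['img-1']}
```

The order of checks matters in practice: a device without MSFP is turned away before any policy is pushed to it, the password prompt happens before mailbox data is synchronized, and the wipe fires on the last allowed failure rather than one attempt later, so the warning the user sees at "1 attempt left" is the final one.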

Advanced Security Features

The advanced security features in MSFP can be used to meet more stringent security requirements.

Certificate-Based Authentication

If SSL with basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smartcard. The private key and certificate for client authentication are stored in memory on the device. However, if an unauthorized user attempts to brute-force the power-on password for the device, all user data is purged, including the certificate and private key.

For more information, see Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.

Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download Center Web site.


Support for S/MIME Encrypted Messaging

The Messaging and Security Feature Pack for Windows Mobile 5.0 provides native support for digitally signed, encrypted messaging. When encryption with Secure/Multipurpose Internet Mail Extensions (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.

The S/MIME control:

- Is a standard for security-enhanced e-mail messages that use a Public Key Infrastructure (PKI) to share keys
- Offers sender authentication by using digital signatures
- Ensures that only the intended recipient can read the message
- Encrypts e-mail data at rest on the device to protect privacy
- Works well with any standards-compliant e-mail client
- Requires the use of a smart card reader

For guidance on how to implement the S/MIME control with Microsoft® Exchange Server 2003 SP2, see the Exchange Server Message Security Guide.

Administering the Messaging and Security Feature Pack

Safeguards like password policies and remote wipe capabilities provide you with the security features to help you protect your organization's data. With the combination of the management capabilities built into Exchange Server 2003 SP2 and the security and configuration protocols included in the Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack, your control over mobile devices has been streamlined. You will see that most of the administration of the security features for the mobile device happens on the Exchange Server or on the Exchange ActiveSync Mobile Administration Web tool.

The following table summarizes the features and the settings required on the Exchange Server or on the mobile device.

Feature: Exchange direct push technology
  Exchange Server settings:
    - Enabled by default with Exchange Server 2003 SP2
    - Protect configuration with firewall or ISA Server
    - Extend session timeout on all firewalls and network appliances
  Mobile device settings:
    - No preliminary device setup required. The device automatically switches from SMS to direct push technology when it synchronizes with ActiveSync. User steps through the ActiveSync wizard upon login to the Exchange server.

Feature: Exchange ActiveSync
  Exchange Server settings:
    - Enabled by default with Exchange Server 2003 SP2
    - Set parameters by using Exchange System Manager's Mobile Services Properties
  Mobile device settings:
    - No preliminary device setup required; user steps through the ActiveSync wizard upon login to the Exchange server.

Feature: Wireless access to global address list (GAL)
  Exchange Server settings:
    - Default Exchange Server setup
    - Requires Outlook Web Access published on Exchange Server
  Mobile device settings:
    - No preliminary device setup required
    - Privileged devices have automatic access to GAL

Feature: Remotely enforced IT policy
  Exchange Server settings:
    - Enable direct push technology in Exchange ActiveSync
    - Use Exchange System Manager's Mobile Services Properties to apply policies
  Mobile device settings:
    - No preliminary device setup required; user steps through the ActiveSync wizard upon login to the Exchange server and accepts IT policies.

Feature: Remote wipe
  Exchange Server settings:
    - Enable direct push technology in Exchange ActiveSync
    - Use the Mobile Administration Web tool to initiate, track, and cancel the remote wipe
  Mobile device settings:
    - No preliminary device setup required; user steps through the ActiveSync wizard upon login to the Exchange server and accepts IT policies.

Feature: Certificate-based authentication
  Exchange Server settings:
    - Install certificate on Exchange server
    - Deploy Desktop ActiveSync 4.1 or later to desktops
    - Use the Certificate Enrollment tool to configure the devices via ActiveSync
  Mobile device settings:
    - Initial certificate enrollment and renewal using Desktop ActiveSync is required.

Feature: S/MIME mobile device support
  Exchange Server settings:
    - Deploy an Exchange Server 2003 messaging system with PKI security
  Mobile device settings:
    - Install certificate enrollment protocol and key on the device


Understanding the Direct Push Technology

The direct push technology uses Exchange ActiveSync to keep data on a Windows Mobile-based device synchronized with data on a Microsoft Exchange server. There is no longer a reliance on SMS for notification.

Direct Push Technology

The direct push technology has two parts: one part resides on the device (client), and the other resides on an Exchange Server 2003 SP2 mail server. The following list describes these parts of the technology:

- Windows Mobile-based device with MSFP. The ActiveSync technology on the device manages the direct push communication with Exchange Server. It establishes an HTTP or HTTPS connection with the server for a specified time, and then goes to sleep while waiting for the server to respond. The server responds with either a status indicating that new items were received or that no new items arrived. The device then sends either a synchronization request or another direct push request. The rate at which this occurs is dynamically adjusted based on parameters set by the OEM or Operator and how long an idle HTTP or HTTPS connection can be maintained on the operator network and the customer's Enterprise network.

- Exchange Server 2003 Service Pack 2. This version of Exchange Server includes a direct push component that augments the Exchange ActiveSync infrastructure that supports manual and scheduled synchronization. Exchange Server uses IP-based notifications to deliver e-mail, contact, calendar, and task updates to a device as soon as the information arrives at the server.

When data changes on the server, the changes are transmitted to the device over a persistent
HTTP or HTTPS connection that is used for direct push. The time
-
out value in the mobile
operator network identifies how l
ong the persistent connection will be maintained with no activity.

To keep this connection from timing out between updates, the device reissues a request when
the server responds. This periodic transmission is referred as the "heartbeat". The heartbeat is
what maintains the connection to the server for direct push; each heartbeat alerts the server that
the device is ready to receive data.


The Direct Push Process

Direct push traffic looks like small HTTP requests to an Internet Web site that takes a long time to issue a response. Microsoft recommends that the content of the packets be encrypted by using Secure Sockets Layer (SSL), which makes identifying direct push traffic by sniffing difficult.

The following steps provide an overview of the direct push process:

1. The client issues an HTTP message known as a ping request to an Exchange server, asking that the server report any changes that occur in the user's mailbox within a specified time limit.

   In the ping request, the client specifies the folders that Exchange should monitor for changes. Typically these are the Inbox, Calendar, Contacts, and Tasks.

2. When Exchange receives this request, it monitors the folders specified until one of the following occurs:

   • The time limit expires. The time limit is determined by the shortest time-out in the network path. If this occurs, Exchange issues an HTTP 200 OK response to the client.

   • A change occurs in one of the folders, such as the arrival of mail. If this occurs, Exchange issues a response to the request and identifies the folder in which the change occurred.

3. The client reacts to the response from the Exchange server in one of the following ways:

   • If it receives an HTTP 200 OK response indicating that no error occurred, it re-issues the ping request.

   • If it receives a response other than HTTP 200 OK, it issues a synchronization request against each folder that has changed. When the synchronization is complete, it re-issues the ping request.

   • If it does not receive a response from the Exchange server within the time specified, it lowers the time interval in the ping request and then re-issues the request.

Direct Push Dynamic Adjustment

During the direct push process described above, the device waits for successive round trips before attempting to adjust the amount of time it needs to keep a connection open with the server. The amount of time that the server should wait for Personal Information Manager (PIM) changes or new mail to arrive before sending OK to the client is called the heartbeat interval.

The heartbeat interval is specified by the client and is sent as part of the ping request. The heartbeat begins at the default rate. The direct push algorithm on the client then dynamically adjusts the heartbeat interval to maintain the maximum time between heartbeats without exceeding the time-out value. The adjustment is based on network conditions and how long an idle HTTP or HTTPS connection can be maintained on the operator or corporate network and some settings that the operator can specify.

To determine the optimal heartbeat interval, the algorithm keeps a log of ping requests. If a ping request receives a response, the algorithm increases the interval. If no response is received at the end of the interval, the client determines that the network timed out and the interval is decreased.

By using this algorithm, the client eventually determines the longest idle connection possible across the cellular network and corporate firewall.

The following illustration shows how the heartbeat interval is adjusted during typical direct push communication between the client and the Exchange Server.

[Illustration: heartbeat interval adjustment during direct push communication between client and Exchange Server]

The "T" in this illustration indicates the progression of time.


The following steps describe the communication; the numbers correspond to the numbers in the illustration:

1. The client wakes up and issues an HTTP request over the Internet to the Exchange Server, and then goes to sleep.

   To keep the session active, the request states the heartbeat interval, which is the amount of time that the server should wait for Personal Information Manager (PIM) changes or new mail to arrive before sending OK to the client. In this illustration, the heartbeat interval is 15 minutes.

2. Because no mail arrived during the heartbeat interval, the server returns an HTTP 200 OK.

   In this example, the response is lost because either the operator network or the Enterprise network was unable to sustain the long-lived HTTP connection; the client never receives it.

   Note:
   • If the connection is closed by the front-end Exchange server, the device will acknowledge the ended session and immediately reconnect.
   • If the connection is closed by the back-end Exchange server, the device does not acknowledge the ended session and waits for the end of the heartbeat interval to reconnect.

3. The client wakes up at the end of the heartbeat interval plus 1 minute (15 + 1 = 16 minutes total).

   Note: The device waits for successive round trips before attempting to adjust the heartbeat interval. A tuning component in the algorithm can change the increments to an amount different than what is specified.

   If this was a successive round trip with no response from the server, it issues a shorter-lived request (8 minutes).

   In this example, because the heartbeat was not increased during the last ping, the heartbeat is changed to the minimum heartbeat value (8 minutes).

4. Because no mail arrived during the heartbeat interval, the server returns an HTTP 200 OK.

5. The server response wakes up the client. Because the connection did not time out during the interval, the client determines that the network can support idle connections for at least this length of time.

   If this was a successive round trip, the client determines that it can increase the interval to a longer time for the next request.


The Impact of Direct Push on Networks and Exchange Servers

The algorithm that sets the heartbeat also minimizes bytes sent over the air and maximizes battery life.

Implementing data compression will reduce the packet sizes sent between the front end server and the client. However, the amount of bandwidth that is consumed and whether it will impact the user's data plan greatly depends on the following factors:

• What the user chooses to synchronize, such as more than the default folders.
• How much data is changed in the mailbox and on the mobile device.

The Impact of Changing the Direct Push Settings

To help you maintain adequate device performance during direct push, Microsoft recommends values for the various direct push settings.

Heartbeat Interval

The heartbeat interval is set on the device by the mobile operator. Using a heartbeat interval of 30 minutes has positive implications for battery life and bandwidth consumption. When direct push sessions are permitted to live longer (such as 30 minutes), there are fewer HTTP round trips, less data sent and received, and less power consumed by the device.

A heartbeat interval that is too short will keep the user always up to date, but will shorten battery life because of the constant pinging to the server.

Minimum Heartbeat

If a device that has a heartbeat below the minimum heartbeat level requests a connection to the Exchange server, the server logs an event to indicate to the administrator that direct push is not working.

Exchange Session

To keep device information up to date and still have the battery life as long as possible, the Exchange server session duration should be a little greater than the maximum heartbeat setting. If the server session is shorter, it may reach idle timeout, causing it to drop the session. This would result in mail being undeliverable until the client reconnects, and the user could be unsynchronized for long periods of time.

Firewall Timeouts

The network idle connection timeout indicates how long a connection is permitted to live without traffic after a TCP connection is fully established.

The firewall session interval must be set to allow the heartbeat interval and Enterprise session interval to communicate freely. If the firewall closes the session, then mail would be undeliverable until the client reconnects, and the user could be unsynchronized for long periods of time. By setting the firewall session timeout equal to or greater than the idle timeout on the Operator network, the firewall will not close the session.


The following list shows how the firewalls' idle connection timeouts should be set:

• Operators need to set the idle connection timeouts on outgoing firewalls to 30 minutes.
• Enterprises also need to set timeouts on their incoming firewalls to 30 minutes.
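To make the heartbeat tuning described under "Direct Push Dynamic Adjustment" and the firewall timeout guidance above concrete, the following Python simulation is an added example and not Microsoft's code: a client starts at the page's 15-minute default, falls back to the 8-minute minimum after a lost response, and raises its interval after successive good round trips, against a path whose idle limit is the shortest of the operator and enterprise firewall timeouts. The 4-minute step and the two-round-trip rule are assumptions, since the real tuning component is not specified on this page.

```python
"""Simulation of direct push heartbeat tuning against firewall idle timeouts.

Added example, not Microsoft's code. The page gives the shape of the client
algorithm (default 15 min, minimum 8 min, wake at heartbeat + 1 min, adjust
only after successive round trips); the step size and the exact tuning rule
used below are assumptions.
"""
from dataclasses import dataclass, field

DEFAULT_HEARTBEAT = 15   # minutes; starting value in the page's illustration
MIN_HEARTBEAT = 8        # minutes; minimum heartbeat value from the page
MAX_HEARTBEAT = 30       # minutes; operator setting recommended by the page
WAKE_GRACE = 1           # client wakes at heartbeat + 1 minute (step 3)
STEP = 4                 # assumed increment applied on a successful adjustment


def effective_idle_timeout(*timeouts_min: int) -> int:
    """The time limit is the shortest idle timeout anywhere in the path."""
    return min(timeouts_min)


@dataclass
class DirectPushClient:
    heartbeat: int = DEFAULT_HEARTBEAT
    consecutive_ok: int = 0
    # log of ping requests: (interval requested, response received?)
    log: list = field(default_factory=list)

    def ping(self, path_timeout: int) -> int:
        """One ping round trip with no mail arriving.

        The server answers HTTP 200 OK after `heartbeat` minutes; the answer
        is lost if the path's idle timeout expires first. Returns the
        heartbeat the client will put in its next request.
        """
        got_response = self.heartbeat <= path_timeout
        self.log.append((self.heartbeat, got_response))
        if got_response:
            self.consecutive_ok += 1
            # Adjust only after successive successful round trips.
            if self.consecutive_ok >= 2:
                self.heartbeat = min(self.heartbeat + STEP, MAX_HEARTBEAT)
        else:
            # Woke at heartbeat + WAKE_GRACE with nothing: the network timed
            # out, so fall back to the minimum heartbeat.
            self.consecutive_ok = 0
            self.heartbeat = MIN_HEARTBEAT
        return self.heartbeat

    def longest_silence(self) -> int:
        """Longest stretch (minutes) during which new mail would have waited:
        a lost response is only noticed at heartbeat + WAKE_GRACE."""
        return max((hb + WAKE_GRACE for hb, ok in self.log if not ok), default=0)


def simulate(operator_timeout: int, enterprise_timeout: int, rounds: int) -> dict:
    """Run `rounds` ping cycles and summarise how the heartbeat settled."""
    path_timeout = effective_idle_timeout(operator_timeout, enterprise_timeout)
    client = DirectPushClient()
    for _ in range(rounds):
        client.ping(path_timeout)
    lost = sum(1 for _, ok in client.log if not ok)
    return {
        "path_timeout": path_timeout,
        "final_heartbeat": client.heartbeat,
        "lost_responses": lost,
        "longest_silence": client.longest_silence(),
        "intervals": [hb for hb, _ in client.log],
    }


if __name__ == "__main__":
    # Recommended: both firewalls at 30 minutes -> heartbeat climbs to 30
    # and no responses are lost.
    print(simulate(operator_timeout=30, enterprise_timeout=30, rounds=20))
    # Enterprise firewall left at 10 minutes -> heartbeat oscillates between
    # 8 and 12 and every third response is lost, so mail waits for the
    # client to wake up and reconnect.
    print(simulate(operator_timeout=30, enterprise_timeout=10, rounds=20))
```

The second scenario is the failure mode the text warns about: the shorter enterprise timeout, not the operator setting, becomes the effective limit, and the client never converges on the 30-minute interval.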

Web servers, network security appliances, and system network stacks have several time-based thresholds that are intended to insulate them from insufficiently tested or malicious clients. You can safely increase the idle connection timeout setting without compromising the security of the network.

In a direct push scenario, the connection is idle between the time that the HTTP request is made and either the time that the heartbeat interval expires or when the server responds to the request with a change (such as when mail is received). Direct push makes no assumption as to the length of its sessions; e-mail is delivered rapidly whether the heartbeat interval is one minute or thirty minutes.

Increasing the idle connection timeout typically does not increase or decrease the exposure to attack. The following table shows examples of attacks and describes how other settings are used to mitigate exposure to them.

DoS threat: A DoS attack is launched by failing to complete the handshake that is implicit in the creation of a TCP connection. The attacker attempts to create a large number of partially open TCP connections.
Mitigation of exposure: Increasing the idle connection timeouts is unrelated to this type of attack. The time within which a TCP handshake must complete is a separate threshold that is governed by the Windows TCP/IP stack.

DoS threat: A DoS attack is launched against IIS by opening a large number of TCP connections but never issuing an HTTP request over any of them.
Mitigation of exposure: Increasing the idle connection timeouts is unrelated to this type of attack. IIS mitigates this threat by requiring that a client submit a fully-formed HTTP request within a certain time before dropping the connection. The name of the Connection Timeout setting in the IIS management console is misleading; TCP connections are closed when the Connection Timeout value is exceeded (120 seconds by default).

DoS threat: An attacker establishes a large number of TCP connections, issues HTTP requests over all of them, but never consumes the responses.
Mitigation of exposure: Increasing idle connection timeouts is unrelated to this type of attack. This threat is mitigated by the same timeout as the previous scenario. The Connection Timeout setting in IIS defines the time within which a client must issue either its first request after a TCP connection is established or a subsequent request in an HTTP keep-alive scenario.



Network Architecture Alternatives

The choices that you have made in your network configuration and network design may impact the steps that you will need to take to upgrade your system to accommodate direct push technology and the Messaging & Security Feature Pack management features.

Deployment Options

The following table introduces some of the most common deployment configurations with the
unique considerations for each.

Follow the links to deployment documentation for each configuration.


Setup Type: Firewall in workgroup in perimeter network (ISA Server 2006 recommended)
Description:
• All of the Exchange servers are within the corporate network.
• FBA or Basic authentication is set up for Exchange ActiveSync, so all clients negotiate an SSL link before connecting; SSL is configured for Exchange ActiveSync to encrypt all messaging traffic.
• The ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.
• ISA Server 2006 directly communicates with LDAP and RADIUS servers.
• LDAP authentication: LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported. Every domain controller is an LDAP server; the LDAP server has a store of the Active Directory users' credentials. Because each domain controller can only authenticate the users in its domain, ISA Server by default queries the global catalog for a forest to validate user credentials.
• RADIUS authentication: RADIUS provides credentials validation. ISA Server is the RADIUS client, depending upon the RADIUS authentication response. Password changes are not possible.
Consideration:
• All Exchange traffic is preauthenticated, reducing surface area and risk.
• Client authentication is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID.
• Requires port 443 opened on the firewall for inbound and outbound Internet traffic.
• Requires a digital certificate in order to connect to the Configuration Storage server.
• Limited to one Configuration Storage Server (ADAM limitation).
• In case of firewall failure, the domain and Active Directory are inaccessible.
• Domain administrators do not have access to the firewall array.
• Workgroup clients cannot use Windows authentication.
• Requires management of mirrored accounts for monitoring arrays.
• For an overview of the process, see Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices.

Setup Type: ISA Server 2006 domain-joined in perimeter network
Description:
• Exchange FE in the Enterprise forest.
• As a domain member, ISA Server 2006 integrates with Active Directory.
Consideration:
• Additional ports on the internal firewall opened to facilitate domain member communication to Active Directory.
• IPSec can be configured between the ISA server and Exchange server to eliminate the need for additional open ports.
• Simplified deployment and administration of ISA Server arrays within the domain.
• Vulnerability of access across the domain in case of firewall failure.
• See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109217.

Setup Type: Firewall in separate domain with one-way trust
Description:
• Exchange FE in the Enterprise forest.
• ISA Server 2006 as domain controller of its own DMZ forest.
• One-way trust created, so the DMZ forest trusts the Enterprise forest accounts.
• ISA Server 2006 authenticates requests at the ISA edge.
Consideration:
• All Exchange traffic is preauthenticated, reducing surface area and risk.
• Complex to configure.
• Scales well across an Enterprise solution.
• For detailed instructions, see Using ISA Server 2004 with Exchange Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109215.

Setup Type: Third Party Firewall
Description:
• Configure as an advanced firewall or surrounding a perimeter network.
• Encrypt all traffic between the mobile device and Exchange Server with SSL.
• Open port 443 inbound on each firewall between the mobile device and Exchange Server.
• Set Idle Session Timeout time to 30 minutes on all firewalls and network appliances on the path between the mobile device and Exchange FE server to facilitate direct push technology.
Consideration:
• Consult firewall manufacturer documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout time.

Setup Type: Single Exchange 2003 Server
Description:
• Single Exchange Server within the corporate network, behind a firewall.
• Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 using Kerberos authentication.
Consideration:
• Simple deployment for small to medium business.
• Requires the following setup steps on the ExAdmin virtual directory: turn off SSL Required; use Windows Integrated authentication.
• If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct push technology.
• For details, see Deployment on a Single Server in the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.
• See also the Microsoft KB article "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003": http://go.microsoft.com/fwlink/?LinkId=62660.

Setup Type: Windows Small Business Server 2003
Description:
• Exchange traffic is routed to the server running Windows SBS with port 443 open inbound.
• Exchange FE is behind the following firewalls: ISA Server 2004, Service Pack 1, which is included in Windows SBS Premium Edition, Service Pack 1; the built-in Routing and Remote Access firewall in Windows SBS; the UPnP hardware firewall.
• Certificates installed on devices provide SSL encryption and access.
Consideration:
• Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server 2003, providing simplified deployment.
• Requires desktop ActiveSync installed on a client computer.
• See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109220.

Setup Type: Exchange FE in the perimeter network (This option is not recommended for new mobile messaging solutions.)
Description:
• Exchange FE is in the perimeter network with firewalls between it and the Internet and the corporate network.
Consideration:
• Additional firewall ports opened to enable direct push and facilitate connection between FE and BE servers: open port 443 inbound on the external firewall; UDP port 2883 open on the firewall between the Exchange FE and BE.
• See the "Deployment with the Front End Server in a Perimeter Network" section of the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=81200.


ISA Server 2006 as an Advanced Firewall in a Perimeter Network

In this configuration, all of the Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. This adds an additional layer of security to your network.

All incoming Internet traffic bound to your Exchange servers (for example, Microsoft Office OWA and remote procedure call (RPC) over HTTP communication from Microsoft Office Outlook 2003 clients) is processed by the ISA server. When the ISA server receives a request for an Exchange server, the ISA server terminates the connection and then proxies the request to the appropriate Exchange servers that are on your internal network. The Exchange servers on your network then return the requested data to the ISA server, which sends the information to the client through the Internet.

During installation of the ISA server, Microsoft recommends that you enable Secure Sockets Layer (SSL) encryption, and designate 443 as the SSL port. This leaves the 443 port open as the "Web Listener" to receive Internet traffic. Microsoft also recommends that you set up basic authentication for Exchange ActiveSync, and that you require all clients to successfully negotiate an SSL link before connecting to the Exchange ActiveSync site directories. If you follow these recommendations, the Internet traffic that flows into and out of the 443 port will be more protected.

When configured in Web-publishing mode, ISA Server 2006 will provide protocol filtering and hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and pre-authentication.


The following illustration shows the recommended Exchange Server 2003 deployment for mobile messaging with ISA Server 2006.

[Illustration: recommended Exchange Server 2003 mobile messaging deployment with ISA Server 2006]

Authentication in ISA Server 2006

Users can be authenticated using built-in Windows, LDAP, RADIUS, or RSA SecurID authentication. Front-end and back-end configuration has been separated, providing for more flexibility and granularity. Single sign on is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace.

For most Enterprise installations, ISA Server 2006 with LDAP authentication is recommended. In addition, ISA Server 2006 enables certificate-based authentication with Web publishing. For more information, see Authentication in ISA Server 2006 on the Microsoft TechNet Web site: http://go.microsoft.com/fwlink/?LinkID=87068.


The following table summarizes some of the features of ISA Server 2006:

Feature: Support for LDAP authentication
Description: LDAP authentication allows ISA Server to authenticate to Active Directory without being a member of the domain. See this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=87069

Feature: Delegation of Basic authentication
Description: Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.

Feature: SecurID authentication for Web Proxy clients
Description: ISA Server 2006 can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.

Feature: RADIUS support for Web Proxy client authentication
Description: With ISA Server 2006, you can authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections.

Feature: Session management
Description: ISA Server 2006 includes improved control of cookie-based sessions to provide for better security.

Feature: Certificate Management
Description: ISA Server 2006 is improved to simplify certificate management and reduce the total cost of ownership associated with using certificates when publishing Web sites. It is possible to utilize multiple certificates per Web listener and to use different certificates per array member.



LDAP Authentication with ISA Server 2006

ISA Server 2006 supports Lightweight Directory Access Protocol (LDAP) authentication. LDAP authentication is similar to Active Directory® directory service authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server, by default, with no additional configuration changes required. By using LDAP authentication, you get the following benefits:

• A server running ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition array members in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.
• Authentication of users in a domain with which there is no trust relationship.

Instructions for configuring ISA Server for LDAP authentication are included in this document in Step 5: Install and Configure ISA Server 2006 or Other Firewall. For more information about configuring ISA Server for LDAP authentication, see "Secure Application Publishing" at the Microsoft TechNet Web site.


Deployment with ISA Server in a Perimeter Network

In this configuration, the mobile device utilizes the mobile operator's cellular data network to communicate using the Internet to an outer firewall that the organization uses to restrict traffic. The outer firewall port forwards the EAS traffic (via SSL port 443) inbound to the inner third party device to forward to the Exchange Server 2003 for processing.

The figure below illustrates an end-to-end example of a typical over the air Exchange ActiveSync deployment.

[Illustration: end-to-end over-the-air Exchange ActiveSync deployment]

To ensure that Microsoft Exchange ActiveSync functions correctly in this scenario, Microsoft recommends that port 443 inbound be opened on both third party firewall products so that the Windows Mobile device can communicate directly with the Exchange Server. This is a network requirement for Exchange ActiveSync to work properly whether using Microsoft direct push technology (default setting) and/or Always Up-to-Date Notifications (optional).


Deployment on a Single
-
Server

If your mobile messaging solution uses a single Exchange server, you may have to establish
some special configurations to avoid conflicts on the virtual directory.

SSL Requirements and Forms
-
based Authentic
ation

In a single
-
server configuration, Exchange Server ActiveSync accesses the Exchange virtual
directory via port 80 by using Kerberos authentication. Exchange ActiveSync cannot access the
Exchange virtual directory if either of the following conditions
is true:



The Exchange virtual directory is configured to require SSL.



Forms
-
based authentication is configured.

For more information about, and workarounds for, these configurations, see the following article
in the Microsoft Knowledge Base:

Exchange ActiveSync

and Outlook Mobile Access errors occur when SSL or forms
-
based
authentication is required for Exchange Server 2003.
http://go.microsoft.com/fwlink/?LinkId=62660

Settings Required for Exchange ActiveSync Mobile Administration Web Tool Installation

When deployed in a single-server configuration, the Exchange ActiveSync Mobile Administration Web tool requires the default configuration on the ExAdmin virtual directory. By default, SSL is not turned on and the virtual directory has Windows Integrated authentication.

In a single-server configuration, we recommend that you do the following on the ExAdmin virtual directory:

• Turn off SSL Required

• Use Windows Integrated authentication

Note:

The Exchange ActiveSync Mobile Administration Web tool should run in the ExchangeAppPool.

For more information, see the following article in the Microsoft Knowledge Base:

Error message when you try to use the Microsoft Exchange Server ActiveSync Web Administration tool to delete a partnership or to perform a Remote Wipe operation on a mobile device in Exchange Server 2003 SP2: "(401) Unauthorized".
http://support.microsoft.com/kb/916960/en-us
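The single-server requirements above (no SSL requirement on the Exchange virtual directory, ExAdmin left at its defaults, the Mobile Administration tool in ExchangeAppPool) can be checked on the server instead of by eye. The following script is an added example and is not part of the Microsoft guide. It reads the IIS 6.0 metabase through the IIS ADSI provider and assumes Windows Server 2003 with PowerShell 2.0, the Exchange virtual directories under the default Web site (W3SVC/1), and the Mobile Administration tool installed in a virtual directory named "MobileAdmin" (an assumed name; adjust it to your installation). Forms-based authentication is an Exchange System Manager setting and is not examined here.

```powershell
# Added example, not from the Microsoft guide: audit the IIS 6.0 metabase settings that the
# single-server Exchange ActiveSync scenario depends on. Run locally on the Exchange server
# with administrative rights under PowerShell 2.0.

$SiteRoot       = "IIS://localhost/W3SVC/1/Root"   # assumed: Exchange vdirs under the default Web site
$MobileAdminDir = "MobileAdmin"                    # assumed name of the Mobile Administration tool's vdir

# IIS 6.0 metabase AuthFlags bit values
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4   # shown as "Integrated Windows authentication" in IIS Manager

function Get-VDirState {
    param([string]$Name)
    try {
        $vdir = [ADSI]"$SiteRoot/$Name"
        return New-Object PSObject -Property @{
            Name        = $Name
            Exists      = $true
            SslRequired = [bool]$vdir.Get("AccessSSL")   # the "Require secure channel (SSL)" checkbox
            AuthFlags   = [int]$vdir.Get("AuthFlags")
            AppPool     = [string]$vdir.Get("AppPoolId")
        }
    } catch {
        # Binding to a missing metabase path only fails when a property is read
        return New-Object PSObject -Property @{
            Name = $Name; Exists = $false; SslRequired = $null; AuthFlags = 0; AppPool = $null
        }
    }
}

function Test-SingleServerEasConfig {
    $findings = @()

    # 1. Exchange ActiveSync reaches the Exchange vdir over port 80 with Kerberos;
    #    requiring SSL on that vdir breaks it in a single-server configuration.
    $exchange = Get-VDirState "Exchange"
    if ($exchange.Exists -and $exchange.SslRequired) {
        $findings += "Exchange: SSL is required on the virtual directory; Exchange ActiveSync cannot access it on a single server"
    }

    # 2. ExAdmin must keep its defaults: SSL not required, Windows Integrated authentication on.
    $exadmin = Get-VDirState "ExAdmin"
    if (-not $exadmin.Exists) {
        $findings += "ExAdmin: virtual directory not found under $SiteRoot"
    } else {
        if ($exadmin.SslRequired) { $findings += "ExAdmin: turn off 'Require SSL'" }
        if (($exadmin.AuthFlags -band $AuthNTLM) -eq 0) { $findings += "ExAdmin: enable Windows Integrated authentication" }
    }

    # 3. The Mobile Administration Web tool should run in ExchangeAppPool.
    $tool = Get-VDirState $MobileAdminDir
    if ($tool.Exists -and $tool.AppPool -ne "ExchangeAppPool") {
        $findings += "$($MobileAdminDir): runs in application pool '$($tool.AppPool)', expected ExchangeAppPool"
    }

    if ($findings.Count -eq 0) { return "All single-server Exchange ActiveSync settings match the recommendations." }
    return $findings
}

Test-SingleServerEasConfig
```

Each finding names the virtual directory and the setting to change, so the script can be re-run after the change and before installing the Mobile Administration Web tool.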

RSA SecurID Compatibility

RSA SecurID provides token-based authentication that requires user input and was not compatible with direct push technology, in which the device synchronizes automatically. RSA has updated the RSA Authentication Agent for Windows so that direct push technology and scheduled synchronization features function smoothly.

ISA Server 2006 works with SecurID token authentication. See the ISA Server 2006 documentation.

If you are using the RSA SecurID product, be sure to get the latest RSA SecurID software from the RSA Security Web site: http://go.microsoft.com/fwlink/?LinkId=63273.

Forms-based Authentication

If you have forms-based authentication set up on an Exchange organization for Exchange ActiveSync on an Exchange Server with no back-end, additional configurations may be required. For more information about these configurations, see the following article in the Microsoft Knowledge Base: http://go.microsoft.com/fwlink/?LinkId=109221

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

Note

• Exchange Server 2003 SP2 forms-based authentication does not allow you to set the default domain setting in IIS to anything other than the default domain setting of "\". This restriction is in place in order to support user logons that use the User Principal Name format. If the default domain setting in IIS is changed, Exchange System Manager resets the default domain setting to "\" on the server.

• You can change this behavior by customizing the Logon.asp page in the OWA virtual directory in IIS to specify your domain or to include a list of domain names. However, if you customize the Logon.asp page in the OWA virtual directory in IIS, your changes may be overwritten if you upgrade to, or reinstall, Exchange Server 2003 SP2.

Deployment with the Exchange Front-End Server in a Perimeter Network

If your deployment configuration has the front-end Exchange server inside the DMZ or perimeter network, you may have to change the firewall settings to facilitate the direct push technology.

Note:

This option is not recommended for new mobile messaging solutions.

With direct push technology, whenever the back-end server receives e-mail or data to be transmitted to a mobile device, it sends a UDP notification to the front-end server. This transmission requires that UDP port 2883 be open on the firewall to allow one-way traffic from the back-end server to the front-end server.

For more information about the deployment of direct push technology and its impact on firewall configuration, see the Exchange Server blog article "Direct push is just a heartbeat away" at http://go.microsoft.com/fwlink/?LinkId=67080.

For more information about configuring a front-end server in the DMZ, see "Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server" at http://go.microsoft.com/fwlink/?LinkId=62643.

VPN Configuration

Windows Mobile 5.0-based devices provide native support for Virtual Private Network (VPN) access to a corporate network based on PPTP or L2TP/IPSec VPN protocols.

Microsoft recommends using L2TP/IPSec connections, as these connections require both device-level authentication through certificates and user-level authentication through a PPP authentication protocol. L2TP/IPSec relies on the existing infrastructure for Windows Mobile-based devices to connect to internal company resources such as file shares, Web servers, and mobile line-of-business applications. For an example deployment of VPN with Windows Server 2003, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109222.

For more information about securing VPN access, see "How ISA Server 2004 Provides SSL VPN Functionality for Outlook Web Access and RPC over HTTP" at http://go.microsoft.com/fwlink/?LinkID=67445.

For more information about the sign-on process from a Windows Mobile 5.0-based device, see "Accessing a Corporate Network by using a VPN Connection" in Step 8, Manage and Configure Mobile Devices.

Best Practices for Deploying a Mobile Messaging Solution

Best practices for deploying a mobile messaging solution on your corporate network are recommendations that will help you ensure the smooth operation of, and provide a high level of security for, your mobile messaging solution.

Network Configuration

Regardless of the network configuration you implement, there are some best practices that will strengthen your mobile messaging solution.

Best Practice: Use Front-end and Back-end Configuration for Exchange Servers

A front-end and back-end configuration is recommended for multiple-server organizations that use Exchange ActiveSync, Outlook Web Access (OWA), Post Office Protocol (POP), or Internet Message Access Protocol (IMAP), and that want to provide HTTP, POP, or IMAP access to their employees. In this architecture, a front-end server accepts requests from clients, and then proxies those requests to the appropriate back-end server for processing. The front-end and back-end architecture allows the front-end server to handle the Secure Sockets Layer (SSL) encryption, thus enabling the back-end servers to increase overall e-mail performance. This configuration scales well and provides a measure of security by limiting access to the front-end server.

Securing the messaging environment also involves disabling those features and settings for the front-end server that are not necessary in a front-end and back-end server architecture.

For more information about front-end and back-end server architecture, see "Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology" at http://go.microsoft.com/fwlink/?LinkId=62643.

Best Practice: Configuring your Firewall for Optimal Direct Push Performance

Direct push technology requires an established connection between the server and the client. No data is sent over this connection unless there is e-mail or data to be transmitted, or the device needs to reestablish its connection with the server. This means that the maximum length of the connection is determined by the lowest network timeout in the path between the device and the server.

With good network coverage, the maximum timeout will be determined by the connection timeout that is enforced by the firewalls that deal with Internet traffic to your Exchange front-end servers. If you keep the timeout very low, then you will force the device to reconnect several times, which will quickly drain its battery. The following illustration shows the recommended firewall settings.

As a best practice, you should adjust the connection timeout of your firewall and any other network appliances in the path to ensure that direct push functionality works efficiently. In order to optimize battery life, we recommend a timeout period of 30 minutes.

For a technical discussion of direct push technology, see Understanding the Direct Push Technology in this document.
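The relationship between the lowest idle timeout in the path and the device's reconnect rate can be made concrete with a small model. The following script is an added example, not part of the Microsoft guide, and is a simplification: a direct push client holds an idle HTTPS request open for a heartbeat interval, a request succeeds only if the server's reply arrives before a firewall drops the idle connection, and the client grows or shrinks its interval until it settles on the longest one that works. The starting interval (8 minutes), step size (4 minutes) and floor (1 minute) are assumed values chosen for illustration; the 30-minute ceiling is the firewall timeout the guide recommends.

```powershell
# Added example, not from the Microsoft guide: a simplified model of how a direct push client
# adapts its heartbeat to the lowest idle timeout in the network path, and what that does to
# the number of idle reconnects per day (each reconnect costs radio time and battery).

function Get-NegotiatedHeartbeat {
    param(
        [int]$FirewallIdleTimeoutSec,          # lowest idle timeout of any firewall or appliance in the path
        [int]$InitialHeartbeatSec = 480,       # assumed: the client starts with an 8-minute heartbeat
        [int]$StepSec             = 240,       # assumed: the client adjusts in 4-minute steps
        [int]$MinHeartbeatSec     = 60,        # assumed floor
        [int]$MaxHeartbeatSec     = 1800       # 30 minutes, the timeout the guide recommends
    )
    if ($StepSec -le 0) { throw "StepSec must be positive" }

    $heartbeat = $InitialHeartbeatSec
    $lastGood  = 0
    while ($true) {
        # The request idles for $heartbeat seconds; it succeeds only if the server's
        # "no changes" reply arrives before a firewall drops the idle connection.
        if ($heartbeat -lt $FirewallIdleTimeoutSec) {
            $lastGood = $heartbeat
            if ($heartbeat -ge $MaxHeartbeatSec) { break }                       # ceiling reached
            $heartbeat = [Math]::Min($heartbeat + $StepSec, $MaxHeartbeatSec)   # try a longer interval
        } else {
            if ($lastGood -gt 0) { $heartbeat = $lastGood; break }              # settle on the last working value
            if ($heartbeat -le $MinHeartbeatSec) { break }                       # nothing works: stuck at the floor
            $heartbeat = [Math]::Max($heartbeat - $StepSec, $MinHeartbeatSec)   # back off
        }
    }
    return $heartbeat
}

function Get-DirectPushImpact {
    param([int[]]$FirewallIdleTimeoutsSec = @(300, 900, 1800))   # 5, 15 and 30 minutes
    foreach ($timeout in $FirewallIdleTimeoutsSec) {
        $hb = Get-NegotiatedHeartbeat -FirewallIdleTimeoutSec $timeout
        New-Object PSObject -Property @{
            FirewallTimeoutMin   = $timeout / 60
            HeartbeatMin         = [Math]::Round($hb / 60, 1)
            IdleReconnectsPerDay = [Math]::Round(86400 / $hb)   # reconnects with no mail flowing at all
        }
    }
}

Get-DirectPushImpact | Format-Table FirewallTimeoutMin, HeartbeatMin, IdleReconnectsPerDay -AutoSize
```

Under these assumptions a 5-minute firewall timeout leaves the client at a 4-minute heartbeat, about seven times as many idle reconnects per day as the 28-minute heartbeat it reaches behind a 30-minute timeout. Pass your own firewall's idle timeout to Get-DirectPushImpact to see where a device on your network would settle; the model ignores radio coverage gaps, which only add reconnects.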

Security: Authentication and Certification

Security for communication between the Exchange server and client mobile devices can be increased by using SSL for encryption and server authentication, and by using Web publishing to protect incoming traffic.

The following best practices will help you build a more secure mobile messaging solution.

Best Practice: Use SSL for Encryption and Server Authentication

To protect outgoing and incoming data, deploy SSL to encrypt all traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content and the identity of users, and to encrypt network transmissions. The Exchange server, just like any Web server, requires a valid server certificate to establish SSL communications.
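Two of the requirements in this guide can be verified from outside the perimeter with one probe: that port 443 inbound is open on every firewall in the path (the network requirement stated earlier for Exchange ActiveSync), and that the front-end's server certificate would be accepted by a client that checks it against a trusted root store and the host name, which is what a Windows Mobile device does. The following script is an added example and is not part of the Microsoft guide. It assumes PowerShell 2.0 on .NET 2.0 or later; the server name is a placeholder. The UDP port 2883 notification path between back-end and front-end is internal and is not checked here.

```powershell
# Added example, not from the Microsoft guide: from a machine outside the perimeter, confirm
# TCP reachability of the front-end on port 443 and report whether its certificate would be
# accepted by a client validating it against the local trusted root store and the host name.

function Test-EasEndpoint {
    param(
        [string]$ServerName = "mail.example.com",   # placeholder: the public name on the front-end's certificate
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = New-Object PSObject -Property @{
        Server = $ServerName; Port = $Port
        TcpReachable = $false; TlsEstablished = $false; CertificateValid = $false
        Subject = $null; Issuer = $null; NotAfter = $null; Errors = @()
    }

    # Step 1: the inbound port 443 requirement on every firewall in the path
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ServerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            throw "no TCP connection to port $Port within $TimeoutMs ms (check inbound 443 on both firewalls)"
        }
        $client.EndConnect($async)
        $result.TcpReachable = $true
    } catch {
        $result.Errors += "TCP: $($_.Exception.Message)"
        $client.Close()
        return $result
    }

    # Step 2: TLS handshake. The callback records the policy verdict instead of aborting the
    # handshake, so the certificate details can be reported even when it would be rejected.
    $verdict = @{ PolicyErrors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $verdict["PolicyErrors"] = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        $result.TlsEstablished = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        if ($verdict["PolicyErrors"] -eq [System.Net.Security.SslPolicyErrors]::None) {
            $result.CertificateValid = $true
        } else {
            # RemoteCertificateChainErrors: root not trusted, chain broken, or certificate expired
            # RemoteCertificateNameMismatch: certificate was not issued for $ServerName
            $result.Errors += "Certificate would be rejected: $($verdict['PolicyErrors'])"
        }
    } catch {
        $result.Errors += "TLS: $($_.Exception.Message)"
    } finally {
        $ssl.Close()
        $client.Close()
    }
    return $result
}

Test-EasEndpoint -ServerName "mail.example.com" |
    Format-List Server, TcpReachable, TlsEstablished, CertificateValid, Subject, Issuer, NotAfter, Errors
```

The verdict reflects the root store of the machine running the probe, not the device's; a certificate chaining to a root that only your workstation trusts will pass here and still fail on a device whose built-in root list does not include that root, which is why the issuer is reported alongside the verdict.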

Windows Mobile 5.0-based devices are shipped with trusted root certificates. Check with your