
Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

Microsoft Corporation
Published: February 15, 2008

Deploying Windows Mobile-based Devices with Exchange Server 2003 SP2
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Office Outlook, Visual Basic, Windows Mobile and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.
Contents

Introduction ... 1
Document Structure ... 1
Deploying Mobile Messaging: Introduction ... 1
Assumptions ... 1
Software Requirements ... 2
Optional Items ... 3
Deployment Process Summary ... 3
Planning Resources ... 4
Messaging and Security Feature Pack Overview ... 5
Features ... 5
Security Features ... 6
Advanced Security Features ... 7
Administering the Messaging and Security Feature Pack ... 8
Understanding the Direct Push Technology ... 10
Direct Push Technology ... 10
Network Architecture Alternatives ... 16
Deployment Options ... 16
ISA Server 2006 as an Advanced Firewall in a Perimeter Network ... 23
Deployment with ISA Server in a Perimeter Network ... 27
Deployment on a Single-Server ... 28
Forms-based Authentication ... 29
Deployment with the Exchange Front End Server in a Perimeter Network ... 30
VPN Configuration ... 30
Best Practices for Deploying a Mobile Messaging Solution ... 31
Network Configuration ... 31
Security: Authentication and Certification ... 32
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices ... 35
Deployment Process Overview ... 35
Step 1: Upgrade to Exchange Server 2003 SP2 ... 36
How to Upgrade to Exchange Server 2003 SP2 ... 36
Step 2: Update All Servers with Security Patches ... 37
Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server ... 37
Deploying SSL to Encrypt Messaging Traffic ... 38
Enabling SSL for the Default Web Site ... 49
Configuring Basic Authentication ... 51
Protect IIS by Limiting Potential Attack Surfaces ... 54
Step 4: Protect Communications Between the Exchange Server and Other Servers ... 56
Using IPSec to Encrypt IP Traffic ... 56
Step 5: Install and Configure ISA Server 2006 or Other Firewall ... 57
Install ISA Server 2006 ... 58
Install a Server Certificate on the ISA Server Computer ... 58
Create the Exchange ActiveSync Publishing Rule ... 62
Configure ISA Server 2006 for LDAP Authentication ... 73
Set the Idle Session Timeout for All Firewalls and Network Appliances to 1800 seconds ... 76
Test Exchange Publishing Rule ... 76
Step 6: Configure and Manage Mobile Device Access on the Exchange Server ... 77
Configuring Mobile Access ... 78
Configuring Security Settings for Mobile Devices ... 82
Monitoring Mobile Performance on Exchange Server 2003 SP2 ... 86
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool ... 87
Download the Mobile Administration Web Tool ... 87
Step 8: Manage and Configure Mobile Devices ... 89
Setting Up a Mobile Device Connection to Exchange Server ... 89
Using the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices ... 92
Provisioning or Configuring the Windows Mobile 5.0-based Device ... 94
Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication ... 98
Configuring the Firewall for Certificate-based Authentication ... 98
Software Requirements for Certificate-Based Authentication ... 98
Downloading the Certificate Enrollment Tool ... 99
System Requirements for the Certificate Enrollment Tool ... 99
Steps to Enable Certificate-Based Authentication ... 100
Configuring Exchange Server 2003 Front-End Server ... 100
Configure Kerberos Constrained Delegation ... 100
Configure Servers to be Trusted for Delegation ... 101
Configure Windows Mobile Certificate Enrollment ... 101
Overview of Certificate Enrollment Configuration ... 101
Appendix B: Install and Configure an ISA Server 2004 Environment ... 104
Installing ISA Server 2004 ... 105
Creating the Exchange ActiveSync Publishing Rule Using Web Publishing ... 106
Configuring the Hosts File Entry ... 110
Setting the ISA Server 2004 Idle Session Timeout ... 112
Testing OWA and Exchange ActiveSync ... 112
Testing OWA ... 114
Testing Exchange ActiveSync ... 114
Appendix C: Troubleshooting a Mobile Messaging Solution ... 115
Logging and Troubleshooting Tools ... 115
Monitoring Mobile Performance on Exchange Server 2003 SP2 ... 115
ISA Server Best Practices Analyzer ... 116
Issues Related to Direct Push Technology ... 116
General Direct Push Troubleshooting Tips ... 116
Path Troubleshooting Direct Push ... 117
Verify Direct Push Initialization ... 118
Troubleshooting Direct Push Using Logs ... 120
Push Mail and GAL Lookup missing when syncing to Exchange 2003 SP2 with a MSFP Device ... 121
Issues Related to ISA Server 2006 ... 125
Double Authentication Required after Upgrading from ISA Server 2004 ... 125
Log Off when the User Leaves Site Feature Removed ... 125
Windows Mobile Users Receive Error 401 Unauthorized ... 125
Users Receive Access Denied Error Message ... 125
Certificate Implementation Issues on the Server ... 128
Communication Issues between the Front-end and Back-end Exchange Servers ... 128
Frequently Asked Questions ... 128
Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device ... 129
Creating the Provisioning XML to Install a Certificate to the Root Store ... 130
Creating a .cab File that Contains the Provisioning XML ... 132
Distributing the CAB Provisioning File ... 132
Introduction

This document is designed primarily for Information Technology (IT) professionals who are responsible for planning and deploying mobile messaging systems that use Microsoft Exchange Server 2003 with Service Pack 2 (SP2) and Windows Mobile-based devices that have the Messaging and Security Feature Pack (MSFP).

Document Structure

This document is divided into two main sections that include the following:

The essential elements of a mobile messaging system, including system requirements; a summary of deployment procedures; an overview of the features of the Messaging and Security Feature Pack; an introduction to direct push technology; a summary of ISA Server 2006 features; and best practices for networking, security, and device management.

The guidelines and resources for the deployment of a mobile messaging system, including updating Exchange Server 2003 SP2, setting up Microsoft Exchange ActiveSync for mobile access, creating a protected communications environment, setting up an ISA Server 2006 environment, and procedures for setting up and managing mobile devices.

For current information about deploying mobile messaging solutions and managing Windows Mobile-based devices, visit the Windows Mobile Center Web site: http://go.microsoft.com/fwlink/?LinkId=109211

Deploying Mobile Messaging: Introduction

This guide provides best practices and procedures for implementing a mobile messaging system with Microsoft® Windows Mobile® 6 devices and Microsoft Exchange Server 2003 SP2.

Assumptions

This document assumes that you have an understanding of Microsoft Office Outlook® Web Access, Exchange ActiveSync, Hypertext Transfer Protocol (HTTP), basic Exchange Server 2003 concepts, and basic Microsoft Windows Internet Information Services (IIS) concepts.
Software Requirements

The following table presents the operating systems and applications that are required for the recommended deployment.

Location | Software requirements
Exchange front-end server | Microsoft Exchange Server 2003 SP2; Microsoft Windows Server 2003 with Service Pack 1 (SP1), or Microsoft Windows 2000 Server with Service Pack 4 (SP4)
Additional Exchange server(s) | Microsoft Exchange Server 2003 or later; Microsoft Windows Server 2003 with Service Pack 1 (SP1), or Microsoft Windows 2000 Server with Service Pack 4 (SP4)
LDAP Server | Windows Server 2003 or Windows 2000 Server
Exchange server where Exchange ActiveSync Mobile Administration Web tool is installed | Microsoft Exchange Server 2003 SP2; Microsoft Windows Server 2003 with Service Pack 1 (SP1); Internet Information Services (IIS) 6.0
Mobile devices | Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack

Note:
Windows Mobile 5.0-based devices that have a version number of 148xx.2.x.x or later include the Messaging and Security Feature Pack. To find the operating system version on the device, select Start, choose Settings, and then select About.
Optional Items

You can implement the following components for security and device management tools. See Network Architecture Alternatives in this document.

Microsoft Desktop ActiveSync 4.1 or later, which can be downloaded from this Microsoft download Web site: http://go.microsoft.com/fwlink/?LinkId=109212.
Microsoft Internet Security and Acceleration (ISA) Server 2006 (or ISA Server 2004 or third party firewall)
Windows Certification Authority (CA)
RSA Authentication Manager 6.0 from RSA Security
RSA Authentication Agent for Microsoft Windows from RSA Security
RSA SecurID Authenticator from RSA Security
Deployment Process Summary

Because corporate network configurations and security policies vary, the deployment process will vary for each mobile messaging system installation. This deployment process includes the required steps and the recommended steps for deploying a mobile messaging solution that uses Exchange Server 2003 SP2 and Windows Mobile 5.0-based devices.

Note:
The following steps outline the process for setting up a mobile messaging solution with ISA Server 2006 in a workgroup in a perimeter network, with LDAP authentication. For more information on alternative network configurations, see Network Architecture Alternatives in this document.

The process can be accomplished in the following eight steps:

Step 1: Upgrade Front-End Server to Exchange Server 2003 SP2
Step 2: Update All Servers with Security Patches
Step 3: Protect Communications with Mobile Devices
Step 4: Protect Communications Between the Exchange Server and Other Servers
Step 5: Install and Configure ISA Server 2006 or Other Firewall
Step 6: Configure Mobile Device Access on the Exchange Server
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
Step 8: Manage and Configure Mobile Devices
Planning Resources

The following Microsoft Web sites and technical articles provide background information that is important for the planning and deployment of your mobile messaging solution.

Exchange Server 2003
Planning an Exchange Server 2003 Messaging System
Exchange Server 2003 Client Access Guide
Exchange Server 2003 Deployment Guide
Windows Server 2003 Deployment Guide
Using ISA Server 2004 with Exchange Server 2003
Windows Server 2003 Technical Reference
IIS 6.0 Deployment Guide (IIS 6.0)
Microsoft Exchange Server
Exchange Server 2003 Technical Documentation Library

Windows Mobile
Supporting Windows Mobile-based Devices within the Enterprise: Corporate Guidelines for Each Stage of the Device's Lifecycle (white paper)
TechNet Windows Mobile Center

ISA Server
Secure Application Publishing
Publishing Exchange Server 2003 Active Sync with ISA Server 2006

Security
Security Considerations for Windows Mobile Messaging in the Enterprise (white paper)
Security Model for Windows Mobile 5.0 and Windows Mobile 6 (white paper)
Windows Mobile Security Web site
TechNet Security Center
Messaging and Security Feature Pack Overview

The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.

Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack will give you the following capabilities:

With direct push technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.
You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.
You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.
You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.

Features

These MSFP features improve essential communications for mobile workers.

Direct Push Technology

The direct push technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user's mobile device. Direct push works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. The direct push technology uses an established HTTP or HTTPS connection between the device and the Exchange server; previous solutions required the use of Short Message Service (SMS), which is no longer required. No special configuration is required on the mobile device, and you can keep your standard data plan since the service is world-capable and requires no additional software or server installations other than Exchange Server 2003 SP2.

For an in-depth discussion of the direct push technology, see Understanding the Direct Push Technology in this document.
Exchange ActiveSync

Exchange ActiveSync is an Exchange synchronization protocol that is designed for keeping your Exchange mailbox synchronized with a Windows Mobile 5.0-based device. Exchange ActiveSync is optimized to deal with high-latency/low-bandwidth networks, and also with low-capacity clients that have limited amounts of memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is a part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:

The consistency of the familiar Outlook experience for users
No extra software is required to install or configure devices
Global functionality that is achieved via standard data access phone service

Global Address List Access

Support for over-the-air lookup of global address list (GAL) information stored on Exchange Server. With the Messaging and Security Service Pack, mobile device users will be able to receive contact properties for individuals in the GAL. These properties can be used to search remotely for a person quickly based on name, company, and/or other aspect. Users will get all of the information they need to reach their contacts without having the data stored on their device.

Security Features

Security features help protect personal and corporate files on mobile devices.

Remotely Enforced Device Security Policies

Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. You can specify the length of the password, require usage of a character or symbol, and designate how long the device has to be inactive before prompting the user for the password again.

An additional setting, wipe device after failed attempts, allows you to delete all data and certificates on the device after the user enters the wrong password a specified number of times. The user will see a series of alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens. External memory, such as a secure digital (SD) card, is not erased.

You can also specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.

The device security policies are managed from Exchange System Manager's Mobile Services Properties interface.
Remote Device Wipe

The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device was connected using direct push technology, the wipe process will be initiated immediately and should take place in seconds. If you have used the enforced lock security policy, the device is protected by a password and local wipe, so the device can receive calls, but will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.

The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:

View a list of all devices that are being used by any user.
Select or de-select devices to be remotely erased.
View the status of pending remote erase requests for each device.
View a transaction log that indicates which administrators have been delegated the ability to issue remote erase commands, in addition to the devices those commands pertained to.

Advanced Security Features

The advanced security features in MSFP can be used to meet more stringent security requirements.

Certificate-Based Authentication

If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smartcard. The private key and certificate for client authentication is stored in memory on the device. However, if an unauthorized user attempts to brute force attack the power-on password for the device, all user data is purged including the certificate and private key.

For more information, see Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.

Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download Center Web site.
Support for S/MIME Encrypted Messaging

The Messaging and Security Feature Pack for Windows Mobile 5.0 provides native support for digitally signed, encrypted messaging. When encryption with the Secure/Multipurpose Internet Mail Extension (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.

The S/MIME control:

Is a standard for security enhanced e-mail messages that use a Public Key Infrastructure (PKI) to share keys
Offers sender authentication by using digital signatures
Ensures that only the intended recipient can read the message
Encrypts e-mail data at rest on the device to protect privacy
Works well with any standard-compliant e-mail client
Requires the use of a smart card reader

For guidance on how to implement the S/MIME control with Microsoft® Exchange Server 2003 SP2, see the Exchange Server Message Security Guide.

Administering the Messaging and Security Feature Pack

Safeguards like password policies and remote wipe capabilities provide you with the security features to help you protect your organization's data. With the combination of the management capabilities built into Exchange Server 2003 SP2 and the security and configuration protocols included in the Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack, your control over mobile devices has been streamlined. You will see that most of the administration of the security features for the mobile device happens on the Exchange Server or on the Exchange ActiveSync Mobile Administration Web tool.
The following table summarizes the features and the settings required on the Exchange Server or on the mobile device.

Feature | Exchange Server Settings | Mobile Device Settings
Exchange direct push technology | Enabled by default with Exchange Server 2003 SP2. Protect configuration with firewall or ISA Server. Extend session timeout on all firewalls and network appliances. | No preliminary device setup required. The device automatically switches from SMS to direct push technology when it synchronizes with ActiveSync. User steps thru ActiveSync wizard upon login to Exchange server.
Exchange ActiveSync | Enabled by default with Exchange Server 2003 SP2. Set parameters by using Exchange System Manager's Mobile Services Properties. | No preliminary device setup required; user steps thru ActiveSync wizard upon login to Exchange server.
Wireless access to global address list (GAL) | Default Exchange Server setup. Requires Outlook Web Access published on Exchange Server. | No preliminary device setup required. Privileged devices have automatic access to GAL.
Remotely enforced IT policy | Enable direct push technology in Exchange ActiveSync. Use Exchange System Manager's Mobile Services Properties to apply policies. | No preliminary device setup required; user steps thru ActiveSync wizard upon login to Exchange server and accepts IT policies.
Remote Wipe | Enable direct push technology in Exchange ActiveSync. Use Mobile Administration Web tool to initiate, track, and cancel the remote wipe. | No preliminary device setup required; user steps thru ActiveSync wizard upon login to Exchange server and accepts IT policies.
Certificate-based authentication | Install certificate on Exchange Servers. Deploy Desktop ActiveSync 4.1 or later to desktops. Use the Certificate Enrollment tool to configure the devices via ActiveSync. | Initial certificate enrollment and renewal using Desktop ActiveSync is required.
S/MIME mobile device support | Deploy an Exchange Server 2003 messaging system with PKI security. | Install certificate enrollment protocol and key on the device.
Understanding the Direct Push Technology

The direct push technology uses Exchange ActiveSync to keep data on a Windows Mobile-based device synchronized with data on a Microsoft Exchange server. There is no longer a reliance on SMS for notification.

Direct Push Technology

The direct push technology has two parts: one part resides on the device (client), and the other resides on an Exchange Server SP2 mail server. The following list describes these parts of the technology:

Windows Mobile-based device with MSFP: The ActiveSync technology on the device manages the direct push communication with Exchange Server. It establishes an HTTP or HTTPS connection with the server for a specified time, and then goes to sleep while waiting for the server to respond. The server responds with either a status indicating that new items were received or that no new items arrived. The device then sends either a synchronization request or another direct push request. The rate at which this occurs is dynamically adjusted based on parameters set by the OEM or Operator and how long an idle HTTP or HTTPS connection can be maintained on the operator network and the customer's Enterprise network.

Exchange Server 2003 Service Pack 2: This version of Exchange Server includes a direct push component that augments the Exchange ActiveSync infrastructure that supports manual and scheduled synchronization. Exchange Server uses IP-based notifications to deliver e-mail, contact, calendar, and task updates to a device as soon as the information arrives at the server.

When data changes on the server, the changes are transmitted to the device over a persistent HTTP or HTTPS connection that is used for direct push. The time-out value in the mobile operator network identifies how long the persistent connection will be maintained with no activity.

To keep this connection from timing out between updates, the device reissues a request when the server responds. This periodic transmission is referred to as the "heartbeat". The heartbeat is what maintains the connection to the server for direct push; each heartbeat alerts the server that the device is ready to receive data.
The Direct Push Process

Direct push traffic looks like small HTTP requests to an Internet Web site that takes a long time to issue a response. Microsoft recommends that the content of the packets be encrypted by using Secure Sockets Layer (SSL), which makes identifying direct push traffic by sniffing difficult.

The following steps provide an overview of the direct push process:

1. The client issues an HTTP message known as a ping request to an Exchange server, asking that the server report any changes that occur in the user's mailbox within a specified time limit.
   In the ping request, the client specifies the folders that Exchange should monitor for changes. Typically these are the Inbox, Calendar, Contacts, and Tasks.

2. When Exchange receives this request, it monitors the folders specified until one of the following occurs:
   - The time limit expires. The time limit is determined by the shortest time out in the network path.
     If this occurs, Exchange issues an HTTP 200 OK response to the client.
   - A change occurs in one of the folders, such as the arrival of mail.
     If this occurs, Exchange issues a response to the request and identifies the folder in which the change occurred.

3. The client reacts to the response from the Exchange server in one of the following ways:
   - If it receives an HTTP 200 OK response indicating that no error occurred, it re-issues the ping request.
   - If it receives a response other than HTTP 200 OK, it issues a synchronization request against each folder that has changed. When the synchronization is complete, it re-issues the ping request.
   - If it does not receive a response from the Exchange server within the time specified, it lowers the time interval in the ping request and then re-issues the request.

Direct Push Dynamic Adjustment

During the direct push process described above, the device waits for successive round trips before attempting to adjust the amount of time it needs to keep a connection open with the server. The amount of time that the server should wait for Personal Information Manager (PIM) changes or new mail to arrive before sending OK to the client is called the heartbeat interval.

The heartbeat interval is specified by the client and is sent as part of the ping request. The heartbeat begins at the default rate. The direct push algorithm on the client then dynamically adjusts the heartbeat interval to maintain the maximum time between heartbeats without exceeding the time-out value. The adjustment is based on network conditions, how long an idle HTTP or HTTPS connection can be maintained on the operator or corporate network, and some settings that the operator can specify.
To determine the optimal heartbeat interval, the algorithm keeps a log of ping requests. If a ping request receives a response, the algorithm increases the interval. If no response is received at the end of the interval, the client determines that the network timed out and the interval is decreased.

By using this algorithm, the client eventually determines the longest idle connection possible across the cellular network and corporate firewall.

The following illustration shows how the heartbeat interval is adjusted during typical direct push communication between the client and the Exchange Server. The "T" in this illustration indicates the progression of time.
The following steps describe the communication; the numbers correspond to the numbers in the illustration:

1. The client wakes up and issues an HTTP request over the Internet to the Exchange Server, and then goes to sleep.
   To keep the session active, the request states the heartbeat interval, which is the amount of time that the server should wait for Personal Information Manager (PIM) changes or new mail to arrive before sending OK to the client. In this illustration, the heartbeat interval is 15 minutes.

2. Because no mail arrived during the heartbeat interval, the server returns an HTTP 200 OK.
   In this example, the response is lost because either the operator network or the Enterprise network was unable to sustain the long-lived HTTP connection; the client never receives it.

   Note:
   If the connection is closed by the front-end Exchange server, the device will acknowledge the ended session and immediately reconnect.
   If the connection is closed by the back-end Exchange server, the device does not acknowledge the ended session and waits for the end of the heartbeat interval to reconnect.

3. The client wakes up at the end of the heartbeat interval plus 1 minute (15 + 1 = 16 minutes total).

   Note:
   The device waits for successive round trips before attempting to adjust the heartbeat interval. A tuning component in the algorithm can change the increments to an amount different than what is specified.

   If this was a successive round trip with no response from the server, it issues a shorter-lived request (8 minutes).
   In this example, because the heartbeat was not increased during the last ping, the heartbeat is changed to the minimum heartbeat value (8 minutes).

4. Because no mail arrived during the heartbeat interval, the server returns an HTTP 200 OK.

5. The server response wakes up the client. Because the connection did not time out during the interval, the client determines that the network can support idle connections for at least this length of time.
   If this was a successive round trip, the client determines that it can increase the interval to a longer time for the next request.
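As an added example (not code from the guide), the following Python simulation reproduces the adjustment behaviour described in both the algorithm paragraphs and the numbered walkthrough above: a client that keeps a log of ping requests, a network path with an idle timeout the client does not know, and the 8-minute minimum, 15-minute default and 30-minute recommended maximum from this guide. The 4-minute growth step, the two-successive-round-trip rule and the use of the log to cap future requests are my assumptions, since the real tuning component is not published.

```python
"""Simulation of the direct push heartbeat adjustment.

Added example, not code from the Microsoft guide. Assumptions: the client
grows the interval by a fixed 4-minute step only after two successive
answered round trips, falls back to the 8-minute minimum on any lost
response, and uses its ping log so that it never again requests an interval
it has already seen the path drop. These rules reproduce the 15 / 16 / 8
minute figures of the walkthrough; the real tuning component is unpublished.
"""
from dataclasses import dataclass, field
from typing import Optional

MIN_HEARTBEAT = 8        # minutes, minimum heartbeat from the walkthrough
DEFAULT_HEARTBEAT = 15   # minutes, starting interval from the walkthrough
MAX_HEARTBEAT = 30       # minutes, the guide's recommended operator setting
INCREMENT = 4            # assumed growth step after successive good round trips
WAKE_GRACE = 1           # the client wakes heartbeat + 1 minute after its ping


@dataclass
class PingRecord:
    heartbeat: int    # interval requested in the ping
    responded: bool   # True if a server response reached the client
    wake_at: int      # simulated minute at which the client woke or was woken


@dataclass
class DirectPushClient:
    heartbeat: int = DEFAULT_HEARTBEAT
    log: list = field(default_factory=list)
    shortest_lost: Optional[int] = None   # smallest interval known to be dropped

    def ping_request(self) -> dict:
        """Content of the next ping: folders to monitor and the heartbeat."""
        return {"heartbeat_minutes": self.heartbeat,
                "folders": ["Inbox", "Calendar", "Contacts", "Tasks"]}

    def record(self, responded: bool, wake_at: int) -> None:
        """Log the outcome of one round trip, then adjust the heartbeat."""
        self.log.append(PingRecord(self.heartbeat, responded, wake_at))
        self._adjust()

    def _adjust(self) -> None:
        last = self.log[-1]
        if not last.responded:
            # The network timed out: remember the failing interval, drop to the minimum.
            self.shortest_lost = (last.heartbeat if self.shortest_lost is None
                                  else min(self.shortest_lost, last.heartbeat))
            self.heartbeat = MIN_HEARTBEAT
            return
        # Grow only after successive answered round trips, and never up to an
        # interval the log already shows the path cannot sustain.
        if len(self.log) >= 2 and self.log[-2].responded:
            ceiling = MAX_HEARTBEAT if self.shortest_lost is None else self.shortest_lost - 1
            self.heartbeat = min(self.heartbeat + INCREMENT, ceiling)


def simulate(path_idle_timeout: int, rounds: int,
             mail_arrivals: frozenset = frozenset()) -> DirectPushClient:
    """Run `rounds` ping requests across a path (operator network plus
    corporate firewall) that silently drops any HTTP connection idle for more
    than `path_idle_timeout` minutes. `mail_arrivals` holds the round numbers
    in which new mail reaches the mailbox 2 minutes into the wait (constructed
    input), which makes the server answer early."""
    client = DirectPushClient()
    now = 0
    for n in range(rounds):
        h = client.ping_request()["heartbeat_minutes"]
        # The server answers at the end of the interval, or as soon as mail arrives.
        reply_at = 2 if n in mail_arrivals else h
        responded = reply_at <= path_idle_timeout
        # A lost response means the client sleeps the full interval plus the grace minute.
        now += reply_at if responded else h + WAKE_GRACE
        client.record(responded, now)
    return client


if __name__ == "__main__":
    trace = simulate(path_idle_timeout=20, rounds=30)
    for r in trace.log:
        print(f"t={r.wake_at:4d} min  heartbeat={r.heartbeat:2d}  "
              f"{'response received' if r.responded else 'response lost'}")
    print("settled heartbeat:", trace.heartbeat)
```

With a 20-minute path timeout the client probes past the limit, falls back to 8 minutes, and settles at 20 minutes once the log rules out anything longer.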
The Impact of Direct Push on Networks and Exchange Servers

The algorithm that sets the heartbeat also minimizes bytes sent over the air and maximizes battery life.

Implementing data compression will reduce the packet sizes sent between the front end server and the client. However, the amount of bandwidth that is consumed and whether it will impact the user's data plan greatly depends on the following factors:

- What the user chooses to synchronize, such as more than the default folders.
- How much data is changed in the mailbox and on the mobile device.

The Impact of Changing the Direct Push Settings

To help you maintain adequate device performance during direct push, Microsoft recommends values for the various direct push settings.

Heartbeat Interval

The heartbeat interval is set on the device by the mobile operator. Using a heartbeat interval of 30 minutes has positive implications for battery life and bandwidth consumption. When direct push sessions are permitted to live longer (such as 30 minutes), there are fewer HTTP round trips, less data sent and received, and less power consumed by the device.

A heartbeat interval that is too short will keep the user always up to date, but will shorten battery life because of the constant pinging of the server.

Minimum Heartbeat

If a device that has a heartbeat below the minimum heartbeat level requests a connection to the Exchange server, the server logs an event to indicate to the administrator that direct push is not working.

Exchange Session

To keep device information up to date while preserving battery life, the Exchange server session duration should be a little greater than the maximum heartbeat setting. If the server session is shorter, it may reach the idle timeout, causing it to drop the session. This would result in mail being undeliverable until the client reconnects, and the user could be unsynchronized for long periods of time.

Firewall Timeouts

The network idle connection timeout indicates how long a connection is permitted to live without traffic after a TCP connection is fully established.

The firewall session interval must be set to allow the heartbeat interval and Enterprise session interval to communicate freely. If the firewall closes the session, then mail would be undeliverable until the client reconnects, and the user could be unsynchronized for long periods of time. By setting the firewall session timeout equal to or greater than the idle timeout on the Operator network, the firewall will not close the session.
The following list shows how the firewalls' idle connection timeouts should be set:

- Operators need to set the idle connection timeouts on outgoing firewalls to 30 minutes.
- Enterprises also need to set timeouts on their incoming firewalls to 30 minutes.
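As an added example (not from the guide), the following Python check encodes the timeout relationships stated in the Exchange Session and Firewall Timeouts sections: the Exchange session must outlive the maximum heartbeat, the enterprise firewall idle timeout must be at least the operator's, both firewalls should allow 30 minutes, and the shortest timeout on the path bounds the heartbeat the device can actually sustain. The field names and the sample configurations are my own.

```python
"""Consistency check for direct push timeouts.

Added example, not from the Microsoft guide. It encodes the relationships
the guide states between the heartbeat, the Exchange session duration and
the firewall idle timeouts; field names and sample values are constructed.
"""
from dataclasses import dataclass

RECOMMENDED_IDLE_TIMEOUT = 30  # minutes, the guide's recommendation for both firewalls


@dataclass(frozen=True)
class PushPathTimeouts:
    """All values in minutes."""
    max_heartbeat: int      # longest heartbeat interval the device is allowed to request
    operator_idle: int      # idle connection timeout on the operator's outgoing firewall
    enterprise_idle: int    # idle connection timeout on the enterprise's incoming firewall
    exchange_session: int   # Exchange server session duration


def shortest_path_timeout(t: PushPathTimeouts) -> int:
    """The heartbeat the device can sustain is limited by the shortest idle
    timeout anywhere on the path (operator network, enterprise firewall, Exchange)."""
    return min(t.operator_idle, t.enterprise_idle, t.exchange_session)


def effective_heartbeat(t: PushPathTimeouts) -> int:
    """Where the adaptive heartbeat will settle: the device never exceeds its
    own maximum, and the path silently drops anything longer than its timeout."""
    return min(t.max_heartbeat, shortest_path_timeout(t))


def check_push_path(t: PushPathTimeouts) -> list[str]:
    """Return one finding per violated relationship; an empty list means the
    configuration matches the guide's recommendations."""
    findings = []
    if t.exchange_session <= t.max_heartbeat:
        findings.append(
            f"Exchange session ({t.exchange_session} min) must be a little greater "
            f"than the maximum heartbeat ({t.max_heartbeat} min), or the server "
            "reaches its idle timeout and drops the session")
    if t.enterprise_idle < t.operator_idle:
        findings.append(
            f"enterprise firewall idle timeout ({t.enterprise_idle} min) is below "
            f"the operator idle timeout ({t.operator_idle} min); set it equal or "
            "greater so the firewall does not close the session first")
    for name, value in (("operator", t.operator_idle), ("enterprise", t.enterprise_idle)):
        if value < RECOMMENDED_IDLE_TIMEOUT:
            findings.append(
                f"{name} firewall idle timeout ({value} min) is below the recommended "
                f"{RECOMMENDED_IDLE_TIMEOUT} min; expect more HTTP round trips and "
                "higher device power consumption")
    settled = effective_heartbeat(t)
    if settled < t.max_heartbeat:
        findings.append(
            f"heartbeat will settle near {settled} min rather than {t.max_heartbeat} "
            "min because the shortest timeout on the path wins")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations: one that follows the guide, one that does not.
    recommended = PushPathTimeouts(max_heartbeat=30, operator_idle=30,
                                   enterprise_idle=30, exchange_session=35)
    undersized = PushPathTimeouts(max_heartbeat=30, operator_idle=30,
                                  enterprise_idle=15, exchange_session=30)
    for label, cfg in (("recommended", recommended), ("undersized", undersized)):
        print(label, effective_heartbeat(cfg), check_push_path(cfg) or "OK")
```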
Web servers, network security appliances, and system network stacks have several time-based thresholds that are intended to insulate them from insufficiently tested or malicious clients. You can safely increase the idle connection timeout setting without compromising the security of the network.

In a direct push scenario, the connection is idle between the time that the HTTP request is made and either the time that the heartbeat interval expires or when the server responds to the request with a change (such as when mail is received). Direct push makes no assumption as to the length of its sessions; e-mail is delivered rapidly whether the heartbeat interval is one minute or thirty minutes.

Increasing the idle connection timeout typically does not increase or decrease the exposure to attack. The following table shows examples of attacks and describes how other settings are used to mitigate exposure to them.

DoS threat: A DoS attack is launched by failing to complete the handshake that is implicit in the creation of a TCP connection. The attacker attempts to create a large number of partially open TCP connections.
Mitigation of exposure to attacks: Increasing the idle connection timeouts is unrelated to this type of attack. The time within which a TCP handshake must complete is a separate threshold that is governed by the Windows TCP/IP stack.

DoS threat: A DoS attack is launched against IIS by opening a large number of TCP connections but never issuing an HTTP request over any of them.
Mitigation of exposure to attacks: Increasing the idle connection timeouts is unrelated to this type of attack. IIS mitigates this threat by requiring that a client submit a fully-formed HTTP request within a certain time before dropping the connection. The name of the Connection Timeout setting in the IIS management console is misleading; TCP connections are closed when the Connection Timeout value is exceeded (120 seconds by default).

DoS threat: An attacker establishes a large number of TCP connections, issues HTTP requests over all of them, but never consumes the responses.
Mitigation of exposure to attacks: Increasing idle connection timeouts is unrelated to this type of attack. This threat is mitigated by the same timeout as the previous scenario. The Connection Timeout setting in IIS defines the time within which a client must issue either its first request after a TCP connection is established or a subsequent request in an HTTP keep-alive scenario.
Network Architecture Alternatives

The choices that you have made in your network configuration and network design may impact the steps that you will need to take to upgrade your system to accommodate direct push technology and the Messaging & Security Feature Pack management features.

Deployment Options

The following table introduces some of the most common deployment configurations with the unique considerations for each. Follow the links to deployment documentation for each configuration.
Setup type: ISA Server 2006 as an advanced firewall in a workgroup in the perimeter network (recommended)
Description:
- All of the Exchange servers are within the corporate network.
- FBA or Basic authentication set up for Exchange ActiveSync, with SSL configured to encrypt all messaging traffic, so all clients negotiate an SSL link before connecting.
- ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.
- ISA Server 2006 directly communicates with LDAP and RADIUS servers.
- LDAP Authentication: LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported. Every domain controller is an LDAP server. The LDAP server has a store of the Active Directory users' credentials. Because each domain controller can only authenticate the users in its domain, ISA Server by default queries the global catalog for a forest to validate user credentials.
- Radius Authentication: RADIUS provides credentials validation. ISA Server is the RADIUS client, depending upon the RADIUS authentication response. Password changes are not possible.
Consideration:
- All Exchange traffic is preauthenticated, reducing surface area and risk.
- Client authentication is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID.
- Requires port 443 opened on the firewall for inbound and outbound Internet traffic.
- Requires a digital certificate in order to connect to the Configuration Storage server.
- Limited to one Configuration Storage Server (ADAM limitation).
- In case of firewall failure, domain and Active Directory are inaccessible.
- Domain administrators do not have access to the firewall array.
- Workgroup clients cannot use Windows authentication.
- Requires management of mirrored accounts for monitoring arrays.
- For an overview of the process, see Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices.

Setup type: ISA Server 2006 domain-joined in perimeter network
Description:
- Exchange FE in the Enterprise forest.
- As a domain member, ISA Server 2006 integrates with Active Directory.
Consideration:
- Additional ports on the internal firewall opened to facilitate domain member communication to Active Directory.
- IPSec can be configured between the ISA server and Exchange server to eliminate the need for additional open ports.
- Simplified deployment and administration of ISA Server arrays within the domain.
- Vulnerability of access across the domain in case of firewall failure.
- See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109217.

Setup type: Firewall in separate domain with one-way trust
Description:
- Exchange FE in the Enterprise forest.
- ISA Server 2006 as domain controller of its own DMZ forest.
- One-way trust created, so the DMZ forest trusts the Enterprise forest accounts.
- ISA Server 2006 authenticates requests at the ISA edge.
Consideration:
- All Exchange traffic is preauthenticated, reducing surface area and risk.
- Complex to configure.
- Scales well across an Enterprise solution.
- For detailed instructions, see Using ISA Server 2004 with Exchange Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109215.

Setup type: Third party firewall
Description:
- Configure as an advanced firewall or surrounding a perimeter network.
- Encrypt all traffic between the mobile device and Exchange Server with SSL.
- Open port 443 inbound on each firewall between the mobile device and Exchange Server.
- Set the Idle Session Timeout to 30 minutes on all firewalls and network appliances on the path between the mobile device and the Exchange FE server to facilitate direct push technology.
Consideration:
- Consult the firewall manufacturer's documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout.

Setup type: Single Exchange 2003 Server
Description:
- Single Exchange Server within the corporate network, behind a firewall.
- Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 using Kerberos authentication.
Consideration:
- Simple deployment for small to medium business.
- Requires the following setup steps on the ExAdmin virtual directory: turn off SSL Required; use Windows Integrated authentication.
- If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct push technology.
- For details, see Deployment on a Single Server in the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.
- See also the Microsoft KB article "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003": http://go.microsoft.com/fwlink/?LinkId=62660.

Setup type: Windows Small Business Server 2003
Description:
- Exchange traffic is routed to the server running Windows SBS with port 443 open inbound.
- Exchange FE is behind the following firewalls: ISA Server 2004 Service Pack 1, which is included in Windows SBS Premium Edition Service Pack 1; the built-in Routing and Remote Access firewall in Windows SBS; the UPnP™ hardware firewall.
- Certificates installed on devices provide SSL encryption and access.
Consideration:
- Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server 2003, providing simplified deployment.
- Requires desktop ActiveSync installed on a client computer.
- See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109220.

Setup type: Exchange FE in the perimeter network (This option is not recommended for new mobile messaging solutions.)
Description:
- Exchange FE is in the perimeter network with firewalls between it and the Internet and the corporate network.
Consideration:
- Additional firewall ports opened to enable direct push and facilitate connection between FE and BE servers: open port 443 inbound on the external firewall; UDP port 2883 open on the firewall between the Exchange FE and BE.
- See the "Deployment with the Front End Server in a Perimeter Network" section of the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=81200.
ISA Server 2006 as an Advanced Firewall in a Perimeter Network

In this configuration, all of the Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. This adds an additional layer of security to your network.

All incoming Internet traffic bound to your Exchange servers, for example Microsoft Office OWA traffic and remote procedure call (RPC) over HTTP communication from Microsoft Office Outlook 2003 clients, is processed by the ISA server. When the ISA server receives a request bound for an Exchange server, the ISA server terminates the connection and then proxies the request to the appropriate Exchange servers that are on your internal network. The Exchange servers on your network then return the requested data to the ISA server, which sends the information to the client through the Internet.

During installation of the ISA server, Microsoft recommends that you enable Secure Sockets Layer (SSL) encryption, and designate 443 as the SSL port. This leaves port 443 open as the "Web Listener" to receive Internet traffic. Microsoft also recommends that you set up basic authentication for Exchange ActiveSync, and that you require all clients to successfully negotiate an SSL link before connecting to the Exchange ActiveSync site directories. If you follow these recommendations, the Internet traffic that flows into and out of port 443 will be better protected.

When configured in Web-publishing mode, ISA Server 2006 will provide protocol filtering and hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and pre-authentication.
The following illustration shows the recommended Exchange Server 2003 deployment for mobile messaging with ISA Server 2006.

Authentication in ISA Server 2006

Users can be authenticated using built-in Windows, LDAP, RADIUS, or RSA SecurID authentication. Front-end and back-end configuration has been separated, providing for more flexibility and granularity. Single sign on is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace.

For most Enterprise installations, ISA Server 2006 with LDAP authentication is recommended. In addition, ISA Server 2006 enables certificate-based authentication with Web publishing. For more information, see Authentication in ISA Server 2006 on the Microsoft TechNet Web site: http://go.microsoft.com/fwlink/?LinkID=87068.
The following table summarizes some of the features of ISA Server 2006:

Feature: Support for LDAP authentication
Description: LDAP authentication allows ISA Server to authenticate to Active Directory without being a member of the domain. See this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=87069

Feature: Delegation of Basic authentication
Description: Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.

Feature: SecurID authentication for Web Proxy clients
Description: ISA Server 2006 can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.

Feature: RADIUS support for Web Proxy client authentication
Description: With ISA Server 2006, you can authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections.

Feature: Session management
Description: ISA Server 2006 includes improved control of cookie-based sessions to provide for better security.

Feature: Certificate Management
Description: ISA Server 2006 is improved to simplify certificate management and reduce the total cost of ownership associated with using certificates when publishing Web sites. It is possible to utilize multiple certificates per Web listener and to use different certificates per array member.
LDAP Authentication with ISA Server 2006

ISA Server 2006 supports Lightweight Directory Access Protocol (LDAP) authentication. LDAP authentication is similar to Active Directory® directory service authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server, by default, with no additional configuration changes required.

By using LDAP authentication, you get the following benefits:

- A server running ISA Server 2006 Standard Edition, or ISA Server 2006 Enterprise Edition array members, in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.
- Authentication of users in a domain with which there is no trust relationship.

Instructions for configuring ISA Server for LDAP authentication are included in this document in Step 5: Install and Configure ISA Server 2006 or Other Firewall. For more information about configuring ISA Server for LDAP authentication, see "Secure Application Publishing" at the Microsoft TechNet Web site.
Deployment with ISA Server in a Perimeter Network

In this configuration, the mobile device utilizes the mobile operator's cellular data network to communicate over the Internet to an outer firewall that the organization uses to restrict traffic. The outer firewall port forwards the EAS traffic (via SSL port 443) inbound to the inner third party device, which forwards it to the Exchange Server 2003 for processing.

The figure below illustrates an end-to-end example of a typical over-the-air Exchange ActiveSync deployment.

To ensure that Microsoft Exchange ActiveSync functions correctly in this scenario, Microsoft recommends that port 443 inbound be opened on both third party firewall products so that the Windows Mobile device can communicate directly with the Exchange Server. This is a network requirement for Exchange ActiveSync to work properly whether using Microsoft direct push technology (default setting) and/or Always Up-to-Date Notifications (optional).
Deployment on a Single Server

If your mobile messaging solution uses a single Exchange server, you may have to establish some special configurations to avoid conflicts on the virtual directory.

SSL Requirements and Forms-based Authentication

In a single-server configuration, Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 by using Kerberos authentication. Exchange ActiveSync cannot access the Exchange virtual directory if either of the following conditions is true:

- The Exchange virtual directory is configured to require SSL.
- Forms-based authentication is configured.

For more information about, and workarounds for, these configurations, see the following article in the Microsoft Knowledge Base: Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003. http://go.microsoft.com/fwlink/?LinkId=62660

Settings Required for Exchange ActiveSync Mobile Administration Web Tool Installation

When deployed in a single-server configuration, the Exchange ActiveSync Mobile Administration Web tool requires the default configuration on the ExAdmin virtual directory. By default, SSL is not turned on and the virtual directory has Windows Integrated authentication.

In a single-server configuration, we recommend that you do the following on the ExAdmin virtual directory:

- Turn off SSL Required
- Use Windows Integrated authentication

Note:
The Exchange ActiveSync Mobile Administration Web tool should run in the ExchangeAppPool.

For more information, see the following article in the Microsoft Knowledge Base: Error message when you try to use the Microsoft Exchange Server ActiveSync Web Administration tool to delete a partnership or to perform a Remote Wipe operation on a mobile device in Exchange Server 2003 SP2: "(401) Unauthorized". http://support.microsoft.com/kb/916960/en-us
RSA SecurID Compatibility

RSA SecurID provides token-based authentication that requires user input and was not compatible with direct push technology, in which the device synchronizes automatically. RSA has updated the RSA Authentication Agent for Windows so that direct push technology and scheduled synchronization features function smoothly.

ISA Server 2006 works with SecurID token authentication. See the ISA Server 2006 documentation.

If you are using the RSA SecurID product, be sure to get the latest RSA SecurID software from the RSA Security Web site: http://go.microsoft.com/fwlink/?LinkId=63273.

Forms-based Authentication

If you have forms-based authentication set up on an Exchange organization for Exchange ActiveSync on an Exchange Server with no back-end, additional configurations may be required. For more information about these configurations, see the following article in the Microsoft Knowledge Base: Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003. http://go.microsoft.com/fwlink/?LinkId=109221

Note:
Exchange Server 2003 SP2 forms-based authentication does not allow you to set the default domain setting in IIS to anything other than the default domain setting of \. This restriction is in place in order to support user logons that use the User Principal Name format. If the default domain setting in IIS is changed, Exchange System Manager resets the default domain setting to "\" on the server.
You can change this behavior by customizing the Logon.asp page in the OWA virtual directory in IIS to specify your domain or to include a list of domain names. However, if you customize the Logon.asp page in the OWA virtual directory in IIS, your changes may be overwritten if you upgrade to, or re-install, Exchange Server 2003 SP2.
2>
Deploying Windows Mobile-based Devices with Exchange Server 200 S!2
Deployment with the Exchange Front End Server in a Perimeter Network
If your deployment configuration has the Front-End Exchange server inside the DMZ or perimeter network, you may have to change the firewall settings to facilitate the direct push technology.
Note:
This option is not recommended for new mobile messaging solutions.
With direct push technology, whenever the back end server receives e-mail or data to be transmitted to a mobile device, it sends a UDP notification to the front-end server. This transmission requires that UDP port 2883 be open on the firewall to allow one-way traffic from the back-end server to the front-end server.
For more information about the deployment of direct push technology and its impact on firewall configuration, see the Exchange Server blog article "Direct push is just a heartbeat away" at http://go.microsoft.com/fwlink/?LinkId=67080.
For more information about configuring a front-end server in the DMZ, see "Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server" at http://go.microsoft.com/fwlink/?LinkId=62643.
VPN Configuration
Windows Mobile 5.0-based devices provide native support for Virtual Private Network (VPN) access to a corporate network based on PPTP or L2TP/IPSec VPN protocols.
Microsoft recommends using L2TP/IPSec connections, as these connections require both device-level authentication through certificates and user-level authentication through a PPP authentication protocol. L2TP/IPSec relies on the existing infrastructure for Windows Mobile-based devices to connect to internal company resources such as file shares, Web servers, and mobile line of business applications. For an example deployment of VPN with Windows Server 2003, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109222.
For more information about securing VPN access, see "How ISA Server 2004 Provides SSL VPN Functionality for Outlook Web Access and RPC over HTTP" at http://go.microsoft.com/fwlink/?LinkID=67445.
For more information about the sign on process from a Windows Mobile 5.0-based device, see "Accessing a Corporate Network by using a VPN Connection" in Step 8, Manage and Configure Mobile Devices.
Best Practices for Deploying a Mobile Messaging Solution
Best practices for deploying a mobile messaging solution on your corporate network are recommendations that will help you ensure the smooth operation of, and provide a high level of security for, your mobile messaging solution.
Network Configuration
Regardless of the network configuration you implement, there are some best practices that will strengthen your mobile messaging solution.
Best Practice: Use Front-end and Back-end Configuration for Exchange Servers
A front-end and back-end configuration is recommended for multiple-server organizations that use Exchange ActiveSync, Outlook Web Access (OWA), Post Office Protocol (POP), or Internet Message Access Protocol (IMAP), and that want to provide HTTP, POP, or IMAP access to their employees. In this architecture, a front-end server accepts requests from clients, and then proxies those requests to the appropriate back-end server for processing. The front-end and back-end architecture allows the front-end server to handle the Secure Sockets Layer (SSL) encryption, thus enabling the back-end servers to increase overall e-mail performance. This configuration scales well and provides a measure of security by limiting access to the front-end server.
Securing the messaging environment also involves disabling those features and settings for the front-end server that are not necessary in a front-end and back-end server architecture.
For more information about front-end and back-end server architecture, see "Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology" at http://go.microsoft.com/fwlink/?LinkId=62643.
Best Practice: Configuring your Firewall for Optimal Direct Push Performance
Direct push technology requires an established connection between the server and the client. No data is sent over this connection unless there is e-mail or data to be transmitted, or the device needs to reestablish its connection with the server. This means that the maximum length of the connection is determined by the lowest network timeout in the path between the device and the server.
With good network coverage, the maximum timeout will be determined by the connection timeout that is enforced by the firewalls that deal with Internet traffic to your Exchange front-end servers. If you keep the timeout very low, then you will force the device to reconnect several times, which will quickly drain its battery. The following illustration shows the recommended firewall settings.
As a best practice, you should adjust the connection timeout of your firewall and any other network appliances in the path to ensure that direct push functionality works efficiently. In order to optimize battery life, we recommend a timeout period of 30 minutes.
For a technical discussion of direct push technology, see Understanding the Direct Push Technology in this document.
Security: Authentication and Certification
Security for communication between the Exchange server and client mobile devices can be increased by using SSL for encryption and server authentication, and by using Web publishing to protect incoming traffic.
The following best practices will help you build a more secure mobile messaging solution.
Best Practice: Use SSL for Encryption and Server Authentication
To protect outgoing and incoming data, deploy SSL to encrypt all traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content and the identity of users, and to encrypt network transmissions. The Exchange server, just like any Web server, requires a valid server certificate to establish SSL communications.
Windows Mobile 5.0-based devices are shipped with trusted root certificates. Check with your device manufacturer for a current list of the certificate authorities that shipped with your device. If you obtain a root certificate from one of the trusted services, your client mobile devices should be ready to establish SSL communications with no further configuration. If you create your own certificates, you must add that certificate to the root store of each mobile device.
Note:
Some server certificates are issued with intermediate authorities in the certification chain. If IIS is not configured to send all certificates in the chain to the mobile device during the SSL handshake, the device will not trust the certificate because the device does not support dynamically retrieving the other certificates.
For more information about obtaining server certificates, see "Obtaining and Installing Server Certificates" in the Exchange Server 2003 Client Access Guide at http://go.microsoft.com/fwlink/?LinkId=62628.
For more information about root certificates for mobile devices, see Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device.
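The note above is the one that bites most often in practice: the front-end server builds the chain it sends from its own Local Computer certificate stores, so an intermediate CA that was never imported there is never sent, and the device cannot fetch it. The following PowerShell script is an added example (not from this guide or from Microsoft) that, run on the Exchange front-end server, locates the server certificate by its common name, builds its chain the way SChannel does, and reports any chain certificate that is absent from the Local Computer Intermediate or Trusted Root stores. The common name webmail.mycompany.com is the guide's own sample value and is an assumption here.

```powershell
# Added example, not from the guide: on the Exchange front-end server, check that every
# certificate in the server certificate's chain is installed in the Local Computer stores.
# IIS builds the chain it sends during the SSL handshake from those stores, and a Windows
# Mobile device cannot fetch a missing intermediate on its own.
param(
    # Assumed: the common name you gave the server certificate (the FQDN devices connect to).
    [string]$CommonName = 'webmail.mycompany.com'
)

$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CommonName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $serverCert) {
    throw "No certificate with a private key for CN=$CommonName in Cert:\LocalMachine\My"
}

# Build the chain offline, as SChannel does, without revocation checks.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($serverCert)

$intermediates = @(Get-ChildItem Cert:\LocalMachine\CA   | ForEach-Object { $_.Thumbprint })
$roots         = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })

$missing = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    if ($cert.Thumbprint -eq $serverCert.Thumbprint) {
        $store = 'Personal (server certificate)'
    } elseif ($cert.Subject -eq $cert.Issuer -and $roots -contains $cert.Thumbprint) {
        $store = 'Trusted Root Certification Authorities'
    } elseif ($intermediates -contains $cert.Thumbprint) {
        $store = 'Intermediate Certification Authorities'
    } else {
        # Found only through a download or a user store; IIS will not send it to the device.
        $store = 'NOT in the Local Computer stores'
        $missing++
    }
    "{0,-40} {1}" -f $store, $cert.Subject
}

# A chain that does not end at a self-signed root cannot be presented completely.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Subject -ne $top.Issuer) {
    Write-Warning 'The chain does not end at a root CA; the device will not trust this certificate.'
}
if ($missing -gt 0) {
    Write-Warning "$missing chain certificate(s) must be imported into Cert:\LocalMachine\CA (or Root) so that IIS sends the full chain."
}
```

Any line reported as NOT in the Local Computer stores is a certificate to import with the Certificates MMC snap-in (Computer account) before pointing a device at the server; importing it into the current user's store is not enough, because IIS does not read that store.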
Best Practice: Determine and Deploy a Device Password Policy
You can now use Exchange Server 2003 SP2 together with Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack to help you configure a central security policy that requires all users with mobile devices that access the Exchange server to protect their device with a password.
Within this central security policy, there are several attributes you can configure, including the length of the password (the default is four characters), the use of characters or symbols in the password, and how long the device can be inactive before it prompts the user for the password again. One of these policies is the wipe device after failed attempts option, which allows you to specify whether you want the device memory wiped after multiple failed logon attempts.
Once you have determined your device security policies, you must deploy them by using Exchange System Manager's Mobile Services Properties. When your users connect their device to the Exchange server, sign in, and accept the security policies, your policies will be sent to the device. The policies will not be enforced until they have been accepted on the device by the user. You can set the interval at which the device security policies will be automatically refreshed on the device.
For more information on setting security policies, see "Configuring Security Settings for Mobile Devices" in Step 6: Configure and Manage Mobile Device Access on the Exchange Server.
Best Practice: Use Web Publishing with Basic Authentication
For many companies the use of Basic Authentication over an encrypted channel (SSL) is an acceptable security requirement. These companies can further secure their mobile deployment by leveraging ISA 2004 or ISA 2006 to Web publish the Exchange Server 2003 front end servers. The benefit with leveraging ISA's Web publishing capabilities is that ISA has built in logic to distinguish well-formed Exchange ActiveSync requests so it can help protect the Exchange front end server from malicious attacks.
As a best practice, Web publishing is easier to implement and provides a higher level of security than server publishing, although larger companies that are planning to use client certificate-based authentication must implement the latter.
Server publishing, also known as tunneling, refers to network/transport-layer protection, whereas Web publishing, also known as bridging, refers to application-layer protection. Web publishing is only possible when SSL is terminated on ISA Server 2004. With server publishing, ISA Server 2004 only sees encrypted traffic, so it cannot perform tasks such as protocol hygiene that require it to analyze the contents; thus, in that mode, ISA Server 2004 only offers protection based on the network/transport layers.
Best Practices for Using Certificate-based Authentication
For certificate-based authentication to work correctly with Exchange ActiveSync, the enterprise firewall must be configured to allow the Exchange front-end server to terminate the SSL connection. For this reason, Web publishing will not work with certificate-based authentication with ISA Server 2004. However, ISA Server 2006 supports Kerberos Constrained Delegation, allowing you to choose either Web Publishing or SSL Bridging from the ISA machine to the Exchange front end server.
An overview of the process for deploying certificate-based authentication is provided in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Microsoft has provided several tools to help an Exchange administrator configure and validate client certificate authentication.
For more information about the Exchange ActiveSync Certificate-based Authentication tool, see the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?LinkId=62656.
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices
This document presents the recommended deployment with ISA Server 2006 as an advanced firewall in a perimeter network. This configuration and other options are described in Network Architecture Alternatives.
For detailed information about additional deployments, see the following appendices in this document:
Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication
Appendix B: Install and Configure an ISA Server 2004 Environment
Deployment Process Overview
The following steps summarize deployment with ISA Server 2006 as an advanced firewall in a perimeter network.
Step 1: Upgrade to Exchange Server 2003 SP2
Step 2: Update All Servers with Security Patches
Step 3: Protect Communications Between the Mobile Devices and Your Exchange Server
Deploy SSL to encrypt messaging traffic
Enable SSL on the Default Web Site
Configure basic authentication for the Exchange ActiveSync virtual directory
Optional: Configure certificate-based authentication (See Appendix A.)
Optional: Update RSA SecurID Agent
Set Up LDAP Servers
Protect IIS by Limiting Potential Attack Surfaces
Step 4: Protect Communications Between the Exchange Server 2003 SP2 Server and Other Servers
Use IPSec to Encrypt IP Traffic (Recommended)
Step 5: Install and Configure ISA Server 2006 or Other Firewall
Install ISA Server 2006 (Recommended)
Install server certificate on the ISA Server computer
Configure ISA Server with your LDAP server set
Create the Exchange ActiveSync Publishing Rule by Using Bridging
Set All Firewall Idle Session Time-out Settings to 30 Minutes
Test OWA and Exchange ActiveSync
Step 6: Configure and Manage Mobile Device Access on the Exchange Server
Enable Exchange ActiveSync for All Users
Enable User Initiated Synchronization
Enable direct push technology
Set Security Policy Settings for Mobile Devices
Monitor Mobile Performance on Exchange Server
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
Step 8: Manage and Configure Mobile Devices
Set up Mobile Connection to Exchange Server
Use the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices
Provision or Configure Mobile Devices
Step 1: Upgrade to Exchange Server 2003 SP2
Exchange Server 2003 SP2 includes Exchange ActiveSync, the synchronization protocol that keeps the Exchange mailbox synchronized on client mobile devices. By default, Exchange ActiveSync is enabled.
Exchange Server 2003 SP2 contains new features that work with the Windows Mobile 5.0 Messaging and Security Feature Pack to help you to improve the deployment, security, and management of mobile devices.
Note:
To use mobile devices with the Windows Mobile 5.0 Messaging and Security Feature Pack, you must upgrade your front-end Exchange server to Exchange Server 2003 SP2. Back-end Mailbox servers can remain at Exchange 2003 RTM or SP1. However, we recommend that you upgrade both front-end and back-end servers to take advantage of the updates in SP2.
How to Upgrade to Exchange Server 2003 SP2
Download the Service Pack 2 for Exchange Server 2003 file from the Microsoft Exchange Server TechCenter Web site.
Follow the directions provided to upgrade your Exchange servers to SP2.
Step 2: Update All Servers with Security Patches
To help you ensure that your mobile messaging network is strong from end to end, take this opportunity to update all of your servers.
After you install Exchange Server 2003 SP2 on your front-end server, update the server software on your other Exchange servers and on any other server that Exchange communicates with, such as your global catalog servers and your domain controllers.
For more information about updating your software with the latest security patches, see the Exchange Server Security Center Web site.
For more information about Microsoft security, see the Microsoft Security Web site.
Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server
To help protect the communications between Windows Mobile-based devices and your Exchange front-end server, follow these steps:
Deploy SSL to encrypt messaging traffic.
Enable SSL on the default Web site.
Configure basic authentication for the Exchange ActiveSync virtual directory.
Note:
If you plan to use certificate authentication instead of basic authentication, refer to Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Note:
If you are using RSA SecurID, you must update the RSA Authentication Agent.
Protect IIS by limiting potential attack surfaces.
See Best Practices for Deploying a Mobile Messaging Solution in this document for more information about authentication and certification.
Deploying SSL to Encrypt Messaging Traffic
To protect incoming and outgoing e-mail, deploy SSL to encrypt messaging traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content, verify the identity of users, and to encrypt network transmissions.
The steps involved in configuring SSL for Exchange ActiveSync are:
1. Obtaining and installing a server certificate
2. Validating installation
3. Backing up the server certificate
4. Enabling SSL for the Exchange ActiveSync virtual directory
Note:
To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type the following command:
runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"
Obtaining and Installing a Server Certificate
After you obtain a server certificate, you will install the server certificate, verify the installation of the server certificate, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.
To obtain a server certificate from a Certificate Authority (CA)
1. Log on to the Exchange server by using an Administrator account.
2. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. Double-click the ServerName to view the Web sites. Right-click Default Web Site, and then click Properties.
4. Click to select the Directory Security tab. The following illustration shows the IIS Manager window and the Directory Security tab. Under Secure Communications, click Server Certificate.
5. In the Welcome Web Server Certificate Wizard dialog box, click Next, click Create a new certificate, and then click Next.
6. Click Prepare the request now, but send it later, and then click Next.
7. In the Name and Security Settings dialog box, type a name for your server certificate (for example, type <Exchange_Server_Name>), click Bit length of 1024, and then click Next. The following illustration shows the Name and Security Settings dialog box.
Note:
Ensure that Select cryptographic service provider is not selected.
8. In the Organization Information dialog box, type a name in the Organization text box (for example, type <Company_Name>) and in the Organizational unit text box (for example, type <IT Department>), and then click Next.
9. In the Your Site's Common Name dialog box, type the fully qualified domain name of your server or cluster for Common name (for example, type <webmail.mycompany.com>), and then click Next. This will be the domain name that your client mobile devices will access.
10. In the Geographical Information dialog box, click Country/region (for example, US), State/province (for example, <State>) and City/locality (for example, <City>), and then click Next.
11. In the Certificate Request Filename dialog box, keep the default of C:\NewKeyRq.txt (where C: is the location your OS is installed), and then click Next.
12. In the Request File Summary dialog box, review the information and then click Next. The following illustration shows an example of a Request File Summary.
13. You should receive a success message when the certificate request is complete. Click Finish.
Next, you must request a server certificate from a valid CA. To do this, you must access the Internet or an intranet, depending on the CA that you choose, by using a properly configured Web browser.
The steps detailed here are for accessing the Web site for your CA. For a production environment, you will probably request a server certificate from a trusted CA over the Internet.
To submit the certificate request
1. Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft CA Web site, http://<server_name>/certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.
2. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded PKCS #10 file, or submit a renewal request by using a base-64 encoded PKCS #7 file.
3. On your local server, navigate to the location of the C:\NewKeyRq.txt file that you saved previously.
4. Double-click to open the C:\NewKeyRq.txt file in Notepad. Select and copy the entire contents of the file.
5. On the CA Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server. The following illustration shows an example of a Submit a Certificate Request page.
6. Click inside the Saved Request box, paste the contents of the file into the box, and then choose Submit. The contents in the Saved Request dialog box should look similar to the following example:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDXzCCAsgCAQAwgYMxLDAqBgNVBAMTI2toYWx!"M#L$%&!G'()*Q+Y2,-.C/t0WN-)1N(!
$Q+Y2,tMREwDwYDVQQLEw2N)2%)G&#3TEMMAoGA'UEC2MDTVRQMRAwDgYDVQQ"Ew4S!WRt)2
/5MRMwEQYDVQQIEwXYXNo0W/$4G,+MQswCQYDVQQGEw%VUzCB$zANBg5q256G,w#BAQEFAA7
B8QAwgY5CgYEAs#sV2U!'WAX2o+9F/S1:9;M1A12t%/q9.<z&6+:SM5.g3)2$t2IMM3F/!MD
2Iq=2W+:,$+'(LtG">/wWg"YTC1?TF0)L!%')NtX>B@BWW7s*SDYg@A<9oC!B:?"%*.#Y2:7
8)Q>5?;:>M;<?A8GEBYGMAz=2D$Ug1xUt,)BECAwEAA0CCA!5wGgY>>wYBBAGCNw#CAzEMFg
o'L8A+M8E/NS:-M"sGC6sGAQQBg8.CAQ:x)TB?MA:GA'U4DwEB@wQEAwIEADBEBg5q256G,w#
BCQAENzA'MA:GCCqGSI)1DQMCAgIAgDA7Bggq256G,w#DBAICAIAwBwYF>w:DAg.wCgYI>o!I
2(.NAw.wEwYDVR#&BAwwCgYI>wYBBQU"AwEwg=#GC6sGAQQBg8.NAgIxg3:wg3sCAQE3WgBNA
G5AYwB-AGAA.wB(AGYA4AAgAFIAUwBBACAAUwBDAGgAYQB+AG:A!QBsACAAQwB-A"5A.AB#AG
AA!wB-AGEA.ABoAG5AYwAgAFAA.gB(A"YA0QB5AGUA.g7B6QC7/g@N59&s+A%!643g'/=0BLq
3:866-tY3VBAxL?tU&-WEQ+W4B3EF(#GW(s8QGw$9WC/*,5VN*.LVsx:'QtGDXt+ETF7D;4S
6@M,w*E-A)s).N"Xs9s$tX/;A.CxBX2'AL0E:Y0E;3@zw*E@#@C*-83102o&E/?&5'FFI&>TD
wAAAAAAAAAAMA#GCSqGSI)1DQEBBQUAA:GBAA?<z8g2-5!oFUYt'9Eg>'#;8RsLx%.oq8#oEg
/</3A&Ug)N'326@L2RW8+<.go,W<+wwBI0Eq4;L%;s'BR!z#-3%TDzGIXB-G/7;5o+59#"9
W"C82-I1#z65A0S-CQ1?Q)N("oURD*Wq(,R'BDC'SNQLEzDg!8>B?sG!AVL)
-----END NEW CERTIFICATE REQUEST-----
7. On the Certificate Issued page, click DER encoded, and then click Download certificate.
8. In the File Download dialog box, click Save this file to disk, and then click OK. Keep the default setting to save the file to the desktop, and click Save.
9. Close Internet Explorer.
At this point, a server certificate exists on your desktop that can be imported into the Exchange server certificate store.
Next, you must install the certificate.
To install the certificate
1. Start Internet Information Service (IIS) Manager and expand <DomainName>.
2. Right-click Default Web Site and then click Properties. In the Properties dialog box, select the Directory Security tab. Under Secure Communication, click Server Certificate.
3. In the Certificate Wizard dialog box, click Next.
4. Select Process the Pending Request and install the certificate. Click Next.
5. Navigate to, or type, the location and file name for the file containing the server certificate, certnew.txt, that is located on the desktop, and then click Next.
6. Select the SSL port that you wish to use. We recommend that you use the default SSL port, which is Port 443.
7. In the Certificate Summary Information dialog box, click Next, and then click Finish.
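The two procedures above (creating the request in the wizard, submitting it through the CA Web pages, and installing the issued certificate) can also be scripted, which makes the request repeatable and keeps the private key out of any browser download. The following PowerShell script is an added example, not part of this guide, that does the same work with certreq.exe, which ships with Windows Server 2003. It assumes an enterprise CA that issues the Web Server template automatically; the CA name, the directory C:\certs and the subject fields are constructed sample values, and the common name webmail.mycompany.com is the guide's own example. It uses a 2048-bit key where the wizard page in the guide shows 1024.

```powershell
# Added example, not from the guide: request, submit and install the server certificate
# with certreq.exe instead of the IIS Web Server Certificate Wizard. Run on the Exchange
# front-end server as an administrator. CA name, paths and subject fields are assumptions.
$commonName = 'webmail.mycompany.com'              # FQDN the mobile devices will connect to
$caConfig   = 'ca01.corp.example\Corp Issuing CA'  # assumed "<CA server>\<CA name>"
$workDir    = 'C:\certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Request parameters equivalent to the wizard pages (name, bit length, organization,
# common name). KeySpec=1 and the SChannel provider give a key IIS can use for SSL.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$commonName, OU=IT Department, O=Company_Name, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path "$workDir\request.inf" -Value $inf -Encoding ASCII

# 1. Create the key pair and the base-64 PKCS #10 request (the same content the guide
#    pastes into the CA Web site's Saved Request box).
certreq.exe -new "$workDir\request.inf" "$workDir\request.req"

# 2. Submit the request to the enterprise CA and save the issued certificate.
certreq.exe -submit -config $caConfig "$workDir\request.req" "$workDir\certnew.cer"

# 3. Install the issued certificate and join it to the pending private key in
#    Cert:\LocalMachine\My.
certreq.exe -accept "$workDir\certnew.cer"

# 4. Confirm the certificate is present with its private key before assigning it to the
#    default Web site (IIS Manager > Directory Security > Server Certificate >
#    Assign an existing certificate).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$commonName*" } |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
```

If HasPrivateKey is False in the final listing, the certificate was imported on a machine other than the one that generated the request, which is the same failure the "Validating Installation" note below describes; repeat the request on the server that will host the site.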
Validating Installation
To verify the installation, you can view the server certificate.
To view the server certificate
1. In the Default Web Site Properties dialog box, click Directory Security. Under Secure Communications, select View Certificate. The following illustration shows the Certificate dialog box.
2. At the bottom of the Certificate dialog box, a message displays indicating that a private key is installed, if appropriate. Click OK to close the Certificate dialog box.
Note:
If the certificate does not show that the device carries the private key that corresponds to the certificate, over the air synchronization will not work.
In order for the authentication to function, you must add the CA to the Trusted Root CA list.
To add a CA to the trusted root CA list
1. Start Internet Explorer and type the URL for your Certificate Authority. For example, if you received your server certificate from the CA that you configured earlier, type http://<server_name>/certsrv.
2. Click Download a CA certificate, certificate chain, or CRL, and then click Download CA certificate on the next page as well. In the File download dialog box, click Save this file to disk, and then click OK.
3. Type a server certificate Name (for example, <certnewca.cer>) and then save the file to the desktop.
4. Navigate to the desktop. Right-click the file that you created in step 3, and then click Install Certificate. In the Certificate Import Wizard dialog box, click Next.
5. Click Place all certificates in the following store, and then click Browse. Select the Trusted Root Certification Authorities folder, and then click OK. The following illustration shows the Select Certificate Store dialog box.
Note:
You may use the Intermediate Certificate Authorities instead of the Trusted Root Certificate Authorities.
6. Click Next. A dialog box that says that the certificate is being added to the trusted certificate store appears; click Yes to this dialog box. Click Finish, and the message import successful displays.
Backing up the Server Certificate
You can use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can use Certificate Manager, which is called Certificates in Microsoft Management Console (MMC), to export and to back up your server certificates.
If you do not have Certificate Manager installed in MMC, you must add Certificate Manager to MMC.
To add Certificate Manager to MMC
1. From the Start menu, click Run.
2. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. In the Add/Remove Snap-in dialog box, click Add.
5. The following illustration shows the Add/Remove Snap-in and Add Standalone Snap-in dialog boxes. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
6. Click Computer Account, and then click Next.
7. Click the Local computer (the computer that this console is running on) option, and then click Finish.
8. Click Close, and then click OK.
With Certificate Manager installed, you can back up your server certificate.
To back up your server certificate
1. Locate the correct certificate store. This store is typically the Local Computer store in Certificate Manager.
Note:
When you have Certificate Manager installed, it points to the correct Local Computer certificate store.
2. In the Personal store, click the server certificate that you want to back up.
3. On the Action menu, point to All tasks, and then click Export.
4. In the Certificate Manager Export Wizard, click Yes, export the private key.
5. Follow the wizard default settings, and type a password for the server certificate backup file when prompted.
Note:
Do not select Delete the private key if export is successful, because this option disables your current server certificate.
6. Complete the wizard to export a backup copy of your server certificate.
After you configure your network to issue server certificates, you must protect your Exchange front-end server and its services by requiring SSL communication to the Exchange front-end server. The following section describes how to enable SSL for your default Web site.
Enabling SSL for the Default Web Site
After you obtain an SSL certificate to use either with your Exchange front-end server on the default Web site or on the Web site where you host the \Exchange, \Exchweb, \Microsoft-Server-ActiveSync, \OMA, \Public, and \RPC virtual directories, you can enable the default Web site to require SSL.
Note:
The \Exchange, \Exchweb, \Microsoft-Server-ActiveSync, \OMA, and \Public virtual directories are installed by default on any Exchange Server 2003 SP2 installation. The \RPC virtual directory for RPC over HTTP communication is installed manually when you configure Exchange Server 2003 SP2 to support RPC over HTTP.
For information about how to set up Exchange Server 2003 to use RPC over HTTP, see Exchange Server 2003 RPC over HTTP Deployment Scenarios.
To require SSL on the default Web site
1. In the Internet Information Services (IIS) Manager, select the Default Web site or the Web site where you are hosting your Exchange Server 2003 services, and then click Properties.
2. On the Directory Security tab, in the Secure Communications box, click Edit.
3. The following illustration shows the Secure Communications dialog box. Click the Require Secure Channel (SSL) check box. Click OK.
4. Depending upon your installation, the Inheritance Overrides dialog box may appear. Select the virtual directories that should inherit the new setting, for example Microsoft-Server-ActiveSync, and then click OK.
5. On the Directory Security tab, click OK.
After you complete this procedure, all virtual directories on the Exchange front-end server that are on the default Web site are configured to use SSL.
"onfiguring 5asic &uthentication
=he 0+chane 2cti*e4ync $eb site supports 44# connections as soon as the ser*er certificate is
bound to the $eb site' ?o&e*er, users still ha*e the option to connect to the 0+chane
2cti*e4ync $eb site by usin a non)secure connection' @ou can re8uire all client $indo&s)
Mobile based de*ices to successfully neotiate an 44# lin/ before connectin to the 0+chane
2cti*e4ync $eb site directories'
$e also recommend that you enforce basic authentication on all ?==P directories that the I42
4er*er ma/es accessible to e+ternal users' In this &ay, you can ta/e ad*antae of the I42 4er*er
feature that enables the relay of basic authentication credentials from the fire&all to the 0+chane
2cti*e4ync $eb site'
'e(uire SS) "onnection to the Exchange &ctiveSync Web Site
Directories
=his pre*ents all non)authenticated communications from reachin the 0+chane 2cti*e4ync
$eb site and sinificantly impro*es the le*el of security'
*ote%
If you plan to use Certificate 2uthentication instead of basic confiuration, you must
deploy 44# by follo&in the instructions for confiurin 44# for 0+chane 2cti*e4ync,
&hich are located in 2ppendi+ 2: 5*er*ie& of 3eployin 0+chane 2cti*e4ync
Certificate)7ased 2uthentication'
@ou can repeat these steps &ith the G0+chane, G0+ch&eb, G5M2, and GPublic directories that are
found in the left pane of the ##S MM" console' =his can be done to re8uire 44# on the fi*e $eb
site directories that you can ma/e accessible to remote users:
G0+chane
4o re(uire an SS) connection to the Exchange &ctiveSync Web site directories
1' Clic/ Start, point to &d$inistrative 4ools and then clic/ #nternet#nfor$ation Service
7##S8 Manager' In #nternet #nfor$ation Services7##S8 Manager, e+pand your ser*er
name and then e+pand the Default Web Site node in the left pane of the console'
2' "iht)clic/ on the Microsoft-Server-&ctiveSync directory so that it is hihlihted, and
then clic/ !roperties'
9' Clic/ Directory Security' In the &uthentication and access control frame, clic/ Edit'
:' =he follo&in illustration sho&s the &uthentication Methods dialo bo+' Clic/ to clear all
chec/ bo+es e+cept for the 5asic authentication -pass&ord is sent in clear te+t. chec/
bo+' Place a chec/ mar/ in the 5asic authentication chec/ bo+'
Note:
On the back-end (mailbox) server, Integrated Windows Authentication must remain enabled for Exchange ActiveSync to work. Disable it only on the front-end Exchange server.
5. Click Yes in the dialog box that warns you that the credentials should be protected by SSL. In the Default domain text box, type your domain name.
6. Click OK.
7. In the Properties dialog box for the directory, click Apply, and then click OK.
8. Repeat steps 2 through 7 for each of the other directories on which you want to require basic authentication. When you have finished, close the Internet Information Services (IIS) Manager console.
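The two IIS Manager procedures above set three metabase properties on each virtual directory (the SSL requirement, the authentication methods, and the default logon domain). The following PowerShell script is an added example, not code from the Microsoft guide: it applies the same settings to all five directories at once through the IIS 6.0 metabase ADSI provider and then reads them back, so you can confirm that nothing still accepts clear-text HTTP or an authentication method other than Basic. It assumes the directories are under the Default Web Site (metabase site ID 1), a logon domain of CORP, and that you also want 128-bit SSL required (the Require 128-bit encryption check box in the same Secure Communications dialog box).

```powershell
# Added example; not part of the Microsoft guide. Requires SSL (128-bit) and Basic-only
# authentication on the five Exchange front-end virtual directories through the IIS 6.0
# metabase ADSI provider, then reads the settings back. Run on the Exchange front-end
# server as a local administrator. Assumptions: Default Web Site = site ID 1,
# default logon domain CORP.

# Metabase flag values (IIS 6.0 metabase property reference)
$AccessSSL    = 8      # AccessSSLFlags: require SSL
$AccessSSL128 = 256    # AccessSSLFlags: require 128-bit encryption
$AuthBasic    = 2      # AuthFlags: Basic authentication
                       # AuthAnonymous = 1, AuthNTLM = 4 (Integrated), AuthMD5 = 16 (Digest)
                       # are deliberately left out of the value written below.

$siteId = 1
$domain = "CORP"       # assumed NetBIOS domain name
$vdirs  = "Microsoft-Server-ActiveSync", "Exchange", "Exchweb", "OMA", "Public"

function Set-FrontEndSecurity {
    foreach ($name in $vdirs) {
        $vdir = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT/$name"
        $vdir.Put("AccessSSLFlags", ($AccessSSL -bor $AccessSSL128))
        $vdir.Put("AuthFlags", $AuthBasic)        # clears Anonymous, Integrated and Digest on this directory
        $vdir.Put("DefaultLogonDomain", $domain)  # the "Default domain" box in the Authentication Methods dialog
        $vdir.SetInfo()
    }
}

# Read-back check: reports any directory that still accepts clear-text HTTP or an
# authentication method other than Basic. Run this function on its own to audit a server.
function Test-FrontEndSecurity {
    foreach ($name in $vdirs) {
        $vdir = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT/$name"
        $ssl  = [int]$vdir.psbase.Properties["AccessSSLFlags"].Value
        $auth = [int]$vdir.psbase.Properties["AuthFlags"].Value
        $sslOk  = (($ssl -band $AccessSSL) -ne 0) -and (($ssl -band $AccessSSL128) -ne 0)
        $authOk = ($auth -eq $AuthBasic)
        "{0,-28} RequireSSL128={1,-5} BasicOnly={2}" -f $name, $sslOk, $authOk
    }
}

Set-FrontEndSecurity
Test-FrontEndSecurity
```

Exchange's DS2MB process synchronizes settings for /Exchange, /Exchweb and /Public from Active Directory into the metabase and can re-apply them; if the read-back later shows those three directories reverting, set their authentication in Exchange System Manager (Protocols, HTTP, Exchange Virtual Server) rather than in IIS Manager. Leave /Microsoft-Server-ActiveSync and /OMA as set here.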
Confirm forms-based authentication is not selected on the Exchange front-end server
Forms-based authentication can be configured on the Exchange front-end server when you are not using ISA Server to publish Exchange Web client access. When ISA Server is used to publish Exchange Web client access, forms-based authentication should be configured only on the ISA Server computer.
Perform the following procedure to confirm that forms-based authentication is not selected on the Exchange front-end server.
To confirm forms-based authentication is not selected on an Exchange front-end server
1. Start Exchange System Manager.
2. If administrative groups are enabled, expand Administrative Groups.
3. Expand Servers, and then expand your front-end server.
4. Expand Protocols, expand HTTP, right-click Exchange Virtual Server, and then click Properties.
5. Click the Settings tab, and clear the Enable Forms Based Authentication check box.
6. Click OK.
7. If you receive a message that states that Internet Information Services (IIS) must be restarted, click OK. To restart IIS, type the following command at a command prompt: iisreset.
Note:
Perform this procedure on every Exchange front-end server in your environment that will be used for Outlook Web Access.
Configure or Update RSA SecurID Agent (Optional)
If you have chosen to deploy RSA SecurID as an additional security layer, you should set up your Exchange server as an Agent Host within the RSA ACE/Server database at this point.
Note:
There have been timing limitations between IIS 6.0 and the RSA ACE Agent. Be sure to update your RSA ACE Agent for better compatibility with IIS 6.0. For more information, see the RSA Security Web site.
Protect IIS by Limiting Potential Attack Surfaces
Before you expose servers to the Internet, we recommend that you protect IIS by turning off all features and services except those that are required.
In Windows Server 2003, IIS features are already disabled by default to ensure that the most secure defaults are in place for your server.
In Microsoft Windows 2000 Server, you can protect IIS by downloading and running the IIS Lockdown Wizard and the UrlScan tool.
Windows Server 2003 SP2 and IIS 6.0
Microsoft Windows Server 2003 has many built-in features that help secure IIS 6.0 servers. To help protect against malicious users and attackers, the default configuration for members of the Windows Server 2003 family does not include IIS. When IIS is installed, it is configured in a highly secure, "locked down" mode that allows only static content. By using the Web Service Extensions feature, you can enable or disable IIS functionality even further, based on the individual needs of your organization.
For more information, see "Reducing the Attack Surface of the Web Server" (IIS 6.0) in the IIS Deployment Guide at http://go.microsoft.com/fwlink/?LinkId=67608.
Using UrlScan
UrlScan version 2.5 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will accept. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from ever reaching the server. UrlScan 2.5 now installs as a stand-alone installation on servers running Microsoft IIS 4.0 and later.
UrlScan 2.5 is not included with IIS 6.0 because IIS 6.0 has built-in features that provide security functionality equal to or better than most of the features of UrlScan 2.5. UrlScan provides some additional functionality, such as verb control, beyond what IIS 6.0 provides. Also, if you have incorporated the UrlScan security tool into your server management practices for IIS and for other Microsoft servers, you may want to use the additional functionality and features of UrlScan 2.5.
To download the UrlScan security tool, visit the UrlScan Security Tool Web site: http://go.microsoft.com/fwlink/?LinkId=62665.
For more information about UrlScan and the functionality it provides beyond IIS 6.0, see "Determining Whether to Use UrlScan 2.5 with IIS 6.0" on the UrlScan Security Tool Web site.
UrlScan must be correctly configured for use with Exchange Server 2003 SP2; an overly strict configuration blocks the HTTP verbs and URL forms that Outlook Web Access and Exchange ActiveSync depend on. For full details about how to configure UrlScan for use with Exchange Server 2003 SP2, see "Fine-tuning and known issues when you use the UrlScan tool in an Exchange Server 2003 SP2 environment" at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=62666.
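The verb control the text mentions is the part of UrlScan that most often breaks Exchange when it is left at the defaults. The following urlscan.ini fragment is an added illustration, not configuration from the Microsoft guide or the article it links: it shows an allow list built around what Exchange ActiveSync (OPTIONS and POST) and Outlook Web Access (the WebDAV verbs) send, and the two options that mailbox URLs need. Treat the verb list as illustrative and reconcile it with the Microsoft article linked above before you deploy it.

```ini
; Added example; not part of the Microsoft guide. urlscan.ini fragment for an Exchange
; 2003 SP2 front-end: verb allow list plus the options that mailbox URLs require.
; Verify the verb list against the Microsoft article linked above before use.
[Options]
; Only verbs listed under [AllowVerbs] are accepted; everything else is rejected.
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; /exchange/first.last/Inbox puts a dot in the path; UrlScan rejects that by default.
AllowDotInPath=1
; Folder and mailbox names in non-English deployments contain high-bit characters.
AllowHighBitCharacters=1
RemoveServerHeader=1
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
LoggingDirectory=Logs

[AllowVerbs]
; Exchange ActiveSync (OPTIONS then POST) and plain browsing
GET
HEAD
POST
OPTIONS
; Outlook Web Access (WebDAV)
PROPFIND
PROPPATCH
BPROPFIND
BPROPPATCH
MKCOL
DELETE
BDELETE
COPY
BCOPY
MOVE
BMOVE
SEARCH
SUBSCRIBE
UNSUBSCRIBE
POLL
LOCK
UNLOCK
PUT
X-MS-ENUMATTS

[DenyExtensions]
; Neither Exchange ActiveSync nor OWA serves content with these extensions.
.exe
.bat
.cmd
.com
.ida
.idq
.htr
.printer
.ini
.log
.pol
.dat
```

After changing urlscan.ini, restart IIS (iisreset) and watch the UrlScan log in the Logs directory while a device synchronizes and a user signs in to OWA: every rejected request is logged with the rule that rejected it, which is the fastest way to find a verb or URL form that the list above still blocks in your environment.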
Windows 2000 Server
If you are using Windows 2000 Server, you should download the IIS Lockdown Wizard to help you disable the IIS features and services that are unnecessary for your environment. To provide multiple layers of protection against attackers, the IIS Lockdown Wizard also contains an earlier version of the UrlScan security tool, which functions in a way very similar to the UrlScan 2.5 tool discussed earlier.
The IIS Lockdown Wizard contains a configuration template for Exchange that turns off unwanted features and services. To use this configuration template, run the IIS Lockdown Wizard, select the Exchange template, and then change or accept the default configuration options. Additional templates are provided as part of the lockdown tool as well.
For more information about how to install and use the IIS Lockdown Wizard, see How to install and use the IIS Lockdown Wizard.
To download the IIS Lockdown Tool (version 2.1), visit "IIS Lockdown Tool (version 2.1)" at the Windows 2000 Web site.
Note:
To help maximize the security of your Exchange servers, apply all the required updates both before and after you apply the IIS Lockdown Wizard. The updates help the servers remain protected against known security vulnerabilities.
See Also
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices
Step 5: Protect Communications Between the Exchange Server and Other Servers
After you enable the security features that help secure the communications between your client Windows Mobile-based devices and the Exchange front-end server, you must also protect the communications between the Exchange front-end server and the back-end servers. We recommend that you use Internet Protocol security (IPSec) to encrypt IP traffic.
HTTP, IMAP, and POP communications between the front-end server and any server with which the front-end server communicates (such as back-end servers, domain controllers, and global catalog servers) are not encrypted. When the front-end and back-end servers are in a trusted physical or switched network, the absence of encryption is less of a concern. However, if front-end and back-end servers are kept in separate subnets, network traffic may pass over unsecured areas of the network. The security risk increases with the physical distance between the front-end servers and the back-end servers. In such cases, we recommend that this traffic be encrypted to protect passwords and data. Note that the front-end server forwards the client's basic authentication credentials to the back-end server, so an unencrypted front-end to back-end link exposes those credentials in clear text.
Using IPSec to Encrypt IP Traffic
Windows 2000 and Windows Server 2003 both support IPSec, an Internet standard that allows a server to encrypt all IP traffic except traffic that uses broadcast or multicast IP addresses. Generally, IPSec is used to encrypt HTTP traffic; however, you can also use IPSec to encrypt IMAP, Lightweight Directory Access Protocol (LDAP), POP, and RPC traffic. With IPSec, you can:
- Configure two servers that are running Windows 2000 or Windows Server 2003 to require trusted network access.
- Use a cryptographic checksum on every packet to transfer data that is protected from modification.
- Encrypt, at the IP layer, any traffic between the two servers.
In a front-end and back-end topology, you can use IPSec to encrypt traffic between the front-end and back-end servers that otherwise would not be encrypted.
For more information about configuring IPSec through a firewall, see How to Enable IPSec Traffic.
For more information about using IPSec to protect communications, visit the IPSec Information Center.
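The section above recommends IPSec but does not show a policy. The following script is an added example, not from the Microsoft guide: it builds a Windows Server 2003 IPSec policy with netsh that requires ESP between one front-end server and one back-end server for the HTTP, IMAP, and POP ports the text names, with no clear-text fallback, and then shows the commands that confirm the policy is assigned and security associations are being built. The addresses 10.0.1.10 (front-end) and 10.0.2.20 (back-end) are assumptions, as is Kerberos authentication of the peers, which requires both servers to be domain members. Run the same script on both servers.

```powershell
# Added example; not part of the Microsoft guide. Builds an IPSec policy with netsh
# (Windows Server 2003) that requires ESP between a front-end and a back-end Exchange
# server for TCP 80 (HTTP), 143 (IMAP) and 110 (POP3). Run on both servers, back-end
# first. Assumptions: front-end 10.0.1.10, back-end 10.0.2.20, both domain members.
# Object names contain no spaces so that PowerShell passes them to netsh unquoted.
$frontEnd   = "10.0.1.10"
$backEnd    = "10.0.2.20"
$policy     = "Exchange-FE-BE"
$filterList = "FE-BE-ports"
$action     = "Require-ESP"

netsh ipsec static add policy name=$policy description=Encrypt-front-end-to-back-end-Exchange-traffic
netsh ipsec static add filterlist name=$filterList

# One mirrored filter per port. The mirror covers the reply direction, so the same
# filter list is correct on both servers.
foreach ($port in 80, 143, 110) {
    netsh ipsec static add filter filterlist=$filterList srcaddr=$frontEnd dstaddr=$backEnd protocol=TCP srcport=0 dstport=$port mirrored=yes
}

# Negotiate ESP with no clear-text fallback: inpass=no refuses unsecured inbound
# packets that match the filters, soft=no forbids falling back to clear text when
# the peer does not respond to IKE.
netsh ipsec static add filteraction name=$action action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

netsh ipsec static add rule name=FE-BE-rule policy=$policy filterlist=$filterList filteraction=$action kerberos=yes
netsh ipsec static set policy name=$policy assign=y

# Checks: the policy is listed as assigned, and after the first front-end request
# to the back-end a quick mode SA appears for each port that has been used.
netsh ipsec static show policy name=$policy
netsh ipsec dynamic show qmsa all
```

Assign the policy on the back-end server first: as soon as it is assigned on the front-end, clear-text connections to the back-end on those ports are refused, so a front-end that is protected before its back-end stops serving clients. The filters above cover only the front-end to back-end ports; LDAP and RPC traffic to domain controllers and global catalog servers, which the text also mentions, needs its own filter list and must not be added until you have confirmed that Kerberos authentication of the IPSec peers still has a clear path to a domain controller.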
See Also
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices
Step 6: Install and Configure ISA Server 2006 or Other Firewall
Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft Exchange Server 2003 are designed to work closely together in your network to provide a secure messaging environment.
This section discusses the steps for deploying Exchange Server 2003 SP2 mobile messaging in the recommended ISA Server 2006 environment. You can use this information to determine what to do if you are deploying another firewall.
Note:
If you are using ISA Server 2004, follow the instructions in Appendix B: Install and Configure an ISA Server 2004 Environment.
Note:
This document does not cover Exchange Server 2007. Because there are significant changes from Exchange 2003 to Exchange 2007, Exchange 2007 is discussed in a separate document.
During this part of the process, you will:
- Install ISA Server 2006
- Install a server certificate on the ISA Server computer
- Update public DNS
- Create the Exchange ActiveSync publishing rule using Web publishing, with a Web listener on port 443
- Configure ISA Server with your LDAP server set
- Set the idle session timeout on all firewalls and proxy servers to 1800 seconds (30 minutes)
  Note: Increasing the timeout values maximizes the performance of the direct push technology and optimizes device battery life.
- Test OWA and Exchange ActiveSync
Refer to Network Architecture Alternatives and Best Practices for Deploying a Mobile Messaging Solution for background about network architecture and SSL setup.
Install ISA Server 2006
We recommend that you configure ISA Server 2006 in a perimeter network in workgroup mode.
To install ISA Server 2006
1. Install and configure Microsoft Windows Server 2003 on the firewall computer.
2. Go to Microsoft Update, and then install all critical security hotfixes and service packs for Windows Server 2003.
3. Place the computer in the perimeter network and leave it in workgroup mode; do not join it to the internal domain.
4. Install ISA Server 2006.
5. Export the OWA SSL certificate from the Exchange front-end OWA server to a file.
Install a Server Certificate on the ISA Server Computer
To enable a secure connection between the client computer and the ISA Server computer, you need to install a server certificate on the ISA Server computer. This certificate should be issued by a public certification authority (CA) because it will be accessed by users on the Internet. If a private CA is used, the root CA certificate from the private CA will need to be installed on any computer or device that will need to create a secure connection (an HTTPS connection) to the ISA Server computer.
In most cases, the ISA Server computer does not have IIS installed. The following procedures therefore request the certificate on a computer that does have IIS installed (for example, the Exchange front-end server), export it to a file, and then import it on the ISA Server computer.
In this section, you will:
- Request and install a server certificate from a public CA
- Export the server certificate to a file
- Import the server certificate on the ISA Server computer
Request and Install a Server Certificate From a Public CA
Perform the following procedure to request and install a server certificate on a computer with IIS installed.
To request and install a server certificate from a public CA
1. In IIS, create a new Web site that points to a new, empty directory, as described in steps 2 through 8.
2. In IIS Manager, expand the local computer, right-click the Web Sites folder, click New, and then click Web Site to start the Web Site Creation Wizard.
3. Click Next on the Welcome page.
4. Type a name for the Web site in the Description field. For example, type ISA Cert Site, and click Next.
5. Accept the default settings on the IP Address and Port Settings page.
6. Enter a path for the Web site on the Web Site Home Directory page. For example, enter c:\temp.
7. Accept the default settings on the Web Site Access Permissions page and click Next.
8. Click Finish to complete the Web Site Creation Wizard.
Important:
By default, the new Web site is stopped. Leave this Web site in the stopped state. There is no reason to start this Web site.
Note:
For more information about creating a new Web site, see the IIS product documentation.
9. Follow the steps provided by the public CA to create and install a server certificate using the Web site you created in step 1.
Important:
The important information in the certificate is the common name or FQDN. Enter the FQDN that users on the Internet will use to connect to the Exchange Outlook Web Access site. For example, enter mail.contoso.com.
Note:
Confirm that the private key for the certificate that you will install is exportable.
Export the Server Certificate to a File
After the certificate is installed on the Web site that you just created, you will export the certificate to a file. You will then copy this file to the ISA Server computer and import it there.
Perform the following procedure to export the server certificate that you just installed.
To export the server certificate to a .pfx file
1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.
2. Right-click the Web site on which the certificate is installed (the site you created in the previous procedure, or, if the certificate was installed for the Exchange front-end services, the Default Web Site), and click Properties.
3. On the Directory Security tab, under Secure communications, click Server Certificate to start the Web Server Certificate Wizard.
4. Click Next on the Welcome page.
5. Select Export the current certificate to a .pfx file on the Modify the Current Certificate Assignment page.
6. Type the path and file name on the Export Certificate page. For example, type c:\certificates\mail_isa.pfx, and then click Next.
7. Enter a password for the .pfx file. This password will be requested when the .pfx file is imported. Use a strong password, because the .pfx file also contains the private key.
Important:
Transfer the .pfx file to the ISA Server computer in a secure fashion, because it contains the private key for the certificate to be installed on the ISA Server computer.
Import the Server Certificate on the ISA Server Computer
Perform the following procedure on the ISA Server computer to import the server certificate into the local computer store.
To import a server certificate on the ISA Server computer
1. Copy the .pfx file created in the previous section to the ISA Server computer in a secure fashion. Delete the copies of the file when the import is complete.
2. Click Start, and then click Run. In Open, type MMC, and then click OK.
3. Click File, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.
4. Select Certificates, click Add, select Computer account, and then click Next.
5. Select Local Computer, and then click Finish. In the Add Standalone Snap-in dialog box, click Close, and in the Add/Remove Snap-in dialog box, click OK.
6. Expand the Certificates node, and right-click the Personal folder.
7. Select All Tasks, and then click Import. This starts the Certificate Import Wizard.
8. On the Welcome page, click Next.
9. On the File to Import page, browse to the file that you created previously and copied to the ISA Server computer, and then click Next.
10. On the Password page, type the password for this file, and then click Next.
Note:
The Password page provides the option Mark this key as exportable. To prevent the key from being exported from the ISA Server computer later, leave this option cleared.
11. On the Certificate Store page, verify that Place all certificates in the following store is selected and Certificate Store is set to Personal (the default setting), and then click Next.
12. On the wizard completion page, click Finish.
13. Verify that the server certificate was properly installed. Click Certificates, and double-click the new server certificate. On the General tab, there should be a note that shows you have a private key that corresponds to this certificate. On the Certification Path tab, you should see the hierarchical relationship between your certificate and the CA, and the certificate status This certificate is OK.
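The export and import procedures above go through two wizards. The following PowerShell script is an added example, not code from the Microsoft guide: it performs the export on the front-end server and the import on the ISA Server computer through the .NET X509 classes, imports the key as non-exportable (the equivalent of leaving Mark this key as exportable cleared), and runs the same checks as step 13 (private key present, chain builds to a trusted root) plus a check that the certificate name matches the public name. It assumes PowerShell 2.0 or later, a certificate common name of mail.contoso.com, and the file path C:\certificates\mail_isa.pfx.

```powershell
# Added example; not part of the Microsoft guide. Exports the OWA server certificate
# with its private key to a password-protected .pfx on the front-end server, or imports
# it on the ISA Server computer into the local machine Personal store with a
# non-exportable key and verifies it. Assumptions: PowerShell 2.0 or later, common name
# mail.contoso.com, file C:\certificates\mail_isa.pfx. Set $mode to "export" on the
# front-end server and to "import" on the ISA Server computer.
$mode       = "export"
$publicName = "mail.contoso.com"
$pfxPath    = "C:\certificates\mail_isa.pfx"

function Export-ServerCertificate([string]$commonName, [string]$path, [string]$password) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cert = $store.Certificates |
        Where-Object { $_.HasPrivateKey -and $_.GetNameInfo($nameType, $false) -eq $commonName } |
        Select-Object -First 1
    $store.Close()
    if ($cert -eq $null) { throw "No certificate with a private key for $commonName in LocalMachine\My" }
    # Export fails with "Key not valid for use in specified state" when the private key
    # was not marked exportable at request time (see the note in the request procedure).
    $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
    [System.IO.File]::WriteAllBytes($path, $pfx)
    return $cert.Thumbprint
}

function Import-ServerCertificate([string]$path, [string]$password) {
    # MachineKeySet: the key is stored under the machine, where the Microsoft Firewall
    # service can use it. PersistKeySet: the key survives the import. Exportable is
    # deliberately not set, the same as leaving "Mark this key as exportable" cleared.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, PersistKeySet"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path, $password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadWrite")
    $store.Add($cert)
    $store.Close()
    return $cert
}

function Test-ServerCertificate($cert, [string]$commonName) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)   # $false when the root is untrusted or the chain is expired or revoked
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    "Private key present : $($cert.HasPrivateKey)"
    "Chain builds        : $chainOk"
    foreach ($status in $chain.ChainStatus) { "  chain problem: $($status.StatusInformation.Trim())" }
    "Name matches        : $($dnsName -eq $commonName) ($dnsName)"
    "Valid until         : $($cert.NotAfter)"
}

$password = Read-Host "Password for $pfxPath"
if ($mode -eq "export") {
    "Exported thumbprint $(Export-ServerCertificate $publicName $pfxPath $password) to $pfxPath"
} else {
    $imported = Import-ServerCertificate $pfxPath $password
    Test-ServerCertificate $imported $publicName
}
```

If the chain check fails on the ISA Server computer while the same certificate verified on the front-end server, the ISA Server computer is missing the issuing CA's root or intermediate certificate; that is the situation the private-CA note earlier in this section describes, and it must be fixed before the Web listener will present the certificate correctly.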
Update Public DNS
Create a new DNS host record on your domain's public DNS servers. Users will initiate a connection using the name of the Web site. This name needs to match the common name or FQDN used in the certificate installed on the ISA Server computer. For example, a user might browse to https://mail.contoso.com/exchange. In this case, the following conditions need to be met for the user to successfully initiate a connection:
- The FQDN used in the server certificate installed on the ISA Server computer needs to be mail.contoso.com.
- The user needs to resolve mail.contoso.com to an IP address.
- The IP address that mail.contoso.com resolves to needs to be configured on the External network of the ISA Server computer.
Note:
For ISA Server Enterprise Edition, if you are working with an NLB-enabled array, the IP address should be a virtual IP address configured for the array. For more information about NLB, see ISA Server product Help.
Create the Exchange ActiveSync Publishing Rule
Now that the Exchange front-end server and the ISA Server computer have been properly configured and have the proper server certificates installed, you can start the procedures to publish the Exchange front-end server. Using the Exchange Publishing Wizard, you can provide secure access to your Exchange front-end server.
The following procedures are used to publish your Exchange front-end server:
- Create a server farm (optional)
- Create a Web listener
- Create an Exchange Web client access publishing rule
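The three DNS conditions above, and the certificate and authentication settings that the following procedures configure, are all visible from the Internet side. The following script is an added example, not code from the Microsoft guide, to run from a computer outside the perimeter once the publishing rule exists: it resolves the public name and compares it with the listener address, opens a TLS connection to port 443 and checks the certificate the listener presents, and then sends an unauthenticated request to the published Exchange ActiveSync path and reports how ISA Server challenges it. The public name mail.contoso.com, the external address 203.0.113.10, and PowerShell 2.0 or later are assumptions.

```powershell
# Added example; not part of the Microsoft guide. External check of a published
# Exchange ActiveSync site: public DNS, listener certificate, and the authentication
# challenge on /Microsoft-Server-ActiveSync. Run from a computer on the Internet side.
# Assumptions: PowerShell 2.0 or later, public name mail.contoso.com, external
# listener address 203.0.113.10.
$publicName = "mail.contoso.com"
$listenerIp = "203.0.113.10"

function Test-PublicDns([string]$name, [string]$expectedIp) {
    $addresses = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.ToString() }
    return ($addresses -contains $expectedIp)
}

function Get-ListenerCertificate([string]$name) {
    $client = New-Object System.Net.Sockets.TcpClient($name, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        # Validates the chain and the host name with the Windows defaults; an untrusted
        # private CA or a name mismatch surfaces here as an AuthenticationException.
        $ssl.AuthenticateAsClient($name)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

function Get-ActiveSyncChallenge([string]$name) {
    $request = [System.Net.HttpWebRequest]::Create("https://$name/Microsoft-Server-ActiveSync")
    $request.Method = "OPTIONS"          # the first request a Windows Mobile device sends
    $request.AllowAutoRedirect = $false  # a redirect to the logon form must be visible, not followed
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 401 and other error statuses arrive as a WebException that carries the response
        if ($_.Exception.Response -eq $null) { throw }
        $response = $_.Exception.Response
    }
    $result = @{ Status = [int]$response.StatusCode; Challenge = $response.Headers["WWW-Authenticate"] }
    $response.Close()
    return $result
}

"DNS: $publicName -> $listenerIp : " + (Test-PublicDns $publicName $listenerIp)
$cert = Get-ListenerCertificate $publicName
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
"Listener certificate: $dnsName (matches public name: $($dnsName -eq $publicName)), expires $($cert.NotAfter)"
$eas = Get-ActiveSyncChallenge $publicName
"ActiveSync: HTTP $($eas.Status), WWW-Authenticate: $($eas.Challenge)"
```

The expected result is DNS True, a certificate name that matches the public name, and HTTP 401 with a Basic challenge, which is how the Exchange publishing rule treats the ActiveSync path on a listener that uses forms-based authentication. A redirect (302) to the logon form means the path is being handled as an Outlook Web Access request rather than an Exchange ActiveSync request; a 200 means the directory answered without any credentials, which is worth investigating before devices are allowed to connect.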
Create a Server Farm (optional)
When you have more than one Exchange front-end server, you can use ISA Server to provide load balancing for these servers. This enables you to publish the Web site once, instead of having to run the wizard multiple times. It also eliminates the need for a third-party product to load balance a Web site. If one of the servers is unavailable, ISA Server detects that the server is not available and directs users to servers that are working. ISA Server verifies at regular intervals that the servers that are members of the server farm are functioning. The server farm properties determine the following:
- Servers included in the farm
- Connectivity verification method that ISA Server will use to verify that the servers are functioning
Perform the following procedure to create a server farm.
To create a server farm
1. In the console tree of ISA Server Management, click Firewall Policy:
   - For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
   - For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
2. On the Toolbox tab, click Network Objects, click New, and select Server Farm. Use the wizard to create the server farm as outlined in the following table.
Page: Welcome
    Server farm name: Type a name for the server farm. For example, type Exchange front end servers.
Page: Servers
    Servers included in this farm: Select Add and enter either the IP addresses or names of your Exchange front-end servers.
Page: Server Farm Connectivity Monitoring
    Method used to monitor server farm connectivity: Select Send an HTTP/HTTPS GET request.
Page: Completing the New Server Farm Wizard
    Review the selected settings, and click Back to make changes or Finish to complete the wizard.
3. When the wizard completes, click Yes in the Enable HTTP Connectivity Verification dialog box.
4. Click the Apply button in the details pane to save the changes and update the configuration.
For more information about connectivity verifiers, see ISA Server product Help.
Create a Web Listener
When you create a Web publishing rule, you must specify a Web listener to be used. The Web listener properties determine the following:
- IP addresses and ports on the specified networks that the ISA Server computer uses to listen for Web requests (HTTP or HTTPS).
- Server certificates to use with IP addresses.
- Authentication method to use.
- Number of concurrent connections that are allowed.
- Single sign on (SSO) settings.
Collect the following information, which you will use in the New Web Listener Wizard.
Property: Web listener name
    Name: ________________________
Property: Client connection security
    HTTPS or HTTP (circle one)
    Note the following:
    - If HTTP is selected, information between the ISA Server computer and the client will be transferred in plaintext.
    - If HTTPS is selected, a server certificate needs to be installed on the ISA Server computer.
Property: Web listener IP address
    Network: ___________________
    Optional. Specific IP address: ___.___.___.___
    Note: If this specific IP address is not the primary network adapter IP address, a secondary IP address needs to be configured on the ISA Server computer before creating the Web listener.
Property: Authentication settings
    Web listener SSL certificate
    Note: This is only required if HTTPS has been selected for client connection security.
    ___ Use a single certificate for this Web listener.
        Certificate issued to: _______________________
    ___ Assign a certificate for each IP address. (This option will only be available if a specific IP address has been assigned to the Web listener.)
        Certificate issued to: _______________________
    Authentication
    For forms-based authentication, you have several options for authenticating your users to ISA Server. For more information about authentication, see Authentication for Mobile Devices on the Corporate Network in Security Considerations within the Corporate Network.
Property: Single sign on settings
    ___ Enable single sign on.
    Single sign on domain name: ___________________________
Create a Web listener with the information on the worksheet that you filled in previously, by performing the following procedure.
To create a Web listener
1. In the console tree of ISA Server Management, click Firewall Policy:
   - For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
   - For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
2. On the Toolbox tab, click Network Objects, click New, and then select Web Listener. Use the wizard to create the Web listener as outlined in the following table.
Page: Welcome
    Web listener name: Type a name for the Web listener. For example, type Exchange FBA.
Page: Client Connection Security
    Select what type of connections this Web Listener will establish with clients: Select Require SSL secured connections with clients.
Page: Web Listener IP Addresses
    Listen for incoming Web requests on these networks: Select the External network.
    ISA Server will compress content sent to clients: Leave the check box selected (default).
    Click Select IP Addresses.
Page: External Network Listener IP Selection
    Listen for requests on: Select Specified IP addresses on the ISA Server computer in the selected network.
    Available IP Addresses: Select the correct IP address and click Add.
    Note: For ISA Server Enterprise Edition with an NLB-enabled array, select a virtual IP address.
Page: Listener SSL Certificates
    Select a certificate for each IP address, or specify a single certificate for this Web listener: Select Assign a certificate for each IP address. Select the IP address you just selected and click Select Certificate.
Page: Select Certificate
    Select a certificate from the list of available certificates: Select the certificate that you just installed on the ISA Server computer. For example, select mail.contoso.com, and click Select. The certificate must be installed before you run the wizard.
Page: Authentication Settings
    Select how clients will provide credentials to ISA Server: Select HTML Form Authentication for forms-based authentication.
    Select how ISA Server will validate client credentials: Select the method that ISA Server will use to validate the client's credentials. For example, select LDAP Authentication if you are installing in workgroup mode. Select Windows (Active Directory) if your ISA Server computer is a domain member.
Page: Single Sign On Settings
    Enable SSO for Web sites published with this Web listener: Leave the default setting to enable SSO.
    SSO domain name: To enable SSO between two published sites, for example portal.contoso.com and mail.contoso.com, type .contoso.com.
Page: Completing the New Web Listener Wizard
    Review the selected settings, and click Back to make changes or Finish to complete the wizard.
Create an Exchange Web Client Access Publishing Rule
When you publish an internal Exchange front-end server through ISA Server 2006, you protect the Web server from direct external access because the name and IP address of the server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange Web client access.
Collect the following information, which you will use in the New Exchange Publishing Rule Wizard.
Property: Exchange publishing rule name
    Name: ________________________
Property: Services
    Note: You can publish all services in a single rule using the same Web listener configured with forms-based authentication. ISA Server 2006 will use Basic authentication for services that do not support forms-based authentication.
    Exchange version: ____________
    __ Outlook Web Access
    __ Outlook RPC over HTTP
    __ Outlook Mobile Access
    _X_ Exchange ActiveSync
Property: Publishing type
    __ Publish a single Web site
    or
    __ Publish a server farm of load balanced servers, and Server farm name: _____________
Property: Server connection security
    HTTPS or HTTP (circle one)
    Note the following:
    - If HTTP is selected, information between the ISA Server computer and the Web server will be transferred in plaintext.
    - If HTTPS is selected, a server certificate needs to be installed on the Exchange front-end server.
Property: Internal publishing details
    Internal site name (FQDN): ______________________
    If the FQDN is not resolvable by the ISA Server computer, Computer name or IP address: _____________________
Property: Public name details
    Accept requests for:
    __ This domain name: ______________
    or
    __ Any domain name
Property: Select Web listener
    Web listener: ________________
Property: User set
    List user sets that will have access to this rule:
    _________________
    __________________
Use the information on the worksheet that you filled in previously and perform the following procedure to create an Exchange Web client access publishing rule.
To create an Exchange Web client access publishing rule
1. In the console tree of ISA Server Management, click Firewall Policy:
   - For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
   - For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
2. On the Tasks tab, click Publish Exchange Web Client Access. Use the wizard to create the rule as outlined in the following tables.
For a single Web server, use the table in New Exchange Publishing Rule Wizard for a Single Web Site.
If you are using a server farm, use the table in New Exchange Server Publishing Rule Wizard for a Server Farm.
New Exchange Publishing Rule Wizard for a Single Web Site

| Page | Field or property | Setting |
|---|---|---|
| Welcome | Exchange Publishing rule name | Type a name for the rule. For example, type Exchange Web Client Publishing. |
| Select Services | Exchange version | Select the proper version of Exchange. For example, select Exchange Server 2003. |
| Select Services | Web client mail services | Select the desired access methods. |
| Publishing Type | Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites | Select Publish a single Web site or load balancer. |
| Server Connection Security | Choose the type of connections ISA Server will establish with the published Web server or server farm | Select Use SSL to connect to the published Web server or server farm. Note: A server certificate must be installed on the published Exchange front-end server, and the root CA certificate of the CA that issued the server certificate on the Exchange front-end server must be installed on the ISA Server computer. |
| Internal Publishing Details | Internal site name | Type the internal FQDN of the Exchange front-end server. For example, type exchfe.corp.contoso.com. Important: The internal site name must match the name of the server certificate that is installed on the internal Exchange front-end server. Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer. |
| Public Name Details | Accept requests for | This domain name (type below) |
| Public Name Details | Public name | Type the domain name that you want ISA Server to accept the connection for. For example, type mail.contoso.com. |
| Select Web Listener | Web listener | Select the Web listener you created previously. For example, select Exchange FBA. |
| Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication. |
| User Sets | This rule applies to requests from the following user sets | Select the user set approved to access this rule. |
| Completing the New Exchange Publishing Wizard | Completing the New Exchange Publishing Rule Wizard | Review the selected settings, and click Back to make changes and Finish to complete the wizard. |

1. Click the Apply button in the details pane to save the changes and update the configuration.
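The Important note on the Internal Publishing Details page is the setting that most often breaks an SSL bridge: ISA Server compares the internal site name it was given with the names on the front-end server's certificate, and a mismatch surfaces only as a failed connection at test time. The following Python script is an added example and is not part of the guide or of ISA Server; it applies the usual certificate name-matching rules to a certificate description in the format Python's ssl module returns, so the check can be run on constructed data before the rule is applied. SAMPLE_CERT, fetch_peer_cert and the contoso host names are constructed for the illustration.

```python
"""Check that an ISA "internal site name" is covered by the published server's certificate.

Added example (not part of the guide): the wizard's Important note says the internal
site name must match the name on the certificate installed on the Exchange front-end
server.  The matching below follows the usual rules browsers apply (SAN names first,
subject CN only as a fallback, wildcard only as the whole left-most label).
"""
import socket
import ssl
from typing import List

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output, using the
# guide's example names.  A real certificate would come from fetch_peer_cert().
SAMPLE_CERT = {
    "subject": ((("commonName", "exchfe.corp.contoso.com"),),),
    "subjectAltName": (("DNS", "exchfe.corp.contoso.com"), ("DNS", "mail.contoso.com")),
}


def cert_names(cert: dict) -> List[str]:
    """Return the DNS names the certificate asserts: the subjectAltName dNSName
    entries, or the subject commonName only when no SAN entry is present."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive comparison; '*' is honoured only as the entire left-most
    label, so '*.corp.contoso.com' covers exchfe.corp.contoso.com but neither
    a.b.corp.contoso.com nor corp.contoso.com itself."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def internal_site_name_ok(cert: dict, internal_site_name: str) -> bool:
    """True when the name typed on the Internal Publishing Details page is covered by
    the certificate.  An IP address typed there never matches a DNS name, which is
    why the wizard's Note offers a separate 'computer name or IP address' setting."""
    return any(name_matches(name, internal_site_name) for name in cert_names(cert))


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live variant (not used by the offline check): fetch the certificate the
    front-end server presents.  Chain verification stays on, which assumes the
    issuing root CA is trusted on this machine, exactly as the wizard's Note
    requires for the ISA Server computer; only the host-name check is skipped,
    because that is what this script evaluates itself."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("exchfe.corp.contoso.com", "exchfe", "10.0.0.5"):
        print(f"{name:28s} -> {'OK' if internal_site_name_ok(SAMPLE_CERT, name) else 'MISMATCH'}")
```

Run it against a real front-end server by replacing SAMPLE_CERT with `fetch_peer_cert("exchfe.corp.contoso.com")` once the root CA is trusted on the machine running the script; a MISMATCH result before the rule is applied saves a round of troubleshooting after it.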
New Exchange Server Publishing Rule Wizard for a Server Farm

| Page | Field or property | Setting |
|---|---|---|
| Welcome | Exchange Publishing rule name | Type Exchange Web client Publishing. |
| Select Services | Exchange version | Select the proper version of Exchange server. For example, select Exchange Server 2003. |
| Select Services | Web client mail services | Select the desired access methods. |
| Publishing Type | Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites | Select Publish a server farm of load balanced Web servers. |
| Server Connection Security | Choose the type of connections ISA Server will establish with the published Web server or server farm | Select Use SSL to connect to the published Web server or server farm. Note: A server certificate must be installed on the published Exchange front-end servers, and the root CA certificate must be installed on the ISA Server computer. |
| Internal Publishing Details | Internal site name | Type exchfe.corp.contoso.com. |
| Specify Server Farm | Select the Exchange server farm you want to publish | Select the name of the server farm previously created. For example, select Exchange front end servers. |
| Public Name Details | Accept requests for | This domain name (type below) |
| Public Name Details | Public name | Type mail.contoso.com. |
| Select Web Listener | Web listener | Select Exchange FBA. |
| Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication. |
| User Sets | This rule applies to requests from the following user sets | Select the user set approved to access this rule. |
| Completing the New Exchange Publishing Rule Wizard | Completing the New Exchange Publishing Rule Wizard | Review the selected settings, and click Back to make changes and Finish to complete the wizard. |

4. Click the Apply button in the details pane to save the changes and update the configuration.
Configure ISA Server 2006 for LDAP Authentication
LDAP authentication is similar to Active Directory authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server 2006 connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server by default, with no additional configuration changes required.
By using LDAP authentication, you get the following benefits:
• ISA Server 2006 Standard Edition servers or ISA Server 2006 Enterprise Edition array members can run in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.
• Authentication of users in a domain with which there is no trust relationship.
In this section you will do the following:
• Create an LDAP Server Set
• Create an LDAP User Set
For more information about LDAP configuration, see Appendix B of the Secure Application Publishing article on Microsoft TechNet:
http://www.microsoft.com/technet/isa/2006/secure_web_publishing.mspx#AppendixB
Create an LDAP Server Set
Perform the following procedure to create an LDAP server set:
• For Standard Edition, perform the following procedure on computer isa01.
• For Enterprise Edition, perform the following procedure on computer storage01.
To Create an LDAP Server Set
1. In the console tree of ISA Server Management, click General:
   • For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand isa01, expand Configuration, and then click General.
   • For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand main, expand Configuration, and then click General.
2. In the details pane, click Specify RADIUS and LDAP Servers.
3. On the LDAP Servers Sets tab, click Add to open the Add LDAP Server Set dialog box.
4. In LDAP server set name, type CorpLDAP.
5. Click Add to add each LDAP server name or IP address.
6. In Server name, type dc01 and click OK.
7. Click OK to close the Add LDAP Server Set dialog box.
8. Click New to open the New LDAP Server Mapping dialog box.
9. In Login expression, type corp\*. In LDAP server set, select CorpLDAP, and click OK.
10. Click Close to close the Authentication Servers window.
For more information on LDAP server settings, see Appendix B: LDAP Configuration in the Microsoft TechNet article Secure Application Publishing at http://go.microsoft.com/fwlink/?LinkID=87069.
Create an LDAP User Set
To authenticate users through LDAP, you need to determine which users to authenticate and who authenticates the users. To do this, you need to create an LDAP user set.
Perform the following procedure to create an LDAP user set:
• For Standard Edition, perform the following procedure on computer isa01.
• For Enterprise Edition, perform the following procedure on computer storage01.
1. In the console of ISA Server Management, click Firewall Policy:

| Page | Field or property | Setting |
|---|---|---|
| Welcome | User set name | Type LDAPUsers. |
| Users | Select the users to include in this user set. | Click Add, and select LDAP. |
| Add LDAP User | LDAP server set | Select CorpLDAP, the LDAP server set, from the drop-down list. |
| Add LDAP User | User name | Select All Users in this namespace. Note: You can also specify user groups or specific user accounts if you do not want all users to be part of this LDAP user set. |
| Completing the New User Set Wizard | | Review settings. Click Back to make changes and Finish to complete the wizard. |

1. Click the Apply button in the details pane to save the changes and update the configuration.
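The login expression corp\* created in the server set procedure and the "All Users in this namespace" choice in the user set above decide together which logons ISA Server will even try to validate against CorpLDAP. The following Python snippet is an added example and is not ISA Server code; it models that selection so the effect of an expression can be checked before users are told what to type on the logon form. It assumes, as stated in the code, that the first matching mapping wins and that matching is case-insensitive; the PartnerLDAP mapping and every account name are constructed sample data.

```python
"""Model of ISA Server's LDAP server mapping and LDAP user set membership.

Added example (not ISA Server code).  Assumptions, marked here and in the lead-in:
mappings are evaluated top to bottom and the first matching login expression wins,
matching is case-insensitive, and '*' in an expression behaves as a glob wildcard.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple, Union

Mapping = Tuple[str, str]  # (login expression, LDAP server set name)

MAPPINGS: List[Mapping] = [
    ("corp\\*", "CorpLDAP"),               # the mapping created in step 9 of the procedure above
    ("*@partner.example", "PartnerLDAP"),  # constructed: users of an untrusted partner domain
]

# User sets as (server set, members); "*" stands for "All Users in this namespace".
UserSet = Tuple[str, Union[str, List[str]]]
LDAP_USER_SETS: Dict[str, UserSet] = {
    "LDAPUsers": ("CorpLDAP", "*"),                          # the set created above
    "PartnerHelpdesk": ("PartnerLDAP", ["alice@partner.example"]),  # constructed
}


def select_server_set(login: str, mappings: List[Mapping]) -> Optional[str]:
    """Return the LDAP server set whose login expression first matches the name the
    user typed, or None when no expression matches (ISA then cannot authenticate)."""
    for expression, server_set in mappings:
        if fnmatchcase(login.lower(), expression.lower()):
            return server_set
    return None


def in_user_set(login: str, user_set_name: str,
                mappings: List[Mapping] = MAPPINGS,
                user_sets: Dict[str, UserSet] = LDAP_USER_SETS) -> bool:
    """True when the logon is routed to the user set's server set and is one of its
    members ("*" accepts every account that server set authenticates)."""
    server_set, members = user_sets[user_set_name]
    if select_server_set(login, mappings) != server_set:
        return False
    if members == "*":
        return True
    return login.lower() in (member.lower() for member in members)


def explain(login: str) -> str:
    """One-line diagnosis for a logon name, e.g. when a user reports 'access denied'."""
    server_set = select_server_set(login, MAPPINGS)
    if server_set is None:
        return f"{login}: no login expression matches; the user must type DOMAIN\\user or user@domain"
    sets = [name for name in LDAP_USER_SETS if in_user_set(login, name)]
    return f"{login}: authenticated by {server_set}; member of {sets or 'no user set'}"


if __name__ == "__main__":
    for name in ("corp\\jsmith", "CORP\\JSmith", "jsmith", "alice@partner.example", "bob@partner.example"):
        print(explain(name))
```

The third sample name shows the usual support call: a user who types only "jsmith" matches no expression and is rejected at the listener, although the account itself is fine.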
Set the Idle Session Timeout for All Firewalls and Network Appliances to 1800 seconds
In this step, you will modify the idle session timeout on all firewalls, proxy servers, and other network appliances so that it accommodates the time that direct push technology needs to function correctly.
The default idle session timeout in ISA Server 2006 is 1800 seconds, so you should not need to modify it.
For more information about modifying the idle session timeout, see “Configuring your Firewall for Optimal Direct Push Performance” in the Best Practices for Deploying a Mobile Messaging Solution section in this document.
To confirm the firewall Idle Session Timeout
1. In the console tree of ISA Server Management, click Firewall Policy.
2. On the Toolbox tab, click Network Objects.
3. From the list of folders, expand the Web Listeners node, and view the Properties of the appropriate Web Listener.
4. Select the Connections tab and then click the Advanced... button.
5. Make sure the Connection Timeout is set at 1800 seconds (30 minutes). Change it if needed.
6. Click OK twice to accept any change.
7. Click Apply to make these changes.
Test Exchange Publishing Rule
In this section, you will test the new Exchange publishing rule that you just created.
Test Exchange ActiveSync
Configure a mobile device to connect to your Exchange server using Microsoft Exchange ActiveSync, and make sure that ISA Server and Exchange ActiveSync are working properly.
When you configure your mobile device and are prompted to enter a value for the server name field, type the name of the Exchange ActiveSync server that was just published, such as https://mail.contoso.com/oma.
Note:
You can also test Exchange ActiveSync using Internet Explorer. Open Internet Explorer, and in Address, type the URL https://published_server_name/Microsoft-Server-ActiveSync, where published_server_name is the published name of the Outlook Web Access server (the name a user would use to access Outlook Web Access). After you authenticate yourself, if you receive an Error 501/505 (Not implemented or not supported), ISA Server and Exchange ActiveSync are working together properly.
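The browser check in the note is convenient but easy to misread: a 200 response can mean the listener served its logon form rather than that Exchange answered. The following Python script is an added example and is not part of the guide; it repeats the GET from the note (expecting 501/505), adds the OPTIONS request that an ActiveSync client actually sends first (Exchange answers it with the MS-ASProtocolVersions header), and turns each status into a verdict. It assumes the Web listener passes Basic credentials through for this path and that a test account exists; the public name, account and password in the usage block are placeholders.

```python
"""Probe a published Exchange ActiveSync endpoint through ISA Server.

Added example, not from the guide.  interpret() works offline on status codes and
headers (the GET rule is the guide's own 501/505 check; the OPTIONS rule follows the
ActiveSync protocol, where the server advertises MS-ASProtocolVersions), and probe()
runs both requests against a live published name.
"""
import base64
import urllib.error
import urllib.request
from typing import Dict, Tuple

EAS_PATH = "/Microsoft-Server-ActiveSync"


def interpret(method: str, status: int, headers: Dict[str, str]) -> str:
    """Map one response to a verdict.  Header names are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return "auth-failed: the listener (or the delegated Basic credentials) rejected the logon"
    if status == 403:
        return "forbidden: the rule's user set or a device policy denies this request"
    if method == "GET" and status in (501, 505):
        return "ok: ISA reached Exchange ActiveSync (GET is not implemented there, as the guide expects)"
    if method == "OPTIONS" and status == 200:
        versions = [v.strip() for v in h.get("ms-asprotocolversions", "").split(",") if v.strip()]
        if not versions:
            return "unexpected: 200 without MS-ASProtocolVersions; the listener probably returned a logon form"
        return "ok: ActiveSync versions offered " + ",".join(versions)
    if status == 200:
        return "unexpected: 200 for GET; the listener probably returned its logon form instead of reaching Exchange"
    if 300 <= status < 400:
        return "redirect: check that the public name and the SSL listener match what the device will use"
    return f"unexpected: HTTP {status} for {method}"


def _request(url: str, method: str, auth: str) -> Tuple[int, Dict[str, str]]:
    """Send one request with Basic credentials; error statuses are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": "Basic " + auth,
        "User-Agent": "EASProbe/1.0",  # constructed agent string
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def probe(public_name: str, user: str, password: str) -> Dict[str, str]:
    """Run the guide's GET and an OPTIONS against https://<public_name>/Microsoft-Server-ActiveSync."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"https://{public_name}{EAS_PATH}"
    return {method: interpret(method, *_request(url, method, auth)) for method in ("GET", "OPTIONS")}


if __name__ == "__main__":
    # Placeholders: use the published name from the rule and a test account in DOMAIN\user form.
    for method, verdict in probe("mail.contoso.com", "corp\\testuser", "PLACEHOLDER").items():
        print(f"{method:8s} {verdict}")
```

Both verdicts should start with "ok" for a working rule; an "auth-failed" on GET together with "ok" on OPTIONS usually points at the authentication delegation setting rather than at the device configuration.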
Step 6: Configure and Manage Mobile Device Access on the Exchange Server
With the Microsoft Exchange Server 2003 SP2 installation, Exchange ActiveSync features are enabled for all client mobile devices at the organizational level. If your security setup accepts the trusted certificates that are shipped on the mobile devices, all you need to do is instruct your users who have Windows Mobile 5.0-based devices to sign in using the pre-installed ActiveSync software.
Note:
If you want to establish a central security policy, you should use the Exchange System Manager to configure it for all users; follow the instructions in “Configuring Security Settings for Mobile Devices” later in this chapter.
For more information about setting security policies, see “Best Practice: Determine and Deploy a Device Password Policy” in Best Practices for Deploying a Mobile Messaging Solution.
For more information about managing and configuring mobile devices, see “Setting Up a Mobile Device Connection to Exchange Server” in Step 8: Manage and Configure Mobile Devices.
With the management capabilities that are in Exchange Server 2003 SP2 and the security and configuration protocols that are included in Windows Mobile 5.0 with MSFP, most of the administration of the mobile devices takes place on the Exchange server or in the Mobile Administration Web tool.
You can do the following actions on your Exchange server:
• Configure mobile access.
• Configure security policy settings for mobile devices.
• Monitor mobile performance on Exchange Server.
Configuring Mobile Access
During a default installation, all Exchange ActiveSync features are enabled. You can modify the feature settings at the Exchange server level with Exchange Server System Manager, and enable or disable the Exchange ActiveSync features for individual users or groups by using Active Directory.
When managing access to Exchange ActiveSync features, you can do the following:
1. Configure Exchange ActiveSync features for your organization
2. Disable user-initiated synchronization for users or groups (if desired)
3. Enable or disable up-to-date notifications (optional)
Configuring Exchange ActiveSync Features for Your Organization
Exchange ActiveSync allows users to synchronize their Exchange information with a mobile device. At the organizational level on your Exchange server, you can enable or disable the following Exchange ActiveSync features:

| Feature | Description |
|---|---|
| Enable user-initiated synchronization | Enables users to synchronize their Exchange information with their mobile device. |
| Enable up-to-date notifications via SMTP and Text Messaging | Allows users to receive notifications through SMTP in order to keep their device up to date with information on their Exchange server. This should be left enabled to accommodate users who have Windows Mobile-based devices without MSFP. |
| Enable notifications to user-specified SMTP addresses | Allows users to use their own wireless service provider. |
| Enable Direct Push over HTTP(s) | Enables users with Windows Mobile-based devices with MSFP to receive notifications through HTTP to keep their mobile device up to date with the information that is on their Exchange server. |
To configure Exchange ActiveSync features for your organization
1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties. The following illustration shows the Mobile Services Properties dialog box.
3. In Mobile Services Properties, under Exchange ActiveSync, select the check boxes for the options you wish to enable for your organization. You can then use Active Directory Users and Computers to enable or disable specific users or groups, if desired.
4. Click OK to save your settings.
Exchange ActiveSync can also be disabled for individual users or groups by using Active Directory Users and Computers.
Disabling User-Initiated Synchronization for Users or Groups
With User-Initiated Synchronization enabled at the organizational level, you can control the capability of individual users or groups to use Exchange ActiveSync to synchronize with their Exchange mailbox by using mobile devices. Use the Active Directory Exchange Features tab to disable this functionality for individual users or for groups.
To disable user-initiated synchronization
1. On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, expand the domain. Double-click Users, or double-click the node that contains the recipient information that you want to modify.
3. In the details pane, double-click the user or users for whom you want to disable user-initiated synchronization to open the Properties dialog box. The following illustration shows the Mobile Services Properties dialog box.
4. On the Exchange Features tab, under Mobile Services, select User Initiated Synchronization, and then click Disable.
5. Click Apply.
6. Click OK.
Enable or Disable Up-to-date Notifications
The Enable Up-to-date Notifications feature is on by default in Exchange ActiveSync at the organizational level. If your mobile messaging solution includes mobile devices that do not support direct push technology, make sure to enable this feature for users or for groups that have Windows Mobile-based devices without MSFP. You can enable or disable Up-to-date Notifications by using Active Directory Users and Computers.
Note:
To use up-to-date notifications, you must also enable user-initiated synchronization.
To enable or to disable up-to-date notifications
1. On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, expand the domain. Double-click Users, or double-click the node that contains the recipient information that you want to modify.
3. In the details pane, double-click the user name of the user for whom you want to enable or disable up-to-date notifications.
4. On the Exchange Features tab, under Mobile Services, select User Initiated Synchronization, and then click Enable or Disable.
Note:
When User Initiated Synchronization is disabled, Up-to-date Notifications is automatically disabled.
5. If you want to enable Up-to-date Notifications, on the Exchange Features tab, under Mobile Services, select Up-to-date Notifications, and then click Enable.
6. Click Apply.
7. Click OK.
Configuring Security Settings for Mobile Devices
You can specify security options for your users who connect to Exchange Server by using mobile devices. With the Exchange System Manager, you can set the length and the strength of the password, the amount of inactivity time, and the number of failed attempts that can occur before the mobile device is wiped.
For more information about setting security policies, see “Best Practice: Determine and Deploy a Device Password Policy” in Best Practices for Deploying a Mobile Messaging Solution.
Note:
The term password that is referenced in this topic refers to the password that a user enters to unlock his or her mobile device. It is not the same as a network user password.
Note:
The Wipe device after failed option is off by default.
The following table presents the options you can use to set your security policies.

| Security Option | Description |
|---|---|
| Minimum password length (characters) | Use this option to specify the required length of the user's password for his or her mobile device. The default setting is 4 characters. You can specify a password length of 4 to 18 characters. |
| Require both numbers and letters | Use this option if you want to require that users choose a password that contains both numbers and letters. This option is not selected by default. |
| Inactivity time (minutes) | Use this option to specify whether your users must log on to their mobile devices after a specified number of minutes of inactivity. This option is not selected by default. If selected, the default setting is 5 minutes. |
| Wipe device after failed (attempts) | Use this option to specify whether you want the device memory wiped after multiple failed logon attempts. This option is not selected by default. If selected, the default setting is 8 attempts. |
| Refresh settings on the device (hours) | Use this option to specify how often you want to send a provision request to mobile devices. This option is not selected by default. If selected, the default setting is every 24 hours. |
| Allow access to devices that do not fully support password settings | Select this option if you want to allow mobile devices that do not fully support the device security settings to be able to synchronize with Exchange. This option is not selected by default. |
Note:
If the Allow access to devices that do not fully support password settings option is not selected, users that use mobile devices that do not fully support device security settings (for example, devices that do not support provisioning) will receive a 403 error message when they attempt to synchronize their mobile devices with Exchange.
To configure security settings for mobile devices
1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.
3. In Mobile Services Properties, click Device Security.
4. To specify the device security options, select Enforce password on device, and then configure the options according to the policies that you have set. The following illustration shows the Device Security Settings dialog box.
5. Click OK.
Specifying Users Who Are Exempt from Device Security Settings
You can specify the users whom you want to be exempt from the settings that you have configured in the Device Security Settings dialog box. This exceptions list is useful if you have specific, trusted users of whom you do not need to require device security settings.
To add or to remove users who are exempt from device security settings
1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, double-click Global Settings, right-click Mobile Services, and then click Properties.
3. In Mobile Services Properties, click Device Security.
4. In Device Security Settings, click Exceptions.
5. Use the options in the Device Security Exception List dialog box to select the user or the group of users whom you want to be exempt from settings that you have configured in the Device Security Settings dialog box.
6. To specify that a user be exempt from device security settings, click Add. The following illustration shows the Select User dialog box.
7. In Select User, specify a user or group of users, and then click OK. For information about how to specify users, in the Select Users dialog box, click ? in the title bar, and then click the option you want to learn more about.
8. To remove a user from the list of users who are exempt from device security settings, in the Users list box, select the user that you want to remove, and then click Remove.
9. Click OK.
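The device security table, the 403 note, and the exceptions list above interact, and the interaction is easiest to see in code. The following Python model is an added example, not part of the guide or of Exchange: it encodes the documented ranges and defaults so that a proposed policy can be sanity-checked before it is typed into Exchange System Manager, checks an unlock password against the policy, and applies the documented 403 rule for devices that cannot be provisioned. That exempt users are not subject to the 403 rule is an assumption marked in the code; the user names and passwords are constructed.

```python
"""Model of the Mobile Services Device Security settings (Exchange Server 2003 SP2).

Added example, not Exchange code.  Ranges and defaults come from the guide's table;
the 403 rule from its note; exception-list handling is an assumption (see below).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DeviceSecurityPolicy:
    enforce_password: bool = False            # "Enforce password on device" check box
    min_length: int = 4                       # documented range 4..18, default 4
    require_numbers_and_letters: bool = False
    inactivity_minutes: Optional[int] = None  # None = option not selected; default 5 when selected
    wipe_after_failed: Optional[int] = None   # None = not selected; default 8 when selected
    refresh_hours: Optional[int] = None       # None = not selected; default 24 when selected
    allow_non_provisionable: bool = False     # "Allow access to devices that do not fully support..."
    exempt_users: List[str] = field(default_factory=list)  # Device Security Exception List


def validate_policy(p: DeviceSecurityPolicy) -> List[str]:
    """Return the settings that Exchange System Manager would not accept (empty = fine)."""
    problems = []
    if not 4 <= p.min_length <= 18:
        problems.append("minimum password length must be 4 to 18 characters")
    # The guide gives defaults but no lower bounds for these; a positive value is assumed.
    for name, value in (("inactivity time", p.inactivity_minutes),
                        ("wipe after failed attempts", p.wipe_after_failed),
                        ("refresh interval", p.refresh_hours)):
        if value is not None and value < 1:
            problems.append(f"{name} must be a positive number when selected")
    return problems


def password_compliant(p: DeviceSecurityPolicy, password: str) -> List[str]:
    """Reasons a device unlock password would be rejected under the policy (empty = compliant)."""
    if not p.enforce_password:
        return []
    reasons = []
    if len(password) < p.min_length:
        reasons.append(f"shorter than {p.min_length} characters")
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    if p.require_numbers_and_letters and not (has_digit and has_alpha):
        reasons.append("must contain both numbers and letters")
    return reasons


def sync_decision(p: DeviceSecurityPolicy, user: str, device_supports_provisioning: bool) -> str:
    """'allow' or '403' for a sync attempt.  Documented: a device that cannot be
    provisioned gets 403 unless the 'Allow access...' option is selected.  Assumed:
    users on the exception list are never refused on policy grounds."""
    if not p.enforce_password:
        return "allow"
    if user.lower() in (u.lower() for u in p.exempt_users):
        return "allow"
    if device_supports_provisioning or p.allow_non_provisionable:
        return "allow"
    return "403"


if __name__ == "__main__":
    # Constructed policy and accounts for the demonstration.
    policy = DeviceSecurityPolicy(enforce_password=True, min_length=6,
                                  require_numbers_and_letters=True, inactivity_minutes=5,
                                  wipe_after_failed=8, refresh_hours=24,
                                  exempt_users=["contoso\\ceo"])
    print("policy problems:", validate_policy(policy) or "none")
    for pwd in ("ab12", "abcdef", "abc123"):
        print(f"{pwd:8s} -> {password_compliant(policy, pwd) or 'compliant'}")
    for user, provisionable in (("contoso\\jsmith", False), ("contoso\\CEO", False), ("contoso\\jsmith", True)):
        print(f"{user:16s} provisionable={provisionable!s:5s} -> {sync_decision(policy, user, provisionable)}")
```

The first loop shows why the table's "not selected by default" entries matter: with enforce_password left off, every check passes and the 403 never fires, which is the state a fresh SP2 installation is in.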
Monitoring Mobile Performance on Exchange Server 2003 SP2
To track the performance, availability, and reliability of Exchange ActiveSync and other mobile messaging components, you can use the Exchange Server Management Pack. The Exchange Server Management Pack includes rules and script components that validate the availability of communication services, send test e-mails to verify operations, and measure actual delivery times.
With Exchange Server 2003 SP2, the following new rules were added:
• Exchange database size limits
• Exchange ActiveSync configuration settings
• Exchange ActiveSync Up-to-Date Notifications performance
• Exchange ActiveSync errors
• Monitor intelligent message filtering performance
• Intelligent message filtering errors
• Sender ID configuration errors
• Sender ID errors
• Disk read/write performance
• DSAccess settings
• Public folder replication
The Exchange Management Pack Configuration Wizard provides a graphical user interface (GUI) to configure Exchange 2000 and Exchange 2003 Management Packs, including test mailboxes, message tracking, and monitoring services.
You can download the Exchange Management Pack from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=55885.
The Exchange Server Management Pack Guide for MOM 2005 explains how to use the Exchange Management Pack to monitor and maintain messaging resources.
You can download the management pack guide from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=58794.
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
The Microsoft Exchange ActiveSync Mobile Administration Web tool enables administrators to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. By using the Exchange ActiveSync Mobile Administration Web tool, you can perform the following actions:
• View a list of all devices that are being used by any enterprise user.
• Select or cancel the selection of devices to be remotely erased.
• View the status of pending remote erase requests for each device.
• View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices that those commands pertained to.
Download the Mobile Administration Web Tool
The Exchange ActiveSync Mobile Administration Web tool is available for download from the following Tools for Exchange Server 2003 Web site: http://go.microsoft.com/fwlink/?LinkId=54738.
Software requirements for the Mobile Administration Web tool
The following bulleted list presents the software requirements for the Mobile Administration Web tool:
• Microsoft Exchange Server 2003 SP2
• Microsoft Windows Server 2003 with Service Pack 1 (SP1)
• Internet Information Services (IIS) 6.0
• Microsoft Exchange ActiveSync Mobile Administration Web tool
Installing the Mobile Administration Web tool
Follow the instructions included with the download to install the Exchange ActiveSync Mobile Administration Web tool on a front-end server that runs Exchange Server 2003 SP2. The installation program creates the MobileAdmin virtual directory, through which the tool can be accessed.
When installed correctly, the Exchange ActiveSync Mobile Administration Web tool is available from any remote computer that has an Internet browser that can access the virtual directory that is associated with the tool.
However, to access the Exchange ActiveSync Mobile Administration Web tool from the same computer upon which it is installed, you must use one of the following approaches:
• Add the server name to the Local intranet list for Internet Explorer: In Internet Explorer, click Tools, click Internet Options, click Security, click Local intranet, and then click Sites.
• Use localhost as the server name when specifying the mobileAdmin URL in the browser (for example, https://localhost/mobileAdmin).
Adding Administrators or Help Desk
By default, access to the Exchange ActiveSync Mobile Administration Web tool is restricted to Exchange administrators and to local administrators. You may want to give your Help Desk or support personnel access to the Exchange ActiveSync Mobile Administration Web tool, so that they can monitor mobile devices and be ready to enforce a remote wipe if a device is reported missing or compromised.
You can enable additional users to access the Exchange ActiveSync Mobile Administration Web tool by modifying the security settings on the MobileAdmin folder in the installation directory with the following process.
To add administrators to the Exchange ActiveSync Mobile Administration Web Tool
1. Right-click the MobileAdmin folder, and then select Sharing and Security. The Insert Folder Security properties dialog box appears.
2. In the Insert Folder Security properties dialog box, add a user or a group by clicking Add, and then entering the name of the user or the group to which you want to grant access.
3. Remove a user or a group by selecting that user or that group, and then clicking Remove.
Step 8: Manage and Configure Mobile Devices
As an administrator using Microsoft Exchange Server 2003 (SP2), you now have tools with which to set and enforce your mobile device security policies. You can also control some of the features on the mobile devices by using provisioning tools.
This topic provides you with instructions and pointers for doing the following administrative tasks:
• Setting Up a Mobile Device Connection to Exchange Server
• Using the Mobile Administration Web Tool to Track Mobile Devices
• Provisioning or Configuring the Windows Mobile 5.0-based Devices
Setting Up a Mobile Device Connection to Exchange Server
If mobile users have a data usage plan through a mobile operator, Exchange ActiveSync on the mobile device can be used to synchronize e-mail, contacts, calendar, and tasks over the air. Alternatively, they can use Desktop ActiveSync to partner their Windows Mobile 5.0-based device with an Exchange server by using a USB cable from a desktop computer that is connected to your network.
Regardless of the connection method that your users use, you will need to provide them with the following information before they can synchronize with your Exchange server:
• The address of your external mail server.
• Their respective Exchange usernames, passwords, and domains that they will use to access your Exchange server.
Your users can use ActiveSync on their mobile devices or on their computer to choose which types of data, such as contacts, calendar, tasks, and e-mail, they will synchronize with Exchange. You may advise your users to uncheck any data types that should not be stored on their mobile devices.
Note:
For more information about ActiveSync and other features on Smartphones and on Pocket PCs, including step-by-step instructions for the use of those features, visit the Windows Mobile Web site at http://go.microsoft.com/fwlink/?LinkId=37728.
Synchronizing Directly with Exchange Server
If your users use the desktop ActiveSync setup, advise them to be sure to choose the option to synchronize their mobile devices directly with the Exchange server. Direct push technology and security policy enforcement will be effective only when the devices are synchronized directly with the Exchange server. Synchronizing mobile devices with only the desktop computer is not recommended.
Connecting to an Exchange Server by Using a Phone or a Wireless Network
Your users can use ActiveSync on a Windows Mobile 5.0-based device to synchronize their mobile device directly with their Exchange server.
The first time a user starts ActiveSync on his or her mobile device, the user will see two options: to synchronize using the desktop computer or to synchronize directly. If your users have the address of their Exchange server and know their respective Exchange usernames, passwords, and domains, the ActiveSync wizard will walk them through the steps.
To connect a Windows Mobile 5.0-based device to an Exchange server
1. On the Home screen, choose Start, choose ActiveSync, choose Menu, and then choose the Configure Server tab. If the mobile device has not yet been synchronized with Exchange Server, Add Server Source... will be the available option.
2. In Server address, enter the name of the server that is running Exchange, and then choose Next.
3. Enter your user name, password, and domain name, and then choose Next.
4. If you want the mobile device to save your password so that you will not need to enter it again the next time that you connect your mobile device to Exchange, select the Save password check box.
5. Select the check boxes for the types of information items that you want to synchronize with Exchange Server.
6. To change available synchronization settings, select the type of information that you want to synchronize, choose Menu, and then choose Settings.
7. To change the rules for resolving synchronization conflicts, choose Menu, and then choose Advanced.
8. Choose Finish.
Connecting to Exchange Server by Using a Desktop Computer
Your users can set up device synchronization with their Exchange server using their laptop or desktop computer and the USB cradle/connector that accompanies most Windows Mobile-based devices.
Important:
Before a USB sync connection can be made, ActiveSync must be installed on the user's desktop computer. The ActiveSync software is available either on the Windows Mobile Getting Started Disc provided with the mobile device, or as a download from http://go.microsoft.com/fwlink/?LinkId=109230.
In the ActiveSync Setup Wizard, your users can:
• Create a synchronization relationship between the desktop computer and the mobile device.
• Configure an Exchange server connection to synchronize directly with Exchange server.
• Choose which information types they would like to synchronize with Exchange.
To connect with Exchange Server by using a desktop computer
1. Install ActiveSync 4.1 or later on your desktop or laptop computer.
2. After the reboot required by the installation, the ActiveSync Wizard's Get Connected screen appears.
3. Connect the phone cable/cradle to the computer, cradle the phone, and follow the instructions on the screen to complete the wizard.
4. When you finish the wizard, ActiveSync synchronizes your phone automatically. Once synchronization completes, you can disconnect your phone from your PC.
Accessing a Corporate Network by Using a VPN Connection
If your corporate network includes access to a VPN server based on PPTP or L2TP/IPSec VPN protocols, your employees can set up their own connection with the interface provided with the Windows Mobile 5.0-based device. The VPN setup varies from device to device, so check with your manufacturer for instructions.
You can also provision the mobile devices so that the connection is configured and the users only need to supply their usernames and passwords. For more information about configuring your Windows Mobile 5.0-based mobile devices for VPN access, see the “CM_VPNEntries Configuration Service Provider” topic in the Windows Mobile 5.0 SDK: http://go.microsoft.com/fwlink/?LinkId=67444.
Using the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices
The following bulleted list describes several things that you can use the Exchange ActiveSync Mobile Administration Web tool to do:
• View a list of all of the mobile devices that are being used by any enterprise user.
• Select a mobile device to be remotely erased, or cancel the selection of a mobile device to be remotely erased.
• View the status of pending remote wipe requests for each mobile device.
• View a transaction log that indicates which administrators have issued remote wipe commands, and which mobile devices are targeted to be erased.
The Welcome screen of the Mobile Administration Web tool introduces its two administrative options, presented on separate Web pages:
• Remote Wipe: Initiate and track a remote wipe command for lost or stolen mobile devices.
• Transaction Log: View a log of administrative actions on mobile devices, noting time, action, and user.
Initiating and Tracking Remote Wipe on Mobile Devices
The Remote Device Wipe option provides the following functions:
Initiating a Remote Wipe for a Lost or a Stolen Mobile Device
To initiate a remote wipe, you can search for a user's mobile device by specifying the user's name. As shown in the figure below, the Remote Device Wipe Web page displays the device ID, device type, the time that the device last synchronized with the Exchange server, and the wipe status or delete status of the device for each user's mobile device. To initiate a remote wipe for a lost or stolen mobile device, you can locate the desired device and then choose Wipe. The Remote Device Wipe Web page then displays the up-to-date status for the mobile device, displaying whether and when the device was successfully wiped.
>2
Deploying Windows Mobile-based Devices with Exchange Server 200 S!2
Viewing the Status on a Pending Remote Wipe for a Lost or a Stolen Mobile Device
When a remote wipe is specified for a mobile device, the remote wipe command stays active until the administrator specifies otherwise. This means that, after the initial remote wipe has been completed, the Exchange server continues to send a remote wipe directive if the same device ever tries to reconnect to the Exchange server.
Canceling a Remote Wipe If a Lost or a Stolen Mobile Device Is Recovered
If a lost mobile device is recovered and the remote wipe that you initiated has not occurred, you must cancel the wipe in order for the device to successfully connect again. To cancel the wipe, locate the mobile device that has the remote wipe command set and then click Cancel Wipe.
Deleting a Mobile Device Partnership from the Exchange Server
You can use the remote wipe command to delete a mobile device partnership from the Exchange server. This action, which is primarily useful for "housekeeping" purposes, will delete from the Exchange server all state that is associated with a specified device. If a user tries to connect a mobile device to the Exchange server after the partnership between the mobile device and the Exchange server has been deleted, the mobile device user will be forced to re-establish the partnership with the Exchange server.
Viewing a Log of Remote Wipe Transactions
The following table shows the information that is compiled by the Remote Wipe transaction log regarding the critical administrative actions that are performed when you use the Exchange ActiveSync Mobile Administration Web tool.
Log Entry     Description
Date Time     Date and time when the action was executed
User          The user who executed the action
Mailbox       The mailbox that the action pertained to
Device ID     The device that the action pertained to
Type          The type of device that the action pertained to
Action        The action taken by the administrator
Provisioning or Configuring the Windows Mobile 5.0-based Device
If you are working with a mobile operator or a mobile device manufacturer to deploy your Windows Mobile 5.0-based devices, you may be able to acquire mobile devices that have been pre-configured with the technologies and security settings that fit your needs.
You can use the device provisioning tools that are available in the Windows Mobile 5.0 Software Development Kit (SDK) to configure settings on the devices; to add, update, and remove software from the mobile devices; or to change the functionality of the mobile devices.
Note:
You must have either manager access to the Windows Mobile 5.0-based devices or the ability to run trusted code on them in order to use the provisioning tools. Check with your mobile operator or device manufacturer for more information on the application security settings on your devices.
For more information about managing mobile devices, see the "Managing Devices" section of the SDK. The SDK documentation is included in the MSDN Library. The SDK documentation and tools are available at no charge from the Microsoft Download Center.
Note:
Be aware that there are two versions of Windows Mobile 5.0 software: Windows Mobile Version 5.0 software for Pocket PCs and Windows Mobile Version 5.0 software for Smartphones. Some procedures are different for these two versions of Windows Mobile 5.0 software. While working in the SDK, closely follow references and directions for the version that is on your mobile devices.
Overview of Provisioning
Provisioning a Windows Mobile 5.0-based device involves creating a provisioning XML file that contains configuration information, and then sending the file to the device. The Configuration Manager and the Configuration Service Providers configure the device based on the contents of the provisioning XML file.
The Configuration Manager is the central authority that processes the provisioning XML file. The Configuration Service Providers carry out all configuration queries and changes. After the data is passed to the Configuration Service Providers, they are responsible for carrying out the changes to the mobile device and for reporting the success or failure of the transaction.
Note:
In order to use the provisioning tools, you must have either manager access to the Windows Mobile 5.0-based devices or the ability to run trusted code on them.
The following bulleted list describes most, but not all, of the ways that you can deliver the provisioning XML file to the mobile device:
A device that is connected to a desktop by a USB connection.
Storage cards.
Over the air (OTA).
Download from a Web site.
Placement in device ROM or persistent storage.
The Provisioning Process
The following is a walkthrough of the provisioning process using a sample XML file that you can use to configure your Windows Mobile 5.0-based devices with the path and the domain name of your Exchange server. The resulting configuration should enable your users to synchronize their mobile devices without having to enter this information.
During this sample provisioning process, you will perform the following tasks:
1. Create the provisioning XML file.
2. Prepare the provisioning XML file for delivery using ActiveSync.
3. Deliver the provisioning XML file to the device by using a USB connection or a storage card.
In this process, you will use the makecab.exe utility to create a .cab file. Makecab.exe is included with the Microsoft Windows operating system and is available from the Command prompt.
Note:
XML provisioning files can be packaged as .cab or .cpf files. Because ActiveSync Application Manager does not recognize .cpf files, the .cab format is used in this sample.
Provisioning Sample: Configuring Synchronization Settings
Create a valid provisioning XML file that is named _setup.xml. This file should contain the XML code that addresses the Configuration Manager and its associated Configuration Service Providers.
To create the XML file
1. Copy the following provisioning code for the Sync Configuration Service Provider and paste it into Notepad or another text editor.
<wap-provisioningdoc>
  <characteristic type="Sync">
    <characteristic type="Connection">
      <parm name="AllowSSLOption" value="1" />
      <parm name="Server" value="\\testserver"/>
      <parm name="Domain" value="testcompany.com" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
2. Change \\testserver to the name of your Exchange server, and change testcompany to the domain name of your Exchange server.
3. Save the file as _setup.xml.
The _setup.xml file must be processed into a .cab file before it is transferred and installed on your user's mobile device with ActiveSync Application Manager.
To prepare the XML file for delivery through the Desktop
1. To create a .cab file from the _setup.xml file, run the Makecab.exe utility, using the following syntax:
makecab _setup.xml myFile.cab
2. You may want to have your mobile operator sign the .cab file. This is an optional step that will remove the possibility of your users seeing the Unknown Publisher dialog box during installation.
The provisioning .cab file can be distributed to a device that is cradled to a desktop PC. The provisioning .cab file can also be distributed to a mobile device on a variety of storage cards, such as a MultiMedia Card (MMC), a Secure Digital I/O (SDIO) card, or a Compact Flash card that is inserted into the device.
Note:
If the ActiveSync Setup wizard appears when you connect the mobile device to a desktop computer, click Cancel. It is recommended that you use Windows Explorer and File Explorer to transfer the .cab file to the device.
To distribute the .cab file to a mobile device
1. Move or copy the .cab file (myfile.cab) to the device.
2. On the device, locate the file by using File Explorer and click the .cab icon to initiate the installation.
3. The Unknown Publisher dialog box may appear if you did not sign the file. Click Yes to continue with the installation. Notification of a successful installation will appear.
4. Select the .cab file, and then from the Menu choose Delete to remove the .cab file from the device.
You can check the device to verify that your device provisioning was successful.
To verify that mobile device provisioning was successful
1. Uncradle the device or remove the storage card.
2. Choose Start, choose Programs, and then select ActiveSync.
3. Click Menu, and then select Configure Server.... The Exchange server path will appear in the Server Address dialog box.
4. Click Next. On the Edit Server Settings page, the domain name of your company should appear in the Domain dialog box. The User name and Password dialog boxes will be empty.
5. Click Back, and then choose Cancel.
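The provisioning walkthrough above ends with a manual check on the device. The following added example (not part of the Microsoft guide) generates the same Sync CSP wap-provisioningdoc with real values substituted and checks it before it is handed to makecab.exe, so that a file still carrying the sample testserver/testcompany values, or with SSL turned off, is caught on the desktop rather than on the device. The server and domain names it uses are constructed placeholders.

```python
# Added example, not from the Microsoft guide: build and sanity-check the
# Sync Configuration Service Provider document before packaging it.
# Server/domain values used below are constructed placeholders.
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Values shipped in the sample _setup.xml; they must not reach real devices.
SAMPLE_PLACEHOLDERS = {"testserver", "testcompany.com"}


def build_sync_provisioning(server, domain, require_ssl=True):
    """Return the wap-provisioningdoc XML that points devices at `server`
    in `domain`, in the same shape as the sample in the walkthrough."""
    doc = ET.Element("wap-provisioningdoc")
    sync = ET.SubElement(doc, "characteristic", type="Sync")
    conn = ET.SubElement(sync, "characteristic", type="Connection")
    # AllowSSLOption=1 keeps the device synchronizing over SSL.
    ET.SubElement(conn, "parm", name="AllowSSLOption",
                  value="1" if require_ssl else "0")
    # The sample uses the "\\host" form for the Server parm; keep it.
    ET.SubElement(conn, "parm", name="Server",
                  value="\\\\" + server.lstrip("\\"))
    ET.SubElement(conn, "parm", name="Domain", value=domain)
    return ET.tostring(doc, encoding="unicode")


def check_sync_provisioning(xml_text):
    """Return a list of problems; an empty list means the document is ready
    for `makecab _setup.xml myFile.cab`."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "wap-provisioningdoc":
        problems.append("root element must be wap-provisioningdoc")
    conn = root.find("./characteristic[@type='Sync']"
                     "/characteristic[@type='Connection']")
    if conn is None:
        problems.append("missing Sync/Connection characteristic")
        return problems
    parms = {p.get("name"): p.get("value", "") for p in conn.findall("parm")}
    server = parms.get("Server", "")
    host = server.lstrip("\\")
    if not server.startswith("\\\\") or not host:
        problems.append("Server must be of the form \\\\<exchange-server>")
    if host in SAMPLE_PLACEHOLDERS:
        problems.append("Server still carries the sample value testserver")
    domain = parms.get("Domain", "")
    if not domain:
        problems.append("Domain is missing")
    elif domain in SAMPLE_PLACEHOLDERS:
        problems.append("Domain still carries the sample value testcompany.com")
    if parms.get("AllowSSLOption") != "1":
        problems.append("AllowSSLOption should be 1 so devices sync over SSL")
    return problems


def package_with_makecab(xml_path, cab_path):
    """Run makecab.exe exactly as the guide does and return the command line.
    makecab is a Windows tool, so the call is skipped when it is not on PATH
    and only the command that would have run is returned."""
    cmd = ["makecab", xml_path, cab_path]
    if shutil.which("makecab") is None:
        return cmd
    subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # Constructed values; replace with your own Exchange server and domain.
    xml_text = build_sync_provisioning("mail01.example.com", "example.com")
    issues = check_sync_provisioning(xml_text)
    if issues:
        raise SystemExit("\n".join(issues))
    with open("_setup.xml", "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    print(" ".join(package_with_makecab("_setup.xml", "myFile.cab")))
```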
Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication
Certificate-based authentication is an advanced security feature that can be used to meet more stringent security requirements. If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync.
This appendix outlines the requirements and process for deploying Exchange ActiveSync certificate-based authentication. Complete instructions and the deployment tool can be downloaded from the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?linkid=55032.
Configuring the Firewall for Certificate-based Authentication
ISA Server 2006 has a new feature that can end the SSL connection from the mobile device, authenticate a client connection, and then use Kerberos constrained delegation to the Exchange Server 2003 SP2 front-end server. This is an improvement because traffic can be inspected at ISA and then passed to the Exchange 2003 front-end server for processing. Earlier versions of ISA Server required that SSL tunneling be set up. This made it necessary for the Exchange back-end server to end the SSL connection, authenticate the user, and process the request.
Software Requirements for Certificate-Based Authentication
The following is required for enabling Client Certificate-based Authentication for Windows Mobile 5.0 with MSFP and Exchange Server 2003 SP2:
Windows Server 2003 (running in Windows Server 2003 Domain Functional Level)
Windows Server 2003 Certification Authority running Web-based enrollment
Exchange Server 2003 SP2 (Front End and Mailbox Servers)
Windows XP SP2
Microsoft Desktop ActiveSync® version 4.1 or later. Download from The Add-ons for ActiveSync at http://go.microsoft.com/fwlink/?linkid=75423.
Windows Mobile 5.0 with Messaging and Security Feature Pack
Downloading the Certificate Enrollment Tool
The Exchange ActiveSync Certificate-based Authentication tool can be downloaded from the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?linkid=55032, and consists of a folder that contains the following items:
EASAuthUploadXMLtoAD.vbs   The VBScript file that uploads the XML configuration file to Active Directory.
EASCertAuthSampleXML.xml   The sample XML configuration file.
Software license terms.rtf   Microsoft Software License Terms.
Cert_based_Auth.doc.doc   The user documentation (this file) for the tool.
RapiConfig.exe   A desktop configuration tool that enables the execution of provisioning XML on a Windows Mobile-based device or an emulator that is connected by using Exchange ActiveSync.
QryCertReg.xml   The XML file that is used as a parameter in RapiConfig.exe that indicates whether the mobile device is getting the configuration from Active Directory.
System Requirements for the Certificate Enrollment Tool
The following operating system and applications are required for the correct operation of the tool.
Windows 2000 Server SP4 or later versions, or Windows Server 2003 SP1 (recommended)
Important:
There are problems when you try to run the Exchange ActiveSync Certificate-based Authentication tool in a non-English version of Windows Server 2003. For a description and workaround, see the Microsoft Knowledge Base article 927471, "The Exchange ActiveSync Certificate-based Authentication (EASAuthUploadXMLtoAD.vbs) tool returns an error when you use it in a non-English version of Windows Server 2003," at http://go.microsoft.com/fwlink/?linkid=3052&kbid=927471.
Microsoft Exchange Server 2003 Service Pack 2
Messaging and Security Feature Pack for Windows Mobile 5.0
Active Directory
Internet Information Services (IIS)
Microsoft Desktop ActiveSync 4.1 or a later version. Download from Windows Mobile Downloads and Programs at http://go.microsoft.com/fwlink/?linkid=37727
Windows certification authority (CA) running the Web-based enrollment feature
Steps to Enable Certificate-Based Authentication
To enable Certificate-based Authentication between a Windows Mobile 5.0 MSFP device and Exchange Server 2003 SP2, there are three core areas that must be configured.
1. The Exchange Server 2003 SP2 front-end server, to accept Certificate-based authentication for the Exchange ActiveSync virtual directory.
2. Kerberos constrained delegation between Exchange Server 2003 SP2 front-end and back-end servers.
3. Certificate enrollment XML in Active Directory.
If you have a firewall or reverse proxy, such as an ISA server, there are additional configuration steps required.
Configuring Exchange Server 2003 Front-End Server
Exchange ActiveSync in Exchange Server 2003 SP2 relies on the built-in authentication mechanism of IIS 6.0 for both Basic and Client Certificate-based authentication.
Follow these steps to enable Client Certificate-based authentication on the Exchange Server 2003 SP2 front-end server.
Configure secure communications with SSL
Note:
We recommend that you use an SSL certificate issued from a well-known Certification Authority to avoid having to install the corresponding Trusted Root Certificate on the mobile device.
Configure the Exchange ActiveSync virtual directory to accept Client Certificate-based authentication
Configure Kerberos Constrained Delegation
You must configure Kerberos constrained delegation between the Exchange Server 2003 SP2 front-end and back-end servers.
Adding Service Principal Names
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The Kerberos authentication service can use an SPN to authenticate a service. For Kerberos constrained delegation to work between the ISA 2006 server and the Exchange Server front-end and back-end environment, and between the Exchange Server front-end and back-end servers, additional SPN entries are required.
Configure Servers to be Trusted for Delegation
For Kerberos constrained delegation to work, the Computer object entries in Active Directory must be configured to be Trusted for Delegation. The Exchange front-end server must be able to delegate Kerberos tickets to the Exchange back-end server.
Note:
If your topology will include Internet Security and Acceleration (ISA) Server 2006, you will also need to configure the ISA 2006 server to be able to delegate Kerberos tickets to the Exchange front-end server.
Configure Windows Mobile Certificate Enrollment
You will need to set up Active Directory to be able to process client certificate enrollment requests made by Windows Mobile 5.0 MSFP devices. The steps include the following:
Configuring Active Directory with the relevant Windows Mobile Certificate enrollment information
Enrolling for a new client certificate by using Desktop ActiveSync.
Overview of Certificate Enrollment Configuration
The IT configuration steps and application actions involved in certificate enrollment are as described in the following table.
Task or activity: Use the certificate enrollment tool.
What occurs: The administrator creates the device certificate enrollment configuration XML from the sample XML that is provided with the tool download. Then, the sample XML is uploaded to Active Directory using the Microsoft Visual Basic® Scripting Edition (VBScript) file that was provided with the tool download.
Outcome: The device certificate enrollment XML that is customized for the users' IT environment is available in the correct Active Directory location. See "Uploading the XML to Active Directory," for more information.

Task or activity: Deploy Desktop ActiveSync 4.1 or later to user desktops.
What occurs: Desktop ActiveSync 4.1 or later is installed on the user's corporate computer.
Outcome: The user can cradle the device, thereby connecting it to the corporate network and enabling it to perform the certificate enrollment steps noted below.

Task or activity: Configure device.
What occurs: The device is connected through Desktop ActiveSync 4.1 or later to the user's corporate desktop, to enroll. The Desktop ActiveSync application downloads the configuration XML from Active Directory. Desktop ActiveSync "pushes" the XML to the Windows-based mobile device over the USB Remote API (RAPI) connection. During the setup of the device and desktop partnership, the user is prompted to enter his or her corporate username, password, and domain. To add these credentials to the device to enable enrollment, the Save the password check box must be selected.
Note:
After the enrollment has been attempted one time, the username, password, and domain information are purged from the memory of the device. These items are used only for one attempted enrollment.
Outcome: The XML is processed into registry settings that you can use for the certificate enrollment operation.

Task or activity: Attempt at initial synchronization.
What occurs: The device tries an initial server synchronization.
Outcome: Synchronization fails. This step occurs by design because the client tries to use Basic (password) authentication. However, the server requires certificate authentication, so it returns an HTTP 403 error to the device. The error indicates that a certificate is required for authentication.

Task or activity: Enroll certification.
What occurs: The device initiates certificate enrollment using the saved Exchange ActiveSync username, password, and domain, combined with the certificate enrollment configuration. A connection is made to the Windows Certificate Services Web server that is specified in the enrollment configuration.
Outcome: Enrollment is processed using a Windows 2000 Server or a Windows Server 2003 certification authority (CA) that is running the Web-based enrollment feature.
Note:
If authentication fails because the password is incorrect, the user can retry, but he or she must enter the password on the device. If authentication fails because a bad username or domain was entered, the Exchange server settings on the mobile device must be deleted and then re-created.

Task or activity: Attempt at subsequent synchronization.
What occurs: The device receives the certificate context from the Certificate Enrollment API. ActiveSync tries to re-authenticate to the Exchange front-end server using the returned certificate.
Outcome: Certificate-based authentication continues to work after the certificate enrollment step has been processed. The same process is used to enroll for a new certificate if the certificate is deleted or expires.
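The "Attempt at initial synchronization" row above relies on the front-end server answering an unauthenticated request with an HTTP 403 rather than a Basic-authentication challenge. The following added example (not part of the Microsoft guide or its tool) is a defender-side check for that: it sends one request with no client certificate and no credentials to the Exchange ActiveSync virtual directory and classifies the reply, so a front end that silently fell back to password authentication is noticed. The host name and the sample responses in the test are constructed; the /Microsoft-Server-ActiveSync path is the standard Exchange ActiveSync virtual directory.

```python
# Added example, not from the Microsoft guide: check that the Exchange
# ActiveSync virtual directory really demands a client certificate.
import http.client
import ssl

# Standard Exchange ActiveSync virtual directory path.
EAS_PATH = "/Microsoft-Server-ActiveSync"


def classify_auth_response(status, headers):
    """Classify the reply to a request that carried no certificate and no
    credentials.  `headers` is an iterable of (name, value) pairs.
      'certificate-required' : 403 with no Basic challenge (expected state)
      'basic-fallback'       : 401 with a Basic challenge (passwords accepted)
      'unexpected'           : anything else (open, misrouted, error page)"""
    challenges = [v for k, v in headers if k.lower() == "www-authenticate"]
    basic = any(c.strip().lower().startswith("basic") for c in challenges)
    if status == 403 and not basic:
        return "certificate-required"
    if status == 401 and basic:
        return "basic-fallback"
    return "unexpected"


def probe_front_end(host, path=EAS_PATH, timeout=10):
    """Send one anonymous OPTIONS request over TLS and classify the answer.
    Server-certificate verification stays on so the probe itself cannot be
    answered by an interposed host.  `host` is supplied by the caller."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return classify_auth_response(resp.status, resp.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Constructed default; pass your own front-end host name as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(target, probe_front_end(target))
```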
Appendix B: Install and Configure an ISA Server 2004 Environment
This section discusses steps for deployment of Exchange Server 2003 SP2 mobile messaging in an ISA Server 2004 environment. During this part of the process, you will:
Install ISA Server 2004.
Create the Exchange ActiveSync publishing rule using Web publishing, opening Port 443 as a Web Listener.
Configure the host file entry.
Set the ISA Server 2004 idle session timeout to 1800 seconds (30 minutes).
Note:
Increasing the timeout values maximizes performance of the direct push technology and optimizes device battery life.
Test OWA and Exchange ActiveSync.
Note:
If you plan to use Certificate Authentication with ISA Server 2004, you must use Server Publishing or tunneling to create your Exchange ActiveSync publishing rule. See the instructions in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Refer to Network Architecture Alternatives for background about network architecture and SSL setup.
If you have ISA Server 2000, see "Using ISA Server 2000 with Exchange Server 2003" at http://go.microsoft.com/fwlink/?LinkId=62670.
For more information about configuring ISA 2000, see the following article in the Microsoft Knowledge Base: "How to publish an Exchange 2000 Server computer or an Exchange Server 2003 computer by using Internet Security and Acceleration (ISA) Server 2000," at http://go.microsoft.com/fwlink/?LinkId=109205.
Installing ISA Server 2004
If you are following the network architecture that the Deployment Configurations and Best Practices for Deploying a Mobile Messaging Solution section recommends, you should install ISA Server 2004 as a stand-alone firewall on your server. Do not install ISA Server 2004 as part of an ISA server array, because that deployment requires domain membership. Your ISA server should not be a member server in your Microsoft Windows forest because, if the ISA server is compromised by attacks from the Internet, the attackers can gain access to domain resources if those resources are in the same domain. Additionally, you should minimize the number of ports that are open to your internal network. Member servers require additional ports for activities such as talking to domain controllers.
Note:
It is recommended that you set up both Exchange ActiveSync and OWA publishing on the ISA server. Having OWA published in addition to Exchange ActiveSync will give you greater troubleshooting capabilities.
To install ISA Server 2004
1. Install and configure Microsoft Windows Server 2003 on the firewall computer.
2. Go to Microsoft Update, and then install all critical security hot fixes and service packs for Windows Server 2003.
3. Remove the server from any domain that it is a member of, and then place it in a workgroup.
4. Install ISA Server 2004.
5. Export the OWA SSL Certificate from the Exchange front-end OWA server to a file.
Creating the Exchange ActiveSync Publishing Rule Using Web Publishing
Web publishing rules determine how ISA Server 2004 intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server, and how ISA Server 2004 responds on behalf of the internal Web server.
During this process, you will be required to provide names for the publishing rule itself, the internal and external Web servers, and the Web Listener. Read through these instructions and determine appropriate names before you begin.
For more information, see Publishing Web Servers Using ISA Server 2004 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=108956.
Note:
If you plan to use Certificate Authentication with ISA Server 2004, you must use Server Publishing or tunneling to create your Exchange ActiveSync publishing rule. Skip the following procedure, and follow the instructions in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
After you create and name the Web publishing rule, you will create and configure the Web Listener, complete the Web site rule, and update the firewall policy.
To create and name the Exchange ActiveSync Web publishing rule
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.
2. Right-click the Firewall Policy node, point to New, and then click Mail Server Publishing Rule.
3. On the Welcome to the New Mail Server Publishing Rule Wizard page, type a name for the rule in the Mail Server Publishing Rule Name text box. Click Next.
4. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option, and then click Next.
5. On the Select Services page, click to select the Exchange ActiveSync check box. Confirm that there is a check mark in the Enable high bit characters used by non-English character sets check box. (If you expect users to read only English-based character sets, you can make this option unavailable by clearing the check box.) For troubleshooting purposes, we recommend that you click to select the Outlook Web Access check box. Click Next. The following illustration shows the Bridging Mode page of the New Mail Server Publishing Rule Wizard.
6. On the Bridging Mode page, click the Secure connection to clients and mail server option, and then click Next.
The Secure connection to clients and mail server option creates a Web publishing rule that provides the SSL connection from the client mobile device to the Exchange Web site. This option prevents the traffic from moving in the clear, where an intruder can sniff the traffic and intercept valuable information.
7. On the Specify the Web Mail Server page, type the name for the internal Web site in the Mail server text box, and then click Next.
The name that you type is the name used for the Exchange Server 2003 Web site on the internal network. The name in the request that the ISA Server 2004 firewall sends to the Exchange server on the internal network should be the same as the name on the certificate that is installed on the Exchange ActiveSync Web site.
8. On the Public Name Details page, click the This domain name (type below) option in the Accept requests for list. In the Public name box, type the name that external users will use to access the Exchange ActiveSync Web site, and then click Next.
All incoming Web requests must be received by a Web Listener. A Web Listener may be used in multiple Web publishing rules.
To Create the Web Listener
1. On the Select Web Listener page, click New. With the ISA Server 2004 Web Listener, you have several options:
You can create a separate Web listener for SSL and non-SSL connections on the same IP address.
Based on the number of addresses that are bound to the external interface of the ISA Server 2004 firewall, you can configure separate settings for each Web Listener. The Web Listener settings are not global.
2. On the Welcome to the New Web Listener Wizard page, type a name for the Web Listener in the Web listener name text box, and then click Next.
3. On the IP Addresses page, select the External check box, and then click Address.
4. In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option. In the Available IP Addresses list, click the external IP addresses that are on the ISA Server 2004 firewall and that you want to listen for incoming requests to the OWA Web site, and then click Add. The external IP addresses that you selected now appear in the Selected IP Addresses list. Click OK.
5. On the IP Addresses page, click Next.
6. On the Port Specification page, click to clear the Enable HTTP check box, select the Enable SSL check box, and leave the SSL port number at 443.
Note:
By configuring this Web listener to use only SSL, you can configure a second Web listener that is dedicated to non-SSL connections with different settings.
7. Click Select. In the Select Certificate dialog box, click the Exchange ActiveSync Web site certificate that you imported into the ISA Server 2004 firewall computer's certificate store, and then click OK.
Note:
This certificate will appear in the Select Certificate dialog box only after you have installed the Web site certificate into the ISA Server 2004 firewall computer's certificate store. In addition, the certificate must contain the private key. If the private key was not included, it will not appear in this list.
8. On the Port Specification page, click Next.
9. On the Completing the New Web Listener page, click Finish.
The next procedure is to configure the Web Listener so that no authentication methods are configured.
To configure the Web Listener
1. On the Select Web Listener page, where the details of the Web Listener now appear, click Edit.
2. In the OWA SSL Listener Properties dialog box, click the Preferences tab. The following illustration shows the OWA SSL Listener Properties dialog box.
3. On the Preferences tab, click Authentication.
4. In the Authentication dialog box, click to clear the Integrated check box. In the Microsoft Internet Security and Acceleration Server 2004 dialog box that warns you that no authentication methods are currently configured, click OK.
Note:
Do not select the OWA-Forms Based Authentication check box.
5. In the SSL Listener Properties dialog box, click Apply, and then click OK.
6. On the Select Web Listener page, click Next.
7. On the User Sets page, accept the default entry All Users, and then click Next.
Note:
Accepting the All Users default entry does not enable all users to access the Exchange Web site. Only users who can authenticate successfully will be able to access the Exchange Web site. The actual authentication is done by the Exchange Web site, which uses the credentials that the ISA Server 2004 firewall has forwarded to it. The ISA Server 2004 firewall and the Exchange Web site cannot both authenticate the user. This means that you must allow all users access to the rule. An exception to this rule is when users authenticate to the ISA Server 2004 firewall itself by using client certificate authentication.
8. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
As a final procedure, you will allow the Exchange Web site to receive the mobile device's actual IP address.
To complete the Web Site rule and update the firewall policy
1. In the Details pane of the ISA Server Management console, right-click the EAS Web site rule, and then click Properties.
2. In the Web site Properties dialog box, click the To tab. On the To tab, click the Requests appear to come from the original client option. This option allows the Exchange Web site to receive the actual IP address of the external client mobile device. This feature enables Web login add-ons installed on the OWA Web site to use this information when creating reports. The following illustration shows the OWA Web site Properties dialog box.
3. Click Apply, and then click OK.
4. Click Apply to save the changes and update the firewall policy.
5. In the Apply New Configuration dialog box, click OK.
The SSL Web site is now available on the external IP address of the ISA server. You may have to make host record changes on your externally-accessible Domain Name System (DNS) server to map the IP address of the ISA server's external interface to the host record of the SSL Web site.
Configuring the Hosts File Entry
The next procedure is to create a Hosts file entry on the ISA Server 2004 firewall computer so it resolves the name that you specified for your internal Web mail server to the IP address of the Exchange server that is on the internal network.
Note:
You could also use a split DNS infrastructure for this purpose. However, a Hosts file entry is easier to create. On a production network, you would create a split DNS infrastructure so the ISA Server 2004 firewall would resolve the fully qualified domain name (FQDN) of the OWA Web site to the IP address that the Exchange Server uses on the internal network.
To configure the Hosts file entry
1. Click Start, and then click Run. In the Run dialog box, type Notepad in the Open text box, and then click OK.
2. From the File menu, click Open. In the Open dialog box, type c:\windows\system32\drivers\etc\hosts in the File name text box, and then click Open. The following illustration shows the Open dialog box.
3. Add the following line to the Hosts file: 10.0.0.2 <your firewall name>.
4. Move your cursor to the end of the line, so the insertion point sits on the next line, and then press ENTER.
5. From the File menu, click Exit.
6. In Notepad, save the changes to the file, and then close Notepad.
Setting the ISA Server 2004 Idle Session Timeout
In this procedure, you will modify the idle session timeout to accommodate the time that is required for the direct push technology to successfully function.
For more information about modifying the idle session timeout time, see the "Best Practice: Configuring Your Firewall for Optimal Direct Push Performance" section in Best Practices for Deploying a Mobile Messaging Solution.
To set the ISA Server 2004 idle session timeout to 1800 seconds
1. In the console tree of ISA Server Management, click Firewall Policy.
2. On the Toolbox tab, click Network Objects.
3. From the list of folders, expand the Web Listeners node, and then view the Properties of the appropriate Web Listener.
4. Select the Preferences tab, and then click the Advanced... button.
5. Modify the value for Connection Timeout from the default 120 seconds (2 minutes) to 1800 seconds (30 minutes).
6. Click OK twice to accept the change.
7. Click Apply to make these changes.
Testing OWA and Exchange ActiveSync
After you complete the configuration, you should test the following features that you configured:
Test OWA (optional).
Test Exchange ActiveSync.
An external client mobile device can access the OWA server as long as it can resolve a FQDN to the external IP address of the ISA server. This resolution is usually achieved by registering a public Internet domain name with a public DNS server that maps the Web site name to the external IP address of the ISA Server.
If you have set up OWA according to the instructions in the Exchange Server 2003 Client Access Guide at http://go.microsoft.com/fwlink/?LinkId=62628, you can test it by using the following process.
Testing OWA
To test the deployment in a lab environment, specify the Web site host name resolution information by using Notepad in the client mobile device hosts file that is located under the following path: \system32\drivers\etc\hosts in the Windows installation directory.
To test OWA (if installed)
1. To connect to the OWA Web site from the external client mobile device, type the Web address that you specified during setup. Be certain to specify https in the URL.
2. When you connect, you should see a logon page that requests credentials and the session type (public or private). Provide this information so you can access your mailbox.
3. If you have set time-outs or blocked attachments, test those features by leaving the browser inactive for a period of time and then trying to access mail, and by trying to open or save attachments.
Testing Exchange ActiveSync
You can verify that ISA Server 2004 and Exchange ActiveSync are working properly by configuring a mobile device to connect to your Exchange server by using Exchange ActiveSync. As an alternative, you can test Exchange ActiveSync by using Internet Explorer.
To test Exchange ActiveSync by using Internet Explorer
1. Open Internet Explorer.
2. In the Address bar, type https://published_server_name/Microsoft-Server-Activesync, where published_server_name is the published name of your OWA server (the name your end users will type).
3. Type the user name and information that you want to authenticate.
If you receive one of the following error messages: Error 501/505 "Not implemented" or "Not supported", ISA Server 2004 and Exchange ActiveSync are working together properly.
See Also
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices
Appendix C: Troubleshooting a Mobile Messaging Solution
This section provides information about troubleshooting tools and detailed information and specific troubleshooting steps around Microsoft direct push technology so that you can better isolate mobility issues within your network infrastructure.
This section contains information on the following subjects:
Logging and Troubleshooting Tools
Issues Related to Direct Push Technology
Issues with ISA Server 2006
Certificate Implementation Issues on the Server
Communication Issues between the Front-end and Back-end Exchange Servers
Frequently Asked Questions
Logging and Troubleshooting Tools
The following troubleshooting and logging tools should help you track and resolve mobility issues.
Monitoring Mobile Performance on Exchange Server 2003 SP2
To track the performance, availability, and reliability of Exchange ActiveSync and other mobile messaging components, you can use the Exchange Server Management Pack. The Exchange Server Management Pack includes rules and script components that validate the availability of communication services, send test e-mails to verify operations, and measure actual delivery times.
With Exchange Server 2003 SP2, the following new rules were added:
Exchange database size limits
Exchange ActiveSync configuration settings
Exchange ActiveSync Up-to-Date Notifications performance
Exchange ActiveSync errors
Monitor intelligent message filtering performance
Intelligent message filtering for errors
Sender ID configuration errors
Sender ID errors
Disk read/write performance
DSAccess settings
Public folder replication
The Exchange Management Pack Configuration Wizard provides a graphical user interface (GUI) to configure Exchange 2000 and Exchange 2003 Management Packs, including test mailboxes, message tracking, and monitoring services.
You can download the Exchange Management Pack from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=55885.
The Exchange Server Management Pack Guide for MOM 2005 explains how to use the Exchange Management Pack to monitor and maintain messaging resources.
You can download the management pack guide from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=58794.
ISA Server Best Practices Analyzer
To determine the overall health and diagnose common configuration errors, download and run the Microsoft ISA Server Best Practices Analyzer Tool at the Microsoft Download Center at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=108979.
Issues Related to Direct Push Technology
Refer to Understanding the Direct Push Technology in this document for details on how direct push works.
General Direct Push Troubleshooting Tips
In general, there are three troubleshooting steps that an administrator can take to troubleshoot connectivity issues:
1. Verify that the operating system on the mobile devices includes MSFP. Windows Mobile 5.0-based devices that have a version number of 148xx.2.x.x or later include the Messaging and Security Feature Pack. To find the operating system version on the device, select Start, choose Settings, and then select About.
2. Verify that your mobile operator supports direct push. It is important that your mobile operator perform basic troubleshooting so that you can determine if your mobile operator supports direct push on their cellular data network.
3. Provision a mobile device on the mobile operator's network for Exchange ActiveSync and try to synchronize manually. If this works, then the network supports basic connectivity to the Internet.
4. Enable direct push technology on the device by setting the synchronization schedule on the device to As items arrive. Send email to the account with which the device is provisioned, and verify that it is immediately synchronized by the mobile device by means of Exchange ActiveSync. If this step works, wait twenty or so minutes and try again. If it does not work, verify that the mobile operator timeouts are set to thirty minutes.
Path Troubleshooting Direct Push
In many cases, a single firewall or gateway in the network can cause timing issues that impede the direct push path.
If your users have problems with short battery life, the heartbeat interval may be too short. Contact your mobile operator to have the device heartbeat interval modified.
If your users' devices are unsynchronized for long periods of time, this may be a result of having the Exchange server session duration shorter than the maximum heartbeat interval. Check with your mobile operator.
Another possible cause of unsynchronized devices has to do with the firewall settings. The firewall session timeout should be equal to or greater than the idle timeout on your mobile operator's network or the firewall will close the session prematurely.
In all mobile messaging scenarios, you will need to ensure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. While each network infrastructure varies, the following illustration depicts a typical network infrastructure where the firewall idle session timeouts need to be adjusted to 30 minutes.
Using a heartbeat interval of 30 minutes has positive implications for battery life and bandwidth consumption. When direct push sessions are permitted to live longer (such as 30 minutes), there are fewer HTTP round trips, less data sent and received, and less power consumed by the device.
In other infrastructure scenarios, idle session timeout settings may also include any other packet-forwarding networking devices or web appliances between the Exchange 2003 Server and the mobile device. To modify the idle session timeout settings for your third-party firewall or reverse proxy device, refer to the hardware manufacturer's documentation. Additionally, Microsoft has worked with mobile operators to increase the idle connection timeouts on their outgoing firewalls, but the enterprises that are deploying direct push technology will also need to increase those timeouts on their incoming firewalls per the instructions above. In Microsoft's own deployment, the timeouts on the firewall are set to thirty minutes.
Verify Direct Push Initialization
The Exchange Product team has written an article that explains steps that an administrator can take to help isolate direct push technology issues. For additional information and the full context of this article, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=67080.
1. Verify that Exchange ActiveSync is loaded and IP-based AUTD is initialized by checking the application log on the FE for the events below. Exchange ActiveSync gets initialized on the first sync attempt.
Event Type: Information
Event Source: Server ActiveSync
Event Category: None
Event ID: 3002
Date: 3/19/2006
Time: 12:44:08 PM
User: N/A
Computer: 1B25A
Description:
Microsoft Exchange ActiveSync has been loaded. Process ID: [3048].
Event Type: Information
Event Source: Server ActiveSync
Event Category: None
Event ID: 3025
Date: 3/19/2006
Time: 12:44:19 PM
User: N/A
Computer: 1B25A
Description:
IP-based AUTD has been initialized.
2. Verify that the FE is listening on port 2883.
3. To check if the server is listening on the AUTD port, you can run "netstat -ano". Here are results before and after IP-based AUTD has initialized.
Before
Proto  Local Address     Foreign Address  State  PID
UDP    0.0.0.0:1985      *:*                     1928
UDP    0.0.0.0:3456      *:*                     3356
After
Proto  Local Address     Foreign Address  State  PID
UDP    0.0.0.0:1985      *:*                     1928
UDP    0.0.0.0:2883      *:*                     3048
UDP    0.0.0.0:3456      *:*                     3356
Netstat provides the Process ID, which matches the EAS process per the initialization event in the application log.
Another way to check if the server is listening on the AUTD port is to use PortQry (available on Microsoft.com). The following lists the process that is listening on the port:
Process ID: 3048 (w3wp.exe)
PID   Port  Local IP      State        Remote IP:Port
3048  TCP   31473  172.29.8.222  ESTABLISHED  172.29.9.107:3268
3048  TCP   31480  172.29.8.222  ESTABLISHED  172.29.9.107:389
3048  UDP   2883   0.0.0.0       *:*
Troubleshooting Direct Push Using Logs
1. To enable device logging, go to ActiveSync, Menu, Configure Server, Next, Advanced and turn up Event logging to Verbose. The logs will be saved in the \Windows\ActiveSync folder. PING commands will be logged in "Ping Exchange Server x.txt" where x = 1,2,3. You should see commands similar to the one that follows:
POST Microsoft-Server-ActiveSync?User=administrator&DeviceId=6F24CAD5998A5BF1869024BAC68FAEAD&DeviceType=PocketPC&Cmd=Ping
MS-ASProtocolVersion: 2.5
The POST command is also logged in the IIS log on the FE.
The Ctrl log on the device can also be used to troubleshoot direct push technology, although the format of this file may change with device updates.
1. Check the IIS logs on the BE to see if AUTDState.XML is being created or updated. You should see an entry similar to the one that follows:
PUT /exchange/Administrator@1b1domain.lab/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/PocketPC/6F24CAD5998A5BF1869024BAC68FAEAD/AutdState.xml
Note:
The AUTDState.XML is created on receipt of the first PING request and is updated only when the heartbeat or folder list changes. So you may not see this command for every Ping request.
AUTD state information is maintained on the mailbox server in the NON_IPM_SUBTREE of each user's mailbox.
In Internet Explorer, you can choose File, Open, check the box to "Open as Web Folder" and type the following:
http://server/exchange/user/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/Autd-State.XML
The following is a sample AUTDState.XML file.
<?xml version="1.0" encoding="utf-8"?>
<AutdState xmlns="Ping:">
<Version>1.0</Version>
<HeartbeatInterval>680</HeartbeatInterval>
<Folders>
<Folder>
<Id>7529a5b36290aa458b9e1fc2d5ff85a6-10002</Id>
<Class>Email</Class>
</Folder>
<Folder>
<Id>7529a5b36290aa458b9e1fc2d5ff85a6-2cfb8</Id>
<Class>Calendar</Class>
</Folder>
</Folders>
</AutdState>
UDP: Src Port: Unknown (33660); Dst Port: Unknown (2883); Length = 162 (0xA2)
UDP: Source Port = 0x837C
UDP: Destination Port = 0x0B43
UDP: Total length = 162 (0xA2)
UDP: UDP Checksum = 0xC233
UDP: Data: Number of data bytes remaining = 154 (0x009A)
Push Mail and GAL Lookup missing when syncing to Exchange 2003 SP2 with a MSFP Device.
The following is a reprint of a blog on Microsoft TechNet that explains steps that an administrator can take to help isolate issues around direct push email and GAL Lookup when synching to Exchange 2003. For additional information and the full context of this article, please see the following TechNet blog: http://go.microsoft.com/fwlink/?LinkId=108981.
During deployments you may run into the issue where your server is up and you are syncing without a problem, but you aren't getting the option to sync as items arrive and the option to do Lookup Online is missing. This is normally caused by a firewall issue where the Options verb is being blocked.
We see that we are not returning the expected response for the OPTIONS command from the following entry in the device logs. Enable Verbose logging on the device from server settings in Advanced on the device to see these logs.
=-= Build 18487 =-=
=-= No XIP Information Available =-=
mail.company.com
=-=- [12/10/2006 2:28:59.0] -=-=
=-=-=-= Client Request =-=-=-=
OPTIONS Microsoft-Server-ActiveSync?User=dtest&DeviceId=6F24CAD5998A5BF1869024BAC68FAEAD&DeviceType=PocketPC
Accept-Language: en-us
X-MS-PolicyKey: 0
-=-=-=- Start of Body -=-=-=-
=-=- [12/10/2006 2:29:4.0] -=-=
=-=-=-= Server Response =-=-=-
HTTP/1.1 500 Internal Server Error ( The system cannot find the file specified. )
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2014
The HTTP 500 is the response from the server for the OPTIONS command sent by the device. We normally get this response if URLScan is blocking the verb. So we have to check for URLScan on the server. If URLScan is present, then we can add OPTIONS to the AllowVerbs section of the URLScan.ini file.
The above symptom is confirmed from the IIS logs as well.
2006-10-10 04:01:13 W3SVC1 SCIDUPMSG01 10.251.99.165 POST /Microsoft-Server-ActiveSync User=username&DeviceId=02563C02394 2F3E16800005 0BF1977E0&DeviceType=PocketPC&Cmd=Sync&Log=V1TCaSSC:080C0D0FS:080C0D0SP:1C3:3040S122000_0S0L0H0P 443 contoso\username 209.95.228.19 HTTP/1.0 Microsoft-PocketPC/3.0 - - mail.company.com 200 0 0 326 516 249
Notice the entry Log=V1 in the above log entry.
It indicates that AirSync protocol version 1.0 is being used, whereas with Push functionality AirSync version 2.5 is the latest and is to be used.
Ideally we should use AirSync protocol version 2.5, which will be represented as Log=V4.
So permitting the OPTIONS verb in URLScan, or whatever software is blocking it, should resolve the issue.
Sample Server response
=-=- [16/9/2006 1:15:23.0] -=-=
=-=-=-= Server Response =-=-=-
HTTP/1.1 200 OK
Date: Fri, 15 Sep 2006 19:45:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 0
Public: OPTIONS, POST
Allow: OPTIONS, POST
MS-Server-ActiveSync: 6.5.7638.1
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,ValidateCert,Provision,Search,Notify,Ping
Based on the list of commands returned by the server as above, the device will decide which version of the AirSync protocol to use. Different features like direct push technology or AUTD etc. depend on the version of the protocol being used for communication.
Check for URLScan on your Exchange server and check if any other device or software is blocking the OPTIONS command.
URLScan is an add-on tool that can be used by Web site administrators. The administrators can control the actions of URLScan and can restrict the type of HTTP requests that the server processes. The URLscan.ini file is the configuration file of this tool; the URLscan tool will not function after we rename this file, and once we rename it back it will start working again. Nothing else will be affected.
For more information see the Microsoft Knowledge Base article, "Using URLScan on IIS" (http://support.microsoft.com/kb/307608/). The purpose of this article is to ensure effective distribution of the Internet Information Services (IIS) security tool URLScan.
After you edit your URLSCAN.ini file a server reboot is not required; just restart the IIS & WWW services.
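The OPTIONS check described above can be scripted instead of read by eye. The following is an added example, not part of the original guide or the quoted blog: it parses the headers Exchange 2003 SP2 returns to an OPTIONS request on /Microsoft-Server-ActiveSync and reports the conditions the text calls out (non-200 status from a blocked verb, no AirSync 2.5, no Ping or Search command, Log=V1 in the IIS log). HEALTHY_RESPONSE, BLOCKED_RESPONSE and SAMPLE_IIS_LINE are constructed samples modelled on the output shown above; fetch_options_raw and its host/user/password parameters are assumptions for a live check.

```python
"""Judge direct push readiness from an Exchange ActiveSync OPTIONS response."""
import base64
import http.client
import re
from typing import Dict, List

# Constructed sample: header values copied from the healthy 200 OK response
# quoted above, with an empty body.
HEALTHY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, POST\r\n"
    "MS-Server-ActiveSync: 6.5.7638.1\r\n"
    "MS-ASProtocolVersions: 1.0,2.0,2.1,2.5\r\n"
    "MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,"
    "GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,"
    "MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,"
    "MoveItems,GetItemEstimate,MeetingResponse,ResolveRecipients,"
    "ValidateCert,Provision,Search,Notify,Ping\r\n"
    "\r\n"
)

# Constructed sample of the failure mode: URLScan (or another filter) has
# blocked the OPTIONS verb, so IIS answers 500 with no ActiveSync headers.
BLOCKED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed IIS log line in the shape shown above; only the Log=V token
# is inspected.
SAMPLE_IIS_LINE = (
    "2006-10-10 04:01:13 W3SVC1 SERVER01 10.0.0.5 POST "
    "/Microsoft-Server-ActiveSync "
    "User=username&DeviceId=0000&DeviceType=PocketPC&Cmd=Sync&Log=V1T 443"
)


def parse_options_response(raw: str) -> Dict[str, object]:
    """Split a raw HTTP response into its status and the ActiveSync header lists."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()

    def csv(name: str) -> List[str]:
        return [x.strip() for x in headers.get(name, "").split(",") if x.strip()]

    return {
        "status": status,
        "server": headers.get("ms-server-activesync", ""),
        "versions": csv("ms-asprotocolversions"),
        "commands": csv("ms-asprotocolcommands"),
    }


def direct_push_diagnosis(raw: str) -> List[str]:
    """Return the findings an administrator would act on; an empty list means healthy."""
    info = parse_options_response(raw)
    if info["status"] != 200:
        return ["OPTIONS returned HTTP %d: the verb is probably blocked "
                "(check URLScan AllowVerbs and any reverse proxy in front of IIS)"
                % info["status"]]
    findings: List[str] = []
    if "2.5" not in info["versions"]:
        findings.append("server does not advertise AirSync 2.5")
    if "Ping" not in info["commands"]:
        findings.append("Ping not advertised: direct push cannot work")
    if "Search" not in info["commands"]:
        findings.append("Search not advertised: GAL lookup cannot work")
    return findings


def airsync_log_version(iis_line: str) -> int:
    """Extract N from the Log=VN token of an ActiveSync IIS log entry (0 if absent)."""
    m = re.search(r"[&?]Log=V(\d+)", iis_line)
    return int(m.group(1)) if m else 0


def fetch_options_raw(host: str, user: str, password: str) -> str:
    """Send the OPTIONS request over HTTPS with Basic auth (needs network; not run by the test)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, 443, timeout=15)
    conn.request("OPTIONS", "/Microsoft-Server-ActiveSync",
                 headers={"Authorization": "Basic " + token})
    resp = conn.getresponse()
    head = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    head += "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
    return head + "\r\n"


if __name__ == "__main__":
    print(direct_push_diagnosis(HEALTHY_RESPONSE))  # []
    print(direct_push_diagnosis(BLOCKED_RESPONSE))
    print(airsync_log_version(SAMPLE_IIS_LINE))     # 1
```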
Issues Related to ISA Server 2006
The following issues have been discovered in early deployment of ISA Server 2006.
Double Authentication Required after Upgrading from ISA Server 2004
After upgrading from ISA Server 2004, when an Exchange publishing rule was defined with forms-based authentication, users are prompted twice for their credentials. In ISA Server 2004, when you create a rule with the New Mail Server Publishing Rule Wizard, authentication delegation is not required, because it is handled by ISA Server itself. When this rule is upgraded to ISA Server 2006, authentication delegation for the rule is set to No delegation.
The solution is to manually configure authentication delegation for the affected rule to Basic Authentication.
Log Off when the User Leaves Site Feature Removed
The Log off when the user leaves site setting has been removed from ISA Server 2006. Users should always use the log off button to properly log off from Outlook Web Access.
Windows Mobile Users Receive Error 401 Unauthorized
When a Windows Mobile user tries to access a published Outlook Web Access or Windows Mobile Access Web site published with the New Exchange Publishing Rule Wizard, the user receives error 401 instead of the Exchange logon forms.
This error appears when the required HTML form directories for Windows Mobile access are missing from the Exchange HTML form set directory.
The solution is to manually create the two directories, cHTML and xHTML, in the %programfiles%\Microsoft ISA Server\CookieAuthTemplate\Exchange folder. Then, copy the contents of the %programfiles%\Microsoft ISA Server\CookieAuthTemplate\Exchange\HTML folder to the cHTML and xHTML folders.
Users Receive Access Denied Error Message
When a user attempts to connect to a published Outlook Web Access site and does not add the /exchange suffix to the end of the URL, such as https://mail.contoso.com, instead of receiving the forms-based authentication logon screen, the user receives an "Access denied" error message. This error can be difficult to troubleshoot because ISA Server is behaving as expected.
A workaround is to publish the root of the Exchange front-end server, with an action of Deny, and redirect users to the proper URL, such as https://mail.contoso.com/exchange.
Perform the following procedure to automatically redirect users to the proper Outlook Web Access URL.
To create an Exchange Web client access publishing rule
1. In the console tree of ISA Server Management, click Firewall Policy:
For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.
For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.
2. On the Tasks tab, click Publish Web Sites. Use the wizard to create the rule as outlined in the following table.
Page | Field or property | Setting
Welcome | Web publishing rule name | Type a name for the rule, such as Exchange Redirect.
Select Rule Action | Action to take when rule conditions are met | Select Deny.
Publishing Type | Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites | Select Publish a single Web site or load balancer.
Server Connection Security | Choose the type of connections ISA Server will establish with the published Web server or server farm | Select Use SSL to connect to the published Web server or server farm.
    Note: A server certificate must be installed on the published Exch\ange front-end servers, and the root CA certificate must be installed on the ISA Server computer.
Internal Publishing Details | Internal site name | Type the internal FQDN of the Exchange front-end server. For example: exchfe.corp.contoso.com.
    Important: The internal site name must match the name of the server certificate that is installed on the internal Exchange front-end server.
    Note: If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer.
Internal Publishing Details | Path (optional) | Type / in the Path box.
Public Name Details | Accept requests for | This domain name (type below)
Public Name Details | Public name | Type the domain name that you want ISA Server to accept connections for. For example, type mail.contoso.com.
Select Web Listener | Web listener | Select the Web listener you created previously, such as Exchange FBA.
Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication.
User Sets | This rule applies to requests from the following user sets | Select the user set approved to access this rule. This should be the same user set that you used in the Exchange publishing rule.
Completing the New Web Publishing Rule Wizard | Completing the New Web Publishing Rule Wizard | Finish to complete the wizard.
Certificate Implementation Issues on the Server
For information about troubleshooting certificate implementation on the server, see "Certificate Revocation and Status Checking" on the Microsoft TechNet Web site: http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx
Communication Issues between the Front-end and Back-end Exchange Servers
For information about front-end and back-end communication issues, see the Microsoft Support Webcast, "Troubleshooting Microsoft Exchange Server 2003 ActiveSync Issues": http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Ftranscripts%2Fwct032504.asp
Frequently Asked Questions
The Exchange Product team has written an article that explains steps that an administrator can take to help isolate direct push technology issues. For more information about the deployment of direct push technology, see the Exchange Server blog article "Direct push is just a heartbeat away" at http://go.microsoft.com/fwlink/?LinkId=67080.
1. Does direct push technology work for folders other than inbox?
Yes, direct push is available for mail folders, Contacts, Calendar and Tasks. The list of folders for direct push is the same as the list of folders that have been configured for sync.
2. What devices support direct push technology?
Windows Mobile 5 devices require the Messaging and Security Feature Pack (MSFP) for direct push. MSFP is included with AKU2.2. So any Windows Mobile 5 device that has AKU2.2 supports direct push. The AirSync protocol has been licensed to several companies such as Palm, Motorola, Nokia, Symbian, Dataviz and SonyEricsson. Please contact the licensees to see if direct push capable devices are available.
3. Is direct push supported over Wi-Fi?
No. Direct push requires a cellular data connection. It is not supported over Wi-Fi or Desktop Passthrough (when the device is cradled).
Due to hardware limitations, Wi-Fi cannot go into standby mode and receive notifications. So in order to support direct push over Wi-Fi, the Wi-Fi connection would have to be kept alive, which in turn would drain the battery very rapidly.
4. Does direct push technology work with SecurID?
RSA has an update to their agent to allow it to work with direct push technology. RSA Authentication Agent 5.3 for Web for IIS enables you to use Exchange ActiveSync without having to reauthenticate every time ActiveSync is invoked. For more details, please read this and contact RSA.
5. Does direct push have an impact on server performance?
A typical FE services several thousand connections from clients using OWA, OMA, EAS, and RPC/HTTP clients. Based on the testing done by Microsoft IT, the additional connections opened by direct push did not require the deployment of any additional FE or BE servers. It also did not require an upgrade of hardware on existing servers.
For more information please refer to the whitepaper titled "Microsoft IT Scalability Experience with Windows Mobile 2003 and Exchange Server 2003 Mobile Messaging" available at http://www.microsoft.com/windowsmobile/business/strategy/scalability.mspx
Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device
To add a certificate to the Root store of a Windows Mobile-based device, you must have manager permission to the device or you must have the ability to run trusted code. The application security settings that are on your devices will determine whether or not you can add a root certificate. However, some devices are configured so that you get a prompt when you attempt to install a .cab file. In this case, you can follow the procedure below to add a certificate to the Root store of your Windows Mobile-based device.
The following list shows the trusted certificate authorities whose root certificates are included with Windows Mobile 5.0-based devices:
Verisign
GTE Cyber Trust
Equifax
Entrust
GlobalSign
Thawte
It is highly recommended that you install a certificate that is issued by one of the trusted certificate authorities on this list, or a certificate that chains to one of the trusted certificate authorities.
=o determine &hich certificates are included &ith your $indo&s Mobile)based de*ice, chec/ the
"oot certificate stores'
For a typical $indo&s Mobile)based Poc/et PC, o to
StartJSettingsJSyste$J"ertificatesJ'oot'
For a typical $indo&s Mobile)based 4martphone, o to
StartJSettingsJSecurityJ"ertificatesJ'oot'
"reating the !rovisioning NM) to #nstall a
"ertificate to the 'oot Store
=he pro*isionin code carries the certificate hash and instructions for placin it in the root store of
a mobile de*ice'
4o create the provisioning code that is necessary for adding a certificate to the root
store of a Windows Mobile-based device
1' Create an DM# file, and add the follo&in te+t'
<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="<certhash>">
        <parm name="EncodedCertificate" value="<base64encodedcert>"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
2. In Windows Explorer, double-click the root certificate that you need.
3. Choose the Details tab.
4. Choose Thumbprint in the Field list box.
5. Select the text in the box that is below the list box, and then press CTRL+C.
6. In the XML code, replace <certhash> with the copied text.
7. In the thumbprint text in the XML code, delete the white spaces, so that the value is a single run of 40 hexadecimal digits.
8. In the Certificate dialog box, choose OK to close the dialog box.
9. In Windows Explorer, open the exported root certificate by using a text editor. The certificate must have been exported in Base-64 encoded X.509 (.CER) format; a binary DER export contains no text to copy.
10. Delete the lines with BEGIN CERTIFICATE and END CERTIFICATE.
11. Remove the line breaks from the remaining text. This text is the base64-encoded contents of the root certificate.
12. Select the text, and then press CTRL+C.
13. In the XML code, replace <base64encodedcert> with the copied text. The completed provisioning XML document will have the shape shown in the following example.
<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="{hash of certificate}">
        <parm name="EncodedCertificate" value="{base64-encoded certificate}"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
14. Save the XML document as an ASCII file named _setup.xml.
Note:
You must name the file _setup.xml, because that is the name that the loader will recognize.
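The fourteen steps above, performed programmatically, as an added example that is not part of the Microsoft guide. It assumes a root certificate exported from Windows in Base-64 encoded X.509 (.CER) format; the embedded SAMPLE_PEM is a constructed placeholder (PEM framing around 32 arbitrary bytes), not a real certificate, and the function names are this example's own. The script computes the thumbprint (SHA-1 over the DER bytes, which is what the Certificate dialog displays), strips the PEM header, footer and line breaks, and writes the CertificateStore/ROOT document. Optionally it compares the thumbprint you copied from the dialog against the exported file, which catches the common mistake of exporting the wrong certificate.

```python
"""Generate the _setup.xml provisioning document from an exported root certificate.

Added example (not from the Microsoft guide): automates steps 1-14 of the
procedure for a certificate exported from Windows in Base-64 encoded X.509
(.CER) format.  The output is the CertificateStore/ROOT provisioning XML that
makecab packages into the .cab installed on the device.
"""
import base64
import hashlib
import re

# Constructed placeholder: valid PEM framing around 32 arbitrary bytes, NOT a
# real certificate.  Replace it with the contents of the .cer file you exported.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
-----END CERTIFICATE-----
"""

# Same shape as the document in step 1; the two placeholders are filled below.
PROVISIONING_TEMPLATE = """<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="ROOT">
      <characteristic type="{certhash}">
        <parm name="EncodedCertificate" value="{base64cert}"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
"""


def pem_to_der(pem_text: str) -> bytes:
    """Steps 10-11: drop the BEGIN/END lines and line breaks, decode the DER bytes."""
    body = "".join(
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    # validate=True rejects stray characters that would corrupt the value attribute.
    return base64.b64decode(body, validate=True)


def der_to_base64(der: bytes) -> str:
    """Step 13: the single-line base64 string placed in EncodedCertificate."""
    return base64.b64encode(der).decode("ascii")


def thumbprint(der: bytes) -> str:
    """Steps 4-7: the Windows thumbprint is SHA-1 over the DER encoding, shown as
    hex; the CSP expects it as 40 hex digits with no spaces."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_windows_thumbprint(copied_text: str) -> str:
    """Step 7 applied to text pasted from the Certificate dialog: keep only the hex
    digits, discarding spaces and any invisible formatting characters."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", copied_text).upper()
    if len(digits) != 40:
        raise ValueError("expected a 40-digit SHA-1 thumbprint, got %r" % copied_text)
    return digits


def build_provisioning_xml(pem_text: str, pasted_thumbprint: str = "") -> str:
    """Assemble the document.  If a thumbprint copied from the dialog is supplied,
    it must match the exported file, so the wrong .cer is caught before packaging."""
    der = pem_to_der(pem_text)
    certhash = thumbprint(der)
    if pasted_thumbprint:
        expected = normalize_windows_thumbprint(pasted_thumbprint)
        if expected != certhash:
            raise ValueError(
                "thumbprint %s does not match exported certificate %s" % (expected, certhash)
            )
    return PROVISIONING_TEMPLATE.format(certhash=certhash, base64cert=der_to_base64(der))


if __name__ == "__main__":
    document = build_provisioning_xml(SAMPLE_PEM)
    # Step 14: the loader only recognizes this exact file name.
    with open("_setup.xml", "w", encoding="ascii", newline="\r\n") as handle:
        handle.write(document)
    print(document)
```

Run it in the directory where you intend to execute makecab; it writes _setup.xml and echoes the document so the thumbprint and the base64 payload can be eyeballed against the Certificate dialog before the .cab is built.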
"reating a ;cab 2ile that "ontains the !rovisioning NM)
=he Xsetup'+ml file that you created in step 1: must be processed as a 'cab file before it is
transferred and installed on the $indo&s Mobile)based de*ice'
From the $indo&s command line prompt, run the follo&in te+t:
$a3ecab @setup;x$l Ifilena$eJ;cab
Distributing the CAB Provisioning File
The .cab file that contains the provisioning XML can be distributed to a Windows Mobile-based device that is cradled to a desktop PC, or on a variety of storage cards that can be inserted into the Windows Mobile-based device, such as a MultiMedia Card (MMC), a Secure Digital I/O (SDIO) card, or a CompactFlash card.
Note:
If the ActiveSync wizard appears when you connect the device to a desktop computer, click Cancel. It is recommended that you use Windows Explorer and File Explorer to transfer the .cab file to the device.
To copy the .cab file from the desktop to the device by using File Explorer
1. Copy the .cab file to the device.
2. On the device, locate the .cab file by using File Explorer.
3. Click the .cab file icon to initiate the installation.
4. A notification of successful installation will appear. If you get a prompt, you must answer Yes to let the installation process run.
5. Check the Root certificate store of the Windows Mobile-based device to verify that the certificate was installed.