DeployExchange2003 IT MOBILE


• 8/11/2019 DeployExchange2003 IT MOBILE

1/138

Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

Microsoft Corporation

Published: February 15 2008

Deploying Windows Mobile-based Devices with Exchange Server 2003 SP2

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveSync, Office Outlook, Visual Basic, Windows Mobile and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Contents

Introduction ..... 1
Document Structure ..... 1
Deploying Mobile Messaging: Introduction ..... 1
Assumptions ..... 1
Software Requirements ..... 2
Optional Items ..... 3
Deployment Process Summary ..... 3
Planning Resources .....
Messaging and Security Feature Pack Overview ..... 5
Features ..... 5
Security Features ..... 6
Advanced Security Features .....
Steps to Enable Certificate-Based Authentication ..... 100
Configuring Exchange Server 2003 Front-End Server ..... 100
Configure Kerberos Constrained Delegation ..... 100
Configure Servers to be Trusted for Delegation ..... 101
Configure Windows Mobile Certificate Enrollment ..... 101
Overview of Certificate Enrollment Configuration ..... 101
Appendix B: Install and Configure an ISA Server 2004 Environment .....
Installing ISA Server 2004 ..... 105
Creating the Exchange ActiveSync Publishing Rule Using Web Publishing ..... 106
Configuring the Hosts File Entry ..... 110
Setting the ISA Server 2004 Idle Session Timeout ..... 112
Testing OWA and Exchange ActiveSync ..... 112
Testing OWA .....
Testing Exchange ActiveSync .....
Appendix C: Troubleshooting a Mobile Messaging Solution ..... 115
Logging and Troubleshooting Tools ..... 115
Monitoring Mobile Performance on Exchange Server 2003 SP2 ..... 115
ISA Server Best Practices Analyzer ..... 116
Issues Related to Direct Push Technology ..... 116
General Direct Push Troubleshooting Tips ..... 116
Path Troubleshooting Direct Push .....

Microsoft Internet Security and Acceleration (ISA) Server 2006 (or ISA Server 2004 or third-party firewall)
Windows Certification Authority (CA)
RSA Authentication Manager 6.0 from RSA Security
RSA Authentication Agent for Microsoft Windows from RSA Security
RSA SecurID Authenticator from RSA Security

Deployment Process Summary

Because corporate network configurations and security policies vary, the deployment process will vary for each mobile messaging system installation. This deployment process includes the required steps and the recommended steps for deploying a mobile messaging solution that uses Exchange Server 2003 SP2 and Windows Mobile 5.0–based devices.

Note:
The following steps outline the process for setting up a mobile messaging solution with ISA Server 2006 in a workgroup in a perimeter network, with LDAP authentication. For more information on alternative network configurations, see Network Architecture Alternatives in this document.

The process can be accomplished in the following eight steps:

Step 1: Upgrade Front-End Server to Exchange Server 2003 SP2
Step 2: Update All Servers with Security Patches
Step 3: Protect Communications with Mobile Devices
Step 4: Protect Communications Between the Exchange Server and Other Servers
Step 5: Install and Configure ISA Server 2006 or Other Firewall
Step 6: Configure Mobile Device Access on the Exchange Server
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
Step 8: Manage and Configure Mobile Devices
Planning Resources

The following Microsoft Web sites and technical articles provide background information that is important for the planning and deployment of your mobile messaging solution.

Exchange Server 2003
Planning an Exchange Server 2003 Messaging System
Exchange Server 2003 Client Access Guide
Exchange Server 2003 Deployment Guide
Windows Server 2003 Deployment Guide
Using ISA Server 2004 with Exchange Server 2003
Windows Server 2003 Technical Reference
IIS 6.0 Deployment Guide (IIS 6.0)
Microsoft Exchange Server
Exchange Server 2003 Technical Documentation Library

Windows Mobile
Supporting Windows Mobile–based Devices within the Enterprise: Corporate Guidelines for Each Stage of the Device's Lifecycle (white paper)
TechNet Windows Mobile Center

ISA Server
Secure Application Publishing
Publishing Exchange Server 2003 ActiveSync with ISA Server 2006

Security
Security Considerations for Windows Mobile Messaging in the Enterprise (white paper)
Security Model for Windows Mobile 5.0 and Windows Mobile 6 (white paper)
Windows Mobile Security Web site
TechNet Security Center
Messaging and Security Feature Pack Overview

The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.

Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack will give you the following capabilities:

With direct push technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.

You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.

You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.

You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.

Features

These MSFP features improve essential communications for mobile workers.

Direct Push Technology

The direct push technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user's mobile device. Direct push works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. The direct push technology uses an established HTTP or HTTPS connection between the device and the Exchange server; previous solutions required the use of Short Message Service (SMS), which is no longer required. No special configuration is required on the mobile device, and you can keep your standard data plan since the service is world-capable and requires no additional software or server installations other than Exchange Server 2003 SP2.

For an in-depth discussion of the direct push technology, see Understanding the Direct Push Technology in this document.

Exchange ActiveSync

Exchange ActiveSync is an Exchange synchronization protocol that is designed for keeping your Exchange mailbox synchronized with a Windows Mobile 5.0-based device. Exchange ActiveSync is optimized to deal with high-latency/low-bandwidth networks, and also with low-capacity clients that have limited amounts of memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is a part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:

The consistency of the familiar Outlook experience for users
No extra software is required to install or configure devices
Global functionality that is achieved via standard data access phone service

Global Address List Access

Support for over-the-air lookup of global address list (GAL) information stored on Exchange Server. With the Messaging and Security Service Pack, mobile device users will be able to receive contact properties for individuals in the GAL. These properties can be used to search remotely for a person quickly based on name, company, and/or other aspect. Users will get all of the information they need to reach their contacts without having the data stored on their device.

Security Features

Security features help protect personal and corporate files on mobile devices.

Remotely Enforced Device Security Policies

Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. You can specify the length of the password, require usage of a character or symbol, and designate how long the device has to be inactive before prompting the user for the password again.

An additional setting, wipe device after failed attempts, allows you to delete all data and certificates on the device after the user enters the wrong password a specified number of times. The user will see a series of alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens. External memory, such as a secure digital (SD) card, is not erased.

You can also specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.

The device security policies are managed from Exchange System Manager's Mobile Services Properties interface.

Remote Device Wipe

The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device was connected using direct push technology, the wipe process will be initiated immediately and should take place in seconds. If you have used the enforced lock security policy, the device is protected by a password and local wipe, so the device can receive calls, but will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.

The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:

View a list of all devices that are being used by any user.
Select or de-select devices to be remotely erased.
View the status of pending remote erase requests for each device.
View a transaction log that indicates which administrators have been delegated the ability to issue remote erase commands, in addition to the devices those commands pertained to.

Advanced Security Features

The advanced security features in MSFP can be used to meet more stringent security requirements.

Certificate-Based Authentication

If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smartcard. The private key and certificate for client authentication is stored in memory on the device. However, if an unauthorized user attempts to brute force attack the power-on password for the device, all user data is purged including the certificate and private key.

For more information, see Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.

Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download Center Web site.
Support for S/MIME Encrypted Messaging

The Messaging and Security Feature Pack for Windows Mobile 5.0 provides native support for digitally signed, encrypted messaging. When encryption with the Secure/Multipurpose Internet Mail Extension (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.

The S/MIME control:

Is a standard for security enhanced e-mail messages that use a Public Key Infrastructure (PKI) to share keys
Offers sender authentication by using digital signatures
Ensures that only the intended recipient can read the message
Encrypts e-mail data at rest on the device to protect privacy
Works well with any standard-compliant e-mail client
Requires the use of a smart card reader

For guidance on how to implement the S/MIME control with Microsoft® Exchange Server 2003 SP2, see the Exchange Server Message Security Guide.

Administering the Messaging and Security Feature Pack

Safeguards like password policies and remote wipe capabilities provide you with the security features to help you protect your organization's data. With the combination of the management capabilities built into Exchange Server 2003 SP2 and the security and configuration protocols included in the Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack, your control over mobile devices has been streamlined. You will see that most of the administration of the security features for the mobile device happens on the Exchange Server or on the Exchange ActiveSync Mobile Administration Web tool.

The following table summarizes the features and the settings required on the Exchange Server or on the mobile device.

Feature: Exchange direct push technology
Exchange Server Settings: Enabled by default with Exchange Server 2003 SP2. Protect configuration with firewall or ISA Server. Extend session timeout on all firewalls and network appliances.
Mobile Device Settings: No preliminary device setup required. The device automatically switches from SMS to direct push technology when it synchronizes with ActiveSync. User steps thru ActiveSync wizard upon login to Exchange server.

Feature: Exchange ActiveSync
Exchange Server Settings: Enabled by default with Exchange Server 2003 SP2. Set parameters by using Exchange System Manager's Mobile Services Properties.
Mobile Device Settings: No preliminary device setup required; user steps thru ActiveSync wizard upon login to Exchange server.

Feature: Wireless access to global address list (GAL)
Exchange Server Settings: Default Exchange Server setup. Requires Outlook Web Access published on Exchange Server.
Mobile Device Settings: No preliminary device setup required. Privileged devices have automatic access to GAL.

Feature: Remotely enforced IT policy
Exchange Server Settings: Enable direct push technology in Exchange ActiveSync. Use Exchange System Manager's Mobile Services Properties to apply policies.
Mobile Device Settings: No preliminary device setup required; user steps thru ActiveSync wizard upon login to Exchange server and accepts IT policies.

Feature: Remote Wipe
Exchange Server Settings: Enable direct push technology in Exchange ActiveSync. Use Mobile Administration Web tool to initiate, track, and cancel the remote wipe.
Mobile Device Settings: No preliminary device setup required; user steps thru ActiveSync wizard upon login to Exchange server and accepts IT policies.

Feature: Certificate-based authentication
Exchange Server Settings: Install certificate on Exchange Servers. Deploy Desktop ActiveSync 4.1 or later to desktops. Use the Certificate Enrollment tool to configure the devices via ActiveSync.
Mobile Device Settings: Initial certificate enrollment and renewal using Desktop ActiveSync is required.

Feature: S/MIME mobile device support
Exchange Server Settings: Deploy an Exchange Server 2003 messaging system with PKI security.
Mobile Device Settings: Install certificate enrollment protocol and key on the device.

Understanding the Direct Push Technology

The direct push technology uses Exchange ActiveSync to keep data on a Windows Mobile–based device synchronized with data on a Microsoft Exchange server. There is no longer a reliance on SMS for notification.

Direct Push Technology

The direct push technology has two parts: one part resides on the device (client), and the other resides on an Exchange Server SP2 mail server. The following list describes these parts of the technology:

Windows Mobile–based device with MSFP: The ActiveSync technology on the device manages the direct push communication with Exchange Server. It establishes an HTTP or HTTPS connection with the server for a specified time, and then goes to sleep while waiting for the server to respond. The server responds with either a status indicating that new items were received or that no new items arrived. The device then sends either a synchronization request or another direct push request. The rate at which this occurs is dynamically adjusted based on parameters set by the OEM or Operator and how long an idle HTTP or HTTPS connection can be maintained on the operator network and the customer's Enterprise network.

Exchange Server 2003 Service Pack 2: This version of Exchange Server includes a direct push component that augments the Exchange ActiveSync infrastructure that supports manual and scheduled synchronization. Exchange Server uses IP-based notifications to deliver e-mail, contact, calendar, and task updates to a device as soon as the information arrives at the server.

When data changes on the server, the changes are transmitted to the device over a persistent HTTP or HTTPS connection that is used for direct push. The time-out value in the mobile operator network identifies how long the persistent connection will be maintained with no activity.

To keep this connection from timing out between updates, the device reissues a request when the server responds. This periodic transmission is referred to as the heartbeat. The heartbeat is what maintains the connection to the server for direct push; each heartbeat alerts the server that the device is ready to receive data.

The Direct Push Process

Direct push traffic looks like small HTTP requests to an Internet Web site that takes a long time to issue a response. Microsoft recommends that the content of the packets be encrypted by using Secure Sockets Layer (SSL), which makes identifying direct push traffic by sniffing difficult.

The following steps provide an overview of the direct push process:

1. The client issues an HTTP message known as a ping request to an Exchange server, asking that the server report any changes that occur in the user's mailbox within a specified time limit.
   In the ping request, the client specifies the folders that Exchange should monitor for changes. Typically these are the Inbox, Calendar, Contacts, and Tasks.

2. When Exchange receives this request, it monitors the folders specified until one of the following occurs:
   The time limit expires. The time limit is determined by the shortest time out in the network path. If this occurs, Exchange issues an HTTP 200 OK response to the client.
   A change occurs in one of the folders, such as the arrival of mail. If this occurs, Exchange issues a response to the request and identifies the folder in which the change occurred.

3. The client reacts to the response from the Exchange server in one of the following ways:
   If it receives an HTTP 200 OK response indicating that no error occurred, it re-issues the ping request.
   If it receives a response other than HTTP 200 OK, it issues a synchronization request against each folder that has changed. When the synchronization is complete, it re-issues the ping request.
   If it does not receive a response from the Exchange server within the time specified, it lowers the time interval in the ping request and then re-issues the request.

Direct Push Dynamic Ad

To determine the optimal heartbeat interval, the algorithm keeps a log of ping requests. If a ping request receives a response, the algorithm increases the interval. If no response is received at the end of the interval, the client determines that the network timed out and the interval is decreased.

By using this algorithm, the client eventually determines the longest idle connection possible across the cellular network and corporate firewall.

The following illustration shows how the heartbeat interval is adjusted during typical direct push communication between the client and the Exchange Server.

The T in this illustration indicates the progression of time.

The following steps describe the communication; the numbers correspond to the numbers in the illustration:

1. The client wakes up and issues an HTTP request over the Internet to the Exchange Server, and then goes to sleep.
   To keep the session active, the request states the heartbeat interval, which is the amount of time that the server should wait for Personal Information Manager (PIM) changes or new mail to arrive before sending OK to the client. In this illustration, the heartbeat interval is 15 minutes.

2. Because no mail arrived during the heartbeat interval, the server returns an HTTP 200 OK.
   In this example, the response is lost because either the operator network or the Enterprise network was unable to sustain the long-lived HTTP connection; the client never receives it.

   Note
   If the connection is closed by the front-end Exchange server, the device will acknowledge the ended session and immediately reconnect. If the connection is closed by the back-end Exchange server, the device does not acknowledge the ended session and waits for the end of the heartbeat interval to reconnect.

3. The client wakes up at the end of the heartbeat interval plus 1 minute (15 + 1 = 16 minutes total).

   Note:
   The device waits for successive round trips before attempting to adjust the heartbeat interval. A tuning component in the algorithm can change the increments to an amount different than what is specified.

   If this was a successive round trip with no response from the server, it issues a shorter-lived request (8 minutes).
   In this example, because the heartbeat was not increased during the last ping, the heartbeat is changed to the minimum heartbeat value (8 minutes).

4. Because no mail arrived during the heartbeat interval, the server returns an HTTP 200 OK.

5. The server response wakes up the client. Because the connection did not time out during the interval, the client determines that the network can support idle connections for at least this length of time.
   If this was a successive round trip, the client determines that it can increase the interval to a longer time for the next request.
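The tuning loop in steps 1 to 5, as an added Python model that is not part of Microsoft's guide: the client pings through a path whose shortest idle timeout decides whether the HTTP 200 OK ever reaches it, and the longest interval that gets a reply is what the client converges on. The count of answered round trips before growing (4), the 1-minute increment, and falling back to the last interval that worked (rather than the minimum) when a just-increased ping fails are assumptions about details the guide leaves open.

```python
"""Model of the Direct Push heartbeat tuning loop: a client pings an Exchange
server through a network path that has an idle timeout, and grows or shrinks
its heartbeat interval according to which pings are answered."""
from dataclasses import dataclass, field


@dataclass
class NetworkPath:
    """Device-to-Exchange path. idle_timeout is the shortest idle timeout in
    minutes across operator network, enterprise firewall and Exchange session;
    a 200 OK that the server sends after a longer idle wait never reaches the
    device (step 2 of the illustration)."""
    idle_timeout: int

    def ping(self, heartbeat: int) -> bool:
        """True if the server's HTTP 200 OK survives an idle wait of `heartbeat` minutes."""
        return heartbeat <= self.idle_timeout


@dataclass
class DirectPushClient:
    heartbeat: int = 15            # initial interval; the illustration starts at 15 minutes
    min_heartbeat: int = 8         # floor; the illustration drops to 8 minutes
    max_heartbeat: int = 30        # ceiling; the guide recommends 30-minute sessions
    step: int = 1                  # increment per adjustment (assumption; a tuning component may change it)
    rounds_before_adjust: int = 4  # answered pings in a row before growing (assumption)
    elapsed: int = 0               # simulated minutes spent in ping round trips
    good_in_a_row: int = 0
    increased_last_ping: bool = False
    last_good: int = 0             # longest interval that has received a response
    history: list = field(default_factory=list)

    def one_round_trip(self, path: NetworkPath) -> bool:
        """Issue one ping with the current heartbeat and adjust it from the outcome."""
        self.history.append(self.heartbeat)
        answered = path.ping(self.heartbeat)
        if answered:
            # Step 5: the response wakes the client, so the path supports at least this idle time.
            self.elapsed += self.heartbeat
            self.last_good = max(self.last_good, self.heartbeat)
            self.good_in_a_row += 1
            self.increased_last_ping = False
            if self.good_in_a_row >= self.rounds_before_adjust and self.heartbeat < self.max_heartbeat:
                self.heartbeat = min(self.heartbeat + self.step, self.max_heartbeat)
                self.increased_last_ping = True
                self.good_in_a_row = 0
        else:
            # Step 3: no response, so the client wakes at heartbeat + 1 minute and shortens the interval.
            self.elapsed += self.heartbeat + 1
            self.good_in_a_row = 0
            if self.increased_last_ping and self.last_good >= self.min_heartbeat:
                # The just-increased interval failed: fall back to the longest one known to work (assumption).
                self.heartbeat = self.last_good
            else:
                # As in the illustration: the heartbeat was not increased last ping, so drop to the minimum.
                self.heartbeat = self.min_heartbeat
            self.increased_last_ping = False
        return answered


def tune(path: NetworkPath, rounds: int = 60, **client_kwargs) -> dict:
    """Run `rounds` ping round trips and report what the client settled on.
    direct_push_working is False when no ping was ever answered, the situation
    in which the guide says the server logs an event for the administrator."""
    client = DirectPushClient(**client_kwargs)
    answered_any = False
    for _ in range(rounds):
        answered_any = client.one_round_trip(path) or answered_any
    return {
        "longest_good": client.last_good,
        "final_heartbeat": client.heartbeat,
        "history": client.history,
        "elapsed_minutes": client.elapsed,
        "direct_push_working": answered_any,
    }


if __name__ == "__main__":
    # Constructed scenarios: a path that drops idle connections after 12 minutes,
    # one tuned to the recommended 30 minutes, and one below the minimum heartbeat.
    for timeout in (12, 30, 5):
        result = tune(NetworkPath(timeout), rounds=100)
        print(timeout, result["longest_good"], result["final_heartbeat"], result["direct_push_working"])
```

With a 12-minute idle timeout the client settles at 12 and probes 13 every few rounds; with the recommended 30-minute timeouts it reaches the 30-minute ceiling, and with a timeout below the minimum heartbeat it never gets a reply, which is the condition the Minimum Heartbeat section says the server logs.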


  • 8/11/2019 DeployExchange2003 IT MOBILE

    20/138

    Deploying Windows Mobile-based Devices with Exchange Server 200 S!2

    The Impact of Direct Push on Networks and Exchange Servers

    The algorithm that sets the heartbeat also minimizes bytes sent over the air and maximizes
    battery life. Implementing data compression will reduce the packet sizes sent between the front
    end server and the client. However, the amount of bandwidth that is consumed and whether it
    will impact the user's data plan greatly depends on the following factors:

    - What the user chooses to synchronize, such as more than the default folders.
    - How much data is changed in the mailbox and on the mobile device.

    The Impact of Changing the Direct Push Settings

    To help you maintain adequate device performance during direct push, Microsoft recommends
    values for the various direct push settings.

    Heartbeat Interval

    The heartbeat interval is set on the device by the mobile operator. Using a heartbeat interval of 30
    minutes has positive implications for battery life and bandwidth consumption. When direct push
    sessions are permitted to live longer (such as 30 minutes), there are fewer HTTP round trips, less
    data sent and received, and less power consumed by the device.

    A heartbeat interval that is too short will keep the user always up to date, but will shorten battery
    life because of the constant pinging to the server.

    Minimum Heartbeat

    If a device that has a heartbeat below the minimum heartbeat level requests a connection to the
    Exchange server, the server logs an event to indicate to the administrator that direct push is not
    working.

    Exchange Session

    To keep device information up to date and still make the battery life as long as possible, the
    Exchange server session duration should be a little greater than the maximum heartbeat
    setting. If the server session is shorter, it may reach its idle timeout, causing it to drop the
    session. This would result in mail being undeliverable until the client reconnects, and the user
    could be unsynchronized for long periods of time.

    Firewall Timeouts

    The network idle connection timeout indicates how long a connection is permitted to live without
    traffic after a TCP connection is fully established.

    The firewall session interval must be set to allow the heartbeat interval and Enterprise session
    interval to communicate freely. If the firewall closes the session, then mail would be undeliverable
    until the client reconnects, and the user could be unsynchronized for long periods of time. By
    setting the firewall session timeout equal to or greater than the idle timeout on the Operator
    network, the firewall will not close the session.


    The following list shows how the firewalls' idle connection timeouts should be set:

    - Operators need to set the idle connection timeouts on outgoing firewalls to 30 minutes.
    - Enterprises also need to set timeouts on their incoming firewalls to 30 minutes.
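The heartbeat negotiation from steps 4 and 5 above and the timeout relationships in this section, as an added example in Python (not code from the Microsoft guide). The 8-minute start, 4-minute step and the "remember the interval that failed" ceiling are assumptions of the example, and every timeout value is constructed.

```python
"""Direct push heartbeat negotiation and timeout consistency (added example).

Models the client behaviour the guide describes: after a PING round trip
survives the heartbeat interval the client tries a longer interval; after a
dropped connection it backs off. The start value, step and backoff ceiling
are assumptions of this example, not settings documented by the guide.
"""
from dataclasses import dataclass


@dataclass
class Path:
    """Lowest idle-connection timeout of any appliance between device and server."""
    idle_timeout_min: int

    def ping_survives(self, interval_min: int) -> bool:
        # A PING request carries no traffic until the heartbeat expires, so it is
        # dropped if any appliance on the path times out idle connections sooner.
        return interval_min <= self.idle_timeout_min


def negotiate_heartbeat(path, start_min=8, step_min=4, min_hb_min=8,
                        max_hb_min=30, rounds=12):
    """Return the interval the client converges on, or the reason it cannot."""
    interval = start_min
    ceiling = max_hb_min           # largest interval not yet seen to fail
    history = []
    for _ in range(rounds):
        ok = path.ping_survives(interval)
        history.append((interval, ok))
        if ok:
            # step 5 of the guide: a successful round trip lets the client grow
            interval = min(ceiling, interval + step_min)
        else:
            # the connection timed out: back off below the failed interval
            ceiling = interval - step_min
            if ceiling < min_hb_min:
                # the path cannot sustain even the minimum heartbeat; this is the
                # situation the "Minimum Heartbeat" section says the server logs
                return {"status": "below_minimum", "interval": None,
                        "history": history}
            interval = ceiling
    return {"status": "ok", "interval": interval, "history": history}


def daily_round_trips(interval_min: int) -> float:
    """PING round trips per day at a given heartbeat: the battery cost the guide warns about."""
    return 24 * 60 / interval_min


def check_timeouts(min_hb_min, max_hb_min, exchange_session_min,
                   enterprise_fw_idle_min, operator_fw_idle_min):
    """Apply the guide's rules to a set of settings; return a list of findings."""
    findings = []
    if min_hb_min > max_hb_min:
        findings.append("minimum heartbeat exceeds maximum heartbeat")
    if exchange_session_min <= max_hb_min:
        findings.append("Exchange session timeout must be a little greater than the maximum "
                        "heartbeat, or the server drops the idle session and mail waits for a reconnect")
    if enterprise_fw_idle_min < operator_fw_idle_min:
        findings.append("enterprise firewall idle timeout is below the operator network's, "
                        "so the enterprise firewall will close direct push sessions first")
    lowest = min(enterprise_fw_idle_min, operator_fw_idle_min)
    if lowest < max_hb_min:
        findings.append(f"path idle timeout ({lowest} min) caps the heartbeat below the "
                        f"{max_hb_min} min maximum; expect more reconnects and battery drain")
    return findings


if __name__ == "__main__":
    # constructed paths: recommended 30-minute timeout, a 15-minute appliance, and a 5-minute one
    for timeout in (30, 15, 5):
        result = negotiate_heartbeat(Path(timeout))
        print(f"path idle timeout {timeout} min -> {result['status']}, "
              f"heartbeat {result['interval']} min, "
              f"{daily_round_trips(result['interval'] or 1):.0f} round trips/day")
    print(check_timeouts(8, 30, 25, 15, 30))
```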

    Web servers, network security appliances, and system network stacks have several time-based
    thresholds that are intended to insulate them from insufficiently tested or malicious clients. You
    can safely increase the idle connection timeout setting without compromising the security of the
    network.

    In a direct push scenario, the connection is idle between the time that the HTTP request is made
    and either the time that the heartbeat interval expires or when the server responds to the request
    with a change (such as when mail is received). Direct push makes no assumption as to the length
    of its sessions: mail is delivered rapidly whether the heartbeat interval is one minute or thirty
    minutes.

    Increasing the idle connection timeout typically does not increase or decrease the exposure to
    attack. The following table shows examples of attacks and describes how other settings are used
    to mitigate exposure to them.

    DoS threat | Mitigation of exposure to attacks

    DoS threat: A DoS attack is launched by failing to complete the handshake that is implicit in the
    creation of a TCP connection. The attacker attempts to create a large number of partially open
    TCP connections.
    Mitigation: Increasing the idle connection timeouts is unrelated to this type of attack. The time
    within which a TCP handshake must complete is a separate threshold that is governed by the
    Windows TCP/IP stack.

    DoS threat: A DoS attack is launched against IIS by opening a large number of TCP connections
    but never issuing an HTTP request over any of them.
    Mitigation: Increasing the idle connection timeouts is unrelated to this type of attack. IIS
    mitigates this threat by requiring that a client submit a fully-formed HTTP request within a
    certain time before dropping the connection. The name of the Connection Timeout setting in the
    IIS management console is misleading: TCP connections are closed when the Connection
    Timeout value is exceeded (120 seconds by default).

    DoS threat: An attacker establishes a large number of TCP connections, issues HTTP requests
    over all of them, but never consumes the responses.
    Mitigation: Increasing idle connection timeouts is unrelated to this type of attack. This threat is
    mitigated by the same timeout as the previous scenario. The Connection Timeout setting in IIS
    defines the time within which a client must issue either its first request after a TCP connection
    is established or a subsequent request in an HTTP keep-alive scenario.
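The three threshold classes the table distinguishes, as an added model in Python (not code from the guide). The connection states, the handshake budget and the 30-minute idle timeout are constructed for the example; the 120-second IIS Connection Timeout default is the value the table quotes.

```python
"""Which threshold governs a connection (added example, not from the guide).

Each connection is in one of four states. The table's point is that raising
the idle-connection timeout changes only what happens to an established
connection with a direct push request pending; half-open connections and
connections without a request are reaped by other thresholds regardless.
Threshold values other than the IIS default are constructed for illustration.
"""
from dataclasses import dataclass

HANDSHAKE_BUDGET_SEC = 21         # constructed stand-in for the TCP/IP stack's limit
IIS_CONNECTION_TIMEOUT_SEC = 120  # IIS default quoted in the table
DEFAULT_IDLE_TIMEOUT_SEC = 30 * 60

# States: "half_open" (SYN seen, handshake incomplete), "no_request"
# (established, no HTTP request yet), "awaiting_next_request" (response sent,
# keep-alive, next request not issued), "request_pending" (a direct push PING
# is outstanding and the server is waiting for mail or the heartbeat).
@dataclass
class Conn:
    state: str
    age_sec: int   # seconds spent in the current state


def governing_threshold(conn, idle_timeout_sec=DEFAULT_IDLE_TIMEOUT_SEC):
    """Name and value of the single threshold that applies to this connection."""
    if conn.state == "half_open":
        return ("tcp_handshake", HANDSHAKE_BUDGET_SEC)
    if conn.state in ("no_request", "awaiting_next_request"):
        return ("iis_connection_timeout", IIS_CONNECTION_TIMEOUT_SEC)
    if conn.state == "request_pending":
        return ("idle_connection_timeout", idle_timeout_sec)
    raise ValueError(f"unknown state {conn.state!r}")


def reap(conns, idle_timeout_sec=DEFAULT_IDLE_TIMEOUT_SEC):
    """Map index -> threshold name for every connection that must be closed."""
    closed = {}
    for i, conn in enumerate(conns):
        name, limit = governing_threshold(conn, idle_timeout_sec)
        if conn.age_sec > limit:
            closed[i] = name
    return closed


def idle_timeout_matters(conns, old_sec, new_sec):
    """True if changing the idle timeout changes which connections are closed."""
    return reap(conns, old_sec) != reap(conns, new_sec)


# Constructed sample: the three attack patterns from the table plus one
# legitimate device whose PING has been outstanding for 20 minutes.
ATTACK_CONNS = [
    Conn("half_open", 60),
    Conn("no_request", 200),
    Conn("awaiting_next_request", 400),
]
LEGIT_PING = Conn("request_pending", 20 * 60)

if __name__ == "__main__":
    print(reap(ATTACK_CONNS))
    # raising the idle timeout from 15 to 30 minutes: no effect on the attack patterns
    print(idle_timeout_matters(ATTACK_CONNS, 15 * 60, 30 * 60))
    # ... but it decides whether the legitimate direct push session survives
    print(idle_timeout_matters(ATTACK_CONNS + [LEGIT_PING], 15 * 60, 30 * 60))
```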


    Network Architecture Alternatives

    The choices that you have made in your network configuration and network design may impact
    the steps that you will need to take to upgrade your system to accommodate direct push
    technology and the Messaging & Security Feature Pack management features.

    Deployment Options

    The following table introduces some of the most common deployment configurations with the
    unique considerations for each. Follow the links to deployment documentation for each
    configuration.

    Setup Type: ISA Server as an advanced firewall in a workgroup in the perimeter network (ISA
    Server 2006 recommended)

    Description:
    All of the Exchange servers are within the corporate network. FBA or Basic authentication, with
    SSL configured for Exchange ActiveSync to encrypt all messaging traffic, so that all clients
    negotiate an SSL link before connecting. The ISA server acts as the advanced firewall in the
    perimeter network that is exposed to Internet traffic. ISA Server 2006 directly communicates
    with LDAP and RADIUS servers.

    LDAP Authentication: LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported. Every domain
    controller is an LDAP server. The LDAP server has a store of the Active Directory users'
    credentials. Because each domain controller can only authenticate the users in its domain, ISA
    Server by default queries the global catalog for a forest to validate user credentials.

    Radius Authentication: RADIUS provides credentials validation. ISA Server is the RADIUS client,
    depending upon the RADIUS authentication response. Password changes are not possible.

    Consideration:
    - All Exchange traffic is preauthenticated, reducing surface area and risk.
    - Client authentication is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA
      SecurID.
    - Requires port 443 opened on the firewall for inbound and outbound Internet traffic.
    - Requires a digital certificate in order to connect to the Configuration Storage server.
    - Limited to one Configuration Storage Server (DMZ limitation).
    - In case of firewall failure, the domain and Active Directory are inaccessible.
    - Domain administrators do not have access to the firewall array.
    - Workgroup clients cannot use Windows authentication.
    - Requires management of mirrored accounts for monitoring arrays.
    - For an overview of the process, see Deploying a Mobile Messaging Solution with Windows
      Mobile 5.0-based Devices ... Server 2003 at this Microsoft Web site:
      http://go.microsoft.com/fwlink/?LinkId=109215.

    Setup Type: ISA Server 2006 domain-joined in the perimeter network

    Description:
    Exchange FE is in the Enterprise forest. As a domain member, ISA Server 2006 integrates with
    Active Directory. The DMZ forest trusts the Enterprise forest accounts. ISA Server 2006
    authenticates requests at the ISA edge.

    Consideration:
    - Additional ports on the internal firewall opened to facilitate domain member communication to
      Active Directory.
    - Simplified deployment and administration of ISA Server arrays within the domain.
    - Vulnerability of access across the domain in case of firewall failure.
    - See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site:
      http://go.microsoft.com/fwlink/?LinkId=10921

    Setup Type: Third Party Firewall

    Description:
    Configure as an advanced firewall or surrounding a perimeter network. Encrypt all traffic between
    the mobile device and Exchange Server with SSL. Open port 443 inbound on each firewall
    between the mobile device and Exchange Server. Set the Idle Session Timeout to 30 minutes on
    all firewalls and network appliances on the path between the mobile device and the Exchange FE
    server to facilitate direct push technology.

    Consideration:
    Consult firewall manufacturer documentation for instructions on opening port 443 inbound and
    setting the Idle Session Timeout time.

    Setup Type: Single Exchange 2003 Server

    Description:
    Single Exchange Server within the corporate network, behind a firewall. Exchange Server
    ActiveSync accesses the Exchange virtual directory via port 80 using Kerberos authentication.

    Consideration:
    - Simple deployment for small to medium business.
    - Requires the following setup steps on the ExchAdmin virtual directory:
      - Turn off SSL Required
      - Use Windows Integrated authentication
    - If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct
      push technology.
    - For details, see Deployment on a Single Server in the Step-by-Step Guide to Deploying
      Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.
    - See also the Microsoft KB article Exchange ActiveSync and Outlook Mobile Access errors occur
      when SSL or forms-based authentication is required for Exchange Server 2003:
      http://go.microsoft.com/fwlink/?LinkId=62660.

    Setup Type: Windows Small Business Server 2003

    Description:
    Exchange traffic is routed to the server running Windows SBS with port 443 open inbound.
    Exchange FE is behind the following firewalls:
    - ISA Server 2004, Service Pack 1, which is included in Windows SBS Premium Edition, Service
      Pack 1
    - The built-in Routing and Remote Access firewall in Windows SBS
    - The UPnP™ hardware firewall
    Certificates installed on devices provide SSL encryption and access.

    Consideration:
    - Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server
      2003, providing simplified deployment.
    - Requires desktop ActiveSync installed on a client computer.
    - See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft
      Web site: http://go.microsoft.com/fwlink/?LinkId=109220.

    Setup Type: Exchange FE in the perimeter network (This option is not recommended for new
    mobile messaging solutions.)

    Description:
    Exchange FE is in the perimeter network with firewalls between it and the Internet and the
    corporate network.

    Consideration:
    - Additional firewall ports opened to enable direct push and facilitate connection between FE
      and BE servers:
      - Open port 443 inbound on the external firewall
      - UDP port 2883 open on the firewall between the Exchange FE and BE
    - See the Deployment with the Front End Server in a Perimeter Network section of the
      Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange
      Server 2003 SP2 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=81200

    ISA Server 2006 as an Advanced Firewall in a Perimeter Network

    In this configuration, all of the Exchange servers are within the corporate network and the ISA
    server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.
    This adds an additional layer of security to your network.

    All incoming Internet traffic bound to your Exchange servers (for example, Microsoft Office OWA
    and remote procedure call (RPC) over HTTP communication from Microsoft Office Outlook 2003
    clients) is processed by the ISA server. When the ISA server receives a request for an
    Exchange server, the ISA server terminates the connection and then proxies the request to the
    appropriate Exchange servers that are on your internal network. The Exchange servers on your
    network then return the requested data to the ISA server, which sends the information to the
    client through the Internet.

    During installation of the ISA server, Microsoft recommends that you enable Secure Sockets
    Layer (SSL) encryption, and designate 443 as the SSL port. This leaves the 443 port open as the
    "Web Listener" to receive Internet traffic. Microsoft also recommends that you set up basic
    authentication for Exchange ActiveSync, and that you require all clients to successfully negotiate
    an SSL link before connecting to the Exchange ActiveSync site directories. If you follow these
    recommendations, the Internet traffic that flows into and out of the 443 port will be more
    protected.

    When configured in Web-publishing mode, ISA Server 2006 will provide protocol filtering and
    hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and
    pre-authentication.

    The following illustration shows the recommended Exchange Server 2003 deployment for mobile
    messaging with ISA Server 2006.

    Authentication in ISA Server 2006

    Users can be authenticated using built-in Windows, LDAP, RADIUS, or RSA SecurID
    authentication. Front-end and back-end configuration has been separated, providing for more
    flexibility and granularity. Single sign on is supported for authentication to Web sites. Rules can
    be applied to users or user groups in any namespace.

    For most Enterprise installations, ISA Server 2006 with LDAP authentication is recommended. In
    addition, ISA Server 2006 enables certificate-based authentication with Web publishing. For more
    information, see Authentication in ISA Server 2006 on the Microsoft TechNet Web site:
    http://go.microsoft.com/fwlink/?LinkID=8


    The following table summarizes some of the features of ISA Server 2006:

    Feature | Description

    Support for LDAP authentication: LDAP authentication allows ISA Server to authenticate to
    Active Directory without being a member of the domain. See this Microsoft Web site:
    http://go.microsoft.com/fwlink/?LinkID=8

    Delegation of Basic authentication: Published Web sites are protected from unauthenticated
    access by requiring the ISA Server 2006 firewall to authenticate the user before the connection
    is forwarded to the published Web site. This prevents exploits from unauthenticated users from
    reaching the published Web server.

    SecurID authentication for Web Proxy clients: ISA Server 2006 can authenticate remote
    connections using SecurID two-factor authentication. This provides a high level of authentication
    security because a user must know something and have something to gain access to the
    published Web server.

    RADIUS support for Web Proxy client authentication: With ISA Server 2006, you can authenticate
    users in Active Directory and other authentication databases by using RADIUS to query Active
    Directory. Web publishing rules can also use RADIUS to authenticate remote access
    connections.

    Session management: ISA Server 2006 includes improved control of cookie-based sessions to
    provide for better security.

    Certificate Management: ISA Server 2006 is improved to simplify certificate management and
    reduce the total cost of ownership associated with using certificates when publishing Web sites.
    It is possible to utilize multiple certificates per Web listener and to use different certificates per
    array member.


    LDAP Authentication with ISA Server 2006

    ISA Server 2006 supports Lightweight Directory Access Protocol (LDAP) authentication. LDAP
    authentication is similar to Active Directory® directory service authentication, except that the ISA
    Server computer does not have to be a member of the domain. ISA Server connects to a
    configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain
    controller is also an LDAP server, by default, with no additional configuration changes required.

    By using LDAP authentication, you get the following benefits:

    - A server running ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition
      array members in workgroup mode. When ISA Server is installed in a perimeter network, you
      no longer need to open all of the ports required for domain membership.
    - Authentication of users in a domain with which there is no trust relationship.

    Instructions for configuring ISA Server for LDAP authentication are included in this document in
    Step 5: Install and Configure ISA Server 2006 or Other Firewall. For more information about
    configuring ISA Server for LDAP authentication, see Secure Application Publishing at the
    Microsoft TechNet Web site.


    Deployment with ISA Server in a Perimeter Network

    In this configuration, the mobile device utilizes the mobile operator's cellular data network to
    communicate using the Internet to an outer firewall that the organization uses to restrict traffic.
    The outer firewall port forwards the EAS traffic (via SSL port 443) inbound to the inner third party
    device to forward to the Exchange Server 2003 for processing.

    The figure below illustrates an end-to-end example of a typical over the air Exchange ActiveSync
    deployment.

    To ensure that Microsoft Exchange ActiveSync functions correctly in this scenario, Microsoft
    recommends that port 443 inbound be opened on both third party firewall products so that the
    Windows Mobile device can communicate directly with the Exchange Server. This is a network
    requirement for Exchange ActiveSync to work properly whether using Microsoft direct push
    technology (default setting) and/or Always Up-to-Date Notifications (optional).


    Deployment on a Single Server

    If your mobile messaging solution uses a single Exchange server, you may have to establish
    some special configurations to avoid conflicts on the virtual directory.

    SSL Requirements and Forms-based Authentication

    In a single-server configuration, Exchange Server ActiveSync accesses the Exchange virtual
    directory via port 80 by using Kerberos authentication. Exchange ActiveSync cannot access the
    Exchange virtual directory if either of the following conditions is true:

    - The Exchange virtual directory is configured to require SSL.
    - Forms-based authentication is configured.

    For more information about, and workarounds for, these configurations, see the following article in
    the Microsoft Knowledge Base: Exchange ActiveSync and Outlook Mobile Access errors occur
    when SSL or forms-based authentication is required for Exchange Server 2003.
    http://go.microsoft.com/fwlink/?LinkId=62660

    Settings Required for Exchange ActiveSync Mobile Administration Web Tool Installation

    When deployed in a single-server configuration, the Exchange ActiveSync Mobile Administration
    Web tool requires the default configuration on the ExchAdmin virtual directory. By default, SSL is
    not turned on and the virtual directory has Windows Integrated authentication.

    In a single-server configuration, we recommend that you do the following on the ExchAdmin
    virtual directory:

    - Turn off SSL Required
    - Use Windows Integrated authentication

    Note:
    The Exchange ActiveSync Mobile Administration Web tool should run in the ExchangeAppPool.

    For more information, see the following article in the Microsoft Knowledge Base: Error message
    when you try to use the Microsoft Exchange Server ActiveSync Web Administration tool to delete
    a partnership or to perform a Remote Wipe operation on a mobile device in Exchange Server
    2003 SP2: (401) Unauthorized. [Add link to http://support.microsoft.com/kb/916960/en-us]


    RSA SecurID Compatibility

    RSA SecurID provides token-based authentication that requires user input and was not
    compatible with direct push technology, in which the device synchronizes automatically. RSA has
    updated the RSA Authentication Agent for Windows so that direct push technology and scheduled
    synchronization features function smoothly.

    ISA Server 2006 works with SecurID token authentication. See the ISA Server 2006
    documentation.

    If you are using the RSA SecurID product, be sure to get the latest RSA SecurID software from
    the RSA Security Web site: http://go.microsoft.com/fwlink/?LinkId=632221

    Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based
    authentication is required for Exchange Server 2003

    Note
    Exchange Server 2003 SP2 forms-based authentication does not allow you to set the
    default domain setting in IIS to anything other than the default domain setting of \. This
    restriction is in place in order to support user logons that use the User Principal Name
    format. If the default domain setting in IIS is changed, Exchange System Manager resets
    the default domain setting to \ on the server.

    You can change this behavior by customizing the Logon.asp page in the OWA virtual
    directory in IIS to specify your domain or to include a list of domain names. However, if
    you customize the Logon.asp page in the OWA virtual directory in IIS, your changes may
    be overwritten if you upgrade to, or re-install, Exchange Server 2003 SP2.


    Deployment with the Exchange Front End Server in a Perimeter Network

    If your deployment configuration has the Front-End Exchange server inside the DMZ or perimeter
    network, you may have to change the firewall settings to facilitate the direct push technology.

    Note:
    This option is not recommended for new mobile messaging solutions.

    With direct push technology, whenever the back end server receives e-mail or data to be
    transmitted to a mobile device, it sends a UDP notification to the front-end server. This
    transmission requires that UDP port 2883 be open on the firewall to allow one-way traffic from the
    back-end server to the front-end server.

    For more information about the deployment of direct push technology and its impact on firewall
    configuration, see the Exchange Server blog article Direct push is just a heartbeat away at
    http://go.microsoft.com/fwlink/?LinkId=6

    VPN Configuration

    Windows Mobile 5.0-based devices provide native support for Virtual Private Network (VPN)
    access to a corporate network based on PPTP or L2TP/IPSec VPN protocols.

    Microsoft recommends using L2TP/IPSec connections, as these connections require both
    device-level authentication through certificates and user-level authentication through a PPP
    authentication protocol. L2TP/IPSec relies on the existing infrastructure for Windows
    Mobile-based devices to connect to internal company resources such as file shares, Web servers,
    and mobile line of business applications. For an example deployment of VPN with Windows
    Server 2003, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109222.

    For more information about securing VPN access, see "How ISA Server 2004 Provides SSL VPN
    Functionality for Outlook Web Access and RPC over HTTP" at
    http://go.microsoft.com/fwlink/?LinkID=6


    Best Practices for Deploying a Mobile Messaging Solution

    Best practices for deploying a mobile messaging solution on your corporate network are
    recommendations that will help you ensure the smooth operation of, and provide a high level of
    security for, your mobile messaging solution.

    Network Configuration

    Regardless of the network configuration you implement, there are some best practices that will
    strengthen your mobile messaging solution.

    Best Practice: Use Front-end and Back-end Configuration for Exchange Servers

    A front-end and back-end configuration is recommended for multiple-server organizations that
    use Exchange ActiveSync, Outlook Web Access (OWA), Post Office Protocol (POP), or Internet
    Message Access Protocol (IMAP), and that want to provide HTTP, POP, or IMAP access to their
    employees. In this architecture, a front-end server accepts requests from clients, and then
    proxies those requests to the appropriate back-end server for processing. The front-end and
    back-end architecture allows the front-end server to handle the Secure Sockets Layer (SSL)
    encryption, thus enabling the back-end servers to increase overall e-mail performance. This
    configuration scales well and provides a measure of security by limiting access to the front-end
    server.

    Securing the messaging environment also involves disabling those features and settings for the
    front-end server that are not necessary in a front-end and back-end server architecture.

    For more information about front-end and back-end server architecture, see Exchange Server
    2003 and Exchange 2000 Server Front-End and Back-End Topology at
    http://go.microsoft.com/fwlink/?LinkId=62643.

    Best Practice: Configuring your Firewall for Optimal Direct Push Performance

    Direct push technology requires an established connection between the server and the client. No
    data is sent over this connection unless there is e-mail or data to be transmitted, or the device
    needs to reestablish its connection with the server. This means that the maximum length of the
    connection is determined by the lowest network timeout in the path between the device and the
    server.


With good network coverage, the maximum timeout will be determined by the connection timeout that is enforced by the firewalls that handle Internet traffic to your Exchange front-end servers. If you keep the timeout very low, you will force the device to reconnect several times, which will quickly drain its battery. The following illustration shows the recommended firewall settings.

As a best practice, you should adjust the connection timeout of your firewall and of any other network appliances in the path to ensure that direct push functionality works efficiently. To optimize battery life, we recommend a timeout period of 30 minutes.

For a technical discussion of direct push technology, see Understanding the Direct Push Technology in this document.

Security: Authentication and Certification

Security for communication between the Exchange server and client mobile devices can be increased by using SSL for encryption and server authentication, and by using Web publishing to protect incoming traffic.

The following best practices will help you build a more secure mobile messaging solution.

Best Practice: Use SSL for Encryption and Server Authentication

To protect outgoing and incoming data, deploy SSL to encrypt all traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content and the identity of users, and to encrypt network transmissions. The Exchange server, just like any Web server, requires a valid server certificate to establish SSL communications.


Windows Mobile 5.0-based devices are shipped with trusted root certificates. Check with your device manufacturer for a current list of the certificate authorities that shipped with your device. If your server certificate is issued by one of these trusted authorities, your client mobile devices should be ready to establish SSL communications with no further configuration. If you create your own certificates, you must add your root certificate to the root store of each mobile device.

Note:
Some server certificates are issued with intermediate authorities in the certification chain. If IIS is not configured to send all certificates in the chain to the mobile device during the SSL handshake, the device will not trust the certificate, because the device does not support dynamically retrieving the other certificates.

For more information about obtaining server certificates, see “Obtaining and Installing Server Certificates” in the Exchange Server 2003 Client Access Guide at http://go.microsoft.com/fwlink/?LinkId=62628.

For more information about root certificates for mobile devices, see Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device.

Best Practice: Determine and Deploy a Device Password Policy

You can now use Exchange Server SP2 together with Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack to help you configure a central security policy that requires all users with mobile devices that access the Exchange server to protect their device with a password.

Within this central security policy, there are several attributes you can configure, including the length of the password (the default is four characters), the use of characters or symbols in the password, and how long the device can be inactive before it prompts the user for the password again. One of these policies is the wipe device after failed attempts option, which allows you to specify whether you want the device memory wiped after multiple failed logon attempts.

Once you have determined your device security policies, you must deploy them by using Exchange System Manager's Mobile Services Properties. When your users connect their device to the Exchange server, sign in, and accept the security policies, your policies will be sent to the device. The policies will not be enforced until they have been accepted on the device by the user. You can set the interval at which the device security policies will be automatically refreshed on the device.

For more information on setting security policies, see Configuring Security Settings for Mobile Devices in Step 6: Configure and Manage Mobile Device Access on the Exchange Server.


Best Practice: Use Web Publishing with Basic Authentication

For many companies the use of Basic Authentication over an encrypted channel (SSL) is an acceptable security requirement. These companies can further secure their mobile deployment by leveraging ISA 2004 or ISA 2006 to Web publish the Exchange Server 2003 front-end servers. The benefit of leveraging ISA's Web publishing capabilities is that ISA has built-in logic to distinguish well-formed Exchange ActiveSync requests, so it can help protect the Exchange front-end server from malicious attacks.

As a best practice, Web publishing is easier to implement and provides a higher level of security than server publishing, although larger companies that are planning to use client certificate-based authentication must implement the latter.

Server publishing, also known as tunneling, refers to network/transport-layer protection, whereas Web publishing, also known as bridging, refers to application-layer protection. Web publishing is only possible when SSL is terminated on ISA Server 2004. With server publishing, ISA Server 2004 only sees encrypted traffic, so it cannot perform tasks such as protocol hygiene that require it to analyze the contents; thus ISA Server 2004 only offers protection based on the network/transport layers.

Best Practices for Using Certificate-based Authentication

For certificate-based authentication to work correctly with Exchange ActiveSync, the enterprise firewall must be configured to allow the Exchange front-end server to terminate the SSL connection. For this reason, Web publishing will not work with certificate-based authentication with ISA Server 2004. However, ISA Server 2006 supports Kerberos Constrained Delegation, allowing you to choose either Web Publishing or SSL Bridging from the ISA machine to the Exchange front-end server.

An overview of the process for deploying certificate-based authentication is provided in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.

Microsoft has provided several tools to help an Exchange administrator configure and validate client certificate authentication.

For more information about the Exchange ActiveSync Certificate-based Authentication tool, see the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?LinkId=62656.


Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices

This document presents the recommended deployment with ISA Server 2006 as an advanced firewall in a perimeter network. This configuration and other options are described in Network Architecture Alternatives.

For detailed information about additional deployments, see the following appendices in this document:

Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication

Appendix B: Install and Configure an ISA Server 2004 Environment

Deployment Process Overview

The following steps summarize deployment with ISA Server 2006 as an advanced firewall in a perimeter network.

Step 1: Upgrade to Exchange Server 2003 SP2

Step 2: Update All Servers with Security Patches

Step 3: Protect Communications Between the Mobile Devices and Your Exchange Server
    Deploy SSL to encrypt messaging traffic
    Enable SSL on the Default Web Site
    Configure basic authentication for the Exchange ActiveSync virtual directory
    Optional: Configure certificate-based authentication (See Appendix A.)
    Optional: Update RSA SecurID Agent
    Set Up LDAP Servers
    Protect IIS by Limiting Potential Attack Surfaces

Step 4: Protect Communications Between the Exchange Server 2003 SP2 Server and Other Servers
    Use IPSec to Encrypt IP Traffic (Recommended)

Step 5: Install and Configure ISA Server 2006 or Other Firewall
    Install ISA Server 2006 (Recommended)
    Install server certificate on the ISA Server computer
    Configure ISA Server with your LDAP server set
    Create the Exchange ActiveSync Publishing Rule by Using Bridging
    Set All Firewall Idle Session Time-out Settings to 30 Minutes
    Test OWA and Exchange ActiveSync


Step 6: Configure and Manage Mobile Device Access on the Exchange Server
    Enable Exchange ActiveSync for All Users
    Enable User Initiated Synchronization
    Enable direct push technology
    Set Security Policy Settings for Mobile Devices
    Monitor Mobile Performance on Exchange Server

Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool

Step 8: Manage and Configure Mobile Devices
    Set up Mobile Connection to Exchange Server
    Use the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices
    Provision or Configure Mobile Devices

Step 1: Upgrade to Exchange Server 2003 SP2

Exchange Server 2003 SP2 includes Exchange ActiveSync, the synchronization protocol that keeps the Exchange mailbox synchronized on client mobile devices. By default, Exchange ActiveSync is enabled.

Exchange Server 2003 SP2 contains new features that work with the Windows Mobile 5.0 Messaging and Security Feature Pack to help you improve the deployment, security, and management of mobile devices.

Note:
To use mobile devices with the Windows Mobile 5.0 Messaging and Security Feature Pack, you must upgrade your front-end Exchange server to Exchange Server 2003 SP2. Back-end Mailbox servers can remain at Exchange 2003 RTM or SP1. However, we recommend that you upgrade both front-end and back-end servers to take advantage of the updates in SP2.

How to Upgrade to Exchange Server 2003 SP2

Download the Service Pack 2 for Exchange Server 2003 file from the Microsoft Exchange Server TechCenter Web site (http://go.microsoft.com/fwlink/?LinkId=62644).

Follow the directions provided to upgrade your Exchange servers to SP2.

Step 2: Update All Servers with Security Patches

To help you ensure that your mobile messaging network is strong from end to end, take this opportunity to update all of your servers.

After you install Exchange Server 2003 SP2 on your front-end server, update the server software on your other Exchange servers and on any other server that Exchange communicates with, such as your global catalog servers and your domain controllers.

For more information about updating your software with the latest security patches, see the Exchange Server Security Center Web site.

For more information about Microsoft security, see the Microsoft Security Web site.

Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server

To help protect the communications between Windows Mobile-based devices and your Exchange front-end server, follow these steps:

Deploy SSL to encrypt messaging traffic.

Enable SSL on the default Web site.

Configure basic authentication for the Exchange ActiveSync virtual directory.

Note:
If you plan to use certificate authentication instead of basic authentication, refer to Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.

Note:
If you are using RSA SecurID, you must update the RSA Authentication Agent.

Protect IIS by limiting potential attack surfaces.

See Best Practices for Deploying a Mobile Messaging Solution in this document for more information about authentication and certification.


Deploying SSL to Encrypt Messaging Traffic

To protect incoming and outgoing e-mail, deploy SSL to encrypt messaging traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content, verify the identity of users, and encrypt network transmissions.

The steps involved in configuring SSL for Exchange ActiveSync are:

1. Obtaining and installing a server certificate

2. Validating installation

3. Backing up the server certificate

4. Enabling SSL for the Exchange ActiveSync virtual directory

Note:
To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type the following command:

runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"

Obtaining and Installing a Server Certificate

After you obtain a server certificate, you will install the server certificate, verify the installation of the server certificate, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.

To obtain a server certificate from a Certificate Authority (CA)

1. Log on to the Exchange server by using an Administrator account.

2. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

3. Double-click the ServerName to view the Web sites. Right-click Default Web Site, and then click Properties.

4. Click to select the Directory Security tab. The following illustration shows the IIS Manager window and the Directory Security tab. Under Secure Communications, click Server Certificate.


5. In the Welcome Web Server Certificate Wizard dialog box, click Next, click Create a new certificate, and then click Next.

6. Click Prepare the request now but send it later, and then click Next.


Note:
Ensure that Select cryptographic service provider is not selected.

8. In the Organization Information dialog box, type a name in the Organization text box (for example, type <Company_Name>) and in the Organizational unit text box (for example, type <IT Department>), and then click Next.

9. In the Your Site's Common Name dialog box, type the fully qualified domain name of your server or cluster for Common name (for example, type <webmail.mycompany.com>), and then click Next. This will be the domain name that your client mobile devices will access.

10. In the Geographical Information dialog box, click Country/region (for example, US), State/province (for example, <State>) and City/locality (for example, <City>), and then click Next.

11. In the Certificate Request Filename dialog box, keep the default of C:\NewKeyRq.txt (where C: is the location your OS is installed), and then click Next.

12. In the Request File Summary dialog box, review the information and then click Next. The following illustration shows an example of a Request File Summary.


13. You should receive a success message when the certificate request is complete. Click Finish.
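The same request file, built programmatically as an added Go example rather than through the wizard (this code is not part of the guide): it produces the base-64 PKCS#10 text that C:\NewKeyRq.txt contains, using the placeholder subject values from steps 8 to 10, and checks the file before it is pasted into the CA's Saved Request box. The 2048-bit RSA key size and the requestSubject type are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"os"
)

// requestSubject holds the fields the wizard asks for in steps 8 to 10 (constructed type).
type requestSubject struct {
	Org, OrgUnit, CommonName, Country, State, City string
}

// newCSR generates a 2048-bit RSA key and a PKCS#10 request for it and returns the
// base-64 request text (what C:\NewKeyRq.txt contains) together with the private key.
func newCSR(s requestSubject) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:         s.CommonName,
			Organization:       []string{s.Org},
			OrganizationalUnit: []string{s.OrgUnit},
			Country:            []string{s.Country},
			Province:           []string{s.State},
			Locality:           []string{s.City},
		},
		DNSNames: []string{s.CommonName}, // subject alternative name for the same host
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	// The IIS wizard labels its file NEW CERTIFICATE REQUEST; use the same header.
	return pem.EncodeToMemory(&pem.Block{Type: "NEW CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// requestedName decodes a request file, checks its self-signature and returns the
// common name: a quick sanity check before pasting the file into the CA's Saved Request box.
func requestedName(csrPEM []byte) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil {
		return "", errors.New("no PEM block found in request file")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

func main() {
	csr, _, err := newCSR(requestSubject{"CompanyName", "IT Department", "webmail.mycompany.com", "US", "State", "City"})
	if err != nil {
		panic(err)
	}
	os.Stdout.Write(csr) // this text is what goes into the CA's Saved Request box
}
```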

Next, you must request a server certificate from a valid CA. To do this, you must access the Internet or an intranet, depending on the CA that you choose, by using a properly configured Web browser.

The steps detailed here are for accessing the Web site for your CA. For a production environment, you will probably request a server certificate from a trusted CA over the Internet.

To submit the certificate request

1. Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft CA Web site, http://<server_name>/certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.

2. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded PKCS#10 file or submit a renewal request by using a base-64 encoded PKCS #7 file.

3. On your local server, navigate to the location of the C:\NewKeyRq.txt file that you saved previously.

4. Double-click to open the C:\NewKeyRq.txt file in Notepad. Select and copy the entire contents of the file.

5. On the CA Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server. The following illustration shows an example of a Submit a Certificate Request page.

6. Click inside the Saved Request box, paste the contents of the file into the box, and then choose Submit. The contents in the Saved Request dialog box should look similar to the following example: a block of base-64 text that begins with the line -----BEGIN NEW CERTIFICATE REQUEST-----.


Next, you must install the certificate.

To install the certificate

1. Start Internet Information Service (IIS) Manager and expand <DomainName>.

2. Right-click Default Web Site and then click Properties. In the Properties dialog box, select the Directory Security tab. Under Secure Communication, click Server Certificate.

3. In the Certificate Wizard dialog box, click Next.

4. Select Process the Pending Request and install the certificate. Click Next.

5. Navigate to, or type, the location and file name for the file containing the server certificate, certnew.txt, that is located on the desktop, and then click Next.

6. Select the SSL port that you wish to use. We recommend that you use the default SSL port, which is Port 443.


Validating Installation