8/11/2019 DeployExchange2003 IT MOBILE
Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2
Microsoft Corporation
Published: February 15 2008
Deploying Windows Mobile-based Devices with Exchange Server 2003 SP2
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveSync, Office Outlook, Visual Basic, Windows Mobile and Windows Server are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
Introduction ... 1
Document Structure ... 1
Deploying Mobile Messaging: Introduction ... 1
Assumptions ... 1
Software Requirements ... 2
Optional Items ... 3
Deployment Process Summary ... 3
Planning Resources ... 4
Messaging and Security Feature Pack Overview ... 5
Features ... 5
Security Features ... 6
Advanced Security Features ... 7
Steps to Enable Certificate-Based Authentication ... 100
Configuring Exchange Server 2003 Front-End Server ... 100
Configure Kerberos Constrained Delegation ... 100
Configure Servers to be Trusted for Delegation ... 101
Configure Windows Mobile Certificate Enrollment ... 101
Overview of Certificate Enrollment Configuration ... 101
Appendix B: Install and Configure an ISA Server 2004 Environment ... 104
Installing ISA Server 2004 ... 105
Creating the Exchange ActiveSync Publishing Rule Using Web Publishing ... 106
Configuring the Hosts File Entry ... 110
Setting the ISA Server 2004 Idle Session Timeout ... 112
Testing OWA and Exchange ActiveSync ... 112
Testing OWA ... 114
Testing Exchange ActiveSync ... 114
Appendix C: Troubleshooting a Mobile Messaging Solution ... 115
Logging and Troubleshooting Tools ... 115
Monitoring Mobile Performance on Exchange Server 2003 SP2 ... 115
ISA Server Best Practices Analyzer ... 116
Issues Related to Direct Push Technology ... 116
General Direct Push Troubleshooting Tips ... 116
Path Troubleshooting Direct Push
- Microsoft Internet Security and Acceleration (ISA) Server 2006 (or ISA Server 2004 or third party firewall)
- Windows Certification Authority (CA)
- RSA Authentication Manager 6.0 from RSA Security
- RSA Authentication Agent for Microsoft Windows from RSA Security
- RSA SecurID Authenticator from RSA Security

Deployment Process Summary
Because corporate network configurations and security policies vary, the deployment process will vary for each mobile messaging system installation. This deployment process includes the required steps and the recommended steps for deploying a mobile messaging solution that uses Exchange Server 2003 SP2 and Windows Mobile 5.0-based devices.

Note:
The following steps outline the process for setting up a mobile messaging solution with ISA Server 2006 in a workgroup in a perimeter network, with LDAP authentication. For more information on alternative network configurations, see Network Architecture Alternatives in this document.

The process can be accomplished in the following eight steps:
Step 1: Upgrade Front-End Server to Exchange Server 2003 SP2
Step 2: Update All Servers with Security Patches
Step 3: Protect Communications with Mobile Devices
Step 4: Protect Communications Between the Exchange Server and Other Servers
Step 5: Install and Configure ISA Server 2006 or Other Firewall
Step 6: Configure Mobile Device Access on the Exchange Server
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
Step 8: Manage and Configure Mobile Devices
Planning Resources
The following Microsoft Web sites and technical articles provide background information that is important for the planning and deployment of your mobile messaging solution.

Exchange Server 2003
- Planning an Exchange Server 2003 Messaging System
- Exchange Server 2003 Client Access Guide
- Exchange Server 2003 Deployment Guide
- Windows Server 2003 Deployment Guide
- Using ISA Server 2004 with Exchange Server 2003
- Windows Server 2003 Technical Reference
- IIS 6.0 Deployment Guide (IIS 6.0)
- Microsoft Exchange Server
- Exchange Server 2003 Technical Documentation Library

Windows Mobile
- Supporting Windows Mobile-based Devices within the Enterprise: Corporate Guidelines for Each Stage of the Device's Lifecycle (white paper)
- TechNet Windows Mobile Center

ISA Server
- Secure Application Publishing
- Publishing Exchange Server 2003 ActiveSync with ISA Server 2006

Security
- Security Considerations for Windows Mobile Messaging in the Enterprise (white paper)
- Security Model for Windows Mobile 5.0 and Windows Mobile 6 (white paper)
- Windows Mobile Security Web site
- TechNet Security Center
Messaging and Security Feature Pack Overview
The Messaging and Security Feature Pack for Windows Mobile 5.0 enables Windows Mobile 5.0-based devices to be managed by Microsoft Exchange Server 2003 SP2. The result is a mobile messaging solution that uses the management benefits of Exchange ActiveSync and the new security policy functions on the Windows Mobile 5.0-based devices, which helps you to better manage and control the devices.

Using Windows Mobile 5.0-based devices with the Messaging and Security Feature Pack will give you the following capabilities:
- With direct push technology, you can provide your users with immediate delivery of data from the Exchange mailbox to their device. This includes e-mail, calendar, contact, and task information.
- You can define the security policies on your Exchange server and they will be enforced on Windows Mobile 5.0-based devices that are directly synchronized with your Exchange server.
- You can monitor and test Exchange ActiveSync performance and reliability by using the Exchange Server Management Pack.
- You can manage the process of remotely erasing or wiping lost, stolen, or otherwise compromised mobile devices that are directly synchronized with your Exchange server by using the Microsoft Exchange ActiveSync Mobile Administration Web tool.

Features
These MSFP features improve essential communications for mobile workers.

Direct Push Technology
The direct push technology included in Exchange Server 2003 SP2 provides a new approach to the immediate delivery of data from the Exchange mailbox to the user's mobile device. Direct push works for mailbox data, including Inbox, Calendar, Contacts, and Tasks. The direct push technology uses an established HTTP or HTTPS connection between the device and the Exchange server; previous solutions required the use of Short Message Service (SMS), which is no longer required. No special configuration is required on the mobile device, and you can keep your standard data plan since the service is world-capable and requires no additional software or server installations other than Exchange Server 2003 SP2.
For an in-depth discussion of the direct push technology, see Understanding the Direct Push Technology in this document.
Exchange ActiveSync
Exchange ActiveSync is an Exchange synchronization protocol that is designed for keeping your Exchange mailbox synchronized with a Windows Mobile 5.0-based device. Exchange ActiveSync is optimized to deal with high-latency/low-bandwidth networks, and also with low-capacity clients that have limited amounts of memory, storage, and processing power. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and XML and is a part of Exchange Server 2003. In addition, Exchange ActiveSync provides the following benefits:
- The consistency of the familiar Outlook experience for users
- No extra software is required to install or configure devices
- Global functionality that is achieved via standard data access phone service

Global Address List Access
Support for over-the-air lookup of global address list (GAL) information stored on Exchange Server. With the Messaging and Security Service Pack, mobile device users will be able to receive contact properties for individuals in the GAL. These properties can be used to search remotely for a person quickly based on name, company, and/or other aspect. Users will get all of the information they need to reach their contacts without having the data store on their device.

Security Features
Security features help protect personal and corporate files on mobile devices.

Remotely Enforced Device Security Policies
Exchange Server 2003 SP2 helps you to configure and manage a central policy that requires all mobile device users to protect their device with a password in order to access the Exchange server. You can specify the length of the password, require usage of a character or symbol, and designate how long the device has to be inactive before prompting the user for the password again.
An additional setting, wipe device after failed attempts, allows you to delete all data and certificates on the device after the user enters the wrong password a specified number of times. The user will see a series of alert dialog boxes warning of the possible wipe and providing the number of attempts left before it happens. External memory, such as a secure digital (SD) card, is not erased.
You can also specify whether non-compliant devices can synchronize. Devices are considered non-compliant if they do not support the security policy you have specified. In most cases, these are devices not configured with the Messaging and Security Feature Pack.
The device security policies are managed from Exchange System Manager's Mobile Services Properties interface.
Remote Device Wipe
The remote wipe feature helps you to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices. If the device was connected using direct push technology, the wipe process will be initiated immediately and should take place in seconds. If you have used the enforced lock security policy, the device is protected by a password and local wipe, so the device can receive calls, but will not be able to perform any operation other than to receive the remote wipe notification and report that it has been wiped.
The new Microsoft Exchange ActiveSync Mobile Administration Web tool enables you to perform the following actions:
- View a list of all devices that are being used by any user.
- Select or de-select devices to be remotely erased.
- View the status of pending remote erase requests for each device.
- View a transaction log that indicates which administrators have been delegated the ability to issue remote erase commands, in addition to the devices those commands pertained to.

Advanced Security Features
The advanced security features in MSFP can be used to meet more stringent security requirements.

Certificate-Based Authentication
If SSL basic authentication does not meet your security requirements and you have an existing Public Key Infrastructure (PKI) using Microsoft Certificate Server, you may wish to use the certificate-based authentication feature in Exchange ActiveSync. If you use this feature in conjunction with the other features described in this document, such as local device wipe and the enforced use of a power-on password, you can transform the mobile device itself into a smartcard. The private key and certificate for client authentication is stored in memory on the device. However, if an unauthorized user attempts to brute force attack the power-on password for the device, all user data is purged including the certificate and private key.
For more information, see Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Microsoft has created a tool for deploying Exchange ActiveSync certificate-based authentication. Download the tool and documentation from the Microsoft Download center Web site.
Support for S/MIME Encrypted Messaging
The Messaging and Security Feature Pack for Windows Mobile 5.0 provides native support for digitally signed, encrypted messaging. When encryption with the Secure/Multipurpose Internet Mail Extension (S/MIME) is deployed, users can view and send S/MIME-encrypted messages from their mobile device.
The S/MIME control:
- Is a standard for security enhanced e-mail messages that use a Public Key Infrastructure (PKI) to share keys
- Offers sender authentication by using digital signatures
- Ensures that only the intended recipient can read the message
- Encrypts e-mail data at rest on the device to protect privacy
- Works well with any standard-compliant e-mail client
- Requires the use of a smart card reader
For guidance on how to implement the S/MIME control with Microsoft® Exchange Server 2003 SP2, see the Exchange Server Message Security Guide.
Administering the Messaging and Security Feature Pack
Safeguards like password policies and remote wipe capabilities provide you with the security features to help you protect your organization's data. With the combination of the management capabilities built into Exchange Server 2003 SP2 and the security and configuration protocols included in the Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack, your control over mobile devices has been streamlined. You will see that most of the administration of the security features for the mobile device happens on the Exchange Server or on the Exchange ActiveSync Mobile Administration Web tool.
The following table summarizes the features and the settings required on the Exchange Server or on the mobile device.

| Feature | Exchange Server Settings | Mobile Device Settings |
|---|---|---|
| Exchange direct push technology | Enabled by default with Exchange Server 2003 SP2. Protect configuration with firewall or ISA Server. Extend session timeout on all firewalls and network appliances. | No preliminary device setup required. The device automatically switches from SMS to direct push technology when it synchronizes with ActiveSync. User steps through ActiveSync wizard upon login to Exchange server. |
| Exchange ActiveSync | Enabled by default with Exchange Server 2003 SP2. Set parameters by using Exchange System Manager's Mobile Services Properties. | No preliminary device setup required; user steps through ActiveSync wizard upon login to Exchange server. |
| Wireless access to global address list (GAL) | Default Exchange Server setup. Requires Outlook Web Access published on Exchange Server. | No preliminary device setup required. Privileged devices have automatic access to GAL. |
| Remotely enforced IT policy | Enable direct push technology in Exchange ActiveSync. Use Exchange System Manager's Mobile Services Properties to apply policies. | No preliminary device setup required; user steps through ActiveSync wizard upon login to Exchange server and accepts IT policies. |
| Remote Wipe | Enable direct push technology in Exchange ActiveSync. Use Mobile Administration Web tool to initiate, track, and cancel the remote wipe. | No preliminary device setup required; user steps through ActiveSync wizard upon login to Exchange server and accepts IT policies. |
| Certificate-based authentication | Install certificate on Exchange Servers. Deploy Desktop ActiveSync 4.1 or later to desktops. Use the Certificate Enrollment tool to configure the devices via ActiveSync. | Initial certificate enrollment and renewal using Desktop ActiveSync is required. |
| S/MIME mobile device support | Deploy an Exchange Server 2003 messaging system with PKI security. | Install certificate enrollment protocol and key on the device. |
Understanding the Direct Push Technology
The direct push technology uses Exchange ActiveSync to keep data on a Windows Mobile-based device synchronized with data on a Microsoft Exchange server. There is no longer a reliance on SMS for notification.

Direct Push Technology
The direct push technology has two parts: one part resides on the device (client), and the other resides on an Exchange Server SP2 mail server. The following list describes these parts of the technology:
- Windows Mobile-based device with MSFP: The ActiveSync technology on the device manages the direct push communication with Exchange Server. It establishes an HTTP or HTTPS connection with the server for a specified time, and then goes to sleep while waiting for the server to respond. The server responds with either a status indicating that new items were received or that no new items arrived. The device then sends either a synchronization request or another direct push request. The rate at which this occurs is dynamically adjusted based on parameters set by the OEM or Operator and how long an idle HTTP or HTTPS connection can be maintained on the operator network and the customer's Enterprise network.
- Exchange Server 2003 Service Pack 2: This version of Exchange Server includes a direct push component that augments the Exchange ActiveSync infrastructure that supports manual and scheduled synchronization. Exchange Server uses IP-based notifications to deliver e-mail, contact, calendar, and task updates to a device as soon as the information arrives at the server.

When data changes on the server, the changes are transmitted to the device over a persistent HTTP or HTTPS connection that is used for direct push. The time-out value in the mobile operator network identifies how long the persistent connection will be maintained with no activity.
To keep this connection from timing out between updates, the device reissues a request when the server responds. This periodic transmission is referred to as the heartbeat. The heartbeat is what maintains the connection to the server for direct push; each heartbeat alerts the server that the device is ready to receive data.

The Direct Push Process
Direct push traffic looks like small HTTP requests to an Internet Web site that takes a long time to issue a response. Microsoft recommends that the content of the packets be encrypted by using Secure Sockets Layer (SSL), which makes identifying direct push traffic by sniffing difficult.
The following steps provide an overview of the direct push process:
1. The client issues an HTTP message known as a ping request to an Exchange server, asking that the server report any changes that occur in the user's mailbox within a specified time limit.
In the ping request, the client specifies the folders that Exchange should monitor for changes. Typically these are the Inbox, Calendar, Contacts, and Tasks.
2. When Exchange receives this request, it monitors the folders specified until one of the following occurs:
- The time limit expires. The time limit is determined by the shortest time out in the network path. If this occurs, Exchange issues an HTTP 200 OK response to the client.
- A change occurs in one of the folders, such as the arrival of mail. If this occurs, Exchange issues a response to the request and identifies the folder in which the change occurred.
3. The client reacts to the response from the Exchange server in one of the following ways:
- If it receives an HTTP 200 OK response indicating that no error occurred, it re-issues the ping request.
- If it receives a response other than HTTP 200 OK, it issues a synchronization request against each folder that has changed. When the synchronization is complete, it re-issues the ping request.
- If it does not receive a response from the Exchange server within the time specified, it lowers the time interval in the ping request and then re-issues the request.
Direct Push Dynamic Ad
To determine the optimal heartbeat interval, the algorithm keeps a log of ping requests. If a ping request receives a response, the algorithm increases the interval. If no response is received at the end of the interval, the client determines that the network timed out and the interval is decreased.
By using this algorithm, the client eventually determines the longest idle connection possible across the cellular network and corporate firewall.
The following illustration shows how the heartbeat interval is adjusted during typical direct push communication between the client and the Exchange Server.
The T in this illustration indicates the progression of time.

The following steps describe the communication; the numbers correspond to the numbers in the illustration:
1. The client wakes up and issues an HTTP request over the Internet to the Exchange Server, and then goes to sleep.
To keep the session active, the request states the heartbeat interval, which is the amount of time that the server should wait for Personal Information Manager (PIM) changes or new mail to arrive before sending OK to the client. In this illustration, the heartbeat interval is 15 minutes.
2. Because no mail arrived during the heartbeat interval, the server returns an HTTP 200 OK. In this example, the response is lost because either the operator network or the Enterprise network was unable to sustain the long-lived HTTP connection; the client never receives it.
Note:
If the connection is closed by the front-end Exchange server, the device will acknowledge the ended session and immediately reconnect. If the connection is closed by the back-end Exchange server, the device does not acknowledge the ended session and waits for the end of the heartbeat interval to reconnect.
3. The client wakes up at the end of the heartbeat interval plus 1 minute (15 + 1 = 16 minutes total).
Note:
The device waits for successive round trips before attempting to adjust the heartbeat interval. A tuning component in the algorithm can change the increments to an amount different than what is specified.
If this was a successive round trip with no response from the server, it issues a shorter-lived request (8 minutes).
In this example, because the heartbeat was not increased during the last ping, the heartbeat is changed to the minimum heartbeat value (8 minutes).
4. Because no mail arrived during the heartbeat interval, the server returns an HTTP 200 OK.
5. The server response wakes up the client. Because the connection did not time out during the interval, the client determines that the network can support idle connections for at least this length of time.
If this was a successive round trip, the client determines that it can increase the interval to a longer time for the next request.
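The ping loop and the heartbeat adjustment described in the two sections above, as an added simulation that is not part of Microsoft's guide. The minute-based clock, the Server and Client classes, the simulate helper and the tuning constants (STEP, CONFIRM_ROUNDS, the one-minute grace) are assumptions; the page itself supplies only the 8-minute minimum, the 30-minute recommendation, the "wait for successive round trips" rule and the increase-on-response, decrease-on-loss behaviour.

```python
from dataclasses import dataclass, field

# Tuning constants. Only MIN_HEARTBEAT (the 8-minute value in the walk-through) and
# MAX_HEARTBEAT (the recommended 30 minutes) come from the guide; the rest are assumed.
MIN_HEARTBEAT = 8       # minutes
MAX_HEARTBEAT = 30      # minutes
STEP = 4                # assumed increment applied once an interval is confirmed to work
GRACE = 1               # the client wakes at heartbeat + 1 minute if no response arrived
CONFIRM_ROUNDS = 2      # successive round trips with the same outcome before adjusting


@dataclass
class Server:
    """Exchange front end together with the network path in front of it."""
    idle_timeout: int                              # shortest idle timeout on the path, minutes
    changes: dict = field(default_factory=dict)    # minute of arrival -> folder that changed
    events: list = field(default_factory=list)     # what the administrator would see logged

    def ping(self, heartbeat, now):
        """Answer one ping request.

        Returns (status, folders, minutes the client waited). status is 200 when nothing
        changed, "changed" when a monitored folder changed, or None when a firewall on
        the path closed the idle connection before the answer reached the client.
        """
        if heartbeat < MIN_HEARTBEAT:
            self.events.append(f"t={now}: heartbeat {heartbeat} below minimum, direct push not working")
        due = [m for m in sorted(self.changes) if m <= now + heartbeat]
        if due:
            idle = max(0, due[0] - now)            # connection sat idle until the change arrived
            if idle > self.idle_timeout:
                return None, [], heartbeat + GRACE  # change stays pending for the next ping
            return "changed", [self.changes.pop(due[0])], idle
        if heartbeat > self.idle_timeout:
            return None, [], heartbeat + GRACE      # 200 OK was sent but never delivered
        return 200, [], heartbeat


@dataclass
class Client:
    """Windows Mobile device side: issues pings and tunes the heartbeat interval."""
    heartbeat: int = 15
    ceiling: int = MAX_HEARTBEAT + 1   # smallest interval seen to outlive the path timeout
    ok_streak: int = 0
    lost_streak: int = 0
    synced: list = field(default_factory=list)
    history: list = field(default_factory=list)    # (time, interval requested, outcome)

    def round_trip(self, server, now):
        """One ping/response cycle; returns the simulated minute at which the client wakes."""
        requested = self.heartbeat
        status, folders, waited = server.ping(requested, now)
        self.history.append((now, requested, status))
        if status is None:
            self.ok_streak, self.lost_streak = 0, self.lost_streak + 1
            self.ceiling = min(self.ceiling, requested)
            if self.lost_streak >= CONFIRM_ROUNDS:  # network timed out: shorter-lived request
                self.heartbeat, self.lost_streak = MIN_HEARTBEAT, 0
        else:
            if status == "changed":                 # sync each changed folder, then ping again
                self.synced.extend(folders)
            self.ok_streak, self.lost_streak = self.ok_streak + 1, 0
            if self.ok_streak >= CONFIRM_ROUNDS:    # idle connection held: try a longer interval
                self.heartbeat = max(MIN_HEARTBEAT,
                                     min(requested + STEP, self.ceiling - 1, MAX_HEARTBEAT))
                self.ok_streak = 0
        return now + waited


def simulate(idle_timeout, rounds=20, changes=None, start=15):
    """Run the loop; returns (final heartbeat, synced folders, server events, history)."""
    server = Server(idle_timeout, dict(changes or {}))
    client = Client(heartbeat=start)
    now = 0
    for _ in range(rounds):
        now = client.round_trip(server, now)
    return client.heartbeat, client.synced, server.events, client.history


if __name__ == "__main__":
    # Constructed scenario: the path drops idle connections after 14 minutes, so the
    # client backs off from 15 to the 8-minute minimum and then climbs back to 14.
    final, _, _, history = simulate(idle_timeout=14, rounds=12)
    for t, requested, outcome in history:
        print(f"t={t:3d} min  ping heartbeat={requested:2d}  outcome={outcome}")
    print("converged heartbeat:", final)
```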
The Impact of Direct Push on Networks and Exchange Servers
The algorithm that sets the heartbeat also minimizes bytes sent over the air and maximizes battery life. Implementing data compression will reduce the packet sizes sent between the front end server and the client. However, the amount of bandwidth that is consumed and whether it will impact the user's data plan greatly depends on the following factors:
- What the user chooses to synchronize, such as more than the default folders.
- How much data is changed in the mailbox and on the mobile device.

The Impact of Changing the Direct Push Settings
To help you maintain adequate device performance during direct push, Microsoft recommends values for the various direct push settings.

Heartbeat Interval
The heartbeat interval is set on the device by the mobile operator. Using a heartbeat interval of 30 minutes has positive implications for battery life and bandwidth consumption. When direct push sessions are permitted to live longer (such as 30 minutes), there are fewer HTTP round trips, less data sent and received, and less power consumed by the device.
A heartbeat interval that is too short will keep the user always up to date, but will shorten battery life because of the constant pinging to the server.

Minimum Heartbeat
If a device that has a heartbeat below the minimum heartbeat level requests a connection to the Exchange server, the server logs an event to indicate to the administrator that direct push is not working.

Exchange Session
To have device information being up to date and yet still have the battery life as long as possible, the Exchange server session duration should be a little greater than the maximum heartbeat setting. If the server session is shorter, it may reach idle timeout causing it to drop the session. This would result in mail being undeliverable until the client reconnects, and the user could be unsynchronized for long periods of time.

Firewall Timeouts
The network idle connection timeout indicates how long a connection is permitted to live without traffic after a TCP connection is fully established.
The firewall session interval must be set to allow the heartbeat interval and Enterprise session interval to communicate freely. If the firewall closes the session, then mail would be undeliverable until the client reconnects, and the user could be unsynchronized for long periods of time. By setting the firewall session timeout equal to or greater than the idle timeout on the Operator network, the firewall will not close the session.

The following list shows how the firewalls' idle connection timeouts should be set:
- Operators need to set the idle connection timeouts on outgoing firewalls to 30 minutes.
- Enterprises also need to set timeouts on their incoming firewalls to 30 minutes.
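A review of one timeout chain against the guidance in this section, as an added example that is not part of the guide. The hop names, the sample path and the binding_timeout/review_timeouts helpers are constructed; the rules they encode are the page's: the shortest idle timeout on the path bounds the usable heartbeat, the Exchange session should be a little greater than the maximum heartbeat, and operator and enterprise firewalls should allow 30-minute idle connections.

```python
RECOMMENDED_FIREWALL_IDLE = 30   # minutes, for operator outgoing and enterprise incoming firewalls
MIN_HEARTBEAT = 8                # minutes; below this the server logs that direct push is not working


def binding_timeout(path):
    """path: list of (hop name, idle timeout in minutes).

    Returns (shortest timeout, hop that imposes it): the server's time limit for a ping
    is decided by the shortest timeout anywhere on the network path.
    """
    hop, minutes = min(path, key=lambda entry: entry[1])
    return minutes, hop


def review_timeouts(path, max_heartbeat, exchange_session):
    """Return a list of findings; an empty list means the chain can sustain direct push."""
    findings = []
    limit, hop = binding_timeout(path)
    if limit < MIN_HEARTBEAT:
        findings.append(f"{hop} drops idle connections after {limit} min, below the "
                        f"{MIN_HEARTBEAT} min minimum heartbeat: direct push will not work")
    elif limit < max_heartbeat:
        findings.append(f"{hop} limits the heartbeat to {limit} min; pings longer than that "
                        "are lost and the client backs off")
    if exchange_session <= max_heartbeat:
        findings.append(f"Exchange session ({exchange_session} min) must be a little greater "
                        f"than the maximum heartbeat ({max_heartbeat} min) or idle pings are dropped")
    for name, minutes in path:
        if "firewall" in name.lower() and minutes < RECOMMENDED_FIREWALL_IDLE:
            findings.append(f"{name}: idle timeout {minutes} min is below the recommended "
                            f"{RECOMMENDED_FIREWALL_IDLE} min")
    return findings


# Constructed sample path: the ISA Server idle session timeout and the operator firewall
# were never raised, so a 30-minute maximum heartbeat can never complete a round trip.
SAMPLE_PATH = [
    ("operator outgoing firewall", 20),
    ("enterprise incoming firewall", 30),
    ("ISA Server idle session timeout", 10),
]

if __name__ == "__main__":
    for finding in review_timeouts(SAMPLE_PATH, max_heartbeat=30, exchange_session=35):
        print("-", finding)
```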
$eb ser*ers, net&or/ security appliances, and system net&or/ stac/s ha*e se*eral time)basedthresholds that are intended to insulate them from insufficiently tested or malicious clients' @ou
can safely increase the idle connection timeout settin &ithout compromisin the security of the
net&or/'
In a direct push scenario, the connection is idle bet&een the time that the ?==P reuest is made
and either the time that the heartbeat inter*al e+pires or &hen the ser*er responds to the reuest
&ith a chane -such as &hen mail is recei*ed.' 3irect push ma/es no assumption as to the lenth
of its sessions )mail is deli*ered rapidly &hether the heartbeat inter*al is one minute or thirty
minutes'
Increasin the idle connection timeout typically does not increase or decrease the e+posure to
attac/' =he follo&in table sho&s e+amples of attac/s and describes ho& other settins are used
to mitiation e+posure to them'
DoS threat: A DoS attack is launched by failing to complete the handshake that is implicit in the creation of a TCP connection. The attacker attempts to create a large number of partially open TCP connections.
Mitigation of exposure to attack: Increasing the idle connection timeouts is unrelated to this type of attack. The time within which a TCP handshake must complete is a separate threshold that is governed by the Windows TCP/IP stack.

DoS threat: A DoS attack is launched against IIS by opening a large number of TCP connections but never issuing an HTTP request over any of them.
Mitigation of exposure to attack: Increasing the idle connection timeouts is unrelated to this type of attack. IIS mitigates this threat by requiring that a client submit a fully formed HTTP request within a certain time before dropping the connection. The name of the Connection Timeout setting in the IIS management console is misleading: TCP connections are closed when the Connection Timeout value is exceeded (120 seconds by default).

DoS threat: An attacker establishes a large number of TCP connections, issues HTTP requests over all of them, but never consumes the responses.
Mitigation of exposure to attack: Increasing idle connection timeouts is unrelated to this type of attack. This threat is mitigated by the same timeout as the previous scenario. The Connection Timeout setting in IIS defines the time within which a client must issue either its first request after a TCP connection is established or a subsequent request in an HTTP keep-alive scenario.
Network Architecture Alternatives

The choices that you have made in your network configuration and network design may affect the steps that you will need to take to upgrade your system to accommodate direct push technology and the Messaging & Security Feature Pack management features.

Deployment Options

The following table introduces some of the most common deployment configurations with the unique considerations for each. Follow the links to deployment documentation for each configuration.
Setup Type: ISA Server 2006 as an advanced firewall in a workgroup in the perimeter network (recommended)
Description:
- All of the Exchange servers are within the corporate network.
- FBA or Basic authentication is set up for Exchange ActiveSync, with SSL configured so that all clients negotiate an SSL link before connecting and all messaging traffic is encrypted.
- The ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.
- ISA Server 2006 communicates directly with LDAP and RADIUS servers.
- LDAP authentication: LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported. Every domain controller is an LDAP server and has a store of the Active Directory users' credentials. Because each domain controller can only authenticate the users in its domain, ISA Server by default queries the global catalog for a forest to validate user credentials.
- RADIUS authentication: RADIUS provides credentials validation. ISA Server is the RADIUS client, depending upon the RADIUS authentication response. Password changes are not possible.
Consideration:
- All Exchange traffic is preauthenticated, reducing surface area and risk.
- Client authentication is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID.
- Requires port 443 opened on the firewall for inbound and outbound Internet traffic.
- Requires a digital certificate in order to connect to the Configuration Storage server.
- Limited to one Configuration Storage Server (DMZ limitation).
- In case of firewall failure, the domain and Active Directory are inaccessible.
- Domain administrators do not have access to the firewall array.
- Workgroup clients cannot use Windows authentication.
- Requires management of mirrored accounts for monitoring arrays.
- For an overview of the process, see Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices.

Setup Type: ISA Server 2006 domain-joined in the perimeter network
Description:
- Exchange FE is in the Enterprise forest.
- As a domain member, ISA Server 2006 integrates with Active Directory.
- The DMZ forest trusts the Enterprise forest accounts.
- ISA Server 2006 authenticates requests at the ISA edge.
Consideration:
- Additional ports on the internal firewall are opened to facilitate domain member communication to Active Directory.
- Simplified deployment and administration of ISA Server arrays within the domain.
- Vulnerability of access across the domain in case of firewall failure.
- See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109215.

Setup Type: Third-party firewall
Description:
- Configure as an advanced firewall or surrounding a perimeter network.
- Encrypt all traffic between the mobile device and Exchange Server with SSL.
- Open port 443 inbound on each firewall between the mobile device and Exchange Server.
- Set the Idle Session Timeout to 30 minutes on all firewalls and network appliances on the path between the mobile device and the Exchange FE server to facilitate direct push technology.
Consideration:
- Consult the firewall manufacturer's documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout.

Setup Type: Single Exchange 2003 Server
Description:
- A single Exchange Server within the corporate network, behind a firewall.
- Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 using Kerberos authentication.
Consideration:
- Simple deployment for small to medium business.
- Requires the following setup steps on the ExAdmin virtual directory: turn off SSL Required; use Windows Integrated authentication.
- If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct push technology.
- For details, see Deployment on a Single Server in the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.
- See also the Microsoft KB article Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003: http://go.microsoft.com/fwlink/?LinkId=62660.

Setup Type: Windows Small Business Server 2003
Description:
- Exchange traffic is routed to the server running Windows SBS with port 443 open inbound.
- Exchange FE is behind the following firewalls: ISA Server 2004, Service Pack 1, which is included in Windows SBS Premium Edition, Service Pack 1; the built-in Routing and Remote Access firewall in Windows SBS; the UPnP™ hardware firewall.
- Certificates installed on devices provide SSL encryption and access.
Consideration:
- Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server 2003, providing simplified deployment.
- Requires desktop ActiveSync installed on a client computer.
- See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109220.

Setup Type: Exchange FE in the perimeter network (This option is not recommended for new mobile messaging solutions.)
Description:
- Exchange FE is in the perimeter network with firewalls between it and the Internet and the corporate network.
Consideration:
- Additional firewall ports are opened to enable direct push and facilitate the connection between the FE and BE servers: open port 443 inbound on the external firewall; open UDP port 2883 on the firewall between the Exchange FE and BE.
- See the Deployment with the Front End Server in a Perimeter Network section of the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=81200.
ISA Server 2006 as an Advanced Firewall in a Perimeter Network

In this configuration, all of the Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. This adds an additional layer of security to your network.

All incoming Internet traffic bound to your Exchange servers (for example, Microsoft Office OWA and remote procedure call (RPC) over HTTP communication from Microsoft Office Outlook 2003 clients) is processed by the ISA server. When the ISA server receives a request for an Exchange server, the ISA server terminates the connection and then proxies the request to the appropriate Exchange servers that are on your internal network. The Exchange servers on your network then return the requested data to the ISA server, which sends the information to the client through the Internet.

During installation of the ISA server, Microsoft recommends that you enable Secure Sockets Layer (SSL) encryption, and designate 443 as the SSL port. This leaves port 443 open as the "Web Listener" to receive Internet traffic. Microsoft also recommends that you set up basic authentication for Exchange ActiveSync, and that you require all clients to successfully negotiate an SSL link before connecting to the Exchange ActiveSync site directories. If you follow these recommendations, the Internet traffic that flows into and out of port 443 will be better protected.

When configured in Web-publishing mode, ISA Server 2006 provides protocol filtering and hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and pre-authentication.
The following illustration shows the recommended Exchange Server 2003 deployment for mobile messaging with ISA Server 2006.

Authentication in ISA Server 2006

Users can be authenticated using built-in Windows, LDAP, RADIUS, or RSA SecurID authentication. Front-end and back-end configuration has been separated, providing for more flexibility and granularity. Single sign-on is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace.

For most Enterprise installations, ISA Server 2006 with LDAP authentication is recommended. In addition, ISA Server 2006 enables certificate-based authentication with Web publishing. For more information, see Authentication in ISA Server 2006 on the Microsoft TechNet Web site: http://go.microsoft.com/fwlink/?LinkID=8
The following table summarizes some of the features of ISA Server 2006:

Feature: Support for LDAP authentication
Description: LDAP authentication allows ISA Server to authenticate to Active Directory without being a member of the domain. See this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=87069

Feature: Delegation of Basic authentication
Description: Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This prevents exploits from unauthenticated users from reaching the published Web server.

Feature: SecurID authentication for Web Proxy clients
Description: ISA Server 2006 can authenticate remote connections using SecurID two-factor authentication. This provides a high level of authentication security because a user must know something and have something to gain access to the published Web server.

Feature: RADIUS support for Web Proxy client authentication
Description: With ISA Server 2006, you can authenticate users in Active Directory and other authentication databases by using RADIUS to query Active Directory. Web publishing rules can also use RADIUS to authenticate remote access connections.

Feature: Session management
Description: ISA Server 2006 includes improved control of cookie-based sessions to provide for better security.

Feature: Certificate management
Description: ISA Server 2006 is improved to simplify certificate management and reduce the total cost of ownership associated with using certificates when publishing Web sites. It is possible to utilize multiple certificates per Web listener and to use different certificates per array member.
LDAP Authentication with ISA Server 2006

ISA Server 2006 supports Lightweight Directory Access Protocol (LDAP) authentication. LDAP authentication is similar to Active Directory® directory service authentication, except that the ISA Server computer does not have to be a member of the domain. ISA Server connects to a configured LDAP server over the LDAP protocol to authenticate the user. Every Windows domain controller is also an LDAP server by default, with no additional configuration changes required.

By using LDAP authentication, you get the following benefits:
- A server running ISA Server 2006 Standard Edition, or ISA Server 2006 Enterprise Edition array members, in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership.
- Authentication of users in a domain with which there is no trust relationship.

Instructions for configuring ISA Server for LDAP authentication are included in this document in Step 5: Install and Configure ISA Server 2006 or Other Firewall. For more information about configuring ISA Server for LDAP authentication, see Secure Application Publishing at the Microsoft TechNet Web site.
Deployment with ISA Server in a Perimeter Network

In this configuration, the mobile device uses the mobile operator's cellular data network to communicate over the Internet with an outer firewall that the organization uses to restrict traffic. The outer firewall port-forwards the EAS traffic (via SSL port 443) inbound to the inner third-party device, which forwards it to the Exchange Server 2003 for processing.

The figure below illustrates an end-to-end example of a typical over-the-air Exchange ActiveSync deployment.

To ensure that Microsoft Exchange ActiveSync functions correctly in this scenario, Microsoft recommends that port 443 inbound be opened on both third-party firewall products so that the Windows Mobile device can communicate directly with the Exchange Server. This is a network requirement for Exchange ActiveSync to work properly whether using Microsoft direct push technology (default setting) and/or Always Up-to-Date Notifications (optional).
Deployment on a Single Server

If your mobile messaging solution uses a single Exchange server, you may have to establish some special configurations to avoid conflicts on the virtual directory.

SSL Requirements and Forms-based Authentication

In a single-server configuration, Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 by using Kerberos authentication. Exchange ActiveSync cannot access the Exchange virtual directory if either of the following conditions is true:
- The Exchange virtual directory is configured to require SSL.
- Forms-based authentication is configured.

For more information about, and workarounds for, these configurations, see the following article in the Microsoft Knowledge Base:
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003. http://go.microsoft.com/fwlink/?LinkId=62660

Settings Required for Exchange ActiveSync Mobile Administration Web Tool Installation

When deployed in a single-server configuration, the Exchange ActiveSync Mobile Administration Web tool requires the default configuration on the ExAdmin virtual directory. By default, SSL is not turned on and the virtual directory uses Windows Integrated authentication.

In a single-server configuration, we recommend that you do the following on the ExAdmin virtual directory:
- Turn off SSL Required
- Use Windows Integrated authentication

Note:
The Exchange ActiveSync Mobile Administration Web tool should run in the ExchangeAppPool.

For more information, see the following article in the Microsoft Knowledge Base:
Error message when you try to use the Microsoft Exchange Server ActiveSync Web Administration tool to delete a partnership or to perform a Remote Wipe operation on a mobile device in Exchange Server 2003 SP2: (401) Unauthorized. http://support.microsoft.com/kb/916960/en-us
RSA SecurID Compatibility

RSA SecurID provides token-based authentication that requires user input and was not compatible with direct push technology, in which the device synchronizes automatically. RSA has updated the RSA Authentication Agent for Windows so that direct push technology and scheduled synchronization features function smoothly.

ISA Server 2006 works with SecurID token authentication. See the ISA Server 2006 documentation.

If you are using the RSA SecurID product, be sure to get the latest RSA SecurID software from the RSA Security Web site: http://go.microsoft.com/fwlink/?LinkId=109221

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003

Note:
Exchange Server 2003 SP2 forms-based authentication does not allow you to set the default domain setting in IIS to anything other than the default domain setting of \. This restriction is in place in order to support user logons that use the User Principal Name format. If the default domain setting in IIS is changed, Exchange System Manager resets the default domain setting to \ on the server.
You can change this behavior by customizing the Logon.asp page in the OWA virtual directory in IIS to specify your domain or to include a list of domain names. However, if you customize the Logon.asp page in the OWA virtual directory in IIS, your changes may be overwritten if you upgrade to, or re-install, Exchange Server 2003 SP2.
Deployment with the Exchange Front End Server in a Perimeter Network

If your deployment configuration has the Front-End Exchange server inside the DMZ or perimeter network, you may have to change the firewall settings to facilitate the direct push technology.

Note:
This option is not recommended for new mobile messaging solutions.

With direct push technology, whenever the back-end server receives e-mail or data to be transmitted to a mobile device, it sends a UDP notification to the front-end server. This transmission requires that UDP port 2883 be open on the firewall to allow one-way traffic from the back-end server to the front-end server.

For more information about the deployment of direct push technology and its impact on firewall configuration, see the Exchange Server blog article Direct push is just a heartbeat away at http://go.microsoft.com/fwlink/?LinkId=6

VPN Configuration

Windows Mobile 5.0-based devices provide native support for Virtual Private Network (VPN) access to a corporate network based on the PPTP or L2TP/IPSec VPN protocols.

Microsoft recommends using L2TP/IPSec connections, as these connections require both device-level authentication through certificates and user-level authentication through a PPP authentication protocol. L2TP/IPSec relies on the existing infrastructure for Windows Mobile-based devices to connect to internal company resources such as file shares, Web servers, and mobile line-of-business applications. For an example deployment of VPN with Windows Server 2003, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109222.

For more information about securing VPN access, see "How ISA Server 2004 Provides SSL VPN Functionality for Outlook Web Access and RPC over HTTP" at http://go.microsoft.com/fwlink/?LinkID=6
Best Practices for Deploying a Mobile Messaging Solution

Best practices for deploying a mobile messaging solution on your corporate network are recommendations that will help you ensure the smooth operation of, and provide a high level of security for, your mobile messaging solution.

Network Configuration

Regardless of the network configuration you implement, there are some best practices that will strengthen your mobile messaging solution.

Best Practice: Use Front-end and Back-end Configuration for Exchange Servers

A front-end and back-end configuration is recommended for multiple-server organizations that use Exchange ActiveSync, Outlook Web Access (OWA), Post Office Protocol (POP), or Internet Message Access Protocol (IMAP), and that want to provide HTTP, POP, or IMAP access to their employees. In this architecture, a front-end server accepts requests from clients, and then proxies those requests to the appropriate back-end server for processing. The front-end and back-end architecture allows the front-end server to handle the Secure Sockets Layer (SSL) encryption, thus enabling the back-end servers to increase overall e-mail performance. This configuration scales well and provides a measure of security by limiting access to the front-end server.

Securing the messaging environment also involves disabling those features and settings on the front-end server that are not necessary in a front-end and back-end server architecture.

For more information about front-end and back-end server architecture, see Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology at http://go.microsoft.com/fwlink/?LinkId=62643.

Best Practice: Configuring your Firewall for Optimal Direct Push Performance

Direct push technology requires an established connection between the server and the client. No data is sent over this connection unless there is e-mail or data to be transmitted, or the device needs to reestablish its connection with the server. This means that the maximum length of the connection is determined by the lowest network timeout in the path between the device and the server.
With good network coverage, the maximum timeout will be determined by the connection timeout that is enforced by the firewalls that handle Internet traffic to your Exchange front-end servers. If you keep the timeout very low, you will force the device to reconnect several times, which will quickly drain its battery. The following illustration shows the recommended firewall settings.

As a best practice, you should adjust the connection timeout of your firewall and any other network appliances in the path to ensure that direct push functionality works efficiently. In order to optimize battery life, we recommend a timeout period of 30 minutes.
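The timeout chain that this best practice, the earlier Firewall Timeouts section, and the DoS table describe, worked through as an added example (Python written for this page, not code from the guide): it finds the hop whose idle timeout bounds the heartbeat, checks the rule that the Exchange session must outlast the maximum heartbeat, and shows that raising an idle timeout does not extend a connection that never sends an HTTP request. Hop names and timeout values are constructed.

```python
"""Direct push timeout-chain check.

Added example (not code from the Microsoft guide). It models two rules the guide states:
the heartbeat is bounded by the lowest idle timeout on the path between device and
Exchange (operator firewall, enterprise firewall, the Exchange session itself), and the
IIS Connection Timeout is a separate threshold that applies only while no HTTP request is
outstanding. Hop names and timeout values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RECOMMENDED_IDLE_TIMEOUT_S = 30 * 60   # the guide recommends 30 minutes on every hop
IIS_CONNECTION_TIMEOUT_S = 120         # IIS default quoted in the guide's DoS table


@dataclass
class Hop:
    """A device-to-Exchange network element and its idle timeout for established TCP sessions."""
    name: str
    idle_timeout_s: int


@dataclass
class PathReport:
    effective_max_heartbeat_s: int      # longest a heartbeat request can wait before being cut
    limiting_hop: str                   # the hop that enforces that bound
    reconnects_per_hour: float          # how often the device must re-establish its session
    findings: List[str] = field(default_factory=list)


def analyze_path(hops: List[Hop], server_session_s: int, device_heartbeat_s: int) -> PathReport:
    """Apply the guide's timeout rules to a path and report what a defender should fix."""
    # The Exchange session duration is the last link in the chain.
    chain = hops + [Hop("Exchange session", server_session_s)]
    limiting = min(chain, key=lambda h: h.idle_timeout_s)
    # A heartbeat longer than the bound is cut early, so the device reconnects at the bound.
    effective_heartbeat = min(device_heartbeat_s, limiting.idle_timeout_s)
    report = PathReport(limiting.idle_timeout_s, limiting.name, 3600 / effective_heartbeat)

    for hop in hops:
        if hop.idle_timeout_s < RECOMMENDED_IDLE_TIMEOUT_S:
            report.findings.append(
                f"{hop.name}: idle timeout {hop.idle_timeout_s}s is below the 30-minute recommendation")
    if server_session_s <= device_heartbeat_s:
        # Guide: the session duration should be a little greater than the maximum heartbeat.
        report.findings.append(
            f"Exchange session {server_session_s}s must exceed the maximum heartbeat {device_heartbeat_s}s")
    if device_heartbeat_s > limiting.idle_timeout_s:
        report.findings.append(
            f"heartbeat {device_heartbeat_s}s exceeds {limiting.name} ({limiting.idle_timeout_s}s): "
            "the session drops before the server answers and mail waits until the device reconnects")
    return report


def connection_close_time(request_at_s: Optional[int], path_idle_timeout_s: int,
                          iis_connection_timeout_s: int = IIS_CONNECTION_TIMEOUT_S) -> Tuple[int, str]:
    """Seconds after the TCP handshake at which a connection carrying no traffic is closed.

    request_at_s is when the client sends a well-formed HTTP request, or None if it never
    does (the second row of the guide's DoS table). Until a request arrives only the IIS
    Connection Timeout applies; once a long-poll request is outstanding, the path idle
    timeout decides how long it may be held open. Returns (seconds, governing threshold).
    """
    if request_at_s is None or request_at_s > iis_connection_timeout_s:
        return iis_connection_timeout_s, "IIS Connection Timeout"
    return request_at_s + path_idle_timeout_s, "path idle timeout"


if __name__ == "__main__":
    # Constructed path: the operator kept a 10-minute default, the enterprise set 30 minutes.
    path = [Hop("operator firewall", 10 * 60), Hop("enterprise firewall", 30 * 60)]
    rep = analyze_path(path, server_session_s=31 * 60, device_heartbeat_s=30 * 60)
    print(f"heartbeat bounded to {rep.effective_max_heartbeat_s}s by {rep.limiting_hop}; "
          f"about {rep.reconnects_per_hour:.0f} reconnects per hour")
    for finding in rep.findings:
        print(" -", finding)
    # Raising the idle timeout from 120s to 30 minutes leaves a request-less connection unchanged.
    for idle in (120, 30 * 60):
        print(f"idle timeout {idle}s, no request ever sent ->", connection_close_time(None, idle))
```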
For a technical discussion of direct push technology, see Understanding the Direct Push Technology in this document.
Security: Authentication and Certification

Security for communication between the Exchange server and client mobile devices can be increased by using SSL for encryption and server authentication, and by using Web publishing to protect incoming traffic.

The following best practices will help you build a more secure mobile messaging solution.

Best Practice: Use SSL for Encryption and Server Authentication

To protect outgoing and incoming data, deploy SSL to encrypt all traffic. You can configure SSL security features on an Exchange server to verify the integrity of your content and the identity of users, and to encrypt network transmissions. The Exchange server, just like any Web server, requires a valid server certificate to establish SSL communications.
Windows Mobile 5.0-based devices are shipped with trusted root certificates. Check with your device manufacturer for a current list of the certificate authorities that shipped with your device. If you obtain your server certificate from one of these trusted authorities, your client mobile devices should be ready to establish SSL communications with no further configuration. If you create your own certificates, you must add your root certificate to the root store of each mobile device.

Note:
Some server certificates are issued with intermediate authorities in the certification chain. If IIS is not configured to send all certificates in the chain to the mobile device during the SSL handshake, the device will not trust the certificate, because the device does not support dynamically retrieving the other certificates.

For more information about obtaining server certificates, see "Obtaining and Installing Server Certificates" in the Exchange Server 2003 Client Access Guide at http://go.microsoft.com/fwlink/?LinkId=62628.

For more information about root certificates for mobile devices, see Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device.
Best Practice: Determine and Deploy a Device Password Policy

You can now use Exchange Server SP2 together with Windows Mobile 5.0-based devices that have the Messaging and Security Feature Pack to configure a central security policy that requires all users with mobile devices that access the Exchange server to protect their device with a password.

Within this central security policy, there are several attributes you can configure, including the length of the password (the default is four characters), the use of characters or symbols in the password, and how long the device can be inactive before it prompts the user for the password again. One of these policies is the wipe device after failed attempts option, which allows you to specify whether you want the device memory wiped after multiple failed logon attempts.

Once you have determined your device security policies, you must deploy them by using Exchange System Manager's Mobile Services Properties. When your users connect their device to the Exchange server, sign in, and accept the security policies, your policies will be sent to the device. The policies will not be enforced until they have been accepted on the device by the user. You can set the interval at which the device security policies will be automatically refreshed on the device.

For more information on setting security policies, see Configuring Security Settings for Mobile Devices in Step 6: Configure and Manage Mobile Device Access on the Exchange Server.
Best Practice: Use Web Publishing with Basic Authentication
For many companies, Basic authentication over an encrypted channel (SSL) is an acceptable security requirement. Basic authentication carries the user's name and password in the request itself (base-64 encoded, not encrypted), so it is acceptable only when the Exchange ActiveSync virtual directory requires SSL and those credentials are never accepted over plain HTTP. These companies can further secure their mobile deployment by using ISA Server 2004 or ISA Server 2006 to Web publish the Exchange Server 2003 front-end servers. The benefit of ISA's Web publishing capabilities is that ISA has built-in logic to distinguish well-formed Exchange ActiveSync requests, so it can help protect the Exchange front-end server from malicious requests.
As a best practice, Web publishing is easier to implement and provides a higher level of security than server publishing, although larger companies that plan to use client certificate-based authentication with ISA Server 2004 must implement server publishing (see the next section).
Server publishing, also known as tunneling, provides network/transport-layer protection, whereas Web publishing, also known as bridging, provides application-layer protection. Web publishing is only possible when SSL is terminated on the ISA Server computer. With server publishing, ISA Server 2004 sees only encrypted traffic, so it cannot perform tasks such as protocol hygiene that require it to inspect the request contents; in that configuration ISA Server 2004 offers protection only at the network/transport layers.
Best Practices for Using Certificate-based Authentication
For certificate-based authentication to work correctly with Exchange ActiveSync, the client certificate must be presented to the server that validates it, so the enterprise firewall must be configured to allow the Exchange front-end server to terminate the SSL connection. For this reason, Web publishing does not work with certificate-based authentication on ISA Server 2004. ISA Server 2006, however, supports Kerberos constrained delegation: ISA can terminate the SSL connection, validate the client certificate itself, and then authenticate to the Exchange front-end server on the user's behalf, so with ISA Server 2006 you can choose between server publishing (tunneling) and Web publishing (SSL bridging) between the ISA computer and the Exchange front-end server.
An overview of the process for deploying certificate-based authentication is provided in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Microsoft has provided several tools to help an Exchange administrator configure and validate client certificate authentication.
For more information about the Exchange ActiveSync Certificate-based Authentication tool, see the Tools for Exchange Server 2003 Web site at http://go.microsoft.com/fwlink/?LinkId=62656.
Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices
This document presents the recommended deployment with ISA Server 2006 as an advanced firewall in a perimeter network. This configuration and other options are described in Network Architecture Alternatives.
For detailed information about additional deployments, see the following appendices in this document:
    Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication
    Appendix B: Install and Configure an ISA Server 2004 Environment
Deployment Process Overview
The following steps summarize deployment with ISA Server 2006 as an advanced firewall in a perimeter network.
Step 1: Upgrade to Exchange Server 2003 SP2
Step 2: Update All Servers with Security Patches
Step 3: Protect Communications Between the Mobile Devices and Your Exchange Server
    Deploy SSL to encrypt messaging traffic
    Enable SSL on the Default Web Site
    Configure basic authentication for the Exchange ActiveSync virtual directory
    Optional: Configure certificate-based authentication (See Appendix A.)
    Optional: Update RSA SecurID Agent
    Set Up LDAP Servers
    Protect IIS by Limiting Potential Attack Surfaces
Step 4: Protect Communications Between the Exchange Server 2003 SP2 Server and Other Servers
    Use IPSec to Encrypt IP Traffic (Recommended)
Step 5: Install and Configure ISA Server 2006 or Other Firewall
    Install ISA Server 2006 (Recommended)
    Install server certificate on the ISA Server computer
    Configure ISA Server with your LDAP server set
    Create the Exchange ActiveSync Publishing Rule by Using Bridging
    Set All Firewall Idle Session Time-out Settings to 30 Minutes
    Test OWA and Exchange ActiveSync
Step 6: Configure and Manage Mobile Device Access on the Exchange Server
    Enable Exchange ActiveSync for All Users
    Enable User Initiated Synchronization
    Enable direct push technology
    Set Security Policy Settings for Mobile Devices
    Monitor Mobile Performance on Exchange Server
Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool
Step 8: Manage and Configure Mobile Devices
    Set up Mobile Connection to Exchange Server
    Use the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices
    Provision or Configure Mobile Devices
Step 1: Upgrade to Exchange Server 2003 SP2
Exchange Server 2003 SP2 includes Exchange ActiveSync, the synchronization protocol that keeps the Exchange mailbox synchronized with client mobile devices. By default, Exchange ActiveSync is enabled.
Exchange Server 2003 SP2 contains new features that work with the Windows Mobile 5.0 Messaging and Security Feature Pack to help you improve the deployment, security, and management of mobile devices.
Note:
To use mobile devices with the Windows Mobile 5.0 Messaging and Security Feature Pack, you must upgrade your front-end Exchange server to Exchange Server 2003 SP2. Back-end mailbox servers can remain at Exchange 2003 RTM or SP1. However, we recommend that you upgrade both front-end and back-end servers to take advantage of the updates in SP2.
How to Upgrade to Exchange Server 2003 SP2
Download the Service Pack 2 for Exchange Server 2003 file from the Microsoft Exchange Server TechCenter Web site at http://go.microsoft.com/fwlink/?LinkId=62644.
Follow the directions provided to upgrade your Exchange servers to SP2.
Step 2: Update All Servers with Security Patches
To help ensure that your mobile messaging network is strong from end to end, take this opportunity to update all of your servers.
After you install Exchange Server 2003 SP2 on your front-end server, update the server software on your other Exchange servers and on any other server that Exchange communicates with, such as your global catalog servers and your domain controllers.
For more information about updating your software with the latest security patches, see the Exchange Server Security Center Web site.
For more information about Microsoft security, see the Microsoft Security Web site.
Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server
To help protect the communications between Windows Mobile-based devices and your Exchange front-end server, follow these steps:
    Deploy SSL to encrypt messaging traffic.
    Enable SSL on the default Web site.
    Configure basic authentication for the Exchange ActiveSync virtual directory.
Note:
If you plan to use certificate authentication instead of basic authentication, refer to Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
Note:
If you are using RSA SecurID, you must update the RSA Authentication Agent.
    Protect IIS by limiting potential attack surfaces.
See Best Practices for Deploying a Mobile Messaging Solution in this document for more information about authentication and certificates.
Deploying SSL to Encrypt Messaging Traffic
To protect incoming and outgoing e-mail, deploy SSL to encrypt messaging traffic. SSL on the Exchange front-end server protects the integrity of content in transit, lets devices verify the identity of the server (and, if you deploy client certificates, lets the server verify the identity of users), and encrypts the network transmission.
The steps involved in configuring SSL for Exchange ActiveSync are:
1. Obtaining and installing a server certificate
2. Validating installation
3. Backing up the server certificate
4. Enabling SSL for the Exchange ActiveSync virtual directory
Note
To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type the following command:
    runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"
Obtaining and Installing a Server Certificate
After you obtain a server certificate, you will install the server certificate, verify the installation of the server certificate, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.
To obtain a server certificate from a Certificate Authority (CA)
1. Log on to the Exchange server by using an Administrator account.
2. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. Double-click the server name to view the Web sites. Right-click Default Web Site, and then click Properties.
4. Click the Directory Security tab. The following illustration shows the IIS Manager window and the Directory Security tab. Under Secure Communications, click Server Certificate.
5. In the Welcome to the Web Server Certificate Wizard dialog box, click Next, click Create a new certificate, and then click Next.
6. Click Prepare the request now, but send it later, and then click Next.
Note:
Ensure that Select cryptographic service provider (CSP) for this certificate is not selected. On the same Name and Security Settings page, choose a bit length of at least 2048 for the key; 1024-bit RSA keys are no longer considered adequate for a certificate that will protect user credentials and mailbox data.
8. In the Organization Information dialog box, type a name in the Organization text box (for example, type <CompanyName>) and in the Organizational unit text box (for example, type <IT Department>), and then click Next.
9. In the Your Site's Common Name dialog box, type the fully qualified domain name of your server or cluster for Common name (for example, type webmail.mycompany.com), and then click Next. This is the domain name that your client mobile devices will access, so it must match exactly the name the devices are configured to connect to.
10. In the Geographical Information dialog box, select Country/region (for example, US), and type State/province (for example, <State>) and City/locality (for example, <City>), and then click Next.
11. In the Certificate Request File Name dialog box, keep the default of C:\Newkeyrq.txt (where C: is the drive on which your OS is installed), and then click Next.
12. In the Request File Summary dialog box, review the information and then click Next. The following illustration shows an example of a Request File Summary.
13. You should receive a success message when the certificate request is complete. Click Finish.
Next, you must request a server certificate from a valid CA. To do this, you must access the Internet or an intranet, depending on the CA that you choose, by using a properly configured Web browser.
The steps detailed here are for accessing the Web site for your CA. For a production environment, you will probably request a server certificate from a trusted CA over the Internet. If you use an internal CA instead, its root certificate must be installed on every device before the devices will trust the server (see Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device).
To submit the certificate request
1. Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft CA Web site, http://<server_name>/certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.
2. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
3. On your local server, navigate to the location of the C:\Newkeyrq.txt file that you saved previously.
4. Double-click to open the C:\Newkeyrq.txt file in Notepad. Select and copy the entire contents of the file.
5. On the CA Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server. The following illustration shows an example of a Submit a Certificate Request page.
6. Click inside the Saved Request box, paste the contents of the file into the box, and then choose Submit. The contents in the Saved Request dialog box should look similar to the following example:
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIDXzCCAsgCAQAwgYMxLDAqBgNVBAMTI2toYWx...
    -----END NEW CERTIFICATE REQUEST-----
Next, you must install the certificate.
To install the certificate
1. Start Internet Information Services (IIS) Manager and expand <DomainName>.
2. Right-click Default Web Site and then click Properties. In the Properties dialog box, select the Directory Security tab. Under Secure Communications, click Server Certificate.
3. In the Certificate Wizard dialog box, click Next.
4. Select Process the pending request and install the certificate. Click Next.
5. Navigate to, or type, the location and file name for the file containing the server certificate, certnew.txt, that is located on the desktop, and then click Next.
6. Select the SSL port that you wish to use. We recommend that you use the default SSL port, which is Port 443.
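As an added example, not part of the guide, the following Python checks the certificate that devices will actually see once it is installed: that the name the devices connect to matches the certificate's DNS name (the common name from step 9, or a subjectAltName entry), and that the validity window is sane. validate_peer_cert() works on the dictionary that ssl.SSLSocket.getpeercert() returns, so it runs offline against the constructed SAMPLE_CERT below; fetch_and_validate() makes the live TLS connection a device would. The host name webmail.mycompany.com is the guide's example name, and the root_ca_pem argument (the root certificate that Appendix D installs on devices) is an assumption for deployments that use a private CA.

```python
"""Check the server certificate that mobile devices will see on the Exchange
ActiveSync endpoint (added example, not from the guide).

SAMPLE_CERT is constructed data in ssl.SSLSocket.getpeercert() layout, not a
real certificate; webmail.mycompany.com is the guide's example host name.
"""
import socket
import ssl
import time
from typing import Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label (*.mycompany.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def validate_peer_cert(cert: dict, hostname: str, now: Optional[float] = None,
                       min_days_left: int = 30) -> list:
    """Return a list of problems with the certificate ([] means it is usable).

    `cert` has the layout of ssl.SSLSocket.getpeercert(): subject RDNs, a
    subjectAltName tuple, and notBefore/notAfter strings such as
    'Feb 15 00:00:00 2008 GMT'.
    """
    problems = []
    now = time.time() if now is None else now
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # older certificates carry the name only in the subject CN
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn
                 if key == "commonName"]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: devices connect to {hostname} but the "
                        f"certificate is for {names}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if now < not_before:
        problems.append("not yet valid")
    elif days_left < 0:
        problems.append("expired")
    elif days_left < min_days_left:
        problems.append(f"expires in {days_left:.0f} days")
    return problems


def fetch_and_validate(hostname: str, port: int = 443,
                       root_ca_pem: Optional[str] = None) -> list:
    """Connect as a device would and validate the certificate the server presents.

    The default context already rejects an untrusted chain or a name mismatch
    during the handshake; validate_peer_cert() adds the expiry window.  Pass
    root_ca_pem (assumed path to the private CA's root certificate) when the
    certificate did not come from a CA in the system trust store.
    """
    ctx = ssl.create_default_context(cafile=root_ca_pem)
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return validate_peer_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain verification failed: {exc.verify_message}"]
    except (OSError, ssl.SSLError) as exc:
        return [f"connection or handshake failed: {exc}"]


# Constructed certificate data in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "CompanyName"),),
                (("organizationalUnitName", "IT Department"),),
                (("commonName", "webmail.mycompany.com"),)),
    "subjectAltName": (("DNS", "webmail.mycompany.com"),),
    "notBefore": "Feb 15 00:00:00 2008 GMT",
    "notAfter": "Feb 15 00:00:00 2010 GMT",
}

if __name__ == "__main__":
    check_time = ssl.cert_time_to_seconds("Jun 01 00:00:00 2009 GMT")
    print(validate_peer_cert(SAMPLE_CERT, "webmail.mycompany.com", now=check_time))
    print(validate_peer_cert(SAMPLE_CERT, "mail.mycompany.com", now=check_time))
    # Live check against the published front-end server (needs network access):
    # print(fetch_and_validate("webmail.mycompany.com"))
```

Run the live check from outside the perimeter, against the name the devices use, after the ISA publishing rule is in place: a certificate that validates on the Exchange server itself but is presented through ISA with a different name, or without the intermediate chain the devices need, fails on the device with only a generic error.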
Validating Installation