    Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

    Microsoft Corporation

    Published: February 15, 2008

    Introduction

    Document Structure

    Deploying Mobile Messaging: Introduction

    Assumptions

    Software Requirements

    Optional Items

    Deployment Process Summary

    Planning Resources

    Messaging and Security Feature Pack Overview

    Features

    Security Features

    Advanced Security Features

    Administering the Messaging and Security Feature Pack

    Understanding the Direct Push Technology

    Direct Push Technology

    Network Architecture Alternatives

    Deployment Options

    ISA Server 2006 as an Advanced Firewall in a Perimeter Network

    Deployment with ISA Server in a Perimeter Network

    Deployment on a Single-Server

    Forms-based Authentication

    Deployment with the Exchange Front End Server in a Perimeter Network

    VPN Configuration

    Best Practices for Deploying a Mobile Messaging Solution

    Network Configuration

    Security: Authentication and Certification

    Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices

    Deployment Process Overview

    Step 1: Upgrade to Exchange Server 2003 SP2

    How to Upgrade to Exchange Server 2003 SP2

    Step 2: Update All Servers with Security Patches

    Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server

    Deploying SSL to Encrypt Messaging Traffic

    Enabling SSL for the Default Web Site

    Configuring Basic Authentication

    Protect IIS by Limiting Potential Attack Surfaces

    See Also

    Step 4: Protect Communications Between the Exchange Server and Other Servers

    Using IPSec to Encrypt IP Traffic

    See Also

    Step 5: Install and Configure ISA Server 2006 or Other Firewall

    Install ISA Server 2006

    Install a Server Certificate on the ISA Server Computer

    Create the Exchange ActiveSync Publishing Rule

    Configure ISA Server 2006 for LDAP Authentication

    Set the Idle Session Timeout for All Firewalls and Network Appliances to 1800 seconds

    Test Exchange Publishing Rule

    Step 6: Configure and Manage Mobile Device Access on the Exchange Server

    Configuring Mobile Access

    Configuring Security Settings for Mobile Devices

    Monitoring Mobile Performance on Exchange Server 2003 SP2

    Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool

    Download the Mobile Administration Web Tool

    Step 8: Manage and Configure Mobile Devices

    Setting Up a Mobile Device Connection to Exchange Server

    Using the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices

    Provisioning or Configuring the Windows Mobile 5.0-based Device

    Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication

    Configuring the Firewall for Certificate-based Authentication

    Software Requirements for Certificate-Based Authentication

    Downloading the Certificate Enrollment Tool

    System Requirements for the Certificate Enrollment Tool

    Steps to Enable Certificate-Based Authentication

    Configuring Exchange Server 2003 Front-End Server

    Configure Kerberos Constrained Delegation

    Configure Servers to be Trusted for Delegation

    Configure Windows Mobile Certificate Enrollment

    Overview of Certificate Enrollment Configuration

    Appendix B: Install and Configure an ISA Server 2004 Environment

    Installing ISA Server 2004

    Creating the Exchange ActiveSync Publishing Rule Using Web Publishing

    Configuring the Hosts File Entry

    Setting the ISA Server 2004 Idle Session Timeout

    Testing OWA and Exchange ActiveSync

    Testing OWA

    Testing Exchange ActiveSync

    See Also

    Appendix C: Troubleshooting a Mobile Messaging Solution

    Logging and Troubleshooting Tools

    Monitoring Mobile Performance on Exchange Server 2003 SP2

    ISA Server Best Practices Analyzer

    Issues Related to Direct Push Technology

    General Direct Push Troubleshooting Tips

    Path Troubleshooting Direct Push

    Verify Direct Push Initialization

    Troubleshooting Direct Push Using Logs

    Push Mail and GAL Lookup missing when syncing to Exchange 2003 SP2 with a MSFP Device.

    Issues Related to ISA Server 2006

    Double Authentication Required after Upgrading from ISA Server 2004

    Log Off when the User Leaves Site Feature Removed

    Windows Mobile Users Receive Error 401 Unauthorized

    Users Receive Access Denied Error Message

    Certificate Implementation Issues on the Server

    Communication Issues between the Front-end and Back-end Exchange Servers

    Frequently Asked Questions

    Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device

    Creating the Provisioning XML to Install a Certificate to the Root Store

    Creating a .cab File that Contains the Provisioning XML

    Distributing the CAB Provisioning File

