
    Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices


    This document presents the recommended deployment with ISA Server 2006 as an advanced firewall in a perimeter network. This configuration and other options are described in Network Architecture Alternatives.

    For detailed information about additional deployments, see the following appendices in this document:



      Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication

      Appendix B: Install and Configure an ISA Server 2004 Environment


    Deployment Process Overview


    The following steps summarize deployment with ISA Server 2006 as an advanced firewall in a perimeter network.

    Step 1: Upgrade to Exchange Server 2003 SP2

    Step 2: Update All Servers with Security Patches

    Step 3: Protect Communications Between the Mobile Devices and Your Exchange Server

       Deploy SSL to encrypt messaging traffic

       Enable SSL on the Default Web Site

       Configure basic authentication for the Exchange ActiveSync virtual directory

       Optional: Configure certificate-based authentication (See Appendix A.)

       Optional: Update RSA SecurID Agent

       Set Up LDAP Servers

       Protect IIS by Limiting Potential Attack Surfaces



    Step 4: Protect Communications Between the Exchange Server 2003 SP2 Server and Other Servers

       Use IPSec to Encrypt IP Traffic (Recommended)

    Step 5: Install and Configure ISA Server 2006 or Other Firewall

       Install ISA Server 2006 (Recommended)

       Install server certificate on the ISA Server computer

       Configure ISA Server with your LDAP server set

       Create the Exchange ActiveSync Publishing Rule by Using Bridging

       Set All Firewall Idle Session Time-out Settings to 30 Minutes

       Test OWA and Exchange ActiveSync



    Step 6: Configure and Manage Mobile Device Access on the Exchange Server

       Enable Exchange ActiveSync for All Users

       Enable User Initiated Synchronization

       Enable direct push technology

       Set Security Policy Settings for Mobile Devices

       Monitor Mobile Performance on Exchange Server


    Step 7: Install the Exchange ActiveSync Mobile Administration Web Tool

    Step 8: Manage and Configure Mobile Devices

       Set up Mobile Connection to Exchange Server

       Use the Exchange ActiveSync Mobile Administration Web Tool to Track Mobile Devices

       Provision or Configure Mobile Devices

    Step 1: Upgrade to Exchange Server 2003 SP2


    Exchange Server 2003 SP2 includes Exchange ActiveSync, the synchronization protocol that keeps the Exchange mailbox synchronized on client mobile devices. By default, Exchange ActiveSync is enabled.

    Exchange Server 2003 SP2 contains new features that work with the Windows Mobile 5.0 Messaging and Security Feature Pack to help you to improve the deployment, security, and management of mobile devices.



    Note:

    To use mobile devices with the Windows Mobile 5.0 Messaging and Security Feature Pack, you must upgrade your front-end Exchange server to Exchange Server 2003 SP2. Back-end mailbox servers can remain at Exchange 2003 RTM or SP1. However, we recommend that you upgrade both front-end and back-end servers to take advantage of the updates in SP2.


    How to Upgrade to Exchange Server 2003 SP2


    Download the Service Pack 2 for Exchange Server 2003 file from the Microsoft Exchange Server TechCenter Web site.

    Follow the directions provided to upgrade your Exchange servers to SP2.


    Step 2: Update All Servers with Security Patches


    To help you ensure that your mobile messaging network is strong from end to end, take this opportunity to update all of your servers.

    After you install Exchange Server 2003 SP2 on your front-end server, update the server software on your other Exchange servers and on any other server that Exchange communicates with, such as your global catalog servers and your domain controllers.

    For more information about updating your software with the latest security patches, see the Exchange Server Security Center Web site.

    For more information about Microsoft security, see the Microsoft Security Web site.


    Step 3: Protect Communications Between Windows Mobile-based Devices and Your Exchange Server


    To help protect the communications between Windows Mobile-based devices and your Exchange front-end server, follow these steps:

       Deploy SSL to encrypt messaging traffic.

       Enable SSL on the default Web site.

       Configure basic authentication for the Exchange ActiveSync virtual directory.


    Note:

    If you plan to use certificate-based authentication instead of basic authentication, refer to Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.



    Note:

    If you are using RSA SecurID, you must update the RSA Authentication Agent.



       Protect IIS by limiting potential attack surfaces

    See Best Practices for Deploying a Mobile Messaging Solution in this document for more information about authentication and certification.

    Deploying SSL to Encrypt Messaging Traffic


    To protect incoming and outgoing e-mail, deploy SSL to encrypt messaging traffic. You can configure the SSL security features on an Exchange server to verify the integrity of your content, to verify the identity of users, and to encrypt network transmissions.

    The steps involved in configuring SSL for Exchange ActiveSync are:



      1. Obtaining and installing a server certificate

      2. Validating installation

      3. Backing up the server certificate

      4. Enabling SSL for the Exchange ActiveSync virtual directory



    Note:

    To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator. From the command prompt, type the following command (note the space between mmc and the path to the IIS Manager console):

    runas /user:administrative_accountname "mmc %systemroot%\system32\inetsrv\iis.msc"

    Obtaining and Installing a Server Certificate


    After you obtain a server certificate, you will install the server certificate, verify the installation of the server certificate, and back it up. When you use the Web Server Certificate Wizard to obtain and install a server certificate, the process is referred to as creating and assigning a server certificate.

    To obtain a server certificate from a Certificate Authority (CA)

      1. Log on to the Exchange server by using an Administrator account.

      2. Click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

      3. Double-click the ServerName to view the Web sites. Right-click Default Web Site, and then click Properties.

      4. Click to select the Directory Security tab. The following illustration shows the IIS Manager window and the Directory Security tab. Under Secure Communications, click Server Certificate.





      5. In the Welcome Web Server Certificate Wizard dialog box, click Next, click Create a new certificate, and then click Next.

      6. Click Prepare the request now, but send it later, and then click Next.

      7. In the Name and Security Settings dialog box, type a name for your server certificate (for example, type ), click Bit length of 1024, and then click Next. The following illustration shows the Name and Security Settings dialog box.




    Note:

    Ensure that Select cryptographic service provider is not selected.



      8. In the Organization Information dialog box, type a name in the Organization text box (for example, type ) and in the Organizational unit text box (for example, type ), and then click Next.

      9. In the Your Site’s Common Name dialog box, type the fully qualified domain name of your server or cluster for Common name (for example, type ), and then click Next. This will be the domain name that your client mobile devices will access.

      10. In the Geographical Information dialog box, click Country/region (for example, US), State/province (for example, ) and City/locality (for example, ), and then click Next.

      11. In the Certificate Request Filename dialog box, keep the default of C:\NewKeyRq.txt (where C: is the drive on which your operating system is installed), and then click Next.

      12. In the Request File Summary dialog box, review the information and then click Next. The following illustration shows an example of a Request File Summary.

      13. You should receive a success message when the certificate request is complete. Click Finish.

    Next, you must request a server certificate from a valid CA. To do this, you must access the Internet or an intranet, depending on the CA that you choose, by using a properly configured Web browser.

    The steps detailed here are for accessing the Web site for your CA. For a production environment, you will probably request a server certificate from a trusted CA over the Internet.



    To submit the certificate request

      1. Start Microsoft Internet Explorer. Type the Uniform Resource Locator (URL) for the Microsoft CA Web site, http:///certsrv/. When the Microsoft CA Web site page displays, click Request a Certificate, and then click Advanced Certificate Request.

      2. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded PKCS#10 file, or submit a renewal request by using a base-64 encoded PKCS #7 file.

      3. On your local server, navigate to the location of the C:\NewKeyRq.txt file that you saved previously.

      4. Double-click to open the C:\NewKeyRq.txt file in Notepad. Select and copy the entire contents of the file.

      5. On the CA Web site, navigate to the Submit a Certificate Request page. If you are prompted to pick the type of certificate, select Web Server. The following illustration shows an example of a Submit a Certificate Request page.




      6. Click inside the Saved Request box, paste the contents of the file into the box, and then choose Submit. The contents in the Saved Request dialog box should look similar to the following example:

    -----BEGIN NEW CERTIFICATE REQUEST-----

    MIIDXzCCAsgCAQAwgYMxLDAqBgNVBAMTI2toYWxpZHM0LnJlZG1vbmQuY29ycC5taWNyb3NvZnQuY29tMREwDwYDVQQLEwhNb2JpbGl0eTEMMAoGA1UEChMDTVRQMRAwDgYDVQQHEwdSZWRtb25kMRMwEQYDVQQIEwpXYXNoaW5ndG9uMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAs0sV2UZ1WAX2ou F5S34 6M3A32tJ5qp c7zliu4SMkcgebhnt2IMMeF5ZMD2IqfhWu49nu1vLtGHK5wWgHYTC3rTFabLZJ1bNtXKB/BWWOsmSDYg/A7 oCZB4rHJmpc0Yh4OjbQKkr64KM67r8jGEPYGMAzf2DnUg3xUt9pbBECAwEAAaCCAZkwGgYKKwYBBAGCNw0CAzEMFgo1LjAuMjE5NS4yMHsGCisGAQQBgjcCAQ4xbTBrMA4GA1UdDwEB/wQEAwIE8DBEBgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcNAwcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgf0GCisGAQQBgjcNAgIxge4wgesCAQEeWgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBBACAAUwBDAGgAYQBuAG4AZQBsACAAQwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHYAaQBkAGUAcgOBiQCO5g/Nk lsuAJZideg15faBLqe4jiiytYeVBApxLrtUlyWEQuWdPeEFv0GWvsjQGwn WC5m9kVNmcLVsx41QtGDXtuETFOD6dSi/M9wmEy8bsbcNHXs sntX56AcCxBXh1ALaE4YaE6e/zwmE/0/Cmyje3a2olE5rlk1FFIlKTDwAAAAAAAAAAMA0GCSqGSIb3DQEBBQUAA4GBAAr7zjg2ykZoFUYt1 EgK106jRsLxJcoqj0oEg575eAlUgbN1e2i/L2RWju7cgo9W7uwwpBIaEqd6LJ6s1BRpZz0yeJTDzGIXByG5O6kouk 0H WHCj2yI30zik8aSyCQ3rQbNvHoURDmWqv9Rp1BDC1SNQLEzDgZjKPrsGZAVLb

    -----END NEW CERTIFICATE REQUEST-----


      7. On the Certificate Issued page, click DER encoded, and then click Download certificate.

      8. In the File Download dialog box, click Save this file to disk, and then click OK. Keep the default setting to save the file to the desktop, and click Save.

      9. Close Internet Explorer.


    At this point, a server certificate exists on your desktop that can be imported into the Exchange server certificate store.

    Next, you must install the certificate.



    To install the certificate

      1. Start Internet Information Service (IIS) Manager and expand

      2. Right-click Default Web Site and then click Properties. In the Properties dialog box, select the Directory Security tab. Under Secure Communication, click Server Certificate.

      3. In the Certificate Wizard dialog box, click Next.

      4. Select Process the Pending Request and install the certificate. Click Next.

      5. Navigate to, or type, the location and file name for the file containing the server certificate, certnew.txt, that is located on the desktop, and then click Next.

      6. Select the SSL port that you wish to use. We recommend that you use the default SSL port, which is Port 443.

      7. In the Certificate Summary Information dialog box, click Next, and then click Finish.



    Validating Installation


    To verify the installation, you can view the server certificate.

    To view the server certificate

      1. In the Default Web Site Properties dialog box, click Directory Security. Under Secure Communications, select View Certificate. The following illustration shows the Certificate dialog box.



      2. At the bottom of the Certificate dialog box, a message displays indicating that a private key is installed, if appropriate. Click OK to close the Certificate dialog box.

    Note:

    If the certificate does not show that the server holds the private key that corresponds to the certificate, over-the-air synchronization will not work.



    In order for the authentication to function, you must add the CA to the Trusted Root CA list.

    To add a CA to the trusted root CA list

      1. Start Internet Explorer and type the URL for your Certificate Authority. For example, if you received your server certificate from the CA that you configured earlier, type http:///certsrv.

      2. Click Download a CA certificate, certificate chain, or CRL, and then click Download CA certificate on the next page as well. In the File download dialog box, click Save this file to disk, and then click OK.

      3. Type a server certificate Name (for example, ) and then save the file to the desktop.

      4. Navigate to the desktop. Right-click the file that you created in step 3, and then click Install Certificate. In the Certificate Import Wizard dialog box, click Next.

      5. Click Place all certificates in the following store, and then click Browse. Select the Trusted Root Certification Authorities folder, and then click OK. The following illustration shows the Select Certificate Store dialog box.


    Note:

    You may use the Intermediate Certification Authorities store instead of the Trusted Root Certification Authorities store.

      6. Click Next. A dialog box appears stating that the certificate is being added to the trusted certificate store; click Yes. Click Finish, and a message confirms that the import was successful.

    Backing up the Server Certificate


    You can use the Web Server Certificate Wizard to back up server certificates. Because IIS works closely with Windows, you can use Certificate Manager, which is called Certificates in Microsoft Management Console (MMC), to export and to back up your server certificates.

    If you do not have Certificate Manager installed in MMC, you must add Certificate Manager to MMC.



    To add Certificate Manager to MMC

      1. From the Start menu, click Run.

      2. In the Open box, type mmc, and then click OK.

      3. On the File menu, click Add/Remove Snap-in.

      4. In the Add/Remove Snap-in dialog box, click Add.

      5. The following illustration shows the Add/Remove Snap-in and Add Standalone Snap-in dialog boxes. In the Available Standalone Snap-ins list, click Certificates, and then click Add.




      6. Click Computer Account, and then click Next.

      7. Click the Local computer (the computer that this console is running on) option, and then click Finish.

      8. Click Close, and then click OK.


    With Certificate Manager installed, you can back up your server certificate.

    To back up your server certificate

      1. Locate the correct certificate store. This store is typically the Local Computer store in Certificate Manager.

    Note:

    When you have Certificate Manager installed, it points to the correct Local Computer certificate store.

      2. In the Personal store, click the server certificate that you want to back up.

      3. On the Action menu, point to All tasks, and then click Export.

      4. In the Certificate Manager Export Wizard, click Yes, export the private key.

      5. Follow the wizard default settings, and type a password for the server certificate backup file when prompted.

    Note:

    Do not select Delete the private key if export is successful, because this option disables your current server certificate.

      6. Complete the wizard to export a backup copy of your server certificate.

    After you configure your network to issue server certificates, you must protect your Exchange front-end server and its services by requiring SSL communication to the Exchange front-end server. The following section describes how to enable SSL for your default Web site.
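    The procedures in Obtaining and Installing a Server Certificate, Validating Installation and Backing up the Server Certificate are carried out above through the IIS Web Server Certificate Wizard, the CA Web site and the Certificates MMC snap-in. The script below is an added example, not part of this guide, that reproduces the same workflow with OpenSSL so that each check can be run from a shell: it generates the PKCS#10 request, has a CA issue the certificate, verifies that the certificate carries the matching private key, that its common name is the FQDN the devices will use and that the chain builds to the CA placed in the trusted root store, and finally exports a password-protected backup with the private key and proves the backup opens again. It assumes the openssl binary is on the PATH; the FQDN mail.example.com, the organization fields, the "Example Lab CA" standing in for the certsrv enrollment site, and the backup password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Microsoft guide): the obtain / issue / validate /
# back-up certificate workflow done with OpenSSL so each step is checkable.
# Assumes the openssl binary is installed. Every name below is constructed for
# the example: the FQDN, the organization fields, the lab CA and the password.
set -e

WORK="${WORK:-$(mktemp -d)}"
FQDN="mail.example.com"          # common name the mobile devices will connect to
PFX_PASSWORD="backup-passw0rd"   # constructed password for the backup file

# Step 1: "Prepare the request now, but send it later": private key plus a
# base-64 PKCS#10 request (the text pasted into the CA's Saved Request box).
# The guide's wizard selects a 1024-bit key; 2048 bits is used here and
# validate_install checks the size.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/NewKeyRq.txt" \
        -subj "/C=US/ST=Washington/L=Redmond/O=Contoso/OU=Mobility/CN=$FQDN" \
        >/dev/null 2>&1
    grep -q "CERTIFICATE REQUEST" "$WORK/NewKeyRq.txt"
}

# Step 2: a lab CA issues the certificate from the request (stands in for the
# certsrv Submit a Certificate Request page); certnew.cer is the download.
issue_from_lab_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Lab CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/NewKeyRq.txt" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/certnew.cer" >/dev/null 2>&1
}

# Step 3: validate the installation. Mirrors the guide's checks: the server
# holds the private key matching the certificate (the View Certificate
# "private key" message), the common name is the FQDN the devices use, and the
# chain builds to the CA added as a trusted root. Returns 0 only if all pass.
validate_install() {
    cert_mod=$(openssl x509 -noout -modulus -in "$WORK/certnew.cer")
    key_mod=$(openssl rsa -noout -modulus -in "$WORK/server.key")
    [ "$cert_mod" = "$key_mod" ] \
        || { echo "private key does not match certificate"; return 1; }
    openssl x509 -noout -subject -in "$WORK/certnew.cer" | grep -q "CN *= *$FQDN" \
        || { echo "common name is not $FQDN"; return 1; }
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/certnew.cer" >/dev/null 2>&1 \
        || { echo "chain does not build to the trusted root CA"; return 1; }
    bits=$(openssl x509 -noout -text -in "$WORK/certnew.cer" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] \
        || { echo "key too small: ${bits:-unknown} bits"; return 1; }
}

# Step 4: back up certificate plus private key, as the MMC export does
# ("Yes, export the private key", password-protected PFX), then confirm the
# backup opens with that password and still carries the key.
backup_certificate() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/certnew.cer" \
        -certfile "$WORK/ca.crt" -out "$WORK/server-backup.pfx" \
        -passout "pass:$PFX_PASSWORD" >/dev/null 2>&1
    openssl pkcs12 -in "$WORK/server-backup.pfx" -passin "pass:$PFX_PASSWORD" \
        -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"
}

run_workflow() {
    make_request && issue_from_lab_ca && validate_install && backup_certificate
}

run_workflow && echo "certificate validated; backup written to $WORK/server-backup.pfx"
```

    The functions are kept separate so that validate_install alone can be pointed at an existing certnew.cer and server.key: the modulus comparison is the offline equivalent of the private-key message in the View Certificate check, and a mismatch is the condition under which the guide says over-the-air synchronization will not work.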
