    Network Architecture Alternatives


    The choices that you have made in your network configuration and network design may affect the steps that you will need to take to upgrade your system to accommodate direct push technology and the Messaging & Security Feature Pack management features.

    Deployment Options


    The following table introduces some of the most common deployment configurations with the unique considerations for each.

    Follow the links to deployment documentation for each configuration.



    Setup Type

    Description

    Consideration

    Setup Type: Firewall in workgroup in perimeter network (ISA Server 2006 recommended)

    Description:

       All of the Exchange servers are within the corporate network.

       FBA or Basic authentication.

       SSL configured for Exchange ActiveSync to encrypt all messaging traffic.

       ISA Server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.

       ISA Server 2006 communicates directly with LDAP and RADIUS servers.

    Consideration:

       LDAP authentication:

          LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported.

          Every domain controller is an LDAP server. The LDAP server has a store of the Active Directory users' credentials.

          Because each domain controller can only authenticate the users in its own domain, ISA Server by default queries the global catalog for the forest to validate user credentials.

       RADIUS authentication:

          RADIUS provides credential validation.

          ISA Server is the RADIUS client and relies on the RADIUS server's authentication response.

          Password changes are not possible.

       All Exchange traffic is preauthenticated, reducing surface area and risk.

       Client authentication is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID.

       Requires port 443 opened on the firewall for inbound and outbound Internet traffic.

       Requires a digital certificate in order to connect to the Configuration Storage server.

       Limited to one Configuration Storage server (ADAM limitation).

       Domain administrators do not have access to the firewall array.

       Workgroup clients cannot use Windows authentication.

       Requires management of mirrored accounts for monitoring arrays.




    Setup Type: ISA Server 2006 domain-joined in perimeter network

    Description:

       Exchange FE in the Enterprise forest.

       As a domain member, ISA Server 2006 integrates with Active Directory.

    Consideration:

       Additional ports on the internal firewall must be opened to allow domain member communication with Active Directory.

       IPsec can be configured between the ISA server and the Exchange server to eliminate the need for the additional open ports.

       Simplified deployment and administration of ISA Server arrays within the domain.

       See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109217.




    Setup Type: Firewall in separate domain with one-way trust

    Description:

       Exchange FE in the Enterprise forest.

       ISA Server 2006 as domain controller of its own DMZ forest.

       A one-way trust is created, so the DMZ forest trusts the Enterprise forest accounts.

       ISA Server 2006 authenticates requests at the ISA edge.

    Consideration:

       All Exchange traffic is preauthenticated, reducing surface area and risk.

       Complex to configure.

       Scales well across an Enterprise solution.

       For detailed instructions, see Using ISA Server 2004 with Exchange Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109215.



    Setup Type: Single Exchange 2003 Server

    Description:

       Single Exchange server within the corporate network, behind a firewall.

       Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 using Kerberos authentication.

    Consideration:

       Simple deployment for small to medium business.

       Requires the following setup steps on the ExAdmin virtual directory:

          Turn off SSL Required.

          Use Windows Integrated authentication.

       If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct push technology.

       For details, see Deployment on a Single Server in the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.

       See also the Microsoft KB article "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003": http://go.microsoft.com/fwlink/?LinkId=62660.


    Setup Type: Windows Small Business Server 2003

    Description:

       Exchange traffic is routed to the server running Windows SBS with port 443 open inbound.

       Exchange FE is behind the following firewalls:

          ISA Server 2004 Service Pack 1, which is included in Windows SBS Premium Edition Service Pack 1

          The built-in Routing and Remote Access firewall in Windows SBS

    Consideration:

       Certificates installed on devices provide SSL encryption and access.

       Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server 2003, providing simplified deployment.

       Requires desktop ActiveSync installed on a client computer.

       See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109220.


    Setup Type: Exchange FE in the perimeter network

    (This option is not recommended for new mobile messaging solutions.)

    Description:

       Exchange FE is in the perimeter network with firewalls between it and the Internet and the corporate network.

       Additional firewall ports opened to enable direct push and facilitate connection between FE and BE servers:

          Open port 443 inbound on the external firewall.

          UDP port 2883 open on the firewall between the Exchange FE and BE.

    Consideration:

       See the "Deployment with the Front End Server in a Perimeter Network" section of the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=81200.

    Setup Type: ISA Server as an advanced firewall in a workgroup in perimeter network

    Description:

       All of the Exchange servers are within the corporate network.

       Set up FBA or Basic authentication for Exchange ActiveSync, so all clients negotiate an SSL link before connecting.

       ISA Server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic.

       ISA Server 2006 communicates directly with LDAP and RADIUS servers.

    Consideration:

       LDAP authentication:

          LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported.

          Every domain controller is an LDAP server. The LDAP server has a store of the Active Directory users' credentials.

          Because each domain controller can only authenticate the users in its own domain, ISA Server by default queries the global catalog for the forest to validate user credentials.

       RADIUS authentication:

          RADIUS provides credential validation.

          ISA Server is the RADIUS client and relies on the RADIUS server's authentication response.

          Password changes are not possible.

       Client authentication is possible with Windows, Kerberos, LDAP, LDAPS, RADIUS, or RSA SecurID.

       Requires port 443 opened on the firewall for inbound and outbound Internet traffic.

       Requires a digital certificate in order to connect to the Configuration Storage server.

       In case of firewall failure, the domain and Active Directory are inaccessible.

       Domain administrators do not have access to the firewall array.

       Workgroup clients cannot use Windows authentication.

       Requires management of mirrored accounts for monitoring arrays.

       For an overview of the process, see Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices.



    Setup Type: ISA Server 2006 domain-joined in perimeter network

    Description:

       Exchange FE in the Enterprise forest.

       As a domain member, ISA Server 2006 integrates with Active Directory.

    Consideration:

       Additional ports on the internal firewall must be opened to allow domain member communication with Active Directory.

       Simplified deployment and administration of ISA Server arrays within the domain.

       Vulnerability of access across the domain in case of firewall failure.

       See Publishing Exchange Server 2003 with ISA Server 2006 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109217.



    Setup Type: Firewall in separate domain with one-way trust

    Description:

       Exchange FE in the Enterprise forest.

       ISA Server 2006 as domain controller of its own DMZ forest.

       A one-way trust is created, so the DMZ forest trusts the Enterprise forest accounts.

       ISA Server 2006 authenticates requests at the ISA edge.

    Consideration:

       All Exchange traffic is preauthenticated, reducing surface area and risk.

       Scales well across an Enterprise solution.

       For detailed instructions, see Using ISA Server 2004 with Exchange Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109215.


    Setup Type: Third-party firewall

    Description:

       Configure as an advanced firewall or surrounding a perimeter network.

       Encrypt all traffic between the mobile device and Exchange Server with SSL.

       Open port 443 inbound on each firewall between the mobile device and Exchange Server.

       Set the Idle Session Timeout to 30 minutes on all firewalls and network appliances on the path between the mobile device and the Exchange FE server to facilitate direct push technology.

    Consideration:

       Consult the firewall manufacturer's documentation for instructions on opening port 443 inbound and setting the Idle Session Timeout.
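    The 30-minute Idle Session Timeout requirement is easier to reason about with a small model of what direct push actually does on the wire: the device holds an HTTPS request open and idle until mail arrives or its heartbeat interval expires, so the hop with the shortest idle timeout decides how long the device can wait. The following Python script is an added example, not part of the Microsoft guide; the heartbeat adaptation it models (lengthen the interval while the server's reply still arrives, back off once a hop drops the session) is a simplified assumption rather than the real client algorithm, and the hop names, timeouts, interval bounds and step size are constructed sample values. It audits a path for hops below the 30-minute setting and shows the reconnect cost of leaving one in place.

```python
"""Added example (not from the Microsoft guide): why every firewall on the
path needs an Idle Session Timeout of at least 30 minutes for direct push.

Direct push keeps an HTTPS request open and idle while the server waits for
new mail; any hop whose idle timeout is shorter than the device's heartbeat
interval tears the session down first.  The adaptive heartbeat below is a
simplified model, not the real client algorithm; hop names and timeouts are
constructed sample values.
"""
from dataclasses import dataclass

REQUIRED_IDLE_TIMEOUT_S = 30 * 60      # the guide's 30-minute setting


@dataclass(frozen=True)
class Hop:
    name: str
    idle_timeout_s: int                # idle seconds before the hop drops a TCP session


def effective_idle_timeout(path):
    """The session lives only as long as the most aggressive hop allows."""
    return min(hop.idle_timeout_s for hop in path)


def hops_to_fix(path, required_s=REQUIRED_IDLE_TIMEOUT_S):
    """Names of hops whose idle timeout is below the required value."""
    return [hop.name for hop in path if hop.idle_timeout_s < required_s]


def negotiate_heartbeat(path, start_s=8 * 60, step_s=60, min_s=60,
                        max_s=REQUIRED_IDLE_TIMEOUT_S):
    """Simplified heartbeat adaptation (an assumed model, not the real client).

    The device starts at start_s, lengthens the interval by step_s while the
    server's reply still arrives, and backs off by step_s when the session is
    cut before the reply.  Returns (settled interval, attempts needed).
    """
    limit = effective_idle_timeout(path)
    interval = start_s
    attempts = 0
    last_good = None
    while True:
        attempts += 1
        if interval <= limit:          # reply arrives before any hop drops the session
            last_good = interval
            if interval >= max_s:
                break                  # reached the server-side maximum
            interval = min(interval + step_s, max_s)
        else:                          # session torn down mid-wait
            if last_good is not None:
                break                  # keep the last interval that worked
            interval -= step_s
            if interval < min_s:
                raise RuntimeError("path cannot sustain even the minimum heartbeat")
    return last_good, attempts


def reconnects_per_day(heartbeat_s):
    """Each heartbeat expiry is a fresh HTTPS round trip (battery and log noise)."""
    return 86_400 // heartbeat_s


def audit_path(path):
    """Summarise a path: effective timeout, settled heartbeat, and hops to fix."""
    heartbeat, _ = negotiate_heartbeat(path)
    return {
        "effective_idle_timeout_s": effective_idle_timeout(path),
        "settled_heartbeat_s": heartbeat,
        "reconnects_per_day": reconnects_per_day(heartbeat),
        "hops_to_fix": hops_to_fix(path),
    }


# Constructed sample path: device -> Internet edge firewall -> ISA Server
# -> internal firewall -> Exchange FE.  The edge firewall still has a
# (constructed) vendor default of 5 minutes.
BROKEN_PATH = [
    Hop("internet-edge-fw", 5 * 60),
    Hop("isa-2006", 30 * 60),
    Hop("internal-fw", 30 * 60),
]
# Same path after the timeout on every hop has been raised to the guide's value.
FIXED_PATH = [Hop(h.name, max(h.idle_timeout_s, REQUIRED_IDLE_TIMEOUT_S))
              for h in BROKEN_PATH]

if __name__ == "__main__":
    for label, path in (("before", BROKEN_PATH), ("after", FIXED_PATH)):
        print(label, audit_path(path))
```

    Running the script prints the audit before and after the fix: with one 5-minute hop left in place the heartbeat settles at 5 minutes and the device reconnects 288 times a day instead of 48, which is the symptom (short-lived sessions, battery drain, a flood of new HTTPS connections in the firewall and IIS logs) that the 30-minute setting is meant to prevent.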

    Setup Type: Single Exchange 2003 Server

    Description:

       Single Exchange server within the corporate network, behind a firewall.

       Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 using Kerberos authentication.

    Consideration:

       Simple deployment for small to medium business.

       Requires the following setup steps on the ExAdmin virtual directory:

          Turn off SSL Required.

          Use Windows Integrated authentication.

       If using RSA SecurID, update the RSA Authentication Agent to ensure compatibility with direct push technology.

       For more information, see "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003": http://go.microsoft.com/fwlink/?LinkId=62660.



    Setup Type: Windows Small Business Server 2003

    Description:

       Exchange traffic is routed to the server running Windows SBS with port 443 open inbound.

       Exchange FE is behind the following firewalls:

          ISA Server, which is included in Windows SBS Premium Edition

          The built-in Routing and Remote Access firewall in Windows SBS

          The UPnP™ hardware firewall

    Consideration:

       Certificates installed on devices provide SSL encryption and access.

       Exchange ActiveSync and ISA Server are integrated with Windows Small Business Server 2003, providing simplified deployment.

       Requires desktop ActiveSync installed on a client computer.

       See Deploying Windows Mobile 5.0 with Windows Small Business Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=109220.

    Setup Type: Exchange FE in the perimeter network

    (This option is not recommended for new mobile messaging solutions.)

    Description:

       Exchange FE is in the perimeter network with firewalls between it and the Internet and the corporate network.

       Additional firewall ports opened to enable direct push and facilitate connection between FE and BE servers:

          Open port 443 inbound on the external firewall.

          UDP port 2883 open on the firewall between the Exchange FE and BE.




