Wednesday, July 23, 2008

iPhone v2.0 & Enabling Mobility on SBS 2003

Enabling Mobility on SBS 2003

This Post is designed for Microsoft Small Business Specialists. These steps are for professionals and if you are a "do IT yourself'r" then I highly recommend you invest in a professionals time to assist you. You will help yourself in at least two ways: you can concentrate on what you do best and bring in more money; and, you will save yourself from having to spend more when things o south. Find a local professional using http://www.microsoft.com/smallbusiness/hub.mspx.

In the wake of iPhone 2.0, many executives are wanting their iPhones connected to their Exchange Servers. You may have previously enabled IMAP, but we all know Exchange-ActiveSync is the right way to go (plus this enables Windows Mobile devices without the need for a Good Server). In order to support Windows Mobile devices (and the iPhone version 2) on a Microsoft Small Business Server 2003 running Exchange 2003, several things need to be done. The following instructions I generated after spending too much time researching this issue and I hope you find them as useful as I do. The standard legal stuff applies, these directions are provided without warranty, follow at your own peril.

When you need to do this for the first time at a clients’ site and you want some help, just let me know, I am happy to co-consult with my fellow SBSC.

- Tim Carney tim@sfbaylink.com

  1. Open HTTPS (port 443) on the firewall and point towards the server, please be careful, there are several things you should do before opening up your server to the outside to make it secure.
  2. Install a third-party SSL certificate. For future compatibility when migrating to Exchange 2007 without ISA, I use http://www.comodo.com/msexchange/, otherwise I use http://www.dotster.com/other/ssl/123.
    a. Follow http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx until you reach the Title “Transferring the SSL Certificate to the Default Web Site”
    b. If you are not running with ISA then continue with Transferring the SSL Certificate to the Default Web Site.
    c. But, if you are running ISA then install the certificate on to the two listening ports in ISA and leave the self-generated certificate on the Default Web Site. (I am looking for a good document for this step.)
  3. Exchange SP2 should be installed (this is already done if R2 has been installed).
  4. Enable RPC over HTTP on Exchange.
  5. Run CEICW and enable Outlook Mobile Access.
  6. Check Active Directory Users to make sure Mobile Services are enabled if not add users to Mobile Users.
  7. Enable Direct Push on the server
    a. Ensure that SP2 for Exchange Server 2003 is installed on the server.
    b. Open Exchange System Manager.
    c. Expand Global Settings.
    d. Right-click Mobile Services, and then click Properties.
    e. Verify that the Enable Direct Push over HTTP(s) check box is selected.
  8. Install the Exchange Server ActiveSync Web Admin Tool on SBS
    If you are trying to get familiar with the Microsoft Exchange Server ActiveSync Web Administration Tool on your Small Business Server computer to take advantage of the new Mobile Security Features that will be introduced in the Windows Mobile 5.0 Messaging & Security Feature Pack, you will need to follow the steps below to get the web interface functioning properly on your Small Business Server computer:
    a. Download the Mobile Admin pack
    http://www.microsoft.com/downloads/details.aspx?FamilyID=e6851d23-d145-4dbf-a2cc-e0b4c6301453&DisplayLang=en
    b. Backup the metabase in IIS (right click the servername in IIS -> all tasks -> backup/restore -> create backup)
    c. TEMPORARILY set the default website to “all unassigned” (if it is not already)
    d. Run MobileAdmin.exe that you downloaded in step 1.
    e. You can also run OWAAdmin.exe at this point too for web based admin of OWA.
    f. Reset IIS back to the way it was before step 3, if applicable
    g. Open the properties for the ExAdmin virtual directory under the default website -> directory security -> Edit for Secure Communications and uncheck “Require SSL”
    h. Restart the IIS Admin service
    i. You should now be able to browse http://servername/mobileadmin and also select users to manage.
    Note this interface allows 2 options: 1) Wipe the device and 2) delete the partnership. “Wipe the device” is self explanatory - we remove all user-specific information from the device and return it to factory default (like a hard reset). So what is “delete the partnership” you ask? Well, when a device synchs with Exchange it pushes some information to Exchange so that the server knows about the device. This information is referred to as a “partnership” (not to be confused with an ActiveSync partnership -no relation). You can remove this partnership information by using the “delete” option on the MobileAdmin page. When would you want to “delete” a partnership. One scenario is if only one user cannot synch with Exchange when previously he/she could. It may be that this “partnership” is confused. Simply “delete” the device partnership on the MobileAdmin page and then resynch with the device. After deleting the partnership, resynch with the device. You should see a new partnership appear on the MobileAdmin page and hopefully the device synchs successfully.
  9. Define and enforce security policies for mobile devices
    a. On the server, open Exchange System Manager.
    b. Expand Global Settings.
    c. Right-click Mobile Services, and then click Properties.
    d. Click the Device Security button.
    e. In the Device Security Settings dialog box, configure the device security policy for Windows Mobile devices.
    f. Enforce, Minimum 4 Characters, 20 minutes of inactivity, Wipe after 3 failed attempts, refresh settings every 1 hour
    g. If you do not want to apply the policy to some user accounts, click the Exceptions button, and then add the user accounts to the exceptions list.
    h. Click OK.
  10. Double check and fine-tune installation by following
    http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

No comments: