Chances and Risks
Each administrator and responsible business should never forget that mobile access everywhere and at all times is nice to have. However it is worth discussing the risk of what would happen if a mobile device is stolen and what the value of this information is for one of your competitors. It is not only a employee’s calendar, it is more: e.g. a calendar can describe a lot of the business needs and plans of a company.
On the other hand making personal information available for mobile use can optimize your business workflows internally and can provide your sales personnel with the ability to act as soon as possible to realize your customers’ needs.
So the biggest issue for implementing mobile access is to make sure that you minimize the risks of publishing internal information to the public. And you should make sure that you do not block your users with security needs. Your work as administrator is firstly to plan the most secure way to use mobile devices without maximizing the risks for your valuable company information.
Configuring Mobile Access
Microsoft has implemented two big solutions for mobile access in Exchange Server 2003. In the following we will provide detailed information for these topics. The support of each of these tools depends upon the device update of .NET Framework environment. On average, once a year, Microsoft provides a new device update for supporting more mobile devices. As of today we have device update 4 available, with Exchange Server 2003 Microsoft delivers device update 2. Here you get a detailed overview of what devices are supported:
http://www.asp.net/mobile/testeddevices.aspx?tabindex=6
a) Outlook Mobile Access
If you want to access your mailbox using a smart phone or another WAP device you can use Outlook Mobile Access (OMA). But because of security reasons do not forget to implement SSL.
If you want to configure Outlook Mobile Access, you firstly need to activate this feature using Exchange Systems Manager.
Fig. 1: Enabling Outlook Mobile Access
If you want to configure explicitly who should have access to OMA you can use the Exchange Task Wizard in Active Directory Users and Computers to configure it. The URL you should use is https://servername.domain.tld/oma and then you will be able to view your mailbox on your mobile phone as well.
If you want to allow non supported devices as well you can enable this feature, too. But this means you as administrator have to test these devices on your own and use it at your own risk.
In Outlook Mobile Access you can use nearly all the features you can use with Outlook access, too.
Fig. 2: Connecting to Outlook Mobile Access with WAP
If you don’t have any WAP device available you can use any WAP Emulator to test this configuration, even with Internet Explorer or Microsoft’s smartphone emulator, that’s available via download at:
b) Active Server Sync
If you want more and are using PDAs, you have the possibility of configuring Active Server Sync with Exchange Server 2003. Most of you already know Active Sync from a client side, if you have been using PDAs for some time. But you have had to run your desktop workstation when you wanted to synchronize with your PDA. This is no longer necessary.
SSL is a must for this synchronization, too. This means you should add the root certificate of your own CA using the well-known AddRootCert-Tool. Now let’s go on with the configuration of your Exchange Server 2003 box in detail.
Generally you have three options for Synchronization:
Fig. 3: Options for configuring Exchange Active Sync
- User Initiated Synchronization
With this option you can generally allow each user to synchronize his Exchange information with his mobile device. If you uncheck this button, no Active Sync is possible at all.
- Up-to-Date Notifications
If you use this second option you can allow each user to receive notifications in order to keep their mobile devices up-to-date with information on their Exchange server.
- Notifications to User Specified SMTP addresses
The third and last option allows your users to use their own wireless service provider to receive notifications via SMTP. If you configure this, you have to configure a new mobile carrier for each wireless service provider. This can be done by right clicking mobile services and then choosing New Mobile Carrier.
Fig. 4: Configuring Mobile Carrier
If you now want to choose specific users, giving them specific configurations for Mobile Access, this can be done in the users properties in Active Directory Users and Computers:
Fig. 5: Configuring Exchange Features in User Properties
Even though, if you do not have any Active Sync device available you can test this with different emulators such as Microsoft’s Pocket PC Emulator that can be downloaded at:
Conclusion
As you have seen in this overview, the possibilities for using mobile devices and synchronizing them with your Exchange Server 2003 means you do not have a lot to configure. Most of these features are built-in. But this easy configuration may often lead to just enabling these features without thinking about the security risks. Mobile Access nowadays is very interesting. Mobile devices can be bought cheap than ever before.
So each Exchange Server administrator should finish his risk analysis for his company first. Having done this he knows about the security requirements and based on this analysis he now can successfully configure mobile access for these employees who really need it. As often stated in computer industries: “less is more”. If you implement mobile access, never forget to implement SSL for communications and a secure authentication strategy with e.g. certificate based logon.
If there are any questions please do not hesitate to contact me via http://www.mklein-it.com/aboutme/feedback.htm
