BT Office Anywhere Configuring Mobile Outlook Email Synchronisation with Exchange Server
Contents
1 Introduction ............................................................... 3
2 Skill Level ................................................................ 3
3 Requirements ............................................................... 4
4 Enabling Outlook Email on the Mobile Device ................................ 5
4.1 Configuring the Server to Synchronise with the Mobile Device ............. 5
4.2 Configuring the Mobile Device to Synchronise with the Exchange Server .... 6
4.3 To Test the Email Synchronisation ........................................ 6
5 Deploying Certificate Based Security ....................................... 7
5.1 Purchase a Valid Certificate from a Public Certification Authority ....... 7
5.2 Generate a Certificate Using Your Own Certification Authority ............ 8
5.2.1 Setting up the Certification Authority ................................. 8
5.2.2 Generating an SSL Certificate for the Exchange Virtual Server in Internet Information Server ... 8
5.2.3 Exporting the Root Certificate from the Certification Authority ........ 9
5.2.4 Installing the Root Certificate to a Mobile Device ..................... 9
5.3 To Test an SSL Implementation ............................................ 9
6 Further Help and Contact Details .......................................... 10
Date: 8 October 2007 Page 2 of 10
1 Introduction
This guide is intended to assist an IT Administrator in configuring a company's Exchange server for use with Office Anywhere. It contains a summarised set of instructions that need to be performed to send and receive email from your Office Anywhere handset.

2 Skill Level
The intended audience for this document is Windows Server or Exchange Server Administrators. To complete the steps in this document, a good understanding of managing the appropriate Exchange Server type for your business is required:
- Microsoft Exchange Server 2003 Service Pack 2, or
- Microsoft Exchange Server 2007, or
- Microsoft Windows Small Business Server
3 Requirements
For each prerequisite below, "Check" says how to determine whether you are already compliant and "Install/Upgrade" says what to do if you are not.

1 BT Office Anywhere mobile handset with the Windows Mobile 5.0 (or later) operating system.
Check: On the mobile, click the Start button and select Settings, then About; this shows the current version of Windows Mobile on the device.
Install/Upgrade: The operating system comes preinstalled on the mobile device. Check for upgrades on www.microsoft.com.

2 Content synchronisation software must be installed on the user's desktop or laptop computer. Windows XP or earlier requires ActiveSync 4.5 (or later); Windows Vista requires Windows Mobile Device Centre.
Check: In Windows XP, from the Start menu click All Programs; Microsoft ActiveSync should appear in the list of programs. In Windows Vista, from the Start menu click All Programs; Windows Mobile Device Centre should appear in the list of programs.
Install/Upgrade: On Windows XP or earlier, go to www.microsoft.com and search for ActiveSync. On Windows Vista, go to www.microsoft.com and search for Mobile Device Centre.

3.1 Windows Server 2003 or SBS: Service Pack 2 must be installed on the server.
Check: From the Start menu, right-click the My Computer icon and select Properties; the Windows version and service pack level are shown.
Install/Upgrade: Go to www.microsoft.com and search for KB914961.

3.2 Exchange Server 2003 or SBS: Service Pack 2 must be installed on the server.
Check: In the Exchange System Manager MMC, expand the Servers folder, right-click the appropriate server and select Properties; the Exchange Server version and service pack (if installed) are shown.
Install/Upgrade: Go to www.microsoft.com and search for E3SP2ENG.EXE.

3.3 Exchange Server 2007: tbc.
Check: TBC.
Install/Upgrade: TBC.

4 All server types: all Windows Updates must be installed on the server.
Check: From the Start menu, click All Programs and then Windows Update. Follow the on-screen instructions to see whether any updates are necessary, and install them as required.
Install/Upgrade: Go to update.microsoft.com and install all the recommended updates.

5 The Exchange server must be fully functional.
Check: The Exchange server must be able to send and receive internal and external email successfully.
Install/Upgrade: Go to www.microsoft.com and search for Ex2k3DepGuide.doc.

6 Exchange Outlook Web Access must be enabled on the server.
Check: In the Exchange System Manager MMC, open the relevant server, open the Protocols folder and then the HTTP folder. Right-click the Exchange Virtual Server and ensure that the service is running: the Start option should be greyed out.
Install/Upgrade: As for the check above, but click the Start option.

7 The following ports must be forwarded to the server on the router/firewall: HTTP TCP 80; SMTP TCP 25; POP3 TCP 110 and 995; HTTPS TCP 443 (if using SSL).
Check: Open the administration console of the router/firewall and check whether the ports are being forwarded to the server.
Install/Upgrade: Open the administration console of the router/firewall and forward the ports to the server.
Forward only the ports you actually use. Mobile synchronisation itself needs only TCP 443 (or TCP 80 if SSL is not used); TCP 25 is needed only if this server receives internet mail directly, and TCP 110 and 995 only if POP3 clients connect from the internet. Without SSL, the username and password for POP3 on port 110 and for OWA/Outlook Email on port 80 cross the internet in clear text.

8 An SSL certificate should be installed on the Exchange Virtual Server in IIS. Outlook email will work on the mobile device without a certificate, but a certificate is needed to secure communications between the server and the mobile device.
Check: Open Internet Explorer and enter the address of the Outlook Web Access website. If the working address begins with http: there is no SSL certificate installed on the web server; if it begins with https: a certificate is installed.
Install/Upgrade: The following companies provide SSL certificates: www.thawte.com, www.verisign.com, www.geotrust.com. Alternatively, refer to section 5.2 about generating your own SSL certificate.
4 Enabling Outlook Email On The Mobile Device
There are two steps to enabling email synchronisation between the mobile device and the Exchange server:
- Configuring the server to synchronise with the mobile device.
- Configuring the mobile device to synchronise with the Exchange Server.

4.1 Configuring the Server to Synchronise with the Mobile Device
Mobile email access is provided alongside the Outlook Web Access (OWA) feature and is configured through the Internet Information Server (IIS) MMC. By default the OWA functionality is installed in the Default Web Site in the Exchange virtual server and is accessible through Internet Explorer at http://servername.domain.com/exchange. The handset does not use this page itself: it talks to the separate Microsoft-Server-ActiveSync virtual directory on the same web site, which in turn reaches the mailbox through the Exchange virtual server. A working OWA site is therefore a prerequisite for Mobile Outlook Email synchronisation rather than a guarantee of it.
A Secure Sockets Layer (SSL) certificate is not required to enable Outlook Email synchronisation on the mobile phone, but is very strongly advised. OWA sessions are not encrypted by default: the communication between the Exchange server and the end-user browser or mobile, including the user's username and password, is in clear text. Adding SSL encrypts the session between the handset (or browser) and the server for its whole duration.
The image below shows the default Secure Communications options for the Default Web Site in IIS. These are the correct settings. Do not select the Require secure channel option unless you have an SSL certificate installed on a Front-end Exchange server. On a Back-end (or single) Exchange server the mobile will not be able to synchronise if Require secure channel is selected, because the ActiveSync component on the server itself connects to the Exchange virtual directory over plain HTTP.
Each user must have a valid mailbox with the Outlook Web Access and Outlook Mobile Access Exchange features enabled in their Active Directory properties; User Initiated Synchronization, the Exchange ActiveSync feature on the same tab, must also be enabled. See image below.

4.2 Configuring the Mobile Device to Synchronise with the Exchange Server
On the mobile device, click the Start button, select the Messaging icon, and select Outlook Email.
- Enter the Server Address, eg: mail.domain.com. This must be the public name by which the handset reaches the server and, if SSL is used, the name in the server certificate's Common Name.
- Select the check box if the server requires an encrypted SSL connection.
- Enter the username and password.
- Enter the name of the Active Directory authentication domain for this user, eg: domain.com, domain.local etc.

4.3 To Test the Email Synchronisation
On the mobile device, from the Start menu, click the ActiveSync icon, then select the Sync option to begin synchronisation between the mobile device and the Exchange server. This should synchronise the mobile phone with the Exchange mailbox for that user. If synchronisation fails, refer to any error messages on the mobile, or to the Application section of the Event Log on the server, for further information.
5 Deploying Certificate Based Security
There are two options for implementing certificate based security:
- Use a valid certificate from a Public Certification Authority.
- Generate a certificate using your own Certification Authority.
If you have your own website then you are likely to have a public certificate already.

5.1 Purchase a Valid Certificate from a Public Certification Authority
The advantage of this method is that the certificate need only be installed once, on the IIS server hosting the OWA web site, and not on each mobile device. The disadvantage is the cost of the certificate. Bear in mind that your business can use the certificate for other useful applications, for example to secure your web server or the applications you run on it. The steps involved in this solution are:
- Applying for an SSL certificate.
- Installing the SSL certificate onto the IIS server hosting the Exchange virtual server.
The application and installation process differs between certificate vendors. Follow the instructions provided by your vendor of choice. Whichever vendor you choose, the certificate's Common Name must be the server address that will be entered on the handsets (see 4.2), and the certificate must chain to one of the roots in the table below; a certificate from any other root will not be trusted until that root is installed on each handset as in 5.2.4, which removes the main advantage of this method. If the vendor issues from an intermediate CA, install the intermediate certificate in the server's Intermediate Certification Authorities store as well, so that IIS sends the full chain to the handset.

The table below lists the root certificates that can be validated by Windows Mobile 5.0.

Vendor      Certificate name
Cybertrust  GlobalSign Root CA
Cybertrust  GTE CyberTrust Global Root
Cybertrust  GTE CyberTrust Root
Verisign    Class 2 Public Primary Certification Authority
Verisign    Thawte Premium Server CA
Verisign    Thawte Server CA
Verisign    Secure Server Certification Authority
Verisign    Class 3 Public Primary Certification Authority
Entrust     Entrust.net Certification Authority (2048)
Entrust     Entrust.net Secure Server Certification Authority
Geotrust    Equifax Secure Certificate Authority
Godaddy     http://www.valicert.com/

All the above can be validated by Windows Mobile 6.0, and others may exist (tbc).

BT strongly encourages the use of certificates from public certification authorities due to their security, reliability and versatility. BT is unable to support self-generated certificates and can only give general guidance.
5.2 Generate a Certificate Using Your Own Certification Authority
The advantage of this method is that the certificate is free; the disadvantage is that, as well as installing the server certificate on the IIS server, the root certificate will need to be installed on each mobile device. As stated previously, BT is unable to support self-generated certificates and can only give general guidance. The steps involved in this solution are:
- Setting up a Certification Authority (may be preinstalled in Small Business Server).
- Generating an SSL certificate for the Exchange virtual server in IIS.
- Exporting the Root Certificate from the Certification Authority.
- Installing the Root Certificate to a Mobile Device.

5.2.1 Setting up the Certification Authority
The certificate can be generated by Certificate Services, an optional component of Windows Server 2003. To install the Certification Authority on the IIS server hosting the Exchange virtual server, open the Control Panel and select Add or Remove Programs. Click the Add/Remove Windows Components button, select the Certificate Services check box and click Next to install the Certification Authority on the server. Choose Enterprise root CA and click Next. Under Common Name for this CA type the name of your domain, eg: domain.com, click Next, then Next again. Insert the Service Pack 2 CD if instructed to do so. Click Finish.
Note that this places the CA's private key on the internet-facing server: anyone who compromises that server can issue certificates that every handset will trust. If you have a domain member server that is not exposed to the internet, install the CA there instead; the wizard in 5.2.2 can request the certificate from any online Enterprise CA in the domain.
BT does not have specific guidance on Exchange Server 2007 at this stage.

5.2.2 Generating an SSL Certificate for the Exchange Virtual Server in Internet Information Server
Open the IIS management console, select the relevant server, right-click the Default Web Site and select Properties. In the Directory Security tab, click Server Certificate. This opens the Web Server Certificate Wizard; click Next. Select Create a new certificate and click Next. Select Send the request immediately to an online certification authority and click Next. Type the name of the website in the Name text box, eg: mail.domain.com, and click Next. Fill in the Organization and Organizational unit and click Next. Under Common Name type the public name of the web site exactly as it will be entered on the handsets, eg: mail.domain.com, and click Next. Fill in the Country/Region, State/province and City/locality, and click Next. The SSL port should be 443; click Next. The Certification authority should be the full name of the Certification Authority, eg: server.domain.com\certification authority common name; click Next. Click Next to confirm the certificate request details, then click Finish to complete the Web Server Certificate Wizard.
To test the new certificate, click View Certificate in the Directory Security tab of the Default Web Site Properties and click the Certification Path tab. The Certificate Status text box should say This certificate is OK. If it says anything else, there is a problem with either the Certification Authority settings or the certificate settings. Click OK to close the certificate.
5.2.3 Exporting the Root Certificate from the Certification Authority
The Root Certificate must be exported from the Certification Authority and then installed onto each mobile device. From the Start button, select All Programs, Administrative Tools, Certification Authority. Right-click the relevant server and select Properties. Under the General tab, click the View Certificate button. Under the General tab it should say: This certificate is intended for the following purpose(s): All issuance policies; All application policies. Click the Details tab, then click the Copy to File button to open the Certificate Export Wizard, and click Next. If the wizard offers to export the private key, choose No: the handsets need only the public certificate, and the CA's private key must never leave the server. Select the DER encoded binary X.509 (.CER) option and click Next. Under file name, enter a name and browse to a convenient location, eg: RootCertificate.cer on the desktop. Click Next, then Finish to close the wizard.

5.2.4 Installing the Root Certificate to a Mobile Device
Copy the root certificate exported from the Certification Authority on the IIS server to the user's desktop computer. Connect the mobile device to the desktop with a USB cable.
- On Windows XP or earlier: from the Start button, choose All Programs, then Microsoft ActiveSync. In ActiveSync, click the Tools menu, then select Explore Smartphone. Paste the certificate into the default folder on the mobile device (the My Documents folder). Unplug the USB cable.
- On Windows Vista: from the Start button, choose All Programs, then Windows Mobile Device Centre. Select Browse the Contents of Your Device. Paste the certificate into the My Documents folder on the mobile device. Unplug the USB cable.
Then on the mobile device, click the Start button and select the File Explorer icon. This opens the My Documents folder. Select the certificate file and click Yes to install the certificate. Installing a root certificate makes the handset trust every certificate that CA issues, so only the root exported in 5.2.3 should be installed, and only from a copy supplied by the administrator.
Remember to select the This server requires an encrypted (SSL) connection option in the Outlook Email settings on the mobile phone.

5.3 To Test an SSL Implementation
The SSL implementation should be tested twice: once on a desktop through Internet Explorer, and then on the mobile device. Connect to the OWA website through Internet Explorer with the https: prefix: https://servername.domain.com/exchange. A small lock icon should appear in Internet Explorer indicating that the web page is secured with an SSL certificate. If you are using your own CA, install the root certificate from 5.2.3 into the desktop's Trusted Root Certification Authorities store to remove the warning. If a warning remains, check that the name in the address bar matches the certificate's Common Name; the handset applies the same name check and will refuse to synchronise on a mismatch. On the mobile device, from the Start menu, click the ActiveSync icon, then select the Sync option to begin synchronisation between the mobile device and the Exchange server.
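The two tests above can also be run from any desktop outside the company network with the following script. It is an added example, not part of the BT guide: it makes the handset's trust decision in software (the server certificate must chain to the supplied root, or to the desktop's public roots if no root is given, and its name must match the server address typed into the handset in 4.2) and then sends an OPTIONS request to the Microsoft-Server-ActiveSync virtual directory, which is the endpoint the handset actually uses, rather than to the OWA page. The host name, file name and credentials in the usage line are placeholders.

```python
"""Probe an Exchange 2003 ActiveSync endpoint the way a Windows Mobile handset would.

Added example; not from the BT guide.  Assumptions: HOST is the Server Address
entered in the handset's Outlook Email settings, ROOT.cer is the DER file exported
in 5.2.3 (omit it when a public-CA certificate is installed), and the credentials
are DOMAIN\\user and password exactly as entered on the handset.
"""
import base64
import http.client
import ssl
import sys
from typing import Optional

# Exchange 2003 publishes Exchange ActiveSync on this virtual directory of the
# Default Web Site; the /exchange OWA directory is not what the handset talks to.
EAS_PATH = "/Microsoft-Server-ActiveSync"


def make_context(root_cer: Optional[str] = None, legacy_tls: bool = False) -> ssl.SSLContext:
    """Build a client context that rejects what the handset would reject.

    With a .cer file, trust only that root (a handset with one installed root).
    Without one, trust the platform's public roots (a handset with a public-CA
    certificate).  Hostname checking stays on in both cases.
    """
    if root_cer is None:
        ctx = ssl.create_default_context()
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname
        with open(root_cer, "rb") as fh:
            ctx.load_verify_locations(cadata=fh.read())  # accepts the DER bytes as exported
    if legacy_tls:
        # An Exchange 2003 server offers TLS 1.0 only; a current OpenSSL refuses
        # that by default, so lower the floor just for this diagnostic run.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def assess(status: int, headers: dict) -> str:
    """Turn the reply to OPTIONS /Microsoft-Server-ActiveSync into a verdict."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200 and "ms-asprotocolversions" in h:
        return "ok: ActiveSync answered, protocol versions " + h["ms-asprotocolversions"]
    if status == 401:
        if "basic" in h.get("www-authenticate", "").lower():
            return "ok: virtual directory present and asking for Basic credentials"
        return "warn: 401 without a Basic challenge; the handset authenticates with Basic"
    if status == 404:
        return "fail: virtual directory not found; ActiveSync is not published on this site"
    if status == 403:
        return "fail: 403 forbidden; check Require secure channel and IP address restrictions"
    return f"warn: unexpected status {status}"


def probe(host: str, root_cer: Optional[str] = None,
          credentials: Optional[tuple] = None, port: int = 443,
          legacy_tls: bool = False) -> str:
    """TLS-connect to host:port, validate the certificate, query the EAS directory."""
    headers = {"User-Agent": "eas-probe/0.1"}
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        headers["Authorization"] = "Basic " + token  # only ever sent inside TLS here
    conn = http.client.HTTPSConnection(host, port, timeout=15,
                                       context=make_context(root_cer, legacy_tls))
    try:
        conn.request("OPTIONS", EAS_PATH, headers=headers)
        resp = conn.getresponse()
        return assess(resp.status, dict(resp.getheaders()))
    except ssl.SSLCertVerificationError as exc:
        # Untrusted root or Common Name mismatch: the handset fails the same way.
        return f"fail: certificate rejected: {exc.verify_message}"
    except ssl.SSLError as exc:
        return f"fail: TLS handshake failed: {exc}"
    except OSError as exc:
        return f"fail: cannot reach {host}:{port} ({exc}); check port forwarding"
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: eas_probe.py mail.domain.com [RootCertificate.cer] [DOMAIN\user PASSWORD]
    if len(sys.argv) < 2:
        sys.exit("usage: eas_probe.py HOST [ROOT.cer] [DOMAIN\\user PASSWORD]")
    cer = sys.argv[2] if len(sys.argv) >= 3 else None
    creds = (sys.argv[3], sys.argv[4]) if len(sys.argv) >= 5 else None
    print(probe(sys.argv[1], cer, creds))
```

Run it without credentials first: a 401 with a Basic challenge proves the certificate chain, the name and the virtual directory are all right before any password is typed into a handset. Run it again with the user's DOMAIN\user and password to confirm the server answers with its MS-ASProtocolVersions header; a certificate failure here is the same failure the handset will report, so fix it on the server rather than by telling users to accept warnings.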
If synchronisation still does not work as expected, check the Application section of the Event Log on the IIS/Exchange server for error messages.

6 Further Contact Details and Help
For BT Business One Plan with BT Office Anywhere: 0800 032 8751
For BT Office Anywhere: 0800 678 1030
Offices worldwide
British Telecommunications plc 2004
Registered office: 81 Newgate Street, London EC1A 7AJ
Registered in England No: 1800000