May 20, 2002 12:00 AM

Ultimate Wireless Email

Windows IT Pro
InstantDoc ID #24875
Mobile Information Server and Pocket PC 2002 can provide instant access to Exchange 2000 data

Mobile, wireless email access is nothing new. Research In Motion's (RIM's) BlackBerry has been providing it for several years, and millions of Web-enabled cell phones offer Wireless Application Protocol (WAP)-based browsing capabilities. But problems with ease of use, cost, security, and corporate access often prevent enterprises from implementing such solutions.

One alternative is to use the Microsoft Pocket PC 2002 handheld device with Microsoft Mobile Information Server 2002, Enterprise Edition to provide wireless access to your corporate Microsoft Exchange 2000 Server systems. Mobile Information Server provides a secure mobile gateway to and synchronization services for Exchange 2000. (Mobile Information Server can support other WAP-enabled devices, but I find the Pocket PC's Microsoft Pocket Outlook to be the best UI for Exchange access.) This setup isn't difficult, per se, but getting started can be somewhat complicated. Therefore, this article assumes that you're familiar with Active Directory (AD) administration; Mobile Information Server basics; Exchange, Microsoft Internet Security and Acceleration (ISA) Server 2000, and firewall installation and configuration; Pocket PC configuration and use; Microsoft ActiveSync setup; cellular telecommunications basics (e.g., device provisioning, device configuration, data network usage); and mobile-software concepts. (For articles that deal with these topics, see "Related Articles in Previous Issues," page 32.)

Gather the Pieces
To implement this mobile-access solution, you need a few pieces of recent hardware and software. In my experience, the following items offer the best performance:

  • Pocket PC 2002 device
  • Bluetooth- and General Packet Radio Service (GPRS)-enabled mobile phone with data service
  • Bluetooth CompactFlash (CF) card
  • Mobile Information Server 2002, Enterprise Edition, running on Windows 2000 Server Service Pack 2 (SP2)
  • Exchange 2000 SP1 running on Win2K
  • ISA Server 2000 running on Win2K (optional)

For details about this equipment, see the sidebar "Parts List." After you have all the pieces of your mobile-access solution, you're ready to deploy Mobile Information Server, configure the users' accounts, configure the Pocket PC, configure the Pocket PC and phone for Bluetooth, and test the solution. After a successful test run, you can implement the solution in your production environment to let users access their email from the office, their homes, or on the road.

Deploying Mobile Information Server
Mobile Information Server deployment is fairly straightforward. You can find detailed information about the product on the Microsoft Web site at http://www.microsoft.com/miserver. (Also see "Related Articles in Previous Issues.") Deploy the product on a test server in a controlled lab environment before you use the solution in a production environment (especially if this attempt is your first foray into mobile messaging). Doing so reduces any security risks to your network. Also, Mobile Information Server requires changes to AD, which holds the server product's user properties and user-account settings. You need to understand the effects of these schema changes before you roll the product out into a network environment. If your test server runs Exchange and AD, be sure to use the undocumented /vonebox=1 switch when you install Mobile Information Server. This switch removes the block to installing the product on the same system as Exchange and AD. Note, however, that Microsoft doesn't support this configuration, so for security reasons, you shouldn't use it in a production environment.

User-account configuration depends on which Mobile Information Server security topology you choose—single domain, trusted domain, or untrusted domain. A single-domain architecture means that users have the same logon for mobile access as they do for standard Windows logon. A trusted-domain topology lets you set up a forest of unique mobile user accounts (e.g., m-username) separate from your primary logon domain; these accounts have unique access rights and follow a simplified password policy. In an untrusted-domain topology, mobile accounts operate under one delegated user authority that you can control. Figure 1 shows a basic single-domain deployment with dedicated servers for Mobile Information Server, Exchange, and AD. Mobile devices connect to the network through your carrier's data center over a standard Internet link. Because the connection uses Secure Sockets Layer (SSL), it's secure end to end. Mobile Information Server can sit in your network's demilitarized zone (DMZ), either outside your network or between two firewalls, depending on your needs and desired topology. Application servers—in this case, Exchange—sit behind the private corporate firewall.

For the greatest possible security, Mobile Information Server includes an Internet Server API (ISAPI) filter for installation on ISA Server 2000. This filter uses HTTP Secure (HTTPS) through the firewall to authenticate users against their wireless accounts, then passes user requests to Mobile Information Server. Figure 2, page 34, shows a topology in which Mobile Information Server sits behind the private corporate firewall and ISA Server sits on the edge of the corporate network. Using this filter with a trusted- or untrusted-domain topology (as opposed to a single-domain topology) further protects corporate network credentials from potential man-in-the-middle attacks.
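The flow constraints of the ISA-edge topology described above can be checked mechanically against a firewall rule list. The following is an added example, not code from the article or from Microsoft; the zone names, the rule format, and the sample rules are constructed for illustration, and the internal ports are placeholders because the article does not specify them.

```python
# Added example: audit a firewall rule list against the ISA-edge topology.
# Zone names, rule format and sample rules are constructed for illustration.
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # source zone
    dst: str      # destination zone
    port: int     # destination TCP port
    action: str   # "allow" or "deny"

# Zone-level paths implied by the topology (assumption): devices reach only
# ISA Server, ISA reaches only Mobile Information Server (mis), and only
# Mobile Information Server reaches Exchange and AD.
EDGE_HTTPS = 443
ALLOWED_PATHS = {
    ("internet", "isa"),
    ("isa", "mis"),
    ("mis", "exchange"),
    ("mis", "ad"),
}

def audit(rules):
    """Return (rule, reason) pairs for allow rules that break the topology."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot open a path
        if (r.src, r.dst) not in ALLOWED_PATHS:
            findings.append((r, f"path {r.src}->{r.dst} bypasses the gateway chain"))
        elif r.src == "internet" and r.port != EDGE_HTTPS:
            findings.append((r, f"inbound port {r.port} is not HTTPS"))
    return findings

# Constructed sample rule set; internal ports are placeholders and unchecked.
SAMPLE_RULES = [
    Rule("internet", "isa", 443, "allow"),       # intended: HTTPS to the ISA filter
    Rule("internet", "isa", 80, "allow"),        # cleartext HTTP at the edge
    Rule("isa", "mis", 443, "allow"),            # intended: ISA forwards to MIS
    Rule("internet", "exchange", 443, "allow"),  # exposes Exchange directly
    Rule("internet", "mis", 443, "deny"),        # explicit deny, not a finding
    Rule("mis", "exchange", 443, "allow"),       # intended: MIS to Exchange
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src}->{rule.dst}:{rule.port} {reason}")
```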

Comments
  • Sec
    Dec 01, 2002

    Hello,

    I was wondering what added advantage is MIS providing over OWA, since both provide remote access to your Exchange data over the Internet; however, OWA is much easier and cheaper to install.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.