April 26, 2004 12:00 AM

Safeguard Exchange for Mobile-Device Access

Secure cell phones, PDAs, and other handheld devices with Exchange 2003’s Exchange ActiveSync and OMA
Windows IT Pro
InstantDoc ID #42351

An increasing number of users want to get email while away from their desks. This trend is a far cry from the old days of mainframe-based email, which users retrieved through a terminal. Today's mobile handheld devices, such as Research In Motion's (RIM's) BlackBerry line, Good Technology's Good G100, various Windows Mobile-powered products, and PalmSource's Palm OS-powered Smartphones, are powerful enough to open and edit attachments and handle complex HTML messages. Additionally, a growing number of people carry cell phones that support Wireless Application Protocol (WAP), which lets even these small and relatively dumb devices access sophisticated Web-based applications, albeit at the cost of speed and functionality.

Exchange Server 2003 seeks to meet the growing demand for mobile-device access to Exchange by offering assorted products and services for limited-function devices. The two newest components in this array are Exchange ActiveSync and Outlook Mobile Access (OMA). For information about other mobile-access components in Exchange, see the sidebar "Exchange's Mobile-Computing Support."

EAS and OMA
Exchange 2003's Exchange ActiveSync data-synchronization service lets devices that run Pocket Outlook synchronize the Inbox, Calendar, and Contacts wirelessly, delivering an experience much like Microsoft Office Outlook 2003 with remote procedure call (RPC) over HTTP Secure (HTTPS) enabled. When the Always Up-To-Date (AUTD) function (labeled Up-to-date Notifications in Figure 1) is on, the device automatically synchronizes your local Inbox with the server's copy, meaning that your email is on your device when you need it. All of Pocket Outlook's functionality is available with Exchange ActiveSync as long as you can establish a wireless connection to your Exchange server. As a bonus, Pocket Outlook with Exchange ActiveSync lets you read locally cached mail offline.

Many cell phones can use WAP 2.x to talk to WAP-aware applications. Microsoft has exploited the wide availability of WAP 2.x-compatible devices by including the OMA service in Exchange 2003. OMA, which requires ASP.NET on the Exchange server, lets you establish a real-time connection with Exchange from a browser-enabled wireless Internet device, such as a cell phone. Compatible devices can access messages in the Exchange Inbox, Calendar, and Tasks folders. Unlike IMAP and Exchange ActiveSync, OMA doesn't offer offline access. The bottom line is that OMA provides a basic interface to Exchange data and is designed to minimize bandwidth usage because most WAP users pay per-unit data charges.

The first question many administrators have about OMA and Exchange ActiveSync is, "How secure are they?" Delivering adequate security on the desktop is hard enough; the thought of having to secure many autonomous mobile devices can be daunting. Let's examine the safeguards OMA and Exchange ActiveSync provide to secure communications traffic, authentication, access, and devices.

Communications Security
OMA protects its HTTP sessions with Secure Sockets Layer (SSL), but for devices that use WAP the protection isn't end to end. The carrier's network might use the Wireless Transport Layer Security (WTLS) protocol, which is based on the Internet-standard Transport Layer Security (TLS) protocol, for over-the-air communications between the device and the WAP gateway; HTTPS is then used for Internet-based traffic between the WAP gateway and the OMA server. In that arrangement the gateway decrypts the WTLS traffic and re-encrypts it for the HTTPS hop, so the gateway operator sees the session in the clear, and neither the user nor the Exchange administrator controls whether WTLS is used on the first hop. For the gateway to use HTTPS to your server, the WAP gateway provider must trust the certificate your server uses, and the gateway's list of trusted issuers is outside your control. If your server uses an internally issued certificate, you'll probably need to obtain a certificate from a trusted Certificate Authority (CA), such as VeriSign or Thawte.

Exchange ActiveSync's security is somewhat easier to understand. Exchange ActiveSync uses HTTPS to connect to your Exchange server, so you must open port 443 to your front-end server. In addition, you might have to consider how best to deploy your certificates to the client devices if you use a self-signed or locally issued certificate: a device that doesn't trust the issuing CA will refuse the connection. Neither OMA nor Exchange ActiveSync has port or encryption settings of its own. Both run as virtual directories (OMA and Microsoft-Server-ActiveSync) under the IIS Web site, so the listening ports come from the site's bindings and you enforce encryption by requiring SSL on those virtual directories in IIS; there is nothing in the mobile-services configuration itself that can turn encryption off. Score one for "secure by default"!

Authentication
Exchange 2003 lets you control how your servers authenticate clients. Because OMA and Exchange ActiveSync are integrated with Exchange, you control and manage them much as you do IMAP, POP, and Outlook Web Access (OWA). Exchange ActiveSync clients connect to the Microsoft-Server-ActiveSync virtual directory, and the server-side component behind it reads the mailbox through the Exchange virtual directory, using WWW Distributed Authoring and Versioning (WebDAV) just as OWA and other WebDAV clients do. That internal dependency is what makes the next point matter.

If you enable forms-based authentication (FBA) or require SSL on the Exchange virtual directory, OMA and Exchange ActiveSync might stop working, reporting HTTP 500 errors. The reason is that the mobile components on the mailbox server call the Exchange virtual directory on that same server over plain HTTP, so a directory that demands SSL or an FBA logon refuses the internal request even though the device's own connection to the front-end server is encrypted. To be more precise, if you turn on FBA or require SSL, Exchange ActiveSync will break; if you require SSL, OMA will break.
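The checks the two preceding sections describe (SSL required on the client-facing OMA and Microsoft-Server-ActiveSync virtual directories, a certificate that devices and the WAP gateway can trust, and an Exchange virtual directory that does not require SSL because the mobile components reach it over plain HTTP) can be audited in one pass on the mailbox server. The script below is an added example, not code from the original article or from Microsoft. It assumes Windows PowerShell 2.0 (a later tool than the article's 2004 date) running on the Exchange 2003 server, the IIS 6 metabase exposed through ADSI, the Default Web Site (site ID 1), the standard virtual-directory names, and the documented MasSync ExchangeVDir registry value as the override for which virtual directory the mobile components use; change $SiteId if your Exchange HTTP virtual server has a different ID.

```powershell
# Added example (not from the original article): audit the IIS 6 metabase and the site
# certificate on an Exchange 2003 mailbox server for the OMA / Exchange ActiveSync settings
# the article discusses. Assumes PowerShell 2.0, site ID 1, and standard vdir names.
param(
    [string]$SiteId = '1'
)

# IIS metabase AuthFlags bit values.
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4   # Integrated Windows authentication

function Get-VDirSecurity {
    param([string]$Name)
    $vdir = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT/$Name"
    try { $vdir.RefreshCache() } catch { return $null }   # virtual directory does not exist
    $flags = [int]$vdir.Properties['AuthFlags'].Value
    New-Object PSObject -Property @{
        Name       = $Name
        RequireSSL = [bool]$vdir.Properties['AccessSSL'].Value
        Anonymous  = (($flags -band $AuthAnonymous) -ne 0)
        Basic      = (($flags -band $AuthBasic) -ne 0)
        Integrated = (($flags -band $AuthNTLM) -ne 0)
    }
}

function Test-ClientFacingVDir {
    # OMA and Microsoft-Server-ActiveSync are what phones and PDAs talk to: they should
    # demand SSL, never allow anonymous access, and accept Basic (sent over the SSL session).
    param([string]$Name)
    $v = Get-VDirSecurity $Name
    if ($v -eq $null) { Write-Warning "$Name not found; is the feature installed?"; return }
    if (-not $v.RequireSSL) { Write-Warning "$Name does not require SSL; device traffic can travel in the clear" }
    if ($v.Anonymous)       { Write-Warning "$Name allows anonymous access" }
    if (-not $v.Basic)      { Write-Warning "$Name has Basic authentication disabled; mobile clients use Basic over SSL" }
    $v
}

function Test-InternalExchangeVDir {
    # The mobile components reach the mailbox through the Exchange virtual directory (or the
    # alternate one named in the MasSync ExchangeVDir registry value) over plain HTTP, so that
    # directory must NOT require SSL and must accept Integrated Windows authentication.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters'
    $override = (Get-ItemProperty -Path $regPath -Name ExchangeVDir -ErrorAction SilentlyContinue).ExchangeVDir
    $name = if ($override) { $override.TrimStart('/') } else { 'Exchange' }
    $v = Get-VDirSecurity $name
    if ($v -eq $null) { Write-Warning "$name not found"; return }
    if ($v.RequireSSL)      { Write-Warning "$name requires SSL; expect HTTP 500 from OMA and Exchange ActiveSync" }
    if (-not $v.Integrated) { Write-Warning "$name lacks Integrated Windows authentication; the internal call will fail" }
    $v
}

function Get-SiteCertificate {
    # Resolve the certificate bound to the site and show what devices and the WAP gateway must trust.
    $site = [ADSI]"IIS://localhost/W3SVC/$SiteId"
    $hash = $site.Properties['SSLCertHash'].Value
    if (-not $hash) { Write-Warning 'No SSL certificate is bound to the site'; return }
    $thumb = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    $cert = Get-Item "Cert:\LocalMachine\My\$thumb"
    if ($cert.Subject -eq $cert.Issuer) { Write-Warning 'Certificate is self-signed; phones and the WAP gateway will not trust it' }
    if ($cert.NotAfter -lt (Get-Date))  { Write-Warning 'Certificate has expired' }
    $cert | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Test-ClientFacingVDir 'Microsoft-Server-ActiveSync'
Test-ClientFacingVDir 'OMA'
Test-InternalExchangeVDir
Get-SiteCertificate
```

Run it from an elevated PowerShell prompt on the mailbox server. A clean result is two client-facing entries with RequireSSL true and Anonymous false, an internal entry with RequireSSL false and Integrated true, and a certificate whose Issuer is a CA your devices (and, for OMA over WAP, the carrier's gateway) already trust.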


Comments
  • Mehdi, Mar 26, 2007
    Not complete enough.

