Understanding Exchange's Mobility Features


Exchange Server 2003 provides mobile access using several different tools, protocols, and services. Understanding these will help you better identify which security measures make sense for the particular mix of clients you have in your organization.

First, let's dispense with the old-style clients. Microsoft Office Outlook 2003 with RPC-over-HTTPS certainly qualifies as a mobile client, especially when paired with a high-speed wireless connection like those available from Verizon, Sprint, and AT&T. However, because we've already discussed Outlook security in detail, I won't deal with it further in this chapter. Likewise, Microsoft Outlook Web Access provides a solution for users who have access to a Web browser; although some mobile devices can render Outlook Web Access (OWA) pages, they usually look pretty bad, so I'll omit further discussion of OWA as a mobility tool. Finally, many handheld devices support Internet Message Access Protocol (IMAP) and Post Office Protocol (POP); those protocols are discussed in Chapter 15, Securing POP and IMAP, so we're not going to talk more about them here. Instead, I'm going to focus on two classes of devices: cell phones that use Microsoft Outlook Mobile Access and Pocket PC/Windows Mobile devices that use some kind of wireless connection with Exchange ActiveSync.

Outlook Mobile Access

Outlook Mobile Access (OMA) is designed to render selected Exchange store content to handheld and mobile devices. OMA supports devices that use Wireless Application Protocol (WAP) 2.x protocols; this includes support for Hypertext Markup Language (HTML), Extensible HTML (XHTML), and Compact HTML (cHTML), the markup language used by i-Mode devices. OMA devices make connections to the front-end server, which proxies their requests and renders the results into a format that the device can display. The OMA implementation in Exchange Server 2003 is descended from the Microsoft Mobile Information Server product, which provided OMA capability for Microsoft Exchange 2000 Server organizations. Mobile Information Server was never very widely deployed for two reasons: it was a separate product, and there weren't very many devices (in terms of absolute numbers) that could talk to it. Both of those circumstances have now changed, so OMA is increasingly popular even in small- and medium-sized organizations.

OMA provides access to your Exchange Inbox, Calendar, Contacts, and Tasks folders; you can look up entries in the Global Address List (GAL), and you can flag messages or mark them as unread. However, the data you see isn't persistently stored on your handheld; for example, on the SonyEricsson T68i (which features a built-in calendar and contact application that can synchronize with Outlook), if you create a new appointment using OMA it won't be added to the phone's calendar. That means that you only have access to your Exchange data when you're online with your Exchange servers. I usually describe OMA as OWA for handhelds, because that does a good job of summarizing how it works.

OMA normally uses Secure Sockets Layer (SSL) to protect its Hypertext Transfer Protocol (HTTP) sessions between the device and your front-end server. For devices that are using WAP, however, the protection is not end to end: the wireless carrier might allow the use of the Wireless Transport Layer Security (WTLS) protocol, which is based on the Internet-standard Transport Layer Security (TLS) protocol we've talked about before, but WTLS is used only between the device and the carrier's WAP gateway, and HTTPS is then used from the WAP gateway to the OMA server. The gateway therefore decrypts and re-encrypts the traffic, and neither the user nor the Exchange administrator has any control over whether, or how strongly, that first hop is protected. Of course, this arrangement also requires the WAP gateway provider to trust the certificate used by your server; if you're using an internally issued certificate, you'll probably need to get a certificate issued by a trusted certificate authority (CA) like Verisign or Thawte.

Tip  

If you're using RSA's SecurID system, you'll be happy to know that OMA works with it; this is because OMA can be used with the Internet Information Services (IIS) and Internet Security and Acceleration (ISA) filters required for SecurID compatibility. However, you must be using devices that are certified as compatible by both Microsoft and RSA Security.

Exchange Server ActiveSync

Exchange Server ActiveSync (EAS) actually synchronizes your Exchange data to a mobile device. This functionality obviously depends on having a mobile device that runs some version of Outlook, so it's only available for Microsoft Windows-powered devices like the Pocket PC 2002 (and later) line, the Pocket PC Phone editions (both the Pocket PC 2002 Phone Edition and the Windows Mobile 2003 Powered Pocket PC Phone Edition), and the Windows-powered Smartphones available from Motorola, Sierra, Samsung, and other manufacturers.

EAS can perform both on-demand and scheduled synchronizations, and it allows access to all the folders in your mailbox, a handy feature. EAS allows access to message attachments, and it allows the server to send periodic always-up-to-date (AUTD) notifications to the device so that the device can initiate a synchronization; this is a simple way to simulate the push approach that Research in Motion (RIM) uses with its BlackBerry devices. AUTD notifications are actually Short Message Service (SMS) messages originated by the Exchange server and gatewayed by the wireless carrier; you can configure Exchange to send these notifications at whatever interval makes the most sense for your users. Beware, though: most carriers charge for SMS traffic, so be sure to factor it into your deployment planning if you want to use AUTD.

By default, EAS uses 128-bit SSL to protect all of its communications. Keep in mind that SSL protects the data only while it's in transit; because EAS, unlike OMA, stores a copy of the synchronized mailbox data on the handheld, a lost or stolen device exposes whatever has been synchronized to it.

Other Mobility Services

Of course, Microsoft isn't the only company to have figured out that users want mobile access to their Exchange data; in fact, they're not even the first company to figure it out. That honor should probably go to RIM. Accordingly, it's worth mentioning a couple of other mobility services that you might find running in your Exchange environment.

First is RIM's BlackBerry software, which comes in two types. The individual desktop version acts as a redirector that runs in conjunction with Outlook; the BlackBerry Enterprise Server (BES) runs on an Exchange server and redirects mail for multiple users. In either case, mail from the selected mailboxes is encrypted by the BlackBerry redirector, then sent over the Internet to RIM's service center. From there, it's encrypted for the specific device owned by the recipient and transmitted over his or her radio network. If the device is in range of a transmitter, and it's turned on, it receives the message. The other noteworthy product is Good Technology's GoodLink product, which does more or less the same thing as RIM's BES software with a different set of supported handhelds and service providers.

The security implications of these products are pretty obvious:

  • An attacker who can interfere with the user's desktop machine can prevent new mail from reaching the user, because the desktop redirector has to be running for mail to be transmitted.

  • All mail has to transit both the Internet and the service provider's network. This might or might not be of concern, depending on how secure you think those networks are and how much you trust the providers.

  • Any product that can proxy mail for multiple users will of necessity have a service account, or something like it, that has access to multiple mailboxes. If an attacker can compromise this account, he or she can masquerade as any of the users to which that account has permissions. Accordingly, this account should be protected with an extra-strong password, and its use should be carefully monitored through auditing.
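The last point is the one most worth automating. The following is an added example, not code from the book or from RIM or Good Technology: it runs over a small set of constructed Windows Server 2003 security-log records and flags any successful logon by a mailbox-proxy service account that did not come from the machine that is supposed to host the redirector, or that used a logon type a service account should never need (interactive or remote interactive). The event IDs 528 and 540 and the logon-type codes are the real pre-Vista values; the account name CORP\svc-bes, the host name BES01, and the comma-separated export format are assumptions made for this example.

```python
"""Audit logons of a mailbox-proxy service account (added example).

Runs offline over constructed Windows Server 2003 security-log records.
Event IDs 528 (successful logon) and 540 (successful network logon) and the
logon-type codes are the real pre-Vista values; the account, host names and
the record format are assumptions for this example.
"""
from dataclasses import dataclass

# Assumed deployment facts (hypothetical names).
SERVICE_ACCOUNT = "CORP\\svc-bes"
ALLOWED_HOSTS = {"BES01"}           # the only machine that should use the account
SUCCESS_LOGON_EVENTS = {528, 540}   # Windows 2003 security-log IDs for successful logons
ALLOWED_LOGON_TYPES = {3, 5}        # 3 = network (MAPI to Exchange), 5 = service start

LOGON_TYPE_NAMES = {2: "interactive", 3: "network", 4: "batch",
                    5: "service", 10: "remote interactive"}


@dataclass
class LogonEvent:
    event_id: int
    account: str
    logon_type: int
    workstation: str


def parse_events(lines):
    """Parse 'event_id,account,logon_type,workstation' records (constructed export format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        eid, account, ltype, ws = [f.strip() for f in line.split(",")]
        events.append(LogonEvent(int(eid), account, int(ltype), ws.upper()))
    return events


def audit_service_account(events, account=SERVICE_ACCOUNT,
                          allowed_hosts=ALLOWED_HOSTS,
                          allowed_types=ALLOWED_LOGON_TYPES):
    """Return one finding per suspicious successful logon of the service account.

    A finding is a dict with the offending event and the list of reasons it
    was flagged: an unexpected source host and/or an unexpected logon type.
    """
    findings = []
    for ev in events:
        if ev.event_id not in SUCCESS_LOGON_EVENTS:
            continue
        if ev.account.lower() != account.lower():
            continue
        reasons = []
        if ev.workstation not in allowed_hosts:
            reasons.append(f"logon from unexpected host {ev.workstation}")
        if ev.logon_type not in allowed_types:
            name = LOGON_TYPE_NAMES.get(ev.logon_type, "unknown")
            reasons.append(f"unexpected logon type {ev.logon_type} ({name})")
        if reasons:
            findings.append({"event": ev, "reasons": reasons})
    return findings


# Constructed sample records: two legitimate service-account logons from BES01,
# an ordinary user, and three logons that an auditor should look at.
SAMPLE_LOG = """\
# event_id,account,logon_type,workstation
540,CORP\\svc-bes,3,BES01
528,CORP\\svc-bes,5,BES01
528,CORP\\jdoe,2,WKS042
528,CORP\\svc-bes,2,WKS042
540,CORP\\svc-bes,3,LAPTOP-77
528,CORP\\svc-bes,10,BES01
"""

if __name__ == "__main__":
    for finding in audit_service_account(parse_events(SAMPLE_LOG.splitlines())):
        ev = finding["event"]
        print(f"event {ev.event_id} {ev.account} type {ev.logon_type} "
              f"from {ev.workstation}: " + "; ".join(finding["reasons"]))
```

In practice you would feed this an export of the Security log from the Exchange server and the domain controllers and extend the allow-list to every host that legitimately runs the redirector; the point is that a service account with rights to many mailboxes has a very narrow expected behaviour, so anything outside it deserves a look.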




Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189