Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


November 2005

Exploring Exchange 2003 Service Pack 2

Welcome improvements make your job easier

The long-awaited day is almost upon us! Microsoft Exchange Server 2003 Service Pack 2 (SP2) will ship at the end of the year. Microsoft is putting the service pack through the final stages of customer testing. SP2 builds on the already solid base that Exchange 2003 and its SP1 updates established and should be a welcome upgrade that most organizations will want to rapidly deploy. Reviewing Exchange 2003 SP2's major updates is a good way to determine whether you want to deploy the release.

Support for Mobile Devices
With so many mobile devices in use—from smart phones to Research In Motion's (RIM's) BlackBerry devices to PDAs—and the fact that messaging, calendaring, and task management are popular applications for these devices, Microsoft clearly needs to integrate mobile devices into Exchange. Pre-Exchange 2003, third-party technology provided the necessary components to connect mobile devices to Exchange, and companies such as Good Technology and RIM built large businesses around their ability to connect to and synchronize with Exchange. Although Exchange 2000 Server had some mobile capability, Microsoft stepped up its game with the first release of the Mobile Services for Exchange subsystem in Exchange 2003, recognizing the mobile-device market's importance and the rapid increase in the devices' features and putting huge development resources into the subsystem. The result is that Mobile Services, with its rich feature set, is now a competitive, low-cost offering that supports mobile devices. Microsoft has also successfully licensed its Exchange ActiveSync technology to mobile-device suppliers such as DataViz, Motorola, Nokia, Palm, and Symbian, so you can expect to see more support for Exchange in mobile devices and applications from these vendors.

Prior to SP2, Mobile Services was in the "cheap and cheerful" mobile solutions category. Although it's bundled with Exchange, it suffers from a lack of functionality in some important areas. Taken in conjunction with some of the advances in Windows Mobile 5.0, SP2 adds:

  • data compression for ActiveSync connections over HTTP Secure (HTTPS) using gzip
  • connection pooling that reduces the overhead of creating connections between devices and network carriers
  • certificate-based authentication
  • security-policy enforcement, and
  • Global Address List (GAL) search and real-time address validation against the GAL.

Improved AUTD
Always-up-to-date (AUTD) is a mechanism Exchange uses to provide new mailbox information to a mobile device. AUTD pushes information to mobile devices, but in some ways you can consider it a pull mechanism because it pushes only server notifications. In time, Microsoft could make AUTD push more data (such as message headers) to make the tool a more complete push mechanism.

Certificate-based authentication is especially welcome because it improves security by uniquely identifying a device similar to the way that BlackBerry devices identify themselves to wireless networks. By using certificate-based authentication combined with policy enforcement that requires users to enter PINs to access devices, you can meet the test for dual-factor authentication.

In SP2, AUTD uses persistent TCP/IP connections, rather than Short Message Service (SMS), to send notifications to mobile devices. The device sends a request to Exchange to register a subscription request for updates to the mailbox the same way that Microsoft Outlook Web Access (OWA) registers for new mail and calendar notifications. The request specifies a time interval (typically 15 minutes) and the folders that the device monitors (typically Inbox, Calendar, Contacts, and Tasks). If data changes in these folders during the set interval, Exchange sends a UDP packet to port 2883 on the front-end server that the mobile device uses, and the front-end server uses its open HTTP connection to the mobile device to relay the notification. After the device receives the notification, it issues a synchronization request to Exchange to retrieve the new data and sets up a new subscription. If Exchange has no updates for the device during the time interval, Exchange sends a "no data" message to the device, which can then respond with a new subscription request.

If the network connection (such as a wireless or General Packet Radio Service—GPRS—link) times out or is broken by the device shutting down or moving into and out of coverage, the device can reestablish communications and restart its Exchange connection. GPRS devices consume additional power only when they transmit, so the AUTD mechanism is more power-efficient than devices that have to poll Exchange regularly for updates. Your mileage will vary depending on the workload to which you subject the devices, but according to Microsoft, some users report a 20 percent to 30 percent increase in battery life when using Windows Mobile 5.0 devices.
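The subscription cycle described above can be replayed as a small simulation. This is an added example, not Microsoft's code or part of the original article; the function names, message labels, and the sample mailbox changes are hypothetical, and only the 15-minute interval, the folder list, and UDP port 2883 come from the text.

```python
# Added illustration of the SP2 AUTD cycle; function and label names are hypothetical.
NOTIFY_UDP_PORT = 2883  # back-end -> front-end notification port named in the article
MONITORED = ("Inbox", "Calendar", "Contacts", "Tasks")
CHANGES = [(5, "Inbox"), (7, "Drafts"), (40, "Calendar")]  # constructed (minute, folder) events

def run_autd(changes, total_minutes, interval=15, folders=MONITORED):
    """Replay mailbox changes [(minute, folder), ...] and return the message trace."""
    # Changes in folders the device did not subscribe to never produce a notification.
    pending = sorted(c for c in changes if c[1] in folders)
    trace, now = [], 0
    while now < total_minutes:
        trace.append((now, "device->front-end", f"subscribe {interval}min {','.join(folders)}"))
        deadline = now + interval
        hit = next((c for c in pending if c[0] < deadline), None)
        if hit is None:
            # Interval expired with nothing to report: the server answers "no data".
            trace.append((deadline, "front-end->device", "no data"))
            now = deadline
            continue
        when = hit[0]
        trace.append((when, "back-end->front-end", f"UDP notify port {NOTIFY_UDP_PORT}"))
        trace.append((when, "front-end->device", "notification on open HTTP connection"))
        # The notification carries no mailbox data; the device pulls it with a sync.
        synced = [c for c in pending if c[0] <= when]
        trace.append((when, "device->front-end", f"sync ({len(synced)} change(s))"))
        pending = [c for c in pending if c[0] > when]
        now = when  # the device re-subscribes right after the sync
    return trace

def device_transmissions(trace):
    """Count the messages the device itself sends (the ones that cost radio power)."""
    return sum(1 for _, direction, _ in trace if direction.startswith("device->"))

if __name__ == "__main__":
    for entry in run_autd(CHANGES, 60):
        print(*entry, sep="  ")
```

The trace makes the push/pull split visible: the server side only ever sends a notification or "no data", and every item of mailbox content moves in a device-initiated sync.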

Searching the GAL
Mobile devices can use the GALSearch feature to access the server, both to validate email addresses against the GAL and to search it. Memory is at a premium on mobile devices, so GALSearch supports a limited subset of the information that the GAL holds (compared with other clients such as Microsoft Office Outlook). Table 1 lists the properties that GALSearch supports and how they map against Active Directory (AD) attributes. The GALSearch feature takes a user-supplied query string and executes an Ambiguous Name Resolution (ANR) indexed search on the server against mail-enabled objects in the GAL. The ANR search, which is similar to the search that Outlook executes when it searches the GAL, attempts to return as many as 100 results for GAL entries that might satisfy the search string.

Securing Mobile Devices
In SP2, Mobile Services supports a set of secure mobile-device features, including those that do the following:

  • Enforce PINs (the user must set and use a PIN to access the device)
  • Set a minimum password length (characters)
  • Require both numbers and letters in the password
  • Enforce a PIN lifetime
  • Wipe the device after the set number of password attempts

In addition, Mobile Services lets devices connect to Exchange even when they don't support password settings. Such devices (typically older devices such as those that run Microsoft Pocket PC 2003) can't respond correctly to Exchange requests that they download and set policy data. These devices can ignore password policy and continue to synchronize data with Exchange, which is the approach that you can take if you have to support a mixture of old and new devices. You can also create a list of users who are exempt from the password policy. These users might have older devices or have devices that support other authentication mechanisms, such as biometric fingerprint readers. You access the password policy settings by clicking Device Security from the General property tab for the Mobile Services global settings, as Figure 1 shows. See the Web sidebar "Policy Setting for Mobile Devices" (http://www.windowsitpro.com, InstantDoc ID 48035) for an explanation of the AD attributes that control policy settings for mobile devices.
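The interaction between the password settings, the allowance for devices that can't apply policy, and the exemption list is easier to audit when written out as decision logic. The following is an added, simplified model, not Exchange code or part of the original article; every class, field, and function name and the sample inventory are hypothetical, and the real settings live in the AD attributes the sidebar describes.

```python
# Added illustration of the SP2 device-security decision; all names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class DevicePolicy:
    enforce_pin: bool = True
    min_length: int = 4
    require_alphanumeric: bool = False
    pin_lifetime_days: int = 0          # 0 = PIN never expires
    wipe_after_attempts: int = 0        # 0 = no wipe on failed attempts
    allow_legacy_devices: bool = False  # let devices that cannot apply policy sync
    exempt_users: set = field(default_factory=set)

def pin_violations(pin, age_days, policy):
    """Device-side check: which policy rules does this PIN break?"""
    problems = []
    if len(pin) < policy.min_length:
        problems.append("too short")
    mixed = any(c.isdigit() for c in pin) and any(c.isalpha() for c in pin)
    if policy.require_alphanumeric and not mixed:
        problems.append("needs letters and numbers")
    if policy.pin_lifetime_days and age_days > policy.pin_lifetime_days:
        problems.append("expired")
    return problems

def after_failed_unlock(failed_attempts, policy):
    """Device-side reaction to a wrong PIN: stay locked, or wipe at the threshold."""
    hit = policy.wipe_after_attempts and failed_attempts >= policy.wipe_after_attempts
    return "wipe" if hit else "locked"

def sync_decision(user, supports_policy, policy):
    """Server-side gate: 'enforced', 'unprotected' (syncs without policy) or 'deny'."""
    if not policy.enforce_pin or user in policy.exempt_users:
        return "unprotected"
    if not supports_policy:  # e.g. Pocket PC 2003 cannot download policy data
        return "unprotected" if policy.allow_legacy_devices else "deny"
    return "enforced"

def unprotected_devices(devices, policy):
    """Audit helper: devices that still sync although no PIN policy binds them."""
    return [d["id"] for d in devices
            if sync_decision(d["user"], d["supports_policy"], policy) == "unprotected"]

# Constructed sample inventory and policy.
DEVICES = [{"id": "wm5-01", "user": "alice", "supports_policy": True},
           {"id": "ppc2003-07", "user": "bob", "supports_policy": False},
           {"id": "wm5-02", "user": "carol", "supports_policy": True}]
POLICY = DevicePolicy(min_length=6, require_alphanumeric=True, pin_lifetime_days=90,
                      wipe_after_attempts=8, allow_legacy_devices=True,
                      exempt_users={"carol"})
```

Running `unprotected_devices(DEVICES, POLICY)` over a real inventory gives the list of devices that hold synchronized mail without an enforced PIN, which is the population to shrink before relying on the policy.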

Wiping Mobile Devices
Until SP2, Microsoft didn't support a way to wipe or reset a mobile device (e.g., smart phone, Pocket PC). Other competing systems, such as GoodLink Server or BlackBerry Enterprise Server (BES), support features that let administrators send instructions to mobile devices to wipe their contents if they become lost or are stolen.

The SP2 wipe functionality is basic but effective. A restricted Web page (https://server-name/MobileAdmin) lets you wipe devices, cancel wipe commands, and delete synchronization partnerships between devices and users. When you initiate a remote wipe, the Web application sends a WebDAV Proppatch command to the user's mailbox to set the mailbox's wipeinitiated property to a nonzero value. Mobile Services notices that the property is set and sends a wipe command to the device, which then locally executes the appropriate command. The client then acknowledges the wipe command back to the server with an indication of success or failure. A log tracks all commands and status as reported by the device. The wipe command doesn't, however, erase data on storage cards; the only data that the device wipes is the user-specific settings.

Improvements don't come for free, so if you want to take advantage of SP2's mobility improvements, you need to update target mobile devices with the Windows Mobile 5.0 Messaging and Security feature pack (see http://www.microsoft.com/windowsmobile/business/5/default.mspx for details). Different vendors take different approaches to the provision (or even testing) of upgraded versions of Windows Mobile, so check with your vendor to determine its upgrade policy and which devices support Windows Mobile 5.0.



Reader Comments
It is ridiculous and greedy that I cannot access all exchange related articles with Exchange subscription.

horvanna April 19, 2006 (Article Rating: )


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.