
Setting up mobile email with Exchange 2003 and 2007

Mobile email isn’t a luxury for executives or even a convenience any more. It’s a business necessity. Your customers need employees to be connected whether they’re in the office or not.

If they’re already running Exchange, you can set them up without needing extra systems.

Configuring Microsoft Exchange for email on Windows Mobile devices is one thing, but often you’ll need to set up mobile email for as wide a range of devices as possible – not just those capable of connecting via ActiveSync. Nokia and other handset manufacturers have licensed ActiveSync but there are still far more handsets that don’t support it.

Throughout this article, I’ll be assuming that you’re dealing with a single-server Exchange implementation (including SBS). Multi-server infrastructures are somewhat more complex and few small businesses require them.

Securing email over the air
The very first thing that needs to be considered is, as ever, email security. Unlike laptops, it is very unlikely that you will be able to mandate connection to the company’s Exchange server via a secure method such as a virtual private network. Mobile phones in general don’t work that way – they connect over your operator’s GPRS, EDGE or 3G data network. Moreover, many mobile phones can connect via Wi-Fi – and the last thing you want is company email travelling insecurely over a client or even a competitor’s network.

Therefore, some form of end-to-end encryption is required. For Web sites, this would be done by SSL (Secure Sockets Layer) where the familiar http: prefix to URLs is replaced by https: and traffic between the Web server and your browser is encrypted. Other services can have their traffic transmitted in an encrypted manner too, using TLS (Transport Layer Security), the successor to SSL. This is used for the encryption of many common protocols – including the email protocols of IMAP4, POP3 and SMTP. Setting it up for those protocols involves a very similar set of steps to setting up a Web server to use SSL.

Transport Layer Security has one additional advantage, unrelated to the encryption it provides. Each protocol using TLS uses a different port number from those commonly used. This gets round a very common problem, especially when using wireless hotspots for connectivity – that of firewalling or proxying. It is not unusual at all for networks to restrict access to various services, either denying access completely or forcing you to use the services they provide. This is not ideal when trying to maintain a consistent manner for connection back to the company network. The use of different ports for TLS-secured IMAP, POP and SMTP often bypasses such network-based restrictions.

One other process that increases security slightly is to restrict access to named individuals. Microsoft Exchange allows you to specify at a user level which services – ActiveSync, Outlook Mobile, POP and IMAP – can be accessed by each person. Restricting these to the minimum possible provides a small decrease in the number of potential attacks on the mail server.

POP or IMAP?
There are two ways of accessing a mailbox from a remote device. Describing the precise technical differences of the two protocols in question – POP3 and IMAP4 – is not relevant, but one difference between them does matter. IMAP4 is designed to remotely manipulate your mailbox. POP3 is designed to copy items from your mailbox to your device, and then delete them. Deleting items from your main mailbox is obviously not a good idea, as they will no longer be accessible except on the device.

Many POP3 implementations allow this deletion to be overridden, but this relies on the devices being correctly configured, and no one tampering with the settings. I think this is a risk, and prefer to use IMAP4 for mail on remote devices if possible.

One other thing to remember: many devices have the ability to set a retention time for items in a mailbox and after this time the items are often deleted. It’s always best to set the deletion time to nil on mobile devices, otherwise you may end up with mail being permanently deleted much faster than you anticipated.

Exchange’s IMAP eccentricity
There is only one problem with Exchange’s implementation of IMAP, and this is not really a problem with the protocol or its implementation. The issue is that because of the way Exchange stores information, more than just email is visible via IMAP – your contacts, tasks, calendar items and so on are all visible too. This makes it a little too easy either to lose an email by putting it into an incorrect folder or to accidentally move or delete non-email items. However, I believe this is less of an issue than accidentally deleting all your email via POP3, so I still prefer IMAP for mobile device access.

Setting up Exchange for mobile email

Decide on a name for your server. This seems like an obvious step, but it actually needs a little thought. Many Exchange servers receive mail directly from the Internet, and therefore have names already configured in DNS, and therefore need no further action here. However, many receive their email from a front-end external mail host (often to enable spam and virus filtering) and it’s likely in these circumstances that a new name will need to be chosen for direct access to the Exchange server.


Setting up a new virtual SMTP server - the first step.


Choosing the DNS name for the Exchange server is the vital first step, because without it, you can’t order an SSL certificate.

Get and install an SSL certificate. The first thing that needs to be said here is do not cut corners to save money. Yes, it is possible to configure Exchange to use a self-signed certificate, at least up to Exchange Server 2003. It’s even pretty easy to generate one. However, such a certificate will not be recognised by default by any mobile device you need to connect. While it is possible to shoehorn non-standard certificates into mobile devices, the mobile networks have made this as difficult as they can. It is a nuisance to install such certificates once. To do it for a company-wide rollout is too much effort and causes too many potential problems for the money it saves. A proper certificate, one that customers’ mobile devices will recognise, is a quicker, simpler and more long-lasting solution.

If you have installed certificates for securing HTTP traffic before, then this process will be very familiar. In Exchange System Manager, navigate through Servers, your server name, Protocols and SMTP to ‘Default SMTP Virtual Server’. Right-click it, select the Access tab and then the Certificate button. This will bring up the Web Server Certificate Wizard. On the following page of the wizard, choose ‘Create a new certificate’. On the next page, choose ‘Prepare the request now, but send it later’.

On the next page, where it asks you for a name, enter a name for the certificate that you will remember and that makes sense. Leave bit length unchanged (some mobile devices balk at long bit-length certificates) and leave the checkbox for selecting cryptographic service provider unchecked. On the next page, type in a suitable organisation name and organisational unit. These aren’t vital but should make sense if someone manually verifies your certificate.

On the next page, type the DNS name for your server you chose earlier. It is absolutely vital to get this right. Otherwise, your devices may not connect at all. Many silently fail to connect when the certificate used in connection does not contain the exact DNS name to which they are connecting.

On the next page, enter your country; state, province or county; and your city.

On the final page, enter a location where the certificate request (CSR) file will be placed.

Then you need to send that CSR off to the SSL certificate provider of your choice. You will get an SSL certificate back from them, which then needs installation.

Bring up the Web Server Certificate Wizard as before. You are presented with two options – to install the requested certificate and to delete the pending request. Choose the former.

Configure your firewall. The next task is to configure your firewall. TLS-secured mail services use different ports from the usual ones, so you will need to create new firewall rules to allow access to the secured services. The ports that the secured services use are listed below (see ‘Secured and unsecured ports for mail services’).

Note that SMTP has two ports listed. This is because you will need to choose which port to use when configuring the SMTP service. Both of the listed ports are commonly used for secured SMTP and it doesn’t matter which you choose.

For each service you choose to use, create an appropriate firewall rule, allowing access for TCP from the Internet to the specified port number.

Configure your DNS. Now your external DNS needs to be configured. It is necessary to be able to connect to your Exchange server from out on the Internet, and it’s necessary to be able to connect to it by the name chosen and set up in the SSL certificate earlier in this process.

There are many ways in which your external DNS could be set up, and it is not possible in this article to go through them all. An A Record needs to be created, linking the name previously chosen to the external IP address for your Exchange server. This external IP address should be able to be found in the configuration of the router connecting your LAN to the Internet.

Your internal DNS may need to be configured too. It is very common for company LANs to use one of the private IP address ranges, using NAT to translate these where necessary into Internet-facing IP addresses. If this is the case, in order for your devices to connect properly to your Exchange server while on your LAN, you will need to make sure the same name chosen above translates properly via internally-facing DNS to the LAN IP address of your Exchange server.

Configure the services. At this point, all the preparatory work is complete. Now, each mail service needs to be configured to use the certificate for secured email. The following instructions assume that you are using one virtual server for each service. If you have more than one (for example, if you have a virtual server that connects to the Internet and one that is connected to your local area network) then you will need to repeat the steps for each virtual server.

By default, the system services responsible for IMAP and POP are disabled. Before the mail services will run, the system services need to be started and, preferably, configured to run automatically in future.

Choose the Services item from the Administrative Tools menu. Scroll down to the Microsoft Exchange IMAP4 system service, and double-click it.


Change the Startup type drop-down box from Disabled to either Automatic or Manual – Automatic, for preference. Click Apply, then Start to start the system service.

Repeat the above for the Microsoft Exchange POP3 system service. Close the Services application.

Configure IMAP. Firstly, in Exchange System Manager, drill down to the Default IMAP4 Virtual Server. Right-click on it, select Properties, and choose the Access tab. Select Certificate. This starts the Web Server Certificate Wizard, as before. Here, you wish to assign the previously created certificate to the IMAP service. Choose Assign an existing certificate, and click Next.

Select the certificate you wish to use to secure the IMAP service, and click Next.

After confirmation, you have added your SSL certificate to the IMAP service. IMAP will use it if a session from a mobile device requests it. You can also configure IMAP to require SSL for extra security. To do this, again select the Properties of the Default IMAP4 Virtual Server. Choose the Access tab, and select Communication.

Tick the top checkbox to require IMAP to use SSL. Also tick the lower checkbox if you wish to require 128-bit encryption (this checkbox will only be available if your certificate supports 128-bit encryption, but most do).

For additional security, you can further require that passwords normally sent in plain text be sent over an SSL-encrypted connection. This has the advantage of protecting passwords as they are transmitted over networks, but it does mean that devices that cannot make a secured connection to your Exchange server will not be able to connect at all – which means any handset without the processing power to handle the cryptography.

To configure SSL-secured passwords, select the Properties of the Default IMAP4 Virtual Server. Choose the Access tab, and select Authentication. Make sure that the middle checkbox, ‘Requires TLS/SSL encryption’ is ticked.

Now you can verify that your server is set up for secure IMAP by going to the Properties of the Default IMAP4 Virtual Server, and, on the first pane, choosing the Advanced button. If it is correctly configured, a port number (by default, 993) will appear in the SSL Port column.

Configuring Exchange’s POP service is essentially the same as configuring the IMAP service. The SSL certificate needs to be added to the service, then the service needs to be configured to use it.

As before, in Exchange System Manager, navigate this time to the Default POP3 Virtual Server. Right-click on it, select Properties, and select the Access tab. Select Certificate. Choose Assign an existing certificate, and click Next. Select the certificate you wish to use to secure the POP service, and click Next and Next again to confirm and exit. To configure POP to require SSL for extra security, select the Properties of the Default POP3 Virtual Server. Choose the Access tab, and select Communication. Tick the top checkbox to require POP3 to use SSL. As before, tick the lower checkbox if you wish to require 128-bit encryption.

In the same way as the IMAP service, the POP3 service can require that passwords are sent over an SSL-encrypted connection. Again, this has the advantage of protecting passwords as they are transmitted over networks but means that devices that cannot make a secured connection to your Exchange server will not be able to connect at all. Select the Properties of the Default POP3 Virtual Server. Choose the Access tab, and select Authentication. Make sure that the middle checkbox, ‘Requires TLS/SSL encryption’, is ticked.

Again you can verify that your server is set up for secure POP by going to the Properties of the Default POP3 Virtual Server, and, on the first pane, choosing the Advanced button. If it is correctly configured, a port number (by default, 995) will appear in the SSL Port column.

SMTP configuration is more complex than configuring IMAP4 or POP3. Configuring those services for SSL ends up with one port that is set up as default, and one port that is secured by SSL. In addition, these ports are not generally restricted in terms of connections incoming to them. SMTP, on the other hand, has often been restricted to a small range of incoming IP addresses – usually those from an upstream ISP or email scanning service provider. Even if it has not been restricted so far, it is wise to anticipate that this may happen in the future.

Therefore, I recommend setting up a new SMTP virtual server, specifically to allow mobile devices to connect. This virtual server will connect on a different port, and allow user-authenticated connections from any device.

To configure this in Exchange System Manager, drill down from the Servers container, through your server, and Protocols, to the SMTP container. Right-click on it, select New > SMTP Virtual Server. This will start the New SMTP Virtual Server Wizard. Give your new SMTP virtual server a descriptive name.

Click Next. Leave the IP address as ‘all unassigned’. When you click Next, a warning will appear – this is because the IP address and port number combination for the virtual server is not yet unique, so choose Yes.

Now right-click the new virtual server you just created, and select Properties > Access > Certificate, and assign the certificate as before to the SMTP service. Choose Assign an existing certificate, and click Next.

After confirmation, you have added your SSL certificate to the SMTP service. The service will use it if a session from a mobile device requests it, but in this case, we wish to make it mandatory. Select the Properties of the newly created SMTP Virtual Server. Choose the Access tab, and select Communication. Tick the top checkbox to require it to use SSL. As before, tick the lower checkbox if you wish to require 128-bit encryption.

There are three further configuration steps. Firstly, confirm that the service is configured to allow devices that authenticate successfully to relay. Navigate to the Access tab again, and choose Relay. Confirm that the checkbox at the bottom is checked.

Secondly, the virtual server must respond with the correct DNS name. Move to the Delivery tab and click Advanced. In the field marked ‘Fully-qualified Domain Name’ make sure the field contains the DNS name you chose previously.

Finally, set the port on which this SMTP server should listen. On the General tab, click Advanced and edit the identity line. Change the IP address to a specific IP address assigned to your server, and change the port to 587 (or 465, as previously discussed). The server should now be configured as shown (above).

Click OK to get back to the Exchange System Manager. Right-click on the SMTP virtual server you created, and choose Start. At this point, your Exchange server is configured for secured email, receiving mail by TLS-secured POP, IMAP and SMTP.
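To confirm the result from a handset’s point of view, the following script is an added example (not code from the original article): it connects to each secured port in turn, has the certificate chain verified against the local trust store (a self-signed certificate fails here, as it would on a handset), and reports whether the certificate carries the exact DNS name chosen earlier, the silent-failure case described above. It assumes Python 3 with only the standard library; the SERVICES table and the function names are my own, and the plaintext/TLS port pairs are the standard ones the firewall rules refer to.

```python
import socket
import ssl
import smtplib
from fnmatch import fnmatchcase

# Port layout the article relies on: (plaintext port, TLS port, TLS mode).
# 993, 995 and 465 speak TLS from the first byte; 587 upgrades via STARTTLS.
SERVICES = {
    "IMAP": (143, 993, "implicit"),
    "POP3": (110, 995, "implicit"),
    "SMTP": (25, 587, "starttls"),  # use (25, 465, "implicit") if you chose 465
}

def names_in_cert(cert):
    """DNS names covered by a certificate in the dict shape getpeercert() returns.
    SAN entries win; the CN is consulted only when there is no SAN at all."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def certificate_matches(cert, expected_name):
    """True only for the exact name handsets will dial (case and trailing dot
    ignored). One left-most wildcard label is honoured; a name that merely shares
    the domain is a mismatch, the silent-failure case the article warns about."""
    expected = expected_name.lower().rstrip(".")
    for name in names_in_cert(cert):
        name = name.lower().rstrip(".")
        if name == expected:
            return True
        if (name.startswith("*.") and "*" not in name[2:]
                and name.count(".") == expected.count(".")
                and fnmatchcase(expected, name)):
            return True
    return False

def probe(service, host, timeout=10):
    """Connect like a handset would and return the certificate presented.
    The chain is verified against the local trust store (a self-signed cert
    raises here); the name is checked separately so it can be reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # CERT_REQUIRED stays on; we report the name ourselves
    _plain, port, mode = SERVICES[service]
    if mode == "starttls":
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def run_checks(host):
    """Per service: ('ok', names), ('name-mismatch', names) or ('fail', reason)."""
    results = {}
    for service in SERVICES:
        try:
            cert = probe(service, host)
        except OSError as exc:  # DNS, firewall, timeout or untrusted certificate
            results[service] = ("fail", str(exc))
            continue
        status = "ok" if certificate_matches(cert, host) else "name-mismatch"
        results[service] = (status, names_in_cert(cert))
    return results
```

Run `run_checks("mail.example.com")` (placeholder name) once from a machine on the Internet and once from the LAN; the second run confirms that the internal DNS entry resolves the same name to the server.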

Access via ActiveSync
Devices running Windows Mobile version 5 and later automatically try to use SSL-secured ActiveSync in preference to using it unsecured. Enabled by default to send and receive mail with mobile devices, ActiveSync requires no configuration – unless you wish to turn it off. (The settings for doing this can be found in Exchange System Manager under Global Settings > Mobile Services > Properties). However, it does require a little work to enable security, and it has one distinct problem involving SSL-secured access that needs resolving before you’ll have a successful deployment.

To configure SSL-secured ActiveSync, in Internet Information Server, assign an SSL certificate to the Web site containing the Exchange virtual directories. Doing this will ensure that ActiveSync will use SSL, without forcing other parts of the Web site to use it.

Making the SSL certificate mandatory is also the most common reason for ActiveSync not working, along with configuring Forms-based authentication for Outlook Web Access. Find the details – and the solutions – in Microsoft’s Knowledgebase article 817379.

ActiveSync Tester:
https://store.accessmylan.com/main/diagnostic-tools.php
This free download checks the configuration of your Exchange Server to verify that Server ActiveSync is configured correctly. It checks the DNS configuration, SSL certificate and your login credentials and shows any problems that will stop handsets receiving mail.

Windows Mobile configuration guide:
www.wmexchangesetup.com/launcher.aspx
This wizard walks you through what steps you’ll need to take to set up mobile email for a customer: you can use it with the customer to explore the options or as a reminder of the different steps you need to follow for different mixes of Exchange and Windows Mobile devices.


Comments (2)
gobbledegoo
Posted: May, 1 2009

You are Awesome!

Thank you thank you thank you thank you thank you thank you!!!!!!!!!!! I really can't believe no one has commented on this article yet. I was having tons of problems setting up our new Exchange Server 2003 with our iPhones, but this step-by-step guide solved every problem except one: you absolutely have to install Exchange Service Pack 2 before iPhone ActiveSync will work. Thank you thank you thank you thank you!!!!!!!!!!!!!!!!!!!!!!!!!!!!
drummond
Posted: Jun, 25 2009

fantastic

Great article. I bought a site cert a couple of months ago and have not had the time to install it.

The instructions on the cert provider’s site are cryptic, but your article has made things quite clear.
