Mobile, wireless email access is nothing new. Research In Motion's (RIM's) BlackBerry has been providing it for several years, and millions of Web-enabled cell phones offer Wireless Application Protocol (WAP)-based browsing capabilities. But problems with ease of use, cost, security, and corporate access often prevent enterprises from implementing such solutions.
One alternative is to use the Microsoft Pocket PC 2002 handheld device with Microsoft Mobile Information Server 2002, Enterprise Edition to provide wireless access to your corporate Microsoft Exchange 2000 Server systems. Mobile Information Server provides a secure mobile gateway to and synchronization services for Exchange 2000. (Mobile Information Server can support other WAP-enabled devices, but I find the Pocket PC's Microsoft Pocket Outlook to be the best UI for Exchange access.) This setup isn't difficult, per se, but getting started can be somewhat complicated. Therefore, this article assumes that you're familiar with Active Directory (AD) administration; Mobile Information Server basics; Exchange, Microsoft Internet Security and Acceleration (ISA) Server 2000, and firewall installation and configuration; Pocket PC configuration and use; Microsoft ActiveSync setup; cellular telecommunications basics (e.g., device provisioning, device configuration, data network usage); and mobile-software concepts. (For articles that deal with these topics, see "Related Articles in Previous Issues," page 32.)
Gather the Pieces
To implement this mobile-access solution, you need a few pieces of recent hardware and software. In my experience, the following items offer the best performance:
- Pocket PC 2002 device
- Bluetooth- and General Packet Radio Service (GPRS)-enabled mobile phone with data service
- Bluetooth CompactFlash (CF) card
- Mobile Information Server 2002, Enterprise Edition, running on Windows 2000 Server Service Pack 2 (SP2)
- Exchange 2000 SP1 running on Win2K
- ISA Server 2000 running on Win2K (optional)
For details about this equipment, see the sidebar "Parts List." After you have all the pieces of your mobile-access solution, you're ready to deploy Mobile Information Server, configure the users' accounts, configure the Pocket PC, configure the Pocket PC and phone for Bluetooth, and test the solution. After a successful test run, you can implement the solution in your production environment to let users access their email from the office, their homes, or on the road.
Deploying Mobile Information Server
Mobile Information Server deployment is fairly straightforward. You can find detailed information about the product on the Microsoft Web site at http://www.microsoft.com/miserver. (Also see "Related Articles in Previous Issues.") Deploy the product on a test server in a controlled lab environment before you use the solution in a production environment (especially if this attempt is your first foray into mobile messaging). Doing so keeps an Internet-facing gateway, and any mistakes in its configuration, off your production network until you've verified it. Also, Mobile Information Server requires changes to AD, which holds the server product's user properties and user-account settings. You need to understand the effects of these schema changes before you roll the product out into a network environment. If your test server runs Exchange and AD, be sure to use the undocumented /vonebox=1 switch when you install Mobile Information Server. This switch removes the block to installing the product on the same system as Exchange and AD. Note, however, that Microsoft doesn't support this configuration, and it places the Internet-facing gateway on the same system as your DC and mailbox store, so don't use it outside the lab.
User-account configuration depends on which Mobile Information Server security topology you choose—single domain, trusted domain, or untrusted domain. In a single-domain architecture, users have the same logon for mobile access as they do for standard Windows logon, so the password a device carries is the user's corporate domain password. A trusted-domain topology lets you set up a forest of unique mobile user accounts (e.g., m-username) separate from your primary logon domain; these accounts have unique access rights and follow a simplified password policy. In an untrusted-domain topology, mobile accounts operate under one delegated user authority that you can control. Figure 1 shows a basic single-domain deployment with dedicated servers for Mobile Information Server, Exchange, and AD. Mobile devices connect to the network through your carrier's data center over a standard Internet link. Because the device-to-server connection uses Secure Sockets Layer (SSL), the traffic is encrypted across the carrier's network and the Internet. Keep in mind that SSL protects only the leg that ends at the server holding the certificate; the hop from Mobile Information Server to Exchange behind the private firewall is protected by your internal network controls, not by SSL. Mobile Information Server can sit in your network's demilitarized zone (DMZ), either outside your network or between two firewalls, depending on your needs and desired topology. Application servers—in this case, Exchange—sit behind the private corporate firewall.
For the greatest possible security, Mobile Information Server includes an Internet Server API (ISAPI) filter for installation on ISA Server 2000. This filter uses HTTP Secure (HTTPS) through the firewall to authenticate users against their wireless accounts, then passes user requests to Mobile Information Server. Figure 2, page 34, shows a topology in which Mobile Information Server sits behind the private corporate firewall and ISA Server sits on the edge of the corporate network. Using this filter with a trusted- or untrusted-domain topology (as opposed to a single-domain topology) adds a further layer of protection: the credential a device presents at the network edge is a separate mobile account rather than the user's primary Windows logon, so a captured or compromised mobile credential doesn't expose corporate domain credentials.
Mobile Information Server requires secure communications between the server and a Pocket PC. Server ActiveSync—the over-the-air synchronization engine that lets a Pocket PC sync directly to Exchange—uses SSL to encrypt the link between a Pocket PC and Mobile Information Server. For Server ActiveSync to function properly, you must install a valid X.509 certificate from a trusted Certificate Authority (CA) on your Web server—otherwise, the device will refuse the connection. You can purchase a valid certificate from a third-party provider such as VeriSign. By default, Pocket PC 2002 devices include root certificates for several providers. Another option is to install Microsoft Certificate Services on your Win2K server and issue your own certificates. The Pocket PC won't trust such a certificate out of the box, and the Mobile Information Server CD-ROM's Disable SSL tool works around this by updating users' Pocket PCs so that they no longer require a certificate from one of the established trusted CAs. Understand the trade-off before you use it: a device that skips the certificate check can no longer distinguish your server from an impostor presenting any certificate, so treat the tool as a lab shortcut and deploy a certificate the devices already trust in production.
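The following script is an added example, not code from the article or from Microsoft: it performs the same SSL handshake a Server ActiveSync client would make against the Mobile Information Server (or ISA Server) endpoint and reports whether the certificate chains to a trusted root and matches the host name, which is exactly what the device checks before it will sync. It also shows, side by side, the policy you get from trusting your own Certificate Services root versus switching verification off (the effect of the Disable SSL tool). The host name miserver.corpdomain.com, the port, and the CA-bundle path are assumptions for illustration.

```python
"""Added example (not from the article): check what a Server ActiveSync client
would see when it opens SSL to a Mobile Information Server endpoint, and show the
difference between trusting your own CA and switching verification off.
The host name, port and CA-bundle path below are assumptions for illustration."""
import socket
import ssl


def make_client_context(ca_bundle=None, skip_verification=False):
    """Return the TLS policy a client applies to the server's certificate.

    Default: require a chain to a trusted root plus a matching host name, which
    is what a Pocket PC 2002 with its built-in root certificates demands.
    ca_bundle: PEM file holding your own enterprise root (Certificate Services);
    this is the production-grade alternative to disabling the check.
    skip_verification=True reproduces the Disable SSL shortcut: any certificate,
    including one presented by an impostor, is accepted.  Lab use only.
    """
    ctx = ssl.create_default_context()
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    if skip_verification:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_policy(ctx):
    """Summarise a context's verification policy as plain values (for logs/tests)."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def probe_endpoint(host, port=443, ca_bundle=None, timeout=5.0):
    """Attempt the handshake a device would make and report the outcome.

    Returns ok=True with the leaf certificate's subject, issuer and expiry, or
    ok=False with the reason verification failed (self-signed, expired, host-name
    mismatch, ...).  A device that still verifies certificates refuses to sync on
    any ok=False result, so fix the certificate rather than the client.
    """
    ctx = make_client_context(ca_bundle=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # parsed dict; only available when verified
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        # verify_message is OpenSSL's text, e.g. "self-signed certificate"
        return {"ok": False, "reason": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # TCP failure or a non-certificate TLS failure (wrong port, old protocol)
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    import sys
    # Usage: python check_mis_ssl.py miserver.corpdomain.com [enterprise-root.pem]
    target = sys.argv[1] if len(sys.argv) > 1 else "miserver.corpdomain.com"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print("strict policy:", describe_policy(make_client_context(ca_bundle=bundle)))
    print("Disable SSL equivalent:", describe_policy(make_client_context(skip_verification=True)))
    print(probe_endpoint(target, ca_bundle=bundle))
```

Run it from a machine on the same path the devices will use (the Internet side, not the LAN) so that it exercises the firewall or ISA Server endpoint the Pocket PCs actually hit. If the only way to get ok=True is to pass your own root bundle, the devices need that root installed; if they can't carry it, buy a certificate from a CA whose root Pocket PC 2002 already ships with instead of reaching for the Disable SSL tool.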
Configuring the User Account
After you've deployed Mobile Information Server, you're ready to configure your users' mobile devices. The first step is to configure the users' accounts for wireless access (aka provisioning). For simplicity, I'll use the single-domain setup that Figure 1 shows as an example because that topology doesn't require creation of an additional mobile forest, user accounts, or trust relationships. One hint: As a security precaution, Win2K by default denies ordinary users the right to log on locally to a domain controller (DC). If you're installing all the server software on one test system, this restriction will prevent you from synchronizing the Pocket PCs with Exchange. Grant the Log on locally user right to the trial user accounts on the lab DC, and don't carry that change into production, where Mobile Information Server and the DC are separate systems anyway.
To configure a user account, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, then open the account's Properties dialog box. Go to the Wireless Mobility tab, which Figure 3 shows (and which Mobile Information Server adds to the Properties dialog box during installation). Select the Enable wireless access for this user check box to let the user authenticate against Mobile Information Server. Also select the Allow this user to synchronize Exchange data with their device using Mobile Information Server check box to permit synchronization through Server ActiveSync. When you roll this solution out in a production environment, Mobile Information Server's new Enterprise Device Setup Wizard (a bulk-provisioning tool) will help you automate the process of enabling wireless access for multiple users simultaneously. If you plan to let users provision their own accounts, Mobile Information Server provides the Personal Device Setup self-provisioning tool.
You also need to configure the user's device settings if you plan to use Short Message Service (SMS) notifications or Outlook Mobile Access 2002. Outlook Mobile Access 2002 lets users browse Outlook folders (e.g., Inbox, Calendar) in real time from their cell phones through WAP, using Wireless Markup Language (WML). (To give a user realtime PDA access to such Exchange data as the Global Address List—GAL—or unsynchronized Outlook folders, you need to install a WAP browser, such as EZOS's EzWAP 2.1, on the user's Pocket PC.) Click Add on the Wireless Mobility tab to open a dialog box in which you define the mobile phone type, carrier, and other properties to format the Outlook UI for viewing on a mobile phone. After provisioning the user account, close the dialog box. Finally, configure user preferences on the Outlook Mobile Access User Personalization page at http://localhost/airweb (substituting the name of the server that hosts Outlook Mobile Access for localhost).
Configuring the Pocket PC
Your next step is to install the proper software on your users' desktop PCs and Pocket PCs. Most Pocket PC 2002 devices come with the ActiveSync 3.5 desktop software on the companion CD-ROM. You can download the most recent software from the Microsoft Web site at http://www.microsoft.com/mobile/pocketpc/downloads/activesync35.asp.
ActiveSync 3.5 includes updates for Pocket PC 2002, such as the server sync profile creation and desktop pass-through features. A server sync profile is similar to a desktop partnership profile that you create using ActiveSync's Get Connected! Wizard but includes settings for server name, domain name, and network-logon password. The desktop pass-through feature lets users sync their Pocket PCs through any PC with an Internet connection (provided that the ActiveSync desktop software is installed on that PC). The user simply cradles the Pocket PC, establishes a Guest connection, then starts ActiveSync. This capability lets users synchronize Pocket Outlook to Exchange without creating a new connection profile. (Users of the AvantGo Web content service can launch the AvantGo Connect tool from the Pocket PC's Settings, Connections menu to sync their AvantGo channels through the active Internet connection.) If a user has ActiveSync 3.1 or earlier installed on his or her desktop PC when you upgrade to ActiveSync 3.5, you need to delete the existing device partnership and create a new server-enabled partnership for use with Mobile Information Server. If a user already uses ActiveSync 3.5, you can add server sync to the user's existing profile. (Users can directly update server profile settings from the ActiveSync dialog box's Server tab, accessible from the Pocket PC ActiveSync Tools, Options menu.)
Now, you need to update the Pocket PCs' ROM. The update, called Sync XIP, adds a few enhancements to let Pocket PC 2002 devices communicate with Mobile Information Server and Exchange. The update is permanent, so a dead main battery or backup battery won't cause the device to lose the enhancements.
To install the Sync XIP update on the Pocket PC, cradle the device, initiate a Guest partnership between the PC and Pocket PC, then copy the full_XIP.cab file from the Mobile Information Server CD-ROM to the Pocket PC's local memory. This file contains the installer for flashing the Pocket PC's ROM with the updated software. Keep the Pocket PC plugged into AC power, open File Explorer on the device, navigate to the file, then click the file to launch the update. This process takes a few minutes to complete; soft-reset the device after the process finishes.
Now you're ready to set up a new server sync profile. Recradle the Pocket PC; ActiveSync's New Partnership Wizard automatically launches and prompts you to create a partnership. On the wizard's Set Up a Partnership screen, select the Yes, with this computer and a server option, then click Next. The next screen prompts you to enter your Mobile Information Server name, domain, username, and password. (If you're running the test on an internal LAN only, the Mobile Information Server name can be your test server's NetBIOS name.) Click Next. The wizard prompts you to select which data the Pocket PC will receive directly from the Exchange server. Click Next, then complete the wizard's walkthrough, which deals with the setup of standard ActiveSync desktop dialog boxes and properties. After you click Finish, ActiveSync first synchronizes the device against the Exchange server, then processes standard client-side data. This initial synchronization can be time-consuming and bandwidth-intensive over a wireless connection, so use the Pocket PC cradle. To test whether your setup is working thus far, you can use an 802.11 wireless LAN (WLAN) card to determine whether the Pocket PC can access Mobile Information Server and successfully synchronize without a cradle connection.
Configuring the Pocket PC and Phone for Bluetooth
After you've set up desktop communications and server sync, you're ready to let your users go wireless—assuming you've properly provisioned each cell phone's data-service account. You need to contact your corporate cellular carrier's customer service group for exact instructions about setting up data service accounts and provisioning particular phones for WAP browsing and GPRS data. Follow these instructions to create a WAP browse account, then perform some basic WAP browsing to test the service.
Next, follow the carrier's instructions to create a GPRS Internet data account and point it at the applicable Access Point Name (APN), which identifies the external data network you want the carrier to connect you to for general Internet access. For example, VoiceStream's APN is internet2.voicestream.com. Note the connection ID in your phone's account settings. In this example the connection ID is 2 because the GPRS data account was the second account you set up (the WAP account was first). The Pocket PC dialing string uses this ID to select the proper data-network account.
Next, you need to install the Bluetooth driver and card-manager software on the Pocket PC. If the card's companion CD-ROM doesn't provide this software, you can download the most recent version from the vendor's Web site. You might need to soft-reset the device after you insert the card.
Now, here's how to associate the cell phone with the Pocket PC through Bluetooth. Click the Bluetooth icon in the lower-right corner of the Pocket PC's screen to open the Get Connected! Wizard. This wizard directs you to perform certain tasks on both the cell phone and the Pocket PC; the exact steps depend on the particular phone. To begin, select the model of Bluetooth phone you're using. The wizard then guides you through the creation of a unique code-secured partnership (a Bluetooth pairing protected by a passkey) between the phone and the Pocket PC. This partnership prevents someone with a similar setup from commandeering the user's phone and GPRS account, so choose a passkey other than the phone's default and turn off the phone's discoverable mode once the pairing is established.
The final action is to create a GPRS connection. On the Pocket PC, select Settings, Connections, then choose the Connections icon to open the Connections dialog box. You need to configure the Pocket PC to use a special dialing string: GPRS is a packet-data service rather than a circuit-switched call, so the Pocket PC can't initiate a session by dialing a regular telephone number. The resulting connection is always on, much like a DSL connection, and the phone expects a service code that names the data account to activate. In the Connections dialog box, go to the Dialing Locations tab, then click New. Enter a New Location name (such as GPRS), click OK, then click Dialing Patterns. As the note at the bottom of the display indicates, you want the Pocket PC to dial this specific string unaltered, so accept the default G in each text-entry field, then click OK.

Select the Connections tab again, then select Modify under the Internet Settings drop-down list. To create a dial-up connection that uses your new Bluetooth phone-modem profile, click New. Enter a name (e.g., GPRS Modem) for the connection, then select Bluetooth Phone from the Select a modem drop-down list. Click Advanced, and enter any DNS IP address information that your carrier provided in its GPRS account instructions. Click Next, then, in the Connection Name Dialing Properties (e.g., GPRS Modem Dialing Properties) dialog box, enter your country code and area code (e.g., 1 425) and the phone number *99***2# (where 2 is the connection ID you noted previously in your phone's GPRS Internet configuration). This dialing string tells the phone to start a GPRS Internet session, which your Pocket PC will use as a shared connection through Bluetooth. Click Next, then click Finish and exit all menus. Whenever the user opens Pocket Internet Explorer (PIE) or starts ActiveSync, the Pocket PC will automatically use this connection to dial out.
If you've done everything correctly, the final step—testing—will be the easiest to complete. To test your setup, launch PIE to open a connection, or use the Pocket PC's Connections applet to manually open a link. Browse the Web to test your connectivity. Next, sync to Exchange: Launch ActiveSync, then click Sync. If you've exposed your test server with a public IP address or URL (as the New Partnership Wizard prompted you to do), the Pocket PC will locate the server on the Internet and sync your data.
At Work, at Home, and on the Road
After you configure your servers, update users' devices, and provision user accounts, your users are ready to go wireless, whether they're in the office, working from home, or traveling. And with the variety of available technologies, users aren't limited to synchronizing through their mobile phones.
Connecting at the office. Within the corporate setting, you can set up an 802.11 WLAN to provide direct WLAN access from users' Pocket PCs. Now that 802.11b wireless NICs are available in both PC Card and CF versions, users can sync their Pocket PCs regardless of which type of card they use. (The Cisco Systems' Cisco Aironet 340 series works well for an iPAQ with a PC Card Type II sleeve; Symbol Technologies' Wireless Networker CF card is a good choice for Hewlett-Packard's HP Jornada.) Using a WLAN will save valuable—and expensive—GPRS bandwidth.
The primary advantages to using a WLAN are high-speed access (11Mbps), easy setup and usage, and high availability. The disadvantages are the known weaknesses of 802.11b's built-in encryption (WEP) and the open configuration of most corporate WLANs, either of which can expose an otherwise secure network. These concerns have caused many companies to either shut down their 802.11b networks or add the more secure 802.1X port-based authentication to them. The Pocket PC 2002 currently supports only 802.11b, so plan on treating its WLAN traffic as untrusted.
If you decide to use a WLAN, you can provide access in one of two ways: entirely behind the corporate firewall or by routing wireless network traffic outside your network, then back in through a secure proxy or firewall, such as ISA Server. When you run WLAN-enabled devices locally on your network (i.e., behind the firewall), you can point ActiveSync at either the server's internal host name or its IP address (depending on your use of DHCP and dynamic DNS—DDNS). When you route wireless traffic outside the network, you point ActiveSync on your Pocket PC to an Internet address (e.g., miserver.corpdomain.com) rather than the internal name (e.g., miserver). The external approach has two benefits: users don't need to change server addresses when they switch between the WLAN and GPRS modem, and WLAN clients are subject to the same firewall policy as any other Internet client, which matters given the WLAN weaknesses noted above.
Connecting at home. Users can use their Pocket PCs to get email when they're at home. One way to connect is through the GPRS modem. Users who live in an area with unreliable GPRS coverage or who are concerned about the added expense of extra bandwidth usage have another option: setting up a home WLAN. (Windows XP's new integrated wireless networking capabilities make such a setup easy.) Users with a home WLAN simply need to match their Pocket PC's WLAN NIC settings (e.g., DHCP, Extended Service Set—ESS—ID, Wired Equivalent Privacy—WEP—key) to their home WLAN. WEP has known weaknesses, but turn it on anyway; the Exchange sync itself is additionally protected by its own SSL session. After the users connect to the home network, the Pocket PC automatically treats the shared PC Internet connection as its own, letting the users sync to Exchange in the same way as through the GPRS modem or corporate LAN.
Connecting on the road. Typically, a traveling user will use the Bluetooth card and GPRS phone to get Internet access. However, various technology groups and companies have proposed the use of 802.11 to provide broadband Internet access at malls, train stations, and other public places. Some trial deployments are already in place (e.g., at Sea-Tac Airport in Seattle, at several Starbucks coffeehouses).
Stay in Sync
Setting up wireless email connectivity through Mobile Information Server, the Pocket PC 2002, and a Bluetooth- and GPRS-enabled cell phone doesn't just offer easy mobile email access. Users can also employ the CF Bluetooth card and GPRS modem to provide faster laptop connectivity. Most cell phones that use a standard dial-up modem can handle 19.2Kbps at best, whereas cell phones that use GPRS can handle almost as much as 50Kbps.
Watch for a new generation of Pocket PCs with built-in GPRS and Bluetooth radio transceivers. Such devices have been available in Europe for some time and are beginning to appear in the United States. Several manufacturers are releasing US versions that will sell through wireless providers. These integrated devices are easier to use, and users won't need to sacrifice an expansion slot for the modem card.
Related Articles in Previous Issues
You can obtain the following articles from Windows & .NET Magazine's Web site at http://www.winnetmag.com.
"Making Exchange Mobile with MIS," December 2001 Web Exclusive, InstantDoc ID 23520
"ISA Server: Your Network's Lifeguard," October 2001, InstantDoc ID 22251
"Wireless Application Protocol," June 2001, InstantDoc ID 20708
JOHN D. RULEY
"Pocket PC 2002 Devices," April 2002, InstantDoc ID 24228
"Wireless Networking for Pocket PC Devices," March 2002 Web Exclusive, InstantDoc ID 24535
"Pocket PC 2002," January 2002 Web Exclusive, InstantDoc ID 23685
"Upgrading Your iPAQ's ROM," January 2002 Web Exclusive, InstantDoc ID 23715
"Compaq Got It Right!" October 2001 Web Exclusive, InstantDoc ID 22871
Market Watch, "Wireless Exchange Email Access," October 2001, InstantDoc ID 22238
"Going Wireless," Spring 2001, InstantDoc ID 19876