Microsoft Mobile Information 2001 Server, a powerful platform for delivering enterprise wireless applications, will become commercially available in mid-2001. Already, many Independent Software Vendors (ISVs) are developing applications and solutions for the new platform. If your management decides the product is a good choice for your enterprise, you'll need to know something about planning for Mobile Information Server deployment and security. The product documentation will provide the click-by-click details about installation and configuration, but you'll be better prepared for the job if you become familiar with the big picture beforehand. You'll also need to know what's involved in configuring Mobile Information Server's built-in applications (i.e., Microsoft Outlook Mobile Access and Intranet Browse) and setting up enterprise users for wireless mobility.
Preparing for Installation
You'll need an implementation plan to identify the resources required for Mobile Information Server and the steps involved in deploying it. Your implementation plan should document hardware and software requirements, the location of Microsoft Exchange 2000 Server or Exchange Server 5.5, the security model your enterprise will use, and the number of wireless users you'll support. Other considerations include the effects of changes the product requires you to make to the Active Directory (AD) schema, the number of servers required, and whether you'll use load balancing.
For a basic enterprise implementation, the only hardware you need is a server on which to run Mobile Information Server. The minimum hardware requirements are a 200MHz Pentium II processor, 128MB of RAM, and 50MB of hard disk space. However, for a good production environment, you'll need to beef up this configuration. I've used a Compaq ProLiant server with a 733MHz Pentium III processor, 1GB of RAM, and two 18GB RAID 1 SCSI hard disks. The system must run Windows 2000 Server or Win2K Advanced Server, and the latest service pack (currently Service Pack 1—SP1) and Microsoft Message Queue Services (MSMQ) must be installed. You'll also need two IP addresses: one for browse traffic and the other for notification traffic. Because Mobile Information Server uses proxy-type functionality to let wireless users access enterprise data sources, optimize the system the software runs on to handle concurrent connections.
Before you can install Mobile Information Server, AD and Exchange Server (either Exchange 2000 or Exchange Server 5.5) must be installed in the enterprise. Exchange Server must reside on a system different from the Mobile Information Server installation. Companies that haven't yet migrated to Win2K, AD, or Exchange 2000 can set up a separate Win2K environment and AD forest to let users access Exchange Server 5.5 through Mobile Information Server.
Microsoft recommends implementing Mobile Information Server in the corporate demilitarized zone (DMZ), primarily for security reasons but also because the Mobile Information Server system needs to have an Internet-accessible address. Most Wireless Application Protocol (WAP) and Internet-enabled wireless devices connect to Mobile Information Server over the Internet. You'll need to open certain ports in the internal and external firewalls, as I explain later.
Successful production deployment and system performance depend on the number of users and geographical regions your implementation will serve. Microsoft recommends using separate servers for each geographical area (e.g., one server for the enterprise's Denver office and another server for the Houston, Texas, office) and adding servers when the number of users in a particular region exceeds 4000. My experience is that Mobile Information Server Enterprise Edition should have LAN access to the Exchange Server system and other enterprise data sources that wireless users will use. Enterprise data that must travel over a WAN connection can result in high latency—and thus poor response times. One benefit of a corporate-hosted solution is that it lets you avoid WAN connections to data resources.
To support more than 4000 users in a particular region, you can use multiple machines to scale up Mobile Information Server. Various load-balancing techniques, such as round-robin DNS, let you support any number of enterprise wireless users without sacrificing performance. Although Mobile Information Server doesn't support Microsoft's clustering technologies, Microsoft might enable clustering in future versions.
Deploying Mobile Information Server
Deploying Mobile Information Server is a multistep process. You need to perform steps on the AD system as well as on the Mobile Information Server machine. Although Win2K, SP1, and MSMQ are required, I don't discuss setting up those pieces of the implementation.
Prepare the AD forest. First, you need to update the AD schema to support wireless users, mobility settings, and Mobile Information Server operation. You can't undo schema changes even if you uninstall Mobile Information Server. To ensure that the schema changes won't cause a problem in your environment, you can create an AD forest to test the schema changes before you actually deploy Mobile Information Server.
The ForestPrep switch in the Mobile Information Server setup routine adds AD classes and attributes to make the necessary schema changes. The user who runs ForestPrep must be a member of both the Schema Admins group and the Enterprise Admins group. You need to perform forest preparation in the domain that contains the AD schema, but not necessarily on the computer that contains the master schema.
To prepare the forest, insert the Mobile Information Server CD-ROM in the CD-ROM drive. Click Start, Run, and type
"E:\\setup.exe" /vFORESTPREP=1
where E is the CD-ROM drive. Click OK, then click OK at the warning that Figure 1 shows to extend the AD schema. In the dialog box that appears, enter the fully qualified name of the domain in which you'll install Mobile Information Server.
The ForestPrep process creates a Microsoft Mobility Admins group and prompts you for a password for the group. Add the users who will install Mobile Information Server to the Microsoft Mobility Admins group so that those users have the necessary permissions to complete the installation.
Configure firewall ports. For Mobile Information Server to operate correctly in the DMZ, you need to open ports in the external and internal firewalls. Table 1 lists the firewall ports you need to open for a DMZ implementation. If you put Mobile Information Server somewhere other than in the DMZ, port configuration will differ from that listed in the table.
Prepare the AD domain. Next, prepare the AD domain. Domain preparation adds the accounts, groups, and security necessary to support Mobile Information Server operation. To run the DomainPrep deployment stage, you must be a member of the Domain Admins group. At a command line, type
"E:\\setup.exe" /vDOMAINPREP=1
where E is the CD-ROM drive. Click OK at the warning to update the domain, then enter passwords for the Exchange Event Source account, Message Processor account, and HTTP Connectors. (For more information about connectors, see "Introducing Mobile Information 2001 Server," June 2001.)
Install Mobile Information Server. When you initially install the product in the enterprise or auxiliary forest, the setup program prompts you to choose a security topology. The security topology specifies which type of wireless user account the product will support:
- Use existing account lets Mobile Information Server use users' regular domain credentials for authentication.
- Create new accounts in this domain with -W suffix uses auxiliary wireless accounts in the same domain to authenticate users.
- Create new accounts in the auxiliary domain creates new accounts in a new domain and is the most secure choice.
Any Mobile Information Server systems you add later will use the settings that you specify for the initial installation.
Next, the setup wizard prompts you to select the Mobile Information Server components to install. On the system that will run Mobile Information Server, you need to deselect the Exchange 2000 Notifications feature, as Figure 2 shows. You install this feature in a separate step, which I discuss later.
Finally, the wizard prompts you for the Message Processor and HTTP Connectors passwords that you entered during domain preparation. After you finish the installation options, the setup program completes installation.
Add carriers. Carrier connectors provide notification functionality in Mobile Information Server. You need to add a carrier connector for each wireless carrier, such as Sprint PCS and VoiceStream Wireless, that will support devices and users. The default carrier connector is an SMTP connection. However, when Mobile Information Server Carrier Edition is present (e.g., when a carrier uses Carrier Edition), you specify Carrier Edition's URL, and communication between Enterprise Edition and Carrier Edition takes place through HTTP. For security purposes, Microsoft recommends that you use an IP Security (IPSec) VPN between Enterprise Edition and Carrier Edition.
To add a carrier connector, right-click the carrier node in the Mobile Information Server console window and select New. In the resulting dialog box, you specify the name of the carrier connector, the connection type (i.e., SMTP or HTTP), the default device type (e.g., AT&T's Mitsubishi T250, Ericsson R380s), and the carrier address. When you use an SMTP carrier connection, the carrier address is the carrier's SMTP server address (e.g., mobile.att.net). For an HTTP carrier connection, the carrier address is the carrier's Mobile Information Server URL.
Configure users. Before users can access Outlook Mobile Access and Intranet Browse applications, you need to configure the users for wireless mobility. Select each user from the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and click the Wireless Mobility tab. Select the Enable wireless access for this user check box, as Figure 3 shows. To add a device for the user, click Add and select the appropriate device module, the carrier used for the device, the device description, and the device address.
Typically, users insist that you support devices they choose—especially when, as in many enterprise environments, users buy their own devices. An essential feature of wireless middleware is the ability to support multiple device types and wireless carriers. Mobile Information Server includes device modules that support primarily existing WAP 1.1 and SMS-capable devices. If you want to support a new device or a specific device, such as Research In Motion's (RIM's) BlackBerry, the vendor needs to provide the necessary device module.
In addition to device-support considerations, the WAP gateway or Openwave Systems' UP.Link Server gateway that the wireless network uses must have cookie support turned on. To support Mobile Information Server applications, the gateway must also support HTTP authentication.
Configure user preferences. After you configure users, users can change their preferences through a Web interface at http://servername/airweb, where servername is the name of the Mobile Information Server system. After authentication, each user can configure preferences, such as a four-digit PIN and which Outlook features (e.g., email, calendar) the user wants to use with Mobile Information Server.
Deploying Applications
Recall that Mobile Information Server's two built-in applications are Outlook Mobile Access and Intranet Browse. To let users use these applications, you need to do some configuration.
Outlook Mobile Access. This application provides browse and notification access to Exchange Server. Separate Data Provider components provide Outlook Mobile Access browse functionality with Exchange 2000 and Exchange Server 5.5.
During Mobile Information Server installation, the setup program installs the Exchange 2000 Data Provider automatically as long as you have Exchange 2000 in the AD forest. On the server that runs Exchange 2000, you need to install the Exchange 2000 Event Source, which the documentation also refers to as the Exchange 2000 Notifications feature. If you want to use the Exchange Server 5.5 Data Provider, you must select it in the Mobile Information Server setup routine, as I explain later.
To use Outlook Mobile Access, users point their WAP devices to http://servername/oma, where servername is the name of the Mobile Information Server system. If you're using the Exchange 5.5 Data Provider, users use the URL http://servername/oma55 to access the Exchange Server 5.5 virtual Web. When the user connects, Mobile Information Server prompts for the user's network logon credentials. These credentials can consist of the user's primary domain logon or a wireless alias, depending on how you implement security. After being authenticated, users can access their Outlook email, calendar, contacts, and tasks.
The Exchange 2000 Event Source. Recall that during Mobile Information Server installation, you didn't install the Exchange Event Source (aka the Exchange 2000 Notifications feature). To configure Exchange 2000, you need to install the Exchange Event Source on the Exchange 2000 server. Run the Mobile Information Server setup routine on your Exchange 2000 server and select only the Exchange 2000 Notifications feature from the wizard dialog box that Figure 2 shows. To complete the event source deployment, you need to create an Exchange 2000 SMTP Connector in the Exchange System Manager. This connector lets Mobile Information Server push alerts to users' devices.
Then, access Internet Services Manager (ISM) on the Mobile Information Server machine to configure the connection to the smart host (i.e., a server configured to perform DNS name resolution to external domains). The SMTP connector lets Exchange Server route the event source notifications to Mobile Information Server, then to the user's device. The connection to the smart host lets Mobile Information Server route SMTP alerts to the smart host, which routes them to the carrier's SMTP gateway.
Outlook rules. When you install the Exchange 2000 Event Source, the installation creates the Mobile Outbox folder in the user's Outlook folder list. The event source works with the Mobile Outbox to send notifications to users. To enable notification functionality, the end user must set up Outlook rules that copy email messages to the user's Mobile Outbox when certain conditions are met. Users can decide how they want to configure their Outlook rules to generate alerts.
Exchange 5.5 Data Provider. The Exchange 5.5 Data Provider provides Outlook Mobile Access browse functionality from Exchange Server 5.5. Before you install the Exchange 5.5 Data Provider, you need to create a service account between Mobile Information Server and the Exchange Server 5.5 server. This service account can be the existing Exchange Server 5.5 service account. Alternatively, to limit access from Mobile Information Server to the Exchange Server 5.5 server (e.g., to provide access to only a subset of Exchange Server 5.5 users), you can create a service account named OMAGateway and include specific mailboxes in that account.
To install the Exchange 5.5 Data Provider, you need to expand the Microsoft Mobile Information Server node in the setup wizard's Component Selection window that Figure 2 shows, select the Exchange 5.5 Support subcomponent, and enter the requested information for the service account. The setup program will install the Exchange 5.5 Data Provider and create a virtual root to give the user browse access to data resources.
To deploy the Exchange 5.5 Data Provider, you use the Active Directory Connector (ADC) to migrate Exchange Server 5.5 user accounts to AD. Mobile Information Server then disables those user accounts and uses the disabled accounts to store mobility information about users. The ADC retrieves data from the Exchange Server 5.5 private data store and puts the data into AD. You need to set up an ADC for every Exchange Server 5.5 machine in the enterprise. For configuration details, see the online Help on the Mobile Information Server CD-ROM.
Intranet Browse. The Intranet Browse Data Provider lets users access intranet-hosted WAP applications. Those applications could provide wireless enterprise features such as sales-force and field-force automation, customer relationship management (CRM), and enterprise resource planning (ERP). When you install Mobile Information Server, Intranet Browse setup installs by default.
After installation, you need to take a couple of simple steps to let users access Intranet Browse applications. To set intranet site access, right-click the default Mobile Information Server site in the MMC Mobile Information Server snap-in, select Properties, and click the Intranet Browse Sites tab. Select the Allow access to all Intranet sites check box to let users access all intranet sites, or specify sites to limit users' access to only those sites. To access the Intranet Browse site, users use their WAP-enabled device to access a URL of the form http://servername/in/applicationpath, where servername is the name of the Mobile Information Server system and applicationpath is the application pathname (e.g., cowireless03/articletest).
Administering Mobile Information Server. You administer the various aspects of Mobile Information Server through the Mobile Information Server snap-in. The administration components in the snap-in let you access details about Mobile Information Server applications, carriers, device types, and event sources. In addition, you administer some mobility aspects through AD. As I explained earlier, users manage their own wireless mobility preferences.
Application-level security. To use application-level security, you need to configure the Mobile Information Server system with appropriate certificates from a suitable certificate authority. Users can then use an HTTP over Secure Sockets Layer (HTTPS) URL to reference the secured applications from a wireless device through the service provider's WAP gateway. Application-level security uses Wireless Transport Layer Security (WTLS) between the WAP device and the WAP gateway and Secure Sockets Layer (SSL) encryption between the WAP gateway and Mobile Information Server in the DMZ.
A Wireless Direction
Although you might see changes to particulars, such as the Mobile Information Server interface, when Mobile Information Server becomes publicly available, this implementation overview should give you the information you need to prepare a foundation for your enterprise mobility strategy. Then, after the product is available, you'll be ready to quickly implement it.
