MBL220: Best Practices for Enterprise Mobile Messaging with Exchange 2003 and Windows Mobile

Transcript of the MBL220 slide deck

Agenda

• Enterprise mobile messaging applications
• Exchange 2003 SP2
• Windows Mobile 5 with MSFP
• Enterprise Exchange messaging service practice
• Mobile messaging security, management and extension

Enterprise mobile messaging applications

• Rich, multi-purpose device terminals
• Ubiquitous, low-cost wireless networks
• Increasingly strong security management infrastructure
• Maturing enterprise mobile messaging applications:
  Exchange Server 2003 / Windows Mobile 5
  LCS 2005 / Mobile Office Communicator
  CRM 2.0 / Mobile CRM
  Mobile OA
  Mobile ERP ...

Challenges of enterprise mobile messaging applications

• Total cost of ownership
• Connectivity: Scalability
• Security: Device and Network
• Manageability: Provisioning and Support
• Extensibility: Leveraging infrastructure

Focus:
• Microsoft Exchange Server 2003 Service Pack 2
• Microsoft Windows Mobile 5 Messaging and Security Feature Pack
• Architecture Best Practices

The starting point for enterprise mobile messaging: E-Mail

• E-Mail is already a core enterprise application
• Multiple mature devices and solutions already exist
• Exchange Server 2003 is the first integrated solution
• Combined with ISA, it provides higher availability and manageability
• Combined with IT policy, it achieves higher security

Key updates on the mobile device

Windows Mobile 5
• Persistent storage
• On-demand synchronization
• Contact pictures

Messaging and Security Feature Pack (MSFP)
• Data compression (GZIP)
• Certificate-based authentication
• Enforced security policy
• Online contact lookup (GAL)
• Direct Push e-mail (Direct Push Technology)
• S/MIME signing and encryption

Supported by Exchange Server 2003 Service Pack 2

Exchange 2003 SP2

Exchange Server 2003 Service Pack 2
• Higher security: Certificate based authentication; Local and Remote Wipe capability; Central control of device policy
• Direct Push technology
• Many new features: Directory search; Pictures in Contacts; GZip

Exchange Server 2003 mobile access services

[Diagram] Exchange 2003 Mobile Services, reached by three kinds of client:
• Laptop: RPC/HTTP or OWA (real-time)
• Cellular phone: Outlook Mobile Access (real-time)
• Pocket PC / SmartPhone: Microsoft ActiveSync (synchronization)

Windows CE based devices:
• Pocket PC, Pocket PC Phone Edition, Smartphone 2002
• Windows Mobile 2003 (AUTD support)
• Windows Mobile 5 (AUTD & DP support), with Exchange 2003 SP2

OWA access from Windows Mobile

• Small-screen browsing
• Pocket Internet Explorer (single window)
• Supports OWA
• Limited frame support

OMA access from Windows Mobile

• Based on WAP/WML
• Legacy mobile phones

ActiveSync access mechanism (AirSync)

[Diagram]
• Client → Front End Server: AirSync over HTTP (basic authentication), [SSL] preferred
• Front End Server → Back End Server: WebDAV over HTTP (Integrated authentication), [SSL] preferred, otherwise in the clear
• Front End Server: IIS, MASSYNC.DLL (ISAPI)
• Back End Server: IIS, DAVEX.DLL (ISAPI)
• DS_ACCESS → Active Directory: Read User Properties & obtain Kerberos TGT

Exchange Server ActiveSync applications

• Windows Mobile 5.0 with MSFP
• Online contact lookup (GAL): requires Windows Mobile 5 + MSFP and Exchange 2003 Service Pack 2
• Integrated application: import GAL records into the local contact list

Exchange Direct Push technology

• A true AUTD (always-up-to-date) solution: no SMS notification needed
• Supports all PIM data: Inbox, Calendar, Contacts and Tasks
• No additional data traffic
• Scalability: global
• No additional software or server installation needed

Requirements
• Enabled in the server configuration (the default configuration)
• Supports "SP2-ready" devices
• The solution relies on a persistent (real-time) connection
• The firewall connection timeout needs to be adjusted to 15-30 mins

Direct Push technology (Direct Push)

How Direct Push Mail works (heartbeat interval 15 min), between a Windows Mobile device with MSFP and a server running Exchange 2003 SP2:

Time = 0 min
Device: "If I receive mail within 15 minutes, tell me; otherwise tell me 'no mail'."

Time = 15 min
Server: "No mail."
Device: "If I receive mail within 15 minutes, tell me; otherwise tell me 'no mail'."

Time = 23 min
Server: "You have new mail."
Device: "Give me the mail."

Heartbeat cost: 370 Bytes/heartbeat x 4 heartbeats/hour x 24 h x 30 days = 1.06 MB (no consideration of block rounding)
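The timeline above, together with the firewall-timeout requirement from the previous slide, as an added Python simulation (not code from the session or from Microsoft): the device issues a long-lived Ping, the server answers early on new mail or at the heartbeat boundary, and a stateful firewall silently drops any connection idle longer than its timeout. Mail arrival times and the firewall timeout are constructed inputs.

```python
"""Simulation of the Direct Push heartbeat between a Windows Mobile (MSFP) device
and Exchange 2003 SP2, as described on the slide. Constructed example, not
Microsoft code: mail arrival times and the firewall idle timeout are made up."""
from dataclasses import dataclass, field

HEARTBEAT_BYTES = 370  # per-heartbeat overhead quoted on the slide


@dataclass
class Exchange:
    arrivals: list              # minutes at which new mail arrives (constructed)
    firewall_idle_timeout: int  # minutes a stateful firewall keeps an idle session
    log: list = field(default_factory=list)

    def ping(self, now, heartbeat):
        """Answer a device Ping: (reply_time, reply), or None when the firewall
        dropped the idle connection before the server could answer."""
        deadline = now + heartbeat                      # answer promised by here
        alive_until = now + self.firewall_idle_timeout  # idle session lives until here
        for t in sorted(self.arrivals):
            if now < t <= min(deadline, alive_until):   # mail arrived on a live session
                self.log.append((t, "Server: you have new mail"))
                return t, "new mail"
        if deadline > alive_until:                      # heartbeat outlives the firewall
            self.log.append((alive_until, "firewall silently drops the idle connection"))
            return None
        self.log.append((deadline, "Server: no mail"))
        return deadline, "no mail"


def run_device(server, heartbeat, until):
    """Issue Pings until `until` minutes. Returns (sync times, connection healthy)."""
    now, synced = 0, []
    while now < until:
        server.log.append((now, f"Device: tell me within {heartbeat} min if I have mail"))
        outcome = server.ping(now, heartbeat)
        if outcome is None:
            return synced, False  # no reply ever arrives: heartbeat must be shortened
        now, reply = outcome
        if reply == "new mail":
            server.log.append((now, "Device: give me the mail (Sync)"))
            synced.append(now)
    return synced, True


def monthly_heartbeat_mb(heartbeat_min=15, days=30):
    """Idle-traffic cost from the slide: 370 B x (60/heartbeat)/hour x 24 h x days."""
    return HEARTBEAT_BYTES * (60 // heartbeat_min) * 24 * days / 1_000_000


if __name__ == "__main__":
    srv = Exchange(arrivals=[23], firewall_idle_timeout=30)  # slide timeline, timeout raised
    print(run_device(srv, heartbeat=15, until=30), f"{monthly_heartbeat_mb():.2f} MB/month")
    for when, event in srv.log:
        print(f"Time = {when:2d} min  {event}")
```

Re-running with `firewall_idle_timeout=10` returns `([], False)`: the 15-minute heartbeat outlives the firewall's idle timeout, so the device never hears back, which is why the slide asks for the timeout to be raised to 15-30 minutes.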

Exchange Server 2003 SP2 configuration

Enterprise Exchange messaging service practice

Architecture overview
• Firewall: one or more; at least supports port filtering; supports reverse proxy (Publish)
• Front-end server: can be Enterprise or Standard edition; Pub/private Store can be removed; can be deployed on the Internet, in the DMZ, or inside the corporate firewall
• Back-end server: inside the corporate firewall; stores mailboxes and public folders

FE/BE Deployment Scenarios: single firewall (simple)

[Diagram] Internet → Firewall (ports 443, 993, 995) → Exchange Server 2003 Front-End Servers → Exchange 2003 Servers, with the Active Directory Global Catalog Server alongside the Exchange servers.

FE/BE Deployment Scenarios: DMZ/perimeter network (secure)

[Diagram] Internet → Firewall (ports 443, 993, 995) → DMZ: Exchange 2003 Front-End Servers → Firewall (ports 80, 143, 110, LDAP, etc) → Exchange 2003 Servers, with the Active Directory Global Catalog Server on the inside.

ISA Reverse Proxy (recommended): DMZ/perimeter network

[Diagram] Internet → Firewall (port 443) → ISA → Firewall (ports 443 or 80) → Exchange FE → Exchange 2003 Servers, with AD/GC on the inside.

Mobile messaging security

Secure access for Mobile

[Diagram] Four segments of the access path: 1. devices (PAN); 2. air transmissions (wireless LAN/WAN); 3. public networks; 4. VPN into the private networks and applications (LAN). Concerns along the path: mobility management, wireless security, traditional security management.

Mobile security threats

• Stolen information: host intrusion, stolen device
• Unauthorized network/application access: compromised credentials, host intrusion
• Virus propagation: virus susceptibility
• Lost information: lost, stolen or damaged device

[Figure: timeline of mobile malware from 20 June 2004 to 4 July 2005 (20Jun04, 17Jul04, 5Aug04, 12Aug04, 21Nov04, 29Dec04, 1Feb05, 7Mar05, 8Mar05, 18Mar05, 4Apr05, 6Apr05, 15Apr05, 4Jul05). Named samples: Cabir, Windows CE DUTS, Brador, Skulls, Qdial, Locknut (Gavno), Comwar, Dampig, Drever, Fontal, Hobbes, Doomed, Mabir, Vlasco. Legend: Symbian OS (Nokia, etc) and Windows CE (HP, etc). Source: Trend Micro]

Mobile content security (access security)

• Simple lock
• Encryption
  Private key storage? Smartcard/TPM; hashed private key (dictionary attack)
  Couple with strong password policies
• Prevent unsafe restart: analogous to a BIOS password and Drivelock

Authentication
• Username/Password: encrypted on device
• Client certificate: prevents ISA from SSL-bridging; non-trivial enrollment
• One-time password

Secure connection

• Infrastructure similar to OWA (HTTP)
• SSL certificate checking by the access device

[Diagram]
1. HTTPS connection from the ActiveSync client to IIS
2. IIS presents the virtual server SSL certificate (certificate for the virtual server, issued by the Root CA)
3. The client validates the Root CA: the Root CA of the SSL certificate must be installed on the Windows Mobile client

"Known" certificate authorities on the Windows Mobile client:
• Thawte (Server and Premium Server)
• Secure Server
• GTE Cybertrust
• Globalsign
• Entrust.net
• Class 2 and 3 Public Primary Certificates

Enforced security policy

Goal: ensure that security policy is enabled on the mobile device
Content:
• PIN code strength
• Remote Wipe (specific web UI)
• Device locking

Security of the Exchange Servers

• SSL is not enabled between front end and back end:
  Trusted physical/switched network
  IPsec everything, or specific ports such as 80
• IIS:
  Enable IIS logging
  Disable non-essential script mappings
  Always keep up to date on available fixes

Using IPsec

• IPsec is used to encrypt the transport between the Exchange front end and back end
• IPsec policy
  Exchange front end: me → any; TCP any → 80; Encrypt
  Exchange back end: Respond only
• Push the IPsec policies with GPO
• Exchange 2003 front end and back end use Kerberos authentication

Recommended configuration

• No direct end-to-end connection
• Use SSL bridging (ISA)
• Authenticate at the front end
• Use IPsec between front end and back end
• ISA and the FE need certificates configured

Mobile messaging management

Using Mobile Device Management (MDM)
• Lowers TCO, especially technical support costs
• Central console, reporting
• A more reliable platform for deploying line-of-business applications
• Easier to use and more readily accepted by users
• Security: assured configuration integrity

Different MDM products

• Desktop-management based: Altiris; Microsoft SMS
• Complete solutions: Good; Intellisync*; OneBridge
• MDM standards based: iAnywhere Afaria; mFormation*

MDM maturity levels

• Infancy: asset management; basic software updates
• Adolescence: software updates; configuration management; device security enforcement
• Mature: data publishing and synchronization; multi-platform support; policy-based software distribution; over-the-air (OTA) activation and maintenance; extended desktop management

Enterprise MDM requirements

• Integrated Management Console
• Directory (AD/LDAP) integration
• Centralized Policies: policy polling; user cannot remove; screen-lock/idle-lock

Mobile messaging service extension

Mobility extension architecture

[Diagram, three layers]
• Access Layer: Presentation (rendering, synchronization, local processing); Device services (rendering); Connectivity (roaming, VPN)
• Distribution Layer: Connectivity services (VPN, roaming, compression, optimization); rendering, synchronization, content-aggregation, personalization, location; Business process automation
• Content Layer: CRM, OLTP/OLAP databases, ERP, e-mail, rich media, Internet/intranet
• Management and Security Infrastructure (spanning all layers): provisioning, user support, load balancing, identity management, authorization

Microsoft's Mobility extension architecture

[Diagram, three layers]
• Access Layer: Presentation (.NET CF, SQL CE, Media Player); Device services; Connectivity (ActiveSync)
• Distribution Layer: Connectivity services (Server ActiveSync, ISA Server, Exchange FE); ASP.NET, ASP.NET Mobile Controls; BizTalk
• Content Layer: CRM, Microsoft SQL, ERP, Exchange, Windows Media, IIS
• Management and Security Infrastructure (spanning all layers): Active Directory, SMS, MSFP

More resources

• SP2 / Windows Mobile Deployment Guide: http://www.microsoft.com/technet/itsolutions/mobile/deploy/msfpdepguide.mspx
• Exchange Team Blog - Mobility: http://msexchangeteam.com/archive/category/3827.aspx
• Windows Mobile for Business Web Site: http://www.microsoft.com/windowsmobile/5/Business/default.mspx
• Microsoft IT Case Study: http://msexchangeteam.com/archive/2006/06/09/427913.aspx

More resources

• Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
• Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
• Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
• Technical Community Sites: http://www.microsoft.com/communities/default.mspx
• User Groups: http://www.microsoft.com/communities/usergroups/default.mspx

Please fill in the feedback form