
Architectural Overview of Windows Mobile Infrastructure Components
Windows Mobile 5.0 and 6-powered Devices

White Paper

Published: May 2007

For the latest information, please see http://www.microsoft.com/windows/mobile/

Abstract

This whitepaper describes how mobile devices running Windows Mobile 5.0 and Windows Mobile 6 are fully integrated into Microsoft’s server infrastructure, and how the components fit together. The paper goes over the fundamental design requirements for employing Microsoft infrastructure components to help secure and manage mobile devices. The following components and their interrelationships are discussed: Exchange Server 2003 and 2007, Exchange ActiveSync, Internet Security and Acceleration Server 2004 and 2006, Microsoft Dynamics Platform, Small Business Server 2003, Microsoft Operations Manager (MOM) 2005 and Systems Center Operations Manager (SCOM) 2007, Systems Management Server (SMS) 2003 and Systems Center Configuration Manager 2007, Microsoft Office SharePoint Server 2007 and Live Communications Server 2005.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft, Active Sync, Outlook, Windows, Windows Mobile, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Overview

In an enterprise environment, properly leveraging mobility involves much more than buying Windows Mobile-enabled devices. In this whitepaper, you will learn how mobile devices running Windows Mobile 5.0 and Windows Mobile 6 are fully integrated into Microsoft’s server infrastructure, and how the components fit together to provide immediate value to your enterprise. After reading this overview, you should be familiar with the fundamental design requirements for employing Microsoft infrastructure components to help secure and manage your mobile devices.

The Microsoft mobility platform comprises several key components. Because email and messaging are such important applications of information technology, Exchange Server is a key component of the architecture. Additionally, your firewall solution serves to enhance security. Other components, such as Systems Management Server 2003 and System Center Operations Manager 2007 (formerly Microsoft Operations Manager), are available to manage and control the operations of the infrastructure. You will also learn how the Windows Mobile platform allows you to reuse much of your Line of Business application investment and personnel skill sets. The infrastructure components and the development platforms work together to drive one seamless, cost-effective and scalable solution with enhanced security for your enterprise.

Mobility Architecture Goals

Microsoft’s mobility architecture is designed to integrate with your existing environment, and allow you to reuse existing systems administration skill sets. The following are some of the design goals of the architecture:

Flexibility. In most enterprises, IT infrastructure is heterogeneous. The Microsoft mobility architecture is designed to work with your existing environment, such as a variety of advanced firewall solutions, network topologies, and third-party device management products. While this whitepaper addresses Microsoft components and the recommended architecture, the architecture is modular and was designed to work with other designs and products. This allows you to leverage your investment in areas such as security, scalability, and manageability. This works for both enterprise messaging applications and line of business applications; no new special setup is necessary for security and authentication.

Scalability. Most enterprises already have a scalable infrastructure for managing their server and desktop environments. Mobility should be viewed as just another piece of the overall management strategy. Therefore, the Windows mobility architecture relies on existing infrastructure, such as Exchange 2007 or 2003, for scalability and high availability. No new middle-tier servers, which can result in a single point of failure, are required for the architecture.

Manageability. The Microsoft architecture supports many points of management, such as the Exchange console, Systems Management Server 2003 or the upcoming System Center Configuration Manager 2007, or operations monitoring through System Center Operations Manager 2007 or Microsoft Operations Manager 2005. This allows different levels of management, depending on existing infrastructure investment. Third-party device management products are supported as well.

Extensibility. The architecture is the basis on top of which other Microsoft and third-party applications are built. It has built-in support for Microsoft Office SharePoint Server and Live Communications Server 2005. A multitude of third-party applications work with the infrastructure. Additionally, Microsoft Dynamics ERP and CRM applications use the same infrastructure to deliver their functionality.

Security. Windows Mobile operating systems are designed with security in mind and form an integral part of the infrastructure. Windows Mobile cryptography services have been certified with US Federal Information Processing Standard (FIPS) 140-2, level 1. Additionally, there is support for dual-factor authentication, 256-bit AES encryption, remote device wipe and application certificates. Additionally, Internet Security and Acceleration (ISA) Server 2006 has features that integrate with components on the corporate network, such as analysis of Exchange traffic that flows to and from mobile devices.

Reuse of Existing Skill Sets. On both the administration and application development sides, the same familiar tools are used. For systems management, mobile devices are treated as just another type of asset from the management tools’ perspective. For application development, both Mobile Web using ASP.NET 2.0 and Mobile Smart Client using the Compact Framework offer a similar development environment and APIs.

Overview of Windows Mobile Security

Windows Mobile operating systems play a key role in enterprise mobility infrastructure through their support of communication security standards, security policies and features designed for remote policy-based management. Windows Mobile 5.0 with the Messaging and Security Feature Pack (MSFP) and the new Windows Mobile 6 both have a sophisticated security system to protect the device from running malicious code and to help secure communications with corporate servers. As an enterprise administrator, you are responsible for provisioning and managing security policies on devices and thus need to understand the Windows Mobile features that support communications and device security.

Windows Mobile Application and Network Security

Mobile devices face many threats in today’s environment. To address these threats, digital certificates are used to ensure both application and communication security. In the first role, certificates help Windows Mobile determine whether an application can be run on the device, and what level of privilege it receives. Furthermore, most applications are restricted from writing to the registry and other services that might compromise security. This prevents malicious code from infecting the device and gives administrators tight control over the applications that are installed on the device. Some manufacturers even impose additional restrictions that require all applications to be signed by a known trusted authority in order to run.

In securing communications, Windows Mobile uses digital certificates to establish a network connection using Secure Sockets Layer (SSL) and to validate the identity of the server using its installed root certificates. Windows Mobile offers cryptographic services for:


Data encryption - to help secure communications
Hashing - to help ensure data integrity
Digital signatures - to verify identity

SSL is used to enhance the security of communications for applications such as the Mobile Outlook client connecting to an Exchange Server, Line of Business applications connecting over web services, or database clients connecting to a central data store.

The cryptography services have been certified with the US Federal Information Processing Standard (FIPS) 140-2, level 1. The certification designates that Windows Mobile security algorithms work properly and protect against a variety of threats. Additionally, Windows Mobile supports Virtual Private Networking (VPN), Wi-Fi encryption, Storage Card Encryption, and two-factor authentication systems like RSA SecurID. Lastly, Windows Mobile supports Certificate-Based Authentication, in which each device is issued a digital certificate that uniquely identifies the device and encrypts the connection.

For more information on the security model in Windows Mobile, please see Security Model for Windows Mobile 5.0 and Windows Mobile 6, and Windows Mobile 5.0 Application Security.

Windows Mobile Security Policies

Security policies are used for device management; they define levels of security. The policies dictate whether a device can be configured over the air (OTA), and whether to accept unsigned messages, applications, or files. The policies include settings such as the number of login attempts before local device wipe, password strength and length, and PIN-based device protection. Additionally, Windows Mobile 5.0 and 6 include the ability to remotely wipe the device, or to locally wipe it after an administrator-settable number of incorrect password entry attempts. By default, only a manager of the device can change security policies. The policies can be configured through a central management system such as SMS 2003 or the mobile management features built into Exchange 2003 and 2007, provided the OEM or Mobile Operator has given the administrator Manager permissions. For more information on the management capabilities of SMS 2003 and Exchange, please see the references in the related sections of this whitepaper.

Exchange Deployment and Mobile Device Management

Today, every computer user is also an email user, so Exchange Server is central in enterprise deployments. Mobile devices communicate with Exchange for a variety of services including email, data synchronization and security. Understanding Exchange deployment topologies will give you the background you need to leverage Microsoft Exchange with your mobile devices. Additionally, Exchange has features that support over-the-air management, data synchronization, and security of mobile devices through Exchange ActiveSync. Exchange ActiveSync works directly with the Windows Mobile 5.0 and 6 operating systems so you can avoid the added cost of middleware or service fees.


Exchange 2003 Deployment Topologies

Exchange 2003 is a highly scalable enterprise messaging environment designed to support many types of clients. For large enterprises deploying several thousand devices and tens, or even hundreds, of thousands of users, Exchange 2003 allows load to be distributed across multiple servers. Exchange 2003 allows deployment using two types of servers, front-end and back-end. This topology is shown in Figure 1.

Front-end servers accept all of the communications with the clients outside the corporate network. They use a proxy mechanism to transfer requests to the correct back-end servers on behalf of client computers and devices. They can be configured to support Outlook Web Access (OWA), Outlook Mobile Access (OMA), Exchange ActiveSync for mobile devices, and RPC over HTTPS. Front-end servers use Active Directory to find the correct back-end server, where the user’s mailbox is stored. The front-end/back-end topology results in a highly scalable solution, as the front-end servers take the load off the back-end servers. The front-end and back-end topology should be used by large organizations; it results in decreased management costs, and provides better performance and fault tolerance. Additional elements in the figure, such as SCCM 2007 Device Management and SCOM 2007 Operations Monitoring, are discussed later in the whitepaper.

[Figure 1 image not reproduced. Labelled elements in the diagram: Internet; HTTPS; Advanced Firewall; SSL Bridging; Perimeter Network; Corporate Network; Front-End Server; Back-End Server 1; Back-End Server 2; Exchange Farm; AD Server; Look up User’s Mailbox Location; SCCM 2007 (Common Management Infrastructure for Desktop / Server / Mobile Environments) with Device Management Point, Device Distribution Point, Primary Site Server and Site Database; SCOM 2007 or MOM 2005 (Common Monitoring Infrastructure) with Exchange Monitoring, AD Monitoring, Exchange, AD and Firewall Monitoring, and SMS Monitoring.]

Figure 1 Mobile Infrastructure Architecture Including Exchange 2003 Front-end and Back-End Topology

The mobile device communicates with the front-end server. All email, task, calendar, and other data synchronization operations are coordinated through the front-end server. Because the front-end servers are responsible for client communication, this topology has several advantages in mobile scenarios:

1) A single server name is exposed to the users for accessing Exchange. Addition of new servers is transparent to the user.
2) SSL encryption and decryption can happen on the front-end server, thus offloading this operation from the back-end servers and saving resources.
3) To enhance the security of front-end servers, they can be put into a perimeter network, creating an additional layer of protection between the front-end and back-end servers.

Many organizations with a smaller number of users choose to run Exchange on a single server. This also works well for testing purposes. However, to achieve the scalability and security advantages, Microsoft recommends the front-end, back-end architecture.

For more information please see the following resources:
Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topologies
Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2
Microsoft Exchange Server 2003 Client Access Guide

Exchange 2007 Server Roles

Exchange 2007 introduces the concept of server roles as the primary mechanism of scalability. Each server can act as one or more roles within the topology. Mobile users are supported by a special server role called the Client Access Server, which is analogous to the front-end server in Exchange 2003. The Client Access Server has interfaces for Exchange ActiveSync, Outlook Web Access, and RPC over HTTPS. The Mailbox and Hub Transport server roles in combination are similar to the back-end server in Exchange 2003. The Mailbox Server role is the storage server that hosts mailboxes and public folders, while the Hub Transport Server role is responsible for routing mail.

For more information please see The Fundamentals of Mobile Access to Exchange 2007.

Exchange ActiveSync

Exchange ActiveSync is a part of Exchange Server 2003 and 2007 that is optimized to deal with high-latency / low-bandwidth networks, and also with clients that have limited amounts of memory and storage. Exchange ActiveSync supports Direct Push technology, which automatically synchronizes (or “pushes”) new email to mobile devices as soon as the mail arrives. Direct Push is in contrast to a polling style where the device has to request new email from the server on a timed basis. Under the covers, the Exchange ActiveSync protocol is based on HTTP, SSL, and WBXML, so the communications channel has enhanced security. Exchange ActiveSync is enabled out of the box on all user mailboxes without any additional software or servers.

Mobile devices interact with Exchange ActiveSync on the front-end servers when synchronizing email, schedules, contact information and tasks to the device. Synchronization is extremely fast, with enhanced data compression that enables rapid sending and receiving of messages. Because Exchange ActiveSync uses standard transport protocols, there is no need to buy special data plans from mobile operators; standard data plans can be used for global mobile access. It supports all types of mobile communication networks, including GSM, GPRS, UMTS, HSDPA, and CDMA.

Microsoft Exchange Server 2007 adds several productivity-enhancing features to Exchange ActiveSync. It includes support for flags and HTML mail, and allows users to search the entirety of their mailboxes from the mobile device, including messages not currently synced to the device. This helps overcome the limited resources of a mobile device, rather than limiting access to just the portion that fits in device memory.

For more information, including Exchange ActiveSync features for Exchange 2003 and Exchange 2007, please see Mobile Messaging with Exchange ActiveSync.

Mobile Device Management through Exchange ActiveSync

Since Exchange is so central in many enterprise deployments, Microsoft added special administrative features into Exchange which can allow mobile devices to adhere to the organization's security policies. This native device management support helps reduce complexity and costs because you can reuse existing infrastructure.

Security policies are set on the Exchange 2003 server and delivered to the client through Exchange ActiveSync. When a mobile device security policy is defined on the server, it is automatically sent to each device the next time the user of the device starts synchronization. The Exchange 2003 ActiveSync Mobile Administration Web tool enables administrators to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices.

With Exchange Server 2007, mobile device management is integrated into the Exchange Server Management Console and self-service capabilities are exposed via Outlook Web Access. For example, when the device is lost or stolen, users can wipe data from their device themselves, rather than calling the corporate helpdesk. By doing this, Exchange Server 2007 helps to drive down the cost of supporting mobile messaging. With Exchange Server 2007, system administrators can define and name multiple sets of security policies and apply them to individual users or to different user groups in Active Directory. They also have access to enhanced monitoring and logging for operational monitoring.

For information on Exchange ActiveSync in Exchange 2007, see Overview of Exchange ActiveSync.

Exchange ActiveSync Communication Security

To help secure Exchange ActiveSync traffic, encryption through Secure Sockets Layer (SSL) is necessary. If your organization currently exposes Outlook Web Access (OWA), you already have the infrastructure in place to support a mobile deployment using high-grade, 128-bit SSL encryption. Because Exchange ActiveSync is implemented as an application that runs on Internet Information Services (IIS), its security settings can be configured using the same certificates you’re already using for OWA. All communication between the Windows Mobile device and the Exchange front-end server takes place over a single TCP port: TCP port 443, used for SSL-secured HTTP traffic. This greatly simplifies enterprise firewall configuration, because only a single port needs to be opened from the Internet to the Exchange ActiveSync front-end server, and that port will probably be open in any case because it’s the same port used for Outlook Web Access. Additionally, more advanced security scenarios are supported by Exchange Server and Windows Mobile, such as S/MIME messaging, and SecurID or certificate-based authentication.

For more information on securing communications with SSL, please see the Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2 and the Mobile Secure Certificates Whitepaper.

Communication Security and Advanced Firewall Configurations

Most enterprises use a combination of hardware and software firewall solutions, such as Internet Security and Acceleration (ISA) Server 2004 or 2006. In addition to the ISA Servers, Exchange supports most other reverse proxy software firewall products available on the market. Typically, the advanced firewall is deployed in the perimeter network (see Figure 1). The existing IIS website already used for RPC over HTTPS or Outlook Web Access is used, so usually no new inbound ports need to be opened on the firewall. Exchange ActiveSync communicates through a different virtual directory, and the ISA server can be configured to examine Exchange ActiveSync traffic. SSL is applied between the client and the ISA server, and between the ISA server and the front-end server. This is called terminate/initiate, or SSL bridging.

SSL bridging protects against attacks that are hidden in SSL-encrypted connections. ISA is configured to decrypt and examine Exchange traffic from the client, terminating the SSL connection. This step prevents malicious traffic from getting into the corporate network. ISA Web publishing rules configure the connection to the Exchange front-end server. If the rule specifies forwarding the request using HTTPS, ISA 2006 then initiates a new SSL session to the Front-End (Exchange 2003) or Client Access (Exchange 2007) Server. The second SSL session ensures that the communication is protected from a malicious user already inside the firewall.

For more information about ISA and Exchange deployment scenarios please see one of the following documents:
Security for Windows Mobile Messaging in the Enterprise
Publishing Exchange Server 2007 with ISA Server 2006
Using ISA Server 2004 with Exchange Server 2003
Publishing Exchange Server 2003 with ISA Server 2006

Exchange Scalability

Mobile devices represent a relatively light load on the Exchange servers compared to Outlook Web Access or RPC/HTTP, so your infrastructure may be able to support the extra load without adding additional servers. When rolling out Exchange ActiveSync at Microsoft to 26,000 users, Microsoft IT found that only 3.6% of the load on their servers was due to Exchange ActiveSync, and thus did not need to add any new servers.

The front-end and back-end architecture provides several client access performance and availability benefits. The front-end servers offload some processing duties from the back-end servers. Therefore, front-end servers do not need large or particularly fast disk storage, but should have fast CPUs and a large amount of memory. Microsoft provides several tools, such as the Exchange Server Load Simulator tool (LoadSim) and the Exchange Server Stress and Performance (ESP) 2003 tool, to test the performance of Exchange Servers. These tools allow better planning of the performance and scalability requirements of the Exchange infrastructure.

Through continuous monitoring with operations tools such as MOM 2005 or SCOM 2007 (see below), administrators can monitor trends and pinpoint performance degradation. They can then provision additional back-end servers to decrease the load on existing infrastructure and move mailboxes over to the new servers. Since the clients use one URL for all their communications with the front-end servers, back-end servers can be added transparently to the users. For Exchange 2007, the scalability efforts are focused on the Mailbox and the Hub Transport server roles. Exchange Server architecture should always include some planned redundancy in order to effectively handle peak loads and unforeseen events.

Office SharePoint Server 2007 and Live Communications Server (LCS) 2005

Microsoft Office SharePoint Server (MOSS) 2007 web portal technology supports mobile devices out-of-the-box. Every list and library in MOSS 2007 or Windows SharePoint Services (WSS) v3 is capable of hosting ‘Mobile Views’. These are standard views of lists or libraries that an administrator has defined as being mobile enabled. Individual list items can be viewed in mobile form and InfoPath forms can be opened in a mobile client via a web browser interface. Additionally, Exchange 2007 and Windows Mobile 6 enable access to files stored on WSS sites and Universal Naming Convention (UNC) file shares via embedded Exchange links.

Microsoft Office Communicator Mobile allows users to use Microsoft Live Communications Server (LCS) 2005 SP1 on the mobile device. This allows mobile users to use instant messaging to communicate with their co-workers who are on the corporate network, all the while taking advantage of enterprise features such as more secure communications and centralized logging and auditing. Communicator Mobile provides integration between multiple mobile applications such as Voice over IP (VoIP), presence status information and the organization’s address book. Additionally, users can also communicate with partners or public instant messaging service users.

For more information please see the Microsoft Office Communicator Mobile Planning and Deployment Guide.

Mobile Device Management and Operations

In addition to Exchange-based device management, the Systems Management Server (SMS) 2003 Device Management Feature Pack provides features for device management using an interface already familiar to administrators. Microsoft Operations Manager (MOM) 2005 allows operational monitoring of enterprise infrastructure, and the Exchange Management Pack for MOM 2005 has features to monitor mobile device performance.

Mobile Device Management

The Systems Management Server (SMS) 2003 Device Management Feature Pack enables management of mobile devices when they are connected on the corporate network, or through the VPN. It allows SMS to collect hardware and software inventory information, distribute and install software, execute scripts and manage security policies and other settings on devices. SMS is fully integrated with Active Directory and allows management at different levels of granularity. This is done in one central place through an administrative GUI. Importantly, the SMS Device Management Feature Pack allows reusing the same common infrastructure that is already being used for server, laptop, and desktop management.

Systems Management Server works by installing an agent on the mobile device, and using the agent to collect information about the device, as well as to perform management functions. The agent gets installed during a desktop ActiveSync session and after that enables management of the devices when on the corporate network. SMS 2003 supports multiple device management and device distribution points, thus providing a scalable solution. Please see the SMS 2003 Device Management Feature Pack Site for more information.

System Center Configuration Manager (SCCM) 2007, scheduled for release in the second half of 2007, is a new version of SMS that builds on the features included with SMS 2003. It adds support for smartphones and over-the-air software distribution from a gateway located in a corporate DMZ (see Figure 1). The user no longer has to be on the corporate network to get software updates. The device must enroll for a client certificate during the setup process to be manageable from the Internet.

For more information please see the System Center Configuration Manager 2007 site.

Operations Management

Microsoft Operations Manager (MOM) 2005 with the Exchange Management Pack monitors the Exchange Servers, including some aspects of the mobile device operations. MOM uses event log entries and special performance counters on Exchange Servers to collect information. It allows administrators to monitor all aspects of the Exchange Server, including protocol metrics, events generated by Exchange, server performance, and mobility features.

MOM 2005 monitors the heartbeat interval and synchronization latency of mobile devices, giving administrators a good indication of the mobile user’s experience. System administrators can then make decisions about how to tune or to scale Exchange components once they notice performance degradation.

The new version of MOM, System Center Operations Manager (SCOM) 2007, together with the SCOM Exchange Management Pack, extends the advances of the MOM platform and provides more advanced rule-based availability and performance monitoring. MOM 2005 and SCOM 2007 both support a consolidated view of the entire enterprise infrastructure in a tiered deployment architecture that can scale up to hundreds of thousands of clients.

For more information on MOM 2005 please see the Exchange Server Management Pack Guide for MOM 2005. For more information on SCOM 2007 please see the System Center Operations Manager 2007 Site.

Application Design and Development

Windows Mobile 5.0 and 6 are supported by one of the largest catalogs of Line of Business (LOB) applications, offered both by Microsoft and by third-party ISVs. However, to meet the specific needs of many enterprises, customers need to develop their own mobile applications. The infrastructure elements described above combine into a platform for deploying and managing Line of Business applications.

Mobile applications use the same common infrastructure already being used for desktop and server applications, leading to reduced complexity and lower deployment costs. Common design and architecture issues, such as development, deployment, operations, and communication security, have well-defined solutions. Development frameworks, databases and tools that are common to both traditional and mobile development allow organizations to reuse much of their existing application investment and the skill set of their personnel.

Windows Mobile 5.0 and 6 support the .NET Compact Framework, a specialized mobile platform for developing applications that is based on Microsoft .NET. The Compact Framework allows application developers to use the same development languages and tools they are using to develop Windows and Web-based applications. Both the C# and VB.NET languages are supported, and the Compact Framework has built-in support in the state-of-the-art Visual Studio 2005 Integrated Development Environment. Available emulator tools simplify application development and testing on different types of devices.

Additionally, Microsoft provides many resources and tools for mobile development, including the recently released Mobile Client Software Factory, which provides a framework and application blocks for commonly used smart client application scenarios. For example, it includes a library that allows queuing of web service calls to the server when the device is disconnected, and optimizes data transmission depending on the network speed. For more information on the Compact Framework, please see the .NET Compact Framework site.
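The disconnected-call behaviour described above can be sketched in a few dozen lines of C#. The program below is an added example written for this page; it is not code from the Mobile Client Software Factory and does not use its API. The ServiceCall delegate, the LinkSpeed classification, and the batch sizes it uses to stand in for "optimizes data transmission depending on the network speed" are all assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the Mobile Client Software Factory: a minimal
// disconnected-call queue of the kind the text describes. Calls issued while the device
// is offline are held in order and replayed when connectivity returns; the number of
// calls sent per pass is scaled to an assumed link-speed classification. The
// ServiceCall delegate and LinkSpeed values are assumptions made for this example.
public delegate bool ServiceCall();   // returns true when the call reached the server

public enum LinkSpeed { None, Slow, Fast }

public class DisconnectedServiceAgent
{
    readonly Queue<ServiceCall> pending = new Queue<ServiceCall>();
    LinkSpeed link = LinkSpeed.None;

    public int PendingCount { get { return pending.Count; } }

    // Called by whatever detects connectivity changes (not shown); a transition away
    // from None triggers a drain so queued work goes out as soon as the link is back.
    public void SetLinkSpeed(LinkSpeed speed)
    {
        link = speed;
        Drain();
    }

    // Application code always goes through Invoke, so it never has to know whether
    // the device is currently connected.
    public void Invoke(ServiceCall call)
    {
        pending.Enqueue(call);
        Drain();
    }

    // Replay queued calls oldest-first, up to a batch size chosen by link speed.
    // A call that fails stays at the head of the queue so ordering is preserved and
    // nothing is lost; the agent then assumes the link is gone until told otherwise.
    public int Drain()
    {
        if (link == LinkSpeed.None) return 0;
        int batch = (link == LinkSpeed.Fast) ? 20 : 3;   // assumed batch sizes
        int sent = 0;
        while (pending.Count > 0 && sent < batch)
        {
            ServiceCall next = pending.Peek();
            if (!next())
            {
                link = LinkSpeed.None;
                break;
            }
            pending.Dequeue();
            sent++;
        }
        return sent;
    }

    // Constructed demonstration: five calls queued offline, then a slow link appears,
    // then a fast one.
    public static void Main()
    {
        DisconnectedServiceAgent agent = new DisconnectedServiceAgent();
        List<string> delivered = new List<string>();
        for (int i = 1; i <= 5; i++)
        {
            string id = "order-" + i;   // fresh variable per iteration, captured by the delegate
            agent.Invoke(delegate { delivered.Add(id); return true; });
        }
        Console.WriteLine("offline, pending = " + agent.PendingCount);
        agent.SetLinkSpeed(LinkSpeed.Slow);
        Console.WriteLine("slow link, pending = " + agent.PendingCount);
        agent.SetLinkSpeed(LinkSpeed.Fast);
        Console.WriteLine("fast link, pending = " + agent.PendingCount);
        Console.WriteLine("delivered in order: " + string.Join(", ", delivered.ToArray()));
    }
}
```

A production agent would persist the queue to device storage so that queued calls survive a reboot or a device reset, and would authenticate each replayed call in the same way as a live one, since the calls cross the corporate firewall exactly as the SSL-protected connections described later in this paper do.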

Mobile database-based applications can take advantage of SQL Server 2005 Compact Edition. SQL Server 2005 Compact Edition deployed on a device works with a central SQL Server 2005 database server to synchronize data with the device. SQL Server 2005 supports the ability to target each user and device with a small subset of the enterprise database to reduce the storage requirements on the device. Advanced mobile database scenarios such as merge replication allow the database engine to synchronize the local database that resides on the mobile device with a central database running on a server.

Developers access the database using the Visual Studio 2005 development system and the familiar ADO.NET mechanism supported by all SQL Server editions. In addition to mobile devices, the Compact Edition is supported on other Windows platforms, including Tablet PCs and desktops. In many single-user client applications, this means that the same code can be reused on all Windows platforms. For more information on mobile database development, please see the SQL Server 2005 Compact Edition site.

Many Line of Business (LOB) applications are web-based or web-services based. Internet Information Server (IIS) and ISA 2004 and 2006 allow advanced security configurations of applications, including authentication and security rules targeted to specific applications. The network connections are typically encrypted using SSL, and the clients must authenticate themselves against the corporate firewall server and Active Directory. In environments using a Service Oriented Architecture (SOA), mobile devices often become just another client accessing the SOA web services.

Microsoft LOB applications also support Windows Mobile computing platforms. Microsoft Dynamics software, such as Microsoft Dynamics AX and Microsoft Dynamics CRM, has out-of-the-box support for mobile access. Dynamics AX offers a mini mobile ERP client called the Mobile Sales Assistance. It allows the sales force to examine their route plans, email and calendar, point of sale information for each customer, and product and inventory data. There is also the Mobile Business Assistant to assist business decision makers in understanding business performance and tracking the KPI metrics of a business.

Dynamics CRM 3.0 was also designed with the mobile sales force in mind. CRM Mobile Express, a Microsoft Dynamics CRM 3.0 mobility application, enables users to instantly view, create, and modify data on any Internet-capable device. It lets a salesperson in the field tap into the same sales, marketing, and customer service data they have access to in the office. CRM Mobile Express runs in a Web browser and doesn't require users to install additional software.

Mobile Device Support in Small Business Server 2003

For smaller businesses that require only mail and file sharing, Microsoft recommends SBS. Small Business Server (SBS) 2003 R2 is an “all-in-one” server solution designed for small businesses. It is a single server that is designed to perform the functions of the IT infrastructure in larger environments, at a much lower cost. It provides the following services: Exchange 2003, Active Directory, DHCP, DNS, Domain Controller, Monitoring and Management Services, and Windows SharePoint Services. The SBS 2003 R2 Premium version also includes SQL Server 2005 Workgroup, ISA Server 2004 and Microsoft FrontPage 2003.

SBS 2003 R2 supports mobile devices through the Exchange mobility features offered in Exchange SP2, including Exchange ActiveSync access; this can be configured using SBS’s group policy (similar functionality to SMS 2003). A key limitation of SBS is that only 75 users, computers, or devices can connect to the server at one time, so adding mobile devices counts against the total limit that the SBS server supports.

For more information and how-to instructions, please see Deploying Windows Mobile 5.0 with Windows Small Business Server 2003.

Conclusion

Properly supporting mobile devices in an enterprise environment requires the interaction of several different areas of enterprise architecture, software security, and operational support tools. Once you understand the broad components of communications (Exchange ActiveSync), security (SSL and certificates), management and operations (Exchange ActiveSync, Microsoft Operations Manager, Systems Management Server), and how they fit together with LOB applications and back-end servers, you can work with your enterprise security, administration, infrastructure and management teams to make the most out of your mobile device investment. Since these are familiar tools that are likely already being used to manage your Windows desktop and server infrastructure, you can expand the use of existing infrastructure components without additional training or server costs. The Windows Mobile Operating System and the Windows Server platform elements all work together to drive a security-enhanced, seamless, cost-effective, and scalable solution that addresses all major issues in a mobile enterprise environment.

Additional Resources:

Mobile Messaging at Microsoft: Improving Security, Manageability, and User Experience

Mobile Strategy White Papers Site

Exchange 2007 Support for mobile Devices