Mail For Exchange For Asha IT Admin Guide

Mail for Exchange for Asha
IT manager guide
Version 2

Version 2
Contents
1
Overview........................................................................................................................3
1.1
Deployment considerations...................................................................................4
2.1
2.2
2.3
2.4
Mail for Exchange with Exchange 2003 SP2 or Exchange 2007 (no SP)..............................................7
Mail for Exchange with Exchange 2007 SP1 and later................................................................................7
Local and remote wipe............................................................................................................................................8
Using certificates for secure connections........................................................................................................9
Using SSL certificates...............................................................................................................................................9
3.5.1
Downloading certificate directly from a remote server via mobile browser.........................10
3.5.2
Installing a certificate with a PC..............................................................................................................10
Arranging connectivity..........................................................................................12
4.1
4.2
Battery life considerations.....................................................................................................................................4

Access point impact.................................................................................................................................................5
Deployment.................................................................................................................................................................5
Autodiscover...............................................................................................................................................................5
Security considerations...........................................................................................7
3.1
3.2
3.3
3.4
3.5
Supported servers.....................................................................................................................................................3
Make Exchange Server accessible from the internet................................................................................12

Verifying that Exchange ActiveSync is enabled..........................................................................................12
Installing and configuring Mail for Exchange..............................................14

5.1
5.2
5.3
Downloading and installing Mail for Exchange..........................................................................................14

Configuring mailboxes..........................................................................................................................................14
Upgrading Mail for Exchange............................................................................................................................14
Configuration scenarios........................................................................................16
Best practices............................................................................................................17
7.1
7.2
7.3
7.4
Use SSL........................................................................................................................................................................17
Enable phone lock policies..................................................................................................................................17
Verify network configuration.............................................................................................................................18
Understanding phone logging..........................................................................................................................18
Appendix A
Supported Exchange Server security policies.........................19
Appendix B
Troubleshooting..................................................................................22
2014 Microsoft Mobile. All rights reserved.

Version 2
1 Overview
This document discusses how to deploy Asha mobile phones to synchronize Email, Contact, and Calendar
information with the Microsoft Exchange Server using the Microsoft Exchange ActiveSync protocol.
Mail for Exchange ensures that your business users have an intuitive solution that:
Always has up-to-date Email, Contacts and Calendar on their Asha and desktop
Can look up email recipients from the Exchange Server directly from the mobile phone
For IT departments, Mail for Exchange is a secure solution that supports:
Direct, secure connectivity between Asha and Exchange Server
Exchange Server security policies
For information on phones supported by Mail for Exchange, see Asha resource hub in Business Mobility
Center.
1.1 Supported servers

The following Microsoft Exchange Server versions are supported by Mail for Exchange for Asha:
Microsoft Exchange 2003 Service Pack 2 (SP2)
Microsoft Exchange 2007
Microsoft Exchange 2010
Microsoft Exchange 2010 SP 1
Microsoft Office 365 Mobility Online Service
Microsoft Hotmail
Related Links
Microsoft Exchange Solution
Exchange ActiveSync protocol

Version 2
2 Deployment considerations
When you are designing, planning and deploying a managed mobile messaging infrastructure for your
business, there are four main areas to focus on:
What are your goals around increasing productivity?
What will deliver satisfaction among people actually using the mobile phones?
How critical is the ability to manage mobile phones from a central (and remote) point?
How will the mobile phones be managed locally by end users themselves?
The answers to these questions will drive how you manage and configure Mail for Exchange on your Asha
phone.
2.1 Battery life considerations

Mail for Exchange supports Microsoft Direct Push for use during always on connections.
Note: Microsoft Direct Push is only supported on single SIM phones.
Direct Push is a client-initiated HTTP connection to the server where the device opens a connection to
the Exchange Server and keeps it alive for a duration known as the heartbeat interval:
The client sets up the connection, chooses the appropriate heartbeat interval and tears down and
reestablishes the connection if and when necessary.
The server sends notifications about new items over this connection and the client synchronizes to
get the new items.
Higher heartbeat intervals result in longer battery life. Mail for Exchange adapts the heartbeat for
changing network conditions to the highest possible value. The maximum heartbeat possible with
Exchange is typically 45 minutes, but this is not common. Heartbeat intervals of 8-10 minutes are
recommended. Over 5minutes is generally acceptable, but if heartbeat drops to one minute, the negative
impact on battery life may be dramatic.
Note: Mail for Exchange client does not support dynamic heartbeat optimization via a server.

Version 2
Related Links
Direct Push
2.2 Access point impact

Mail for Exchange has the following impact on access points:
Service provider-specific access point (AP) settings may have an additional impact on the heartbeat
interval (and battery life) that cannot be managed by Mail for Exchange, Microsoft Internet Security
and Acceleration (ISA) Server, Microsoft Exchange Server, or firewall settings.
The access point your service provider has provided for general web use (browsing, WAP, and so on)
may not be optimized for Direct Push. The service may drop connections after one minute, for
example, when there is no data being transferred. Direct Push relies on long connections to the server
with no data activity.
When disconnected this way and the user has selected the Always on synchronization setting, Mail
for Exchange must reconnect to the network. This uses a relatively high amount of battery power.
The same service provider may offer multiple access points. Make sure that your users have
subscriptions to an access point that allows long connections with no data traffic, or recommend that
they use polled for example, every 30 minutes) or manual synchronization. For all firewalls and network
appliances, set the idle session timeout to 30-45 minutes. This will ensure that your users get higher
heartbeat intervals.
The Mail for Exchange java midlet uses both socket and http/https server connections.
Note that a plain WAP access point with http support is not enough, the AP must support socket
connections.
2.3 Deployment
Mail for Exchange does not provide support for mobile phone management servers such as OMA DM.
If not preinstalled, the Mail for Exchange app can be installed from the Store (OTA) or, for those devices
supporting Nokia Suite, from Nokia Suite (laptop).
The app consists of two files: .jar and .jad, which includes some predefined configuration data to
make initial app setup easier .
The app must be installed to the phone memory.
2.4 Autodiscover
Autodiscover is a Microsoft feature that allows easier configuration of Mail for Exchange.

Version 2
Autodiscover is available if you are using Exchange 2007 Server or later .

When Mail for Exchange is first launched, the user is asked for their email address, username, password,
domain, and security in use (SSL). If your environment is configured for Autodiscover, these are used to
retrieve the mail server name and other sync profile information. If the Autodiscover fails, check the option
for enabling/disabling SSL.
If Autodiscover is not configured, the user must manually enter the mail server name, which means you
must provide this information to your users.
Related Links
Configure Exchange ActiveSync Autodiscover Settings

Version 2
3 Security considerations
Exchange allows you to configure security policies that apply to mobile phones. For example, you can
enable the mobile phone lock and set the lock code parameters. The following sections explain the
different configuration options.
Related Links
Supported Exchange Server security policies (page 19)
3.1 Mail for Exchange with Exchange 2003 SP2 or Exchange

2007 (no SP)
From the Exchange server point of view, Asha with Mail for Exchange client is counted as a provisionable
mobile phone. When installed on Asha, Mail for Exchange can enforce all Exchange 2003 SP2 security
policies.
It is also possible for the admin to remotely wipe a provisionable mobile phone. This wipes all Mail for
Exchange-specific email and PIM data in mobile phone:
With Exchange 2003 the Microsoft Exchange ActiveSync Mobile Administration Web Tool must be
downloaded from the Microsoft Download Center.
With Exchange 2007, remote wipe is performed via the Outlook Web Access (OWA) interface
according to the instructions below.
Related Links
Exchange 2003: Microsoft Exchange ActiveSync Mobile Administration Web Tool
Exchange 2007: How to Perform a Remote Wipe on a Device
3.2 Mail for Exchange with Exchange 2007 SP1 and later
With Exchange 2007 SP1, groups of users can have separate policies, so you can have a group of Asha
users with different policies.
Mail for Exchange responds to the wipe command by removing all Mail for Exchange specific email and
PIM data in mobile phone. Remote wipe is performed either:
Via the OWA interface
Remotely, by the administrator

Version 2
Related Links
How to Perform a Remote Wipe on a Device
3.3 Local and remote wipe

For a mobile phone to be enabled for remote wipe, Exchange must know that it is a so-called
provisionable phone. This can only be achieved through enforcing security policies and have the phone
report back that it is ok with these policies. A local wipe is triggered by entering the incorrect password
for a predetermined number of times.
Asha with Mail for Exchange has two types of lock keys:
Mobile phone lock

A mobile phone turns this on automatically to prevent accidental key presses. User can also activate
it by user by selecting the keys for Menu + Function key in QWERTY mobile phones; or then lock
button on Touch and Type mobile phones.
Asha Touch devices include a dedicated lock/unlock button controlled with a swipe gesture.
Mail for Exchange lock

Password enforced via Exchange server policies to protect synced email content in the mobile phone.
For a remote wipe to be successful, the lost phone must still have connectivity to the server as the mobile
phone needs to be able to receive the wipe command. The wipe command is received the next time the
mobile phone and the server communicate.
The server will continue to send the wipe command until instructed otherwise by the user or
administrator. This means that if the mobile phone is recovered and partnered with the server it will be
wiped again.
There are some situations that may affect the remote wipe:
Lost phone is turned off
Wipe command cannot be received and data cannot be accessed. When the mobile phone is powered
up and next makes communication with the server it will receive the wipe command.
Lost phone is out of coverage (or in offline mode)
Wipe command cannot be received, but data can be accessed until Mail for Exchange app lock timeout
expires. To enhance security make sure you have phone lock timeout set low enough to protect data.
When the mobile phone is next able to communicate with the server it will receive the wipe command.
We recommend a relatively short phone lock timeout to mitigate the above situation. The timeout period
can be set in Mail for Exchange via the menu Options > Settings > Security.
Lost phone has SIM replaced
This requires a reboot. On boot, the application is locked and the user can only access Mail for Exchange
by typing the lock code.

Version 2
If the user enters an incorrect code a predetermined number of times (as defined by your Exchange
server), a local wipe will be initiated and the Email, Contacts and Calendar entries will be wiped out.
Lost phone is booted with SIM card removed (or in Offline mode)
This requires reboot. On boot, the application is locked and the user can only access Mail for Exchange
by typing the lock code.
If the user enters an incorrect code a predetermined number of times (as defined by your Exchange
server), a local wipe will be initiated and the Email, Contacts and Calendar entries will be wiped out.
Security unlock code typed incorrectly by end user
When Mail for Exchange lock is activated, administrators can set mobile phones to perform a local wipe
after a given number (usually three to five) of failed attempts to unlock the app. So its important that
end users remember their lock code.
3.4 Using certificates for secure connections

In most Exchange environments, basic authentication is required; meaning the server requests and the
client submits a username and password. To support this, the credentials are stored on the mobile phone
and sent over the air, usually encrypted via SSL (highly recommended), during authentication. Access to
the server is controlled not only by the mailbox permissions, but by the validity of the certificate.
Certificates are valid for a defined period and may also be revoked.
Certificate-based authentication uses a digital certificate in addition to the user name and password to
verify the identity. A digital certificate consists of two components:
Private key stored on the phone
Public key installed on the Exchange server
If you configure Microsoft Exchange 2010 to require certificate-based authentication for Exchange
ActiveSync, only mobile phones that have a trusted root certificate for the server to which the user is
connecting can establish the SSL connection.
Related Links
Using certificates for securing business with Asha
How to Configure Certificate-Based Authentication for Exchange ActiveSync
Using SSL certificates (page 9)
3.5 Using SSL certificates

Most IT departments use secure sockets layer (SSL) and have a certificate installed on their Internet
Security and Acceleration (ISA) Server as well as on their Exchange Server. You must install this certificate
one the phone if it is not pre-installed .

Version 2
The list of preinstalled certificates may vary by mobile phone refer to the user guide for information.
For example, on Nokia 301, go to Menu > Settings > Security > Authority certificates.
If you use a certificate from this list (established certificate authorities), you do not have to distribute and
install certificates on all managed mobile phones, which will save time and reduce support costs.
Use of self-created certificates is possible, but not recommended, since they are difficult to support.
Installing an SSL certificate
To use Mail for Exchange with an Exchange account, you must have a Secure Sockets Layer (SSL) certificate
installed in your phone. If you receive an error such as SSL Certificate is not trusted, the certificate is missing
or has expired. You must install the certificate either by downloading the certificate to the device directly
from a remote server or through your PC.
Note: When you use Mail for Exchange for your Hotmail account, you do not need an SSL
certificate on your phone.
Related Links
Using certificates for secure connections (page 9)
3.5.1 Downloading certificate directly from a remote server via

mobile browser
If your phone is missing the Entrust certificate and you are viewing this article via your Asha mobile
browser, click the following URL to install the Entrust certificate file directly to your phone:
http://dl.nokia.com/nvsfiles/Entrust.cer.
Note: To stage this Entrust certificate (or any other certificate file) from your own file delivery
server:
1. Ensure that your web delivery servers are configured to deliver the *.cer files with the
mime-type: application/x=x509-ca-cert.
2. Place the certificate file, in the format, filename.cer, on a remote server accessible to
your employees.
3.5.2 Installing a certificate with a PC

To install a certificate with a PC
1. Login to your email account using Outlook Web Access https://mail.<your mail server>/
owa) on your PC.
The SSL lock icon is at the bottom or beside the address bar.
2. In the web browser, select the lock icon next to the address bar.
3. Click View certificates.
10

Version 2
Another window appears this varies depending upon your browser displaying your certificates.
4. In the Certificate dialog, select Certification Path.
5. Select the top-most certificate or the root certificate and then select View Certificate.
6. On the Details tab, select Copy to file.
7. In Certificate Export Wizard, click Next.
8. Select the export file format, DER encoded binary X.509 (.CER) and click Next.
9. Browse to the file you want to save the file and enter the filenamemfe as the file name (the file name
will be mfe.cer).
10. Click Save.
11. After exporting the certificate on your PC, create an html file format for the certificate by doing one
of the following:
Create your own HTML file:

1. Open a text editor and type:
<HTML><BODY><a href=mfe.cer</a>>Install certificate</HTML></BODY>
2. Save the file as mfe.html.
Use one of the HTML files contained in the zip file in http://dl.nokia.com/nvsfiles/MFE_CERTIFICATE
INSTALLATIONS.ZIP.
12. Transfer both files using either Nokia PC Suite or the device's via mass storage mode .
You can save the files to either the device memory or the memory card.
13. Save the certificate on the device:
1. On the device, browse to and open the HTML file, mfe.html.
2. Select the link to install the certificate.
3. Save the certificate.
11

Version 2
12
4 Arranging connectivity
This section describes how to make Exchange Server accessible from the internet and how to verify that
ActiveSync is enabled.
4.1 Make Exchange Server accessible from the internet

To Make Exchange Server accessible from the internet
1. Make sure port 443 is open on your firewall. If your company uses Outlook Web Access, port 443 is
most likely already open. It is possible to use other port numbers, but 443 is the default for SSL.
2. Make sure the Domain Name System (DNS) servers for your network returns a single, externallyroutable address to the Exchange ActiveSync server for both intranet and internet clients. This is so
the mobile phone can use the same IP address for communicating with the server when both types
of connections are active.
3. Verify that a server certificate is installed on the front-end Exchange server.
4. In the Authentication Method properties, turn on basic authentication (only) to require an SSL
connection to the Microsoft Server ActiveSync directory of your IIS.
4.2 Verifying that Exchange ActiveSync is enabled

Check that ActiveSync is enabled on Exchange Server.
Also, verify that a server certificate is installed and update the public domain name system (DNS) to
properly resolve incoming connections. ISA 2004 can also be used.
Table 1: Enable ActiveSync
Server
Description
Exchange 2003 SP2
For information on enabling these features at an

organizational level visit Microsoft Technet, How to
Enable and Disable Exchange ActiveSync Features
at the Organizational Level.
Exchange 2007 and later
ActiveSync should be enabled by default when you

have installed the client access server (CAS) role.

Version 2
Server
13
Description
For information on verifying or enabling
ActiveSync visit Microsoft Technet, How to Enable
Exchange ActiveSync .
Publishing Exchange Server via ISA 2006 (optional) If you are already using Outlook or other Exchange
clients, this step may not be necessary.
Otherwise, you will have to publish Exchange. This
means creating both a web listener as well as an
Exchange web client access publishing rule. To get
started visit Microsoft Technet, Deploy ISA Server
2006 for Outlook Web App.

Version 2
5 Installing and configuring Mail for

Exchange
This section describes how to install, configure and upgrade Mail for Exchange for Asha.
5.1 Downloading and installing Mail for Exchange

Mail for Exchange for Asha is available via the Store on the Internet, via the Store app on the mobile
phone, or as a pre-installed application. After accessing the Store, search for Mail for Exchange, and the
version of Mail for Exchange recommended for your phone will be available for download and installation.
5.2 Configuring mailboxes

You can choose configuring mobile phones for your users, or either you will have to share the necessary
information with them so they can configure it. Mail for Exchange for Asha requires the following
mandatory settings:
Email Address
Domain
Server name*
Username
Password
SSL settings
*Needed only if Autodiscover is not configured on the server. If the Autodiscover fails, check the option for
enabling/disabling SSL.
There are also a number of optional settings with recommended Default values. You may want to inform
your users of your preferences.
5.3 Upgrading Mail for Exchange

Asha phones can be updated via over-the-air download. When an updated app is available, the Software
Update app on the mobile phone prompts users to download the latest version. Alternatively, users can
14

Version 2
launch the Software Update app anytime on their mobile phone to check if new updates of Mail for
Exchange are available for download.
15

Version 2
6 Configuration scenarios
Determining which steps to follow when setting up and configuring Mail for Exchange depends on your
readiness to deploy mobile phones. Weve grouped the steps into three main scenarios:
Case 1 You are an Exchange admin currently using other ActiveSync clients
1. Verify your SSL Certificate.
2. Consider your security policies.
3. Install and configure Mail for Exchange.
Case 2 You are an admin using Exchange 2003 SP2 or later with no mobile phones
1. Make Exchange accessible from the internet.
2. Optionally configure Autodiscover.
Case 3 You are an admin not using Exchange yet
1. Purchase and prepare your Exchange Server environment.
For more information, see:
Exchange. Search Exchange system requirementsto find the system requirements for your version
of Exchange.
Microsoft Technet: Microsoft Internet Security and Acceleration (ISA) Server 2006
Microsoft Technet: ISA Server 2006 System Requirements
2. Make Exchange accessible from the internet.

3. Optionally configure Autodiscover.
16

Version 2
7 Best practices
This section describes the best practices related to security.
7.1 Use SSL

The Secure Sockets Layer (SSL) protocol provides several layers of security for users of a web server:
Data encryption between the mobile phone and the server, ensuring that if the data is intercepted it
cannot be interpreted.
Prevents data from being changed or replaced between the client and server.
This requires installation of a certificate on the server.
7.2 Enable phone lock policies

Phone lock policies are enforced to Mail for Exchange users through the ActiveSync connection. Policies
cannot be disabled by the mobile user. As an Exchange Administrator your tasks include one or both of:
Creating Exchange ActiveSync Mailbox Policy
Adding Mail for Exchange users to Exchange ActiveSync Mailbox Policy
Exchange ActiveSync Mailbox Policy options to configure phone lock include:
Require a password for phone lock
Require alphanumeric password
Minimum password length
Prevent simple passwords
Password expiration days
Maximum inactivity timeout
Maximum password attempts
Local wipe after maximum attempts
In Exchange 2007 (and later) groups of users can have separate policies.
17

Version 2
Related Links
Understanding Exchange ActiveSync Mailbox Policies
Supported Exchange Server security policies (page 19)
7.3 Verify network configuration

In the Authentication Method properties, verify that a server certificate is installed on the front-end
Exchange server and then turn on basic authentication only. This requires an SSL connection to the
Microsoft Server ActiveSync directory of your internet information services (IIS).
7.4 Understanding phone logging

Mail for Exchange does not display a specific error message for errors that are not commonly
encountered, have an unclear solution or a known complex solution. Instead, these errors are logged to
files on the mobile phone.
The admin logs are located in the mobile phone MMC if a directory such as file://E:/data/ and
the logs are stored under file://E:/data/Log directory. The Log sub-directory is created by the Mail
for Exchange app. These logs can be viewed by using the mobile phones File Manager app or by moving
them via data cable or Bluetooth to a PC. You may even ask your users to email them to you if possible.
Many HTTP and GPRS errors are visible in these logs.
18

Version 2
19
Appendix A Supported Exchange Server

security policies
Table 2: Supported security policies
Value
Server version where

introduced
Category
Description
Policy refresh interval
2003 SP2
General policies
This setting defines how

frequently the mobile
phone updates the
Exchange ActiveSync
policy from the server.
Maximum failed
password attempts
2003 SP2
Password policies
This setting specifies

how many times an
incorrect password can
be entered before the
mobile phone performs
a wipe of all data.
Minimum password
length
2003 SP2
Password policies
This setting specifies the

minimum password
length.
Password enabled
2003 SP2
Password policies
This setting enables the

mobile phone password.
Allow simple password
Exchange 2007
Password policies
This setting enables or

disables the ability to
use a simple password
such as 1234. The
Default value is $true.
Password expiration
Exchange 2007
Password policies
This setting enables the

administrator to
configure a length of
time after which a
mobile phone password
must be changed.
Password history
Exchange 2007
Password policies

number of past

Version 2
Value

introduced
20
Category
Description
passwords that can be
stored in a user's
mailbox. A user can't
reuse a stored password.
Require storage card

encryption
Exchange 2007
Password policies

whether the storage
card must be encrypted.
Not all mobile phone
operating systems
support storage card
encryption. For more
information, see your
mobile phone and
mobile operating
system for more
information.
Attachments enabled
Exchange 2007
Synch policies
This setting enables

attachments to be
downloaded to the
mobile phone.
Alphanumeric password Exchange 2007 SP1

required
Password policies
This setting requires that

a password contains
numeric and nonnumeric characters.
Device encryption
enabled
Exchange 2007 SP1
Password policies
This setting enables

encryption on the
mobile phone. Not all
mobile phones can
enforce encryption. For
more information, see
the phone and mobile
operating system
documentation.
Minimum device
password complex
characters
Exchange 2007 SP1
Password policies

minimum number of
complex characters
required in a mobile
phone password. A
complex character is any

Version 2
Value

introduced
21
Category
Description
character that is not a
letter.
Require Device
Encryption
Exchange 2007 SP1
Password policies

whether device
encryption is required. If
set to $true, the mobile
phone must be able to
support and implement
encryption to
synchronize with the
server.

Version 2
22
Appendix B Troubleshooting
Table 3: Troubleshooting scenarios
Problem
category
Issue
Workaround
Sync status
User receives an error, e.g.

Sync status screen shows an
error and the Options > Sync
now command does not help
1. Write down the error message and time when it

has occurred.
2. If Options > Sync now doesnt help then activate
the logging via Options > Settings > Diagnostic
settings: Logging enabled.
3. Tracing requires MMC in device and the folder
file://E:/data/Log needs to be created there
before logging.
4. Reproduce the error (e.g. by selecting Sync now).
5. Reboot the phone.
6. Connect the phone to Nokia Suite and copy the
files MarjaTrace*.txt from the data/Log
folder.
7. Zip the files and send to Support. Along with
additional information listed below:
Connection error
User receives a connection

error
Device Software version: Enter the key

combination : *#0000 to get the phone
software version
App version: As shown in the About screen
Language Build: As shown in the About screen
Make sure a socket is used at the Access Point (AP).

Plain WAP access point with http support is not
enough.

Mail For Exchange For Asha IT Admin Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mail For Exchange For Asha IT Admin Guide

Uploaded by

Copyright:

Available Formats

Mail for Exchange for Asha