IT manager guide
Version 2
Contents
1 Overview (page 3)
1.1 Supported servers (page 3)
2 Deployment considerations (page 4)
2.1
2.2
2.3 Deployment
2.4 Autodiscover
3 Security considerations (page 7)
3.1 Mail for Exchange with Exchange 2003 SP2 or Exchange 2007 (no SP) (page 7)
3.2 Mail for Exchange with Exchange 2007 SP1 and later (page 7)
3.3 Local and remote wipe (page 8)
3.4 Using certificates for secure connections (page 9)
3.5 Using SSL certificates (page 9)
3.5.1 Downloading certificate directly from a remote server via mobile browser (page 10)
3.5.2 Installing a certificate with a PC (page 10)
4 Arranging connectivity (page 12)
4.1
4.2
6 Configuration scenarios (page 16)
7 Best practices (page 17)
7.1 Use SSL (page 17)
7.2 Enable phone lock policies (page 17)
7.3 Verify network configuration (page 18)
7.4 Understanding phone logging (page 18)
Appendix A Supported Exchange Server security policies (page 19)
Appendix B Troubleshooting (page 22)
1 Overview
This document discusses how to deploy Asha mobile phones to synchronize Email, Contact, and Calendar
information with the Microsoft Exchange Server using the Microsoft Exchange ActiveSync protocol.
Mail for Exchange ensures that your business users have an intuitive solution that:
- Always has up-to-date Email, Contacts and Calendar on their Asha and desktop
- Can look up email recipients from the Exchange Server directly from the mobile phone
For information on phones supported by Mail for Exchange, see Asha resource hub in Business Mobility
Center.
1.1 Supported servers
- Microsoft Hotmail
Related Links
Microsoft Exchange Solution
Exchange ActiveSync protocol
2 Deployment considerations
When you are designing, planning and deploying a managed mobile messaging infrastructure for your
business, there are four main areas to focus on:
- What will deliver satisfaction among people actually using the mobile phones?
- How critical is the ability to manage mobile phones from a central (and remote) point?
- How will the mobile phones be managed locally by end users themselves?
The answers to these questions will drive how you manage and configure Mail for Exchange on your Asha
phone.
Direct Push is a client-initiated HTTP connection to the server where the device opens a connection to
the Exchange Server and keeps it alive for a duration known as the heartbeat interval:
- The client sets up the connection, chooses the appropriate heartbeat interval, and tears down and
reestablishes the connection if and when necessary.
- The server sends notifications about new items over this connection and the client synchronizes to
get the new items.
Higher heartbeat intervals result in longer battery life. Mail for Exchange adapts the heartbeat to
changing network conditions, moving it to the highest possible value. The maximum heartbeat possible with
Exchange is typically 45 minutes, but reaching it is not common. Heartbeat intervals of 8-10 minutes are
recommended. Over 5 minutes is generally acceptable, but if the heartbeat drops to one minute, the negative
impact on battery life may be dramatic.
Note: Mail for Exchange client does not support dynamic heartbeat optimization via a server.
Related Links
Direct Push
Service provider-specific access point (AP) settings may have an additional impact on the heartbeat
interval (and battery life) that cannot be managed by Mail for Exchange, Microsoft Internet Security
and Acceleration (ISA) Server, Microsoft Exchange Server, or firewall settings.
The access point your service provider has provided for general web use (browsing, WAP, and so on)
may not be optimized for Direct Push. The service may drop connections after one minute, for
example, when there is no data being transferred. Direct Push relies on long connections to the server
with no data activity.
When disconnected this way and the user has selected the Always on synchronization setting, Mail
for Exchange must reconnect to the network. This uses a relatively high amount of battery power.
The same service provider may offer multiple access points. Make sure that your users have
subscriptions to an access point that allows long connections with no data traffic, or recommend that
they use polled (for example, every 30 minutes) or manual synchronization. For all firewalls and network
appliances, set the idle session timeout to 30-45 minutes. This will ensure that your users get higher
heartbeat intervals.
The Mail for Exchange Java MIDlet uses both socket and http/https server connections.
Note that a plain WAP access point with http support is not enough; the AP must support socket
connections.
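A probe for the idle-timeout requirement described above (the same check section 7.3 asks for when verifying the network configuration). This is an added example, not part of the Nokia guide: it assumes you run it from a machine on the same access point or network path the phones use, with the Exchange or ISA host name as the only argument; port 443, the candidate idle periods and the verdict labels are this example's own choices.

```python
import socket
import ssl
import time

# Idle periods to probe, in seconds: 1, 5, 8, 10, 15, 30 and 45 minutes
CANDIDATE_IDLE_SECONDS = (60, 300, 480, 600, 900, 1800, 2700)


def hold_idle_https(host, port, seconds):
    """Open a TLS connection to the Exchange front end, leave it completely idle for
    `seconds`, then send one request. Returns True if the path (access point, firewall,
    ISA) kept the idle session alive and the server still answers over it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=15) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                time.sleep(seconds)  # no bytes in either direction, like a waiting Direct Push
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
                return tls.recv(1) != b""  # any byte back means the session survived
    except OSError:  # reset, timeout or TLS failure after the idle period
        return False


def longest_surviving_idle(hold, candidates=CANDIDATE_IDLE_SECONDS):
    """Probe increasing idle periods with hold(seconds) -> bool and return the longest
    one that survived (0 if even the shortest candidate was dropped)."""
    longest = 0
    for secs in candidates:
        if not hold(secs):
            break
        longest = secs
    return longest


def heartbeat_verdict(longest_idle_seconds):
    """Map the measured idle tolerance onto the guide's heartbeat guidance."""
    minutes = longest_idle_seconds // 60
    if minutes >= 30:
        return "good"        # 30-45 min idle timeout: 8-10 min heartbeats are reachable
    if minutes > 5:
        return "acceptable"  # heartbeat over 5 min is generally acceptable
    if minutes >= 1:
        return "poor"        # heartbeat near 1 min: dramatic battery impact
    return "unusable"        # dropped within a minute: recommend polled or manual sync


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # Exchange Client Access Server or ISA-published host name
    measured = longest_surviving_idle(lambda s: hold_idle_https(host, 443, s))
    print(f"longest idle period survived: {measured // 60} min -> {heartbeat_verdict(measured)}")
```

A full run takes over an hour because each candidate period is actually waited out; probe from the mobile access point, not only from the office LAN, since the guide's point is that the two can differ.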
2.3 Deployment
Mail for Exchange does not provide support for mobile phone management servers such as OMA DM.
If not preinstalled, the Mail for Exchange app can be installed from the Store (OTA) or, for those devices
supporting Nokia Suite, from Nokia Suite (laptop).
The app consists of two files, .jar and .jad; the .jad includes some predefined configuration data to
make initial app setup easier.
The app must be installed to the phone memory.
2.4 Autodiscover
Autodiscover is a Microsoft feature that allows easier configuration of Mail for Exchange.
3 Security considerations
Exchange allows you to configure security policies that apply to mobile phones. For example, you can
enable the mobile phone lock and set the lock code parameters. The following sections explain the
different configuration options.
Related Links
Supported Exchange Server security policies (page 19)
3.1 Mail for Exchange with Exchange 2003 SP2 or Exchange 2007 (no SP)
With Exchange 2003, the Microsoft Exchange ActiveSync Mobile Administration Web Tool must be
downloaded from the Microsoft Download Center.
With Exchange 2007, remote wipe is performed via the Outlook Web Access (OWA) interface
according to the instructions below.
Related Links
Exchange 2003: Microsoft Exchange ActiveSync Mobile Administration Web Tool
Exchange 2007: How to Perform a Remote Wipe on a Device
3.2 Mail for Exchange with Exchange 2007 SP1 and later
With Exchange 2007 SP1, groups of users can have separate policies, so you can have a group of Asha
users with different policies.
3.3 Local and remote wipe
Mail for Exchange responds to the wipe command by removing all Mail for Exchange specific email and
PIM data on the mobile phone. Remote wipe is performed either:
Related Links
How to Perform a Remote Wipe on a Device
For a remote wipe to be successful, the lost phone must still have connectivity to the server as the mobile
phone needs to be able to receive the wipe command. The wipe command is received the next time the
mobile phone and the server communicate.
The server will continue to send the wipe command until instructed otherwise by the user or
administrator. This means that if the mobile phone is recovered and partnered with the server it will be
wiped again.
There are some situations that may affect the remote wipe:
- Lost phone is turned off: the wipe command cannot be received and data cannot be accessed. When the mobile phone is powered up and next communicates with the server, it will receive the wipe command.
- Lost phone is out of coverage (or in offline mode): the wipe command cannot be received, but data can be accessed until the Mail for Exchange app lock timeout expires. To enhance security, make sure you have the phone lock timeout set low enough to protect data. When the mobile phone is next able to communicate with the server, it will receive the wipe command. We recommend a relatively short phone lock timeout to mitigate this situation. The timeout period can be set in Mail for Exchange via the menu Options > Settings > Security.
- Lost phone has SIM replaced: this requires a reboot. On boot, the application is locked and the user can only access Mail for Exchange by typing the lock code. If the user enters an incorrect code a predetermined number of times (as defined by your Exchange server), a local wipe will be initiated and the Email, Contacts and Calendar entries will be wiped out.
- Lost phone is booted with SIM card removed (or in Offline mode): this requires a reboot. On boot, the application is locked and the user can only access Mail for Exchange by typing the lock code. If the user enters an incorrect code a predetermined number of times (as defined by your Exchange server), a local wipe will be initiated and the Email, Contacts and Calendar entries will be wiped out.
- Security unlock code typed incorrectly by end user: when the Mail for Exchange lock is activated, administrators can set mobile phones to perform a local wipe after a given number (usually three to five) of failed attempts to unlock the app. So it's important that end users remember their lock code.
3.4 Using certificates for secure connections
If you configure Microsoft Exchange 2010 to require certificate-based authentication for Exchange
ActiveSync, only mobile phones that have a trusted root certificate for the server to which the user is
connecting can establish the SSL connection.
Related Links
Using certificates for securing business with Asha
How to Configure Certificate-Based Authentication for Exchange ActiveSync
Using SSL certificates (page 9)
3.5 Using SSL certificates
The list of preinstalled certificates may vary by mobile phone; refer to the user guide for information.
For example, on the Nokia 301, go to Menu > Settings > Security > Authority certificates.
If you use a certificate from this list (established certificate authorities), you do not have to distribute and
install certificates on all managed mobile phones, which will save time and reduce support costs.
Use of self-created certificates is possible, but not recommended, since they are difficult to support.
Installing an SSL certificate
To use Mail for Exchange with an Exchange account, you must have a Secure Sockets Layer (SSL) certificate
installed in your phone. If you receive an error such as SSL Certificate is not trusted, the certificate is missing
or has expired. You must install the certificate either by downloading the certificate to the device directly
from a remote server or through your PC.
Note: When you use Mail for Exchange for your Hotmail account, you do not need an SSL
certificate on your phone.
Related Links
Using certificates for secure connections (page 9)
3.5.1 Downloading certificate directly from a remote server via mobile browser
http://dl.nokia.com/nvsfiles/Entrust.cer.
Note: To stage this Entrust certificate (or any other certificate file) from your own file delivery
server:
1. Ensure that your web delivery servers are configured to deliver the *.cer files with the
MIME type application/x-x509-ca-cert.
2. Place the certificate file, in the format filename.cer, on a remote server accessible to
your employees.
3.5.2 Installing a certificate with a PC
Another window appears (this varies depending upon your browser) displaying your certificates.
4. In the Certificate dialog, select Certification Path.
5. Select the top-most certificate (the root certificate) and then select View Certificate.
6. On the Details tab, select Copy to file.
7. In the Certificate Export Wizard, click Next.
8. Select the export file format DER encoded binary X.509 (.CER) and click Next.
9. Browse to the location where you want to save the file and enter mfe as the file name (the file name
will be mfe.cer).
10. Click Save.
11. After exporting the certificate on your PC, create an HTML file for the certificate by doing one
of the following:
Use one of the HTML files contained in the zip file at http://dl.nokia.com/nvsfiles/MFE_CERTIFICATE INSTALLATIONS.ZIP.
12. Transfer both files using either Nokia PC Suite or the device's mass storage mode.
You can save the files to either the device memory or the memory card.
13. Save the certificate on the device:
1. On the device, browse to and open the HTML file, mfe.html.
2. Select the link to install the certificate.
3. Save the certificate.
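An added check covering the two staging procedures above (the MIME type in 3.5.1 and the DER export in 3.5.2); it is written for this page and is not part of the Nokia guide or its zip file. It normalises an exported certificate to DER, sanity-checks the outer DER structure, registers the required MIME type for a Python http.server used as the delivery server, and emits a stand-in for mfe.html (the real HTML file from Nokia's zip is assumed, not reproduced; the sample DER structures in the test are constructed and are not real certificates).

```python
import mimetypes
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
CER_MIME_TYPE = "application/x-x509-ca-cert"  # what the delivery server must send for *.cer


def to_der(cert_bytes):
    """Return the certificate as DER bytes. A Base64 (PEM) export, a common wrong
    choice in the Export Wizard, is converted; DER input is returned unchanged."""
    text = cert_bytes.decode("ascii", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(text)
    return cert_bytes


def is_single_der_sequence(data):
    """Sanity check for a DER-encoded X.509 file: exactly one outer SEQUENCE whose
    encoded length matches the file size. Catches truncated copies, PEM text saved
    as .cer, and trailing junk, the usual causes of 'SSL Certificate is not trusted'
    after a manual install."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                     # short-form length (only tiny structures)
        body_len, header_len = first, 2
    else:                                # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        body_len, header_len = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header_len + body_len == len(data)


def check_cer_file(raw):
    """Normalise an exported certificate to DER and report whether it is well formed."""
    der = to_der(raw)
    return der, is_single_der_sequence(der)


def install_page_html(cer_name="mfe.cer"):
    """Minimal stand-in for the HTML page the phone browser opens to install the cert."""
    return '<html><body><a href="%s">Install certificate</a></body></html>' % cer_name


def register_cer_mime_type():
    """Teach Python's mimetypes (used by http.server) to serve *.cer with the right type."""
    mimetypes.add_type(CER_MIME_TYPE, ".cer")
    return mimetypes.guess_type("mfe.cer")[0]
```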
4 Arranging connectivity
This section describes how to make Exchange Server accessible from the internet and how to verify that
ActiveSync is enabled.
| Server | Description |
| --- | --- |
| Exchange Server: verify that ActiveSync is enabled | For information on verifying or enabling ActiveSync, visit Microsoft Technet, How to Enable Exchange ActiveSync. |
| Publishing Exchange Server via ISA 2006 (optional) | If you are already using Outlook or other Exchange clients, this step may not be necessary. Otherwise, you will have to publish Exchange. This means creating both a web listener as well as an Exchange web client access publishing rule. To get started, visit Microsoft Technet, Deploy ISA Server 2006 for Outlook Web App. |
- Email Address
- Domain
- Server name*
- Username
- Password
- SSL settings
*Needed only if Autodiscover is not configured on the server. If Autodiscover fails, check the option for
enabling/disabling SSL.
There are also a number of optional settings with recommended default values. You may want to inform
your users of your preferences.
launch the Software Update app anytime on their mobile phone to check if new updates of Mail for
Exchange are available for download.
6 Configuration scenarios
Determining which steps to follow when setting up and configuring Mail for Exchange depends on your
readiness to deploy mobile phones. We've grouped the steps into three main scenarios:
Case 1: You are an Exchange admin currently using other ActiveSync clients
1. Verify your SSL Certificate.
2. Consider your security policies.
3. Install and configure Mail for Exchange.
Case 2: You are an admin using Exchange 2003 SP2 or later with no mobile phones
1. Make Exchange accessible from the internet.
2. Optionally configure Autodiscover.
3. Consider your security policies.
4. Install and configure Mail for Exchange.
Case 3: You are an admin not using Exchange yet
1. Purchase and prepare your Exchange Server environment.
For more information, see:
Exchange. Search "Exchange system requirements" to find the system requirements for your version
of Exchange.
Microsoft Technet: Microsoft Internet Security and Acceleration (ISA) Server 2006
7 Best practices
This section describes the best practices related to security.
7.1 Use SSL
Using SSL provides:
- Data encryption between the mobile phone and the server, ensuring that if the data is intercepted it
cannot be interpreted.
- Protection against data being changed or replaced between the client and server.
This requires installation of a certificate on the server.
7.2 Enable phone lock policies
In Exchange 2007 (and later) groups of users can have separate policies.
Related Links
Understanding Exchange ActiveSync Mailbox Policies
Supported Exchange Server security policies (page 19)
Appendix A Supported Exchange Server security policies
| Policy | Category | Available from | Description |
| --- | --- | --- | --- |
| Maximum failed password attempts | General policies | Exchange 2003 SP2 | |
| Minimum password length | Password policies | Exchange 2003 SP2 | |
| Password enabled | Password policies | Exchange 2003 SP2 | |
| Password expiration | Password policies | Exchange 2007 | |
| Password history | Password policies | Exchange 2007 | ... passwords that can be stored in a user's mailbox. A user can't reuse a stored password. |
| Attachments enabled | Synch policies | Exchange 2007 | |
| Device encryption enabled | Password policies | | |
| Minimum device password complex characters | Password policies | | ... character that is not a letter. |
| Require Device Encryption | Password policies | | |
Appendix B Troubleshooting
Table 3: Troubleshooting scenarios
| Problem category | Issue | Workaround |
| --- | --- | --- |
| Sync status | Connection error | |