MBL220 Enterprise Mobile Messaging Best Practices with Exchange 2003 and Windows Mobile

Presentation Transcript


  1. MBL220 Enterprise Mobile Messaging Best Practices with Exchange 2003 and Windows Mobile
     辛浩 (Xin Hao), Senior IT Services Consultant

  2. Agenda
     • Enterprise mobile messaging applications
     • Exchange 2003 SP2
     • Windows Mobile 5 with MSFP
     • Enterprise Exchange messaging service in practice
     • Mobile messaging security, management and extensibility

  3. Enterprise mobile messaging applications
     • A rich choice of multi-purpose device endpoints
     • Ubiquitous, low-cost wireless networks
     • A steadily stronger security management infrastructure
     • Increasingly mature enterprise mobile messaging applications
       • Exchange Server 2003 / Windows Mobile 5
       • LCS 2005 / Mobile Office Communicator
       • CRM 2.0 / Mobile CRM
       • Mobile OA
       • Mobile ERP ...

  4. Focus: Microsoft Exchange Server 2003 Service Pack 2; Microsoft Windows Mobile 5 Messaging and Security Feature Pack; architecture; best practices
     Challenges of enterprise mobile messaging
     • Total cost of ownership
     • Connectivity
       • Scalability
     • Security
       • Device and network
     • Manageability
       • Provisioning and support
     • Extensibility
       • Leveraging infrastructure

  5. The starting point for enterprise mobile messaging: e-mail
     • E-mail is already a core enterprise application
     • Many mature devices and solutions already exist
     • Exchange Server 2003 is the first integrated solution
     • Combined with ISA it provides higher availability and manageability
     • Combined with IT policy it can deliver higher security

  6. Exchange 2003 SP2

  7. Exchange Server 2003 Service Pack 2
     • Higher security
       • Certificate-based authentication
       • Local and remote wipe capability
       • Central control of device policy
     • Direct Push technology
     • Many new features
       • Directory search
       • Pictures in Contacts
       • GZip

  8. Exchange Server 2003 mobile access services
     [Diagram] Laptop: RPC/HTTP or OWA. Cellular phone: Outlook Mobile Access (real-time). Pocket PC and Smartphone: Microsoft ActiveSync (synchronization). Windows CE based devices: Pocket PC, Pocket PC Phone Edition, Smartphone 2002; Windows Mobile 2003 (AUTD support); Windows Mobile 5 (AUTD and Direct Push support, with Exchange 2003 SP2).

  9. OWA access from Windows Mobile
     • Small-screen browsing
     • Pocket Internet Explorer (single window)
     • OWA is supported
     • Limited frame support

  10. OMA access from Windows Mobile
     • Based on WAP/WML
     • For legacy mobile phones

  11. ActiveSync access mechanism
     [Diagram] Device to front-end server: AirSync over HTTP with Basic authentication, SSL preferred; handled on the front end by IIS and the MASSYNC.DLL ISAPI extension. Front-end to back-end server: WebDAV over HTTP with Integrated authentication, in the clear; handled on the back end by IIS and the DAVEX.DLL ISAPI extension. Front end to Active Directory via DS_ACCESS: read user properties and obtain a Kerberos TGT.

  12. Exchange Server ActiveSync applications

  13. Mobile 5.0 with MSFP

  14. Online contact lookup (GAL) [figure labels: Service Pack 2, Windows Mobile 5]
     • Requires Windows Mobile 5 + MSFP
     • Integrated into the device applications
     • Import GAL entries into the local contacts list

  15. Exchange Direct Push
     • A true AUTD (always-up-to-date) solution
       • No SMS notification required
       • Supports all PIM data: Inbox, Calendar, Contacts and Tasks
       • No additional data traffic
       • Scalability: worldwide
       • No additional software or server installation required
     • Requirements
       • Enabled in the server configuration (the default)
       • "SP2-ready" devices
       • The solution depends on a persistent, real-time connection
       • The firewall connection timeout must be raised to 15-30 minutes

  16. Direct Push: how Direct Push Mail works (heartbeat interval 15 min)
     [Diagram] Windows Mobile device with MSFP on the left, server running Exchange 2003 SP2 on the right.
     Time = 0 min. Device: "If mail arrives within 15 minutes, tell me; otherwise tell me 'no mail'."
     Time = 15 min. Server: "No mail." Device: "If mail arrives within 15 minutes, tell me; otherwise tell me 'no mail'."
     Time = 23 min. Server: "You have new mail." Device: "Give me the mail."
     Heartbeat traffic: 370 bytes/heartbeat x 4 heartbeats/hour x 24 h x 30 days = 1.06 MB (block rounding not considered)
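The heartbeat exchange above, together with the firewall timeout requirement from slide 15, can be worked through in code. The following Python model is an added example for this page, not code from the presentation or from Microsoft; the `simulate_direct_push` and `heartbeat_bytes_per_month` functions, the event names and the minute-based timing are assumptions made for illustration. It replays the Ping cycle and shows what happens when an intermediate firewall forgets idle connections sooner than the heartbeat interval: the device learns of new mail only when its own Ping times out and it reconnects.

```python
"""Model of the Exchange 2003 SP2 Direct Push heartbeat exchange.

The device issues a long-lived Ping ("tell me within N minutes if mail
arrives, otherwise say 'no mail'"); the server answers early on new mail or
at the heartbeat deadline. A firewall that drops idle TCP connections sooner
than the heartbeat silently breaks the channel, which is why the slides ask
for a 15-30 minute firewall timeout. Illustrative model, not product code."""
from dataclasses import dataclass


@dataclass
class Event:
    time: int   # minutes since the first Ping
    kind: str   # "no_mail", "new_mail" or "dropped"
    note: str


def heartbeat_bytes_per_month(bytes_per_heartbeat: int, heartbeat_min: int,
                              days: int = 30) -> int:
    """Idle-channel cost: one heartbeat exchange every heartbeat_min minutes."""
    heartbeats_per_hour = 60 // heartbeat_min
    return bytes_per_heartbeat * heartbeats_per_hour * 24 * days


def simulate_direct_push(heartbeat_min: int, firewall_idle_timeout_min: int,
                         mail_arrivals: list[int], duration_min: int) -> list[Event]:
    """Replay the Ping/response cycle over a simulated period.

    mail_arrivals are minute offsets at which mail reaches the mailbox. The
    firewall forgets a connection after firewall_idle_timeout_min minutes
    without traffic; a waiting Ping carries no traffic, so it looks idle."""
    arrivals = sorted(mail_arrivals)
    events: list[Event] = []
    pending: list[int] = []   # mail that arrived while no live connection existed
    t = 0
    while t < duration_min:
        if pending:
            # A fresh Ping is answered immediately: the mailbox changed since
            # the last sync, so the device learns of the mail only now.
            events.append(Event(t, "new_mail",
                                f"{len(pending)} item(s) delivered late, "
                                f"first arrived at t={pending[0]}"))
            pending = []
            continue
        deadline = t + heartbeat_min
        drop = t + firewall_idle_timeout_min
        due = [m for m in arrivals if t < m <= deadline]
        if due and due[0] <= drop:
            # Connection still alive: the server replies to the open Ping at once.
            events.append(Event(due[0], "new_mail", "server replied to open Ping"))
            t = due[0]
        elif drop < deadline:
            # The firewall discarded the idle connection; neither side is told.
            events.append(Event(drop, "dropped",
                                "idle timeout shorter than heartbeat"))
            pending = due          # everything in (drop, deadline] is missed
            t = deadline           # device only notices when its Ping times out
        else:
            events.append(Event(deadline, "no_mail", "heartbeat expired"))
            t = deadline
    return events


def notification_delays(events: list[Event], mail_arrivals: list[int]) -> dict[int, int]:
    """Minutes between each mail arrival and the device being told about it."""
    notified = sorted(e.time for e in events if e.kind == "new_mail")
    delays: dict[int, int] = {}
    for m in sorted(mail_arrivals):
        later = [n for n in notified if n >= m]
        if later:
            delays[m] = later[0] - m
    return delays


if __name__ == "__main__":
    # The slide's scenario: 15-minute heartbeat, mail at minute 23.
    for e in simulate_direct_push(15, 30, [23], 45):
        print(f"t={e.time:>3} {e.kind:<8} {e.note}")
    print("idle bytes/month:", heartbeat_bytes_per_month(370, 15))
```

With a 15-minute heartbeat and a 30-minute firewall idle timeout the mail at minute 23 is reported at minute 23, matching the slide; with a 10-minute idle timeout the same kind of mail arriving at minute 12 is only reported at minute 15, and the connection is torn down every cycle. The idle-traffic figure reproduces the slide's 370 bytes x 4/hour x 24 h x 30 days.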

  17. Exchange Server 2003 SP2 configuration

  18. Enterprise Exchange messaging service in practice

  19. Architecture overview
     • Firewall
       • One or more
       • At least port filtering
       • Reverse proxy (publishing) support
     • Front-end server
       • Enterprise or Standard Edition
       • Public/private store can be removed
       • Can be deployed on the Internet, in the DMZ, or inside the corporate firewall
     • Back-end server
       • Inside the corporate firewall
       • Stores mailboxes and public folders

  20. FE/BE deployment scenarios: single firewall (simple)
     [Diagram] Internet -> firewall (ports 443, 993, 995) -> Exchange Server 2003 front-end servers -> Exchange 2003 back-end servers and Active Directory global catalog server, all on the internal network.

  21. FE/BE deployment scenarios: DMZ/perimeter network (secure)
     [Diagram] Internet -> firewall (ports 443, 993, 995) -> Exchange front-end servers in the DMZ -> firewall (ports 80, 143, 110, LDAP, etc.) -> Exchange 2003 back-end servers and Active Directory global catalog server on the internal network.

  22. ISA reverse proxy, DMZ/perimeter network (recommended)
     [Diagram] Internet -> ISA firewall (port 443 or 80) -> Exchange front-end server -> firewall (port 443) -> Exchange 2003 servers and AD/GC on the internal network.

  23. Mobile messaging security

  24. Secure mobile access
     [Diagram] Four numbered zones (1-4) laid out along an axis from traditional security through wireless to mobility: devices, air transmissions (PAN, LAN, WAN), private networks and public networks (VPN), and applications, with management spanning all of them.

  25. Mobile security threats (Source: Trend Micro)
     [Diagram] Timeline of mobile malware from June 2004 to July 2005: Cabir, Duts, Brador, Qdial, Skulls, Mabir, Comwar, Dampig, Locknut (Gavno), Drever, Fontal, Hobbes, Doomed, Vlasco; each marked as targeting Symbian OS (Nokia, etc.) or Windows CE (HP, etc.).
     • Stolen information: host intrusion, stolen device
     • Unauthorized network/application access: compromised credentials, host intrusion
     • Virus propagation: virus susceptibility
     • Lost information: lost, stolen or damaged device

  26. Mobile content security (access security)
     • Simple lock
     • Encryption
       • Private key storage?
       • Smartcard/TPM
       • Hashed private key (dictionary attack)
       • Couple with strong password policies
     • Prevent unsafe restarts
       • Analogous to BIOS password and DriveLock

  27. Authentication
     • Username/password
       • Encrypted on the device
     • Client certificate
       • Prevents ISA from SSL-bridging
       • Non-trivial enrollment
     • One-time password

  28. ActiveSync client secure connection
     • Infrastructure similar to OWA (HTTP)
     • SSL certificate checking by the access device
       1. HTTPS connection
       2. IIS presents the virtual server's SSL certificate (issued by the root CA); the device validates it against the root CA
     • The root CA of the SSL certificate must be installed on the Windows Mobile client
     • "Known" certificate authorities:
       • Thawte (Server and Premium Server)
       • Secure Server
       • GTE CyberTrust
       • GlobalSign
       • Entrust.net
       • Class 2 and 3 Public Primary Certificates

  29. Enforced security policies
     • Goal: ensure that mobile devices have the security policy enabled
     • Content:
       • PIN code strength
       • Remote wipe
       • Specific web UI
       • Device locking
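Slides 26 and 29 describe what a device must enforce once the policy is pushed to it: PIN strength, storage of a hashed secret rather than the PIN itself, an idle lock, and local or remote wipe. The following Python model is an added example, not code from the presentation or from Windows Mobile; the `DevicePolicy` values (six-digit minimum, eight failed attempts, five-minute idle lock) and all class and function names are assumptions chosen for illustration. The point it makes is the one on slide 26: a hashed secret only resists a dictionary attack if trivial PINs are rejected and the wipe threshold caps the number of guesses.

```python
"""Device-side enforcement of a centrally set security policy (PIN strength,
inactivity lock, local wipe after repeated failures, server-initiated remote
wipe). Model code; the policy values are assumptions, not Exchange defaults."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePolicy:
    min_pin_length: int = 6          # assumed value
    allow_simple_pin: bool = False   # reject 111111, 123456, 654321 ...
    max_failed_attempts: int = 8     # local wipe once this many unlocks fail
    inactivity_lock_min: int = 5     # idle minutes before the screen locks


def pin_meets_policy(pin: str, policy: DevicePolicy) -> tuple[bool, str]:
    """Return (accepted, reason). Rejecting trivial PINs keeps the dictionary
    of likely guesses large relative to the wipe threshold."""
    if not pin.isdigit():
        return False, "PIN must be numeric"
    if len(pin) < policy.min_pin_length:
        return False, f"PIN must have at least {policy.min_pin_length} digits"
    if not policy.allow_simple_pin:
        if len(set(pin)) == 1:
            return False, "repeated digit"
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if steps in ({1}, {-1}):
            return False, "sequential digits"
    return True, "ok"


def _derive(pin: str, salt: bytes) -> bytes:
    # The PIN is never stored; only a salted, slow hash of it is kept on the device.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class DeviceLock:
    """Lock / wipe state machine for one device."""

    def __init__(self, policy: DevicePolicy, pin: str):
        ok, reason = pin_meets_policy(pin, policy)
        if not ok:
            raise ValueError(f"PIN rejected by policy: {reason}")
        self.policy = policy
        self._salt = os.urandom(16)
        self._pin_hash = _derive(pin, self._salt)
        self.failed_attempts = 0
        self.state = "unlocked"      # "unlocked" | "locked" | "wiped"
        self.wipe_reason = ""

    def idle(self, minutes: int) -> None:
        """Inactivity timer: lock once the policy's idle limit is reached."""
        if self.state == "unlocked" and minutes >= self.policy.inactivity_lock_min:
            self.state = "locked"

    def unlock(self, attempt: str) -> str:
        """Process one unlock attempt and return the resulting state."""
        if self.state == "wiped":
            return self.state
        if hmac.compare_digest(_derive(attempt, self._salt), self._pin_hash):
            self.failed_attempts = 0
            self.state = "unlocked"
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= self.policy.max_failed_attempts:
                self._wipe("local wipe: too many failed unlock attempts")
            else:
                self.state = "locked"
        return self.state

    def remote_wipe(self) -> str:
        """Server-initiated wipe, delivered with the next ActiveSync policy exchange."""
        self._wipe("remote wipe requested by administrator")
        return self.state

    def _wipe(self, reason: str) -> None:
        # Destroy the key material; user data encrypted under it is now unrecoverable.
        self._pin_hash = b""
        self.state = "wiped"
        self.wipe_reason = reason
```

A correct unlock resets the failure counter, so the attacker's budget is `max_failed_attempts` consecutive guesses against a key space that the policy keeps at full size by rejecting repeated and sequential digits; without those two rules the most likely guesses would fit comfortably inside that budget.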

  30. Exchange server security
     • No SSL between front end and back end
       • Trusted physical/switched network
       • IPsec everything, or specific ports such as 80
     • IIS
       • Enable IIS logging
       • Disable non-essential script mappings
       • Always keep up to date on available fixes
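Slide 30's "enable IIS logging" only pays off if the logs are reviewed. The following Python check is an added example, not from the presentation or from Microsoft: it parses IIS 6 W3C extended log lines from a front-end server and flags two things the earlier slides argue against, ActiveSync requests that reached the front end on a port other than 443 (slide 11 marks SSL as preferred for the Basic-authenticated AirSync leg, so a port-80 hit means credentials travelled in the clear) and client addresses accumulating 401 responses. The log lines are constructed for the example, and the function names and the failure threshold are assumptions.

```python
"""Review IIS 6 W3C extended log lines from an Exchange 2003 front end.

Two checks a defender wants once IIS logging is on: ActiveSync requests that
reached the front end without SSL (Basic credentials exposed), and client
addresses piling up 401 responses. Added example; not Microsoft code."""
from collections import Counter

# Constructed sample log, not captured from a real server. Usernames, device
# ids and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-06-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-06-01 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=alice&DeviceId=ABC123 443 CONTOSO\\alice 203.0.113.10 MSFT-PPC/5.1.2300 200 0 0
2006-06-01 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=bob&DeviceId=DEF456 80 CONTOSO\\bob 203.0.113.11 MSFT-PPC/5.1.2300 200 0 0
2006-06-01 08:00:05 10.0.0.5 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 1 0
2006-06-01 08:00:06 10.0.0.5 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 1 0
2006-06-01 08:00:07 10.0.0.5 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 1 0
2006-06-01 08:00:08 10.0.0.5 GET /exchange/ - 443 - 198.51.100.7 Mozilla/4.0 401 1 0
2006-06-01 08:00:09 10.0.0.5 GET /oma/ - 443 CONTOSO\\carol 203.0.113.12 Nokia6600 200 0 0
"""


def parse_iis_log(text: str) -> list[dict]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # field list may change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")                       # IIS encodes spaces in values as '+'
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def find_cleartext_activesync(records: list[dict]) -> list[dict]:
    """ActiveSync hits that did not arrive on the SSL port of the front end."""
    return [r for r in records
            if r["cs-uri-stem"].lower().startswith("/microsoft-server-activesync")
            and r["s-port"] != "443"]


def count_auth_failures(records: list[dict]) -> Counter:
    """401 responses per client address."""
    return Counter(r["c-ip"] for r in records if r["sc-status"] == "401")


def report(text: str, failure_threshold: int = 3) -> dict:
    """Summarise both findings for one log file."""
    records = parse_iis_log(text)
    failures = count_auth_failures(records)
    return {
        "records": len(records),
        "cleartext_activesync": [(r["c-ip"], r["cs-username"], r["s-port"])
                                 for r in find_cleartext_activesync(records)],
        "auth_failure_sources": {ip: n for ip, n in failures.items()
                                 if n >= failure_threshold},
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the recommended topology of slide 22 the ISA server bridges SSL and reaches the front end on port 443, so any ActiveSync request logged on another port points at a path that bypasses the reverse proxy; the 401 count is the coarse signal that remains useful even when the front end is the only place credentials are checked.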

  31. Using IPsec
     • IPsec encrypts traffic between the Exchange front end and back end
     • IPsec policy
       • Exchange front end: Me to Any; TCP, any port to port 80; Encrypt
       • Exchange back end: Respond only
     • Push IPsec policies with GPO
     • Exchange 2003 front end and back end use Kerberos authentication

  32. Recommended configuration
     • No direct end-to-end connection; use SSL bridging (ISA)
     • Authenticate at the front end
     • Use IPsec between front end and back end
     • ISA and the FE need certificates configured

  33. Mobile messaging management

  34. Using Mobile Device Management (MDM)
     • Lower TCO, especially support costs
       • Central console, reporting
     • A more reliable platform for deploying line-of-business applications
     • Easier to use and more readily accepted by users
     • Security: assured configuration integrity

  35. Different MDM products
     • Desktop-management based
       • Altiris
       • Microsoft SMS
     • Integrated solutions
       • Good
       • Intellisync*
       • OneBridge
     • MDM standard
       • iAnywhere Afaria
       • mFormation*

  36. MDM maturity levels
     • Infancy
       • Asset management
       • Basic software updates
     • Adolescence
       • Software updates
       • Configuration management
       • Device security enforcement
     • Mature
       • Data publishing and synchronization
       • Multi-platform support
       • Policy-based software distribution
       • Over-the-air (OTA) activation and maintenance
       • Extended desktop management

  37. Enterprise MDM requirements
     • Integrated management console
     • Directory (AD/LDAP) integration
     • Centralized policies
       • Policy polling
       • User cannot remove
       • Screen-lock/idle-lock

  38. Mobile messaging service extensibility

  39. Extensible mobility architecture
     [Diagram] Content layer: OLTP/OLAP databases, CRM, ERP, business process automation, e-mail, rich media, Internet/intranet. Distribution layer: device services (rendering, synchronization, content aggregation, personalization, location) and connectivity services (roaming, compression, optimization, VPN). Access layer: presentation (rendering, synchronization, local processing) and connectivity (roaming, VPN). Management and security infrastructure across all layers: provisioning, user support, load balancing, identity management, authorization.

  40. Microsoft's extensible mobility architecture
     [Diagram] Content layer: Microsoft SQL, CRM, ERP, BizTalk, Exchange, Windows Media, IIS. Distribution layer: device services (ASP.NET Mobile Controls) and connectivity services (Server ActiveSync, ISA Server, Exchange FE). Access layer: presentation (.NET CF, SQL CE, Media Player) and connectivity (ActiveSync). Management and security infrastructure: Active Directory, SMS, MSFP.

  41. More resources
     • SP2 / Windows Mobile Deployment Guide: http://www.microsoft.com/technet/itsolutions/mobile/deploy/msfpdepguide.mspx
     • Exchange Team Blog - Mobility: http://msexchangeteam.com/archive/category/3827.aspx
     • Windows Mobile for Business Web Site: http://www.microsoft.com/windowsmobile/5/Business/default.mspx
     • Microsoft IT Case Study: http://msexchangeteam.com/archive/2006/06/09/427913.aspx

  42. More resources
     • Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
     • Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
     • MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
     • Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
     • Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
     • Technical Community Sites: http://www.microsoft.com/communities/default.mspx
     • User Groups: http://www.microsoft.com/communities/usergroups/default.mspx

  43. Please fill in the feedback form
