Planning For Exchange Server 2007 Client Access Servers


  • 8/12/2019 Planning For Exchange Server 2007 Client Access Servers

    1/144

    Planning for Exchange Server 2007 Client Access Servers

    Microsoft Corporation

    Published: June 2007

    Author: Microsoft Exchange Documentation Team

    Abstract

    The purpose of this document is to help you plan your Microsoft Exchange Server 2007 Client Access server deployment. The information and procedures included in this document focus on the planning considerations for the design of an Exchange 2007 Client Access server infrastructure.

    Important:

    This document is a deployment-specific compilation of several Exchange 2007 Help topics and is provided as a convenience for customers who want to view the topics in print format. To read the most up-to-date deployment topics, visit the Exchange Server 2007 Library.

    http://go.microsoft.com/fwlink/?LinkId=65320

    Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    © 2007 Microsoft Corporation. All rights reserved.

    Microsoft, MS-DOS, Windows, Windows Media, Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Vista, Active Directory, ActiveSync, Excel, Forefront, Internet Explorer, Outlook, SharePoint, SmartScreen and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    All other trademarks are property of their respective owners.


    Contents

    Planning for Exchange Server 2007 Client Access Servers
    Contents
    Planning for Exchange 2007 Client Access Servers
    Security Planning for Client Access Servers
    Sizing Client Access Servers
    General Sizing Recommendations
    Reference Architecture Analysis
    Recommended Performance Counters
    Client Access
    Outlook Web Access
    Exchange ActiveSync
    Understanding Exchange ActiveSync Mailbox Policies
    Understanding Mobile Device Connectivity
    Cellular Connectivity
    Wireless Connectivity
    Understanding Mobile Devices
    Exchange ActiveSync Enabled Devices
    Devices Enabled for Exchange ActiveSync
    Exchange ActiveSync Reporting Services
    Generating Exchange ActiveSync Reports
    Available Exchange ActiveSync Reports
    Interpreting the Internet Information Services Log Files
    Overview of POP3 and IMAP4
    Overview of Proxying
    Overview of Redirection
    Proxying with Network Load Balancing
    Summary of Client Access Methods
    Proxying Performance and Scalability
    Overview of Client Access Server Security
    Overview of SSL for Client Access Servers
    Overview of Using ISA Server 2006 for Client Access
    Understanding Security for Outlook Anywhere
    Using an Advanced Firewall Server for Outlook Anywhere
    Using SSL with Outlook Anywhere
    Configuring Authentication for Outlook Anywhere
    Configuring SSL for Outlook Anywhere
    SSL Deployment Options for Outlook Anywhere
    Configuring Authentication for Outlook Anywhere
    Basic Authentication and Outlook Anywhere
    Direct File Access
    Data Access Using Outlook Web Access
    Configuring Web Beacon and HTML Form Filtering in Outlook Web Access
    Controlling Web Beacon and HTML Form Filtering
    Configuring Authentication for Outlook Web Access

    Outlook Web Access

    70H Outlook Anywhere

    Exchange ActiveSync: > requests per second, >00 concurrent users

    Outlook Web Access: 20 requests per second, 00 concurrent users

    Outlook Anywhere: =0 requests per second, (=00 concurrent users

    Exchange ActiveSync: >00

    Outlook Web Access: 2(=0

    Outlook Anywhere: (


    Outlook Anywhere

    A select group of Client Access servers was used to analyze Outlook Anywhere performance. Microsoft measured the total number of Web connections on each server to determine peak loads, as well as the number of connection attempts per second (sec). Table 4 lists the performance object, counter, and instance used to measure these values.

    Table 4 Values to use when measuring Outlook Anywhere connections

    Object | Counter | Instance | Description
    Web service | Current Connections | _Total | The current number of connections established with the Web service.
    Web service | Connection Attempts/sec | _Total | The rate at which connections to the Web service are being attempted.

    Table 5 provides details about the collected values for the preceding load-indicating performance counters for three of the Client Access servers used to analyze Outlook Anywhere performance.

    Table 5 Unique Outlook Anywhere users per server during a peak one-hour period

    Server | Unique users | Connection attempts per second | Current connections
    CAS ;( ;>$2 22(0;

    After analyzing the collected data, it was found that processor utilization was not significantly affected by user load for Outlook Anywhere. Overall processor utilization was stable at approximately 24 percent at peak load. Lsass.exe and the worker process (W3wp.exe) hosting the service were the primary processor load generators and showed good correlation with total CPU utilization. Lsass.exe and W3wp.exe also showed the highest memory load, with Lsass.exe showing significantly higher memory usage than any other process. No indications of network bottlenecks were detected, and no significant disk activity beyond logging and paging was observed.


    Outlook Web Access

    A select group of Client Access servers was used to analyze Outlook Web Access performance. On the test servers,


    Note:

    The Average Request Time counter also includes Ping Request Time, which significantly increases Average Request Time values. As a result, the Average Request Time counter is not a good indicator of general response times.

    Table 7 Performance data collected for Exchange ActiveSync

    Performance counter | Value
    Average Request Time | 0=$7 sec

    Ping Commands Pending 20;$$0( are all supported.

    If you use a device that has Windows Mobile 5.0 and the Messaging Security and Feature Pack (MSFP) installed, your mobile device will support Direct Push. Direct Push is a technology that is built into Exchange ActiveSync that keeps a mobile device continuously synchronized with an Exchange mailbox.

    For more information about Exchange ActiveSync, see the following:

    • Overview of Exchange ActiveSync
    • Deploying Exchange ActiveSync
    • Managing Exchange ActiveSync

    POP3 and IMAP4

    In addition to supporting MAPI and HTTP clients, Exchange Server 2007 also supports POP3 and IMAP4 clients. By default, POP3 and IMAP4 are installed but the services are disabled when you install the Client Access server role.

    For more information about POP3 and IMAP4, see the following:

    • How to Start and Stop the POP3 Service
    • How to Start and Stop the IMAP4 Service

    The Availability Service

    The Exchange 2007 Availability service improves free/busy data access for information workers by providing secure, consistent, and up-to-date free/busy data to computers that are running Microsoft Office Outlook 2007. Outlook 2007 uses the Autodiscover service to obtain the URL of the Availability service. The Autodiscover service resembles the Domain Name System (DNS) Web service for Outlook 2007. Essentially, the Autodiscover service helps Outlook 2007 locate various Web services, such as the Microsoft Exchange Unified Messaging, Offline Address Book, and Availability services.


    For more information about the Availability service, see the following:

    • Managing the Availability Service

    The Autodiscover Service

    The Autodiscover service enables Outlook clients and some mobile devices to receive their necessary profile settings directly from the Exchange server by using the client's domain credentials. These settings automatically update the client with the information that is needed to create the user's profile.

    For more information about the Autodiscover service, see the following.

    • Overview of the Autodiscover Service
    • Understanding Exchange ActiveSync Autodiscover
    • Managing the Autodiscover Service

    New Client Functionality

    Many client-side improvements in features and functionality are included in Microsoft Exchange 2007 Unified Messaging. The new features include the Outlook Web Access client that has Unified Messaging configuration pages, Outlook Voice Access for subscriber access, a voice mail client for Microsoft Office Outlook 2007, and an improved Outlook experience on mobile devices. This section provides information about the new and improved client features that are included in Exchange 2007 Unified Messaging.

    Microsoft Exchange 2007 also includes several feature and functionality improvements for the information worker. These include improvements and enhancements to calendaring and messaging records management.

    Unified Messaging

    Unified Messaging is new to the Microsoft Exchange product family. Unified Messaging enables Exchange 2007 recipients to store e-mail, voice mail, and fax messages in one Inbox. Several client-side features are available to recipients who are enabled for Unified Messaging. For more information about the new Unified Messaging client features, see Client Features in Unified Messaging.

    Note:

    When you are using Microsoft Exchange ActiveSync on a mobile device, you can open a voice message in your mailbox and listen to the attached .wma file that contains the voice message. The advanced Unified Messaging features found in the premium version of Outlook Web Access, such as the voice mail configuration options, are unavailable in Outlook Web Access Light.

    Caution:

    When you are using Outlook Web Access Light and Pocket Internet Explorer on a mobile device, you may be able to listen to a voice message by using the .wma attachment that is described in Client Features in Unified Messaging. However, this configuration is not supported.

    Outlook Web Access

    Outlook Web Access in Exchange 2007 has been redesigned to enhance the end-user experience and productivity. Outlook Web Access includes many new features and improvements that are not found in earlier versions of Microsoft Exchange. Features such as smart meeting booking, Windows SharePoint Services and Windows file shares integration, and the ability to manage mobile devices are now available. Outlook Web Access also includes improvements in search, reminders, the Outlook Web Access address book, and other messaging options.

    For more information about the new client features found in Outlook Web Access, see Client Features in Outlook Web Access.

    Exchange ActiveSync and Mobility

    Exchange 2007 offers a significantly improved Outlook user experience on mobile devices. It also includes improved security and better mobile device management. No additional software or outsourcing fees are necessary to access data from a mobile device by using Exchange ActiveSync. For more information about the new client features found in Exchange ActiveSync, see Client Features In Exchange ActiveSync.

    Calendaring

    The improved calendaring feature in Exchange 2007 helps resolve reliability issues, enhances the scheduling process, and encourages more sharing of calendar information. Overall, these improvements make Microsoft Exchange and Outlook calendaring a more reliable and efficient tool for time management.

    Cached Exchange Mode

    You can configure the clients on your network that are using earlier versions of Outlook and Outlook 2007 to use Cached Exchange Mode with Exchange 2007.

    However, Exchange 2007 provides a new notification mechanism for Outlook 2007 clients that enables the clients that are running in Cached Exchange Mode to start downloading new messages more quickly than with earlier versions of Microsoft Exchange.

    Messaging Records Management

    To comply with legal, regulatory, or business process requirements, many organizations must process, filter, modify, and journal (forward) e-mail messages that are transferred to and from their organization and the Internet and between people in the organization. Administrators can use the messaging records management features in Exchange 2007 to help users and organizations keep the messages they need for business or legal reasons and to discard messages that they do not have to keep. This is done by using managed folders. Managed folders are folders in the user's mailbox to which retention policies have been applied. The administrator or the user puts these managed folders in the user's mailbox, and then the user sorts messages into the managed folders according to organization policy. Messages included in these managed folders are periodically processed according to the retention policies. When a message reaches a retention limit, it can be journaled, deleted, moved to another folder, or marked as past its retention date.

    For More Information

    • For more information about Exchange 2007 Unified Messaging, see Unified Messaging.
    • For more information about Exchange 2007 Outlook Web Access, see Overview of Outlook Web Access.
    • For more information about Exchange 2007 mobility and Exchange ActiveSync, see Overview of Exchange ActiveSync.
    • For more information about new and improved information worker functionality, see New Information Worker Functionality.

    Overview of Exchange ActiveSync

    By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, you enable Microsoft Exchange ActiveSync. Exchange ActiveSync lets you synchronize a mobile device with your Exchange 2007 mailbox.


    Overview of Exchange ActiveSync

    Exchange ActiveSync is a Microsoft Exchange synchronization protocol that is optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets devices such as browser-enabled cellular telephones or Microsoft Windows Mobile® powered devices access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile device users to access their e-mail, calendar, contacts, and tasks and to continue to be able to access this information while they are working offline.

    Note:

    Exchange ActiveSync can synchronize e-mail messages, calendar items, contacts, and tasks. You cannot use Exchange ActiveSync to synchronize notes in Microsoft Outlook.

    New Features in Exchange ActiveSync

    Exchange ActiveSync has been enhanced in Exchange Server 2007. The following are some of the new and enhanced features:

    • Support for HTML messages
    • Support for follow-up flags
    • Support for fast message retrieval
    • Meeting attendee information
    • Enhanced Exchange Search
    • Windows SharePoint Services and Universal Naming Convention (UNC) document access
    • PIN reset
    • Enhanced device security through password policies
    • Autodiscover for over the air provisioning
    • Support for Out of Office configuration
    • Support for tasks synchronization
    • Direct Push

    Note:

    The ability to use Autodiscover depends on the mobile device operating system that you are using. Not all mobile device operating systems that support synchronization with Exchange Server 2007 also support Autodiscover. For more information about which operating systems support Autodiscover, contact the manufacturer of your mobile device.

    Note:

    Many of these features require the use of the latest version of Windows Mobile that is currently in development.

    For more information about the new features in Exchange ActiveSync, see Client Features in Exchange ActiveSync.

    Managing Exchange ActiveSync

    By default, Exchange ActiveSync is enabled. All users who have an Exchange mailbox can synchronize their mobile device with the Microsoft Exchange server.

    You can perform the following Exchange ActiveSync tasks:

    • Enable and disable Exchange ActiveSync for users
    • Set policies such as minimum password length, device locking, and maximum failed password attempts
    • Initiate a remote wipe to clear all data off a lost or stolen device
    • Run a variety of reports for viewing or exporting into a reporting solution

    Security in Exchange ActiveSync

    You can configure Exchange ActiveSync to use Secure Sockets Layer (SSL) encryption for communications between the Exchange server and the mobile device client. Certificate-based authentication works with a self-signed certificate, a certificate from an existing public key infrastructure, or a third-party commercial certificate. You can use certificate-based authentication together with other security features, such as local device wipe and a device password, to turn the mobile device into a smartcard. The private key and certificate for client authentication are stored in memory on the device. If an unauthorized user tries to bypass the device password, all user data is purged. This includes the certificate and private key. For more security, you can deploy RSA SecurID two-factor authentication on the Exchange server.

    Device Security Features in Exchange ActiveSync

    In addition to the ability to configure security options for communications between the Exchange server and your mobile devices, Exchange ActiveSync offers the following features to enhance the security of mobile devices:

    • Remote wipe: If your device is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange Server computer or from any Web browser by using Microsoft Office Outlook Web Access. This command erases all data from the mobile device.
    • Device password policies: Exchange ActiveSync lets you configure several options for your device password. These options include the following:

    Minimum password length


    • Cellular telephones that have Windows Mobile® 5.0 and the Messaging & Security Feature Pack (MSFP) and later versions of Windows Mobile software.
    • Cellular telephones or mobile devices that are produced by Exchange ActiveSync licensees and are designed specifically to be Direct Push compatible.

    By default, Direct Push is enabled in Exchange 2007. Mobile devices that support Direct Push issue a long-lived HTTPS request to the Exchange server. The Exchange server monitors activity on the user's mailbox and sends a response to the device if there are any changes, such as new or changed e-mail messages or calendar or contact items. If changes occur within the lifespan of the HTTPS request, the Exchange server issues a response to the device that states that changes have occurred and the device should initiate synchronization with the Exchange server. The device then issues a synchronization request to the server. When synchronization is complete, a new long-lived HTTPS request is generated to start the process over again. This guarantees that e-mail, calendar, contact, and task items are delivered quickly to the mobile device and the device is always synchronized with the Exchange server.

    Direct Push Topology

    The figure illustrates a typical Exchange Server 2007 topology that is configured for Direct Push. This figure assumes that you have the Client Access server role and the Mailbox server role installed on two separate Exchange Server computers. You can also install both server roles on the same physical Exchange 2007 computer.

    Figure: Direct Push Network Design


    Direct Push operates in the following way:

    1. A mobile device that is configured to synchronize with an Exchange 2007 server issues an HTTPS request to the server. This request is known as a ping. The request tells the server to notify the device if any items change in any folder that is configured to synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The mobile device will then stand by. The 15-minute time span is known as a heartbeat interval.

    2. If no items change in 15 minutes, the server returns a response of HTTP 200 OK. The mobile device receives this response, resumes activity (called waking up), and issues its request again. This restarts the process.

    3. If any items change or new items are received within the 15 minute heartbeat interval, the server sends a response that informs the mobile device that there is a new or changed item and the name of the folder in which the new or changed item resides. After the mobile device receives this response, it issues a synchronization request for the folder that has the new or changed items. When synchronization is complete, the mobile device issues a new ping request and the whole process starts over.


    Direct Push depends on network conditions that support a long-standing HTTPS request. If the carrier network for the mobile device or the firewall does not support long-standing HTTPS requests, the HTTPS request is stopped. The following steps describe how Direct Push operates when a mobile device's carrier network has a time-out value of 13 minutes.

    1. A mobile device issues an HTTPS request to the server. The request tells the server to notify the device if any items change in any folder that is configured to synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The mobile device then stands by.

    2. If the server does not respond after 15 minutes, the mobile device wakes up and concludes that the connection to the server was timed out by the network. The device reissues the HTTPS request, but this time uses a heartbeat interval of eight minutes.

    3. After eight minutes, the server sends an HTTP 200 OK message. The device will then try to gain a longer connection by issuing a new HTTPS request to the server that has a heartbeat interval of 12 minutes.

    4. After four minutes, a new e-mail message is received and the server responds by sending an HTTPS request that tells the device to synchronize. The device synchronizes and reissues the HTTPS request that has a heartbeat of 12 minutes.

    5. After 12 minutes, if there are no new or changed items, the server responds by sending an HTTP 200 OK message. The device wakes up and concludes that network conditions will support a heartbeat interval of 12 minutes. The device will then try to gain a longer connection by reissuing an HTTPS request that has a heartbeat interval of 16 minutes.

    6. After 16 minutes, no response is received from the server. The device wakes up and concludes that network conditions cannot support a heartbeat interval of 16 minutes. Because this failure occurred directly after the device tried to increase the heartbeat interval, it concludes that the heartbeat interval has reached its maximum limit. The device then issues an HTTPS request that has a heartbeat interval of 12 minutes because this was the last successful heartbeat interval.

    The mobile device tries to use the longest heartbeat interval the network supports. This extends battery life on the device and minimizes the amount of data that is transferred over the network. Mobile carriers can specify a maximum, minimum, and initial heartbeat value in the registry settings for the mobile device.
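The heartbeat adjustment in the steps above can be simulated to see which interval a device settles on for a given carrier or firewall idle time-out, and how often it then has to re-issue the ping. This is an added example, not Microsoft code: the 15-minute initial and eight-minute fallback intervals come from the walkthrough, while the 4-minute step (inferred from the 8, 12, 16 sequence), the 30-minute ceiling, the behaviour when even the fallback fails, and all function names are assumptions.

```python
"""Simulate the Direct Push heartbeat adjustment described in the steps above.

Added illustration, not Microsoft code. INITIAL_MIN and FALLBACK_MIN are the
values used in the walkthrough; STEP_MIN and MAX_MIN are assumptions.
"""

INITIAL_MIN = 15   # heartbeat interval of the first ping (from the walkthrough)
FALLBACK_MIN = 8   # interval tried after the first ping gets no response
STEP_MIN = 4       # assumed increment, inferred from the 8 -> 12 -> 16 sequence
MAX_MIN = 30       # assumed ceiling for this simulation


def negotiate(idle_timeout_min, initial=INITIAL_MIN, fallback=FALLBACK_MIN,
              step=STEP_MIN, maximum=MAX_MIN):
    """Return (settled_interval, log) for a network path that silently drops
    any connection left idle for idle_timeout_min minutes or longer.

    settled_interval is None when even the fallback interval is cut off
    (a case the walkthrough does not cover; treated here as "no stable ping").
    Early responses caused by mailbox changes (step 4) do not alter the
    interval, so they are not modelled.
    """
    log = []

    def ping(interval):
        # The server answers HTTP 200 OK only when the heartbeat expires, so
        # the ping completes only if the path keeps the idle connection open
        # for the whole interval. An interval equal to the time-out is
        # treated as cut off.
        answered = interval < idle_timeout_min
        log.append((interval, "200 OK" if answered else "no response"))
        return answered

    if ping(initial):
        good = initial
    elif ping(fallback):
        good = fallback
    else:
        return None, log

    # Probe longer intervals. A failure directly after an increase means the
    # last successful interval is the longest the path supports.
    while good + step <= maximum and ping(good + step):
        good += step
    log.append((good, "settled"))
    return good, log


def compare_timeouts(timeouts):
    """Map each idle time-out to (settled interval, idle pings per hour)."""
    rows = {}
    for timeout in timeouts:
        settled, _ = negotiate(timeout)
        pings = None if settled is None else round(60 / settled, 2)
        rows[timeout] = (settled, pings)
    return rows


if __name__ == "__main__":
    settled, log = negotiate(13)          # the 13-minute carrier time-out
    for interval, outcome in log:
        print(f"heartbeat {interval:>2} min: {outcome}")
    # Constructed time-outs: a very short firewall default, the walkthrough
    # value, and the upper end of the recommended firewall range.
    for timeout, (interval, pings) in compare_timeouts([5, 13, 30]).items():
        print(f"time-out {timeout:>2} min -> interval {interval}, "
              f"{pings} idle pings/hour")
```

With a 13-minute time-out the log reproduces the 15, 8, 12, 16, 12 sequence of the walkthrough; shorter time-outs settle on shorter intervals and therefore more requests per hour.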

    Configuring Direct Push to Work Through Your Firewall

    For Direct Push to work through your firewall, you must open the following ports:

    • If you have the Client Access server role and the Mailbox server role installed on two separate Exchange Server computers, you must open TCP port 135 for the RPC locator service on any internal firewall that is between the two Exchange Server computers.

    • TCP port 443 is required for Secure Sockets Layer (SSL) and must be opened between the Internet and the Exchange Server computer that has the Client Access server role installed.

    In addition to opening ports on your firewall, for optimal Direct Push performance, you should increase the time-out value on your firewall from the default to 15 to 30 minutes. The maximum length of the HTTPS request is determined by the following settings:

    • The maximum time-out that is set on the firewalls that control the traffic from the Internet to the Exchange server that has the Client Access server role installed

    • The firewall time-outs that are set by the mobile carrier

    A short time-out value causes the device to initiate a new HTTPS request more frequently. This can shorten battery life on your device. For more information about how to configure your firewall, see the ISA Server Product Documentation.

    For More Information

    For more information about Direct Push and how to synchronize mobile devices with Exchange 2007, see the following:

    • How to Configure Mobile Devices to Synchronize with Exchange Server

    • Understanding Mobile Devices

    • Understanding Mobile Device Connectivity

    Understanding Exchange ActiveSync Mailbox Policies

    This section discusses Exchange ActiveSync mailbox policies and how they can be used in your Microsoft Exchange Server 2007 environment.

    Overview

    Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings to a user or group of users. Table 1 summarizes the settings that you can specify by using Exchange ActiveSync mailbox policies.

    Table 1 Exchange ActiveSync mailbox policy settings

    | Setting | Description |
    | --- | --- |
    | Allow non-provisionable devices | Allows older devices (those that do not support Exchange ActiveSync mailbox policies) to connect to Exchange 2007 by using Exchange ActiveSync. |
    | Allow simple password | Enables or disables the ability to use a simple password such as 1234. |
    | Alphanumeric password required | Requires that a password contains numeric and non-numeric characters. |
    | Attachments enabled | Enables attachments to be downloaded to the mobile device. |
    | Device encryption enabled | Enables encryption on the device. |
    | Password enabled | Enables the device password. |
    | Password expiration | Enables the administrator to configure a length of time after which a device password must be changed. |
    | Password history | The number of past passwords stored in the user's mailbox. A user cannot reuse a previously stored password. |
    | Policy refresh interval | Defines how frequently the device updates the Exchange ActiveSync policy from the server. |
    | Maximum attachment size | Specifies the maximum size of attachments that are automatically downloaded to the device. |
    | Maximum failed password attempts | Specifies how many times an incorrect password can be entered before the device performs a wipe of all data. |
    | Maximum inactivity time lock | Specifies the length of time a device can go without user input before it locks. |
    | Minimum password length | Specifies the minimum password length. |
    | Password recovery | Enables the device password to be recovered from the server. |
    | UNC file access | Enables access to files stored on Universal Naming Convention (UNC) shares. |
    | WSS file access | Enables access to files stored on Microsoft Windows SharePoint Services sites. |

    For example, you can create a policy that you apply to all users in your Exchange organization. Table 2 lists the settings that this policy could have.

    Table 2 Sample Exchange ActiveSync mailbox policy settings for all users

    | Setting | Value |
    | --- | --- |
    | Allow non-provisionable devices | False |
    | Allow simple password | False |
    | Alphanumeric password required | True |
    | Attachments enabled | True |
    | Device encryption enabled | True |
    | Password enabled | True |
    | Password expiration | 0 days |
    | Password history | passwords stored |
    | Maximum attachment size | 500 kilobytes (KB) |
    | Maximum failed password attempts | 4 |
    | Minimum password length | 4 |
    | UNC file access | Disabled |
    | WSS file access | Disabled |

    Note:

    You do not have to specify all policy settings when you create a new Exchange ActiveSync mailbox policy. Any policy setting that you do not explicitly set will retain its default value.

    Exchange ActiveSync mailbox policies can be created in the Exchange Management Console or the Exchange Management Shell. If you create a policy in the Exchange Management Console, you can configure only a subset of the available settings. You can configure the rest of the settings by using the Exchange Management Shell.

    You do not have to assign a user to an Exchange ActiveSync mailbox policy. Table 3 summarizes the policy settings that are used if you do not assign a user to a policy.

    Table 3 Default Exchange ActiveSync settings

    | Setting | Value |
    | --- | --- |
    | Allow non-provisionable devices | True |
    | Allow simple password | False |
    | Alphanumeric password required | False |
    | Attachments enabled | True |
    | Device encryption enabled | False |
    | Password enabled | False |
    | Password expiration | Unlimited |
    | Password history | 0 |
    | Policy refresh interval | Unlimited |
    | Document browsing enabled | True |
    | Maximum attachment size | Unlimited |
    | Maximum failed password attempts | 4 |
    | Maximum inactivity time lock | 15 minutes |
    | Minimum password length | 4 |
    | Password recovery | Disabled |
    | UNC file access | Enabled |
    | WSS file access | Enabled |

    Exchange ActiveSync Mailbox Policy Example

    Figure 2 illustrates how Exchange ActiveSync mailbox policies can be created to control a variety of settings for three different groups of users.

    Figure 2 Example of Exchange ActiveSync mailbox policies

    For More Information

    For more information about how to manage Exchange ActiveSync by using policies, see Managing Exchange ActiveSync with Policies.

    Understanding Remote Device Wipe

    One of the enhanced features available in Microsoft Exchange Server 2007 is the ability to perform a remote device wipe of a mobile device. Remote device wipe is a feature that enables the Exchange server to set a mobile device to delete all data the next time that the device connects to the Exchange server.

    A remote device wipe returns a device to its factory default condition. This can be useful when a device is lost, stolen, or otherwise compromised, or when a device has to be reassigned from one user to another.

    Overview

    Mobile devices can store sensitive corporate data and provide access to many corporate resources. If a device is lost or stolen, that data can be compromised. Through Exchange ActiveSync policies, you can add a password requirement to your mobile devices. This requires that users enter a password to access their device. We recommend that, in addition to requiring a device password, you configure your devices to automatically prompt for a password after a period of inactivity. The combination of a device password and inactivity locking provides more security for your corporate data.

    In addition to these features, Exchange 2007 provides remote device wipe. You can issue a remote wipe command from the Exchange Management Shell. Users can issue their own remote wipe commands from the Outlook Web Access user interface.

    The remote device wipe feature also includes a confirmation function that writes a timestamp in the sync state data of the user's mailbox. This timestamp is displayed in Outlook Web Access and in the user's mobile device properties dialog box in the Exchange Management Console.

    Important:

    In addition to resetting the device to factory default condition, a remote device wipe also deletes any data on any storage card that is inserted in the device. If you are performing a remote device wipe on a device in your possession and want to retain the data on the storage card, remove the storage card before you initiate the remote device wipe.

    Remote Device Wipe vs. Local Device Wipe

    Local device wipe is the mechanism by which a device wipes itself without the request coming from the server. If your organization has implemented Exchange ActiveSync policies that specify a maximum number of password attempts and that maximum is exceeded, the device will perform a local device wipe. The result of a local device wipe is the same as that of a remote device wipe. The device is returned to its factory default condition. When a device performs a local device wipe, no confirmation is sent to the Exchange server.

    For More Information

    For more information about the remote device wipe feature, see the following:

    • How to Perform a Remote Wipe on a Device

    • Clear-ActiveSyncDevice

    Understanding Exchange ActiveSync Autodiscover

    Microsoft Exchange Server 2007 introduces a new service that makes it easier to provision devices for end users. The Autodiscover service simplifies the provisioning of your mobile device by returning the required system settings after you enter your e-mail address and password. By default, the Autodiscover service is enabled in Exchange 2007.

    Overview of Autodiscover with Exchange ActiveSync

    If your mobile device supports Autodiscover, you can configure your device to synchronize with Exchange 2007. Figure 3 illustrates this synchronization process.

    Figure 3 Using Autodiscover with Exchange ActiveSync

    1. The user enters their e-mail address and password on the device.

    2. The device connects to a root DNS server to retrieve the URL for the Autodiscover service and the IP address for the user's domain.

    3. The device uses a Secure Sockets Layer (SSL) connection to connect through the firewall to the Autodiscover service virtual directory. The Autodiscover service assembles the XML response based on the server synchronization settings.

    4. The Autodiscover service sends the XML response through the firewall over SSL. This XML response is interpreted by the device and synchronization settings are configured automatically on the device.

    Note:

    The ability to use Autodiscover depends on the operating system of the mobile device that you are using. Not all mobile device operating systems that support synchronization with Exchange Server 2007 support Autodiscover. For more information about operating systems that support Autodiscover, contact the manufacturer of your device.

    Note:

    Windows Mobile 5.0 and Windows Mobile 6.0 do not support Autodiscover.

    For More Information

    For more information about how to manage the Autodiscover service, see Managing the Autodiscover Service.

    Understanding Mobile Device Connectivity

    A wide variety of mobile devices can synchronize with Microsoft Exchange Server 2007. Most mobile devices that synchronize with Exchange 2007 are cellular telephones. These devices can run operating systems such as Windows Mobile, Symbian, Palm, and Nokia. For an overview of the different mobile devices that are enabled for Exchange ActiveSync, see Understanding Mobile Devices.

    Regardless of the type of device that you select, there are two primary ways to connect to Exchange 2007: by using cellular connectivity and by using wireless connectivity. This section provides an overview of the two connectivity options.

    Cellular Connectivity

    All mobile devices that are enabled for Exchange ActiveSync can use cellular connectivity to synchronize with Exchange 2007. There are several different types of cellular data networks. Regardless of the type of cellular data network that your mobile device uses, the method of synchronization is the same. If the operating system of your device is Windows Mobile 5.0 with the Messaging & Security Feature Pack or Windows Mobile 6.0, synchronization is accomplished through Direct Push. If your device has another operating system, manual synchronization is used. When a device uses Direct Push to synchronize with Exchange 2007, it establishes a long-standing HTTPS connection with the Exchange server. When the connection is first established, the device sets what is called a heartbeat interval. The default heartbeat interval is 15 minutes. If any new messages are added to monitored folders on the Exchange server within this heartbeat interval, the server informs the device and the device initiates synchronization. When synchronization is complete, a new HTTPS request is initiated and the process is repeated. For more information about Direct Push, see Understanding Direct Push.

    Cellular data plans can charge by the minute, by the megabyte, or offer unlimited data transfer. When you use a cellular data connection with Exchange 2007 Direct Push, we recommend purchasing an unlimited data plan.

    Wireless Connectivity

    Many of the mobile devices that are enabled for Exchange ActiveSync can connect to a wireless LAN. Connecting to a wireless LAN can provide faster network speeds and better coverage in areas where cellular coverage is unreliable. In addition, wireless access is sometimes offered at commercial locations such as coffee shops and book stores. The primary disadvantage to using wireless connectivity is that Direct Push will not work over a wireless LAN. Users who connect over a wireless LAN can perform manual synchronizations or configure scheduled synchronizations as frequently as every five minutes.

    For More Information

    For more information, see the following:

    • Understanding Mobile Devices

    • Understanding Direct Push

    Understanding Mobile Devices

    Mobile devices that are enabled for Exchange ActiveSync enable users to access most of their Microsoft Exchange mailbox data any time, anywhere. There are a variety of different devices that are enabled for Exchange ActiveSync. These include Windows Mobile powered devices, Nokia devices, and Palm devices. This section provides an overview of these mobile devices.

    Exchange ActiveSync Enabled Devices

    Exchange ActiveSync is a communications protocol that enables mobile access, over the air, to e-mail messages, scheduling data, contacts, and tasks. Exchange ActiveSync is available on Windows Mobile powered devices and third-party devices that are enabled for Exchange ActiveSync.

    Exchange ActiveSync offers Direct Push technology. Direct Push uses an encrypted HTTPS connection that is established and maintained between the device and the server to push new e-mail messages and other Exchange data to the device.

    To use Direct Push with Exchange 2007, your users must have a mobile device that is running Windows Mobile 5.0 with the Messaging & Security Feature Pack or another mobile operating system that is designed to support Direct Push.

    Note:

    The Messaging & Security Feature Pack includes support for Direct Push, server-based security policies, remote device wipe, Task synchronization, global address book lookup, and many other features.

    Exchange ActiveSync Features

    Exchange ActiveSync provides access to a variety of features. These features enable you to enforce device security policies. By using Exchange 2007, you can configure multiple Exchange ActiveSync policies and control which devices can synchronize with your Exchange server. Exchange ActiveSync enables you to send a remote device wipe command that wipes all data from an existing device in case that device is lost or stolen. Users can also initiate a remote device wipe from Microsoft Office Outlook Web Access.

    For more information about Exchange ActiveSync, see Overview of Exchange ActiveSync.

    Note:

    Access to some of the features described in this section requires either Windows Mobile 5.0 with the Messaging & Security Feature Pack or the next version of Windows Mobile software that is currently in development. For more information, see your device documentation.

    Devices Enabled for Exchange ActiveSync

    Users can take advantage of Exchange ActiveSync by selecting mobile devices that are compatible with Exchange ActiveSync. These devices are available from a variety of manufacturers. Most of these devices do not support Direct Push. However, they do support synchronization with Microsoft Exchange. For more information, see the device documentation.

    Some of the devices that are compatible with Microsoft Exchange include the following:

    • Nokia: Nokia offers Mail for Exchange on their Eseries mobile devices. E-mail, calendar, and contact data can be synchronized over a cellular network or a wireless LAN.

    • Sony Ericsson: Sony Ericsson offers Exchange ActiveSync support on several of their newer smartphone devices. They also support Direct Push through a third-party program.

    • Palm: Palm offers two smartphones that have the Windows Mobile 5.0 operating system. These devices support Direct Push. Palm also supports Exchange ActiveSync on the Treo 650 and 680 series smartphones. These devices do not support Direct Push.

    • Motorola: Motorola has its own synchronization framework that enables over-the-air synchronization through Exchange ActiveSync on a variety of its devices.

    • Symbian: Symbian Limited licenses Exchange ActiveSync for use in the Symbian operating system. This operating system is an open standard operating system for mobile telephones.

    Windows Mobile Software Feature Matrix

    Mobile devices that have a version of Windows Mobile software as their operating system offer the greatest functionality when synchronizing with Exchange 2007. Table 4 illustrates some of the features that are available with the different versions of Windows Mobile software.

    Table 4 Windows Mobile software feature matrix

    | Operating System | Productivity Enhancements | Security Enhancements | Administration Enhancements |
    | --- | --- | --- | --- |
    | Windows Mobile 6.0 | Direct Push; HTML e-mail support; Message flags; Quick message retrieval; Enhanced calendar views; Meeting attendee information; Out of Office management; Exchange search; Windows SharePoint Services and Windows file share (UNC) document access | Enforcement of Exchange ActiveSync mailbox policies; Remote device wipe; Certificate-based authentication; S/MIME support (with Exchange 2007 SP1); Device storage card encryption; Rights management support | Detailed device monitoring; Error reporting |
    | Windows Mobile powered devices with the Messaging & Security Feature Pack | Direct Push; Global address book lookup; Task synchronization | Enforcement of Exchange ActiveSync mailbox policies; Remote device wipe; Certificate-based authentication; S/MIME support (with Exchange 2007 SP1) | Microsoft Operations Manager integration and reporting; Diagnostic tasks and health monitoring |
    | All Windows Mobile powered devices | Synchronization of e-mail messages, calendar, and contact data | Secure Sockets Layer (SSL) encryption; Basic authentication; Integration with Internet Security and Acceleration (ISA) Server | Microsoft Operations Manager integration and reporting; Diagnostic tasks and health monitoring |

    For more information about how to manage Windows Mobile powered devices, visit the Windows Mobile Center Web site.

    Exchange ActiveSync Reporting Services

    Microsoft Exchange Server 2007 and Exchange ActiveSync offer a wide variety of features for both users and administrators. As an administrator, it is important that you know the volume and usage patterns of your deployment. This information can help you effectively manage your Exchange ActiveSync deployment, better understand user productivity, and plan for future needs. Reporting in Exchange ActiveSync for Exchange Server 2007 is a Windows PowerShell task that compiles a set of Internet Information Services (IIS) logs and processes to create a series of output files. Each file is a separate report that can help you understand your Exchange ActiveSync deployment. This section provides an overview of the cmdlet you can use to generate these reports and information about the content of these reports.

    Generating Exchange ActiveSync Reports

    You can generate Exchange ActiveSync reports by using the Export-ActiveSyncLog cmdlet. This cmdlet lets you specify a variety of input parameters. These parameters include the location of the IIS log files, the start dates and the end dates for the reports, and the output path for the reports. To run this cmdlet, you must be delegated the permissions associated with the Exchange Server Administrator or Exchange Organization Administrator role. You must also have read access to the directory where the IIS logs are located. For more information about the syntax of the Export-ActiveSyncLog cmdlet, see Export-ActiveSyncLog.

    Available Exchange ActiveSync Reports

    There are a variety of Exchange ActiveSync reports available. These reports include the following:

    • Exchange ActiveSync Usage Report: This report includes a variety of monitored parameters. These include the total bytes that have been sent and received in addition to a count of each type of item that was sent and received. Item types are e-mail messages, calendar items, contact items, and task items.

    • Hits Report: This report lets you see the total number of synchronization requests that are processed per hour, in addition to the total number of unique devices that are initiating synchronization requests.

    • HTTP Status Report: This report provides a general overview of the performance of the Client Access server. It includes a summary of the various error response codes and the percentage of the time each code was encountered.

    • Policy Compliance Report: This report provides information about the number of fully compliant, partially compliant, and noncompliant devices. A fully compliant device is one that has accepted the Exchange ActiveSync policy and can implement all aspects of the policy. A partially compliant device is one that has accepted the policy, but has a mobile device operating system that is unable to enforce all aspects of the policy. A noncompliant device is either unable to accept the policy or has rejected the policy.

    • User Agent List: This report returns the total number of unique users, organized by mobile device operating system.

    Interpreting the Internet Information Services Log Files

    Table 5 lists the various elements of the Exchange ActiveSync IIS logs. In the log file, each element is separated by an underscore character.

    Table 5 Elements of the Exchange ActiveSync protocol logs

    | Letter identifier | Element name | Definition | Possible values |
    | --- | --- | --- | --- |
    | V | Protocol version | The protocol version that the device is using to synchronize with the Exchange server. | 120 = Version 12; 25 = Version 2.5; 21 = Version 2.1; 20 = Version 2.0; 10 = Version 1.0 |
    | Ty | Type | The type of folder that is being synchronized. | Em = E-mail; Co = Contacts; Ca = Calendar; Ta = Tasks |
    | Fid | Folder ID | The ID of the folder that is being synchronized. | Positive Integer |
    | Fc | Folder count | The number of folders that are being synchronized. | Positive Integer |
    | Filt | Filter type | The data that the user requested. | Value = Meaning (applies to E-mail / Calendar / Tasks): 0 = No filter (Yes / Yes / Yes); 1 = 1 day back (Yes / No / No); 2 = 3 days back (Yes / No / No); 3 = 1 week back (Yes / No / No); 4 = 2 weeks back (Yes / Yes / No) |
    | St | Sync type | The type of synchronization that is being performed. | F = First sync; S = Subsequent sync; R = Recovery sync; I = Invalid sync |
    | Sk | Sync key | The actual sync key that is used between the mobile device and the Exchange server. | Positive integer |
    | Cli: | Client statistics | Stores the count of each type of activity from the Client. Output is in the form Cli: 0A0C3D1F0E. | A = Adds; C = Changes; D = Deletes; F = Fetches; E = Errors |
    | Svr: | Server statistics | Stores the count of each type of activity from the server. Output is in the form Svr:2A0C2D1F1E. | A = Adds; C = Changes; D = Deletes; F = Fetches; E = Errors |
    | E | Number of errors | This is the number of errors encountered in a request. | Positive integer |
    | Io | Items opened | This is the number of items that have been opened. This feature has not yet been implemented. | Positive integer |
    | Hb | Heartbeat interval | This indicates the Heartbeat interval that is used for the ping command. | Positive integer |
    | Ssp | SharePoint documents | This is the number of files that have been accessed from Windows SharePoint Services. | Positive integer |
    | Sspb | SharePoint bytes | This is the number of bytes that have been accessed from Windows SharePoint Services. | Positive integer |
    | Unc | UNC files | This is the number of files that have been accessed through Windows file shares. | Positive integer |
    | Uncb | UNC bytes | This is the number of bytes that have been accessed through Windows file shares. | Positive integer |
    | Att | Attachments | This is the number of attachments that have been retrieved. | Positive integer |
    | Attb | Attachment bytes | The number of bytes that have been retrieved for attachments. | Positive integer |
    | Pk | Policy key received | The element that is used by the client and server to correlate acknowledgements to a particular policy setting. | Not applicable |
    | Pa | Policy acknowledge status | The element that indicates success if all the policy settings were applied correctly. | 1 = Policy was successfully applied; 2 = Policy was partially applied; 3 = Policy was not applied |
    | Oof | OOF action | The action that is performed on the Out of Office status stored on the Exchange server. | Get = Retrieves the OOF status and message; Set = Sets the OOF status and message |
    | UserInfo | User information action | The parameter that specifies retrieval of the user information data. | Get |
    | DevModel | Device model | The device information that is supplied by the device manufacturer. | Possible values include manufacturer name, model name, and model number. |
    | DevIMEI | IMEI | The International Mobile Equipment Identity (IMEI). It is a 15-digit code that is assigned to each device. | String |
    | DevName | Device friendly name | This element stores the user's description of their device. | String |
    | DevOS | Device OS | The operating system that is running on the device. | String |
    | DevLang | Device OS language | The localized language of the device operating system. | String |
    | Error | Error | The error section of the request. | String |
    | S | Status | This element returns the status of the device. | String |

    A sample log for a device synchronization might appear as follows:

    B3og42(D1$:EmD"i):(7D"cD"ilt2DSt:SDS:906DSrv:a0c0)0s0e0rDP%22802(9(

    DS
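The element layout in Table 5 can be parsed mechanically, which makes it possible to pick out devices that report a policy as partially applied or not applied, invalid syncs, and request errors. The following is an added example, not Microsoft's code or the logic of Export-ActiveSyncLog; the sample lines are constructed, and accepting an optional colon between identifier and value is an assumption.

```python
"""Added illustration: parser for the Exchange ActiveSync log elements in Table 5."""
import re

# Letter identifiers from Table 5. "Srv" is accepted as an alias because the
# page's sample line spells the server statistics element that way.
IDENTIFIERS = sorted(
    ["V", "Ty", "Fid", "Fc", "Filt", "St", "Sk", "Cli", "Svr", "Srv", "E",
     "Io", "Hb", "Ssp", "Sspb", "Unc", "Uncb", "Att", "Attb", "Pk", "Pa",
     "Oof", "UserInfo", "DevModel", "DevIMEI", "DevName", "DevOS", "DevLang",
     "Error", "S"],
    key=len, reverse=True)  # longest first, so "Sspb" wins over "Ssp" and "S"

PROTOCOL_VERSIONS = {"120": "12", "25": "2.5", "21": "2.1", "20": "2.0", "10": "1.0"}
FOLDER_TYPES = {"Em": "E-mail", "Co": "Contacts", "Ca": "Calendar", "Ta": "Tasks"}
SYNC_TYPES = {"F": "First sync", "S": "Subsequent sync",
              "R": "Recovery sync", "I": "Invalid sync"}
POLICY_ACK = {"1": "applied", "2": "partially applied", "3": "not applied"}
COUNTER = re.compile(r"(\d+)([A-Za-z])")


def parse_counters(value):
    """Turn a Cli/Svr value such as '0A0C3D1F0E' into {'A': 0, ..., 'E': 0}."""
    return {letter.upper(): int(count) for count, letter in COUNTER.findall(value)}


def parse_elements(element_string):
    """Split the underscore-separated elements into an identifier -> value dict."""
    record = {}
    for token in filter(None, element_string.strip().split("_")):
        ident = next((i for i in IDENTIFIERS if token.startswith(i)), None)
        if ident is None:
            record.setdefault("unparsed", []).append(token)
            continue
        value = token[len(ident):].lstrip(":")  # colon is optional (assumption)
        key = "Svr" if ident == "Srv" else ident
        record[key] = parse_counters(value) if key in ("Cli", "Svr") else value
    return record


def decode(record):
    """Translate the coded values using the value/meaning lists in Table 5."""
    return {
        "protocol": PROTOCOL_VERSIONS.get(record.get("V"), "unknown"),
        "folder": FOLDER_TYPES.get(record.get("Ty"), "unknown"),
        "sync": SYNC_TYPES.get(record.get("St"), "unknown"),
        "policy": POLICY_ACK.get(record.get("Pa"), "not reported"),
    }


def findings(record):
    """Return the conditions in one parsed record that deserve a closer look."""
    out = []
    if record.get("Pa") in ("2", "3"):
        out.append("policy " + POLICY_ACK[record["Pa"]])
    if record.get("St") == "I":
        out.append("invalid sync")
    errors = record.get("E", "0")
    if errors.isdigit() and int(errors) > 0:
        out.append(errors + " error(s) in request")
    return out


# Constructed sample element strings (not taken from a real log).
SAMPLES = [
    "V120_Ty:Em_Fid:37_Fc1_Filt2_St:S_Sk:906_Cli:0A0C3D1F0E_Svr:2A0C2D1F0E_Pa1",
    "V25_Ty:Ca_Fid:12_Fc1_Filt4_St:I_Sk:1_Svr:0A0C0D0F0E_Pk1000_Pa3_E2_DevOS:ExampleOS",
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_elements(line)
        print(decode(rec), findings(rec) or "no findings")
```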

    For More Information

    or more information about reporting for Exchange Acti#e"!nc( see the follo'ing:

    Export%Acti#e"!nc)og

    &o' to @enerate Exchange Acti#e"!nc ,eports

    Overvie of POP( an) I'AP*

    his section describes the Post 5ffice Protocol #ersion ; 1P5P; and *nternet Message

    Access Protocol 6ersion =re# 1*MAP= functionalit! for Microsoft Exchange "er#er 2007$

    8! default( P5P; and *MAP= are disabled in Exchange 2007$ o use these protocols( !ou

    must first start the P5P; and *MAP= ser#ices on the computer that is running Exchange 2007

    that has the Client Access ser#er role installed$

    POP( an) I'AP* ProtocolsMessaging s!stems that are based on P5P; and *MAP= are best suited for home and

    personal use 'here reuirements for data reco#erabilit! and securit! are lo'$ P5P; 'as

    designed to support offline mail processing$ -ith P5P;( e%mail messages are remo#ed from

    the ser#er and put on the local P5P; client$ his puts the data management and securit!

    responsibilit! in the hands of the user$ *MAP= offers offline and online access( but li3e P5P;(

    *MAP= does not offer ad#anced collaboration features such as scheduling and group

    scheduling and tas3 and contact management$

    >

  • 8/12/2019 Planning For Exchange Server 2007 Client Access Servers

    59/144

    'anaging POP(FI'AP* "eat#res-ith Exchange 2007( !ou can manage all the ser#er settings for P5P; and *MAP= b! using

    the Exchange Management "hell$ or more information about ho' to use the Exchange

    Management "hell to manage P5P; and *MAP=( see Managing P5P; and *MAP=$

    Note:

    here is no user interface in the Exchange Management Console for P5P; and

    *MAP=$ o manage these protocols( !ou must use the Exchange Management "hell$

    "or 'ore Information

    or more information about ho' to enable P5P; and *MAP= for use 'ith

    Exchange 2007( see Enabling P5P; and *MAP= on a Client Access "er#er$

    or more information about managing the client functionalit! a#ailable in

    Exchange 2007 for P5P; and *MAP=( see Managing P5P; and *MAP=$

    Overview of Outlook Web Access

    By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, you enable Microsoft Office Outlook Web Access. Outlook Web Access lets you access your Exchange 2007 mailbox from any Web browser.

    Overview of Outlook Web Access

    Outlook Web Access has been redesigned for Exchange Server 2007 to create a new look, add new features, and improve usability. For more information about Outlook Web Access features, see Client Features in Outlook Web Access.

    Managing Outlook Web Access

    When you install the Client Access server role, four default virtual directories are created to enable access to content that is stored on Exchange servers by using a Web browser. Of the four virtual directories, the virtual directory named owa is used most frequently. For more information about Outlook Web Access virtual directories, see Managing Outlook Web Access Virtual Directories in Exchange Server 2007.

    In Exchange 2007, the most common Outlook Web Access management tasks can be accomplished in the Exchange Management Console. All these tasks, and many other tasks, can be accomplished by using the Exchange Management Shell. You will still have to use tools such as Internet Information Services (IIS) Manager for some tasks, such as configuring Secure Sockets Layer (SSL) or setting up simple URLs for users.

    For more information about how to manage Outlook Web Access, see the following:

    - Managing Outlook Web Access
    - Managing Outlook Web Access Security

    Overview of Outlook Anywhere

    The Outlook Anywhere feature for Microsoft Exchange Server 2007 lets your Microsoft Office Outlook 2007 and Outlook 2003 clients connect to their Exchange servers over the Internet by using the RPC over HTTP Windows networking component. This section describes the Outlook Anywhere feature and the benefits of using Outlook Anywhere.

    Outlook Anywhere and Exchange 2007

    Exchange Server 2003 enabled users to use the Windows RPC over HTTP Proxy component to access their Exchange information from the Internet. This technology wraps remote procedure calls (RPCs) with an HTTP layer. This allows the traffic to traverse network firewalls without requiring RPC ports to be opened. Exchange 2007 builds on this functionality and greatly reduces the difficulty of deploying and managing this feature. To deploy Outlook Anywhere in your Exchange messaging environment, you just have to enable at least one Client Access server by using the Enable Outlook Anywhere Wizard.

    Benefits of Using Outlook Anywhere

    There are several benefits to using Outlook Anywhere to enable Outlook 2003 and Outlook 2007 clients to access your Exchange messaging infrastructure. The benefits are as follows:

    - Remote access to Exchange servers from the Internet.
    - You can use the same URL and namespace that you use for Microsoft Exchange ActiveSync and Outlook Web Access.
    - You can use the same Secure Sockets Layer (SSL) server certificate that you use for both Outlook Web Access and Exchange ActiveSync.
    - Unauthenticated requests from Outlook cannot access Exchange servers.
    - Clients must trust the certification authority that issues the certificate.
    - You do not have to use a virtual private network (VPN) to access Exchange servers across the Internet.

    You must allow only port 443 through your firewall, because Outlook requests use HTTP over SSL. If you already use Outlook Web Access with SSL or Exchange ActiveSync with SSL, you do not have to open any additional ports from the Internet.

    Deploying Outlook Anywhere

    Deploying Outlook Anywhere for your organization is now a straightforward process. The following recommendations should be followed to successfully deploy Outlook Anywhere:

    - Use at least one Client Access server per site: In Exchange 2007, a site is a network location with high-bandwidth connectivity between all computers. We recommend that you install at least one Client Access server in each site that is dedicated to providing client access to the Exchange 2007 computer that has the Mailbox server role installed. However, you can have multiple Client Access servers in each site for increased performance and reliability.
    - Enable Outlook Anywhere on at least one Client Access server: We recommend that you have one Client Access server in each site that has Outlook Anywhere enabled. This lets Outlook 2007 clients connect to the Client Access server that is closest to a user's mailbox. Users will connect to the Client Access server that is in the site together with the Mailbox server that contains their mailbox by using HTTPS. This minimizes the risk associated with using remote procedure calls (RPCs) across the Internet. Using RPCs across the Internet can adversely affect performance.

    For more information about how to enable Outlook Anywhere, see How to Enable Outlook Anywhere.

    Managing Outlook Anywhere

    You can manage Outlook Anywhere by using the Exchange Management Console or the Exchange Management Shell. By default, when you enable Outlook Anywhere on a Client Access server, all users who have mailboxes on Exchange 2007 Mailbox servers are enabled for Outlook Anywhere. For more information about how to manage Outlook Anywhere, see Managing Outlook Anywhere.

    Coexistence

    Outlook Anywhere can be used in environments where Exchange 2003 is still being used. If you have users who have mailboxes located on Exchange 2003 servers, and these users are using Outlook 2007 or Outlook 2003, you must configure these clients manually. For more information about Outlook Anywhere coexistence, see How to Configure Outlook Anywhere with Exchange 2003.

    Recommendations for Outlook Anywhere

    This section provides recommendations for using Outlook Anywhere in your Exchange infrastructure.

    We recommend that you use the following configuration when you use Exchange with Outlook Anywhere:

    - NTLM authentication over Secure Sockets Layer

    - The certificate date is incorrect.

    Therefore, you must make sure that the client computers trust the certification authority. Additionally, if you use your own certification authority, when you issue a certificate to your Client Access server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the Client Access server that is available on the Internet. For example, the Common Name field or the Issued to field must contain a name that resembles mail.contoso.com. These fields cannot contain the internal fully qualified domain name of the computer. For example, they cannot contain a name that resembles mycomputer.contoso.com.

    For More Information

    For more information about Outlook Anywhere, see the following:

    - Overview of Outlook Anywhere
    - Managing Outlook Anywhere
    - Deploying Outlook Anywhere

    Overview of the Autodiscover Service

    Microsoft Exchange Server 2007 includes a new Microsoft Exchange service named the Autodiscover service. The Autodiscover service configures client computers that are running Microsoft Office Outlook 2007. The Autodiscover service can also configure supported mobile devices. The Autodiscover service provides access to Microsoft Exchange features for Outlook 2007 clients that are connected to your Microsoft Exchange messaging environment.

    The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients to automatically connect to Microsoft Exchange features, such as the offline address book, the Availability service, and Unified Messaging (UM). Additionally, these Exchange features must be configured correctly to provide external access for Outlook 2007 clients. For more information, see How to Configure Exchange Services for the Autodiscover Service.

    The Autodiscover service uses a user's e-mail address and password to provide profile settings to Outlook 2007 clients and supported mobile devices. If the Outlook 2007 client is joined to the domain, the user's domain account is used.

    Note:
    The Autodiscover service is available for Outlook 2007 clients and some mobile devices. Earlier versions of Outlook, including Microsoft Outlook 2003, cannot use the Autodiscover service.

    The SCP object contains the authoritative list of Autodiscover service URLs for the forest. You can update the SCP object by using the Set-ClientAccessServer cmdlet. For more information about the Set-ClientAccessServer cmdlet, see Set-ClientAccessServer.

    Important:
    Before you save the new Active Directory object, make sure that the Authenticated Users account has Read permissions for the SCP object. If users do not have the correct permissions, they will be unable to search for and read items.

    For more information about SCP objects, see Publishing with Service Connection Points.

    Figure 4 illustrates how a client connects to a Client Access server the first time from inside the internal network.

    Figure 4 The Autodiscover service process for internal access

    For external access, the client locates the Autodiscover service on the Internet by using the primary SMTP domain address from the user's e-mail address. Depending on whether you have configured the Autodiscover service on a separate site, the Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. Figure 5 illustrates a simple topology with a client connecting from the Internet.

    Figure 5 The Autodiscover service process for external access

    When the client connects to the Active Directory directory service, the client looks for the SCP object that was created during Setup. In deployments that include multiple Client Access servers, an Autodiscover SCP object is created for each Client Access server. The SCP object contains the ServiceBindingInfo attribute that has the FQDN of the Client Access server in the form of https://CAS01/autodiscover/autodiscover.xml, where CAS01 is the FQDN for the Client Access server. By using the user credentials, the Outlook 2007 client authenticates to Active Directory and searches for the Autodiscover SCP objects. After the client obtains and enumerates the instances of the Autodiscover service, the client connects to the first Client Access server in the enumerated list and obtains the profile information in the form of XML data that is needed to connect to the user's mailbox and available Microsoft Exchange features.

    Deployment Options for the Autodiscover Service

    Deploying the Autodiscover service is only one step in making sure that your Microsoft Exchange services, such as the Availability service, can be accessed by Outlook 2007 clients. These services must be deployed and configured correctly for clients to receive the correct profile configuration information from the Autodiscover service. For more information about how to deploy your Microsoft Exchange services, see How to Configure Exchange Services for the Autodiscover Service.

    We recommend that you consider how to deploy the Autodiscover service when you plan the Client Access server infrastructure for your Exchange messaging environment.

    For more information about how to deploy the Autodiscover service, see Deployment Considerations for the Autodiscover Service.

    For More Information

    For more information about how to deploy and manage the Autodiscover service, see the following:

    - Deployment Considerations for the Autodiscover Service
    - How to Configure Exchange Services for the Autodiscover Service
    - Managing the Autodiscover Service

    Deployment Considerations for the Autodiscover Service

    The Autodiscover service for Microsoft Exchange Server 2007 provides automatic profile configuration for Microsoft Office Outlook 2007 clients that are connected to your Exchange messaging environment.

    Autodiscover Service Topology Requirements

    For the Autodiscover service to function correctly for Outlook 2007, you must make sure that your Exchange organization meets the following requirements:

    - You must have at least one Exchange 2007 Client Access server installed in your Exchange deployment. For Exchange features such as the Availability service and Unified Messaging, you must also have the Unified Messaging, Mailbox, and Hub Transport server roles installed on the Client Access server or another server.
    - The Exchange 2007 Active Directory schema must be applied to the forest where the Autodiscover service will be running.

    Connecting to the Autodiscover Service from the Internet

    If you are providing external access to Microsoft Exchange by using Outlook Anywhere (formerly known as RPC over HTTP), and you want your Outlook 2007 clients to be automatically configured by using the Autodiscover service, you must install a valid Secure Sockets Layer (SSL) certificate on the Client Access server that includes both the common name (for example, mail.contoso.com) and a Subject Alternative Name for autodiscover.contoso.com. For information about how to configure your SSL certificate to use a Subject Alternative Name, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names. Additionally, you must correctly configure your Exchange services, such as the Availability service, before the Autodiscover service can provide the correct external URLs to clients. For more information, see How to Configure Exchange Services for the Autodiscover Service.

    When the client tries to connect to your Microsoft Exchange deployment, the client locates the Autodiscover service on the Internet by using the primary SMTP domain address from the user's e-mail address. Based on whether you have configured the Autodiscover service to have a separate name from your organization's existing DNS host name, the Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. For example, if the user's e-mail address is monica@contoso.com, the Autodiscover service should be located at either https://contoso.com/autodiscover.xml or https://autodiscover.contoso.com/autodiscover/autodiscover.xml. This means that you must have a host record for the Autodiscover service added to your external DNS zone.

    For more information, see How to Configure the Autodiscover Service for Internet Access.
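The URL and certificate-name rules in this section, together with the Common Name rule in the Outlook Anywhere recommendations, can be checked before a certificate is requested. The following Python code is an added example, not Microsoft's code: the function names, the `internal_fqdns` input and the sample values are assumptions, and the Common-Name-only finding reflects RFC 2818 name matching rather than anything stated on this page.

```python
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_urls(email):
    """Return the two candidate Autodiscover URLs for an SMTP address."""
    local, sep, domain = email.strip().rpartition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an SMTP address: {email!r}")
    domain = domain.lower().rstrip(".")
    return [
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
    ]


def name_matches(host, cert_name):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return host == cert_name


def review_certificate(email, published_host, common_name, san_names,
                       internal_fqdns=()):
    """Compare certificate names with the hosts an Internet client contacts.

    Returns {'covered': [...], 'missing': [...], 'findings': [...]}.
    """
    root_host, sub_host = (urlsplit(u).hostname for u in autodiscover_urls(email))
    # Per the page: the published Client Access name and autodiscover.<domain>
    # must be on the certificate. The bare domain is reported only if present.
    required = [published_host.lower(), sub_host]
    hosts = list(dict.fromkeys(required + [root_host]))  # de-duplicate, keep order
    cert_names = [common_name, *san_names]
    covered, missing, findings = [], [], []
    for host in hosts:
        if any(name_matches(host, n) for n in cert_names):
            covered.append(host)
        elif host in required:
            missing.append(host)
            findings.append(f"{host} is not covered by any certificate name")
    # RFC 2818: when DNS SAN entries are present, clients match against them
    # and not the Common Name, so a CN-only host should be repeated as a SAN.
    if san_names:
        for host in covered:
            if not any(name_matches(host, n) for n in san_names):
                findings.append(f"{host} is only in the Common Name; add it as a SAN")
    # Per the page: the Common Name must be the Internet name, never the
    # internal FQDN of the computer.
    if common_name.lower() in {f.lower() for f in internal_fqdns}:
        findings.append(f"Common Name {common_name} is an internal FQDN")
    return {"covered": covered, "missing": missing, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: certificate names for a hypothetical contoso.com server.
    report = review_certificate(
        "monica@contoso.com", "mail.contoso.com",
        common_name="mycomputer.contoso.com",
        san_names=["autodiscover.contoso.com"],
        internal_fqdns=["mycomputer.contoso.com"],
    )
    for finding in report["findings"]:
        print(finding)
```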

    Using Multiple Sites for Internet Access to the Autodiscover Service

    We recommend hosting the Autodiscover service on a separate site if you manage a frequently visited Web site that also hosts your e-mail traffic. To host the Autodiscover service on a separate site on the same computer as other Exchange features, follow these steps:

    Note:
    You must use one IP address per site.

    1. from a certification authority (CA) that the client computer trusts. If you have decided to host the Autodiscover service on a separate site, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names.

    3.

    Therefore, if a client in the US-contoso site has a mailbox located in the Europe-contoso site and tries to locate the Autodiscover service, the client can select the service instance that has site=US-contoso or site=Europe-contoso.

    If you do not specify site scope for the Autodiscover service, the client might return the autodiscoverInternalUri parameter for the APAC-contoso site because of the slow connection to the US-contoso site.

    Note:
    If you do not configure a specific set of Active Directory sites for clients to use, Outlook 2007 will randomly select Client Access servers to use to access the Autodiscover service.

    For more information about site affinity, see How to Configure the Autodiscover Service to Use Site Affinity.

    Configuring the Autodiscover Service for Multiple Forests

    You can deploy Microsoft Exchange by using multiple forests. Two of the multiple forest deployment scenarios are the resource forest topology and the multiple trusted forest topology. The following sections describe how the Autodiscover service is used in these two deployment scenarios.

    Configuring the Autodiscover Service in a Resource Forest Topology

    If you are using a resource forest topology, user accounts reside in one forest (referred to as a user account forest) and Microsoft Exchange is deployed in a separate forest (referred to as a resource forest). In this scenario, the client contacts Active Directory in the user account forest to locate the URL for the Autodiscover service. Because the service is hosted in the resource forest, you must update Active Directory in the user account forest to include the information that Active Directory requires to enable the client to access the resource forest. To do this, you must create an Autodiscover SCP pointer record in Active Directory in the user account forest. The Autodiscover SCP pointer record includes the Lightweight Directory Access Protocol (LDAP) URL of the resource forest that the client will use to locate the Autodiscover service.

    To create the Autodiscover SCP pointe