Re: Client application cannot connect to server



On Sep 7, 9:50 am, James H. <Jam...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I am developing a client application for Windows Mobile 5.0. I have completed
the development and everything works as expected in the developing
environment on the emulator. When I move to an actual device, i.e., Motorola Q, every aspect of the application works except for connecting to the server.
To make things even stranger, I can connect to the server from the device
when the device is connected to the PC using ActiveSync. Can anyone provide
any help as to why my application I am testing is not able to connect to a
server as expected when the device is not connected using ActiveSync?? Is it
a security issue, or what??

Thanks,

James

Taking a guess here, but because the device is mirroring your PC, and
the PC already has the correct config for the Business Server, it
has no problem connecting via ActiveSync.

I believe you will find your issue in the ports which are opened or
not opened for your new device on the server side. I hope this
information helps... If you have an IT department then they need to
give you permission and may have to start the Windows Mobile
capability on the servers. You may want to forward this information on
to that department.


Step-by-Step Guide to Deploying Windows Mobile-based Devices with
Microsoft Exchange Server 2003 SP2
Network Architecture Alternatives
Published: December 22, 2006

The choices that you have made in your network configuration and
network design may impact the steps that you will need to take to
upgrade your system to accommodate direct push technology and the
Messaging & Security Feature Pack management features.
Deployment Options

The following table introduces some of the most common deployment
configurations with the unique considerations for each.

Follow the links to deployment documentation for each configuration.
Setup Type / Description / Consideration

ISA Server as an advanced firewall in a workgroup in perimeter network

  Description:
  · All of the Exchange servers are within the corporate network.
  · Set up FBA or Basic authentication for Exchange ActiveSync, so all
    clients negotiate an SSL link before connecting.
  · ISA server acts as the advanced firewall in the perimeter network
    that is exposed to Internet traffic.
  · ISA Server 2006 directly communicates with LDAP and RADIUS servers.
    LDAP Authentication:
    · LDAP, LDAPS, LDAP-GC, and LDAPS-GC are supported.
    · Every domain controller is an LDAP server. The LDAP server has a
      store of the Active Directory users' credentials.
    · Because each domain controller can only authenticate the users in
      its domain, ISA Server by default queries the global catalog for a
      forest to validate user credentials.
    RADIUS Authentication:
    · RADIUS provides credentials validation.
    · ISA Server is the RADIUS client, depending upon the RADIUS
      authentication response.
    · Password changes are not possible.

  Consideration:
  · Client authentication is possible with Windows, Kerberos, LDAP,
    LDAPS, RADIUS, or RSA SecurID.
  · Requires port 443 opened on the firewall for inbound and outbound
    Internet traffic.
  · Requires a digital certificate in order to connect to the
    Configuration Storage server.
  · In case of firewall failure, domain and Active Directory are
    inaccessible.
  · Domain administrators do not have access to the firewall array.
  · Workgroup clients cannot use Windows authentication.
  · Requires management of mirrored accounts for monitoring arrays.
  · For an overview of the process, see Deploying a Mobile Messaging
    Solution with Windows Mobile 5.0-based Devices.

ISA Server 2006 domain-joined in perimeter network

  Description:
  · Exchange FE in the Enterprise forest.
  · As a domain member, ISA Server 2006 integrates with Active Directory.

  Consideration:
  · Additional ports on the internal firewall opened to facilitate
    domain member communication to Active Directory.
  · Simplified deployment and administration of ISA Server arrays
    within the domain.
  · Vulnerability of access across the domain in case of firewall
    failure.
  · See Publishing Exchange Server 2003 with ISA Server 2006.

Firewall in separate domain with one-way trust

  Description:
  · Exchange FE in the Enterprise forest.
  · ISA Server 2006 as domain controller of its own DMZ forest.
  · One-way trust created, so the DMZ forest trusts the Enterprise
    forest accounts.
  · ISA Server 2006 authenticates requests at the ISA edge.

  Consideration:
  · All Exchange traffic is preauthenticated, reducing surface area and
    risk.
  · Scales well across an Enterprise solution.
  · For detailed instructions, see Using ISA Server 2004 with Exchange
    Server 2003:
    http://www.microsoft.com/technet/isa/2004/plan/exchage2003.mspx

Third Party Firewall

  Description:
  · Configure as an advanced firewall or surrounding a perimeter network.
  · Encrypt all traffic between the mobile device and Exchange Server
    with SSL.
  · Open port 443 inbound on each firewall between the mobile device and
    Exchange Server.
  · Set Idle Session Timeout time to 30 minutes on all firewalls and
    network appliances on the path between the mobile device and the
    Exchange FE server to facilitate direct push technology.

  Consideration:
  · Consult firewall manufacturer documentation for instructions on
    opening port 443 inbound and setting the Idle Session Timeout time.

Single Exchange 2003 Server

  Description:
  · Single Exchange Server within the corporate network, behind a
    firewall.
  · Exchange Server ActiveSync accesses the Exchange virtual directory
    via port 80 using Kerberos authentication.

  Consideration:
  · Simple deployment for small to medium business.
  · Requires the following setup steps on the ExAdmin virtual directory:
    · Turn off SSL Required
    · Use Windows Integrated authentication
  · If using RSA SecurID, update the RSA Authentication Agent to ensure
    compatibility with direct push technology.
  · For details, see Deployment on a Single-Server.
  · See also: Microsoft KB article, "Exchange ActiveSync and Outlook
    Mobile Access errors occur when SSL or forms-based authentication is
    required for Exchange Server 2003."
    http://go.microsoft.com/fwlink/?LinkId=62660

Windows Small Business Server 2003

  Description:
  · Exchange traffic is routed to the server running Windows SBS with
    port 443 open inbound.
  · Exchange FE is behind the following firewalls:
    · ISA Server, which is included in Windows SBS Premium Edition
    · The built-in Routing and Remote Access firewall in Windows SBS
    · The UPnP hardware firewall
  · Certificates installed on devices provide SSL encryption and access.

  Consideration:
  · Exchange ActiveSync and ISA Server are integrated with Windows Small
    Business Server 2003, providing simplified deployment.
  · Requires desktop ActiveSync installed on a client computer.
  · See Deploying Windows Mobile 5.0 with Windows Small Business Server
    2003.

Exchange FE in the perimeter network
(This option is not recommended for new mobile messaging solutions.)

  Description:
  · Exchange FE is in the perimeter network with firewalls between it
    and the Internet and the corporate network.

  Consideration:
  · Additional firewall ports opened to enable direct push and
    facilitate connection between FE and BE servers:
    · Open port 443 inbound on the external firewall
    · UDP port 2883 open on the firewall between the Exchange FE and BE.
  · See Deployment with the Front End Server in a Perimeter Network.
ISA Server 2006 as an Advanced Firewall in a Perimeter Network

In this configuration, all of the Exchange servers are within the
corporate network and the ISA server acts as the advanced firewall in
the perimeter network that is exposed to Internet traffic. This adds
an additional layer of security to your network.

All incoming Internet traffic bound to your Exchange servers - for
example, Microsoft Office OWA and remote procedure call (RPC) over
HTTP communication from Microsoft Office Outlook 2003 clients - is
processed by the ISA server. When the ISA server receives a request
from an Exchange server, the ISA server terminates the connection and
then proxies the request to the appropriate Exchange servers that are
on your internal network. The Exchange servers on your network then
return the requested data to the ISA server, which sends the
information to the client through the Internet.

During installation of the ISA server, Microsoft recommends that you
enable Secure Sockets Layer (SSL) encryption, and designate 443 as the
SSL port. This leaves the 443 port open as the "Web Listener" to
receive Internet traffic. Microsoft also recommends that you set up
basic authentication for Exchange ActiveSync, and that you require all
clients to successfully negotiate an SSL link before connecting to the
Exchange ActiveSync site directories. If you follow these
recommendations, the Internet traffic that flows into and out of the
443 port will be more protected.

When configured in Web-publishing mode, ISA Server 2006 will provide
protocol filtering and hygiene, denial of service (DoS) and
distributed denial of service (DDoS) protection, and
pre-authentication.

The following illustration shows the recommended Exchange Server 2003
deployment for mobile messaging with ISA Server 2006.
[Illustration: Web Site Properties]
Authentication in ISA Server 2006

Users can be authenticated using built-in Windows, LDAP, RADIUS, or
RSA SecurID authentication. Front-end and back-end configuration has
been separated, providing for more flexibility and granularity. Single
sign on is supported for authentication to Web sites. Rules can be
applied to users or user groups in any namespace.

For most Enterprise installations, ISA Server 2006 with LDAP
authentication is recommended. In addition, ISA Server 2006 enables
certificate-based authentication with Web publishing. For more
information, see Authentication in ISA Server 2006 on Microsoft
TechNet Web site.

The following table summarizes some of the features of ISA Server
2006:
Feature / Description

Support for LDAP authentication
  LDAP authentication allows ISA Server to authenticate to Active
  Directory without being a member of the domain. See
  http://www.microsoft.com/technet/isa/2006/secure_web_publishing.mspx

Delegation of Basic authentication
  Published Web sites are protected from unauthenticated access by
  requiring the ISA Server 2006 firewall to authenticate the user before
  the connection is forwarded to the published Web site. This prevents
  exploits from unauthenticated users from reaching the published Web
  server.

SecurID authentication for Web Proxy clients
  ISA Server 2006 can authenticate remote connections using SecurID
  two-factor authentication. This provides a high level of
  authentication security because a user must know something and have
  something to gain access to the published Web server.

RADIUS support for Web Proxy client authentication
  With ISA Server 2006, you can authenticate users in Active Directory
  and other authentication databases by using RADIUS to query Active
  Directory. Web publishing rules can also use RADIUS to authenticate
  remote access connections.

Session management
  ISA Server 2006 includes improved control of cookie-based sessions to
  provide for better security.

Certificate Management
  ISA Server 2006 is improved to simplify certificate management and
  reduce the total cost of ownership associated with using certificates
  when publishing Web sites. It is possible to utilize multiple
  certificates per Web listener and to use different certificates per
  array member.
LDAP Authentication with ISA Server 2006

ISA Server 2006 supports Lightweight Directory Access Protocol (LDAP)
authentication. LDAP authentication is similar to Active Directory®
directory service authentication, except that the ISA Server computer
does not have to be a member of the domain. ISA Server connects to a
configured LDAP server over the LDAP protocol to authenticate the
user. Every Windows domain controller is also an LDAP server, by
default, with no additional configuration changes required. By using
LDAP authentication, you get the following benefits:
· A server running ISA Server 2006 Standard Edition or ISA Server 2006
  Enterprise Edition array members in workgroup mode. When ISA Server is
  installed in a perimeter network, you no longer need to open all of
  the ports required for domain membership.
· Authentication of users in a domain with which there is no trust
  relationship.

Instructions for configuring ISA Server for LDAP authentication are
included in this document in Step 5: Install and Configure ISA Server
2006 or Other Firewall. For more information about configuring ISA
Server for LDAP authentication, see "Secure Application Publishing" at
the Microsoft TechNet Web site.
Deployment with ISA Server in a Perimeter Network

In this configuration, the mobile device utilizes the mobile
operator's cellular data network to communicate using the Internet to
an outer firewall that the organization uses to restrict traffic. The
outer firewall port forwards the EAS traffic (via SSL port 443)
inbound to the inner third party device to forward to the Exchange
Server 2003 for processing.

The figure below illustrates an end-to-end example of a typical over
the air Exchange ActiveSync deployment.
[Illustration: Exchange ActiveSync Deployment]

To ensure that Microsoft Exchange ActiveSync functions correctly in
this scenario, Microsoft recommends that port 443 inbound be opened on
both third party firewall products so that the Windows Mobile device
can communicate directly with the Exchange Server. This is a network
requirement for Exchange ActiveSync to work properly whether using
Microsoft direct push technology (default setting) and/or Always
Up-to-Date Notifications (optional).
Deployment on a Single-Server

If your mobile messaging solution uses a single Exchange server, you
may have to establish some special configurations to avoid conflicts
on the virtual directory.
SSL Requirements and Forms-based Authentication

In a single-server configuration, Exchange Server ActiveSync accesses
the Exchange virtual directory via port 80 by using Kerberos
authentication. Exchange ActiveSync cannot access the Exchange virtual
directory if either of the following conditions is true:
· The Exchange virtual directory is configured to require SSL.
· Forms-based authentication is configured.

For more information about, and workarounds for, these configurations,
see the following article in the Microsoft Knowledge Base:

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or
forms-based authentication is required for Exchange Server 2003.
http://go.microsoft.com/fwlink/?LinkId=62660
Settings Required for Exchange ActiveSync Mobile Administration Web
Tool Installation

When deployed in a single-server configuration, the Exchange
ActiveSync Mobile Administration Web tool requires the default
configuration on the ExAdmin virtual directory. By default, SSL is not
turned on and the virtual directory has Windows Integrated
authentication.

In a single-server configuration, we recommend that you do the
following on the ExAdmin virtual directory:
· Turn off SSL Required
· Use Windows Integrated authentication
Note

The Exchange ActiveSync Mobile Administration Web tool should run in
the ExchangeAppPool.

For more information, see the following article in the Microsoft
Knowledge Base: http://support.microsoft.com/kb/916960/en-us

Error message when you try to use the Microsoft Exchange Server
ActiveSync Web Administration tool to delete a partnership or to
perform a Remote Wipe operation on a mobile device in Exchange Server
2003 SP2: "(401) Unauthorized".
RSA SecurID Compatibility

RSA SecurID provides token-based authentication that requires user
input and was not compatible with direct push technology, in which the
device synchronizes automatically. RSA has updated the RSA
Authentication Agent for Windows so that direct push technology and
scheduled synchronization features function smoothly.

ISA Server 2006 works with SecurID token authentication. See the ISA
Server 2006 documentation.

If you are using the RSA SecurID product, be sure to get the latest
RSA SecurID software from the RSA Security Web site:
http://go.microsoft.com/fwlink/?LinkId=63273.
Forms-based Authentication

If you have forms-based authentication set up on an Exchange
organization for Exchange ActiveSync on an Exchange Server with no
back-end, additional configurations may be required. For more
information about these configurations, see the following article in
the Microsoft Knowledge Base:

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or
forms-based authentication is required for Exchange Server 2003.
Note

Exchange Server 2003 SP2 forms-based authentication does not allow you
to set the default domain setting in IIS to anything other than the
default domain setting of \. This restriction is in place in order to
support user logons that use the User Principal Name format. If the
default domain setting in IIS is changed, Exchange System Manager
resets the default domain setting to "\" on the server.

You can change this behavior by customizing the Logon.asp page in the
OWA virtual directory in IIS to specify your domain or to include a
list of domain names. However, if you customize the Logon.asp page in
the OWA virtual directory in IIS, your changes may be overwritten if
you upgrade to, or re-install, Exchange Server 2003 SP2.
Deployment with the Exchange Front End Server in a Perimeter Network

If your deployment configuration has the Front-End Exchange server
inside the DMZ or perimeter network, you may have to change the
firewall settings to facilitate the direct push technology.
Note

This option is not recommended for new mobile messaging solutions.

With direct push technology, whenever the back end server receives
e-mail or data to be transmitted to a mobile device, it sends a UDP
notification to the front-end server. This transmission requires that
UDP port 2883 be open on the firewall to allow one-way traffic from
the back-end server to the front-end server.

For more information about the deployment of direct push technology
and its impact on firewall configuration, see the Exchange Server blog
article "Direct push is just a heartbeat away" at
http://go.microsoft.com/fwlink/?LinkId=67080.

For more information about configuring a front-end server in the DMZ,
see "Front-End and Back-End Server Topology Guide for Exchange Server
2003 and Exchange 2000 Server" at http://go.microsoft.com/fwlink/?LinkId=62643.
VPN Configuration

Windows Mobile 5.0-based devices provide native support for Virtual
Private Network (VPN) access to a corporate network based on PPTP or
L2TP/IPSec VPN protocols.

Microsoft recommends using L2TP/IPSec connections, as these
connections require both device-level authentication through
certificates and user-level authentication through a PPP
authentication protocol. L2TP/IPSec relies on the existing
infrastructure for Windows Mobile-based devices to connect to internal
company resources such as file shares, Web servers, and mobile line of
business applications. For an example deployment of VPN with Windows
Server 2003, see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpnexamp.mspx.

For more information about securing VPN access, see "How ISA Server
2004 Provides SSL VPN Functionality for Outlook Web Access and RPC
over HTTP" at http://go.microsoft.com/fwlink/?LinkID=67445.

For more information about the sign on process from a Windows Mobile
5.0-based device, see "Accessing a Corporate Network by using a VPN
Connection" in Step 8, Manage and Configure Mobile Devices.
