
White Paper: Deploying Exchange ActiveSync in Exchange Server 2007

 

Applies to: Exchange Server 2007 SP1, Exchange Server 2007

Topic Last Modified: 2009-12-23

Patricia DiGiacomo, Technical Writer, Microsoft Exchange Server

September 2007

This white paper provides the information that you need to deploy Microsoft Exchange ActiveSync for Microsoft Exchange Server 2007. It will cover configuration and management of the Exchange ActiveSync protocol, Exchange ActiveSync users, and Exchange ActiveSync devices. Much of the information in this white paper originally appeared as individual Help topics in the Exchange Server 2007 Help. In this white paper, we have consolidated the information that you need to deploy and manage Exchange ActiveSync in one central location.


Business users are increasingly on the move and many of them must access their Exchange mailbox data from any location. Exchange ActiveSync gives users access to their Exchange 2007 mailbox data on a variety of mobile devices. Users can access e-mail messages, calendar, contact, and task data and also some of their Unified Messaging data. Devices that run Windows Mobile software, including Windows Mobile 5.0 and Windows Mobile 6.0, are all supported. Exchange ActiveSync provides Direct Push which synchronizes Exchange data in near real time.

Exchange ActiveSync is a Microsoft Exchange synchronization protocol that is optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets devices such as browser-enabled cellular telephones or Windows Mobile powered devices access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile device users to access their e-mail, calendar, contacts, and tasks and to continue to be able to access this information while they are working offline.

Note:
Exchange ActiveSync can synchronize e-mail messages, calendar items, contacts, and tasks. You cannot use Exchange ActiveSync to synchronize notes in Outlook.

Exchange ActiveSync has been enhanced in Exchange 2007. The following are some new and enhanced features:

  • Support for HTML messages

  • Support for follow-up flags

  • Support for fast message retrieval

  • Meeting attendee information

  • Enhanced Exchange Search

  • Access to Windows SharePoint Services document libraries and Windows file share (also known as UNC) documents

  • PIN reset

  • Enhanced device security through password policies

  • Support for Out of Office configuration

  • Support for tasks synchronization

  • Direct Push

Note:
Most of the new features in Exchange ActiveSync require Windows Mobile 6.0 or later versions. Direct Push, tasks synchronization, and policy application are available with other mobile operating systems, including Windows Mobile 5.0 with the Messaging & Security Feature Pack.

For more information about the new features in Exchange ActiveSync, see Client Features in Exchange ActiveSync.

In earlier versions of Exchange ActiveSync, HTML-formatted e-mail was rendered as plain text on the mobile client. When a mobile device was used to reply to or forward e-mail, the whole e-mail message was converted to plain text. Exchange 2007 lets users receive, read, reply to, or forward e-mail, and keeps the HTML formatting intact.

Exchange 2007 ActiveSync lets you flag an e-mail message for follow up directly on your mobile device, exactly as if you handled the message in Microsoft Office Outlook. You can also mark a flagged message as completed. If you are using Office Outlook 2007, any items that are flagged on your mobile device will also appear in the Outlook 2007 To-Do bar.

To minimize bandwidth and save space on your mobile device, Exchange ActiveSync downloads only a part of large messages. If you want to retrieve a whole message, you do not have to wait for the next complete synchronization. You can download the rest of the message immediately.

Exchange 2007 ActiveSync synchronizes information about attendee availability to your mobile device. When you view a meeting on your mobile device, you can view the attendee status for all Microsoft Exchange users. You can also view global address list information about any attendee that you select.

By default, only three days' worth of e-mail is synchronized to your mobile device. Exchange ActiveSync lets you search for older e-mail messages that are no longer stored on your device. You can enter a search term and select a date range, search all items in a specific folder, or search all folders. When a matching item is found, that item is downloaded to your device.

You can access documents remotely from your mobile device by using Exchange 2007 and the latest Windows Mobile client. If you receive an e-mail message that contains a link to a supported document type, such as Microsoft Word or Microsoft Excel, on a Windows SharePoint Services or Windows file share path, you can follow the link and access the document.

You can configure Exchange 2007 to require that a device password be entered on mobile devices after a period of inactivity. If you forget your device password, you can unlock your device by using a device recovery password.

You can enhance the security of a Windows Mobile device by configuring additional password requirement settings, such as password history tracking, password expiration, and by prohibiting passwords that are too simple. These settings let you prevent users from creating simple passwords, such as 1234, and prevent users from keeping those simple passwords for an indefinite length of time.

You can now configure and set your Out of Office status directly from your mobile device. Exchange ActiveSync retrieves your current Out of Office settings from the Microsoft Exchange server and lets you change your Out of Office status and your Out of Office auto-reply message.

In addition to supporting the synchronization of e-mail, contacts, and calendar items, Exchange ActiveSync supports synchronization of Tasks items.

Direct Push is the method by which Exchange mailbox data is kept constantly up to date on a mobile device. For Direct Push to work, you must have a device that is Direct Push capable. These devices include the following:

  • Cellular telephones that have Windows Mobile® 5.0 and the Messaging & Security Feature Pack (MSFP) or Windows Mobile 6.0 and later versions.

  • Cellular telephones or mobile devices that are produced by Exchange ActiveSync licensees and are designed specifically to be Direct Push compatible.

By default, Direct Push is enabled in Exchange 2007. Mobile devices that support Direct Push issue a long-lived HTTPS request to the Exchange server. The Exchange server monitors activity on the user’s mailbox and sends a response to the device if a new e-mail message arrives. If changes occur within the lifespan of the HTTPS request, the Exchange server issues a response to the device that states that changes have occurred and the device should initiate synchronization with the Exchange server. The device then issues a synchronization request to the server. When synchronization is complete, a new long-lived HTTPS request is generated to start the process over again. This guarantees that e-mail messages are delivered quickly to the mobile device and that the device is always synchronized with the Exchange server.

Note:
The Exchange ActiveSync 12.1 protocol was introduced in Exchange 2007 SP1 and offers a variance in the Direct Push behavior. Newer mobile devices, such as Windows Mobile 6.1 and later versions, can take advantage of the new protocol. In the new Direct Push functionality offered in the Exchange ActiveSync 12.1 protocol, the mobile device sends a long-lived HTTPS request known as a Hanging Sync to the Exchange server. The mobile sync request is essentially parked on the server. When a new message arrives on the server, the server completes the Sync request and pushes the message directly to the device. This behavior helps reduce bandwidth and may help optimize battery consumption of the mobile device.

The following figure illustrates a typical Exchange 2007 topology that is configured for Direct Push. This figure assumes that you have the Client Access server role and the Mailbox server role installed on two separate Exchange Server computers. You can also install both server roles on the same physical Exchange 2007 computer.

Figure: Direct Push Topology (Direct Push network design)

Direct Push operates in the following way:

  1. A mobile device that is configured to synchronize with an Exchange 2007 server issues an HTTPS request to the server. This request is known as a ping. The request tells the server to notify the device if any items change in any folder that is configured to synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The mobile device will then stand by. The 15-minute time span is known as a heartbeat interval.

  2. If no items change in 15 minutes, the server returns a response of HTTP 200 OK. The mobile device receives this response, resumes activity (known as waking up), and issues its request again. This restarts the process.

  3. If any items change or new items are received within the 15-minute heartbeat interval, the server sends a response that informs the mobile device that there is a new or changed item and the name of the folder in which the new or changed item resides. After the mobile device receives this response, it issues a synchronization request for the folder that has the new or changed items. When synchronization is complete, the mobile device issues a new ping request and the whole process starts over.

Direct Push depends on network conditions that support a long-standing HTTPS request. If the carrier network for the mobile device or the firewall does not support long-standing HTTPS requests, the HTTPS request is stopped. The following steps describe how Direct Push operates when a mobile device's carrier network has a time-out value of 13 minutes.

  1. A mobile device issues an HTTPS request to the server. The request tells the server to notify the device if any items change in any folder that is configured to synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The mobile device then stands by.

  2. If the server does not respond after 15 minutes, the mobile device wakes up and concludes that the connection to the server was timed out by the network. The device reissues the HTTPS request. However, this time, the device uses a heartbeat interval of 8 minutes.

  3. After 8 minutes, the server sends an HTTP 200 OK message. The device then tries to gain a longer connection by issuing a new HTTPS request to the server that has a heartbeat interval of 12 minutes.

  4. After 4 minutes, a new e-mail message is received and the server responds with an HTTPS response that tells the device to synchronize. The device synchronizes and reissues the HTTPS request that has a heartbeat of 12 minutes.

  5. After 12 minutes, if there are no new or changed items, the server responds by sending an HTTP 200 OK message. The device wakes up and concludes that network conditions will support a heartbeat interval of 12 minutes. The device then tries to gain a longer connection by reissuing an HTTPS request that has a heartbeat interval of 16 minutes.

  6. After 16 minutes, no response is received from the server. The device wakes up and concludes that network conditions cannot support a heartbeat interval of 16 minutes. Because this failure occurred directly after the device tried to increase the heartbeat interval, it concludes that the heartbeat interval has reached its maximum limit. The device then issues an HTTPS request that has a heartbeat interval of 12 minutes because this was the last successful heartbeat interval.

The mobile device tries to use the longest heartbeat interval that the network supports. This extends battery life on the device and reduces the data that is transferred over the network. Mobile carriers can specify a maximum, minimum, and initial heartbeat value in the registry settings for the mobile device.
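The following simulation is an added example, not code from the white paper or from Microsoft: it models the heartbeat adaptation the six steps above describe, using a carrier network with a fixed idle time-out. The minimum (8), maximum (30) and probe step (4 minutes) are assumed values standing in for the carrier registry settings the text mentions; the white paper names only the 15-minute default.

```python
# Added simulation of Direct Push heartbeat adaptation (not Microsoft's code).
# Assumed carrier registry values: minimum 8, maximum 30, probe step 4 minutes.
from dataclasses import dataclass
from typing import Iterable, List, Optional

DEFAULT_HEARTBEAT = 15  # minutes; the initial interval named in the white paper


@dataclass
class HeartbeatState:
    interval: int = DEFAULT_HEARTBEAT
    last_good: Optional[int] = None  # longest interval the network has sustained
    settled: bool = False            # True once a probe beyond last_good failed


def ping_outcome(interval: int, network_timeout: int, change_pending: bool) -> str:
    """Model one ping request against a carrier network and the Exchange server.

    A pending change makes the server answer early; a network whose idle
    time-out is shorter than the heartbeat silently drops the request;
    otherwise the server answers HTTP 200 OK when the heartbeat expires.
    """
    if change_pending:
        return "change"
    if interval > network_timeout:
        return "timeout"
    return "ok"


def next_heartbeat(state: HeartbeatState, outcome: str, *,
                   minimum: int = 8, maximum: int = 30, step: int = 4) -> HeartbeatState:
    """Apply the device's rule for choosing the next heartbeat interval."""
    if outcome == "change":
        # The device synchronizes and reissues the same interval: an early
        # response says nothing about whether the full interval is sustainable.
        return state
    if outcome == "ok":
        state.last_good = state.interval
        if not state.settled and state.interval < maximum:
            state.interval = min(state.interval + step, maximum)  # probe longer
        return state
    # outcome == "timeout": the network dropped the idle request
    if state.last_good is None:
        state.interval = minimum          # nothing known to work yet: fall back
    else:
        state.interval = state.last_good  # return to the last interval that worked
        state.settled = True              # and stop probing for a longer one
    return state


def simulate(network_timeout: int, rounds: int, changes_at: Iterable[int] = (),
             **limits) -> List[int]:
    """Return the heartbeat interval issued on each round of pings."""
    changes = set(changes_at)
    state = HeartbeatState()
    issued = []
    for r in range(rounds):
        issued.append(state.interval)
        outcome = ping_outcome(state.interval, network_timeout, r in changes)
        next_heartbeat(state, outcome, **limits)
    return issued


if __name__ == "__main__":
    # Constructed scenario from the text: 13-minute carrier time-out, mail arriving
    # during the third ping. Prints [15, 8, 12, 12, 16, 12].
    print(simulate(network_timeout=13, rounds=6, changes_at={2}))
```

The run with a 13-minute network time-out reproduces the sequence in the text (15, fall back to 8, 12, 12 again after a change notification, a failed probe at 16, then 12 for good). A network that tolerates 30 minutes lets the device climb to the assumed maximum and stay there, and one with a 5-minute time-out pins the device at the assumed minimum, which is the case a carrier's registry values are meant to cover.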

For more information about Direct Push and how to synchronize mobile devices with Exchange 2007, see the following topics:

By default, when you install Exchange 2007 and the Client Access server role, Exchange ActiveSync is configured to require Secure Sockets Layer (SSL). We recommend that you do not change this setting. SSL is used to encrypt the communications between the Exchange 2007 Client Access server and the mobile device client. There are two types of security settings that you can configure for Exchange ActiveSync: encryption (SSL) and authentication. You can configure both device authentication and server authentication.

Authentication is the process by which a client and a server verify their identities before transmitting data. In Exchange 2007, authentication is used to determine whether a user or client that wants to communicate with the Exchange server is who or what it says it is. You can use authentication to verify that a device belongs to a particular individual or that a particular individual is trying to log on to Microsoft Office Outlook Web Access.

When you install Exchange 2007 and the Client Access server role, virtual directories are configured for several services. These include Outlook Web Access, the Availability service, Unified Messaging, and Exchange ActiveSync. By default, each virtual directory is configured to use an authentication method. For Exchange ActiveSync, the virtual directory is configured to use Basic authentication and SSL. You can change the authentication method for your Exchange ActiveSync server by changing the authentication method on the Exchange ActiveSync virtual directory.

There are three primary types of authentication you can choose for Exchange ActiveSync: Basic authentication, certificate-based authentication, and token-based authentication. When you install the Client Access server role on a computer that is running Exchange 2007, Exchange ActiveSync is configured to use Basic authentication with SSL. To establish the SSL connection, certificate-based authentication requires that the mobile device have a valid client certificate that was created for user authentication. In addition, the mobile device must have a copy of the trusted root certificate from the server. If you choose token-based authentication, you must work with the token vendor for configuration.

Basic authentication is the simplest method of authentication. With Basic authentication, the server requests that the client submit a user name and a password. That user name and password are sent in clear text over the Internet to the server. The server verifies that the supplied user name and password are valid and then grants access to the client. By default, this kind of authentication is enabled for Exchange ActiveSync. However, we recommend that you disable Basic authentication unless you are also deploying SSL. When you use Basic authentication over SSL, the user name and password are still sent in plain text, but the communication channel is encrypted.

Certificate-based authentication uses a digital certificate to verify an identity. Certificate-based authentication provides a second set of credentials, in addition to the user name and password, which prove the identity of the user who is trying to access the mailbox resources that are stored on the Exchange 2007 server. A digital certificate consists of two components: the private key that is stored on the device and the public key that is installed on the server. If you configure Exchange 2007 to require certificate-based authentication for Exchange ActiveSync, only devices that meet the following criteria can synchronize with Exchange 2007:

  • The device has a valid client certificate that was created for user authentication.

  • The device has a trusted root certificate for the server to which it is connecting to establish the SSL connection.

Deploying certificate-based authentication prevents users who have only a user name and password from synchronizing with Exchange 2007. As an additional level of security, the client certificate for authentication can be installed only when the device is connected to a domain-joined computer through either Desktop ActiveSync 4.5 or a later version in Microsoft Windows XP or the Windows Mobile Device Center in Microsoft Windows Vista.

A token-based authentication system is a two-factor authentication system. Two-factor authentication is based on a piece of information the user knows, such as their password, and an external device that is usually in the form of a credit card or a key fob that a user can carry with them. Each device has a unique serial number. In addition to hardware tokens, some vendors offer software-based tokens that can run on mobile devices.

Tokens work by displaying a unique number, typically six digits long, that changes every 60 seconds. When a token is issued to a user, it is synchronized with the server software. To authenticate, the user enters their user name, password, and the number that is currently displayed on the token. Some token-based authentication systems also require the user to enter a PIN.

Token-based authentication is a strong form of authentication. The disadvantage to token-based authentication is that you must install authentication server software and deploy the authentication software on every user's computer or mobile device. There is also the risk that the user can lose the external device. This can be financially costly because you would have to replace lost external devices. However, the device is useless to a third party without the original user's authentication information.

There are several companies that issue token-based authentication systems. One company is RSA. Their product, SecurID, comes in a variety of forms that includes a key fob and a credit card. A one-time authentication code is issued through the token. Each authentication code is valid for 60 seconds. Most tokens also have an expiration indicator on the device, for example, a series of dots that disappear as the length of time that the code has left decreases. This helps prevent a user from entering the correct code, only to have it expire before the authentication process is completed. After authentication has finished, the user does not have to authenticate with a new code unless they are logged off, either by choice or because the device times out because of inactivity. For more information about how to configure a token-based authentication system, see the documentation for the particular system.

By default, when you install the Client Access server role on a computer that is running Exchange 2007, an Exchange ActiveSync virtual directory is created on the default Internet Information Services (IIS) Web site on the Exchange server.

After you obtain an SSL certificate to use together with the Client Access server on the default Web site or on the Web site where you host your Exchange ActiveSync virtual directory, you can configure the Web site to require SSL. You can enable SSL for all Web sites that are hosted by the Client Access server or enable SSL only for Exchange ActiveSync.

We recommend that you use Internet Security and Acceleration (ISA) Server 2006 or Intelligent Application Gateway (IAG) 2007 to enhance the security of all available client access methods in your Exchange 2007 deployment. When you configure Exchange ActiveSync client access with ISA Server 2006 or IAG 2007, communications between the Exchange ActiveSync clients and the Exchange server computer pass through an additional layer of Secure Sockets Layer (SSL) encryption.

The following table describes several of the benefits of using ISA Server 2006 or IAG 2007 to protect client communications through Exchange ActiveSync.

ISA Server 2006 and IAG 2007 features for Exchange ActiveSync

Feature: Exchange server locations are hidden
Description: When you publish an application through ISA Server or IAG, you are protecting the server from direct external access because the name and IP address of the server cannot be viewed by the user. The user accesses the ISA Server computer or the IAG computer. These computers then forward the request to the server according to the conditions of the server publishing rule.

Feature: SSL bridging and inspection
Description: SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after ISA Server receives the client's request, ISA Server decrypts it, inspects it, and ends the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. If the secure Web publishing rule is configured to forward the request by using Secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires the published Web server to respond with a server-side certificate.

For more information visit the Microsoft Forefront Edge Security and Access Web site.

Users can take advantage of Exchange ActiveSync by selecting mobile devices that are compatible with Exchange ActiveSync. These devices are available from a variety of manufacturers. Most of these devices do not support Direct Push. However, they do support synchronization with Microsoft Exchange. For more information, see the device documentation.

Devices that are compatible with Microsoft Exchange include the following:

  • Nokia   Nokia offers Mail for Exchange on their Eseries mobile devices. E-mail, calendar, and contact data can be synchronized over a cellular network or a wireless LAN.

  • Sony Ericsson   Sony Ericsson offers Exchange ActiveSync support on several of their newer smartphone devices. They also support Direct Push through a third-party program.

  • Palm   Palm offers two smartphones that have the Windows Mobile 5.0 operating system. These devices support Direct Push. Palm also supports Exchange ActiveSync on the Treo 650 and 680 series smartphones. These devices do not support Direct Push.

  • Motorola   Motorola has its own synchronization framework that enables over-the-air synchronization through Exchange ActiveSync on a variety of its devices.

  • Symbian   Symbian Limited licenses Exchange ActiveSync for use in the Symbian operating system. This operating system is an open standard operating system for mobile telephones.

Mobile devices that have a version of Windows Mobile software as their operating system offer the greatest functionality when synchronizing with Exchange 2007. The following table illustrates some features that are available with the different versions of Windows Mobile software.

Windows Mobile software feature matrix

Windows Mobile 6.0

  Productivity enhancements:
  • Direct Push
  • HTML e-mail support
  • Message flags
  • Quick message retrieval
  • Enhanced calendar views
  • Meeting attendee information
  • Out of Office management
  • Exchange search
  • Windows SharePoint Services and Windows file share (UNC) document access

  Security enhancements:
  • Enforcement of Exchange ActiveSync mailbox policies
  • Remote device wipe
  • Certificate-based authentication
  • S/MIME support (with Exchange 2007 SP1)
  • Device storage card encryption
  • Rights management support

  Administration enhancements:
  • Detailed device monitoring
  • Error reporting

Windows Mobile powered devices with the Messaging & Security Feature Pack

  Productivity enhancements:
  • Direct Push
  • Global address book lookup
  • Task synchronization

  Security enhancements:
  • Enforcement of Exchange ActiveSync mailbox policies
  • Remote device wipe
  • Certificate-based authentication
  • S/MIME support (with Exchange 2007 SP1)

  Administration enhancements:
  • Microsoft Operations Manager integration and reporting
  • Diagnostic tasks and health monitoring

All Windows Mobile powered devices

  Productivity enhancements:
  • Synchronization of e-mail messages, calendar, and contact data

  Security enhancements:
  • Secure Sockets Layer (SSL) encryption
  • Basic authentication
  • Integration with Internet Security and Acceleration (ISA) Server

  Administration enhancements:
  • Microsoft Operations Manager integration and reporting
  • Diagnostic tasks and health monitoring

For more information about how to manage Windows Mobile powered devices, visit the Windows Mobile Center Web site.

There are several device security features that you can implement to increase the security of your Exchange ActiveSync communications. These features include Remote Device Wipe and Exchange ActiveSync mailbox policies.

Mobile devices can store sensitive corporate data and provide access to many corporate resources. If a device is lost or stolen, that data can be compromised. Through Exchange ActiveSync policies, you can add a password requirement to your mobile devices. This requires that users enter a password to access their device. We recommend that, in addition to requiring a device password, you configure your devices to automatically prompt for a password after a period of inactivity. The combination of a device password and inactivity locking provides more security for your corporate data.

In addition to these features, Exchange 2007 provides remote device wipe. You can issue a remote wipe command from the Exchange Management Shell. Users can issue their own remote wipe commands from the Outlook Web Access user interface.

The remote device wipe feature also includes a confirmation function that writes a timestamp in the sync state data of the user's mailbox. This timestamp is displayed in Outlook Web Access and in the user's mobile device properties dialog box in the Exchange Management Console.

Important:
In addition to resetting the device to factory default condition, a remote device wipe also deletes any data on any storage card that is inserted in the device. If you are performing a remote device wipe on a device in your possession and want to keep the data on the storage card, remove the storage card before you initiate the remote device wipe.

Local device wipe is the mechanism by which a device wipes itself without the request coming from the server. If your organization has implemented Exchange ActiveSync policies that specify a maximum number of password attempts and that maximum is exceeded, the device will perform a local device wipe. The result of a local device wipe is the same as that of a remote device wipe. The device is returned to its factory default condition. When a device performs a local device wipe, no confirmation is sent to the Exchange server.

In Exchange 2007 you can create Exchange ActiveSync mailbox policies to apply a common set of policies or security settings to a collection of users. After you deploy Exchange ActiveSync in your Exchange 2007 organization, you can create new Exchange ActiveSync mailbox policies or modify existing policies. This section discusses Exchange ActiveSync mailbox policies and how they can be managed in your Exchange 2007 organization. The following table provides a listing of the various Exchange ActiveSync mailbox policy settings available in Exchange Server 2007.

Exchange ActiveSync Mailbox Policy Settings

  • Allow non-provisionable devices   Allows older devices (those that do not support application of all policy settings) to connect to Exchange 2007 by using Exchange ActiveSync.

  • Allow simple password   Enables or disables the ability to use a simple password such as 1234. The default value is $true.

  • Alphanumeric password required   Requires that a password contains numeric and non-numeric characters.

  • Attachments enabled   Enables attachments to be downloaded to the mobile device.

  • Device encryption enabled   Enables encryption on the device.

  • Password enabled   Enables the device password.

  • Password expiration   Enables the administrator to configure a length of time after which a device password must be changed.

  • Password history   The number of past passwords stored in the user's mailbox. A user cannot reuse a password that was previously stored.

  • Policy refresh interval   Defines how frequently the device updates the Exchange ActiveSync policy from the server.

  • Maximum attachment size   Specifies the maximum size of attachments that are automatically downloaded to the device.

  • Maximum failed password attempts   Specifies how many times an incorrect password can be entered before the device performs a wipe of all data.

  • Maximum inactivity time lock   Specifies the length of time that a device can go without user input before it locks.

  • Minimum password length   Specifies the minimum password length.

  • Password recovery   Enables the device password to be recovered from the server.

  • UNC file access   Enables access to files that are stored on Windows file (also known as UNC) shares.

  • WSS file access   Enables access to files that are stored on Microsoft Windows SharePoint Services sites.
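The following Python is an added example, not Exchange's or Windows Mobile's own implementation: a device-side model of the password-related policy settings in the table above (simple password, alphanumeric requirement, minimum length, password history, maximum failed attempts) together with the local device wipe that the earlier section describes when the failed-attempt maximum is exceeded. The test for a "simple" password (one repeated character, or digits stepping by exactly one, such as 1234 or 4321), the default values, and the use of PBKDF2 to store the password history are assumptions made for the illustration.

```python
# Added device-side model of Exchange ActiveSync mailbox policy enforcement and
# local device wipe (illustrative; not the product's actual code or rules).
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List


@dataclass
class ActiveSyncPolicy:
    password_enabled: bool = True
    allow_simple_password: bool = False
    alphanumeric_required: bool = True
    min_password_length: int = 6
    password_history: int = 4        # previous passwords that may not be reused
    max_failed_attempts: int = 8     # local device wipe after this many failures


def is_simple(password: str) -> bool:
    """Assumed heuristic: one repeated character, or digits stepping by exactly 1."""
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return password.isdigit() and steps in ({1}, {-1})


@dataclass
class Device:
    policy: ActiveSyncPolicy
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: List[bytes] = field(default_factory=list)  # hashed passwords, newest last
    failed_attempts: int = 0
    wiped: bool = False

    def _digest(self, password: str) -> bytes:
        # Assumed storage form: salted PBKDF2 so the history never holds plain text.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _in_history(self, digest: bytes) -> bool:
        return any(hmac.compare_digest(digest, old) for old in self.history)

    def set_password(self, password: str) -> List[str]:
        """Validate against the policy; return the violations (empty list on success)."""
        p = self.policy
        violations = []
        if not p.allow_simple_password and is_simple(password):
            violations.append("simple password not allowed")
        has_digit = any(c.isdigit() for c in password)
        has_other = any(not c.isdigit() for c in password)
        if p.alphanumeric_required and not (has_digit and has_other):
            violations.append("password must contain numeric and non-numeric characters")
        if len(password) < p.min_password_length:
            violations.append(f"password shorter than {p.min_password_length} characters")
        digest = self._digest(password)
        if self._in_history(digest):
            violations.append("password was used recently")
        if not violations:
            self.history.append(digest)
            # Keep the current password plus the policy's number of past ones.
            self.history = self.history[-max(p.password_history, 1):]
        return violations

    def unlock(self, password: str) -> str:
        """Return 'unlocked', 'denied' or 'wiped'. A local wipe sends no confirmation to the server."""
        if self.wiped:
            return "wiped"
        if not self.policy.password_enabled:
            return "unlocked"
        if self.history and hmac.compare_digest(self._digest(password), self.history[-1]):
            self.failed_attempts = 0
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_failed_attempts:
            self.wiped = True
            self.history.clear()          # factory default: device data is gone
            return "wiped"
        return "denied"


if __name__ == "__main__":
    # Constructed policy: short history and a low attempt limit to show both effects.
    device = Device(ActiveSyncPolicy(password_history=2, max_failed_attempts=3))
    print(device.set_password("1234"))        # three violations
    print(device.set_password("Pass1234"))    # []
    print([device.unlock("guess") for _ in range(3)])  # ['denied', 'denied', 'wiped']
```

Two points the model makes visible: the history check compares hashes, so it never needs the old passwords in clear, and the wipe path returns without telling anyone, which is exactly why the confirmation timestamp described for a remote wipe has no counterpart here.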

A wide variety of mobile devices can synchronize with Exchange 2007. Most mobile devices that synchronize with Exchange 2007 are cellular telephones. These devices can run operating systems such as Windows Mobile, Symbian, Palm, and Nokia. For an overview of the different mobile devices that are enabled for Exchange ActiveSync, see Understanding Mobile Devices.

Regardless of the type of device that you select, there are two primary ways to connect to Exchange 2007: by using cellular connectivity and by using wireless connectivity. This section provides an overview of the two connectivity options.

All mobile devices that are enabled for Exchange ActiveSync can use cellular connectivity to synchronize with Exchange 2007. There are several different types of cellular data networks. Regardless of the type of cellular data network that your mobile device uses, the method of synchronization is the same. If the operating system of your device is Windows Mobile 5.0 with the Messaging & Security Feature Pack or Windows Mobile 6.0, synchronization is achieved through Direct Push. If your device has another operating system, manual synchronization is used. When a device uses Direct Push to synchronize with Exchange 2007, it establishes a long-standing HTTPS connection with the Exchange server. When the connection is first established, the device sets an interval that is known as a heartbeat interval. The default heartbeat interval is 15 minutes. If any new messages are added to monitored folders on the Exchange server within this heartbeat interval, the server informs the device and the device initiates synchronization. When synchronization is complete, a new HTTPS request is initiated and the process is repeated. For more information about Direct Push, see Understanding Direct Push.

Cellular data plans can charge by the minute, by the megabyte, or offer unlimited data transfer. When you use a cellular data connection with Exchange 2007 Direct Push, we recommend purchasing an unlimited data plan.

Many of the mobile devices that are enabled for Exchange ActiveSync can connect to a wireless LAN. Connecting to a wireless LAN can provide faster network speeds and better coverage in areas where cellular coverage is unreliable. In addition, wireless access is sometimes offered at commercial locations such as coffee shops and bookstores. The primary disadvantage to using wireless connectivity is that Direct Push will not work over a wireless LAN. Users who connect over a wireless LAN can perform manual synchronizations or configure scheduled synchronizations as frequently as every five minutes.

In an Exchange 2007 organization, an Exchange 2007 computer that has the Client Access server role installed can act as a proxy for other Client Access servers within the organization. This is useful when multiple Client Access servers are present in different Active Directory sites in an organization and only one is exposed to the Internet.

A Client Access server can also perform redirection for Microsoft Office Outlook Web Access URLs. Redirection is useful when a user is connecting to a Client Access server that is not in their local Active Directory site.

This section explains proxying and redirection, when each is used, and how to configure your Client Access servers for each scenario.

noteNote:
If you do not have multiple Active Directory sites in your organization, you do not have to configure Exchange 2007 for proxying or redirection.
noteNote:
Client Access servers that are not exposed to the Internet do not have to have separate Secure Sockets Layer (SSL) certificates. They can use the self-signed certificate that is installed by default with Exchange 2007.

An Exchange 2007 Client Access server can proxy requests in the following two situations:

  • Between Exchange 2007 Client Access servers   Proxying requests between two Exchange 2007 Client Access servers enables organizations that have multiple Active Directory sites to designate one Client Access server as an Internet-facing server and have that server proxy requests to Client Access servers in sites that have no Internet presence. The Internet-facing Client Access server then proxies the request to the Client Access server that is closest to the user's mailbox. This is known as CAS-CAS proxying.

  • Between an Exchange 2007 Client Access server and an Exchange Server 2003 front-end server   Proxying requests between an Exchange 2007 Client Access server and a Microsoft Exchange Server 2003 front-end server enables Exchange 2007 and Exchange 2003 to coexist in the same organization. External clients who connect to Outlook Web Access by using the \Exchange virtual directory or connect to Exchange ActiveSync by using the \Microsoft-Server-ActiveSync virtual directory will have their requests proxied to the appropriate Exchange 2003 back-end server.

Proxying is supported for clients that use Outlook Web Access, Exchange ActiveSync, and Exchange Web Services. Although the Availability service does support proxying, it has its own built-in logic for handling proxying and does not require explicit configuration. Proxying is supported from one Client Access server to another Client Access server when the destination Client Access server is the same version as or an earlier version than the source Client Access server. The following figure illustrates how proxying works in an organization that has multiple Client Access servers and multiple Mailbox servers.

noteNote:
In each Exchange organization, only one Client Access server needs to be Internet-facing. A Client Access server that has no Internet presence does not require its own Internet host name; it relies on the Internet-facing Client Access server to proxy all pertinent requests from external clients.

[Figure: Client Access server redirection and proxying]

In the previous figure, the mailbox of User 1 is located on Mailbox server 01. The mailbox of User 2 is located on Mailbox server 02, and the mailbox of User 3 is located on Mailbox server 03. User 1 can access their mailbox through Client Access server 01 without using proxying. If User 1 tries to access Client Access server 02 by using Exchange ActiveSync, they will receive an error because Client Access server 01 is the appropriate Client Access server for their mailbox. If User 3 tries to access Client Access server 02, that server will proxy their request to Client Access server 03. Client Access server 03 is not Internet-facing but can receive requests from other servers inside the firewall. Proxying is not visible to the user.

noteNote:
Communications between Client Access servers in different sites occur over HTTPS (HTTP over SSL).

The following scenario illustrates how incoming requests are handled for a user who connects to an Exchange 2007 Client Access server named CAS-01 by using a mobile device.

  1. The Client Access server queries the Active Directory directory service to determine the location of the user's mailbox and the version of Microsoft Exchange that is installed on the Mailbox server. If the user's mailbox is on an Exchange 2007 computer that has the Mailbox server role installed, go to step 3.

  2. If the user's mailbox is on an Exchange 2003 server, the incoming request is proxied directly to the Exchange 2003 back-end server that hosts the user's mailbox and the Exchange ActiveSync virtual directory. (By default, Exchange 2003 installs the Exchange ActiveSync virtual directory on every mailbox server.) This is true whether the Exchange 2007 Client Access server that received the request is in the same Active Directory site as the destination back-end server or in a different one; even if another Exchange 2007 Client Access server exists in the destination site, it is not used.

    noteNote:
    When proxying from an Exchange 2007 Client Access server to an Exchange 2003 server, Exchange ActiveSync users will be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2007 Client Access server and the Exchange 2003 back-end server to communicate using Kerberos authentication.
  3. If the user's mailbox is on an Exchange 2007 Mailbox server, CAS-01 locates a Client Access server in the same Active Directory site as the user's Mailbox server. If that Client Access server is closer to the user's Mailbox server than CAS-01 is, Exchange 2007 checks whether its Exchange ActiveSync virtual directory has the InternalURL property configured and uses Integrated Windows authentication. If both conditions are met, the request is proxied to the URL specified by the InternalURL property. Otherwise, the request is rejected and an error code is returned to the mobile device.

    importantImportant:
    Proxying is not supported between virtual directories that use Basic authentication. For client communications to be proxied between virtual directories on different servers, the virtual directories must use Integrated Windows authentication.

When you install the Client Access server role in an Exchange 2007 organization, Exchange ActiveSync is enabled by default. If you use the Exchange Management Console to create new users, those new users are enabled for Exchange ActiveSync by default. The following sections of this white paper will provide the steps that you should take to deploy Exchange ActiveSync within your organization.

Direct Push is the mechanism by which Exchange ActiveSync keeps your mobile devices up to date with your Exchange mailbox. A long-standing HTTPS request is created by the mobile device and sent to the Exchange server. Direct Push requires TCP port 443 to be open on your firewall, and the firewall's idle session timeout must be longer than the heartbeat interval: if the firewall drops the long-standing request before the server answers it, the device falls back to a shorter heartbeat, which increases traffic and battery drain without improving delivery.

For more information about Direct Push, see Understanding Direct Push.

When the Client Access server role is installed, the Exchange ActiveSync virtual directory is configured for Basic authentication with Secure Sockets Layer (SSL) required. Basic authentication sends the user name and password in clear text (Base64 encoding is not encryption), so the SSL requirement is what protects credentials in transit; do not remove it while Basic authentication is enabled. You can configure additional authentication methods on your Exchange ActiveSync virtual directory: Basic authentication, Integrated Windows authentication, certificate-based authentication, or RSA SecurID.

noteNote:
Users who have mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2007 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. Enabling this setting allows the Exchange 2007 Client Access server and the Exchange 2003 back-end server to communicate using Kerberos authentication.

To configure client authentication for Exchange ActiveSync, use the following procedure.

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group on the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Console to configure authentication for Exchange ActiveSync
  1. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

  2. In the result pane, click the Exchange ActiveSync tab.

  3. Select the Microsoft-Server-ActiveSync virtual directory.

  4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.

  5. Click the Authentication tab.

  6. Select or clear the Basic authentication (password is sent in clear text) check box.

  7. Click Apply to save your changes or click OK to save your changes and close the Microsoft-Server-ActiveSync properties dialog box.

To use the Exchange Management Shell to configure authentication for Exchange ActiveSync
  • Run one of the following commands:

    Set-ActiveSyncVirtualDirectory -Identity:"ExchSrvr\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled:$true
    Set-ActiveSyncVirtualDirectory -Identity:"ExchSrvr\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled:$false
    

For more information about syntax and parameters, see Set-ActiveSyncVirtualDirectory.

In addition to configuring authentication for Exchange ActiveSync clients, you can also configure authentication on the Exchange ActiveSync virtual directory. These settings are managed through Internet Information Services (IIS) Manager. The following procedure provides instructions for configuring authentication on the Microsoft-Server-ActiveSync virtual directory.

To perform the following procedures, the account you use must be delegated the Exchange View-Only Administrator role and membership in the local Administrators group on the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

importantImportant:
Before you perform this procedure, read Managing Client Access Security.

To use Internet Information Services (IIS) Manager to configure authentication on the Exchange ActiveSync virtual directory
  1. In Internet Information Services (IIS) Manager, right-click the Microsoft-Server-ActiveSync virtual directory, and then click Properties.

  2. On the Directory Security tab, under Authentication and access control, click Edit.

  3. In the Authentication Methods dialog box, select Basic authentication or Integrated Windows authentication, and then click OK.

  4. Still on the Directory Security tab, under Secure communications, click Edit and confirm that Require secure channel (SSL) is selected. Basic authentication must not be offered on this virtual directory without it.

  5. Click OK to apply your changes.

For more information about Exchange ActiveSync security, see the Exchange Server 2007 Help.

To enable an encrypted channel between the client and the ISA Server computer, you must first install a server certificate on the ISA Server computer. This certificate should be issued by a public certification authority (CA), because mobile devices that connect from the Internet must trust the issuer and most devices ship with public root certificates only. If a private CA is used, the root certificate from the private CA must be installed on every device and computer that requires a secure (HTTPS) connection to the ISA Server computer.

For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006.

After a server certificate is installed on the ISA Server computer, you can run the New Exchange Publishing Rule Wizard. Running the New Exchange Publishing Rule Wizard to provide Exchange ActiveSync access involves the following steps:

  1. Create a server farm (optional)   When you have more than one Client Access server within your organization, you can use ISA Server to provide load balancing for these servers. The server farm properties determine the following:

    • The specific servers included in the farm.

    • The connectivity verification method that ISA Server will use to verify that the servers are functioning correctly.

  2. Create a Web listener   When you create a Web publishing rule, you must specify a Web listener. The Web listener properties determine the following:

    • The IP addresses and ports on the specified networks that the ISA Server computer uses to listen for Web requests (HTTP or HTTPS).

    • Which server certificates to use with IP addresses.

    • The authentication method to use.

    • The number of concurrent connections that are allowed.

    • Single sign-on (SSO) settings.

  3. Create an Exchange Web client access publishing rule   When you publish an internal Exchange 2007 Client Access server through ISA Server 2006, you are protecting the Web server from direct external access because the name and IP address of the server cannot be viewed by the user. The user accesses the ISA Server computer. The ISA Server computer then forwards the request to the internal Web server according to the conditions set by your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange client access.

For more information about how to use the New Exchange Publishing Rule Wizard, see Microsoft ISA Server 2006.

importantImportant:
There is a software update that is required for ISA Server 2006 before you can publish Exchange 2007. For more information about that update, see Update for Publishing Microsoft Exchange Server 2007 for Internet Security and Acceleration (ISA) Server 2006.

For more information about how to configure ISA Server 2006 for client access, see Configuring ISA Server 2006 for Exchange Client Access.

After you install the Client Access server role on a computer that is running Exchange 2007, you can create, configure, and manage Exchange ActiveSync mailbox policies. After you create an Exchange ActiveSync mailbox policy, you can add users individually or add a filtered list of users to the policy by using the Exchange Management Shell.

You can use the Exchange Management Console to manage some Exchange ActiveSync mailbox policy settings and the Exchange Management Shell to manage all the Exchange ActiveSync mailbox policy settings.

The following procedure explains how to use the Exchange Management Console or the Exchange Management Shell to create a mailbox policy. A mailbox policy holds a group of settings for Exchange ActiveSync. These settings include password, encryption, and attachment settings.

When you install the Client Access server role on a computer that is running Exchange 2007, no mailbox policies exist. You can create multiple mailbox policies and assign users to these policies.

noteNote:
If you are running Exchange 2007 SP1, a default policy is created during Microsoft Exchange setup.

To perform this procedure, the account you use must be delegated the Exchange Recipient Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Console to create an Exchange ActiveSync mailbox policy
  1. In the console tree, expand the Organization Configuration node, and then click Client Access.

  2. In the action pane, click New ActiveSync mailbox policy.

  3. On the New ActiveSync Mailbox Policy wizard page, enter a name in the Mailbox policy name box.

  4. Select one or more of the optional check boxes.

  5. Click New to finish creating your mailbox policy.

  6. Click Finish to close the New ActiveSync Mailbox Policy Wizard.

To use the Exchange Management Shell to create an Exchange ActiveSync mailbox policy
  • Run the following command:

    New-ActiveSyncMailboxPolicy -Name PolicyName -DevicePasswordEnabled:$false -AlphanumericDevicePasswordRequired:$false -MaxInactivityTimeDeviceLock:'unlimited' -MinDevicePasswordLength:$null -PasswordRecoveryEnabled:$false -DeviceEncryptionEnabled:$false -AttachmentsEnabled:$true
    
    noteNote:
    This command creates a new mailbox policy that has the default settings. For more information about how to change the default settings on an Exchange ActiveSync mailbox policy, see How to Modify Exchange ActiveSync Mailbox Policy Settings.

For more information about syntax and parameters, see New-ActiveSyncMailboxPolicy.

After you create an Exchange ActiveSync mailbox policy, you can add users to that Exchange ActiveSync mailbox policy. By default, users are not assigned to an Exchange ActiveSync mailbox policy. You can add a user to only one Exchange ActiveSync mailbox policy at a time. If you add a user to an Exchange ActiveSync mailbox policy and that user is a member of another Exchange ActiveSync mailbox policy, that user is removed from the original Exchange ActiveSync mailbox policy and added to the new Exchange ActiveSync mailbox policy. You can add users individually or add a filtered group of users to an Exchange ActiveSync mailbox policy.

To perform this procedure, the account you use must be delegated the Exchange Recipient Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

In addition, before you perform the following procedures, make sure that you have created an Exchange ActiveSync mailbox policy. For more information about how to create an Exchange ActiveSync mailbox policy, see How to Create an Exchange ActiveSync Mailbox Policy.

To use the Exchange Management Console to add users to an Exchange ActiveSync mailbox policy
  1. In the console tree, expand the Recipient Configuration node, and then click Mailbox.

  2. In the work pane, right-click the user who you want to assign to a policy, and then click Properties.

  3. In the user's Properties dialog box, click Mailbox Features.

  4. Click ActiveSync, and then click Properties.

  5. Select the Apply an ActiveSync mailbox policy check box.

  6. Click Browse to view the Select Exchange ActiveSync Mailbox Policy dialog box.

  7. Select an available policy, and then click OK three times to apply your changes.

    noteNote:
    You can add multiple users to a policy at the same time. However, that task must be performed by using the Exchange Management Shell.
To use the Exchange Management Shell to add users to an Exchange ActiveSync mailbox policy
  • Run the following command:

    Set-CASMailbox -Identity UserName -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity
    
To use the Exchange Management Shell to add all users to an Exchange ActiveSync mailbox policy
  • Run the following command:

    Get-Mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity
    
To use the Exchange Management Shell to add a filtered list of users to an Exchange ActiveSync mailbox policy
  • Run the following command:

    Get-Mailbox | where { $_.CustomAttribute1 -match "Manager" } | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity
    
    noteNote:
    You can substitute any property of the object returned by Get-Mailbox for CustomAttribute1. To view the full list of properties, type: Get-Mailbox username | fl. Note that -match is a regular-expression (substring) comparison; use -eq when the attribute must match exactly.

For more information about syntax and parameters, see Set-CASMailbox, Get-ActiveSyncMailboxPolicy, and Get-Mailbox.
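
The shell command that creates a policy earlier in this section produces one with the default settings, which require nothing of the device, and the assignment commands above filter with -match, a substring comparison. The following script is an added example and is not code from the white paper or from Microsoft: it creates a policy that enforces a PIN, an idle lock, a wipe threshold and storage encryption, assigns it by an exact CustomAttribute1 match, and then verifies the result. The policy name, the attribute value "Manager", the limits chosen and the report function name are assumptions; the cmdlet parameters are those that Exchange 2007 exposes on New-ActiveSyncMailboxPolicy. Run it in the Exchange Management Shell.

```powershell
# Added example, not from the white paper. Run in the Exchange Management Shell.
# Policy name, attribute value and limits are assumptions.

$PolicyName = 'Managers - Secure Devices'

# 1. A policy that enforces something on the device. The white paper's sample
#    command creates a policy with the default values (no PIN, no encryption,
#    unlimited inactivity). This one requires an alphanumeric PIN, locks the
#    device when idle, wipes it after repeated wrong PINs, encrypts stored data
#    and refuses devices that cannot enforce the policy at all.
$policy = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $PolicyName }
if ($policy -eq $null) {
    $policy = New-ActiveSyncMailboxPolicy -Name $PolicyName `
        -DevicePasswordEnabled:$true `
        -AlphanumericDevicePasswordRequired:$true `
        -MinDevicePasswordLength 8 `
        -MaxInactivityTimeDeviceLock '00:15:00' `
        -MaxDevicePasswordFailedAttempts 10 `
        -DevicePasswordExpiration '90.00:00:00' `
        -DevicePasswordHistory 5 `
        -PasswordRecoveryEnabled:$true `
        -DeviceEncryptionEnabled:$true `
        -AllowNonProvisionableDevices:$false `
        -AttachmentsEnabled:$true `
        -UNCAccessEnabled:$false `
        -WSSAccessEnabled:$false
}

# 2. Assign it to a filtered set of mailboxes. -eq is used instead of -match so
#    that a value such as "Not a Manager" does not pick up the policy by substring.
$targets = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.CustomAttribute1 -eq 'Manager' }
$targets | Set-CASMailbox -ActiveSyncMailboxPolicy $policy.Identity

# 3. Verify: every targeted mailbox now carries the policy, and list any
#    ActiveSync-enabled mailbox that still has no explicit policy at all.
function Get-EasPolicyReport {
    param([string]$ExpectedPolicy, [object[]]$Mailboxes)
    $report = @()
    foreach ($m in $Mailboxes) {
        $cas = Get-CASMailbox -Identity $m.Identity
        if ($cas.ActiveSyncMailboxPolicy -eq $null -or
            $cas.ActiveSyncMailboxPolicy.Name -ne $ExpectedPolicy) {
            $report += "$($m.Name): policy is '$($cas.ActiveSyncMailboxPolicy)', expected '$ExpectedPolicy'"
        }
    }
    $noPolicy = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled -and ($_.ActiveSyncMailboxPolicy -eq $null) }
    foreach ($c in $noPolicy) {
        $report += "$($c.Name): ActiveSync is enabled but no mailbox policy is assigned"
    }
    $report
}

Get-EasPolicyReport -ExpectedPolicy $PolicyName -Mailboxes $targets
```

Devices that cannot apply every setting in the policy are refused because AllowNonProvisionableDevices is false; if older devices must keep working, relax that setting deliberately in a separate policy rather than weakening this one for everybody.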

For more information about mobile mailbox policies, see the Exchange Server 2007 Help.

The following procedure explains how to use the Exchange Management Console or the Exchange Management Shell to manage the list of Windows SharePoint Services document libraries and Windows file shares that Microsoft Exchange ActiveSync users can access from their mobile devices.

noteNote:
The lists of Windows SharePoint Services document libraries and Windows file shares that are allowed and blocked apply to the whole Exchange ActiveSync virtual directory. You cannot configure these lists for individual users. However, you can disable Windows SharePoint Services document library and Windows file share access for individual users by using Exchange ActiveSync policies.

To perform this procedure, the account you use must be delegated the Exchange Recipient Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Console to configure access to Windows SharePoint Services document libraries and Windows file shares
  1. Open the Exchange Management Console.

  2. Under Server Configuration, select Client Access.

  3. Select Exchange ActiveSync.

  4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.

  5. Click the Remote File Servers tab.

  6. Click the Block button to add host names of sites that clients are prohibited from accessing.

  7. Click the Allow button to add host names of document libraries and shares that clients are permitted to access.

  8. Use the list in the Unknown Servers section to specify the default action that should be taken when a client tries to access a file from a server that is not entered in either the Allow List or Block List.

  9. Click the Configure button to enter the domain suffixes that should be treated as internal.

    noteNote:
    If you specify that a domain suffix should be treated as internal, the Exchange ActiveSync client will access the content by using the intranet connection instead of an Internet connection.
To use the Exchange Management Shell to configure access to Windows SharePoint Services document libraries and Windows file shares
  • Run the following command to add two sites to the Block list and one to the Allow list, specify an internal domain suffix, and set the default action for servers that appear in neither list. Block is the safer default: the Client Access server retrieves these documents on behalf of the device, so an Allow default lets any synchronizing device reach any intranet share or document library that the Client Access server can reach.

    Set-ActiveSyncVirtualDirectory -Identity:"ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -RemoteDocumentsBlockedServers:"ServerName1,ServerName2" -RemoteDocumentsAllowedServers:"ServerName3" -RemoteDocumentsInternalDomainSuffixList:"DomainSuffix" -RemoteDocumentsActionForUnknownServers:"Block"
    

For more information about syntax and parameters, see Set-ActiveSyncVirtualDirectory.

After the Client Access server role is installed, users can configure devices to synchronize with the Exchange server. For more information about how to configure mobile devices for synchronization, see the Exchange Server 2007 Help.

The following procedure will configure a Windows Mobile device to synchronize with Exchange 2007.

To perform the procedures in this section, confirm the following:

  • You have reviewed the manufacturer's documentation for the mobile device that you want to configure.

  • Exchange ActiveSync is enabled on the Exchange 2007 computer that has the Client Access server role installed.

To configure a mobile device to use Exchange ActiveSync
  1. On the mobile device, from the home screen, click Start, and then click ActiveSync.

  2. Click Menu, and then click Configure Server.

  3. Enter the server address. This is the same as your Microsoft Office Outlook Web Access server address.

  4. If you have configured Exchange ActiveSync to require Secure Sockets Layer (SSL), select the This server requires an encrypted (SSL) connection check box.

  5. Click Next.

  6. Enter your user name, password, and domain.

  7. Select the Save password check box.

  8. Click Next.

  9. Select the check box next to each type of information that you want to synchronize with the server, and then click Finish.

If your Client Access server is Internet-facing, set the ExternalURL property on the Exchange ActiveSync and Outlook Web Access virtual directories by using the Exchange Management Console or the Exchange Management Shell. The InternalURL property is configured automatically during the initial setup of Exchange 2007 and should rarely have to be changed. The ExternalURL property should contain the host name that is registered for your Exchange organization in public DNS, which must also be a name that the server's SSL certificate covers. The first table below lists the appropriate ExternalURL and InternalURL values for an Internet-facing Client Access server in an organization whose published host name is www.contoso.com; the second table lists the values for a non-Internet-facing Client Access server in a second Active Directory site of the same organization. Every virtual directory that takes part in proxying must have Integrated Windows authentication enabled; proxying is not supported for virtual directories that use other authentication methods.

noteNote:
If new Outlook Web Access virtual directories are created by using the Exchange Management Shell, you must manually configure the InternalURL property on those virtual directories.

Proxying InternalURL and ExternalURL settings for an Internet-facing Client Access server

  Exchange 2007 service | InternalURL setting                              | ExternalURL setting
  Exchange ActiveSync   | https://computername/Microsoft-Server-ActiveSync | https://www.contoso.com/Microsoft-Server-ActiveSync

Proxying InternalURL and ExternalURL settings for a non-Internet-facing Client Access server

  Exchange 2007 service | InternalURL setting                              | ExternalURL setting
  Exchange ActiveSync   | https://computername/Microsoft-Server-ActiveSync | $Null

The following procedure lets you modify the ExternalURL and InternalURL properties on your Microsoft-Server-ActiveSync virtual directory.

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

To use the Exchange Management Console to modify the properties on an Exchange ActiveSync virtual directory
  1. In the Exchange Management Console, click Server Configuration, and then click Client Access.

  2. In the work pane, click the Exchange ActiveSync tab.

  3. In the action pane, under Microsoft-Server-ActiveSync, click Properties.

  4. Modify the InternalURL and ExternalURL properties, and then click OK to apply your changes.

To use the Exchange Management Shell to modify the properties on an Exchange ActiveSync virtual directory
  • On the Internet-facing Client Access server, run:

    Set-ActiveSyncVirtualDirectory -Identity "Server Name\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL "https://computername/Microsoft-Server-ActiveSync" -ExternalURL "https://www.contoso.com/Microsoft-Server-ActiveSync"

  • On a non-Internet-facing Client Access server, leave InternalURL in place and clear ExternalURL:

    Set-ActiveSyncVirtualDirectory -Identity "Server Name\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL $Null
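
The two shell procedures above (enabling or disabling Basic authentication on the virtual directory, and the InternalURL and ExternalURL settings for proxying) are usually applied together and then checked across every Client Access server. The following script is an added example and is not code from the white paper or from Microsoft: it applies the values in the tables to one server and then audits every Exchange ActiveSync virtual directory in the organization for the conditions under which proxying fails or Basic credentials would travel unprotected. It assumes the page's example host name www.contoso.com, the server names CAS01 and CAS02, and the function names used here; run it in the Exchange Management Shell.

```powershell
# Added example, not from the white paper. Run in the Exchange Management Shell.
# www.contoso.com is the page's example host name; CAS01/CAS02 and the function
# names are assumptions.

$PublicFqdn = 'www.contoso.com'

# Apply the values from the tables above to one server. Integrated Windows
# authentication is turned on because every directory that may receive a proxied
# request needs it; Basic authentication is kept only where Internet devices
# authenticate directly, and then only behind the SSL requirement.
function Set-EasProxyUrls {
    param([string]$Server, [bool]$InternetFacing)
    $id       = "$Server\Microsoft-Server-ActiveSync (Default Web Site)"
    $internal = "https://$Server/Microsoft-Server-ActiveSync"
    if ($InternetFacing) {
        Set-ActiveSyncVirtualDirectory -Identity $id -InternalUrl $internal `
            -ExternalUrl "https://$PublicFqdn/Microsoft-Server-ActiveSync" `
            -WindowsAuthEnabled:$true -BasicAuthEnabled:$true
    } else {
        Set-ActiveSyncVirtualDirectory -Identity $id -InternalUrl $internal `
            -ExternalUrl $null -WindowsAuthEnabled:$true
    }
}

# Walk every Exchange ActiveSync virtual directory in the organization and report
# the conditions under which proxying fails or Basic credentials are exposed.
function Test-EasVirtualDirectories {
    $findings = @()
    foreach ($vdir in Get-ActiveSyncVirtualDirectory) {
        $name     = $vdir.Identity
        $internal = $vdir.InternalUrl   # System.Uri, or $null if never set
        $external = $vdir.ExternalUrl   # System.Uri, or $null on non-Internet-facing servers

        if ($internal -eq $null) {
            $findings += "$($name): InternalUrl is not set; this directory cannot be a proxy target"
        } elseif ($internal.Scheme -ne 'https') {
            $findings += "$($name): InternalUrl is $internal; CAS-to-CAS traffic must use HTTPS"
        }
        if (-not $vdir.WindowsAuthEnabled) {
            $findings += "$($name): Integrated Windows authentication is off; proxied requests will be rejected"
        }
        if ($external -ne $null) {
            if ($external.Scheme -ne 'https') {
                $findings += "$($name): ExternalUrl is $external; Basic credentials would cross the Internet in clear text"
            }
            if ($external.Host -ne $PublicFqdn) {
                $findings += "$($name): ExternalUrl host $($external.Host) does not match the published name $PublicFqdn"
            }
        } elseif ($vdir.BasicAuthEnabled) {
            $findings += "$($name): Basic authentication is enabled but no ExternalUrl is set; proxying does not use it"
        }
    }
    $findings
}

# Assumed topology: CAS01 is Internet-facing, CAS02 serves a second Active Directory site.
Set-EasProxyUrls -Server 'CAS01' -InternetFacing $true
Set-EasProxyUrls -Server 'CAS02' -InternetFacing $false
Test-EasVirtualDirectories
```

Run Test-EasVirtualDirectories on its own after any change made through IIS Manager as well; the two configuration paths write to different places and can drift apart.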
    

After you have successfully deployed Exchange ActiveSync, you can manage your users by enabling or disabling Exchange ActiveSync on a per-user basis. The following procedure provides instructions for enabling and disabling Exchange ActiveSync for a user.

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Also, before you perform these procedures, confirm that you have enabled Exchange ActiveSync on the Exchange 2007 server that has the Client Access server role installed.

noteNote:
By default, Exchange ActiveSync is enabled on a Client Access server.

To enable or disable Exchange ActiveSync for a user by using the Exchange Management Console
  1. Open the Exchange Management Console.

  2. Under Recipient Configuration, select Mailbox.

  3. Select Properties from the action pane or right-click the user's mailbox, and then click Properties.

  4. Click the Mailbox Features tab.

  5. Select Exchange ActiveSync and then click Disable or Enable.

  6. Click OK.

To enable or disable Exchange ActiveSync for a user by using the Exchange Management Shell
  • Run one of the following commands:

    Set-CASMailbox -Identity <SMTP Address of user> -ActiveSyncEnabled $false
    Set-CASMailbox -Identity <SMTP Address of user> -ActiveSyncEnabled $true
    

For more information about syntax and parameters, see Set-CASMailbox.

In addition to enabling and disabling Exchange ActiveSync for particular users, you can also prevent a specific device from synchronizing with Exchange 2007. The following procedure will disable a specific device for Exchange ActiveSync.

To perform the following procedure, the account you use must be delegated the Exchange Recipient Administrator role and membership in the local Administrators group for the target server.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Also, before you perform this procedure, make sure that Exchange ActiveSync is enabled for the user.

To use the Exchange Management Shell to disable a device for Exchange ActiveSync
  • The ActiveSyncAllowedDeviceIDs parameter holds the complete list of device IDs that may synchronize with the mailbox; when the list is empty, any device may synchronize. To prevent a device from synchronizing with Microsoft Exchange, set the parameter to the device IDs that should remain allowed and leave out the one you want to block. The command replaces the whole list, so include every device that should keep working:

    Set-CASMailbox -Identity:"EmailAlias" -ActiveSyncAllowedDeviceIDs:"<DeviceID_1>","<DeviceID_2>"
    
    noteNote:
    There is no built-in functionality for retrieving the device ID before the user synchronizes with the Exchange server. After the user has synchronized the device with the Exchange server, you can run the following command to retrieve the device ID:
    Get-ActiveSyncDeviceStatistics -Mailbox:"<EmailAlias>" |fl DeviceID 
    

For more information about syntax and parameters, see Set-CASMailbox.
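
Because the command above replaces the allow list in one step, it is easy to lock a user out of every device, or to clear the list and allow everything, by accident. The following script is an added example and is not code from the white paper or from Microsoft: given a mailbox and one device ID, it rebuilds the allow list from the device partnerships the server has recorded, drops the unwanted device, and falls back to disabling Exchange ActiveSync for the mailbox when no device would remain allowed. The mailbox alias, the device ID and the function name are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example, not from the white paper. Run in the Exchange Management Shell.
# The alias, device ID and function name are assumptions.

function Revoke-EasDevice {
    param([string]$Mailbox, [string]$DeviceId)
    if (-not $Mailbox -or -not $DeviceId) { throw 'Mailbox and DeviceId are required' }

    # A partnership record exists only for a device that has synchronized at least
    # once, so this is the only place a device ID can be looked up (as the white
    # paper's note says, it cannot be retrieved in advance).
    $seen = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox | ForEach-Object { $_.DeviceID })
    if ($seen -notcontains $DeviceId) {
        Write-Warning "$DeviceId has never synchronized with $Mailbox; it is excluded from the allow list anyway"
    }

    # Set-CASMailbox -ActiveSyncAllowedDeviceIDs replaces the whole list, and an
    # empty list means no restriction. So the list is seeded from every device seen
    # so far before the unwanted one is removed.
    $current = @((Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs | Where-Object { $_ })
    if ($current.Length -eq 0) { $current = $seen }
    $allowed = @($current | Where-Object { $_ -ne $DeviceId } | Sort-Object -Unique)

    if ($allowed.Length -eq 0) {
        # Nothing would remain allowed. Writing an empty list would re-open the
        # mailbox to every device, so disable ActiveSync for the mailbox instead.
        Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false
        return "ActiveSync disabled for $Mailbox (no device remains allowed)"
    }
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs $allowed
    return "$Mailbox may now synchronize only from: " + [string]::Join(', ', $allowed)
}

# Usage (assumed values):
Revoke-EasDevice -Mailbox 'alice' -DeviceId 'ABC123DEF456'
```

Blocking a device does not remove the mailbox data already stored on it; if the device is lost or stolen, issue a remote wipe with Clear-ActiveSyncDevice as well.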

The performance of Microsoft Exchange ActiveSync is affected by many factors. These include the number of users who are synchronizing with Exchange ActiveSync, the types of mobile devices that are synchronizing with it, and how much data each user synchronizes between the Microsoft Exchange server and the mobile device. By using monitoring, you can understand the factors that affect the performance of Exchange ActiveSync. You can examine Internet Information Services (IIS) log files and use the Export-ActiveSyncLog cmdlet to generate reports in comma-separated value format. You can also create several graphs from the data in these reports to analyze traffic and usage patterns.

By monitoring Exchange ActiveSync errors and events, you can understand problems that your users encounter when they synchronize their mobile devices with Microsoft Exchange.
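
The IIS log files that the white paper points at for usage reporting answer security questions too, because every Exchange ActiveSync request carries the user, device ID, device type and command in its query string. The following script is an added example and is not code from the white paper or from Microsoft: it parses the W3C fields of an IIS log, keeps only Exchange ActiveSync requests, and flags repeated authentication failures from one address, devices being provisioned for the first time, and users synchronizing from more than one device ID. The log lines are constructed for the example (the users, device IDs and addresses in them are invented), the function names are assumptions, and the script assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the white paper. Assumes Windows PowerShell 2.0 or later.
# The log below is constructed for the example; real logs are under
# %SystemRoot%\System32\LogFiles\W3SVC1\ on the Client Access server.

$SampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-12-23 10:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=ABC123&DeviceType=PocketPC&Cmd=Ping 443 CONTOSO\alice 203.0.113.7 MSFT-PPC/5.2.5326 200 0 0 900112
2009-12-23 10:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=ABC123&DeviceType=PocketPC&Cmd=Sync 443 CONTOSO\alice 203.0.113.7 MSFT-PPC/5.2.5326 200 0 0 310
2009-12-23 10:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=ZZZ999&DeviceType=PocketPC&Cmd=FolderSync 443 - 198.51.100.9 MSFT-PPC/5.2.5326 401 2 5 15
2009-12-23 10:00:04 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=ZZZ999&DeviceType=PocketPC&Cmd=FolderSync 443 - 198.51.100.9 MSFT-PPC/5.2.5326 401 2 5 12
2009-12-23 10:00:05 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=ZZZ999&DeviceType=PocketPC&Cmd=FolderSync 443 - 198.51.100.9 MSFT-PPC/5.2.5326 401 2 5 14
2009-12-23 10:00:06 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=ZZZ999&DeviceType=PocketPC&Cmd=FolderSync 443 - 198.51.100.9 MSFT-PPC/5.2.5326 401 2 5 11
2009-12-23 10:00:07 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=ZZZ999&DeviceType=PocketPC&Cmd=FolderSync 443 - 198.51.100.9 MSFT-PPC/5.2.5326 401 2 5 13
2009-12-23 10:00:20 10.0.0.5 POST /Microsoft-Server-ActiveSync User=carol&DeviceId=NEWDEV1&DeviceType=SmartPhone&Cmd=Provision 443 CONTOSO\carol 203.0.113.50 MSFT-SPhone/5.2.5326 200 0 0 40
2009-12-23 10:00:21 10.0.0.5 POST /Microsoft-Server-ActiveSync User=carol&DeviceId=OLDDEV7&DeviceType=PocketPC&Cmd=Sync 443 CONTOSO\carol 203.0.113.51 MSFT-PPC/5.2.5326 200 0 0 60
2009-12-23 10:00:22 10.0.0.5 GET /owa/ - 443 CONTOSO\dave 203.0.113.60 Mozilla/4.0 200 0 0 50
'@

# Turn W3C log lines into objects, keeping only Exchange ActiveSync requests.
function ConvertFrom-IisLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim().Split(' '); continue }
        if ($fields -eq $null -or $line.StartsWith('#') -or $line.Trim() -eq '') { continue }
        $values = $line.Split(' ')
        if ($values.Length -ne $fields.Length) { continue }   # skip a malformed line rather than misalign fields
        $row = @{}
        for ($i = 0; $i -lt $fields.Length; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -ne '/Microsoft-Server-ActiveSync') { continue }
        # EAS identifiers live in the query string: User, DeviceId, DeviceType, Cmd
        $q = @{}
        if ($row['cs-uri-query'] -ne '-') {
            foreach ($pair in $row['cs-uri-query'].Split('&')) {
                $kv = $pair.Split('=')
                if ($kv.Length -eq 2) { $q[$kv[0]] = $kv[1] }
            }
        }
        New-Object PSObject -Property @{
            Time       = $row['date'] + ' ' + $row['time']
            ClientIp   = $row['c-ip']
            User       = $q['User']
            DeviceId   = $q['DeviceId']
            DeviceType = $q['DeviceType']
            Cmd        = $q['Cmd']
            Status     = [int]$row['sc-status']
        }
    }
}

# Apply three simple detections to the parsed requests.
function Get-EasFindings {
    param([object[]]$Requests, [int]$FailedAuthThreshold = 5)
    $findings = @()
    # 1. Repeated 401s from one address: a guessed password, or a device holding a
    #    stale one, either of which can lock the account if a lockout policy applies.
    foreach ($g in ($Requests | Where-Object { $_.Status -eq 401 } | Group-Object ClientIp)) {
        if ($g.Count -ge $FailedAuthThreshold) {
            $users = ($g.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ','
            $findings += "$($g.Name): $($g.Count) failed authentications (users: $users)"
        }
    }
    # 2. A Provision command is a device being handed the mailbox policy for the
    #    first time, i.e. a new partnership to reconcile with Get-ActiveSyncDeviceStatistics.
    foreach ($r in ($Requests | Where-Object { $_.Cmd -eq 'Provision' })) {
        $findings += "$($r.User): new device $($r.DeviceId) ($($r.DeviceType)) provisioned from $($r.ClientIp)"
    }
    # 3. Users synchronizing from more than one device ID in the window.
    foreach ($g in ($Requests | Where-Object { $_.User } | Group-Object User)) {
        $ids = @($g.Group | ForEach-Object { $_.DeviceId } | Sort-Object -Unique)
        if ($ids.Length -gt 1) { $findings += "$($g.Name): $($ids.Length) distinct devices ($($ids -join ','))" }
    }
    $findings
}

$requests = ConvertFrom-IisLog -Lines ($SampleLog -split "`r?`n")
Get-EasFindings -Requests $requests
```

To run it against a real log, replace the sample with Get-Content on a file from the W3SVC log directory of the Client Access server. The cs-uri-query field must be included in the IIS logging options, because it carries the user, device and command identifiers; the thresholds are starting points to tune against normal traffic for your organization.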

Exchange ActiveSync is enabled for all users when Exchange 2007 is installed. However, there are a wide variety of configuration steps that you can take to customize your Exchange ActiveSync installation. We recommend that you check the full Exchange 2007 documentation for more information and updates.

For the complete Exchange 2007 documentation, see the Exchange Server 2007 Help.

 