Deploying Windows Mobile 5.0 with Windows Small Business Server 2003

Updated: May 27, 2009

Applies To: Windows SBS 2003

Do you want to add Windows Mobile devices to your network? Is your network based either on the Microsoft® Windows® Small Business Server 2003 server software (Windows SBS) with Service Pack 1 (SP1) or on Windows SBS 2003 R2? If so, you can use the step-by-step instructions in this document to deploy devices that are powered by the Microsoft Windows Mobile® 5.0 software on a Windows SBS network.

Windows Mobile 5.0

Windows Mobile 5.0 is the successor to Windows Mobile 2003. It provides new features and tools to improve productivity, connectivity, and security. Some of the new features in Windows Mobile 5.0 include the following:

  • Updated versions of Microsoft Office mobile applications, including the Microsoft PowerPoint® presentation graphics program.

  • Enhanced Microsoft Outlook® mobile messaging, including photo support.

  • Improved navigation and speed.

  • Better multimedia features, such as support for more ring tones, high-resolution pictures, and the Microsoft Windows Media® Player 10.

Messaging and Security Feature Pack

The improved messaging and security features in Windows Mobile 5.0 are available as part of the Messaging and Security Feature Pack (MSFP) add-on. New features introduced through MSFP include the following:

  • Direct Push technology: Items received on the Exchange server, such as new e-mail messages, calendar changes, contact changes, or task updates, are immediately sent to a device that is running Windows Mobile 5.0 with MSFP. Direct Push technology uses an IP-based Internet connection and does not use Short Message Service Text Messaging (SMS). SMS is used by the previous Always Up To Date (AUTD) synchronization process.

  • Wireless support for contact information: This feature enables over-the-air lookup of global address list (GAL) information that is stored in Exchange Server.

  • Remotely enforced security policy: You can remotely manage and enforce security settings on the mobile devices over-the-air.

  • Local device wipe: This feature resets the device after a specified number of incorrect logon attempts.

  • Remote device wipe: This feature enables you to remotely reset a device over the Internet.

To take advantage of these new features, you must install Service Pack 2 (SP2) for Exchange Server 2003 if your server is running Windows SBS 2003 with SP1. If your server is running Windows SBS 2003 R2, it already has the service pack installed.

Earlier releases of Windows Mobile 5.0 powered devices do not have MSFP preinstalled. Most mobile operators will be providing software upgrades for these devices. For information about whether MSFP is available or is preinstalled on your device, contact your mobile operator or device manufacturer. You can also confirm whether MSFP is preinstalled by checking the Windows Mobile 5.0 build number. To check the number, on the mobile device, click Start, click Settings, and then click About. If the build number is 14847 or higher, the device has MSFP installed.

Before You Begin

Note

Although screen images in this document refer to versions 4.0 and 4.1 of the ActiveSync® technology, the images also apply to ActiveSync version 4.2.

Skill Level

The intended audience for this document is Windows SBS administrators. To complete the steps in this document, you should have a basic understanding of Windows Mobile and you should have experience in deploying and managing Windows SBS.

Windows Mobile Requirements

To complete the steps in this document, make sure your hardware and software meet the requirements in the following table.

Table 1. Requirements for deploying a mobile device

  • Windows Mobile 5.0 powered device: A mobile device that is running Windows Mobile 5.0.

  • Wireless data connectivity: The mobile device must have wireless data connectivity to the Internet, provided through a mobile operator (for example, a GPRS data connection).

  • Server running Windows SBS 2003: A server that is running Windows SBS 2003 with SP1 or Windows SBS 2003 R2. It is assumed that Exchange Server 2003 is configured and running properly on the server.

  • ActiveSync 4.2: You can download ActiveSync 4.2 from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75112).

  • Third-party or self-signed certificate: For more information about how to choose between and obtain a third-party SSL certificate or a self-signed SSL certificate, see “Step 4: Install a Certificate,” later in this document. If you install a self-signed certificate, you may need the utility smartphoneaddcert.exe, which you can download from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75113).

Additional MSFP requirements

In addition to the Windows Mobile requirements above, if you plan to deploy devices that are running Windows Mobile 5.0 with MSFP, make sure you have the following software.

Table 2. Additional Requirements for Deploying Windows Mobile 5.0 with MSFP

  • SP2 for Exchange Server 2003: You can download SP2 for Exchange Server 2003 from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75114). If your server is running Windows SBS 2003 R2, this service pack is already preinstalled.

  • Exchange Server ActiveSync Web Administration tool: You can download the Exchange Server ActiveSync Web Administration tool from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75115).

Process Steps

To deploy a mobile device on your Windows SBS network, complete the following steps:

  • Step 1: Install ActiveSync 4.2.

  • Step 2: Enable mobile services for users.

  • Step 3: Configure the firewall and Web services.

  • Step 4: Install a certificate.

  • Step 5: Configure Windows Small Business Server 2003 for MSFP.

  • Step 6: Configure device synchronization.

  • Step 7: Test the deployment.

Note

Complete Step 5 only if you are deploying devices with MSFP. If you are not deploying devices with MSFP, and do not plan to, you can skip Step 5.

Step 1: Install ActiveSync 4.2

Mobile devices need to be connected to a client computer to copy files, install applications, and synchronize data directly with the computer. To connect the mobile device, you must install ActiveSync 4.2 on the client computer.

You can install ActiveSync on the client computer in either of the following ways:

  • Option A: Manually install: Manually copy and install ActiveSync on the client computer.

  • Option B: Automatically install using Group Policy: Configure Windows SBS to automatically install ActiveSync on the client computers to which users who are members of the Mobile Users group log on.

Note

By default, the Mobile Users group has Virtual Private Network (VPN) access to the Windows SBS network. If you add any users to the Mobile Users group so that ActiveSync is installed on their computers, these users also gain VPN access to the Windows SBS network.

To install ActiveSync 4.2, complete the steps in either of the following sections.

Important

Do not install ActiveSync when you are running the Windows SBS Set Up Computer Wizard. The Set Up Computer Wizard installs an older version of ActiveSync that is included with Windows SBS 2003 and that is not compatible with devices that are running Windows Mobile 5.0.

Note

If you have not already downloaded the ActiveSync 4.2 setup file, download it now from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75112).

Note

Before you install ActiveSync 4.2 on any computer, ensure that the computer meets the minimum system requirements for ActiveSync 4.2, which you can find at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75291).

Option A: Manually install

To manually install ActiveSync 4.2 on the client computers, copy the ActiveSync setup file to each client computer that you want to connect to a mobile device, and then run the ActiveSync 4.2 Setup program.

Option B: Automatically install using Group Policy

To automatically install ActiveSync using Group Policy:

  1. Log on to the server that is running Windows SBS.

  2. Start the Microsoft ActiveSync 4.2 wizard by completing the following steps:

    1. Open the command prompt.

    2. Change the current directory to the folder where the ActiveSync setup file is saved.

    3. Type setup.exe /V /a, and then press ENTER. The wizard starts after a short pause.

  3. Complete the wizard as follows:

    1. On the Welcome page, click Next.

    2. On the Network Location page, click Change.

    3. Browse to the ClientApps shared folder (\\localhost\clientapps).

    4. Create a new folder in ClientApps by clicking the new folder button and then naming the new folder “activesync42”.

    5. Double click the newly created activesync42 folder, and then click OK.

    6. Click the Install button.

    7. Click the Finish button when the installation is finished.

  4. Open Group Policy Management Console from Administrative Tools. Expand ForestName, expand Domains, and then expand DomainName.

  5. Right-click Group Policy Objects, and then click New.

  6. In the New GPO dialog box, type ActiveSync 4.2 Installation, and then click OK.

  7. On the details pane, right-click the newly created Group Policy object (GPO) (that is, ActiveSync 4.2 Installation), and then click Edit.

  8. In Group Policy Object Editor, expand User Configuration, expand Software Settings, right-click Software Installation, point to New, and then click Package.

  9. In the Open dialog box, browse to the \\localhost\ClientApps\activesync42\ folder, and then double-click Microsoft ActiveSync 4.0.msi.

Note

Although the name of the setup file includes “4.0,” the setup installs ActiveSync 4.2.

  10. On the Deploy Software dialog box, click Assigned, and then click OK.

  11. In Group Policy Object Editor, right-click ActiveSync 4.2 Installation (top node of the console tree), and then click Properties.

  12. On the General tab, select the Disable Computer Configuration settings check box, and then click Yes on the Confirm Disable dialog box.

  13. On the Security tab, remove Authenticated Users from the list, and then add Mobile Users to the list. Make sure that the Read and Apply Group Policy permissions are set to Allow for Mobile Users, and then click OK.

  14. Close Group Policy Object Editor.

  15. In Group Policy Management Console, expand My Business, and then expand Users. Right-click SBSUsers, and then click Link an Existing GPO.

  16. In the list of GPOs, click ActiveSync 4.2 Installation, and then click OK.

After you finish these steps, ActiveSync 4.2 is automatically installed on any computer to which a member of the Mobile Users group logs on. For ActiveSync 4.2 to be installed successfully, the user must have local administrative rights on the computer.

Step 2: Enable Mobile Services for Users

Before you configure a mobile device for a user, you must enable mobile services for that user’s Active Directory user account. By default, new user accounts that are created in Windows SBS already have mobile services enabled.

To ensure that mobile services are enabled for a user:

  1. Open the Server Management console, click Users, and then double-click the user account.

  2. On the Exchange Features tab of the Properties dialog box, ensure that all mobile services are enabled.

Step 3: Configure the Firewall and Web Services

To enable mobile devices to access information stored on the Exchange server over the air, ensure that incoming Exchange ActiveSync traffic is directed to the server that is running Windows SBS.

Complete the steps in this section to automatically configure the following firewalls:

  • Microsoft Internet Security and Acceleration (ISA) Server, which is included in Windows SBS Premium Edition

  • The built-in Routing and Remote Access firewall in Windows SBS

  • The UPnP™ hardware firewall

If you are using a firewall other than these, you need to manually configure your firewall to direct incoming traffic on port 443 to the server that is running Windows SBS.

To configure the firewall and Web services:

  1. Open the Server Management console, and then click Internet and E-mail.

  2. Click Connect to the Internet to start the Configure E-mail and Internet Connection Wizard (CEICW).

  3. On the Welcome page, click Next.

  4. On the Connection Type page, click Do not change connection type, and then click Next.

  5. On the Firewall page, click Enable Firewall, and then click Next.

  6. On the Services Configuration page, select the services that are in use on your network, and then click Next.

  7. On the Web Services Configuration page, select Outlook Mobile Access and any other services that need to be enabled. Click Next.

Note

Selecting Outlook Mobile Access enables over-the-air synchronization with Windows Mobile devices.

  8. On the Web Server Certificate page, click Do not change current Web server certificate, and then click Next.

  9. On the Internet E-mail page, click Do not change Internet e-mail configuration, and then click Next.

  10. On the Completing the Configure E-mail and Internet Connection Wizard page, click Finish.

Note

As mentioned earlier, if you are using an external or third-party firewall, ensure that incoming traffic on port 443 is directed to the server that is running Windows SBS.

Step 4: Install a Certificate

This section provides guidance on choosing and configuring a certificate. A certificate helps securely synchronize data by using the Secure Sockets Layer (SSL) protocol. It is important to use SSL to help secure communications between the mobile device and the server.

Choose the Type of Certificate

You can use either of the following two options to install a certificate for Windows Mobile 5.0 devices:

  • Third-party certificate: You can buy and install a certificate from a trusted root certification authority (CA) whose root certificate is already present in the root certificate store on the mobile device.

  • Self-signed certificate: You can install a self-signed certificate that Windows SBS generates.

Some Windows Mobile 5.0 Smartphone devices may not work with a self-signed certificate. If your Smartphone does not work with a self-signed certificate, you need to purchase a third-party certificate to connect to the Exchange server. Pocket PC devices work with either type of certificate.

Note

Either the device manufacturer or the mobile operator configures the device security policies that relate to certificate installation. To check whether root certificate access is allowed on your Windows Mobile Smartphone device, contact the device manufacturer or the mobile operator.

The following table summarizes the advantages and disadvantages of using these two types of certificates on Windows Mobile devices.

Table 3. Advantages and Disadvantages of Each Type of Certificate

Third-party certificate

  Advantages:

  • No additional configuration is required on the Windows Mobile device.

  • Can be used with all Smartphone and Pocket PC devices.

  • Provides additional benefits with other Windows SBS features, such as Outlook Web Access, Remote Web Workplace, and RPC over HTTP.

  Disadvantages:

  • Must be purchased, and may require a recurring fee for renewals. Can cost about $100 to $200 annually.

  • Cannot be installed immediately, because it requires independent verification of your company information before it is issued.

Self-signed certificate generated by Windows SBS

  Advantages:

  • Can be easily generated by Windows SBS through CEICW.

  • No additional cost.

  • Fewer configurations are required in Windows SBS.

  Disadvantages:

  • Requires additional configuration on the device. The certificate must be exported to and installed on each device.

  • Does not work on many Smartphone devices (check with the mobile operator or the device manufacturer).

Choose the certificate type that is best for your environment. For example, if you are deploying Smartphones that do not support a self-signed certificate, choose a third-party certificate. If cost is a concern for you and you are deploying Pocket PC devices only, choose a self-signed certificate.

Keep in mind that a third-party certificate offers additional benefits to users of a Windows SBS network. For example, they can use Outlook over the Internet from any computer without having to install a certificate and without being prompted with a certificate error when they access Outlook Web Access, Remote Web Workplace, Windows SharePoint Services, or other Web sites that Windows SBS hosts.
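To see what a device will encounter before you choose, the following added PowerShell script (not part of the original document; PowerShell 2.0 or later, run from a client outside the Windows SBS network) connects to the public name over port 443, retrieves the server certificate, and reports whether it is the Windows SBS self-signed certificate, whether its name matches the name the devices will use, and whether this client already trusts it without any extra root certificate installed. The name mail.contoso.example is a placeholder for your server's public DNS name.

```powershell
# Added example, not from the original document. Checks the Exchange ActiveSync
# endpoint the way a mobile device sees it: is port 443 reachable, what
# certificate is presented, and does it chain to a root this client trusts.
function Test-EasCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$PublicName,   # public DNS name the devices will use
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.ReceiveTimeout = 5000
    $tcp.SendTimeout = 5000
    try {
        $tcp.Connect($PublicName, $Port)
    } catch {
        # Nothing answers on 443: the firewall is not directing traffic to the server.
        return New-Object PSObject -Property @{ Reachable = $false; Error = $_.Exception.Message }
    }

    # Accept any certificate during the handshake; it is evaluated explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($PublicName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        return New-Object PSObject -Property @{ Reachable = $true; Error = "TLS handshake failed: $($_.Exception.Message)" }
    } finally {
        $ssl.Close()
        $tcp.Close()
    }

    # The name in the certificate must match the name the devices connect to;
    # a mismatch fails synchronization even when the certificate is trusted.
    $certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    # Build a chain with this client's root store only. A third-party certificate
    # should chain without help; the Windows SBS self-signed certificate will not
    # until its root is installed (Option A in Step 4).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $reasons = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    New-Object PSObject -Property @{
        Reachable       = $true
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)   # true for the certificate Windows SBS generates
        NameMatches     = ($certName -ieq $PublicName)       # exact match only; wildcard names are not handled
        NotAfter        = $cert.NotAfter
        TrustedOnClient = $trusted
        ChainStatus     = $reasons                           # empty when the chain built cleanly
    }
}

# Placeholder name; replace with the public DNS name of your server.
Test-EasCertificate -PublicName 'mail.contoso.example' | Format-List
```

A result with SelfSigned true and TrustedOnClient false is the expected state for the Windows SBS certificate before the root is installed on a device; NameMatches false means the common name must be fixed before any device will synchronize.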

Configure the Certificate

For Exchange ActiveSync synchronization to work, a certificate must be installed either on the server that is running Windows SBS or on the mobile device. Depending on the type of certificate that you select, complete the steps in either of the following two sections.

Option A: Configure a Self-Signed Certificate

This section tells you how to export and install the self-signed certificate that is created by Windows SBS onto a mobile device. For multiple mobile devices, you need to install the certificate on each device. The certificate is already installed on the server that is running Windows SBS, so you do not need to configure the server.

Perform the following steps to install the certificate on a mobile device:

  1. Create a shared folder in which to store the certificate.

  2. Export the certificate to the shared folder so the mobile devices can access it.

  3. Install the certificate on the Windows Mobile device.

To create a shared folder in which to store the certificate file

  1. On the server, open Windows Explorer.

  2. Select the root drive or folder in which you want to create the new shared folder.

  3. Click File, point to New, and then click Folder.

  4. Rename the new folder to something you will remember (for example, CertShare).

  5. Right-click the renamed folder, and then click Sharing and Security.

  6. Click the Sharing tab, select Share this folder, either type a name for the shared folder or accept the default, and then click OK.

To export the certificate file to the shared folder so the mobile devices can access it

  1. While you are still logged on to the server, open Internet Explorer.

  2. Click the Tools menu, and then click Internet Options. The Internet Options dialog box appears.

  3. Click the Content tab, and then click the Certificates button. The Certificates dialog box appears.

  4. Click the Trusted Root Certification Authorities tab.

  5. Scroll through the list of certificates, and then select the certificate that was generated by Windows SBS. You can usually identify the certificate by recognizing the IP address or domain name in the Issued to or Issued by fields.

  6. Click Export. The Certificate Export Wizard starts.

  7. On the Welcome page, click Next.

  8. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.

  9. On the File to Export page, click Browse, and then open the shared folder that you created in the previous procedure.

  10. Type a file name to identify the certificate that you are exporting, and then click Save. The file path appears on the File to Export page of the Certificate Export Wizard.

  11. Click Next.

  12. Review the settings for accuracy, and then click Finish.

  13. Click OK to acknowledge that you have successfully exported the certificate.

  14. Click Close to close the Certificate dialog box.

  15. Click OK to close the Internet Options dialog box.
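The export above can also be scripted. The following added PowerShell script (not part of the original document; PowerShell 2.0 or later, run on the server that is running Windows SBS) finds the self-signed certificate by the name shown in its Issued to field, writes it as DER encoded binary X.509 (.CER) to the shared folder, and reads the file back to confirm it matches. The server name and the C:\CertShare path are placeholders for your own values.

```powershell
# Added example, not from the original document. Exports the Windows SBS
# self-signed root certificate as a DER .cer file, the same format the
# Certificate Export Wizard produces, and verifies the result.
function Export-SbsRootCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,   # name or IP shown in "Issued to"
        [Parameter(Mandatory = $true)][string]$OutputPath    # full path of the .cer file in the shared folder
    )
    # The Trusted Root Certification Authorities tab in Internet Explorer merges the
    # machine and current-user root stores, so search both and drop duplicates.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $found = @(Get-ChildItem $stores |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "*CN=$ServerName*" } |
        Sort-Object Thumbprint -Unique)

    if ($found.Count -eq 0) {
        throw "No self-signed certificate issued to '$ServerName' was found in the root stores."
    }
    if ($found.Count -gt 1) {
        throw "Several self-signed certificates match '$ServerName'; pick the current one by thumbprint."
    }
    $cert = $found[0]
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); generate a new one with CEICW first."
    }

    # X509ContentType.Cert writes only the public certificate in DER form.
    # The private key never leaves the server, so the file is safe to place on a share.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutputPath, $der)

    # Read the file back and compare thumbprints before copying it to any device.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutputPath)
    if ($check.Thumbprint -ne $cert.Thumbprint) {
        throw "The exported file does not match the certificate in the store."
    }

    New-Object PSObject -Property @{
        Path       = $OutputPath
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint   # compare with the certificate details shown on the device after installation
        NotAfter   = $cert.NotAfter
        Bytes      = $der.Length
    }
}

# Placeholder values; use your server's public name and the shared folder you created.
Export-SbsRootCertificate -ServerName 'mail.contoso.example' -OutputPath 'C:\CertShare\sbs-root.cer' | Format-List
```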

After you successfully export the certificate to the shared folder, complete the following steps to install the certificate on a Windows Mobile device.

To install the certificate on a Windows Mobile device

  1. Cradle the mobile device to your client computer.

  2. On the client computer, open Windows Explorer, and then open the shared folder that you created on the server.

  3. Copy the certificate file from the shared folder, and then paste it into the Mobile Device node in Windows Explorer on the client computer. This places the certificate in the My Documents folder on the Windows Mobile device.

  4. On the Windows Mobile device, open File Explorer (for Pocket PCs) or File Manager (for Smartphones).

Note

To open File Explorer, click Start, and then click Programs. To open File Manager, click Start, and then click More.

  5. Find the certificate file you just copied to the My Documents folder on the device, and then run the file either by tapping the file name or by selecting the file and pressing ENTER.

  6. Click Yes on the confirmation message box to install the certificate. If you receive no error messages, the certificate is installed successfully.

    If you receive an error message and the certificate is not installed, you need to use an external utility to install the certificate on the device. To install the certificate using the external utility, perform the following steps:

    1. On the client computer, download smartphoneaddcert.exe from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75113). If your mobile operator has a signed version of smartphoneaddcert.exe available at this Web site, download the signed version.

Note

Although Knowledge Base article 841060, which is at the given link, refers only to Windows Mobile 2003 and Windows Mobile 2002, the utility also works with Windows Mobile 5.0. In addition, even though the file is named “smartphoneaddcert.exe,” it also works with Pocket PCs.

    2. Run smartphoneaddcert.exe, and then extract SpAddCert.exe.

    3. Copy SpAddCert.exe to the device.

    4. On the device, create a shared folder named Storage on the root of the device, and copy the certificate file into the Storage folder.

    5. On the device, run SpAddCert.exe. By default, the certificates in the Storage folder of the device are listed.

    6. To install the certificate, select the certificate that you just copied, and then click OK to all the messages that appear.

If you are using a Smartphone and the self-signed certificate still is not installed successfully, the device manufacturer or the mobile operator must have disabled access to the root certificates. Check with the device manufacturer or the mobile operator to see if they provide a separate installation utility. Otherwise, you need to use a trusted third-party certificate.

Option B: Configure a Third-Party Certificate

This section tells you how to purchase and install a third-party certificate on the server that is running Windows SBS.

Note

Some certification authorities (CAs) provide their own instructions for installing certificates on the server. Depending on the type of certificate, these instructions may be different than the steps here. You should follow the installation instructions provided by the CA, if they are available, instead of the instructions here.

Purchase a Third-Party Certificate

You should use third-party certificates only from a CA whose root certificate is present in the root certificate store of Windows Mobile powered devices. For a list of CAs that offer certificates that are compatible with Windows Mobile, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=61499).

To purchase a certificate from a CA, you need to generate a certificate signing request on the server that is running Windows SBS.

To generate a certificate signing request

  1. Open Internet Information Services (IIS) Manager from Administrative Tools.

  2. Expand WindowsSBSServerName, expand Web Sites, right-click Default Web Site, and then click Properties.

  3. On the Directory Security tab, click the Server Certificate button to start the IIS Certificate Wizard.

  4. On the Welcome page, click Next.

  5. If you have an existing certificate installed on the server, the Modify the Current Certificate Assignment page appears. If the page appears, complete the following steps:

    1. Click Remove the current certificate, and then click Next.

Note

The existing certificate may have been created when you ran the Configure E-Mail and Internet Connection Wizard.

    2. Click Next on the next two pages, and then click Finish to complete the wizard and to remove the certificate.

    3. Start the wizard again by clicking the Server Certificate button on the Directory Security tab.

    4. On the Welcome page, click Next.

  6. On the Server Certificate page, click Create a new certificate, and then click Next.

  7. On the Delayed or Immediate Request page, click Prepare the request now, but send it later, and then click Next.

Note

If you have a certificate from a CA installed on the server, the second option is not disabled.

  8. On the Name and Security Settings page, type the name of the company, and then click Next.

  9. On the Organization Information page, type the name of the company and the name of the department, which may be the same.

Note

It is important to type the proper company name because the CA uses this name to verify the company information before it issues a certificate. After you submit the request, the CA verifies the information that you have submitted, as well as the company information. If you apply for the certificate using a Trade/DBA (Doing Business As) name, be prepared to show documentation of the trade name. Also be sure to update your Dun & Bradstreet (D&B) or other commercial directory information before you submit the certificate signing request, because many CAs use that information for verification. Get the exact verification requirements from the CA that you have chosen.

  10. On the Your Site’s Common Name page, type the public DNS (Domain Name System) name of the server. Take special care to ensure that the information is correct, because the certificate will not work properly if this information is incorrect.

  11. On the Geographical Information page, enter all of the required information. Do not use abbreviations, because some CAs do not accept abbreviations.

  12. Provide a path and a file name for saving the request. Click Next twice, and then click Finish.

  13. Open the request file that you just created by using Notepad, and then copy all of the text that is in the file, including dashes, into the application form that you are sending to the CA.

Note

Be careful not to change or modify any of the certificate settings on the Web site after you create the certificate request. The steps in this procedure do not work if the pending request is cancelled for any reason. If you cancel the pending request, you need to apply to the CA to have the certificate reissued using a new request file.

Install a Third-Party Certificate

If you purchased or already have a third-party certificate, you may be able to install it by simply cradling the mobile device to the client computer, and then copying the certificate to the Mobile Device node of the client computer. However, if this does not work, perform the following steps to configure and install a third-party certificate for use on mobile devices:

  1. Install a third-party certificate on the server.

  2. Create a shared folder in which to store the certificate.

  3. Export the certificate to the shared folder so the mobile devices can access it.

  4. Install the certificate on the Windows Mobile device.

To install a third-party certificate on the server

  1. Open the Server Management console.

  2. Click Internet and E-mail.

  3. Click Connect to the Internet. The Configure E-mail and Internet Connection Wizard starts.

  4. On the Welcome page, click Next.

  5. On the Connection Type page, click Do not change connection type, and then click Next.

  6. On the Firewall page, click Do not change firewall configuration, and then click Next.

  7. On the Web Server Certificate page, click Use a Web server certificate from a trusted authority, click Browse, navigate to and double-click the certificate file provided by the CA, and then click Next.

  8. On the Internet E-mail page, click Do not change Internet e-mail configuration, and then click Next.

  9. On the Completing the Configure E-mail and Internet Connection Wizard page, click Finish.

To create a shared folder in which to store the certificate

  1. On the server, open Windows Explorer.

  2. Select the root drive or folder in which you want to create the new shared folder.

  3. Click File, point to New, and then click Folder.

  4. Rename the new folder to something you will remember (for example, CertShare).

  5. Right-click the renamed folder, and then click Sharing and Security.

  6. Click the Sharing tab, select Share this folder, either type a name for the shared folder or accept the default, and then click OK.

To export the certificate to the shared folder so the mobile devices can access it

  1. While you are still logged on to the server, open Internet Explorer.

  2. Click the Tools menu, and then click Internet Options. The Internet Options dialog box appears.

  3. Click the Content tab, and then click the Certificates button. The Certificates dialog box appears.

  4. Click the Other People tab.

Note

If the certificate that you purchased and installed on the server does not appear in the list on the Other People tab, look for it by clicking the other tabs in the Certificates dialog box.

  5. Select the certificate that you installed on the server, and then click Export. The Certificate Export Wizard starts.

  6. On the Welcome page of the Certificate Export Wizard, click Next.

  7. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click Next.

  8. On the File to Export page, click Browse, and then open the shared folder that you created in the previous procedure.

  9. Type a file name to identify the certificate that you are exporting, and then click Save. The file path appears on the File to Export page of the Certificate Export Wizard.

  10. Click Next.

  11. Review the settings for accuracy, and then click Finish.

  12. Click OK to acknowledge that you have successfully exported the certificate.

  13. Click Close to close the Certificate dialog box.

  14. Click OK to close the Internet Options dialog box.

After you successfully export the third-party certificate to the shared folder, complete the following steps to install the certificate on the Windows Mobile device.

To install the certificate on the Windows Mobile device

  1. Cradle the mobile device to your client computer.

  2. On the client computer, open Windows Explorer, and then open the shared folder that you created on the server.

  3. Copy the certificate file from the shared folder, and then paste the copied file into the Mobile Device node in Windows Explorer on the client computer. This places the certificate in the My Documents folder on the device.

  4. On the Windows Mobile device, open File Explorer (for Pocket PCs) or File Manager (for Smartphones).

Note

To open File Explorer, click Start, and then click Programs. To open File Manager, click Start, and then click More.

  1. Find the certificate file you just copied to the My Documents folder on the device, and then run the file by either tapping the file name or by selecting the file and then pressing ENTER.

  2. Click Yes on the confirmation message box to install the certificate. If you receive no error messages, the certificate is installed successfully.

    If you receive an error message and the certificate is not installed, you need to use an external utility to install the certificate on the device. To install the certificate using the external utility, perform the following steps:

    1. On the client computer, download smartphoneaddcert.exe from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75113). If your mobile operator has a signed version of smartphoneaddcert.exe available at this Web site, download the signed version.

Note

Although Knowledge Base article 841060, which is at the given link, refers only to Windows Mobile 2003 and Windows Mobile 2002, the utility also works with Windows Mobile 5.0. In addition, even though the file is named “smartphoneaddcert.exe,” it also works with Pocket PCs.

    2. Run smartphoneaddcert.exe, and then extract SpAddCert.exe.

    3. Copy SpAddCert.exe to the device.

    4. On the device, create a folder named Storage in the root of the device, and copy the certificate file into the Storage folder.

    5. On the device, run SpAddCert.exe. By default, the certificates in the Storage folder of the device are listed.

    6. To install the certificate, select the certificate that you just copied, and then click OK on all the messages that appear.
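The export step of the procedure above can also be done from a script on the client computer instead of through the Certificate Export Wizard. The following is an added example and is not part of this document or of Windows SBS; it assumes PowerShell 2.0 or later on the client, and the share path \\SBSSERVER\MobileCerts, the file name sbs-root.cer, and the subject text CN=SBSSERVER are placeholders to replace with your own values. It writes the certificate in the DER-encoded binary X.509 (.CER) form that the wizard produces by default and that the device installer accepts, and it refuses to export anything that is not a self-signed root, because the device root store needs the issuing root, not the Web server's own certificate.

```powershell
# Added example (not part of the original article). Exports a root certificate from the
# client computer's Trusted Root stores to the shared folder, as DER (.cer), for installation
# on a Windows Mobile 5.0 device. PowerShell 2.0 or later. The share path, file name and
# subject text are placeholders.
param(
    [string]$SubjectMatch = 'CN=SBSSERVER',            # part of the issuing root's subject
    [string]$SharePath    = '\\SBSSERVER\MobileCerts',
    [string]$FileName     = 'sbs-root.cer'
)

function Test-IsSelfSignedRoot {
    # What belongs in a device root store is the self-signed issuing certificate. A certificate
    # whose Subject and Issuer differ is a leaf or intermediate and will not fix "untrusted" errors.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    return ($Cert.Subject -eq $Cert.Issuer)
}

function Get-CaFlag {
    # Reports whether the certificate asserts CA=true in Basic Constraints (informational only;
    # a self-signed certificate without the extension still installs as a root on the device).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $basic = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($basic -eq $null) { return 'no Basic Constraints extension' }
    if ($basic.CertificateAuthority) { return 'CA=true' } else { return 'CA=false' }
}

function Export-RootCer {
    # X509ContentType.Cert is the DER-encoded certificate only; the private key is never
    # written. Do not export a .pfx to a share that ordinary users can read.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $der.Length
}

# Search both Trusted Root stores: the Windows SBS self-signed root (Option A) or the
# third-party CA root (Option B) is placed in one of them on a client connected to the server.
$candidates = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$SubjectMatch*" })

if ($candidates.Count -eq 0) {
    Write-Host "No certificate matching '$SubjectMatch' was found in the Trusted Root stores."
    exit 1
}

$root = $candidates | Where-Object { Test-IsSelfSignedRoot $_ } | Select-Object -First 1
if ($root -eq $null) {
    Write-Host "Found '$SubjectMatch', but it is not self-signed (Subject differs from Issuer)."
    Write-Host 'Export the issuing root certificate, not the Web server certificate.'
    exit 1
}

if (-not (Test-Path $SharePath)) { Write-Host "Share $SharePath is not reachable."; exit 1 }

$dest  = Join-Path $SharePath $FileName
$bytes = Export-RootCer $root $dest

Write-Host "Exported: $($root.Subject)"
Write-Host "  Basic Constraints: $(Get-CaFlag $root); expires $($root.NotAfter); thumbprint $($root.Thumbprint)"
Write-Host "  $bytes bytes written to $dest; copy this file to the device and run it as described above."
```

Keep the thumbprint the script prints with your deployment notes; it identifies exactly which root was handed to the devices, which matters when a server certificate is later replaced and the old root has to be recognized and removed.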

Step 5: Configure Windows Small Business Server for MSFP

Perform the tasks in this section only if you are deploying mobile devices that are running Windows Mobile 5.0 with MSFP. For more information about MSFP, see the section “Messaging and Security Feature Pack,” earlier in this document.

To configure the server for MSFP, complete the following tasks:

  1. Install SP2 for Exchange Server 2003.

  2. Install the Exchange Server ActiveSync Web Administration tool.

  3. Enable Direct Push.

Install Service Pack 2 for Exchange Server 2003

As discussed earlier, you must have SP2 for Exchange Server 2003 already installed on your server that is running Windows SBS to take advantage of the new features of Windows Mobile 5.0 with MSFP. If your server is running Windows SBS 2003 R2, the service pack is already installed. If you are running Windows SBS 2003 with SP1 and the Exchange Server service pack is not already installed, install it by downloading it from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75114).

Note

If you are using Windows SBS 2003 R2, SP2 for Exchange Server 2003 comes preinstalled.

Install the Exchange Server ActiveSync Web Administration Tool

To take advantage of the remote-device wipe feature of MSFP, you need to install the Exchange Server ActiveSync Web Administration tool. Note that before you install the tool, SP2 for Exchange Server 2003 must already be installed on your server that is running Windows SBS.

The tool is available for download at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75115).

After you install the Exchange Server ActiveSync Web Administration tool, ensure that the installation was successful. To do this, open Internet Explorer on the server, browse to https://localhost/mobileadmin, and log on to the console by providing domain administrator credentials.

Enable Direct Push

Direct Push provides users with immediate access to new information or changes to information that is stored on the Exchange server, including e-mail, calendar, contacts, and tasks information.

To enable Direct Push on the server

  1. Ensure that SP2 for Exchange Server 2003 is installed on the server.

  2. Open Exchange System Manager.

  3. Expand Global Settings.

  4. Right-click Mobile Services, and then click Properties.

  5. Verify that the Enable Direct Push over HTTP(s) check box is selected.

To enable Direct Push on the device

  1. Ensure that the device is not connected to a client computer.

  2. Run ActiveSync on the device.

  3. Navigate to Menu\Schedule.

  4. Set Sync during to As items arrive.

Step 6: Configure Device Synchronization

This section helps you configure a Windows Mobile powered device to synchronize with the server and with client computers that have Microsoft ActiveSync 4.2 installed. For guidance on installing ActiveSync 4.2, see “Step 1: Install ActiveSync 4.2,” earlier in this document.

To configure a Windows Mobile device to synchronize with Windows SBS

  1. Connect the Windows Mobile device to a client computer. The connection method depends on the capabilities of the device and the computer, and it typically uses a USB, serial, Bluetooth, or infrared port.

Note

ActiveSync 4.2 must be installed on the client computer.

  2. After you connect the device to a client computer, the Synchronization Setup Wizard opens automatically on the client computer.

Note

If the device has already been configured once, the wizard pages differ from those described here.

  3. Click Next on the Welcome page.

  4. On the Synchronize directly with a server page, select the Synchronize directly with a server running Microsoft Exchange Server check box, and then click Next.

  5. On the Exchange server credentials page, type the public DNS name of the server and the logon credentials of the user. Select the This server requires an encrypted (SSL) connection and the Save password check boxes. Click Next.

    ActiveSync attempts to connect to the server.

    If you receive any errors during the attempt, see “Troubleshooting,” later in this document.

  6. On the Synchronization Options page, select the items that you want the device to synchronize. Select Exchange Server as the Source for Contacts, Calendar, Tasks, and E-mail. Additional items, such as Media and Favorites, can be synchronized with the client computer only.

  7. Click Next, and then click Finish to complete the wizard.

Step 7: Test the Deployment

This section provides guidance on testing the deployment of the mobile devices.

Test Over-the-Air Synchronization

To test the configuration of over-the-air ActiveSync on the device

  1. Ensure that the device is not connected to the client computer or to a wireless LAN with Internet access.

  2. Ensure that wireless data connectivity to the Internet, such as GPRS, is available on the device.

  3. Open ActiveSync on the device and begin to synchronize.

    The device connects to the Internet, if it is not already connected, and it synchronizes the items that you selected when you configured ActiveSync.

    If the synchronization does not work for any reason, see "Troubleshooting," later in this document, for more information.

Test Direct Push

To test the configuration of Direct Push

  1. Ensure that the mobile device is not connected to a client computer or to a wireless LAN with Internet access.

  2. Ensure that wireless data connectivity to the Internet, such as GPRS, is available on the device.

  3. Send a message to the user account for which the device is configured.

  4. Verify that the device receives the new message immediately.

Note

Direct Push is not used for synchronization when the device is connected to a computer or to a wireless LAN with Internet access.

Remote Management

Windows Mobile 5.0 with MSFP offers several new features that help you better manage mobile devices and better protect data. This section provides guidance on using the following two features:

  • Remote device wipe.

  • Device security policies.

Remote Device Wipe

The remote device wipe feature enables you to erase all information on a device remotely. This prevents any compromise of corporate data if a user misplaces a device.

Note

To use the remote device wipe feature, you must have SP2 for Exchange Server 2003 and the Exchange Server ActiveSync Web Administration tool installed on the Exchange server. For guidance on installing these, see the section “Step 5: Configure Windows Small Business Server for MSFP,” earlier in this document.

To remotely wipe all information from a device

  1. On any computer in the network, open Internet Explorer, browse to https://ServerName/mobileadmin, and then log on using domain administrator credentials.

  2. Click Remote Wipe.

  3. Type the mailbox name or the default SMTP address of the user whose device you want to wipe, and then press ENTER.

  4. Click the Wipe link next to the device name that you want to wipe remotely.

Note

If you plan to ever reuse the same device, go back to the Mobile Admin site and cancel the wipe command after the wipe is successful.

Device Security Policies

You can enforce device security policies on Windows Mobile 5.0 powered devices, such as password requirements. This helps protect information that is stored on the mobile devices. You can configure device security policies only on a server that is running Windows SBS and that has SP2 for Exchange Server installed.

To define and enforce security policies for mobile devices

  1. On the server, open Exchange System Manager.

  2. Expand Global Settings.

  3. Right-click Mobile Services, and then click Properties.

  4. Click the Device Security button.

  5. In the Device Security Settings dialog box, configure the device security policy for Windows Mobile devices.

  6. If you do not want to apply the policy to some user accounts, click the Exceptions button, and then add the user accounts to the exceptions list.

  7. Click OK.

Troubleshooting

This section provides some troubleshooting steps and tips to resolve a number of issues that may occur while deploying Windows Mobile devices. The troubleshooting steps and tips are categorized into the following sections:

  • Installing ActiveSync on client computers

  • Installing SP2 for Exchange Server 2003

  • Configuring ActiveSync

  • Synchronizing the mobile device

  • Accessing the Exchange Server ActiveSync Web Administration tool

  • Deploying certificates

  • Configuring the device

Installing ActiveSync on Client Computers

If ActiveSync 4.2 is not installed successfully on a client computer, try the following:

  • Ensure that you are logged on as a local administrator on the computer. The software cannot be installed without local administrative rights.

Note

By default, Windows SBS makes a user a local administrator when the user joins the computer to the network using the Connect Computer Wizard.

  • If you are using Group Policy to install ActiveSync, ensure the following:

    • The access control lists (ACLs) are set properly on the GPO.

      The Authenticated Users group must not be on the list, and the Windows SBS Mobile Users group must have Read and Apply Group Policy permissions checked.

    • The GPO is linked to the proper organizational unit (OU). The steps provided in this document link the GPO to the Windows SBS Users OU. If you did not use the User Setup wizards to create user accounts or if the user accounts are not in the Windows SBS Users OU for some reason, ActiveSync will not be installed when the users log on.

Installing SP2 for Exchange Server 2003

If you cannot install SP2 for Exchange Server 2003 because the Update action is disabled on the Component Selection page of the Microsoft Exchange Installation Wizard, ensure that Internet Message Filter (IMF) is not installed on the Exchange server.

Before you install SP2 for Exchange Server 2003, you must uninstall IMF. An updated version of IMF is included in SP2 for Exchange Server 2003.

You can uninstall IMF by using Add or Remove Programs in Control Panel.

For any other issues with the service-pack installation, see the Exchange Server 2003 SP2 Readme file.

Configuring ActiveSync

The following are some errors that may occur while configuring ActiveSync:

  • The following error indicates a problem with SSL connectivity with the server.

    To troubleshoot this problem, see the section “Check for Certificate-Related Problems,” later in this document.

  • When configuring the server, the following error indicates that the device cannot reach the server. The device has not reached the point of checking the certificate when this error occurs.

    Check the firewall configuration and the IP connectivity.

  • When configuring the server, the following error indicates that the device can reach the server, but there is a problem with the certificate.

    Depending on the type of certificate you are using, perform one of the following:

    • If you are using a third-party certificate, there is a problem with the server certificate. Try to access the server from a computer on the Internet by using the steps in the section “Check for Certificate-Related Problems,” later in this document.

    • If you are redirected to an SSL connection without a prompt for a certificate, ensure that the certificate is from a CA that is listed in the supported list for Windows Mobile. Windows Mobile devices do not support as many root CAs as Windows-based desktop computers. Your CA may be approved on Windows-based desktop computers but not on Windows Mobile devices. For a list of supported CAs, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=61499).

    • If you are prompted for a certificate and are not redirected to an SSL connection, verify that you have the right type of certificate (Web server certificate). You may also try reinstalling the certificate on the server by following the steps provided in the section “Option B: Configure a Third-Party Certificate,” earlier in this document. If none of these steps work, work with the CA to troubleshoot the issue.

  • If you are using a self-signed certificate, you may not have installed the certificate on the device. Click Continue, and then install the certificate after the wizard finishes. You cannot synchronize until the certificate is installed on the device.

  • If you have already installed the certificate on the device, there is a problem with the certificate. Use the steps in the section “Check for Certificate-Related Problems,” later in this document, to do the following:

    • Ensure that the certificate on the server is installed correctly.

    • Ensure that the certificate on the device is installed correctly.

    Try to reinstall the certificate to the device. Make sure that you receive a message on the device that the certificate has been successfully added to the root store. If you receive any other error, follow the instructions provided for using SpAddCert.exe in the section “Option A: Configure a Self-Signed Certificate.”

Synchronizing the Mobile Device

Some Users Cannot Synchronize

If some users cannot synchronize their devices, but others can, check the following:

  • On the Exchange Features tab of the user account properties dialog, ensure that all mobile services are set to Enabled.

  • Ensure that the device has Internet access by browsing to a Web site from the device.

  • Some carriers require a SIM update to use data service. Check with your mobile operator for any such requirements.

  • Ensure that the time and time zone is set properly on the device.

  • Some devices cache the IP addresses that DNS names resolve to. If your server uses a dynamic IP address together with a dynamic DNS service such as DynDNS.org, you may need to reset the device when the IP address changes.

  • If you are using Smartphones, you may have to use a third-party certificate from a trusted CA. Many Smartphones cannot use a self-signed certificate. However, all Pocket PC devices can use a self-signed certificate, so they can work without a third-party certificate.

No User Can Synchronize

If no user can synchronize devices, do the following:

  • Check for certificate-related problems.

  • Check the Application event log.

  • Check the firewall configuration.

To check for certificate-related problems, perform the following:

  • If you are using a third-party certificate, check the certificate on the server. To do this, browse to https://YourPublicDNS.YourServer.com/exchange on a computer (not connected to your LAN) that has Internet access, and ensure that you are redirected to an SSL connection without a prompt for a certificate.

  • When you synchronize a device, click Attention Required on the ActiveSync screen. Review the error message to see if it refers to a certificate problem.

  • If you are using a self-signed certificate, ensure that it is installed properly on the device. To do this, browse to https://YourPublicDNS.YourServer.com/exchange on the device, and ensure that you are redirected to an SSL connection without a prompt for a certificate.

  • You may receive an error when you try to install a self-signed certificate on the device by using the instructions in this document. In that case, manually export the certificate from a client computer that is connected to the server, rather than using the files in the \\server\clientapps\sbscert directory. Run certmgr.msc from a command prompt to open the Certificates console, and then export the certificate from the Trusted Root Certification Authorities\Certificates folder.

Note

Tools such as disablecertchk.exe and addrootcert.exe do not work with Windows Mobile 5.0. These tools were created for earlier versions of Windows Mobile. Follow the instructions in this document to add a certificate using the new tools certinst.exe and SpAddCert.exe, which are compatible with Windows Mobile 5.0.

Note

The certinst.exe tool is installed on many devices by the device manufacturers. You can use the tool to add a certificate by opening it on the device, as described in this document.

Check the Application Event Log

Check the application event log on the server for any errors related to ActiveSync.

Check the Firewall Configuration

To check the firewall configuration, check the following:

  • Ensure that port 443 is open and that traffic to that port is being directed to the server.

  • Ensure that checks for User-Agent strings are disabled. Some firewalls have this check enabled by default. Exchange ActiveSync does not send User-Agent strings.

  • Ensure that the timeout value is set high enough for SSL connections, typically 15 minutes.

  • For more information, see Knowledge Base article 905013, “Enterprise firewall configuration for Exchange ActiveSync Direct Push Technology,” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75116).

  • If you did not upgrade to Internet Security and Acceleration Server 2004 when you installed SP1 for Windows SBS, you need to add a registry key to use Direct Push with ISA Server 2000. For more information, see Knowledge Base article 304340, "The ISA Server response to client options requests is limited to a predefined set," at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=75117). (This article describes a different issue, however the registry change it specifies applies to Direct Push on ISA Server 2000).

If you are using ISA Server, you may need to implement a split DNS configuration to have a uniform experience both inside and outside the LAN. For more information, see "You Need to Create a Split DNS!" at the ISAServer.org Web site (https://go.microsoft.com/fwlink/?LinkID=75118).
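The certificate checks in “Check for Certificate-Related Problems” and the port and User-Agent checks in “Check the Firewall Configuration” can be run together from a script before a device is involved. The following is an added example and is not part of this document or of Windows SBS; it assumes PowerShell 2.0 or later on a workstation outside the LAN (so that the public DNS name and the firewall are exercised, as the browser test above requires), and mail.example.com is a placeholder for your server's public DNS name. It confirms that TCP port 443 is reachable, validates the server's certificate chain the way a client does and reports the result instead of silently trusting it, and then sends an OPTIONS request with no User-Agent header to the Microsoft-Server-ActiveSync virtual directory, where an HTTP 401 without credentials is the expected, healthy answer.

```powershell
# Added example (not part of the original article). Pre-flight checks for the Exchange
# ActiveSync endpoint from OUTSIDE the LAN: firewall (TCP 443 reachable and forwarded),
# certificate (chain validated as a client validates it), and the virtual directory itself.
# PowerShell 2.0 or later; mail.example.com is a placeholder for the public DNS name.
param(
    [string]$ServerName = 'mail.example.com',
    [int]$Port = 443,
    [switch]$AllowUntrusted   # diagnostic only: continue past a failed chain, but still report it
)

$script:TlsErrors   = [System.Net.Security.SslPolicyErrors]::None
$script:ChainInfo   = @()
$script:CertSubject = $null; $script:CertIssuer = $null; $script:CertExpires = $null

function Test-TcpPort {
    # Firewall check: does a TCP connection to the public name on this port complete?
    param([string]$Name, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($Name, $Port, $null, $null)
    $done   = $async.AsyncWaitHandle.WaitOne(5000, $false)     # 5-second connect timeout
    $open   = $done -and $client.Connected
    $client.Close()
    return $open
}

# Certificate check. The callback records what chain validation found instead of the usual
# "return $true" shortcut, so a bad certificate is reported rather than hidden; the request
# is allowed to continue only when -AllowUntrusted was given.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $sslPolicyErrors)
    $script:TlsErrors   = $sslPolicyErrors
    $script:ChainInfo   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $script:CertSubject = $cert.Subject
    $script:CertIssuer  = $cert.Issuer
    $script:CertExpires = $cert.GetExpirationDateString()
    if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) { return $true }
    return [bool]$script:AllowUntrusted
}

function Test-ActiveSyncEndpoint {
    # OPTIONS to the ActiveSync virtual directory. HttpWebRequest sends no User-Agent header
    # unless one is set, so a firewall rule that insists on one is exercised too. No credentials
    # are sent: HTTP 401 is the expected result and proves the request reached IIS.
    param([string]$Name, [int]$Port)
    $req = [System.Net.HttpWebRequest]::Create("https://${Name}:${Port}/Microsoft-Server-ActiveSync")
    $req.Method  = 'OPTIONS'
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -eq $null) {
            return @{ Status = 0; Versions = $null; Error = $_.Exception.Message }
        }
        $resp = $_.Exception.Response
    }
    $result = @{ Status = [int]$resp.StatusCode; Versions = $resp.Headers['MS-ASProtocolVersions']; Error = $null }
    $resp.Close()
    return $result
}

if (-not (Test-TcpPort $ServerName $Port)) {
    Write-Host "TCP $Port to $ServerName is closed or not forwarded. Fix the firewall before looking at certificates."
    exit 1
}
Write-Host "TCP $Port to $ServerName is open."

$result = Test-ActiveSyncEndpoint $ServerName $Port

if ($script:CertSubject -ne $null) {
    Write-Host "Certificate: $script:CertSubject, issued by $script:CertIssuer, expires $script:CertExpires"
    Write-Host "Chain validation: $script:TlsErrors $(if ($script:ChainInfo.Count -gt 0) { '(' + ($script:ChainInfo -join ', ') + ')' })"
    if ($script:TlsErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Host 'A device will reject this chain unless the issuing root is installed in its root store (Step 4).'
    }
}

switch ($result.Status) {
    401     { 'HTTP 401: reached the Microsoft-Server-ActiveSync virtual directory; it requires authentication, as expected.' }
    200     { "HTTP 200: endpoint answered; supported protocol versions: $($result.Versions)" }
    404     { 'HTTP 404: no ActiveSync virtual directory on the Web site that port 443 reaches.' }
    0       { "No HTTP response: $($result.Error)" }
    default { "HTTP $($result.Status): unexpected; check IIS and the firewall rule for port $Port." }
}
```

Run it once with a third-party certificate and once from a workstation that has the self-signed root installed; a chain result other than None on the first run is the same failure the device will report, and a 401 that becomes a 404 or a timeout when the script is run from outside the LAN points at the firewall or at a split-DNS gap rather than at the certificate.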

If you are using ISA Server 2004, and users can synchronize over the air but not from the cradle, you may be able to resolve some issues by configuring settings for ISA Server 2004.

To configure settings for ISA Server 2004

  1. Open ISA Server Management.

  2. In the console tree, expand Configuration, and then click General.

  3. In the details pane, click Define Firewall Client Settings.

  4. In the Firewall Client Settings dialog box, click the Application Settings tab, and then create the following three new application settings.

Table 4. New Application Settings to Create in ISA Server

  Application   Key        Value
  WCESCOMM      Disabled   0
  WCESMGR       Disabled   0
  REPIMGR       Disabled   0

Accessing the Exchange Server ActiveSync Web Administration Tool

If you cannot access the Web site for the Exchange Server ActiveSync Web Administration tool, perform the following:

  • On the server, open Internet Information Services (IIS) Manager, and then ensure that there is only one default Web site in IIS Manager.

    When the tool is installed, a duplicate default Web site is created if your original default Web site is bound to a specific IP address. To remove the duplicate default Web site, you can use either of the following two methods:

    • Option A:
    1. Uninstall the tool.

    2. Change the IP address settings of the original default Web site to “All Unassigned”.

    3. Install the tool again.

    4. Revert the IP address settings of the default Web site back to the original values.

    • Option B:
    1. Create a new virtual directory in the original default Web site.

    2. Export the settings from the duplicate default Web site.

    3. Import the settings to the new virtual directory in the original default Web site.

    4. Delete the duplicate default Web site created by the tool.

  • Check the settings of the ExAdmin virtual directory to ensure that SSL is not required.

To check the settings of the ExAdmin virtual directory

  1. In Internet Information Services (IIS) Manager, expand Default Web Site, right-click ExAdmin, and then click Properties.

  2. On the Directory Security tab, in the Secure Communication section, click Edit.

  3. Ensure that the Require secure channel (SSL) check box is cleared.

  • Ensure that the MobileAdmin virtual directory is running in the Exchange Application Pool.

To ensure that the MobileAdmin virtual directory is running in the Exchange Application Pool

  1. In Internet Information Services (IIS) Manager, expand Default Web Site, right-click MobileAdmin, and then click Properties.

  2. On the Virtual Directory tab, in Application Pool, select ExchangeApplicationPool.

Deploying Certificates

Obtaining a Certificate

If you are having difficulty in obtaining a third-party certificate, perform the following:

  • Ensure that your organization’s Dun & Bradstreet (D&B) or other commercial directory information is up-to-date before you apply for a certificate. You can check your D&B information at the Dun & Bradstreet Web site (https://go.microsoft.com/fwlink/?LinkId=75119).

  • If you have a trade name, ensure that it is documented with your D&B information. Be prepared to provide proof of the trade name. Examples of items that are commonly accepted by root CAs for issuing a certificate include Articles of Incorporation, Business License, and D&B details.

  • Depending on how you applied for the certificate, prepare as follows:

    • Using a trade or DBA (Doing Business As) name: Provide a trading license, a copy of a utility bill, a bank statement, or a check that shows both the trade name and the company name.

    • Using a personal name: Provide a copy of your driver’s license or passport.

      These requirements vary across CAs, but all CAs verify your identity before they issue a certificate. The information provided to the CA must exactly match the information you entered in the original certificate signing request. For example, if your articles of incorporation show an address that is different than the address you provide in the certificate signing request, the CA will not issue the certificate.

Creating a Certificate Signing Request

Perform the following checks when you are creating a certificate signing request:

  • Ensure that there is no certificate on the server. If there is, you must remove it before you create the new certificate signing request.

  • If you have installed a certificate from a CA on the server, ensure that the certificate signing request is not sent immediately to an online authority. This will not create a third-party certificate.

Installing a Self-Signed Certificate

Following are some problems that may occur while installing a self-signed certificate on a mobile device:

  • Running SpAddCert.exe on the mobile device gives the following error:

    smartphoneaddcert is not a valid Windows CE application

    This error appears when the utility is run on a Windows Mobile 5.0 Smartphone that does not accept root certificates. You cannot use a self-signed certificate on such a device. Ask your mobile operator or device manufacturer if they provide a separate utility for installing self-signed certificates. If they do not, you need to use a third-party certificate.

  • Certchk.exe gives an error.

    Certchk.exe utility is not supported on Windows Mobile 5.0 and will not work.

  • AddRootCert.exe cannot be run.

    AddRootCert.exe is not supported on Windows Mobile 5.0 and will not work.

  • Running the certificate after copying it to the device does not install the certificate (add to the root store) successfully.

    You may need to use SpAddCert.exe to install the certificate to the root store. For instructions, see the section “Option A: Configure a Self-Signed Certificate,” earlier in this document.

Configuring the Device

Direct Push Messages

If messages are not being received immediately, do the following:

  • Ensure that the device is running Windows Mobile 5.0 with MSFP. Direct Push technology is available only on devices that have MSFP installed. You can check whether MSFP is installed on your device by confirming that the Windows Mobile build number is 14847 or higher.

  • Ensure that the device is not cradled to a computer or connected to a wireless LAN. Direct Push works only with over-the-air synchronization.

Device Policy

If new policies pushed to the device are not applied, ensure that the device has synchronized since the policy was updated. Policies are applied during the ActiveSync cycle, and new policies are not applied until the next synchronization.

When the policy is applied to a device, the user is prompted and given the opportunity to bring the device into compliance with the new policy, for example, by setting a password.

Synchronizing

If a user-initiated synchronization fails on the device:

  • Check whether you can access Outlook Web Access (OWA) and Outlook Mobile Access (OMA). This verifies server connectivity, and it ensures that no certificate-related errors exist.

  • Check for wireless Internet connectivity from the device. If the device does not have wireless Internet connectivity, contact the mobile operator.

  • Check the IIS logs on the server. Look for entries coming from the mobile device, and see if there are any error messages that might help determine the problem.

  • Enable logging on the device, and check the logs for entries that give more information about the problem. To enable logging on the device, perform the following steps:

    • If you have a Pocket PC:
    1. Click Start, click Programs, and then click ActiveSync.

    2. Click Menu, and then click Configure Server.

    3. Click Next, and then click Advanced.

    • If you have a Smartphone:
    1. Click Start, and then click ActiveSync.

    2. Click Menu, click Configure Server, click Next, click Next again, click Menu, and then click Advanced.

    • On either type of device, after you reach the Advanced settings:
    1. Change the logging level to Verbose. Logs are stored on the device in the Windows\ActiveSync folder.

    2. Click Next, and then click Finish.
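The step above that says to check the IIS logs on the server for entries from the mobile device is easier with a script that pulls the ActiveSync requests out of the W3C log and answers the three questions that matter here: which users and devices are failing authentication, which requests failed on the server side (to be matched against the Application event log), and whether Direct Push heartbeats are being held open for the expected interval. The following is an added example and is not part of this document or of Windows SBS; it assumes PowerShell 2.0 or later on the server. The log lines in $sampleLog are constructed sample data, in the default IIS 6.0 W3C field order with time-taken added, so the script runs as-is; pass -LogPath to point it at a real log file under %SystemRoot%\system32\LogFiles\W3SVC1\ (the default Web site's log folder).

```powershell
# Added example (not part of the original article): summarizes Exchange ActiveSync requests in
# an IIS 6.0 W3C log. $sampleLog is constructed sample data; -LogPath selects a real file.
# PowerShell 2.0 or later.
param([string]$LogPath)

$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-27 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-05-27 08:00:01 192.168.16.2 OPTIONS /Microsoft-Server-ActiveSync - 443 - 203.0.113.10 - 401 2 0 15
2009-05-27 08:00:02 192.168.16.2 OPTIONS /Microsoft-Server-ActiveSync - 443 CONTOSO\jsmith 203.0.113.10 - 200 0 0 31
2009-05-27 08:00:03 192.168.16.2 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=4B5C3E1F&DeviceType=PocketPC&Cmd=FolderSync 443 CONTOSO\jsmith 203.0.113.10 - 200 0 0 187
2009-05-27 08:00:05 192.168.16.2 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=4B5C3E1F&DeviceType=PocketPC&Cmd=Sync 443 CONTOSO\jsmith 203.0.113.10 - 200 0 0 640
2009-05-27 08:00:06 192.168.16.2 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=4B5C3E1F&DeviceType=PocketPC&Cmd=Ping 443 CONTOSO\jsmith 203.0.113.10 - 200 0 0 900125
2009-05-27 08:02:11 192.168.16.2 POST /Microsoft-Server-ActiveSync User=bjones&DeviceId=9A8F7E6D&DeviceType=SmartPhone&Cmd=Sync 443 - 198.51.100.7 - 401 1 0 16
2009-05-27 08:02:12 192.168.16.2 POST /Microsoft-Server-ActiveSync User=bjones&DeviceId=9A8F7E6D&DeviceType=SmartPhone&Cmd=Sync 443 - 198.51.100.7 - 401 1 0 16
2009-05-27 08:05:40 192.168.16.2 POST /Microsoft-Server-ActiveSync User=mlee&DeviceId=1122AABB&DeviceType=PocketPC&Cmd=Sync 443 CONTOSO\mlee 198.51.100.9 - 500 0 0 250
2009-05-27 08:06:00 192.168.16.2 GET /exchange/ - 443 CONTOSO\mlee 198.51.100.9 Mozilla/4.0 200 0 0 45
'@

function Read-W3cLog {
    # Turns W3C log lines into objects whose property names come from the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($fields -eq $null -or $line.Trim() -eq '' -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }       # truncated or malformed line
        $obj = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj | Add-Member NoteProperty $fields[$i] $values[$i] }
        $obj
    }
}

function Get-EasRequests {
    # Keeps only ActiveSync requests and pulls User, DeviceId, DeviceType and Cmd from the query string.
    param([string[]]$Lines)
    Read-W3cLog $Lines | Where-Object { $_.'cs-uri-stem' -like '*/Microsoft-Server-ActiveSync*' } | ForEach-Object {
        $q = @{}
        if ($_.'cs-uri-query' -ne '-') {
            foreach ($pair in ($_.'cs-uri-query' -split '&')) {
                $kv = $pair -split '=', 2
                if ($kv.Count -eq 2) { $q[$kv[0]] = $kv[1] }
            }
        }
        New-Object PSObject -Property @{
            Time       = $_.date + ' ' + $_.time
            ClientIP   = $_.'c-ip'
            User       = $(if ($q.ContainsKey('User')) { $q['User'] } else { $_.'cs-username' })
            DeviceId   = $(if ($q.ContainsKey('DeviceId')) { $q['DeviceId'] } else { '-' })
            DeviceType = $(if ($q.ContainsKey('DeviceType')) { $q['DeviceType'] } else { '-' })
            Cmd        = $(if ($q.ContainsKey('Cmd')) { $q['Cmd'] } else { $_.'cs-method' })
            Status     = [int]$_.'sc-status'
            Seconds    = [math]::Round(([int]$_.'time-taken') / 1000, 1)
        }
    }
}

$lines    = $(if ($LogPath) { Get-Content $LogPath } else { $sampleLog -split "`r?`n" })
$requests = @(Get-EasRequests $lines)

"ActiveSync requests in log: $($requests.Count)"

"Authentication failures (HTTP 401) by user, device and client address:"
$requests | Where-Object { $_.Status -eq 401 } | Group-Object User, DeviceId, ClientIP |
    ForEach-Object { "  $($_.Count) x $($_.Name)" }

"Server-side failures (HTTP 5xx) to match against the Application event log:"
$requests | Where-Object { $_.Status -ge 500 } |
    ForEach-Object { "  $($_.Time) $($_.User) $($_.DeviceType)/$($_.DeviceId) Cmd=$($_.Cmd) -> $($_.Status)" }

"Direct Push heartbeats (Cmd=Ping) and how long each was held open:"
$requests | Where-Object { $_.Cmd -eq 'Ping' } |
    ForEach-Object { "  $($_.User) $($_.DeviceId) held $($_.Seconds) s" }
```

Repeated 401s from a single user and device, as in the constructed bjones lines, point at the mailbox's mobile services setting or at saved credentials on the device rather than at the server as a whole; a 5xx is the entry to line up with the Application event log by time. A Ping that is consistently cut off well short of the interval the device asked for (the sample shows one held for about 15 minutes) is the firewall idle timeout from “Check the Firewall Configuration,” not an Exchange problem.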