Small Business Server 2003

Dean Calvert – SBS MVP
Principal Consultant & Managing Director
Calvert Technologies, Adelaide

A great platform for mobility

Defining Mobility

Mobility can mean different things to different people

LAN access around the office

Email access beyond the office

Remote access to company data

Remote access to company applications

What do you need to gain access to, and how?

Mobility Support and SBS

Remote Web Workplace

Companyweb

Outlook Web Access

Application sharing server

Remote desktop

Download VPN connectoid for Windows PCs

SBS remote connectivity requires only 4 ports

HTTPS (TCP 443)

RDP proxy (TCP 4125)

Companyweb (TCP 444)

PPTP (TCP 1723, GRE)

Hint: Run the CEICW!!

Mobility Support and SBS

Outlook Web Access

https://server.fqdn/exchange

Outlook Mobile Access

https://server.fqdn/oma

Support for Direct Push with Exchange 2003 SP2

Mobile Devices

Requires only HTTPS (TCP 443) for OMA

Windows Mobile 5 devices require some “tricks” to get a self-signed certificate onto the device

Edit registry of device

HKLM\Security\Policies\Policies\00001017 = 144

Regedit tools: Regedit.NET 1.0 from www.pocketgear.com (http://www.pocketgear.com/software_detail.asp?id=17108)

Hint: download the 7 day trial & you don’t really need to provide your email address to download it. Make sure you have .NET installed on your PC first. You can uninstall the Regedit tool after the certificates have been installed

Mobile Devices

Certificates viewable under Start/Settings/System/Certificates/Root

Export certificates from server or PC local store & copy to device. Double-click to install and verify certificates are installed from the above location

Hint: use ActiveSync 4.2 (download from MS). *** Avoid ActiveSync 4.0 ***

http://www.microsoft.com/downloads/details.aspx?FamilyID=7269173a-28bf-4cac-a682-58d3233efb4c&DisplayLang=en

Test certificate by visiting OWA site of server

https://server.fqdn/exchange

Mobile Devices

Configure device via ActiveSync to sync with Exchange Server for:

Email

Watch the size downloaded to minimise GPRS costs

Set to download attachments to storage card

Calendar

Contacts

Tasks

ActiveSync Hints

Hint: make sure you have the correct Connection Settings specified in ActiveSync on your computer when in the office or remote

Hint: if your server has private IP on external interface you need to create a DNS zone for your external domain name and enter a host record for the server’s FQDN with the external private IP

ActiveSync Troubleshooting

Upgrade to ActiveSync 4.2

Refer to www.microsoft.com/windowsmobile/help/activesync/default.aspx

Corporate environment help: www.microsoft.com/windowsmobile/help/activesync/troubleshoot.aspx

Configuring Exchange Server

Pre-requisite – SP2 must be installed for Direct Push

Other Mobile Tricks

Remote desktop connection

Use VPN connection into your network then terminal service client to connect to server

OR if you have TCP port 3389 open on your firewall you can connect straight in

Hint: DON’T DO THIS!!!!!

Security settings

Refer to Exchange security policy previously shown

Beware the data stored on memory cards of devices in case they get lost or stolen

Hint: crystal based screen protectors are a fantastic low cost purchase for your precious PDA
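
An added example, not part of the original deck: a PowerShell check, run from outside the firewall against your own server, that the only TCP ports reachable are the four the deck lists and that 3389 is not exposed. The function names Test-TcpPort and Get-SbsExposure are hypothetical, and server.fqdn is the deck's placeholder host name.

```powershell
# Added example, not from the original deck. Run from OUTSIDE the firewall,
# against your own server. 'server.fqdn' is the deck's placeholder host name.
$Checks = @(
    @{ Port = 443;  Service = 'HTTPS';        Wanted = $true  },
    @{ Port = 444;  Service = 'Companyweb';   Wanted = $true  },
    @{ Port = 1723; Service = 'PPTP control'; Wanted = $true  },
    @{ Port = 4125; Service = 'RDP proxy';    Wanted = $true  },
    @{ Port = 3389; Service = 'Direct RDP';   Wanted = $false }
)

function Test-TcpPort {
    # Returns $true only if a TCP connection completes within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-SbsExposure {
    # Emits one result object per port with a plain-language finding.
    param([string]$HostName)
    foreach ($check in $Checks) {
        $open = Test-TcpPort -HostName $HostName -Port $check.Port
        if ($open -and -not $check.Wanted) {
            $finding = 'EXPOSED: close this port and connect over the VPN instead'
        } elseif (-not $open -and $check.Wanted) {
            $finding = 'Closed or filtered: fine unless you use this feature'
        } else {
            $finding = 'OK'
        }
        New-Object PSObject -Property @{
            Port = $check.Port; Service = $check.Service; Open = $open; Finding = $finding
        } | Select-Object Port, Service, Open, Finding
    }
}

# GRE (IP protocol 47), which PPTP also needs, is not TCP and cannot be probed this way.
Get-SbsExposure -HostName 'server.fqdn' | Format-Table -AutoSize
```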

Beyond The Desk

Mobility is not just mobile devices outside the LAN

What about wireless?

Can it be secure?

ABSOLUTELY

Refer to http://home.comcast.net/~clearviewtc/ for Owen Williams jnr’s article on “Configuring Secure Wireless Network Access with Microsoft Windows Small Business Server 2003”

Digital certificate based authentication & encryption keys that are dynamically generated for each wirelessly connecting computer (aka 802.1x with EAP-TLS & WPA)!!

Real Outlook Remotely

Combine SBS 2003 with Windows XP SP2 and Outlook 2003 to get RPC/HTTPS

Computer does not need to be a member of the domain

Works with XP Home too so ideal for those users with home computers connecting to the corporate LAN and you don’t want them to VPN in

How do you do this?

Outlook Over The Internet

Install external certificate onto PC

Visit https://server.fqdn/exchange

View the certificate

Install the certificate

Configure Outlook 2003

When connecting you are prompted to authenticate

Provide domain\username and password

Voila!

More Mobility

Access companyweb without a VPN

Specify to make this available when running the CEICW and ensure any external firewall/router you are using allows TCP port 444 through to the server

Users will be prompted to authenticate when accessing the URL – https://server.fqdn:444/

Some web parts may not display but you can access stored documents

Where To Next?

Continually developing space

Managed servers/software as a service is gathering steam

Means mobility will be part of the norm

Means security becomes even more important

Pass phrases NOT pass words

2-factor authentication

Regular security audits and tests

Offline Files (Client Side Caching)

When it works it’s great, when it doesn’t it’s very painful

Synchronise changes over VPN

Not all file types supported – MDB, PST…

Configurable on the client or through group policy

CSC is stored in %systemroot%\CSC which is hidden by default

Troubleshooting CSC

“Unable to merge offline changes on \\server\share_name. The parameter is incorrect”

Reinitialise the CSC

Open Folder Options, select Offline Files tab

Hold Ctrl-Shift and click “Delete Files” button

Answer Yes twice to restart

Troubleshooting CSC

Option 2

HKLM\Software\Microsoft\Windows\CurrentVersion\NetCache

Key: FormatDatabase

Type: DWORD

Value: 1 (it’s actually ignored)

Restart server

DELETE THIS REGISTRY KEY AFTER RESTARTING!!!
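
An added example, not part of the original deck: the Option 2 steps as PowerShell, with a check that the flag really has been removed after the restart. It assumes FormatDatabase is a DWORD value under the NetCache key, as the slide's Type and Value lines describe; the function names are hypothetical.

```powershell
# Added example, not from the original deck. Run elevated on the machine whose
# offline-files cache is broken. Reinitialising discards unsynchronised changes
# still held in the cache, so copy those files elsewhere first.
$NetCache  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache'
$ValueName = 'FormatDatabase'

function Test-CscReinitFlag {
    # $true while the FormatDatabase value is still present in the registry.
    $props = Get-ItemProperty -Path $NetCache -ErrorAction SilentlyContinue
    return ($null -ne $props -and $null -ne $props.$ValueName)
}

function Set-CscReinitFlag {
    # Step 1: create the flag (the slide notes the data itself is ignored).
    if (-not (Test-Path $NetCache)) { New-Item -Path $NetCache -Force | Out-Null }
    New-ItemProperty -Path $NetCache -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'Flag set. Restart, then run Clear-CscReinitFlag.'
}

function Clear-CscReinitFlag {
    # Step 3: remove the flag after the restart, as the slide insists.
    if (Test-CscReinitFlag) {
        Remove-ItemProperty -Path $NetCache -Name $ValueName
        Write-Output 'Flag removed.'
    } else {
        Write-Output 'Flag not present; nothing to remove.'
    }
}

# Before the restart:  Set-CscReinitFlag
# After the restart:   Clear-CscReinitFlag, then Test-CscReinitFlag to confirm
```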

Resources

Microsoft Windows Small Business Server 2003 Home: http://www.microsoft.com/windowsserver2003/sbs/default.mspx

Microsoft Windows Mobile Solutions, Applications and Handheld Devices: http://www.microsoft.com/windowsmobile/default.mspx

ActiveSync Help & How Tos: http://www.microsoft.com/windowsmobile/help/activesync/default.mspx

Small Business Server 2003 Best Practices book: http://www.smbnation.com/products.htm

Advanced Windows Small Business Server 2003 Best Practices: http://www.smbnation.com/products.htm

Susan Bradley’s Blog: http://msmvps.com/blogs/bradley/archive/category/1578.aspx

Chris Rue’s Remote Device Wipe Page: http://www.chrisrue.com/funcave/2006/08/solving-a-problem-with-remote-device-wipe.html

Resources

List Servers

SBS2K: http://groups.yahoo.com/group/sbs2k/

SmallbizIT: http://groups.yahoo.com/group/smallbizIT/

Newsgroups

Public: Server: news.microsoft.com, Newsgroup: microsoft.public.windows.server.sbs

Partner: Server: privatenews.microsoft.com, Newsgroup: microsoft.private.directaccess.smallbizserver2003

Usergroups

http://www.sbsusers.org/

http://groups.yahoo.com/group/melb-SBSusers/

http://www.sbsfaq.com/default.aspx

http://www.smallbusinessserver.com.au/

http://www.sbsusers.net/

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.