Small Business Server 2003
Dean Calvert – SBS MVP
Principal Consultant & Managing Director
Calvert Technologies, Adelaide
A great platform for mobility
Defining Mobility
Mobility can mean different things to different people
LAN access around the office
Email access beyond the office
Remote access to company data
Remote access to company applications
What do you need to gain access to, and how?
Mobility Support and SBS
Remote Web Workplace
Companyweb
Outlook Web Access
Application sharing server
Remote desktop
Download VPN connectoid for Windows PCs
SBS remote connectivity requires only 4 ports
HTTPS (TCP 443)
RDP proxy (TCP 4125)
Companyweb (TCP 444)
PPTP (TCP 1723, GRE)
Hint: Run the CEICW!!
Mobility Support and SBS
Outlook Web Access
https://server.fqdn/exchange
Outlook Mobile Access
https://server.fqdn/oma
Support for Direct Push with Exchange 2003 SP2
Mobile Devices
Requires only HTTPS (TCP 443) for OMA
Windows Mobile 5 devices require some “tricks” to get a self-signed certificate onto the device
Edit registry of device
HKLM\Security\Policies\Policies\00001017 = 144
Regedit tools: Regedit.NET 1.0 from www.pocketgear.com (http://www.pocketgear.com/software_detail.asp?id=17108)
Hint: download the 7 day trial & you don’t really need to provide your email address to download it. Make sure you have .NET installed on your PC first. Can uninstall Regedit tool after the certificates have been installed
Mobile Devices
Certificates viewable under Start/Settings/System/Certificates/Root
Export certificates from server or PC local store & copy to device. Double-click to install and verify certificates are installed from the above location
Hint: use ActiveSync 4.2 (download from MS). *** Avoid ActiveSync 4.0 ***
http://www.microsoft.com/downloads/details.aspx?FamilyID=7269173a-28bf-4cac-a682-58d3233efb4c&DisplayLang=en
Test certificate by visiting OWA site of server
https://server.fqdn/exchange
Mobile Devices
Configure device via ActiveSync to sync with Exchange Server for:
Email
Watch the size downloaded to minimise GPRS costs
Set to download attachments to storage card
Calendar
Contacts
Tasks
ActiveSync Hints
Hint: make sure you have the correct Connection Settings specified in ActiveSync on your computer when in the office or remote
Hint: if your server has private IP on external interface you need to create a DNS zone for your external domain name and enter a host record for the server’s FQDN with the external private IP
ActiveSync Troubleshooting
Upgrade to ActiveSync 4.2
Refer to www.microsoft.com/windowsmobile/help/activesync/default.aspx
Corporate environment help: www.microsoft.com/windowsmobile/help/activesync/troubleshoot.aspx
Configuring Exchange Server
Pre-requisite – SP2 must be installed for Direct Push
Other Mobile Tricks
Remote desktop connection
Use VPN connection into your network then terminal service client to connect to server
OR if you have TCP port 3389 open on your firewall you can connect straight in
Hint: DON’T DO THIS!!!!!
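The four-port rule from the CEICW slide and the warning just above against opening 3389 straight through the firewall, as an added example (not from the deck): a small Python audit that probes a server's public address for the CEICW ports and reports anything else that answers. The host name, the probe timeout and the bucket names are assumptions.

```python
"""Audit which TCP ports an SBS 2003 perimeter exposes (added example).

Only the four ports the deck lists should answer from outside; 3389 is
flagged because the deck says not to open Remote Desktop on the firewall.
"""
import socket

# The four TCP ports SBS 2003 remote connectivity needs (from the deck).
# GRE (IP protocol 47, used by PPTP) is not a TCP port and cannot be probed here.
SBS_REMOTE_PORTS = {
    443: "HTTPS (RWW / OWA / OMA)",
    4125: "RDP proxy (Remote Web Workplace)",
    444: "Companyweb",
    1723: "PPTP",
}

# Ports the deck says should never be opened straight through the firewall.
NEVER_EXPOSE = {3389: "Remote Desktop (use VPN + terminal services client instead)"}


def probe_tcp(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_exposure(open_ports):
    """Sort externally reachable TCP ports into expected / forbidden / unexpected,
    and list any of the four required ports that did not answer."""
    report = {"expected": {}, "forbidden": {}, "unexpected": {}}
    for port in sorted(open_ports):
        if port in NEVER_EXPOSE:
            report["forbidden"][port] = NEVER_EXPOSE[port]
        elif port in SBS_REMOTE_PORTS:
            report["expected"][port] = SBS_REMOTE_PORTS[port]
        else:
            report["unexpected"][port] = "not required for SBS remote access"
    report["missing"] = sorted(set(SBS_REMOTE_PORTS) - set(open_ports))
    return report


def audit_host(host, ports=None):
    """Probe the candidate ports on host (hypothetical name) and classify what answers."""
    candidates = ports or sorted(set(SBS_REMOTE_PORTS) | set(NEVER_EXPOSE))
    return classify_exposure({p for p in candidates if probe_tcp(host, p)})


if __name__ == "__main__":
    # Constructed sample: what a scan of a misconfigured SBS box might return.
    for bucket, entries in classify_exposure({443, 444, 4125, 1723, 3389, 80}).items():
        print(bucket, entries)
```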
Security settings
Refer to Exchange security policy previously shown
Beware the data stored on memory cards of devices in case they get lost or stolen
Hint: crystal based screen protectors are a fantastic low cost purchase for your precious PDA
Beyond The Desk
Mobility is not just mobile devices outside the LAN
What about wireless?
Can it be secure?
ABSOLUTELY
Refer to http://home.comcast.net/~clearviewtc/ for Owen Williams jnr’s article on “Configuring Secure Wireless Network Access with Microsoft Windows Small Business Server 2003”
Digital certificate based authentication & encryption keys that are dynamically generated for each wirelessly connecting computer (aka 802.1x with EAP-TLS & WPA)!!
Real Outlook Remotely
Combine SBS 2003 with Windows XP SP2 and Outlook 2003 to get RPC/HTTPS
Computer does not need to be a member of the domain
Works with XP Home too so ideal for those users with home computers connecting to the corporate LAN and you don’t want them to VPN in
How do you do this?
Outlook Over The Internet
Install external certificate onto PC
Visit https://server.fqdn/exchange
View the certificate
Install the certificate
Configure Outlook 2003
When connecting you are prompted to authenticate
Provide domain\username and password
Voila!
More Mobility
Access companyweb without a VPN
Specify to make this available when running the CEICW and ensure any external firewall/router you are using allows TCP port 444 through to the server
Users will be prompted to authenticate when accessing the URL – https://server.fqdn:444/
Some web parts may not display but you can access stored documents
Where To Next?
Continually developing space
Managed servers/software as a service is gathering steam
Means mobility will be part of the norm
Means security becomes even more important
Pass phrases NOT pass words
2-factor authentication
Regular security audits and tests
Offline Files (Client Side Caching)
When it works it’s great, when it doesn’t it’s very painful
Synchronise changes over VPN
Not all file types supported – MDB, PST…
Configurable on the client or through group policy
CSC is stored in %systemroot%\CSC which is hidden by default
Troubleshooting CSC
“Unable to merge offline changes on \\server\share_name. The parameter is incorrect”
Reinitialise the CSC
Open Folder Options, select Offline Files tab
Hold Ctrl-Shift and click “Delete Files” button
Answer Yes twice to restart
Troubleshooting CSC
Option 2
HKLM\Software\Microsoft\Windows\CurrentVersion\NetCache
Key: FormatDatabase
Type: DWORD
Value: 1 (it’s actually ignored)
Restart server
DELETE THIS REGISTRY KEY AFTER RESTARTING!!!
Resources
Microsoft Windows Small Business Server 2003 Home: http://www.microsoft.com/windowsserver2003/sbs/default.mspx
Microsoft Windows Mobile Solutions, Applications and Handheld Devices: http://www.microsoft.com/windowsmobile/default.mspx
ActiveSync Help & How Tos: http://www.microsoft.com/windowsmobile/help/activesync/default.mspx
Small Business Server 2003 Best Practices book: http://www.smbnation.com/products.htm
Advanced Windows Small Business Server 2003 Best Practices: http://www.smbnation.com/products.htm
Susan Bradley’s Blog: http://msmvps.com/blogs/bradley/archive/category/1578.aspx
Chris Rue’s Remote Device Wipe Page: http://www.chrisrue.com/funcave/2006/08/solving-a-problem-with-remote-device-wipe.html
Resources
List Servers SBS2K: http://groups.yahoo.com/group/sbs2k/
SmallbizIT: http://groups.yahoo.com/group/smallbizIT/
Newsgroups:
Public: Server: news.microsoft.com, Newsgroup: microsoft.public.windows.server.sbs
Partner: Server: privatenews.microsoft.com, Newsgroup: microsoft.private.directaccess.smallbizserver2003
Usergroups: http://www.sbsusers.org/ http://groups.yahoo.com/group/melb-SBSusers/ http://www.sbsfaq.com/default.aspx http://www.smallbusinessserver.com.au/ http://www.sbsusers.net/
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.