企業(yè)移動消息的應用用與管理課件

MBL220基于Exchange2003和WindowsMobile企業(yè)移動消息最佳實戰(zhàn)MBL220議程企業(yè)移動消息應用Exchange2003SP2WindowsMobile5withMSFP企業(yè)Exchange消息服務實踐移動消息安全、管理、擴展議程企業(yè)移動消息應用企業(yè)移動消息應用

豐富的實現(xiàn)多目的設備終端無處不在的低成本的無線網(wǎng)絡逐漸增強的安全管理基礎架構(gòu)日漸成熟的企業(yè)移動消息應用ExchangeServer2003/WindowsMobile5LCS2005/MobileOfficeCommunicatorCRM2.0/MobileCRMMobileOAMobileERP…企業(yè)移動消息應用

豐富的實現(xiàn)多目的設備終端企業(yè)移動消息應用的挑戰(zhàn)總擁有成本連接性Scalability安全性DeviceandNetwork管理性ProvisioningandSupport擴展性LeveraginginfrastructureFocus:MicrosoftExchangeServer

2003ServicePack2MicrosoftWindowsMobile5MessagingandSecurity

FeaturePackArchitectureBestPractices企業(yè)移動消息應用的挑戰(zhàn)總擁有成本Focus:企業(yè)移動消息應用的起點：E-MailE-Mail已經(jīng)是企業(yè)的核心應用已經(jīng)存在多種成熟設備和解決方案

ExchangeServer2003是第一個集成的解決方案結(jié)合ISA可以提供更高的可用性和管理性結(jié)合IT策略可以實現(xiàn)更高的安全性企業(yè)移動消息應用的起點：E-MailE-Mail已經(jīng)是企業(yè)移動終端的重要更新WindowsMobile5永久存儲按需同步聯(lián)系人圖片MessagingandSecurityFeaturePack(MSFP)數(shù)據(jù)壓縮(GZIP)基于證書的認證強制安全策略在線聯(lián)系人查找（GAL）直推電郵(Direct-PushTechnology)S/MIME簽名和加密被ExchangeServer2003SP2支持Service

Pack2Windows

Mobile5移動終端的重要更新WindowsMobile5ServiExchange2003SP2Exchange2003SP2ExchangeServer2003ServicePack2更高的安全性CertificatebasedauthenticationLocalandRemoteWipecapabilityCentralcontrolofdevicepolicy直推技術很多的新特色DirectorysearchPicturesinContactsGZipExchangeServer2003ServicePExchangeServer2003移動訪問服務WindowsCEbaseddevicesPocketPC,PocketPCPhoneEdition,Smartphone2002WindowsMobileTm2003(AUTDsupport)WindowsMobile5(AUTD&DPsupport)OutlookMobileAccess(real-time)MicrosoftActiveSync(synchronization)RPC/HTTPorOWAExchange2003MobileServicesSP2LaptopCellularPhonePocketPCSmartPhoneExchangeServer2003移動訪問服務Win基于WindowsMobile的OWA訪問小屏幕瀏覽PocketInternetExplorer（singlewindows）支持OWA

Limitedframe

基于WindowsMobile的OWA訪問小屏幕瀏覽基于WindowsMobile的OMA訪問BasedonWAP/WMLLegacyMobilePhones基于WindowsMobile的OMA訪問BaseActiveSync訪問機制AirSyncHTTP(basicauthentication)[SSL](preferred)IISMASSYNC.DLLISAPI

IISDAVEX.DLLISAPIFrontEndServerBackEndServerDS_ACCESSActiveDirectoryReadUserProperties&obtainKerberosTGTWebDAVHTTP(Integratedauthentication)ClearActiveSync訪問機制AirSyncIISMASSYExchangeServerActiveSync的應用ExchangeServerActiveSync的應用Mobile5.0withMSFPMobile5.0withMSFP在線聯(lián)系人查找（GAL）需要WindowsMobile5+MSFP集成的應用導入GAL記錄

到本地聯(lián)系人列表Service

Pack2Windows

Mobile5在線聯(lián)系人查找（GAL）需要WindowsMobileExchange直推技術真正的AUTD解決方案（always-up-to-date）不需要SMS通知支持所有的PIM數(shù)據(jù):Inbox,Calendar,ContactsandTasks不增加額外的數(shù)據(jù)流量伸縮性：全球范圍不需要額外的軟件及服務器安裝實現(xiàn)條件服務器配置激活—缺省配置支持

“SP2-ready”

的設備

該方案依賴于實時連接需要調(diào)整防火墻的連接超時時間為:15-30minsExchange直推技術真正的AUTD解決方案（always直推技術（DirectPush）Time=23minTime=15minTime=0minTime=15minTime=23minDevice:如果我在15分鐘內(nèi)有郵件請告訴我，否則告訴我“沒有郵件”.Server:“沒有郵件”Server:“你有新郵件”Device:給我郵件Device:如果我在15分鐘內(nèi)有郵件請告訴我，否則告訴我“沒有郵件”.DirectPushMail技術原理(心跳時間為15min)WindowsMobileDevicewithMSFPServerrunningExchange2003SP2Heartbeat:370Bytes/heartbeatx4heartbeats/hourx24hx30days=1,06MB(Noconsiderationtoblockrounding)直推技術（DirectPush）Time=23minExchangeServer2003SP2配置ExchangeServer2003SP2配置企業(yè)Exchange消息服務

實踐企業(yè)Exchange消息服務

實踐架構(gòu)總攬防火墻一個或多個至少支持端口過濾支持反向代理（Publish）

前端服務器可以是企業(yè)版或標準版Pub/privateStorecanberemoved可以部署在：Internet,DMZ，insidecorporatefirewall后端服務器InsidecorporatefirewallStoresmailboxesandpublicfolders

架構(gòu)總攬防火墻FirewallPorts

443,993,995ExchangeServer

2003Front-End

ServersExchange2003ServerActiveDirectoryGlobalCatalogServerExchange2003ServerExchange2003ServerInternetFE/BEDeploymentScenarios

Singlefirewall（簡單）FirewallPorts

443,993,995EFirewall

Ports

443,993,

995ExchangeFront-End

ServersExchange2003ServersActiveDirectoryGlobalCatalogServerExchange2003ServersExchange2003ServersFirewall

Ports,80

143,110,LDAP,etcDMZInternetFE/BEDeploymentScenarios

DMZ/Perimeternetwork（安全）Firewall

Ports

443,993,

995FirewallPort

443ISAExchange2003ServerAD/GCExchange2003ServerExchange2003ServerExchangeFEFirewall

Ports443or80InternetISAReverseProxy

DMZ/Perimeternetwork（推薦）FirewallPort

443ISAExchange2移動消息安全移動消息安全

managementdevicesair

transmissions

PAN

LANWANpublic

networksprivate

networks

123applicationsmobilitywireless4VPNtraditionalsecurityMobile的安全訪問managementdevicesair

transmMabirWindowsCEDUTSWindowsCEBRADOR29Dec041Feb05Locknut(Gavno)Vlasco21Nov04Skulls20June04Cabir17Jul045Aug048Mar05Comwar7Mar05Dampig12Aug04Qdial4Apr05Fontal6Apr05Drever18Mar05Hobbes15Apr05Doomed4Jul05=SymbianOS(Nokia,etc)=WindowsCE(HP,etc)Source:TrendMicroMobile的安全威脅StoleninformationHostintrusion,stolendeviceUnauthorizednetwork/applicationaccessCompromisedcredentials,hostintrusionViruspropagationVirussusceptibilityLostinformationLost,stolenordamageddeviceMabirWindowsCEDUTSWindowsCEMobile的內(nèi)容安全

（訪問安全）簡單鎖定加密Privatekeystorage?Smartcard/TPMHashprivatekey(dictionaryattack)Couplewithstrong

passwordpolicies防止不安全重啟動AnalogoustoBIOSpasswordandDrivelockMobile的內(nèi)容安全

（訪問安全）簡單鎖定身份認證Username/PasswordEncryptedondeviceClientCertificatePreventsISAfromSSL-bridgingNon-trivialenrollmentOne-timePassword身份認證Username/Password安全連接InfrastructuresimilartoOWA(HTTP)SSLcertificate-checkingbytheaccessdeviceRootCA“Known”Certificateauthorities:Thawte(serverandPremiumserverSecureServerGTECybertrustGlobalsignEClass2and3PublicPrimaryCertificatesRootCAoftheSSLCertificateMustbeinstalledontheWindowsMobileTMclientCertificateforVisualServerRootCAIssuedby2.IISpresentsthevitualServerSSLCertificate1.HTTPSconnectionActiveSyncClientValidationofRootCA安全連接Infrastructuresimilarto強制安全策略目標:確保移動設備啟用了安全策略內(nèi)容：PINcodestrengthRemoteWipeSpecificwebUIDeviceLocking強制安全策略目標:確保移動設備啟用了安全策略ExchangeServers的安全前后端直接不啟用SSLTrustedphysical/switchednetworkIPseceverythingorspecificportssuchas80IISEnableIISloggingDisablenon-essentialscriptmappingsAlwayskeepuptodateonavailablefixesExchangeServers的安全前后端直接不啟用SSL使用IPsecIPsec用于加密Exchange前后端的傳輸

IPsec策略Exchangefrontend:meany;TCPany80;EncryptExchangebackend:Respondonly使用GPO推IPsecpoliciesExchange2003前后端使用Kerberosauthentication使用IPsecIPsec用于加密Exchange前后端推薦配置不要end-to-end直接連接使用SSl橋接（ISA）在前端進行認證前后端之間使用IPSec

ISAandFE需要配置證書推薦配置移動消息管理移動消息管理使用移動設備管理MDM

（MobileDeviceManagement）降低TCO,特別是技術支持消耗Centralconsole,reporting更可靠的平臺部署商務營運應用程序（line-of-business）更容易使用和被用戶接受安全:可保障的配置的完整性使用移動設備管理MDM

（MobileDeviceM不同的MDM產(chǎn)品基于桌面管理的AltirisMicrosoftSMS整體解決方案的GoodIntellisync*OneBridgeMDM標準的iAnywhereAfariamFormation*不同的MDM產(chǎn)品基于桌面管理的MDM成熟等級Infancy資產(chǎn)管理基礎軟件更新Adolescence軟件更新配置管理設備強制安全Mature數(shù)據(jù)發(fā)布和同步多平臺支持基于策略的軟件分發(fā)空中下載啟動和維護

（OTA）擴展的桌面管理MDM成熟等級Infancy企業(yè)MDM需求IntegratedManagementConsoleDirectory(AD/LDAP)integrationCentralizedPoliciesPolicypollingUsercannotremoveScreen-lock/Idle-lock企業(yè)MDM需求IntegratedManagement移動消息服務擴展移動消息服務擴展Mobility的擴展體系架構(gòu)ManagementandSecurityInfrastructure

provisioning,usersupport,loadbalancing

identitymanagement,authorizationAccessLayerConnectivity

Roaming

VPNPresentation

rendering

synchronization

localprocessingDistributionLayerConnectivity

services

roaming

compression

optimization

VPNDevice

services

rendering

synchronization

content-

aggregation

personalization

location

ContentLayerBusinessprocessautomationCRMrich

mediae-mailOLTP/OLAP

databasesERPInternet/

intranetMobility的擴展體系架構(gòu)ManagementandMicrosoft的Mobility擴展體系架構(gòu)ManagementandSecurityInfrastructure

ActiveDirectory,SMS,MSFPAccessLayerConnectivity

ActiveSyncPresentation

.NETCFSQLCE

MediaPlayerDistributionLayerConnectivity

services

Server-

ActiveSync

ISAServerExchangeFEDevice

services

ASP.NET

Mobile

ControlsContentLayerBizTalkCRMWindows

MediaExchangeMicrosoft

SQLERPIISMicrosoft的Mobility擴展體系架構(gòu)Mana更多資源更多資源更多資源更多資源請?zhí)顚懛答伇碚執(zhí)顚懛答伇砥髽I(yè)移動消息的應用用與管理MBL220基于Exchange2003和WindowsMobile企業(yè)移動消息最佳實戰(zhàn)MBL220議程企業(yè)移動消息應用Exchange2003SP2WindowsMobile5withMSFP企業(yè)Exchange消息服務實踐移動消息安全、管理、擴展議程企業(yè)移動消息應用企業(yè)移動消息應用

豐富的實現(xiàn)多目的設備終端無處不在的低成本的無線網(wǎng)絡逐漸增強的安全管理基礎架構(gòu)日漸成熟的企業(yè)移動消息應用ExchangeServer2003/WindowsMobile5LCS2005/MobileOfficeCommunicatorCRM2.0/MobileCRMMobileOAMobileERP…企業(yè)移動消息應用

豐富的實現(xiàn)多目的設備終端企業(yè)移動消息應用的挑戰(zhàn)總擁有成本連接性Scalability安全性DeviceandNetwork管理性ProvisioningandSupport擴展性LeveraginginfrastructureFocus:MicrosoftExchangeServer

2003ServicePack2MicrosoftWindowsMobile5MessagingandSecurity

FeaturePackArchitectureBestPractices企業(yè)移動消息應用的挑戰(zhàn)總擁有成本Focus:企業(yè)移動消息應用的起點：E-MailE-Mail已經(jīng)是企業(yè)的核心應用已經(jīng)存在多種成熟設備和解決方案

ExchangeServer2003是第一個集成的解決方案結(jié)合ISA可以提供更高的可用性和管理性結(jié)合IT策略可以實現(xiàn)更高的安全性企業(yè)移動消息應用的起點：E-MailE-Mail已經(jīng)是企業(yè)移動終端的重要更新WindowsMobile5永久存儲按需同步聯(lián)系人圖片MessagingandSecurityFeaturePack(MSFP)數(shù)據(jù)壓縮(GZIP)基于證書的認證強制安全策略在線聯(lián)系人查找（GAL）直推電郵(Direct-PushTechnology)S/MIME簽名和加密被ExchangeServer2003SP2支持Service

Pack2Windows

Mobile5移動終端的重要更新WindowsMobile5ServiExchange2003SP2Exchange2003SP2ExchangeServer2003ServicePack2更高的安全性CertificatebasedauthenticationLocalandRemoteWipecapabilityCentralcontrolofdevicepolicy直推技術很多的新特色DirectorysearchPicturesinContactsGZipExchangeServer2003ServicePExchangeServer2003移動訪問服務WindowsCEbaseddevicesPocketPC,PocketPCPhoneEdition,Smartphone2002WindowsMobileTm2003(AUTDsupport)WindowsMobile5(AUTD&DPsupport)OutlookMobileAccess(real-time)MicrosoftActiveSync(synchronization)RPC/HTTPorOWAExchange2003MobileServicesSP2LaptopCellularPhonePocketPCSmartPhoneExchangeServer2003移動訪問服務Win基于WindowsMobile的OWA訪問小屏幕瀏覽PocketInternetExplorer（singlewindows）支持OWA

Limitedframe

基于WindowsMobile的OWA訪問小屏幕瀏覽基于WindowsMobile的OMA訪問BasedonWAP/WMLLegacyMobilePhones基于WindowsMobile的OMA訪問BaseActiveSync訪問機制AirSyncHTTP(basicauthentication)[SSL](preferred)IISMASSYNC.DLLISAPI

IISDAVEX.DLLISAPIFrontEndServerBackEndServerDS_ACCESSActiveDirectoryReadUserProperties&obtainKerberosTGTWebDAVHTTP(Integratedauthentication)ClearActiveSync訪問機制AirSyncIISMASSYExchangeServerActiveSync的應用ExchangeServerActiveSync的應用Mobile5.0withMSFPMobile5.0withMSFP在線聯(lián)系人查找（GAL）需要WindowsMobile5+MSFP集成的應用導入GAL記錄

到本地聯(lián)系人列表Service

Pack2Windows

Mobile5在線聯(lián)系人查找（GAL）需要WindowsMobileExchange直推技術真正的AUTD解決方案（always-up-to-date）不需要SMS通知支持所有的PIM數(shù)據(jù):Inbox,Calendar,ContactsandTasks不增加額外的數(shù)據(jù)流量伸縮性：全球范圍不需要額外的軟件及服務器安裝實現(xiàn)條件服務器配置激活—缺省配置支持

“SP2-ready”

的設備

該方案依賴于實時連接需要調(diào)整防火墻的連接超時時間為:15-30minsExchange直推技術真正的AUTD解決方案（always直推技術（DirectPush）Time=23minTime=15minTime=0minTime=15minTime=23minDevice:如果我在15分鐘內(nèi)有郵件請告訴我，否則告訴我“沒有郵件”.Server:“沒有郵件”Server:“你有新郵件”Device:給我郵件Device:如果我在15分鐘內(nèi)有郵件請告訴我，否則告訴我“沒有郵件”.DirectPushMail技術原理(心跳時間為15min)WindowsMobileDevicewithMSFPServerrunningExchange2003SP2Heartbeat:370Bytes/heartbeatx4heartbeats/hourx24hx30days=1,06MB(Noconsiderationtoblockrounding)直推技術（DirectPush）Time=23minExchangeServer2003SP2配置ExchangeServer2003SP2配置企業(yè)Exchange消息服務

實踐企業(yè)Exchange消息服務

實踐架構(gòu)總攬防火墻一個或多個至少支持端口過濾支持反向代理（Publish）

前端服務器可以是企業(yè)版或標準版Pub/privateStorecanberemoved可以部署在：Internet,DMZ，insidecorporatefirewall后端服務器InsidecorporatefirewallStoresmailboxesandpublicfolders

架構(gòu)總攬防火墻FirewallPorts

443,993,995ExchangeServer

2003Front-End

ServersExchange2003ServerActiveDirectoryGlobalCatalogServerExchange2003ServerExchange2003ServerInternetFE/BEDeploymentScenarios

Singlefirewall（簡單）FirewallPorts

443,993,995EFirewall

Ports

443,993,

995ExchangeFront-End

ServersExchange2003ServersActiveDirectoryGlobalCatalogServerExchange2003ServersExchange2003ServersFirewall

Ports,80

143,110,LDAP,etcDMZInternetFE/BEDeploymentScenarios

DMZ/Perimeternetwork（安全）Firewall

Ports

443,993,

995FirewallPort

443ISAExchange2003ServerAD/GCExchange2003ServerExchange2003ServerExchangeFEFirewall

Ports443or80InternetISAReverseProxy

DMZ/Perimeternetwork（推薦）FirewallPort

443ISAExchange2移動消息安全移動消息安全

managementdevicesair

transmissions

PAN

LANWANpublic

networksprivate

networks

123applicationsmobilitywireless4VPNtraditionalsecurityMobile的安全訪問managementdevicesair

transmMabirWindowsCEDUTSWindowsCEBRADOR29Dec041Feb05Locknut(Gavno)Vlasco21Nov04Skulls20June04Cabir17Jul045Aug048Mar05Comwar7Mar05Dampig12Aug04Qdial4Apr05Fontal6Apr05Drever18Mar05Hobbes15Apr05Doomed4Jul05=SymbianOS(Nokia,etc)=WindowsCE(HP,etc)Source:TrendMicroMobile的安全威脅StoleninformationHostintrusion,stolendeviceUnauthorizednetwork/applicationaccessCompromisedcredentials,hostintrusionViruspropagationVirussusceptibilityLostinformationLost,stolenordamageddeviceMabirWindowsCEDUTSWindowsCEMobile的內(nèi)容安全

（訪問安全）簡單鎖定加密Privatekeystorage?Smartcard/TPMHashprivatekey(dictionaryattack)Couplewithstrong

passwordpolicies防止不安全重啟動AnalogoustoBIOSpasswordandDrivelockMobile的內(nèi)容安全

（訪問安全）簡單鎖定身份認證Username/PasswordEncryptedondeviceClientCertificatePreventsISAfromSSL-bridgingNon-trivialenrollmentOne-timePassword身份認證Username/Password安全連接InfrastructuresimilartoOWA(HTTP)SSLcertificate-checkingbytheaccessdeviceRootCA“Known”Certificateauthorities:Thawte(serverandPremiumserverSecureServerGTECybertrustGlobalsignEClass2and3PublicPrimaryCertificatesRootCAoftheSSLCertificateMustbeinstalledontheWindowsMobileTMclientCertificateforVisualServerRootCAIssuedby2.IISpresentsthevitualServerSSLCertificate1.HTTPSconnectionActiveSyncClientValidationofRootCA安全連接Infrastructuresimilarto強制安全策略目標:確保移動設備啟用了安全策略內(nèi)容：PINcodestrengthRemoteWipeSpecificwebUIDeviceLocking強制安全策略目標:確保移動設備啟用了安全策略ExchangeServers的安全前后端直接不啟用SSLTrustedphysical/switchednetworkIPseceverythingorspecificportssuchas80IISEnableIISloggingDisablenon-essentialscriptmappingsAlwayskeepuptodateonavailablefixesExchangeServers的安全前后端直接不啟用SSL使用IPsecIPsec用于加密Exchange前后端的傳輸

IPsec策略Exchangefrontend:meany;TCPany80;EncryptExchangebackend:Respondonly使用GPO推IPsecpoliciesExchange2003前后端使用Kerberosauthentication使用IPsecIPsec用于加密Exchange前后端推薦配置不要end-to-end直接連接使用SSl橋接（ISA）在前端進行認證前后端之間使用IPSec

ISAandFE需要配置證