Devicewire Community

Unable to use Exchange 2003 Outlook Web Access on Windows Vista PCs

jamesl — Sun, 20 Jul 2008 11:25:00 GMT

I thought that I would fire off a quick blog post about this issue as it happened to me recently: a number of users reported that they could not reply to email messages, or compose new messages, when accessing Outlook Web Access (OWA) from PCs running Windows Vista. They were able to log in and read messages, but when trying to send a message, the text-entry box was unavailable.

The issue was definitely related specifically to the conbination of Vista and IE7, rather than IE7-specific, as IE7 on a Windows XP machine was not affected, and running Firefox on Windows Vista was also not affected.

A bit of Google action revealed that the issue is down to the fact that support for DHTML (Dynamic HTML - HyperText Markup Language) has been retired on Windows Vista, and a patch must be applied to the Exchange 2003 Server to effectively re-write the HTML code behind the OWA web site.

The patch can be downloaded from the Microsoft web site here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5bc06e8a-08eb-4976-bc68-a03ebe3a2552&DisplayLang=en

The pre-requisites listed for the patch include Exchange 2003 Service Pack 2. Our Exchange Server has service pack 2 installed - as testified to by the fact that we have been enjoying push email service for a number of years now.

Problem solved you would think. Apparently not.

When I went to install the patch I received an error message indicating that the patch could not be installed because service pack 2 was not installed on the server.

A bit more digging, and a lot of swearing at my screen, I came across an article indicating that there are 2 principal versions of service pack 2 for Exchange currently in circulation - one of them is known as the 'technology preview release' and was made available to TechNet subscribers prior to being released generally through Microsoft Update. The patch did not like the fact that I had the preview release, even though the funcitonality is exactly the same.

To find out if you are running the preview release, or the full release, open Registry Editor and browse to:

HKEY_Local_Machine\Software\Microsoft\Exchange\ServicePackBuild\

If the value reads 1DC7 then you have the preview, if it reads 1DD6 then you have the full release.

The solution was to download and reinstall Exchange Server Pack 2 over the top of the existing installation. Once installed the patch then installed also...and Vista users can now use OWA properly.

Using the Apple iPhone with Microsoft Exchange

jamesl — Mon, 14 Jul 2008 10:16:00 GMT

Version 2.0 of the iPhone software (available for download for owners of the original iPhone, but effectively the software developed for the release of the 3G iPhone), includes a licensed version of Server ActiveSync: the Microsoft protocol that allows both Windows Mobile-based and non Windows Mobile-based devices to synchronise email, contacts, calendar and tasks folders with a Microsoft Exchange mailbox, via any Internet connection, via “direct push”.

Also included in this release of the software is the ability to enforce the use of a password on the iPhone from the Exchange Server via a Mailbox Policy rule (Exchange 2007 only), as well as the ability to remotely ‘wipe’ the contents of an iPhone and restore it to a factory default state. A remote wipe operation can be triggered either via Outlook Web Access, via the Mobile Web Administration Tool (Exchange 2003) or via the Exchange Management Console (Exchange 2007).

NOTE – it can take up to 1 hour for each 8GB of memory to be erased, it is recommended that the device be connected to a power supply during this process. If the device turns itself off due to low power, the process will continue when the device is powered back on again.

Users can also access the Exchange Global Address List from the iPhone and have email addresses completed automatically as they are entered when composing a new email message.

There are some features that are not supported, however, such as it is not possible to turn on an Out Of Office message from the iPhone, nor is it possible to move items between mail folders.

Task synchronization is also not supported.

Activating the iPhone

Provided that you have an activated SIM correctly inserted in the iPhone, you cannot use the device until you have first connected it to a PC that has iTunes installed. At the time of writing version 7.7 is the current version of iTunes available.

iTunes will then run the user through a wizard which will activate the device for service (the same also applies to the iPod Touch).

If the iPhone is being rolled out across a business, this means that the administrator must decide whether to install iTunes on each iPhone user’s PC, or activate all devices themselves on their own PC with iTunes installed.

NOTE – iTunes is only required for the activation process. Once activated, iTunes is not required to enable the device to access corporate systems, only to synchronise music, photos and videos.

iTunes is required, however, to install applications and software updates onto the device.

The direct push capability of Microsoft Exchange Server is only available via a cellular data connection. Although the iPod Touch can access Exchange via a WiFi connection to the Internet, this is a ‘pull’ connection rather than ‘push’.

NOTE – if your organization does not use Mircosoft Exchange, it is still possible to use the iPhone and iPod Touch with POP and IMAP-based email servers. Calendar and Contact entries can also be synchronized with the Address Book and iCal applications on MacOS and with Microsoft Outlook on a Windows PC via iTunes.

Configuring Devices

If you are only deploying a small number of devices, it may be preferable to allow users to configure their own devices. However, should a large number of devices be deployed, there are tools available to help.

The use of configuration profiles allows for a number of settings to be quickly and easily deployed to a large number of devices.

A configuration profile is an XML document that contains settings on Email, WiFi connections, VPN settings, certificates and security policy settings.

Profiles are distributed to devices either via email, as an attachment, or via a web link.

Configuration Profiles are created using the iPhone Configuration Utility, available for free download from the Apple web site:

http://www.apple.com/support/downloads/iphoneconfigurationutility10formacosx.html

(MacOS only)

Or alternatively, a web-based version can be downloaded which can run on either MacOS or Wndows:

http://www.apple.com/support/iphone/enterprise/

Once installed, the web site is accessed by browsing to http://localhost:3000, log in with ‘admin’ for both username and password.

The interface for the utility looks like this:

A full explanation of the Configuration Utility can be downloaded from the Apple web site:

http://support.apple.com/manuals/en_US/Enterprise_Deployment_Guide.pdf

The General tab allows you enter a name and identifying information for the Profile.

The Passcode Settings tab allows the administrator to define an on-device password usage policy:

The maximum number of failed attempts field allows the administrator to define how many times the device password can be entered incorrectly before the device becomes unusable. By default, after six unsuccessful attempts the device imposes a time delay before a passcode can be entered again. The time delay increases with each failed attempt. After the eleventh failed attempt, the device is locked and must be reauthorised via iTunes.

The WiFi tab allows the administrator to define WiFi access points to be used by the device:

The VPN tab contains information on Virtual Private Network connection settings:

The Email Settings tab contains information on POP and IMAP-based email account settings:

The Exchange tab is where the settings relating to Server ActiveSync are entered:

You will notice the lack of a field to enter Domain information. This should be included in the Username field in the from "domain\username".

The Credentials tab is used to publish certificates to the device. CER, DER, CRT, P12 and PFX certificates types are supported.

The Advanced tab allows the administrator to define cellular access point settings:

Once the profile has been configured within the Utility, it can be Exported, which will create a ".mobileconfig" file (which can then be uploaded to a web site), or emailed as an attachment.

Configuring the device manually

Alternatively, the Exchange Server settings can be entered into the device manually. To add an Exchange account, go to Settings > Mail, Contacts, Calendars and then tap Add Account. On the Add Account screen, select Microsoft Exchange:

Enter the relevant details. Again, there is no field to enter domain information as on other ActiveSync devices, so this information should be entered in the username field in the from "domain\username":

When all of the fields have been completed, during the first synchronisation with the server, the password policy on the server will be checked, and if the device does not conform to it, the user will be prompted to enter a password.

By default all mail, contact and calendar information will then be synced with the device.

You can select which information you wish to synchronise under Settings > Mail, Contacts and Calendars.

NOTE - setting up a Server ActiveSync account on the device will cause all existing information on the device to be overwritten and it will no longer be possible to synchronise mail, contact and calendar information with a desktop PC via iTunes (music, video and photo transfer will not be affected).

It IS possible to add additional POP and IMAP email accounts to the device, but only one Exchange mail account.

Nokia Intellisync Mobile Suite 9.1 Device Management for Linux

jamesl — Sun, 13 Jul 2008 07:59:00 GMT

The history of Nokia's Intellisync Mobile Suite product is a long and complicated one. Even to do this day if I say 'Intellisync' to someone, they are often reminded of the PDA synchronisation software developed by PumaTech, which was an ActiveSync-like application for EPOC devices. Do not be confused.

The Intellisync Mobile Suite was formerly developed by a company named Intellisync, before they were purchased by Nokia a few years ago. Prior to being developed by Intellisync, the product was developed (and named) by a company called Synchrologic, before being bought by Intellisync. It was this company that also developed the Pumatech software, but it was in no way related to their remote email / device management solution.

Intellisync has long been the leader of the remote email and device management pack. It is a little known fact that whilst RIM manufacture Blackberry handsets, they actually paid Intellisync to develop the BES software for them - I don't know what the situation is now that Intellisync is owned by Nokia, but the more eagle-eyed of you administrators may have noticed a RIM tab within the properties of the Intellisync Server Administration Console: this is because the server can indeed be used with RIM Blackberry devices, unfortunately you need a special license key to unlock this functionality which the odds of you getting are slim (I've never managed to get one anyway).

The release of updates to the product, as this blog will attest, is frequent. However, while most of my posts refer to the updates that have been released and the new functionality included, I thought with this release it may be an idea to recap, and list all of the functionality.....as it's pretty impressive!

Before I can do that, a little more history is required.

The Intellisync Mobile Suite product is so called because it actually comprises 4 products:

·       Wireless Email

·       File Sync

·       Data Sync

·       Systems Management

Each product is modular, meaning that each module can be used independently of the others. The Wireless Email component enables remote wireless full PIM synchronisation with Microsoft Exchange, Lotus Domino or Novell Groupwise from a Windows, Windows Mobile, Palm, Symbian, Java or BREW-based device. The File Sync component enables the synchronisation of files (documents and applications) with client devices. The Data Sync component enables remote synchronisation with SQL, Oracle or other database back-end infrastructure. The Systems Management component enables full remote device management, including inventory collection, remote device wipe, password enforcement, hardware control, etc.

Until being purchased by Nokia, Intellisync Mobile Suite could only be installed on a Windows Server-based platform. The installer would install all components, but which of those components you has access to was determined by your installation license key.

Nokia's numbering scheme for this product has, to my mind, become a little confused this year. This is not helped by the fact that the product has effectively been split into Windows and Linux-based versions.

There is a reason for this: Nokia had their own device management product, which was Linux-based, called Nokia Device Manager. This was developed for the Nokia Comunicator range of devices and offered a limited range of features, but which was OMADM compliant (had the ability to provision device settings via the SS7 GSM control channel via control SMS messages). There was a lot of good stuff in this product that Nokia wanted to keep, but saw a very good product in Intellisync also, so they bought Intellisync, and ported the Systems Management component of the product (which was Windows based) to Linux. They then set about combining the functionality of the Nokia product and the Intellisync product into one single offering. However whilst doing this, they have also continued developing the rest of the 3 components, which are still Windows-based.

With me so far?

So currently we have Intellisync 9.0, which is Windows-based and offers the full range of functionality, and also Intellisync 9.1 which is Linux-based, and only offers the device management functionality.
It is important to note that the 9.1 Linux release is “multi-tenant” capable, so clearly designed to manage the devices of multiple user groups (those groups not necessarily being within the same company).
Despite the new 9.x version numbers, both 9.0 for Windows and 9.1 or Linux are listed by Nokia as being maintenance releases for the 8.x of the releases for both Windows and Linux.

Confused! .com

In this post I will list all of the features available in both versions currently. Please note that this list is by no means exhaustive – I merely thought it would be wise to include the most impressive features of the solution, which are numerous. In a future post I will seek to align these capabilities with the competition in a matrix-style chart.

Client devices

·       Windows

·       Windows Mobile

·       Symbian

·       Palm

·       Java

·       BREW

Wireless Email

·       Support for Microsoft Exchange, Lotus Domino, Novell Groupwise, LDAP / POP / IMAP Servers

·       True IP push of mailbox data

·       SMS “wake-up” support for offline clients

·       Global Address List sync support

·       Synchronisation support for Inbox, Outbox, Sent Items, Drafts, Tasks, Notes, Contacts and Calendar folders

·       Support for configuration of attachment size limits, and allowed attachment file types

·       Support for filtering of pushed data based on sender, recipient, urgency status

·       Web-based access to PIM data

File Sync

·       Inventory collection capability of client devices – hardware and software assets

·       Push or synchronisation of applications, documents, patches, or indeed any digital file to client device

·       Support for VBScript-based intelligence, allowing for if, and, or level script execution

·       Device-level or file-level device backup

·       Intranet or other web site client packaging capability for offline on-device viewing

Systems Management

·       OTA client installation support (support for SMS trigger)

·       Remote device wipe – capability to specify full hard reset, PIM data deletion or specific file deletion, based on entry of correct password or administrative command

·       Password enforcement policy – ability to force users to use passwords on their device

·       Remote Control of devices via web browser

·       Remote uninstallation of undesired applications

·       Remote disabling of client hardware elements – Bluetooth, WiFi, IR, SD memory, USB Modem, SMS functionality

·       Phone number “whitelisting”

·       OMA DM support for Nokia VoIP, VPN, Security device settings

Data Sync

This aspect of the solution’s capability is beyond the scope of this article

Profiles

All of the above settings can be defined on a per-user or a per-group basis by the administrator.

For more detailed information, read the following articles in the Forum:

Intellisync Administrator Guide (Windows)

http://forum.devicewire.com/forums/thread/545.aspx

Intellisync Administrator Guide (Linux)

http://forum.devicewire.com/forums/thread/669.aspx

The key improvements that have been included in the 9.1 release of the Linux version of the device management application, which I have not listed above, are for the Windows Mobile platform.

Ability to configure Server ActiveSync settings on Windows Mobile-based PDAs:

Within the list of device management Publications available for Pocket PC and Smartphone devices (Asset Collection, Backup, Software Install) is a new option for Device Configuration, with sub-options for Server ActiveSync and Generic.

Selecting Server ActiveSync enables the administrator to enter details of Exchange Server address, domain, username, password, Email, Contact, Calendar and Task settings:

Once published on the server and the relevant users or groups or subscribed, synchronising with the server from the client device will configure a server activesync connection automatically.

The 'Generic' option is even more powerful: this allows the administrator to send raw XML code to the client device, and have it 'parsed' by the Intellisync client:

This means that it is possible to remotely add registry entries to the Windows Mobile device, and as some of you will be aware, EVERYTHING is configured on Windows Mobile devices via the registry: GPRS/3G connection settings, WiFi access points, etc etc.

For example, the following XML code:

<wap-provisioningdoc>
<nocharacteristic type="CM_Networks" />
<nocharacteristic type="CM_GPRSEntries" />
<nocharacteristic type="CM_ProxyEntries" />
    <characteristic type="CM_Networks">
    <characteristic type="Contract MMS">
<parm name="DestId" value="{F750E26F-81D9-4379-8567-318C129CA736}" />
</characteristic>
    <characteristic type="Contract Internet">
<parm name="DestId" value="{FF445A54-ADF8-4fab-86B7-E31482BEE8BE}" />
</characteristic><characteristic type="Contract WAP">
    <parm name="DestId" value="{B8D6BA64-F7BB-47be-BC57-4D882CA709C2}" />
    </characteristic><characteristic type="My Work Network">
<parm name="DestId" value="{18AD9FBD-F716-ACB6-FD8A-1965DB95B814}" />
</characteristic>
    <characteristic type="Work">
<parm name="DestId" value="{A1182988-0D73-439E-87AD-2A5B369F808B}" />
</characteristic>
    <characteristic type="Secure WAP Network">
<parm name="DestId" value="{F28D1F74-72BE-4394-A4A7-4E296219390C}" />
</characteristic>
    <characteristic type="The WAP Network">
<parm name="DestId" value="{7022E968-5A97-4051-BC1C-C578E2FBA5D9}" />
</characteristic>
    <characteristic type="The Internet">
<parm name="DestId" value="{436EF144-B4FB-4863-A041-8F905A62C572}" />
</characteristic>
</characteristic>

    <characteristic type="CM_GPRSEntries">

    <characteristic type="MMS">
<parm name="DestId" value="{F750E26F-81D9-4379-8567-318C129CA736}" />
<parm name="Enabled" value="1" />
<parm name="UserName" value="wap" />
<parm name="Password" value="wap" />
<parm name="Domain" value="" />
    <characteristic type="DevSpecificCellular">
<parm name="BearerInfoValid" value="1" />
<parm name="GPRSInfoValid" value="1" />
<parm name="GPRSInfoProtocolType" value="2" />
<parm name="GPRSInfoL2ProtocolType" value="PPP" />
<parm name="GPRSInfoAccessPointName" value="wap.vodafone.co.uk" />
<parm name="GPRSInfoDataCompression" value="1" />
<parm name="GPRSInfoHeaderCompression" value="1" />
</characteristic>
</characteristic>

    <characteristic type="Contract Internet">
<parm name="DestId" value="{FF445A54-ADF8-4fab-86B7-E31482BEE8BE}" />
    <parm name="AlwaysOn" value="1" />
    <parm name="Enabled" value="1" />
<parm name="UserName" value="web" />
<parm name="Password" value="web" />
<parm name="Domain" value="" />

    <characteristic type="DevSpecificCellular">
<parm name="BearerInfoValid" value="1" />
<parm name="GPRSInfoValid" value="1" />
<parm name="GPRSInfoProtocolType" value="2" />
<parm name="GPRSInfoL2ProtocolType" value="PPP" />
<parm name="GPRSInfoAccessPointName" value="internet" />
<parm name="GPRSInfoDataCompression" value="1" />
<parm name="GPRSInfoHeaderCompression" value="1" />
</characteristic>
</characteristic><characteristic type="Contract WAP">
<parm name="DestId" value="{B8D6BA64-F7BB-47be-BC57-4D882CA709C2}" />
     <parm name="Enabled" value="1" />
<parm name="UserName" value="wap" />
<parm name="Password" value="wap" />
<parm name="Domain" value="" />

    <characteristic type="DevSpecificCellular">
<parm name="BearerInfoValid" value="1" />
<parm name="GPRSInfoValid" value="1" />
<parm name="GPRSInfoProtocolType" value="2" />
<parm name="GPRSInfoL2ProtocolType" value="PPP" />
<parm name="GPRSInfoAccessPointName" value="wap.vodafone.co.uk" />
<parm name="GPRSInfoDataCompression" value="1" />
<parm name="GPRSInfoHeaderCompression" value="1" />
</characteristic>
</characteristic>
    </characteristic>
    <characteristic type="CM_ProxyEntries">
    <characteristic type="NULL-HTTP-{FF445A54-ADF8-4fab-86B7-E31482BEE8BE}">
<parm name="SrcId" value="{FF445A54-ADF8-4fab-86B7-E31482BEE8BE}" />
<parm name="DestId" value="{436EF144-B4FB-4863-A041-8F905A62C572}" />
<parm name="Proxy" value="" />
<parm name="Type" value="0" />
<parm name="Enable" value="1" />
</characteristic>
    <characteristic type="null-corp-{FF445A54-ADF8-4fab-86B7-E31482BEE8BE}">
<parm name="SrcId" value="{FF445A54-ADF8-4fab-86B7-E31482BEE8BE}" />
<parm name="DestId" value="{A1182988-0D73-439E-87AD-2A5B369F808B}" />
<parm name="Type" value="0" />
<parm name="Enable" value="1" />
</characteristic>
    <characteristic type="WAP-{B8D6BA64-F7BB-47be-BC57-4D882CA709C2}">
<parm name="SrcId" value="{B8D6BA64-F7BB-47be-BC57-4D882CA709C2}" />
<parm name="DestId" value="{7022E968-5A97-4051-BC1C-C578E2FBA5D9}" />
<parm name="Proxy" value="212.183.137.012:8799" />
<parm name="Enable" value="1" />
<parm name="Type" value="1" />
</characteristic>

    <characteristic type="WAP-secure-{B8D6BA64-F7BB-47be-BC57-4D882CA709C2}">
<parm name="SrcId" value="{B8D6BA64-F7BB-47be-BC57-4D882CA709C2}" />
<parm name="DestId" value="{F28D1F74-72BE-4394-A4A7-4E296219390C}" />
<parm name="Proxy" value="212.183.137.012:8799" />
<parm name="Enable" value="1" />
<parm name="Type" value="1" />
</characteristic>
</characteristic>
    <characteristic type="CM_Planner">
<nocharacteristic type="PreferredConnections" />
    <characteristic type="PreferredConnections">
<parm name="{436EF144-B4FB-4863-A041-8F905A62C572}" value="Contract Internet" /><parm name="{7022E968-5A97-4051-BC1C-C578E2FBA5D9}" value="Contract WAP" />
<parm name="{F28D1F74-72BE-4394-A4A7-4E296219390C}" value="Contract WAP" />
    </characteristic>
</characteristic>
    <characteristic type="Registry">
<characteristic type="HKLM\SOFTWARE\ArcSoft\ArcSoft MMS UA\Config\UI">
<parm name="ConnectviaMatchById" value="1" datatype="integer" />
</characteristic>
    <characteristic type="HKLM\Software\ArcSoft\ArcSoft MMS UA\Config\mm1\MMSCSetting\SampleMMSC">
<parm name="WAP1DefaultSize" value="102400" datatype="integer" />
<parm name="WAP2DefaultSize" value="307200" datatype="integer" />
<parm name="ConnectionVia" value="{F750E26F-81D9-4379-8567-318C129CA736}" datatype="string" />
<parm name="Name" value="Contract MMS" datatype="string" />
<parm name="Gateway" value="212.183.137.012" datatype="string" />
<parm name="MmscURI" value="http://mms.vodafone.co.uk/servlets/mms" datatype="string" />
<parm name="GatewayPort" value="8799" datatype="integer" />
<parm name="SendDefault" value="307200" datatype="integer" />
<parm name="RecvDefault" value="512000" datatype="integer" />
<parm name="WAPType" value="1" datatype="integer" />
</characteristic>
    <characteristic type="HKLM\Software\ArcSoft\ArcSoft MMS UA\Config\mm1">
<parm name="DefaultSetting" datatype="string" value="SampleMMSC" />
<parm name="TotalSettings" value="1" datatype="integer" />
</characteristic>
    <characteristic type="HKLM\Software\ArcSoft\ArcSoft MMS UA\Config\UI\SizeLimit">
<parm name="SendCount" value="3" datatype="integer" />
<parm name="SendLimit1" value="30720" datatype="integer" />
<parm name="SendLimit2" value="102400" datatype="integer" />
<parm name="SendLimit3" value="307200" datatype="integer" />
</characteristic>
    <characteristic type="HKCU\Software\Windows\CurrentVersion\5.0\Internet Settings">
<parm name="EnableAutoDetect" value="1" datatype="integer" />
</characteristic>
    <characteristic type="HKLM\Software\Microsoft\Internet Explorer\AboutURLs">
<parm name="home" value="http://live.vodafone.com" datatype="string" />
</characteristic>
</characteristic>
</wap-provisioningdoc>

Sets up a device for Vodafone UK MMS service.

Once you know the correct registry keys to configure, virtually any aspect of a device's configuration can be set via XML. A full explanation of this process is available in the Microsoft product documentation for Windows Mobile, available here:

ftp://ca:welcome@ftp.hughsymons.com/Hugh%20Symons%20Telecom%20-%20Reseller%20Area/Microsoft/Windows%20Mobile/Crossbow_Documentation_Oct2006.chm

This then, renders the device management solution very powerful indeed. It is always a mystery to me that considering Microsoft develop the client operating system, they are not able to offer this sort of functionality themselves, but both Exchange 2007 and System Center Mobile Device Manager 2008 are nowhere near being able to offer this level of capability.

In my last blog post on this subject I included the release notes for the version 9.1, which included a section on Wireless Email. I noted that I was curious to see how Nokia had managed to include this functionality in the Linux-based version of the software. It transpires that the wireless email funcitonality that has been included is only for use with an IMAP or Novell Groupwise server:

Inside sources tell me that a fully functional release of Intellisync, including all of the functionality in both the Windows and Linux versions (including full Exchange wireless email support as well as the OMADM capability for Symbian handsets) will be available in version 10 of the software, which will be Windows-based only.

But you didn't hear that from me!

How do Virtual Private Networks (VPNs) work?

jamesl — Sun, 06 Jul 2008 09:20:00 GMT

VPN, or Virtual Private Network, technology is used to extend private networks beyond the boundaries of their physical cabling – to securely connect geographically separated networks using an unsecure medium, such as the Internet. Today VPN technology is being increasingly used to allow workers to connect to local network resources while away from the office. As I examined in my post on virtualisation (http://blog.devicewire.com/blogs/devicewire/archive/2008/06/12/virtualisation-what-s-it-all-about.aspx), the “stuff” that happens in the background to make this possible is transparent to the user: the user enjoys the same experience whether they are in the office or not.

Whilst this technology is not new, problems often arise when trying to establish VPN connections from mobile devices, because of a lack of understanding of what happens in the middle, between the user and the office.

In this article I will look more closely at this technical “stuff” – the different means by which data can be intercepted, the mechanisms by which data is secured, and common problems experienced, especially when establishing VPN connections from mobile devices, and their solutions.

This subject is inherently technical in nature and ideally you should have an understanding of the basic principles of TCP/IP. If you need a quick refresher course, have a read of my earlier blog post, “How does TCP/IP work?”, here:

http://blog.devicewire.com/blogs/devicewire/archive/2008/06/21/tcp-ip-an-introduction.aspx

Virtual Private Network technology makes it possible to securely send data over an unsecured network. Data is encrypted at the source and sent over the unsecure network, such as the Internet, and decrypted again at the receiving end. Should any of the data be intercepted while in transit, it will not be readable by any unintended recipient. This method of securely sending data over an unsecure network is known as tunnelling.

Before I look at the components involved in a VPN connection and how security is guaranteed, I will first look at the areas of concern a network administrator faces when assessing the security of their network.

The need for security

Without security measures and controls in place, data may be subject to “attack”. Some attacks can be “passive” (meaning that data is merely monitored), others can be “active” (meaning that the data is deliberately altered with intent to corrupt the data itself, or even attack the entire target network). Attacks can take one of a number of forms:

· Eavesdropping – the majority of network communications occur in an unsecured manner, or in “cleartext”. Should an attacker gain access to the network, they would be able to read any traffic crossing that network. This practice is referred to as “sniffing” or “snooping”. This is the most common form of attack and is the reason why encryption technology is being deployed even on small, local networks.

· Data Modification – once an attacker has gained access to a network, that person would then be able not only to read data, but modify it in transit between sender and receiver (increasing the quantity specified in an electronic purchase, for example). This is also referred as a ‘man-in-the-middle attack’.

· Identity / IP Address Spoofing – on an IP-based network, a computer is identified by its IP address, and the resources that computer is permitted access to is based on its IP address. Should an attacker be able to make their computer appear to have a ‘trusted’ IP address, it would be able to access any resources that a computer genuinely possessing that address would be able to.

· Password-based attacks – the password is the simplest form of authentication. Most systems do not encrypt passwords as they are sent across the local network. Should an eavesdropper gain access to a network they would be able to intercept password information, and from that moment gain access to network resources as a trusted user.

· Denial-of-service attack – a DoS attack involves flooding the network with so much traffic that it eventually crashes. The target of a DoS attack could equally be a network, a single machine on that network, or even a specific service running on that single machine.

Defence mechanisms

A VPN connection implements security in two ways – authentication and encryption.

Authentication ensures that the data originates from the source which it claims to come from.

Encryption prevents anyone from reading or copying data as it travels across the network. Data encryption is used to protect data from unauthorised users by encoding the content. For more information on how data is encrypted, read my earlier blog post, “How do digital certificates work?” – here:

http://blog.devicewire.com/blogs/devicewire/archive/2008/06/22/how-do-digital-certificates-work.aspx

VPN Infrastructure

There are 2 principle elements involved in a VPN connection. The remote network deploys a VPN Server which acts as a gateway between the internal network and the public Internet.

The remote user, or branch office, will have a VPN client which will encrypt data sent to and decrypt data received from the VPN server. The client may be a physical piece of hardware or a software application.

Typically the VPN server will be located behind a firewall in a perimeter network. The ports that will need to be opened on the firewall will vary depending on the VPN “tunnelling” protocol being used. The three most common VPN protocols are:

· PPTP (Point to Point Tunnelling Protocol)

· L2TP (Layer 2 Tunnelling Protocol)

· IPSec (Internet Protocol Security)

I will examine these protocols in more detail, but essentially they work in the same way. TCP will split the data to be transmitted into individual packets, consisting of a data payload and header information, containing sequencing and error correction details. IP will then add further information to the TCP packet containing addressing information of both the sending and receiving machines.

The VPN protocol will take the TCP packet and add further information to it. The entire packet is encrypted, making it unreadable to any machine that does not have the decryption key. Further sequencing and error correction data is added, and then the IP header is attached so that the VPN packet can be routed across the network. Due to the large amount of additional data that is added to the packet, VPN connections are correspondingly slower than plaintext communications.

PPTP is the earliest of the three VPN protocols. It provides data security by encrypting the contents of the packet, but it does not provide data authentication by verifying the identity of the sender, nor does it verify the integrity of the data to ensure that it has not been modified in transit, either accidentally or deliberately.

L2TP addresses these weaknesses firstly by adding a message digest to each packet to ensure that the data has not been modified in transit. It also guarantees the identity of the sender by digitally signing each packet with a certificate.

IPSec is the most commonly-used VPN protocol today and I will examine this in more detail. IPSec works in a similar manner to L2TP in terms of providing authentication and verification, but the strength of the encryption mechanism used is stronger – asymmetric (or public key) encryption being used.

Again, if you need a refresher on what terms like message digest and public key encryption mean, then a good place to start would be here:

http://blog.devicewire.com/blogs/devicewire/archive/2008/06/22/how-do-digital-certificates-work.aspx

IPSec

Internet Protocol Security (IPSec), is an end-to-end protocol, meaning that only the sending and receiving systems need to be able to support it – the encrypted data can pass through routers and other machines on the interlying networks without them needing to also support it.

Using IPSec, data is encrypted at the Transport Layer, which means that data is encrypted before it gets to the Network Layer. Any machines through which the encrypted packets will travel will examine the address information on the packet, see that it is not intended for that network and pass it on, the packet only being decrypted again when it reaches the Transport Layer on the target machine. This is what is meant by end-to-end.

As with TCP, IPSec itself is actually a number of protocols. The protocol that handles the encryption of the TCP data packets is called the Encapsulating Security Payload (ESP) Protocol.

Individual packets are encrypted using a different encryption key, and each encrypted packet is appended with a message digest, or checksum, so that should any of the data be altered en route, the digest will no longer match the contents of the payload (a message digest works by essentially taking the value of all of the 1s in the payload and applying a mathematical function to it, then saving that resulting value. Should the data change, the value of the 1s will change and the resulting value of the mathematical function will also change).

Individual encryption keys are used so that should an attacker manage to intercept a large amount of traffic all encrypted using the same key, they will not be able to calculate the key from that traffic, and potentially encrypt their own data using that key. This is known as anti-replay.

The checksum value is stored in the Authentication Header. This is an additional header which is added to the normal TCP packet before IP adds its own address headers. The Authentication header does not need to be used with ESP, it can be used by itself. The Authentication Header does not encrypt the data, but it does secure it against modification.

Other values are also stored in the Authentication Header:

· Next Header – this field indicates the transport protocol used (TCP, UDP, etc) so that the encrypted packet is submitted to the correct transport protocol on the receiving machine.

· Length – indicates the length in bytes of the Authentication Header.

· Security Parameters Index (SPI) – indicates whether ESP is being used or not.

· Sequence Number – indicates the packets position within the data stream and also contains another message digest to guarantee the uniqueness of that packet.

· Authentication Data – this is where the message digest for data payload is stored.

Security Association

When two computers using IPSec “handshake” (agree the parameters to be used for the connection), before any data is sent or received they must first establish a Security Association (SA). This “agreement” defines the encryption key to be used as well as the security protocol (ESP, AH, or both, for example) and a security identifier (in case each or even both of the machines are already involved in other IPSec-based communications with other machines).

Once agreed, the SA will have a specific lifetime, after which time the process will be repeated to agree a new association using a new encryption key (an anti-replay technique).

Once connected, the VPN client is effectively connected to the remote network. As such it is assigned an IP address on that remote network, a non-routable IP address which the VPN software sends over the Internet connection for reception by the VPN server.

This being the case, the VPN server will need to be able to assign remote devices local IP addresses – ideally automatically via DHCP from a pool of reserved addresses.

Tunnelling

ESP can be used in two modes: transport mode and tunnelling mode.

In transport mode, only the data payload is encrypted. In tunnelling mode, the data and also the IP Header is encrypted. When used in a VPN solution, ESP operates in tunnelling mode.

In tunnelling mode, the entire TCPIP packet is encrypted (not just the TCP packet), digitally signed, and then a new IP header created, which is unencrypted, so that the VPN packet can still be routed across the Internet. When the packet arrives at the destination network, the receiving server removes the IP header and the ESP header (decrypting it in the process), and uses the original IP header information to route the packet across the local network. It is this process that can sometimes cause problems when connecting from certain devices, especially mobile devices, which I will now endeavour to explain.

Network Address Translation (NAT)

Network Address Translation is a technology employed to address the issue of a shortage of available “routable” IP addresses. Because there are not sufficient routable IP addresses available for each machine connected to the Internet to have one, local networks employ a non-routable addressing scheme and have one machine, a gateway, with a network interface connected to the Internet with a single routable IP addresses allocated to it. Using this single address, many many machines can sit “behind” this gateway and enjoy Internet access, without being directly connected to it. This process is known as Network Address Translation. A typical example of this process may work as follows:

1. A machine on the internal network requests a web page from a web server on the Internet. The machine creates an HTTP request and submits it to the network, which sends it to the NAT gateway router.

2. The router receives the request and sees that it is destined for a machine not on the local network. The router saves the machine’s non-routable IP address to an address translation table. It then re-writes the IP header, replacing the source IP address with its own public IP address and sends the request out across the Internet.

3. When the response comes back from the web server, the router checks the address translation table, rewrites the IP header of the incoming data, changing the destination address from its own to the address of the machine on the internal network, and forwards it on.

IPSec and NAT compatibility

If a TCPIP packet crosses a NAT gateway, it will have its source IP address information changed. Because IPSec performs a data authentication check on all incoming packets to ensure that they have not been altered in any way while in transit, the changing of the source IP address by the NAT gateway will cause the message digest to no longer match the data, and IPSec will “fail” the packet and the connection will not be established.

When connecting to the Internet from a mobile device, the mobile network operator will employ a NAT gateway between the mobile network and the Internet. For this reason, VPN connections from mobile devices will quite often fail.

Help is at hand

One solution to this problem is known as NAT Traversal (NAT-T).

This technique addresses this problem by using UDP as the transport protocol, rather than TCP.

UDP is the User Datagram Protocol. It is a transport protocol similar to TCP, but it does not employ error correction, it is used for “unimportant” communications where data loss is not necessarily an issue. Because UDP does not send acknowledgement messages back to the sending machine, it does not include a sending IP address in the header, only a target IP address. For this reason it is sometimes referred to as a “fire and forget” protocol.

Using UDP to transport the encrypted the IPSec packet therefore does not involve rewriting any of the packet’s data as it passes through the NAT gateway. Instead, at the NAT gateway, a normal TCPIP header will be added for routing across the Internet. At the receiving machine, the TCPIP header will be removed at the network layer, and the unaltered UDP packet delivered to the transport layer and the waiting IPSec protocol.

This technique does require that both the VPN client software and the VPN server both support NAT-T (also referred to as UDP Encapsulation), and do agree on this protocol during the negotiation of the security association.

Fortunately, most mobile network operators are aware of this problem and have implemented their own solutions. The public “Internet” access point (APN) which most users will connect to for Internet access, will use NAT to allow the large number of mobile users to connect to the Internet whilst only requiring the operator to provide a small number of public IP addresses.

For users who wish to establish a VPN connection, there are alternative APNs available. Most operators will be able to offer two additional APNs intended for VPN use: which one is relevant for you will depend on the requirements of your VPN infrastructure.

Taking Vodafone as an example, the public APN is simply “internet”. This will employ NAT to provide users with access to the Internet. “MyLAN” is a separate access point intended for corporate VPN users. This APN will use NAT-T to get around the issue of NAT and IPSec compatibility.

On the Orange network, “orangeinternet” is the public Internet APN, whereas “internetvpn” is intended for corporate VPN users.

There is typically no cost to use these alternate APNs, but your SIM card must be enabled for these services first by calling customer services and requesting it.

However, there is another potential issue which can cause a VPN connection to fail. Typically, the “non-routable” IP addressing scheme used by mobile network operators will allocate addresses to users in the range 10.x.x.x

This is fine if the local network in the office uses an addressing scheme of, say, 172.16.x.x

This means that when connected to Vodafone 3G service, the mobile device has an IP address of, say 10.0.0.1, and when connected to the VPN, the “virtual network adapter” has an IP address of 172.16.199.1

The computer “knows” that any traffic destined for the 172.16.x.x network needs to be sent to the VPN software which will encrypt it and route it over the Internet connection (with a UDP header of 10.x.x.x being added to the VPN packet).

However, if the network in the office also uses the 10.x.x.x address range, the VPN software will be assigned a virtual address in this same range, and the PC will then no longer be able to tell what traffic is intended for the VPN and what is normal Internet traffic. In this situation it will most likely try to route encrypted packets to the wrong destination and the connection will fail.

This being the case, most network operators therefore provide 2 VPN APNs. These work in the same way, but simply use different addressing schemes to address this issue. Which one you need depends on your addressing scheme at work.

So, if the Vodafone MyLAN APN uses addresses in the range 10.x.x.x, MyLAN2 will use 172.16.x.x

Similarly on the Orange network, internetvpn will use 10.x.x.x and internetvpn2 will use 172.16.x.x

The third way

Should your VPN infrastructure not support NAT-T, then the only solution is to consistently connect from the same, routable IP address, ie have a public IP address associated with your mobile device (or more correctly, the SIM card in the mobile device).

There are providers that can offer this service, although the service is chargeable. One such company is Wireless Logic (www.wirelesslogic.co.uk).

Configuring the VPN Client

All versions of Windows since Windows 98 have had a VPN client included as part of the operating system. These VPN clients are only designed to connect to the Routing and Remote Access service on a Windows Server 2000 or 2003-based endpoint. Windows Mobile devices also have VPN capability, but these are also only intended for use with a Windows Server at the other end. If a VPN solution by any other company other than Microsoft has been deployed, such as Cisco or Checkpoint, then the corresponding client software developed by that company should be used on the remote device.

Most VPN client software will require 3 pieces of information when configuring the connection:

· VPN Server Address

· Username

· Password

MacOS X Leopard:

Windows XP:

Windows Mobile:

All VPNs clients will install a virtual network adapter as part of the installation process.

Troubleshooting

When troubleshooting VPN connections it is important not to forget the basics. At a simple level, should the VPN client report that it is not able to contact the remote server, or something along those lines, verify that the device does have a connection to the Internet and can browse web pages.

If you do have a connection to the Internet, but the VPN client is not able to contact the VPN server, it may be a DNS issue – try entering the IP address of the VPN server rather than the friendly name.

If you are able to connect to the VPN server, but once connected you are not able to access any network resources, this may be an IP issue – the VPN server must be able to allocate remote clients valid IP addresses via DHCP. This may also be a DNS issue – once connected try connecting to the IP address of a file server rather than its friendly name, for example. Your network administrator will be able to provide the details to use.

To conclude

VPNs are massively complicated, but not impossible to set up successfully provided that you understand the requirements, potential pitfalls and their workarounds. The biggest hurdle is often just finding out what it is that you have. Once you know what your equipment supports then the available options are clear.

As a bootnote, and for completeness, I should probably mention that not all VPNs are necessarily secured. A Virtual Private Network could be a Virtual LAN (VLAN) – which is a technique whereby the same physical network infrastructure (cabling and switches) is used to host separate networks using different addressing schemes and which are not “aware” of each other, but over which communications are not secured.

Nokia release Intellisync Mobile Suite Device Management 9.1 for Linux

jamesl — Sat, 05 Jul 2008 06:59:00 GMT

Following the release of Intellisync Mobile Suite 9.0 for Windows a few weeks ago, version 9.1 for Linux is now available.

Although being called specifically 'IMS Device Management', the release notes do state that both the DM and also the Wireless Email components of the solution are included in this version.

The list of new features in the release notes also include:

Improved performance and scalability

Clustering support for OMA DM Connections

Alternative SMS Channel for DM Provisioning and Notification Messages

New Service Administrator Role for Tenant Administration

Additional Configuration Options to IMS Client Sync Window

Hosting Administrator Managed Tenant Publication Templates

Orphaned Backup File Purge

More Comprehensive Web Services Interface for IMS DM

OMA DM Support for Siemens VOIP Application

Remote Control for UIQ Devices

WebAdmin Support for Delivering ActiveSync Settings to Windows Mobile Devices

WebAdmin Support for Delivering GPRS and WLAN IAP Settings to Windows Mobile Devices

Callback/Notification Interface

Confiugurable HTTP/HTTPS Ports for WebAdmin Connections

Symbian Client Backup/Restore Checkpoint Restart

FOTA (that's Firmware Over The Air) Support for Nokia S40 and S60 Devices

Additional Attributes for LDAP

Email Support for POP/IMAP & Corporate Email Connector (ECE)

I am particularly intrigued to see how they managed to implement the Wireless Email component on a Linux platform. Watch this space for a full review.

Microsoft Small Business Server 2008 Preview available

jamesl — Sat, 05 Jul 2008 06:56:00 GMT

Microsoft have released a technology preview (that's a beta to you and me!) of the next release of the Small Business Server product - SBS 2008.

The details of serial numbers and download links can be found here:

http://technet.microsoft.com/en-gb/evalcenter/cc184870.aspx

It's a bit of a whopper: 4 DVD images can be downloaded from the following links:

http://sbs.dlservice.microsoft.com/download/F/4/B/F4B32E45-EC2C-4C18-9BD2-58F5D1643A6E/SBS2008RC0_ENU_DVD1.iso

http://sbs.dlservice.microsoft.com/download/F/4/B/F4B32E45-EC2C-4C18-9BD2-58F5D1643A6E/SBS2008RC0_ENU_DVD2.iso

http://sbs.dlservice.microsoft.com/download/F/4/B/F4B32E45-EC2C-4C18-9BD2-58F5D1643A6E/SBS2008RC0_ENU_DVD3.iso

http://sbs.dlservice.microsoft.com/download/F/4/B/F4B32E45-EC2C-4C18-9BD2-58F5D1643A6E/SBS2008RC0_ENU_DVD4.iso

Be aware that the MINIMUM system requirements are 2GB of RAM and 60GB of hard disk space - I have had to move my iTunes Library just to get the minimum spec on my test machine!