With the release of Windows Mobile 6.1, although it does not provide a raft of new features for remote email (with the possible exception of the new 'Device Enroll' feature), I thought it would be a good time to update a document I started a while ago detailing the differences of the 3 key players in the remote email area (as I see them): RIM, Microsoft and Nokia.
Remote Email Solutions
More and more companies, of all sizes, are recognising the need for and implementing remote email solutions. Email has surpassed voice as the principal means of business communication: email interaction being, on average, quicker than a voice call and enabling the worker to contact far more people within a given time period. Also, mobile devices like Smartphones and cellular PDAs are becoming increasingly commonplace.
When considering a remote email solution, there are a number of factors to take into account:
System Architecture
Ideally the solution should sit “behind the firewall” enabling direct communication with the email server over the local network and enabling full administration of the solution by the in-house IT staff. Communication between the gateway and the client device should be secure. No data should be stored on any assets not belonging to the company other than temporarily.
The solution should not tie the company into a particular client platform or device nor a particular mobile network operator, but should be completely agnostic of the hardware and operating system used and the method of Internet connection. The solution should also utilise the native PIM (Personal Information Manager) application on the client device to minimise the amount of training required for the end user or, if not, employ a client that offers additional or superior features.
The solution should not rely on so-called “desktop redirectors” – desktop computer programs that monitor the user’s mailbox on that user’s desktop and redirect mail when a change is detected – requiring that that user have a PC which remains in the office at all times, defeating the object of having a “remote” email solution. In fact, this type of solution should be avoided.
Ideally the solution should also offer true “push” functionality, enabling update of the client in true “real time”. The alternatives are device-timed or user-initiated synchronisation, or message-based synchronisation, such as SMS, which “wakes up” the client device when a change occurs on the server by sending a text message to the device, causing it to initiate a synchronisation. This approach can prove costly should a large number of text messages be sent to the device.
Features
The availability of the following features should be taken into consideration when choosing a remote email solution:
- The ability to read, forward and edit email attachments
- The ability to access the Global Address List or corporate contact list
- The ability to filter the delivery of email to the client device, ideally only downloading message headers initially and then allowing the user to choose whether or not to download the full message and any attachments
- The provision of security features including end-to-end encryption and multiple authentication mechanisms, remote device wiping and enforcement of password usage
- The support of remote device management and administration
- The ability to use the solution when abroad
Company performance
When choosing a remote email solution, it is also important to examine the market share of the solution provider, its financial standing, the provision of support to its customers and the frequency with which updates are released to include support for new hardware platforms and devices.
Blackberry
Research In Motion (RIM)’s Blackberry solution is largely regarded as the de facto standard for the remote email industry. The Blackberry Enterprise Server (BES) can be installed simply and rapidly behind the firewall on the local network alongside Microsoft Exchange, Lotus Domino or Novell Groupwise. This does require that a separate server and Microsoft server operating system license be purchased. The installation process will, by default, use the Microsoft SQL Desktop Engine (MSDE) as the back-end database to drive the solution; however, this should only be used for deployments up to 100 users. For larger deployments, a full instance of Microsoft SQL Server is recommended.
The solution requires that a Blackberry handheld be used, or a device that has the licensed ‘Blackberry Connect’ client software installed on it. Blackberry handhelds tend to be network-locked and can run a rapidly growing range of Java-based applications, including satellite navigation, database connectivity, etc.
RIM employs a number of Network Operation Centres (NOCs) or ‘RIM Relays’ globally to manage the routing of data to and from client devices.
The handheld devices register with the Relay using a unique PIN number. The BES also registers with the Relay using a unique identifier, known as an SRP key. This middleware approach means that the BES does not need an Internet-facing IP address and neither do any inbound ports need to be opened on the firewall.
The solution offers true IP-based bidirectional network push of messaging, contact and calendar folders via TCP port 3101, and communication is encrypted end-to-end using 256-bit AES encryption.
Common file attachment types can be viewed on the device, including doc, rtf, xls, ppt, pdf, but these attachments are converted by the BES to a plain text-only format. Common image types can also be viewed.
IT policies can be enforced on the device, on a per-user level, governing the delivery of data to that device, and all web browsing can be routed through the BES allowing the administrator to control what sites can and can’t be viewed from the handheld devices.
Every single element of hardware and default software packages on the Blackberry handhelds can be controlled from the BES - including camera, WiFi, Bluetooth, web browsing, phone, SMS messaging, MMS messaging, etc. The installation of third party applications on the devices can also be blocked.

Devices can also be remotely ‘killed’ from the BES.
New devices can be set up very easily without the need for the device to be connected to the server, or even for the end user to come into the office. The ‘Enterprise Activation’ feature allows the administrator to assign a user an activation password, which can be emailed to the user, or verbally communicated. The end user then simply enters their full email address and the activation password onto the new handheld. The handheld performs an MX lookup on the domain entered in the email address and sends a system message to that email address. The BES server, which is monitoring the user’s mailbox, receives the system message and from the information contained within it ties the PIN number of the handheld to the user and synchronisation then completes automatically.
It is important to note that Blackberry handhelds can ONLY access the BES server via a cellular data connection. Although some of the handhelds possess WiFi capability, they can only be used to access the BES wirelessly when that wireless network is on the same local network as the BES.
See the Blackberry section in the Forum for more articles:
http://forum.devicewire.com/forums/102/ShowForum.aspx
Microsoft
Microsoft entered the remote email area with its Microsoft Mobile Information Server (MMIS) product in 2000. The functionality provided by this product has now been incorporated into Exchange 2003 and developed upon with the release of Exchange 2007, providing remote email without the need for any other server hardware or software.
With the release of Windows Mobile 2003, devices were able to wirelessly synchronise Contact, Calendar and Email folders with Exchange 2003, but synchronisation was user initiated or schedule based.
With the release of Windows Mobile 5 AKU2 and Service Pack 2 for Exchange 2003 direct push functionality was added as well as remote device wipe capability.
Today, with Windows Mobile 6.1 and Exchange 2007, users can wirelessly synchronise the Inbox, Drafts, Contacts, Calendar, Sent Items and Task folders of their Exchange mailbox, as well as subdirectories of those folders.
The administrator can enforce a password policy on the client device as well as imposing size limits on the messages and attachments that are delivered.

The user cannot, however, filter the messages that are pushed to the device; synchronisation is either on or off. Neither can the administrator specify which attachment types are allowed to be sent to the client device.
Specific hardware elements on the devices can also be disabled from the Exchange server, and applications can be blacklisted by the administrator, preventing their use on the client device.

Both the user and the administrator can remotely wipe the Windows Mobile device – this is now offered as an option in Outlook Web Access and as such can be initiated from any web browser with a connection to the Internet.

The Microsoft solution requires that the Exchange server be Internet-facing (i.e., have a “real world” IP address) and that port 443 be open on the firewall.
Client-server communication is encrypted using SSL, rather than stronger AES or 3DES mechanisms. Unless the Exchange Server is using a root-trusted SSL certificate then the corresponding client certificate needs to be exported from the Exchange Server and manually installed onto each client device.
Configuring the client device is more complicated than the BES solution: the address of the Exchange Server and the user’s username, password and domain credentials need to be entered on the device, most of which it is unlikely that the end user would know without having to contact their network administrator.
Windows Mobile 6.1 has, however, incorporated a ‘domain enroll’ feature which accomplishes this procedure, but requires an additional Microsoft product, System Center 2008 Mobile Device Manager, to be deployed alongside Exchange 2007.
The solution is, however, agnostic of the Internet connection used by the Windows Mobile device, unlike the Blackberry solution – be it 3G, GPRS, WiFi, or connected via USB to a PC and sharing its connection to the Internet.
Microsoft has also licensed the Server ActiveSync protocol to other handset manufacturers, including Nokia, Palm and Sony Ericsson and more recently Apple, meaning that you are not necessarily limited to the Windows Mobile platform; however, these other devices will only have the email functionality, not the device management features.
View the Microsoft section in the Forum for more articles:
http://forum.devicewire.com/forums/81/ShowForum.aspx
Nokia
Nokia’s entry into the remote email arena came relatively late, and consisted of purchasing another player in the space – Intellisync.
Intellisync themselves were formerly known as Synchrologic and have been in the remote email market for as long as RIM, but are less well known, typically delivering their solution as a branded offering through mobile network operators, such as Verizon in the US.
As with Blackberry, the Intellisync server is installed behind the firewall on the local network and can be used alongside Microsoft Exchange, Lotus Domino or Novell Groupwise.
Intellisync, or The Intellisync Mobile Suite to give it its full name, is a modular solution comprising four components, all or only some of which can be used independently:
- The Email Accelerator component enables the wireless synchronisation of mailbox folders and, as with Blackberry, can be policy driven on a per-user basis to filter message delivery.
- The Systems Management component enables comprehensive device management capability.
- The File Sync component enables the synchronisation of file packages to the client device as well as the remote installation of applications and patches.
- The Data Sync component enables the remote interrogation and population of server-side databases, including Microsoft SQL.
The solution requires a separate server (and Microsoft server operating system license) to be installed on, and also requires a real world IP address on the Internet.
Client-server communication is encrypted end-to-end using 256-bit AES encryption over TCP port 80 (HTTP). A client application needs to be installed on the client device; supported platforms include Windows, Windows Mobile, Palm and Symbian. The client is agnostic of the Internet connection and can be used via 3G, GPRS, WiFi or locally via the LAN or Broadband depending on the capabilities of the device being used.
The solution offers true IP-based network push of all mailbox folders, and mail delivery can be filtered based on certain conditions allowing much more flexibility than either Blackberry or Microsoft. Attachments can be filtered based on size and also type. The administrator also has the ability to lock down the client so that the user is not able to alter any of the settings themselves.

Users can also access the contents of their mailbox via a web interface. This same web interface can be used to remotely install the client software in the event that the device is hard reset, or replaced – all that is required from the user is a username and password (which can be their Windows login credentials).
The administrator can enforce password usage on the device, and can also control how many attempts the user has to enter their password correctly before the device is either locked or wiped completely.

The device management capabilities far outstretch anything that any other solution has to offer, including the ability to send files to and retrieve them from client devices, installing and uninstalling applications, and adding intelligence to processes with the use of Visual Basic scripting to perform different actions on different clients based on the results of interrogation commands.

There are other features within the solution such as the ability to ‘package up’ a corporate Intranet site for local offline viewing on client devices.
As with Blackberry, Intellisync will install its own database engine for small installations (Sybase), but for larger deployments a SQL server instance is recommended.
Addendum
For those security-conscious sysadmins who balk at the idea of opening port 80 through the firewall to a server on the local network, Intellisync can be deployed in a 'front end - back end' topology, by putting what Nokia term a 'secure gateway' in the DMZ. The Secure Gateway is a service that can be installed on a Windows or Linux-based machine that sits in the DMZ and accepts connections from client devices on port 80. It then forwards those connections to the Intellisync server on the LAN on a port that can be defined by the administrator (the default is 8865).
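As an added illustration (not part of the original article or any vendor's tooling), the sketch below audits a perimeter rule set against the network flows this article gives for each of the three architectures, including the secure gateway topology. The zone names, the rule syntax and the sample rules are constructed assumptions, and the BES entry assumes the server opens the port 3101 connection outbound.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str  # zone labels "internet", "dmz", "lan" are this example's own
    dst: str
    lo: int   # first TCP port allowed
    hi: int   # last TCP port allowed

# (src, dst, port) flows per architecture, taken from the article text.
REQUIRED = {
    "bes": [("lan", "internet", 3101)],         # no inbound ports needed
    "exchange": [("internet", "lan", 443)],
    "intellisync_direct": [("internet", "lan", 80)],
    "intellisync_gateway": [("internet", "dmz", 80),
                            ("dmz", "lan", 8865)],  # 8865 is the default
}

# Constructed sample rule set, written for the gateway topology.
SAMPLE_RULES = """
allow tcp internet dmz 80
allow tcp dmz lan 8000-8999   # wider than the single forwarding port
allow tcp internet lan 443    # left over from an ActiveSync pilot
"""

def parse_rules(text):
    """Parse 'allow tcp <src> <dst> <port|lo-hi>' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, ports = line.split()
        if action != "allow" or proto != "tcp":
            continue
        lo, _, hi = ports.partition("-")
        rules.append(Rule(src, dst, int(lo), int(hi or lo)))
    return rules

def audit(topology, rules):
    """List missing flows, rules wider than needed, and direct internet-to-LAN paths."""
    required, findings = REQUIRED[topology], []
    for src, dst, port in required:
        if not any((r.src, r.dst) == (src, dst) and r.lo <= port <= r.hi for r in rules):
            findings.append(f"MISSING {src}->{dst} tcp/{port}")
    for r in rules:
        needed = [p for s, d, p in required if (s, d) == (r.src, r.dst) and r.lo <= p <= r.hi]
        if len(needed) < r.hi - r.lo + 1:  # rule opens ports no required flow uses
            findings.append(f"EXCESS {r.src}->{r.dst} tcp/{r.lo}-{r.hi}")
        if (r.src, r.dst) == ("internet", "lan"):
            findings.append(f"INTERNET_TO_LAN tcp/{r.lo}-{r.hi}")
    return findings
```

Running `audit("exchange", ...)` or `audit("intellisync_direct", ...)` on a minimal rule set still reports `INTERNET_TO_LAN`, because those designs need a directly reachable server on the LAN, whereas the BES and secure gateway topologies can pass with none.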
View the Intellisync section in the Forum for more articles:
http://forum.devicewire.com/forums/103/ShowForum.aspx