Consider these issues before installing Mobile Information Server 2002

Mobile Information Server 2002 can be a big plus for your users, but you must plan before you deploy it in your organization. Jim Boyce shows you the infrastructure, security, and directory concerns you must consider before running Setup.

Mobile Information Server 2002 (MIS) is a relatively inexpensive tool that gives users access to data and messaging resources (such as Exchange Server mailboxes) from a broad range of wireless devices. MIS’s companion product, Outlook Mobile Manager, gives users greater control over content delivery and other wireless access features.

These features seem good enough to speak for themselves, but how much work is involved in getting your network ready to support MIS? The answer is a lot. But if you are organized, the workload isn’t prohibitive—especially when you consider the end result. To take full advantage of this tool, you need to plan before you install. In this Daily Drill Down, I explain how to develop your infrastructure in preparation for installing and configuring MIS.

Planning the network infrastructure
Like most add-on services for Windows 2000, you can’t just fire up Setup for MIS and let a wizard get your server and network ready for MIS. You must take the time to ensure that your network’s infrastructure can handle the additional load that MIS will place on it. This requires you to consider more than just where the physical server(s) will be located. You must take into account how the servers communicate with the back-end servers, how they fit in with your firewalls and proxy servers, and the domain changes they require.

One matter that needs immediate clarification concerns the two versions of MIS. The Enterprise Edition is meant for end-user deployment and provides communication with wireless devices that support simple mail transfer protocol (SMTP). To support short message service (SMS) devices and messages, you need the Carrier Edition sitting between you and your users. Typically, this means the carrier that provides the wireless services to your users needs to install Carrier Edition and configure it with the appropriate connectors to allow SMS messages to be sent to your users. For the purposes of preparing your network in this Daily Drill Down, I’ll focus on the Enterprise Edition.

The first issue to consider is where your MIS server(s) will fit into your enterprise in relation to your firewalls and internal network. MIS requires Windows 2000 Server or later. Additionally, you’ll need to install it on a domain controller. This can complicate server placement because it’s generally a bad idea to place a domain controller in a perimeter network. Doing so exposes domain accounts to a greater likelihood of being compromised by Web-initiated attacks. Placing the MIS servers in the perimeter network also requires you to open additional ports in the internal firewall, which will create a number of new holes in your defenses.

The approach I recommend is that you deploy MIS behind your internal firewall and use Microsoft’s Internet Security and Acceleration Server (ISA) as a gateway. If you don’t have ISA in place now and are just evaluating MIS, don’t worry—you can download an evaluation version of ISA from Microsoft’s Web site.

While you could certainly forego ISA and install MIS in your perimeter network, I’m not going to cover that approach in detail. If you decide to take that route, however, setup will be much the same. You just need to make sure you open the appropriate ports on the firewall to allow the MIS traffic through.

If you have ISA in place now, you’re in good shape. You’ll just need to install the MIS ISA filter and configure the rules to support MIS. If you don’t have ISA in place now, begin to put together the resources and information you’ll need to get it into place. This means installing a server in the perimeter network, installing Windows 2000 Server or later on it, and installing ISA. Check out the Daily Drill Down “Installing ISA Server” for more information on installing and configuring ISA.

Next, you need to consider which services your LAN users will need to access from the Internet. At a minimum, you need to open port 389 to allow lightweight directory access protocol (LDAP) queries to the Active Directory for initial authentication and port 443 for secure sockets layer (SSL) to allow communication between ISA and MIS. If internal users need access to external services such as HTTP, POP3, SMTP, and so on, you’ll need to make sure you open those ports, as well. Also take a look at the services you provide internally that need to be accessed from the Internet, such as Web sites or e-mail servers, so you can open ports accordingly.

Security and domain considerations
You’ll also need to consider the security mechanisms involved in an MIS deployment so that you can dictate how you want to manage users for wireless access. When concerned with security, there are three types of traffic to consider:
  • Notifications
  • Synchronization
  • Browse requests

Notifications generated by Exchange Server go through your MIS server to the carrier’s server, where they are transmitted to the user’s device. The carrier might use an SMTP server to receive the notifications from your server, or it might use MIS Carrier Edition. In all cases, however, the traffic moves between your MIS servers and the carrier across the Internet.

While the possibility that notifications could be intercepted is somewhat remote, it does exist. You can use SSL or IPSec (IP Security) to secure notification traffic between your MIS server and the carrier if the carrier installs MIS. If the carrier doesn’t use MIS but instead relies on one or more SMTP servers to receive the traffic, you can’t encrypt notification traffic. Whichever method the carrier uses, you’re at the mercy of the wireless security methods in place between the carrier’s SMSC and the wireless device. Because of this, you should bone up on the security options available on that end if security is a major consideration.

MIS supports synchronization of Exchange Server data from Pocket PC 2002 devices. In all cases, the traffic between the MIS server and the wireless devices is encrypted with SSL (or HTTPS). Depending on where your MIS server is located, you can use one of two methods to provide secure access between wireless devices and Exchange Server. If the server is located inside the internal firewall and users synchronize through local wireless access points, the wireless security you use for those access points and wireless devices secures the traffic. It’s therefore important that you use the security features built into the wireless network to prevent unauthorized access to the network and to data as it flows through the network.

Users who synchronize from the Internet must first create a VPN connection to the server if the server sits on the internal LAN rather than in the perimeter network. So you need to provide VPN servers to allow access to the MIS servers. Alternatively, you can configure ISA or your firewall to forward the SSL traffic from the Internet to the MIS server as needed. If you place the MIS server in the perimeter network, Internet users can synchronize using just SSL without a VPN connection.

Browsing for network resources is another consideration. When users browse resources on your network from wireless devices, those browse requests can come through a WAP gateway or can go directly to the MIS server(s). If they come through a gateway, the gateway translates the request from Wireless Transport Protocol (WTP) to HTTP or HTTPS and then connects to the MIS server to transfer the request. During the translation from WTP to HTTP/HTTPS, the user credentials are at some degree of risk for compromise because they are briefly in clear-text format. If you are concerned that this could be a security risk, you can minimize that risk by choosing a domain security model that minimizes account exposure.

When you install MIS, you need to decide which of four security models you’ll use to handle wireless users. The first choice is to use existing user accounts to manage wireless access. This is perhaps the least desirable model because it potentially exposes user credentials to compromise. Your second choice is to create an auxiliary account in the user’s domain and use the auxiliary account to authenticate wireless access. This helps protect the users’ primary credentials.

The third model is to create an auxiliary domain that you use specifically for controlling wireless access. You create accounts in this domain for each wireless user, and they use the auxiliary account to access wireless resources.

The fourth model is to create a separate domain forest specifically to support wireless users. These users continue to use their original forest/domain accounts for internal use but use the accounts in the new forest/domain for accessing wireless resources. Naturally, the first three models are easier to set up and manage, but this fourth model gives you greater flexibility when dealing with a large number of wireless users—particularly where those users already reside in multiple domains.

You’ll need to choose one of these security models when you install MIS. At this stage, you need to examine your existing domain structure with an eye on which users will need wireless access. Decide which of the security models best fits your existing domain structure while still offering the necessary level of security.

As I mentioned before, some wireless devices don’t browse through a WAP gateway but instead connect directly to the MIS server. These include Pocket PC 2002 devices and devices running Microsoft Mobile Explorer 3.0. For those devices, user credentials are never translated into clear text in transit, so they are not susceptible to interception provided you use HTTPS. However, you should still consider using one of the security topologies that uses auxiliary accounts to ensure security for those users who do browse through a WAP gateway.

MIS virtual directories
When you install MIS, Setup creates several virtual directories to support MIS’s various features. Which of these get created depends on the options you select during MIS installation.

The first virtual directory is /OMA, which provides access to Exchange 2000 Server mailboxes. Assuming mis.techrepublic.com is the fully qualified domain name (FQDN) of our fictitious MIS server, users would connect to http://mis.techrepublic.com/oma to access their mailboxes. The second virtual directory is /OMA55, which provides access to Exchange Server 5.5 mailboxes. The resulting URL would be something like http://mis.techrepublic.com/oma55.

The /In virtual directory provides redirection for intranet browsing requests. Wireless users would enter a URL like http://mis.techrepublic.com/In/<resource>, where <resource> is the path to the resource on the network.

The /MMISDeviceInfo virtual directory stores information about wireless devices. The /MMISNotify virtual directory receives notifications. For example, the Exchange 2000 Event Source sends notifications to this virtual directory when a wireless user receives a message to his or her mailbox that generates an outgoing notification.

The /MSAS virtual directory supports synchronization by Pocket PC users of their e-mail, calendar, and contact data with their Exchange 2000 Server mailboxes.

You need to take these virtual directories into account when you set up ISA and define these virtual directories in the destination sets you create under ISA to support MIS incoming traffic.
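The destination sets you define in ISA amount to a path allowlist: a request is forwarded only if it falls under one of the MIS virtual directories you actually installed. The following added example (not code from the page, Microsoft, or ISA) models that check in Python, using the virtual directories named above and the page’s fictitious host mis.techrepublic.com; the sample requests are constructed, and the `installed` parameter is an assumption that lets you limit the allowlist to the directories Setup created.

```python
from urllib.parse import unquote, urlsplit
from posixpath import normpath

# MIS virtual directories named in the text. Which ones exist on a given
# server depends on the options chosen during Setup (assumed: all present).
MIS_VIRTUAL_DIRS = {
    "/OMA": "Exchange 2000 Server mailboxes",
    "/OMA55": "Exchange Server 5.5 mailboxes",
    "/In": "intranet browsing redirection",
    "/MMISDeviceInfo": "wireless device information",
    "/MMISNotify": "notification receiver",
    "/MSAS": "Pocket PC synchronization",
}

def normalize_path(url_or_path):
    """Decode and collapse a request path before comparing it against the
    allowlist; IIS paths are case-insensitive, so compare in lower case."""
    path = urlsplit(url_or_path).path or "/"
    # decode twice so a double-encoded %252e%252e cannot slip past the check
    path = unquote(unquote(path))
    path = path.replace("\\", "/")
    path = normpath(path)          # folds '.', '..' and repeated slashes
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()

def match_virtual_dir(url_or_path, installed=None):
    """Return the MIS virtual directory that should receive this request,
    or None when it lies outside the destination set and must be dropped."""
    installed = MIS_VIRTUAL_DIRS if installed is None else installed
    path = normalize_path(url_or_path)
    for vdir in installed:
        root = vdir.lower()
        # match the root itself or a sub-path; '/omafoo' must not match '/oma'
        if path == root or path.startswith(root + "/"):
            return vdir
    return None

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    "https://mis.techrepublic.com/oma",
    "https://mis.techrepublic.com/OMA55/inbox",
    "https://mis.techrepublic.com/In/intranet/reports",
    "https://mis.techrepublic.com/omafoo",
    "https://mis.techrepublic.com/MSAS/../other",
    "https://mis.techrepublic.com/oma/%2e%2e/scripts",
]

def triage(requests=SAMPLE_REQUESTS, installed=None):
    """Map each request to the virtual directory it resolves to, or None."""
    return {r: match_virtual_dir(r, installed) for r in requests}
```

Traversal attempts resolve to a path outside every virtual directory and so return None, which is the behaviour your ISA rules should reproduce.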

Conclusion
To successfully install Mobile Information Server 2002 in your organization, you must take some issues into consideration before running Setup. Start by planning where you’re going to locate your server, what kinds of traffic you’ll be sending over it, and what security implications those choices have on your network. Then, decide what features you’ll need so you’ll know what directories MIS’s Setup program will want to create. When you have all of this ready, you can reach for the Setup CD or move on to configuring ISA Server before finally installing MIS Server 2002.
