SWIFTTRAIN & SBSLIVE

 

Initial set of links will update this with more links before the class is over.

 

 

The SBS Cert rollercoaster

How to Deploy Windows Mobile 5 with SBS Self-Signed Certificates)

 

Choosing the right Device

Those of us who have looked into  this particular email on the move  solution realise a lot of focus is placed on the  need to choose the right mobile device  whether  it's a Smartphone  like the 3G (UMTS) HTC MTeoR or a PDA style handset like the Palm Treo 750V or even a hybrid unit like the Blackjack. Thankfully there are so many different types of units available that there is bound to be a Windows mobile device / form factor to suit you or your customer. If you can edit a word document on your phone your are using a device with the Pocket PC version of  Windows Mobile  otherwise it's probably running the Smartphone version of the operating system, so for example the Blackjack looks more like a PDA however it's running the Smartphone version of the Windows Mobile  5

 

<SCREEENSHOT 1>

 

 

Push mail

The email being pushed to the mobile device without user intervention is also seen as a crucial piece of the puzzle , which requires the selected mobile device(s) to be running  Windows Mobile 5 with the Messaging and Security Feature Pack  ( MSFP ) update applied, also referred to as AKU2 by most device manufacturers, basically in plain English  the push update to us humans.

 

Some devices unfortunately including some early Windows Mobile 5 Devices cannot be upgraded to this Feature Pack which will stop you in your tracks if your customer wants the email to be pushed automatically onto the device, you still will be able to deploy the device however the user will have to manually sync their email / calendar by selecting the  Activesync  icon on the mobile device and choosing "SYNC". Also you will miss out on the ability to remote wipe the mobile device should it get stolen or lost.

 

Unfortunately the Certificate question is often left to last even though both the security of your solution and the time you are going to spend on the deployment often depends on selecting the right approach.

 

 

3rd Party Certificate

In some cases a 3rd party certificate from someone like Thwate or especially Godaddy for SBS given it's relatively low cost will make sense particularly if there is a large number of mobile devices to be deployed  and you would prefer not to have to manually install your certificate  onto each device only needing to install the  3rd party certificate onto the  Server. If you want to us a 3rd party certificate make sure you choose a  Secure Sockets Layer (SSL) certificate  from trusted root certification authorities that have a root store presence in Windows Mobile devices otherwise you will end up installing it onto your mobile devices just like you have to with the SBS self-signed certificate.

 

The Microsoft Partner site provides a good list of 3rd Party Certificates compatible with Windows Mobile Powered Devices <https://partner.microsoft.com/global/partner/40027352>

 

<SCREEENSHOT 2>

 

 

 

However if there is a smaller number of devices you may prefer to go it alone and use an SBS Self-Signed Certificate generated by SBS itself. Firstly be careful when selecting your mobile devices  as some non Windows Mobile 5 devices like the Nokia E62 which uses a licensed  cut down Activesync implementation to connect are almost impossible to get working with SBS self-signed certs, details here from the Official SBS Blog  <http://tinyurl.com/create.php> also watch out for Smartphone devices as in general these devices are often restricted particularly in relation to the Certificate  Store making it more difficult but not impossible to get your SBS self-signed certificate onto the device.

 

 As a general rule it is much easier to install the self-signed certificate onto a Pocked PC Windows Mobile Device like a HTC TyTn or a Palm Treo 650V whereas most mobile devices running Smartphone Windows Mobile 5 are restricted in some way, which will tackle in this article.

 

 How to tell,  if your device can edit word then it's a Pocket PC device however  when purchasing you should evaluate all devices against your own in house SBS network, so you can make an informed decision one way or the other.

 

Self-Signed Cert Invalid Certificate  Problem

Okay so we are going to use the self-signed certs and you have run the Configure Internet and Email Wizard (CIEW) to generate the certificate.

Full details are here "Deploying Windows Mobile 5.0 with Windows Small Business Server 2003" <http://www.microsoft.com/technet/prodtechnol/sbs/2003/deploy/winm5.mspx.

 

Most importantly when running the CIEW wizard from the To Do List on Server Management make sure you use the actual host name or IP address you will connecting  to from outside the network (usually the same as your Outlook Web Access host name ) as the Web Server Name with the http://   for the certificate , this is a deal breaker get it wrong and your mobile device will not sync.

When the wizard finishes CIEW will have created a certificate file calledSBSCERT.CER  and place it in a folder usually "C:\Clientapps\Sbscert" for most installations, alternatively if ISA is deployed on SBS the cert file will be called ISACERT.CER.

 

 

 

The Microsoft Documentation (referenced  above )  will ask you to drop this file onto your Windows Mobile Device using Activesync 4.1 or later, basically within the Activesync Explorer right click and copy the .CER file and then place in the mobile device's "My Documents" folder or alternatively you could copy the file onto an SD  / mini SD memory card and insert the card into the mobile device.

 

Once you have the file on the mobile device you browse to the file on the device and select the certificate and  "Hey Presto" it should install the certificate into the device's own certificate root store.

 

Unfortunately in most cases when you select  the certificate file  you will get the following error message "Invalid Certificate".

 

  You can normally get past this issue if you follow the steps below.

 

<SCREEENSHOT 3>

 

 

 

1.      Open a browser on your pc / laptop with Activesync 4.1 or higher installed  with the mobile device attached via USB

 

2.    Browse to Outlook Web Access and choose to view and then install the certificate, accepting the defaults as you go, this assumes you have not already installed the certificate.

 

3.    Once you have the Certificate installed on your pc click START  then RUN "certmgr.msc" and browse to Trusted root authorities and choose the cert you just imported.

 

4.    Right click and choose export and accept the defaults and save out as "SBSC.CER", if the phone is not locked you should be able to drop the cert onto the mobile device using Activesync as described above and then install it from the mobile device using file explorer without an error.

 

If you get an error at this stage it is normally a security related error because the device usually a Smartphone Windows Mobile has a protected Certificate store, the error message may read something like "Security Permission was insufficient to update your device" normally this can be bypassed by editing the registry but as always you need to be careful if you are going to edit the registry particularly on a mobile device and now's  probably a good time to revaluate that 3rd party certificate option :-)

 

Ok so you want to continue, having done this dozens of times myself it never caused any issues with any mobile device however the standard warning about editing the registry still applies, basically be careful and your on your own if you mess up.

 

 

<SCREEENSHOT 4>

 

 

 

Unlocking a Smartphone's certificate store

 

Firstly you need to get your hands on regeditstg.exe there is different versions available however I have provided a pretty generic version here http://markmulvany.fastmail.fm/RegEditSTG2.zip  which works with most HTC derived Smartphone devices like the iMate series Sp5 and Sp5m and earlier.

 

1.      Unzip the Regedit2.zip file onto your desktop or other location on your pc attached to the mobile device.

 

2.      In most cases the Regedit.exe program will not be correctly signed for your mobile device so you will not be able to drag and drop it onto the device using Activesync however you can put the file on an SD (mini SD) using the adaptor that came with the storage card for the device first on your pc and then transferring it to the Smartphone.

 

3.      Once you have the file on the mobile device then simply click on it from the file explorer and the Smartphone registry editor will open.

 

4.      Navigate to  HKEY_LOCAL_MACHINE\Security\Policies\Policies

Then change the following values to:

 

 

 HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001001 = 1

 

HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001005 = 40

HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001017 = 144

 

5.      Restart the mobile device and you should now have no problems adding your SBS Self-signed certificate onto your device.

 

6.      To verify that the certificate has been correctly installed, on your mobile device / Smartphone simply click Start, Settings, Security, Certificates, Root,0 (for more) and you should then be able to see your SBS certificate.

 

7.      You should now be either configure Activesync for the mobile device either on the handset itself or better still following the wizard on your desktop Activesync 4.1 or later.

 

Basically putting in the user name and password and the external name for the server as per the Microsoft Deployment document mentioned earlier.

 

 

 

 

Further information links

 

 

 Microsoft Whitepaper "Deploying Windows Mobile 5.0 with Windows Small Business Server 2003" <http://www.microsoft.com/technet/prodtechnol/sbs/2003/deploy/winm5.mspx>

 

 3G (UMTS) HTC MTeoR <http://www.europe.htc.com/products/htcmteor.html>

 

 Microsoft Information on Messaging and Security Feature Pack for Windows Mobile 5 http://www.microsoft.com/windowsmobile/business/directpushemail.mspx

 

Smartphone mobile editor available from here http://markmulvany.fastmail.fm/RegEditSTG2.zip

 

Bio

Mark Mulvany works closely with Microsoft in Ireland and it’s partners as an external IT Consultant helping to increase partner skills around Small Business Server, Exchange Messaging, Active directory and Mobility.

When not teaching or presenting technical briefings, Mark designs and implements networks as an independent network advisor.

Mark Mulvany MCT, MCSE, MCSE+I, MLSS, CNA, INET+

  

 

Remote Control http://www.logmein.com

 

Dos and other Tutorials http://www.computerhope.com

 

Flights http://www.expedia.co.uk

 

IP Info http://www.dnsstuff.com

 

Guys,

Links are here,

 

Ad-Aware @ Lavasoft - The Original Anti-Spyware Company - Lavasoft

Link to Online Evaluation

 

 

Course Links

 

Great links to Blogs and other info on Sharepoint 2007

 

Link to Sharepoint Lab

 

 

Virtual PC

 

Istalling Sharepoint Portal Server 2003 with SQL 2005

 

Main Microsoft Sharepoint Website

 

 

30 Day online Hosted Trial Windows Sharepoint Services V3.0 (2007)

 

 

 

I know it's been over 2 weeks since my last confession I mean post.

 

Anyway while updating myself on Virtual Server R2 for a presentation next week came across this page http://www.microsoft.com/technet/try/vhd/default.mspx which includes 3 preconfigured VHD (Virtual Server Images) a prebuilt Exchange 2007 / Live Comms 2005 image, a SQL 2005 and a Windows 2003 R2 image which you can download and run with the now free Microsoft Virtual Server R2, this is great and starts to make testing new Microsoft products even easier and makes training a lot easier for the rest of us.

 

Downloading the Exchange 2007 / Live Communications Server 2005 image as we speak, just under 1.5 GB in 3 files so not so small will let you know how I get on.

 

Kind Regards Mark

 

 

Hello,

Just recovering from SMB Nation in Seattle and Vista Training in Amsterdam.

 

Anyway wanted to post that Small Business Specialists now have a new few support avenue as well as the Business Critical phone support there is now a new Microsoft Monitored 4 hour response newsgroup only for Small Business Specialists, check out Eric Ligman Microsoft US post on this for more detail here http://blogs.msdn.com/mssmallbiz/archive/2006/09/09/747847.aspx

 

Hope this helps Mark

 

Well as per usual yours truly is absolutely ready to speak at SMB Nation http://www.smbnation.com  on Friday.

 

Anyone who even remotely knows me would realize that Mark is very much a last minute type of guy, although this year is a little different as I am extremely passionate about Windows Mobile with Push technology especially as I have just got my hands on a HTC TyTN.

 

Great device promises over 384Kbits cellular data connection using UMTS or what we call 3G in Europe and unlike the QTEK 9100 (200Mhz)which is also really a HTC model     http://www.europe.htc.com/products/qtek9100.html  the TyTn pronounced Titan uses a 400Mhz processor and sports a second camera for video calling.

 

I'm going to take the leap and try and use this pocket pc device as my only mobile (cell) phone which will be difficult as I have been using a Windows smartphone for the last 2.5 years first the Imate Sp3i and more recently the Imate SP5M http://www.imate.com/t-DETAILS_SP5m.aspx watch this space as I'm the transition is going to be a bumpy ride.

 

Let me or Dave Houston http://www.sbsireland.com know if your not going to SMB Nation and you would like notes / slide decks or info from the event.

 

 

 

Hello all IT pro's out there it's almost that time again,  the annual get together of all things SMB and SBS in particular is happening next week from the 8th to the 10th of September http://www.smbnation.com/conferences.htm.

 

I know, I know most of you reading this blog (all 2 of you :-<) have to work for a living so if anyone wants the powerpoints I am going to make them available from here and over on the http://www.sbsireland.com website if David is ok with it.

 

Check over the www.sbsireland.com for more information.

 

Also hopefully over the weekend I am going to post about my latest gadget the HTC Tytn which I purchased from Expansys http://www.expansys.ie/product.asp?code=TYTN well from their trade division (Resellers in Irealnd take note !)  anyway hope to show you show great pictures and video of the device.

 

So what's the big deal well I know it looks like a qtec 9100 however it has a 400Mhz processor twice as fast as the QTEC also a 2Mega Pixel camera and a second video camera for video calls and last but not least it supports 3G yep or to our friends in the US UMTS i.e. about 384Kbits instead of the usual 56Kbits with 2g / GPRS.

 

Last but not least Vodafone in Ireland at least have a new bundle  called Vodafone Business Works of 400 minutes any time voice mins + Vodafone to Vodafone calls are free but they are also bundling 50MB of 3G data all for € 79 http://www.vodafone.ie/businessworks/index.jsp

step in the right direction guys but how about unlimited 3G like the data card and 400min voice plan on the same sim, then there is no need for a data card use the HTC pocket pc for email / calendar and voice on the move and you can also use it as your 3G modem for your laptop.

 

Go on you know you want to comment :-)