Are you trying to do both OWA and ActiveSync?

On 9/23/08, mqcarp <[EMAIL PROTECTED]> wrote:
>
> Do you happen to use a front end Exchange server? We do not, and have come
> across a problem. In reading about the solution on MS site, this seems odd
> and insecure. Has anyone had to implement this fix?
>
> http://support.microsoft.com/kb/817379/EN-US/
>
> On Mon, Sep 22, 2008 at 2:03 PM, Sherry Abercrombie <[EMAIL PROTECTED]> wrote:
>
>> I have ISA in my environment, but it is not a part of the OWA/ActiveSync
>> setup. I have a reverse proxy setup at my colo that is used for both OWA
>> and ActiveSync.
>>
>> On 9/22/08, mqcarp <[EMAIL PROTECTED]> wrote:
>>>
>>> Sherry are you using ISA in your environment?
>>>
>>> On Mon, Sep 22, 2008 at 12:15 PM, Michael B. Smith <[EMAIL PROTECTED]> wrote:
>>>
>>>> The below was current as of the release of Exchange Server 2003 sp2.
>>>> Not sure if the attribute has additional documented values in Exchange
>>>> 2007.
>>>>
>>>> You can also make the change globally easily using PowerShell or a tool
>>>> like ADModify.Net.
>>>>
>>>> The final Exchange specific tab is Exchange Features, shown in Figure
>>>> 9-9. The Mobile Services entries allow you to control, on a per-user basis,
>>>> the mobile capabilities of Exchange. If you, by default, enable mobile
>>>> services at the global level (Global Settings → Mobile Services →
>>>> Properties → General) then this window allows you to disable the
>>>> capabilities at the per-user level. Using the script made available in
>>>> Microsoft KB 830188 (How to grant permission to use Outlook Mobile Access
>>>> to specific users of Exchange Server 2003), you can globally disable all
>>>> users and then pick and choose which specific users are to be allowed
>>>> access to mobile service capabilities.
>>>>
>>>> The per-user AD attribute that controls these functions is named
>>>> msExchOmaAdminWirelessEnable. If this attribute has a value of zero or
>>>> the attribute is not present, then all mobile services are enabled. If
>>>> Outlook Mobile Access (OMA) is disabled, but the other two features are
>>>> enabled, then the attribute has a value of two (2). The other two items
>>>> control specific features associated with Exchange ActiveSync (EAS). "User
>>>> Initiated Synchronization" must be enabled for Up-to-date Notifications to
>>>> be enabled; however Up-to-date Notifications may be disabled on its own. If
>>>> only Up-to-date Notifications is disabled, then
>>>> msExchOmaAdminWirelessEnable has a value of one (1). If both User
>>>> Initiated Synchronization and Up-to-date Notifications are disabled, then
>>>> msExchOmaAdminWirelessEnable has a value of five (5). If all three
>>>> Mobile Services are disabled, then msExchOmaAdminWirelessEnable has a
>>>> value of seven (7).
>>>>
>>>> If you search the Internet, you will find that other values can be
>>>> specified for this attribute. However, the values described in the prior
>>>> paragraph are the only values which Microsoft has documented. You are
>>>> better off only using these values.
>>>>
>>>> Regards,
>>>>
>>>> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>>>>
>>>> My blog: http://TheEssentialExchange.com/blogs/michael
>>>>
>>>> Link with me at: http://www.linkedin.com/in/theessentialexchange
>>>>
>>>> *From:* Sherry Abercrombie [mailto:[EMAIL PROTECTED]
>>>> *Sent:* Monday, September 22, 2008 12:55 PM
>>>> *To:* MS-Exchange Admin Issues
>>>> *Subject:* Re: ActiveSync Set Up Veterans
>>>>
>>>> The Exchange Features tab in AD for each account is the place to enable
>>>> or disable additional Exchange features such as mobile and OWA. All these
>>>> features are enabled by default and you will have to disable them. When we
>>>> recently went through the process to setup OWA and ActiveSync, I had to
>>>> manually disable everyone except those that had the proper approval for
>>>> mobile and/or OWA. Check with your HR department because there are legal
>>>> things to consider with employees checking or receiving email during
>>>> non-business hours.
>>>>
>>>> In your IIS settings for ActiveSync you can set it to require SSL and I
>>>> wouldn't recommend setting it up any other way. No SSL means that your
>>>> network credentials are being sent clear text.......very bad idea.
>>>>
>>>> Haven't had need to do any looking at logging for auditing at this point
>>>> so I can't address that.
>>>>
>>>> On 9/22/08, *mqcarp* <[EMAIL PROTECTED]> wrote:
>>>>
>>>> Just have a few questions if some of you are using this feature. It
>>>> seems frighteningly easy to set up on the server side and I want to ensure
>>>> that the settings are secure. Here are a few observations for you vets on
>>>> this:
>>>>
>>>> * The settings are activated for ALL users when it is enabled. Is it
>>>> possible to disable it by default and enable specific users in AD?
>>>> * Is there a log setting to enable for reviewing audit processes for
>>>> pushes and troubleshooting in Exchange?
>>>> * For iPhones, I have noticed that the config utility can require a
>>>> certificate for the server side push set up, but if you set up a device
>>>> manually, it will accept the connection without this validation. Can this
>>>> be set to be required to avoid connections this way?
>>>>
>>>> This is on Exch 2003.
>>>>
>>>> TIA
>>>>
>>>> --
>>>> Sherry Abercrombie
>>>>
>>>> "Any sufficiently advanced technology is indistinguishable from magic."
>>>> Arthur C. Clarke
>>>>
>>>
>>
>> --
>> Sherry Abercrombie
>>
>> "Any sufficiently advanced technology is indistinguishable from magic."
>> Arthur C. Clarke
>>
>
--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
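
An added example, not code from any participant in this thread: a PowerShell audit of the per-user msExchOmaAdminWirelessEnable attribute that uses only the five documented values quoted above and reports accounts left with mobile services enabled or carrying an undocumented value. The function name `Get-MobileServiceAudit`, the `-ApprovedUsers` list and the sample accounts are assumptions made for illustration.

```powershell
# Added example. Values and their meanings are the documented ones listed in
# the thread (current as of Exchange Server 2003 SP2).
$DocumentedValues = @{
    0 = @('OMA', 'User Initiated Synchronization', 'Up-to-date Notifications')
    1 = @('OMA', 'User Initiated Synchronization')
    2 = @('User Initiated Synchronization', 'Up-to-date Notifications')
    5 = @('OMA')
    7 = @()
}

function Get-MobileServiceAudit {   # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [string[]] $ApprovedUsers = @()   # assumed list of approved accounts
    )
    process {
        # An absent attribute casts to 0, which the thread says means
        # all mobile services are enabled.
        $value = [int]$User.msExchOmaAdminWirelessEnable
        if (-not $DocumentedValues.ContainsKey($value)) {
            $enabled = 'unknown'
            $finding = 'Undocumented value'
        } else {
            $enabled = $DocumentedValues[$value] -join ', '
            $approved = $ApprovedUsers -contains $User.SamAccountName
            if ($value -ne 7 -and -not $approved) {
                $finding = 'Enabled without approval'
            } else {
                $finding = 'OK'
            }
        }
        [pscustomobject]@{
            User = $User.SamAccountName; Value = $value
            Enabled = $enabled; Finding = $finding
        }
    }
}

# Constructed sample accounts. Against a live domain the same properties could
# come from the ActiveDirectory module (assumed to be installed):
#   Get-ADUser -LDAPFilter '(mailNickname=*)' -Properties msExchOmaAdminWirelessEnable
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; msExchOmaAdminWirelessEnable = $null }
    [pscustomobject]@{ SamAccountName = 'bob';   msExchOmaAdminWirelessEnable = 2 }
    [pscustomobject]@{ SamAccountName = 'carol'; msExchOmaAdminWirelessEnable = 7 }
    [pscustomobject]@{ SamAccountName = 'dave';  msExchOmaAdminWirelessEnable = 3 }
)
$sample | Get-MobileServiceAudit -ApprovedUsers 'bob' | Format-Table -AutoSize
```

With the sample data, alice (attribute absent) is reported as enabled without approval, bob and carol as OK, and dave as carrying an undocumented value.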
