Application and Management of Enterprise Mobile Messaging.pptx

Uploaded by: 云*** Document ID: 92146439 Upload date: 2023-05-30 Format: PPTX Pages: 45 Size: 3.14MB

MBL220: Enterprise Mobile Messaging Best Practices with Exchange 2003 and Windows Mobile

Agenda
- Enterprise mobile messaging applications
- Exchange 2003 SP2
- Windows Mobile 5 with MSFP
- Enterprise Exchange messaging service in practice
- Mobile messaging security, management, and extension

Enterprise mobile messaging applications
- A rich range of multi-purpose device terminals
- Ubiquitous, low-cost wireless networks
- A steadily strengthening security and management infrastructure
- Increasingly mature enterprise mobile messaging applications
  - Exchange Server 2003 / Windows Mobile 5
  - LCS 2005 / Mobile Office Communicator
  - CRM 2.0 / Mobile CRM
  - Mobile OA
  - Mobile ERP

Challenges of enterprise mobile messaging applications
- Total cost of ownership
- Connectivity: Scalability
- Security: Device and Network
- Manageability: Provisioning and Support
- Extensibility: Leveraging infrastructure
Focus:
- Microsoft Exchange Server 2003 Service Pack 2
- Microsoft Windows Mobile 5 Messaging and Security Feature Pack
- Architecture
- Best Practices

The starting point for enterprise mobile messaging: E-Mail
- E-mail is already a core enterprise application
- Many mature devices and solutions already exist
- Exchange Server 2003 is the first integrated solution
- Combined with ISA, it provides higher availability and manageability
- Combined with IT policy, it achieves higher security

Exchange 2003 SP2

Exchange Server 2003 Service Pack 2
- Stronger security
  - Certificate based authentication
  - Local and Remote Wipe capability
  - Central control of device policy
- Direct Push technology
- Many new features
  - Directory search
  - Pictures in Contacts
  - GZip

Exchange Server 2003 mobile access services
- Windows CE based devices
  - Pocket PC, Pocket PC Phone Edition, Smartphone 2002
  - Windows Mobile™ 2003 (AUTD support)
  - Windows Mobile 5 (AUTD & DP support)
- Outlook Mobile Access (real-time)
- Microsoft ActiveSync (synchronization)
- RPC/HTTP or OWA
- Diagram labels: Exchange 2003 Mobile Services SP2; Laptop; Cellular Phone; Pocket PC; SmartPhone

OWA access from Windows Mobile
- Small-screen browsing
- Pocket Internet Explorer (single window) supports OWA
- Limited frame

OMA access from Windows Mobile
- Based on WAP/WML
- Legacy Mobile Phones

ActiveSync access mechanism
Diagram labels:
- AirSync
- HTTP (basic authentication)
- SSL (preferred)
- IIS, MASSYNC.DLL (ISAPI)
- IIS, DAVEX.DLL (ISAPI)
- Front End Server
- Back End Server
- DS_ACCESS
- Active Directory
- Read User Properties & obtain Kerberos TGT
- WebDAV
- HTTP (Integrated authentication)
- Clear

Exchange Server ActiveSync applications

Mobile 5.0 with MSFP: online contact lookup (GAL)
- Requires Windows Mobile 5 + MSFP
- Integrated application
- Imports GAL records into the local contact list
- Diagram labels: Service Pack 2; Windows Mobile 5

Exchange Direct Push technology
- A true AUTD (always-up-to-date) solution
- No SMS notification required
- Supports all PIM data: Inbox, Calendar, Contacts and Tasks
- Adds no extra data traffic
- Scalability: worldwide
- No additional software or server installation required
- Requirements
  - Enabled in the server configuration (default configuration)
  - Devices that are "SP2-ready"
  - The solution depends on a live connection
  - The firewall connection timeout must be adjusted to 15-30 mins

Direct Push
How Direct Push Mail works (heartbeat interval of 15 min), between a Windows Mobile Device with MSFP and a Server running Exchange 2003 SP2.
Timeline markers: Time=0 min, Time=15 min, Time=23 min
Messages shown:
- Device: "If I get mail within the next 15 minutes, tell me; otherwise tell me 'no mail'."
- Server: "No mail"
- Server: "You have new mail"
- Device: "Give me the mail"
- Device: "If I get mail within the next 15 minutes, tell me; otherwise tell me 'no mail'."
Heartbeat: 370 Bytes/heartbeat x 4 heartbeats/hour x 24h x 30days = 1,06MB (No consideration to block rounding)

Exchange Server 2003 SP2 configuration

Enterprise Exchange messaging service in practice

Architecture overview
- Firewall
  - One or more
  - Must support at least port filtering
  - Supports reverse proxy (Publish)
- Front-end server
  - Can be Enterprise Edition or Standard Edition
  - Pub/private Store can be removed
  - Can be deployed on: Internet, DMZ, inside corporate firewall
- Back-end server
  - Inside corporate firewall
  - Stores mailboxes and public folders

FE/BE Deployment Scenarios: Single firewall (simple)
Diagram labels:
- Internet
- Firewall: Ports 443, 993, 995
- Exchange Server 2003 Front-End Servers
- Exchange 2003 Server (x3)
- Active Directory Global Catalog Server

FE/BE Deployment Scenarios: DMZ/Perimeter network (secure)
Diagram labels:
- Internet
- Firewall: Ports 443, 993, 995
- DMZ
- Exchange Front-End Servers
- Firewall: Ports 80, 143, 110, LDAP, etc
- Exchange 2003 Servers (x3)
- Active Directory Global Catalog Server

ISA Reverse Proxy: DMZ/Perimeter network (recommended)
Diagram labels:
- Internet
- Firewall: Port 443
- ISA
- Firewall: Ports 443 or 80
- Exchange FE
- Exchange 2003 Server (x4)
- AD/GC

Mobile messaging security
[Diagram labels: management; devices; air transmissions; PAN; LAN; WAN; public networks; private networks; 1; 2; 3; applications; mobility; wireless; 4 VPN; traditional security]

Secure access for mobile devices
[Figure: timeline of mobile malware. Labels in extraction order: Mabir; Windows CE DUTS; Windows CE BRADOR; 29Dec04; 1Feb05; Locknut (Gavno); Vlasco; 21Nov04; Skulls; 20June04; Cabir; 17Jul04; 5Aug04; 8Mar05; Comwar; 7Mar05; Dampig; 12Aug04; Qdial; 4Apr05; Fontal; 6Apr05; Drever; 18Mar05; Hobbes; 15Apr05; Doomed; 4Jul05. Legend: Symbian OS (Nokia, etc); Windows CE (HP, etc). Source: Trend Micro]

Security threats to mobile devices
- Stolen information: Host intrusion, stolen device
- Unauthorized network/application access: Compromised credentials, host intrusion
- Virus propagation: Virus susceptibility
- Lost information: Lost, stolen or damaged device

Content security for mobile devices (access security)
- Simple lock
- Encryption
  - Private key storage?
  - Smartcard/TPM
  - Hash private key (dictionary attack)
  - Couple with strong password policies
- Prevent insecure reboot
  - Analogous to BIOS password and Drivelock

Authentication
- Username/Password
  - Encrypted on device
- Client Certificate
  - Prevents ISA from SSL-bridging
  - Non-trivial enrollment
- One-time Password

Secure connection
- Infrastructure similar to OWA (HTTP)
- SSL certificate-checking by the access device
- Root CA
- "Known" Certificate authorities:
  - Thawte (server and Premium server)
  - Secure Server
  - GTE Cybertrust
  - Globalsign
  - E
  - Class 2 and 3 Public Primary Certificates
- Root CA of the SSL Certificate must be installed on the Windows Mobile™ client
Diagram labels:
- Certificate for Virtual Server, issued by Root CA
- 1. HTTPS connection
- 2. IIS presents the virtual Server SSL Certificate
- ActiveSync Client
- Validation of Root CA

Enforced security policy
- Goal: ensure that security policy is enabled on mobile devices
- Contents:
  - PIN code strength
  - Remote Wipe
  - Specific web UI
  - Device Locking

Security of Exchange Servers
- SSL is not enabled between front end and back end
  - Trusted physical/switched network
  - IPsec everything or specific ports such as 80
- IIS
  - Enable IIS logging
  - Disable non-essential script mappings
  - Always keep up to date on available fixes

Using IPsec
- IPsec is used to encrypt traffic between the Exchange front end and back end
- IPsec policy
  - Exchange front end: me -> any; TCP any -> 80; Encrypt
  - Exchange back end: Respond only
- Use GPO to push IPsec policies
- Exchange 2003 front end and back end use Kerberos authentication

Recommended configuration
- Do not use direct end-to-end connections
- Use SSL bridging (ISA)
- Authenticate at the front end
- Use IPSec between front end and back end
- ISA and FE need certificates configured

Mobile messaging management

Using MDM (Mobile Device Management)
- Lower TCO, especially technical support costs
- Central console, reporting
- A more reliable platform for deploying line-of-business applications
- Easier to use and more readily accepted by users
- Security: assured configuration integrity

Different MDM products
- Desktop-management based
  - Altiris
  - Microsoft SMS
- Complete solutions
  - Good
  - Intellisync*
  - OneBridge
- Standard MDM
  - iAnywhere Afaria
  - mFormation*

MDM maturity levels
- Infancy
  - Asset management
  - Basic software updates
- Adolescence
  - Software updates
  - Configuration management
  - Enforced device security
- Mature
  - Data publishing and synchronization
  - Multi-platform support
  - Policy-based software distribution
  - Over-the-air (OTA) provisioning and maintenance
  - Extended desktop management

Enterprise MDM requirements
- Integrated Management Console
- Directory (AD/LDAP) integration
- Centralized Policies
  - Policy polling
  - User cannot remove
  - Screen-lock/Idle-lock

Extending mobile messaging services

Mobility extension architecture
- Management and Security Infrastructure
  - provisioning, user support, load balancing
  - identity management, authorization
- Access Layer
  - Connectivity: Roaming, VPN
  - Presentation: rendering, synchronization, local processing
- Distribution Layer
  - Connectivity services: roaming, compression, optimization, VPN
  - Device services: rendering, synchronization, content-aggregation, personalization, location
- Content Layer
  - Business process automation, CRM, rich media, e-mail, OLTP/OLAP, databases, ERP, Internet/intranet

Microsoft's Mobility extension architecture
- Management and Security Infrastructure
  - Active Directory, SMS, MSFP
- Access Layer
  - Connectivity: ActiveSync
  - Presentation: .NET CF, SQL CE, Media Player
- Distribution Layer
  - Connectivity services: Server-ActiveSync, ISA Server, Exchange FE
  - Device services: ASP.NET Mobile Controls
- Content Layer
  - BizTalk, CRM, Windows Media, Exchange, Microsoft SQL, ERP, IIS

More resources

Please fill in the feedback form
