Do you happen to use a front end Exchange server? We do not, and have come across a problem. In reading about the solution on MS site, this seems odd and insecure. Has anyone had to implement this fix?
http://support.microsoft.com/kb/817379/EN-US/ On Mon, Sep 22, 2008 at 2:03 PM, Sherry Abercrombie <[EMAIL PROTECTED]>wrote: > I have ISA in my environment, but it is not a part of the OWA/ActiveSync > setup. I have a reverse proxy setup at my colo that is used for both OWA > and ActiveSync. > > > On 9/22/08, mqcarp <[EMAIL PROTECTED]> wrote: >> >> Sherry are you using ISA in your environment? >> >> On Mon, Sep 22, 2008 at 12:15 PM, Michael B. Smith < >> [EMAIL PROTECTED]> wrote: >> >>> The below was current as of the release of Exchange Server 2003 sp2. >>> Not sure if the attribute has additional documented values in Exchange 2007. >>> >>> >>> >>> You can also make the change globally easily using PowerShell or a tool >>> like ADModify.Net. >>> >>> >>> >>> The final Exchange specific tab is Exchange Features, shown in Figure >>> 9-9. The Mobile Services entries allow you to control, on a per-user basis, >>> the mobile capabilities of Exchange. If you, by default, enable mobile >>> services at the global level (Global Settings(R)Mobile Services(R)Properties >>> (R)General) then this window allows you to disable the capabilities at the >>> per-user level. Using the script made available in Microsoft KB 830188 (How >>> to grant permission to use Outlook Mobile Access to specific users of >>> Exchange Server 2003), you can globally disable all users and then pick and >>> choose which specific users are to be allowed access to mobile service >>> capabilities. >>> >>> >>> >>> The per-user AD attribute that controls these functions is named >>> msExchOmaAdminWirelessEnable. If this attribute has a value of zero or >>> the attribute is not present, then all mobile services are enabled. If >>> Outlook Mobile Access (OMA) is disabled, but the other two features are >>> enabled, then the attribute has a value of two (2). The other two items >>> control specific features associated with Exchange ActiveSync (EAS). "User >>> Initiated Synchronization" must be enabled for Up-to-date Notifications to >>> be enabled; however Up-to-date Notifications may be disabled on its own. If >>> only Up-to-date Notifications is disabled, then >>> msExchOmaAdminWirelessEnable has a value of one (1). If both User >>> Initiated Synchronization and Up-to-date Notifications are disabled, then >>> msExchOmaAdminWirelessEnable has a value of five (5). If all three >>> Mobile Services are disabled, then msExchOmaAdminWirelessEnable has a >>> value of seven (7). >>> >>> >>> >>> If you search the Internet, you will find that other values can be >>> specified for this attribute. However, the values described in the prior >>> paragraph are the only values which Microsoft has documented. You are better >>> off only using these values. >>> >>> >>> >>> >>> >>> Regards, >>> >>> >>> >>> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP >>> >>> My blog: http://TheEssentialExchange.com/blogs/michael >>> >>> Link with me at: http://www.linkedin.com/in/theessentialexchange >>> >>> >>> >>> *From:* Sherry Abercrombie [mailto:[EMAIL PROTECTED] >>> *Sent:* Monday, September 22, 2008 12:55 PM >>> *To:* MS-Exchange Admin Issues >>> *Subject:* Re: ActiveSync Set Up Veterans >>> >>> >>> >>> The Exchange Features tab in AD for each account is the place to enable >>> or disable additional Exchange features such as mobile and OWA. All these >>> features are enabled by default and you will have to disable them. When we >>> recently went through the process to setup OWA and ActiveSync, I had to >>> manually disable everyone except those that had the proper approval for >>> mobile and/or OWA. Check with your HR department because there are legal >>> things to consider with employees checking or receiving email during >>> non-business hours. >>> >>> In your IIS settings for ActiveSync you can set it to require SSL and I >>> wouldn't recommend setting it up any other way. No SSL means that you're >>> network credentials are being sent clear text.......very bad idea. >>> >>> Haven't had need to do any looking at logging for auditing at this point >>> so I can't address that. >>> >>> On 9/22/08, *mqcarp* <[EMAIL PROTECTED]> wrote: >>> >>> Just have a few questions if some of you are using this feature. It seems >>> frighteningly easy to set up on the server side and I want to ensure that >>> the settings are secure. Here are a few observations for you vets on this: >>> >>> * The settings are activated for ALL users when it is enabled. Is it >>> possible to disable it by default and enable specific users in AD? >>> * Is there a log setting to enable for reviewing audit processes for >>> pushes and troubleshooting in Exchange? >>> * For iPhones, I have noticed that the config utility can require a >>> certificate for the server side push set up, but if you set up a device >>> manually, it will accept the connection without this validation. Can this be >>> set to be required to avoid connections this way? >>> >>> This is on Exch 2003. >>> >>> TIA >>> >>> >>> >>> >>> >>> >>> -- >>> Sherry Abercrombie >>> >>> "Any sufficiently advanced technology is indistinguishable from magic." >>> Arthur C. Clarke >>> >>> >>> >>> >>> >> >> >> > > > > -- > Sherry Abercrombie > > "Any sufficiently advanced technology is indistinguishable from magic." > Arthur C. Clarke > > > ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja ~
