292 Chapter 5 • Managing the Client Access Server Let’s move on to the Authentication tab (Figure 5.45). Here we have the option of enabling Basic authentication (password sent in clear text), typically the authentication method used by Exchange ActiveSync clients. In addition, we can specify how the CAS should handle client certifi cates. NOTE Windows Mobile 5.0 and earlier don’t support the AutoDiscover service, only the next version of Windows mobile, codenamed Crossbow and currently in beta, supports this feature. Figure 5.45 The Authentication Tab on the Microsoft Server ActiveSync Properties Page Managing the Client Access Server • Chapter 5 293 Finally, we have a Remote File Servers tab. We won’t go through the available options here since they are identical to those covered in the Outlook Web Access section in this chapter and simply allow the access of fi les on remote fi le shares or SharePoint servers. Confi guring ActiveSync Policies As many of us remember, Exchange Server 2003 SP2 introduced a set of device security settings that allowed us to push out a policy to mobile devices accessing the Exchange 2003 Server using Exchange ActiveSync. We had the option of enforcing passwords on the devices, setting the minimum password length, setting the inactivity timeout, setting a device to be remotely wiped after x number of failed logon attempts, setting how often the device security settings should be pushed out to the devices, and more. One problem with the device security settings feature in Exchange Server 2003 SP2 was its limitation to one global policy, which applied to all users, unless they were explicitly added to an exception list, excluding them from all security policy. With Exchange Server 2007, it is now possible to create multiple Exchange ActiveSync policies, giving you much more control of your mobile deployment. In the following example, I’ll show you step by step how an Exchange ActiveSync policy is created. 1. Open the Exchange Management Console, and then expand the Organization Confi guration work center node. 2. Click the Client Access subnode, and then select New Exchange ActiveSync Mailbox Policy in the Action pane. 3. In the New Exchange ActiveSync Mailbox Policy, enter a name for your policy and then check and confi gure the options that should be applied to the user mailboxes to which this policy is assigned, as shown in Figure 5.46. TIP Windows mobile 5.0 and earlier devices cannot take advantage of the direct link access feature, which allows you to access documents in a share on a fi le server, or documents located on a SharePoint Server. Only the next version of Windows mobile, codenamed Crossbow and currently in beta at the time of this writing, supports the direct link access feature. 294 Chapter 5 • Managing the Client Access Server Figure 5.46 Creating a New Exchange ActiveSync Mailbox Policy Managing the Client Access Server • Chapter 5 295 4. When ready, click New, and then Finish on the following page. NOTE If you have experience with confi guring the device security settings in Exchange 2003 SP2, the options listed in Figure 5.46 should be familiar, with the exception of four. The four new options are Enable password recovery, Require encryption on device, Password expiration (days), and Enforce password history. The fi rst option, Enable password recovery, will store a user’s password on the Exchange Server so it’s possible to retrieve a lost device password should the user forget it. A lost password can be retrieved by the IT staff using the Exchange Management Console or the Exchange Management Shell, but a user can also retrieve it himself via the Mobile Device page in OWA 2007. The second option, Require encryption on device, will encrypt the data on the storage card in a device, but keep in mind this option is only supported with devices running the next version of Windows mobile, codenamed “Crossbow.” The third option, Password expiration (days), allows us to specify after how many days a device password should stay active before expiring. The fourth option, Enforce password history, makes it possible to enforce password history so users must use a completely new password when it has expired. TIP If you would rather create an Exchange ActiveSync policy using the Exchange Management Shell, you can do so using the New-ActiveSyncMailboxPolicy cmdlet. For example, the policy confi gured in Figure 5.46 could be created using the Exchange Management Shell by typing: New-ActiveSyncMailboxPolicy –Name “Exchange Dogfood – All EAS Users” – AllowNonProvisionableDevices $false –DevicePasswordEnabled $true – AlphanumericDevicePasswordRequired $false –MaxInactivityTimeDeviceLock “00:15:00” –MinDevicePasswordLengh “4” –PasswordRecoveryEnabled $true –DeviceEncryptionEnabled $true –AttachmentsEnabled $true –AllowSimpleDevicePass word $false –DevicePasswordExpiration “unlimited” –DevicePasswordHistory “0” 296 Chapter 5 • Managing the Client Access Server Figure 5.47 The General Tab on the Properties Page of an Exchange ActiveSync Mailbox Policy After you have confi gured an Exchange ActiveSync Mailbox Policy, you can always change it later if required. You can do this by selecting the respective policy in the Result pane, and then clicking the Properties link in the Action pane. This will bring you to a screen similar to the one shown in Figures 5.47 and 5.48. . the CAS should handle client certifi cates. NOTE Windows Mobile 5.0 and earlier don’t support the AutoDiscover service, only the next version of Windows mobile, codenamed Crossbow and currently. created. 1. Open the Exchange Management Console, and then expand the Organization Confi guration work center node. 2. Click the Client Access subnode, and then select New Exchange ActiveSync Mailbox. your policy and then check and confi gure the options that should be applied to the user mailboxes to which this policy is assigned, as shown in Figure 5.46. TIP Windows mobile 5.0 and earlier