New Office Version – New Features – More Mobility

This weekend I got a little email from Microsoft containing the necessary details to download Office 2010 CTP. (I signed up almost two months ago at 
http://www.office2010themovie.com, and received an invitation code to use at http://connect.microsoft.com .) I obviously had to test it out on Windows 7.

Being Office it contains the usual suspects like Word and Excel with a more Win7 feel, but although I use some of these applications on a regular basis it was two other apps I was more interested in testing first: OneNote and Outlook.

OneNote is a neat program once you get used to it, but I’ve felt it to be lacking in some departments. The new version will sport a “cloud” option meaning that you can synchronize your notebooks to the cloud. So if you have multiple computers they will always be in sync with each other (and I really need that). And even better – OneNote Mobile will be able to hook up to the cloud too! Finally you can use it on your Windows Mobile without tethering! Alas, I was not able to test this at the moment for two reasons – it’s not enabled in this CTP, and the mobile version is not released yet. (The Windows Mobile 6.5 images contain OneNote 2007.)

Outlook was more test-friendly for my use at the moment. I know you folks out there with Lotus Notes/Domino will laugh, but there’s finally support for multiple Exchange accounts (from multiple domains if you so desire). So in the same Outlook you can have both your company Exchange mail, and your personal Exchange mail. (Even though you might not be running Exchange at home, maybe you’ve signed up to some hosted Exchange service.) For some silly reason you must add extra Exchange accounts from the Control Panel while Outlook is not running – let’s hope they change that before RTM.

But this wouldn’t be complete if I didn’t touch upon any mobile related stuff would it? I showed some screenshots a couple of months back regarding what’s coming in Exchange 2010, and naturally this means there will be more features in Outlook 2010 as well. Going into the “Options” you’ll find something similar to this:
[screenshot]

Might not be that exciting, but could be practical for some people I guess. What’s better is that you can send text messages directly from Outlook too just like you would a new email. Now, I am aware that this is not new. This is available in Outlook 2007 as well, but since I’ve been using a plug-in provided by my mobile operator I haven’t taken the native support for a spin yet.

I tried to configure it natively since I assumed my plug-in might not be that happy about the 2010 version in a 64-bit variant.

Much to my dismay the wizard started out like this:
[screenshot]

And guess what – pretty much any country and operator you choose, you’re told you need to sign up to “SMSOfficer” or some other service. And I don’t feel like signing up for yet another account. (Just imagine this in an enterprise scenario.) Surely it must be possible to be your own provider…

Why yes it is, if you happen to be running Kannel! (You can’t have missed me mentioning that product a few times in the past few months if you’ve visited this site.) Outlook does not talk directly to Kannel, but since Outlook Mobile Service (or OMS for short) hasn’t changed much from Outlook 2007 it’s actually pretty well documented. The MSDN library is your friend: http://msdn.microsoft.com/en-us/library/bb277361.aspx

Building on the sample code provided I created a wrapper for Kannel. Basically you install a web service that Outlook can talk to, and this web service just relays the necessary bits to Kannel. I’m not going to bore you with all the details of setting this up, but you need to provide three methods:
– GetServiceInfo
– GetUserInfo
– DeliverXms

A bare minimum of code that will make this work:

using System.IO;
using System.Text;
using System.Web.Services;
using System.Xml;

namespace OMS
{
    /// <summary>
    /// Minimal Outlook Mobile Service (OMS) endpoint. Outlook calls the three
    /// web methods below and expects each to return an XML document (as a
    /// string) in the OMS namespace.
    /// </summary>
    [WebService(Namespace = "http://schemas.microsoft.com/office/Outlook/2006/OMS")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [System.ComponentModel.ToolboxItem(false)]
    public class Service1 : System.Web.Services.WebService
    {
        private const string m_sOmsNamespace = "http://schemas.microsoft.com/office/Outlook/2006/OMS";

        // Describes the provider to Outlook: display names, the endpoint URI,
        // the authentication scheme and the limits of the SMS_SENDER service.
        [WebMethod]
        public string GetServiceInfo()
        {
            StringWriter stringWriter = null;
            XmlTextWriter writer = null;
            try
            {
                stringWriter = new StringWriter(new StringBuilder());
                writer = new XmlTextWriter(stringWriter);

                writer.WriteStartElement("serviceInfo", m_sOmsNamespace);

                writer.WriteStartElement("serviceProvider");
                writer.WriteString("MobilityDojo.net");
                writer.WriteEndElement(); // </serviceProvider>

                // Must match the URL Outlook is configured with (and must be HTTPS).
                writer.WriteStartElement("serviceUri");
                writer.WriteString("https://localhost/OMS/Service1.asmx");
                writer.WriteEndElement(); // </serviceUri>

                writer.WriteStartElement("localName");
                writer.WriteString("MobilityDojo.net");
                writer.WriteEndElement(); // </localName>

                writer.WriteStartElement("englishName");
                writer.WriteString("MobilityDojo.net");
                writer.WriteEndElement(); // </englishName>

                writer.WriteStartElement("authenticationType");
                writer.WriteString("Other");
                writer.WriteEndElement(); // </authenticationType>

                // Capabilities of the SMS service: recipients per message, messages
                // per send, and single-/double-byte character limits per message.
                writer.WriteStartElement("supportedService");
                writer.WriteStartElement("SMS_SENDER");
                writer.WriteAttributeString("maxRecipientsPerMessage", "50");
                writer.WriteAttributeString("maxMessagesPerSend", "20");
                writer.WriteAttributeString("maxSbcsPerMessage", "140");
                writer.WriteAttributeString("maxDbcsPerMessage", "70");
                writer.WriteEndElement(); // </SMS_SENDER>
                writer.WriteEndElement(); // </supportedService>

                writer.WriteEndElement(); // </serviceInfo>

                // A StringWriter produces UTF-16, so the declaration says so.
                return "<?xml version=\"1.0\" encoding=\"utf-16\" ?>"
                    + stringWriter.GetStringBuilder().ToString();
            }
            finally
            {
                if (writer != null)
                    writer.Close();

                if (stringWriter != null)
                    stringWriter.Close();
            }
        }

        // Called with the user name Outlook was configured with. Returns the reply
        // phone number and SMTP address for that user; error code "ok" means success.
        // Hard-coded here; a real service would look the user up in AD/LDAP.
        [WebMethod]
        public string GetUserInfo(string xmsUser)
        {
            StringWriter stringWriter = null;
            XmlTextWriter writer = null;
            try
            {
                stringWriter = new StringWriter(new StringBuilder());
                writer = new XmlTextWriter(stringWriter);

                // Same namespace as serviceInfo.
                writer.WriteStartElement("userInfo", m_sOmsNamespace);

                writer.WriteStartElement("replyPhone");
                writer.WriteString("12345678");
                writer.WriteEndElement(); // </replyPhone>

                writer.WriteStartElement("smtpAddress");
                writer.WriteString("user@domain.com");
                writer.WriteEndElement(); // </smtpAddress>

                writer.WriteStartElement("error");
                writer.WriteAttributeString("code", "ok"); // return "ok" if no errors
                writer.WriteEndElement(); // </error>

                writer.WriteEndElement(); // </userInfo>

                return stringWriter.GetStringBuilder().ToString();
            }
            finally
            {
                if (writer != null)
                    writer.Close();

                if (stringWriter != null)
                    stringWriter.Close();
            }
        }

        // Receives the message Outlook wants sent, as an xmsData XML document.
        // Deliberately empty in this bare minimum; this is where the relay to
        // Kannel goes.
        [WebMethod]
        public string DeliverXms(string xmsData)
        {
            return "";
        }
    }
}

Keep in mind, you’d probably want to do some user authentication as well, and configure the proper “replyPhone” number by doing an AD/LDAP lookup. The DeliverXms method doesn’t really do much at the moment, but you could get away with an HTTP GET to Kannel there if you like. Previous posts include the necessary code.

It seems you’ll get an error if you try to host the web service over plain HTTP, so you’ll need to enable SSL as well.
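Here is what that DeliverXms relay could look like, as an added example rather than code from the original post. It assumes a Kannel smsbox listening on the sendsms port at localhost:13013 with a sendsms-user named outlook (both hypothetical), keeps a hypothetical in-memory table of the OMS credentials users typed into the Outlook wizard, and reads the xmsData document using the element names from the OMS schema linked above (userId, password, recipient, content). The response is an xmsResponse document with an error element; the non-“ok” codes used for failures are my own choice. Wire it in by having the web method return KannelRelay.Deliver(xmsData).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Xml;

namespace OMS
{
    // Added example: relays an OMS DeliverXms request to Kannel's sendsms HTTP interface.
    public static class KannelRelay
    {
        private const string OmsNs = "http://schemas.microsoft.com/office/Outlook/2006/OMS";

        // Assumed Kannel smsbox settings (sendsms-port / sendsms-user group in kannel.conf).
        private const string KannelSendSmsUrl = "http://localhost:13013/cgi-bin/sendsms";
        private const string KannelUser = "outlook";
        private const string KannelPassword = "change-me";

        // Hypothetical store of the credentials users typed into the OMS wizard.
        // Replace with an AD bind or a salted-hash table before going live.
        private static readonly Dictionary<string, string> OmsUsers =
            new Dictionary<string, string> { { "andreas", "s3cret" } };

        // Optional '+' followed by 6-15 digits. Anything else is rejected rather than
        // forwarded, so a crafted recipient cannot smuggle extra sendsms parameters.
        private static readonly Regex Msisdn = new Regex(@"^\+?\d{6,15}$");

        public static string Deliver(string xmsData)
        {
            XmlDocument doc = ParseXmsData(xmsData);
            var ns = new XmlNamespaceManager(doc.NameTable);
            ns.AddNamespace("oms", OmsNs);

            // xmsData carries the user's OMS credentials in the clear, which is why
            // this endpoint has to sit behind HTTPS.
            string user = Text(doc, "/oms:xmsData/oms:user/oms:userId", ns);
            string pass = Text(doc, "/oms:xmsData/oms:user/oms:password", ns);
            string expected;
            if (!OmsUsers.TryGetValue(user, out expected) || expected != pass)
                return Response("userPasswordError", "failure");

            string body = Text(doc, "/oms:xmsData/oms:xmsBody/oms:content", ns);
            XmlNodeList recipients = doc.SelectNodes("/oms:xmsData/oms:xmsHead/oms:to/oms:recipient", ns);
            foreach (XmlNode r in recipients)
            {
                string to = r.InnerText.Trim();
                if (!Msisdn.IsMatch(to))
                    return Response("invalidPhone", "failure");
                if (!SendViaKannel(to, body))
                    return Response("serviceUnavailable", "failure");
            }
            return Response("ok", "neutral");
        }

        public static XmlDocument ParseXmsData(string xmsData)
        {
            // Untrusted XML from the network: forbid DTDs and external entities so a
            // crafted document cannot read server files or reach internal hosts (XXE).
            var reader = new XmlTextReader(new StringReader(xmsData));
            reader.ProhibitDtd = true;
            reader.XmlResolver = null;
            var doc = new XmlDocument();
            doc.Load(reader);
            return doc;
        }

        private static string Text(XmlDocument doc, string xpath, XmlNamespaceManager ns)
        {
            XmlNode n = doc.SelectSingleNode(xpath, ns);
            return n == null ? "" : n.InnerText;
        }

        // Kannel answers "0: Accepted for delivery" or "3: Queued for later delivery" on success.
        private static bool SendViaKannel(string to, string text)
        {
            string url = KannelSendSmsUrl
                + "?username=" + HttpUtility.UrlEncode(KannelUser)
                + "&password=" + HttpUtility.UrlEncode(KannelPassword)
                + "&to=" + HttpUtility.UrlEncode(to)
                + "&text=" + HttpUtility.UrlEncode(text, Encoding.UTF8)
                + "&charset=UTF-8";
            try
            {
                var req = (HttpWebRequest)WebRequest.Create(url);
                req.Timeout = 10000;
                using (var resp = (HttpWebResponse)req.GetResponse())
                using (var sr = new StreamReader(resp.GetResponseStream()))
                {
                    string reply = sr.ReadToEnd();
                    return reply.StartsWith("0:") || reply.StartsWith("3:");
                }
            }
            catch (WebException)
            {
                return false; // smsbox down, wrong sendsms-user credentials, etc.
            }
        }

        private static string Response(string code, string severity)
        {
            var sb = new StringBuilder();
            using (var w = new XmlTextWriter(new StringWriter(sb)))
            {
                w.WriteStartElement("xmsResponse", OmsNs);
                w.WriteStartElement("error");
                w.WriteAttributeString("code", code);
                w.WriteAttributeString("severity", severity);
                w.WriteEndElement(); // </error>
                w.WriteEndElement(); // </xmsResponse>
            }
            return sb.ToString();
        }
    }
}
```

Two things worth keeping whatever else you change: the DTD and resolver settings, because xmsData is attacker-reachable XML for anyone who can talk to the endpoint, and the recipient check, because the number is pasted into a query string. The Kannel sendsms credentials travel in the URL and end up in Kannel’s access log, so keep smsbox on a trusted network and limit the sendsms-user to the web server’s address with user-allow-ip in its sendsms-user group.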

Type the details into the wizard:

[screenshot]

Hit “More Settings”, and make sure you like what you see. (Note: if you can bring up this dialog box it means Outlook reached your web service.)

[screenshot]

Et voilà; create a new text message (don’t you love the preview pane, and how it resembles anything but a Windows Mobile device):

[screenshot]

Microsoft doesn’t always get it right the way I define “right”, but you can do a lot by bringing your own utility belt to the table 🙂

I’ll keep playing with the CTP, and see if there’s more fun to be had. Windows 7 RTM hits TechNet/MSDN this week, and Windows Server 2008 R2 hits next week though, so I might have to do a couple of upgrades first mind you 🙂

Personal Certificates and Exchange ActiveSync

By now you might have been playing around with enrolling certificates on your own, either through use of my little utility or typing your own xml, or making your own utility for all I know. I mentioned previously that Exchange ActiveSync (EAS) was one candidate for doing something useful with a personal certificate. There are a couple of use cases for certificates relating to EAS:

  • Authentication to Exchange instead of username/password combo.
  • Encrypting messages.
  • Signing of messages.

Signing and encryption together are more commonly referred to as S/MIME.

We’ll start with authentication, which also happens to be a nice and tricky thing to research 🙂 I’ll make a few assumptions – I’m running Exchange 2007 SP1, but things should be similar on Exchange 2003. I’ve done my testing running Exchange on Windows Server 2008, but Server 2003 should behave similarly even though IIS7 has some differences from IIS6. Since ISA Server unleashes a troubleshooting scenario of its own with Kerberos Constrained Delegation I’ve left that out of scope for now. Actually the server side setup warrants a dedicated article so I’ll just assume you’ve got the server configured and working with client certificates. (Don’t know yet if I will provide my take on how to configure this, or if I’ll leave it to Google to provide reference material.)

Quick tip: To verify ActiveSync functionality (without involving a device) open up https://exchangeserver/Microsoft-Server-ActiveSync on your computer. You should be prompted for credentials and receive an error – “501 – Header values specify a method that is not implemented.” This works for both basic/integrated authentication and client certificates.

Microsoft also has a handy tool called “wfetch” that will allow you to skip the browser, and specify how you want to authenticate.
Link: https://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=…9210
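The same check in code, as an added example (not from the original post, and not Microsoft’s wfetch): a small .NET console program that presents a client certificate from a PFX file to the EAS virtual directory and reports what the server answered. The URL is the one from the tip above; the PFX path and password are command-line arguments and are assumptions of the example. A 501 after a successful TLS handshake is the result you want, since it means IIS let the certificate through and Exchange complained only about the GET verb.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: probe the EAS virtual directory with a client certificate.
public static class EasProbe
{
    // Returns the HTTP status the server answered with, or 0 if the TLS handshake
    // itself failed (for example the server did not trust the certificate's issuer).
    public static int Probe(string url, string pfxPath, string pfxPassword)
    {
        var cert = new X509Certificate2(pfxPath, pfxPassword);
        var req = (HttpWebRequest)WebRequest.Create(url);
        req.Method = "GET";
        req.ClientCertificates.Add(cert); // sent only if the server asks for one
        req.Timeout = 15000;
        try
        {
            using (var resp = (HttpWebResponse)req.GetResponse())
                return (int)resp.StatusCode;
        }
        catch (WebException ex)
        {
            // 4xx/5xx arrive as exceptions; the status is still on the response.
            var resp = ex.Response as HttpWebResponse;
            return resp == null ? 0 : (int)resp.StatusCode;
        }
    }

    public static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: EasProbe <client.pfx> <pfx-password>");
            return;
        }
        int status = Probe("https://exchangeserver/Microsoft-Server-ActiveSync", args[0], args[1]);
        switch (status)
        {
            case 501:
                Console.WriteLine("Certificate accepted; EAS answered 501 as expected.");
                break;
            case 401:
                Console.WriteLine("401: certificate not mapped to a user, or IIS fell back to another challenge.");
                break;
            case 403:
                Console.WriteLine("403: IIS requires a client certificate and did not accept this one.");
                break;
            case 0:
                Console.WriteLine("TLS handshake failed; check that the server trusts the issuing CA.");
                break;
            default:
                Console.WriteLine("Unexpected status " + status);
                break;
        }
    }
}
```

Run it once with a certificate you know is mapped and once with one that is not; if both return 501 the server is still accepting some other form of authentication and your “certificates only” configuration has not taken effect.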

Working out how to configure this using official Microsoft documentation is..well.. It didn’t give me every answer I wanted. Official documentation tells us two main things: you need to connect your device to ActiveSync/Windows Mobile Device Center to enroll for a certificate, and you need to perform the initial sync through the desktop as well. (Your computer also needs to be domain-joined, and you need to establish a partnership between desktop ActiveSync and device ActiveSync. It will not work in “Guest” mode.) And this procedure works, nothing wrong with that. But I think I’ve already touched upon the “Going Mobile” aspect of things before. I don’t like being tethered if I don’t have to. The problem is that when setting up ActiveSync on the device the wizard prompts you to enter a password, and the device is hard-wired to attempt basic authentication first. After doing that you should be informed that certificates are the preferred way to go, and that your computer will set this up for you. (A registry value called “EnrollForCertOnNextCradle” is flipped to 1.) This means that depending on how you configure the rest of your servers, (for instance the already mentioned ISA box), you might have to configure Exchange to accept both basic and certificate-based authentication.

I configured my Exchange to require client certificates, and to accept no other tokens of authentication. I then used my own utility to enroll a personal certificate. Since I could not configure ActiveSync through the wizard I wrote a configuration xml that I pushed through via RapiConfig.
Look up the Sync CSP on MSDN: http://msdn.microsoft.com/en-us/library/bb737700.aspx

Using only a minimum of configuration I applied the following provisioning document:

<wap-provisioningdoc>
  <characteristic type="Sync">
    <characteristic type="Connection">
      <parm name="Domain" value="MobilityDojo.net" />
      <parm name="Server" value="exchange" />
      <parm name="User" value="andreas" />
    </characteristic>
    <characteristic type="Mail">
      <parm name="Enabled" value="1" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

I omitted the password (since this is part of what we are trying to achieve), but I did type in the username. I haven’t tested what happens if you omit the username, but you should probably do some testing and establish a process as to how you handle this when rolling out for production use. This is all standard procedure for provisioning the settings from a server and should be doable. Here comes the undocumented part – under the ActiveSync registry key on the device HKCU\Software\Microsoft\ActiveSync\Partners\{GUID} are two registry values I provided with a value:

– EmailAddress – I configured this with my email address, which is also defined in my personal certificate. (I’m thinking there might be some match checking between the two.) You can have multiple addresses as long as you separate them with semi-colons.
– ClientAuthCertRequired – I set this to 1 (as in required) as opposed to the default of 0.

The part that makes this hard to pre-provision is that these two keys are found under the GUID unique to each ActiveSync partnership. And you can’t guess this GUID before you have provisioned the sync settings.

I then proceeded to fire up ActiveSync on the device. It said there was an Exchange partnership, but that it had never been synchronized. I hit “Sync”, and the “green wheel” started spinning. I was never prompted for a password, and didn’t get to choose a certificate to use either, but after churning away for a while the device stated everything was in place and working like it should.

Now there might be a “hidden” reason Microsoft states you cannot do this, and there might be a flaw in my approach, but it sure does seem nice to do it like this. I’ll admit though that Microsoft are correct in the sense that it did require some tweaks to get this working and it wasn’t exactly available out of the box. (I have heard the argument before that coding is cheating because then you can do “everything”. Maybe, but MSFT could have provided some pointers even if it requires some legwork on your own.) If you are enrolling on the order of 10-20 devices you’re probably better off using the cradling procedure, unless you have a special interest in doing it differently. This doesn’t pay off until you have enough devices to justify configuring and testing provisioning XML, writing utilities, etc.

The manual tweaks, yes… Allow me to elaborate on that part. It doesn’t seem very accessible the way I just described it. You probably don’t want to do the whole XML thing for anything other than testing anyway. Your MDM solution of choice should provide you with options for setting things like server name, domain, etc. It’s probably not much effort to make it set ClientAuthCertRequired to 1 either. Setting user name and email address may or may not be supported depending on the scripting capabilities available to you. The approach I might be taking is to extend the certificate enroller utility I posted two weeks ago. I haven’t worked out the details for that however, so for the moment I don’t have a new release available, and I’m not making any promises either 🙂 If you’re comfortable with Visual Studio you should be able to work it out though based on the bits I’ve provided in the sections above.
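As an added example of what such an extension could look like (my code, not the author’s utility), here is a .NET Compact Framework routine that runs on the device: it applies the Sync CSP document from above through DMProcessConfigXML in aygshell.dll (the on-device counterpart of RapiConfig), then compares the Partners subkeys before and after to find the GUID the new partnership got, and sets EmailAddress and ClientAuthCertRequired under it. It assumes, as the post reports, that applying the document creates the Partners\{GUID} key; the server, domain, user and address values are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using Microsoft.Win32;

// Added example (.NET Compact Framework, runs on the device): provision the
// Exchange partnership and then set the two undocumented per-partnership values.
public static class EasCertProvisioner
{
    // HRESULT DMProcessConfigXML(LPCWSTR pszWXMLin, DWORD dwFlags, LPWSTR* ppszwXMLout)
    [DllImport("aygshell.dll", CharSet = CharSet.Unicode)]
    private static extern int DMProcessConfigXML(string xmlIn, uint flags, out IntPtr xmlOut);

    private const uint CFGFLAG_PROCESS = 1;
    private const string PartnersKey = @"Software\Microsoft\ActiveSync\Partners";

    // Returns the GUID of the partnership that was created.
    public static string Provision(string server, string domain, string user, string emailAddresses)
    {
        // Snapshot existing partnerships so the new GUID can be told apart afterwards;
        // this sidesteps the "you can't guess the GUID" problem described in the post.
        var before = new List<string>(PartnerGuids());

        // Same document as in the post, without a Password parm.
        string doc =
            "<wap-provisioningdoc>" +
            "<characteristic type=\"Sync\">" +
            "<characteristic type=\"Connection\">" +
            "<parm name=\"Domain\" value=\"" + Escape(domain) + "\" />" +
            "<parm name=\"Server\" value=\"" + Escape(server) + "\" />" +
            "<parm name=\"User\" value=\"" + Escape(user) + "\" />" +
            "</characteristic>" +
            "<characteristic type=\"Mail\"><parm name=\"Enabled\" value=\"1\" /></characteristic>" +
            "</characteristic>" +
            "</wap-provisioningdoc>";

        IntPtr outXml;
        int hr = DMProcessConfigXML(doc, CFGFLAG_PROCESS, out outXml);
        // The result document is only useful for diagnostics here. Its buffer is
        // documented as freed with delete[], which managed code cannot call; for a
        // one-shot enrollment utility that single small leak is accepted.
        string result = outXml == IntPtr.Zero ? "" : Marshal.PtrToStringUni(outXml);
        if (hr != 0)
            throw new InvalidOperationException(
                "DMProcessConfigXML failed: 0x" + hr.ToString("X8") + " " + result);

        string newGuid = null;
        foreach (string g in PartnerGuids())
            if (!before.Contains(g)) newGuid = g;
        if (newGuid == null)
            throw new InvalidOperationException("No new ActiveSync partnership found");

        // The two values the post describes: EmailAddress (semicolon-separated,
        // should match the address in the personal certificate) and
        // ClientAuthCertRequired = 1 so the device authenticates with the certificate.
        using (RegistryKey k = Registry.CurrentUser.OpenSubKey(PartnersKey + "\\" + newGuid, true))
        {
            k.SetValue("EmailAddress", emailAddresses, RegistryValueKind.String);
            k.SetValue("ClientAuthCertRequired", 1, RegistryValueKind.DWord);
        }
        return newGuid;
    }

    private static IEnumerable<string> PartnerGuids()
    {
        using (RegistryKey k = Registry.CurrentUser.OpenSubKey(PartnersKey))
            return k == null ? new string[0] : k.GetSubKeyNames();
    }

    // Minimal XML attribute escaping for the values pasted into the document.
    private static string Escape(string s)
    {
        return s.Replace("&", "&amp;").Replace("<", "&lt;")
                .Replace(">", "&gt;").Replace("\"", "&quot;");
    }

    public static void Main()
    {
        // Placeholder values; in the enroller utility these would come from the
        // enrolled certificate and whatever directory lookup you already do.
        string guid = Provision("exchange", "MobilityDojo.net", "andreas", "andreas@mobilitydojo.net");
        Console.WriteLine("Configured partnership " + guid);
    }
}
```

The Sync CSP is a privileged setting, so on a two-tier device the executable needs Manager privileges (signed with a privileged certificate, or a relaxed security policy); otherwise DMProcessConfigXML returns an error and nothing is written. Also, since the post suspects the address is checked against the certificate, pass in the e-mail address the certificate was issued with rather than a free-text value.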

I’ll only briefly touch upon signing and encryption of messages. You cannot configure this before completing the first sync, primarily because it requires Exchange 2007 SP1 on the server side, so the device needs to “negotiate” the capabilities before enabling it. The user then gets a new option in his mail configuration, since he has a certificate on the device, to sign and encrypt individual messages. Or you as the MDM admin can configure that one or both of these is always required for sending a message. There are already policies/settings for managing this in SCMDM, and most likely other MDM platforms handle this equally well. But then you have to choose signing and encryption algorithms and everything. You’re probably just as well off looking up the official documentation on this topic, and making your own decisions:
http://msdn.microsoft.com/en-us/library/bb737380.aspx

I don’t know about you, but I think things are starting to shape up now, and we’re getting somewhere with the whole personal certificates concept 🙂

Windows Mobile In Your Server Room

Every once in a while something neat comes along. Microsoft just released Beta 2 of ForeFront TMG – or the next version of ISA Server as it’s also known. There’s still the “old” features of ISA acting as a firewall and router in addition to some new features, and integrating itself in the ForeFront family of products. Hey, you can learn a lot more about it if you visit Microsoft TechNet if you’re interested in the sales pitch 🙂

One feature in particular that I had to try out in this release is “ISP Redundancy” which lets you have two WAN interfaces, that can be configured as either a load-balancer or for failover purposes. So? We’ve had products like that for a long time. Nothing new here… Well, I realize that it’s not like they invented the wheel or anything, but it’s nice to avoid having another box in front to add redundancy. And for those of us who primarily depend on an ISA box at the edge in some of our scenarios it adds an extra touch 🙂 (Don’t you hate it when the connection to your ISP drops when you’re sitting in the couch watching YouTube…)

Now obviously we need another pipe to the Internet for this to work, and what’s better suited than your preferred mobile broadband connection as a backup link 🙂 From Windows Mobile 6.0 onwards “Internet Sharing” has been a component that lets you easily connect your laptop (or desktop) whenever you are on the go. The beautiful thing about it is that the connection registers itself as a network interface on your computer and acts as a NAT router.

So, here we go:
Device setup
– I tether my device to my computer via USB.
– Fire up “Internet Sharing” on the device, and “Connect”. (Note: you must have an internet connection configured on your device before you can connect.)
– The drivers should install themselves on your computer provided you have Windows Mobile Device Center (on Vista & Server 2008), and a new network interface should appear as well.
– Your device should now show as “Not Connected” in WMDC.
[screenshot]

Hyper-V Setup
I’m running ForeFront TMG Beta 2 on a virtual Windows Server 2008 x64, so I have to configure a new network in Hyper-V.
[screenshot]

Add another NIC to this particular virtual server.
[screenshot]

A new NIC appears on my ForeFront Server (yes, I renamed the connection).
[screenshot]

If we check the settings we see that DHCP is automatically enabled and working.
[screenshot]

The release notes for ForeFront state that only one of the interfaces used in a redundancy setup should have a default gateway defined. I have DHCP on both of my WAN interfaces in this lab, but decided to try it out in spite of this. If required it’s probably not a problem to reconfigure it to a static IP in the same range. (I don’t know if there’s a setting specifying which range the device provides.) I got a few errors regarding IP address conflicts that might be related to this, but things were still working.

ForeFront TMG Setup
Start up the ForeFront console. Choose “Networking” in the left-hand pane, and you should have an “ISP Redundancy” tab in the right pane.
[screenshot]

Go through the “Configure ISP Redundancy” wizard:
[screenshot]

You can choose whether you want failover or load-balancing. If you load-balance you can direct specific traffic through a specific link as well. We’ll choose the failover scenario.
[screenshot]

Choose your first interface. You get options to set the IP manually, select the adapter, and choose how link state is determined. This connection is the one we have through our network cable – also known as the one that serves up at least a couple of megabits.
[screenshot]

Then we add our super-speedy HSDPA interface.
[screenshot]

We’ll specify DSL_WAN as our primary link.
[screenshot]

Looks good so we hit “Finish”.
[screenshot]

We’re apparently up and running with the failover.
[screenshot]

I’m not able to yank the cable out of a virtual server, so to simulate this I disable the interface. I don’t know how quickly things update themselves, but when refreshing the interface we see that the failover has occurred.
[screenshot]

If you want to force things you can run through the configuration steps again, and specifically mark a connection as active/disabled.

There are a few points to be aware of at this point however:
– ForeFront TMG is still a beta product, and although it seems to be stable there’s probably a bug or two left still.
– The release notes state that this feature should only be used in non-production environments. There might be a reason why this is stated explicitly.
– There doesn’t appear to be a failback option. I had some issues getting it to bring back the primary link. (Could also be related to the DHCP stuff.)
– I don’t know how long the WM device is able to keep “Internet Sharing” working, or if it might time out.
– Make sure you have a good data plan with your mobile operator 🙂

I am fully aware that this solution cannot compete with “real” redundancy, and that HSDPA might not bring excessive surfing speed. But it’s a really cool thing to do with Windows Mobile nonetheless if you ask me 🙂