Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu


Getting OMA to work with SBS Premium and WM 5.0


Being that I am on vacation, I just had to take a break from all the relaxing and get my new K-JAM/QTek 9100 to connect to OMA on my SBS server. These devices have not been out very long and run the latest version of Windows Mobile (née Windows CE), version 5.0. Nick, one of the SBS MVPs, has been doing some great work getting Exchange Active Sync (EAS) and Outlook Mobile Access (OMA) to work on his K-JAM, so I thought I'd easily get mine to work. In case you do not know, EAS is that really cool thing that lets you sync your Windows SmartPhone or Phone Edition device with Exchange using Pocket Outlook. OMA (originally called OMA Browse) is a web site that allows any WAP device to browse e-mail in a text-based interface more than a little reminiscent of Gopher.

To start with, I was having problems connecting to OMA altogether, which led me to rerun CEICW, which deleted the publishing cert, which broke ISA, which broke all the web sites, which I fixed by re-running CEICW again, which now allowed the default web site to work, which allowed me to fix OMA by adding the host name to the host header on the site, which then allowed me to get the rest of the sites up and running.

Let's take that slowly. Oddly enough, Nick's experiences are slightly different than mine. First, I can't use EAS since Windows Mobile still can sync only with one Exchange server and I already need it to sync with the Microsoft corporate Exchange server. OMA I can use off my own Exchange server though. I was even able to get it to work, eventually.

The core problem was that I am too cheap (or maybe not highly paid enough) to go buy a cert, so I let Small Business Server generate one. Now, according to Nick, that is not supposed to work. And it didn't, at first. The Windows Mobile team made the devices trust only the built-in certs, and then made it devilishly difficult to add new trusted root certs to the devices. It turns out there are a number of things you need to do to get the device to accept the self-signed certs.

1. Configure the OMA hosting web site with a host header that holds the hostname of the system hosting it

2. Re-run the Configure E-mail and Internet Connection Wizard (CEICW) to publish OMA

3. Re-add the rule in ISA that allowed all the other sites to be published. When I ran CEICW, it decided I really did not want to publish any of the non-SBS sites that were hosted on this server

4. Open MMC and add the Certificate Manager snapin for this computer (the SBS computer)

5. Export the public keys (not the private keys) for the two certs used by SBS (one is called "publishing.<hostname>" and the other is the name of your external web server). Save them as .cer files.

6. Download those certs to the Windows Mobile device. Put them somewhere you can find them, like on a storage card

7. Run File Explorer and run the .cer files. The Windows Mobile team post talks about having to use the certinst.exe tool (located in the Windows directory on the device), but on my K-JAM .cer files are already linked to that executable.
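
Before copying the exported files to the device in steps 5 and 6, it is worth confirming that each one is a bare certificate and noting its thumbprint. The following is an added example, not part of the original post: it rejects files that carry private key material, then computes the SHA-1 thumbprint for comparison with the Thumbprint field in the certificate's details on the SBS server. The function names and sample bytes are constructed for illustration; the samples are DER stand-ins, not real certificates.

```python
import hashlib
import ssl

# Constructed stand-ins (not real certificates): only the outer DER shape matters here.
SAMPLE_DER = bytes.fromhex("30053003020102")   # SEQUENCE { SEQUENCE {...} } like X.509
SAMPLE_PFX_LIKE = bytes.fromhex("3003020103")  # SEQUENCE { INTEGER 3 ... } like PKCS#12


def _der_len(data, pos):
    """Return (content length, content offset) of the DER element at pos."""
    first = data[pos + 1]
    if first < 0x80:
        return first, pos + 2
    n = first & 0x7F
    return int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def inspect_cer(data):
    """Return the thumbprints of an exported certificate file, or raise
    ValueError if the file is not a bare certificate."""
    if b"PRIVATE KEY-----" in data:
        raise ValueError("file contains a PEM private key")
    encoding = "DER"
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        encoding = "PEM"  # the "Base-64 encoded X.509 (.CER)" export option
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    if len(data) < 4 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, body = _der_len(data, 0)
    if length == 0 or body + length != len(data):
        raise ValueError("length mismatch or trailing data")
    if data[body] == 0x02:
        raise ValueError("looks like PKCS#12 (.pfx), which can carry a private key")
    if data[body] != 0x30:
        raise ValueError("not an X.509 certificate")
    # Windows shows the SHA-1 of the DER bytes as the certificate's Thumbprint.
    return {"encoding": encoding,
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper()}


if __name__ == "__main__":
    print(inspect_cer(SAMPLE_DER))
```

To check a real export, pass the file's bytes, for example `inspect_cer(open(path, "rb").read())`, where `path` is wherever you saved the .cer file.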

At this point we have OMA working on the device, with one exception. It will not work if it is on the internal network inside the SBS Server. The reason is that SBS Premium sets up ISA as a proxy server on port 8080, even for SSL. The device will try to connect to OMA over 443, which will generate a RST (TCP Reset) as soon as you connect and the device sends the first request. If you use http instead of https, it will work. Basically, to fix this you have to set up a proxy server on the device. My preferred option is to use GPRS to access OMA. It was painful enough to set this up to start with. However, if you want to use the proxy approach you need to go to the Settings option, Connections tab, Connections icon, then Add a proxy server. Keep in mind that as soon as you leave the home network you will need to go back in there and turn off the proxy.
