TechAgility

Thanks to Gears at CoolSmartPhone, I’ve worked through the details of their post and it does exactly what it says on the tin.

So, if like me you have issues with the infrastructure and/or security concerns that are stopping you from deploying this at your office, then try this as an alternative by having your emails forwarded. It’s not ideal, but it is a guaranteed way of being able to demonstrate to your colleagues how good MS Push Email is and how very much like the Blackberry Service it is in reality and getting the all important "buy-in".

Just watch the managers faces when you can demonstrate this, and then explain how it works, they’ll be on the IT Admin’s case before very long and helping you get things in motion.

One thing to be mindful of though is that it *appears* as if the Scheduling for ActiveSync is taken from the time of the Server - NOT the client? (I’d be grateful if someone else could confirm or deny?) and this service would appear to be based in the US - so keep an eye out for that? 

Fantastic, Thanks Gears.
UPDATE - A mate of mine Dave tried this and had it working in 35 minutes, the hardest part was typing in the Phone!

written by dcaddick

I found a colleague at work with a new O2 Xda mini was having the same issues as I was a month ago with my Orange C600 in trying to add a ROOT Certificate to the WM5 device once you have upgraded to the MSFP/AKU2 standard and now found that it has upgraded your security to higher a level.

For disabling handset Security on Orange SmartPhones visit this Link, but be aware that if you have the C600 you will have to submit a request via email and await a reply with the security tool that will be “hand-crafted” to your IMEI number.

So in an effort to help him and others I have compiled this post, please let me know if it helps or hinders?

Thanks ;-))

Here is an FAQ from MS explaining why the issue exists:

Q: What is required to install a new certificate to the ROOT store?
A: Adding ROOT certificates currently requires trusted code or manager access. On most Pocket PC devices this won’t be a problem, but some Smartphone devices are deployed in a restricted configuration where this will be a problem.

Q: Okay, I have a restricted Smartphone device. What are my options for getting a root certificate on there?
A: In the general case, you will need a signed certificate installer. Some operators provide this tool. There’s a more in-depth discussion of this issue at the blog post here.

Q: Does Windows Mobile support wildcard certificates?
A: Not in the current versions.

Q: Does the certchk tool work for disabling SSL validation for Exchange ActiveSync?
A: Not on Windows Mobile 5.0 devices. There is currently no workaround for this beyond adding the root certificate as described above, or disabling SSL altogether.

Next, if you are looking for a resolution to SP5 have a look at the second post here at MoDaCo by Sidsmut, this is pretty good effort.

1. Go to http://www.modaco.com/INFO_Decert_SIM_Unlo…50-t222786.html.
2. Download the HTC-signed “regeditSTG.zip” and move it to your smartphone.
IMPORTANT: Put it on the phone, not on a memory card - this was my first
sticking point.
3. Extract the zip file using Explorer on the device (if it’s a WM5 device).
4. Run the Regedit exe and follow the instructions on the page above for
registry changes to make. It was also suggested by a Microsofty a few posts
down to change 00001017 (4119) to 144 (in the same part of the registry),
although I’m not sure what each entry does. I did all three.
5. Download SDA_ApplicationUnlock.exe from
http://www.modaco.com/Motorola_MPx220_and_…0_app_locked...,
connect the device, run this app, click “Unlock” or whatever, then restart
the device.
6. Export the root certificate from the Certificate Authority in your domain
(in DER format), copy it to the phone (again NOT the memory card) and simply
run it from Explorer. Bob’s yer uncle.
In case you don’t know how to export the root cert, follow these
instructions:
1. Run MMC on the CA server.
2. File, Add/Remove Snap-in.
3. Add… select Certification Authority, and select Local Computer.
4. Finish, Close, OK.
5. In MMC, right-click the CA, select Properties. View Certificate, go to
Details tab, select Copy to File…
6. Next, make sure DER encoded binary is selected, Next, put something like
“c:\rootcert”.
7. Finish and you’re done. Copy it to the phone, run it and you’re done.

Comments from MS Windows Mobile Team Blog:
Adding Root Certificates for Exchange Activesync

How can I add root certs to my Windows Mobile 5.0 device?

In WM 5.0, the certchk tool no longer works for disabling SSL certificate verification on the Exchange ActiveSync connection. What are the options for secure connections to the server?

- Buy a SSL certificate from a major vendor. You should be able to get one for < $100. If you do this, the connections will just work. Launchpad page to find a SSL cert vendor here.

- If you have management access to the device, you can add your self-signed cert to the ROOT store directly via rapiconfig, a CAB file, or the certinst.exe tool. This depends on the security configuration of the device. On a Pocket PC in the default configuration this will be possible, but on a default Smartphone, you cannot. In some cases you will need to add the intermediate certs as well. (details)

- Some OEMs or mobile operators provide certificate installers for their platform.

Another Post from the Windows Mobile Team Blog
Adding SSL Certificates 201

Advanced issues you might run into when trying to add your own SSL certificates to the device for browsing or Exchange ActiveSync. (summary and discussion of the core problem here)

Some servers do not send down the entire certificate chain at the beginning of the SSL session. This is a configuration option on the server. Windows Mobile 5.0 devices do not have the ability to dynamically get the intermediate certificates. (big Windows can do this) A symptom of this is that you have added the root certificate for your site, but the browser on the device still isn’t recognizing the certificate. To make this scenario work, you need to grab the intermediate certs (every cert except the first and the last) and add them to the device using the XML method previously discussed on this blog. When creating the XML for the intermediate certs, change the certificate store in the XML from “ROOT” to “CA”. Another way to figure out if you have this problem is to check out the site in Firefox. Firefox doesn’t chase down the intermediate certs either, so if it complains about the SSL connection then you probably have this problem.

The browser and the sync client use the same underlying APIs for SSL connections, so if the browser can make a secure connection to your site without prompting that the SSL connection is bad, then SSL is not the problem. It’s easiest to use this method to isolate any SSL problems - once the browser can connect to your server then move on to troubleshooting the sync connection. (check Exchange server logs, etc.)

Alert - Security permission was insufficient to update your device
from Bernt Lervik
If you’re like me and just got out and bought the new i-mate SP5 (or QTek 8310) getting it up and synchronizing with Exchange 2003 sort of fails when you try to install a (private) root certificate.

This is because the default security settings on the SP5 prohibits such an action. Now, personally I’m all in favour of security, but if I can’t install my own root certificate, how on earth will I get my phone to synchronize?

Here is how:
1) Download regeditSTG.zip (24.01 KB) (or from Modaco.com regedtSTG.zip where I found it myself), this is a freeware registry editor made by PHM but digitaly signed by HTC (the actual hardware maker behind the SP5 model).
2) Copy the zip file (don’t unpack it) over to your phone using ActiveSync (or an SD card if you have that)
3) Unzip the file through the SP5s own File Explorer. If you unpack this file on your computer first, copying it over to your phone through ActiveSync will fail.
4) Start regeditSTG and navigate to the hive key HKLM\Security\Policies\Policies
5) Change the following three registry keys (hint: hit Values first)
a. 00001001 to 1 (was 2)
b. 00001005 to 40 (was 16)
c. 00001017 to 144 (was 128)
6) You can now doubleclick your .cer certificate. The import will now silently succeed
7) To make sure that is worked, go to Start – Settings – Security – Certificates – Root – Moore and verify that your root certificate is installed
Optional, you can now set the registry back to it’s original settings, this will prevent future certificates to be installed but we want that don’t we, mr EveryoneFullControl?

Edit:
Added regeditSTG.zip as direct download from my page. Kept the original link to Modaco as well

The way I figure it is that if you’ve got this far - you’re desperate right? so if you have US based Smartphones you may find these Registry tools will let you in?

From MS’s How to add root certificates to Windows Mobile 2003 Smartphone and to Windows Mobile 2002 Smartphone

These downloads were designed for earlier versions, but as they are *Security Signed and Certificated* Applications from the Carrier, the likelyhood is that they should work?

Verizon Smartphones

Microsoft has worked with VerizonWireless to create a signed version of the SPAddCert.exe utility to run on VerizonWireless Windows Mobile Smartphones. Download the VZW_SPAddCert.exe file.

Sprint Smartphones

Microsoft has worked with Sprint PCS to create a signed version of this SPAddCert.exe utility to run on Sprint PCS Windows Mobile 2003 SmartPhones. To download the SPCS_signed_SPAddCert.exe file.

Microsoft has worked with Sprint to create a signed version of this SPAddCert.exe utility to run on Sprint iDEN Windows Mobile 2003 SmartPhones. To download the SprintIden_signed_SPAddCert.exe file.

Failing all of this you could always resort to hacking the WM5 device? Advice available here:Hacking your Windows Mobile 5.0 Registry
Devin Ganger at 3Sharp blogged about the inability to add Root SSL certificates on some WM 5.0 devices, which is true. What isn’t mentioned much of anywhere (you have to look around pretty hard) is that you actually can still disable Certificate Checking - you just can’t use the old DisableCertChk tool from Windows Mobile 2003. Microsoft doesn’t recommend this, but it’s a necessary evil in some situations. Two that I can think of are:
1. Your company uses a Wildcard SSL Certificate. (i.e. *.company.com). Windows Mobile 5.0 (or any other version for that matter) does NOT support wildcard certs. Why, I’m not sure, but it doesn’t.
2. You have a manufacturer locked device that prevents you from adding additional Root Certificates. Again, WHY a manufacturer would prevent folks from adding additional root certificates is beyond me, but it happens.

Now as this is an old post of mine that I am porting across from a previous site AND it has had 18,000 hits I thought it might be useful to add the the previous Feedback

Feedback

# re: Comprehensive guide to Adding ROOT Certificates to WM5 Devices like C600, O2’s Xda mini, iMate SP5, HTC Typhoon, HTC Wizard, etc. 6/17/2006 6:07 AM PEM

Excellent comments. Open and direct. Good advice.
Remove Comment 82158

# Windows Mobile devices and SSL Certificates 7/20/2006 7:25 PM Joel Stidley’s blog
One of the frustrating things is that Windows Mobile 5 no longer allows you to use the DisableCertChk…
Remove Comment 85848

# re: Comprehensive guide to Adding ROOT Certificates to WM5 Devices like C600, O2’s Xda mini, iMate SP5, HTC Typhoon, HTC Wizard, etc. 11/28/2006 8:46 PM whitey

I have tried all of the above suggestions and none of them work for my WM5 Verizon Treo 700. I have even tried setting the secure flag to zero as discussed in other pages on this topic.
Remove Comment 99363

# re: Comprehensive guide to Adding ROOT Certificates to WM5 Devices like C600, O2’s Xda mini, iMate SP5, HTC Typhoon, HTC Wizard, 5/6/2007 6:57 AM Chad

The process to deploy the self signed or corporate certificate authority certs are horrible. So we built something better:
http://www.digitallabs.net/mcb
This will take your root cert from your desktop’s certificate store, massage it to the right format, build the cab files, and even build a standalone .exe installer for your users to run themselves.
The standalone runs on the desktop, connects to the handheld, moves the cab to the handheld, and installs it all automatically.
Remove Comment 116867

# you can import certs without registry hacks 8/30/2007 9:05 PM wizdude

after a lot of searching, i managed to find a better solution to importing root certificates onto my windows mobile 5 device.
http://blogs.msdn.com/windowsmobile/archive/2006/01/28/making_a_root_cert_cab_file.aspx

the technique described above shows you how to incorporate a root key into an XML file and then roll it into a CAB which can be installed onto the mobile device. no additional utils required. the makecab utility is included with windows.
cheers, wizdude
Remove Comment 142590

written by dcaddick

Update - I got a note from Stefan Vermeulen at http://www.printingsupport.com regarding some info from Brian Madden’s forum and have posted it in the Comments - this includes the Registry tweak to increase the buffer to 16Mb per session.

I’ve been asked about multi-monitor support for Citrix ICA Sessions twice in the last week or so from two different sources so I thought it useful to pop this in as a post?

Using Multiple Monitors with Seamless Windows

Seamless Windows Problem with NVidia Dual Screen Client

But this should give a very clear idea on what is possible? As you can see Dual Screens is really only the starting point?

Graphical Display Issues with One or More Monitors

A variety of issues surrounding the graphical display on the client device can be a result of memory setting per ICA session.

The maximum memory allowed for use as a buffer by each client connection on a MetaFrame server is 7,680,000 bytes. This maximum is a limit to the operating system and is not configurable. Up to the maximum amount of memory can be set in the Citrix Management Console at the farm or server level, but this also can be application-dependent. When the memory limit is exceeded in a seamless connection, the session is displayed in a fixed window with scroll bars. Seamless mode factors in the entire resolution of all monitors in a multi-monitor configuration. This chart shows various combinations of color and resolutions with various numbers of monitors and the amount of memory required for the ICA session.

Don’t forget that this is a maximum limit "per session" and ICA will always try to utilize "session sharing" where ever possible to limit the number of licences consumed, so if you are trying to run two large display applications in Seamless mode - and they are sharing the session - then you will have to add together the memory required for each application and ensure that it doesn’t exceed the max. 

posted on Wednesday, April 12, 2006 6:18 AM

Feedback

# re: Multi-monitor support for Citrix ICA Sessions - dual screens and the like 4/15/2006 11:30 PM Stefan Vermeulen

Here is a quote from a post from Claudio overruling the 8mb limit on a 2k machine:
http://www.brianmadden.com/forum/tm.aspx?m=12743
Not sure if it’s stull there today and if the total limit is still 16mb.
Remove Comment 75282

# re: Multi-monitor support for Citrix ICA Sessions - dual screens and the like 4/16/2006 5:35 AM Dave Caddick

Thanks Stefan, I’ll post that here as well just in case others find it useful?
Here’s a story from Cláudio he once posted somewhere on how he did so you can use it for your own basis:
I have no idea if it is already fixed on Windows 2003 as none of my monitors can handle such resolutions.
And I have only one monitor so I cannot even try multi-monitor setups.
Although Citrix may allow you to do this, it is still limited on the resolution, color and number of sessions. This means a certain number
(memory allocated to the client) has a maximum value. What means the more resolution you have, you will not be able to have as many sessions as you want in high color for example.
More information:
"Citrix says with there Metaframe for W2k and ‘Feature Release 1′ upgrade, you can support ‘multiple monitors’ and ‘greater colour resolution’. in actuality, the correct word is OR not AND ! Which means it can support 8 screens but only in 2-bit colour mode OR 1 screen at 16 million colours. The reason is due to the amount of memory that Citrix reserves for the video memory for the client.
By default, it is exactly 7680000, which is the maximum value the Citrix utility, "TWConfig", will accept. Now this value is out of 16Mb of total client session memory space. However, running the minimum 3 monitors for the traders at 16-bit requires 7,864,320 bytes, which is 184320 more than the default. So, we asked Citrix why their stuff didn’t work. Finally after almost 2 months of playing email tag, they came back with a Registry entry change.
Here is what they sent us:
Win2k has a session pool limit of 16MB. The ICA pseudo frame buffer comes out of this session pool, and the maximum size of the frame buffer is specified by the registry value:
HKLM\System\Current Control Set\Control\TerminalServer\Wds\icawd\thin16\MaxLVBMem
The MaxLVBMem value specifies (in bytes) the maximum memory that thinwire will allocate for the frame buffer.
It can be modified using twconfig.exe; however, twconfig will not let you specify a value larger than 7680000 bytes.
The remaining 8.4 MB is taken up by other things that we have little or no control over (e.g. GDI itself, printer drivers, etc.).
Microsoft will not modify the 16 mb session limit before WHISTLER. Now, what we found out is that this key can be modified to other values. So when we need to support 4 monitors, we calculated the required memory in bytes (1280 x 1024 x 2 words (or 16-bit) x 4 monitors) and this equals 10,485,760. So, this was the value we entered into this key. And it worked. So, keep this in mind."
As I said it may be fixed with Windows 2003 but I could not try. Microsoft, if they read this post, can shed some light on this.
Cláudio Rodrigues, MVP
Windows 2000/NT Server
Terminal Services
Remove Comment 75291

written by dcaddick

So Microsoft has posted this article for those who want to deploy Push email but this is interesting that I’ve noticed this today almost immediately after going through an online discussion with some of the security team at my end that has seen us decide (read - me capitulate under overwhelming numbers??) to try using Nokia’s Intellisync to achieve push email.

OK, I’m gutted, and not just because I’ve spent so much spare time over the last 9 months or so trying to line this up but the reality of it is that some stage I have to liaise with the security team to establish the path that is to be traversed by the Mobile Devices to connect with the Exchange Server.

Now I’m sure that in some ways we are almost indicative of most of the small to medium companies out there in that I’m trying to get this working around a single Checkpoint Firewall and talk to a single Exchange Server without upsetting the present Production System.

So this is what I’ve come up with so far, and I hope it’s useful for others? Essentially what I have done is talk this through with Jason Langridge as to the most secure method of deploying the push email while trying to work within what is going to be the typical constraints of a production environment - if you have any questions please drop me a line?

Cheers, Dave

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Existing:
What makes this somewhat tricky is that we only have the one Exchange Server, and that also does justice for the Regular Outlook Clients, OWA, OMA and ActiveSync as it stands today and whatever changes we introduce will have to be done in such a way as to cause no impact what so ever on the normal Production System?

So what I’m trying to do here is *introduce* ActiveSync Push as securely as possible without it impacting the regular OWA.

Separate the Production Exchange usage from the new ActiveSync?
Given this constraint - what I am proposing is to create an additional Virtual Folder/Server on the IIS component of the Exchange 2003 server for the ActiveSync to point at (this could be called EAS? for Exchange ActiveSync?) This way we could leave the existing OWA setup as it is, and create a separate and independent FW rule for the new ActiveSync?

Allowing ActiveSync Securely:
After a healthy discussion with Jason at MS (who deals primarily with the Mobility side of things) I believe I have managed to understand the possible scenarios of how we could implement Active Sync for Push email.

The options are:

• Continue to use FW-1 as it is - create a rule allowing direct ActiveSync traffic thru to the Exchange (new Virtual Server?) - BUT only allowing Certificate based Authentication.
• Use ISA 2004 - with User Authentication on/from the device (no Certificate based Authentication is possibly from this)
• Use ISA 2006 - with Certificate based Authentication

My understanding of why it’s preferable to use ISA is that it enables far greater control over checking the ActiveSync traffic is what it says it is before allowing to even be passed to the Exchange Server, as well as:

• SSL to SSL bridging (SSL termination)
• Advanced HTTP Security Filtering
• OWA/OMA/ActiveSync wizards that create secure publishing rule by default
• Secure Exchange RPC filtering

However the limitation with ISA 2004 is that you cannot combine this with Certificate Based Authentication for the devices. This is something that our Admin would like to implement as an additional layer of security and control, as well as making Administration easier. With the release of ISA 2006 there is much more support for Certificates in general, as well as allowing Certificate Based Authentication when using ActiveSync to connect to Exchange.

Appendix:
Microsoft Exchange Server ActiveSync Certificate-Based Authentication Tool
Creating additional Virtual Servers on Exchange:
Microsoft Exchange Team Blog article
Securing Exchange Server 2003 & Outlook Web Access: Chapter 5 on MSExchange.org
MS Exchange Blog - OWA and multiple SMTP domains

written by dcaddick

If anyone is contemplating applying R01 for Presentation Server 4 you might want to just check this out beforehand? This has been found at a Customers Site by one of our Consultants and he has confirmed this by duplicating it in a VMware environment.

Issue:
Java client through CSG with Session reliability turned on only works if the STA is on a Citrix PS4 server which doesn’t have R01 installed.

If, as usual, all Citrix servers have R01 installed then it simply stops working. The Java client fails with:

Error connecting through Citrix Secure Gateway

Error reading from proxy server - Error connecting through Citrix Secure Gateway

Error reading from proxy server - Unknown error: java.lang.

Exception: null

Please contact your Citrix representative etc….

The Event log of the STA on the Citrix server gives:

Service received error: Invalid-Ticket from STA STAxxxxxxx, Client IP xxxxxx connection dropped.

Socks Session [x] failed ticket check. Client IP [xxxxx]

written by dcaddick

I came across this little nugget at the Windows Mobile Team’s Blog that I thought was worth sharing?

Smartphone Specific
Easy access to numbers.   In both T9 and ABC mode, you can usually get a number by pressing and holding the button.  For instance, the 2 button can be a, b, c, or 2.  Press it once and you’ll get a letter.  Press and hold it and you’ll get the number.  This is a lot faster than switching to 123 mode if you just need to type a few numbers.

Lock the keypad.  On Smartphone that have a separate power button, pressing and holding the End key (the red button) locks the keypad.  Some Smartphones don’t have a separate power button.  On them, the press and hold of the End key is usually power off.  In that case, there’s often some other key that you can press and hold for lock.

Quicklist.  On Smartphones that have a separate power button, pressing the power button quickly (not press and hold) brings up the "Quicklist."  The Quicklist lets you do things like toggle flight mode and set profiles.  Press and hold the power button shuts the phone off.  On devices without a separate power button, one of the other keys will bring up the Quicklist (often press and hold Home).

Getting symbols.  If you’re typing in T9 or ABC mode, there are two ways to type things like period, comma, etc.  You can get a table of them by pressing and holding the # key.  Or you can get to many of the more common ones with the 1 key. 

Speed dial apps.  You can assign phone numbers to speed dial keys.  Go into the contact, select the phone number you want to put on a speed dial, and then choose Menu->Add To Speed Dial.  But you can also assign applications to speed dial keys.  From the home screen, hit Start, select the application you want, and then choose Menu->Add To Speed Dial.  Once you have a number or application on speed dial, you can go to the home screen and press and hold that number to call or run it.  For instance, if you assigned my ToggleBTh button to speed dial slot 2, you can turn Bluetooth on and off by just pressing and holding 2 from the home screen.

Speed dial voicemail.  On most phones, speed dial slot 1 is voicemail.  So you can dial your voicemail by going to the home screen and pressing and holding 1.

PocketPC Specific
Better hardware navigation.  Some WM5 devices have dedicated "Start" and "Ok" buttons (e.g. the Treo 700w and the Sprint 6700).  Some WM5 devices don’t have those buttons, but do have two buttons that launch apps (e.g. the T-mobile MDA and the Cingular 8125).  Having Start and Ok buttons makes it much easier to control the device without touching the screen.  You can change the existing application buttons to do Start and Ok instead.  Go to Start->Settings->Buttons.  Select the button you want to change and drop down the menu at the bottom.  The two you care about are near the top of the list (<Start Menu> and <OK/Close>).

Symbols not on the keyboard.  If you have a hardware keyboard that has a "Sym" button (often Fn + Space) you can use it to type symbols that aren’t on the keyboard.  For instance, say the keyboard has a "/" but no "\".  Type "/" then hit Sym.  It’ll switch.  Hit Sym again and it’ll switch to "|".  This is also a somewhat convenient way to get non-English characters.  For instance, if you want an o with an umlaut over it, hit o and then hit the Sym key a few times.  It’ll cycle through the various accents.  Or, if you need the Spanish ñ, hit n then Sym. 

What happened to my backlight? On many PocketPCs, if you press and hold the power button it will turn off the backlight and keep it off.  This may be what you want, or it may be something you did accidentally and now you’re wondering why your backlight never turns on anymore.  Press and hold power again to turn the backlight back on.  (On at least one PocketPC I’ve seen recently, press and hold power is a full shut down instead.)

Make the SIP stop coming up.  The PocketPC has a "Soft Input Panel" (SIP).  This is the little software keyboard that pops up at the bottom of the screen. (It can also be various types of handwriting recognizers, etc.)  If the device has no hardware keyboard, the SIP will pop up automatically whenever you get to a place where you can enter text.  If there’s a hardware keyboard, though, we assume you want to use the keyboard instead of the SIP and don’t make it pop up automatically.  However, if you tap the little SIP button once, we suddenly decide that you want the SIP to deploy automatically again, even though you’ve got a hardware keyboard.  Maybe you did, or maybe you let a friend look at your PocketPC and he said, "Hey, what’s this do?" and tapped it.  If you want it to stop coming up automatically, let it pop up once and use the hardware keyboard as though the SIP wasn’t there.  When you use the hardware keyboard, the SIP will go away and won’t come up again until you tap the icon.  (The common mistake people make here is to put the SIP away and then start typing on the hardware keyboard.  That will put it away, but it’ll come back again when you go to a new text field.)

Both PPC and SP
Put the call on hold.  While in a call, press Send (the green button).  That will put the call on hold.  Do it again to start the call back up.

Switch to/from speakerphone.  While in a call, press and hold Send (the green button) to switch to speakerphone.  Press and hold it again to switch back.

written by dcaddick