Zetalink Technical Overview
This document answers many common technical questions about Zetalink, particularly in relation to security, to
help technical staff understand how it works and how it would be installed. For a fuller explanation, please see
the Zetalink Implementation Guide.
Zetalink features
Zetalink provides fast, secure access to business
information using an Internet-enabled PDA or mobile
phone. It allows real-time interaction with Microsoft
Exchange and other corporate data sources, including a
range of CRM and accounts applications.
The main features of Zetalink are:
• Browse mailbox – users can access their Inbox,
Calendar and other mailbox folders quickly and
securely, using a WAP enabled PDA or mobile phone.
Items can be modified or added, and account
settings such as the PIN changed.
• Exchange public folders - users can read and update
information stored in public folders on the Exchange
server. “Favorites” make it simple to access
frequently used folders.
• Send email – Zetalink allows users to write, forward
or reply to email messages, respond to meeting
requests and update task and contact lists.
• CRM and accounts data – Zetalink users can read
and update customer information stored in their
corporate CRM or accounts systems.
• Print to fax – users can print email messages by
forwarding them to a fax machine, and with the
optional rendering module can print attached files in
the same way.
• SMS alerts – Zetalink can be configured by individual
users to send SMS text alerts using their Web
browser. Examples include setting event reminders
and email receipt alerts from specified addresses.
• Timed summaries – users can request summary
information to be sent automatically at specific
times. Examples include a summary of the day's
appointments, to be sent at a set time each morning
by SMS or fax.
• Text messages – users can send text messages from
their desktop to colleagues who are out of the office.
• Simple administration – administration of the
Zetalink server is done using a Microsoft
Management Console (MMC) snap-in, providing a
standard and intuitive interface.
System architecture
The core Zetalink components are typically installed
on several different computers in the organization.
The components are as follows:
• Zetalink Server – the centre of the system,
coordinating the operation of other components
and applying the security policy. The server can
be installed on existing or dedicated hardware
depending on specific needs, along with other
Zetalink components.
• Zetalink Database – created during the Zetalink
Server install, to store configuration and
dynamic data. It may either run on the Zetalink
Server computer (using the database server
supplied with Zetalink), or on a separate
corporate database server (using Microsoft SQL
Server).
• Exchange Components – installed on each
Microsoft Exchange server which hosts
mailboxes, to process alerts and requests from
the Zetalink Server. Zetalink supports any
combination of Exchange 2000 and Exchange 5.5
servers.
• User Configuration Components – allow users to
configure their settings and alert rules using a
standard Web browser. They use Microsoft
Internet Information Server (IIS), and may be
installed either on the Zetalink Server or an
existing corporate Intranet server.
• External Web Site – created on a Web server
visible from the Internet, to generate pages
requested by Zetalink users' Internet-enabled
PDAs and mobile phones. The site must be able
to access information from the Zetalink server,
either directly or through a firewall.
• Communications Server – manages the devices
used to send SMS alerts and fax messages.
Based on Equisys' market leading network fax
server, Zetafax, a restricted version of which is
supplied with Zetalink. Customers already using
Zetafax can use their existing server as an
alternative.
• Application Connectors – installed on the
application server or on the Zetalink server, to
allow Zetalink to read and update the application
data. Zetalink connectors are available for Sage
Line 50, Goldmine and ACT!
Security
Security considerations are at the core of Zetalink. A
range of industry-proven techniques is used to protect
corporate information and systems; the main ones are
described below.
Internet protection
Zetalink works in conjunction with firewalls, which
protect the Zetalink Server and other corporate
computers from attack via the Internet. For Zetalink,
the firewall only needs to pass the standard browser
protocols HTTP and HTTPS to the external Web server,
so the inbound rule set can be kept to the minimum
that any public Web site already requires.
Zetalink fully supports systems where the externally
visible Web server is separated from the main
corporate network by a demilitarized zone (DMZ)
or a standalone server configuration. This is described
in more detail below.
User accounts and passwords
Zetalink users must enter a unique personal
numeric PIN code, which is separate to their
network password, in order to access their data. The
unique PIN is simple to enter from a mobile phone,
and protects the main corporate network in the
event of the mobile handset being compromised.
The Administrator controls which users can access
data using Zetalink, and can set policies such as the
minimum PIN length allowed. Each PIN is stored in
an encrypted form, and cannot be read by the
Administrator or any user. The Administrator can
also disable an individual account or change its PIN,
without affecting the user's network account
settings.
User accounts can be restricted to a specific device
(PDA or mobile phone), where supported by the
phone network operator. This provides protection
against someone who watches the PIN being entered
and then tries to use it from a different handset.
All requests pass through the Zetalink Server, which
applies the security policy. It ensures that only
authorized users may use the Zetalink system, and
that they only see information which they are
entitled to view.
PIN re-entry
GPRS devices, providing ‘always on’ connectivity,
allow users to keep sessions open for a long period.
Whilst providing faster access to information, loss or
theft of the handset could potentially allow
unauthorized access to a user's information.
As a security measure against this, Zetalink allows
the Administrator to preset a ‘PIN re-entry period’
after which users must re-enter their PIN. Access is
denied until they do so successfully.
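The controls in the two sections above (a numeric PIN separate from the network password, a minimum length, a PIN that cannot be read back once stored, optional binding to one handset, and a re-entry period for always-on sessions) fit together as one policy. The following is an added example written for this page, not Zetalink's own code: the policy values, the PBKDF2 storage scheme and the lockout after repeated wrong PINs are assumptions made here, since the page does not document how Zetalink stores PINs or how many attempts it allows.

```python
# Added example, not Zetalink's own code: a model of the PIN controls described
# on this page. MIN_PIN_LENGTH, PIN_REENTRY_PERIOD, MAX_FAILURES, the PBKDF2
# storage scheme and the lockout rule are assumptions made for the example.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MIN_PIN_LENGTH = 6             # assumed Administrator policy
PIN_REENTRY_PERIOD = 15 * 60   # assumed re-entry period, in seconds
MAX_FAILURES = 5               # assumed: a 6-digit PIN has only 10^6 values, so guessing must be capped


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash; only this value is stored, so nobody can read the PIN back."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    enabled: bool = True
    device_id: Optional[str] = None   # handset identity from the operator, if the account is restricted
    failures: int = 0


@dataclass
class Session:
    device_id: Optional[str]
    authenticated_at: float           # time the PIN was last entered successfully


class PinPolicy:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def set_pin(self, user: str, pin: str, device_id: Optional[str] = None) -> None:
        """Create the account or change its PIN; the Administrator never sees the PIN afterwards."""
        if not pin.isdigit() or len(pin) < MIN_PIN_LENGTH:
            raise ValueError(f"PIN must be at least {MIN_PIN_LENGTH} digits")
        salt = os.urandom(16)
        acct = self.accounts.get(user)
        if acct is None:
            self.accounts[user] = Account(salt, hash_pin(pin, salt), device_id=device_id)
        else:
            acct.salt, acct.pin_hash, acct.failures = salt, hash_pin(pin, salt), 0
        self.sessions.pop(user, None)   # a PIN change ends any open session

    def disable(self, user: str) -> None:
        """Administrator action: block Zetalink access without touching the network account."""
        self.accounts[user].enabled = False
        self.sessions.pop(user, None)

    def login(self, user: str, pin: str, device_id: Optional[str], now: float) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not acct.enabled:
            return False
        if acct.device_id is not None and device_id != acct.device_id:
            return False   # the right PIN from the wrong handset is still refused
        if not hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.enabled = False
            return False
        acct.failures = 0
        self.sessions[user] = Session(device_id, now)
        return True

    def authorize(self, user: str, device_id: Optional[str], now: float) -> bool:
        """Per-request check applied before any data is returned."""
        acct, sess = self.accounts.get(user), self.sessions.get(user)
        if acct is None or not acct.enabled or sess is None or sess.device_id != device_id:
            return False
        if now - sess.authenticated_at > PIN_REENTRY_PERIOD:
            del self.sessions[user]    # the always-on session has outlived the period: ask for the PIN again
            return False
        return True
```

The check in authorize runs on every request rather than once at login, which is what makes the re-entry period useful against a lost always-on handset: once the period has elapsed the next request is refused until the PIN is entered again, and a disabled account is cut off immediately even if a session was open.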
Secure transmission
Information passed over the Internet may be
encrypted using the HTTPS secure protocol, which is
fully supported by Zetalink. HTTPS is the industry-standard mechanism for secure e-commerce sites,
and offers a very high level of protection against
interception of information as it passes between the
Web server and the WAP Gateway.
Zetalink can be configured to switch automatically
to HTTPS after the initial welcome screen, without
the need for user intervention. Anything entered
before the switch travels over plain HTTP, so the
switch should take place before the PIN is requested.
Note that HTTPS is terminated at the WAP Gateway,
not on the handset: the carrier's gateway decrypts the
traffic before re-encoding it for the mobile device, so
the gateway operator necessarily sees the data in clear.
Information is usually passed between the WAP
Gateway and the mobile handset over the carrier's
private network, or via a secure link. The WAP
security model includes protection on this link
(WTLS), and newer mobile handsets support
encryption over this link where additional protection
is required.
Browsing from the Internet
Zetalink uses Wireless Application Protocol (WAP) to
allow mobile handset users to interact with their
Exchange Inbox and associated folders, Calendar,
Contacts and Task lists, as well as the CRM and
accounts applications for which they have selected
Zetalink Connectors.
WAP system architecture
WAP is a method of requesting pages of information
over the Internet from a mobile device. It was
designed to overcome the restrictions of accessing
Internet data via a mobile handset, and to make
requesting and displaying information on those
handsets as simple and quick as possible.
WAP includes some special features, such as menus
and ‘softkeys’ which make mobile software
applications such as Zetalink quick and easy to use.
It also uses a separate server called a WAP Gateway
to reduce the amount of information being sent to
and from the mobile handset. Users connect via the
WAP Gateway, which stores information about the
user and session. Requesting information using
WAP is very similar to the way a Web browser
obtains information from a Web server. The page
required is specified with a URL and the mobile
device's browser requests that information from the
WAP Gateway. The information is then requested
from the Web server using HTTP or HTTPS.
Pages sent from the Web server to the phone are
constructed in ‘WML’ rather than ‘HTML’ which is
used for most Web pages. However, the Web server
and Internet link are configured in the same way for
both Web browser and WAP access.
Connecting to the Internet
Because Zetalink is designed to work with
commercial WAP gateways, there is no need to
purchase and install a separate WAP gateway of
your own.
The installation requirements for Zetalink are the
same as those for installing a Web server. You will
need to do the following:
• Ensure that your organization has a permanent
Internet connection, with a fixed IP address.
• (Recommended) Register a domain name to that
IP address.
• (Recommended) Obtain a certificate from a
‘trusted certification authority’ (e.g. Verisign) to
allow information to be protected with HTTPS.
• Configure the main company firewall to
recognise requests for the Zetalink URL, and to
allow them to pass from the Internet to the
Zetalink Web server.
These requirements are described further in the
following sections.
Installing a permanent Internet connection
Zetalink users request information from their mobile
handset using WAP, as described above. To enable
this, your company requires a permanent Internet
connection with at least one fixed IP address. Dialup links (e.g. ISDN) are not sufficient. Other forms of
Internet access, which use internally allocated or
temporary IP addresses which cannot be accessed
from the Internet, are also not suitable. Your ISP can
give advice on the options available.
Registering a domain name
Equisys recommends registering a domain name for
WAP access. Although most mobile devices can be
configured to access the site via an IP address, it is
simpler to use a domain name, and this is also
required to obtain a certificate for secure
transmission.
If you already host your own company Web site, e.g. ‘www.equisys.com’, you can use this same
domain name with Zetalink.
If the main company web site is hosted at a different
location, you may need to register a separate
domain name for access – e.g. ‘extranet.acme.com’.
Once the domain name is registered, Zetalink will
then be accessed on a subfolder – e.g.
‘extranet.acme.com/zetalink’. Most firewalls allow
different subfolders to be redirected to specific
servers, meaning that separate domains are not
required for each server at a location.
Obtaining a certificate for secure transmission
Zetalink supports two browsing protocols: HTTP and
HTTPS. Both give the same information; however,
HTTPS provides greater security by encrypting data
as it is passed across the Internet using SSL (Secure
Sockets Layer), and requires a security certificate
which identifies your company. The name in the
certificate must match the domain name the handsets
use to reach the site.
An SSL certificate is usually purchased from a
‘trusted certification authority’ (e.g. Verisign), and
most WAP gateways only accept SSL certificates
issued by such authorities, so a self-signed
certificate is unlikely to work.
Having obtained your certificate you must configure
your system to support HTTPS. This is often done on
the Web server so that it interprets the HTTPS
requests directly. Alternatively, the firewall can be
configured to translate HTTPS requests into HTTP
before passing them on to the Web server; in that
case the link between the firewall and the Web server
carries the data unencrypted, so it must be a network
segment nobody else can observe. Zetalink supports
both methods of operation.
Configuring the outer firewall
Security is important in any environment which
allows network access from outside the
organization. The main tool to protect against
malicious access from the Internet is the company
firewall, which monitors traffic passing to and from
the Internet and uses rules set by the Administrator
to determine which traffic it will allow to pass.
Zetalink is designed so that the link to the Internet
(the ‘outer firewall’) can be made as secure as
possible. It requires only browser access to the
external Web site – HTTP and HTTPS incoming traffic
to the Zetalink site only. Most organizations which
already host an external web site will have this
configuration in place. Check with your firewall
Administrator.
Use with a Demilitarized Zone (DMZ)
Some organizations install a second firewall
between their Web servers and the main corporate
network to prevent direct access to servers on the
main network.
The area between this ‘inner firewall’ and the main
‘external firewall’ is known as the Demilitarized
Zone (DMZ) or Screened Subnet. Zetalink supports
this configuration, and can be installed simply in
this environment.
The External Web Site Components are installed on
a Web server in the DMZ, while the Zetalink Server
and other Zetalink components are installed within
the main corporate network. In this configuration
the External Web Site Components communicate
with the Zetalink Server by making HTTP requests
(using an industry standard called SOAP). The inner
firewall is then configured to publish a specific URL
on the Zetalink Server for use by the Web server.
That rule should admit only the DMZ Web server's
address, and only that URL, so that a compromised
Web server has no other route into the main network.
This method of operation is referred to in Zetalink as
‘firewall support’, and is selected during
installation. It may also be used in other cases
where the Web server is isolated for security, even
when there is no inner firewall – e.g. where the Web
server belongs to a separate domain or workgroup,
so does not have access to network user accounts.
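The two-firewall layout above comes down to two very different rule sets: the outer firewall admits only HTTP/HTTPS to the external Web server, and the inner firewall admits only the DMZ Web server's POSTs to the single published URL. The following is an added example written for this page, not Zetalink's or Equisys' code: it models both rule sets over sample flows and builds the kind of SOAP 1.1 envelope such a request carries. The addresses, zones, published URL, operation name and XML namespace are all constructed for the example.

```python
# Added example, not Zetalink's own code: a model of the outer/inner firewall
# policy for the DMZ layout described above, plus the shape of the SOAP request
# the DMZ Web server sends. Addresses, zones, PUBLISHED_URL, the operation name
# and ZETALINK_NS are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed addressing (documentation ranges, not real hosts).
DMZ = ip_network("192.0.2.0/24")           # screened subnet between the two firewalls
CORPORATE = ip_network("10.0.0.0/8")       # main corporate network
EXTERNAL_WEB = ip_address("192.0.2.10")    # External Web Site Components
ZETALINK_SERVER = ip_address("10.1.2.3")   # Zetalink Server
PUBLISHED_URL = "http://10.1.2.3/zetalink/soap"   # hypothetical URL the inner firewall publishes

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ZETALINK_NS = "urn:example:zetalink"       # hypothetical service namespace
ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("z", ZETALINK_NS)


@dataclass(frozen=True)
class Flow:
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination TCP port
    method: str    # HTTP method, or "" for non-HTTP traffic
    url: str       # request URL, or "" for non-HTTP traffic


def zone(ip: str) -> str:
    addr = ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in CORPORATE:
        return "corporate"
    return "internet"


def outer_firewall(flow: Flow) -> bool:
    """Internet side: only HTTP/HTTPS, and only to the external Web server."""
    return (ip_address(flow.dst) == EXTERNAL_WEB
            and flow.dport in (80, 443)
            and flow.method in ("GET", "POST"))


def inner_firewall(flow: Flow) -> bool:
    """DMZ side: only POSTs from the external Web server to the one published URL."""
    if ip_address(flow.src) != EXTERNAL_WEB or ip_address(flow.dst) != ZETALINK_SERVER:
        return False
    if flow.method != "POST" or flow.dport != 80:
        return False
    want, got = urlsplit(PUBLISHED_URL), urlsplit(flow.url)
    # Exact match on scheme, host and path: another path on the same server is denied.
    return (got.scheme, got.hostname, got.path) == (want.scheme, want.hostname, want.path)


def permitted(flow: Flow) -> bool:
    """Apply each firewall the flow crosses between its source zone and destination zone."""
    src, dst = zone(flow.src), zone(flow.dst)
    if src == dst:
        return True    # crosses neither firewall; host-level controls apply, not modelled here
    crossings = {
        ("internet", "dmz"): [outer_firewall],
        ("internet", "corporate"): [outer_firewall, inner_firewall],
        ("dmz", "corporate"): [inner_firewall],
    }
    checks = crossings.get((src, dst))
    if checks is None:
        return False   # e.g. corporate -> DMZ: nothing in this design initiates in that direction
    return all(check(flow) for check in checks)


def soap_request(operation: str, params: dict) -> str:
    """Body of the HTTP POST the DMZ Web server sends to PUBLISHED_URL (SOAP 1.1 envelope)."""
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    call = ET.SubElement(body, f"{{{ZETALINK_NS}}}{operation}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{ZETALINK_NS}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="unicode")


if __name__ == "__main__":
    handset = Flow("203.0.113.5", "192.0.2.10", 443, "GET", "https://extranet.acme.com/zetalink/")
    backend = Flow("192.0.2.10", "10.1.2.3", 80, "POST", PUBLISHED_URL)
    lateral = Flow("192.0.2.10", "10.1.2.3", 445, "", "")
    for f in (handset, backend, lateral):
        print(f.src, "->", f.dst, f.dport, "permit" if permitted(f) else "deny")
    print(soap_request("GetFolder", {"User": "alice", "Folder": "Inbox"}))
```

The point of keeping the inner rule to one source address and one URL is visible in the lateral flow: a Web server in the DMZ that has been taken over can still reach the published SOAP endpoint (that is its job), but nothing else on the corporate network, and the Zetalink Server remains the only place where the security policy is applied.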
Sending SMS alerts
Zetalink notifies users when key events occur,
depending on the rules which each user has
configured. For example, it sends meeting reminders,
or notifies the user when an urgent email is received.
These events are notified using SMS (Short
Messaging Service) – the GSM phone standard for
sending text messages to a mobile device.
Zetalink submits SMS messages using a GSM
modem. This is similar to a standard data modem –
it connects to the computer via the serial port, but
instead of plugging into a phone socket it has an
aerial, and looks like a mobile device to the phone
network.
The GSM modem is purchased separately to the
Zetalink software, and is connected to the Zetalink
communications server which must be located
somewhere with sufficient GSM phone signal
strength.
The GSM modem requires an airtime agreement and
SIM card, like any mobile phone. This is usually
obtained separately from the modem as a ‘SIM only’
pack. The option most suitable for your needs is
likely to depend on the number of alerts you expect
to send, and the phone networks to which your
users subscribe.
Zetalink users can also send text messages from the
user configuration screen of Zetalink i.e. from their
PCs. This feature is a useful way for department
managers to alert their mobile teams to specific
events or to contact customers directly.
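The modem described above is driven over the serial port with the standard GSM AT command set: select SMS text mode, give the destination number, wait for the modem's prompt, send the body and terminate it with Ctrl-Z. The following is an added example written for this page, not Zetalink's or Zetafax's code: a fake modem stands in for the serial port so the exchange runs offline, and the phone numbers and message text are constructed. It also shows the check a practitioner wants in front of user-supplied alert text: Ctrl-Z and ESC inside the body are interpreted by the modem, so they have to be stripped before the text is written to the port.

```python
# Added example, not Zetalink's own code: the AT command exchange used to submit
# one SMS through a serial GSM modem in text mode (3GPP TS 27.005, AT+CMGF and
# AT+CMGS), with a fake modem in place of the serial port. Numbers and text
# are constructed for the example.
import re

CTRL_Z = "\x1a"   # submits the message body to the modem
ESC = "\x1b"      # cancels the message body
E164 = re.compile(r"^\+[1-9]\d{6,14}$")   # international number format


class FakeGsmModem:
    """Answers like a GSM modem in SMS text mode and records what it was sent."""

    def __init__(self) -> None:
        self.transcript = []     # every string written to the 'serial port'
        self.delivered = []      # (number, body) pairs handed to the 'network'
        self._pending = None     # destination number while a body is being collected
        self._mr = 0             # message reference counter

    def write(self, data: str) -> str:
        self.transcript.append(data)
        if self._pending is not None:
            if ESC in data:
                self._pending = None
                return "\r\nOK\r\n"
            if CTRL_Z not in data:
                return ""        # still collecting the body
            body, _rest = data.split(CTRL_Z, 1)   # a real modem parses _rest as new commands
            self._mr += 1
            self.delivered.append((self._pending, body))
            self._pending = None
            return f"\r\n+CMGS: {self._mr}\r\n\r\nOK\r\n"
        cmd = data.strip()
        if cmd in ("AT", "AT+CMGF=1"):
            return "\r\nOK\r\n"
        match = re.fullmatch(r'AT\+CMGS="(\+\d+)"', cmd)
        if match:
            self._pending = match.group(1)
            return "\r\n> "
        return "\r\nERROR\r\n"


def sanitize(text: str, limit: int = 160) -> str:
    """Remove control characters the modem would act on (Ctrl-Z ends the body,
    ESC cancels it) and cap the length at one 7-bit GSM message. The real limit
    depends on the alphabet the text needs; that is simplified away here."""
    cleaned = "".join(ch for ch in text if ch >= " " or ch in "\r\n")
    return cleaned[:limit]


def send_sms(modem, number: str, text: str) -> int:
    """Submit one text-mode SMS; returns the message reference the modem assigns."""
    if not E164.match(number):
        raise ValueError(f"destination must be in international format: {number!r}")
    for cmd in ("AT", "AT+CMGF=1"):            # attention; select text mode
        if "OK" not in modem.write(cmd + "\r"):
            raise RuntimeError(f"{cmd} failed")
    if not modem.write(f'AT+CMGS="{number}"\r').endswith("> "):
        raise RuntimeError("modem did not prompt for the message body")
    response = modem.write(sanitize(text) + CTRL_Z)
    match = re.search(r"\+CMGS: (\d+)", response)
    if match is None or "OK" not in response:
        raise RuntimeError(f"submission failed: {response.strip()!r}")
    return int(match.group(1))


if __name__ == "__main__":
    modem = FakeGsmModem()
    ref = send_sms(modem, "+447700900123", "Reminder: 09:00 meeting, Room 4")
    print("message reference", ref, "delivered", modem.delivered)
```

Writing the body to the fake modem without sanitize shows why the check matters: a Ctrl-Z in the middle of the text submits a truncated message, and on a real modem whatever follows is parsed as further AT commands, which is how alert text composed by a user (or taken from an inbound email subject) could submit messages of its own.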
Fax support
Zetalink allows users to print files and attachments
by using any fax machine as a remote printing
device. This means users can print items in their
mailbox, (such as emails or summaries of the day's
appointments) and records (such as customer
contact details) from the CRM or accounts
applications.
Zetalink sends these faxes via the Zetafax
communications server – using either an existing
Zetafax installation or a restricted version of Zetafax
supplied with Zetalink.
Fax devices
The version of Zetafax supplied with Zetalink can be
configured with a single fax modem. It supports
Class 1 and Class 2 fax standards, so can be used
with most fax modems. Additional line licences are
available as an option for sites which require more
than one fax line due to high volume usage.
The full version of Zetafax supports a wider range of
fax devices, including Brooktrout and Dialogic
intelligent fax boards. These can also be used on
ISDN lines (BRI and PRI). The Equisys Web site
contains full details of the devices supported.
Whichever device you use, you should ensure that
there is a phone point connection situated
conveniently close to the communications server,
typically residing on the Zetalink Server.
Faxing attachment files
The standard version of Zetalink will fax the text part
of mailbox messages or other items, ignoring any
attached files.
An option is available to fax the attachment files as
well. This uses the Zetafax email gateway rendering
engine to convert attachment files into the correct
format for sending by fax. This is done using the
application which created the attachment file
directly, in the same way as if you were viewing it
from your workstation. Because the attachment is
opened in its native application on the server, the
rendering server processes untrusted content from
inbound email and should be kept patched and
separated from other roles where possible.
System requirements
Common server requirements:
Windows 2000 or Windows NT 4.0 (SP 6a)
Zetalink Server:
Microsoft Management Console 1.2 or later (included)
For internal firewall support:
Internet Information Server 5.0 (on Windows 2000)
Internet Information Server 4.0 (on Windows NT 4.0)
Zetalink Database:
SQL Server 7.0 or later, or MSDE 1.0 (included)
Exchange Server Components:
Windows NT 4.0 Option Pack (on Windows NT4)
Exchange 2000 Server or Exchange 5.5 (SP 3)
Exchange Event Service (an optional component with Exchange
5.5)
User Configuration Components:
Internet Information Server 5.0 (on Windows 2000)
Internet Information Server 4.0 (on Windows NT4)
Internet Explorer 5.5 or later
External Website Components:
Internet Information Server 5.0 (on Windows 2000)
Internet Information Server 4.0 (on Windows NT4)
Internet Explorer 5.5 or later
Communications server:
Zetafax 7.5 Server or later (restricted version included)
Also requires one serial port for each GSM modem and fax
modem being used
ACT! Components:
ACT! 5 (2000) or 6
GoldMine Components:
GoldMine Business Contact Manager 5.7 or 6; or GoldMine Sales
& Marketing 5.7
Sage Components:
Sage Line 50 v8
Firewall support:
Most hardware and software firewalls supported; requires ports
80 (HTTP) and 443 (HTTPS) to be opened to the computer with
the External Website Components.
Mobile device browser:
WAP 1.1 or later browser.
Equisys House, 32 Southwark Bridge Road, London SE1 9EU, UK
Tel +44 (0)20 7203 4000 Fax +44 (0)20 7203 4005 Email [email protected]
www.equisys.com