Zetalink Technical Overview

This document answers many common technical questions about Zetalink, particularly in relation to security, to help technical staff understand how it works and how it would be installed. For a fuller explanation, please see the Zetalink Implementation Guide.

Zetalink provides fast, secure access to business information using an Internet-enabled PDA or mobile phone. It allows real-time interaction with Microsoft Exchange and other corporate data sources, including a range of CRM and accounts applications.

Zetalink features

The main features of Zetalink are:

• Browse mailbox – users can access their Inbox, Calendar and other mailbox folders quickly and securely, using a WAP-enabled PDA or mobile phone. Items can be modified or added, and account settings such as the PIN changed.
• Exchange public folders – users can read and update information stored in public folders on the Exchange server. “Favorites” make it simple to access frequently used folders.
• Send email – Zetalink allows users to write, forward or reply to email messages, respond to meeting requests and update task and contact lists.
• CRM and accounts data – Zetalink users can read and update customer information stored in their corporate CRM or accounts systems.
• Print to fax – users can print email messages by forwarding them to a fax machine, and with the optional rendering module can print attached files in the same way.
• SMS alerts – Zetalink can be configured by individual users to send SMS text alerts using their Web browser. Examples include setting event reminders and email receipt alerts from specified addresses.
• Timed summaries – users can request summary information to be sent automatically at specific times. Examples include a summary of the day's appointments, to be sent at a set time each morning by SMS or fax.
• Text messages – users can send text messages from their desktop to colleagues who are out of the office.
• Simple administration – administration of the Zetalink server is done using a Microsoft Management Console (MMC) snap-in, providing a standard and intuitive interface.

System architecture

The core Zetalink components are typically installed on several different computers in the organization. The components are as follows:

• Zetalink Server – the centre of the system, coordinating the operation of other components and applying the security policy. The server can be installed on existing or dedicated hardware depending on specific needs, along with other Zetalink components.
• Zetalink Database – created during the Zetalink Server install, to store configuration and dynamic data. It may either run on the Zetalink Server computer (using the database server supplied with Zetalink), or on a separate corporate database server (using Microsoft SQL Server).
• Exchange Components – installed on each Microsoft Exchange server which hosts mailboxes, to process alerts and requests from the Zetalink Server. Zetalink supports any combination of Exchange 2000 and Exchange 5.5 servers.
• User Configuration Components – allow users to configure their settings and alert rules using a standard Web browser. They use Microsoft Internet Information Server (IIS), and may be installed either on the Zetalink Server or an existing corporate Intranet server.
• External Web Site – created on a Web server visible from the Internet, to generate pages requested by Zetalink users' Internet-enabled PDAs and mobile phones. The site must be able to access information from the Zetalink server, either directly or through a firewall.
• Communications Server – manages the devices used to send SMS alerts and fax messages. Based on Equisys' market-leading network fax server, Zetafax, a restricted version of which is supplied with Zetalink. Customers already using Zetafax can use their existing server as an alternative.
• Application Connectors – installed on the application server or on the Zetalink server, to allow Zetalink to read and update the application data. Zetalink connectors are available for Sage Line 50, GoldMine and ACT!

Security

Security considerations are at the core of Zetalink. A range of industry-proven techniques ensure that corporate information and systems are fully protected.

Internet protection

Zetalink works in conjunction with firewalls, protecting the Zetalink Server and other corporate computers from malicious attack via the Internet. For Zetalink, firewalls only need be configured to pass through the standard browser protocols HTTP and HTTPS, leading to a highly secure configuration. Zetalink fully supports systems where the externally visible Web server is protected from the main corporate network using a demilitarized zone (DMZ) or standalone server configuration. This is described in more detail below.

User accounts and passwords

Zetalink users must enter a unique personal numeric PIN code, which is separate to their network password, in order to access their data. The unique PIN is simple to enter from a mobile phone, and protects the main corporate network in the event of the mobile handset being compromised. The Administrator controls which users can access data using Zetalink, and can set policies such as the minimum PIN length allowed. Each PIN is stored in an encrypted form, and cannot be read by the Administrator or any user.

User accounts can be restricted to a specific device (PDA or mobile phone), where supported by the phone network operator. This provides protection against someone looking at the PIN being entered.

All requests pass through the Zetalink Server, which applies the security policy. It ensures that only authorized users may use the Zetalink system, and that they only see information which they are entitled to view.
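The account controls just described (a numeric PIN separate from the network password, an administrator-set minimum PIN length, a PIN the Administrator cannot read back, optional binding of an account to one handset, and administrator control over who may use the system) can be illustrated with a small policy model. The code below is an added example written for this overview; it is not Zetalink or Equisys code. The page says only that PINs are stored in encrypted form, so the salted PBKDF2 hashing used here, the Policy/Account/PinStore names, the work factor and the device-identifier strings are all assumptions made for the illustration.

```python
"""Added example (not Zetalink/Equisys code): PIN policy enforcement and
PIN storage for a mobile access gateway.  The hashing scheme, class names,
work factor and device-identifier format are assumptions for this illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune for the server hardware
SALT_LEN = 16


@dataclass
class Policy:
    """Administrator-set policy, e.g. the minimum PIN length allowed."""
    min_pin_length: int = 4


@dataclass
class Account:
    user: str
    salt: bytes
    pin_hash: bytes                  # only a one-way hash is kept; the PIN itself is never stored
    enabled: bool = True             # the Administrator can disable the account
    device_id: Optional[str] = None  # when set, only this handset may authenticate


class PinStore:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, PBKDF2_ITERATIONS)

    def set_pin(self, user: str, pin: str, device_id: Optional[str] = None) -> None:
        """Create or reset a user's PIN, enforcing the policy before anything is stored."""
        if not pin or any(ch not in "0123456789" for ch in pin):
            raise ValueError("PIN must be numeric")
        if len(pin) < self.policy.min_pin_length:
            raise ValueError(f"PIN shorter than the policy minimum of {self.policy.min_pin_length}")
        previous = self.accounts.get(user)
        salt = os.urandom(SALT_LEN)           # fresh salt on every change
        self.accounts[user] = Account(
            user=user,
            salt=salt,
            pin_hash=self._derive(pin, salt),
            enabled=previous.enabled if previous else True,
            device_id=device_id if device_id is not None else (previous.device_id if previous else None),
        )

    def disable(self, user: str) -> None:
        """Block Zetalink access without touching the user's network account."""
        self.accounts[user].enabled = False

    def authenticate(self, user: str, pin: str, device_id: str) -> bool:
        """True only for an enabled account, the right PIN and (if bound) the right device."""
        acct = self.accounts.get(user)
        if acct is None:
            # Unknown user: still do one derivation so response time does not reveal which names exist.
            self._derive(pin, b"\0" * SALT_LEN)
            return False
        if not acct.enabled:
            return False
        if acct.device_id is not None and acct.device_id != device_id:
            return False
        return hmac.compare_digest(self._derive(pin, acct.salt), acct.pin_hash)

    def administrator_view(self, user: str) -> dict:
        """What an Administrator can see: status and binding, never the PIN or its hash."""
        acct = self.accounts[user]
        return {"user": acct.user, "enabled": acct.enabled, "device_id": acct.device_id}


def demo() -> dict:
    """Constructed walk-through; returns each outcome so it can be checked."""
    store = PinStore(Policy(min_pin_length=6))
    store.set_pin("alice", "482913", device_id="handset-A")   # constructed PIN and device id
    results = {
        "correct": store.authenticate("alice", "482913", "handset-A"),
        "wrong_pin": store.authenticate("alice", "000000", "handset-A"),
        "wrong_device": store.authenticate("alice", "482913", "handset-B"),
        "unknown_user": store.authenticate("bob", "482913", "handset-A"),
    }
    try:
        store.set_pin("carol", "1234")         # violates the six-digit minimum
        results["short_pin_rejected"] = False
    except ValueError:
        results["short_pin_rejected"] = True
    store.disable("alice")
    results["disabled"] = store.authenticate("alice", "482913", "handset-A")
    view = store.administrator_view("alice")
    results["admin_sees_pin"] = "pin" in view or "pin_hash" in view
    return results


if __name__ == "__main__":
    print(demo())
```

The dummy derivation for an unknown user and the constant-time comparison are the two details most often missed in a home-grown PIN check; both keep a failed attempt from revealing, through timing, whether the user name or the PIN was the part that was wrong.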
PIN re-entry

GPRS devices, providing ‘always on’ connectivity, allow users to keep sessions open for a long period. Whilst providing faster access to information, loss or theft of the handset could potentially allow unauthorized access to a user's information. As a security measure against this, Zetalink allows the Administrator to preset a ‘PIN re-entry period’ after which users must re-enter their PIN. Access is denied until they do so successfully.

Further security measures allow Administrators to disable individual accounts or to change a PIN, without affecting the user's network account settings.

Secure transmission

Information passed over the Internet may be encrypted using the HTTPS secure protocol, which is fully supported by Zetalink. HTTPS is the industry-standard mechanism for secure e-commerce sites, and offers a very high level of protection against interception of information as it passes between the Web server and the WAP Gateway. Zetalink can be configured to switch automatically to HTTPS after the initial welcome screen, without the need for user intervention.

Information is usually passed between the WAP Gateway and the mobile handset over the carrier's private network, or via a secure link. The WAP security model includes protection on this link, and newer mobile handsets support encryption over this link where additional protection is required.

Browsing from the Internet

Zetalink uses Wireless Application Protocol (WAP) to allow mobile handset users to interact with their Exchange Inbox and associated folders, Calendar, Contacts and Task lists, as well as the CRM and accounts applications for which they have selected Zetalink Connectors.

WAP system architecture

WAP is a method of requesting pages of information over the Internet from a mobile device. It was designed to overcome the restrictions of accessing Internet data via a mobile handset, and to make requesting and displaying information on those handsets as simple and quick as possible. WAP includes some special features, such as menus and ‘softkeys’, which make mobile software applications such as Zetalink quick and easy to use. It also uses a separate server called a WAP Gateway to reduce the amount of information being sent to and from the mobile handset. Users connect via the WAP Gateway, which stores information about the user and session.

Requesting information using WAP is very similar to the way a Web browser obtains information from a Web server. The page required is specified with a URL, and the mobile device's browser requests that information from the WAP Gateway. The information is then requested from the Web server using HTTP or HTTPS. Pages sent from the Web server to the phone are constructed in ‘WML’ rather than the ‘HTML’ which is used for most Web pages. However, the Web server and Internet link are configured in the same way for both Web browser and WAP access.

Connecting to the Internet

Because Zetalink is designed to work with commercial WAP gateways, there is no need to purchase and install a separate WAP gateway of your own. The installation requirements for Zetalink are the same as those for installing a Web server. You will need to do the following:

• Ensure that your organization has a permanent Internet connection, with a fixed IP address.
• (Recommended) Register a domain name to that IP address.
• (Recommended) Obtain a certificate from a ‘trusted certification authority’ (e.g. Verisign) to allow information to be protected with HTTPS.
• Configure the main company firewall to recognise requests for the Zetalink URL, and to allow them to pass from the Internet to the Zetalink Web server.

These requirements are described further in the following sections.

Installing a permanent Internet connection

Zetalink users request information from their mobile handset using WAP, as described above. To enable this, your company requires a permanent Internet connection with at least one fixed IP address. Dialup links (e.g.
ISDN) are not sufficient. Other forms of Internet access, which use internally allocated or temporary IP addresses that cannot be accessed from the Internet, are also not suitable. Your ISP can give advice on the options available.

Registering a domain name

Equisys recommends registering a domain name for WAP access. Although most mobile devices can be configured to access the site via an IP address, it is simpler to use a domain name, and this is also required to obtain a certificate for secure transmission. If you already host your own company Web site, e.g. ‘www.equisys.com’, you can use this same domain name with Zetalink. If the main company web site is hosted at a different location, you may need to register a separate domain name for access – e.g. ‘extranet.acme.com’. Once the domain name is registered, Zetalink will then be accessed on a subfolder – e.g. ‘extranet.acme.com/zetalink’. Most firewalls allow different subfolders to be redirected to specific servers, meaning that separate domains are not required for each server at a location.

Obtaining a certificate for secure transmission

Zetalink supports two browsing protocols: HTTP and HTTPS. Both give the same information; however, HTTPS provides greater security by encrypting data as it is passed across the Internet using SSL (Secure Sockets Layer), and requires a security certificate which identifies your company. An SSL certificate is usually purchased from a ‘trusted certifying authority’ (e.g. Verisign), and most WAP gateways only support SSL certificates purchased from trusted sources. Having obtained your certificate you must configure your system to support HTTPS. This is often done on the Web server, so that it interprets the HTTPS requests directly. Alternatively, the firewall can be configured to translate HTTPS requests into HTTP before passing them on to the Web server. Zetalink supports both methods of operation.
Configuring the outer firewall

Security is important in any environment which allows network access from outside the organization. The main tool to protect against malicious access from the Internet is the company firewall, which monitors traffic passing to and from the Internet and uses rules set by the Administrator to determine which traffic it will allow to pass. Zetalink is designed so that the link to the Internet (the ‘outer firewall’) can be made as secure as possible. It requires only browser access to the external Web site – HTTP and HTTPS incoming traffic to the Zetalink site only. Most organizations which already host an external web site will have this configuration in place. Check with your firewall Administrator.

Use with a Demilitarized Zone (DMZ)

Some organizations install a second firewall between their Web servers and the main corporate network to prevent direct access to servers on the main network. The area between this ‘inner firewall’ and the main ‘external firewall’ is known as the Demilitarized Zone (DMZ) or Screened Subnet.

Zetalink supports this configuration, and can be installed simply in this environment. The External Web Site Components are installed on a Web server in the DMZ, while the Zetalink Server and other Zetalink components are installed within the main corporate network. In this configuration the External Web Site Components communicate with the Zetalink Server by making HTTP requests (using an industry standard called SOAP). The inner firewall is then configured to publish a specific URL on the Zetalink Server for use by the Web server.

This method of operation is referred to in Zetalink as ‘firewall support’, and is selected during installation. It may also be used in other cases where the Web server is isolated for security, even when there is no inner firewall – e.g. where the Web server belongs to a separate domain or workgroup, so does not have access to network user accounts.
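The two-firewall layout just described can be written down as a policy and checked against traffic records, which is a useful way to confirm that a deployment really does restrict the paths to those the design calls for. The code below is an added example written for this overview, not Zetalink or Equisys code: the outer firewall passes only HTTP and HTTPS from the Internet to the DMZ web host, and the inner firewall passes only HTTP from that one host to the single published URL on the Zetalink Server. The addresses, the host roles, the path /zetalink/soap, the connection log and the use of path normalisation (so that ‘..’ segments cannot match the published URL) are all assumptions made for the illustration.

```python
"""Added example (not Zetalink/Equisys code): a model of the outer/inner
firewall (DMZ) policy described above, evaluated over constructed connection
records.  Addresses, host roles, the published SOAP path and the log are assumptions."""
import ipaddress
import posixpath
from dataclasses import dataclass
from typing import List, Tuple

# Constructed topology: documentation (RFC 5737) and private ranges, not real hosts.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_WEB_HOST = ipaddress.ip_address("192.0.2.10")     # External Web Site Components
ZETALINK_SERVER = ipaddress.ip_address("10.0.0.20")   # Zetalink Server on the corporate network
OUTER_PORTS = {80, 443}                               # HTTP and HTTPS only
PUBLISHED_PATH = "/zetalink/soap"                     # assumed: the one URL the inner firewall publishes


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    path: str = ""    # HTTP request path where known; empty for non-HTTP traffic


def zone(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in CORPORATE_NET:
        return "corporate"
    return "internet"


def outer_firewall(c: Conn) -> str:
    """Internet -> DMZ: browser protocols to the external web site host only."""
    if zone(c.src) != "internet":
        return "allow"
    if ipaddress.ip_address(c.dst) != DMZ_WEB_HOST:
        return "deny: Internet may only reach the DMZ web host"
    if c.dport not in OUTER_PORTS:
        return f"deny: port {c.dport} is not published on the outer firewall"
    return "allow"


def inner_firewall(c: Conn) -> str:
    """DMZ -> corporate: only HTTP from the web host to the published URL on the Zetalink Server."""
    if zone(c.dst) != "corporate":
        return "allow"
    src_zone = zone(c.src)
    if src_zone == "internet":
        return "deny: no direct Internet access to the corporate network"
    if src_zone == "dmz":
        if ipaddress.ip_address(c.src) != DMZ_WEB_HOST:
            return "deny: only the web host may cross the inner firewall"
        if ipaddress.ip_address(c.dst) != ZETALINK_SERVER or c.dport != 80:
            return "deny: the DMZ web host may only use HTTP to the Zetalink Server"
        # Normalise before comparing so '..' segments cannot escape the published path.
        norm = posixpath.normpath(c.path) if c.path else ""
        if norm != PUBLISHED_PATH and not norm.startswith(PUBLISHED_PATH + "/"):
            return f"deny: {c.path or '<no path>'} is not the published URL"
    return "allow"


def evaluate(c: Conn) -> str:
    """First refusing firewall wins; 'allow' only if both pass the record."""
    for fw in (outer_firewall, inner_firewall):
        verdict = fw(c)
        if verdict != "allow":
            return verdict
    return "allow"


# Constructed connection log, in the shape a packet filter or proxy might record.
SAMPLE_LOG: List[Conn] = [
    Conn("203.0.113.5", "192.0.2.10", 443, "/zetalink/"),             # handset via WAP gateway, HTTPS
    Conn("203.0.113.5", "192.0.2.10", 80, "/zetalink/"),              # initial welcome page over HTTP
    Conn("203.0.113.5", "192.0.2.10", 3389),                          # non-browser port at the web host
    Conn("203.0.113.5", "10.0.0.20", 80, "/zetalink/soap"),           # Internet reaching for the server directly
    Conn("192.0.2.10", "10.0.0.20", 80, "/zetalink/soap"),            # web host -> server SOAP call
    Conn("192.0.2.10", "10.0.0.20", 80, "/zetalink/soap/../admin"),   # path outside the published URL
    Conn("192.0.2.10", "10.0.0.30", 80, "/exchange/"),                # web host -> another internal server (constructed)
    Conn("192.0.2.10", "10.0.0.20", 445),                             # web host -> SMB on the server
]


def audit(log: List[Conn]) -> List[Tuple[Conn, str]]:
    """Return every record the policy refuses, with the reason."""
    refused = []
    for c in log:
        verdict = evaluate(c)
        if verdict != "allow":
            refused.append((c, verdict))
    return refused


if __name__ == "__main__":
    for conn, reason in audit(SAMPLE_LOG):
        print(f"{conn.src} -> {conn.dst}:{conn.dport} {conn.path}  {reason}")
```

Run against a real firewall or proxy log, a check like this turns the prose requirement (“HTTP and HTTPS incoming traffic to the Zetalink site only”, “publish a specific URL on the Zetalink Server”) into something that can be verified after every rule change rather than assumed.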
Sending SMS alerts

Zetalink notifies users when key events occur, depending on the rules which each user has configured. For example, it sends meeting reminders, or notifies you when an urgent email is received. These events are notified using SMS (Short Messaging Service) – the GSM phone standard for sending text messages to a mobile device.

Zetalink submits SMS messages using a GSM modem. This is similar to a standard data modem – it connects to the computer via the serial port, but instead of plugging into a phone socket it has an aerial, and looks like a mobile device to the phone network. The GSM modem is purchased separately to the Zetalink software, and is connected to the Zetalink communications server, which must be located somewhere with sufficient GSM phone signal strength.

The GSM modem requires an airtime agreement and SIM card, like any mobile phone. This is usually obtained separately from the modem as a ‘SIM only’ pack. The option most suitable for your needs is likely to depend on the number of alerts you expect to send, and the phone networks to which your users subscribe.

Zetalink users can also send text messages from the user configuration screen of Zetalink, i.e. from their PCs. This feature is a useful way for department managers to alert their mobile teams to specific events or to contact customers directly.

Fax support

Zetalink allows users to print files and attachments by using any fax machine as a remote printing device. This means users can print items in their mailbox (such as emails or summaries of the day's appointments) and records (such as customer contact details) from the CRM or accounts applications. Zetalink sends these faxes via the Zetafax communications server – using either an existing Zetafax installation or a restricted version of Zetafax supplied with Zetalink.

Fax devices

The version of Zetafax supplied with Zetalink can be configured with a single fax modem. It supports Class 1 and Class 2 fax standards, so can be used with most fax modems. Additional line licences are available as an option for sites which require more than one fax line due to high volume usage.

The full version of Zetafax supports a wider range of fax devices, including Brooktrout and Dialogic intelligent fax boards. These can also be used on ISDN lines (BRI and PRI). The Equisys Web site contains full details of the devices supported.

Whichever device you use, you should ensure that there is a phone point connection situated conveniently close to the communications server, typically residing on the Zetalink Server.

Faxing attachment files

The standard version of Zetalink will fax the text part of mailbox messages or other items, ignoring any attached files. An option is available to fax the attachment files as well. This uses the Zetafax email gateway rendering engine to convert attachment files into the correct format for sending by fax. This is done using the application which created the attachment file directly, in the same way as if you were viewing it from your workstation.

System requirements

Common server requirements: Windows 2000 or Windows NT 4.0 (SP 6a)

Zetalink Server: Microsoft Management Console 1.2 or later (included). For internal firewall support: Internet Information Server 5.0 (on Windows 2000) or Internet Information Server 4.0 (on Windows NT 4.0)

Zetalink Database: SQL Server 7.0 or later, or MSDE 1.0 (included)

Exchange Server Components: Windows NT 4.0 Option Pack (on Windows NT 4.0); Exchange 2000 Server or Exchange 5.5 (SP 3); Exchange Event Service (an optional component with Exchange 5.5)

User Configuration Components: Internet Information Server 5.0 (on Windows 2000) or Internet Information Server 4.0 (on Windows NT 4.0); Internet Explorer 5.5 or later

External Website Components: Internet Information Server 5.0 (on Windows 2000) or Internet Information Server 4.0 (on Windows NT 4.0); Internet Explorer 5.5 or later

Communications server: Zetafax 7.5 Server or later (restricted version included). Also requires one serial port for each GSM modem and fax modem being used

ACT! Components: ACT! 5 (2000) or 6

GoldMine Components: GoldMine Business Contact Manager 5.7 or 6; or GoldMine Sales & Marketing 5.7

Sage Components: Sage Line 50 v8

Firewall support: Most hardware and software firewalls supported; requires ports 80 (HTTP) and 443 (HTTPS) to be opened to the computer with the External Website Components.

Mobile device browser: WAP 1.1 or later browser.

Equisys House, 32 Southwark Bridge Road, London SE1 9EU, UK
Tel +44 (0)20 7203 4000
Fax +44 (0)20 7203 4005
Email [email protected]
www.equisys.com