We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

ActiveSync in Exchange 2007 on Server 2008

TVAN01
TVAN01 asked
on
Medium Priority
1,102 Views
Last Modified: 2012-05-06
We are in the process of migrating from Exchange 2003 to 2007. We are a small organization so we have 1 2003 server and 1 2007 server with HS, CAS, & MB roles installed. Although frowned upon, we are maintaining 2 seperate links for OWA/ActiveSync access. Everyone that is on the 03 server works fine, both owa & activesync. We got the owa to work besides not having a trusted certificate, but ActiveSync will not work at all. We are currently trying to do it under http traffic since we don't have a certificate currently, but it still doesn't sync. Is that required? Under the External URL for activesync I have owa.domain.com and that's what I have in the phone as well. I don't have redirect on for OWA. I'm not real familiar with II7 so any help on settings would be appreciated.
Comment
Watch Question

Commented:
If you want ActiveSync to work using a self-generated cert, it is possible (I wouldn't recommend it, though.  A public certificate authority can issue you one for less than $100 per year, so why put yourself through the headache?)

What you basically need to do to make this (ActiveSync) work, is to import your certificate into each and every phone that you want to ActiveSync.  There are some phones out there that make it difficult to do this, but you should be able to do this for most windows Mobile phones.

HTTPS security is put there for a reason.  Use a private certificate if you must, but please don't remove SSL security to make it work.

Author

Commented:
Well, ideally we wanted to move the certificate off the old exchange unto the new exchange and rename the box and change the IP so it looks exactly like the old 2003 server, just on a new box, but for testing purposes we just wanted to get it to work for now. I totally agree, this self signed stuff is already turning out to be a bigger headache than I'd like it to be.

Commented:
If your Exch 2007 box is not in production, you can make it (testing) work and not impact any of your users.  You might even find it good practice for when you do put it into production  :-)

If you have a spare public IP (so that the production server is not impacted in any way), access to DNS for your domain (create a record like testactivesync.yourpublicdomain.com), and are able to make changes to your firewall (port forward 443 for that DNS record), it would be a good exercise.

And, you can definitely re-use the existing cert when you are ready with the E2K7 box.

Expert of the Quarter 2009
Expert of the Year 2009
Commented:
First - a self generated certificate is not supported with Exchange ActiveSync with Exchange 2007. You must use a commercial certificate.
Second - while you could move the certificate off the original machine, I wouldn't recommend it. While Exchange 2007 can be made to work with a single name certificate, the requirements to do so are very strict. If your public DNS host does not support SRV records then you cannot use the original certificate. You will need to switch to a SAN/UC certificate. You can get these for less than US$70/year from a GoDaddy reseller https://DomainsForExchange.net/ . The GoDaddy certificates are also trusted by most Windows Mobile devices. I have full instructions on getting the certificate here:
http://www.sembee.co.uk/archive/2008/05/30/78.aspx

Forget about renaming the server, unless you want to practise DR. That is not supported and will break Exchange.

-M

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Commented:
I respectfully disagree.  

While it may be more difficult, if you have your own internal Windows CA, you can use that to create a certificate that would work, with ActiveSync, as well as with Outlook 2007.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
While you can get it to work - it isn't supported.

This is Microsoft's official stance on the use of the self signed certificate: http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx

One of the key lines is this:

"Important:  The self-signed certificate is not supported for use with Outlook Anywhere or Exchange ActiveSync.  "

Using a Windows CA is simply a lot of hassle. You have to import the certificate in to every device - to save $60. Now I don't know what your hourly rate is like, but that doesn't seem worth the bother.

-M

Author

Commented:
Mestha,

We will probably go with something like you suggested. Well, pretty much exactly since you have it outlined so nicely. Just for testing purposes, is it possible to sync over non https channels? I know not recommended, but just so I know the settings are correct in Exchange? If the IP address is changed, is that an issue? Thanks for the help.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
I don't even attempt to test the feature without using SSL. Many of the issues with this feature are down to certificate problems, so I prefer to wrap up everything in one go. I also don't open port 80 on the firewall at all.

-M
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.