ActiveSync in Exchange 2007 on Server 2008

We are in the process of migrating from Exchange 2003 to 2007. We are a small organization so we have 1 2003 server and 1 2007 server with HS, CAS, & MB roles installed. Although frowned upon, we are maintaining 2 separate links for OWA/ActiveSync access. Everyone that is on the 03 server works fine, both OWA & ActiveSync. We got the OWA to work besides not having a trusted certificate, but ActiveSync will not work at all. We are currently trying to do it under HTTP traffic since we don't have a certificate currently, but it still doesn't sync. Is that required? Under the External URL for ActiveSync I have owa.domain.com and that's what I have in the phone as well. I don't have redirect on for OWA. I'm not real familiar with IIS7 so any help on settings would be appreciated.
Asked by: TVAN01

Kaffiend Commented:
If you want ActiveSync to work using a self-generated cert, it is possible (I wouldn't recommend it, though.  A public certificate authority can issue you one for less than $100 per year, so why put yourself through the headache?)

What you basically need to do to make this (ActiveSync) work, is to import your certificate into each and every phone that you want to ActiveSync.  There are some phones out there that make it difficult to do this, but you should be able to do this for most Windows Mobile phones.

HTTPS security is put there for a reason.  Use a private certificate if you must, but please don't remove SSL security to make it work.
 
TVAN01 (Author) Commented:
Well, ideally we wanted to move the certificate off the old Exchange onto the new Exchange and rename the box and change the IP so it looks exactly like the old 2003 server, just on a new box, but for testing purposes we just wanted to get it to work for now. I totally agree, this self-signed stuff is already turning out to be a bigger headache than I'd like it to be.
 
Kaffiend Commented:
If your Exch 2007 box is not in production, you can make it (testing) work and not impact any of your users.  You might even find it good practice for when you do put it into production  :-)

If you have a spare public IP (so that the production server is not impacted in any way), access to DNS for your domain (create a record like testactivesync.yourpublicdomain.com), and are able to make changes to your firewall (port forward 443 for that DNS record), it would be a good exercise.

And, you can definitely re-use the existing cert when you are ready with the E2K7 box.

Mestha Commented:
First - a self generated certificate is not supported with Exchange ActiveSync with Exchange 2007. You must use a commercial certificate.
Second - while you could move the certificate off the original machine, I wouldn't recommend it. While Exchange 2007 can be made to work with a single name certificate, the requirements to do so are very strict. If your public DNS host does not support SRV records then you cannot use the original certificate. You will need to switch to a SAN/UC certificate. You can get these for less than US$70/year from a GoDaddy reseller https://DomainsForExchange.net/ . The GoDaddy certificates are also trusted by most Windows Mobile devices. I have full instructions on getting the certificate here:
http://www.sembee.co.uk/archive/2008/05/30/78.aspx

Forget about renaming the server, unless you want to practise DR. That is not supported and will break Exchange.

-M
 
Kaffiend Commented:
I respectfully disagree.  

While it may be more difficult, if you have your own internal Windows CA, you can use that to create a certificate that would work, with ActiveSync, as well as with Outlook 2007.
 
Mestha Commented:
While you can get it to work - it isn't supported.

This is Microsoft's official stance on the use of the self signed certificate: http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx

One of the key lines is this:

"Important:  The self-signed certificate is not supported for use with Outlook Anywhere or Exchange ActiveSync.  "

Using a Windows CA is simply a lot of hassle. You have to import the certificate in to every device - to save $60. Now I don't know what your hourly rate is like, but that doesn't seem worth the bother.

-M
 
TVAN01 (Author) Commented:
Mestha,

We will probably go with something like you suggested. Well, pretty much exactly since you have it outlined so nicely. Just for testing purposes, is it possible to sync over non https channels? I know not recommended, but just so I know the settings are correct in Exchange? If the IP address is changed, is that an issue? Thanks for the help.
 
Mestha Commented:
I don't even attempt to test the feature without using SSL. Many of the issues with this feature are down to certificate problems, so I prefer to wrap up everything in one go. I also don't open port 80 on the firewall at all.

-M
Question has a verified solution.
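
The certificate points raised in this thread (self-signed versus CA-issued, and whether the external host name is on the certificate) can be checked with a read-only script; this is an added example, not code from any poster. It assumes the Exchange Management Shell on the Exchange 2007 CAS server, and Test-EasCertificate is a hypothetical helper name.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 CAS server.
# Test-EasCertificate is a hypothetical helper name, not an Exchange cmdlet. Read-only.
function Test-EasCertificate {
    # Certificates enabled for IIS; OWA and ActiveSync are both served from it.
    $iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })
    if ($iisCerts.Count -eq 0) { Write-Warning 'No certificate is enabled for the IIS service.' }

    foreach ($vdir in Get-ActiveSyncVirtualDirectory) {
        # ExternalUrl is the URL published to devices; empty means none was set.
        $uri = $vdir.ExternalUrl
        if (-not $uri) {
            Write-Warning "$($vdir.Name): ExternalUrl is empty."
            continue
        }
        if ($uri.Scheme -ne 'https') {
            Write-Warning "$($vdir.Name): ExternalUrl is $($uri.Scheme), not https."
        }
        foreach ($cert in $iisCerts) {
            # Domain names Exchange reads from the certificate.
            $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
            # -like lets a wildcard entry such as *.domain.com match; it is looser
            # than real TLS matching, so treat a wildcard hit as "check by hand".
            $covered = @($names | Where-Object { $uri.Host -like $_ }).Count -gt 0
            $cert | Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter,
                @{ Name = 'ExternalHost'; Expression = { $uri.Host } },
                @{ Name = 'HostOnCert';   Expression = { $covered } },
                @{ Name = 'Expired';      Expression = { $_.NotAfter -lt (Get-Date) } }
        }
    }
}

Test-EasCertificate | Format-List
```

A row with IsSelfSigned True, HostOnCert False or Expired True matches the certificate problems discussed in the answers above.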