Switched to Exchange 2003 Front end/Back now iPhones wont get email
So I changed from a single Exchange setup to a front end/back end setup using the existing server as a front end server and moved all of the mailboxes to a clustered back end Server. Everything is working(except iPhones), we even have blackberry Enterprise server with blackberry phones that are all working. Before the change iPhone 3G were working and using the OWA external DNS address using IMAP.
Every since I moved mine and everyone's mailboxes to the back end server, the iPhones will not update. I have added the IMAP Clustered service and is started following the microsoft white paper on how to setup the IMAP service on a clustered server. The front end Server IMAP configuration has remained the same. The service is up and running as I can telnet to the ports via 143 and 993 on both the front end and back end servers. What is different is telnet to the front end port 143 gives me "* Bye Connection refused". I assume that is because it is set to "require secure channel" in the IMAP properties under communication.
I assume that in the front end/back end configuration that the front end will get the IMAP request and send it on down to the back end server that has the mailboxes. I have not been able to find a true answer to this. Again this worked before when it was just a single exchange setup where everything was on the one server. What could be the problem here? Email, OWA is flowing just fine.
So with my iPhone it again has not been able to connect since the move to the back end exchange server. And to be even more specific it was not the change "checking the box making it a front end server and rebooting" that did it. I waited to move my mailboxes to the last one. As soon as I moved it to the back end server is when it stopped working. I have not tested this out yet but I am willing to bet that if I create a mailbox on the front end server it will work.
I even tried to take out the exchange account from the iPhone and add it back in. I know it is not a port issue with the phone trying to connect as I have VPN'd from the phone so it is on the inside of the network and it still cannot connect. It is stuck trying to add the account and will not do anything. Any suggestions? Sorry for the long post but I figure the more information the better.
Every since I moved mine and everyone's mailboxes to the back end server, the iPhones will not update. I have added the IMAP Clustered service and is started following the microsoft white paper on how to setup the IMAP service on a clustered server. The front end Server IMAP configuration has remained the same. The service is up and running as I can telnet to the ports via 143 and 993 on both the front end and back end servers. What is different is telnet to the front end port 143 gives me "* Bye Connection refused". I assume that is because it is set to "require secure channel" in the IMAP properties under communication.
I assume that in the front end/back end configuration that the front end will get the IMAP request and send it on down to the back end server that has the mailboxes. I have not been able to find a true answer to this. Again this worked before when it was just a single exchange setup where everything was on the one server. What could be the problem here? Email, OWA is flowing just fine.
So with my iPhone it again has not been able to connect since the move to the back end exchange server. And to be even more specific it was not the change "checking the box making it a front end server and rebooting" that did it. I waited to move my mailboxes to the last one. As soon as I moved it to the back end server is when it stopped working. I have not tested this out yet but I am willing to bet that if I create a mailbox on the front end server it will work.
I even tried to take out the exchange account from the iPhone and add it back in. I know it is not a port issue with the phone trying to connect as I have VPN'd from the phone so it is on the inside of the network and it still cannot connect. It is stuck trying to add the account and will not do anything. Any suggestions? Sorry for the long post but I figure the more information the better.
Any reason you are using IMAP and not ActiveSync?
The usual reason for this kind of failure is an authentication or other mismatch between the frontend and the backend. A self signed SSL certificate can also generate problems as well, and it should be replaced with a commercial certificate on the frontend server only.
Simon.
The usual reason for this kind of failure is an authentication or other mismatch between the frontend and the backend. A self signed SSL certificate can also generate problems as well, and it should be replaced with a commercial certificate on the frontend server only.
Simon.
ASKER
To add more information and testing that I did. I am using a godaddy commercial certificate on the front end server. That has always been the case. So I changed the configuration on my iphone. I VPN'd into the internal network and on the phone put the internal IP address for the backend server that has the mailboxes and took off the setting to use SSL and sure enough it worked and pulled down all email. We are using ActiveSync as I noticed it installed on the front end last night. Sorry I am new to the IMAP and ActiveSync. So I installed ActiveSync on the back end server as well. Does it need to be installed on the back end server as well?
I looked in the event log of the front end server and am getting lots of
EventID:3005
Source:ActiveSync
Unexpected Exchange mailbox Server error: Server: [Servername] User: [Username] HTTP status code: [503]. Verify that the Exchange mailbox Server is working correctly.
I followed an articles out there with deleting the Microsoft-Server-Active-Sy
I also reinstalled ActiveSync on the Front end.
Once thing I noticed is I when I first try to sync up the iphone to connect, I get the certificate warning and click ok. It then usually asks me one or two times to re put in my password even though I know I put it in correct. What is going on here?
I looked in the event log of the front end server and am getting lots of
EventID:3005
Source:ActiveSync
Unexpected Exchange mailbox Server error: Server: [Servername] User: [Username] HTTP status code: [503]. Verify that the Exchange mailbox Server is working correctly.
I followed an articles out there with deleting the Microsoft-Server-Active-Sy
I also reinstalled ActiveSync on the Front end.
Once thing I noticed is I when I first try to sync up the iphone to connect, I get the certificate warning and click ok. It then usually asks me one or two times to re put in my password even though I know I put it in correct. What is going on here?
ASKER
And another update:
I went to this site http://www.chicagotech.net/netforums/viewtopic.php?t=5786
to verify the security settings. The front end server had everything correct. I noticed on the back end server that Integrated Windows authentication was not checked in the Default website directory security. I checked the box and reset IIS.
"Exchange" directory has integrated windows authentication and basic windows authentication checked. I did not change this as I don't want to keep making changes to a default exchange setup on the backend. Does it need to be the same as the front end? Is it different because it is a cluster. I don't want to break the cluster by changing this.
"Microsoft-Server-Activesy
I went to this site http://www.chicagotech.net/netforums/viewtopic.php?t=5786
to verify the security settings. The front end server had everything correct. I noticed on the back end server that Integrated Windows authentication was not checked in the Default website directory security. I checked the box and reset IIS.
"Exchange" directory has integrated windows authentication and basic windows authentication checked. I did not change this as I don't want to keep making changes to a default exchange setup on the backend. Does it need to be the same as the front end? Is it different because it is a cluster. I don't want to break the cluster by changing this.
"Microsoft-Server-Activesy
ASKER
Does the backend exchange server need to have a certificate as well? Does it need to have a commercial certificate installed even though it is not a front end server or access from the internet?
There should be no certificate on the backend servers.
If you suspect that the authentication settings are incorrect, then reset the virtual directories on the backend servers. After doing so, leave them alone.
http://support.microsoft.com/default.aspx?kbid=883380
Simon.
If you suspect that the authentication settings are incorrect, then reset the virtual directories on the backend servers. After doing so, leave them alone.
http://support.microsoft.com/default.aspx?kbid=883380
Simon.
ASKER
I do not know for sure if the authentication settings on the back end server are incorrect. If they were would it let me VPN in to the network and connect to the internal IP of the backend server and it work? The article that I posted a link to is an old article so I am not sure how accurate it is now? It just doesnt seem to make sense to be making changes to IIS, etc when it is freshly built so the IIS settings should be the way they need to be.
Is there anything I need to do to get the ActiveSync to work between the front end and back end servers? That is what seems to not be working.
Some more info the Exchange servers are all running the same version and latest patches. Version 6.5(Build 7638.2: Service Pack 2)
Is there anything I need to do to get the ActiveSync to work between the front end and back end servers? That is what seems to not be working.
Some more info the Exchange servers are all running the same version and latest patches. Version 6.5(Build 7638.2: Service Pack 2)
Sync not working between the two is a classic case of authentication problems. It is perfectly possible for it to work hitting the backend server directly because the frontend/backend servers communicate in a slightly different way. Remember fe/be is inter-server communication, whereas device to server is not.
A standard practise for me when introducing a frontend server is to reset the virtual directories on the backend server, removing forms based authentication and any SSL certificate, require SSL certificate as well. The backend servers need to be as close to out of the box config as possible.
Simon.
A standard practise for me when introducing a frontend server is to reset the virtual directories on the backend server, removing forms based authentication and any SSL certificate, require SSL certificate as well. The backend servers need to be as close to out of the box config as possible.
Simon.
ASKER
Thank you Simon. I too believe that it is an authentication issue from what is happening. For me I introduced the backend server last as the front end server has been there, just not configured as one. The backend server is as close to out of the box as can be being a clustered server.
By default building the Exchange cluster service resources it does not include creating the POP3 and IMAP Resource. In this case is IMAP not even being used since Sync is installed? I am just not sure if Sync uses IMAP or not. This also brings me to another question. Since exchange does not create the IMAP service I had to add it separately. I went by this article http://support.microsoft.com/default.aspx?scid=kb;EN-US;818480 and followed the instructions. Do think it can be possible that by adding the IMAP and well the other Services like Exchange HTTP virtual Server through a cluster would cause the settings to be a little different out of the box compared to installing a normal backend exchange non-clustered server?
Like I had mentioned before with an out of the box installation of IIS and Exchange HTTP Virtual Server
http://www.msexchange.org/tutorials/Implementing-Two-Node-Cluster-Windows-2003-Enterprise.html
The IIS settings seem to be a bit different than this article. http://www.chicagotech.net/netforums/viewtopic.php?t=5786 Can someone else that has a clustered exchange backend server confirm the following settings with me. I am showing you the settings the article say they need to be and below each one underlined is the settings mine are out of the box.
Backend Server
Enable anonymous access and Integrated Windows Authentication are checked in both fault web site
My default Web site has "Enable anonymous access" checked, nothing else checked.
Integrated Windows Authentication is checked in exadmin directory.
My Exchange Virtual Server exadmin directory has "Integrated Windows authentication" checked, nothing else checked.
Only Basic Authentication is checked in Exchange, Microsoft-Server-ActiveSyn
My Exchange directory on my two clustered servers have "Integrated Windows authentication" AND "Basic authentication" checked. This is from an out of the box cluster config. The other two directories only have "Basic Authentication" checked.
Frontend Server
Enable anonymous access and Integrated Windows Authentication are checked in both fault web site
My default Web site has "Enable anonymous access" and "Integrated Windows authentication" checked
Integrated Windows Authentication is checked in exdmin directory.
Exadmin directory has "Integrated Windows authentication" checked, nothing else checked
Only Basic Authentication is checked in Exchange, Microsoft-Server-ActiveSyn
My Exchange, Microsoft-Server-ActiveSyn
So you can see the difference between the two. Do the front end and back end servers need to be identical for the IIS settings?
By default building the Exchange cluster service resources it does not include creating the POP3 and IMAP Resource. In this case is IMAP not even being used since Sync is installed? I am just not sure if Sync uses IMAP or not. This also brings me to another question. Since exchange does not create the IMAP service I had to add it separately. I went by this article http://support.microsoft.com/default.aspx?scid=kb;EN-US;818480 and followed the instructions. Do think it can be possible that by adding the IMAP and well the other Services like Exchange HTTP virtual Server through a cluster would cause the settings to be a little different out of the box compared to installing a normal backend exchange non-clustered server?
Like I had mentioned before with an out of the box installation of IIS and Exchange HTTP Virtual Server
http://www.msexchange.org/tutorials/Implementing-Two-Node-Cluster-Windows-2003-Enterprise.html
The IIS settings seem to be a bit different than this article. http://www.chicagotech.net/netforums/viewtopic.php?t=5786 Can someone else that has a clustered exchange backend server confirm the following settings with me. I am showing you the settings the article say they need to be and below each one underlined is the settings mine are out of the box.
Backend Server
Enable anonymous access and Integrated Windows Authentication are checked in both fault web site
My default Web site has "Enable anonymous access" checked, nothing else checked.
Integrated Windows Authentication is checked in exadmin directory.
My Exchange Virtual Server exadmin directory has "Integrated Windows authentication" checked, nothing else checked.
Only Basic Authentication is checked in Exchange, Microsoft-Server-ActiveSyn
My Exchange directory on my two clustered servers have "Integrated Windows authentication" AND "Basic authentication" checked. This is from an out of the box cluster config. The other two directories only have "Basic Authentication" checked.
Frontend Server
Enable anonymous access and Integrated Windows Authentication are checked in both fault web site
My default Web site has "Enable anonymous access" and "Integrated Windows authentication" checked
Integrated Windows Authentication is checked in exdmin directory.
Exadmin directory has "Integrated Windows authentication" checked, nothing else checked
Only Basic Authentication is checked in Exchange, Microsoft-Server-ActiveSyn
My Exchange, Microsoft-Server-ActiveSyn
So you can see the difference between the two. Do the front end and back end servers need to be identical for the IIS settings?
ASKER
Ok updated information
I have built a brand new backend exchange server with default settings. This is a non clustered exchange back end server with the very basic setup and is up to date with all updates. I am able to email inbound/outbound and OWA from this account but same problem it wont work with mobile device and I get the same 3005 Event error in the event log.
It has to be the front end server, but what??
I have built a brand new backend exchange server with default settings. This is a non clustered exchange back end server with the very basic setup and is up to date with all updates. I am able to email inbound/outbound and OWA from this account but same problem it wont work with mobile device and I get the same 3005 Event error in the event log.
It has to be the front end server, but what??
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you again Simon. Exactly what I am doing now is building a new front end. I am sure that something is wrong with the Front end but I would really like to know specifically what. I may try and rebuild the virtual directories and see if that fixes it. Will have to wait till this weekend.
ASKER