Solved

Need Help IPhone with Exchange 2003 and ISA 2006

Posted on 2010-01-11
698 Views
Last Modified: 2013-11-29
I am wanting to get iPhones working with our Exchange servers, and there is just too much conflicting information out there, so I am posting questions.

I am running Exchange 2003 SP2 with ISA 2006.

My first question is: do I have to download and install ActiveSync on Exchange 2003, or is there just something I enable that is related to ActiveSync? I keep running across things saying simply to enable IMAP?? It's just getting confusing.

2. I need help with the SSL portion on ISA 2006: what rule do I need to write to bind my SSL into an ISA rule?
0
Question by:redvipergts
40 Comments
 
LVL 16

Accepted Solution

by:
Raheem05 earned 308 total points
ID: 26284553
Please take a look at an excellent article Alanhardisty wrote on his website.

Regarding ISA, treat it as a firewall; just make sure the right ports are open as per Alan's article:

http://www.it-eye.co.uk/faqs/readQuestion.php?qid=1

Also, to test Exchange ActiveSync:

https://www.testexchangeconnectivity.com/
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26284656
So do I have to install ActiveSync on the Exchange server????
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26284702
The ActiveSync virtual directory will already exist in IIS as part of the Exchange install; you will see it if you expand your default website. Just follow Alan's article, set the settings required, and you're done.
0
 
LVL 16

Assisted Solution

by:Raheem05
Raheem05 earned 308 total points
ID: 26284739
I think you're getting confused between ActiveSync as a client and ActiveSync as a virtual directory in Exchange. If you open IIS on your Exchange server

and expand your default website, you will see the Exchange ActiveSync directory; this is what we mean when we say ActiveSync.

Please follow this guide. I was in the same boat, as were a lot of other frustrated Exchange admins, and Alan's article was the light at the other end of the tunnel. There is a lot of confusion on the web, and the reason for Alan writing this article was to clear this up.

Copied from Alan's article as per the above link:

Why can't I get my iPhone / Windows Mobile Phone to sync to my Exchange 2003 Server?
Answer

Firstly, you need to make sure that you have Exchange Server 2003 Service Pack 2 Installed. To check if you have it installed, open up Exchange System Manager - Start, Programs, Microsoft Exchange, System Manager. Then expand Servers, Right-Click your server and choose Properties. This will display whether you have SP2 installed or not. If you do not have SP2 installed you can download it here - http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

If you have got SP2 installed, check on https://testexchangeconnectivity.com to see if everything is working properly by running the Exchange Activesync check. The site is an official Microsoft site specifically for testing Exchange installations and connectivity. The test will fail if you use a self-signed SSL certificate, in which case, you'll need to check the "Ignore Trust for SSL" checkbox. On the ActiveSync test page, you are asked whether you wish to use Autodiscover to detect the settings or to manually specify server settings. Exchange 2003 does not have native autodiscover, so you will most likely need to choose the latter option and provide the server name.

If you are trying to make an iPhone work, then you can also download the free iPhone App 'Activesync Tester' and this should identify any problems with your configuration or you can click on the following link: https://store.accessmylan.com/main/diagnostic-tools

You also need to ensure that TCP Port 443 is open and forwarded on your firewall to your Exchange server. You don't need to open up any other ports to get Activesync working, just TCP port 443.

Please check and mirror the settings below (Open up IIS, expand the default website then expand the relevant Virtual Directory, right-click on the Virtual Directory and choose properties, then click on the Directory Security Tab):

Exchange Virtual Directory
  • Authentication = Integrated & Basic
  • Default Domain = NETBIOS domain name - e.g., yourcompany
  • Realm = yourcompany.com
  • IP Address Restrictions = Granted Access
  • Secure Communications = Require SSL NOT ticked

Microsoft-Server-Activesync Virtual Directory
  • Authentication = Basic
  • Default Domain = NETBIOS domain name - e.g., yourcompany
  • Realm = NETBIOS name
  • IP Address Restrictions = Granted Access
  • Secure Communications = Require SSL and Require 128-Bit Encryption IS ticked

ASP.NET should be set to version 1.1 for all virtual directories listed above. If you cannot see the ASP.NET tab, you only have v 1.1 installed so do not worry. If any version other than 1.1 is selected, please change it to v 1.1.4322.

No other virtual directories are involved when using Activesync (apart from exchange-oma on SBS 2003 or when Forms Based Authentication is enabled) - despite having seen other postings suggesting that there are.

Although requiring SSL on the virtual directories mentioned above would be recommended, Microsoft actually recommend disabling it as per the following article in their knowledgebase: http://support.microsoft.com/kb/817379 Nevertheless, ActiveSync and OWA access should still run over a secure HTTPS session (port 443), as standard procedure states you should not open port 80 to the Exchange Server through your firewall.

Please also check that Ignore Client Certificates is selected under the IISADMPWD virtual directory / Directory Security Tab / Edit Secure Communications Button. This Virtual Directory may not exist if you have not set up the ability to reset passwords via Outlook Web Access (OWA).

For Small Business Server 2003 Users - please check this MS article - http://support.microsoft.com/kb/937635

Make sure that the name on the SSL certificate you have installed matches the Fully Qualified Domain Name (FQDN) that you are connecting to for ActiveSync - for example, mail.microsoft.com. If it does not match, either re-issue the certificate if you created it yourself, or re-key the certificate from your SSL certificate provider.

Activesync is much easier to get working with a purchased SSL certificate (installed on the default website but you can generate your own and still make it work). GoDaddy seem to be offering the cheapest SSL certificates (at the time of writing this article).

Ensure that the IP for the Default Website is set to All Unassigned and using port 80 (open up IIS, Right-Click the Default Website). If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync!

If you make any changes to IIS, you will need to reset IIS settings. Please click on Start, Run and type IISRESET then press enter.

Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab). If it is -- read http://support.microsoft.com/kb/817379

Once all of the above has been checked, if you have made any changes, please re-visit https://testexchangeconnectivity.com and your test should now pass all checks and Activesync should be working happily for you.

If you still cannot get Activesync to work or keep getting an HTTP 500 error, please follow Method 2 in KB Article 883380 http://support.microsoft.com/kb/883380 and this should resolve the issues. This essentially deletes the Metabase (which can be corrupted) and rebuilds it. Rebuilding it often clears up problems that all the other steps above do not resolve.

After following KB883380 and if Activesync still does not work and it keeps coming up with HTTP 500 errors, please do the following:

  • Disable Forms Based Authentication - Exchange HTTP Protocol (if enabled)
  • Remove SSL settings from the Exchange IIS virtual directory
  • Run iisreset
  • Test activesync without SSL selected - hopefully this should work or give the OK result
  • If okay - right-click on the Exchange Virtual Directory and select All Tasks > Save Configuration to a File. Name the file Exchange and save to the desktop
  • Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file 'EntireRegistry' and save the backup of the registry to the desktop
  • In regedit - locate HKLM \ System \ CurrentControlSet \ Services \ MasSync \ Parameters and delete the ExchangeVDir key from the right-hand pane.
  • Close Regedit
  • Right-click on the default website and select New > Virtual Directory from File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read File, select Exchange from the 'Select a configuration to import' section and click on OK. Select 'Create a new virtual directory', name the directory 'exchange-oma' and click OK.
  • Right-click on the Exchange-OMA virtual directory you just created and click Browse - you should see OWA open up happily
  • Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value, then change the value to read /exchange-oma
  • Close regedit
  • Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory
  • Enable Forms Based Authentication (if you want to use it) on Exchange > Protocols > HTTP
  • Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
  • Check that the Exchweb virtual directory does not have SSL enabled
  • Run iisreset
  • Test Activesync - should hopefully be working now

Please also check the LAN Adapter Binding order to make sure the NIC that Exchange is bound to is at the top of the list (Start> Run> [type] ncpa.cpl [press enter]> Advanced> Advanced Settings> Connections).

I have had Activesync work despite seeing "An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: HTTP/1.1 403 Forbidden" at the end of the test above. To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26284797
Treat ISA just as a firewall and you are opening yourself up to trouble before you start - it is hardly just 'a firewall'.
The MS walkthrough of publishing Exchange 2003 via ISA 2006 can be found here.
http://technet.microsoft.com/en-us/library/bb794845.aspx

This covers all aspects from the SMTP traffic itself through to OWA, OMA, ActiveSync etc. Bear in mind that with ISA, you only get the one attempt to use ActiveSync - and that is when you run the publishing rule wizard. If you do not tick the ActiveSync box, you cannot later add ActiveSync from the ISA GUI; you would need to run the publishing wizard again.

Keith - ISA Forefront MVP
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 156 total points
ID: 26284798
ActiveSync will already be installed on the Exchange/IIS box.
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26284826
Hi Keith, have I missed something... ISA is a firewall. OK, it does more, but it is still classed as a firewall. Excuse my ignorance, but maybe you could correct me :)

http://www.isaserver.org/articles/What-is-ISA-2006-Firewall.html

0
 
LVL 3

Expert Comment

by:jPDave
ID: 26285045
Microsoft officially pronounce it as a 'Security Gateway'!
That's more than a firewall ;)
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26285056
lol apologies "Security Gateway" it is :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26285123
ISA is a forward/reverse application gateway covering layer 3 through to layer 7. You may have noticed that I use Microsoft documentation as opposed to a third-party site. You will also have seen that 'firewall' has never appeared in the MS naming nomenclature; being a firewall is simply one of its functions at the lower layers of the OSI model.

As you likely know yourself, if you tried publishing Exchange through ISA in the same way you would with a simple firewall then you would have serious issues.
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26285136
Agreed Keith, my bad. Thanks for clearing this up :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26285825
@raheem05 - just a little heads-up about copying content from websites. This is generally not allowed on EE due to copyright infringement etc. I don't mind personally, but please be aware of doing so in other questions ;-)

Best practice on EE is to post the link which Demazter has already done.

I started posting in EE from a word doc, but it kept getting updated, so created the FAQ so I could link to it and it would always be up-to-date.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26287913
Guys, that link that was also pasted on here is, to me, vague at best... I think I have gone through the steps properly but honestly don't know for sure; there is a lot there I have never dealt with before.

As of now I am trying to get my iPod to connect. I have gone through the setup steps:

Entering my Email address
Server Name
Username
Password
Description

As listed in this tutorial
http://blog.fosketts.net/2008/07/10/how-to-set-up-iphone-exchange-activesync/

But everything keeps failing... Seems there is nothing out there that is just cut and dried. I need something that says this is what you do, AND this is how you do it. The instructions written by Alan were pretty much "this is what you do, now go figure out how to do it".
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26287948
You learn something every day. Sorry Alan, and thanks for pointing this out to me; I was not aware of this.

Redvipergts, I disagree, because I followed Alan's article step by step and nailed it within minutes. What does the Exchange ActiveSync test result bring back? I posted the link above.

Alan maybe you can pitch in here :)
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26287962
Also, what part of the steps do you not understand? Just post on here and we will clear it up; we will get there :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26288062
No problems Raheem - just making sure you don't fall foul in the future.

@redvipergts - my FAQ cannot give a step-by-step guide because there are too many possible problems.

1st place to start is to make sure you have Exchange 2003 Service Pack 2. If you have, then visit https://testexchangeconnectivity.com and run the Exchange Activesync test, entering the server settings manually. If you are using a self-signed certificate, tick "Ignore Trust for SSL" and then post your results.

Once I know what is not working, I can guide you as to what to do next and hopefully get you working quickly.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26288134
Well, for one thing, I have seen where it says use the name of the ActiveSync server. Is this going to be the same as my server name???
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26288144
Thanks Alan :). I will leave this with Alan now; you're in good hands, redvipergts.

The ActiveSync server will be the domain name of your OWA server, so https://company.com
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26288145
That should be something like mail.yourdomainname.com.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26288241
Here are the results of the ActiveSync test. Obviously I have removed and replaced our personal data with X's.

Attempting to resolve the host name mail.xxxxx.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: x.x.x.x
 
 Testing TCP Port 443 on host mail.ns-llc.com to ensure it is listening and open.
  The port was opened successfully.
 Testing SSL Certificate for validity.
  The certificate passed all validation requirements.
   Test Steps
   Validating certificate name
  Successfully validated the certificate name
   Additional Details
  Found hostname mail.xxxxx.com in Certificate Subject Common name  
 
 Testing certificate date to ensure validity
  Date Validation passed. The certificate is not expired.
   Additional Details
  Certificate is valid: NotBefore = 10/18/2008 12:11:45 AM, NotAfter = 10/18/2010 12:11:45 AM"  
 
 
 
 Testing Http Authentication Methods for URL https://mail.xxxxx.com/Microsoft-Server-Activesync/ 
  Http Authentication Methods are correct
   Additional Details
  Found all expected authentication methods and no disallowed methods. Methods Found: Basic  
 
 Attempting an ActiveSync session with server
  Errors were encountered while testing the ActiveSync session
   Test Steps
   Attempting to send OPTIONS command to server
  Testing the OPTIONS command failed. See Additional Details for more info
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown  
 
 
 
 
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26288322
Also, it says that we have to have IMAP4 open on the firewall. Is that TCP port 143 outbound????
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26288331
A 401 error is usually an incorrect username / password problem.

Please check the credentials and try again.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26288340
IMAP is not needed for ActiveSync.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26288409
Well, if it is a username/password combo then I'm really confused.

I am using the same name and password I would use for OWA.

Example:
Mail.XXXXX.com\Name
Password

Is there a problem with that format??

Also, when doing the test I am checking the tab "Manually Specify Server Settings" and entering the same Mail.XXXXX.com as I input in the domain\name field.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26288437
When entering the username, you don't need the domain part.

Try without and see what you get then.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26288473
It won't even let me run the test without the domain entered into that field.

As soon as I remove the domain I get an immediate message that says:

Error
This field is in an invalid format or has invalid characters
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26288515
I'll be back in about 35 minutes, just doing some cycling on a static bike.

I can give you my undivided attention once I have done.  Only so much you can achieve on an iPod!
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26288854
Okay - sorry about that.  I meant iPhone not iPod above - not much you can do on the web with an iPod (yet)!
Anyway, the test site requires the following details:
Activesync Server: e.g., mail.yourdomain.com (something that resolves in DNS to the IP Address of your mail server)
Domain\Username: self explanatory, but the domain should be your internal NETBIOS domain name (from a command prompt type SET, press return, and see what USERDOMAIN shows - enter this as the domain).
Password:
Confirm Password:
Sync All Items: Please tick
Ignore Trust for SSL: Tick if using a self-certified SSL certificate
I acknowledge.....: Tick or no test!
If you have done all that and still get the 401 error, then I will be a little surprised.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26289063
Well, I'm not at my data center anymore, but the last thing I tried before leaving was installing ActiveSync on my iPod. The result was:

"Active sync is available but there is a certificate error". Now, we do have a self-signed SSL certificate, so if that is the only issue we have left to work around then I think we are closing in on the solution.

0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26289092
Does the name in the certificate match the name you are using to access your server via the iPhones e.g., mail.yourdomain.com?  If not, this will be a problem.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26294004
I believe it does, but I may be looking at the wrong thing... How do I verify the certificate matches the server?
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26294028
Would it affect things that we are using RPC over HTTPS?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26294125
No - unrelated.

Cert name should be visible if you open it using IIS.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26294208
Please provide the steps to verify in IIS; I want to make sure I'm looking at exactly the right thing.
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26294649
OK, at this point here is where I'm at... I can get the ActiveSync tester via the PC to work just fine by changing the input of the domain\username field. For example, the server input field is MAIL.XXXX.COM; however, in the domain\username field I just put XXXXX.com\Name.

Is this right? It did the test successfully when entered like that... However, I am still getting the certificate error for ActiveSync on the iPhone.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26294853
Open up IIS. Expand to your Default Website, right-click on it and choose Properties, click on the Directory Security tab, then click on View Certificate.
Issued To is the relevant detail - does Issued To match your FQDN?
Do you want to drop me an email with your domain details and details of a test account, so I can run the test for you? If so, please drop me a line at alan @ it-eye.co.uk
0
 
LVL 1

Author Comment

by:redvipergts
ID: 26295010
OK, now how do I verify my FQDN???

After following those steps I believe my certificate is issued correctly: mail.XXXXX.com

But I am a bit confused. When running the ActiveSync test, when I fill in the field
"Manually Specify Server Settings" I enter Mail.XXXXX.com

Under domain\username I entered XXXXX.com\Name

So should my certificate be issued to Mail.XXXXX.com or XXXXX.com,
or is this even relevant??
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1536 total points
ID: 26295063
The FQDN is the name you are using to access Activesync externally in the format of mail.yourdomain.com or similar - basically if it resolves in DNS to your server and the name matches the certificate name, then that is what you should be using in Activesync.
When testing Activesync, you should be entering XXXXXX\Name not XXXXXX.com\Name - the XXXXXX should match the internal NETBIOS domain name found on the server if you type SET from a command prompt and the setting is the USERDOMAIN detail.
0
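The following Python is an added example (not the test site's code, not from Alan's FAQ, and not posted by anyone in this thread) that re-creates offline the checks seen in the asker's posted test output above (certificate name vs FQDN, certificate dates, authentication methods on /Microsoft-Server-ActiveSync) together with the Domain\Username rule Alan gives in his last comment. The host name mail.example.com, the certificate dates and the logon names are constructed placeholders.

```python
"""Offline re-creation of the connectivity-test checks discussed in this thread
(certificate name vs FQDN, certificate dates, authentication methods offered by
/Microsoft-Server-ActiveSync) plus the Domain\\Username rule that fixed the 401.
Added example, not the test site's code; all sample values are constructed."""
import ssl

# Alan's FAQ: the Microsoft-Server-Activesync virtual directory offers Basic only.
EXPECTED_AUTH = {"basic"}


def cert_matches_hostname(cert, hostname):
    """'Validating certificate name': cert is a dict shaped like
    ssl.SSLSocket.getpeercert(); the CN or a DNS SAN must equal the FQDN,
    or be a wildcard covering exactly one label."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False


def cert_dates_valid(cert, now):
    """'Testing certificate date': now (epoch seconds) inside notBefore..notAfter."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def check_auth_methods(www_authenticate):
    """'Testing Http Authentication Methods': one scheme per WWW-Authenticate
    header value from the 401 returned to an unauthenticated OPTIONS request."""
    found = {v.strip().split(" ", 1)[0].split(",", 1)[0].lower()
             for v in www_authenticate if v.strip()}
    return {"found": sorted(found),
            "missing": sorted(EXPECTED_AUTH - found),
            "unexpected": sorted(found - EXPECTED_AUTH)}


def check_logon_name(logon):
    """Domain\\Username rule from the thread: the domain part is the internal
    NETBIOS name (USERDOMAIN in SET), never a DNS name or the server FQDN.
    Returns (ok, reason)."""
    if "\\" not in logon:
        return False, "no domain: expected NETBIOSDOMAIN\\username"
    domain, user = logon.split("\\", 1)
    if not domain or not user:
        return False, "empty domain or username"
    if "." in domain:
        return False, f"'{domain}' is a DNS name; use the NETBIOS domain instead"
    return True, "ok"


def run_sample():
    """Constructed inputs mirroring the asker's posted test run (host name,
    certificate dates and logon names are placeholders)."""
    cert = {"subject": ((("commonName", "mail.example.com"),),),
            "notBefore": "Oct 18 00:11:45 2008 GMT",
            "notAfter": "Oct 18 00:11:45 2010 GMT"}
    return {
        "name_ok": cert_matches_hostname(cert, "mail.example.com"),
        "dates_ok": cert_dates_valid(cert, ssl.cert_time_to_seconds("Jan 11 12:00:00 2010 GMT")),
        "auth": check_auth_methods(['Basic realm="mail.example.com"']),
        "logon_dns": check_logon_name("example.com\\jsmith"),   # the asker's failing form
        "logon_netbios": check_logon_name("EXAMPLE\\jsmith"),   # the form that worked
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```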
 
LVL 1

Author Comment

by:redvipergts
ID: 26308191
All this combined and I got it figured out. Thanks so much for your help Alan; the final key was the username field. Once I changed it to xxxxx\Name and removed the .com, everything started working.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26308212
Excellent news - glad you got it going in the end.  Thanks for the points.

Alan
0