Exchange Activesync over SSH tunnel?

upwardbound
Hi Folks,

I'm trying to get a Windows Mobile 6.5 device to synchronize with Exchange through a SSH encrypted tunnel and Activesync says it can't find the Exchange server. The SSH tunnel works and I can connect to the command line on the Windows server, but I can't get Outlook on the mobile to sync with the server.  I'm using zaTunnel on the WM6.5 device and FreeSSHd on the server.

The environment is a Windows Small Business Server 2003 SP1 network. I don't want to expose the server directly to the Internet so it is behind an Untangle firewall. I turned on port-forwarding for SSH (port 22).  There are no public certificates.

Our laptops use OpenVPN to connect to the Untangle firewall and Outlook works just fine with that.  I couldn't get OpenVPN to work on Windows Mobile 6.5 through Verizon Wireless broadband. Untangle doesn't work well with PPTP and we use NAT so IPSEC doesn't work either. I also tested with a WM5 device and got the same results with SSH.

I tried forwarding all of these ports without success:
• 990 (RAPI)
• 999 (Status)
• 5721 (DTPT)
• 5678 (Legacy Replication)
• 5679 (Handshake & Legacy Replication)
• 26675 (Airsync)

and separately 443.

I feel like I'm close but I don't know what is missing. So this is the mission should you choose to accept it.

TIA,
Upwardbound
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
Activesync only uses port 80 (without SSL), or 443 (with SSL).  You cannot control this, so you would need to open up port 443 if you want Activesync to work.
Once open, please run the test at https://testexchangeconnectivity.com and report back the results.

Author

Commented:
What if I just forward port 80 or port 443 to the server within the ssh tunnel?

Also, doesn't the use of port 443 require a public certificate?
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
The creation of the tunnel using SSH (as far as I am aware) will not necessarily force Activesync down the tunnel.  It wants to use port 443 or 80 if no SSL is enabled, and forcing this down the tunnel might be tricky.
You can create a Self-Signed SSL certificate which can be installed on each and every device you wish to connect with, but using a 3rd Party SSL certificate can be much easier to administer and manage as the clients do not need to have the certificate installed if they trust the provider.  Places like GoDaddy are trusted by most phones (apart from the older Windows Mobile 5.0 phones, but there is a certificate that can be downloaded to get round that too).
As you have mentioned SBS in your Zones, you can just run the Connect to the Internet Wizard and create a new SSL certificate that matches your Fully Qualified Domain Name e.g., mail.yourdomain.com and then use that for Activesync.
Author

Commented:
alanhardisty,

I will try it. I don't have time to try it until next week.
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
No problems.  I will still be around and will wait for your feedback.

Author

Commented:
I'm still trying to set aside time to do this. I just moved and it's been very time consuming. I plan to work on this today or this weekend.  Thanks for your patience.
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
No probs. Good luck.

Author

Commented:
Didn't get to it yet, plan to try it tomorrow.
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
No worries - appreciate the update.

Author

Commented:
> The creation of the tunnel using SSH (as far as I am aware) will not necessarily force Activesync down the tunnel.  It wants to use port 443 or 80 if no SSL is enabled, and forcing this down the tunnel might be tricky.

I set up port forwarding for 443 (and 80) in the tunnel. It only forwards data sent to 127.0.0.1 on those ports. I had to put 127.0.0.1 in activesync for the Exchange server. That may be messing me up?

> You can create a Self-Signed SSL certificate which can be installed on each and every device you wish to connect with...

I did this and it did not help.

I don't like opening up port 443 on my firewall and server to the world.  Am I correct in my concerns about exposing my Exchange server on port 443 through my firewall or is it low risk?
Alan Hardisty (Co-Owner, Top Expert 2011)
Commented:
You cannot change the ports for the default website / activesync.  They are what they are and have to stay that way.
Activesync uses HTTPS (TCP Port 443) and only HTTPS, so forwarding port 80 won't help or hinder Activesync, but changing the ports in IIS will screw it up big time.
Opening up Port 443 is a slight risk, but the rest of the world operates this way and I have this port open on my server as all my customers do and not one of them has ever been compromised as a result.
IIS also should be set to All Unassigned for the default website otherwise this can cause problems.
My EE Article should get you up and running with Activesync - once that is working, then I would worry about the SSH part, but to be perfectly honest, you are wasting your time trying to secure the process using SSH as it is totally unnecessary:
http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Exchange-2003-Activesync-Connection-Problems-FAQ.html

Author

Commented:
Thanks for your quick response.

The only reason I started this quest was because I was looking for a way for a Windows Mobile 6.5 phone to connect through a VPN to the server to get Outlook data. All of the laptops we have do this (using OpenVPN to the gateway), so I don't have to expose Exchange to the Internet.  I tried OpenVPN but the client for Pocket PC doesn't work on WM6. I tried PPTP, but my gateway/router (Untangle) doesn't support it. I can't do L2TP/IPSec because of the use of NAT inside the network.  

That's why I tried SSH since I knew it can be used for tunnels. I didn't change any ports on the server, only forwarded them through the tunnel on the WM6 phone.

This is for a client and I don't want to have to constantly monitor the IIS/Exchange server and worry about some new exploit.  Is there any other way to accomplish this?
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
A bit of useful reading here suggests that you need to have a WINS server set up to achieve this:
http://www.tomshardware.co.uk/forum/17664-21-activesync 

Author

Commented:
I didn't think I needed name resolution since I didn't use the server name in ActiveSync, I used the IP address.

Author

Commented:
If I have a good VPN connection (i.e. OpenVPN) and use the IP address in ActiveSync for the server, synchronizing works - but OpenVPN only works on WM5, not WM6.

That leads me to believe that I don't need WINS since that is for name resolution and in my test I don't need name resolution.

Am I wrong about this?

Thanks
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
If you know the IP address, then WINS / DNS is not used at all, so you can continue to use the IP Address and not have to worry about WINS etc.
If you don't want to use an IP address, then to resolve the name to an IP address, you will have to use DNS or WINS for the computer name.

Author

Commented:
Okay, so a WINS server will not help.  

When I use the SSH tunnel, it only forwards communication for the ports I configure. In order to use the tunnel (after it's established) I have to put in IP address 127.0.0.1 for the server.

I believe the data path is like this:

ActiveSync on WinMobile-->127.0.0.1:443(SSH Tunnel starts)-->Internet gateway (forwards port 22)-->(SSH server on SBS2003 server)10.0.0.5-->127.0.0.1:443(SSH Tunnel ends)-->Exchange

But in my testing it doesn't work. Perhaps the certificate is not correct? I copied the server's self-signed certificate to the WM device.  When I go into ActiveSync and go into the advanced config for email, I don't see any certificates to choose from, but I think that is only for sending(?).

Anyway, I'm just trying to decide if I should totally abandon the use of SSH and tell my client that we have to expose the server to the Internet.
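The data path above ends with the phone's ActiveSync client opening HTTPS to 127.0.0.1:443, while the self-signed certificate it was given names the server (e.g. mail.yourdomain.com), so TLS hostname verification fails before any sync traffic flows. The script below is an added example, not code from anyone in this thread: it models that name check, builds the OPTIONS request an Exchange ActiveSync client sends first to `/Microsoft-Server-ActiveSync`, parses the reply headers (`MS-ASProtocolVersions`), and offers a probe that connects to the tunnel's local end but verifies the certificate against the server's real name, which the Windows Mobile client cannot be told to do. The port number, hostname and sample response are assumptions or constructed for the example.

```python
import re
import socket
import ssl

# Virtual directory of the Exchange ActiveSync front end.
EAS_PATH = "/Microsoft-Server-ActiveSync"


def hostname_matches(entered_name: str, cert_names: list[str]) -> bool:
    """Emulate TLS hostname checking: the name the client typed must equal one of
    the certificate's names (or fit a single-label wildcard). Typing 127.0.0.1
    for a certificate issued to mail.yourdomain.com therefore fails."""
    entered = entered_name.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == entered:
            return True
        if name.startswith("*."):
            head, sep, tail = entered.partition(".")
            if sep and head and tail == name[2:]:
                return True
    return False


def build_options_request(server_name: str) -> bytes:
    """First request an EAS client sends, to discover supported protocol versions."""
    return (
        f"OPTIONS {EAS_PATH} HTTP/1.1\r\n"
        f"Host: {server_name}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_options_response(raw: bytes) -> dict:
    """Return the HTTP status and the MS-ASProtocolVersions list from an OPTIONS reply.
    200 or 401 both mean the EAS virtual directory answered (401 just wants credentials)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    versions = [v.strip() for v in headers.get("ms-asprotocolversions", "").split(",") if v.strip()]
    return {"status": status, "versions": versions, "eas_endpoint": status in (200, 401)}


def probe_through_tunnel(local_port: int, cert_hostname: str, cafile: str, timeout: float = 10) -> dict:
    """Connect to the tunnel's local end (127.0.0.1:local_port) but verify the server
    certificate against cert_hostname. cafile is the exported self-signed certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection(("127.0.0.1", local_port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=cert_hostname) as tls:
            tls.sendall(build_options_request(cert_hostname))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_options_response(b"".join(chunks))


# Constructed sample reply in the shape an Exchange front end returns to OPTIONS.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"MS-Server-ActiveSync: 6.5.7638.1\r\n"
    b"MS-ASProtocolVersions: 1.0,2.0,2.1,2.5\r\n"
    b"MS-ASProtocolCommands: Sync,SendMail,FolderSync\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    # Assumed name for the SBS certificate; the tunnel target in the thread is 127.0.0.1.
    print("127.0.0.1 matches cert:", hostname_matches("127.0.0.1", ["mail.yourdomain.com"]))
    print(parse_options_response(SAMPLE_RESPONSE))
    # Live check, assumed values: probe_through_tunnel(443, "mail.yourdomain.com", "sbs-selfsigned.cer")
```

With an OpenSSH client the equivalent local forward is `ssh -L 443:127.0.0.1:443 user@gateway`; running `probe_through_tunnel` against it tells you whether the Exchange virtual directory is answering through the tunnel, separating a transport problem from the certificate-name problem the phone itself cannot work around.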
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
Not sure about the path, but it sounds about right.
IMHO - The rest of the world opens up port 443 using an SSL certificate happily and I have yet to see an issue that has arisen because of it.

Author

Commented:
Thanks for all of your help!
Alan Hardisty (Co-Owner, Top Expert 2011)

Commented:
You are welcome - hope you can resolve the HTTPS issue without having to resort to SSH.
