Exchange ActiveSync with internal domain?

I have a customer that has Exchange 2003 set up as an internal server only. It is set up to host domain.local only. Several of the customers use POP3 accounts for outside email, which dumps into their mailbox via Outlook.

They now want to start using Exchange ActiveSync for their iPhones. I have set everything up and requested an SSL certificate. When I run the MS Exchange Remote Connectivity Analyzer, this is what I receive:

Testing Exchange ActiveSync
  Exchange ActiveSync test Failed
  Test Steps
    Attempting to resolve the host name (external IP address) in DNS.
      Host successfully resolved
      Additional Details
        IP(s) returned: (external IP address)
    Testing TCP Port 443 on host (external IP address) to ensure it is listening and open.
      The port was opened successfully.
    Testing SSL Certificate for validity.
      The SSL Certificate failed one or more certificate validation checks.
      Test Steps
        Validating certificate name
          Certificate name validation failed
          Additional Details
            Host name (external IP address) does not match any name found on the server certificate CN=fam01, OU=Domain Control Validated, O=fam01

I obviously recreated the SSL certificate incorrectly. Does anyone know what I would need to do to create a valid SSL certificate? I created/purchased the SSL through and chose the option for an internal certificate. I did this since their Exchange isn't available to the outside world.

Thanks for the assistance in advance!

Alan Hardisty (Co-Owner) commented:
Have a read of my Exchange 2003 / ActiveSync article and check your settings.
It also sounds like your certificate has not been set up properly. The FQDN you use to access the server with on your phones needs to match the name on the certificate, otherwise it will fail.
If you use an IP address to connect via ActiveSync, the cert needs to have an IP address in it, but you should not really be using an IP address, as they can change.
Have a read of my article and shout if you need any further help:
Ah well, you need to create a certificate request from the IIS default website, and when you are entering the information make sure that you put in your external URL (OWA) or your external IP host (A) record so that it matches the certificate.
I think ActiveSync will still connect, although with warnings. Better to straighten this out.
"I did this since their exchange isn't available to the outside world."

>>> This is debatable. It is obviously available to the outside world if port 443 is open for it on the firewall. So you will still need a certificate that matches the external IP address. Do these people use Outlook Web Access?
BTW, here is a good article for you to use:

SureTech (Author) commented:
alanhardisty: I have previously read your article, and a fine one it is. Thank you for taking the time to post it. It was very helpful. I was not sure how to set up the FQDN since the Exchange server isn't processing mail from the outside world. Typically, you would use something along the lines of, but ours would be mail.cvmc.local, which wouldn't work. I realize using an IP address isn't the best idea, but it is a static IP and should never change unless the customer decides to change ISP. Since they have been with the current ISP for over 10 years, I don't see things changing anytime soon.

Hilal1924: I did request the certificate through the IIS Default Website. I can't remember what information I filled out, but I must not have used the external IP address. I have not tried to connect the iPhone yet, as I was unable to pass the MS Exchange Remote Connectivity Analyzer. However, I did just try to connect to the Exchange server via external IP\exchange and I was greeted with a message stating the certificate had a problem and asking whether or not I wished to proceed. I said yes, was then prompted for username/password and, once provided, got in flawlessly. I'm now wondering if ActiveSync would work as well? BTW, I understand that with 443 open through the firewall, Exchange is available to the outside world. I meant it to read that it does not process mail from the outside world. They do not use OWA and until now it was not available.

So, if I understand correctly: I need to remove my current certificate, request a new certificate using the external IP address (x.x.x.x), purchase the new certificate and, once received, add it to the Default Website in IIS. Then I should be able to set up the iPhone?

Thanks for both of your great insight and assistance!
"Request new certificate using the external IP address (x.x.x.x)."
Actually, an IP address is never entered in a certificate request. All you need is an external host (A) record which is published on your external DNS. For example, my internal server name is hilal.local and I have assigned it a public IP On my external I will set up a host record and point it to Then when I am generating the CSR I will make sure that I use as the Common Name.
This is a really good article (. You will see that when you generate the certificate it will ask you for a common name, and that is where you will need to put an externally published address.

Alan Hardisty (Co-Owner) commented:
If your external domain name is and your fixed IP address is, then to get ActiveSync working, all you need to do is set up an A record with your fixed IP address in your domain's DNS records (not on your server), call it remote (or whatever you like), and then request / rename your certificate to use the FQDN (Fully Qualified Domain Name) of
The only port you need to open up to the outside world is port 443; then, once the correct certificate is installed, you access the server using the FQDN.
Your internal domain of cvmc.local is not relevant to ActiveSync (apart from when entering the domain, where you should enter cvmc).
DNS records to create in your external domain's DNS:
Name      Type    Detail
remote    A
Once the record is created, any requests to will forward to your Exchange server and ActiveSync will work, providing your server configuration is correct, which is where my article comes in handy:
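The whole thread turns on the one step the Remote Connectivity Analyzer failed: "Validating certificate name", i.e. does the host name the client typed appear among the identities on the server certificate. The script below is an added example, not part of the thread or of any Microsoft tool; it reproduces that check offline against constructed certificates (the INTERNAL_CERT subject copies the CN=fam01, OU=Domain Control Validated, O=fam01 that the analyzer printed; remote.example.com, mail.example.com and 203.0.113.10 are placeholders standing in for the poster's stripped domain and IP) and can also fetch a live server's certificate and run the same check. It uses the strict rule modern clients follow: a DNS name is matched against the subjectAltName entries (falling back to the CN only when there is no SAN), and a bare IP only ever matches an iPAddress SAN, never a CN.

```python
import ipaddress
import socket
import ssl
import sys

# Constructed sample certificates in the shape returned by ssl.SSLSocket.getpeercert().
# INTERNAL_CERT mirrors the subject the analyzer printed in the thread: a cert
# for the internal host name with no subjectAltName at all.
INTERNAL_CERT = {
    "subject": ((("commonName", "fam01"),),
                (("organizationalUnitName", "Domain Control Validated"),),
                (("organizationName", "fam01"),)),
}
# The kind of cert the replies recommend: issued for a public FQDN (placeholder names).
PUBLIC_CERT = {
    "subject": ((("commonName", "remote.example.com"),),),
    "subjectAltName": (("DNS", "remote.example.com"), ("DNS", "mail.example.com")),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}
# If you insist on connecting by IP, the IP has to be an iPAddress SAN ...
IP_SAN_CERT = {"subject": ((("commonName", "fam01"),),),
               "subjectAltName": (("IP Address", "203.0.113.10"),)}
# ... an IP literal in the CN does not satisfy strict (RFC 6125) clients.
IP_CN_CERT = {"subject": ((("commonName", "203.0.113.10"),),)}

_RDN_ABBREV = {"commonName": "CN", "organizationalUnitName": "OU",
               "organizationName": "O", "localityName": "L",
               "stateOrProvinceName": "ST", "countryName": "C"}


def subject_string(cert):
    """Render the subject the way the analyzer's error message shows it."""
    return ", ".join(f"{_RDN_ABBREV.get(k, k)}={v}"
                     for rdn in cert.get("subject", ()) for k, v in rdn)


def _dns_match(pattern, host):
    """Exact match, or a single wildcard in the left-most label only ('*.example.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_on_cert(cert):
    """Identities a client may match: the SAN entries, or the CN only if there is no SAN."""
    sans = cert.get("subjectAltName", ())
    if sans:
        return list(sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [("DNS", cn) for cn in cns]


def cert_matches_host(cert, host):
    """The analyzer's 'Validating certificate name' step for one cert and one host."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in names_on_cert(cert):
        if ip is not None:
            # A connection by IP literal only matches an iPAddress SAN.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False


def check_live_server(host, port=443, timeout=5):
    """Fetch a real server's certificate (needs network) and run the same check.
    check_hostname is off so a name mismatch is reported rather than raised; the
    chain itself must still validate against the system trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert_matches_host(cert, host), subject_string(cert)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_cert_name.py remote.example.com
        ok, subj = check_live_server(sys.argv[1])
        print(("OK" if ok else "MISMATCH") + f": host {sys.argv[1]} vs certificate {subj}")
    else:
        for cert, host in [(INTERNAL_CERT, "203.0.113.10"), (INTERNAL_CERT, "fam01"),
                           (PUBLIC_CERT, "remote.example.com"), (IP_CN_CERT, "203.0.113.10"),
                           (IP_SAN_CERT, "203.0.113.10")]:
            verdict = "matches" if cert_matches_host(cert, host) else "does NOT match"
            print(f"host {host!r} {verdict} certificate {subject_string(cert)}")
```

Run with no arguments to see the offline cases: the thread's certificate matches only when the client asks for "fam01", which is exactly why the analyzer (and an iPhone pointed at the public IP) rejects it, while the same IP is accepted only by a cert carrying it as an iPAddress SAN. Run with a host name argument once the public A record and the new certificate are in place to repeat the analyzer's check from any machine with Python.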