ZappaMang

Exchange ActiveSync, IPhone integration

I'm hoping to find some guidance with integrating iPhones into my org. Our current infrastructure consists of the following:
Exchange 2003 Server Std. Ed. We have a SonicWall NSA 3500 Firewall, as well as a SonicWall SSL VPN 4000 appliance. Everything I have looked at, well almost everything, indicates that a front end Exchange server is a must for security. I understand that, & I also understand what needs to happen on my Firewall to allow ActiveSync through. But, my concerns/questions are these...
How does my SSL VPN fall in this scenario? It uses port 443, since it is an SSL VPN device, & ActiveSync also calls for port 443 to be opened up on the Firewall. As it sits, my plan is to get the Front End exchange server in place & make the necessary changes to the firewall. But, I want to make sure that I am not missing anything in this with the SSL VPN appliance also being in play. Is there possibly some way to use that as a more secure "pass-thru" to forward the ActiveSync communication through to my Exchange Server? Or is there a more "ideal" or alternate way to set things up? Thanks for the input & guidance everyone.
LLMorrisson

How many public IP addresses do you have in your external block? If you need to run different services over the same port you'll need to use a second IP address. You can then direct the SSL traffic for AS to your Exchange server via your firewall's NATing capabilities and avoid any risk of disrupting your VPN traffic/connections.
ZappaMang

ASKER

Thanks for the expedient response LLMorrison. We actually have 7, one of which is not in use :^) I like your suggestion about directing that SSL traffic for AS that way. So, everything else should remain the same then? But a Front End server in the DMZ zone and tweak the firewall for AS to communicate with the backend Exch. server? Thanks again man.
Your VPN connections presumably come in from the Internet to the firewall on the outside of your DMZ. Your Exchange AS connections will do the same. So you'll need to assign a spare external IP for AS and have a NAT rule to direct to whatever server is hosting your AS services, either in the DMZ if that's where you have it, or inside your network through the 2nd firewall on the inside of the DMZ.

The specific configuration will obviously depend on your own actual topology, but providing you have a spare external IP that you can use to accept the incoming connections, you will have no problem running AS over port 443 together with your VPN traffic, because despite sharing a port they will be bound to separate IPs. This is a fairly common scenario.

Thanks for the responses all! I am very close, but still not quite there. I am running into one issue, or at least I hope it is one issue... I have installed the "AS Tester" on my iPhone & Front End Exchange Server. The AS tester goes through & successfully verifies that AS is running & available for my FE Exchange Server. When I run the AS Sync utility on my FE Exchange server and choose to "Test the SSL on the Internet", it passes all the tests fine. When I choose to test the SSL On LAN it errors out with a FAIL on the Verifying Certificate test.

Another thing I have discovered, & I'm not sure why, is that when I run the AS Tester & test "On LAN" & I use my FQDN it passes all the tests... It passes the tests using the FQDN for "On LAN" & "On Internet" tests. If I attempt to run those tests using IP addresses, using the external for the Internet test & the FE Exchange private address for the LAN test, they both fail in the same spot. Could this be a DNS issue?

Whenever I attempt to get my phone set up with my Exchange account it just errors out saying that the connection to the server failed. I don't see anything in my Event logs to help troubleshoot where the problem is occurring.

I am also attaching the output from the "Testexchangeconnectivity.com" output. That seems to pass everything but has a warning about Windows Mobile Devices. Not sure if a hold up could be @ that point as well.

I have attached screenshots in the hopes that further assistance can be provided.
Attachments: Document1.pdf, ExchangeRemoteConnAnalyzer.pdf
I would expect it to fail if you use the IP address because the name in the certificate has to match the name of the server you connect to. When you connect to the IP address you are not passing that name and so it doesn't match.

What phone do you have and what OS and version does it have?

Do you have another device you could try it with in case it is device related?

Ahh my bad you said iPhone ;)

Have you tried this site to check your settings too?

https://testexchangeconnectivity.com/
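To illustrate LLMorrisson's point about the certificate name having to match what the client connects to, here is an added example written for this thread (not code posted by anyone in it). The certificate descriptions are constructed to mirror the dict Python's `ssl.getpeercert()` returns, using the thread's placeholder host `owa.domainname.org`; `203.0.113.10` and `192.168.1.20` are made-up external and internal addresses. It shows why the FQDN validates while either IP, or the `www.domainname.org` name a phone guesses from the e-mail domain, does not, and it also handles a wildcard certificate so the single-label rule is visible:

```python
import ipaddress

# Constructed certificate description, shaped like the dict ssl.getpeercert()
# returns. It stands in for a single-name cert issued to the thread's
# placeholder host owa.domainname.org; nothing here is a real certificate.
OWA_CERT = {
    "subject": ((("commonName", "owa.domainname.org"),),),
    "subjectAltName": (("DNS", "owa.domainname.org"),),
}

# Constructed wildcard certificate, for comparison.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domainname.org"),),),
    "subjectAltName": (("DNS", "*.domainname.org"),),
}


def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN 'DNS' entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def check_target(cert, target):
    """Return (ok, reason) for connecting to `target` when `cert` is presented."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: the usual hostname comparison against SAN/CN
        for name in cert_dns_names(cert):
            if name_matches(name, target):
                return True, f"{target} matches certificate name {name}"
        return False, f"{target} matches none of {cert_dns_names(cert)}"
    # An IP literal only validates against an 'IP Address' SAN entry; a cert
    # issued to a hostname has none, so both the public and the private IP fail.
    ip_sans = [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]
    if target in ip_sans:
        return True, f"{target} is listed as an IP Address SAN"
    return False, f"{target} is an IP literal; certificate only names {cert_dns_names(cert)}"


if __name__ == "__main__":
    # 203.0.113.10 and 192.168.1.20 are constructed external / internal addresses
    for target in ("owa.domainname.org", "203.0.113.10",
                   "192.168.1.20", "www.domainname.org"):
        ok, reason = check_target(OWA_CERT, target)
        print(f"{'PASS' if ok else 'FAIL'}: {reason}")
```

Only the first target passes; the two IP tests fail for the same reason on the LAN and on the Internet side, which is the behaviour the tester tools show when given an address instead of the FQDN.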

Thanks for the response LL. I actually posted the output of the "testexchangeconnectivity.com" site. It is my above attachment entitled "ExchangeRemoteConnAnalyzer.pdf". Everything passed minus one section, which is reflected in my attachment. I'm kinda at a loss at this point. Currently looking @ blowing away all Exch Virtual directories, recreating & making sure it's not a Metabase issue, or some sort of "prior" change in IIS or ESM that may have some unseen impact? I'm willing to believe anything at this point. I am using iPhone 4, new Verizon flavor. Have two users with them & I am testing the connectivity on both. I can set the Exchange account up on my phone & it verifies it... it doesn't error out... until you attempt to check the account.... Strange... The app I downloaded onto my iPhone, AS tester, shows all tests a go, so yeah... I'm stumped ;/
OK.... I blew away the Exchange Virtual directories following the directions I found here: http://www.msexchange.org/tutorials/Fixing-Damaged-Incorrectly-Configured-OWA-2003-Installation.html . I went back through the "Exchange 2003 - ActiveSync Connection Problems FAQ" document referenced above... Everything now pretty much checks out, for example:
- https://testexchangeconnectivity.com run on the FE Exch server passes with flying colors, no warnings or anything now
- canyouseeme.org shows that port 443 is ready for work on my FE Exch Svr
- AccessMyLan's ActiveSync tester runs flawlessly on my FE Exch Svr when I use the "On Internet (outside Firewall)" test. It also runs 100% successfully when I test using "On LAN (inside Firewall)"; for both tests I am using the FQDN for my FE Exch Svr.
- The ActiveSync App that I loaded onto my iPhone also shows all tests are 100% passed when testing AS capabilities between my iPhone & the specified Exchange server.
I am not seeing any errors anywhere, so I am once again at a big "wall". One thing I did notice, & I wasn't really sure on, was the following. I removed the defined Exchange account on my iPhone & re-added it. I input my Email address, Domain, UN, PW, & clicked "next". It says Verifying & then comes up with "Cannot Verify Server Identity. Exchange can't verify the identity of "www.domainname.org". Would you like to continue anyway?" If I click details it states *.worldsecuresystems... Global Root CA, Not trusted.. Description Server Authentication Expires Sep 9, 2011 8:27:23 PM. If I choose "Accept" it goes past that warning & I can finish setting up my account, I really only need to define my "Server" address, so I input owa.domainname.org & then click next again. The next screen is showing the items that will be synced up, mail, contacts, calendar,... I click on save.. It says it's configuring sync, then it says configured sync. It seems like it makes that connection... but when I go back out to actually pull messages, then I get the lovely "cannot get mail" "the connection to the server failed.". Soooo.... any other help is welcomed @ this point... I'm not sure if this is all due to that initial Certificate issue when the account is added? Is there anything else I should test? Possibly front end communication? Thanks.
I could be wrong but it seems to me you have some issues with your certificate. Was there an intermediate certificate provided with the one you purchased? Did you install it to your server as per their instructions? It could be related to that.
Create a new account and mailbox with at least 1 item in it. Test via the www.testexchangeconnectivity.com and your other tools. Confirm that is OK, then try that account on the iPhone.
LL, there was an "intermediate" cert provided when I downloaded my SSL cert from GoDaddy. The "Intermediate" cert ended in .p7b & my SSL cert itself was a .crt file. I followed the instructions on GoDaddy's website when I installed the certs as well. I have tried "un-installing the cert" via IIS on the default website, & I have re-keyed my cert twice now via GoDaddy & re-walked through the setup/install procedures for the intermediate cert & SSL cert. No issues were encountered during any of this....DO YOU THINK I need to do some other "un-install" processes before attempting to re-key & re-install my SSL on my FE Exchange server? For instance, do I have to manually remove anything from the "Certificates" snap-in or anywhere else to make the re-install a little cleaner? Just curious.

Mega & LL, all tests seem to be good.. with two exceptions & hopefully you can tell me whether or not those may be the hold up. The AS test runs great on my iPhone, all tests pass. The AS tester runs great on my FE Exchange Server, passes all tests when I test & set my location to either "On Internet" or "On LAN", but I have to use owa.domain.org for the tests to work. IF I test "On Internet" & use the public IP that my external host record points to it "Fails" on the "Verifying Certificate" test under SSL Certificate... the same "FAIL" message is displayed if I choose to run the test "On LAN" & I use my private IP... I'm not sure if the "FAIL" while running that is normal given how I am choosing to run those two tests? Does anyone know for sure?

If I use www.testexchangeconnectivity.com, again... everything goes through great.. not 1 error... But if I run the test & choose to "uncheck" "Ignore trust for SSL" then the test has a "warning" & here are the details;

Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name owa.stairwaysbh.org was found in the Certificate Subject Common name.
 
 Validating certificate trust for Windows Mobile devices.
  The test passed with some warnings encountered. Please expand the additional details.
   Additional Details
  The certificate is only trusted on Windows Mobile 5.0 with the Messaging and Security Feature Pack and later versions. Windows Mobile 5.0 devices won't be able to sync. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

Again, I'm not sure if that result is by design since I chose to take the "tick" off of "Ignore trust for SSL". Can anyone verify whether or not that behavior is by design?

Mega, I did attempt to use a different account in my organization... all the same tests passed with the same results.. My iPhone did the same song & dance... I added the account... It acts like it verifies my server/account settings & then goes through... I choose to sync mail, calendar, & contacts, & click save & then it says at the top "Syncing.. Sync" & it seems like at that moment it makes the connection... But when I go to check my Exchange account on my iPhone it still says it cannot connect... Thanks gents!
Ensure the server you are listing on the iPhone matches the name on the cert; this name should resolve to the external IP of your frontend server.

If the above is in place, then change the password on the test account, add it to Domain Admins and re-add it to the iPhone and see if it synchs. Ensure the account doesn't have "user must change password at next logon" ticked.
Mega, the server I am listing on my iPhone does match the name on the cert, owa.mydomain.org, & that name does resolve to the external IP of my FE Exch server.

I changed the password on my test account & added them to the Domain Admins group.... Re-added the account to my iPhone & the same thing happens... The password for this acct is set to never expire.... WTF am I missing here....

Another interesting thing... when I go to https://owa.mydomain.com/OMA it comes up with login credentials... when I provide those, it does login but I am presented with an error that the device I am connecting from is unsupported...& it says something about using a Windows Mobile phone & such.... So it appears that my FE Exch server is behaving properly, correct?? Thanks for your continued efforts gents!
Sorry I should have clarified.... busy morning.... But what I meant with my above comment about going to https://owa.mydomain.com/oma was that I tested that connection from outside my network via a computer... just to clarify, sorry.
Oma has nothing to do with ActiveSync. Oma is the rubbish WAP version of OWA
I was under the impression that OMA was something to do with EAS ... Sorry... I think I may be attempting to get ahold of Microsoft tomorrow... I simply can't see a problem here.... Hmmmm....
Can't remember if this setting exists in Exchange 2003, but ensure in IIS that the ActiveSync and exchange virtual directory are set to ignore client certificates, also look on the properties of the web site.
Do you have a wildcard cert?
On the FE check the ActiveSync VD and make sure it is set to ignore client certificates (this setting does exist in E2k3) make sure this VD has Basic Auth ONLY. SSL is optional, you can try turning it off to see if the iPhone will sync then.

On the Back End server (ensure you are allowing port 80 from the FE to the BE):
On the Exchange VD ensure that there is NO SSL and that Integrated Auth and Basic Auth are allowed.
On the properties of the web sites in IIS on the FE and BE ensure that HTTP keep alives are ON and are set to "600"

If the above fails you can try adding that account to the device exceptions list:
Open Exchange System Manager--> Global Settings-->Mobile Services-->Properties-->Device Security-->Exceptions--> then add the account to the exceptions list


Otherwise check the logs on the FE and BE to see what is really happening:
You can see ActiveSync connections in the IIS log under C:\Windows\logfiles\W3SVC1
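For the log check in the post above, here is an added example written for this thread (not code from the thread, from Microsoft or from any tool named in it). It parses W3C extended log lines of the kind IIS 6 writes under the W3SVC1 folder, keeps only the `/Microsoft-Server-ActiveSync` requests, optionally narrows to one account, and lists the requests that came back with an error status. The sample log, IP addresses and DeviceId are constructed; the account name `jgamble` is the one that appears later in the thread:

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of an IIS 6 W3C extended log (the format found under the
# W3SVC1 LogFiles folder). Addresses, user agent and DeviceId are made up.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-02-18 14:02:11
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-02-18 14:02:11 192.168.1.20 OPTIONS /Microsoft-Server-ActiveSync - 443 - 203.0.113.50 Apple-iPhone/constructed 401 2 2148074254
2011-02-18 14:02:12 192.168.1.20 OPTIONS /Microsoft-Server-ActiveSync - 443 DOMAIN\jgamble 203.0.113.50 Apple-iPhone/constructed 200 0 0
2011-02-18 14:02:13 192.168.1.20 POST /Microsoft-Server-ActiveSync User=jgamble&DeviceId=ApplTEST0001&DeviceType=iPhone&Cmd=FolderSync 443 DOMAIN\jgamble 203.0.113.50 Apple-iPhone/constructed 400 0 0
2011-02-18 14:02:20 192.168.1.20 GET /exchange/ - 443 DOMAIN\jgamble 203.0.113.50 Mozilla/5.0 200 0 0
2011-02-18 14:03:05 192.168.1.20 POST /Microsoft-Server-ActiveSync User=jgamble&DeviceId=ApplTEST0001&DeviceType=iPhone&Cmd=Sync 443 DOMAIN\jgamble 203.0.113.50 Apple-iPhone/constructed 500 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line, skip rather than misalign columns
        yield dict(zip(fields, values))


def activesync_requests(text, user=None):
    """Keep EAS requests; with `user`, match cs-username (sans domain) or the User= query value."""
    out = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith("/microsoft-server-activesync"):
            continue
        query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
        rec["cmd"] = query.get("Cmd", ["-"])[0]
        rec["device"] = query.get("DeviceId", ["-"])[0]
        if user is not None:
            acct = rec["cs-username"].split("\\")[-1].lower()
            qs_user = query.get("User", [""])[0].lower()
            if user.lower() not in (acct, qs_user):
                continue
        out.append(rec)
    return out


def summarize(text, user=None):
    """Count EAS responses by status and list the ones worth chasing."""
    reqs = activesync_requests(text, user)
    by_status = Counter(r["sc-status"] for r in reqs)
    # A 401 on the initial OPTIONS is the normal Basic-auth challenge (substatus 2),
    # so it is not reported; a 4xx/5xx on a POST carrying a Cmd= is a real failure.
    problems = [
        f"{r['date']} {r['time']} {r['cs-method']} Cmd={r['cmd']} device={r['device']} "
        f"-> {r['sc-status']}.{r['sc-substatus']} (win32 {r['sc-win32-status']})"
        for r in reqs
        if int(r["sc-status"]) >= 400
        and not (r["cs-method"] == "OPTIONS" and r["sc-status"] == "401")
    ]
    return {"requests": len(reqs), "by_status": dict(by_status), "problems": problems}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, user="jgamble")
    print(f"{result['requests']} ActiveSync requests for jgamble: {result['by_status']}")
    for line in result["problems"]:
        print("  ", line)
```

Run against a real log, the `problems` list is what to look at first: a steady run of 400s on `FolderSync` (the first command a freshly added device sends) points at the server side rather than the phone, while repeated 401s on the POSTs point at authentication.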
OK, I am pretty sure this is the client certificate setting messing things up.

Go to your FrontEnd ActiveSync VD properties --> 'Directory Security' Tab --> 'secure communications' box--> Edit--> tick 'ignore client certificates' and ensure the 'enable client certificate mapping' is unticked -->OK -->OK

Then try syncing the iPhone or www.testexchangeconnectivity.com and make sure that warning about Windows Mobile 5 devices is gone. If not you may need to iisreset your FE.
Mega, first I want to thank you for your continued help through this lovely issue. Firstly, I do not have a wildcard cert, so the only cert I have is for owa.mydomain.org. All of my settings were already as you specified, so I didn't have to change anything, minus the HTTP keep alives, I set those to 600. My FE ActiveSync VD properties were set exactly like you suggest to do... but I am assuming that I will get the same Cert error since I have changed nothing...

Do you think it would be worth uninstalling my cert again & re-keying it? I was thinking of uninstalling the cert, going into my Cert manager snap-in & removing all traces of my cert from the FE exch server. I was then going to purge the FE & BE VD's again & take them out of the Metabase... I was going to re-create all VD's & then re-key my cert & attempt to re-install it... in your opinion, do you think that has any merit? Attached is a copy of my W3SVC1 log... let me know what your thoughts are man. Again, many thanks for sticking this out with me. Attached: ex110218.log
Is your BE Exchange Virtual Directory set to ignore client Certs too? Is the BE Exchange VD set for Basic and Integrated auth too?

Have you tried removing the Exchange mail account from the iPhone and starting again? You could also try resetting the iPhone.

I feel we are really close to solving this, so wouldn't want you to go down the whole recreation of VDs yet...
Yes sir, the BE VD is set to Ignore client certs & it is also set for Basic & Integrated Auth.  

I have removed the Exchange mail account from the iPhone about 80x's lol. I did reset the iPhone & ran through the process again but the results were the same.

I did install the iPhone config utility & I have attached the "Console" output from when I re-added the Exch acct. to my iPhone & then the whole process of attempting to sync my mail. IPhone-Config-Log.txt

I hope we are close :) The "Console" log does show some errors.. but I'm not sure what to make of em. Thanks Mega!
Can you post the w3svc log off the backend?
Are you seeing any ActiveSync events in the application log on the FE or BE?
I'm not seeing any ActiveSync events on the FE or BE server... Should I be looking for anything in particular? I hope we can figure this out... I'm ready to see how the iPhone works with a sledge hammer! Thanks man. BE-Exchange-w3svr-log-2-18-11.txt
3005 event? Do you have any other devices to test with? Like another iPhone or windows mobile or android?

Can you also confirm that you can access OWA from external and that works fine? Basically you are on E2k3 so autodiscover will not work.

Can you also confirm if you have any exchange-oma virtual directories? These aren't needed for FE/BE scenarios.
On my BE Exch Svr, I do have one Event ID 3005, but it was logged on 2/14/11.  BE-Exch-3005-app-log-error.txt

On my iPhone via Safari, I can browse to https://owa.mydomain.org/oma & I get prompted for a login... If I provide my credentials it says unsupported device on the page it pulls up. If I attempt to go to https://owa.mydomain.com/exchange , I also get prompted for a login...I put in my credentials & I have my Outlook Web Access ... so that seems to be functioning just fine... at least I think.

I do have OWA VD's on both my FE & BE.... they aren't called Exchange-oma, simply OMA & the icon looks like a "gear" just like the Active Sync VD... If you need any more info let me know. .
OH yea, I should have finished answering your questions... I do have another iPhone here that my co-worker has been attempting to sync as well. I do not have any other type of device, outside of a BlackBerry, that we can test with.
Are you using Forms based authentication? Try disabling it on the FE pressing apply then reenabling it. You aren't running FBA on the BE are you?
No sir, not using FBA on the FE or BE Exch servers. Didn't see to do that in any of the articles I have come across yet.

I am currently updating both servers.... I did notice that my FE Exch Svr was on a different build.. perhaps there could be an issue there, or some file that didn't get fully "installed" when SP was applied... I'm willing to try anything at this point since on the surface everything should be working :^( WTF iPhone... Should I ditch you for a Droid X...
According to your FE logs you are getting error 400, which should be fixed by following the solution here:
http://social.technet.microsoft.com/Forums/en/exchangesvrmobility/thread/6669620d-160c-44fc-8a6d-ae372f425735
If you read on EE you will see that Droids have more problems synching with Exchange than iPhones... Hopefully that will change in the future.
Thanks for the "reassurance" Mega! I really like the iPhone, this is just stumping the hell outta me. My FE Exch server is still updating, it is quite a bit slower than my BE box :)

I'm not sure if the above article will work for me. I have looked through it & the common thing that is working for a lot of folks is:
1. Open IIS Manager

2. Navigate to Websites -> right click on "Default web site" and click on properties.

3. On the web site tab click on advanced

4. Under "Multiple identities for this website" click on the default entry and click on edit

5. I made the following changes - IP address: (All Unassigned), TCP port: 80, Host Header Value: "Blank"

6. click ok and restart IIS Admin Service (warning will disconnect clients) to be sure!
I looked at both my FE & BE Exch servers & they are already set in that fashion. My FE Exch server does have 2 NICs on different subnets, but network communication is not an issue, at least I don't believe it is, but if there was I would like to think that EAS wouldn't work at all or at least show more problematic signs.
I wonder if I should attempt to set the "Assigned IP" to a NIC, restart IIS... test it, then take it off, reset IIS & see what happens. Guess it's worth a shot... but I can't see how that would "fix" anything..

Will post as soon as my slow FE box finishes choking these updates down. Thanks again for hanging in there with me Mega!
Alas..... nothing has changed.... all remains the same. :( Back to the drawing board.... But what is left to do...
Keep an eye on the application event log for ActiveSync errors and also keep an eye on the IIS logs for the account you are doing the ActiveSync with.
ASKER CERTIFIED SOLUTION
MegaNuk3
BE Exchg Svr massync.dll v. 6.5.7638.1
FE Exchg Svr massync.dll v. 2.0.3274.0

I also discovered something else, & I'm not sure what this means. I attempted to login to https://owa.mydomain.org/exchange minutes ago from my iPhone. It came up with my logon box, but would not accept my credentials. That struck me as "strange" due to this working yesterday. I then attempted to go to https://owa.mydomain.org/oma & attempted to use my credentials @ that prompt. I was able to login & get the error stating "this is an unsupported device" blah blah blah. Then for the heck of it I tried https://owa.mydomain.org/exchange & bam... I was in, it didn't even prompt me for my login... But it appears as though I have to login to the OMA first & then I can change the web address & put Exchange in place of oma & my mail becomes available to me via Outlook Web Access... I found the below error in my App log on the FE Exch server. The one below that was from the Security log of my FE Exch server, & it appears one of those events is logged each time I attempted to login to owa.mydomain.org/exchange before going to the owa.mydomain.org/oma first & validating my credentials & then changing the oma to exchange on the end. Hopefully that isn't too confusing. I am not seeing anything worth posting in the IIS logs though... I really can't look at my iPhone config utility log until I am back in the office @ my desk.. hopefully the below can shed some light on the subject?

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            2/19/2011
Time:            8:41:49 AM
User:            NT AUTHORITY\SYSTEM
Computer:      OWA
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      jgamble
 Source Workstation:      JGambleHome
 Error Code:      0xC0000064


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      EXPROX
Event Category:      None
Event ID:      1000
Date:            2/19/2011
Time:            8:29:31 AM
User:            N/A
Computer:      OWA
Description:
 Microsoft Exchange Server has detected that NTLM-based authentication  is presently being used between this server and server 'MAIL'. NTLM is  still a secure authentication mechanism and protects users' credentials.   However, this indicates that there may be a configuration issue preventing  the use of Kerberos authentication.   If this condition persists, please verify that both this server and server 'MAIL'  are properly configured to use Kerberos authentication.  After applying any  changes it may be necessary to restart Internet Information Services on both  the front-end and back-end servers.  

For more information, click http://www.microsoft.com/contentredirect.asp.

 
FIXED FIXED FIXED FIXED>>>>>>>> :^) Many many many thanks goes out to MegaNuk3 for his extreme patience through this mess. Mega, I re-applied SP2 to my FE Exch server, after realizing that the file versions all said that it did not have SP2, although the Exch Mgt. console was telling me it was SP2,... After that... my iPhone started buzzing & ringing & bam... I started to cry when I saw my folder structure show up & my emails started to come through... WOW... A big round of applause to Mega!
This is why I continue to subscribe to EE. Extremely helpful folks with a lot of know how & this is the best "sounding" board to hash out issues. I love EE. Thanks for all the help Mega, you truly are a great tech!
Fantastic! That has made my weekend!
:^) MegaNuk3 again, kudos man. Take the relief you feel & multiply that by 100 & that's how I feel! Keep up the good work man! I love EE for this very reason & suggest it to all my fellow IT folks, wonderful place for the stumped! Enjoy man, I hope anything else you are working on goes more smoothly & less painfully than this particular one.

FYI for anyone in my boat... compare file versions & make sure that things are what they say they are within the GUIs.. the devil is really in the details.
Yep, next time I participate in an ActiveSync question, I am going to ask the Author to upgrade to the latest public version of ActiveSync which is version 6.5.7654.7 http://support.microsoft.com/kb/957191/en-us and then troubleshoot after that is installed if the problem still exists...

There is a later non-public version http://support.microsoft.com/kb/967046/en-us