Users' connection to Exchange/ActiveSync breaks after changing MX to point to new 2010 server

I changed our NAT policy to point to our new Exchange 2010 server this morning, with legacy.mycompany.com created as a legacy domain name.  Everything seemed to be flowing just fine (internal email, OWA, etc...), except all my 2003 users lost connection from their mobile devices (iPhones).  What am I missing for ActiveSync to work?  Again, all users are still on the Exchange 2003 server.  I was getting ready for the 2010 to "go live", and as soon as I switched the MX record, everything was fine except the ActiveSync clients.

What did I forget to do?
tenover asked:

Alan Hardisty (Co-Owner) commented:
Are you migrating?  Have you finished the migration?

Have you moved the mailboxes from the 2003 server to the 2010 server?

Have you purchased a 3rd-party SSL certificate and installed it on the Exchange 2010 server with the following names included:

mail.externaldomain.com
autodiscover.externaldomain.com
internalservername.internaldomain.local
internalservername

Have you checked your inherited permissions as per my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2861-Activesync-Working-But-Only-For-Some-Users-On-Exchange-2007-2010.html
0
e_aravind commented:
Just curious, do you see this issue only with the iPhone(s) or with other mobile devices too?

> What is the result if you create/re-create a new profile on those iPhone devices?
0
tenover (Author) commented:
Are you migrating?  Have you finished the migration?
We are doing a transition from Exchange 2003 to 2010.  Both servers are up and running, but the 2003 server is the external-facing server right now, because of this issue.  I can easily replicate the problem by simply pointing our MX record to the 2010 server... It's immediate.

I have purchased a SAN certificate and installed it on both Exchange servers.  Our internal and external domain names are the same.  Here is what is on my certificate:
mail.mydomain.com
legacy.mydomain.com
autodiscover.mydomain.com
servername.mydomain.com

I just pointed the MX to my 2010 server and ran the connectivity test for ActiveSync... Here are the results... This has to be an easy fix that I'm just missing...

      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name mail.mydomain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host mail.mydomain.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps

FAIL       Checking the IIS configuration for client certificate authentication.
              Client certificate authentication was detected.
        
        Additional Details
       Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.
0

e_aravind commented:
Can you access the URL
https://servername/microsoft-server-activesync

> Do you see the basic-auth prompt, or the choose-client-certificate window?

Reason:
Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication
(for the Microsoft-Server-ActiveSync virtual directory!)
0
Alan Hardisty (Co-Owner) commented:
Your SSL cert needs the following names to make life simple:

mail.externaldomain.com
autodiscover.externaldomain.com
servername.internaldomain.local
servername

I would complete the migration if I were you - there can be issues mid-migration and you appear to be finding them.
0
tenover (Author) commented:
"Can you access the URL
https://servername/microsoft-server-activesync"

You mean internally?  I'm assuming so if it's "servername"....
0
tenover (Author) commented:
When my MX is pointing to the 2003 server, Activesync works just fine.  It's only when I switch it over to the 2010 server.  Seems like there's some type of authentication/permission issue?  
0
Alan Hardisty (Co-Owner) commented:
Are you testing on mailboxes that have moved to the 2010 server or ones that are still sitting on the Exchange 2003 server when your MX record points to the new IP address?
0
e_aravind commented:
So, in this case, the testing should be at https://E2010-server-name/microsoft-server-activesync

Alternatively you can use the URL
https://OWA.domain.com/microsoft-server-activesync (expecting that owa.domain.com would be pointing to the E2010 CAS server)

0
tenover (Author) commented:
Aarrgghh... The problem is that every time I switch it over, all the iPhones start throwing up the error and people start flowing into my office: "What's wrong with the network??"  "What password is it asking for?".  I may have to wait until this next week.
0
tenover (Author) commented:
Here's the results testing the 2010 server against my own account that is still on the 2003 server:

      ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name mail.mydomain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host mail.mydomain.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
      Testing HTTP Authentication Methods for URL https://mail.mydomain.com/Microsoft-Server-ActiveSync/.
       The HTTP authentication methods are correct.
       
      Additional Details
      An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       
      Test Steps
       
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
       
      Additional Details
       An HTTP 401 Unauthorized response was received from the remote IIS7 server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
0
e_aravind commented:
Just one more point:
Does the Microsoft-Server-ActiveSync virtual directory on the E2k3 server have Integrated Authentication enabled or not?
(You can also check the Application logs and IIS logs to get more clues -- both on the E2010 and E2k3 servers.)

http://blogs.technet.com/b/exchange/archive/2009/12/08/3408985.aspx
0
tenover (Author) commented:
Yes, Integrated and Basic authentication on the ActiveSync directory is set on the 2003 server.
0
tenover (Author) commented:
I moved one user over from 2003 to 2010.  This last time when testing, I tried to add the 2010 user's account to an iPhone with the same errors, so it seems that it's an ActiveSync issue and not particularly an issue with one server or another...
0
e_aravind commented:
If the E2010 MSAS virtual directory has a problem, this would break
- direct EAS access to the E2010 mailboxes
- proxied access to the E2k3 mailboxes via the E2010 CAS server

So I would double-check
- the SSL settings
- whether "client cert" is set to Ignore!
0
Alan Hardisty (Co-Owner) commented:
Finish the migration.
0
tenover (Author) commented:
And, when the 2003 server is internet facing, I CAN add the 2010 Exchange user to a mobile phone and use Activesync just fine.
0
tenover (Author) commented:
You mean just move everyone over?  That's difficult if all my users are going to lose mobile connectivity for who knows how long?  Since right now, I can't even get ActiveSync to work with a 2010 account!  That's not going to fly.  
0
Alan Hardisty (Co-Owner) commented:
When you point the MX record to the new server are you changing the firewall rules for port 443 to point to the 2010 server at the same time?
0
Alan Hardisty (Co-Owner) commented:
What Service Pack / rollup have you installed on Exchange 2010 so far?
0
tenover (Author) commented:
Yes, I've created rules to allow 443 to both for testing purposes.  I've installed EX2010 SP1.  I just used an ActiveSync tester app from an iPhone.  This is interesting and may be related.  When I run this test for ActiveSync against my 2003 user account, everything checks out.  When I run the same test against my 2010 user, it fails and tells me the following:

ActiveSync is NOT available.
(ActiveSync detected, but not correctly configured.  [HTTP 500: Forms-based auth enabled?])

I'm assuming it's asking me to turn on Forms Based authentication, but WHERE?  On the 2010 ActiveSync directory in IIS??
0
Glen Knight commented:
FBA is enabled by default, however, to proxy to another exchange server it must be disabled on the second server.

If I recall correctly the 2010 CAS will not proxy/redirect for the 2003 server unless it's a separate CAS server.

Therefore, your only option is to switch everything (firewall rules) to point to the 2010 server then move mailboxes over.

Users will reconnect once their mailboxes have been moved.

Manage their expectation and tell them this is what is happening.

"we are currently migrating to the latest version of our mail server software blah blah blah.  As part of the transition you will temporarily lose access to mobile devices.  Once your mailbox has been completely moved it will be able to reconnect."
0
e_aravind commented:
Can you also check the IIS logs for the E2010 CAS server?

Refer: http://support.microsoft.com/kb/943891 ... to translate the reason for the HTTP 500!
0
Glen Knight commented:
e_aravind, I am reading your posts and I am finding them quite obstructive.  Can you please tone down the frequency and give the author time to respond.
0
tenover (Author) commented:
demazter-
That would mean cutting off mobile access for about 30 users for a few days.  Is there a way I can test this first to be sure that ActiveSync WILL work after their accounts are moved over?
0
tenover (Author) commented:
Actually, I already HAVE tested it, and it doesn't work.  I moved a user over from 2003 to 2010, made the 2010 server internet facing, and the user couldn't connect to ActiveSync.
0
Glen Knight commented:
Have you moved a test account over to 2010? Once you do and reconfigure your external access to go to 2010 does that mailbox work?
0
Glen Knight commented:
Create a new user on 2010, not an existing user.

There are reasons why one that has been moved won't work (identified in Alan's article above).  But it won't affect all users.
0
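An added example, not code from the thread or from Alan's article: a script for the Exchange 2010 Management Shell that checks, for one mailbox, the per-user conditions the article and the comments above keep returning to (ActiveSync enabled, protected-group membership, inherited permissions). It assumes a sample identity "testuser". The AdminSDHolder explanation in the comments (a member of a protected group gets adminCount=1 and inheritance switched off on its AD object, which strips the inherited rights the Exchange Servers group needs to create the device container under the user) is the usual reason for the missing inherited permissions and is not stated on the page itself.

```powershell
# Added example, not from the thread or from Alan's article. Run in the
# Exchange 2010 Management Shell. For one mailbox it reports whether ActiveSync
# is enabled, whether the AD object carries adminCount=1 (AdminSDHolder, i.e. a
# member of a protected group) and whether permission inheritance is blocked,
# which removes the inherited rights the Exchange Servers group needs to create
# the device container under the user object. "testuser" is an assumed identity.
param(
    [string]$Identity = "testuser",
    [switch]$RestoreInheritance
)

function Get-EasUserState {
    param([Parameter(Mandatory=$true)][string]$Identity)

    $cas  = Get-CASMailbox -Identity $Identity
    $mbx  = Get-Mailbox    -Identity $Identity
    $user = Get-User       -Identity $Identity
    # .psbase reaches the DirectoryEntry members that the PowerShell 2.0 ADSI adapter hides
    $de = [ADSI]("LDAP://" + $user.DistinguishedName)

    $adminCount = 0
    $ac = $de.psbase.Properties["adminCount"]
    if ($ac -ne $null -and $ac.Count -gt 0) { $adminCount = [int]$ac[0] }

    New-Object PSObject -Property @{
        Identity           = $user.Name
        MailboxServer      = $mbx.ServerName
        ExchangeVersion    = $mbx.ExchangeVersion.ToString()   # 6.5.x = 2003, 14.x = 2010
        ActiveSyncEnabled  = $cas.ActiveSyncEnabled
        AdminCount         = $adminCount
        InheritanceBlocked = $de.psbase.ObjectSecurity.AreAccessRulesProtected
    }
}

$state = Get-EasUserState -Identity $Identity
$state | Format-List Identity, MailboxServer, ExchangeVersion, ActiveSyncEnabled, AdminCount, InheritanceBlocked

if (-not $state.ActiveSyncEnabled) {
    Write-Warning "ActiveSync is disabled on this mailbox: Set-CASMailbox $Identity -ActiveSyncEnabled `$true"
}
if ($state.AdminCount -eq 1) {
    Write-Warning "adminCount=1: the account is (or was) in a protected group. AdminSDHolder will block inheritance again within the hour unless the account leaves the group and adminCount is cleared."
}
if ($state.InheritanceBlocked) {
    Write-Warning "Permission inheritance is blocked on the AD object; Exchange Servers lacks its inherited rights, so EAS fails for this user only."
    if ($RestoreInheritance) {
        $de = [ADSI]("LDAP://" + (Get-User -Identity $Identity).DistinguishedName)
        # $false = stop protecting (re-enable inheritance); $true = keep the explicit ACEs
        $de.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $de.psbase.CommitChanges()
        Write-Host "Inheritance re-enabled; allow AD replication, then retest with the phone or ExRCA."
    }
}
```

Run it once against the moved user and once against a freshly created one: if only the moved user shows AdminCount=1 or InheritanceBlocked=True, the problem is that account, not the server; if both look clean and both fail, the server configuration is the next place to look.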
tenover (Author) commented:
I moved a user from 2003 to 2010.  Outlook and Outlook Web Access function as they should for this user (Outlook automatically points to the new server, OWA points to the new server,etc...).  This user CANNOT add an ActiveSync email account on their phone though.  

I don't doubt that creating new users will not be a problem, but are you suggesting that I just recreate 30-40 domain user accounts because Activesync doesn't work?
0
Glen Knight commented:
I didn't say that.  I asked you to create a new user for testing.  I want to ascertain if it's a problem with the user you moved or the server setup.

The user you moved is there anything special about it? Does it have admin rights? Is it a member of any other built in groups?
0
tenover (Author) commented:
Nothing special about it at all, just a regular user account.  I'll create a "test" user on 2010 now, and plan an outage when I can do testing without having the entire company breathing down my back because Activesync isn't working.  
0
Glen Knight commented:
The only way you are going to get a mixed environment to work externally is if you have more than 1 public IP address.

Otherwise, it's one or the other.
0
tenover (Author) commented:
Ok, I just did some testing for the past 15 minutes with the Exchange 2010 as the internet-facing server.  All mail flow, internally, externally, OWA, etc... works just fine.  ActiveSync fails on all fronts.  2003 users, 2010 users, etc...

When trying to access https://mail.mydomain.com/microsoft-server-activesync, I get prompted for credentials, and when I put them in, I get:
HTTP://1.1 501 NOT IMPLEMENTED

When testing from an iPhone App for ActiveSync I get: ACTIVESYNC NOT AVAILABLE

0
tenover (Author) commented:
And demazter-
I do have two public IPs.  I set up a NAT policy for legacy.mydomain.com which maps to the 2003 server when I'm testing and ready to go live.  

so it seems at this point that there is something glaringly wrong with my Activesync configuration on the 2010 server, no?  I don't know what it would be or how to find out.  It's almost like it's not even setup or something.
0
Glen Knight commented:
>>When trying to access https://mail.mydomain.com/microsoft-server-activesync, I get prompted for credentials, and when I put them in, I get:
HTTP://1.1 501 NOT IMPLEMENTED

That's correct, exactly what you should get.

What Exchange roles did you install?  Which version of Windows: 2008 or 2008 R2?
What else is this server doing?
0
tenover (Author) commented:
The server is doing nothing else, it's a brand new dedicated Exchange 2010 server.  I installed the Hub, Client Access and Mailbox roles.  Windows 2008 R2.
0
Glen Knight commented:
And you have checked the inherited permissions as per Alan's guide above?
0
tenover (Author) commented:
Yes, I checked the permissions on my account (2003 Exchange) as well as the user I moved from 2003 to 2010, which were already checked.
0
tenover (Author) commented:
Is there a place I can look that will tell me what the proper permissions and authentication settings SHOULD be on the 2010 and 2003 ActiveSync directories and/or in IIS?
0
Glen Knight commented:
Not sure, you shouldn't need to change them.

The redirection won't work for ActiveSync regardless of what you do.  2010 proxies AS but redirects OWA.  But that shouldn't stop it from working.

How did you install the Windows prerequisites for Exchange 2010?

0
Glen Knight commented:
Also, with everything setup for the 2010 server to be Internet facing have you run the test at https://www.testexchangeconnectivity.com/
0
tenover (Author) commented:
Windows prerequisites were done via command line as instructed by Microsoft. That link goes to a site with no tools...Maybe a typo?
0
tenover (Author) commented:
I got the site, and yes, that's what I've been using since Day one to test.  That's what these results are:

 ExRCA is testing Exchange ActiveSync.
       The Exchange ActiveSync test failed.
       
      Test Steps
       
      Attempting to resolve the host name mail.mydomain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host mail.mydomain.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
      Testing HTTP Authentication Methods for URL https://mail.mydomain.com/Microsoft-Server-ActiveSync/.
       The HTTP authentication methods are correct.
       
      Additional Details
      An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       
      Test Steps
       
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
       
      Additional Details
       An HTTP 401 Unauthorized response was received from the remote IIS7 server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
0
Glen Knight commented:
That's odd, the link works OK for me.

What migration guide are you following?
0
Glen Knight commented:
How are you entering the username?

Make sure you use DOMAIN\Username
0
tenover (Author) commented:
Yup, entering the username as you suggest when testing from Exchange connectivity website.  
0
tenover (Author) commented:
Again, AS tests out just fine when my mail.mydomain.com is pointing to my 2003 server.
0
tenover (Author) commented:
I take that back.  IT tests fine for a user on 2003 Exchange server, but not a 2010 user.
0
Glen Knight commented:
You want to setup a test user so I can test it from this end and see what's happening?
0
Glen Knight commented:
Can you also confirm that:

Whilst set up with 2010 as Internet-facing you are able to get ActiveSync on a 2003 mailbox using the URL for OWA?
0
tenover (Author) commented:
I can't test anymore today... It breaks ActiveSync, people freak out and domain accounts end up locking out.

When 2010 is Internet-facing, I can access OWA (2010) by using mail.mydomain.com/owa without any problem.

The URL that we currently use for OWA is simply: mail.mydomain.com

All iPhones simply point to mail.mydomain.com in the "server" field.  Do I need to modify that on the phones?  In the Exchange 2010 OWA or ActiveSync URL fields?

Could that be the issue?  
0
tenover (Author) commented:
Sorry, the current OWA address for the 2003 server is:  https://mail.mydomain.com/exchange  The rest of my post stands as is.
0
Glen Knight commented:
So you are redirecting in Exchange 2003 to remove the /exchange?

If so then, yes, this needs to be removed.

You don't need to add /owa on to the servername just the URL without https:// is enough.

Can you connect an iPhone to a wifi network and test using the internal servername? With a user on the 2010 server what do you get?
0
Glen Knight commented:
OK, then that's fine.

There is no reason why this shouldn't work.

If the 2010 is Internet facing it will proxy for ActiveSync to the 2003 server.
0
tenover (Author) commented:
This is soooooo frustrating.  I would even be fine if it just meant reconfiguring each iPhone once a user has been moved over to the new server, but now it seems that ActiveSync on the 2010 server isn't even working at ALL.
0
Glen Knight commented:
It works by default with a standard installation.

It must be a configuration issue.

So, give me a step by step run down of your configuration.
0
tenover (Author) commented:
Existing single 2003 Exchange server on LAN.
Users use Outlook, OWA and ActiveSync.  All is working fine.
Internal LAN IP is NAT'd on the firewall to a public IP, which resolves to "mail.mydomain.com".
Firewall rule allows HTTP, HTTPS, ping, telnet and SMTP in.
I had our ISP create another A record for "legacy.mydomain.com" which resolves to a separate public IP address.
I built a NAT policy on the firewall which points the internal IP of the 2003 server to this new public IP.  This rule stays disabled until I go to test.

Built a new Exchange 2010 server on new hardware as per instructions.  This will be a single server to replace the old one.  Same configuration, behind the firewall, serving Outlook, OWA and ActiveSync users (hopefully).

When testing, I simply change the NAT rule on the firewall to point to the internal LAN IP of the 2010 server instead of the 2003 server, and then enable that "legacy" NAT policy so that both servers are accessible from outside.

Both servers have identical access rules on the firewall to allow HTTP, HTTPS, SMTP, telnet.

If you want specifics of the 2010 server, let me know, but it's pretty much all default.  If you can think of a way to maybe set Activesync on that server back to defaults or something, I'm all for trying since there are no real users on it yet.
0
tenover (Author) commented:
Thanks.  For Microsoft-Server-ActiveSync in IIS, both "Basic" and "Windows Authentication" are enabled.  Could that be causing the problem?
0
Alan Hardisty (Co-Owner) commented:
Could well be - I only have Basic enabled on mine and mine works 100%!  Please disable Windows Auth and run iisreset, then wait for about 10 minutes (Exchange takes its time to catch up with itself) and then test.
0
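An added example, not code from the thread: a script for the Exchange 2010 Management Shell on the CAS that reads the authentication settings of the Microsoft-Server-ActiveSync virtual directory from both the Exchange and the IIS side and flags the two findings raised in this thread, client-certificate negotiation (the ExRCA FAIL earlier in the thread, "Accept/Require client certificates were found") and Windows authentication enabled next to Basic (this comment). Assumed: a server named EX2010 and the IIS 7.5 WebAdministration module that ships with Windows 2008 R2.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell
# on the CAS (assumed name EX2010). Reads the Microsoft-Server-ActiveSync
# virtual directory settings from both the Exchange and the IIS side, flags
# client-certificate negotiation and Windows auth alongside Basic, and applies
# the recommended values when -Fix is given.
param([string]$Server = "EX2010", [switch]$Fix)

Import-Module WebAdministration   # IIS 7.5 cmdlets on Windows 2008 R2

function Get-IisAttr {
    param([string]$Path, [string]$Filter, [string]$Name)
    # Get-WebConfigurationProperty returns a bare value for some attributes and
    # an object with .Value for others; normalise both to the value.
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    if ($v -ne $null -and $v.PSObject.Properties["Value"] -ne $null) { return $v.Value }
    return $v
}

function Test-IisEnabled {
    param([string]$Path, [string]$Filter)
    $v = Get-IisAttr $Path $Filter "enabled"
    if ($v -is [string]) { return ($v -eq "True") }   # [bool]"False" would be $true in PowerShell
    return [bool]$v
}

function Get-EasVdirState {
    param([string]$Server)
    $vdir = Get-ActiveSyncVirtualDirectory -Server $Server
    $iis  = "IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync"
    $auth = "system.webServer/security/authentication"
    $ssl  = [string](Get-IisAttr $iis "system.webServer/security/access" "sslFlags")
    New-Object PSObject -Property @{
        Identity             = $vdir.Identity.ToString()
        ExternalUrl          = $vdir.ExternalUrl
        InternalUrl          = $vdir.InternalUrl
        BasicAuthEnabled     = $vdir.BasicAuthEnabled
        WindowsAuthEnabled   = $vdir.WindowsAuthEnabled
        ClientCertAuth       = $vdir.ClientCertAuth.ToString()   # Ignore / Accepted / Required
        IisBasic             = Test-IisEnabled $iis "$auth/basicAuthentication"
        IisWindows           = Test-IisEnabled $iis "$auth/windowsAuthentication"
        IisAnonymous         = Test-IisEnabled $iis "$auth/anonymousAuthentication"
        IisSslFlags          = $ssl
        # SslNegotiateCert = Accept, SslRequireCert = Require: the condition ExRCA
        # reports as "Client certificate authentication was detected"
        ClientCertNegotiated = ($ssl -match "SslNegotiateCert|SslRequireCert")
    }
}

$state = Get-EasVdirState -Server $Server
$state | Format-List

$problems = @()
if ($state.ClientCertNegotiated -or $state.ClientCertAuth -ne "Ignore") {
    $problems += "client certificates are accepted/required; phones authenticating with Basic never present one"
}
if ($state.WindowsAuthEnabled -or $state.IisWindows) {
    $problems += "Windows authentication is enabled next to Basic; leave only Basic on the EAS directory"
}
if (-not $state.BasicAuthEnabled -or -not $state.IisBasic) {
    $problems += "Basic authentication is off; EAS devices authenticate with Basic over SSL"
}
if ($state.IisAnonymous) {
    $problems += "Anonymous authentication is enabled on the EAS directory, which is not the default"
}

if ($problems.Count -eq 0) { Write-Host "EAS virtual directory settings look as expected." }
else { $problems | ForEach-Object { Write-Warning $_ } }

if ($Fix -and $problems.Count -gt 0) {
    # Exchange writes these through to IIS; do not also edit them in IIS Manager.
    Set-ActiveSyncVirtualDirectory -Identity $state.Identity `
        -BasicAuthEnabled $true -WindowsAuthEnabled $false -ClientCertAuth Ignore
    iisreset /noforce
    Write-Host "Applied. Give Exchange a few minutes, then re-run the ExRCA ActiveSync test."
}
```

Change the settings with Set-ActiveSyncVirtualDirectory rather than in IIS Manager, so that the Exchange and IIS views stay in step (the script reads both precisely because they can drift apart). The Exchange 2003 side is IIS 6 on that server and is not covered here; when the 2010 CAS proxies EAS to a 2003 mailbox it authenticates to the 2003 Microsoft-Server-ActiveSync directory with Integrated Windows authentication, which is what e_aravind's earlier question about that directory is getting at.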
tenover (Author) commented:
With the old server still internet facing, shouldn't I be able to test active sync on the new server by joining our wireless network and adding a mail account on my phone using the internal server name?
0
Alan Hardisty (Co-Owner) commented:
Not necessarily.  Sometimes it will work - other times not.  Depends on your internal / external domain names and how the server is configured.
0
tenover (Author) commented:
Ok, just changed the NAT setting and tested again, same thing. "Cannot Connect to Server" on all mobile devices.  MS Exchange Remote Connectivity Analyzer says:

      An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
       
      Test Steps
       
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
       
      Additional Details
       A Web exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown.


0
Alan Hardisty (Co-Owner) commented:
Have you downloaded the Access My Lan Test app / program and tested internally?

https://store.accessmylan.com/main/diagnostic-tools
0
tenover (Author) commented:
When I go to the Exchange Server, open IIS and on the right try to access the link that says "Browse *:80(http)", I get the following error on a webpage:

HTTP Error 403.4 - Forbidden

The page you are trying to access is secured with Secure Sockets Layer (SSL).

When I then try "Browse :443(https)", I am prompted for a login, and after doing so, get the following message on the page:

Error Summary
HTTP Error 505.0 - Http Version Not Supported

The page cannot be displayed because the HTTP version is not supported.

Detailed Error Information
Module: ManagedPipelineHandler
Notification: ExecuteRequestHandler
Handler: AirSyncHandler
Error Code: 0x00000000
Requested URL: https://localhost:443/Microsoft-Server-ActiveSync/default.eas
Physical Path: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\sync\default.eas
Logon Method: Basic
Logon User: mydomain\myuseraccount

Most likely causes:
- The server does not support the HTTP version requested by the client.

Things you can try:
- Verify that the client is requesting an invalid or unsupported HTTP version.
 
0
tenover (Author) commented:
Yes, I've downloaded that, and when used internally, I get the same thing:


Testing ambit-mail.ambitbio.com (SSL, On LAN):

Communications:
      Doing DNS lookup on myserver.mydomain.com  OK (LAN IP address)
      Testing TCP to LAN IP Address port 443 ..... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... OK
ActiveSync:
      Checking for application ................. FAIL

Result:
      Failed to detect ActiveSync [HTTP Status: 505]

      (For more detailed diagnosis and possible solutions, see www.accessmylan.com )
0
Alan Hardisty (Co-Owner) commented:
Okay - what sort of user account are you trying with?  Does the user belong to any of the groups mentioned on my article included in my first post?

Is Activesync enabled for the user?

Does the user have the Inherited permissions mentioned in my article?
0
tenover (Author) commented:
Basic "test" user I created just for this.  Not a member of any of the groups you mention in your article.  ActiveSync is enabled for the user.  The box was already checked, but I went ahead and unchecked/checked it again.  Still get the same thing:

      Failed to detect ActiveSync [HTTP Status: 505]
0
Alan Hardisty (Co-Owner) commented:
Okay - back to Exchange 2010 installation.  What pre-requisites did you install and did you use a powershell command (if so - what command)?
0
tenover (Author) commented:
I see this in the Event Logs on the Exchange server...

Exchange ActiveSync device requests for your users are being blocked. This problem frequently occurs when the HTTP OPTIONS method request isn't allowed by the firewall. Please check the firewall that filters requests in front of your Client Access server and the Microsoft-Server-ActiveSync virtual directory.

0
tenover (Author) commented:
I did my homework and installed all the prerequisites that Microsoft says to, as well as everything I've found on Experts Exchange.  I also purchased a transition booklet by Paul Cunningham to use as a guide.  I prepped the domain, schema, etc....All done via PowerShell.  If there's something I can do to simply "reinstall" Activesync, I'm all for it at this point.  There is nobody using this new 2010 server yet, just me trying to get things working!
0
Alan Hardisty (Co-Owner) commented:
Okay - what firewall do you have?  Anything Cisco perhaps?
0
tenover (Author) commented:
It is a SonicWall NSA 3500, but I can't even get ActiveSync to work from BEHIND the firewall.  The Windows firewall on the Exchange server is off.  I'm on a PC that is on the same subnet as the server, behind the firewall, running the ActiveSync tester you recommended.  I still get the following error when running it internally:

Testing ex2010.mydomain.com (SSL, On LAN):

Communications:
      Doing DNS lookup on ex2010.mydomain.com  OK (172.16.1.204)
      Testing TCP to 172.16.1.204 port 443 ..... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... OK
ActiveSync:
      Checking for application ................. FAIL

Result:
      Failed to detect ActiveSync [HTTP Status: 505]

I can run the same test against the 2003 Exchange server just fine and ActiveSync is detected.
0
tenover (Author) commented:
I found this in another thread, and it "seems" that this might be my issue.  How can I verify/test?

The problem occurs when HTTP OPTIONS requests are prevented from reaching IIS on the Exchange client access server.  HTTP OPTIONS request/response is the mechanism that the Active Sync protocol uses to negotiate which version of the protocol should be used between client and server.  Older Active Sync client behavior when protocol version negotiation fails is to fall back to version 1.0.  But support for version 1.0 of the protocol has been deprecated on Exchange 2010 and the service will return HTTP 505.

 

The solution is to make sure that HTTP OPTIONS requests reach the Active Sync service on the Exchange client access server.
0
Alan Hardisty (Co-Owner) commented:
Hmmmm!!!

Any firewall software / AV software on the Exchange server at all?  Is the Windows Firewall enabled?
0
Alan Hardisty (Co-Owner) commented:
Might be time to reset the Activesync Virtual Directory:

Please open the Exchange Management Console and go to Server Configuration> Client Access.  In the Actions Pane, please click on Reset Virtual Directory......

Run through the wizard and pick the Microsoft-Server-Activesync virtual directory and complete the wizard then run IISRESET and test again please.

0
tenover (Author) commented:
Ok, just did exactly what you typed there, plus rebooted the server.  Exact same error! I've even tried running the ActiveSync tester ON THE Exchange server.....
0
Alan Hardisty (Co-Owner) commented:
Okay - what about my comment prior to the Wizard?
0
tenover (Author) commented:
The firewall service is off and disabled.
No AV software installed whatsoever.  This is a fresh Exchange 2010 build on a brand new 2008 R2 server. Nothing else installed except Exchange.
0
Alan Hardisty (Co-Owner) commented:
I have pinged a message to Demazter - he should hopefully take a look tomorrow.  I am running out of ideas at this stage.  Sorry.
0
Alan Hardisty (Co-Owner) commented:
Sorry if I have asked this already - what Service Pack is Exchange running / what rollup and have you exhausted Windows Updates?
0
tenover (Author) commented:
I installed Exchange Service Pack 2 last week.
0
Alan Hardisty (Co-Owner) commented:
What about other Windows Updates?
0
tenover (Author) commented:
Here's another guy with the same problem that you were trying to help.  It looks like he fixed the issue, and it had to do with bindings, but I'm not sure how to fix that....Do you know?
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26878034.html
0
tenover (Author) commented:
All Windows updates installed as of last week.
0
Alan Hardisty (Co-Owner) commented:
In IIS Manager, expand until you see the default website, then select the Default website.

In the Actions Pane - select Bindings.

Mine are:

http - 80 - *
https - 443
http - 80 - 127.0.0.1
https - 443 - 127.0.0.1
net.tcp -  -  - 808:*
net.pipe -  -  - *
net.msmq -  -  - localhost
msmq.formatname -  -  - localhost
0
tenover (Author) commented:
Yep, mine are exactly the same.
0
e_aravind commented:
As per my understanding the summary is:
1. E2010 URL to reach E2k3 mailbox fails
2. E2k3 URL directly accessing to the E2k3 mailbox, EAS works fine

3. E2010 URL directly accessing E2010 mailbox-- Is this working fine?
If not, should you check on accessing this test-case?
0
Glen KnightCommented:
Let me try and sumarise how this should work.

In a mixed environmnent the Exchange 2010 CAS server will redirect requests for legacy systems to the legacy URL.
For this to work, in your external DNS you need to have the following (they are examples so may not be exactly the same as the way you have it setup.

legacyexchange.domainname.com should point to a public IP address dedicated for your legacy exchange environment.  This needs to be routed to port 443 on your legacy system using the source IP address associated with this A record.

cas2010.domainname.com should point to a public IP address dedicated for your new Exchange 2010 CAS server.  This would normally be your existing A record reconfigured to use your Exchange 2010 CAS server instead of the 2003 server.

This is true for OWA.

However, for ActiveSync it doesn't redirect, it does actually proxy therefore the legacyexchange.domainname.com is not used when ActiveSync is being requested.  The mobile device will connect directly to the CAS server.

The other thing that is confusing me is you talk about an MX record.  The MX record is what other servers use to connect to your exchange server to send it email.  This in turn should be configured to use an A record.  In a lot of cases, this will be the same as the OWA A record.  In the example I have used here it should be cas2010.domainname.com.

So your external DNS should look like this, assuming you have 2 pubilc IP addresses of 1.1.1.2 and 1.1.1.3

MX Records should have the data of cas2010.domainname.com
A record for cas2010.domainname.com should be 1.1.1.2
A record for legacyexchange.domainname.com 1.1.1.3

Your router should be configured to forward 1.1.1.2 to the Exchange 2010 internal IP address and 1.1.1.3 to the internal IP address of the Exchange 2003 server.
The only ports that need to be forwarded are port 443.

You will also need to have a SAN/UCC certificate with the following names in it, installed on BOTH Exchange servers.

cas2010.domainname.com (the external URL for the 2010 server)
legacyexchange.domainname.com (the external URL for the 2003 server)
autodiscover.domainname.com (where domainname.com is the part after the @ in your email address)
cas2010.domainname.local (the internal fully qualified domain name of the Exchange 2010 server)
legacyexchange.domainname.local (the internal fully qualified domain name of the Exchange 2003 server)

Also, if you could confirm the following:

1. Exchange 2010 URL used externally allows access to OWA for a mailbox on Exchange 2003
2. Exchange 2010 URL used externally allows access to OWA for a mailbox on Exchange 2010
3. Exchange 2010 URL used externally allows access to EAS for a mailbox on Exchange 2003
4. Exchange 2010 URL used externally allows access to EAS for a mailbox on Exchange 2010

Just yes or no for the above 4 points will be fine :)
0
tenoverAuthor Commented:
Thanks. Everything is setup exactly as you've described above. As for your four questions,
1.) yes
2.) yes
3.) no
4.) no
0
Glen KnightCommented:
In Exchange Management Console, under Server Configuration > Client Access

Select the Exchange ActiveSync tab, do you have Microsoft-Server-ActiveSync (Default Web Site) listed?
0
tenoverAuthor Commented:
Yes, and Alan had me reset it yesterday to defaults just to make sure.
0
Glen KnightCommented:
Does the server have multiple IP addresses and/or Network Cards?
0
tenoverAuthor Commented:
The server has multiple network cards with multiple network ports in each card, however only one is in use and the server only has one IP address.
0
Glen KnightCommented:
Are the other ports disabled in device manager?
If not please disable them and restart the server.
0
tenoverAuthor Commented:
Disabled and rebooted.  No difference.
0
tenoverAuthor Commented:
The Activesync test fails, even when running it internally, using the FQDN of the server (myservername.mydomain.com).

Testing myservername.mydomain.com (SSL, On LAN):

Communications:
      Doing DNS lookup on myservername.mydomain.com  OK (172.16.1.204)
      Testing TCP to 172.16.1.204 port 443 ..... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... OK
ActiveSync:
      Checking for application ................. FAIL

Result:
      Failed to detect ActiveSync [HTTP Status: 505]

      (For more detailed diagnosis and possible solutions, see www.accessmylan.com )
0
tenoverAuthor Commented:
It should have NOTHING to do with AS settings on the current Exchange 2003 server, right?  I'm simply trying to test ActiveSync on the new 2010 server, from inside (heck, even from the server itself), using a general test account I created ON the new 2010 server.
0
Glen KnightCommented:
This is very bizarre!
Do you have any security software on the server? If so can you remove it?
0
tenoverAuthor Commented:
I had an installation of an Exchange anti-spam tool that was installed but not registered or in use.  I was waiting to get Exchange 2010 working before doing that.  I went ahead and completely uninstalled that product.  Still get the same error.

Here's a twist:
I still get all the same errors when testing EAS against the new server, internally, from any device, however I just added the one 2010 Exchange user to my iPhone using the internal server name and can send and receive email ONLY USING WIRELESS INTERNALLY.  I'm thinking this might just be 2003 doing the work though somehow?
0
Alan HardistyCo-OwnerCommented:
How did you configure the iPhone (i.e., what server name did you use) and what are your internal server names (both please).
0
tenoverAuthor Commented:
I configured the phone while on an internal wireless connection on our LAN.  I used the exchange 2010 user account I had created, and for the mail server name, I used the internal server name (exchange2010server.mydomain.com).

Exchange 2003 server is called exchange2003server.mydomain.com
0
tenoverAuthor Commented:
What's interesting, is when I use the ActiveSync tester on the same phone, while connected to the wireless, it fails with the same error:

ActiveSync is NOT available. (Major Code: 0xffffffff, Minor Code; 0x0)
0
Glen KnightCommented:
Well...that's a start.

On your internal DNS please configure the external URL as per my guide here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3703-Use-iPhone-on-wifi-network-without-the-need-to-reconfigure.html

Then test the iPhone on the wifi again using the external name instead of the internal one.  What's the result?
0
tenoverAuthor Commented:
The current external name that we use is mail.mycompany.com.  

Internal DNS currently has an A record entry for:
exchange2003server.mycompany.com > internal IP
exchange2010server.mycompany.com > internal IP
CNAME: mail.mycompany.com > exchange2003server
0
tenoverAuthor Commented:
From my iphone, when connected wirelessly, I can already ping exchange2010.mycompany.com.

Could this issue be related to the fact that my internal and external domain name are the same?  Even though I have the proper entries on both internal and external DNS servers?
0
tenoverAuthor Commented:
Since I can ping the internal name and IP of the exchange 2010 server from a device that is connected wirelessly, I don't see why Activesync would fail to be detected when doing the EAS test from the same device, even though I can send and receive email from this account (only when connected wirelessly).  Again, thanks a TON for your help with this....I feel like we're close to figuring it out somehow.
0
Alan HardistyCo-OwnerCommented:
Having both the internal and external domain names the same isn't going to help, but it isn't the end of the world.

What are you using for External DNS to point Activesync to your server?  What FQDN are you using?  mail.domain.com or similar?  Have you got a separate FQDN for the 2003 server and the 2010 server?
0
tenoverAuthor Commented:
Yes, exactly.  I can't switch over yet because of all these issues, but here's what I have ready to go.

Our ISP hosts our external DNS.  They have created the following records for me:

MX > our 1st external IP address
A > mail.mydomain.com > our 1st external IP
A > legacy.mydomain.com > our 2nd external IP

On the firewall, I have the 1st public IP NAT'd to the 2003 server.

When I go to test, I simply change the NAT policy to point to the new 2010 server and then enable a second NAT policy that points the 2nd external IP(legacy) to the 2003 server.

(There are rules on the firewall for both to allow 80, 443, 25).
0
Alan HardistyCo-OwnerCommented:
Okay - thanks.  And are you using mail.mydomain.com on the iPhones to configure Activesync once the NAT policy has been switched?
0
tenoverAuthor Commented:
Since they are already using that address, I was assuming they wouldn't need to do anything, since it's the same address, just changed on the NAT side.  But yes, when I've switched over, I've tried using mail.mydomain.com to create a new EAS connection.
0
tenoverAuthor Commented:
I also tried deleting the 2010 user account from my phone, and then adding it again over 3G (not internal wireless) using the current "mail.mydomain.com" address and it failed.  I'm assuming this is because this user is on the 2010 server and the current 2003 server, who is answering to mail.mydomain.com doesn't know how to get it there though....
0
tenoverAuthor Commented:
Just to eliminate firewall policies, external DNS, etc...., can you verify that I *should* be able to test EAS successfully against the new server from WITHIN my LAN?  Just trying to rule out ANY other potential possibilities here....
0
tenoverAuthor Commented:
Here is what is logged in the IIS log when running the ActiveSync tester from my LAN to the new server:

2012-01-04 20:47:36 172.16.1.204 GET / - 443 - 172.16.3.254 AMLAgent/1.0 200 0 0 202
2012-01-04 20:47:38 172.16.1.204 GET /Microsoft-Server-ActiveSync/default.eas &Log=Error:BlockFallbackDevice_ 443 mydomain.com/ex2010 172.16.3.254 AMLAgent/1.0 505 0 0 249
0
Alan HardistyCo-OwnerCommented:
Yes - you should be able to test EAS internally.

Did you install Forefront AV when installing Exchange?

Are you sure port 443 is being forwarded by your firewall / router to the 2010 server?
0
tenoverAuthor Commented:
On the phone with Microsoft right now...they've basically walked me through everything we've already tried.  We were able to, for testing purposes, change the legacy namespace to point to the 2010 server and successfully verified that ActiveSync is in fact working for any user that was created on the 2010 server.  The issue is that when looking in the Exchange Management Console at all my current 2003 Exchange users, when you look in the "Exchange Features" tab, ActiveSync is not enabled, and both the "Enable" and "Disable" buttons are grayed out.  These same users are currently using Activesync on the 2003 Exchange server just fine.  If you have any ideas, please let me know......Thanks.
0
Alan HardistyCo-OwnerCommented:
Interesting.  If you move a user to the 2010 server, does Activesync work for them?

Is Activesync enabled on the 2003 server under Global Settings> Mobile Services?
0
tenoverAuthor Commented:
Yes.  I created a test user on the 2003 server, logged into OWA, then moved the user to 2010 and I could use ActiveSync.

Yes, it is enabled on the 2003 server, just checked.

It was very odd to see that all the legacy mailboxes show ActiveSync as blank (not enabled, not disabled).....
0
tenoverAuthor Commented:
"It was very odd to see that all the legacy mailboxes show ActiveSync as blank (not enabled, not disabled)....."

That is, when you look at the mailboxes on the Exchange 2010 server.
The same mailboxes, when viewed in ADUC show Outlook Mobile Access enabled, and these users have been happily using Activesync on 2003 for years.
0
Alan HardistyCo-OwnerCommented:
Okay - so going back to comment http:#a37331296:

"I would complete the migration if I were you - there can be issues mid-migration and you appear to be finding them."

Move the mailboxes to the 2010 server and then remove Exchange from the 2003 server.  All will no doubt be good from that point forward.
0
tenoverAuthor Commented:
Right, but that will take a few days to move the mailboxes over, and in the meantime, all users who are still on the 2003 box are not able to use ActiveSync.  Dealbreaker with a big convention happening this weekend!
0
Alan HardistyCo-OwnerCommented:
When you look at the mailboxes on the 2010 server - they are Legacy mailboxes and you won't be able to manage them until you move them to the 2010 server.
0
tenoverAuthor Commented:
Understood, but why is ActiveSync not enabled, when it is supposed to be by default???
0
Alan HardistyCo-OwnerCommented:
Understood - but I mentioned moving them on the 23rd December, so you could have moved them across over the Xmas / New Year break and then all would be good by now.
0
Alan HardistyCo-OwnerCommented:
I've never pulled a mid-migration configuration apart to look at why things don't work - I install the new server, install an SSL cert, move the mailboxes, move the NAT on the firewall and then the users are on the new server and happy.  I then kill the old server and job done.

You are mid-migration and not moving forward because of a hitch - which is perfectly understandable, but you will have to move forward and I don't think you have done that yet because of the problem.  If you had moved a mailbox or two for testing to the 2010 server and then tested, you would have found that Activesync worked, so then you could move all your Activesync users over as priority (hopefully not all of them) and then move the non Activesync users afterwards.
0
Alan HardistyCo-OwnerCommented:
I believe that Activesync won't proxy to the 2003 server, so as you are pointing port 443 to the 2010 server and no users are on that server - Activesync is failing.
0
tenoverAuthor Commented:
So, Microsoft wanted me to replace the store.exe and MASsync.dll files, as they weren't the latest and greatest.....But that made me a bit nervous, as everything on the 2003 server is running just fine as-is.  I did a ton of research last night and found an older thread from someone who was having this same issue:

2010 users and 2003 users who migrated over could use ActiveSync, but 2003 users who were still on the 2003 server could not use ActiveSync because the 2010 couldn't/wouldn't proxy to the 2003 server.  It turned out the fix was simply going into Custom Errors on the Exchange virtual directory on the 2003 server and setting the 403;4 error back to default.  It WAS set like so:
403;4  URL  /owaasp/owahttps.asp

After setting that back to default I can successfully access ActiveSync using EXRCA against the new 2010 server as both a 2010 and 2003 user.

Thanks for your help in trying to get this resolved, I can't tell you how much it is appreciated.
0
tenoverAuthor Commented:
From the original thread that I found the fix for:

"Ok, I have figured out the issue for my setup.  Hopefully, it will help others.  If you're getting the 503 error stated above, it could be because you've enabled HTTP redirect to HTTPS for your Exchange virtual directories.  When I did this years ago, I used the following article - http://support.microsoft.com/kb/839357.

The 2010 server doesn't like the 300~ redirect code that the 2003 server is sending back which causes it to send the 503 back in response.  To fix this issue, I had to disable the HTTP redirect.  If you used the KB article above, you would just go to the \exchange virtual directory, click on the "Custom Errors" tab and set the 403.4 error back to default.

When I did this, I started getting another error while testing with testexchangeconnectivity.com.  This error was "An HTTP 403 forbidden response was received. The response appears to have come from IIS7."  This error was due to the option "Require secure channel (SSL)" on the Directory Security tab of the Microsoft-Server-ActiveSync virtual directory. "

"I have a little bit of insight for you.  It appears that in this scenario (Exchange 2003/2010 coexistence) that using activesync is not a redirect but a proxy.  The proxy does/will not use port 443 it uses port 80.  So when you have SSL required on the Microsoft-Server-Activesync directory on exchange 2003 it will break the proxy from the 2010 server.

This isn't a big deal because it is a proxy (ie client --(SSL)--> Exch 2010 --(http)--> Exch 2003).

I discovered this while troubleshooting with MS support.

So the proper way to have this setup:

    Make sure you do not have any site redirection on 2003 websites in IIS.   If you do change it back to default.  (we had it on the default website as well as the activesync virtual directory).
    Disable SSL on 2003 ActiveSync virtual directory.
    Follow all the other normal steps in this scenario (install hotfix, etc...).  Follow the deployment assistant or see this article http://msexchangeteam.com/archive/2009/12/08/453472.aspx 

Hope this can help others.  I have spent easily 20+ hours on this issue. :-)"
0
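As an added diagnostic that is not part of this thread, the following Python probe requests the Exchange 2003 ActiveSync virtual directory over plain HTTP, the way the 2010 CAS proxy does, and reports whether the two settings found above (the 403;4 custom-error redirect to /owaasp/owahttps.asp, or "Require secure channel (SSL)") would break that proxy. The host name is a placeholder, and the sample responses are constructed to mirror the states the posts describe.

```python
"""Probe an Exchange 2003 front end for the two settings that break the
Exchange 2010 ActiveSync proxy: an HTTP-to-HTTPS redirect served through the
403;4 custom error (/owaasp/owahttps.asp) and "Require secure channel (SSL)"
on Microsoft-Server-ActiveSync.  Added example, not code from the thread."""
import http.client

EAS_PATH = "/Microsoft-Server-ActiveSync"
LEGACY_HOST = "exchange2003server.example.local"  # placeholder host name


def classify_eas_probe(status, headers):
    """Interpret the plain-HTTP response of the 2003 EAS virtual directory.

    The 2010 CAS proxies EAS to 2003 over HTTP (port 80), so anything other
    than a normal auth challenge (401) or success (200) means the proxy fails.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (200, 401):
        return "ok"
    if 300 <= status < 400:
        # Custom error 403;4 -> owahttps.asp answers with a redirect to HTTPS
        return "redirect-breaks-proxy -> " + hdrs.get("location", "?")
    if status == 403:
        # "Require secure channel (SSL)" refuses plain HTTP outright
        return "ssl-required-breaks-proxy"
    return "unexpected-status %d" % status


def probe_legacy_eas(host=LEGACY_HOST, port=80, timeout=5):
    """Send one unauthenticated OPTIONS request over plain HTTP, as the CAS
    proxy would, and return (status, finding)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", EAS_PATH)
        resp = conn.getresponse()
        return resp.status, classify_eas_probe(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed responses mirroring the three states described in the thread.
SAMPLE_RESPONSES = {
    "default vdir":       (401, {"WWW-Authenticate": 'Basic realm="exchange"'}),
    "403;4 custom error": (302, {"Location": "/owaasp/owahttps.asp"}),
    "require SSL":        (403, {}),
}


def audit_samples():
    """Classify the constructed samples; returns {state: finding}."""
    return {name: classify_eas_probe(s, h) for name, (s, h) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, finding in audit_samples().items():
        print("%-20s %s" % (name, finding))
```

Run probe_legacy_eas() against the real legacy host from the 2010 CAS itself, since that is the network path the proxy uses; only "ok" means the 2003 side will accept proxied EAS traffic.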
Alan HardistyCo-OwnerCommented:
Ah - well that would have been a very hard one to resolve without seeing the server and finding that thread.

Redirection was one possibility I was going to explore next - but as you were talking to MS - thought it would be best left to them.

Massync.dll won't upset anything - done it a dozen times.  Store.exe should also be fine, but as you said - probably unnecessary.

A lesson learned in messing with Exchange using Custom errors vs leaving standard ones in place.  Bound to have been a very good reason for it being that way, but unless documented - hard to pin down.

Anyway - very glad it is all sorted and hopefully you can complete the migration at your own pace now.
0