ZBI-IT
 asked on

Exchange ActiveSync not pushing email to tablets

Recently set up ActiveSync.  Double-checked the configuration using alanhardisty's article from February 2010.  Tested on an iPad as well as a PlayBook and got the same result.  I can send email all day long but no email will sync with the device.  Any suggestions?
Exchange

Last Comment
Alan Hardisty

8/22/2022 - Mon
Alan Hardisty

What were the results of the Activesync test on https://testexchangeconnectivity.com?

Did you go through my article with a fine toothcomb?
ZBI-IT

ASKER
Results of the active sync test were...
Potential compatibility problems were identified with some versions of Windows Phone.
The certificate is not trusted on any version of Windows Phone device.

Yes, I went through it with a fine tooth comb, but I have a few questions.

The OMA virtual directory is not addressed when not part of a small business server.  I have this directory, so I set up to match what you had listed under part of small business server.  Is this correct?

Under the Exchange and Public virtual directories you have the Realm needing to be yourcompany.com.  However, the variable USERDOMAIN is just our internal domain name.  Not the one used with mail.company.com.

Under the Public virtual directory, does Require 128-Bit Encryption need to be checked?

I have not tried it with the Domain left as \ and Realm left blank.  

I don't have questions on anything else as it all matches your article exactly.
Alan Hardisty

The warning can be ignored (sounds like a GoDaddy cert) unless you have an old Windows 5.0 mobile phone.

Are you running SBS or just Exchange 2003?  If the latter - is it just a single server?
ZBI-IT

ASKER
It's a Comodo cert.

Running Exchange 2003.  We have 5 servers.  OWA and RPC HTTPS are both working fine.
Alan Hardisty

Okay - GoDaddy certs throw up the same alert!

Is that 5 Exchange Servers or just the one Exchange Server?
ZBI-IT

ASKER
Yep, as do a few others.

One Exchange server.  Everything working great except this.
Alan Hardisty

Okay - then please just look at the Non-SBS section of my article for the IIS settings.

Don't worry about the OMA virtual directory.

Beyond the Certificate warning - are there any errors at the bottom of the test?
ZBI-IT

ASKER
No other errors.  

I've looked at the non sbs section two or three times.  The only concerns I have were the questions I raised a couple of posts ago.

Under the Exchange and Public virtual directories you have the Realm needing to be yourcompany.com.  However, the variable USERDOMAIN is just our internal domain name.  Not the one used with mail.company.com.

Under the Public virtual directory, does Require 128-Bit Encryption need to be checked?

I have not tried it with the Domain left as \ and Realm left blank.
Alan Hardisty

The Realm / Domain MS set as \ and blank - but I have fixed Activesync a few times by adding the settings in my article.

Yes to the 128-Bit for the Public Folder - looks like I need to add this to my article!  Sorry.

Okay - so if no errors, what happens on the Tablets?
ZBI-IT

ASKER
The tablets accept the settings with no trouble at all.  On the iPad, the folder structure of the mailbox downloads instantly but it just continually shows the status of checking for mail.  If I draft a message and send, it sends and I receive it.  I'm not so concerned with the PlayBook, but no folder structure appears and no mail is brought in.  But if I draft a message, it sends and I receive it.
Alan Hardisty

Okay - how many days worth of emails are you pulling down and is there mail in the Inbox received within the same time period?  Default is the last 3 days and only the Inbox is set to sync by default.
ZBI-IT

ASKER
I've tried anywhere from 3 to 30.  I've set additional folders to be sync'd.  Even when I send an email successfully, it doesn't show in the sent items but yet shows in the sent items in the Outlook client.  Yes, mail is being received within the same time period.
Alan Hardisty

Weird!!

Have you got Anti-Virus software installed on the Exchange Server?  If you do - what is it?
ZBI-IT

ASKER
Symantec Endpoint Protection.cloud
Alan Hardisty

Okay - have you looked at the Inconsistent Sync Section of my article and checked the Registry setting is present?  If not - please do and add accordingly.
ZBI-IT

ASKER
Yes, it is present.
Alan Hardisty

Okay - I'm getting confused now.

How many accounts have you tried to add to the Tablet?  If only one, please try others.

Have you factory reset the tablet and tried adding an account again?

Have you tried adding a problem account to a known good working tablet / mobile device?
ZBI-IT

ASKER
I've tried adding two different accounts on two different tablets.

I have not factory reset either of the tablets as it is happening on multiple tablets on different platforms.  Highly unlikely this is needed.

The accounts aren't problem accounts and the tablets are both good and working fine otherwise.

I am a bit surprised that no one else has had this specific issue where email won't push to an iPad or other tablet from Exchange 2003 and have some sort of straightforward fix.

Any chance the changes haven't taken and a server restart is needed?
Alan Hardisty

Okay - would you consider setting me up an account on your server so that I can add the account to my iPad / iPhone for testing?

Everything sounds like it should be okay, so why it isn't is a bit of a mystery at the moment.

Do you have Activesync working happily to other devices?

A reboot is always a good idea - sometimes the most stupid of problems get ironed out with a reboot
ZBI-IT

ASKER
I just set up ActiveSync within the past week or so, so I do not have it working on any devices yet.  We run a BES and I've never had a need for it.  We are issuing iOS and Android devices to certain users now so that's what prompted me to set it up.  

I've run IISRESET and ran the ActiveSync tester inside and outside my network and everything checks out.  

However, I just noticed Event ID 3005 in the logs.  Other than that, the logs are clean.
Alan Hardisty

A lot of the 3005 errors can be ignored.  Do any of the users with the 3005 errors have more than 5,000 items in a single folder in their mailbox?
ZBI-IT

ASKER
No, not in a single folder.  Over the span of their mailbox, yes.

There is one 3005 error for every time I set up a mailbox on a mobile device and it's exactly the same every time.

Unexpected Exchange mailbox Server error: HTTP status code: [409]. Verify that the Exchange mailbox Server is working correctly.
Alan Hardisty

Have you installed the patch KB967046 yet?

I have it available if you would like to download it rather than call MS for it.
ZBI-IT

ASKER
I have not.  If you can save me from waiting on MS for it that would be appreciated!
ZBI-IT

ASKER
Where can I get it from you?
Alan Hardisty

As soon as I get into evening mode, I'll look up my download link and post it for you.

Just cooking dinner and being a dad at the moment.
Alan Hardisty

Okay - random file name, but then that's down to Microsoft and not me!

http://www.sohotechnology.co.uk/372368_intl_i386_zip.exe

Let me know if you have any problems.

Alan
ZBI-IT

ASKER
Thanks.  

Just noticed that OWA isn't working properly now.  I've never had any problems with OWA.  It looks like it's trying to use basic authentication now.  When trying to log off, it returns...

To complete the log off process and prevent other users from opening your mailbox, you must close all browser windows and exit the browser application.

Can't seem to figure out where I ticked basic authentication that is causing this.
Alan Hardisty

OWA uses the .Exchange virtual directory and this should have Integrated and Basic Authentication, so please re-enable the Integrated Auth and then run IISreset from a command prompt.

When you login to OWA, do you get a plain Windows login box or a pretty login screen?
ZBI-IT

ASKER
I've had it set to integrated and basic.  Ran iisreset.  Same problem.

Always have had the OWA login screen.  Now it's just a basic login window.
ZBI-IT

ASKER
Found the issue.  When setting up ActiveSync I unchecked Require SSL per your article.  I rechecked this and OWA is working again.  However, I assume this will prevent ActiveSync from working now.
Alan Hardisty

Okay - so it sounds like you had Forms Based Authentication working.

If you have Forms Based Authentication running, you need to follow KB817379.  This means that the Exchange virtual directory should have SSL enabled and the new exchange-oma virtual directory doesn't have SSL enabled.

FBA can be checked using Exchange System Manager - find the protocols and then expand to show HTTP, then right-click and choose properties, then click on the 2nd tab (can't recall the name) and see if FBA is enabled.  If you want pretty OWA login Screen enabled - this should be ticked.

Again - if you change anything, run iisreset.
ZBI-IT

ASKER
See my post right before yours.  How will this affect getting ActiveSync to work?
Alan Hardisty

That is randomly covered by my answer just after yours!
ZBI-IT

ASKER
I already have all of that set like that so I assume then it should work.  I will be restarting our Exchange server shortly and retesting on an iPad later tonight.
Alan Hardisty

Okay - so you have the exchange-oma virtual directory without SSL enabled?

Do you have a redirect for the default website to redirect HTTP traffic to HTTPS and if you do - how has this been done, because if done incorrectly, it can cause Activesync issues!
ZBI-IT

ASKER
Yes, the exchange oma virtual directory is without ssl enabled.  I wasn't intending on changing anything in there because it's not a small business server.  But it matches what you have in your article for a sbs.

Yes, I have a redirect for OWA.  It was done using KB839357.
Alan Hardisty

And that is probably where your problem lies.

If you try to visit http://whatever.yourdomain.com/exchange-oma, does it try to redirect you to https://whatever.yourdomain.com/exchange-oma ?
ZBI-IT

ASKER
/exchange-oma returns page cannot be found.

/oma prompts for user name and password via basic authentication and then returns Outlook(R) Mobile Access is supported only on Microsoft(R) Exchange Server 2003. Currently your mailbox is stored on an older version of Exchange server.

I had tested /oma previously and it would load the folders in the browser window.  Now it's returning the above message.  

Re-ran the remote connectivity analyzer just now and it looks like they've updated it over the past couple of days.

It is now successful right up until the very end and returns....

The test of the FolderSync command failed.
Exchange ActiveSync returned an HTTP 500 response.

A number of new things going on here.
Alan Hardisty

Yes - the test site got a new version yesterday apparently.

The HTTP 500 error isn't great.  It can be easy to fix or it can be a PITA to fix.

The usual fix is to follow Method 2 of KB883380 (also delete the exchange-oma virtual directory), then when the virtual directories have re-appeared, follow KB817379 to put back the exchange-oma virtual directory too.

After that, run iisreset and re-test and worst case, reboot.

If the 500 error won't go away then my article tends to run out of steam!
ZBI-IT

ASKER
I have no delete option on the Exchange virtual directory and I've already deleted Exadmin.  Should I continue with the rest?
Alan Hardisty

What?  You can't right-click and delete it?

A little odd.

Possibly down to the redirection setup.
ZBI-IT

ASKER
Not the Exchange virtual directory.  The others needing to be deleted per the article, yes.
Alan Hardisty

All the ones listed should be deleted, including the exchange-oma virtual directory.

Can you / have you been able to delete the Exchange virtual directory?
ZBI-IT

ASKER
I was just able to delete it.

I've re-created all of the virtual directories and verified the settings are matching your article for ActiveSync, with the exception of the Exchange virtual directory.  I have SSL ticked.  Is it possible for ActiveSync to work with SSL ticked for the Exchange virtual directory?

I assume nothing needs to be touched with the OMA directory since it's not a sbs.    

Also, I'm filling in the domain and realm.  I asked you previously about the realm being our internal domain name and not ourcompany.com domain name and you said it didn't matter.  I just want to be sure I have the right name in there.  I put what was returned for the variable userdomain.  Not the domain used with OWA.  

I ran iisreset, rebooted, and tested through the rca and got the same result.  

I am going to test from an iPad in a bit to see if anything has changed but I suspect it hasn't.
Alan Hardisty

With Exchange 2003 (not part of SBS), Exchange normally has SSL disabled and the microsoft-server-activesync has SSL enabled.

If you use Forms-Based Authentication, then the Exchange Virtual Directory will have SSL enabled and then you need to add the exchange-oma Virtual Directory without SSL to compensate.

The Domain / Realm I would leave as \ and blank as this is the MS way.

Activesync can work without SSL, but it isn't recommended and passwords will be flying around the ether unsecured.
ZBI-IT

ASKER
Your article says to select integrated and basic for the oma virtual directory.  The kb article says to only select one but doesn't specify which one.  What's your recommendation?
Alan Hardisty

Which KB article relates to the OMA virtual directory?

I would follow my article.
ZBI-IT

ASKER
Whether I select one or both for authentication, the result is the same.
ZBI-IT

ASKER
When testing from an iPad now, the account creates fine but instead of checking for mail, it automatically says the following.

Cannot Get Mail
The connection to the server failed.

I am no longer able to send an email either.

Looks like we've taken a couple of steps backwards.
ZBI-IT

ASKER
Got a bit further.  The result of the connectivity test is now returning the following.

An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body>
Alan Hardisty

Okay - the 403 error suggests you are missing the exchange-oma virtual directory, so please review KB817379 and make sure all settings are in place and correct.

Database corruption could also be a possibility.
ZBI-IT

ASKER
Everything is set up correctly according to the article.  Since I'm not running a small business server, I assume I only need one OMA directory and not both exchange-oma and OMA.  Is this correct?

Also, I am noticing in the logs now when attempting to set up an account on a tablet the following event is logged.

Server ActiveSync 3031

The mailbox server does not allow "Negotiate" authentication to its [/OMA] virtual directory. Exchange ActiveSync can only access the server using this authentication scheme.  For information about how to configure Exchange virtual directory settings, see Microsoft Knowledge Base article 817379, "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003"
ZBI-IT

ASKER
I'm revisiting this as I am now at the point where I really need to get it working.  

When I run the ActiveSync Connectivity Tests with any user account I get the following error at the very end.

An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body>

We are not running a Small Business Server.  I went through your Exchange 2003 - Activesync Connection Problems FAQ article with a fine toothcomb and found the following differences on our Exchange server.  

1.  Require SSL is ticked under the Exchange Virtual Directory.
2.  Forms Based Authentication is turned on under Exchange Virtual Server.

I have a couple of questions.

1.  Since we are not using a Small Business Server, does it matter what settings the OMA Virtual Directory has?

2.  We do not have an Exchange-oma Virtual Directory.  You first say it is not needed when Exchange is not part of a Small Business Server but then later say to install it if using Forms Based Authentication and getting the HTTP 403 Error.  So which is it?

One or both of the differences above is causing it not to work.
ASKER CERTIFIED SOLUTION
Alan Hardisty

Log in or sign up to see answer
Alan Hardisty

The reason why you need the Exchange-OMA virtual directory is because you use port 443 to the microsoft-server-activesync virtual directory and then Exchange makes an internal call to port 80 to the Exchange virtual Directory.

When FBA is enabled, SSL is also enabled on the Exchange virtual Directory, meaning no internal call to port 80 can happen, so you add the registry key and create the exchange-oma virtual directory to handle the internal calls on port 80 and bingo, it works.
ZBI-IT

ASKER
OK.  Once I add the Exchange-oma virtual directory do I then follow the virtual directory settings for the SBS section OR keep the settings I have and just change the OMA and Exchange-oma settings?  

For the Exchange Virtual Directory, I already have Require SSL ticked.  For the Microsoft-Server-Activesync virtual directory, I currently do not.  Do I keep these as is, or change the Microsoft-Server-Activesync to Require SSL per your SBS settings?
SOLUTION
Log in to continue reading
ZBI-IT

ASKER
OK.  I have completed that and I am no longer getting the HTTP 403 Error when attempting the FolderSync command, but I am getting the following error when attempting the initial sync to the Inbox folder.

This initial sync won't return any data.

An error occurred while the Sync command was being tested.
       
Additional Details
Exception details:
Message: The operation has timed out
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Extensions.RcaHttpRequest.GetResponse()

The Application Event Log has the following 3005 error...

Unexpected Exchange mailbox Server error: HTTP status code: [409]. Verify that the Exchange mailbox Server is working correctly.

So I increased the Default Website Timeout value from 120 to 480 and restarted IIS.  I got the same result on the test but no errors in the Application Event Log.
Alan Hardisty

Okay - that's better but not there yet sadly.

Most of the 3005 errors can be ignored.

Any other Event Log entries of note relating to Exchange or Activesync you can see?

What sort of firewall do you have?

Alan
ZBI-IT

ASKER
There are no other warnings or errors relating to Exchange or Activesync in the logs.  

I see nothing being blocked by our SonicWall firewall.
Alan Hardisty

Is your SonicWall doing any form of HTTP / HTTPS traffic Inspection?
ZBI-IT

ASKER
Yes, inbound inspection.  The logs indicate what is being prevented and nothing related to Exchange or ActiveSync is present after running the test.

The Exchange server logs are still clean as well.

I've tried setting up accounts on a couple of phones and tablets and they all accept the information and pull down the full folder structure but nothing beyond that.
Alan Hardisty

Can you disable the inbound inspection please and then re-test.

Also test locally on the LAN without using the firewall.
ZBI-IT

ASKER
Not sure what is wrong with the Analyzer today but I've tried verifying the characters a few dozen times throughout the day and it fails every time.  I will re-test as soon as it is working again.
Alan Hardisty

Try the tool linked in my article.  The Access My LAN tester works both locally and via the internet, so can test with/without your firewall being in place.

Alan
ZBI-IT

ASKER
Both inside and outside return the same result... ActiveSync IS available.

When I click on Diagnose... it indicates that our Exchange Server environment is correctly configured.  It also has a note to Reconfigure SSL/session timeouts to 30 minutes.  We started at 2 minutes and bumped it up to 4 minutes.  I guess I can try bumping it to 30 minutes seeing as everything else checks out.  Our firewall is correctly configured as I indicated yesterday.
Alan Hardisty

Can you humour me and turn off the HTTP / HTTPS firewall inspection, test and then if no joy, turn it back on again?

Alan
ZBI-IT

ASKER
I already did that prior to my tests last night.  It tests as working both on and off.

The Analyzer verification is working today.  I just ran the tests both inside and outside and it returned Connectivity Test Successful.  

Just tested on a BlackBerry tablet and an iPad and both are able to send and receive.
Alan Hardisty

Excellent news - glad it is working and thanks for the points.

Alan
ZBI-IT

ASKER
Looks like I spoke too soon.  It stopped working late this afternoon after working all day, although mail was trickling in at times much later than when it hit the server.  We were getting errors 3015 and 3024 in the logs every 15 minutes.  I added 2883 to the reserved ports, rebooted, and that stopped those errors.  Logs are clean since on both the Exchange server and the firewall.  Tested again with inbound inspection on and off and it made no difference.  When I test with the Analyzer it fails with a timeout error syncing the Inbox.  When I test with the desktop tool, it says it is available and configured correctly.  I thought it could possibly be our Symantec Endpoint Protection blocking it for some reason but when I disable and retest I get the same result.  

Any ideas?
ZBI-IT

ASKER
We finally received an error in the Exchange logs..  It's error 3007 and we received it once at around 4:15 AM this morning.  

Exchange ActiveSync Server failed to communicate with the Exchange mailbox server in a timely manner. Verify that the Exchange mailbox Server is working correctly and is not overloaded.

What's odd is the test account had three emails hit it since yesterday at 5 PM when it stopped working.  Only one of those emails made it to the devices and that was at 12 midnight.

Thinking back through things, it stopped working when I added 2883 to the list of reserved ports.  I haven't had a chance to undo that and retest as I am in the middle of a backup.  

Let me know if you have any ideas other than that.  Thanks.
ZBI-IT

ASKER
Email is being received as normal for two of three test devices without any changes being made.  However, the Analyzer still fails with a timeout error syncing the Inbox.
Alan Hardisty

What AV Software do you have on your server?
ZBI-IT

ASKER
Symantec Endpoint Protection.  As I said, I completely disabled it and the problem still existed.  The Exchange server logs remain clean over the past three days where we've had issues.  This is what we've seen over the past three days....

Friday AM - Analyzer tests successful and email can be sent and received on all three test devices.

Friday 5PM to Saturday PM - Analyzer Inbox sync fails.  Email received intermittently on all three test devices.

Saturday PM to Sunday PM - Analyzer tests successful but email can only be sent and received on two of three test devices.

Monday AM - Analyzer tests successful and email can be sent and received on all three test devices again.
Alan Hardisty

Okay - disabling AV isn't usually sufficient enough.  You need to uninstall it and reboot to make sure it isn't getting in the way.
Alan Hardisty

What version of SEP are you using?
ZBI-IT

ASKER
The latest version of SEP.cloud.  It was disabled and all related services were stopped.  

The Analyzer was failing for a ~30 hour period from Friday 5PM - Saturday 9PM.

We run full backups on the weekends during that time but the Exchange logs are completely clean and free of any warnings or errors related to ActiveSync, Exchange, SEP.cloud, BEX.cloud.
Alan Hardisty

The trouble with any AV is it gets its claws into an OS, and even when disabled, it can still mess with everything.

Removing it is the only real way to know it isn't causing you problems.

Alan
ZBI-IT

ASKER
I guess I'm left to see if it works through the week and what happens this upcoming weekend during the times it didn't work this past weekend.  If the same thing happens, it's most likely our backup.  The issue then is figuring out why because it's not affecting any of the BlackBerrys running off of our BES.
Alan Hardisty

BES uses different protocols / ports to communicate.

Activesync uses port 443 and something has to be interfering with the server / causing it problems and usually it is AV that causes the biggest problems.

I'd be happy to take a look remotely, but we are not allowed to ask via EE for security reasons.

Alan
ZBI-IT

ASKER
Yes I know.  I'm simply offering information to see if any valid ideas arise besides the AV route.  There are three places logs are created for SEP.cloud and they're all clean.  I know MSE causes issues with ActiveSync.  Knowing how robust of an AV that SEP is and the ability to control every aspect of it, it'd be a stretch for it to be causing problems especially when we recently did a clean install of it.  Exchange server logs are clean.  Firewall logs are clean.  The problem I'm having now is that the full backup that ran this past weekend pretty much matches when the ActiveSync Inbox sync failure occurred.  That doesn't leave me with many options as moving when the backup runs will only shift the issue.  I'll keep an eye on how it's functioning through the week and report any changes.  I'm expecting it to stop working Friday evening when the full backup starts for the weekend and begin working again when it's finished.  Other than confirming that at that point, I won't be left with any options to resolve.  Will post as I have updates.  Thanks.
Alan Hardisty

Okay - so what backup software are you using to back up the server with?

Are you running Exchange 2003 Standard or Enterprise?

If Enterprise, how many databases do you have and what sort of sizes are they?
ZBI-IT

ASKER
So from last night around 5PM to this morning around 10AM email stopped being received by the test BlackBerry using ActiveSync.  Emails were able to be sent though and the recipients received them as normal.  The two test tablets did not stop receiving email and were able to send and receive during that time.

We are running Exchange 2003 Standard and we use Symantec Backup Exec.cloud for our incrementals through the week and Backup Exec locally for our full backups on the weekend.  The incrementals run 5PM - 7AM and the full runs from 7PM Friday until it's done, which is usually Saturday evening.  Both of these very closely match when we have experienced issues with the test BlackBerry using ActiveSync.  This is a BlackBerry 10 device that we are testing with ActiveSync prior to upgrading our BES to BES 10, which uses ActiveSync.  I need to be sure ActiveSync is fully working prior.
Alan Hardisty

So by the sounds of it, the Cloud backup is sending your data offsite down your internet connection.  Is that right?

If so - what speed connection do you have and can you reserve bandwidth for port 443 in/out on your firewall so that the backup doesn't flood the connection to the detriment of everything else?
ZBI-IT

ASKER
Yes, that is right.  We have 50Mbps down / 10Mbps up.

I have come across a default setting on our firewall that may be causing the issue.  By default the TCP connection inactivity timeout is 5 minutes and is applied to all rules.  This default can be changed globally to apply to all rules or on each individual rule as needed.  I am going to bump it to 20 minutes for our Exchange rules and see if it makes a difference.
Alan Hardisty

That might well help as Activesync keeps a permanent connection open to the server and if it is getting knocked out, that might cause issues.

As for the 10Mb up - how much data is being pushed to the Cloud during an average daily backup / weekly full backup?
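The interaction discussed above, between a firewall's TCP inactivity timeout and the connection ActiveSync holds open, can be checked from the Exchange front end's IIS logs. The following is an added example and not part of the thread: the log lines, device IDs and device types are constructed, and it assumes W3C extended logging with the `time-taken` field enabled.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended format (time-taken is in milliseconds).
# Device IDs and types are made up; real logs declare their columns in "#Fields:".
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status time-taken
2013-05-06 11:44:02 POST /Microsoft-Server-ActiveSync User=test1&DeviceId=DEVICE-A&DeviceType=Tablet&Cmd=Ping 200 240110
2013-05-06 11:44:03 POST /Microsoft-Server-ActiveSync User=test1&DeviceId=DEVICE-A&DeviceType=Tablet&Cmd=Sync 200 412
2013-05-06 11:56:10 POST /Microsoft-Server-ActiveSync User=test1&DeviceId=DEVICE-B&DeviceType=Handset&Cmd=Ping 200 899870
2013-05-06 12:11:11 POST /Microsoft-Server-ActiveSync User=test1&DeviceId=DEVICE-B&DeviceType=Handset&Cmd=Ping 200 900020
2013-05-06 12:12:00 GET /exchange/test1/Inbox - 200 95
"""

def parse_eas(log_text):
    """Yield (device_id, command, held_ms) for each ActiveSync request."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue                        # OWA, RPC over HTTPS, etc.
        taken = row.get("time-taken", "")
        if not taken.isdigit():
            continue                        # field not logged for this row
        query = parse_qs(row.get("cs-uri-query", ""))
        yield (query.get("DeviceId", ["?"])[0],
               query.get("Cmd", ["?"])[0],
               int(taken))

def pings_over_timeout(log_text, idle_timeout_s):
    """Map device -> held times (ms) of Ping requests that sat idle past the timeout."""
    risky = defaultdict(list)
    for device, cmd, held_ms in parse_eas(log_text):
        if cmd == "Ping" and held_ms > idle_timeout_s * 1000:
            risky[device].append(held_ms)
    return dict(risky)

if __name__ == "__main__":
    for minutes in (5, 20):                 # the two timeouts mentioned in the thread
        print(f"{minutes} min:", pings_over_timeout(SAMPLE_LOG, minutes * 60))
```

A device that appears in the result for the configured timeout keeps its Ping request idle for longer than the firewall allows an idle TCP connection to live, so the server's eventual response may never reach it.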
ZBI-IT

ASKER
Average daily incremental backup is ~100GB.

Average weekly full backup is ~500GB.
Alan Hardisty

Ouch. 100gb pushed up a 10mb pipe means a backup will last about 23 hours.

A weekly backup would take about 4 days!

Does the backup take that long?  It would explain why Activesync doesn't get much of a look in.

Have you considered a second line for backups?
ZBI-IT

ASKER
Incremental backups go to the cloud Monday through Friday and take between 12 - 17 hours.  We are in the process of bringing these back from the cloud once we get a dedicated storage server in place for those backups.

Full backups are done locally starting Friday evenings and take between 24 - 30 hours.

So, no it doesn't take that long, and yes we have considered a second line for backups.  The decision we made was to put a dedicated storage server in place and pull back from backing up to the cloud.  Cost, control, efficiency, and effectiveness makes it a no brainer.

Again, ActiveSync works all day long on 2 of 3 test devices.  The third, a BlackBerry Z10, has been intermittent.  I just got a pile of Q10's and have to put the upgrades on hold.  Since BES 10 works off of ActiveSync, we can't roll it out and start upgrading our users until this ActiveSync issue is resolved.
Alan Hardisty

So all devices apart from the Blackberries (Z10 / Q10) are working correctly?
ZBI-IT

ASKER
Haven't tested a Q10 yet but yes the Z10 that I've been using for testing from the beginning works intermittently while the other devices work fine.  The others are a mixture of tablets.  For example, the Z10 worked from last Friday from 12 midnight to 5PM.  Then from that point until Sunday around 12 midnight emails were not being received but I could send from the device.  Then from that point until around 11:45AM yesterday morning, emails were able to be sent and received from the Z10.  From 11:45AM until 12 midnight again, emails could be sent from the device but were not received.  Then from that point all of the emails for the day came through and I have been able to send and receive since that time.  Based upon how things have gone since Friday, I would expect it to stop receiving emails in the next hour or so.
ZBI-IT

ASKER
As of 11:53AM I stopped receiving emails on the Z10.  I had two emails hit Outlook at 11:53AM, one was delivered to the Z10 and the other was not.  Since then, I have only had one email come through to the Z10.  I am able to still send from the Z10 without any issues.
Alan Hardisty

Are you using the same accounts on the different phones or different accounts?
ZBI-IT

ASKER
Same account for all devices being tested.
ZBI-IT

ASKER
It appears that since 11:53AM, only emails delivered to the Inbox are hitting the Z10.  Any emails delivered to subfolders of the Inbox are not hitting the Z10.  Yesterday nothing hit the Z10 from 11:45AM - 12 midnight.  So there isn't that consistent of a pattern here.
Alan Hardisty

Okay - do you have to subscribe to the folders on the Z10 like you do on an iPhone before they get pushed?

The same account rules out problems with the account (sadly).
ZBI-IT

ASKER
There is a Sync All Email Folders option that can be turned on or off.  I have it turned On.  You can turn it off directly or by unselecting any folder.  The fact that it works half the day and not the other half is what is making this issue so difficult to figure out.
ZBI-IT

ASKER
I've also tried different combinations of the Push and Sync Interval options and the issues persist either way.  When leaving Push on the device still has the issues.  When turning push off and setting the Sync Interval to 15 or 30 minutes the device still has the issues.
Alan Hardisty

Okay - so the non BB devices work happily but not the BB ones?
ZBI-IT

ASKER
Yes.  Unfortunately, we have 15 Blackberry devices that will eventually be migrated to BES 10 and only a handful of iOS and Android devices.  I'm ready to migrate as soon as I know ActiveSync is working properly.  It's testing successfully since Saturday evening but still have the intermittent issues on the Z10.
Alan Hardisty

It does rather sound like a bad implementation of Activesync on the BB devices.  Are there any device updates available?

Does the test site work for the same account that you are using on the BB's?

Alan
ZBI-IT

ASKER
No.  All devices are up to date.  

Yes, the account works across the board everywhere it is used.
Alan Hardisty

Sounds like a specific BB problem with Activesync then as it works with the same account on different devices and the only common problem is on a BB device!

Sorry
ZBI-IT

ASKER
Yes, other than the ActiveSync inbox sync errors that happen intermittently.
Alan Hardisty

Exchange 2003 Activesync is a very early implementation and lots of enhancements have come along since the 2003 days and it sounds like if you want to continue to use BB's, you had best upgrade to Exchange 2007 / 2010 or 2010, then 2013 (no direct upgrade to 2013 is available).