Exchange 2007 to 2010 Migration-Activesync
Posted on 2014-02-21
I am in the process of migrating from SBS 2008 to Windows Server 2008 R2 and Exchange 2010. So far, the migration has gone well, but I am running into a bit of a snag as far as Outlook Anywhere, Outlook Autodiscover, Exchange ActiveSync and Exchange ActiveSync Autodiscover are concerned. We have installed a UCC SAN certificate from Go Daddy on both servers (EXCHANGE2007 and EXCHANGE2010) with the following names: autodiscover.domain.com, legacy.domain.com, mail.domain.com, EXCHANGE2007.domain.com, EXCHANGE2010.domain.com, domain.com. The certificate is working just fine from outside the network (i.e., no errors). I have added the "autodiscover" name to the DNS that is hosted by our ISP and have added A records to our internal DNS for both "legacy" (points to EXCHANGE2007) and "autodiscover" (points to EXCHANGE2010) and changed the internal DNS record for "mail" to point to EXCHANGE2010. From inside the network, everything seems to work as expected. To test, I created two test users (TEST1 and TEST2) and moved the mailbox of TEST2 to the EXCHANGE2010 server (after populating both mailboxes with test emails). Internally, the user (TEST1) whose mailbox resides on EXCHANGE2007 is being redirected to that server when they log in using OWA 2007 and the user whose mailbox is on EXCHANGE2010 (TEST2) is going to OWA 2010.
To test externally, I have opened ports 443 and 80 on our Sonicwall firewall and pointed it to the internal IP of the EXCHANGE2010 server. Everything seems to work well as far as OWA is concerned. By that I mean it mirrors what I see internally. However, all users who use an IPhone to connect remotely lose their connection to the server. When I use Microsoft's Remote Connectivity Analyzer to check Exchange ActiveSync, it results in an error of "Testing of OPTIONS command failed with a 403 forbidden response, Forbidden: Access is denied, You do not have permission to view this directory or page using the credentials that you supplied".
Since we have several users who connect with their IPhone from outside, I panicked and disabled the firewall rule that opened ports 443 and 80 to the EXCHANGE2010 server. I don't know if this matters or not, but the original firewall rules pointing ports 443 and 80 to EXCHANGE2007 were still active when I created the firewall rules to EXCHANGE2010 and I am not sure if I should have disabled these first.
I am sorry for such a longwinded post, but I feel I am very close to getting this to work and I need help!
Thank you very much and please let me know if additional information is needed.