ActiveSync stopped working

We have an SBS 2003 server running Exchange 2003 and a few days ago users stopped being able to get email on their phones through ActiveSync. They are getting messages like network unavailable, or security certificate errors. Even when trying to re-setup the account or add new phones we get server unavailable on some androids, and on others "There are problems with the security certificate for this site" followed by "Unable to open connection to server, Security error occurred". I have taken many steps to try and resolve the issue including:

1. Checking 443 is open and pointed at the exchange server
2. Turning off our GFI Mail Essentials and testing
3. Using Server Manager wizard to re-create the certificate
4. Ran the Microsoft Exchange ActiveSync Connectivity Tests on their analyzer, and the failures that were produced per below:
5. Going through all these steps: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

None of this has been successful, and I would greatly appreciate any help you can provide. All phones are affected, and PCs work normally.

testconnectivity.microsoft.com results:

The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
  The Exchange ActiveSync test failed.
  Additional Details
    Elapsed Time: 795 ms.
  Test Steps
    Attempting to resolve the host name mail.xxxxx.com in DNS.
      The host name resolved successfully.
      Additional Details
        IP addresses returned: xxx.xxx.xxx.xxx
        Elapsed Time: 306 ms.
    Testing TCP port 443 on host mail.xxxxx.com to ensure it's listening and open.
      The port was opened successfully.
      Additional Details
        Elapsed Time: 253 ms.
    Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
      Additional Details
        Elapsed Time: 235 ms.
      Test Steps
        The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.xxxxx.com on port 443.
          The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
          Additional Details
            The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
            Elapsed Time: 182 ms.
ckleavitt2 Asked:

I Qasmi, Technical Lead, Commented:
Check the certificate hasn't expired.

Type in PowerShell

Get-ExchangeCertificate | fl

Check the certificates for your FQDN: mail.contoso.com etc.

Also check for events 12014, 12015, 12016, 12017, 12018 in the Event Viewer.
0
Simon Butler (Sembee), Consultant, Commented:
The self signed SSL certificate created by SBS 2003 wizard is not supported for use with ActiveSync.
You should switch to a trusted SSL certificate. A standard single name certificate will be fine - something like GoDaddy or one of their resellers will be the cheapest option.
If you have recreated the self signed certificate, for the ActiveSync clients to trust it, it will have to be installed on to each device - simply not worth the headache - switch to a trusted certificate instead.

Although SBS 2003 is very old, I would suggest an upgrade in the very near future. You will find some ActiveSync devices simply do not work properly with a server of that age.


@ Irfan Ahmed - read the question. SBS 2003 is Exchange 2003. No PowerShell/EMS.

Simon.
0
ckleavitt2, Author, Commented:
Simon, this has been working up until a few days ago using a self signed certificate with no problems. And the certificate had not expired and was using the correct fqdn, even before creating a new one.  However, I will definitely look into the trusted SSL right away, but I would like to figure out why it just stopped working with our current setup. Upgrades are already in the approval process, but that is 30-60 days out. Do you think this would be acceptable: https://www.ssl2buy.com/comodo-multi-domain-ssl.php

What are the chances the Trusted SSL doesn't solve the issue? Although I imagine this is the option I will want regardless.
Thank you for your help.
0

I Qasmi, Technical Lead, Commented:
Thank you Simon,

ckleavitt2

Please check the configuration settings for SBS and standard server for Exchange 2003 ActiveSync configuration and what needs to be rectified. Here is an amazing article by Alan:

http://alanhardisty.wordpress.com/2010/02/28/exchange-2003-and-activesync-configuration-and-troubleshooting/
0
ckleavitt2, Author, Commented:
I Qasmi,

Please see my original question. I already went through the steps that Alan Hardisty put together.  You have simply provided a link to the same information. I appreciate your willingness to respond, but I am afraid your lack of comprehension or unwillingness to read is an impediment to the process.
0
Simon Butler (Sembee), Consultant, Commented:
Without a valid certificate the testing site at Microsoft is going to fail, due to the lack of trust. Therefore if a trusted certificate fails then at least it will allow the tools to work for diagnosis.

Previous behaviour is not an indication that it was configured correctly or will continue to work.

If it was working, what changed? Things don't usually stop working on their own.

The Comodo certificates will work, but they are usually more expensive than other providers.
As this is Exchange 2003 you need a standard certificate, nothing more. If the upgrade is taking place in the near future, get the cheapest trusted certificate you can find. In many cases you get a certificate from GoDaddy with coupons for US$10/year. You would only need one year. Then get a new certificate for the new deployment.

Simon.
0
ckleavitt2, Author, Commented:
So the ignore trust for SSL option on the testing site does not do what I thought then. I will purchase a standard SSL and re-test. Thank you.
0
Alan Hardisty, Co-Owner, Commented:
You don't need to buy a 3rd party SSL to get this working.  It will work happily with a self-issued SSL cert and you can choose the Ignore Trust for SSL check box on the test site and it will work happily.
0
Alan Hardisty, Co-Owner, Commented:
As this is SBS - just re-run the Connect To The Internet Wizard and generate a new SSL certificate using the Public FQDN you are currently using and then re-test.  Steps are outlined in my article that you have referenced.

Alan
0
ckleavitt2, Author, Commented:
Alan, I was hoping you would chime in at some point.
I followed your article and did the Internet Wizard to generate the new cert, making sure the fqdn was correct. I did this before posting my question. However, this did not resolve my issue :(. The test results above were post following your article. Oddly, when I set things up for the first time a few years back I referenced your article and everything worked great from that point up until a couple days ago. Any other suggestions?
0
Alan Hardisty, Co-Owner, Commented:
Sorry - busy weekend!

What Antivirus software is on the server?

What changed recently (or did nothing change)?

The certificate should be fine if you just reissued it.  What router do you have and is it on the latest firmware?
0
ckleavitt2, Author, Commented:
AVG CloudCare is the AV, and we use a WatchGuard XTM router. I will update that software while I am at it as I think there is a newer software version available. And there have been no changes to the server software or hardware since well before the problem occurred.
0
Alan Hardisty, Co-Owner, Commented:
Hmm!  Odd.  Might be worth trying a 3rd party certificate to rule out the self-issued one, but it shouldn't be necessary.  Should cost about $30 - link in my article if you want to use that one.
0
hecgomrec Commented:
Is the ActiveSync working inside the organization? Did you run IISRESET and restart Information Store?

Make sure all your databases are in good health. Check your DNS server(s) are working properly; if the external request is mapping to the wrong server it will never find the SSL.
0
ckleavitt2, Author, Commented:
I ran a tool called AccessMyLan activesync tester, and did the tests for inside and outside the firewall. They both failed with the same SSL negotiation error.

Testing 10.10.200.20 (SSL, On LAN):

Communications:
      Doing DNS lookup on 10.10.200.20 ......... OK (xxxxxxxxxxxx-SBS.xxxxxxxxxxx.local)
      Testing TCP to 10.10.200.20 port 443 ..... OK
SSL Certificate:
      Receiving ................................ FAIL

Result:
      Failed to negotiate SSL with the server.

I ran through Alan's article once more. I made sure to do IISRESET when instructed.
Also, I installed a 3rd party cert and made sure the FQDN matched what the phones connected to.
In addition I have checked DNS is working fine.

As far as making sure the databases are in good health, I can use  ISINTEG and run particular tests. Do I need to run all tests, or just run a particular test for this issue?
0
Simon Butler (Sembee), Consultant, Commented:
I don't think this has anything to do with the databases.
The problem is around SSL.

It could be that you have a corrupt SSL certificate (does happen unfortunately). Could also be something interfering with the SSL transport.

If you browse to https://host.example.com/exchange - do you get SSL prompts? It should give you the OWA login screen.

Simon.
0
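The tests quoted so far in this thread all stop at the same stage: DNS and TCP 443 succeed, but no certificate is ever received, which is a different failure from a certificate that is served but untrusted. As an added example (not part of the thread or of any tool named in it), this Python probe reports the first failing stage; `probe` and `constructed_dead_listener` are hypothetical names, and the listener is a constructed stand-in for a server that accepts connections but never completes the handshake.

```python
import socket
import ssl
import threading


def probe(host, port=443, timeout=5.0):
    """Return the first failing stage: dns, tcp, tls_handshake, trust, or ok."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][:2]
    except socket.gaierror:
        return "dns"
    for verify in (False, True):
        try:
            sock = socket.create_connection(addr, timeout=timeout)
        except OSError:
            return "tcp"  # nothing is listening, or a firewall drops the port
        ctx = ssl.create_default_context()
        if not verify:
            # First pass accepts any certificate (like an "ignore trust" option),
            # so the only thing that can fail here is the handshake itself.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                pass
        except ssl.SSLCertVerificationError:
            return "trust"  # certificate was served but is not trusted/valid
        except OSError:
            return "tls_handshake"  # port open, yet no certificate was served
    return "ok"


def constructed_dead_listener():
    """Constructed stand-in: accepts TCP on localhost, hangs up without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe("127.0.0.1", constructed_dead_listener()))
```

A result of `tls_handshake` means replacing the certificate with a trusted one cannot help by itself, because the client never gets far enough to evaluate trust. Current Python builds normally refuse TLS 1.0, the newest protocol Windows Server 2003 offers, so against a server of that age the probe has to run on a client that still permits it.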
ckleavitt2, Author, Commented:
I started out with a self signed cert, re-issued it, and then moved to a 3rd party cert. The same issue remains. When I browse to exchange I get page cannot be displayed.
0
ckleavitt2, Author, Commented:
The test results:

You have selected First Storage Group / Mailbox Store (xxxxxxx-SBS).
Continue?(Y/N)y
Test Search Folder Links result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:2s
Test Global result: 0 error(s); 0 warning(s); 0 fix(es); 1 row(s); time: 0h:0m:0s
Test Delivered To result: 0 error(s); 0 warning(s); 0 fix(es); 23 row(s); time: 0h:0m:0s
Test Repl Schedule result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Timed Events result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test reference table construction result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:3m:28s
Test Folder result: 0 error(s); 17 warning(s); 0 fix(es); 1510 row(s); time: 0h:2m:21s
Test Deleted Messages result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Message result: 0 error(s); 0 warning(s); 0 fix(es); 96420 row(s); time: 0h:0m:39s
Test Attachment result: 0 error(s); 0 warning(s); 0 fix(es); 91613 row(s); time: 0h:0m:3s
Test Mailbox result: 0 error(s); 0 warning(s); 0 fix(es); 27 row(s); time: 0h:0m:0s
Test Sites result: 0 error(s); 0 warning(s); 0 fix(es); 106 row(s); time: 0h:0m:0s
Test Categories result: 0 error(s); 0 warning(s); 0 fix(es); 252 row(s); time: 0h:0m:0s
Test Per-User Read result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test special folders result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test Message Tombstone result: 0 error(s); 0 warning(s); 0 fix(es); 253 row(s); time: 0h:0m:0s
Test Folder Tombstone result: 0 error(s); 0 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:0s
Test reference count verification result: 0 error(s); 8 warning(s); 0 fix(es); 0 row(s); time: 0h:0m:3s
Now in test  19(Row Count/Dumpster Count) of total  19 tests; 100% complete.
0
Alan Hardisty, Co-Owner, Commented:
Can you follow Method 2 in KB883380 to reset the Exchange Virtual Directories and then re-test to see if that improves anything.  Can't hurt and if the problem is SSL, then you would have thought a 3rd party one would have fixed it.

Alan
0
ckleavitt2, Author, Commented:
Alan,

I did a certificate test from another site SSLChecker and it resolves the domain, but says there were no SSL certs found. Also, I went back through the Internet Wizard to re-install the 3rd party cert, and I get  "The specified certificate file is not properly formatted....." error. I recall installing the certificate under IIS when this happened the first time, however the cert shows up properly under View Certificate in the IIS folders. I certainly do not want to get side tracked, as the issue has persisted a week now, and we are eager to get it up, but do I need to be concerned with this format error prior to KB883380? Thank you!!
0
Alan Hardisty, Co-Owner, Commented:
As per Simon's last comment, can you browse the site he mentioned internally?

I'm wondering if port 443 isn't configured on the default website or is being grabbed by another service.

Alan
0
ckleavitt2, Author, Commented:
No, the page cannot be displayed when I try and browse to it from inside the network.
0
Alan Hardisty, Co-Owner, Commented:
Okay - in that case can you please post a screen-shot of the websites under IIS Manager (select the level on the left above the sites) showing the sites on the right with the relevant ports they are assigned.

Thanks

Alan
0
ckleavitt2, Author, Commented:
IIS Ports
0
Alan Hardisty, Co-Owner, Commented:
Okay - that looks normal port-wise.

The Mailessentials directories aren't normal.

Is there any redirection going on on the default website?
0
ckleavitt2, Author, Commented:
The Mailessentials directories were installed with GFI antispam gateway, but they have a way to completely disable the system for troubleshooting, which I did. I got the same result whether enabled or disabled. As far as redirection, the Default Web Site has  "A directory located on this computer" selected for the Home Directory. Path C:\Inetpub\Wwwroot
0
Alan Hardisty, Co-Owner, Commented:
Can you right-click the Default Website and Browse to it using IIS?
0
ckleavitt2, Author, Commented:
No. "This program cannot display the webpage".
0
Alan Hardisty, Co-Owner, Commented:
Can you run the SBS Best Practices Analyzer and see what errors that throws up please:

http://www.microsoft.com/en-gb/download/details.aspx?id=5334

Alan
0

Alan Hardisty, Co-Owner, Commented:
What was the problem (or were the problems)?

Alan
0
ckleavitt2, Author, Commented:
I don't know exactly Alan, but there were several issues caught by running the best practices. After resolving those issues, the problem was corrected. I wish that I could be more specific at this point. I really appreciate all the help though.
0
Alan Hardisty, Co-Owner, Commented:
Oh well - a fix is a fix, even if you don't know what it was, but I'm glad it is resolved and glad I could help.

Long may it stay fixed too :)

Alan
0