Exchange 2010 - ActiveSync (Internal and External)

Hi Guys,

Got a small issue that I can't seem to get my head around.

I have one Exchange 2010 server running with a Geo Trust SSL certificate with services such as OWA, Activesync etc.  Everything is working fine, apart from one small problem - ActiveSync.

ActiveSync works externally, however, it will not work internally. I believe this to be a DNS issue.   So I just want to run through the config, to see if anyone can spot my mistake.

Mobile devices are currently pointing at: (I have a SAN cert for this domain)

When using a browser for webmail I use the address (this works fine with my SSL cert).

However, when configuring ActiveSync on a mobile device you can ONLY use the address, even though in EMC it's - so there must be a way the system knows it's an ActiveSync connection?

Which comes to my question.

I have an internal DNS entry for which points to my Exchange server. When a device is connected internally, this address resolves correctly to the Exchange box; however, the ActiveSync mail does not work unless I use the internal address that's set in EMC, i.e. servername/Microsoft-Server-ActiveSync

So, how do I get the devices to work externally and internally? My gut feeling is DNS, but I just can't figure out what needs to be done.

Any help offered will be greatly appreciated.


Andy M (IT Systems Manager) commented:
Typically with ActiveSync you only require the address - ActiveSync uses port 443, the same as OWA.

The fact that it is working externally (I'm guessing on the same phones) indicates ActiveSync is working, and the internal issue would lean towards either a config issue on the server or DNS.

Looking at your information I would firstly change the internal EMC ActiveSync address on the Exchange server to match the external one - you already have a DNS record in place for this and, as you have noted, it resolves fine. Remember to include the ActiveSync parts after the address (just copy and paste the external one) - the server requires this but the devices do not.
Alan Hardisty (Co-Owner) commented:
ianmclachlan (Author) commented:
Hi Guys,

Thanks for your replies.

Alan - This is exactly my problem. However, the solution doesn't seem to work in my case. I have created the zone and a blank host record pointing at the Exchange box. I am using an iPad and have networking tools installed, and although I can ping from my internal Wi-Fi, ActiveSync will still not work, yet externally it's fine.

I've tried Andy's solution of changing the internal address in the EMC to, but again, no luck. There are no errors coming up in the event log on the Exchange box, so I really don't have a lot to go on.

Can you think of anything else?

Really appreciate your time and help.


Adam Farage (Sr. Enterprise Architect) commented:
What errors in the event log?
ianmclachlan (Author) commented:
There are no errors in the event log.

Adam Farage (Sr. Enterprise Architect) commented:
Sorry, I misread above. You are using an iPad on the internal network, right? A few questions:

- Is there a firewall between the production LAN and the WLAN (wireless LAN)? Is TCP 443 NAT'ed to that?
- What is your InternalURL for ActiveSync (EAS) and your settings?
- What do your internal DNS A records look like?
Alan Hardisty (Co-Owner) commented:
Can you get to from the iPad using Safari on Wi-Fi?
ianmclachlan (Author) commented:
Hi Guys,

Again, thanks for your reply.

Adam :

No, there is no firewall between the wireless LAN and the corporate LAN. The wireless LAN is on the same subnet as the Exchange box.
I have tried both internal URLs: as well as https://servername.domain/microsoft-server-activesync - both fail (issued cmd iisreset after making both changes).
I have created a new zone in my DNS called: in which I have created a blank A record pointing to the Exchange box.

Alan :

Interestingly enough, I can't access OWA internally from the iPad. Yet, if I ping from the iPad, I get a response from the Exchange box (on the internal IP).

There is no doubt it's a DNS issue. I just can't see it. On paper this should work. The DNS server address is issued by DHCP when connecting to the WLAN.

Found that if I change the URL on the iPad to the local address, servername.domain/microsoft-server-activesync, it works, but not with the public name.

Md. Mojahid (Exchange server admin) commented:
It is a DNS issue. Create a new zone in DNS for your mail server called
Then create an A record for that points to the private IP of your Exchange server.

If they can access OWA through Safari via the wireless then we have proved that there is no DNS problem (as long as you are using the same domain name in the ActiveSync configuration).

Do you have any IP restrictions applied to any of the exchange virtual directories? I am running out of ideas...

For more
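A way to check both suggestions (Andy's: make the InternalUrl match the ExternalUrl; Md. Mojahid's: a split-DNS zone with an A record for the public name) from the Exchange server itself. This is an added example, not code from this thread or from Microsoft; it assumes the Exchange 2010 Management Shell, a placeholder public name "mail.example.com", and a test mailbox whose credentials you supply when prompted.

```powershell
# Added example (not from the thread): run in the Exchange Management Shell on the
# Exchange 2010 CAS. Checks that the ActiveSync InternalUrl matches the ExternalUrl
# and that the public host name resolves to a private (RFC 1918) address from
# inside, i.e. that the split-DNS zone is answering.
# "mail.example.com" is a placeholder for the public name the thread does not show.

$publicHost = 'mail.example.com'   # placeholder: your public ActiveSync host name

$vdir = Get-ActiveSyncVirtualDirectory | Select-Object -First 1
"InternalUrl : $($vdir.InternalUrl)"
"ExternalUrl : $($vdir.ExternalUrl)"

if ("$($vdir.InternalUrl)" -ne "$($vdir.ExternalUrl)") {
    # Andy's suggestion: make the internal URL identical to the external one
    # (keep the /Microsoft-Server-ActiveSync path; the server needs it).
    Write-Warning "InternalUrl differs from ExternalUrl; to align them run:"
    Write-Warning "Set-ActiveSyncVirtualDirectory -Identity '$($vdir.Identity)' -InternalUrl '$($vdir.ExternalUrl)'"
}

function Test-PrivateIPv4 {
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Resolve with the server's own resolver (works on PowerShell 2.0 / Server 2008 R2).
$answers = [System.Net.Dns]::GetHostAddresses($publicHost) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' }
foreach ($ip in $answers) {
    if (Test-PrivateIPv4 $ip) {
        "OK   : $publicHost -> $ip (private address; split DNS is answering)"
    } else {
        Write-Warning "$publicHost -> $ip is a public address: internal clients will go out to the firewall unless a split-DNS zone/A record exists"
    }
}

# Finally, exercise the EAS endpoint over HTTPS with a test mailbox (prompts for
# that mailbox's credentials). A failing Result here with a private DNS answer
# points away from DNS and towards the client or the path between it and the CAS.
Test-ActiveSyncConnectivity -URL "https://$publicHost/Microsoft-Server-ActiveSync" `
    -MailboxCredential (Get-Credential) | Format-List
```

If the name resolves to a public address, run the check again after the zone and A record are created, since a client configured with a manual proxy will send the request to the proxy without consulting internal DNS at all.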
ianmclachlan (Author) commented:
Hi Guys,

I have since discovered this isn't an issue with my split DNS. I hooked up an Android device in the same scenario and it works fine. It's an issue with the iPhones/iPads. This KB touches on it: (point 3)

The only probable fix for this is by setting up a reflected NAT on my firewall and using external DNS servers to resolve the address. I'm not happy about doing this. Does anyone know of a better solution?

I have a feeling that with the popularity of the device and platform, there must be a better fix.

Again, thanks for your help and support.

Alan Hardisty (Co-Owner) commented:
That only says what's already been touched upon above.

Adding the relevant DNS zone / A record should resolve the issue unless you have some funky wireless filtering / restrictions going on whilst on Wi-Fi.

What WAP are you using?
ianmclachlan (Author) commented:
The DNS is working and resolving correctly. I had originally set the zone up properly. The red herring was the fact I was using an iPad to test this. Had I picked an Android device, I would have quickly come to the conclusion (when they didn't work) that the Apple devices are at fault. I can confirm this as I have set up an Android tablet using, then moved it to my corporate Wi-Fi ... and it works. It doesn't work with an iPad. Same setup.

My Wi-Fi is pretty standard WPA with RADIUS. There is no filtering or restrictions. I can rule out Wi-Fi as well as DNS to a point. The issue appears to be the relationship between Apple devices and resolving the ActiveSync URL internally (which DNS has to play a part of).

I am no expert with Apple devices, so I can't understand why it finds this a problem.

Again, thanks for your reply.

Alan Hardisty (Co-Owner) commented:
I've never known a problem with an Apple device not working internally when the DNS zones are working as suggested.

I've never used Wi-Fi with RADIUS, so that might be something that the Apple devices struggle with. Can you disable the RADIUS element for testing and just use simple Wi-Fi security? Then, if it works, you have something to chew on.

Alan Hardisty (Co-Owner) commented:
The following Apple article might help you:

Alan Hardisty (Co-Owner) commented:
Read the last 2 or 3 comments from the link below:

Which is where my first link is from.
ianmclachlan (Author) commented:
Hi Guys,

Thanks for the feedback. You're right, it's something to do with the WPA Enterprise WLAN. I plugged an unsecured AP into the corporate LAN and it worked fine.

So now I need to find a way of configuring iPads/iPhones for my Wi-Fi. It's strange though. I'm getting a DHCP address, and if I use IMAP instead of Exchange the mail runs OK over the WPA (E).

This has been one long saga. I would never have guessed it was the Wi-Fi causing the issues.

So I'll Google this out and see if I can find a fix.

Again, thanks for all your help.
ianmclachlan (Author) commented:
Finally ... fixed it.

So obvious. The iPad connects onto the WPA (E). We manually set a proxy address for the iPad for web access. What appears to happen is that the system tries to "sync" and pushes to - this then squirts it straight to the proxy to deal with, without first trying to resolve the address using our internal DNS. As we have not set up reflective NAT, it fails. Therefore, I set a static route on the proxy to push the traffic back to the Exchange box.

I assume it worked with IMAP as I used the IP address and it knew it was on the same subnet.

Been round the houses with this one guys.

Alan, I will award you the points as you pointed me in the right direction suggesting the wifi.

Many thanks for everyone's help.
