Solved

Exchange 2010 - ActiveSync (Internal and External)

Posted on 2014-11-05
580 Views
Last Modified: 2014-11-07
Hi Guys,

Got a small issue that I can't seem to get my head around.

I have one Exchange 2010 server running with a Geo Trust SSL certificate with services such as OWA, Activesync etc.  Everything is working fine, apart from one small problem - ActiveSync.

ActiveSync works externally, however, it will not work internally. I believe this to be a DNS issue.   So I just want to run through the config, to see if anyone can spot my mistake.

Mobile devices are currently pointing at:

mail.company.co.uk  (I have a SANs cert for this domain)

Question.

When using a browser for webmail, I use the address mail.company.co.uk/OWA (this works fine with my SSL cert).

However, when configuring ActiveSync on a mobile device you can ONLY use the address mail.company.co.uk. Even though in EMC it's mail.company.co.uk/activesync, so there must be a way the system knows it's an ActiveSync connection?

Which comes to my question.

I have an internal DNS entry for mail.company.co.uk which points to my Exchange server. When a device is connected internally, this address resolves correctly to the Exchange box; however, the ActiveSync mail does not work unless I use the internal address that's set in EMC, i.e. servername/Microsoft-Server-ActiveSync

So, how do I get the devices to work externally and internally? My gut feeling is DNS. But I just can't figure out what needs to be done.

Any help offered will be greatly appreciated.

IM
0
Question by:ianmclachlan
17 Comments
 
LVL 13

Expert Comment

by:Andy M
Typically with activesync you only require the mail.company.co.uk address - Activesync uses port 443 same as OWA.

The fact that it is working externally (I'm guessing on the same phones) indicates ActiveSync is working, and the internal issue would lean towards either a config issue on the server or DNS.

Looking at your information I would firstly change the internal EMC ActiveSync address on the Exchange server to match the external one - mail.company.co.uk. You already have a DNS record in place for this and, as you have noted, it resolves fine. Remember to include the ActiveSync parts after the address (just copy and paste the external one) - the server requires this but the devices do not.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
0
 

Author Comment

by:ianmclachlan
Hi Guys,

Thanks for your replies.

Alan - This is exactly my problem. However the solution doesn't seem to work in my case. Have created the zone and a blank host record pointing at the Exchange box. I am using an iPad and have networking tools installed. And although I can ping mail.company.co.uk from my internal wifi, ActiveSync will still not work, yet externally it's fine.

I've tried Andy's solution of changing the internal address in the EMC to mail.company.co.uk, but again, no luck.  There are no errors coming up in the event log on the exchange box.  So I really don't have a lot to go on.

Can you think of anything else?

Really appreciate your time and help.

IM
0
 
LVL 19

Expert Comment

by:Adam Farage
What errors in the event log?
0
 

Author Comment

by:ianmclachlan
Hi,

There are no errors in the events log.

IM
0
 
LVL 19

Expert Comment

by:Adam Farage
Sorry, I misread above. You are using an iPad on the internal network, right? A few questions:

- Is there a firewall between the production LAN and the WLAN (wireless LAN)? Is TCP 443 NAT'ed to that?
- What is your InternalURL for ActiveSync (EAS) and your settings?
- What do your internal DNS A records look like?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Can you get to https://mail.company.co.uk/owa from the iPad using Safari on WiFi?
0
 

Author Comment

by:ianmclachlan
Hi Guys,

Again, thanks for your reply.

Adam :

No, there is no firewall between the wireless LAN and the corporate LAN. The wireless LAN is on the same subnet as the Exchange box.
Have tried both internal URLs as: https://mail.company.co.uk/microsoft-server-activesync as well as: https://servername.domain/microsoft-server-activesync - both fail (issued cmd iisreset after making both changes)
I have created a new zone in my DNS called: mail.company.co.uk in which I have created a blank A record to point to the Exchange box.

Alan :

Interestingly enough, I can't access OWA internally from the iPad. Yet, if I ping mail.company.co.uk from the iPad, I get a response from the Exchange box (on the internal IP).

There is no doubt it's a DNS issue. I just can't see it. On paper this should work. The DNS server address is issued by DHCP when connecting to the WLAN.

Found that if I change the URL in the iPad to the local address: servername.domain/microsoft-server-activesync it works, but not with the public name.

IM
0
 
LVL 12

Expert Comment

by:Md. Mojahid
It is a DNS issue. Create a new zone in DNS for your mail server called domain.com.
Then create an A record for mail.domain.com that points to the private IP of your Exchange server.

If they can access OWA through Safari via the wireless then we have proved that there is no DNS problem (as long as you are using the same domain name in the ActiveSync configuration).

Do you have any IP restrictions applied to any of the exchange virtual directories? I am running out of ideas...

For more
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27974749.html
https://social.technet.microsoft.com/Forums/en-US/7f7b9d96-84b3-46ed-a888-adeee1543f39/exchange-2010-activesync-internal-vs-external-networks-issues
0
 

Author Comment

by:ianmclachlan
Hi Guys,

I have since discovered this isn't an issue with my split-DNS. I hooked up an Android device in the same scenario and it works fine. It's an issue with the iPhones/iPads. This KB touches on it:

http://support.apple.com/en-us/TS1868   (point 3)

The only probable fix for this is by setting up a reflected NAT on my Firewall and using external DNS servers to resolve the address.  I'm not happy about doing this.  Does anyone know of a better solution?  

I have a feeling that with the popularity of the device and platform, there must be a better fix.

Again, thanks for your help and support.

IM
0
 
LVL 76

Expert Comment

by:Alan Hardisty
That only says what's already been touched upon above.

Adding the relevant DNS zone / A record should resolve the issue unless you have some funky wireless filtering / restrictions going on whilst on WiFi.

What WAP are you using?
0
 

Author Comment

by:ianmclachlan
Hi,

The DNS is working and resolving correctly. I had originally set the zone up properly. The red herring was the fact I was using an iPad to test this. Had I picked an Android device, I would have quickly come to the conclusion (when they didn't work) that the Apple devices are at fault. I can confirm this as I have set up an Android tablet using mail.company.co.uk, then moved it to my corporate wifi ... and it works. It doesn't work with an iPad. Same setup.

My wifi is pretty standard WPA with RADIUS. There is no filtering or restrictions. I can rule out wifi as well as DNS to a point. The issue appears to be the relationship between Apple devices and resolving the ActiveSync URL internally (which DNS has to play a part of).

I am no expert with Apple devices, so I can't understand why it finds this a problem.

Again thanks for your reply.

IM
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
I've never known a problem with an Apple device not working internally when the DNS zones are working as suggested.

I've never used WiFi with RADIUS, so that might be something that the Apple devices struggle with. Can you disable the RADIUS element for testing and just use simple Wi-Fi security? Then if it works, you have something to chew on.

Thanks

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
The following Apple article might help you:

http://support.apple.com/en-us/HT6187

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Read the last 2 or 3 comments from the link below:

https://discussions.apple.com/thread/6536955?start=15&tstart=0

Which is where my first link is from.
0
 

Author Comment

by:ianmclachlan
Hi Guys,

Thanks for the feedback.  You're right, it's something to do with the WPA enterprise WLAN.  I plugged in an unsecured AP to the corporate LAN and it worked fine.

So now I need to find a way of configuring iPads/iPhones for my wifi. It's strange though. I'm getting a DHCP address, and if I use IMAP instead of Exchange the mail runs OK over the WPA (E).

This has been one long saga. I would never have guessed it was the wifi causing the issues.

So I'll Google this out and see if I can find a fix.

Again, thanks for all your help.
0
 

Author Comment

by:ianmclachlan
Finally ....  Fixed it.

So obvious. The iPad connects onto the WPA(E). We manually set a proxy address for the iPad for web access. What appears to happen is that the system tries to "sync", and pushes to mail.company.co.uk - this then squirts it straight to the proxy to deal with, without first trying to resolve the address using our internal DNS. As we have not set up reflective NAT it fails. Therefore, I set a static route on the proxy to push the traffic back to the Exchange box.

I assume it worked with IMAP as I used the IP address and it knew it was on the same subnet.

Been round the houses with this one guys.

Alan, I will award you the points as you pointed me in the right direction suggesting the wifi.

Many thanks for everyone's help.

IM
0
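The root cause found above is a manually configured Wi-Fi proxy on the iPad that receives the ActiveSync request for mail.company.co.uk before the device consults internal DNS; the poster fixed it with a static route on the proxy. The proxy auto-config (PAC) file below is an added example, not from the thread, showing the other common mitigation: send the Exchange client access names and internal hosts DIRECT so they resolve through the split-DNS zone, and route only general web traffic to the proxy. mail.company.co.uk is the thread's name; autodiscover.company.co.uk, the .company.local suffix and proxy.company.local:8080 are placeholder assumptions.

```javascript
// Proxy auto-config (PAC) for devices on the corporate WLAN (added example).
// Placeholder names: autodiscover.company.co.uk, the .company.local AD suffix and
// proxy.company.local:8080 are assumptions; mail.company.co.uk is from the thread.
// dnsDomainIs/isPlainHostName/shExpMatch are normally supplied by the device's PAC
// engine; minimal equivalents are defined here so the file also runs stand-alone.

function dnsDomainIs(host, domain) {
  host = host.toLowerCase(); domain = domain.toLowerCase();
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, pattern) {
  // shell-style glob: escape regex metacharacters, then map * and ? to regex
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

// Exchange client access names (EAS, OWA and Autodiscover share the same host).
var EXCHANGE_HOSTS = ["mail.company.co.uk", "autodiscover.company.co.uk"];
var INTERNAL_SUFFIX = ".company.local";           // internal AD DNS suffix (assumed)
var WEB_PROXY = "PROXY proxy.company.local:8080"; // corporate web proxy (assumed)

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Exchange names go DIRECT: the device then resolves them via the internal
  // split-DNS zone and talks to the CAS itself, instead of handing the request
  // to a proxy that resolves the public address (so no reflective NAT is needed).
  for (var i = 0; i < EXCHANGE_HOSTS.length; i++) {
    if (host === EXCHANGE_HOSTS[i]) return "DIRECT";
  }
  // Single-label names and internal AD hosts (e.g. servername.company.local).
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) return "DIRECT";
  // RFC 1918 literal addresses stay on the LAN.
  if (shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*") ||
      /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host)) return "DIRECT";
  // Everything else is general web traffic and goes through the proxy.
  return WEB_PROXY;
}
```

Point the device's Wi-Fi proxy setting at this file's URL (automatic configuration) rather than at a manual server entry, so the bypass rules actually apply to the ActiveSync traffic.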
