ianmclachlan
asked on
Exchange 2010 - ActiveSync (Internal and External)
Hi Guys,
Got a small issue that I can't seem to get my head around.
I have one Exchange 2010 server running with a Geo Trust SSL certificate with services such as OWA, Activesync etc. Everything is working fine, apart from one small problem - ActiveSync.
ActiveSync works externally, however, it will not work internally. I believe this to be a DNS issue. So I just want to run through the config, to see if anyone can spot my mistake.
Mobiles devices are currently pointing at:
mail.company.co.uk (I have a SANs cert for this domain)
Question.
** When using a browser for webmail - I use the address mail.company.co.uk/OWA (this works fine with my SSL cert)
However, when configuring ActiveSync on a mobile device you can ONLY use the address mail.company.co.uk. Even though in EMC it's mail.company.co.uk/actives
Which comes to my question.
I have an internal DNS entry for mail.company.co.uk which points to my Exchange server. When a device is connected internally, this address resolves correctly to the Exchange box, however, the ActiveSync mail does not work unless I use the internal address that's set in EMC. ie severname/Microsoft-Server
So, how do I get the devices to work Externally and Internally. My gut feeling is, DNS. But I just can't figure out what needs to be done.
Any help offered will be greatly appreciated.
IM
Got a small issue that I can't seem to get my head around.
I have one Exchange 2010 server running with a Geo Trust SSL certificate with services such as OWA, Activesync etc. Everything is working fine, apart from one small problem - ActiveSync.
ActiveSync works externally, however, it will not work internally. I believe this to be a DNS issue. So I just want to run through the config, to see if anyone can spot my mistake.
Mobiles devices are currently pointing at:
mail.company.co.uk (I have a SANs cert for this domain)
Question.
** When using a browser for webmail - I use the address mail.company.co.uk/OWA (this works fine with my SSL cert)
However, when configuring ActiveSync on a mobile device you can ONLY use the address mail.company.co.uk. Even though in EMC it's mail.company.co.uk/actives
Which comes to my question.
I have an internal DNS entry for mail.company.co.uk which points to my Exchange server. When a device is connected internally, this address resolves correctly to the Exchange box, however, the ActiveSync mail does not work unless I use the internal address that's set in EMC. ie severname/Microsoft-Server
So, how do I get the devices to work Externally and Internally. My gut feeling is, DNS. But I just can't figure out what needs to be done.
Any help offered will be greatly appreciated.
IM
It is a DNS problem and Glen's article gives you the ideal solution:
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3703-Use-iPhone-on-wifi-network-without-the-need-to-reconfigure.html
Alan
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3703-Use-iPhone-on-wifi-network-without-the-need-to-reconfigure.html
Alan
ASKER
Hi Guys,
Thanks for your replies.
Alan - This is exactly my problem. However the solution doesn't seem to work in my case. Have create the zone and a blank host record pointing at the Exchange box. I am using an iPad and have networking tools installed. And although I can ping mail.company.co.uk from my internal wifi, Activesync will still not work, yet externally it's fine.
I've tried Andy's solution of changing the internal address in the EMC to mail.company.co.uk, but again, no luck. There are no errors coming up in the event log on the exchange box. So I really don't have a lot to go on.
Can you think of anything else.
Really appreciate your time and help.
IM
Thanks for your replies.
Alan - This is exactly my problem. However the solution doesn't seem to work in my case. Have create the zone and a blank host record pointing at the Exchange box. I am using an iPad and have networking tools installed. And although I can ping mail.company.co.uk from my internal wifi, Activesync will still not work, yet externally it's fine.
I've tried Andy's solution of changing the internal address in the EMC to mail.company.co.uk, but again, no luck. There are no errors coming up in the event log on the exchange box. So I really don't have a lot to go on.
Can you think of anything else.
Really appreciate your time and help.
IM
What errors in the event log?
ASKER
Hi,
There are no errors in the events log.
IM
There are no errors in the events log.
IM
Sorry, I misread above. You are using an iPad on the internet network right? A few questions:
- Is there a firewall between the production LAN and the WLAN (wireless LAN)? Is TCP 443 nat'ed to that?
- What is your InternalURL for ActiveSync (EAS) and your settings?
- What is your internal DNS A records look like?
- Is there a firewall between the production LAN and the WLAN (wireless LAN)? Is TCP 443 nat'ed to that?
- What is your InternalURL for ActiveSync (EAS) and your settings?
- What is your internal DNS A records look like?
Can you get to https://mail.company.co.uk/owa from the iPad using Safari on WiFi?
ASKER
Hi Guys,
Again, thanks for your reply.
Adam :
No there is no firewall between the wireless lan and the corporate lan. The wireless lan is on the same subnet as the exchange box.
Have tried both internal urls as : https://mail.copmpany.co.uk/microsoft-server-activesync as well as : https://servername.domain/microsoft-server-activesync - both fail (issued cmd iisreset after making both changes)
I have create a new zone in my DNS called : mail.company.co.uk in which have created a blank A record to point to the exchange box.
Alan :
Interestingly enough, I can't access the OWA internally from the ipad. Yet, if I ping mail.company.co.uk from the ipad, I get a response from the exchange box (on the internal IP)
There is no doubt it's a DNS issue. I just can't see it. On paper this should work. The DNS server address is issued by DHCP when connecting to the WLAN.
Found that if I change the URL in the ipad to the local address : servername.domain/microsof
IM
Again, thanks for your reply.
Adam :
No there is no firewall between the wireless lan and the corporate lan. The wireless lan is on the same subnet as the exchange box.
Have tried both internal urls as : https://mail.copmpany.co.uk/microsoft-server-activesync as well as : https://servername.domain/microsoft-server-activesync - both fail (issued cmd iisreset after making both changes)
I have create a new zone in my DNS called : mail.company.co.uk in which have created a blank A record to point to the exchange box.
Alan :
Interestingly enough, I can't access the OWA internally from the ipad. Yet, if I ping mail.company.co.uk from the ipad, I get a response from the exchange box (on the internal IP)
There is no doubt it's a DNS issue. I just can't see it. On paper this should work. The DNS server address is issued by DHCP when connecting to the WLAN.
Found that if I change the URL in the ipad to the local address : servername.domain/microsof
IM
It is a dns issue. Create a new zone in DNS for your mail server called domain.com.
Then create an A record for mail.domain.com that points to the private ip of your exchange server.
If they can access OWA through Safari via the wireless then we have prooved that there is no DNS problem (as long as you are using the same domain name in the active sync configuration)..
Do you have any IP restrictions applied to any of the exchange virtual directories? I am running out of ideas...
For more
https://www.experts-exchange.com/questions/27974749/ActiveSync-works-internally-but-not-externally.html
https://social.technet.microsoft.com/Forums/en-US/7f7b9d96-84b3-46ed-a888-adeee1543f39/exchange-2010-activesync-internal-vs-external-networks-issues
Then create an A record for mail.domain.com that points to the private ip of your exchange server.
If they can access OWA through Safari via the wireless then we have prooved that there is no DNS problem (as long as you are using the same domain name in the active sync configuration)..
Do you have any IP restrictions applied to any of the exchange virtual directories? I am running out of ideas...
For more
https://www.experts-exchange.com/questions/27974749/ActiveSync-works-internally-but-not-externally.html
https://social.technet.microsoft.com/Forums/en-US/7f7b9d96-84b3-46ed-a888-adeee1543f39/exchange-2010-activesync-internal-vs-external-networks-issues
ASKER
Hi Guys,
I have since discovered this isn't an issue with my split-dns. I hooked up an Android device in the same senario and it works fine. It's an issue with the iphones/ipads. This KB touches on it:
http://support.apple.com/en-us/TS1868 (point 3)
The only probable fix for this is by setting up a reflected NAT on my Firewall and using external DNS servers to resolve the address. I'm not happy about doing this. Does anyone know of a better solution?
I have a feeling that with the popularity of the device and platform, there must be a better fix.
Again, thanks for your help and support.
IM
I have since discovered this isn't an issue with my split-dns. I hooked up an Android device in the same senario and it works fine. It's an issue with the iphones/ipads. This KB touches on it:
http://support.apple.com/en-us/TS1868 (point 3)
The only probable fix for this is by setting up a reflected NAT on my Firewall and using external DNS servers to resolve the address. I'm not happy about doing this. Does anyone know of a better solution?
I have a feeling that with the popularity of the device and platform, there must be a better fix.
Again, thanks for your help and support.
IM
That only says what's already been touched upon above.
Adding the relevant DNS zone / A record should resolve the issue unless you have some funky wireless filtering / restrictions going on whilst on WiFi.
What WAP are you using?
Adding the relevant DNS zone / A record should resolve the issue unless you have some funky wireless filtering / restrictions going on whilst on WiFi.
What WAP are you using?
ASKER
Hi,
The DNS is working and resolving correctly. I had originally set the zone up properly. The red herring was the fact I was using an ipad to test this. Had I picked an Andriod device, I would of quickly came to the conclusion (when they didn't work) that the Apple devices are at fault. I can confirm this as I have setup an Andriod tablet using mail.company.co.uk, then moved it to my corporate wifi ... and it works. It doesn't work with an ipad. Same setup.
My wifi is pretty standard WPA with Radius. There is no filtering or restrictions. I can rule out wifi as well as DNS to a point. The issue appears to be the relationship between Apple devices and resolving the activesync URL internally - (which DNS has to play a part of).
I am no expert with Apple devices, so I can't understand why it finds this a problem.
Again thanks for yor reply.
IM
The DNS is working and resolving correctly. I had originally set the zone up properly. The red herring was the fact I was using an ipad to test this. Had I picked an Andriod device, I would of quickly came to the conclusion (when they didn't work) that the Apple devices are at fault. I can confirm this as I have setup an Andriod tablet using mail.company.co.uk, then moved it to my corporate wifi ... and it works. It doesn't work with an ipad. Same setup.
My wifi is pretty standard WPA with Radius. There is no filtering or restrictions. I can rule out wifi as well as DNS to a point. The issue appears to be the relationship between Apple devices and resolving the activesync URL internally - (which DNS has to play a part of).
I am no expert with Apple devices, so I can't understand why it finds this a problem.
Again thanks for yor reply.
IM
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Read the last 2 or 3 comments from the link below:
https://discussions.apple.com/thread/6536955?start=15&tstart=0
Which is where my first link is from.
https://discussions.apple.com/thread/6536955?start=15&tstart=0
Which is where my first link is from.
ASKER
Hi Guys,
Thanks for the feedback. You're right, it's something to do with the WPA enterprise WLAN. I plugged in an unsecured AP to the corporate LAN and it worked fine.
So now I need to find a way of configuring iPads/iPhones for my wifi. It strange though. I'm getting a DHCP address and if I use imap instead of exchange the mail runs ok over the WPA (E).
This has been one long saga. I would have never of guessed it was the wifi causing the issues.
So I'll Google this out and see if I can find a fix.
Again, thanks for all your help.
Thanks for the feedback. You're right, it's something to do with the WPA enterprise WLAN. I plugged in an unsecured AP to the corporate LAN and it worked fine.
So now I need to find a way of configuring iPads/iPhones for my wifi. It strange though. I'm getting a DHCP address and if I use imap instead of exchange the mail runs ok over the WPA (E).
This has been one long saga. I would have never of guessed it was the wifi causing the issues.
So I'll Google this out and see if I can find a fix.
Again, thanks for all your help.
ASKER
Finally .... Fixed it.
So obvious. The ipad connects onto the WPA(E). We manually set a proxy address for the ipad for web access. What appears to happen is that the system tries to "sync", and pushes to mail.company.co.uk - this then squirts it straight to the proxy to deal with, without first, trying to resolve the address using our internal DNS. As we have not setup reflective NAT it fails. Therefore, I set a static route on the proxy to push the trafffic back to the Exchange box.
I assume it worked with imap as I used the IP address and it knew it was on the same subnet.
Been round the houses with this one guys.
Alan, I will award you the points as you pointed me in the right direction suggesting the wifi.
Many thanks for everyones help.
IM
So obvious. The ipad connects onto the WPA(E). We manually set a proxy address for the ipad for web access. What appears to happen is that the system tries to "sync", and pushes to mail.company.co.uk - this then squirts it straight to the proxy to deal with, without first, trying to resolve the address using our internal DNS. As we have not setup reflective NAT it fails. Therefore, I set a static route on the proxy to push the trafffic back to the Exchange box.
I assume it worked with imap as I used the IP address and it knew it was on the same subnet.
Been round the houses with this one guys.
Alan, I will award you the points as you pointed me in the right direction suggesting the wifi.
Many thanks for everyones help.
IM
The fact that it is working externally (i'm guessing on the same phones) indicates Activesync is working and the internal issue would lean towards either a config issue on the server or dns.
Looking at your information I would firstly change the internal EMC activesync address on the exchange server to match the external one - mail.company.co.uk. You already have a dns record in place for this and as you have noted it resolves fine. Remember to include the activesync parts after the address (just copy and paste the external one) - the server requires this but the devices do not.