Exchange ActiveSync On SmartPhones Not Working For WiFi Users

We have a single Exchange 2010 server on domainA.local

It HAD a NAT entry in the firewall for exchange01.domainA.local to using ALL services.

The problem was that exchange01 was unable to reach any device in domainB.local (another domain we have in the same data center).

Our theory was that the NAT forced all traffic to change the IP to the address and screwed up internal routing. To test, we changed the NAT from ALL services to only ports 25, 587, 443 and ICMP.

Now, exchange01 can reach domainB.local all day long but internal WiFi users can't get email on their ActiveSync configured smartphones. It DOES work if they are on 4G LTE.

What works:
- All internal Outlook clients
- All external Outlook clients
- All external smartphone/tablet connections
- All internal OWA site connections
- All external OWA site connections
- All internal ActiveSync connections

I don't think this is DNS. When I ping exchange01.domainA.local, I get replies and it resolves to the right IP address. The name resolution is the same for internal/external OWA connections.

From an internally connected smartphone, I CAN get to the OWA site, but it just won't do it on ActiveSync apps.

I know that something is somehow being blocked by limiting my ports from ALL down to 25, 587, 443 and ICMP, but I can't imagine what it would be since ActiveSync uses 443.

Any ideas?
Paul Wagner (Friend To Robots and Rocks) asked:

Simon Butler (Sembee), Consultant, commented:
It is DNS, at least partially.
You need to setup a split DNS system so that the external name resolves internally to the internal IP address.

When you are using NAT and/or VPNs, most network hardware will not allow the traffic to go out and come back in again on the same interface. So if it resolves to an external IP address, then the traffic will fail to connect.

If you have systems in the same data centre, then in effect you need to look at the routing as separate items. For example, if you need to send email between the two domains, then using a Send Connector to send to the internal IP address of the other domain (so a connector on each server) would work.
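The split-DNS and port checks described in this answer can be scripted. The following is an added example, not code from the question or from any participant: it classifies what an internal client's DNS answer for the Exchange hostname implies (internal address means split DNS is in place; public address means the connection would have to hairpin through the NAT, which this answer says most hardware refuses), and checks whether a narrowed NAT port list still covers each client path. The internal ranges, the `mail.example.com` placeholder, and the per-service port table are assumptions for the example; substitute the site's own values.

```python
import ipaddress
import socket
import sys

# Assumed internal ranges (RFC 1918); replace with the site's actual subnets.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# The port set the question narrowed the NAT to (ICMP is not TCP and is omitted here).
ALLOWED_TCP_PORTS = {25, 443, 587}

# Assumed TCP ports each Exchange client path needs through the edge; constructed table.
REQUIRED_TCP_PORTS = {
    "ActiveSync": {443},
    "OWA": {443},
    "Outlook Anywhere": {443},
    "SMTP": {25, 587},
}


def is_internal(ip, nets=INTERNAL_NETS):
    """True when the address lies inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify_resolution(resolved_ips, nets=INTERNAL_NETS):
    """Interpret the answer an internal client got for the Exchange hostname.

    split-dns-ok     : every answer is internal, clients connect directly.
    hairpin-required : every answer is public, traffic must leave and re-enter
                       the NAT on the same interface (the failure this answer describes).
    mixed            : both kinds present; behaviour depends on which address the
                       client picks, which shows up as intermittent failures.
    """
    if not resolved_ips:
        return "no-answer"
    internal = [ip for ip in resolved_ips if is_internal(ip, nets)]
    if len(internal) == len(resolved_ips):
        return "split-dns-ok"
    if internal:
        return "mixed"
    return "hairpin-required"


def missing_ports(service, allowed=ALLOWED_TCP_PORTS):
    """Ports a client path needs that the NAT rule no longer forwards."""
    return sorted(REQUIRED_TCP_PORTS[service] - set(allowed))


def resolve(hostname):
    """Addresses the local resolver returns for the hostname (live lookup)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip, port=443, timeout=3.0):
    """Plain TCP connect check; a refused or timed-out connect returns False."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Run from an internal (e.g. WiFi) client: python split_dns_check.py mail.example.com
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder name
    ips = resolve(host)
    print(f"{host} -> {ips}: {classify_resolution(ips)}")
    for ip in ips:
        print(f"  tcp/443 to {ip}: {'open' if tcp_reachable(ip) else 'unreachable'}")
    for service in REQUIRED_TCP_PORTS:
        gap = missing_ports(service)
        print(f"  {service}: {'ok' if not gap else 'NAT is missing ports ' + str(gap)}")
```

When the script reports `split-dns-ok` and tcp/443 open yet ActiveSync still fails from WiFi, the problem sits somewhere other than DNS or the NAT port list, for example a client-isolation setting on the access points keeping wireless clients off the wired segment.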

Paul Wagner (Friend To Robots and Rocks), Author, commented:
The access points had a setting to block traffic from touching the "wired network". I allowed wifi traffic to talk to the wired network and smartphones started talking to exchange.

Paul Wagner (Friend To Robots and Rocks), Author, commented:
I had to find the solution on my own.