Exchange ActiveSync not working properly for iPhone and Android

Hi

We have Exchange 2003 on SBS 2003 32-bit with 3.5GB of RAM (I know it is outdated but please spare me these kinds of comments).
We have iPhones and Androids connecting to it to get emails. Weirdly, it works quite intermittently, for example: it works on iPhone 6 iOS 8.2 but not on iPhone 5 iOS 8.2, and it is the same story with Androids. We tried removing and adding it so many times. During the removing and troubleshooting steps on iPhones I did the power + home buttons. We tried emails over wifi in the office and wifi outside as well as 3G in the office and outside of the office.
Our SBS certificate expired recently, so we renewed it on our SBS using the Internet Connection Wizard. This changed some of the permissions on the websites in IIS, but I managed to change it and it started working.
The server doesn't seem to be under big load as the CPU is only a few % in use and we have about 350MB RAM free and another 400MB in System Cache. We don't get any errors in the event viewer from Exchange regarding the performance.
We also have Blackberry server on SBS and while it is alright and quick 95% of the time, occasionally we will get emails delayed.
There is over 25% free space on the server.
We have enough licences on the server (30) and it reports the maximum usage at 13.
We only have port 443 and port 25 open on our Draytek router which forwards straight to the server.
We have our PTR record in place.
However, we only have the forwarded port for our ActiveSync. We don't have autodiscover A record or the DNS SRV record but I am just about to create them.
I ran the Exchange Connectivity Test for ActiveSync (https://testconnectivity.microsoft.com) and it fails not even being able to connect to OWA over my port 443 which is weird because I can go to that website.
I restored older firmware on the router to the point when we didn't experience any problems and I am able to telnet my server on port 443.
We will be moving to Office 365 within the next 3 months but it is then and my server doesn't work now.

Any ideas?

Thank you for all your help.
Kind Regards,
Tom
Asked by Tom Skowyrski
Alan Hardisty (Co-Owner) commented:
Please have a read of and work through my Exchange 2003 / Activesync article and let me know if you get stuck anywhere:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Not being able to get past port 443 is the 1st problem to tackle.

If you are switching to 365 - you will need to install a trusted 3rd party SSL certificate to perform a migration, so I'd look to getting that sorted soon.

Alan
0

Tom Skowyrski (Author) commented:
Alan, I went through your article and got to the point where you check Exchange connectivity. I normally do the email address test but this time I selected the option to specify the server's address. Everything was green except the server's SSL certificate. It seems that there is a mismatch on the certificate:
"Host name mail.mydomainl.co.uk doesn't match any name found on the server certificate CN=server.mydomain.co.uk"
0
Alan Hardisty (Co-Owner) commented:
You can re-issue the self-issued certificate with the correct FQDN in it if you like.  That should fix the problem for now and then purchase one to get the 365 Migration working.
0
Tom Skowyrski (Author) commented:
Alan, I ran the ActiveSync tool on my pc and it came back with the following results:


"Testing mail.mydomain.co.uk (SSL, On Internet):

Communications:
      Doing DNS lookup on mail.mydomain.co.uk  OK (**.**.**.**)
      Testing TCP to **.**.**.** port 443 ... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... FAIL
ActiveSync:
      Checking for application ................. OK
      Checking version ......................... OK (6.5.7638.1)
      Checking protocols ....................... OK (1.0,2.0,2.1,2.5)
User Permissions:
      Checking "domain\user1" ............. FAIL
Result:
      ActiveSync detected, but access denied. [HTTP 403: Disabled for this user]"
Please note that I ran it for admin.

I am also checking the ActiveSync permissions as per your guide:
1. http://technet.microsoft.com/en-us/library/bb125073(EXCHG.65).aspx
I have "Enable up-to-date notifications" not selected at all.
2. http://technet.microsoft.com/en-us/library/aa997489(EXCHG.65).aspx
I have it right, all enabled even for the admin which got Access Denied in the ActiveSync test software above.
0
Tom Skowyrski (Author) commented:
Please see the list of all the certificates on IIS. It seems like some of them expired but have not been removed. Even the latest one I installed for mail.mydomain.co.uk was supposed to replace the server.mydomain.co.uk but it didn't and it looks like it is taking precedence.
Please let me know which one I should remove or replace.
Additionally, in Exchange 2010 I was able to use one certificate for many subdomains. Am I right in thinking that for Exchange 2003 I will need a separate one for each subdomain, i.e. autodiscover.mydomain.co.uk; mail.mydomain.co.uk?
certif-issue.jpg
0
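Added example, not part of the thread: a small Python check for the two certificate faults described in the posts above, a host name that is not on the certificate and a certificate past its expiry date. It takes a certificate in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the three sample certificates and the dates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def cert_names(cert):
    """Names a client checks: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_cert(cert, host, now=None):
    """List the reasons a device would warn about `cert` when syncing to `host`."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        problems.append(f"name mismatch: {host} not in {names}")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now >= expiry:
        problems.append(f"expired {expiry:%Y-%m-%d}")
    return problems

# Constructed certificates (names from the thread, dates invented for the example).
OLD = {"subject": ((("commonName", "server.mydomain.co.uk"),),),
       "notAfter": "Feb 10 00:00:00 2015 GMT"}
REISSUED = {"subject": ((("commonName", "mail.mydomain.co.uk"),),),
            "notAfter": "Apr 10 00:00:00 2020 GMT"}
MULTI = {"subject": ((("commonName", "mail.mydomain.co.uk"),),),
         "subjectAltName": (("DNS", "mail.mydomain.co.uk"), ("DNS", "autodiscover.mydomain.co.uk")),
         "notAfter": "Apr 10 00:00:00 2020 GMT"}
NOW = datetime(2015, 4, 15, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for label, cert in (("old", OLD), ("reissued", REISSUED), ("multi-name", MULTI)):
        for host in ("mail.mydomain.co.uk", "autodiscover.mydomain.co.uk"):
            print(label, host, check_cert(cert, host, NOW) or "OK")
```
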
Alan Hardisty (Co-Owner) commented:
You only need a single name very in 2003 so just re-run the Connect to the Internet Wizard, leave everything as is except when it comes to the cert and just create a new one with your public FQDN in and complete the wizard.  Ignore what's already installed - the wizard will replace the cert correctly.

Then check the IIS permissions again using my article as they will have changed, then test on the test site using manual settings.

Alan
0
Tom Skowyrski (Author) commented:
Alan, I ran Connect to the Internet Wizard last time I was onsite about 3 weeks ago and it looks like it didn't replace the certificates. And yes, it does change the permissions as I found out last time.
Shall I re-run it again? Doesn't make sense but knowing Microsoft...
0
Alan Hardisty (Co-Owner) commented:
Yes please - follow my last instructions and you should be fine.
0
Tom Skowyrski (Author) commented:
Do I just have to restart IIS after that or do I have to restart the server? If restart of IIS is enough can I do it through IIS Manager console?
0
Alan Hardisty (Co-Owner) commented:
No restart required at all.
0
Tom Skowyrski (Author) commented:
I have done it. The certificate is still wrong, it is for serve.mydomain.co.uk instead of mail.mydomain.co.uk.
0
Alan Hardisty (Co-Owner) commented:
Did you create a new certificate using the wizard as you went through the options?
0
Tom Skowyrski (Author) commented:
Yes, just like in your guide.
0
Alan Hardisty (Co-Owner) commented:
Well that's odd because the wizard should create a new cert and apply it to the default website.

Can you check the default website in IIS and see what cert is currently installed please. Is it the one you recently created?

Alan
0
Tom Skowyrski (Author) commented:
I assume that the new certificate would have the expiration date which corresponds to today's date of issuing. So there are no new certificates on the list, just the ones I provided in screenshot earlier.
0
Tom Skowyrski (Author) commented:
Just a quick update:
The "Connect to Internet" wizard was succeeding but it was not issuing new certificates! Even Microsoft couldn't believe it! Anyway, we removed the mismatched certificate and ran the "Connect to Internet" wizard. After that, we created a new certificate using IIS Manager. Then I had to change permissions as per your guide. Although I am still getting a 403 error when running the connectivity test, the emails are coming through like crazy and I just had other users reporting that it started working. I would just mention that the certificate warning came up on my iPhone and I accepted it and asked users to do the same. We have Blackberry server as well, which started working after issuing the new certificate.
Alan, do you think I should worry about the 403 error or just leave it as it is running? I know that eseutil is to repair and defragment the database, but what is "isinteg -s servername -fix -test alltests" from your guide?
0
Alan Hardisty (Co-Owner) commented:
Sounds very odd!  Never seen an SBS 03 server do that before.

Working is working!  If you still see the 403 error it is odd - but as it's working then you can always follow the "If it ain't broke - don't fix it" route.

Would love to know what's going on as it is very odd.  Wondering if you will have issues migrating to 365 or if you will have to export mailboxes to .PST as a way around it.

Have you gone through the 403 Error section of my article?

Alan
0
Tom Skowyrski (Author) commented:
Alan, I have gone through the section and my iPhone is working but another user's iPhone and iPad isn't. I wonder if it is slow connection or timing out because he says that emails are being sent out of his mobile devices but not appearing in sent items. I didn't run the eseutil or isinteg tools. Hopefully I can do it today.
Should "Enable up-to-date notifications" be selected at all under Mobile Services Properties in System Manager?
0
Tom Skowyrski (Author) commented:
Still getting 403 forbidden access when viewing my OWA through the external address even on the server but the internal link is fine.
Obviously I checked the permissions and restarted IIS.
Any idea?
0
Alan Hardisty (Co-Owner) commented:
Wondering if your iPhone is working because you are using HTTP not HTTPS, and the fact that other iPhones don't suggests they are using HTTPS. This is backed up by OWA not working and the test on the test site failing.

Suggests problems with your router config to me if OWA works internally but not through the firewall.

What firewall / router do you have?

Alan
0
Tom Skowyrski (Author) commented:
We don't have port 80 opened on the router, just 443 for OWA. Not sure what you mean by iPhone working over HTTP and not HTTPS?
The error I am getting when viewing the OWA externally is:
"HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)"
We have a Draytek 2860 firewall. I have increased the timeout for TCP WWW to 240s from 60s on the router.
It is passing the test alright now, although I have enabled Forms based authentication.
People report that Blackberry users have problems now too.
I wonder if it is just something to do with Exchange, maybe it is not handling it anymore or is being overloaded. We have Blackberry Server and GFI Antispam, which may keep Exchange busy, I guess.
0
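Added example, not part of the thread: one way to see which virtual directory is returning 403, with which sub-status and to which client address, is to tally the IIS W3C extended log. The Python sketch below reads the `#Fields:` header and counts 403 responses under the Exchange paths; the log lines are constructed, and the sub-status meanings used are 403.6 (client IP address rejected, as in the error quoted above) and 403.4 (SSL required).

```python
from collections import Counter

# Meanings of the 403 sub-statuses this example labels.
SUBSTATUS = {"4": "SSL required", "6": "client IP address rejected"}

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def forbidden_summary(lines, prefixes=("/exchange", "/exchweb", "/microsoft-server-activesync")):
    """Count 403 responses per (virtual directory, sub-status, client IP)."""
    hits = Counter()
    for r in parse_w3c(lines):
        stem = r.get("cs-uri-stem", "").lower()
        if r.get("sc-status") == "403" and stem.startswith(prefixes):
            vdir = "/" + stem.split("/")[1]
            hits[(vdir, r.get("sc-substatus", "-"), r.get("c-ip", "-"))] += 1
    return hits

# Constructed log excerpt; addresses are documentation/private ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2015-04-01 09:00:01 OPTIONS /Microsoft-Server-ActiveSync 203.0.113.7 200 0
2015-04-01 09:00:05 GET /exchange/ 203.0.113.7 403 6
2015-04-01 09:00:09 GET /exchange/ 203.0.113.7 403 6
2015-04-01 09:01:00 GET /exchange/ 192.168.16.2 200 0
2015-04-01 09:02:00 GET /exchweb/bin/auth/owalogon.asp 203.0.113.7 403 4
"""

if __name__ == "__main__":
    for (vdir, sub, ip), n in forbidden_summary(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n}x 403.{sub} ({SUBSTATUS.get(sub, 'other')}) on {vdir} from {ip}")
```
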
Alan Hardisty (Co-Owner) commented:
Check the IP restrictions on the Exchange virtual directory as it's set wrong.

Should be set as per my article.

Alan
0
Tom Skowyrski (Author) commented:
It is set as per your article (I checked twice). Just restarted the server because it looks like IIS wasn't restarting properly.
0
Alan Hardisty (Co-Owner) commented:
There are IP restrictions somewhere if that is the result you got from OWA externally.

Please check the restrictions on the other virtual directories as well and test again.

Thanks

Alan
0
Tom Skowyrski (Author) commented:
Shall I check any other Virtual Directories beside the ones I already checked as you mentioned:
* Default Web Site
* Exchange
* Exchange-oma
* Microsoft Active Sync
* OMA?
0
Alan Hardisty (Co-Owner) commented:
No - they don't play a part in Activesync / OWA (other than Public) see lower down my article.
0
Tom Skowyrski (Author) commented:
Alan, sorry but can't find the references to Public Virtual Directory in your guide. Could you copy that part here please?

Also, should I do this:
Inconsistent Sync:
 If you are getting inconsistent Synchronisation from your device to your Exchange 2003 server, please add the following registry key to the server:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
 ProactiveScanning      REG_DWORD      1

Additionally, my EXCHWEB Virtual Directories settings for Authentication are the way you say but they have "Require SSL" ticked (those settings are default, I didn't change them yet).
0
Alan Hardisty (Co-Owner) commented:
Sorry - seems my EE article is a bit behind my blog article!

https://alanhardisty.wordpress.com/2010/02/28/exchange-2003-and-activesync-configuration-and-troubleshooting/

What AV do you have on the server (if any)?
0
Tom Skowyrski (Author) commented:
I have Public settings right.
We have Kaspersky Endpoint 10.
I have enabled virus scanning in registry.

I have noticed the following:
* As soon as I change the sync period on the iPhone to more than 1 week, it doesn't work.
* It looks like something is wrong with IIS. Occasionally when I go into IIS Manager, the Web Sites Pool has got a red asterisk/cross, so I right click on the server and choose Restart IIS and from there I choose Start IIS on the Server and the red asterisk/cross goes away.
What do you think?

I have asked some users to delete their accounts and add them back on smartphones. I want to try the Outlook app on iPhone as well.
0
Alan Hardisty (Co-Owner) commented:
Doesn't sound too happy.

What event log errors are you seeing that might give a clue about the IIS Application Pools?
0
Tom Skowyrski (Author) commented:
There is nothing in the Event Viewer regarding the IIS.
Also, when the incremental backup was running on Monday (we use Acronis), it came up with errors as it wasn't able to read off the disk. It was weird, it was like 8pm, nobody in the office so the server was not under much pressure, and I ran check disk on both partitions on Saturday (2 days before the backup).
Recently, I checked the disks using HP array and all are healthy and online.

What does it all sound like to you?
0