Stephen J. Bigelow, Senior Technology Writer
07.23.2010
Exchange Server tips, tutorials and expert advice


Microsoft has made significant advancements in mobile support technology with Exchange
ActiveSync. The XML-based protocol synchronizes email, contacts, calendars and tasks between
Exchange Server and ActiveSync-compliant mobile devices. ActiveSync also gives Exchange
administrators the tools to control policies and to manage and secure devices.

Being able to synchronize Exchange data can benefit both users and administrators. For users,
the advantages include mobility with simplicity; they can connect to a corporate Exchange server
with a compatible device and a common cellular carrier, for example.

Exchange ActiveSync also brings an element of control to the mobile environment, allowing
administrators to manage the way that devices access Exchange Server. This is particularly
important as mobile devices continue to mature and slowly transition from simple messaging
devices to more comprehensive unified communication devices. Exchange experts note that the
need to control data and how it's accessed is vital in preventing data leakage.

"If I want control over how those devices connect, what capabilities they have and can't have,
how securely they connect, what happens if a device is lost or stolen -- that's the policy stuff
that's built into ActiveSync," said Lee Benjamin, Exchange MVP and messaging architect with
ExchangeGuy Consulting in Boston.

Microsoft licenses Exchange ActiveSync to mobile device manufacturers, and today many major
mobile device vendors support ActiveSync, including Windows Mobile/Windows Phone, Apple
iPhone and iPod, Google Android and Palm WebOS devices.

However, no two mobile devices support ActiveSync in the same way. Each manufacturer can
select and modify the particular ActiveSync features that its device supports.

For example, one manufacturer may implement bandwidth reduction or multiple folder
synchronization capabilities, while another manufacturer may not. This is an issue with the
mobile device vendor, not Exchange ActiveSync. The onus is on each organization to determine
the features that are needed and then to select a mobile device that supplies them.

Exchange administrators may face additional challenges when device manufacturers implement
their own alternatives to ActiveSync. For example, BlackBerry uses proprietary protocols to
synchronize with Exchange Server, but experts warn that this can be risky.

"You have all these manufacturers that are coming up with their own ways to sync data from
Exchange [Server] that don't leverage ActiveSync technology," said Richard Luckett, president
of SYSTMS of NY, Inc. "Many devices have the ability to bypass ActiveSync, and therefore
corporate policy. That's the real challenge to ActiveSync."

Support for various ActiveSync features also affects mobile device refresh cycles. Since most
mobile devices come with two-year service provider contracts, organizations can't adopt any
new Exchange Server, ActiveSync or mobile device features until service contracts expire.

With the release of Exchange ActiveSync 14.0 in Exchange Server 2010, Windows Phone
devices can update ActiveSync dynamically, easing a technology refresh. Microsoft mobile
devices have taken a piece of this away from cellular providers by providing an over-the-air
update to the messaging client via Exchange Server 2010.

Although ActiveSync has evolved into a safe method to access Exchange Server data remotely,
development of the protocol remains ongoing. The latest version of Exchange ActiveSync
included in Exchange Server 2010 SP1 gives administrators additional control over devices as
well as information rights management, or IRM over EAS. Exchange experts don't predict any
new features on the horizon, but they do expect that ActiveSync will continue to evolve with the
mobile device market.

Test your setup before connecting iPhone to Exchange with ActiveSync

Before you connect iPhone to Exchange on ActiveSync you'll want to test your setup on a
Windows Mobile device or mobile emulator. Our expert explains the process.

The iPhone was designed as a consumer device and Apple has simplified its interface. Therefore,
connecting iPhone to Exchange is easier than connecting a Windows Mobile device to Exchange.
However, if everything isn't configured correctly, you will have a hard time troubleshooting
problems.

Connecting a Windows Mobile device to Exchange first will help you verify that all of the
necessary components are functional before attempting to connect iPhone. If you don't have a
Windows Mobile device, consider using the Windows Mobile Emulator.

If you use the Windows Mobile Emulator to test your Exchange setup, you'll need to manually
verify that your perimeter firewall is configured for traffic to flow through port 443.
SSL-encrypted ActiveSync traffic uses port 443; it's also used when you configure a physical
Windows Mobile device to connect to Exchange.

If the connection works, the port is open. If you use an emulator, connectivity occurs from within
your private network. Since ActiveSync traffic doesn't pass through the perimeter firewall in this
scenario, you must manually verify the firewall's configuration.



Power on the iPhone and select the  option from the menu. iPhone will ask what type of
mail you want to set up. Choose the Microsoft Exchange option at the top of the list.

Next, iPhone will prompt you to enter basic information, including your email address, the name
of your domain and your username and password. You also must enter the name of your
Exchange server. Enter the server's external URL instead of the actual server name.

For example, my mailbox is stored on a server named Mirage, which exists as a part of an
internal domain named production.com. However, the external DNS name that's linked to my
Exchange organization is exchange.brienposey.com. This is the value I entered into the Server
Name field. Although ActiveSync uses SSL encryption, you're not required to enter the HTTPS
portion of the server's URL.

Before you continue, there's a field to enter an optional description of the mail account you're
configuring. When you're done, tap  .

The next screen will prompt you to choose which types of mailbox items to synchronize. The
iPhone displays slide bars you can use to turn synchronization for mail, contacts and the calendar
on or off. All these items are synchronized by default. As the last step in the mailbox setup
process, choose which items you want to synchronize.

In my experience, the iPhone doesn't show messages that were already in an Exchange mailbox
before you established a connection. But all new messages become available once iPhone is
connected to the mailbox.

About the author: Brien M. Posey, MCSE, is a six-time recipient of Microsoft's Most Valuable
Professional (MVP) award for his work with Exchange Server, Windows Server, Internet
Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a
nationwide chain of hospitals and was once responsible for the Department of Information
Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft,
TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
You can visit

Which ActiveSync authentication method is best for your mobile device?
14 May 2009 | SearchExchange.com

There are several ways to configure Exchange Server ActiveSync authentication to secure mobile
devices, including basic authentication, certificate-based authentication and token-based
authentication. In this tip, Microsoft Exchange Server expert Brien Posey summarizes these three
ActiveSync authentication methods to help you decide which is best for your Exchange 2007
environment.

ActiveSync certificate-based authentication requires a copy of the trusted root certificate for the
certificate authority (CA) that issued the SSL certificate. The client access server (CAS) will
then use this SSL certificate. Basic authentication also has the same requirements, as long as SSL
encryption will be used.

Windows Mobile has a number of built-in trusted root certificates from various vendors. If CAS
is using an SSL certificate issued by a well-known CA, it's likely that the required trusted root
certificate already exists.

To check if the required root certificate is in place in Windows Mobile 6.1, click on  and
then choose . This will open the mobile device's Control Panel. Go to the  tab and open
the  applet. The  tab lists all trusted root certificates, as shown in Figure 1.
Figure 1: Trusted root certificates listed on the Windows Mobile device.

If you want to use ActiveSync basic authentication with SSL encryption, you will only need a
root certificate. However, for certificate-based authentication you also need a valid client
certificate that has been issued to the device. This certificate should have been created
specifically for authentication purposes.

Because client certificates are used in the authentication process, there are a few installation
steps you must follow to ensure device security. For example, if you're using an internal
Enterprise Certificate Authority, Windows-based certificate authorities contain a built-in website
that clients can use to perform certificate requests.

Prior to the release of Windows Server 2008, Windows Mobile clients could log on to
https://<server name>/CertSrv and issue a certificate request. However, Windows Server 2008
certificate authorities block certificate requests from mobile devices.

Therefore, you must make a certificate request from a desktop or laptop. The issued certificate
must then be manually copied to the mobile device's file system. Next, double-click on the
certificate file to install it on the mobile device.

Two other requirements of certificate-based authentication include the following:

- The computer issuing the certificate request must be a domain member.
- The mobile device must communicate with the computer via Desktop ActiveSync 4.5 or
  later if Windows XP is being used, or via the Windows Vista Mobile Device Center.


Token-based authentication is a two-factor authentication method. ActiveSync supports
token-based authentication, but not out of the box. If you want to use token-based authentication
on your Windows Mobile device, you must install special authentication software on the client
access server. Depending on whether you're using hardware- or software-based authentication,
you may have to install authentication software on the mobile device as well.

Token-based authentication combines a username and password with a user's access token. There
are several different token-based authentication products on the market, but Exchange Server
generally uses token software to generate a six-digit number every 60 seconds.

Each user is also issued a credit card-sized piece of hardware that generates the same six-digit
number as the Exchange server. When a user logs in, he must enter his authentication credentials
and this six-digit number.

Since Exchange Server ActiveSync won't work unless the user's credentials are stored in the
mobile device, some token-based authentication providers offer software-based tokens for
Windows Mobile devices. This software prevents an unauthorized mobile device from
connecting to ActiveSync, even if the device has a valid set of authentication credentials.
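The article does not name the token products it has in mind, so as an added example (not from the article or any vendor) this Python stand-in uses the open TOTP algorithm (RFC 6238), with the 60-second step and six digits the article describes, to show how the hardware token and the Exchange-side software arrive at the same number from a shared secret and the clock, and how the server-side check tolerates one step of clock drift. DEMO_SECRET is a constructed value.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret for the demo (the RFC 6238 reference secret). In practice the
# server and each user's token hold one secret per user, and it never leaves either side.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 60  # the article describes a new six-digit number every 60 seconds
DIGITS = 6


def totp_code(secret, unix_time=None, step=STEP_SECONDS, digits=DIGITS):
    """The number both the hardware token and the server derive from the secret and the clock."""
    unix_time = time.time() if unix_time is None else unix_time
    counter = int(unix_time) // step  # identical on both sides within the same 60-second step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)


def verify_code(secret, submitted, unix_time=None, step=STEP_SECONDS, window=1):
    """Server-side check of the number the user types alongside the username and password.
    One step either side is accepted so a token whose clock drifted slightly still works;
    compare_digest keeps the comparison constant-time."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False  # malformed input never reaches the comparison
    unix_time = time.time() if unix_time is None else unix_time
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp_code(DEMO_SECRET, now)  # what the token displays right now
    print("token shows", code, "-> server accepts:", verify_code(DEMO_SECRET, code, now))
```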

Identify ActiveSync certificate errors in Exchange Server 2010
01 Apr 2010 | Brien Posey, Contributor

Most of the ActiveSync problems I've encountered have been certificate-related. If your
certificates are not configured correctly, ActiveSync won't work. This tip will help you get to the
bottom of ActiveSync certificate errors in Exchange Server 2010.

The easiest way to find out if you have a certificate-related problem is to log into Outlook Web
App (OWA). OWA and ActiveSync both require SSL, and use the client access server (CAS).
ActiveSync and OWA also use the same SSL certificate, so if OWA works properly, you can
rule out a certificate issue.

As you test OWA, here are some things to keep in mind:

- By default, Exchange Server 2010 is configured to use a self-signed certificate with OWA.
  However, self-signed certificates are not compatible with ActiveSync. You need to use a
  valid X.509 certificate.
- When you enter the URL for OWA, make sure that the URL points to the same CAS that
  ActiveSync is using.
- Be sure to use the HTTPS prefix in your OWA URL.
- When OWA loads, make note of any certificate-related warning messages you receive. If the
  certificate has expired, it will not work with ActiveSync.
- If you receive a warning that the certificate name does not match the host name, verify that
  you have entered the server's fully qualified domain name (FQDN) as a part of the URL,
  as opposed to the server's short host name.

  Entering the URL without using a FQDN can trigger false certificate identity errors. If a
  certificate identity error is legitimate, you will need a new certificate.

- You will receive a warning message (Figure 1) if the computer does not trust the
  certificate authority (CA) that issued the certificate to Exchange Server 2010. Both
  Windows and Windows Mobile are configured to trust most major third-party certificate
  authorities by default.

  Figure 1: Warning displayed when the computer does not trust the issuing CA.

  If you are using your own CA, you must configure your computers and mobile devices to
  trust it. Windows-based CAs have a Web interface you can use to download a CA
  certificate. This certificate then must be added to the computer or device's certificate
  store. The Web interface is accessible at /CertSrv (Figure 2).

  Figure 2: The Windows CA Web enrollment interface at /CertSrv.

- An Enterprise certificate authority that is running Windows Server 2008 does not allow
  Web enrollment for mobile devices unless you install the Network Device Enrollment
  Service. Although it's possible to download the CA certificate, which allows the device to
  trust your Enterprise CA, using other methods, it's best to use the Network Device
  Enrollment Service.
- When you attempt to access OWA using an HTTPS session, Internet Explorer may display
  an error message stating that the page cannot be displayed. If this occurs, try accessing
  OWA using an HTTP session, instead of HTTPS.

  If you receive a message telling you that the HTTP session is forbidden, there is probably
  an issue with the server's SSL certificate or its bindings. If you continue to receive the
  same error whether you use HTTP or HTTPS, this may signal a DNS problem.
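Added example, not code from the article: a Python stand-in for the checklist above that runs the same checks (FQDN in the URL, certificate name match including subject alternative names and one-label wildcards, expiry, self-signed, untrusted issuer) over certificate metadata in the dict shape that Python's ssl module returns, plus a live variant that also confirms port 443 is reachable. SAMPLE_CERT, TRUSTED_ROOTS and the example.com names are constructed.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns: a CAS
# certificate issued to the external FQDN by an internal enterprise CA (all names made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "exchange.example.com"),),),
    "issuer": ((("commonName", "Example Enterprise CA"),),),
    "subjectAltName": (("DNS", "exchange.example.com"), ("DNS", "autodiscover.example.com")),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
# Issuer names present in the client's trusted root store (constructed).
TRUSTED_ROOTS = {"Example Enterprise CA"}

def _common_name(rdn_sequence):
    """Pull the CN out of the nested RDN tuples getpeercert() uses for subject/issuer."""
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def _name_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers exactly one DNS label."""
    pl, hl = pattern.lower().split("."), host.lower().split(".")
    if pl[0] == "*":
        return len(pl) == len(hl) and pl[1:] == hl[1:]
    return pl == hl

def diagnose(url_host, cert, trusted_roots, now=None):
    """Return the problems the checklist above would flag for this URL host and certificate."""
    now = time.time() if now is None else now
    problems = []
    if "." not in url_host:
        problems.append("URL uses a short host name; enter the server's FQDN to avoid false identity errors")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"] or [_common_name(cert["subject"])]
    if not any(_name_matches(n, url_host) for n in names):
        problems.append("certificate name does not match host name %s (cert names: %s)" % (url_host, ", ".join(names)))
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate expired on " + cert["notAfter"] + "; it will not work with ActiveSync")
    issuer = _common_name(cert["issuer"])
    if issuer == _common_name(cert["subject"]):
        problems.append("self-signed certificate; not compatible with ActiveSync")
    elif issuer not in trusted_roots:
        problems.append("issuing CA '%s' is not trusted by the client" % issuer)
    return problems

def check_live(host, port=443, trusted_roots=None):
    """Live variant: confirms port 443 is reachable (the firewall check) and lets a default
    context reject expired, untrusted or mismatched certificates at the handshake."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [exc.verify_message]
    except OSError as exc:
        return ["port %d on %s not reachable: %s" % (port, host, exc)]
    roots = trusted_roots if trusted_roots is not None else {_common_name(cert["issuer"])}
    return diagnose(host, cert, roots)
```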


Unlike its earlier versions, Exchange Server 2010 requires Windows Server 2008 and Internet
Information Services (IIS) 7. And the process for setting up SSL is quite different in IIS 7 than it
was in IIS 6.

In IIS 7, SSL certificates are applied at the server level. If you look at the IIS Manager and select
the listing for your IIS server, the details pane will contain a Server Certificates icon (Figure 3).
Figure 3: The Server Certificates icon in the IIS Manager details pane.

When you click the Server Certificates icon, the details pane displays the SSL certificates
currently associated with the server. As you can see, the Actions pane contains an option to
create a certificate request. If you're using your own CA, you'll have to use this link to create a
text file containing the certificate request.

Next, use the certificate enrollment website to perform a certificate request, using the contents of
the text file. When this process is complete, the website will allow you to download a certificate.
After doing so, you must use the Complete Certificate Request link (Figure 4) to make IIS aware
of the new certificate.

Figure 4: The Complete Certificate Request link in the Actions pane.

Although SSL certificates are managed at the server level, SSL encryption is actually enabled or
disabled at the individual website level. OWA and ActiveSync are both a part of the Default
Web Site and have SSL enabled by default. You can use the SSL Settings icon to verify that SSL
encryption is enabled (Figure 5).

Figure 5: Verifying that SSL encryption is enabled for the site through SSL Settings.

One step that often is overlooked involves configuring a site's bindings. In the case of SSL, site
bindings tell IIS which certificate it should use for a particular site. If you look back at Figure 5,
you'll notice a Bindings link, which is located in the Actions pane. Clicking on this link displays
the existing site bindings.

To make sure that the site is using the correct certificate, select the HTTPS binding and click
. The IIS Manager will display the Edit Site Bindings dialog box (Figure 6), which lets you
choose the certificate you'd like to use with the site.
Figure 6: The Edit Site Bindings dialog box.

When testing this procedure in the lab, I ran into some problems and discovered they were
related to the bindings. Although the bindings on my Exchange 2010 Server were configured
correctly, they became corrupted -- causing Internet Explorer to display a Page Cannot Be
Displayed error when I attempted to access OWA.

When I viewed the bindings through IIS Manager, everything seemed normal. I only encountered
the problem when I was unable to modify my bindings. Deleting and recreating the bindings
seemed to solve the problem.