Main Menu

[Slacker]

But for the record, mine has been working since my VPN/Internet plan kicked in.

[bradyr]

I tried it last night and it works fine now - thanks a bunch for the help

I had tried to get to someone in tech support to help me and was told I was escallated as high as I could go and no one knew how to configure this. I even saw the T-mobile guys at Tech-Ed and asked them - they said that T-mobile hadn't decided yet when they would support a smartphone and couldn't help me.

too bad - great service otherwise, just a bit of a pain if they can't help you configure your phone.

[nickpoore]

1) Install Exchange 2003 (Small Business Server is the best option for a single server implementation)
2) Install a certificate (self-signed, purchased, whatever)
3) Configure Outlook Web Access to use "Forms Based Authentication" (you can Google this if you don't know how)
4) Open port 443 (HTTPS) and direct it to your Exchange server
5) MAKE SURE OWA WORKS from OUTSIDE your network!

Just to add a couple of things...

2. Thawte certificates are one of the cheapest public certs around, but you can use the MS Cert if you choose.

3. Forms based authentication can cause some functionality problem on OWA (eg the inability to click on a URL link in an email.) For that reason I am unable to run Forms Based Authentication.

When using a single-server system, with HTTPS being forced on the /exchage server (which is always a good idea.), you need to bypass some security for the OMA & Active Sync tools.
This MS article describes the problem and gives step-by-step instructions.
http://support.microsoft.com/default.aspx?...kb;en-us;817379

Also, Exchange 2003 SP1 is now out, which give some help with RPC over HTTPS. If you use Outlook 2003 / Exchange 2003 you NEED to run RPC over HTTPS in order to allow your remote users to sync.. But that is a whole other topic.

Hope the MS link helps.

-=Nick=-

[Slacker]

The article you linked refers to OMA (Outlook Mobile Access). This is not what is used for ActiveSync and therefore doesn't apply. And so far I have had no issues with OWA (Outlook Web Access) since setting it up 2 months ago.

Thawte does provide cheap certs. Unfortunately they are not free.

[nickpoore]

Slacker.
The article refers to both.
"When you try to access a Microsoft Exchange Server 2003 computer by using Microsoft Outlook Mobile Access or Microsoft ActiveSync, you may experience one of the following symptoms..."
Since ActiveSync uses the OMA conduit, this is understandable.

You provided a great article, and I just wanted to add to it.

I currently have two live Exchange 2003 implementations, and both are using Server ActiveSync. The users love them.
I'm waiting to get a smartphone myself (mpx220) and already have a PocketPC Phone up and running - but it's too large to carry around all the time so I just have it sitting in the car acting as an email client.

To discribe the problem quickly, when ActiveSync speaks to the server, the front-end server speaks to the client on port 80/443. However the traffic from the front-end server to the back-end server only happens on port 80. If you have a single-server environment (most people probably do) then this front-end to back-end is really happening on the same server, and so you have to configure a custom folder to handle this communication. So, if anyone has a single-server configuration, and has forced SSL on the /exchange folder, and wants to use ActiveSync, then this article is for them.

Thanks again for a great article.

-=Nick=-

[Slacker]

I appreciate the information. I guess I just don't understand. You talk about a custom folder for the front-end / back-end communication to happen on the same box. I am using SBS2k3 and didn't have to set up any type of custom folders. Once I did the basic install of 2k3 and configured the phone it worked fine. Same with my iPaq 5455. So can you explain exactly what you are referring to with this custom folder?

[nickpoore]

The way Microsoft want you to set up Exchange in a large organisation, it to have a "front end" server. This server speaks to the internet and handles all the public traffic. So, inbound/outbound SMTP, as well as OWA, OMA and ActiveSync are all handled by this server. The font end server does not contain any mailboxes or public folders.
Then there is a "back end" server, that is completely private and is not responsible for sending anything to the internet - it just sends it to the front-end server and that server then sends it. Kind of like a proxy thing. The back end server is where the data (ie mailboxes) is stored.
Now, in LARGE organisations, this makes a lot of sense.
In small organisations, this is expensive, and very few small companies will do it.

Now, having said all that, some applications, such as OMA, and RPC Proxy, take the traffic from the front end server, and relay it to the back end server. They're just designed that way.
If you happen to have a single server (which most of use will) then the front end / back end functionality is all happening on one server.

Now, if you read the MSKB article that I posted, you will see that it describes how OMA/ActiveSync traffic is received on the front end server, and sent as a request to the /exchange folder on the back end server. Since a back end server is designed to not be public, the assumption is that the back end server will not be running SSL, and so the traffic is directed to the /exchange folder on the back end server using HTTP (port 80).

If you happen to have a single server environment, and have forced SSL on the /exchange folder (good practice) then the front end request to the back end server will fail, as the back end server will not allow HTTP traffic to the /exchange folder. (ie the OMA folder is making an HTTP request of the /exchange folder, which has security prohibiting such requests.)

The solution here is to make a new virtual directory. Since the /exchange folder already exists, the solution (in the MSKB article) is to COPY the exact settings of this folder, and then to creat a new folder (call it anything you like, they suggest "/exchDev") using the same paramaters as the /exchange folder. You the decrease the security on this new folder, to allow traffic on port 80, while simultaneously increasing the traffic on the folder to only allow traffic from the server's IP address (so only the server can request traffic on this special folder.) Lastly, haveing created the security on this new folder, you edit the registry to redirect the OMA/ActiveSync requests from the front end server to go the new folder, instead of the /exchange folder.

Yes, it sounds kinda complicated.

The simple thing to do is to see if the server activesync is working for you.
Try it with a device such as a PocketPC (wifi models make this easy) and see if you can sync or not.
If you are having problems, then you may need to run through the instructions in the MSKB article.

I hope I have not confused the issue too much.

I don't know about MS SBS, as I have not used a recent version of it. I would not be surprised if they had done a few tweaks in order to make it play nicer with itself.

Okay, this has gone on a LONG time. If anyone has any questions, please just email me directly at npoore _at_ bde3d.com.

Thanks.

-=Nick=-

[bradyr]

it works great now - thanks for all the help

[Slacker]

I guess my server doesn't have the issue, because it has worked with my PocketPC great since day 1, and with my MPx200 most of the time.

[billz89]

I guess my server doesn't have the issue, because it has worked with my PocketPC great since day 1, and with my MPx200 most of the time.

Hi Slacker.

I finally got T-Mobile to get my account setup with the proper internet & vpn access. I can get to the internet, but I'm getting an error on my phone:

"Synchronization failed due to an error on the server. Try again. Error code: HTTP_500"

... and on the server

Event Type: Error
Event Source: Server ActiveSync
Event Category: None
Event ID: 3005
Date: 2/12/2005
Time: 5:37:43 PM
User: Domain\UserID
Computer: ServerName
Description:
Unexpected Exchange mailbox Server error: Server: [ServerName.Domain.local] User: [EMailName@Domain.com] HTTP status code: [501]. Verify that the Exchange mailbox Server is working correctly.

I'm running Windows SBS 2003 on a single server and I can access Remote Web Workplace, etc. Any ideas?

Thanks.

Bill

[Slacker]

Check this page

[billz89]

Check this page

Hi Slacker.

Yep. Checked that page out and saw similar pages to that and tried the SSL disabling and making sure that anonymous access isn't checked, that external IP addresses are blocked and that Integrated Windows Authentication and Basic Authentication are checked. Everything appears to be the way it should be. Bizzarre. It I don't have the proper port on my Proxy name:port for T-Mobile could it cause that type of error?

Bill

[Slacker]

port on my Proxy name:port for T-Mobile

huh? Where is this setting you are asking about? How do you get to the screen to see it?

[billz89]

huh? Where is this setting you are asking about? How do you get to the screen to see it?

T-Mobile support gave me a port to add to my IP address for WAP Proxy. It hasn't made a difference whether or not it is there. I've reported to T-Mobile that I'm still getting an error, hopefully they can fix it.

Bill

[Slacker]

I didn't use any ports except what is listed in the instructions. Works great for most of the other folks that have used them. I suggest deleting all of your data settings and starting over. Once you can browse the web and secure sites, THEN try to set up OTA activesync.

[billz89]

I didn't use any ports except what is listed in the instructions. Works great for most of the other folks that have used them. I suggest deleting all of your data settings and starting over. Once you can browse the web and secure sites, THEN try to set up OTA activesync.

I did go back to what the instructions have for T-Mobile settings and everything is working on the internet side, but OTA sync is still not working. The weird thing is, if I go into activesync on the MPX200 and change my userid/username so it is different from any userid in my 'domain' my server logs in security events "Unknown user name or bad password". Which seems to indicate that from an authentication level it must be talking to the server. This would lead me to believe that it is a 'path' error in Exchange/IIS.

Update: 2/15/2005: I have confirmed that my Exchange/IIS setup is corrupted. Most likely the phone and T-Mobile service are fine. Now I just have to find a way to restore the service back to the way it was.

Bill

This post has been edited by billz89: Feb 15 2005, 06:45 PM

[billz89]

I didn't use any ports except what is listed in the instructions. Works great for most of the other folks that have used them. I suggest deleting all of your data settings and starting over. Once you can browse the web and secure sites, THEN try to set up OTA activesync.

Hi Slacker.

Well, my SBS2k3 server is royally messed up. I can't get OMA to work via a PC based web browser so I know that for sure.

I have another SBS2k3 server that I found had a setting that was correct as far as the initial installation was concerned, but when I added an e-mail domain that wasn't the same it got confused quickly. Here is a brief description:
***
In IIS 6.0, Default WebSites, the /exchange-oma and /exchange folder paths don't match the SMTP e-mail address domain.

The original installation folder paths look something like this: \\.\BackOfficeStorage\domain.local\MBX

However in the instance in which I fixed it the path needed to be \\.\BackOfficeStorage\domain.com\MBX

Where domain.com would be the internet address after the '@' symbol in the users primary e-mail address.
***

Once this correction was made I tried my MPX200 against it and it worked great! The sad thing is that I have to rebuild my SBS2k3 server this weekend.

Hopefully once I have completed that step everything will work okay with it.

Thanks again for all the help you provided to me and also to others in this forum. It is greatly appreciated. Have a great weekend!

[bradley_st]

To receive updates on activesync with the exchage server, you will need to make sure that basic authentication is set in IIS on either the mailbox server or front end. Really it just needs to be set on whichever server you are pointing to. I could not get this to work for awhile, and then I came acroos the fact that basic authentication wasn't checked. This is a by product of running IISlockdown on your exchange servers. Hope this helps.