Cannot connect to Exchange 2007 with Windows Mobile or Palm OS based phones (ActiveSync)
I have been doing quite a bit of research with Exchange 2007 Front-End services regarding mobile devices. I have found that some mobile devices, especially Palm Treos and Windows Mobile 5 handsets, among others, do not play well with Exchange 2007 SP1. From what I have read, it is an issue with older devices failing to apply the default (global) ActiveSync Mailbox Policy within Exchange 2007. The apparent fix is to delete the default ActiveSync Mailbox Policy, which, in its current state, is fairly unrestricted. Older clients must also trust the Root Certificate Authority that signed the certificate and be able to handle Subject Alternative Names, if applicable. Adding the Root CA to the device's Trusted CA list fixes most devices; others may have to disable certificate checking altogether.
To take it a step further, the results of my testing were mixed as I could get some Exchange 2007 mailboxes to work:
Scenario 1: Mailbox is homed on an Exchange 2007 Mailbox Server; its ActiveSync connection is behind ISA 2006 and Exchange 2007 CAS. The Palm Treo CANNOT sync. (VeriSign Cert). iPhones work fine.
Scenario 2: Mailbox is homed on an Exchange 2003 Mailbox Server; its ActiveSync connection is behind ISA 2006 and Exchange 2007 CAS. The Palm Treo CAN sync as expected. (VeriSign Cert). iPhones work fine.
Scenario 3: Mailbox is homed on an Exchange 2007 Mailbox Server; its ActiveSync connection is behind Exchange 2003 Front-End Servers. The Palm Treo CAN sync. (VeriSign Cert). iPhones work fine.
After churning on the idea a bit further, I decided to look at the CAS IIS logs. I found these:
2009-08-12 18:51:31 192.168.0.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &Log=V25_LdapC1_LdapL16_RpcC0_RpcL0_ 443 domain\username 192.168.0.30 PalmOne-TreoAce/2.01m01 200 0 0 500
Note the corresponding POST from ISA 2006, which received HTTP 449:
2009-08-12 18:51:32 192.168.0.3 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=domain\username&DeviceId=PLMO36DB0515&DeviceType=PalmOneTreoAce&Log=V25_Ssnf:T_LdapC9_LdapL15_RpcC25_RpcL93_Ers1_Pk0_Error:DeviceNotProvisioned_ 443 domain\username 192.168.0.30 PalmOne-TreoAce/2.01m01 449 0 0 484
ISA 2006 and Exchange 2007 are passing the traffic as expected. The 449 (Retry With) status together with the Error:DeviceNotProvisioned token in the Log= field shows the CAS telling the Treo to provision, i.e. to fetch and apply the mailbox policy, which the device never completes. It seems the problem stems from where the mailbox is homed and which front-end system the device connects to. If CAS servers are in play, the ActiveSync connection fails, since the Default ActiveSync Mailbox Policy is created and applied when the CAS server role services the connection.
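As an added example (not from the original post), here is a small Python triage script that parses CAS IIS log lines in the layout shown above and pulls out the requests that ended in HTTP 449 or carry Error:DeviceNotProvisioned in the Log= field, grouped by DeviceType, so you can see which device models are stuck at provisioning before touching the policy. The two Palm lines are the ones quoted above; the W3C field order, the #Fields header and the iPhone success line are assumptions constructed for the example.

```python
"""Triage Exchange 2007 CAS IIS logs for ActiveSync provisioning failures.

Added example, not part of the original post. Assumes the W3C extended
log layout seen in the quoted lines: date time s-ip cs-method cs-uri-stem
cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
sc-win32-status time-taken.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "user", "c_ip", "user_agent", "status", "substatus", "win32_status",
          "time_taken"]

# The two Palm lines are copied from the post; the header and the iPhone line
# are constructed so a successful sync is visibly filtered out.
SAMPLE_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-08-12 18:51:31 192.168.0.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &Log=V25_LdapC1_LdapL16_RpcC0_RpcL0_ 443 domain\username 192.168.0.30 PalmOne-TreoAce/2.01m01 200 0 0 500
2009-08-12 18:51:32 192.168.0.3 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=domain\username&DeviceId=PLMO36DB0515&DeviceType=PalmOneTreoAce&Log=V25_Ssnf:T_LdapC9_LdapL15_RpcC25_RpcL93_Ers1_Pk0_Error:DeviceNotProvisioned_ 443 domain\username 192.168.0.30 PalmOne-TreoAce/2.01m01 449 0 0 484
2009-08-12 18:52:10 192.168.0.3 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=domain\username&DeviceId=ApplCONSTRUCTED0001&DeviceType=iPhone&Log=V25_LdapC1_LdapL3_RpcC4_RpcL12_ 443 domain\username 192.168.0.30 Apple-iPhone/701.400 200 0 0 312
"""


@dataclass
class EasRequest:
    method: str
    status: int
    user: str
    user_agent: str
    cmd: Optional[str]
    device_id: Optional[str]
    device_type: Optional[str]
    error: Optional[str]            # value after "Error:" in the Log= field
    log_tokens: List[str] = field(default_factory=list)


def parse_query(query: str) -> Dict[str, str]:
    """Split 'Cmd=FolderSync&User=...' into a dict; IIS writes '-' for no query."""
    pairs: Dict[str, str] = {}
    if query == "-":
        return pairs
    for part in query.split("&"):
        if not part:
            continue                # the OPTIONS line starts with a bare '&'
        key, _, value = part.partition("=")
        pairs[key] = value
    return pairs


def parse_log_field(log_value: str) -> Tuple[List[str], Optional[str]]:
    """Split the '_'-delimited Log= diagnostics and pull out any Error: token."""
    tokens = [t for t in log_value.split("_") if t]
    errors = [t[len("Error:"):] for t in tokens if t.startswith("Error:")]
    return tokens, (errors[0] if errors else None)


def parse_line(line: str) -> Optional[EasRequest]:
    """Parse one W3C log line; returns None for header or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()            # cs-uri-query never contains spaces
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    query = parse_query(rec["uri_query"])
    tokens, error = parse_log_field(query.get("Log", ""))
    return EasRequest(method=rec["method"], status=int(rec["status"]),
                      user=rec["user"], user_agent=rec["user_agent"],
                      cmd=query.get("Cmd"), device_id=query.get("DeviceId"),
                      device_type=query.get("DeviceType"), error=error,
                      log_tokens=tokens)


def parse_log(text: str) -> List[EasRequest]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def provisioning_failures(requests: List[EasRequest]) -> List[EasRequest]:
    """Requests answered with 449 (Retry With) or flagged DeviceNotProvisioned."""
    return [r for r in requests
            if r.status == 449 or r.error == "DeviceNotProvisioned"]


def failures_by_device_type(requests: List[EasRequest]) -> Counter:
    """Count failing requests per DeviceType (falls back to the User-Agent)."""
    return Counter(r.device_type or r.user_agent
                   for r in provisioning_failures(requests))


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for r in provisioning_failures(reqs):
        print(f"{r.device_type} {r.device_id} {r.cmd} -> HTTP {r.status} ({r.error})")
    print(dict(failures_by_device_type(reqs)))
```

Run it against a real CAS log by replacing SAMPLE_LOG with the file contents; a device type that shows up only in the failure counter while the same user's other devices sync is the pattern described in the scenarios above.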
THE FIX: From an Exchange 2007 CAS server, run: Remove-ActiveSyncMailboxPolicy -Identity "Default"
1.) In order for your Exchange 2003 back-end server to work, you must enable Integrated Windows Authentication on the Microsoft-Server-ActiveSync virtual directory within IIS. See: http://msexchangetips.blogspot.com/2007/11/exchange-2007-activesynch-does-not-work.html
2.) If you reinstall a CAS server, the default ActiveSync Mailbox policy is recreated. You will have to remove it again.