Iphone with MS Exchange

Mark M · 16 Mar 2010 at 13:29

Tried a few guides on the net and havent been able to get it working.

Ive got all the details in but it wont verify? Are there any ports that need opening on the router perhaps or anything else I should look out for as Ive exhausted all options I know of :confused:

King Arthur · 16 Mar 2010 at 13:46

Ill move this to enterprise with it been to do with servers etc.

Is active sync set up? What version of iphone software also what version of exchange.

Phil

ruffneck · 16 Mar 2010 at 13:47

what exchange version are you running?

Mark M · 16 Mar 2010 at 13:49

Sorry, using Exchange which comse with SBS2003.

Not sure about active synch? Where do I need to check for that?

ruffneck · 16 Mar 2010 at 13:52

Exchange System Manager > Global Settings > Mobile Services

Right click > properties

paradigm · 16 Mar 2010 at 14:05

Is your version of exchange fully up-to-date?

Pre SP1, exchange 2003 didn't have mobile push support.

Mark M · 16 Mar 2010 at 15:49

ruffneck said:
Exchange System Manager > Global Settings > Mobile Services

Right click > properties

Everything is ticked: enable user initiated syhchronization, enable uo to date notification and enable notificiations to user specified SMTP addressess.

paradigm said:
Is your version of exchange fully up-to-date?

Pre SP1, exchange 2003 didn't have mobile push support.

I believe everything is up to date, the version is 6.5.7226.0. No mention of any service packs.

malman · 16 Mar 2010 at 16:04

Thats sp1 - I beleive you need SP2 for active sync push mail. Sp1 only did sms activated push AFAIK.

Once you have sp2 on you probably need to re-run the CEICW (config email internet connection wizard) to set it up and open port 443 on any firewall you have. If this is sbs premium in twin card mode then the CEICW will do that in ISA for you

You can also download http://www.microsoft.com/downloads/...23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en which is the admin tool that allows you to remote wipe etc and shows you last sync time etc.

Edit to add if you are using the self signed certificate you will need to put that on the iphone (hope iphone supports that some phone don't) - should be in clientapps\sbscert folder

liquidchild76 · 16 Mar 2010 at 16:25

Here is how I have it set.

For security we are using the iphone configuration utility.

http://www.apple.com/downloads/macosx/apple/application_updates/iphoneconfigurationutility20forwindows.html

On the Firewall I have a Public virtual IP on the outside of the firewall mapped to the internal IP address of our Exchange 2007 server. I have a public DNS entry for public IP with a cert attached to it. I also have firewall policy allowing HTTPS (TCP 443) traffic through on that virtual IP mapping.

I am using Exchange 2007 to host Activesync.

Here are some useful docs I used.

Security Considerations on the Exchange Server -

http://technet.microsoft.com/en-us/library/cc182279.aspx

How to Secure Mobile Devices in Exchange 2007 -

http://searchexchange.techtarget.com/generic/0,295582,sid43_gci1255345,00.html

droyden · 16 Mar 2010 at 20:56

Also, what version of iphone is it? The old/first ones didnt have active sync support.. and were a pain to setup

#Chri5# · 16 Mar 2010 at 22:29

Mark M said:
Everything is ticked: enable user initiated syhchronization, enable uo to date notification and enable notificiations to user specified SMTP addressess.

I believe everything is up to date, the version is 6.5.7226.0. No mention of any service packs.

I've just checked an SBS 2003 box I look after and that reports:

Version 6.5 (Build 7638.2: Service Pack 2).

You should see the SP2 mention against the server in Exchange System Manager (right click the server name > properties).

s0ck · 17 Mar 2010 at 12:53

ruffneck said:
Exchange System Manager > Global Settings > Mobile Services

Right click > properties

He has SBS; this is merely a check box in CEICW to setup, assuming Exchange SP2 is installed

Does OWA over HTTPS work (WAN FQDN)?

What iphone is it?

3G/3GS this is a 5 minute job, even with a self cert.

Mark M · 23 Mar 2010 at 11:24

Right finally got a chance to have another look at this.

The phone is 3G but a newer 3GS will need to be connected in a couple of weeks from another member of staff.

Ive opened port 443 on the router

Ive got the user details and server address from outlook email options

Ive also downloaded and installed the lastest exchange 2003 release from the MS site.

But it still wont verify.

The only thing I can think of which Im not sure if it will be the problem or not is that recently when you try to log on remotely it comes up with a certificate error? Not sure if I should post the link for security reasons? But it basically says:

Code:

There is a problem with this website's security certificate. 
 
   
 The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  

We recommend that you close this webpage and do not continue to this website.  
  Click here to close this webpage.  
  Continue to this website (not recommended).  
     More information

It started doing this when the dns setting was changed from https://mail.domain.com/mail to https://mail.domain.com/remote. Not sure why it was changed but it never did it before.

Whether thats the issue or not, any advice on how to solve it would be appreciated.

Thanks

paradigm · 23 Mar 2010 at 11:32

Have you bought an SSL certificate for the domain you are using?

godaddy.com is pretty darn cheap and should resolve all your certificate problems.

Can you detail what you have in the iPhone settings, what your OWA URL is, and whether OWA from internet explorer works from outside the organization?

Mark M · 23 Mar 2010 at 11:35

I believe we bought one yes, when the server was installed. Sadly the IT company we bought it from have gone out of business and we are looking for a new company but havent found one we feel the service levels match the price tag but thats another story.

Do they need to renewed every year or something?

Im sure it happened when we had an IT guy come in to do a few things with the antivirus, he said he changed the DNS settings of the remote log in address and then the certificate problem came about.

Mark M · 23 Mar 2010 at 11:54

Ok just checked the certificate in the IIS properties and its valid until 08/06/11

Issued to mail.domain.com

Issued by mail.domain.com

The address we log onto is https://mail.domain.com/remote.

Cant see anything obvious but is this even anthing which could affect the Iphone verifying or am I barking up the wrong tree?

malman · 23 Mar 2010 at 12:02

Yes it can cause an issue. Thats a self signed certificate and you need to get it onto the iphone as it dosen't trust the certificate authority (which is you in this case). A copy of it should be in clientapps\sbscert on your sbs server. Get it onto the iphone by what ever means then click on it and it should install. Once installed it should show the activesync https server as trusted and robert should be your mothers brother as they say.

#Chri5# · 23 Mar 2010 at 12:03

That's a self signed certificate then, hence the untrusted errors.

Here's a grab from an SBS 2003 box with a Go Daddy SSL:

As Paradigm says, a GD SSL is £20/year, which make self-signed not worth the agro'.

Mark M · 23 Mar 2010 at 12:15

malman said:
Yes it can cause an issue. Thats a self signed certificate and you need to get it onto the iphone as it dosen't trust the certificate authority (which is you in this case). A copy of it should be in clientapps\sbscert on your sbs server. Get it onto the iphone by what ever means then click on it and it should install. Once installed it should show the activesync https server as trusted and robert should be your mothers brother as they say.

Managed to get the cert on the iphone, good old hotmail lets you send anything!! Still doesnt verify though!

#Chri5# said:
That's a self signed certificate then, hence the untrusted errors.

As Paradigm says, a GD SSL is £20/year, which make self-signed not worth the agro'.

Whats the difference between a selfcert and a GD SSL? Im happy to pay the £20 a year but if self cert wont work why will this?

Thanks

bigredshark · 23 Mar 2010 at 12:23

Mark M said:
Managed to get the cert on the iphone, good old hotmail lets you send anything!! Still doesnt verify though!

Whats the difference between a selfcert and a GD SSL? Im happy to pay the £20 a year but if self cert wont work why will this?

Thanks

Because they're a trusted authority for producing certs while you've just generated one yourself. Hence the client doesn't trust yours because you could have just as easily created one for barclays.co.uk or any other domain, if you get it from a trusted provider then the client is essentially trusting the issuer to have verified you are who you say you are...