Configure ActiveSync with a single Exchange server (Exchange sync for an iPhone)

I recently picked up a first-generation iPhone from a friend and after playing around with it for a while I decided that I needed to have my email synchronized on it. For my business I run my BES, Exchange with RPC over HTTPS and ISA on a Server 2003 virtual machine, so my infrastructure was almost ready.

Almost, but not quite. A typical ActiveSync deployment consists of a front-end Exchange server, an ISA server and a second Exchange server. I've only got a single VM (more for convenience than anything else), so I had to make a few changes.

Assumptions

I'm assuming that you've got Exchange and ISA working, either on a single box or two individual servers. You also have a valid SSL certificate and port 443 is open.

Exchange Configuration

Enable ActiveSync

Open the Exchange System Manager (ESM) and expand the Global Settings tree. Right click on Mobile Service, choose Properties and ensure that the ActiveSync options are all checked.

IIS Configuration

These steps are identical to the ones in Microsoft KB 817379 - Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003.

  1. Start Internet Information Services (IIS) Manager.
  2. Locate the Exchange virtual directory. The default location is as follows:
  3. Web Sites\Default Web Site\Exchange
  4. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
  5. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
  6. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
  7. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
  8. Under Select a configuration to import, click Exchange, and then click OK.
  9. A dialog box will appear that states that the "virtual directory already exists."
  10. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type ExchDAV. Click OK.
  11. Right-click the new virtual directory. In this example, click ExchDAV. Click Properties.
  12. Click the Directory Security tab.
  13. Under Authentication and access control, click Edit.
  14. Make sure that only the following authentication methods are enabled, and then click OK:

    • Integrated Windows authentication
    • Basic authentication
  15. On the Directory Security tab, under IP address and domain name restrictions, click Edit.
  16. Click the option for Denied access, click Add, click Single computer and type the IP address of the server that you are configuring, and then click OK.
  17. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
  18. Click OK, and then close the IIS Manager.
  19. Click Start, click Run, type regedit, and then click OK.
  20. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters
  21. Right-click Parameters, point to New, and then click String Value.
  22. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify.
  23. Note: ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the ExchDAV folder.
  24. In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /ExchDAV. Click OK.
  25. Quit Registry Editor.
  26. Restart the IIS Admin service. To do this, follow these steps:
    1. Click Start, click Run, type services.msc, and then click OK.
    2. In the list of services, right-click IIS Admin service, and then click Restart.

ISA Configuration

You'll want to increase the heartbeat to 30 minutes per Microsoft KB 905013 - Enterprise firewall configuration for Exchange ActiveSync Direct Push Technology. If you don't do this you'll receive Event ID 3033 in your Application event log with the message:

The average of the most recent [200] heartbeat intervals used by clients is less than or equal to [540]. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

  1. Open ISA Server Management and click Firewall Policy.
  2. On the Toolbox tab, click Network Objects.
  3. Expand the Web Listeners node, and then view the advanced properties of the applicable Web Listener.
  4. Click the Preferences tab, and then click Advanced.
  5. Modify the Connection Timeout from the default 120 seconds (2 minutes) to 1800 seconds (30 minutes).
  6. Click OK two times to accept these changes.
  7. Click Apply.

The End

That's really all there is to it. If you've got RPC over HTTPS working then your ISA server should be ready to handle traffic on port 443, and you're only a few steps away from ActiveSync glory.

Cisco VPN connections from an iPhone

While there currently isn't any BES-like point of entry for an iPhone to gain access to a corporate network, it's trivial to establish a Cisco IPsec VPN connection.

Getting Started

You'll need the following information:

  • VPN Server
  • User account name
  • User password
  • Group name
  • Group password

You should know your user account name and password and you can obtain the VPN Server, Group name and Group password from your .pcf file. A PCF file typically contains an encrypted password which you can decrypt using my Cisco VPN Password Decryption page. You can also ask your VPN administrator for the plain text password.

Sample PCF File

The VPN server can be found after Host= in the pcf file. Group Name is after GroupName=, Group Password is after enc_GroupPwd= or GroupPwd=. Asterisks added below for emphasis.

[main]
Description=Connect to Company VPN
****Host=your-vpn-server.coreygilmore.com
AuthType=1
****GroupName=accounting
GroupPwd=
****enc_GroupPwd=9196FE0075E359E6A2486905A1EFAE9A11D652B2C588EF3FBA15574237302B74C194EC7D0DD16645CB534D94CE85FEC4
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=CorpDomain
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=1
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0
PeerTimeout=90
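
Because the group password in a PCF file can be recovered, every copy of the file should be treated as carrying the shared secret. The following Python check is an added example, not part of the original post: it parses a profile and reports which credential fields are populated. The function names `parse_pcf` and `audit_pcf` are hypothetical, the sample profile is constructed, and `AuthType=1` is assumed to mean pre-shared-key group authentication.

```python
SAMPLE_PCF = """\
[main]
Description=Connect to Company VPN
****Host=vpn.example.invalid
AuthType=1
****GroupName=accounting
GroupPwd=
****enc_GroupPwd=0123456789ABCDEF0123456789ABCDEF
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
"""  # constructed sample; the enc_GroupPwd value is a placeholder, not a real blob


def parse_pcf(text):
    """Return {lowercased key: value} for a .pcf profile, skipping section headers."""
    fields = {}
    for raw in text.splitlines():
        # Drop emphasis asterisks (as in the sample above) and the '!' read-only prefix.
        line = raw.strip().lstrip("*!")
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def audit_pcf(text):
    """Return (field, finding) tuples for credentials stored in the profile."""
    f = parse_pcf(text)
    group_secret = f.get("grouppwd") or f.get("enc_grouppwd")
    findings = []
    if f.get("grouppwd"):
        findings.append(("GroupPwd", "group password stored in plain text"))
    if f.get("enc_grouppwd"):
        findings.append(("enc_GroupPwd", "group password stored in recoverable form"))
    if f.get("userpassword") or f.get("enc_userpassword"):
        findings.append(("UserPassword", "user password saved in the profile"))
    if f.get("saveuserpassword") == "1":
        findings.append(("SaveUserPassword", "client is allowed to save the user password"))
    # Assumption: AuthType=1 is pre-shared-key (group) authentication.
    if f.get("authtype") == "1" and group_secret:
        findings.append(("AuthType", "shared group secret travels with every copy of the file"))
    return findings


if __name__ == "__main__":
    for field, finding in audit_pcf(SAMPLE_PCF):
        print(f"{field}: {finding}")
```
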

Adding the Connection

From the Home screen on the iPhone open the Settings application. Navigate through General > Network > VPN. Tap Add VPN Configuration and choose IPSec.

Using the information provided to you by your VPN administrator or gleaned from the PCF file, fill out the fields. If you use a SecurID for authentication leave the Password field empty and you will be prompted for it each time you connect. Below is a sample VPN connection configuration:

Connecting

Once the fields are populated and the connection is saved you can connect to your VPN server by opening Settings > VPN and sliding the toggle into the On position.

Bulk delete messages on a BlackBerry

Have you ever received a slew of messages on your BlackBerry, none of which you want or need? One of my BIS accounts receives a moderate amount of spam, all of which is flagged by SpamAssassin with [SPAM] in the subject line. I've tried setting filters at BIS, but they never seem to work. Fortunately there's an easy way to quickly delete all of the offending messages at once.

Step 1 - Searching

From the Mail window open the menu and choose Search. Enter parameters that will find all of the messages you want to delete, and only the messages you want to delete. In my case it's anything with [SPAM] in the subject.

Step 2 - Search Results

Review the search results and make sure they don't contain any messages you do not want to delete. If the results do contain messages you don't want to delete you will need to refine the search parameters to exclude them.

Step 3 - Delete Prior

This is where the magic happens. Select a date heading, open the menu and choose Delete Prior. If a message is highlighted and not a date heading you will not have a Delete Prior option.

In the context of search results, Delete Prior will only delete messages that were found by the search, not everything prior to the date of the first result.

Wait, what about BES users?

No guts, no glory. Go ahead and try it.

If you're more timid, Delete Prior only removes messages from the handheld, not the desktop. I've never tested this with any of the bi-directional sync BIS email options like Gmail or Yahoo, so if you're using one of those services you should test first.

Confirm that you want to delete the messages and after a moment you'll see that all of the messages have been deleted and you're free of spam, printer notices or emails from Wiskus. Let's see your iPhone do this!