Solving iPhone and Exchange 2010/2007 coexistence issues
During my testing of our Exchange 2010 implementation I came across a rather annoying issue - iPhone users with Exchange 2007 mailboxes can no longer connect after moving the client access across to 2010.
So - what is supposed to happen? Well - as iPhone is supposed to implement EAS protocol version 12.1 (i.e. it supports AutoDiscover), it should be redirected to the legacy Exchange 2007 Client Access array. Problem is, it doesn't work.
Of course not all ActiveSync clients support AutoDiscover and those that implement EAS protocol 12.0 or lower are automatically proxied by the Exchange 2010 Client Access array back to Exchange 2007 client access servers.
This is all explained in more detail (including an acknowledgement that not all clients implement EAS protocol 12.1 correctly!) over at the Microsoft Exchange Team blog in their article, Upgrading Exchange ActiveSync to Exchange 2010.
Whilst looking for solutions, I've unfortunately only come across verification that this is a known issue, with the solution being simply to wait for Apple to fix the iPhone. However, I have a deadline to meet: getting IT staff to visit hundreds of iPhone users to change EAS settings isn't an option, it's not an option to move all those mailboxes at the same time, and we can't wait for a fix from Apple.
The simplest solution, as it stands, is to force all ActiveSync clients to be proxied. As noted in the MS Exchange Team blog article above, ActiveSync access to mailboxes in non-Internet facing sites is proxied anyway, so it will work. And thankfully, the proxying isn't based on AD sites. It's simply based on the ExternalURL on the ActiveSync virtual directory - if it's set to $null on the Client Access servers in the site of the user's mailbox, Exchange 2010 will proxy instead of redirect.
If you want to do this via the Exchange Management Shell - it's simple - do this for each Internet facing client access server during the switchover:
Get-ActiveSyncVirtualDirectory -Server E2007CA | Set-ActiveSyncVirtualDirectory -ExternalURL:$null
The implication of this is that there will be extra overhead associated with proxying Exchange 2007 ActiveSync users, so this would need to be factored into your plans should you implement my solution.
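A pre-change check for the approach above, as an added example for the Exchange Management Shell (not code from the original post): it reports which ActiveSync virtual directories publish an ExternalUrl, saves the current value for rollback, and previews the change with -WhatIf. `E2007CA` is the post's server name and the backup file name is an assumption; the authentication columns are there because the comments below cite a TechNet note that proxying needs Integrated Windows authentication.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$legacyCas = 'E2007CA'                           # server name used in the post
$backup    = ".\eas-externalurl-$legacyCas.csv"  # hypothetical backup file

# 1. Report every Client Access server. Per the post, a populated ExternalUrl
#    means clients with mailboxes in that site are redirected; $null means proxy.
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer } | ForEach-Object {
    $cas = $_
    Get-ActiveSyncVirtualDirectory -Server $cas.Name | ForEach-Object {
        $mode = if ($_.ExternalUrl) { 'redirect' } else { 'proxy' }
        New-Object PSObject -Property @{
            Server      = $cas.Name
            Version     = $cas.AdminDisplayVersion
            Mode        = $mode
            ExternalUrl = $_.ExternalUrl
            BasicAuth   = $_.BasicAuthEnabled
            WindowsAuth = $_.WindowsAuthEnabled
        }
    }
} | Format-Table Server, Version, Mode, ExternalUrl, BasicAuth, WindowsAuth -AutoSize

# 2. Save the current value so the URL can be restored after the switchover.
$vdirs = @(Get-ActiveSyncVirtualDirectory -Server $legacyCas)
$vdirs | Select-Object Identity, ExternalUrl | Export-Csv $backup -NoTypeInformation

# 3. Flag directories without Integrated Windows authentication before proxying.
$vdirs | Where-Object { -not $_.WindowsAuthEnabled } | ForEach-Object {
    Write-Warning "$($_.Identity): WindowsAuthEnabled is False"
}

# 4. Preview the change from the post; remove -WhatIf to apply it.
$vdirs | Set-ActiveSyncVirtualDirectory -ExternalUrl $null -WhatIf
```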
March 16th, 2010 - 02:10
Awesome! Saved me a bunch of time researching the answer when yours was top of the list in Google!!
April 10th, 2010 - 01:53
Hey Steve the word is this is fixed in iPhone 4.0 (finally!).
April 12th, 2010 - 19:45
Fantastic news – I was hoping that was the case. Do you have a source?
August 31st, 2010 - 15:59
So, this is fixed with 4.0?
August 31st, 2010 - 16:07
I don’t know yet. I would assume so.. But as the rest of the iPhone ActiveSync stack on 4.0.x is so broken, it’s been the least of my worries!
I believe there is a load of fixes in 4.1 and if so… That will probably be when we recommend upgrading older models.
Steve
January 26th, 2011 - 14:17
I can confirm that this hasn’t been resolved in 4.2.1.
Apart from a string of certificate issues (ActiveSync is ridiculously picky when it comes to certs), I still had to run the command listed above for it to work properly on the iPhone.
Next test is the iPad tomorrow…
January 26th, 2011 - 22:38
Oh, that’s not great news. From testing iPads myself, I don’t hold up much hope for it to be any better – but good luck
Steve
August 31st, 2010 - 16:02
In regards to changing the externalurl to $null. I was reading the TechNet proxying and redirection documentation for Exchange 2010, and there’s a note stating that proxying between virtual directories using basic authentication will not work, it must be Windows Integrated Authentication. Did you find this to be true?
Thanks
August 31st, 2010 - 16:12
Yes I do.
IIRC, it’s because Kerberos delegation is used to authenticate between IIS>IIS.
Steve
October 18th, 2010 - 18:14
We’re about to start some testing with iPhones and changing over to the legacy namespace. Has there been any confirmation that the redirect works fine with iPhone 4.0 or 4.1 software? Otherwise I’ll force the proxy…. Thanks!
-Brian
October 18th, 2010 - 23:34
I’ve not tested it yet (my bad!).. We’ve seen enough problems with 4.0 and 4.1, that we’re leaving iPhone 3GS and earlier on OS 3 until it’s more stable.
I’ve been meaning to test it for a while actually though so I’ll leave myself a reminder and update the blog post.
December 9th, 2010 - 11:44
Hi, do you know if it’s possible to connect iPhones to shared mailboxes in Exchange 2007? Do we just need to put the OWA path to that mailbox in or do we need to do something else?
eg webmail.company.com/owa/sharedmailbox@company.com
December 9th, 2010 - 13:18
Hi John,
If you want to connect to it natively on the iPhone you need to set a password on the shared mailbox, then enable the mailbox; then setup the connection on the iPhone using the shared mailbox username/password combo.
Steve
December 9th, 2010 - 13:37
Thanks for the advice, that’s exactly what we ended up doing! Was hoping we could do it using the shared mailbox features instead of creating a “user” mailbox
December 9th, 2010 - 13:50
Hi Jon,
Yeah it isn’t a great solution but as the ActiveSync protocol doesn’t support delegate access (as far as I know) it’s the best solution.
Steve
April 13th, 2011 - 08:50
Hi Steve, as we are soon going to build the co-existence b/w our Exchange 2007 and Exchange 2010 environment, I want to ask specifically about ActiveSync, so please correct me if I’m wrong:
I will change the EXTERNAL URL for EAS on Exchange 2007 (CAS) with legacy.domain.com, and on my Exchange 2010 (CAS) EWS External URL will stay $null, which will allow NON-AUTODISCOVER devices (iPhone specially) to be proxied for Exchange 2007 CAS.
And also tell me, when the above proxying process occurs, whether it will happen for INTERNAL URL or EXTERNAL URL of Exchange 2007 CAS EAS?
Zahir
April 26th, 2011 - 19:19
I would suggest moving the namespace to Exchange 2010 then setting the ExternalURL on Exchange 2007 EWS to $null to force proxying
Steve
April 28th, 2011 - 11:19
Hi Steve,
Thanks for your reply, the problem we are facing now is that we kept EAS on Exchange 2007 $null for externalURL, and on Exchange 2010 the externalFQDN for ActiveSync. Now Exchange 2010 users can connect to Exchange 2010 Server, but Exchange 2007 Server users can not use the same FQDN; it shows that the iPhone got connected, but we can not receive or send any email.
And on my Exchange 2010 CAS, I’m getting the below transactions logged:
2011-04-28 09:56:36 10.200.20.30 POST /Microsoft-Server-ActiveSync/default.eas
User=movetest5&DeviceId=Appl791092M8A4S&DeviceType=iPhone&Cmd=FolderSync&Log=RdirTo:https%3a%2f%2flegacy.domain.com%2fMicrosoft-Server-ActiveSync_LdapC1_Cpo20000_Fet20014_Error:MisconfiguredDevice_Mbx:NDCMSG1.child.domain.com_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f0%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F942134b0-b244-4357-a749-57b7d504df8e%2cNorm_ 443 child.domain.com\movetest5 10.200.3.16 Apple-iPhone3C1/803.148 451 0 0 20014
2011-04-28 09:56:48 10.200.20.30 OPTIONS /Microsoft-Server-ActiveSync/default.eas
&Log=PrxTo:ndcmsg1.child.domain.com_LdapC2_LdapL16_Mbx:NDCMSG1.child.domain.com_Dc:ndcdc4.domain.com_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F942134b0-b244-4357-a749-57b7d504df8e%2cNorm%5bResources%3a(DC)ndcdc4.domain.com(Health%3a-1%25%2cHistLoad%3a0)%2c%5d_ 443 child.domain.com\movetest5 10.200.3.16 Apple-iPhone3C1/803.148 200 0 0 78
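The two IIS log entries in the comment above differ in the routing marker written into the query string: `RdirTo:` with HTTP 451 on the first, `PrxTo:` with HTTP 200 on the second. As an added example (not part of the comment or the original post), this PowerShell function pulls those markers out of IIS log lines so that redirected devices can be listed; the field positions are assumed to match the lines shown, and the sample lines are abridged copies of them.

```powershell
# Added example. Sample lines are constructed: abridged from the comment above.
$sample = @(
    '2011-04-28 09:56:36 10.200.20.30 POST /Microsoft-Server-ActiveSync/default.eas User=movetest5&DeviceId=Appl791092M8A4S&DeviceType=iPhone&Cmd=FolderSync&Log=RdirTo:https%3a%2f%2flegacy.domain.com%2fMicrosoft-Server-ActiveSync_LdapC1_Error:MisconfiguredDevice_Mbx:NDCMSG1.child.domain.com_ 443 child.domain.com\movetest5 10.200.3.16 Apple-iPhone3C1/803.148 451 0 0 20014',
    '2011-04-28 09:56:48 10.200.20.30 OPTIONS /Microsoft-Server-ActiveSync/default.eas &Log=PrxTo:ndcmsg1.child.domain.com_LdapC2_Mbx:NDCMSG1.child.domain.com_ 443 child.domain.com\movetest5 10.200.3.16 Apple-iPhone3C1/803.148 200 0 0 78'
)

function Get-EasRouting {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match '^#') { continue }        # skip W3C header lines
        $f = $l -split ' '
        if ($f.Count -lt 14) { continue }       # not the 14-field layout assumed here
        $query  = $f[5]                         # cs-uri-query
        $action = 'none'
        $target = $null
        if ($query -match '(RdirTo|PrxTo):([^_&]+)') {
            $action = if ($Matches[1] -eq 'RdirTo') { 'redirect' } else { 'proxy' }
            $target = [uri]::UnescapeDataString($Matches[2])
        }
        $easError = if ($query -match 'Error:([^_&]+)') { $Matches[1] } else { $null }
        New-Object PSObject -Property @{
            Time     = "$($f[0]) $($f[1])"
            User     = $f[7]                    # cs-username
            Agent    = $f[9]                    # cs(User-Agent)
            Status   = [int]$f[10]              # sc-status
            Action   = $action
            Target   = $target
            EasError = $easError
        }
    }
}

# Devices that were redirected rather than proxied
Get-EasRouting $sample | Where-Object { $_.Action -eq 'redirect' } |
    Format-Table Time, User, Agent, Status, Target, EasError -AutoSize
```

For a real log, pass `(Get-Content <path to the IIS log file>)` instead of `$sample`.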
May 5th, 2011 - 11:51
We had a similar issue – our new Exchange 2010 CAS arrays were not yet set up, had no reverse proxy to the Internet and we had no E2010 mailbox servers. But, as soon as I finished setup of the CAS arrays, iPhone and iPad users on Exchange 2007 stopped working with a mixture of authentication issues and unable to connect. One user saw that their iPhone was trying to connect to the new OWA external FQDN that I entered during Exchange 2010 setup. Outlook Web Access to Exchange 2007 was still working, so were Windows Phone7 and non-iOS devices using Active Sync. Interestingly, iPad and iPhone users in our Internet facing Exchange 2007 site were working. The non-Internet facing site users were affected, but as soon as I went to the new Exchange 2010 servers in the non-Internet facing site and removed the configuration for ExternalURL for the Exchange ActiveSync site, iPhone and iPad 4.3.x worked within a few minutes.
This article really helped me find this solution – seems obvious now!
July 27th, 2011 - 15:37
Steve;
Thanks for being cool and sharing your thoughts in this issue. I have been searching for days for a viable solution and clearly Apple had no idea what I was talking about… The infrastructure team recently made a move from Exchange 2007 to 2010 and as soon as that happened all the iPhones that were moved from the old Exchange to the new one stopped working. In the iPhone device logs we got this:
Tue Jul 26 10:59:48 ITphone1-iPhone Preferences[109] : EAS|Autodiscover task failed with status 0 and error Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo=0x66f0270 {NSErrorFailingURLStringKey=https://joerns.com/Autodiscover/Autodiscover.xml, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://joerns.com/Autodiscover/Autodiscover.xml, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSUnderlyingError=0x66b3c80 “An SSL error has occurred and a secure connection to the server cannot be made.”}
Tue Jul 26 10:59:48 ITphone1-iPhone Preferences[109] : EAS|Autodiscovery encountered an error. Status code 1. Message: No external URL is available to access this mailbox with Exchange ActiveSync. Your Exchange server configuration needs to be adjusted to allow access.
The phone doesn’t give me an error in the test phase, but when you try to pick up the mail, it gives a “Cannot Get Mail, The connection to the server failed.”
Do you think your solution will help?
July 27th, 2011 - 15:51
Oh it’s affecting iPhones running 4.3.5, 4.2.10 (Verizon iPhone) and iOS5 b4 (we have a couple of developer iPhones)…
November 4th, 2011 - 09:22
So, how about Exchange 2003–>2010?
iPhones worked fine on 2003, and if you migrate the user to 2010 it works fine on 2010, but nothing we tried (Integrated Windows Authentication) seems to work and I am not sure how to translate the above to 2003 from 2007?
November 22nd, 2011 - 16:20
The 5.0 iPhone software doesn’t work with Exchange 2010 either. Any ideas?
November 30th, 2011 - 23:28
Hiya,
By doesn’t work, do you mean the co-existence issues still remain?
Steve