Solving iPhone and Exchange 2010/2007 coexistence issues

During my testing of our Exchange 2010 implementation I came across a rather annoying issue – iPhones users with Exchange 2007 mailboxes no longer can connect after moving the client access across to 2010.

So – what is supposed to happen? Well – as iPhone is supposed to implement EAS protocol version 12.1 (i.e. it supports AutoDiscover), it should be redirected to the legacy Exchange 2007 Client Access array. Problem is, it doesn’t work.

Of course not all ActiveSync clients support AutoDiscover and those that implement EAS protocol 12.0 or lower are automatically proxied by the Exchange 2010 Client Access array back to Exchange 2007 client access servers.

This is all explained in more detail (including an acknoledgement not all clients implement EAS protocol 12.1 correctly!) over at the Microsoft Exchange Team blog in their article, Upgrading Exchange ActiveSync to Exchange 2010.

Whilst looking for solutions, I’ve unfortunately only came across verification this is a known issue, with the solution to simply wait for Apple to fix the iPhone. However I have a deadline to meet and getting IT staff to visit hundreds of iPhone users to change EAS settings isn’t an option, it’s not an option to move all those mailboxes at the same time, and we can’t wait for a fix from Apple.

The most simple solution, as it stands – is to force all ActiveSync clients to be proxied. As noted in the MS Exchange Team blog article above, all non-internet facing site mailbox ActiveSync access is proxied anyway, so it will work. And thankfully, the proxying isn’t based on AD sites. It’s simply based on the ExternalURL on the ActiveSync virtual directory – if it’s set to $null on the Client Access servers in the site of the user’s Mailbox it will proxy instead of redirect.

If you want to do this via the Exchange Management Shell – it’s simple – do this for each Internet facing client access server during the switchover:

Get-ActiveSyncVirtualDirectory -Server E2007CA | Set-ActiveSyncVirtualDirectory -ExternalURL:$null

The implication of this is that there will be extra overhead associated with proxying Exchange 2007 ActiveSync users, so this would need to be factored into your plans should you implement my solution.

40 thoughts on “Solving iPhone and Exchange 2010/2007 coexistence issues

  1. My company migrated from 2007 to 2010- since then I am unable to receive my Microsoft email
    On my iPhone or iPad- any suggestions?

    • Point your IT department at this blog post and/or ask them to re-setup the account on your iPhone/iPad. It might be that you just need to login to your Exchange 2010 webmail, note down the web address (e.g. legacy.company.com) and update the settings in “Mail”

      Steve

  2. Pingback: Todays lesson learned–Exchange 2010 upgrade with Active Sync and MobileIron | Ultimate Communications

  3. Hi Steve,

    We just completed moving all mailboxes in one continuous move from 2003 to 2010. Once the mailboxes were moved, iPhone users weren’t able to access their Mail; it’ll validate the settings when they re-create the the profile, but it just tells them ‘unable to connect’ when they use their Mail icon. Both EAS tests and both Outlook test on the MS exchange connectivity site pass. Any suggestions?

  4. I am attempting the redirect and couldn’t make it work. Just to clarify, Exchange 2007 external sites = null, Exchange 2010 external sites = external URL. The bit I am a bit mystified about is what authentication to set on what sites?

    Is it Windows Auth on both Activesync sites in 2007 and 2010, or just Windows Auth on Activesync sites in 2007?

    A little clarification will be awesome as I can finally do the 2010 switchover!

  5. Hey Steve, I am in the middle of a 2010 SP2 deployment into a 2007 SP2 deployment. I do not have the 2010 internet facing yet on the mail.domain.com address but have made a new A record to make it partially internet facing on newmail.domain.com. Both of these servers are in the same AD site.

    I can see that OWA redirection is working perfectly. If a 2007 user goes to newmail.domain.com they get redirected to their 2007 mailbox. If that same user connects via iPhone they get the iPhone cannot connect to server error.

    I have not modified any URL’s yet. Do you think if I set the ExternalURL on the 2007 to $Null that the redirection will work? I tried this with my own iPhone device that is on 5.1 IOS.

    Thanks

  6. So, how about Exchange 2003–>2010?
    iPhones worked fine on 2003, and if you migrate the user to 2010 it works fine on 2010, but nothing we tried (Integrated Windows Authentication) seems to work and I am not sure how to translate the above to 2003 from 2007?

  7. Steve;

    Thanks for being cool and sharing your thoughts in this issue. I have been searching for days for a viable solution and clearly Apple had no idea what I was talking about… The infrastructure team recently made a move from Exchange 2007 to 2010 and as soon as that happened all the iPhones that were moved from from the old exchange to the new one stopped working. In the iPhone device logs we got this:

    Tue Jul 26 10:59:48 ITphone1-iPhone Preferences[109] : EAS|Autodiscover task failed with status 0 and error Error Domain=NSURLErrorDomain Code=-1200 “An SSL error has occurred and a secure connection to the server cannot be made.” UserInfo=0x66f0270 {NSErrorFailingURLStringKey=https://joerns.com/Autodiscover/Autodiscover.xml, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSErrorFailingURLKey=https://joerns.com/Autodiscover/Autodiscover.xml, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSUnderlyingError=0x66b3c80 “An SSL error has occurred and a secure connection to the server cannot be made.”}
    Tue Jul 26 10:59:48 ITphone1-iPhone Preferences[109] : EAS|Autodiscovery encountered an error. Status code 1. Message: No external URL is available to access this mailbox with Exchange ActiveSync. Your Exchange server configuration needs to be adjusted to allow access.

    The phone doesn’t give me an error in the test phase, but when you try to pick up the mail, it gives a “Cannot Get Mail, The connection to the server failed.”

    Do you think your solution will help?

  8. We had a similar issue – our new Exchange 2010 CAS arrays were not yet set up, had no reverse proxy to the Internet and we had no E2010 mailbox servers. But, as soon as I finished setup of the CAS arrays, iPhone and iPad users on Exchange 2007 stopped working with a mixture of authentication issues and unable to connect. One user saw that their iPhone was trying to connect to the new OWA external FQDN that I enterd during Exchange 2010 setup. Outlook Web Access to Exchange 2007 was still working, so were Windows Phone7 and non-iOS devices using Active Sync. Interestingly, iPad and iPhone users in our Internet facing Exchange 2007 site were working. The non-Internet facing site users were affected, but as soon as I went to the new Exchange 2010 servers in the non-Internet facing site and removed the configuration for ExternalURL for the Exchange ActiveSync site, iPhone and iPad 4.3.x worked within a few minutes.
    This article really helped me find this solution – seems obvious now!

  9. Hi Steve,

    Thanks for your reply, the problem we are facing now, is that we kept EAS on Exchange 2007 $null for externalURL, and on Exchange 2010 the externalFQDN for Active Sync, now Exchange 2010 users can connect to Exchange 2010 Server, but when Exchagne 2007 Server users can not use the the same FQDN, it shows that Iphone got connected, but we can not receive or send any email.

    and on my Exchange 2010 CAS, I’m getting below transactions getting logged:

    2011-04-28 09:56:36 10.200.20.30 POST /Microsoft-Server-ActiveSync/default.eas

    User=movetest5&DeviceId=Appl791092M8A4S&DeviceType=iPhone&Cmd=FolderSync&Log=RdirTo:https%3a%2f%2flegacy.domain.com%2fMicrosoft-Server-ActiveSync_LdapC1_Cpo20000_Fet20014_Error:MisconfiguredDevice_Mbx:NDCMSG1.child.domain.com_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f0%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F942134b0-b244-4357-a749-57b7d504df8e%2cNorm_ 443 child.domain.com\movetest5 10.200.3.16 Apple-iPhone3C1/803.148 451 0 0 20014

    2011-04-28 09:56:48 10.200.20.30 OPTIONS /Microsoft-Server-ActiveSync/default.eas

    &Log=PrxTo:ndcmsg1.child.domain.com_LdapC2_LdapL16_Mbx:NDCMSG1.child.domain.com_Dc:ndcdc4.domain.com_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F942134b0-b244-4357-a749-57b7d504df8e%2cNorm%5bResources%3a(DC)ndcdc4.domain.com(Health%3a-1%25%2cHistLoad%3a0)%2c%5d_ 443 child.domain.com\movetest5 10.200.3.16 Apple-iPhone3C1/803.148 200 0 0 78

  10. Hi Steve, as soon we are going to build the co-existence b/w our Exchange 2007 and Exchange 2010 environment, I want to ask that specially for ActievSync, so please correct me if I’m wrong:

    I will change the EXTERNAL URL for EAS on Exchange 2007 (CAS) with legacy.domain.com, and on my Exchange 2010 (CAS) EWS External URL will stay $null, which will allow NON-AUTODISCOVER devices (Iphone specially) to proxied for Exchange 2007 CAS.

    And also tell me, when the above proxing process will occurr, weather it will happen for INTERNAL URL or EXTERNAL URL of Exchange 2007 CAS EAS?

    Zahir

  11. Pingback: How to get info about your ActiveSync, EWS and WebDAV clients before migrating to Exchange 2010 « Steve Goodman's Exchange Blog

  12. Not only during the day but also at night, with lighted tapers, in the harsh winter, they went in a great throng from church to church, prostrating themselves humbly before the altars, preceded by priests with candles and banners

  13. Hi, do you know if its possible to connect iphones to shared mailboxes in exchange 2007? Do we just need to put the owa path to that mailbox in or do we need to do something else.

    eg webmail.company.com/owa/sharedmailbox@company.com

    • Hi John,

      If you want to connect to it natively on the iPhone you need to set a password on the shared mailbox, then enable the mailbox; then setup the connection on the iPhone using the shared mailbox username/password combo.

      Steve

      • thanks for the advice, thats excatly what we ended up doing! was hoping we could do it using the shared mailbox features instead of instead of creating a “user” mailbox

  14. We’re about to start some testing with iPhones and changing over to the legacy namespace. Has there been any confirmation that the redirect works fine with iPhone 4.0 or 4.1 software? Otherwise I’ll force the proxy…. Thanks!

    -Brian

    • I’ve not tested it yet (my bad!).. We’ve seen enough problems with 4.0 and 4.1, that we’re leaving iPhone 3GS and earlier on OS 3 until it’s more stable.

      I’ve been meaning to test it for a while actually though so I’ll leave myself a reminder and update the blog post.

  15. In regards to changing the externalurl to $null. I was reading the TechNet proxying and redirection documentation for Exchange 2010, and there’s a note stating that proxing between virtual directories using basic authentication will not work, it must be Windows Integrated Authentication. Did you find this to be true?

    Thanks

      • I don’t know yet. I would assume so.. But as the rest of the iPhone Activesync stack on 4.0.x is so broken, it’s been the least of my worries!

        I believe there is a load of fixes in 4.1 and if so… That will probably be when we recommend upgrading older models.

        Steve

        • I can confirm that this hasn’t been resolved in 4.2.1.
          Apart from a string of certificate issues (ActiveSync is ridiculously picky when it comes to certs), i still had to run the command listed above for it to work properly on the iPhone.
          Next test is the iPad tomorrow…

Leave a Reply

Your email address will not be published. Required fields are marked *