Solving iPhone and Exchange 2010/2007 coexistence issues
During my testing of our Exchange 2010 implementation I came across a rather annoying issue - iPhone users with Exchange 2007 mailboxes can no longer connect after moving the client access across to 2010.
So - what is supposed to happen? Well - as iPhone is supposed to implement EAS protocol version 12.1 (i.e. it supports AutoDiscover), it should be redirected to the legacy Exchange 2007 Client Access array. Problem is, it doesn't work.
Of course not all ActiveSync clients support AutoDiscover and those that implement EAS protocol 12.0 or lower are automatically proxied by the Exchange 2010 Client Access array back to Exchange 2007 client access servers.
This is all explained in more detail (including an acknowledgement that not all clients implement EAS protocol 12.1 correctly!) over at the Microsoft Exchange Team blog in their article, Upgrading Exchange ActiveSync to Exchange 2010.
Whilst looking for solutions, I've unfortunately only come across verification that this is a known issue, with the solution being simply to wait for Apple to fix the iPhone. However, I have a deadline to meet and getting IT staff to visit hundreds of iPhone users to change EAS settings isn't an option, it's not an option to move all those mailboxes at the same time, and we can't wait for a fix from Apple.
The simplest solution, as it stands, is to force all ActiveSync clients to be proxied. As noted in the MS Exchange Team blog article above, all ActiveSync access to mailboxes in non-Internet-facing sites is proxied anyway, so it will work. And thankfully, the proxying isn't based on AD sites. It's simply based on the ExternalURL on the ActiveSync virtual directory: if it's set to $null on the Client Access servers in the site of the user's mailbox, the Exchange 2010 Client Access array will proxy instead of redirect.
If you want to do this via the Exchange Management Shell - it's simple - do this for each Internet facing client access server during the switchover:
Get-ActiveSyncVirtualDirectory -Server E2007CA | Set-ActiveSyncVirtualDirectory -ExternalURL:$null
The implication of this is that there will be extra overhead associated with proxying Exchange 2007 ActiveSync users, so this would need to be factored into your plans should you implement my solution.
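The following is an added example, not part of the original post: it wraps the command above so the current ExternalUrl values are recorded before they are cleared, the change can be previewed with -WhatIf, and it can be reversed later. The function names and the backup file path are hypothetical; E2007CA is the server name used in the post.

```powershell
# Added example (not the author's code). Run in the Exchange Management Shell.
$LegacyCas  = @('E2007CA')                    # legacy CAS names; E2007CA is from the post
$BackupPath = '.\eas-externalurl-backup.csv'  # hypothetical backup file location

# Record Identity and ExternalUrl of every ActiveSync virtual directory
# on the listed servers so the original values are not lost.
function Backup-EasExternalUrl {
    param([string[]]$Server, [string]$Path)
    $Server | ForEach-Object { Get-ActiveSyncVirtualDirectory -Server $_ } |
        Select-Object @{ n = 'Identity';    e = { [string]$_.Identity } },
                      @{ n = 'ExternalUrl'; e = { [string]$_.ExternalUrl } } |
        Export-Csv -Path $Path -NoTypeInformation
}

# Clear ExternalUrl where one is set. Without -Apply this is a dry run:
# Set-ActiveSyncVirtualDirectory is called with -WhatIf and changes nothing.
function Clear-EasExternalUrl {
    param([string[]]$Server, [switch]$Apply)
    foreach ($s in $Server) {
        Get-ActiveSyncVirtualDirectory -Server $s |
            Where-Object { $_.ExternalUrl } |
            Set-ActiveSyncVirtualDirectory -ExternalUrl:$null -WhatIf:(-not $Apply)
    }
}

# Put back the values recorded by Backup-EasExternalUrl.
# Rows whose ExternalUrl was already empty are skipped.
function Restore-EasExternalUrl {
    param([string]$Path)
    Import-Csv -Path $Path |
        Where-Object { $_.ExternalUrl } |
        ForEach-Object {
            Set-ActiveSyncVirtualDirectory -Identity $_.Identity -ExternalUrl $_.ExternalUrl
        }
}

Backup-EasExternalUrl -Server $LegacyCas -Path $BackupPath
Clear-EasExternalUrl  -Server $LegacyCas            # preview only
# Clear-EasExternalUrl  -Server $LegacyCas -Apply   # make the change
# Restore-EasExternalUrl -Path $BackupPath          # roll back

# Confirm the resulting state of each virtual directory.
$LegacyCas | ForEach-Object { Get-ActiveSyncVirtualDirectory -Server $_ } |
    Format-List Identity, ExternalUrl
```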
March 16th, 2010 - 02:10
Awesome! Saved me a bunch of time researching the answer when yours was top of the list in Google!!
April 10th, 2010 - 01:53
Hey Steve the word is this is fixed in iPhone 4.0 (finally!).
April 12th, 2010 - 19:45
Fantastic news – I was hoping that was the case. Do you have a source?
August 31st, 2010 - 15:59
So, this is fixed with 4.0?
August 31st, 2010 - 16:07
I don’t know yet. I would assume so. But as the rest of the iPhone ActiveSync stack on 4.0.x is so broken, it’s been the least of my worries!
I believe there is a load of fixes in 4.1 and if so… That will probably be when we recommend upgrading older models.
Steve
August 31st, 2010 - 16:02
In regards to changing the externalurl to $null: I was reading the TechNet proxying and redirection documentation for Exchange 2010, and there’s a note stating that proxying between virtual directories using basic authentication will not work; it must be Windows Integrated Authentication. Did you find this to be true?
Thanks
August 31st, 2010 - 16:12
Yes I do.
IIRC, it’s because Kerberos delegation is used to authenticate between IIS>IIS.
Steve