Exchange 2003/2010 ActiveSync Coexistence – Lesson Learned

When wearing my consultant cap, I usually deal with relatively large Exchange environments consisting of multiple Exchange servers. But occasionally, I face scenarios where I need to upgrade a single Exchange 2003 server to one or multiple Exchange 2010 servers.

Although the Exchange 2010 library on TechNet, the MSExchangeTeam blog and the Exchange Deployment Assistant contain great information on how to approach an upgrade from Exchange 2003 to Exchange 2010, sometimes minor but important details are missing.

So recently I had to upgrade a single Exchange 2003 server to an Exchange 2010 HA solution consisting of two Exchange 2010 servers. Outlook Web Access (OWA) and Exchange ActiveSync (EAS) were published to the Internet using ISA 2006 SP1.

So one of the first steps after deploying and configuring the Exchange 2010 solution is to point client access to the Exchange 2010 CAS server/array. After having created the necessary ISA web publishing rules and redirected users to Exchange 2010, OWA worked just fine, but ActiveSync didn’t.

Note: This specific customer did not allow Outlook Anywhere access to the Exchange environment.

The ActiveSync devices failed to synchronize and I saw this error in the ISA 2006 log:

[Image: screenshot of the error in the ISA 2006 log]

In the IIS logs on the Exchange 2010 servers, I found a similar 403 forbidden error:

2011-05-12 19:08:04 10.0.17.26 POST /Microsoft-Server-ActiveSync/default.eas User=xhew2003&DeviceId=Appl82032Y1GA4T&DeviceType=iPhone&Cmd=Ping&Log=PrxTo:2003server.domain.local_LdapC1_LdapL15_Mbx:2003server.domain.local_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f0%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5Fe69db907-a20c-4167-a55a-c60f56e17cc2%2cNorm_ 443 domain\xhew2003 10.0.17.10 Apple-iPhone3C1/806.190 403 0 0 15

So Exchange 2010 accepted the ActiveSync connection, but when it tried to proxy to Exchange 2003, the Exchange 2003 server denied the requests with a 403 forbidden error. But why? I had of course done the following to prepare Exchange 2003 ActiveSync for the coexistence:

  • Enabled integrated authentication on the Microsoft-Server-ActiveSync vdir using the Exchange System Manager
  • Installed this hotfix
  • Also verified that the msExchAuthenticationFlags attribute on the Microsoft-Server-ActiveSync had a value of “6”

For a moment I was blank. Since I’ve had this working several times in larger environments, I started to think about what is different with regard to ActiveSync in large versus small environments. And then, while looking at the conceptual diagram in this post by Ross Smith, it finally struck me. Exchange 2010 will proxy the request to Exchange 2003 using HTTP, not HTTPS. Doh!

I quickly disabled the SSL requirement on the Microsoft-Server-ActiveSync vdir on the Exchange 2003 server, followed by an IIS reset, and voilà, things started working.

If the customer had had an Exchange 2003 front-end and back-end topology in place, the issue would never have occurred.
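The log triage described above can be scripted. The following is an added example, not part of the original post: it parses IIS W3C log lines and counts 403 responses on proxied ActiveSync requests per PrxTo target and user. The default field order is assumed from the entry quoted above, and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Field order of the entry quoted in the post (an assumption; a real log
# declares its order in a "#Fields:" header, which parse() honours).
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()
EAS = "/microsoft-server-activesync"
# "PrxTo:<host>_" inside the Log= diagnostics names the proxy target.
PRX_TO = re.compile(r"PrxTo:([^_]+)_")

def parse(lines):
    """Yield one dict per W3C log entry, skipping comments and short rows."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def failed_proxy_targets(lines, status="403"):
    """Count proxied EAS requests ending in `status`, by (target, user)."""
    hits = Counter()
    for e in parse(lines):
        stem = e.get("cs-uri-stem", "").lower()
        if not stem.startswith(EAS) or e.get("sc-status") != status:
            continue
        log = parse_qs(e.get("cs-uri-query", "")).get("Log", [""])[0]
        m = PRX_TO.search(log)
        if m:
            hits[(m.group(1).lower(), e.get("cs-username", "-").lower())] += 1
    return hits

# Constructed sample, shortened from the entry in the post.
SAMPLE = r"""#Software: constructed sample
2011-05-12 19:08:04 10.0.17.26 POST /Microsoft-Server-ActiveSync/default.eas User=xhew2003&Cmd=Ping&Log=PrxTo:2003server.domain.local_LdapC1_ 443 domain\xhew2003 10.0.17.10 Apple-iPhone3C1/806.190 403 0 0 15
2011-05-12 19:08:09 10.0.17.26 POST /Microsoft-Server-ActiveSync/default.eas User=xhew2003&Cmd=Sync&Log=PrxTo:2003server.domain.local_LdapC1_ 443 domain\xhew2003 10.0.17.10 Apple-iPhone3C1/806.190 403 0 0 12
2011-05-12 19:08:11 10.0.17.26 POST /Microsoft-Server-ActiveSync/default.eas User=user2010&Cmd=Sync&Log=LdapC1_ 443 domain\user2010 10.0.17.10 Apple-iPhone3C1/806.190 200 0 0 31
2011-05-12 19:08:15 10.0.17.26 GET /owa/ - 443 domain\xhew2003 10.0.17.10 Mozilla/5.0 200 0 0 8
""".splitlines()

if __name__ == "__main__":
    for (target, user), n in failed_proxy_targets(SAMPLE).items():
        print(f"{n} x 403 proxied to {target} for {user}")
```

When every 403 groups under a single legacy PrxTo target while non-proxied users sync fine, the refusal is coming from the proxied hop rather than from ISA or the CAS itself. IIS reports a request refused because the vdir requires SSL as 403.4.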

Lesson learned…

Until later,

Henrik Walther
Technology Architect/Writer/MS Vendor
MCM: Exchange 2007 | MVP: Exchange Architecture

