Friday 19 March 2010

Exchange ActiveSync and the iPhone: Problems Connecting (solved)

I think I have just about tried every trick in the book to get these iPhones connected to my client's SBS 2003 server... from deleting the Virtual Servers in Exchange Admin, removing them from the IIS MetaBase, DS2MB and letting SBS recreate them, checking through all the authentication and access settings, testing SSL, checking User-level ActiveSync settings/Outlook Mobile Access and Global-level ActiveSync/OMA settings...

Up for a breather... and ... every time I ran IISRESET it would hang on HTTP SSL service - HTTP Filter.. so then there's no way that IISADMIN would restart... and then IIS is down because W3SVC won't come back up... so it meant a reboot every time...

[One of the problems on the SBS was that 2 updates had failed... .NET 2.0 SP2 (KB976569) was failing over and over - it appeared to take hours (14 hours - I tried to cancel the update and reboot the server - I should have made sure the Update was stopped before rebooting - since I was working on a server 200 miles away I had to wait till the client came in to find the server stuck on shutdown before I could get access again.) - after some investigation into the log files I found it failed because IISADMIN did not restart when asked. The other update was an Intelligent Message Filter for Exchange 2003 SP2 update from Feb 2010 (KB907747). Neither told me why they failed. Both failed due to IISADMIN not restarting (due to HTTP SSL not stopping)... I had to disable IISADMIN, reboot, install the updates, re-enable IISADMIN, reboot. And try to figure out why HTTP SSL was not stopping in a timely fashion.]

So my main focus became digging around in IIS... making sure the OWA and OMA applications in Default Website were attached to the correct ApplicationPool, ExchangeApplicationPool or the ExchangeMobile one...

Errors 3005 3007 for ActiveSync... really just tell me something's up... maybe a timeout... maybe the server is overloaded... but for a big server like that with a handful of users ... hardly likely... must be a setting somewhere... Number of concurrent connections .. in Performance on Default Website properties... that did something.

Check the log files under C:\Windows\System32\LogFiles\HTTPerr and ..\W3SVC1 - go to the end of each file and look for PROPFIND and POST and GET statements from ActiveSync... go to the end of each line and check if you get 409, 207, 403 ... if you're not getting a nice round number like 200, 400 etc then something's up... and it's another pointer in some direction...
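To save scrolling to the end of each file by hand, the same check can be scripted against a copy of the log. This is an added example, not part of the original post: it reads the `#Fields:` header to locate the status column, keeps only the most recent records, and tallies method/status pairs for ActiveSync traffic. The sample log is constructed, and matching on the string `Microsoft-Server-ActiveSync` anywhere in the line is an assumption.

```python
from collections import Counter, deque

# Assumption: this string shows up in the URI or User-Agent of ActiveSync traffic.
MARKER = "microsoft-server-activesync"

# Constructed sample in IIS W3C extended format; not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-03-19 09:01:02 POST /Microsoft-Server-ActiveSync user1 192.0.2.10 Apple-iPhone/704.11 200 0 0
2010-03-19 09:01:03 PROPFIND /exchange/user1/Inbox user1 127.0.0.1 Microsoft-Server-ActiveSync/6.5 207 0 0
2010-03-19 09:01:05 POST /Microsoft-Server-ActiveSync user1 192.0.2.10 Apple-iPhone/704.11 403 0 0
2010-03-19 09:01:09 GET /exchange/user1/ user1 192.0.2.44 Mozilla/4.0 200 0 0
2010-03-19 09:02:00 POST /Microsoft-Server-ActiveSync user1 192.0.2.10 Apple-iPhone/704.11 200 0 0
2010-03-19 09:02:01 POST /Microsoft-Server-Act
"""

def parse_w3c(lines):
    """Yield one dict per request, using whichever #Fields header is in force."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header is rewritten after restarts
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or partial lines
                yield dict(zip(fields, values))

def activesync_status(lines, tail=200):
    """Count (method, status) pairs for ActiveSync among the last `tail` records."""
    counts = Counter()
    for rec in deque(parse_w3c(lines), maxlen=tail):
        status = rec.get("sc-status", "")
        if MARKER in " ".join(rec.values()).lower() and status.isdigit():
            counts[(rec.get("cs-method", "-"), int(status))] += 1
    return counts

def not_round(counts):
    """Pairs whose status is not a 'round number' like 200 or 400."""
    return sorted(key for key in counts if key[1] % 100 != 0)

if __name__ == "__main__":
    tally = activesync_status(SAMPLE_LOG.splitlines())
    for (method, status), n in sorted(tally.items()):
        print(f"{method:9} {status} x{n}")
    print("not round:", not_round(tally))
```

For a real file, pass an open file object instead of `SAMPLE_LOG.splitlines()`.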

You can view which devices have connected by connecting and visiting (using any browser):
https://mail.mydomain.com/exchange//NON_IPM_SUBTREE/Microsoft-Server-ActiveSync

Having fixed a few glitches here and there... and having been up all night and day... mostly waiting for reboots... something was holding HTTP open... and slowing this process down.. people don't reboot every time they make a change to IIS? duh....

I started to run combinations of the installed programs through Google... and there .. lo and behold ...

Antivirus... AVG ... You should not install AVG Online Shield, AVG Firewall and Email Scanner on a Windows Server running Exchange (and definitely not Exchange ActiveSync)

The Online Shield scans HTTP and HTTPS traffic - it has a hook into the HTTP SSL/HTTP Filter service ... and was not specified as a DependsOnService (or vice versa...) so there's no call to it to stop and start... HTTP SSL sits and waits for AVG Online Shield to stop using it ... but that won't happen...

AVG Email Scanner just adds another layer around POP3 and SMTP ... with it scanning ports 25 and 110 on a machine with Exchange running... adds another layer in the timeout values possibly...

Once Online Shield and Email Scanner were switched off ... IISRESET worked without rebooting .. what a joy ... I did it several times over and over ...

An hour or two later the client texted me to say his iPhone was getting emails ... marvellous...

These websites were helpful:
Henrik Walther's in-depth Chapter 5 from his book "Securing Exchange Server 2003 & Outlook Web Access" - perfect for understanding the nitty-gritty bits of Exchange HTTP Virtual Folders etc...

AVG - What AVG components are not designed for server operating systems?

Microsoft's Exchange ActiveSync Test Website:

Microsoft Exchange ActiveSync Administration Tool ... a tool that you can use to delete old devices from ActiveSync Administration Tool... I should let my client know about it since his old iPhone that he replaced in December is still in the system.
Microsoft Exchange ActiveSync Certificate-Based Authentication Tool:

GoDaddy SSL Certificates - works well with most PDAs, iPhone, Windows Mobile, Android and Exchange ActiveSync - also quite cheap at the moment for secure authentication...

If anyone still needs help ... leave a comment...

2 comments:

  1. Simply... you're great!!! I was fighting with this problem for a long time and you solved it for me :)
    Thank you very much!
    Greetings from Italy

    Gian Luigi Scarpa

  2. I am glad it helped
    Molto bene!

    Oliver
