All posts tagged activesync

The Exchange 2013 alphabet: ActiveSync

We will start this Exchange alphabet blog series with ActiveSync.

Using ActiveSync you can synchronize your mailbox content with mobile devices that support ActiveSync. The ActiveSync feature was originally introduced in Exchange 2000 alongside Outlook Mobile Access (OMA). OMA was gone for a while and was reintroduced with Exchange 2010 SP2, but it is no longer included with Exchange 2013.

But what is the advantage of ActiveSync compared to other protocols that can be used to sync the content of your mailbox? ActiveSync can apply policies to mobile devices, which include but are not limited to: requiring a PIN to unlock the phone, disabling features of the phone, requiring encryption of storage cards, etc. We will have a look at these options and how to configure them later in this article.

How it works

Let’s start by having a look at how ActiveSync works.

ActiveSync uses Direct Push to keep the mobile device up to date over the wireless or cellular connection. The Direct Push feature is enabled by default in Exchange 2013. When a mobile device is configured to use ActiveSync and supports Direct Push, it issues a long-lived HTTPS request to the Exchange server. In the TechNet documentation for Exchange this is sometimes called a PING. With this request the device asks the server to send a notification when items change in any folder the device is configured to sync. The request is kept open for 15 minutes by default; this period is called the heartbeat interval.

If no items have changed after these 15 minutes, the server sends an HTTP 200 OK to the device. When the device receives this response it wakes up and issues another long-lived HTTPS request, which restarts the process.

But what happens if a change is detected in the mailbox within the 15-minute timespan, for example when a new mail is received? In this case the server responds to the mobile device that there is a new item and provides the name of the folder in which the item resides. Once the mobile device has received this response it issues a synchronization request for that specific folder. When the synchronization has completed the mobile device issues a new PING request and the long-lived HTTPS request process restarts.

The same applies to items that have changed in the mailbox. Now that we know how ActiveSync works, let’s have a look at the requirements for the network infrastructure.

To make the ActiveSync feature available to end users you will need to open port 443 on your firewall. In most cases you won’t publish Exchange directly to the internet, so traffic will first arrive at a reverse proxy and then be forwarded to the Exchange server.

But what about the long-lived HTTPS session: does that require any changes to the network infrastructure? Ideally you would change the idle time-out of your firewall from 15 minutes to 30 minutes. But what if your firewall or the mobile service provider doesn’t support such long time-outs? Or maybe organizational policies won’t allow the HTTPS time-out to be raised that far. Does this mean ActiveSync won’t work? Not exactly: if the network doesn’t support these high time-out values, ActiveSync behaves as follows.

Let’s assume that your mobile provider only supports 10 minutes.

The device sends the long-lived HTTPS request to the server. If after 15 minutes the device hasn’t received a reply from the Exchange server, it assumes the connection was timed out by the network.

In this case the device sends another HTTPS request but changes the heartbeat interval to 8 minutes. After 8 minutes the device receives an HTTP 200 OK response from the server. The device then tries whether a higher heartbeat interval is possible: it sends another HTTPS request and changes the heartbeat interval to 12 minutes.

Since the mobile provider only supports 10 minutes, the mobile device will not receive an HTTP 200 OK from the server. So after 12 minutes the device assumes a network error and from then on sends its long-lived HTTPS requests with a heartbeat interval of 8 minutes.
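The heartbeat sequence above, replayed as an added Python model (this is not code from the original post). The network model is an assumption: a PING only gets its HTTP 200 OK back when the heartbeat is shorter than the idle time-out of the firewall or provider; the 15/8/12-minute values are the ones the post describes, and the idle-PING count is added to show what a short heartbeat costs in requests per device.

```python
from __future__ import annotations

# Network model (assumption for this example): a PING only gets its HTTP 200 OK
# back if the heartbeat is shorter than the idle time-out of the firewall or
# mobile provider; an equal or longer heartbeat is dropped and the device sees
# no reply at all.
DEFAULT_HEARTBEAT = 15  # minutes, Direct Push default
SAFE_HEARTBEAT = 8      # interval the device drops to after a timed-out PING
PROBE_HEARTBEAT = 12    # longer interval the device tries once 8 minutes worked


def ping(heartbeat: int, network_timeout: int) -> str:
    """One long-lived HTTPS PING: 'ok' or 'timeout'."""
    return "ok" if heartbeat < network_timeout else "timeout"


def negotiate_heartbeat(network_timeout: int) -> tuple[list[tuple[int, str]], int]:
    """Replay the sequence from the post and return (attempts, settled heartbeat)."""
    attempts: list[tuple[int, str]] = []

    # 1. The device starts with the default 15-minute heartbeat.
    outcome = ping(DEFAULT_HEARTBEAT, network_timeout)
    attempts.append((DEFAULT_HEARTBEAT, outcome))
    if outcome == "ok":
        return attempts, DEFAULT_HEARTBEAT

    # 2. No reply after 15 minutes: the device assumes the network timed the
    #    connection out and retries with an 8-minute heartbeat.
    outcome = ping(SAFE_HEARTBEAT, network_timeout)
    attempts.append((SAFE_HEARTBEAT, outcome))
    if outcome != "ok":
        # Not covered by the post; assumption: the device keeps the safe interval.
        return attempts, SAFE_HEARTBEAT

    # 3. 8 minutes worked, so the device probes whether 12 minutes is possible.
    outcome = ping(PROBE_HEARTBEAT, network_timeout)
    attempts.append((PROBE_HEARTBEAT, outcome))
    if outcome == "ok":
        return attempts, PROBE_HEARTBEAT

    # 4. 12 minutes timed out: the device falls back to 8 minutes for good.
    attempts.append((SAFE_HEARTBEAT, ping(SAFE_HEARTBEAT, network_timeout)))
    return attempts, SAFE_HEARTBEAT


def idle_pings_per_day(heartbeat: int) -> int:
    """PING requests an idle device sends per day at a given heartbeat (load/battery cost)."""
    return 24 * 60 // heartbeat


if __name__ == "__main__":
    for timeout in (10, 15, 30):
        attempts, settled = negotiate_heartbeat(timeout)
        print(f"network idle time-out {timeout} min: {attempts}")
        print(f"  -> settled on {settled} min, {idle_pings_per_day(settled)} idle PINGs per day")
```

With a 10-minute provider time-out the device ends up on an 8-minute heartbeat, almost doubling the number of idle PING requests compared to the default 15 minutes.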

Environment requirements

So what are the requirements before you can use ActiveSync? I will keep this part short as we already discussed most of it in the previous paragraphs. The requirements for using ActiveSync are:

  • Exchange is published to the internet (recommended via a reverse proxy)
  • User is enabled for ActiveSync (which is by default)
  • User does have an ActiveSync compatible device
  • A valid certificate has been installed on your Exchange server (and on your reverse proxy if applicable)

The first one is the one that might catch your attention. As you may know, Microsoft has announced that it won’t continue Forefront Threat Management Gateway (TMG for short). So if you haven’t got one in place you will need to select another product that can be used as a reverse proxy. One of the solutions that has been announced is from KEMP Technologies. They will release an update for their load balancers which makes it possible to publish Exchange in a secure way. So if you are planning to buy load balancers, take a look at the KEMP Technologies website for more information. The update is planned to be available in Q1 of 2013.

Configuring

Configuring ActiveSync consists of a few steps:

  • Configure the ActiveSync url
  • Configure the Mobile Device Mailbox Policy

Both steps can either be performed by using the Exchange Admin Center (EAC) or the Exchange Management Shell (EMS).

Configuring via the EAC can be done by performing the following steps:

  • Open the EAC
  • Select servers
  • Select virtual directories
  • Select the Microsoft-Server-ActiveSync entry
  • Click on the Edit button

Modify both the internal and external URL so they contain the correct FQDN you are using to publish your Exchange server.

The same step can be performed with the Set-ActiveSyncVirtualDirectory cmdlet in the EMS:

Set-ActiveSyncVirtualDirectory -Identity "ex01\Microsoft-Server-ActiveSync" -InternalUrl https://mail.johanveldhuis.nl/Microsoft-Server-ActiveSync -ExternalUrl https://mail.johanveldhuis.nl/Microsoft-Server-ActiveSync

The next step is to modify the Mobile Device Mailbox Policy; in Exchange 2007/2010 this was called the ActiveSync Mailbox Policy. Compared to those policies, the policy options in Exchange 2013 might look limited when looking at the GUI:

So disabling device features is no longer possible via the GUI. But in the EMS you can enable/disable many more options, which we will not discuss in this article because it’s a pretty long list. A few examples are:

  • DisableRemovableStorage
  • DisableIrDA
  • DisableDesktopSync
  • BlockRemoteDesktop
  • BlockInternetSharing

For a complete overview have a look at this TechNet article.

If you are using Windows Phone 7 devices you must pay attention to the following.

If you want to let these devices sync their mailbox content, either allow non-provisionable devices or do not enable the previously mentioned options or the following options:

  • PasswordRequired
  • MinPasswordLength
  • IdleTimeoutFrequencyValue
  • DeviceWipeThreshold
  • AllowSimplePassword
  • PasswordExpiration
  • PasswordHistory
  • DisableRemovableStorage
  • DisableIrDA
  • DisableDesktopSync
  • BlockRemoteDesktop
  • BlockInternetSharing

So let’s assume we want to create a policy which:

  • Allows Bluetooth
  • Allows browser usage
  • Allows Camera usage
  • Requires a password
  • Enables password recovery options
  • Allows Wifi

We will call this policy IT because it will be applied to all users in the IT department. To create the new policy we will use the New-MobileDeviceMailboxPolicy cmdlet:

New-MobileDeviceMailboxPolicy -Name:"IT" -AllowBluetooth:$true -AllowBrowser:$true -AllowCamera:$true -PasswordEnabled:$true -AlphanumericPasswordRequired:$true -PasswordRecoveryEnabled:$true -AllowWiFi:$true

Once the policy is configured, either via the EAC or the EMS, we need to assign it to a user, with one exception: the Mobile Device Mailbox Policy called Default is assigned automatically to all users who are not assigned another policy.

Via the EAC you will need to complete these steps:

  • Select Recipients
  • Select Mailboxes
  • Select the mailbox which you would like to modify
  • In the details pane scroll to Phone and Voice Features and select View details to display the Mobile Device Details screen
  • Press browse and select the correct policy
  • Click OK to close the window

Via the EMS you can do it like this:

# Department is a property of the objects returned by Get-User, not of Get-Mailbox output, so filter on users with a mailbox and pipe those to Set-CASMailbox
Get-User -RecipientTypeDetails UserMailbox -Filter { Department -eq 'IT' } | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "IT").Identity

After these things have been configured it’s time to connect your device to your Exchange environment. On most devices you can use the Autodiscover functionality of Exchange to configure your device the easy way. But what if it doesn’t work? Then it is time for some troubleshooting.

Troubleshooting

For troubleshooting there are a few things that can help you. If you have just built your environment you might want to have a look at the Remote Connectivity Analyzer from Microsoft. This tool gives you a detailed result which helps you identify the issue easily.

Besides this tool you could have a look at the IIS logs. But keep in mind that these logs are not only used for ActiveSync but for all web services of Exchange. Starting with Exchange 2013, Exchange contains several built-in test functionalities, and these also cause a lot of IIS logging. So it might be handy to filter the logs down to the ActiveSync related entries only. This can be done with the Export-ActiveSyncLog cmdlet, for example:

Export-ActiveSyncLog -Filename:"c:\Inetpub\logs\LogFiles\W3SVC2\u_ex130111.log" -StartDate:"2013-1-11" -EndDate:"2013-1-12" -UseGMT:$true -OutputPath:"c:\exreports\eas\"

The cmdlet above will export all ActiveSync related logging from the 11th and 12th of January. All results will be exported to a directory called eas.

When looking in the directory after running the cmdlet you will see a couple of files have been created:

So which information is included in each file:

  • Servers.csv: average unique devices and hits per server
  • Hourly.csv: ActiveSync activity hour-by-hour
  • StatusCodes.csv: overview of the status codes issued in response to ActiveSync requests, summarized per status code
  • PolicyCompliance.csv: overview of device compliance with the ActiveSync policy
  • UserAgents.csv: overview of hits and unique devices per user agent

The last tool is not really a troubleshooting tool but more a tool to generate nice reports. To generate these reports you can use Log Parser from Microsoft.

As my test environment doesn’t contain a lot of interesting information I generated it on another Exchange server.

I used the following cmdlet:

logparser "SELECT cs(user-agent), count(*) as Devices into chart.gif from c:\inetpub\logs\logfiles\w3svc1\u_ex*.log WHERE cs-uri-stem LIKE '%microsoft-server-activesync%' and cs-username is NOT NULL GROUP BY cs(User-Agent) ORDER BY Devices desc" -charttype:pieexploded3d -ChartTitle:"Device Activity by Type" -categories:OFF

Using this cmdlet we can generate the following report:

Here ends the first blog in the Exchange ABC series. In this blog we had a look at ActiveSync: how it works, how you can configure it and how to troubleshoot it.

Below you will find some useful links to sites containing ActiveSync related information.

Useful links:

Publishing Exchange Server 2013 using TMG:

http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx

Enabling Exchange ActiveSync’s Quarantine Features in an existing organization

http://www.stevieg.org/2013/01/implementing-exchange-activesyncs-quarantine-features/

Understanding Export-ActiveSyncLog:

http://www.windowsitadmin.com/2012/02/02/understanding-export-activesynclog-part-1-2/

Reporting on Mobile Device Activity Using Exchange 2007 ActiveSync Logs:

http://www.simple-talk.com/sysadmin/exchange/reporting-on-mobile-device-activity-using-exchange-2007-activesync-logs/

More fun with Logparser and Exchange logs:

http://blogs.technet.com/b/exchange/archive/2007/09/12/3403903.aspx

Using ActiveSync or BlackBerry you can give users the ability to sync the content of their mailbox to their mobile device. When BYOD is introduced in a company you might see an explosion in the number of ActiveSync/BlackBerry devices that connect to your Exchange environment.

So before allowing BYOD mobile devices you should do some investigation. There are two parameters that will be affected:

  • IOPS
  • Megacycles

IOPS

Let’s start by looking at the impact a mobile device has on the IOPS Exchange needs to deliver.

Both ActiveSync and BlackBerry devices will generate additional IOPS per device. RIM published a nice document which describes the impact on the IOPS, which depends on the mailbox profile.

| Email messages sent or received per mailbox per day | Estimated IOPS per BlackBerry device |
|---|---|
| 50 | 0.06 |
| 100 | 0.12 |
| 150 | 0.18 |
| 200 | 0.24 |
| 250 | 0.30 |
| 300 | 0.35 |

The numbers above apply to an active mailbox copy (DAG) or a standalone mailbox copy. Strangely, though, when you use the HP Sizer for Microsoft Exchange Server 2010 it multiplies the needed IOPS by 2. So it looks like HP either built in some reserves or is using values from an earlier Performance Benchmark Guide from RIM, because RIM has made improvements which dramatically decrease the needed IOPS.

I’ve searched for a table which describes the needed IOPS for ActiveSync devices, but as far as I know Microsoft did not publish one. When looking at the available sizing tools, for example the HP Sizer for Microsoft Exchange Server 2010, you will see that it multiplies the amount of IOPS by 2. The Exchange 2010 Mailbox Role Requirements Calculator does not provide such an easy option as the HP Sizer; instead, the tool from Microsoft has a multiplication factor which you can use to influence the needed IOPS.

Megacycles

As discussed before, the second parameter is the number of megacycles needed. In the document mentioned earlier RIM also published the megacycles needed per BlackBerry device.

| Email messages sent or received per mailbox per day | Estimated megacycles per BlackBerry device |
|---|---|
| 50 | 1.5 |
| 100 | 3.0 |
| 150 | 4.5 |
| 200 | 6.0 |
| 250 | 7.5 |
| 300 | 9.0 |

As you can see, the needed megacycles depend on the number of messages sent/received per day. Compared to the IOPS it has a greater impact. RIM mentions in its document that if you use the sizing recommendations of Microsoft it shouldn’t have a big impact on the CAS servers. The recommendations RIM points to can be found on this page.

Microsoft also performed some tests to see the impact on the megacycles when ActiveSync is used. In this case they only tested with one specific user mailbox profile.

| | Client Access | Hub Transport | Mailbox |
|---|---|---|---|
| CPU (MHz/user) | 1,60 | 0,22 | 1,25 |

As you can see, Microsoft divided it per Exchange role. If you use the Exchange 2010 Mailbox Role Requirements Calculator you will need the value listed in the Mailbox column and use the megacycles multiplication factor to add 1,25 megacycles per mailbox.

What if users will use multiple mobile devices?

Well, the answer is quite easy, although it is hard to estimate in advance how many users will use multiple devices. When allowing BYOD mobile devices people may use both their mobile phone and their tablet to sync their mailbox content. And it is not limited to two devices.

Throttling policy

Exchange 2010 allows a maximum of 10 devices per user to sync via ActiveSync. So in the worst case users can set up 10 device partnerships with your Exchange environment.

The limit of 10 devices may be a little bit high; 3 or 4 devices is a reasonable amount. But what if you want to limit the maximum number of ActiveSync devices allowed per user?

If you want to limit the number of ActiveSync devices per user you will need to modify the throttling policy settings. Depending on your environment you might decide to create additional throttling policies which allow more ActiveSync devices, for example for management.

To modify the throttling policy you will need to use the Exchange Management Shell (EMS). The output below is the result of Get-ThrottlingPolicy:

As you can see, EASMaxDevices is the parameter that needs to be modified to limit the number of ActiveSync devices that can be used.

To do this you will need to run the Set-ThrottlingPolicy cmdlet:

Set-ThrottlingPolicy Default* -EASMaxDevices 1

The example above limits the maximum number of ActiveSync devices to one per user.

Quarantine new devices

By default new users are allowed to connect to Exchange using ActiveSync (excluded are users who are members of a protected group, such as administrators). To prevent this you can set the default action to quarantine new devices.

With this option all new devices are placed in quarantine until an administrator approves the device.

There are two ways to place a device in quarantine:

  • Create a rule for each family
  • Modify the default

Create a rule for each family:

The option can be found in the Exchange Control Panel (ECP) in the Phone & Voice section:

On the ActiveSync Access page scroll down until you see the Device Access Rules and click New to create a new rule:

Using the Browse buttons select a family and/or model and select the option Quarantine – Let me decide to block or allow later.

Unknown devices

The disadvantage of a rule per family is that not all devices may hit such a rule. In that case the default settings are used. These can be changed by pressing the Edit button at the top of the page:

This will bring up a new window which gives you the following options:

  • What the default action is when an unknown device tries to connect
  • Which user or distribution group must be notified when an unknown device is quarantined
  • Which text is sent to a user who tries to connect with an unknown device

How about BlackBerry, can this be limited as well?

Well, in most organizations a BlackBerry Express/Enterprise server is installed which is connected to Exchange. Since the BlackBerry server doesn’t use ActiveSync to sync, the EASMaxDevices setting changed earlier has no effect on it.

A user needs an activation password to connect their device to the BES environment. Administrators have the option to configure how long a password is valid using the password expiration. Since the password is only valid to activate one device, it prevents the user from connecting multiple devices. If they want to connect another device they will need to ask their administrator for another activation code.

Monitoring the ActiveSync usage

When allowing BYOD mobile devices to sync with your Exchange environment it might be useful to perform some kind of monitoring. Using the monitoring features you can see how many ActiveSync devices are syncing with your Exchange environment.

Since the mobile devices connect to an HTTPS service offered by the CAS, most things are logged in the IIS logs.

By default all Exchange related HTTP/HTTPS traffic is logged in the same IIS log. This causes ActiveSync, EWS, OWA and PowerShell traffic to be logged in the same IIS log.

The cause of this is that the default setting is to have only one log file per site:

Since all virtual directories of Exchange are created in the Default Web Site by default, this setting applies to these virtual directories too. So reading the log is a little bit difficult, although it is possible.

To filter out only the ActiveSync related entries you will have to use the Export-ActiveSyncLog cmdlet, for example:

Export-ActiveSyncLog -FileName "C:\Windows\System32\LogFiles\W3SVC1\ex12607.log" -UseGMT:$true -OutputPath "C:\ActiveSync Report"

This creates a separate file containing only the ActiveSync related entries. The example above only works for one log. If you want to search all the logs for ActiveSync use this:

Get-ChildItem "C:\Windows\System32\LogFiles\W3SVC1" | Export-ActiveSyncLog -UseGMT:$true -OutputPath "C:\Temp\EASReports"

There are some useful scripts on the internet to perform additional actions on the logs:

Here ends my blog about the impact BYOD mobile devices can have on your Exchange environment. More information about the specific cmdlets can be found on the following sites:

Technet: Export-ActiveSyncLog
Technet: Set-ThrottlingPolicy

ActiveSync doesn’t work for specific devices

A while ago Microsoft announced the Exchange ActiveSync Logo Program. Using this program Microsoft tests the compatibility of devices with ActiveSync.

One of the reasons for this is the problems you may experience with some devices and ActiveSync. As an administrator/consultant it is sometimes hard to explain to an end user or customer why synchronization doesn’t work.

At this moment the following devices are certified:

  • Windows Phone 7
  • Windows Phone 6.5
  • Nokia devices using Mail for Exchange 3.0.50
  • Nokia E7
  • Apple devices using iOS 4

When a device doesn’t meet the requirements it may cause issues. One of the issues you may experience is that a device doesn’t synchronize at all. This may be the case after a mailbox is migrated from Exchange 2003 to Exchange 2010. This last one is an example of an issue I experienced myself.

To investigate this issue you will have to use the IIS logs. In the case of the Nokia devices the following could be found in the IIS logs:

2011-05-06 11:29:50 192.168.1.41 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=XXXXXX&DeviceId=IMEIXXXXXXXXXXX&DeviceType=NokiaEmail&Log=V0_LdapC9_LdapL16_Mbx:
MB.DOMAIN.LOCAL_Dc:DC.DOMAIN.LOCAL_Throttle0_Budget:(A)Conn%3a0%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f0%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F3006a3a1-0211-447a-99f5-6c0ab8e33c84%2cNorm_ 443 DOMAIN\Username 192.168.100.201 NokiaE721/2.02(0)MailforExchange+3gpp-gba 200 0 0 140

2011-05-06 11:30:11 192.168.1.41 POST /Microsoft-Server-ActiveSync/default.eas User=Username&DeviceId=IMEIXXXXXXXX&DeviceType=NokiaEmail&Cmd=Settings&Log=
V121_Ssnf:T_LdapC4_LdapL16_RpcC45_RpcL125_Ers1_Cpo19781_Fet19999_Pk0_Error:
DeviceNotProvisioned_As:BlockedP_Mbx:MB.DOMAIN.LOCAL_Dc:DC.DOMAIN.LOCAL_Throttle0_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f1%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f1%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F3006a3a1-0211-447a-99f5-6c0ab8e33c84%2cNorm%5bResources%3a(Mdb)MBDB01(Health%3a-1%25%2cHistLoad%3a0)%2c(DC.LOCAL(Health%3a-1%25%2cHistLoad%3a0)%2c(DC)DOMAIN.LOCAL(Health%3a-1%25%2cHistLoad%3a0)%2c%5d_ 443 DOMAIN\Username192.168.100.201 NokiaE721/2.02(0)MailforExchange+3gpp-gba 449 0 0 19999

The lines above are just two lines from the log. In the first line you can see that the user authenticates and the web server responds with a 200. In the next line you see that something goes wrong during the provisioning process (Error:DeviceNotProvisioned, HTTP status 449). When searching on the internet you will find that Nokia devices are not the only devices that cause problems; some Android based devices may cause issues with ActiveSync as well. The problem is caused by the fact that these devices won’t work with the ActiveSync policy. Using this policy administrators can specify, for example, the security settings for a device.
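The IIS log analysis from the two posts above (the per-status-code and per-user-agent summaries Export-ActiveSyncLog writes to StatusCodes.csv and UserAgents.csv, and spotting the DeviceNotProvisioned failure in the lines just quoted) as an added Python example; this is not code from the original posts. It assumes the default IIS W3C field order shown in the quoted lines, and the sample log is constructed (identifiers shortened, the long Log= budget blob replaced by a short stand-in).

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs

# Default IIS W3C field order; it matches the two log lines quoted above.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port", "username",
          "c_ip", "user_agent", "status", "substatus", "win32_status", "time_taken"]

# Constructed sample log in the same layout as the post's lines (identifiers
# shortened, the long throttling-budget blob in Log= replaced by a short stand-in).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-05-06 11:29:50 192.168.1.41 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=IMEI111&DeviceType=NokiaEmail&Log=V0_LdapC9_Mbx:MB.DOMAIN.LOCAL_ 443 DOMAIN\alice 192.168.100.201 NokiaE721/2.02(0)MailforExchange+3gpp-gba 200 0 0 140
2011-05-06 11:30:11 192.168.1.41 POST /Microsoft-Server-ActiveSync/default.eas User=alice&DeviceId=IMEI111&DeviceType=NokiaEmail&Cmd=Settings&Log=V121_Ssnf:T_Error:DeviceNotProvisioned_As:BlockedP_Mbx:MB.DOMAIN.LOCAL_ 443 DOMAIN\alice 192.168.100.201 NokiaE721/2.02(0)MailforExchange+3gpp-gba 449 0 0 19999
2011-05-06 11:31:02 192.168.1.41 POST /Microsoft-Server-ActiveSync/default.eas User=bob&DeviceId=ABC222&DeviceType=iPhone&Cmd=Ping&Log=V121_Ssnf:T_Mbx:MB.DOMAIN.LOCAL_ 443 DOMAIN\bob 192.168.100.202 Apple-iPhone3C1/803.148 200 0 0 900011
2011-05-06 11:31:40 192.168.1.41 GET /owa/ - 443 DOMAIN\carol 192.168.100.203 Mozilla/5.0 200 0 0 31
"""

ERROR_RE = re.compile(r"Error:([A-Za-z0-9]+)")


def parse_eas_lines(log_text: str) -> list[dict]:
    """One dict per ActiveSync request; header lines and other web services are skipped."""
    records = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # unexpected layout: skip rather than guess at field positions
        rec = dict(zip(FIELDS, parts))
        if "/microsoft-server-activesync" not in rec["uri_stem"].lower():
            continue  # same filter as the logparser query on the page
        query = parse_qs(rec["uri_query"], keep_blank_values=True)
        rec["device_id"] = query.get("DeviceId", [""])[0]
        rec["device_type"] = query.get("DeviceType", [""])[0]
        rec["cmd"] = query.get("Cmd", [""])[0]
        # The Log= parameter carries server-side diagnostics; Error:<name> is the
        # field that showed DeviceNotProvisioned in the post's second line.
        match = ERROR_RE.search(query.get("Log", [""])[0])
        rec["error"] = match.group(1) if match else ""
        records.append(rec)
    return records


def status_codes(records: list[dict]) -> dict[str, int]:
    """Hits per HTTP status, the StatusCodes.csv view."""
    return dict(Counter(r["status"] for r in records))


def user_agents(records: list[dict]) -> dict[str, tuple[int, int]]:
    """(hits, unique devices) per user agent, the UserAgents.csv view."""
    hits = Counter(r["user_agent"] for r in records)
    devices: dict[str, set[str]] = {}
    for r in records:
        devices.setdefault(r["user_agent"], set()).add(r["device_id"])
    return {ua: (hits[ua], len(devices[ua])) for ua in hits}


def provisioning_failures(records: list[dict]) -> list[tuple[str, str, str]]:
    """(user, device id, error) for requests rejected by policy provisioning."""
    return [(r["username"], r["device_id"], r["error"]) for r in records
            if r["error"] == "DeviceNotProvisioned" or r["status"] == "449"]


if __name__ == "__main__":
    recs = parse_eas_lines(SAMPLE_LOG)
    print("status codes:", status_codes(recs))
    print("user agents:", user_agents(recs))
    print("provisioning failures:", provisioning_failures(recs))
```

Run it against a real u_ex*.log by reading the file into parse_eas_lines; a device that keeps showing up in provisioning_failures is one that cannot apply the mailbox policy and will show Access Denied in the ECP.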

When a user logs in via the Exchange Control Panel (ECP) and visits the Phone page, the device is visible there. But when getting the properties of the device the following is displayed:

Access state:
Access Denied
Access set by: Security Policy Application

In some cases this may lead to unwanted scenarios. Most end users will not be very happy when synchronization stops working, even though the reason may be a device issue.

Because it is difficult to make an inventory of which devices are active in your organization, it might be wise to implement a workaround. This workaround is only needed temporarily, until all devices have been upgraded to the recommended version.

The workaround for this issue is to disable the default ActiveSync policy during a migration. By default this policy is applied to every user. To do this you will need to use the Exchange Management Shell (EMS):

Set-ActiveSyncMailboxPolicy -Identity:Default -IsDefaultPolicy:$false

When you reconfigure the device, although this might not be necessary, you will see it works. Because this creates an unwanted situation it is recommended to solve the real issue.

Besides updating the client it might be necessary to update the firmware of the device. In the case of the Nokia devices ActiveSync didn’t work after the upgrade to Mail-for-Exchange 3.0.50.

When all devices are upgraded it is recommended to enable the ActiveSync policy again:

Set-ActiveSyncMailboxPolicy -Identity:Default -IsDefaultPolicy:$true

For more information about ActiveSync policies you can visit the page below:

Technet: Understanding Exchange ActiveSync Mailbox Policies

Enable/disable ActiveSync

Today I got a question whether it was possible to disable ActiveSync in Exchange 2007. The answer: yes, this is possible and really easy:

  • Open IIS Manager
  • Double-click on the server name
  • Double-click on Application Pools
  • Right-click on MSExchangeSyncAppPool and select Stop

If you decide to switch it on again, perform the steps above but choose the option Start in the last step.

OWA and ActiveSync won’t work anymore

Today I discovered a strange issue in my Exchange 2007 test environment: both OWA and ActiveSync didn’t work anymore. A strange .NET error was displayed saying that if I wanted more info I needed to change an XML file. As I hadn’t changed much on the system I first checked whether all services were running, which was the case. The next step was checking the event logs; there was nothing strange to find there either. The last step was IIS: at first sight everything appeared to be OK, but after investigating the .NET tab of the OWA virtual folder I discovered that it was set to 1.1 instead of 2.0. After changing this everything worked OK.

Besides users being able to wipe their smartphone/PDA from within OWA, administrators have the ActiveSync Web Administration tool. This tool is completely web-based and makes it possible for administrators to:

  • View a list of all devices that are being used by any user
  • Select/De-select devices to be remotely erased
  • View the status of pending remote erase requests for each device
  • View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices those commands pertained to
