Exchange 2019: Presenting Outlook Anywhere With WAP

KB ID 0001548

Problem

Note: Applies to Exchange 2019, 2016, and 2013.

This is pretty much part two of presenting Exchange web services using Web Application Proxy. In part one we looked at publishing OWA and ECP, which required an ADFS server. To present the other web services (Outlook Anywhere, Exchange ActiveSync, the Offline Address Book, and so on) you don't need ADFS: you publish them with 'pass-through' pre-authentication on your WAP server, which forwards the request straight to Exchange. Be clear about what that means: with pass-through, WAP does no authentication of its own, so Exchange still authenticates every request that arrives on these virtual directories, and their authentication settings matter exactly as much as they did before WAP was in front of them.

Solution

Before you start, in addition to the DNS records we used for OWA and ECP, you also need to be able to publicly resolve your Autodiscover record. I prefer doing this with a public SRV record; see the following article for clarification:

Creating an AutoDiscover SRV Record

You now need to make sure that the URLs Exchange uses for its web services are set correctly. To check them, run the following PowerShell commands from the Exchange Management Shell:

[box]

Get-OutlookAnywhere | select InternalHostname,ExternalHostname
Get-OABVirtualDirectory | select InternalUrl,ExternalUrl
Get-ActiveSyncVirtualDirectory | select InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory | select InternalUrl,ExternalUrl
Get-MapiVirtualDirectory | select InternalUrl,ExternalUrl
Get-ClientAccessService | select AutoDiscoverServiceInternalUri
# Exchange 2013 has no Get-ClientAccessService; use Get-ClientAccessServer instead

[/box]

 


Make sure your internal URLs are resolvable inside, and your external/public URLs are resolvable outside (to the public IP address of your WAP server). The host name in the ExternalUrl values is the one you will publish on WAP, so it must also be a name on the public certificate you present there, otherwise clients will fail the TLS handshake before they ever reach Exchange.
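The article only shows the Get-* commands; the following added example (my code, not from the original article) sets all of the namespaces to one consistent name and then checks them and their DNS resolution. It assumes the Exchange server is called EX01, that the internal and external name is mail.ubique.com (as used in the article), that the Autodiscover SRV record lives under ubique.com, and that it is run in the Exchange Management Shell on Exchange 2016 or 2019 (on 2013 substitute Set-ClientAccessServer).

```powershell
# Added example (not from the original article). Sets every client-access namespace to one
# consistent name and then checks it resolves. Assumptions: the server is EX01, the public and
# internal name is mail.ubique.com (as in the article), the SRV record lives under ubique.com,
# and this runs in the Exchange Management Shell on Exchange 2016/2019.
$Server = 'EX01'             # assumption
$Fqdn   = 'mail.ubique.com'  # assumption: one namespace inside and out, matching the public cert

# Outlook Anywhere takes host names rather than URLs.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $Fqdn -ExternalHostname $Fqdn `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

# The remaining services are virtual directories with Internal/External URLs.
$Dirs = @(
    @{ Get = 'Get-OABVirtualDirectory';         Set = 'Set-OABVirtualDirectory';         Path = 'OAB' }
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Path = 'Microsoft-Server-ActiveSync' }
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Path = 'EWS/Exchange.asmx' }
    @{ Get = 'Get-MapiVirtualDirectory';        Set = 'Set-MapiVirtualDirectory';        Path = 'mapi' }
)
foreach ($d in $Dirs) {
    $url = "https://$Fqdn/$($d.Path)"
    & $d.Get -Server $Server | & $d.Set -InternalUrl $url -ExternalUrl $url
}

# Autodiscover (Exchange 2013: Set-ClientAccessServer).
Set-ClientAccessService -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$Fqdn/Autodiscover/Autodiscover.xml"

# Re-read everything and warn about any directory whose URLs do not carry the expected name.
$Report = foreach ($d in $Dirs) {
    & $d.Get -Server $Server | Select-Object @{n='Service';e={$d.Path}}, InternalUrl, ExternalUrl
}
$Report | Format-Table -AutoSize
$Report | Where-Object { "$($_.InternalUrl)$($_.ExternalUrl)" -notlike "*$Fqdn*" } |
    ForEach-Object { Write-Warning "$($_.Service) still points somewhere other than $Fqdn" }

# Name resolution: run this inside (expect the Exchange or load-balancer IP) and again from an
# outside host (expect the WAP public IP). The SRV record is the one from the linked article.
Resolve-DnsName -Name $Fqdn -Type A
Resolve-DnsName -Name "_autodiscover._tcp.ubique.com" -Type SRV
```

Run the two Resolve-DnsName lines a second time from a machine outside your network: the A record should come back as the WAP public address there, not the internal one.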

Exchange URLS To Publish with WAP

As with the URLs we published previously, remember to publish them with a trailing slash. You need to publish and reverse proxy the following URLs:

Outlook Anywhere: https://mail.ubique.com/rpc/
Offline Address Book: https://mail.ubique.com/oab/
ActiveSync: https://mail.ubique.com/Microsoft-Server-ActiveSync/
Exchange Web Services: https://mail.ubique.com/EWS/
MAPI: https://mail.ubique.com/MAPI/
Autodiscover: https://mail.ubique.com/Autodiscover/

Note: Obviously your domain will have a different name!

Publish Outlook Anywhere with WAP

From the ‘Remote Access Management Console’ > Publish > Next.

Select ‘Pass-Through’ > Next.

Give the published rule a sensible name like "Outlook Anywhere" > enter the external URL and the backend server URL (the same URL, with the trailing slash), and select your public certificate > Next.

Publish.

Close

Publish Active Sync with WAP

ActiveSync is required for phones and mobile devices that cannot use Outlook Anywhere. To publish this rule, repeat the procedure above, but at the Publishing Settings page use the following settings.

Publish Offline Address Book with WAP

The Offline Address Book is required by clients to download a cached copy of the global address list. To publish this rule, repeat the procedure above, but at the Publishing Settings page use the following settings.

Publish Exchange Web Services with WAP

Exchange Web Services allow clients to access calendars, contacts and scheduling information remotely. To publish this rule, repeat the procedure above, but at the Publishing Settings page use the following settings.

Publish Exchange MAPI with WAP

MAPI over HTTP (Messaging Application Programming Interface over HTTPS) is the default connection protocol in modern Exchange deployments. To publish this rule, repeat the procedure above, but at the Publishing Settings page use the following settings.

Publish Exchange Autodiscover with WAP

If you've used Exchange since version 2007, you will know how important Autodiscover is (probably because of the headaches caused when it's not set up correctly!). To publish this rule, repeat the procedure above, but at the Publishing Settings page use the following settings.
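The six rules above can also be created from PowerShell on the WAP server, which makes it much easier to get the trailing slashes and the pass-through setting identical every time. The following is an added example (my code, not from the original article); it assumes the public and backend name is mail.ubique.com as in the article, that the public certificate is already installed in the WAP machine's personal store with that name in its subject (if you use a SAN certificate with a different CN, change the filter), and that the Web Application Proxy role is installed.

```powershell
# Added example (not from the original article): create the six pass-through rules on the WAP
# server. Assumptions: namespace mail.ubique.com (as in the article), the public certificate is
# in Cert:\LocalMachine\My with that name in its subject, and WAP is already installed.
$Fqdn = 'mail.ubique.com'   # assumption

# Pick the newest certificate for the published name that has a private key.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$Fqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate for $Fqdn with a private key in LocalMachine\My" }

# Same paths (and casing) as the list in the article; every URL ends in a slash.
$Apps = @(
    @{ Name = 'Outlook Anywhere';      Path = 'rpc/' }
    @{ Name = 'Offline Address Book';  Path = 'oab/' }
    @{ Name = 'ActiveSync';            Path = 'Microsoft-Server-ActiveSync/' }
    @{ Name = 'Exchange Web Services'; Path = 'EWS/' }
    @{ Name = 'MAPI';                  Path = 'MAPI/' }
    @{ Name = 'Autodiscover';          Path = 'Autodiscover/' }
)

foreach ($a in $Apps) {
    $url = "https://$Fqdn/$($a.Path)"
    if (Get-WebApplicationProxyApplication | Where-Object { $_.Name -eq $a.Name }) {
        Write-Host "Skipping '$($a.Name)': already published"
        continue
    }
    # PassThrough = no pre-authentication at WAP; Exchange authenticates the request itself.
    Add-WebApplicationProxyApplication -Name $a.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl $url `
        -BackendServerUrl $url `
        -ExternalCertificateThumbprint $Cert.Thumbprint
}

# The same view as the console's published-applications list: the OWA/ECP rules from part one
# should show ADFS here, and these six should show PassThrough.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

Because the external and backend URLs are the same here, WAP does not need to rewrite anything; it terminates TLS with the certificate you selected, opens a new TLS connection to Exchange, and relays the client's own authentication to Exchange.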

Final Sanity Check

When complete, your WAP settings should look like this (this shows both the pass-through rules from this article and the ADFS-published rules from part one).

Once set up correctly, Outlook should work fine externally, like so:

Related Articles, References, Credits, or External Links

NA

I’m Going on Holiday, What do I need to Disable on my iPhone?

KB ID 0000622 

Problem

Here in Europe the big mobile telcos are being forced to keep roaming prices down. But going abroad with all your data services turned on can mean you might come back to a big bill.

Solution

1. On most people's phones "Data Roaming" is already disabled (mine's always off). Data Roaming is designed to let you use another provider's phone network if your carrier's signal is too weak. Some sites say you can't use your phone abroad if you have this disabled. I DISAGREE: I've got it disabled and I use my phone every time I'm out of the country.

Settings > General > Network > Data Roaming.

2. If you see ActiveSync and/or have mail pushed to your phone, you might want to also disable “Mobile Data” to stop that happening while your away.

Settings > General > Network > Mobile Data.

3. That's data stopped, but your phone will still function as a phone. WARNING: you may still be charged for "call forwarding" if your phone rings and you let it go to answerphone while you are away. I don't mind that, because I prefer to keep my phone on. If you want to disable the phone and text features as well, e.g. you just want to use the camera, iPod and alarm capabilities, then just put the phone in Airplane mode (which isn't a word, Apple! The word is Aeroplane!).

Settings > Airplane Mode.

Related Articles, References, Credits, or External Links

NA

Event ID 3033

KB ID 0000130 

Problem

You receive an Event ID 3033 error with the following description:

'The average of the most recent <?> heartbeat intervals used by clients is less than or equal to <?>. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed. For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, "Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology".'

Solution

If you have an ISA firewall, the fix is here: http://support.microsoft.com/?kbid=905013

However, that's not much help if you have a Cisco ASA. If that's the case, do the following.

If you already have ActiveSync running through the outside interface, skip to step 2.

1. Allow the HTTPS traffic in:

[box]

8.3 and Newer Commands

Petes-ASA# configure terminal
Petes-ASA(config)# object network OBJ-Exchange-Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp https https
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# access-list inbound extended permit tcp any object OBJ-Exchange-Server eq https
Petes-ASA(config)# access-group inbound in interface outside

Older than 8.3 Commands

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq https
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)# static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255

[/box]

Note: The above assumes 192.168.1.1 is the inside IP address of the Exchange server, and that only TCP 443 (HTTPS) is forwarded; do not open HTTP (TCP 80) to Exchange from the outside, ActiveSync does not need it.

If your mail server has its own static public address you will not need port forwarding (as in the example above); in that case you use a one-to-one static NAT and would have:

[box]

8.3 and Newer Commands

Petes-ASA# configure terminal
Petes-ASA(config)# object network OBJ-Exchange-Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static 123.123.123.123
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# access-list inbound extended permit tcp any object OBJ-Exchange-Server eq https
Petes-ASA(config)# access-group inbound in interface outside

Older than 8.3 Commands

Petes-ASA# configure terminal
Petes-ASA(config)# static (inside,outside) 123.123.123.123 192.168.1.1 netmask 255.255.255.255
Petes-ASA(config)# access-list inbound extended permit tcp any host 123.123.123.123 eq https
Petes-ASA(config)# access-group inbound in interface outside

[/box]

Note: The above assumes the Exchange server's public IP address is 123.123.123.123 and 192.168.1.1 is its private IP address. On 8.3 and newer the access list references the real (inside) address via the object; on older versions it references the translated (public) address.

2. Create a class map and bind it to an access list that matches only the ActiveSync traffic, so the longer timeout applies to that traffic and nothing else.

Note: For versions older than 8.3, use the public IP address in the ACL.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# access-list ACL-HTTPS-INSPECT permit tcp any host 192.168.1.1 eq https
Petes-ASA(config)# class-map CM-HTTPS-INSPECT
Petes-ASA(config-cmap)# match access-list ACL-HTTPS-INSPECT
Petes-ASA(config-cmap)# exit

[/box]

3. Create a policy map, add the class map you created above, and set the TCP idle timeout (here it's set to 9 minutes). The value needs to be longer than the heartbeat interval your devices settle on, otherwise the firewall keeps dropping idle direct-push connections and the event keeps coming back; the Microsoft article referenced in the event recommends raising the timeout to 30 minutes, so if 9 minutes still logs 3033, increase it. On ASA 8.2 and later the tcp keyword in this command was renamed idle, i.e. set connection timeout idle 0:09:00 reset.

[box]

Petes-ASA(config)# policy-map PM-HTTPS-TIMEOUT
Petes-ASA(config-pmap)# class CM-HTTPS-INSPECT
Petes-ASA(config-pmap-c)# set connection timeout tcp 0:09:00 reset
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit

[/box]

4. Apply the policy map to the outside interface with a service-policy command.

[box]

Petes-ASA(config)# service-policy PM-HTTPS-TIMEOUT interface outside

[/box]

Note: You can only have one global policy, but you can also have one policy applied to each interface, which is why this one is applied to the outside interface rather than globally.

Related Articles, References, Credits, or External Links

Original Article Written 10/11/09

Exchange ActiveSync Not Working for Some Users “Post Migration”

KB ID 0000695

Problem

Error seen for some users on both Exchange 2007 and 2010, post migration from earlier versions of Exchange. When it fails you will also see this error:

Event ID 1053 MSExchange ActiveSync

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN={User Name},OU=<OU Name>,DC={Domain Name},DC=com” container under Active Directory user “Active Directory operation failed on servername.domain-name.com This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Solution

Note: This can happen if the user is a member of any of these groups. They are the groups protected by AdminSDHolder: roughly every 60 minutes the SDProp process stamps their members with adminCount=1, disables inheritance on them and resets their ACL to a copy of AdminSDHolder's, which does not contain the Exchange Servers permissions the event asks for.

Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators

If your user IS a member of any of these groups, then have their ActiveSync device ready to be configured, as this fix will "revert" every hour when SDProp runs again. If you get it connected and working before it reverts you will be fine. The lasting fix is not to have a day-to-day mailbox user in a protected group at all: give the person a separate administrative account for the privileged work and take the mailbox account out of the group (then clear adminCount and re-enable inheritance, because removal alone does not undo the stamping).

Note: Users and mailboxes created post migration are NOT affected.

1. On your Exchange server > launch the Exchange Management Console > Server Configuration > select your CAS server > Properties > System Settings > locate the domain controller that it is using.

2. Go to that domain controller, and press Windows Key+R > dsa.msc {enter} > Active Directory Users and Computers should open.

3. View > ensure Advanced Features is enabled > locate the problem user > Properties > Security > Advanced > ensure Exchange Servers is present > tick the box to "Allow inheritable permissions from this object's parent" > Apply.

4. Now attempt to connect your ActiveSync client.
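The same diagnosis and fix from PowerShell, as an added example (my code, not from the original article): it shows whether the account has been stamped by SDProp, re-enables inheritance exactly as step 3 does in the GUI, and then confirms the inherited Exchange Servers entry the event text asks for is actually present. It assumes the ActiveDirectory module is installed, the affected user is jsmith, and it is run against the domain controller your CAS server is using, so Exchange sees the change straight away.

```powershell
# Added example (not from the original article). Assumptions: ActiveDirectory module present,
# the affected user is 'jsmith', and this runs on/against the DC the CAS server uses.
Import-Module ActiveDirectory
$Sam  = 'jsmith'   # assumption
$User = Get-ADUser -Identity $Sam -Properties adminCount, memberOf

# adminCount=1 means SDProp has stamped this account; that is why the GUI fix reverts hourly.
# memberOf lists direct groups only, so nested membership of a protected group will not show.
"{0}: adminCount={1}; direct groups: {2}" -f $User.SamAccountName, $User.adminCount,
    (($User.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ')

$Path = "AD:\$($User.DistinguishedName)"
$Acl  = Get-Acl -Path $Path
if ($Acl.AreAccessRulesProtected) {
    # $false = stop blocking inheritance; $true = keep the explicit ACEs that are already there.
    $Acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $Path -AclObject $Acl
    "Inheritance re-enabled on $($User.DistinguishedName): connect the device now, before SDProp runs again."
} else {
    "Inheritance is already enabled on $($User.DistinguishedName); the cause is something else."
}

# Confirm the inherited ACE for Exchange Servers is now present (the event asks for
# List, Create child and Delete child on msExchangeActiveSyncDevices objects).
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference -like '*\Exchange Servers' -and $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType
```

If the account is in a protected group the block above buys you until the next SDProp run, the same as the GUI steps; if you also want the change to stick, remove the account from the group first and clear adminCount with Set-ADUser -Identity $Sam -Clear adminCount before re-enabling inheritance.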

Related Articles, References, Credits, or External Links

NA

ActiveSync Error Support Code: 0x85010014

KB ID 0000367 

Problem

This error is so common, every time I fix it I berate myself for not documenting it for the site. It’s easier to do it, than to write it down, so see the video below.

 

Solution

 

Related Articles, References, Credits, or External Links

NA

Exchange 2003 – ActiveSync Stops working after IP change

KB ID 0000345

Problem

My colleague swapped one of our clients over to a new IP range last week. All went well except ActiveSync stopped working on the clients' phones, and it took a while for the penny to drop. This problem was caused by the "fix" for the "ActiveSync Support Code: 85010014" error that's outlined in MS KB817379.

You need to grant access to the servers new IP address.

Solution

1. Let's make sure that this is the problem. On the Exchange server, Start > Run > Regedit > navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters.

2. If there is a string value in the right-hand pane called ExchangeVDir, this IS the problem > take note of what it's set to (in the example below it's called "exchange-oma").

3. On the server, Start > Administrative Tools > Internet Information Services (IIS) Manager.

4. Expand your server name > Web Sites > Default Web Site > locate the directory you noted in step 2 > right click > Properties > Directory Security > IP address and domain name restrictions > Edit > ensure the server's new IP address and 127.0.0.1 are in there (only the server itself should be allowed to reach this directory; it is the back-end that ActiveSync talks to on the server's own behalf, so do not open it to any other addresses).

5. Click OK > Apply > OK > Close IIS manager.

6. Click Start > Run > services.msc > locate the IIS Admin service > right click it > Restart.

Related Articles, References, Credits, or External Links

NA

Active Sync on Small Business Server 2003 with iPhone

KB ID 0000336 

Problem

I don't know why, but ActiveSync will NOT work out of the box with SBS 2003; for a long time I've just told my clients "it can't be done". However, after the problem went off the boil for a while, it was the topic of conversation in the office, and I did some searching and came up with a solution.

You don’t need IMAP – you don’t need ISA server – you just need 5 minutes.

Solution

1. It may seem daft to say this, but you need to install and configure ActiveSync before you do anything; if it's not set up it will never work with an iPhone!

ActiveSync setup and tested with a Windows Mobile Device.

Note: for use of the Windows Mobile Emulator click here

2. On the SBS server, click Start > Administrative Tools > Internet Information Services (IIS) Manager > expand Web Sites > Default Web Site > locate the "Microsoft-Server-ActiveSync" folder > right click > Properties.

3. Select the "Directory Security" tab > "IP address and domain name restrictions" section > Edit > select "Granted access" > OK > Apply > OK. (This is the client-facing ActiveSync directory, so allowing all addresses here is expected; it is the back-end exchange-oma directory from KB817379 that should stay restricted to the server itself.)

4. Then either reboot the server, restart the IIS Admin service, or issue an “iisreset /noforce” command.

 

Related Articles, References, Credits, or External Links

NA