In this configuration, the mobile device utilizes the mobile operator’s cellular data network to communicate using the Internet to an outer firewall that the organization uses to restrict traffic. The outer firewall port forwards the EAS traffic (via SSL port 443) inbound to the inner third party device to forward to the Exchange Server 2003 for processing.
The figure below illustrates an end-to-end example of a typical over the air Exchange ActiveSync deployment.
To ensure that Microsoft Exchange ActiveSync functions correctly in this scenario, Microsoft recommends that port 443 inbound be opened on both third party firewall products so that the Windows Mobile device can communicate directly with the Exchange Server. This is a network requirement for Exchange ActiveSync to work properly whether using Microsoft direct push technology (default setting) and/or Always Up-to-Date Notifications (optional).
Deployment on a Single Server
If your mobile messaging solution uses a single Exchange server, you may have to establish some special configurations to avoid conflicts on the virtual directory.
In a single-server configuration, Exchange Server ActiveSync accesses the Exchange virtual directory via port 80 by using Kerberos authentication. Exchange ActiveSync cannot access the Exchange virtual directory if either of the following conditions is true:
The Exchange virtual directory is configured to require SSL.
Forms-based authentication is configured.
For more information about, and workarounds for, these configurations, see the following article in the Microsoft Knowledge Base:
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003. http://go.microsoft.com/fwlink/?LinkId=62660
When deployed in a single-server configuration, the Exchange ActiveSync Mobile Administration Web tool requires the default configuration on the ExAdmin virtual directory. By default, SSL is not turned on and the virtual directory has Windows Integrated authentication.
In a single-server configuration, we recommend that you do the following on the ExAdmin virtual directory:
The Exchange ActiveSync Mobile Administration Web tool should run in the ExchangeAppPool.
For more information, see the following article in the Microsoft Knowledge Base:
Error message when you try to use the Microsoft Exchange Server ActiveSync Web Administration tool to delete a partnership or to perform a Remote Wipe operation on a mobile device in Exchange Server 2003 SP2: "(401) Unauthorized". http://support.microsoft.com/kb/916960/en-us
RSA SecurID Compatibility
RSA SecurID provides token-based authentication that requires user input and was not compatible with direct push technology, in which the device synchronizes automatically. RSA has updated the RSA Authentication Agent for Windows so that direct push technology and scheduled synchronization features function smoothly.
ISA Server 2006 works with SecurID token authentication. See the ISA Server 2006 documentation.
If you are using the RSA SecurID product, be sure to get the latest RSA SecurID software from the RSA Security Web site: http://go.microsoft.com/fwlink/?LinkId=63273.
If you have forms-based authentication set up on an Exchange organization for Exchange ActiveSync on an Exchange Server with no back-end, additional configurations may be required. For more information about these configurations, see the following article in the Microsoft Knowledge Base: http://go.microsoft.com/fwlink/?LinkId=109221
Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003
Exchange Server 2003 SP2 forms-based authentication does not allow you to set the default domain setting in IIS to anything other than the default domain setting of \. This restriction is in place in order to support user logons that use the User Principal Name format. If the default domain setting in IIS is changed, Exchange System Manager resets the default domain setting to "\" on the server.
You can change this behavior by customizing the Logon.asp page in the OWA virtual directory in IIS to specify your domain or to include a list of domain names. However, if you customize the Logon.asp page in the OWA virtual directory in IIS, your changes may be overwritten if you upgrade to, or re-install, Exchange Server 2003 SP2.
Deployment with the Exchange Front End Server in a Perimeter Network
If your deployment configuration has the Front-End Exchange server inside the DMZ or perimeter network, you may have to change the firewall settings to facilitate the direct push technology.
This option is not recommended for new mobile messaging solutions.
With direct push technology, whenever the back end server receives e-mail or data to be transmitted to a mobile device, it sends a UDP notification to the front-end server. This transmission requires that UDP port 2883 be open on the firewall to allow one-way traffic from the back-end server to the front-end server.
For more information about the deployment of direct push technology and its impact on firewall configuration, see the Exchange Server blog article "Direct push is just a heartbeat away" at http://go.microsoft.com/fwlink/?LinkId=67080.
For more information about configuring a front-end server in the DMZ, see "Front-End and Back-End Server Topology Guide for Exchange Server 2003 and Exchange 2000 Server" at http://go.microsoft.com/fwlink/?LinkId=62643.
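The firewall requirements stated above for the two-firewall direct push topology (TCP 443 inbound through both firewalls) and for a front-end server in the perimeter network (UDP 2883 one-way from back-end to front-end) can be checked against a candidate rule set. The following is an added example, not Microsoft tooling or code from this guide; the rule format, zone names and host names ("outer", "inner", "exchange", "backend", "frontend") are assumptions.

```python
# Added example: audit a firewall rule set against the flows this guide requires.
# Rule format and zone/host names are assumptions, not part of the original document.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    firewall: str  # device the rule lives on: "outer" or "inner"
    proto: str     # "tcp" or "udp"
    port: int
    src: str       # source zone or host
    dst: str       # destination zone or host


# Flows required by the topologies described on this page:
#  - direct_push: port 443 inbound on both firewalls so the device reaches Exchange
#  - frontend_in_dmz: UDP 2883 one-way from the back-end to the front-end server
REQUIRED = {
    "direct_push": (
        Rule("outer", "tcp", 443, "internet", "inner"),
        Rule("inner", "tcp", 443, "outer", "exchange"),
    ),
    "frontend_in_dmz": (
        Rule("inner", "udp", 2883, "backend", "frontend"),
    ),
}


def audit(rules, scenarios):
    """Return (missing, extra) for the chosen deployment scenarios.

    'missing' lists required flows the rule set does not permit (direct push
    or notifications will fail); 'extra' lists rules no chosen scenario needs,
    e.g. UDP 2883 opened in the wrong direction, which is where a
    least-privilege review should focus."""
    needed = {r for s in scenarios for r in REQUIRED[s]}
    have = set(rules)
    missing = sorted(needed - have, key=repr)
    extra = sorted(have - needed, key=repr)
    return missing, extra


# Constructed sample rule set: 443 is correct on both firewalls, but UDP 2883
# was opened from front-end to back-end, the reverse of what direct push needs.
SAMPLE_RULES = [
    Rule("outer", "tcp", 443, "internet", "inner"),
    Rule("inner", "tcp", 443, "outer", "exchange"),
    Rule("inner", "udp", 2883, "frontend", "backend"),
]
```

Running audit(SAMPLE_RULES, ["direct_push", "frontend_in_dmz"]) reports the missing back-end to front-end UDP 2883 rule and flags the reversed one as unneeded.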