Microsoft Exchange 2003 Direct Push and the Apple iPhone 3G

Posted on Feb 26, 2014 in Technical

Like any good technophile I picked up a new iPhone 3G on Friday the 11th and the very first thing I did when getting back to the office was to try to get my Exchange Server to do Direct Push. I have had some small frustrations from the wide distribution of documentation on the subject so hopefully this post will save someone some time.

For the sake of simplicity this article will deal with the simple case of:

  • Stand alone Exchange, i.e. not a front-end/back-end setup
  • No proxy server, e.g. ISA
  • Single firewall

Frankly if your setup is more complicated than that you probably already know how to do this and aren’t reading this anyway. Moving right along…

This is what you’ll need before you get started:

  • An iPhone 3G (it doesn’t work on the v1 phone)
  • Exchange Server 2003 SP2 or later
  • Access to your firewall/router
  • A fixed IP address on the internet
  • Access to your domain settings
  • A valid SSL certificate on your Exchange server – get one, they’re not that expensive

Background

Direct Push works because the internet is slow. That’s the headline.

Basically the iPhone makes an HTTPS connection to your Exchange Server’s “Microsoft-Server-ActiveSync” virtual folder (most likely on the default web site) and issues a request that the server is allowed to answer late. It holds each connection open as long as possible, or until a pre-configured timeout occurs. Should you receive an email while the connection is open, Exchange answers the waiting request straight away, which tells the iPhone that you have new mail; if nothing arrives the request simply times out and the phone issues a new one. Simple as that. The reason it works is that HTTP does not require the server to respond to a request immediately (see “slow” above), and Direct Push takes advantage of that extended open connection.

To prevent your battery from draining in 25 minutes flat the chatter on the connection is kept to a minimum. It’s very clever.
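The hanging-request mechanism described above, as an added Python example that is not part of the original post and does not reproduce Exchange ActiveSync’s real wire format: a local HTTP server holds each request until a mail event fires or a heartbeat timer expires (two seconds here, a constructed value far shorter than a real device’s), and the client re-issues the request every time it comes back empty.

```python
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HEARTBEAT_SECONDS = 2.0       # longest the server may hold a request open
new_mail = threading.Event()  # set when a "message arrives" in the mailbox


class PushHandler(BaseHTTPRequestHandler):
    """Server side: hold each GET until mail arrives or the heartbeat expires."""

    def do_GET(self):
        changed = new_mail.wait(timeout=HEARTBEAT_SECONDS)
        if changed:
            new_mail.clear()  # consumed; the next request waits afresh
        body = b"changes" if changed else b"no-changes"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def wait_for_mail(port, max_rounds):
    """Client side: re-issue the hanging request until the server reports a change.
    Returns (rounds_used, elapsed_seconds), rounds_used being None on no news."""
    start = time.monotonic()
    for rounds in range(1, max_rounds + 1):
        with urllib.request.urlopen(f"http://127.0.0.1:{port}/push") as resp:
            if resp.read() == b"changes":
                return rounds, time.monotonic() - start
    return None, time.monotonic() - start


def demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), PushHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    # Quiet mailbox: the request hangs for the whole heartbeat, then returns
    # "no-changes". A firewall idle timeout shorter than this is what breaks push.
    quiet = wait_for_mail(port, max_rounds=1)
    # Mail lands 0.5 s into the next request: answered at once, no waiting.
    threading.Timer(0.5, new_mail.set).start()
    pushed = wait_for_mail(port, max_rounds=3)
    server.shutdown()
    server.server_close()
    return quiet, pushed
```

Scale HEARTBEAT_SECONDS up to the quarter-hour a real device waits and the quiet round is exactly the connection a firewall’s idle timeout will cut off, which is why the Troubleshooting section below asks for at least 15 minutes.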

Before You Start

If you have a Wi-Fi connection active on the phone it won’t work. Direct Push only works over the air (the 3G connection). This is because the Wi-Fi radio will kill your battery. With Wi-Fi enabled I believe the phone reverts to a pull model, based on observation, but I can’t confirm that.

Setup

Is your iPhone’s Wi-Fi off?

Step 1. Router/Firewall Setup

  • Go to the “Port forwarding” or “Services” setup
  • Open port 443 on TCP to enable the HTTPS communication – do not be tempted to do this using HTTP. It’s possible, but don’t do it. You have been warned.
  • Make sure the endpoint is your Exchange server’s internal IP address
  • Restart the router/firewall

Step 2. Domain Name Setup

  • Add a new host to your internet domain called “exchange” and point it to your router’s fixed internet IP address – not absolutely necessary but it makes everything a bit clearer if you ask me.

Step 3. Exchange 2003 SP2 Setup

  • Open Exchange System Manager
  • Expand “Global Settings”
  • Right-click “Mobile Services” and select “Properties”
  • There are several options required to support older technologies but the ones you want right at the moment are as follows:
    • Enable user initiated synchronisation – get the whole thing started
    • Enable Direct Push over HTTP(S) – the bit we want
  • Optionally configure Device Security – I recommend it because then if you lose the thing you can do a “remote wipe”. These are the settings I like:
    • Enforce password on device – makes you enter a PIN to get into the iPhone which is a bit of a pain but worth it for the security. Do you want anyone who finds your phone to have access to all your email and contacts? Because that’s what will happen.
    • Wipe device after failed attempts – this means if you get the password wrong enough times the phone will wipe itself. Set this number as low as you dare.
    • Refresh settings on the device – set this to 24 to ensure the security policy is checked for updates daily

Step 4. Configure Your Users

  • Open Active Directory Users and Computers on the Exchange server
  • Right-click the user to configure and select “Exchange Tasks”
  • Select “Configure Exchange Features” from the task list
  • Under “Mobile Services” ensure that “User Initiated Synchronisation” and “Up-to-date Notifications” are set to Enabled – the Enable and Disable buttons are cleverly hidden at the bottom of the Features grid

Step 5. Configure IIS

  • On the Exchange server open up Internet Information Services Manager
  • Locate the web site containing the virtual folder named “Microsoft-Server-ActiveSync”
  • Right-click the web site in the left pane tree and select “Properties”
  • On the “Web Site” tab enter 443 in the “SSL port” – note this may cause a problem if you already have an SSL site on the server
  • On the “Directory Security” tab set up your SSL certificate – setting this up is beyond the scope of this article but very straightforward. Google it. Remember: if you have been following along the server will be named exchange.mydomain.com and not www.mydomain.com. Make sure your SSL certificate has the correct name.

Step 6. Test Your Server Setup

  • Open a web browser and point it to https://exchange/OMA where “exchange” is the name of your Exchange server (mine is called exchange)
  • You might get a certificate error; that will be because the name on the certificate (exchange.mydomain.com) does not match the internal server name you just typed – that’s expected when connecting to the server from the inside, so just continue. Any other certificate error is worth investigating before you go further.
  • Enter your network credentials (i.e. login) in the form DOMAIN\username for the “User name” field
  • You will probably get a warning page saying the device type is not supported, just click OK
  • If you’ve got it right you will see a text version of your mailbox – if not see Troubleshooting below

Step 7. Set Up Your iPhone

  • Turn Off Wi-Fi
  • Tap “Settings”, “Mail, Contacts, Calendars”
  • Under “Accounts” tap “Add Account…”
  • Tap “Exchange”
  • Enter your email address, username (in the form DOMAIN\username) and password
  • Ensure SSL is on
  • Set the “Server” field to exchange.mydomain.com (substitute mydomain for whatever your domain name is, obviously)

That’s it – should be up and running now. Send yourself an email and see.

Troubleshooting

In my brief time setting this up here are the places where you might come unstuck:

  • Router/firewall – make sure you have 443 pointed at your Exchange server
  • Exchange test failed? It did for me! – I got a bunch of errors the first time I ran the Exchange test. To resolve them check the following:
    • The ASP.Net version on the OMA virtual folder is set to 1.1.4322 (the Microsoft-Server-ActiveSync can stay at 2.0.50727)
    • The App Pool account (normally Network Service) has read/execute privilege on the appropriate Exchange folders (e.g. “C:\Program Files\Exchsrvr\OMA\Browse”)
    • The App Pool account has read/write privilege on BOTH ASP.Net framework versions’ temp folders (i.e. “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files” and “C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files”)
  • DNS name – make sure you have allowed sufficient time for the new name “exchange” to have fully delegated. This can take 24 hrs.
  • Firewall problems – Some firewalls have an idle connection timeout that will need to be increased to at least 15 minutes (Microsoft’s recommendation). If push works briefly and then stops, your firewall is probably dropping the idle connection – check your documentation or, as always, Google

Helpful Links

Some of the pages that helped me:

Microsoft – Enterprise firewall configuration for Exchange ActiveSync Direct Push Technology

Exchange Team Blog – Direct Push is just a heartbeat away

Brian M Posey (Exchange MVP) – Microsoft Exchange Direct Push Technology (seems to be broken)

Apple’s less than complete instructions (don’t worry, it’s Apple, it just works! Right?)