Microsoft Exchange 2003 Direct Push and the Apple iPhone 3G

Like any good technophile I picked up a new iPhone 3G on Friday the 11th and the very first thing I did when getting back to the office was to try to get my Exchange Server to do Direct Push. The documentation on the subject is scattered across many sites, which caused me some small frustrations, so hopefully this post will save someone some time.

For the sake of simplicity this article will deal with the simple case of:

  • Stand alone Exchange, i.e. not a front-end/back-end setup
  • No proxy server, e.g. ISA
  • Single firewall

Frankly if your setup is more complicated than that you probably already know how to do this and aren’t reading this anyway. Moving right along…

This is what you’ll need before you get started:

  • An iPhone 3G (it doesn’t work on the v1 phone)
  • Exchange Server 2003 SP2 or later
  • Access to your firewall/router
  • A fixed IP address on the internet
  • Access to your domain settings
  • A valid SSL certificate on your Exchange server – get one, they’re not that expensive

Background

Direct Push works because the internet is slow. That’s the headline.

Basically the iPhone makes an HTTPS connection to your Exchange Server’s “Microsoft-Server-ActiveSync” virtual folder (most likely on the default web site) and sends a request that the server deliberately does not answer straight away. It holds each connection open as long as possible, or until a pre-configured timeout occurs. Should you receive an email while that request is pending, Exchange answers it immediately and the iPhone tells you that you have new mail; otherwise the request simply times out and the phone sends a new one. Simple as that. The reason it works is that HTTP never required the server to respond instantly to a request (see “slow” above), and Direct Push takes advantage of this extended open connection.

To prevent your battery from draining in 25 minutes flat the chatter on the connection is kept to a minimum. It’s very clever.

Before You Start

If you have a Wi-Fi connection active on the phone it won’t work. Direct Push only works over the air (the 3G connection). This is because the Wi-Fi radio will kill your battery. With Wi-Fi enabled I believe the phone reverts to a pull model, based on observation, but I can’t confirm that.

Setup

Is your iPhone’s Wi-Fi off?

Step 1. Router/Firewall Setup

  • Go to the “Port forwarding” or “Services” setup
  • Open port 443 on TCP to enable the HTTPS communication – do not be tempted to do this using HTTP. It’s possible, but don’t do it. You have been warned.
  • Make sure the endpoint is your Exchange server’s internal IP address
  • Restart the router/firewall

Step 2. Domain Name Setup

  • Add a new host to your internet domain called “exchange” and point it to your router’s fixed internet IP address – not absolutely necessary but it makes everything a bit clearer if you ask me.

Step 3. Exchange 2003 SP2 Setup

  • Open Exchange System Manager
  • Expand “Global Settings”
  • Right-click “Mobile Services” and select “Properties”
  • There are several options required to support older technologies but the ones you want right at the moment are as follows:
    • Enable user initiated synchronisation – get the whole thing started
    • Enable Direct Push over HTTP(S) – the bit we want
  • Optionally configure Device Security – I recommend it cause then if you lose the thing you can do a “remote wipe”. These are the settings I like:
    • Enforce password on device – makes you enter a PIN to get into the iPhone which is a bit of a pain but worth it for the security. Do you want anyone who finds your phone to have access to all your email and contacts? Cause that’s what will happen.
    • Wipe device after failed attempts – this means if you get the password wrong enough times the phone will wipe itself. Set this number as low as you dare.
    • Refresh settings on the device – set this to 24 to ensure the security policy is checked for updates daily

Step 4. Configure Your Users

  • Open Active Directory Users and Computers on the Exchange server
  • Right-click the user to configure and select “Exchange Tasks”
  • Select “Configure Exchange Features” from the task list
  • Under “Mobile Services” ensure that “User Initiated Synchronisation” and “Up-to-date Notifications” are set to Enabled – the Enable and Disable buttons are cleverly hidden at the bottom of the Features grid

Step 5. Configure IIS

  • On the Exchange server open up Internet Information Services Manager
  • Locate the web site containing the virtual folder named “Microsoft-Server-ActiveSync”
  • Right-click the web site in the left pane tree and select “Properties”
  • On the “Web Site” tab enter 443 in the “SSL port” – note this may cause a problem if you already have an SSL site on the server
  • On the “Directory Security” tab set up your SSL certificate – setting this up is beyond the scope of this article but very straightforward. Google it. Remember: if you have been following along the server will be named exchange.mydomain.com and not www.mydomain.com. Make sure your SSL certificate has the correct name.

Step 6. Test Your Server Setup

  • Open a web browser and point it to https://exchange/OMA where “exchange” is the name of your Exchange server (mine is called exchange)
  • You might get a certificate error; that will be because the server name on the certificate does not match the server name you typed – that’s OK when connecting to the server from the inside – just continue
  • Enter your network credentials (i.e. login) in the form DOMAIN\username for the “User name” field
  • You will probably get a warning page saying the device type is not supported, just click OK
  • If you’ve got it right you will see a text version of your mailbox – if not see Troubleshooting below

Step 7. Setup your iPhone

  • Turn Off Wi-Fi
  • Tap “Settings”, “Mail, Contacts, Calendars”
  • Under “Accounts” tap “Add Account…”
  • Tap “Exchange”
  • Enter your email address, username (in the form DOMAIN\username) and password
  • Ensure SSL is on
  • Set the “Server” field to exchange.mydomain.com (substitute mydomain for whatever your domain name is, obviously)

That’s it – should be up and running now. Send yourself an email and see.

Troubleshooting

In my brief time setting this up here are the places where you might come unstuck:

  • Router/firewall – make sure you have 443 pointed at your Exchange server
  • Exchange test failed? It did for me! – I got a bunch of errors the first time I ran the Exchange test. To resolve them check the following:
    • The ASP.Net version on the OMA virtual folder is set to 1.1.4322 (the Microsoft-Server-ActiveSync can stay at 2.0.50727)
    • The App Pool account (normally Network Service) has read/execute privilege on the appropriate Exchange folders (e.g. “C:\Program Files\Exchsrvr\OMA\Browse”)
    • The App Pool account has read/write privilege on BOTH ASP.Net framework versions’ temp folders (i.e. “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files” and “C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files”)
  • DNS name – make sure you have allowed sufficient time for the new name “exchange” to have fully delegated. This can take 24 hrs.
  • Firewall problems – Some firewalls have an idle connection timeout that will need to be increased to at least 15 minutes (Microsoft’s recommendation); if it is shorter, the firewall is silently disconnecting the open push connection – check your documentation or, as always, Google
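To make the Background section and the firewall timeout point concrete, here is a small simulation (added here; it is not code from the original post, Microsoft or Apple) of the heartbeat loop: the phone holds one request open for its heartbeat interval, a stateful firewall drops any connection idle longer than its timeout, and the phone backs off after a drop. The interval values, the +120 s ramp and the halving back-off are assumptions for illustration, not the real ActiveSync algorithm.

```python
"""Simplified Direct Push heartbeat model (added example, not the post's code).
The phone holds one HTTPS request open for its heartbeat interval; a stateful
firewall drops a connection that carries no traffic for longer than its idle
timeout; after a drop the phone backs off.  Interval values, the +120 s ramp
and the halving back-off are assumptions, not the real ActiveSync algorithm."""
from dataclasses import dataclass, field

@dataclass
class Firewall:
    idle_timeout_s: int  # connection is silently dropped if idle longer than this

@dataclass
class DirectPushClient:
    heartbeat_s: int = 480  # assumed starting interval (8 min)
    step_s: int = 120       # assumed ramp-up after a quiet, successful round
    min_s: int = 60
    max_s: int = 1740       # assumed 29 min ceiling
    dropped: int = 0
    log: list = field(default_factory=list)

    def ping(self, fw: Firewall, mail_after_s: int = 0) -> str:
        """One round: issue the long-lived request and wait for the outcome."""
        held = self.heartbeat_s
        if 0 < mail_after_s < held:
            held = mail_after_s  # server answers early because mail arrived
        if held > fw.idle_timeout_s:
            # No bytes flowed for longer than the firewall allows, so it dropped
            # the connection; the phone only notices when its interval ends.
            # Back off, and never try an interval that long again.
            self.dropped += 1
            self.max_s = max(self.min_s, min(self.max_s, held - self.step_s))
            self.heartbeat_s = max(self.min_s, held // 2)
            self.log.append(("dropped", held))
            return "dropped"
        if held < self.heartbeat_s:
            self.log.append(("sync", held))  # new mail: heartbeat unchanged
            return "sync"
        # "no changes" reply at the end of the interval: try a longer one
        self.heartbeat_s = min(self.max_s, held + self.step_s)
        self.log.append(("idle", held))
        return "idle"

    def run(self, fw: Firewall, rounds: int) -> "DirectPushClient":
        for _ in range(rounds):
            self.ping(fw)
        return self

if __name__ == "__main__":
    for timeout in (300, 900):  # a 5 min firewall vs Microsoft's 15 min advice
        c = DirectPushClient().run(Firewall(timeout), 10)
        print(f"idle timeout {timeout}s: {c.dropped} drops, "
              f"heartbeat settles at {c.heartbeat_s}s")
```

With a 5 minute idle timeout the phone keeps losing connections and settles on a short heartbeat, which means more reconnects, more traffic and a flatter battery; with 15 minutes it loses one connection and settles at a long interval.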

Helpful Links

Some of the pages that helped me:

Microsoft - Enterprise firewall configuration for Exchange ActiveSync Direct Push Technology

Exchange Team Blog – Direct Push is just a heartbeat away

Brian M Posey (Exchange MVP) – Microsoft Exchange Direct Push Technology (seems to be broken)

Apple’s less than complete instructions (don’t worry, it’s Apple, it just works! Right?)


20 Responses to “Microsoft Exchange 2003 Direct Push and the Apple iPhone 3G”

  1. Tom Says:

    In the Exchange 2003 settings, does the “Enable Outlook Mobile Access” option need to be selected? This is in the “Mobile Services Properties” pane, just beneath the ActiveSync settings you mention.

  2. Yalag Says:

    This is great and all except if push doesn’t work over Wi-Fi, it is completely useless. The iPhone will stay on the Wi-Fi whenever it can, and push will stop working… imagine you walk into a coffee shop, Wi-Fi is detected. Push will not work for the time of your stay…

  3. David Says:

    You state that push only works with the 3G iPhone. That is not the case. I’m running the 1st gen iPhone with the 2.0 firmware and I can say this for fact: Push email works with Exchange 2007. Not only does email push work, but calendar and contacts as well.

  4. Ehsan Says:

    This was by far the best explanation I have found on the web of Exchange Direct Push working with the iPhone (and I’ve been searching through dozens of sites). Thank you so much for an insightful article.

  5. Richard Says:

    >> David
    Hi David, I have heard of first gen iPhones being set up to work over IMAP, and you can set up the second gen this way too I believe. The 2nd gen’s “push” uses Exchange ActiveSync and this is an event-driven model, rather than the pull model for IMAP (and WiFi).

    If you have push setup properly, you can sit in front of your PC/Mac and send yourself an email and the email will show up on the phone as fast or faster than when it hits your Outlook/Entourage client. That’s “push”. With WiFi on and the same settings it takes many minutes and the phone has to be on (i.e. not in standby), that’s the timer.

    >>Yalag
    Hi Yalag, I agree it’s stupid. Actually the longer I use the thing the more stupid “features” I discover. I would definitely not class this as a business-ready device yet. On the other hand, my plan carries 500MB per month and with WiFi off (note you can’t download tunes or software over the air, only on WiFi or in the cradle) I am still barely using 100MB so I just have WiFi off now. 3G is more than enough for email.

    >> Tom
    Hi Tom, I can’t remember - I’ll check and get back to you.

  6. Richard Says:

    Update: Sorry but the excellent article I’ve linked written by Brian Posey seems to have moved or perhaps requires a password - at any rate I can’t seem to find it just now.

  7. Richard Says:

    >>Tom
    Hi Tom, the Outlook Mobile Access feature has two components, neither of which is required for the Push to work, 1) Outlook Mobile Client which is MS Outlook for a mobile device - obviously a Win Mobile device; and 2) Web access for mobile devices i.e. HTML, xHTML, or cHTML.

    On my phone I can access my email via the iPhone’s email client or the web browser using the full web client at “https://mail.mydomain.com/exchange” or the mobile client at “https://mail.mydomain.com/oma”.

    The short answer is no, you don’t need that checked.

  8. Richard Says:

    >>Tom Update:

    OK - while technically you don’t need the “Enable Outlook Mobile Access” setting on for push to work you will need it to follow my instructions, because the test in Step 6 hits the OMA (Outlook Mobile Access) site.

  9. ISS_Jon Says:

    Ok.. GREAT article… but can I get some more info..

    I think I am having an IIS issue, but unsure….

    We use Webmail while on the road and SSL port 443 was already open in the firewall.

    When I browse to our exchange/OMA I get the following: After logging in:

    “Item no longer exists. The item you are attempting to access may have been deleted or moved.”

    Is this a permissions thing? Where do I check?

  10. dil okulu Says:

    is there any information about this in other languages, maybe german or other else?

  11. Richard Says:

    >>ISS_Jon
    Hi Jon,

    If it’s an IIS thing it may help to look at the site logs and make sure you’re accessing the URL you think you are - it should have info about HTTP response codes, URLs and security info.

    If it’s a permissions problem I’d guess Exchange and not IIS so maybe make sure the user account is allowed to access OMA. From AD Users and Computers on the Exchange box right-click the user and check the “Exchange Features”.

    dil okulu>>
    I’m sure other people have written about this stuff in other languages but I only speak English. Can I suggest Google translate or Babelfish?

  12. Raul Haynes Says:

    Hi, I have a 3G iPhone and my issues seem to be very different from all others. I connected to my Exchange server over Wi-Fi when I first set up the phone. My account verified and was working as expected. I left for work this morning and turned off Wi-Fi and the 3G/EDGE cell network took over. I continued to receive email for some time over the cell network. However I have noticed that if I use Safari or AIM on the phone it will sever my connection to Exchange and will not reconnect until I get another Wi-Fi connection. Is there anyone out there having this issue? Also I am able to set up a Moto Q for push without any problems.

  13. rgclements Says:

    Fantastic article. Just what I was looking for… Thanks for the help.

  14. shannon Says:

    Great article, thanks for the info, which finally got my push to work. However I’m confused about the security of this.
    I’ve got 3 different places to enable or disable SSL.
    2 of which I’ve had to disable otherwise push won’t work because I have a single exchange server.
    The first is my IIS Virtual directory. Under secure communications tab I’ve had to uncheck the “require secure channel (SSL)”
    Second is my mobile phone. I’ve had to uncheck the “server requires an encrypted SSL connection”. If either of these are checked then I get various errors and push doesn’t work.
    However, in Exchange manager under mobile services I have “Enable Direct Push over HTTP(S)” turned on.
    So based on this configuration I’m pretty sure that I’m running without SSL, leaving usernames and password in the clear. Does anyone know how to secure this without building a front-end exchange server?
    Thanks.

  15. Richard Says:

    >> Raul
    Hi Raul, haven’t come across that myself - maybe check in with the Genius bar at your local Apple store??

    >> Shannon
    Hi Shannon, I wouldn’t run Push without SSL cause your email content is being transmitted in the clear, I will check about passwords cause I have a feeling they are still encrypted. At any rate you are definitely not using SSL in your setup and you should be. You will need to get a commercially signed certificate to get it to work properly in my experience.

  16. dil okullari Says:

    it would be better with other languages support, but thanks..

  17. Grant Philipps Says:

    Great article - thank you very much. Been trying to get this working for hours, noticed you mention that if Wi-Fi is turned on it won’t work - my problem fixed!!! Just tested it when the phone is locked and it took less time to show up on the iPhone than it did in Outlook. Thanks again!

  18. marty Says:

    for those that are still having issues even with firewall settings properly set, SSL cert installed, etc.

    Send this to your IT guys and ask if this applies to your org. I have a single exchange server at home and SSL enabled so fell into this category.

    Once I did the steps here (method 2) I was all good.
    http://support.microsoft.com/kb/817379

    Good luck!

  19. Daniel Craig Says:

    Hi there, I was looking around for a while searching for firewall microsoft and I happened upon this site and your post regarding ft Exchange 2003 Direct Push and the Apple iPhone 3G | 5 Limes Blog, I will definitely this to my firewall microsoft bookmarks!

  20. Buy iphone Says:

    Very interesting post, I bookmarked your blog, thanks for sharing.
    I will visit your blog later
