Sunday, September 20, 2015

Configuring Exchange 2013 Activesync in a Lab Environment


When we install Exchange server 2013, the exchange activesync gets installed automatically as part of deployment. To know more about prerequisites and installation of exchange 2013 click
 Installing Exchange Server 2013.

Microsoft Exchange server 2013 activesync let user access mail, contact, tasks and calendar information directly from their mobile devices. The mobile device must be configured for activesync and activesync feature must be enabled for exchange 2013 users. Also user should consider using a service provider that supports direct push for their mobile clients because activesync works on both HTTPS and direct push.

In this article, we will configure a simple windows mobile 6.1 emulator for exchange activesync for a exchange sever 2013 mailbox user.

There is two part in this configuration
  1. Exchange server 2013 configuration
  2. Windows Mobile 6.1 configuration
Before we proceed, you must configure exchange sever 2013 client access role for external access. You need a certificate from known trusted certificate authority or Windows Enterprise Certificate Authority to secure communication between exchange server 2013 and Windows Mobile 6.1. This configuration works with other versions of Windows mobile Emulators also.

Exchange Server 2013 Activesync Configuration Steps

If you have already deployed exchange server 2013, then open Exchange Admin Center, you can access it from the following URL.

https:// <server_name>/ecp/?ExchClientver=15

Click on recipients and right above recipient's display name, click on + and open newUserMailbox wizard.

Exchange Admin Center

Type in the user name, display name and log on name of the user.

Create a new user

Click Save to save the user information.

Verify Activesync feature for new user

Select the new user and view it's property on right side of the windows. You should see activesync enabled for the user by default. Click Server from left to view server related configurations.

Avtivesync virtual directory

Under Server > click Virtual Directories and select Microsoft-Server-Active Sync (Default Web Site) virtual directory. This virtual directory must be configured for internal and external URL. The internal URL for activesync is for devices that connect through corporate network. For example,

https://exch2013.wt.com/Microsoft-Server-Active Sync (Default Web Site)/

It points to the exchange server 2013 client access host name for name resolution. Note that all activesync request from mobile clients are sent to activesync virtual directory. The external URL is no different, but the only difference is host name that should be published with a external dns server.For example,

https://mail.wt.com/Microsoft-Server-Active Sync (Default Web Site)/

The above is true for other virtual directories if you have not configured Exchange server 2013 client access role.
Activesync virtual directory settings
Type the appropriate internal and external url as discussed previously. There are some other important settings under authentication. SSL must be true for this virtual directory because we are going to use SSL certificate for Activesync. 
Since, most of the mobile users are external to the domain and connect from Internet, we will make sure that authentication method is basic. So when we select basic the password is sent in clear text and that is why it is necessary to secure the exchange server 2013 and mobile device communication using certificate.
Do not select any other setting and click Save to save the information.

Authentication settings for ActiveSync virtual directory

Configuring Certificate for Exchange Server 2013 Client Access Server for ActiveSync

Next we will configure certificate for exchange server 2013 client access server, click Certificate tab under Server.

Certificates Configuration

This part requires that we already have access to a certificate authority or Windows Enterprise Root CA in the domain. We have a Enterprise Root CA for the purpose for this lab. Select the Client Access Server which you want to configure and click + to open New Exchange Certificate. Note that you can also create a certificate request through Exchange 2013 Management Shell using New-Exchange Certificate cmdlets.

Create a new Certificate Request

There are two options to create a.certificate request.
  1. Create a certificate request from a Certificate Authority.
  2. Create a self-signed certificate.
The difference between self-signed  and certificate from CA is the root certificates that validates the certificate. In case of self-signed there is not root certificate in the absence of a CA. That's way you need to click on Create a certificate request from a CA option.

Friendly name for Certificate

Type a friendly name for the certificate and click next to continue. The next page is to enable Wild card for the certificate. The certificate has *.domain entry which make sure that the host name is resolved dynamically.
Skip this option as we do not want any wild card certificate, instead we will create a SAN certificate that supports multiple url names, meaning certificate will honor multiple dns names for various client access services such as auto discover, activesync, owa, ecp, etc.

Do not choose wild card options

In the next screen, you will receive an option to change the domain name of all the client access services.
Select Activesync and click the Edit option to change its url that match the url on the Activesync virtual directory.

Change Domain url that match virtual directory settings

The summary of all the URLs for the certificate is displayed and the one highlighted on the top will be the common name of the certificate. A common name of the certificate is the one which will be shown on top when you view certificate information, other URLs will be under Subject Alternative Names field.

Summary of the URLs

Now provide other information about the certificate such as Company name, Country, Department, City, etc. Click on Next to continue.

Save your request  as .REQ file

The certificate request is almost complete and the only thing remaining is to save the request file as .REQ file to a safe location. The request must be generated from a server where we plan to install it later. 

View the Certificate request status

When you review the Certificate section, the status of you certificate request is Pending. That's because we need to submit our certificate request and get a valid certificate and import it on the server.

Certificate Request information

Go to the location where you have saved the .REQ file and open it and you should see information similar to the above screenshot. Copy the information to clipboard. Open the CA Web Enrollment page as follows

type http:// < server name or IPaddress >/Certsrv and type domain administrator credentials to log on.
You should see the page for Certificate Server Web Enrollment.

Web Enrollment

Click on Request a Certificate option and then click Advanced Certificate Request and click on Submit a certificate request by using base64......

Submit your request to base64 encoded...

Now it is time to submit your request information, paste you certificate information copied earlier and select Web sever as certificate template. Click Submit to submit your request.

Submit you request and click Submit

Once you have received a certificate from your CA, you can save it to disk drive. Open the Exchange Admin Center > Server > Certificates.

Import the certificate

Now click on the three dots just above the server name and Import/ Export Exchange Certificate option will appear. Select Import Exchange Certificate option.

Alternatively, you can import using Exchange Management Shell cmdlets.

Import certificate using Exchange Management Shell.

Verify the status of the certificate under Exchange Admin Center and you will find that it shows Valid.

Exchange Certificate Status is Valid

It is not enough to create a certificate, but you must assign the certificate to client access services.

Assign Exchange Certificate to Services.

We will assign this certificate to IIS service only and click Save to save the settings. There are other activesync settings but we can set those after a proper communication between device and the server is established.


In this first part of article, we have configured exchange server 2013 for Activesync. Though the configuration is straight forward , we must be careful about few things such as

  1. Do not choose wrong authentication settings for activesync virtual directory.
  2. Configure proper certificates for Client Access sever and it must not be an expired one.
  3. External and internal URLs for ActiveSync virtual directory must be included in the certificate properly.
We now come to end of our first part, these configurations are only for a test lab setup, to implement the same on a production you must plan the deployment thoroughly.We recommend to test it out in a lab first and understand  the deployment completely.
In the next part we will configure a Windows Mobile 6.1 client and test out our server configuration and discuss few troubleshooting steps to resolve activesync issues.

No comments:

Post a Comment