Exchange Server Active-Sync and Direct Push E-mail

ITdude Member Posts: 1,181 ■■■□□□□□□□
Hi,

I want to be able to push e-mail and do active-sync with clients using Treo 700WX devices. I was wondering what most people were doing and are you satisfied with it?

I know one option is RPC over HTTP and another is just using SSL with either a third party certificate or internal certificate. Have you tried both or found one more desirable?

This will be running on an SBS 2003 with Exchange SP2 installed already. Any thoughts or configuration advice would be greatly appreciated.

Thanks
I usually hang out on 224.0.0.10 (FF02::A) and 224.0.0.5 (FF02::5) when I'm in a non-proprietary mood.

__________________________________________
Simplicity is the ultimate sophistication.
(Leonardo da Vinci)

Comments

  • royal Member Posts: 3,352 ■■■■□□□□□□
    You can use OMA. You basically throw a public trusted certificate on the IIS server, configure OMA folder to use SSL, and then configure OMA settings on the server, and then configure a user to be allowed to connect. You can have direct push if you upgrade your Exchange 2003 to Service Pack 2. Keep in mind that to support Direct Push, your Mobile devices will need to be at least Windows Mobile 5.0 Messaging and Security Pack Feature. You can read more about this at the following URLs:

    http://www.microsoft.com/windowsmobile/business/directpushemail.mspx
    http://www.petri.co.il/how_to_sync_ppc_with_exchange_2003.htm
    http://www.petri.co.il/configure_oma.htm
    http://www.petri.co.il/configure_ssl_on_oma.htm
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • ITdude Member Posts: 1,181 ■■■□□□□□□□
    Thanks royal. Well I already upgraded the Exchange Server 2003 to SP2 and all the devices are brand new Treo 700 WX running Windows Mobile 5.0.

    How pricey do the third party security certificates usually run?

    Thanks for the links.
  • ajs1976 Member Posts: 1,945 ■■■■□□□□□□
    Third party certs are around $300 a year. We get ours from Verisign. I tried using an internal cert, but depending on the device it can be a pain to get the root certificate added, so it is easier to do a 3rd party cert that already has the root in the device.
    Andy

    2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
  • ITdude Member Posts: 1,181 ■■■□□□□□□□
    That is kinda what I was thinking too. However, this client is very tight with the budget, so it might be a hard sell!
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    ITdude wrote:
    That is kinda what I was thinking too. However, this client is very tight with the budget, so it might be a hard sell!

    Just tell him it will cost $500 extra to set up a CA, and another $299/year to support it. :P
    All things are possible, only believe.
  • ajs1976 Member Posts: 1,945 ■■■■□□□□□□
    I'm not using Exchange to push the email, but I did have the device set to sync every 30 minutes automatically. I found that the battery wasn't lasting a full day. I now have it set to manual sync. I have a Verizon phone, so it might not be an issue with all makes and models.
  • ITdude Member Posts: 1,181 ■■■□□□□□□□
    Sounds like you have the same kind of evil streak that I do, sprkymrk! This guy is funny. He will spend all kinds of money for toys on his sailboat but pinches pennies when it comes to his network.

    These Treos are on Verizon too...
  • royal Member Posts: 3,352 ■■■■□□□□□□
    At my last client, we got a Verisign SSL certificate. Verisign started to sign their certificates with a subordinate CA instead of their root. The mobile devices for some odd reason wanted the subordinate certificate on the device or they would throw out certificate errors; which is odd since it should only require the root certificate.
  • ITdude Member Posts: 1,181 ■■■□□□□□□□
    Interesting!
  • blargoe Member Posts: 4,174 ■■■■■■■■■□
    royal wrote:
    At my last client, we got a Verisign SSL certificate. Verisign started to sign their certificates with a subordinate CA instead of their root. The mobile devices for some odd reason wanted the subordinate certificate on the device or they would throw out certificate errors; which is odd since it should only require the root certificate.
    We had a similar problem this past week after a reinstall of our OMA server. Compounding the problem was that the subordinate cert as registered in the local computer store was expired on our new server - the expiration date was sometime in 2006 I think. This was on a fresh Windows 2003 SP2 installation with root certificates updated.

    After pressing MS Premier support I was able to influence some modifications to an MS KB article on synchronization failures (cool, huh?)

    http://support.microsoft.com/kb/927465
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • royal Member Posts: 3,352 ■■■■□□□□□□
    The thing is, both the root certificate as well as the subordinate certificate were correctly installed and not expired on both the ISA server as well as the Exchange server. The mobile devices still wanted the subordinate CA installed on the mobile devices. Do you know who you spoke to or have a direct number to the Microsoft guy you talked to? I'd like to speak to him as to why this is happening. The clients should only need the root certificate installed.
  • royal Member Posts: 3,352 ■■■■□□□□□□
    Well, just contacted Verisign and found that mobile devices don't support certificate chaining which is why the subordinate certificate needs to be installed on the mobile devices. Verisign apparently allows you to request certificates signed by the root still for this very reason. Here's the e-mail response I got back:
    Dear Customer

    Unfortunately at this stage Windows Mobile devices do not accept certificate chaining. Thus it was not able to recognize the intermediate root certificate installed on the server. If you requested the secure site certificate you can generate a new csr, then revoke and replace the certificate. You can choose "server does not support chaining" to have a certificate without the intermediate certificate.

    Following are the instructions for replacing your Digital ID. Within 30 days of the issue date, the Digital ID may be replaced at no additional charge. Beyond 30 days of the issue date, the replacement incurs a $100.00 processing charge.
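The chaining behaviour discussed in this thread can be reproduced offline with OpenSSL. This is an added example, not part of any poster's message: it builds a constructed root CA, subordinate CA and server certificate (all names and file paths are made up) and verifies the server certificate the way a root-only client, a chain-building client, and a client with the subordinate installed would.

```shell
#!/bin/sh
# Added example: a constructed three-tier PKI (all names and files are made up).

# Create root CA -> subordinate CA -> server certificate in directory $1.
build_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  for name in root sub leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  done
  # Self-signed root CA.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Subordinate CA, signed by the root.
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null || return 1
  # Server certificate, signed by the subordinate CA.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null || return 1
  # Device trust store for the workaround: root plus subordinate.
  cat "$d/root.pem" "$d/sub.pem" > "$d/device-store.pem"
}

# Client trusts only the root and gets no usable intermediate: expected to fail.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Chain-building client: root trusted, subordinate supplied alongside the leaf.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Workaround from the thread: subordinate certificate installed on the device.
verify_sub_installed() {
  openssl verify -CAfile "$1/device-store.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for check in verify_root_only verify_with_chain verify_sub_installed; do
  if "$check" "$demo_dir"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
rm -rf "$demo_dir"
```

To see which certificates a live server actually presents, `openssl s_client -connect HOST:443 -showcerts` lists them.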
  • ajs1976 Member Posts: 1,945 ■■■■□□□□□□
    Thanks for the info. I just did a renewal and got one of the subordinate certs, but did not have any problems with it.