Exchange 2k7, Touchdown

Have any of you ever configured Exchange 2k7 to work with Touchdown* (from the perspective of the exchange server)? I am not sure we can do it since our Exchange Server is not accessible online (no webmail). But some people are saying with the right port settings in our firewall it can be done. Any thoughts?

I am talking about the app for Android phones.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Touchdown uses ActiveSync to synchronize with Exchange. If you enable and configure ActiveSync correctly, the Touchdown client setup is easy. In fact, you don't even need Touchdown as Google has licensed bits of ActiveSync and includes Exchange integration in Android. The Froyo update is supposed to include support for advanced policies and remote wipe. Touchdown does have a better-looking interface though.

Overview of Exchange ActiveSync: Exchange 2007 Help

Claymoore wrote: »

Touchdown uses ActiveSync to synchronize with Exchange. If you enable and configure ActiveSync correctly, the Touchdown client setup is easy. In fact, you don't even need Touchdown as Google has licensed bits of ActiveSync and includes Exchange integration in Android. The Froyo update is supposed to include support for advanced policies and remote wipe. Touchdown does have a better-looking interface though.

Overview of Exchange ActiveSync: Exchange 2007 Help

I know activesync is configured on our box. I basically have a week to see if I can get this working for a CEO. I am not very familiar with Exchange and my limited experience with was nothing more than dealing with some bad certificates and stuff. It didn't look that difficult (activesync not exchange) to set up though.

Oh and I know 2.2 will fix this but she wants to see if it is even possible and I will only have access to a Droid X for testing (no 2.2 yet).

It's pretty easy to configure Touchdown, it is what I am running on my phone since it's an old G1 which was before Google implemented ActiveSync in their client. Take a look at www.testexchangeconnectivity.com as that one will make it really easy to validate your ActiveSync setup before you move on to testing on the phone. Do note that you have to use standard 80/443 ports as ActiveSync won't work with a non-standard port.

undomiel wrote: »

It's pretty easy to configure Touchdown, it is what I am running on my phone since it's an old G1 which was before Google implemented ActiveSync in their client. Take a look at www.testexchangeconnectivity.com as that one will make it really easy to validate your ActiveSync setup before you move on to testing on the phone. Do note that you have to use standard 80/443 ports as ActiveSync won't work with a non-standard port.

Yea the test fail. I guess I am going to have to look at exchange on Monday

Or how about this. Do you know if I could put like a VPN client onto the DROID and set it inside our network THEN do the configuration? The other admin is very concerned about putting exchange online.

phoeneous wrote: »

Why? That's what SSL is for. Now would be a good time to prove your Sec+ knowledge . Besides, OWA is an invaluable tool. Just the other day I showed the owner how to access it while he is on vaca, he had no clue he could do that. This will benefit your iPhone users too. It's a win win sell, go for it.

I think mostly because we have never done it and he is big on not doing things like that.

I have been given permission to do whatever testing I need to do on this and the mail server this coming week. As long as I can get it working, then we can get DROIDS over Blackberries. My bosses boss (CEO) wants a DROID so it is important that I can get this working.

phoeneous wrote: »

Even on the G1?

On devices with 2.2 I believe.

So I guess I would just need to do this:

Deploying Exchange ActiveSync: Exchange 2007 Help Anyone ever done this? Well I guess I should say, how difficult was it to do?

It isn't difficult at all, in fact most of the Activesync functionality comes preconfigured out of the box and it is just a matter of tweaking things how you want it and making sure you've got your firewall set up correctly. It doesn't take very long to do either.

As far as Android goes...Contacts, Mail and Calendar will sync natively. For tasks to sync youll have to use touchdown.

I'm reading the exchange 2007 helpfile and I am confused about 1 thing. Basically I would need to just open 443 to the exchange server and that would be enough for syncing the Droid right? or am I missing something?

undomiel wrote: »

It isn't difficult at all, in fact most of the Activesync functionality comes preconfigured out of the box and it is just a matter of tweaking things how you want it and making sure you've got your firewall set up correctly. It doesn't take very long to do either.

So this can be done WITHOUT OWA being configured? The help file isn't very clear and neither are answers on the internet.

Well. I think I got my answer (thanks T!) but I don't like it. Sigh.....

knwminus wrote: »

So this can be done WITHOUT OWA being configured? The help file isn't very clear and neither are answers on the internet.

It's possible I suppose, but ActiveSync is really just another web service. The reason that it's so easy to set up is once you have OWA published, maybe all you need to do is add another address translation rule to your proxy. I think that's just another checkbox in ISA.

Do you not use OWA or have a reverse proxy? What's the issue?

Claymoore wrote: »

It's possible I suppose, but ActiveSync is really just another web service. The reason that it's so easy to set up is once you have OWA published, maybe all you need to do is add another address translation rule to your proxy. I think that's just another checkbox in ISA.

Do you not use OWA or have a reverse proxy? What's the issue?

We don't use OWA at all and we don't want to use it. What I thought I could do was open up 443 to the exchange server from the outside and set up an active sync policy to allow non provisionable device (which I did), apply at setting to my mailbox and enable active sync and I thought it would work. We don't use ISA by the way.

At what point in the process is it breaking down? This is where testexchangeconnectivity.com comes in handy as it'll tell you pretty exactly. Can't say I've ever run it without OWA being configured but on the other hand OWA comes mostly configured out of the box. Unless you've taken steps to disable it.

[IMG]file:///C:/DOCUME%7E1/OWNER%7E1.DES/LOCALS%7E1/Temp/moz-screenshot.png[/IMG][IMG]file:///C:/DOCUME%7E1/OWNER%7E1.DES/LOCALS%7E1/Temp/moz-screenshot-1.png[/IMG]Well this is what im getting on the site. The droid doesn't say anything.

Run the test without autodiscover, unless you're wanting to configure autodiscover as well which from the sound of your setup you aren't really planning on using Outlook Anywhere.

undomiel wrote: »

Run the test without autodiscover, unless you're wanting to configure autodiscover as well which from the sound of your setup you aren't really planning on using Outlook Anywhere.

Yea I tried both ways. Same issue.

[FONT=&quot]ExRCA is testing Exchange ActiveSync. The Exchange ActiveSync test failed. [/FONT]
[FONT=&quot]
[/FONT]
[FONT=&quot]Test Steps[/FONT]

[FONT=&quot]
[/FONT]
[FONT=&quot]Attempting to resolve the host name in DNS.[/FONT]

[FONT=&quot]Host successfully resolved[/FONT]

[FONT=&quot]
[/FONT]
[FONT=&quot]Additional Details[/FONT]

[FONT=&quot]IP(s) returned: [/FONT]

[FONT=&quot]
[/FONT]
[FONT=&quot]Testing TCP Port 443 on host .com to ensure it is listening and open.[/FONT]

[FONT=&quot]The port was opened successfully.[/FONT]

[FONT=&quot]
[/FONT]
[FONT=&quot]ExRCA is testing the SSL certificate to make sure it's valid.[/FONT]

[FONT=&quot]The SSL certificate failed one or more certificate validation checks.[/FONT]

[FONT=&quot]
[/FONT]
[FONT=&quot]Test Steps[/FONT]

Different issue from what I'm seeing here. Did you put a check in the box for ignoring trust on ssl? I'm guessing you're using a self-signed cert so you may want to check that it hasn't expired and renew it if it has.

undomiel wrote: »

Different issue from what I'm seeing here. Did you put a check in the box for ignoring trust on ssl? I'm guessing you're using a self-signed cert so you may want to check that it hasn't expired and renew it if it has.

I did try to put that checkbox in this time. Still got this message:

ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Test Steps
Attempting to resolve the host name in DNS. Host successfully resolved
Additional Details IP(s) returned:
Testing TCP Port 443 on host to ensure it is listening and open. The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid. The SSL certificate failed one or more certificate validation checks.
Test Steps
The certificate name is being validated. Certificate name validation failed.
Tell me more about this issue and how to resolve it Additional Details

It looks like you need to do some reading on certificates. Certificate name validation failed reads to me like the certificate isn't using the same name as your website.

Understanding the Self-Signed Certificate in Exchange 2007: Exchange 2007 Help
Certificate Use in Exchange Server 2007: Exchange 2007 Help

And once you've read all of that you'll be needing to use this in one form or another:

The Exchange 2007 Wiki - New-ExchangeCertificate

undomiel wrote: »

It looks like you need to do some reading on certificates. Certificate name validation failed reads to me like the certificate isn't using the same name as your website.

Understanding the Self-Signed Certificate in Exchange 2007: Exchange 2007 Help
Certificate Use in Exchange Server 2007: Exchange 2007 Help

And once you've read all of that you'll be needing to use this in one form or another:

The Exchange 2007 Wiki - New-ExchangeCertificate

Will do. That's the thing though, there is NO website. There is no webmail.XXX.com or owa.XXX.com . That's what we don't want to do. That's why I was asking, can I do this without putting up a site. That's why I've been asking can you do this WITHOUT owa because we don't want that. I'm starting to think you can't.

You could create a self-signed certificate with a CN of the ip address. What's blocking you from creating an A record in your external DNS though? Just having an A record doesn't force you into providing a website. It's just a pointer to an ip address. In IIS you can lock down access to the OWA virtual directory to just your Exchange server.

undomiel wrote: »

You could create a self-signed certificate with a CN of the ip address. What's blocking you from creating an A record in your external DNS though? Just having an A record doesn't force you into providing a website. It's just a pointer to an ip address. In IIS you can lock down access to the OWA virtual directory to just your Exchange server.

Nothing I suppose and I didn't even think about just creating an A record

.

So I could make an A record with our provider to like OWA.COMPANY.COM, create a rule in our firewall to allow request to that address in and then from there set up the virtual directories in IIS and allow just Exchange to access it. I could also make the self assigned cert pretty easily. I believe there was a way that I could allow it only access over 443 as well, I would have to look at Exchange again but I think there was a checkbox in under properties that said secure or something.

Is this a pretty common setup?

Sounds like you have it. By default most of the virtual directories are locked down to HTTPS only. Be careful with the locking down of the virtual directories because external requests do need to hit the Microsoft-Server-ActiveSync vdir.

If by common setup you mean that external requests are translated through a firewall to a server then yes it is pretty common. Normally I would put in a 3rd party certificate as that resolves most issues with devices being extra picky about a self signed cert. Preventing access to owa isn't common. Never had to disable it for any of the companies that we support. They generally get pretty cranky if owa isn't working.

undomiel wrote: »

Sounds like you have it. By default most of the virtual directories are locked down to HTTPS only. Be careful with the locking down of the virtual directories because external requests do need to hit the Microsoft-Server-ActiveSync vdir.

Yea, I have no idea what that is lol. I really need to pick up an exchange 2007 admin guide lol.

undomiel wrote: »

If by common setup you mean that external requests are translated through a firewall to a server then yes it is pretty common. Normally I would put in a 3rd party certificate as that resolves most issues with devices being extra picky about a self signed cert. Preventing access to owa isn't common. Never had to disable it for any of the companies that we support. They generally get pretty cranky if owa isn't working.

I meant not having owa but doing this.

I have sometime that I can try this tomorrow. Before I do that, I am wondering if this is the best way to back up the certificates:
Back Up your Certificates on Microsoft Exchange 2007

So in short here is my plan:

Create A record in public DNS to OWA.Company.Com (completed)

Go to firewall and create a rule to point connections to OWA.Company.Com to the internal ip address of the exchange server

Go to exchange and back up certificates

While on exchange, create a self assigned cert with the cn owa.company.com

lockdown virtual directories in IIS

Test outlook autodiscovry

Test sync with Droid 2

knwminus wrote: »

While on exchange, create a self assigned cert with the cn owa.company.com

You should use a 3rd party UCC certificate instead of a single CN self-signed certificate. A 10-domain UCC cert from GoDaddy costs $165 for a year, which is less than the cost of the Droid 2.

You need a UCC cert because Exchange relies on certificates for internal communication (IIS, SMTP) and that communication uses a variety of names. Not only will you need owa.company.com, but also autodiscover.company.com as well as just plain owa and autodiscover - not every service or connection will use the FQDN. Add in the name of the CAS server itself and you can see why a UCC (aka SAN - Subject Alternative Name) certificate is required. If your cert does not have all of the names, you will start getting certifcate errors in other services.

I found a video walk-through that shows how to install a UCC cert on Exchange 2007:
Screencast: How to Install GoDaddy Multiple Domain (UCC) SSL Certificate in Exchange Server 2007

Screw those guys, they require a subscription. Here's a free YouTube video from DigiCert:
http://www.youtube.com/watch?v=E5qwDt_cMSs

Plus, DigiCert has a handy web tool that will generate the CSR powershell commands for you.
https://www.digicert.com/easy-csr/exchange2007.htm

Claymoore wrote: »

You should use a 3rd party UCC certificate instead of a single CN self-signed certificate. A 10-domain UCC cert from GoDaddy costs $165 for a year, which is less than the cost of the Droid 2.

This is the way we are going to need to go. However, my boss won't approve us spending that until I can prove we can at least do it. We have the droids for free so spending that was easy to justify. I only have 1 day I can test this and to do a change management request for the cert is going to take longer than that. Do you think this is even possible with the way I proposed (assuming I add more cn certs for autodiscovery, owa and etc)?

The problem isn't so much the self-signed part, because Active Directory acts as a trusted third party so the clients will trust the CAS server cert because they are both members of the same domain. The problem is the name of the certficate - owa.company.com - will not match the name of the server - cas.company.com. This will generate errors in the autodiscover service, and thus the availability service, as well as internal OWA problems if anyone uses that.

Exchange also relies on certificates for internal TLS encryption of SMTP traffic, but you can use different certs for different services to avoid problems there.

If you just want to test things, create a different external A DNS record that matches the name of the internal CAS server - cas.company.com instead of owa.company.com - and a different firewall rule. You will be telling the ActiveSync client to ignore certificate errors either way. Just be sure to manually set the server names rather than relying on autodiscover since you won't have that name on the cert.

Once you have it working, buy a real cert and fix your A records and firewall rules. As a bonus, a trusted third party UCC cert will allow your hub transport servers to start using TLS to encrypt external SMTP traffic.

Here is another issue, we don't have a server with the CAS role on it. We only have one exchange server and I don't know if it has the role installed or not.

Quick Links