Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2

This section provides information about troubleshooting tools and detailed information and specific troubleshooting steps around Microsoft direct push technology so that you can better isolate mobility issues within your network infrastructure.

This section contains information on the following subjects:

Logging and Troubleshooting Tools

The following troubleshooting and logging tools should help you track and resolve mobility issues.

Monitoring Mobile Performance on Exchange Server 2003 SP2

To track the performance, availability, and reliability of Exchange ActiveSync and other mobile messaging components, you can use the Exchange Server Management Pack. The Exchange Server Management pack includes rules and script components that validate the availability of communication services, send test e-mails to verify operations, and measure actual delivery times.

With Exchange Server 2003 SP2, the following new rules were added:

The Exchange Management Pack Configuration Wizard provides a graphical user interface (GUI) to configure Exchange 2000 and Exchange 2003 Management Packs, including test mailboxes, message tracking, and monitoring services.

You can download the Exchange Management Pack from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=55885.

The Exchange Server Management Pack Guide for MOM 2005 explains how to use the Exchange Management Pack to monitor and maintain messaging resources.

You can download the management pack guide from the Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=58794.

ISA Server Best Practices Analyzer

To determine the overall health and diagnose common configuration errors, download and run the Microsoft ISA Server Best Practices Analyzer Tool at the Microsoft Download Center.

Top of page

Issues Related to Direct Push Technology

Refer to Understanding the Direct Push Technology in this document for details on how direct push works.

General Direct Push Troubleshooting Tips

In general, there are three troubleshooting steps that an administrator can take to troubleshoot connectivity issues:

Path Troubleshooting Direct Push

In many cases, a single firewall or gateway in the network can cause timing issues that impede the direct push path.

In all mobile messaging scenarios, you will need to ensure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. While each network infrastructure varies, the following illustration depicts a typical network infrastructure where the firewall idle session timeouts need to be adjusted to 30 minutes.

Certificate Information
See full-sized image

Using a heartbeat interval of 30 minutes has positive implications for battery life and bandwidth consumption. When direct push sessions are permitted to live longer (such as 30 minutes), there are fewer HTTP round trips, less data sent and received, and less power consumed by the device.

In other infrastructure scenarios, idle session time out settings may also include any other packet-forwarding networking devices or web appliances between the Exchange 2003 Server and mobile device. To modify the idle session timeout settings for your third party firewall or reverse proxy device, please refer to the hardware manufacturer’s documentation to do so. Additionally, Microsoft has worked with mobile operators to increase the idle connection timeouts on their outgoing firewalls, but the enterprises that are deploying direct push technology will also need to increase those timeouts on their incoming firewalls per the instructions above. In Microsoft’s own deployment, the timeouts on the firewall are set to thirty minutes.

Verify Direct Push Initialization

The Exchange Product team has written an article that explains steps that an administrator can take to help isolate direct push technology issues. For additional information and the full context of this article please visit the following link. http://go.microsoft.com/fwlink/?LinkId=67080.

Event Type: Information
Event Source:     Server ActiveSync
Event Category:   None
Event ID:   3002
Date:       3/19/2006
Time:       12:44:08 PM
User:       N/A
Computer:   1B25A
Description:
Microsoft Exchange ActiveSync has been loaded: Process ID: [3048].

Event Type: Information
Event Source:     Server ActiveSync
Event Category:   None
Event ID:   3025
Date:       3/19/2006
Time:       12:44:19 PM
User:       N/A
Computer:   1B25A
Description:
IP-based AUTD has been initialized.

Before

Proto       Local Address     Foreign Address   State       PID

UDP         0.0.0.0:1985      *:*                           1928
UDP         0.0.0.0:3456      *:*                           3356

After

Proto       Local Address     Foreign Address   State       PID

UDP         0.0.0.0:1985      *:*                           1928
UDP         0.0.0.0:2883      *:*                           3048
UDP         0.0.0.0:3456      *:*                           3356

Netstat provides the Process ID which matches the EAS process per the initialization event in the application log.

Another way to check if the server is listening on the AUTD port is to use PortQry (available on Microsoft.com). The following lists the process that is listening on the port:

Process ID: 3048 (w3wp.exe)

PID   Port        Local IP          State             Remote IP:Port
3048  TCP 31479  172.29.8.222      ESTABLISHED       172.29.9.107:3268
3048  TCP 31480  172.29.8.222      ESTABLISHED       172.29.9.107:389
3048  UDP 2883    0.0.0.0                             *:*

Troubleshooting Direct Push Using Logs

POST Microsoft-Server-ActiveSync?User=administrator&
DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&
DeviceType=PocketPC&Cmd=Ping
MS-ASProtocolVersion: 2.5

PUT /exchange/Administrator@1b1domain.lab/NON_IPM_SUBTREE/
Microsoft-Server-ActiveSync/PocketPC/
6F24CAD599A5BF1A690246B8C68FAE8D/AutdState.xml

  Note

The AUTDState.XML is created on receipt of the 1st PING request and is updated only when the heartbeat or folder list changes. So you may not see this command for every Ping request.

AUTD state information is maintained on the mailbox server in the NON_IPM_SUBTREE of each user's mailbox. 

In IE, you can Choose File, Open, check the box to "Open as Web Folder" and type in

http://server/exchange/user/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/Autd-State.XML

The following is a sample AUTDState.XML file.

<?xml version="1.0" encoding="utf-8"?>
<AutdState xmlns="Ping:">
   <Version>1.0</Version>
   <HeartbeatInterval>680</HeartbeatInterval>
                <Folders>
  <Folder>
         <Id>7529a5b36290aa458b9e1fc2d5ff85a6-3aaa2</Id>
      <Class>Email</Class>
   </Folder>
   <Folder>
    <Id>7529a5b36290aa458b9e1fc2d5ff85a6-2cfb8</Id>
    <Class>Calendar</Class>
    </Folder>
 </Folders>
</AutdState>

UDP: Src Port: Unknown (33660); Dst Port: Unknown (2883); Length = 162 (0xA2)
    UDP: Source Port = 0x837C
    UDP: Destination Port = 0x0B43
    UDP: Total length = 162 (0xA2)
    UDP: UDP Checksum = 0xC233
    UDP: Data: Number of data bytes remaining = 154 (0x009A)
00000:  00 0E 0C 06 CA C0 00 D0 B7 24 86 2B 08 00 45 00   ....ÊÀ.Е$†+..E.
00010:  00 B6 C8 73 00 00 80 11 07 3A AC 1D 09 71 AC 1D   .¶Ès..€..:¬..q¬.
00020:  08 DE 83 7C 0B 43 00 A2 C2 33 4E 4F 54 49 46 59   .Þƒ|.C.¢Â3NOTIFY
00030:  20 68 74 74 70 75 3A 2F 2F 31 62 32 35 61 2E 31    httpu://1b25a.1
00040:  62 31 64 6F 6D 61 69 6E 2E 6C 61 62 3A 32 38 38   b1domain.lab:288
00050:  33 2F 33 35 33 39 35 63 65 34 2D 31 35 30 34 2D   3/35395ce4-1504-
00060:  34 61 63 34 2D 39 37 32 31 2D 66 31 35 32 63 36   4ac4-9721-f152c6
00070:  34 36 65 61 33 35 20 48 54 54 50 2F 31 2E 31 0D   46ea35 HTTP/1.1.
00080:  0A 53 75 62 73 63 72 69 62 65 2D 67 72 6F 75 70   .Subscribe-group
00090:  3A 20 55 73 50 43 57 77 46 4C 32 30 71 37 44 2B   : UsPCWwFL20q7D+
000A0:  6E 61 76 6F 4D 71 79 41 3D 3D 0D 0A 53 75 62 73   navoMqyA==..Subs
000B0:  63 72 69 70 74 69 6F 6E 2D 69 64 3A 20 32 37 0D   cription-id: 27.
000C0:  0A 0D 0A 00         

Push Mail and GAL Lookup missing when syncing to Exchange 2003 SP2 with a MSFP Device.

The following is a reprint of a blog on Microsoft TechNet that explains steps that an administrator can take to help isolate issues around direct push email and GAL Lookup when synching to Exchange 2003. For additional information and the full context of this article, please see the following TechNet blog. http://blogs.technet.com/vik/archive/2006/10/17/push-mail-and-gal-lookup-missing-when-syncing-to-exchange-2003-sp2-with-a-msfp-device.aspx.

During deployments you may run into the issue where your server is up and you are syncing without a problem but you aren’t getting the option to sync as items arrive as well as the option to do Lookup Online is missing. This is normally caused by a firewall issue where the Options verb is being blocked.

We see we are not returning the expected response for the OPTIONS command from the following entry on the device logs. Enable Verbose logging on the device from server settings in Advanced in device to see these logs.

=-= Build 14847 =-=
=-= No XIP Information Available =-=
Mail.company.com
=-=- [12/10/2006 2:28:59.0] -=-=
=-=-=-= Client Request =-=-=-= 
OPTIONS Microsoft-Server-ActiveSync?User=dptest&
DeviceId=6F24CAD599A5BF1A690246B8C68FAE8D&DeviceType=PocketPC 
Accept-Language: en-us
X-MS-PolicyKey: 0 
-=-=-=- Start of Body -=-=-=-
=-=- [12/10/2006 2:29:4.0] -=-=
=-=-=-= Server Response =-=-=-
HTTP/1.1 500 Internal Server Error 
( The system cannot find the file specified.  )
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 2014

The HTTP 500 is the response from the server for the OPTIONS command sent by the device.

We normally get this response if URLScan is blocking the verb. So we have to check for URLScan in the server. If URLScan is present, then we can add OPTIONS to the AllowVerb section of URLScan.ini file.

The above symptom is confirmed from the IIS logs as well.

2006-10-10 04:01:13 W3SVC1 SCIDUBMSG01 10.251.99.165 POST
/Microsoft-Server-ActiveSync User=username&
DeviceId=02563C023942F3E168000050BF1977E0&DeviceType=PocketPC&
Cmd=Sync&Log=V1TCaSSC:0A0C0D0FS:0A0C0D0SP:1C3I3040S122000R0S0L0H0P 443 
consoto\username 209.95.228.19 HTTP/1.0 Microsoft-PocketPC/3.0 - - 
mail.company.com 200 0 0 326 516 249

Notice the entry Log=V1 in the above log entry.

It indicates that Airsync protocol version 1.0 is being used, whereas with Push functionality Airsync version 2.5 is the latest and to be used.

Ideally we should use Airsync protocol version 2.5 which will be represented as Log=V4.

So permitting the OPTIONS verb in URLScan or whatever software is blocking it should resolve the issue.

Sample Server response=-=- [16/9/2006 1:15:23.0] -=-=
=-=-=-= Server Response =-=-=-
HTTP/1.1 200 OK
Date: Fri, 15 Sep 2006 19:45:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 0
Public: OPTIONS, POST
Allow: OPTIONS, POST
MS-Server-ActiveSync: 6.5.7638.1
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5
MS-ASProtocolCommands: Sync,SendMail,SmartForward,
SmartReply,GetAttachment,GetHierarchy,
CreateCollection,DeleteCollection,MoveCollection,
FolderSync,FolderCreate,
FolderDelete,FolderUpdate,MoveItems,
GetItemEstimate,MeetingResponse,
ResolveRecipients,ValidateCert,Provision,
Search,Notify,Ping

Based on the list of commands returned by the server as above, the device will decide which version of AirSync protocol to use. Different features like direct push technology or AUTD etc depend on the version of the protocol being used for communication.

Check for URLScan on your Exchange server and check if any other device or software device is blocking OPTIONS command.

URLScan is an add-on tool that can be used by Web site administrators. The administrators can control the actions of URLScan and can restrict the type of HTTP requests that the server processes. URLscan.ini file is the configuration file of this tool and URLscan tool will not function after we rename this file and once we rename it back it will start working again, nothing else will be affected.

For more information see the Microsoft Knowledge Base article, "Using URLScan on IIS" (http://support.microsoft.com/kb/307608/). The purpose of this article is to ensure effective distribution of the Internet Information Services (IIS) security tool URLScan.

After you edit your URLSCAN.ini file a Server reboot is not required just restart the IIS & WWW services.

Top of page

Issues Related to ISA Server 2006

The following issues have been discovered in early deployment of ISA Server 2006.

Double Authentication Required after Upgrading from ISA Server 2004

After upgrading from ISA Server 2004, when an Exchange publishing rule was defined with forms-based authentication, users are prompted twice for their credentials. In ISA Server 2004, when you create a rule with the New Mail Server Publishing Rule Wizard, authentication delegation is not required, because it is handled by ISA Server itself. When this rule is upgraded to ISA Server 2006, authentication delegation for the rule is set to No delegation.

The solution is to manually configure authentication delegation for the affected rule to Basic Authentication.

Log Off when the User Leaves Site Feature Removed

The Log off when the user leaves site setting has been removed from ISA Server 2006. Users should always use the log off button to properly log off from Outlook Web Access.

Windows Mobile Users Receive Error 401 Unauthorized

When a Windows Mobile user tries to access a published Outlook Web Access or Windows Mobile Access Web site published with the New Exchange Publishing Rule Wizard, the user receives error 401 instead of the Exchange logon forms.

This error appears when the required HTML form directories for Windows Mobile access are missing from the Exchange HTML form set directory

The solution is to manually create the two directories, cHTML and xHTML, in the %programfiles%\Microsoft ISA Server\CookieAuthTemplate\Exchange folder. Then, copy the contents of the %programfiles%\Microsoft ISA Server\CookieAuthTemplate\Exchange\HTML folder to the cHTML and xHTML folders.

Users Receive Access Denied Error Message

When a user attempts to connect to a published Outlook Web Access site and does not add the /exchange suffix to the end of the URL, such as https://mail.contoso.com, instead of receiving the forms-based authentication logon screen, the user receives an "Access denied" error message. This error can be difficult to troubleshoot because ISA Server is behaving as expected.

A workaround is to publish the root of the Exchange front-end server, with an action of Deny, and redirect users to the proper URL, such as https://mail.contoso.com/exchange.

Perform the following procedure to automatically redirect users to the proper Outlook Web Access URL.

To create an Exchange Web client access publishing rule

Page	Field or property	Setting
Welcome	Web publishing rule name	Type a name for the rule, such as Exchange Redirect.
Select Rule Action	Action to take when rule conditions are met	Select Deny.
Publishing Type	Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites	Select Publish a single Web site or load balancer.
Server Connection Security	Choose the type of connections ISA Server will establish with the published Web server or server farm	Select Use SSL to connect to the published Web server or server farm.   Note A server certificate must be installed on the published Exchange front-end servers, and the root CA certificate must be installed on the ISA Server computer.
Internal Publishing Details	Internal site name	Type the internal FQDN of the Exchange front-end server. For example: exchfe.corp.contoso.com.   Important The internal site name must match the name of the server certificate that is installed on the internal Exchange front-end server.   Note If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer.
Internal Publishing Details	Path (optional)	Type / in the Path box.
Public Name Details	Accept requests for Public name	This domain name (type below) Type the domain name that you want ISA Server to accept connections for. For example, type mail.contoso.com.
Select Web Listener	Web listener	Select the Web listener you created previously, such as Exchange FBA.
Authentication Delegation	Select the method used by ISA Server to authenticate to the published Web server	Select Basic authentication.
User Sets	This rule applies to requests from the following user sets	Select the user set approved to access this rule. This should be the same user set that you used in the Exchange publishing rule.
Completing the New Web Publishing Rule Wizard	Completing the New Web Publishing Rule Wizard	Finish to complete the wizard.

Top of page

Certificate Implementation Issues on the Server

For information about troubleshooting Certificate implementation on Server, see "Certificate Revocation and Status Checking" on the Microsoft TechNet Web site.

http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx

Top of page

Communication Issues between the Front-end and Back-end Exchange Servers

For information about front-end and back-end communication issues, see the Microsoft Support Webcast, "Troubleshooting Microsoft Exchange Server 2003 ActiveSync Issues."

http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Ftranscripts%2Fwct032504.asp

Top of page

Frequently Asked Questions

The Exchange Product team has written an article that explains steps that an administrator can take to help isolate direct push technology issues. For more information about the deployment of direct push technology, see the Exchange Server blog article "Direct push is just a heartbeat away" at http://go.microsoft.com/fwlink/?LinkId=67080.

Top of page

17 of 18