
Troubleshoot ActiveSync 4.1/4.2 in corporate environments

This document recommends best practices to IT departments for configuring their local environments for Windows Mobile devices that connect to PCs running ActiveSync 4.1/4.2. The recommended practices should pose a relatively small security risk.

Windows Mobile phone can't connect to PCs running ActiveSync 4.1/4.2

These solutions are organized by the four potential causes of the problem.

Potential cause: A firewall application may be blocking ActiveSync processes and/or ports

Solution 1: Add the following processes to the application exception list of the firewall utility:
  • Wcescomm.exe
  • WcesMgr.exe
  • RAPIMgr.exe
  • CEAPPMGR.exe

Many firewall vendors provide application exception lists that already contain ActiveSync processes. Following is an example of an application exception list within Windows Firewall.

[Figure: An application exception list within Windows Firewall]

Additionally, open port 26675 (inbound TCP) in the firewall utility for all applications. You should also specify the scope for the port. The scope is either "*" (for all networks) or a comma-separated list that contains any combination of the following:
  • IP addresses, such as 10.0.0.1
  • Subnet descriptions, such as 10.2.3.0/24
  • The string "local subnet"

Security risk: Low.

Solution 2: Open the following ports for all applications in the firewall utility:

  • 990 – open inbound TCP port
  • 999 – open inbound TCP port
  • 5678 – open inbound TCP port
  • 5679 – open outbound UDP port
  • 5721 – open inbound TCP port
  • 26675 – open inbound TCP port

Security risk: Moderate. The ports remain open, and applications on the host PC that use these ports are more exposed to external attacks. To further reduce risk, specify the scope for port 26675 as described in Solution 1.
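The two firewall solutions above, as an added PowerShell example that is not part of the Microsoft page. It drives the Windows XP SP2 Windows Firewall through the `netsh firewall` context (the host firewall ActiveSync 4.1/4.2 ran behind) and translates the page's scope notation into `scope=`/`addresses=` arguments. The ActiveSync install directory, the `$Scope` value and the rule names are assumptions; adjust them to your site. Run it from an administrator prompt.

```powershell
# Added example (not from the Microsoft page): apply firewall Solution 1, and
# optionally Solution 2, for ActiveSync 4.1/4.2 on Windows XP SP2.

$ActiveSyncDir = "C:\Program Files\Microsoft ActiveSync"   # assumed install path

# Scope in the page's own notation: "*" for all networks, or a comma-separated
# list of IP addresses, CIDR subnets and the word LocalSubnet, for example
# "10.0.0.1,10.2.3.0/24,LocalSubnet". LocalSubnet is the least exposed choice.
$Scope = "LocalSubnet"

# Solution 2 opens five more ports and is rated a moderate risk on the page;
# leave it off unless Solution 1 alone does not restore connectivity.
$ApplySolution2 = $false

function Get-ScopeArgs([string]$Scope) {
    # "*" maps to scope=ALL; anything else is a custom address list.
    if ($Scope -eq "*") { return @("scope=ALL") }
    return @("scope=CUSTOM", "addresses=$Scope")
}

function Add-ProgramException([string]$Path, [string]$Name, [string]$Scope) {
    # Application exception: traffic to this process is allowed within $Scope.
    $netshArgs = @("firewall", "add", "allowedprogram", "program=$Path",
                   "name=$Name", "mode=ENABLE") + (Get-ScopeArgs $Scope)
    & netsh @netshArgs
}

function Add-PortException([int]$Port, [string]$Protocol, [string]$Name, [string]$Scope) {
    # Port exception: the port is open for every application, limited to $Scope.
    $netshArgs = @("firewall", "add", "portopening", "protocol=$Protocol",
                   "port=$Port", "name=$Name", "mode=ENABLE") + (Get-ScopeArgs $Scope)
    & netsh @netshArgs
}

# Solution 1: the four ActiveSync processes, plus inbound TCP 26675 limited to $Scope.
foreach ($exe in "Wcescomm.exe", "WcesMgr.exe", "RAPIMgr.exe", "CEAPPMGR.exe") {
    $path = Join-Path $ActiveSyncDir $exe
    if (-not (Test-Path $path)) { Write-Warning "$path not found, skipping"; continue }
    Add-ProgramException -Path $path -Name "ActiveSync $exe" -Scope $Scope
}
Add-PortException -Port 26675 -Protocol TCP -Name "ActiveSync 26675" -Scope $Scope

# Solution 2: the remaining inbound TCP ports, open for all networks as the page
# states. 5679/UDP is listed as outbound; the XP firewall filters inbound traffic
# only, so there is nothing to open for it here.
if ($ApplySolution2) {
    foreach ($port in 990, 999, 5678, 5721) {
        Add-PortException -Port $port -Protocol TCP -Name "ActiveSync $port" -Scope "*"
    }
}

# Review the result: the new entries appear under "Allowed programs configuration"
# and "Port configuration" together with their scopes.
netsh firewall show config
```

Keeping port 26675 scoped to the local subnet (or an explicit address list) while the Solution 2 ports stay off is the configuration the page rates as low risk; the final `show config` output is what to capture for a change record.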

Potential cause: An antivirus application may be blocking ActiveSync processes

Solution 1: Configure the antivirus application to allow the following processes:
  • CeAppMgr
  • FormInst
  • DBAccess
Security risk: Low.

Solution 2: Configure the antivirus application to allow scripting to enable Windows Mobile devices to sync with Microsoft Outlook on the PC.

Security risk: Moderate.

Potential cause: IPSec or other IT policy or startup script under which new network interfaces are not allowed

Solution: Deploy an IPSec policy to workstations that allows 169.254.x.x traffic.

169.254.x.x is a link-local address range that is not routable (provided your network enforces it as link-local). This is similar to the "split-tunneling" exception that allows printers to start up on a network. This policy should not be deployed to high-security servers such as domain controllers; it should be deployed only to workstations on which it is reasonable for a user to run ActiveSync.

Security risk: Low. To attack a workstation to which the IPSec policy described above has been deployed, the attacker would need either physical access to the workstation’s network cabling or remote administrator-level access to the network switch through which the workstation connects. With such access, the attacker could cause the workstation to get an automatically configured IP address on its Ethernet network interface, and then use the attacker’s computer to communicate through that interface.
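The IPSec change described above, as an added PowerShell example that is not part of the Microsoft page. It uses the Windows XP `netsh ipsec static` context to create a filter list for the 169.254.0.0/16 range, a permit filter action, and a rule that attaches them to an already assigned IPSec policy; it refuses to run on a domain controller, following the page's deployment restriction. The policy name, the filter list name and the rule name are assumptions. Run it from an administrator prompt.

```powershell
# Added example (not from the Microsoft page): permit link-local (169.254.x.x)
# traffic in an existing IPSec policy on a workstation.

$PolicyName = "Workstation IPSec Policy"          # assumed: name of the policy already assigned on the workstation
$FilterList = "LinkLocal 169.254.0.0/16"          # assumed name
$RuleName   = "Allow link-local (ActiveSync)"     # assumed name

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary
# domain controller. The page says this policy must not go on such hosts.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    throw "Refusing to change the IPSec policy on a domain controller (DomainRole=$role)"
}

# Filter list covering the whole link-local range. "me" is this host; the
# mirrored filter matches both directions of the conversation.
netsh ipsec static add filterlist name="$FilterList" description="Link-local range used by the ActiveSync desktop connection"
netsh ipsec static add filter filterlist="$FilterList" srcaddr=169.254.0.0 srcmask=255.255.0.0 dstaddr=me protocol=ANY mirrored=yes

# Permit action (no negotiation, no encryption) and the rule that ties the
# filter list to the existing policy. Only the link-local range is affected;
# every other rule in the policy keeps its current behaviour.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add rule name="$RuleName" policy="$PolicyName" filterlist="$FilterList" filteraction="Permit"

# Verify that the rule is now part of the assigned policy.
netsh ipsec static show policy name="$PolicyName" level=verbose
```

Adding a rule to the policy that is already assigned, rather than assigning a new one, keeps the existing restrictions in force; only one IPSec policy can be assigned to a machine at a time, so a separate "allow 169.254" policy would replace, not supplement, the current one.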

Potential cause: ActiveSync bypasses the default Layered Service Provider (LSP) in the Windows TCP/IP handler

Solution: When other applications install additional LSPs, earlier versions of ActiveSync can have trouble connecting to the device. To avoid that problem, ActiveSync 4.1/4.2 binds only to the Microsoft TCP/UDP provider, bypassing any subsequently installed LSPs. However, you may want to force ActiveSync to use the default LSP, for example when a firewall product depends on it. After doing this, you may then have to add the ActiveSync processes to the firewall application exception list, as described in the first solution to the first potential cause, "Potential cause: A firewall application may be blocking ActiveSync processes and/or ports."

To force ActiveSync 4.1/4.2 to use the default LSP, set the REG_DWORD value of the following registry key to any value other than zero.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services\AllowLSP

Security risk: Low. This setting is used only by ActiveSync processes.
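The registry change above, as an added PowerShell example that is not part of the Microsoft page. It first lists the Winsock catalog so you can see which third-party LSPs are installed, then sets and reads back the AllowLSP value. It assumes AllowLSP is a REG_DWORD value under the "Windows CE Services" key, which is how the combined path on the page reads; the function names are assumptions. Run it from an administrator prompt.

```powershell
# Added example (not from the Microsoft page): inspect installed LSPs and
# toggle the AllowLSP value for ActiveSync 4.1/4.2.

$KeyPath = "HKLM:\SOFTWARE\Microsoft\Windows CE Services"

function Show-WinsockCatalog {
    # Lists every Winsock provider. Entries other than the Microsoft TCP/UDP
    # providers are the layered providers that ActiveSync bypasses by default.
    netsh winsock show catalog
}

function Get-ActiveSyncAllowLsp {
    # Returns the current AllowLSP value, or $null when it has never been set
    # (ActiveSync then uses its default behaviour of bypassing LSPs).
    $item = Get-ItemProperty -Path $KeyPath -Name AllowLSP -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.AllowLSP }
    return $null
}

function Set-ActiveSyncAllowLsp([bool]$UseDefaultLsp) {
    if (-not (Test-Path $KeyPath)) {
        throw "$KeyPath not found; is ActiveSync 4.1/4.2 installed?"
    }
    # Any non-zero value forces the default LSP; zero restores the bypass.
    $value = if ($UseDefaultLsp) { 1 } else { 0 }
    New-ItemProperty -Path $KeyPath -Name AllowLSP -PropertyType DWord -Value $value -Force | Out-Null
    return (Get-ActiveSyncAllowLsp)
}

Show-WinsockCatalog
"AllowLSP before: $(Get-ActiveSyncAllowLsp)"
Set-ActiveSyncAllowLsp -UseDefaultLsp $true
"AllowLSP after:  $(Get-ActiveSyncAllowLsp)"
```

Reviewing the catalog before forcing the default LSP tells you which product's provider ActiveSync will now pass through; if that product is a firewall, expect to add the ActiveSync processes to its exception list afterwards, as the solution text says.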


Connectivity and synchronization may require separately purchased equipment and/or wireless products (for example, Wi-Fi card, network software, server hardware, and/or redirector software). Service plans are required for Internet, Wi-Fi and phone access. Features and performance may vary by service provider and are subject to network limitations. See device manufacturer, service provider and/or corporate IT department for details.
