Deploying Exchange ActiveSync

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Microsoft Exchange ActiveSync is a synchronization protocol that lets you synchronize your Exchange mailbox with a mobile device. Exchange ActiveSync works with high-latency or low-bandwidth networks and low-capacity clients that have limited memory, storage, and processing power. Exchange ActiveSync communicates by using the HTTPS protocol.

By default, when you install the Client Access server role on a computer that is running Exchange Server 2007, Exchange ActiveSync is enabled. However, there are several post-installation deployment tasks that you can perform to enhance the security and performance of Exchange ActiveSync.

Note

   If you are upgrading from Exchange Server 2003 to Exchange 2007 SP1, users will be unable to synchronize using Exchange ActiveSync until Active Directory replication has completed after the upgrade. As soon as Active Directory replication has completed, all caches must also clear. This process can take up to one hour after Active Directory replication has completed.

Note

   When you move a user’s mailbox from Exchange Server 2003 to Exchange Server 2007 Service Pack 1, users with Windows Mobile 6.0 or Windows Mobile 6.1 will receive an alert that tells them they will lose all the changes from their last successful synchronization. This happens because the synchronization state stored in the user’s mailbox cannot upgrade from Exchange Server 2003 to Exchange 2007 Service Pack 1. During the next synchronization, Exchange ActiveSync will resynchronize all items in the user’s mailbox. Users with Windows Mobile 5.0 will not experience a resynchronization as a result of an upgrade from Exchange Server 2003 to Exchange 2007 Service Pack 1 because Windows Mobile 5.0 does not support the upgraded implementation of the Exchange ActiveSync protocol. Users with Windows Mobile 5.0 will experience a resynchronization as a result of an upgrade from Exchange Server 2003 to Exchange 2007 RTM.

Configure Direct Push to Work with Your Firewall

Direct Push is the mechanism by which Exchange ActiveSync keeps your mobile devices up to date with your Exchange mailbox. The mobile device creates a long-standing HTTPS request and sends it to the Exchange server. Direct Push requires port 443 to be open on your firewall.


Configure Policies for Exchange ActiveSync

Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings to a user or group of users. Some of the settings that you can configure include the following:

  • Password requirements and settings

  • Device encryption

  • Access to Windows file shares and Windows SharePoint Services files

  • Attachment settings
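The settings listed above map to parameters of the Exchange Management Shell policy cmdlets. The following is an added example, not part of the original topic; the policy name, the mailbox address, and the chosen values are constructed placeholders to adapt to your own requirements.

```powershell
# Run in the Exchange Management Shell on Exchange Server 2007.
# 'Mobile-Baseline' and 'user@example.com' are constructed placeholders.
$policyName = 'Mobile-Baseline'

# Create a policy that covers the four setting groups:
# password requirements, device encryption, file-share/SharePoint access, attachments.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:10:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -DeviceEncryptionEnabled $true `
    -UNCAccessEnabled $false `
    -WSSAccessEnabled $false `
    -AttachmentsEnabled $true

# Assign the policy to one mailbox.
Set-CASMailbox -Identity 'user@example.com' `
    -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy $policyName).Identity

# Review step: list ActiveSync-enabled mailboxes that have no policy assigned,
# because those devices synchronize without any of the settings above enforced.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, PrimarySmtpAddress
```

Setting AllowNonProvisionableDevices to $false blocks devices that cannot enforce the policy, so check which device models are in use before applying it broadly.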


Configure Mobile Devices to Synchronize with Exchange Server

After the Client Access server role is installed, users can configure devices to synchronize with the Exchange server.

Configure Security Settings for Exchange ActiveSync

When the Client Access server role is installed, the Exchange ActiveSync virtual directory is configured for Basic authentication. Basic authentication sends the user name and password in clear text, so the SSL channel is what protects them in transit. By default, Secure Sockets Layer (SSL) is enabled. You can configure an additional authentication method on your Exchange ActiveSync virtual directory. You can use Basic authentication, Integrated Windows authentication, certificate-based authentication, or RSA SecurID.

Note

   Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2007 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This enables the Exchange 2007 Client Access server and the Exchange 2003 back-end server to communicate using Kerberos authentication.


Configure the Autodiscover Service for Exchange ActiveSync

The Autodiscover service provisions a user's device when the user's e-mail address and password are supplied. The Autodiscover service returns the address of a computer that is running Exchange 2007 and has the Client Access server role installed. If you have multiple Client Access servers in your organization, you can configure the Autodiscover service to return the URL of the Client Access server that you want the users to use for synchronization.

Note

   The ability to use the Autodiscover service depends on the mobile device operating system that you are using. Not all mobile device operating systems that support synchronization with Exchange Server 2007 support processing information from the Autodiscover service. For more information about operating systems that support processing information from the Autodiscover service, contact the manufacturer of your device.

For more information about the Autodiscover service, see Understanding Exchange ActiveSync Autodiscover.
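The authentication settings and the Autodiscover URL described in the two preceding sections are both stored on the Exchange ActiveSync virtual directory, so they can be reviewed together. The following is an added example, not part of the original topic; the server name CAS01 and the host name mail.example.com are constructed placeholders, and the BasicOverNonHttpsUrl column is a name introduced here for the check.

```powershell
# Run in the Exchange Management Shell on Exchange Server 2007.
# CAS01 and mail.example.com are constructed placeholders.

# Review every Exchange ActiveSync virtual directory in the organization.
# BasicOverNonHttpsUrl is True when Basic authentication is enabled and a
# published URL does not start with https://, which would expose the
# clear-text credentials that Basic authentication sends.
Get-ActiveSyncVirtualDirectory |
    Select-Object Server, Name, BasicAuthEnabled, ClientCertAuth, InternalUrl, ExternalUrl,
        @{ Name = 'BasicOverNonHttpsUrl'; Expression = {
            $_.BasicAuthEnabled -and (
                ($_.InternalUrl -and "$($_.InternalUrl)" -notlike 'https://*') -or
                ($_.ExternalUrl -and "$($_.ExternalUrl)" -notlike 'https://*')
            )
        } } |
    Format-List

# Publish the HTTPS URL of the Client Access server that devices should use
# for synchronization.
Set-ActiveSyncVirtualDirectory `
    -Identity 'CAS01\Microsoft-Server-ActiveSync (Default Web Site)' `
    -ExternalUrl 'https://mail.example.com/Microsoft-Server-ActiveSync'

# Confirm the change.
Get-ActiveSyncVirtualDirectory -Server 'CAS01' |
    Format-List Server, Name, BasicAuthEnabled, ClientCertAuth, ExternalUrl
```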