Background
ActiveSync was first made a feature of the Exchange product line with the release of Exchange Server 2003; it was previously available as a separate product called Mobile Information Server (MIS). Since its introduction to the Exchange product, its adoption by organizations has been very limited.
This limited adoption is unfortunate because it is such a great feature. On a regular basis I hear of users with PocketPC or Windows Mobile devices which are configured to sync from Outlook on their desktops or to use POP/IMAP off their Exchange Server. It’s hard to say if this is because ActiveSync is a little trickier to set up correctly on these devices or because users and/or administrators are not accustomed to this feature. That being said, the purpose of this article is to help Exchange administrators deploy ActiveSync within their organization by giving them an easy-to-follow guide and pointing out some things to watch out for during the process.
Requirements
A Certificate Authority (your own or 3rd Party)
Exchange 2003 Server
A Pocket PC or Windows Mobile Device
Overview
- Generate request for web server certificate
- Submit certificate request to CA & obtain Certificate
- Install web server certificate on Exchange Server
- Configure Pocket PC or Windows Mobile device
Generate request for and obtain web server certificate
1. This first task involves logging on to your Exchange server and generating the web server certificate request from IIS.
Open IIS Manager from Start | All Programs
Expand Servername (local computer) | Web Sites
Right click Default Web Site, click Properties
2. In the “Default Web Site Properties” window click the Directory Security tab, then click “Server Certificate”.
3. In the IIS Certificate Wizard select “Create a new certificate”, then click Next, as shown in figure 1 below.

Figure 1 “IIS Certificate Wizard – Create New Certificate”
4. On the next screen, “Delayed or Immediate Request”, select “Prepare the request now, but send it later”, then click Next.
5. In the next window, “Name and Security Setting”, type the name of the certificate in the name field. Name it something that describes the server or its role; here I normally use the name of the server, but it could be anything. The other option in this window is the bit length of the encryption key. I normally leave this at default (1024).
6. In the Organization Information window type the name of your Organization and Organizational unit, then click Next.
7. The next window, “Your Site’s Common Name”, is the important one; it is sometimes filled in incorrectly, which prevents mobile devices from connecting. Here you need to specify the FQDN of your server, as shown in figure 2 below.

Figure 2 “Your Site’s common name window”
Why should this field be the FQDN of the server?
The most important thing to remember when generating the certificate request is that the common name must be the name users will enter into their device to connect to the Exchange server. By default this field is populated with the host name (e.g. mail). For a valid, trusted connection to be established, the server name entered into the device must match the common name typed into this field. If only the host name were used in the field (e.g. mail), users could only connect to the server as mail, which becomes a problem when they connect via their own/external ISP or wireless networks.
8. In the “Geographical Information” window select your country/region from the drop-down box, and then type your State/province as well as City/locality in the appropriate fields.
9. The final window of this wizard is the “Certificate Request File Name” window. Here, specify the location and name of the request file, which will be submitted to a CA in the next part. See figure 3.

Figure 3 “The Certificate Request File Name Window”
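A check that can be run on the request file before it is submitted to the CA, as an added example (not part of the original article): it pulls the common name out of the base-64 PKCS #10 text and flags a bare host name or a mismatch with the name users will type into the device. The names mail and mail.example.com, the helper functions and the sample request (subject only, built inline) are constructed for illustration, and the case-insensitive comparison is an assumption.

```python
import base64

CN_OID = bytes([0x55, 0x04, 0x03])  # OID 2.5.4.3 (commonName)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def find_common_names(der):
    """Walk the DER tree and collect every commonName attribute value."""
    names, pos = [], 0
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag == 0x30 and value:  # SEQUENCE: possibly {OID, string}
            t1, oid, nxt = read_tlv(value, 0)
            if t1 == 0x06 and oid == CN_OID:
                t2, text, _ = read_tlv(value, nxt)  # 0x1E = BMPString (UTF-16)
                names.append(text.decode("utf-16-be" if t2 == 0x1E else "utf-8", "replace"))
                continue
        if tag & 0x20:  # constructed (SEQUENCE, SET, [0]): descend
            names += find_common_names(value)
    return names

def csr_common_names(pem_text):
    """Extract the common name(s) from a base-64 PKCS #10 request file."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return find_common_names(base64.b64decode(body))

def check_name(cn, device_server_name):
    """Return the problems a device would hit when connecting with this name."""
    problems = []
    if "." not in cn:
        problems.append("common name is a bare host name, not an FQDN")
    if cn.lower() != device_server_name.lower():  # assumption: case-insensitive
        problems.append("server name on device does not match common name")
    return problems

def tlv(tag, body):  # encoder for the constructed sample only (lengths < 128)
    return bytes([tag, len(body)]) + body

def sample_request(cn):  # constructed sample: version and subject, no key/signature
    rdn = tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x13, cn.encode())))
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, rdn)))
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN NEW CERTIFICATE REQUEST-----\n{b64}\n-----END NEW CERTIFICATE REQUEST-----\n"
```

To check a real request, pass the text of the file saved in step 9 to csr_common_names() and each returned name to check_name() together with the server name users will enter on the device.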
Submit certificate request to CA & obtain Certificate
1. Open the Microsoft Certificate Services webpage of your Certificate Authority. This page is used to submit the certificate request file you created earlier. The address of this website will normally be http://CertAuthorityName/certsrv, and you will be presented with a window similar to figure 4 below.

Figure 4 “Microsoft Certificate Services webpage”
2. On this page click “Request a certificate”, as in figure 4 above.
3. In the next window, “Request a Certificate”, click “advanced certificate request”.
4. In the “Advanced Certificate Request” window click the second option, “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”, as shown below in figure 5.

Figure 5 “The Advanced Certificate Request Window”
5. In the next window, “Submit a Certificate Request or Renewal Request”, open the certificate request file you generated earlier in IIS and copy its contents into the “Saved Request” window.
Note: there is an option to browse for the file, but this does not work on most servers because of security settings in Internet Explorer.
6. In the certificate template drop-down box select “Web Server”, then click Submit, as shown below in figure 6.

Figure 6 "The Submit a Certificate Request or Renewal Request Window"
7. In the “Certificate Issued” window click Download Certificate and save the Web Server certificate on your local file system, so you can use it in the next stage to process the pending request in IIS and install this certificate.
8. Now, to install the certificate, open IIS Manager again on your Exchange server, right click on the Default Web Site and click Properties.
9. When the Properties window opens, click on the “Directory Security” tab, then click Next in the “Welcome to the Web Server Certificate Wizard” window.
10. In the “Pending Certificate Request” window select “Process the pending request and install the certificate” and click Next, as shown in Figure 7.

Figure 7 “The Pending Certificate Request Window”
In the “Process a Pending Request” window browse to the certificate file you saved earlier, and click Next. The web server certificate is now installed; you can now proceed to configure your Pocket PC or Windows Mobile device to connect to your Exchange Server.
Configure your PocketPC or Windows Mobile Device
1. The first step here requires that you have the CA certificate of the root CA that issued your web server certificate earlier. To get it, go to the Microsoft Certificate Services webpage that was used earlier to submit the certificate request (http://CertAuthorityName/certsrv), select “Download a CA certificate, certificate chain or CRL” in the first window, and save the certificate for the next stage, where you install the CA certificate on your device.
2. Copy the CA certificate to your device, either via a memory card or using the desktop version of ActiveSync, and install it.
3. If you are running Windows Mobile 2003 you can click on the certificate to install it. If you are running the earlier version, Microsoft Pocket PC, you will need to run the tool AddRootCert.exe to install the CA certificate. Figure 8 below shows the AddRootCert.exe tool.

Figure 8 "The AddRootCert.exe tool"
AddRootCert.exe can be downloaded from here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;322956
Configure Pocket PC or Windows Mobile device
Now that your server is configured with a web server certificate and you have installed the CA certificate on your device, it is time to configure ActiveSync on your device to connect to your Exchange server.
1. The first step is to open ActiveSync on your device and go to Tools, then Options. You will notice a tab at the bottom named “Server”. Click on it and select the Exchange items you want to synchronize, then in the Server Name field below type the full name of your server. As I mentioned earlier, you need to enter the same name that was specified for the Common Name of the web server in the certificate. Figure 9 below shows the ActiveSync Server tab on the PDA.

Figure 9 "The ActiveSync Server tab on the PDA"
2. Now click the Advanced button and specify your username and password; see figure 10 below.

Figure 10 “The ActiveSync Advanced connection options window”
Finally, your device is now configured and you can attempt to synchronize with ActiveSync on your Exchange server.
3. Go back to the main ActiveSync window on your device and click Sync. If everything is configured correctly, your device will sync. To check, go back to the main window of your device and open the Inbox program; it should display your recent email, and if you selected calendar and contact items they will also be available from the “Calendar” and “Contacts” programs on your device. Figures 11 & 12 below show the Inbox program and items from my Exchange server.

Figure 11 “The inbox on the Inbox program”

Figure 12 “An email item in the inbox program”
Main things to remember when setting up Exchange ActiveSync
If you are still having problems, have a look at the Exchange ActiveSync Frequently Asked Questions page or post a message to one of the following Microsoft public newsgroups:
Microsoft.public.exchange.admin
Microsoft.public.exchange.mobility
Microsoft ActiveSync Frequently Asked Questions page:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/actsyncfaq.mspx