Why Exchange ActiveSync fails with NAT firewalls


Brien Posey, Microsoft Exchange MVP
05.01.2008


Implementing ActiveSync in an Exchange 2003 organization facilitates mobile device synchronization. However, doing so in an environment that has Exchange 2003 servers located behind a network address translation (NAT) firewall causes synchronization failures. There's no single solution for this ActiveSync issue, but understanding why ActiveSync fails with NAT firewalls can help in the troubleshooting process.

The basic idea behind NAT is that there aren't enough IPv4 addresses to go around, so most ISPs give subscribers a single, publicly accessible IP address. This address is assigned to the NAT firewall, and all machines behind the firewall have private IP addresses that are only valid from within the network perimeter.

When a machine needs to communicate externally, it sends the request to the NAT firewall. The NAT firewall then acts as a proxy and makes the request on behalf of the machine. When the response comes back, the NAT firewall forwards the response to the requesting machine.

When servers are made available to the outside world, but those servers are behind a NAT firewall, port forwarding is often used. For example, an organization may have an Exchange server behind a NAT firewall, and that server must be able to receive external SMTP messages.

In such a case, the MX record on the DNS server that is authoritative for the domain would point to the NAT firewall, not to the Exchange server itself since that IP address isn't accessible externally. The NAT firewall is then configured with a port-forwarding rule that forwards any inbound SMTP traffic to the Exchange server's private IP address.

The first problem with using Exchange ActiveSync in conjunction with NAT is that many ISPs only lease dynamic IP addresses. For example, the ISP that I use reassigns IP addresses every few hours to prevent subscribers from hosting their own servers.

Frequently changing public IP addresses can cause some problems with trying to host services, because the DNS records for the domain must point to the organization's public IP address. There are technologies for keeping DNS records up-to-date, but some mobile devices cache DNS records. This cache may not be renewed frequently enough to keep pace with IP address changes.

If you have static IP addresses and Exchange ActiveSync isn't working correctly, then the problem most likely is related to your SSL certificates. Typically, when you enable Exchange ActiveSync, wireless clients synchronize using SSL encryption. SSL encryption requires the use of an SSL certificate, which contains the server's fully qualified domain name (FQDN) and IP address. This can be problematic.

When clients attempt to synchronize, they connect to the NAT firewall, not directly to the Exchange Client Access server (CAS). The NAT firewall forwards the request to the server, which responds. The server attempts to establish SSL encryption using its certificate. However, the server's output is proxied back through the NAT firewall, which has a different IP address than the server.

Because the organization has one public IP address, that address is used for all outbound communications. The client thinks that the response is coming from the NAT firewall's IP address, rather than the Exchange server's IP address. The SSL certificate contains the server's IP address; therefore, the client thinks the certificate is invalid.

One solution is to create a host entry on the mobile device for the FQDN to which the SSL certificate is issued, so that the device connects by that name. Windows Mobile devices don't support a hosts file, but you can add the necessary host record to the device's registry. Host information can be entered into the mobile device's registry at: HKEY_LOCAL_MACHINE\comm\tcpip\host.
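The two failure modes above, a device whose cached DNS answer outlives a dynamic public address and a certificate whose name does not match what the device connected to, are easy to reason about in a small offline model. The following Python is an added example, not code from the original tip or from Microsoft; the certificate, hostnames and addresses are constructed (RFC 5737 and RFC 1918 ranges), the `DeviceResolver` class stands in for a phone's resolver with a TTL cache and a local host override (the registry host entry the tip mentions), and the certificate check is modelled as a hostname-to-certificate-name comparison.

```python
"""Added example (not from the original tip): model of a mobile device
resolving the Exchange server's name and checking its certificate when
the server sits behind a NAT firewall.  All names/addresses constructed."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed certificate, issued to the name the server knows itself by.
SERVER_CERT = {
    "subject_cn": "mail.example.com",
    "subject_alt_names": ["mail.example.com", "exchange.example.internal"],
}


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """RFC 6125-style match of the name the client used against the
    certificate's subject alternative names (falling back to the CN).
    A wildcard may only stand for the whole leftmost label.  An IP literal
    never matches a DNS name: that is the mismatch a device sees when it
    reaches the server through the firewall's public address."""
    try:
        ipaddress.ip_address(hostname)
        return False  # connected by address, not by a certified name
    except ValueError:
        pass
    names = cert.get("subject_alt_names") or [cert["subject_cn"]]
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if "*" in name and (pat_labels[0] != "*" or any("*" in p for p in pat_labels[1:])):
            continue  # wildcard anywhere but the leftmost label is invalid
        if all(p == "*" or p == h for p, h in zip(pat_labels, host_labels)):
            return True
    return False


class DeviceResolver:
    """A mobile device's resolver: positive cache honouring TTL, plus a
    local host override standing in for the registry host entry."""

    def __init__(self, upstream: Dict[str, Tuple[str, int]],
                 host_overrides: Optional[Dict[str, str]] = None):
        self.upstream = upstream            # name -> (address, ttl_seconds)
        self.overrides = host_overrides or {}
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (addr, expiry)

    def resolve(self, name: str, now: float) -> str:
        if name in self.overrides:          # host entry wins over DNS
            return self.overrides[name]
        hit = self.cache.get(name)
        if hit and hit[1] > now:            # cached answer still within TTL
            return hit[0]
        address, ttl = self.upstream[name]
        self.cache[name] = (address, now + ttl)
        return address


def stale_cache_demo() -> Tuple[str, str]:
    """ISP reassigns the public address while the device's cached answer is
    still valid: returns the address used before and after the change."""
    upstream = {"mail.example.com": ("203.0.113.10", 86400)}  # day-long TTL
    device = DeviceResolver(upstream)
    before = device.resolve("mail.example.com", now=0)
    upstream["mail.example.com"] = ("203.0.113.77", 86400)   # dynamic DNS updated
    after = device.resolve("mail.example.com", now=3600)     # an hour later
    return before, after        # both the old address: sync goes nowhere


def sync_check(target: str, resolver: DeviceResolver, now: float = 0.0) -> dict:
    """What the device ends up connecting to, and whether it would accept
    the server's certificate for the name it used."""
    try:
        ipaddress.ip_address(target)
        address = target
    except ValueError:
        address = resolver.resolve(target, now)
    return {"address": address,
            "certificate_accepted": hostname_matches_cert(target, SERVER_CERT)}


if __name__ == "__main__":
    print("stale cache:", stale_cache_demo())
    # Connecting by the firewall's public address: certificate rejected.
    print(sync_check("203.0.113.10", DeviceResolver({})))
    # Host entry maps the certificate's FQDN to the public address: accepted.
    pinned = DeviceResolver({}, {"mail.example.com": "203.0.113.10"})
    print(sync_check("mail.example.com", pinned))
```

The last two calls show the point of the registry host entry: the device still reaches the NAT firewall's public address either way, but only when it connects by the FQDN on the certificate does the name check pass. The stale-cache run shows why a day-long TTL defeats dynamic DNS on a device that does not refresh its cache.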


Another possible solution is to replace your NAT firewall with an ISA Server. This is a viable option because ISA Server can act as a NAT firewall and offers a feature called SSL bridging, which allows the end user to establish an SSL session with the ISA Server itself. The client doesn't have to establish the session with the Exchange server that sits behind it. The ISA Server can establish a separate SSL session with the Exchange server and act as a type of SSL proxy.

Configuring SSL bridging can be tricky because you must export your Client Access server's SSL certificate and add it to the ISA Server's certificate store. Microsoft offers more information on SSL bridging.

About the author: Brien M. Posey, MCSE, is a four-time recipient of Microsoft's Most Valuable Professional Award for his work with Windows Server, Internet Information Server (IIS) and Exchange Server. Brien has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox. You can visit Brien's personal web site at www.brienposey.com.


