Using ActiveSync without a front-end Exchange server

If an organization doesn't use a dedicated front-end Exchange server, it's very common for users to receive the HTTP_500 error, along with a message stating that "Synchronization failed due to an error on the server." This occurs because Exchange ActiveSync uses the /Exchange virtual directory to access DAV on the back-end Exchange server. While this isn't a problem, there are two conditions that can prevent the /Exchange virtual directory from working properly.

• If no front-end server is present, the /Exchange virtual directory cannot be configured to require Secure Sockets Layer (SSL). If SSL is required, directory access will fail. This is only the case for back-end Exchange servers. If the /Exchange virtual directory is located on a front-end server, then SSL is supported and recommended.
• If forms-based authentication is enabled, you can't enable it on a back-end Exchange server if you want to use ActiveSync. Enabling forms-based authentication on a front-end Exchange server isn't problematic.

There are two ways to correct a forms-based authentication failure. The preferred method is to deploy a front-end Exchange server. If you're trying to use ActiveSync without a dedicated front-end server, deploying one may not be an option because of budgetary issues. A workaround that involves editing the mailbox server registry can be helpful in this situation. I recommend making a full-system backup before continuing.

More on Exchange ActiveSync: How to solve common ActiveSync error messages Exchange ActiveSync tips and tutorials ActiveSync and front-end DNS aliases

If you have SSL and/or forms-based authentication enabled, there is probably a logical reason for this. They don't need to be disabled permanently. Instead, we will create a second instance of the /Exchange virtual directory that doesn't require SSL or use forms-based authentication. Before beginning this procedure, disable forms-based authentication on your /Exchange virtual directory. You can re-enable it afterward.

1. Open the Internet Information Services (IIS) Manager, and navigate through the console tree to the \Web Sites\Default Web Site\Exchange container.
2. Right click on the Exchange container, and choose the All Tasks -> Save Configuration to a File commands from the menu. You will be prompted to enter a path and a filename. You can name the file anything that you want.
3. Go into the IIS Manager's console tree to the Default Web Site container. Right click on this container, and choose the New -> Virtual Directory (From File) commands.
4. Windows will display the Import Configuration dialog box. Click Browse, choose the file that you created earlier and click Open and then Read File. You should now see the Exchange virtual directory listed in the Import Configuration dialog box (Figure 1).


Figure 1. The Exchange virtual directory will be listed in the Import Configuration dialog box.

5. Select your virtual directory, and click OK. A screen will ask if you want to create a new virtual directory or replace the existing one. Select the option to create a new virtual directory, and enter Exchange-OMA as the directory's alias. The virtual directory that you have just created should now be listed among the list of virtual directories, as shown in Figure 2.


Figure 2. The new Exchange virtual directory will be listed in the IIS Manager console.

6. To configure the new virtual directory, right click on it and choose Properties from the menu. The console will display the virtual directory's properties sheet.
7. Go to the Directory Security tab and click Edit from the Authentication and Access Control section. The console then will open the Authentication Methods dialog box. Make sure that either the Integrated Windows Authentication or Basic Authentication checkbox is selected – not both. Figure 3 shows what this will look like.


Figure 3. Select either the Integrated Windows Authentication or Basic Authentication checkbox.

8. Click OK, and then click the Edit button found in the IP Address and Domain Name Restrictions section.
9. When the IP Address and Domain Name Restrictions dialog box appears, click the Denied Access button and then click Add. Choose Single Computer, enter the server's IP address and then click OK.
10. Click Edit in the Secure Communications section. When IIS displays the Secure Communications dialog box, be sure that the Require Secure Channel (SSL) checkbox isn't selected.
11. Click OK twice and then close the IIS Manager.

You must modify the server's registry to make Exchange Server aware that the virtual directory you created exists. To do so:

1. Open the Registry Editor and navigate through the tree to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MassSync\Parameters
2. Right click on the Parameters container and choose New -> String Value.
3. Enter ExchangeVDir as the value's name. NOTE: This value name is case sensitive.
4. Right click on the value you created, and choose Modify from the menu. Enter the name of the new virtual directory -- /Exchange-OMA.
5. Click OK, close the Registry Editor and reboot the server.

About the author: Brien M. Posey, MCSE, has previously received Microsoft's MVP award for Microsoft Exchange, Windows Server and Internet Information Server (IIS). He has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Mobile Devices Top 5 Exchange ActiveSync tips Windows Mobile 6.5 touts Internet Explorer, OWA improvements Windows Mobile 6.5 touts ActiveSync and Outlook Mobile improvements What are your options for sending text messages from Outlook 2007? Using Mobile Device Manager 2008 server roles in Exchange 2007 Understanding Exchange Server 2007 SP1 mobile security settings Synchronized Exchange mobile device showing deleted appointment Which ActiveSync authentication method is best for your mobile device? Disable ActiveSync in bulk with Exchange Management Shell commands Configuring ActiveSync authentication in Exchange Server 2007 Exchange Server Administration Tips Remove Exchange 2003 objects from AD to install Exchange 2010 Is your Exchange 2007 hub transport server healthy? Avoid Outlook 2007 performance issues during repairs Developing an Exchange 2007 server role DR plan How DSAccess service improves Exchange Server 2007 reliability An introduction to the Exchange Remote Connectivity Analyzer tool Monitor Exchange 2007 with disk- and RPC-related counters DPM 2007 replica inconsistencies in Exchange databases Track Exchange 2007 mailbox server health using database counters Digging deeper into Exchange Server 2010 RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.