Building better businesses… with Technology
29 Jun
I also could not get a clean Test-OutlookWebServices in Exchange 2007 SP1, as Joel Stidley mentions in his post here.
But prior to that I was getting “403: Permission Denied” errors. Nothing I tried worked.
So I ended up removing just the Exchange Web Services (EWS) virtual directory with Remove-WebServicesVirtualDirectory and recreating it with New-WebServicesVirtualDirectory. This restored EWS to its defaults and fixed my 403 problem quickly.
Then I started getting the “401: Unauthorized” error that Joel mentions in his post. I opted for Method 2 (no reboot).
After that, my EWS came up without any issues…
I tested inside and outside hosts with Outlook and Communicator, all passed.
Test-OutlookWebServices ran clean.
Outlook connection status (ctrl-right click on running icon) and Test Autoconfiguration all were clean and reconnected quickly.
Event logs were all clean to boot!!!!!
To make things even better, I was then able to switch Outlook RPC/HTTP authentication to NTLM and it worked flawlessly! Previously, for some reason, it only worked in Basic mode, which under some circumstances annoyed outside users with unnecessary credential prompts.
We in IT are responsible for enforcing the fewest credential checks necessary without compromising anyone’s security. Credential checks should also use the most secure and resilient form of communication available at the time of the check.
So if your Outlook RPC/HTTP and/or Communicator are complaining about communicating with Exchange, my first step would be to rebuild EWS.
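The rebuild described above as an added Exchange Management Shell example (these are not the post's own commands, and the 401 fix from Joel's post is not reproduced here); the server name, web site name and test mailbox are placeholders:

```powershell
# Added example, not the post's own commands: rebuild the EWS virtual directory to its
# defaults, verify with Test-OutlookWebServices, and only then switch Outlook Anywhere
# (RPC/HTTP) to NTLM. Run from the Exchange Management Shell on the Client Access server.
# Assumptions: $server, $site and $testUser are placeholders; the "SERVER\EWS (Default Web
# Site)" identity form is the standard Exchange 2007 virtual directory identity.
$server   = "CAS01"                        # placeholder Client Access server name
$site     = "Default Web Site"             # IIS web site hosting EWS
$testUser = "testuser@example.com"         # placeholder mailbox used for the test

# Record the current URLs so the rebuilt directory keeps the same internal/external names
$old = Get-WebServicesVirtualDirectory -Identity "$server\EWS ($site)"
if ($old -eq $null) { throw "No EWS virtual directory found on $server" }
Write-Host "Saved InternalUrl=$($old.InternalUrl) ExternalUrl=$($old.ExternalUrl)"

# Remove and recreate: New-WebServicesVirtualDirectory creates it on the local server
Remove-WebServicesVirtualDirectory -Identity "$server\EWS ($site)" -Confirm:$false
if ($old.ExternalUrl) {
    New-WebServicesVirtualDirectory -WebSiteName $site `
        -InternalUrl $old.InternalUrl -ExternalUrl $old.ExternalUrl
} else {
    New-WebServicesVirtualDirectory -WebSiteName $site -InternalUrl $old.InternalUrl
}

# Verify: stop here if Test-OutlookWebServices still reports any Error-type result
$results  = Test-OutlookWebServices -Identity $testUser
$failures = $results | Where-Object { $_.Type -eq "Error" }
if ($failures) {
    $failures | Format-List Id, Type, Message
    throw "Test-OutlookWebServices reported errors; leave Outlook Anywhere on Basic for now"
}

# EWS is clean: move Outlook Anywhere from Basic to NTLM and show the resulting setting
Set-OutlookAnywhere -Identity "$server\Rpc ($site)" -ClientAuthenticationMethod Ntlm
Get-OutlookAnywhere -Server $server | Format-List Identity, ClientAuthenticationMethod
```

Keep the saved URLs handy: if a custom InternalUrl/ExternalUrl was in use, Autodiscover hands those values to Outlook, so a rebuilt directory with different URLs breaks clients again.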
20 Sep
Before you install the Unified Messaging Role in Exchange 2007, you’ll need to have the following updates already installed:
- Windows Media Encoder 9 Series x64 Edition
- Fix KB917312 (info on the fix here)
All of the system and role requirements are listed in the Exchange 2007 System Requirements document.
After the UM role is set up, you can enable integration with Office Communications Server 2007 by running "exchucutil.ps1" from the scripts directory of your Exchange 2007 install media/directory. Run this from the Exchange Management Shell. Then reboot your OCS server. Verify all is working by looking at the events with source “OCS Exchange Unified Messaging Routing” in the OCS category in your Event Log.
20 Sep
When building a Query-based Distribution Group in Exchange 2003/2007, the GUI does not allow you to filter out disabled users or hidden users.
This has greatly limited the effectiveness of such groups for my work, until now!
Using ADSIEDIT.MSC you can modify the LDAP filter easily to resolve this issue.
Steps:
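One way to make the same LDAP filter change from the shell rather than by hand in ADSIEDIT, as an added example that is not the post's own steps; the group DN is a placeholder, and it assumes the group's LDAP filter lives in the msExchDynamicDLFilter attribute:

```powershell
# Added example, not the post's own steps: append "not disabled" and "not hidden" clauses to
# an existing query-based distribution group's LDAP filter using ADSI.
# Assumptions: $groupDn is a placeholder; msExchDynamicDLFilter holds the group's LDAP filter.
$groupDn = "CN=All Staff,OU=Groups,DC=example,DC=com"   # placeholder group DN
$group   = [ADSI]("LDAP://" + $groupDn)
$current = [string]$group.msExchDynamicDLFilter

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; bit 2 of
# userAccountControl is ACCOUNTDISABLE, so this clause keeps only enabled accounts.
$notDisabled = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
# Users hidden from address lists carry msExchHideFromAddressLists=TRUE; users without the
# attribute at all still match the negated clause, which is what we want.
$notHidden   = "(!(msExchHideFromAddressLists=TRUE))"

function Add-ExclusionClauses([string]$filter) {
    # Wrap the GUI-built filter in an AND with the two exclusions, skipping any already present
    $clauses = @($filter)
    if (-not $filter.Contains($notDisabled)) { $clauses += $notDisabled }
    if (-not $filter.Contains($notHidden))   { $clauses += $notHidden }
    if ($clauses.Count -eq 1) { return $filter }        # nothing to add
    return "(&" + [string]::Join("", $clauses) + ")"
}

$new = Add-ExclusionClauses $current
Write-Host "Old filter: $current"
Write-Host "New filter: $new"
if ($new -ne $current) {
    $group.Put("msExchDynamicDLFilter", $new)
    $group.SetInfo()                                    # commit the change to AD
}
```

On Exchange 2007 the supported route for dynamic distribution groups is Set-DynamicDistributionGroup with a -RecipientFilter, which maintains this attribute for you; the direct edit above matches what the ADSIEDIT approach does.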
12 Jul
I hope Apple doesn’t leave the iPhone this way. It’s too important for IT people to know the phones with their corporate data are safe. You only have to look at CNN any given week to see all the ways that corporate data ends up leaving the office and becomes susceptible.
IMAP is *NOT* a long-term solution for Corporate America. It’s fine for your home email, but not for your work.
If you do use IMAP with your iPhone, make sure it’s at least IMAP/SSL. This is supported with Exchange 2003 and Exchange 2007.
One employee in our office got the iPhone the day it came out, without any warning to us IT folks ;), and we had to open IMAP/SSL for him. It’s working fine for him; the lack of push or calendaring is limiting, but it’s better than nothing.
There has been a lot of speculation about the iPhone and its abilities to connect to Microsoft Exchange Server. For instance, Wall Street Journal columnist Walt Mossberg mentions in his June 26 All Things Digital column that, “It [the iPhone] can also handle corporate email using Microsoft’s Exchange system, if your IT department cooperates by enabling a setting on the server.”
Technically this is correct, as today iPhone users can connect to Microsoft Exchange using IMAP. There are, however, some significant differences in the mobile device experience and IT professional capabilities supported by IMAP on the iPhone and those enabled by Exchange ActiveSync (EAS) for compatible devices. EAS is a protocol that provides rich messaging experiences for over 200 different smartphones right out of the box. These smartphones include Windows Mobile devices as well as phones from a broad range of 3rd parties including Helio, Motorola, Nokia, Palm, Sony Ericsson and others.
Comparing IMAP and EAS at a high level: IMAP provides an adequate mobile email experience (but is subject to some important limitations), whereas EAS provides a more secure, complete companion experience to Outlook and Outlook Web Access (OWA) for the mobile device. To better understand this comparison, let’s look at IMAP on the iPhone and EAS in a bit more detail from several perspectives:
- Mobile email
- The mobile experience beyond email
- Security
IMAP enables an adequate mobile email experience; EAS enables the additional pieces that make mobile email great
Both IMAP and EAS give the mobile client the capability to read email with rich HTML formatting, view the inbox as well as its subfolders, and reply/reply-all/forward/compose email (technically, the iPhone uses SMTP to send email; SMTP for outbound email is configured along with IMAP during Exchange account setup on the device).
EAS also supports capabilities for:
- Direct Push, which provides an up-to-date messaging experience designed for mobile networks
- Email flagging to improve the triage experience on the device
- AutoDiscover to simplify the process of setting up a new device over-the-air
- Server-side logic to preserve the formatting of rich email on reply/forward if the mobile client doesn’t support rich html editing (most don’t)
- Numerous bandwidth optimizations to reduce data charges and improve battery life
EAS enables a rich collaboration experience beyond email
A significant part of the Exchange user experience goes beyond email. The IMAP protocol only supports email. EAS is designed to enable a great over-the-air companion experience to Outlook and OWA and supports many facets of Exchange beyond email, including:
- Contact synchronization - view, create and update contacts
- Calendar synchronization - view, create & update appointments, schedule meetings, and accept/decline/propose new time for meeting requests
- Global Address List (GAL) lookup - look-up users in your corporate directory
- Tasks synchronization
- Out-of-office (OOF) email responses - turn on/off and change the OOF message directly from your mobile phone
- Access to documents stored in Sharepoint document libraries and UNC shares
- Search your entire mailbox on the server regardless of what’s cached on the mobile phone
- Allowing users to manage their mobile device(s) using OWA - see device activity, help retrieve forgotten PIN, remotely wipe lost device, etc
EAS and IMAP both secure data on the network; EAS also protects data once it’s on the device
From an IT department’s perspective, this is a highly important distinction between IMAP and EAS.
Both IMAP and EAS allow IT to ensure data and credentials are protected on the network by encrypting them via SSL.
Many IT departments require support for additional security measures to protect data on the device as well (not just over the network) to guard against loss or theft before they are willing to let users connect to Exchange from the Internet using a given protocol. Only EAS addresses this requirement by enabling IT to implement and enforce security policies that protect the data once it’s on the device. There are a number of these policies supported by EAS today, and we continue to add more; some key examples are:
- Requiring a PIN lock on the device
  - IT also has a number of controls dictating the strength of the PIN, timeout, etc., as well as the ability to recover forgotten PINs
- Local and Remote Wipe
  - IT can require that the device erase all data (including data on the SD card) in the event that (1) the PIN is incorrectly entered an IT-specified number of times or (2) IT or the user issues a remote wipe command from the admin console or OWA
- Blocking attachment download to the device
- Limiting which Sharepoint libraries / UNC shares the user can access
Because IMAP does not support these security policies, many IT departments have decided not to enable mobile device (or any Internet client) access to email via IMAP. EAS on the other hand is seeing increasingly broad adoption by IT departments.
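The device-side protections listed above, plus the IMAP/SSL advice from the earlier iPhone post, expressed as an added Exchange 2007 Management Shell example (not part of the Exchange team's post); the policy name and mailbox are placeholders and the policy values are illustrative choices:

```powershell
# Added example, not from the post: an ActiveSync mailbox policy enforcing the device-side
# protections the post lists (PIN lock, wipe after repeated bad PINs, PIN recovery, no
# attachment download, no SharePoint/UNC access), assigned to a user whose IMAP access is
# then switched off. Assumptions: $policyName and $mailbox are placeholders.
$policyName = "Corporate Mobile"           # placeholder policy name
$mailbox    = "user@example.com"           # placeholder mailbox

# Create the policy once; every value below is an illustrative choice, not a recommendation
if (-not (Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName })) {
    # PIN lock: required, alphanumeric, at least 6 characters, lock after 15 idle minutes
    # Wipe: device erases itself after 8 wrong PINs; IT can recover a forgotten PIN via OWA
    # Data: no attachment download, no UNC/SharePoint access, no non-provisionable devices
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $true `
        -MinDevicePasswordLength 6 -MaxInactivityTimeDeviceLock "00:15:00" `
        -MaxDevicePasswordFailedAttempts 8 -PasswordRecoveryEnabled $true `
        -AttachmentsEnabled $false -UNCAccessEnabled $false -WSSAccessEnabled $false `
        -AllowNonProvisionableDevices $false
}

# Assign the policy and turn IMAP off for this mailbox so the only mobile path is EAS
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName `
    -ActiveSyncEnabled $true -ImapEnabled $false

# Where IMAP must stay on (the iPhone case), allow only SSL-protected logins on this CAS.
# Set-ImapSettings writes the config; the IMAP4 service must be restarted to pick it up.
Set-ImapSettings -LoginType SecureLogin
Restart-Service MSExchangeIMAP4

Get-CASMailbox -Identity $mailbox | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy, ImapEnabled
```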
Summary
Microsoft Exchange does have IMAP support that provides for an adequate email experience. The iPhone can access email via IMAP if the IT department has enabled IMAP connectivity for users. However, IMAP has limitations from both an IT and user standpoint with respect to security and richness of experience that prevent it from being a complete solution for mobile device access to Microsoft Exchange.
Exchange ActiveSync on the other hand provides a very rich email and collaboration experience for end-users as well as support for the important security measures needed for IT.
| Feature | Exchange ActiveSync | IMAP4 | IMAP client for iPhone |
|---|---|---|---|
| Push Email | Yes | Yes (through IDLE command) | No – pull email only |
| HTML email formatting | Yes | Yes | Yes |
| Attachment download | Yes | Yes | Yes (view only) |
| Search | Yes | Yes | No |
| Calendar | | | |
| Calendar Sync | Yes | No | No |
| Accept/Decline meeting requests | Yes | No | No |
| Contacts | | | |
| Contact Sync | Yes | No | No |
| Global Address List (GAL) lookup | Yes | No | No |
| Tasks | | | |
| Task Sync | Yes | No | No |
| Out of Office | | | |
| Out-of-office (OOF) email settings | Yes | No | No |
| Document Access | | | |
| Fileshare (SMB) and/or Sharepoint Document Library Access | Yes | No | No |
| Security | | | |
| Enforce security policies to protect data on device | Yes | No | No |
* All were tested using Exchange Server 2007
Mobile Device Connectivity to Exchange using IMAP vs Exchange ActiveSync
5 Jul
I kept getting MSExchange ActiveSync 1040 warning events on many client’s Exchange servers (2003 and 2007). The event itself sent me to http://support.microsoft.com/kb/905013 (thanks Microsoft, that does help!) which pointed to a firewall issue.
Since we are using Cisco routers at these sites, I did a quick Google and turned up nothing. Darn, time to hit the books.
I threw the following command in to modify the timeout in the CBAC inspect of HTTPS. I set the timeout to 10 minutes.
ip inspect name <inspectname> https timeout 600
So far the warning event hasn’t shown back up…