ActiveSync Architecture and You

An increasing number of people that I know are toting Motorola's MPx200 Smartphone, which is powered by the Windows Mobile OS. This nifty phone can do some valuable things, chiefly synchronize your email, calendar, and contact data wirelessly through Exchange Server 2003's ActiveSync component. I've written about Exchange ActiveSync before (see the UPDATE commentary "Improving Mobile Access to Exchange 2003")--and my editors will kill me if I try to turn this column into "Smartphone UPDATE"--but with ActiveSync's popularity on the upswing, I want to mention some interesting subtleties that you'll need to be aware of if you're considering using ActiveSync on your network.

First (as always) is security. Exchange ActiveSync uses TCP port 443, period. There's no way to make it use Secure Sockets Layer (SSL) over an alternate port, so you need to make provisions to allow SSL traffic from the Internet to the Exchange server running ActiveSync. Having SSL accelerators or termination devices (such as Microsoft Internet Security and Acceleration--ISA--Server 2000 or later) in the path is fine, as long as you've properly configured those devices. If you like, you can use a self-issued certificate for SSL, but doing so will require you to install the root Certificate Authority (CA) certificate on your phones. Using a Thawte- or VeriSign-issued certificate (or one from another CA whose root certificate is preinstalled on the phones you're using) is well worth the additional expense from a life-cycle-cost standpoint. Loading certificates onto phones is a manual process and doesn't scale well.

Second is segmentation. You can quickly enable or disable ActiveSync for individual users through Exchange System Manager (ESM) or by setting the value of the msExchOmaAdminWirelessEnable Active Directory (AD) attribute to 4. The latter approach works well for enabling ActiveSync access by group. Another suggestion: Set up a separate DNS name, such as, for your ActiveSync users. Doing so gives you the flexibility to change some aspects of your Exchange topology without breaking the users' wireless access.

Fortunately, you don't have to completely move off earlier versions of Exchange to get ActiveSync for your users. Exchange 2003 is perfectly happy to use ActiveSync to serve mailboxes in a mixed-mode Exchange organization, although you will need to update the organization with Exchange 2003's schema changes. In conjunction with a separate DNS name space, using a separate server gives you an easy way to pilot ActiveSync: Add an Exchange 2003 server, publish its SSL port through your firewall, and set up a separate DNS name.
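The two checks the security and pilot paragraphs imply, whether the chain served on port 443 ends in a root the phones trust and whether the ActiveSync virtual directory behind it is actually published, as an added Python example that is not from the original column. The root-CA PEM file standing in for a self-issued root loaded onto the phones, and the OPTIONS probe answering 401 until credentials are supplied, are assumptions.

```python
"""Check an Exchange ActiveSync endpoint the way a Windows Mobile phone sees it."""
import http.client
import socket
import ssl

EAS_PATH = "/Microsoft-Server-ActiveSync"  # the ActiveSync virtual directory
EAS_PORT = 443                             # Exchange ActiveSync is fixed to TCP 443

def make_context(root_ca_pem=None):
    """No argument: trust the local store (stand-in for a root preinstalled on the
    phone). root_ca_pem: trust only that file, i.e. a self-issued root loaded by hand."""
    if root_ca_pem is None:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=root_ca_pem)
    return ctx

def check_chain(host, root_ca_pem=None, timeout=10):
    """Return (trusted, detail). trusted is False when the chain ends in an untrusted
    root or the certificate name does not match host: exactly what a phone rejects."""
    try:
        with socket.create_connection((host, EAS_PORT), timeout=timeout) as raw:
            with make_context(root_ca_pem).wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(pair[0] for pair in cert["issuer"])
                return True, "issued by %s, expires %s" % (
                    issuer.get("organizationName", "?"), cert["notAfter"])
    except ssl.SSLCertVerificationError as err:
        return False, "untrusted chain: " + err.verify_message
    except OSError as err:  # ssl.SSLError is an OSError subclass
        return False, "no usable TLS on %s:%d (%s)" % (host, EAS_PORT, err)

def parse_protocol_versions(header_value):
    """MS-ASProtocolVersions is a comma-separated list such as '1.0,2.0,2.1'."""
    return [v.strip() for v in header_value.split(",") if v.strip()]

def probe_virtual_directory(host, root_ca_pem=None, timeout=10):
    """OPTIONS on the virtual directory: 401 means it is published and wants
    credentials (assumed); 200 also carries the protocol versions the server speaks."""
    conn = http.client.HTTPSConnection(host, EAS_PORT, timeout=timeout,
                                       context=make_context(root_ca_pem))
    try:
        conn.request("OPTIONS", EAS_PATH)
        resp = conn.getresponse()
        return resp.status, parse_protocol_versions(resp.getheader("MS-ASProtocolVersions", ""))
    finally:
        conn.close()
```

Run check_chain() against the separate ActiveSync DNS name first, and only when it reports a trusted chain call probe_virtual_directory(); pass the root-CA PEM path as the second argument to model the self-issued-certificate case.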

The ability to get Exchange data wirelessly is becoming more and more popular, and I expect continued and widespread adoption of ActiveSync, especially as more manufacturers roll out devices that can use the feature. If you've got stories to tell--good or bad--about deploying ActiveSync in your organization, I'd love to hear them.
