30 Jul 2012

Log Header Analyzer

A very good online tool for analysing e-mail headers

http://www.mxtoolbox.com/EmailHeaders.aspx

5 May 2012

Replication issue after moving the log path


Situation: the log disk filled up, there was panic about database corruption, nobody consulted the checkpoint before deleting logs, and the decision was to move the log path after dismounting the database and breaking the replica.

Consequence: when the logs are moved back to the original path and the replica is rebuilt, the copy queue length refers to logs that no longer exist and the copy stays resynchronizing forever, so the redundancy of the replica is lost.

Solution:
1. The replica was broken.
2. Back up the active copy so the logs get flushed and the log shipping backlog is minimal.
3. Re-create the replica without letting it seed.
4. Dismount the active database.
5. Delete all the old files on the passive server, logs and database if there are any (both directories must be left completely empty: delete databases, logs and folders).
6. Start a manual copy of the database from the active to the passive server; this guarantees an identical copy on both servers without depending on the replica's log shipping.
7. Keep one eye on the Microsoft support phone number in case things went up in smoke :D
8. Once the copy finishes, mount the database on the active server.
9. Resume the replica.
10. The content index was in Crawling and I didn't trust it much because I couldn't see it being generated, so I forced it with -CatalogOnly.
11. Tell my boss I'm taking a week in the Caribbean as a reward :D


[PS] C:\Windows\system32>Get-MailboxDatabaseCopyStatus -identity D2VIP07

Name                                          Status          CopyQueue ReplayQueue LastInspectedLogTime   ContentIndex
                                                              Length    Length                             State
----                                          ------          --------- ----------- --------------------   ------------
D2VIP07\XXXXXX                            Healthy         255       848351      5/5/2012 3:04:11 AM    Crawling
D2VIP07\XXXXXX                            Mounted         0         0                                  Healthy


[PS] C:\Windows\system32>Resume-MailboxDatabaseCopy D2VIP07\XXXXXX
[PS] C:\Windows\system32>Get-MailboxDatabaseCopyStatus -identity D2VIP07

Name                                          Status          CopyQueue ReplayQueue LastInspectedLogTime   ContentIndex
                                                              Length    Length                             State
----                                          ------          --------- ----------- --------------------   ------------
D2VIP07\XXXXXX                           Healthy         0         2941        5/5/2012 3:42:01 AM    Crawling
D2VIP07\XXXXXX                           Mounted         0         0                                  Healthy


[PS] C:\Windows\system32>Get-MailboxDatabaseCopyStatus -identity D2VIP07

Name                                          Status          CopyQueue ReplayQueue LastInspectedLogTime   ContentIndex
                                                              Length    Length                             State
----                                          ------          --------- ----------- --------------------   ------------
D2VIP07\XXXXXX                            Healthy         0         0           5/5/2012 3:45:29 AM    Healthy
D2VIP07\XXXXXX                            Mounted         0         0                                  Healthy
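The situation above (a copy queue pointing at logs that no longer exist) can be detected before anyone dismounts a database, and the supported way to rebuild a copy is Update-MailboxDatabaseCopy rather than copying the .edb by hand. The following is an added example and is not code from the post; run it from the Exchange Management Shell. The database name D2VIP07 is taken from the output above; the passive server name EXMBX02 is an assumption.

```powershell
# Added example; not code from the post above. Run from the Exchange Management
# Shell. Names are assumptions: database D2VIP07 with its passive copy on EXMBX02.

function Test-CopyCanCatchUp {
    # Returns $true when the first log the passive copy still needs (its last
    # copied generation + 1) exists in the active copy's log folder. If that log
    # is gone, the copy queue can never drain and only a reseed will fix the copy.
    param([string]$Database, [string]$PassiveServer)

    $db      = Get-MailboxDatabase -Identity $Database
    $copies  = Get-MailboxDatabaseCopyStatus -Identity $Database
    $active  = $copies | Where-Object { $_.ActiveCopy }
    $passive = $copies | Where-Object { $_.MailboxServer -eq $PassiveServer }
    if (-not $passive) { throw "no copy of $Database on $PassiveServer" }

    if ($passive.LastLogCopied -ge $active.LastLogGenerated) { return $true }   # nothing outstanding

    # Active log folder reached via the administrative share, e.g. \\EXMBX01\E$\Logs\D2VIP07
    $logUnc = '\\{0}\{1}' -f $active.MailboxServer, ("$($db.LogFolderPath)" -replace ':', '$$')
    # Log file names are <prefix><generation as 8 hex digits>.log, e.g. E0000012345.log
    $needed = '{0}{1:X8}.log' -f $db.LogFilePrefix, ($passive.LastLogCopied + 1)

    if (Test-Path (Join-Path $logUnc $needed)) { return $true }
    Write-Warning ("{0} needs {1} but it no longer exists on {2}" -f $passive.Name, $needed, $active.MailboxServer)
    return $false
}

function Repair-PassiveCopy {
    # Supported reseed: suspend the copy, rebuild database and logs from the active
    # copy, resume. -DeleteExistingFiles removes the stale .edb and logs on the
    # passive side; -CatalogOnly (not used here) would rebuild only the content index.
    param([string]$Identity)    # 'Database\Server'
    Suspend-MailboxDatabaseCopy -Identity $Identity -Confirm:$false
    Update-MailboxDatabaseCopy  -Identity $Identity -DeleteExistingFiles -ManualResume -Confirm:$false
    Resume-MailboxDatabaseCopy  -Identity $Identity
    Get-MailboxDatabaseCopyStatus -Identity $Identity |
        Select-Object Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState
}

$database = 'D2VIP07'
$server   = 'EXMBX02'    # assumed passive server
Get-MailboxDatabaseCopyStatus -Identity $database |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize
if (-not (Test-CopyCanCatchUp -Database $database -PassiveServer $server)) {
    Repair-PassiveCopy -Identity "$database\$server"
}
```

Two practitioner notes. Before deleting logs to free space, read the checkpoint with eseutil /mk on the .chk file in the log folder: logs older than the checkpoint generation are already committed to the database, and a full backup is the supported way to truncate them. And when the passive copy is rebuilt with Update-MailboxDatabaseCopy the active database stays mounted, so users keep working while redundancy is restored.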


30 Mar 2012

What are SPF records? How do we create them in our DNS?

31 03 2008

In this post I want to explain what SPF records are, together with a couple of online utilities that help us create SPF records on our DNS servers.

With these records we prevent, among other things, spoofing of addresses in our mail domain, and we stop other mail servers from rejecting or filtering mail from our domain as spam. One caveat: SPF lets a receiving server check the envelope sender (MAIL FROM) domain against the list of authorized hosts; it does not by itself protect the From: header that the user sees in the mail client.

This convention may in the future be a big blow against spam and other e-mail ills.

SPF stands for Sender Policy Framework, a protection against forged e-mail.

The protection is based on a TXT record that we add to our DNS servers to identify the SMTP servers of our domain. With it we avoid spoofing of our addresses, because we define from which SMTP servers mail for our domain may be sent.

This record is nothing new, but for a while now (at the time of writing, 2008) many mail servers have not been accepting mail from domains that do not have this record configured. Hotmail's servers are one example: for some time they have been refusing mail from domains without an SPF record.

For Hotmail specifically we must create our SPF record and then send an e-mail to senderid@microsoft.com with an empty subject and our domain in the message body. Hotmail will then accept mail from our domain.

An example SPF record in DNS would be:

midominio.com. IN TXT "v=spf1 mx ptr ~all" 

The example declares a text record (IN TXT) for the domain midominio.com with the following SPF description:

  • v= defines the SPF version used (version 1).
  • mx authorizes the hosts whose IP addresses are those of the domain's MX records.
  • ptr authorizes hosts whose reverse DNS (PTR) name is under midominio.com and resolves back to the sending IP. RFC 7208 says ptr SHOULD NOT be used (it is slow, costs extra lookups and depends on the sender's reverse DNS); prefer ip4:, a or mx.
  • ~all soft-fails every host not explicitly authorized: receivers should accept the mail but treat it as suspect. Once the list of senders is known to be complete, -all (hard fail) tells receivers to reject instead.

Here are a couple of wizards that help to create this record:

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

http://old.openspf.org/wizard.html

Once generated, we must talk to the ISP that manages our DNS and ask them to add the record.

VERY IMPORTANT: SPF MUST BE USED WITH GREAT CARE; A MISCONFIGURED RECORD CAN CAUSE OTHER MAIL SERVERS TO REFUSE MAIL FROM OUR DOMAIN.
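To make the record above concrete, here is an added example (not part of the original post) of how a receiving server evaluates "v=spf1 mx ptr ~all" for a given sending IP. The DNS answers are a constructed in-memory table so it runs offline; the three IPs at the end exercise the mx path, the ptr path and the ~all fallthrough. The include: and redirect= mechanisms, IPv6 and the 10-lookup limit of RFC 7208 are deliberately left out.

```powershell
# Added example; not part of the original post. A minimal SPF evaluator showing
# how a receiving server interprets "v=spf1 mx ptr ~all" for a given sending IP.
# The DNS answers below are a constructed in-memory table, so it runs offline.
# Left out on purpose: include:, redirect=, the 10-lookup limit of RFC 7208, IPv6.

# Constructed DNS data for midominio.com, the example domain of the post.
$Dns = @{
    'TXT' = @{ 'midominio.com'      = 'v=spf1 mx ptr ~all' }
    'MX'  = @{ 'midominio.com'      = @('mail.midominio.com') }
    'A'   = @{ 'mail.midominio.com' = @('203.0.113.10')
               'www.midominio.com'  = @('203.0.113.20') }
    'PTR' = @{ '203.0.113.20'       = @('www.midominio.com')
               '198.51.100.7'       = @('mail.otro.example') }
}

function ConvertTo-IPv4Long([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
}

function Test-InCidr([string]$Ip, [string]$Cidr) {
    # Matches ip4:203.0.113.0/24 style arguments; a bare address means /32.
    $parts = $Cidr -split '/'
    $bits  = 32
    if ($parts.Count -gt 1) { $bits = [int]$parts[1] }
    $mask  = ([long]0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF
    return (((ConvertTo-IPv4Long $Ip) -band $mask) -eq ((ConvertTo-IPv4Long $parts[0]) -band $mask))
}

function Test-ARecord([string]$HostName, [string]$Ip) {
    foreach ($a in $Dns['A'][$HostName]) { if ($a -eq $Ip) { return $true } }
    return $false
}

function Test-Spf {
    # Evaluates $Domain's record for $Ip: pass, fail, softfail, neutral or none.
    param([string]$Domain, [string]$Ip)
    $record = $Dns['TXT'][$Domain]
    if (-not $record -or $record -notmatch '^v=spf1(\s|$)') { return 'none' }

    foreach ($term in ($record -split '\s+' | Select-Object -Skip 1)) {
        $qualifier = '+'                                  # default: pass on match
        if ($term -match '^[+\-~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        $name, $arg = $term -split ':', 2
        $target = $Domain
        if ($arg) { $target = $arg }
        $matched = $false

        switch ($name) {
            'all' { $matched = $true }
            'ip4' { $matched = Test-InCidr $Ip $arg }
            'a'   { $matched = Test-ARecord $target $Ip }
            'mx'  { foreach ($mx in $Dns['MX'][$target]) { if (Test-ARecord $mx $Ip) { $matched = $true } } }
            'ptr' {
                # Reverse-map the IP, keep names under the domain, then forward-confirm
                # that the name resolves back to the IP. RFC 7208 says ptr SHOULD NOT be
                # used: slow, extra lookups, and dependent on the sender's rDNS.
                Write-Warning "record for $Domain uses ptr, deprecated by RFC 7208"
                foreach ($rname in $Dns['PTR'][$Ip]) {
                    if (($rname -eq $target -or $rname -like "*.$target") -and (Test-ARecord $rname $Ip)) { $matched = $true }
                }
            }
            default { Write-Warning "mechanism '$name' not implemented here" }
        }

        if ($matched) {
            switch ($qualifier) {
                '+' { return 'pass' }
                '-' { return 'fail' }
                '~' { return 'softfail' }
                '?' { return 'neutral' }
            }
        }
    }
    return 'neutral'   # record present, nothing matched, no explicit all
}

# Constructed test: the MX host, a host authorized only via ptr, and a stranger.
foreach ($ip in '203.0.113.10', '203.0.113.20', '198.51.100.7') {
    '{0,-14} {1}' -f $ip, (Test-Spf -Domain 'midominio.com' -Ip $ip)
}
```

The evaluator returns the qualifier of the first mechanism that matches, which is why the order of terms in a record matters and why "all" must come last. Replacing ~all with -all in the TXT entry of the constructed table turns the stranger's result from softfail into fail, which is the difference between a receiver marking the message and rejecting it.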

26 Jan 2012

Running PowerShell scripts from a scheduled task

In this case I needed to run a simple, basic command to extract the number of users per database; what I did was create a .bat and a .ps1, where the .bat calls the .ps1.

Code of the .bat (powershell.exe is called with -File so the script runs as a script, -NoProfile so no profile script interferes, and -ExecutionPolicy RemoteSigned so a locally created, unsigned script is allowed to run; without that the task fails silently under the default Restricted policy):
@echo off
cd /d C:\Reportescorreo\
powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File .\reporte.ps1

Code of the .ps1:
# reporte.ps1: number of mailboxes per database, for databases named D1*
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Set-Location C:\Reportescorreo\salida\
Remove-Item .\*.txt -ErrorAction SilentlyContinue
Get-MailboxDatabase D1* | Get-Mailbox -ResultSize Unlimited -Verbose |
    Group-Object Database | Select-Object Name, Count | Sort-Object Name |
    Format-Table -AutoSize | Out-File C:\Reportescorreo\salida\out.txt

With both files saved, we create the scheduled task that runs the .bat with the required schedule.
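An unattended task has no console, so an error in the report is lost unless it is written somewhere. The following added example (not from the original post) registers the report as a scheduled task without the .bat wrapper and wraps it in a small runner script that logs success or failure and returns an exit code the Task Scheduler records. The task name, schedule and service account are assumptions.

```powershell
# Added example; not from the original post. Creates a runner script that logs the
# outcome of reporte.ps1, then registers it as a scheduled task that calls
# powershell.exe directly. Task name, schedule and account are assumptions.

$wrapper = 'C:\Reportescorreo\run-reporte.ps1'

# Single-quoted here-string: nothing is expanded here, the text is written verbatim.
@'
# run-reporte.ps1: runs reporte.ps1 with terminating errors on, logs the result,
# and exits non-zero on failure so the task's "Last Run Result" shows it.
$ErrorActionPreference = 'Stop'
$log = 'C:\Reportescorreo\salida\reporte.log'
try {
    & 'C:\Reportescorreo\reporte.ps1'
    Add-Content -Path $log -Value ('{0} OK' -f (Get-Date -Format s))
    exit 0
} catch {
    Add-Content -Path $log -Value ('{0} FAILED: {1}' -f (Get-Date -Format s), $_.Exception.Message)
    exit 1
}
'@ | Set-Content -Path $wrapper -Encoding ASCII

# Task action: -NoProfile avoids profile side effects, -NonInteractive prevents a
# hung prompt, -ExecutionPolicy RemoteSigned lets a local unsigned script run, and
# -File makes the script's exit code the process exit code.
$action = "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$wrapper`""

# /RP * prompts for the account's password instead of putting it on the command line;
# /RL LIMITED runs the task without elevation.
schtasks.exe /Create /F /TN 'Exchange\MailboxCountReport' /SC DAILY /ST 06:00 `
    /RU 'MIDOMINIO\svc-exreport' /RP '*' /RL LIMITED /TR $action

schtasks.exe /Query /TN 'Exchange\MailboxCountReport' /V /FO LIST
```

The account the task runs as only needs to read mailbox and database objects, so make it a member of the built-in View-Only Organization Management role group rather than using an Exchange administrator account; that way a compromised or mis-scheduled report cannot change anything.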

13 Jan 2012

Change the IIS Log File Directory via PowerShell

Posted by sptwentyten on 04/13/2010

One of the best things to do in your SharePoint environment is to relocate your log files to a central location. This gets them off the C drive and makes them easier to find when troubleshooting. The change is simple to do in PowerShell, but it causes an error and some confusion if you overlook an important step.

Here is the command to change the log file directory:

Set-ItemProperty 'IIS:\Sites\SharePoint - 80' -Name logFile.directory -Value 'C:\Logs\IIS'

Make sure to change "SharePoint - 80" to the name of the IIS site whose log directory you want to change, and change the -Value parameter to the path you have designated for your log files. Note: I would not put the log files on the C drive; I only use it here because this is a small virtual machine.

Pop open the SharePoint 2010 Management Shell and enter the above command to change the log file directory: (Start > All Programs > Microsoft SharePoint 2010 Products > SharePoint 2010 Management Shell)

Oops, we got an error! The error says it cannot find the IIS: drive, which tells us that the WebAdministration module (the module that provides the IIS: provider) has not been loaded. Load it now with Import-Module WebAdministration.
Once the module is imported, press the up arrow key and re-run the command to change the log directory:

Now, open up the IIS Manager console, expand Sites, click on the site you changed the log directory for and double click on Logging under the IIS section. You should see the new directory location under Log File.

Completed! If you have the schedule set to “Daily”, then you will not see a log file within the new path until the next day. Also, if you desire, you can manually move the old log files into this new location. Keep in mind that this log directory change will not replicate to other servers. So, you will need to perform this on each server.
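Because each site keeps its own value, changing one site at a time is easy to get wrong. The following added example (not the post's command) moves every site on the server, sets the default for sites created later, and reads each value back instead of trusting that Set-ItemProperty succeeded. The target path D:\Logs\IIS is an assumption.

```powershell
# Added example; not the original post's command. Moves the log directory of every
# IIS site on this server to one location, sets the same default for sites created
# later, and reads each value back so the change is verified rather than assumed.
# The target path D:\Logs\IIS is an assumption.
Import-Module WebAdministration      # provides the IIS: drive used below

$logRoot = 'D:\Logs\IIS'
if (-not (Test-Path $logRoot)) { New-Item -ItemType Directory -Path $logRoot | Out-Null }

function Set-SiteLogDirectory {
    # Sets logFile.directory for one site and returns the value IIS reports afterwards.
    param([string]$SiteName, [string]$Directory)
    Set-ItemProperty -Path "IIS:\Sites\$SiteName" -Name logFile.directory -Value $Directory
    return (Get-ItemProperty -Path "IIS:\Sites\$SiteName" -Name logFile.directory).Value
}

# Existing sites each keep their own value, so every site has to be changed.
foreach ($site in Get-ChildItem IIS:\Sites) {
    $actual = Set-SiteLogDirectory -SiteName $site.Name -Directory $logRoot
    if ($actual -ne $logRoot) { Write-Warning "$($site.Name) still logs to $actual" }
    '{0,-30} {1}' -f $site.Name, $actual
}

# Default inherited by sites created from now on.
Set-WebConfigurationProperty -Filter '/system.applicationHost/sites/siteDefaults/logFile' `
    -Name directory -Value $logRoot
```

As the post says, the setting is per server; with PowerShell remoting enabled the same script can be pushed to each web front end with Invoke-Command -FilePath. IIS logs contain client addresses, URLs and (for authenticated sites) user names, so restrict read access on the new folder to administrators and whoever collects the logs.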

4 Jan 2012

Configuring the Forefront TMG HTTP Filter

http://www.isaserver.org/tutorials/Configuring-Forefront-TMG-HTTP-Filter.html

blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx

http://technet.microsoft.com/es-es/library/cc441511.aspx

A simple firewall only allows or denies HTTP based on source and destination IP addresses and does not look deeper into the HTTP protocol to filter the traffic. HTTP is often called the "universal firewall bypass protocol" because most firewall admins allow users on the internal network to reach the outside over HTTP, and applications can tunnel their own protocols inside HTTP or HTTPS. Examples are Outlook Anywhere, the Remote Desktop Gateway service and applications such as Skype or Windows Live Messenger, all of which encapsulate their native protocols in HTTP/HTTPS and thereby pass the firewall. With Forefront TMG it is possible to filter HTTP traffic with the HTTP filter for incoming and outgoing access, and with the HTTPS inspection feature of Forefront TMG outgoing HTTPS traffic can be filtered as well. Incoming HTTPS traffic can be filtered in web server publishing scenarios where the HTTPS bridging feature of Forefront TMG is used, because TMG terminates the TLS session and sees the plaintext request.

Let’s start with some basics about the Web filters in Forefront TMG.



What is a Web filter?

A Web filter in Forefront TMG is a set of Dynamic Link Libraries (DLLs) based on the IIS ISAPI (Internet Server Application Programming Interface) model.

A Web filter is loaded by the Web proxy filter. Once the Web filter is loaded, all information is forwarded to the Web proxy filter, which determines which types of events are to be monitored.

Every time such an event occurs the Web proxy filter is notified.

The following figure shows the HTTP Filter Add in of Forefront TMG.


Figure 1: Forefront TMG HTTP filter Add in

Web filter functionality


The Web filter in Forefront TMG is responsible for the following tasks:

  • Scanning and modifying HTTP requests
  • Analyzing and logging network traffic
  • Scanning and modifying HTTP responses
  • Blocking of specific HTTP responses
  • Data encryption and compression

And many more.

Important:
The HTTP filter in Forefront TMG is configured per rule, except for the Maximum headers length setting, which is the same for all firewall rules that contain HTTP protocol definitions.

Attention:
The HTTP filter in Forefront TMG is also able to filter HTTPS traffic in reverse web server publishing scenarios where HTTPS bridging is used, and outgoing HTTPS requests when the HTTPS inspection feature of Forefront TMG is activated.

HTTP Filter configuration

To start configuring the HTTP filter, right-click a rule that contains an HTTP protocol definition and select Configure HTTP from the context menu.


Figure 2: Forefront TMG HTTP filter general settings

On the General tab of the HTTP filter it is possible to configure the following settings:

Request Headers:

Maximum headers length (bytes):

The maximum number of bytes in the URL and HTTP headers of a request; a request that exceeds it is blocked by Forefront TMG.

Request Payload:

Maximum payload length (bytes):

Restricts how many bytes a user may send in the body of an HTTP POST in a web server publishing scenario, i.e. an upload size limit.

URL Protection:

Maximum URL length (bytes): the maximum length of an allowed URL.

Maximum query length (bytes): the maximum length of the query string, the part of the request URL after the question mark.

Verify normalization

Select this checkbox to block requests whose URL still contains escaped characters after normalization. Normalization is the decoding of percent-encoded (%xx) characters in the URL. The HTTP filter decodes the URL and then decodes the result a second time; if the second pass changes anything, the original URL contained an encoded percent sign (double encoding, e.g. %252e for "."), a trick used to smuggle characters past filters that decode only once, and the request is rejected.

Block high bit characters

When this setting is active, URLs containing characters outside 7-bit ASCII (double-byte character set (DBCS) or Latin-1 characters, i.e. bytes with the high bit set) are blocked. Note that this regularly blocks languages that need more than 7 bits per character, so it is not suitable for sites with non-English URLs.

Executables

Block responses containing Windows executable content

This option blocks responses whose body is a Windows executable (identified by the content, the MZ signature at the start of the body, not by the file extension), such as EXE downloads.

As a next step we should configure the allowed or blocked HTTP methods


Figure 3: HTTP Methods

In this example we are blocking the HTTP POST command so that nobody can upload content on external websites.


Figure 4: Block the HTTP POST method

Block executables

On the Extensions tab it is possible to block or allow specific file extensions in the selected firewall rule.


Figure 5: Using Forefront TMG to block downloading files with the EXE extension

Block requests containing ambiguous extensions

This option instructs the HTTP filter to block requests whose file extension Forefront TMG cannot determine unambiguously.

In this example we are blocking access to the .EXE file extension.


Figure 6: Blocking the .EXE file extension

HTTP Header handling

When a web client sends a request to a web server, or the web server answers, the first line is the HTTP request line or status line, followed by the HTTP headers. Request headers let the client send additional information to the server: headers carry information about the browser and operating system, authorization details and more, and the User-Agent header identifies the application that issued the request.

With the help of the HTTP filter it is possible to block requests or responses by specific HTTP headers.


Figure 7: HTTP filter Header section

The settings in the Server header field let administrators remove the Server header from responses or modify it, among other options; hiding the server software and version from a response is a cheap way to give an attacker less information during reconnaissance.

In the following example we use the HTTP header feature of Forefront TMG to block Kazaa, whose identification resides in the request header.


Figure 8: Blocking Kazaa

HTTP Filter signatures

An HTTP signature can exist in the HTTP body or in the HTTP headers. You can use HTTP signatures to deny specific applications. To block an application you must know which signature it uses. There are documents on the Internet listing signatures of specific applications, but it is also possible to use a network sniffer to determine them; I will show how to use a network sniffer later in this article.

Important:
Filtering HTTP signatures in Forefront TMG only works when the requests and responses are UTF-8 encoded.


Figure 9: Blocking HTTP signatures

In the following example we are blocking the access for the Windows Live Messenger protocol.


Figure 10: Windows Live Messenger Block

If you want to know more about application signatures click here.

Important:
Forefront TMG inspects only the first 100 bytes of the request and response body. It is possible to raise this number, but a larger inspection window costs server performance; a signature that appears beyond the inspected bytes is not seen.
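The checks described in the General, Methods, Extensions, Headers and Signatures sections above are easier to reason about as code. The following is an added example, not code from the article or from TMG: it applies header, URL and query length limits, the double-decoding normalization test, the high-bit character test, method and extension lists, a User-Agent signature and a body signature that is only searched in the first 100 bytes, to a set of constructed sample requests. The limits, the "Kazaa" and "MSNP" signature strings and the requests are all assumptions made for the demonstration; the last request shows what the 100-byte limit means in practice.

```powershell
# Added example; not code from the article or from TMG. It models the checks
# described above against one parsed request: header, URL and query length
# limits, the double-decoding normalization test, high-bit characters, the
# method and extension lists, a request-header signature (User-Agent) and a
# body signature that is only looked for in the first 100 bytes. The limits,
# signatures and sample requests are constructed for the demonstration.

$Policy = @{
    MaxHeaderBytes      = 32768
    MaxUrlBytes         = 2048
    MaxQueryBytes       = 1024
    AllowedMethods      = @('GET', 'HEAD', 'POST')
    BlockedExtensions   = @('.exe')
    VerifyNormalization = $true
    BlockHighBit        = $true
    HeaderSignatures    = @{ 'User-Agent' = @('Kazaa') }
    BodySignatures      = @('MSNP')       # constructed stand-in for a messenger token
    BodyInspectBytes    = 100
}

function Test-UrlNormalization([string]$Url) {
    # Decode once, then decode the result again. If the second pass changes
    # anything, the request carried an encoded '%' (e.g. %252e%252e -> %2e%2e -> ..),
    # the double-encoding trick used against filters that decode only once.
    $once  = [System.Uri]::UnescapeDataString($Url)
    $twice = [System.Uri]::UnescapeDataString($once)
    return ($once -eq $twice)
}

function Test-HttpRequest {
    # $Request: @{ Method; Url (path plus query, as sent); Headers (hashtable); Body (string) }
    # Returns 'allow', or 'block: <reason>' for the first check that fails.
    param($Request, $Policy)

    $headerBytes = 0
    foreach ($k in $Request.Headers.Keys) { $headerBytes += "$k`: $($Request.Headers[$k])`r`n".Length }
    if ($headerBytes -gt $Policy.MaxHeaderBytes) { return 'block: header length' }

    $url = $Request.Url
    if ($url.Length -gt $Policy.MaxUrlBytes) { return 'block: URL length' }
    $path = $url; $query = ''
    $q = $url.IndexOf('?')
    if ($q -ge 0) { $path = $url.Substring(0, $q); $query = $url.Substring($q + 1) }
    if ($query.Length -gt $Policy.MaxQueryBytes) { return 'block: query length' }

    if ($Policy.VerifyNormalization -and -not (Test-UrlNormalization $url)) { return 'block: URL not normalized' }

    # High-bit test on the decoded URL: testing the raw bytes alone would be
    # bypassed by percent-encoding the character.
    $decodedUrl = [System.Uri]::UnescapeDataString($url)
    if ($Policy.BlockHighBit -and ($decodedUrl -match '[^\x00-\x7F]')) { return 'block: high-bit characters in URL' }

    if ($Policy.AllowedMethods -notcontains $Request.Method) { return "block: method $($Request.Method)" }

    # Extension of the decoded path; a regex avoids Path.GetExtension throwing on odd characters.
    $decodedPath = [System.Uri]::UnescapeDataString($path)
    if ($decodedPath -match '(\.[^./\\]+)$') {
        $ext = $matches[1].ToLower()
        if ($Policy.BlockedExtensions -contains $ext) { return "block: extension $ext" }
    }

    foreach ($h in $Policy.HeaderSignatures.Keys) {
        $value = [string]$Request.Headers[$h]
        foreach ($sig in $Policy.HeaderSignatures[$h]) {
            if ($value.IndexOf($sig, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return "block: $h signature '$sig'" }
        }
    }

    # Only the first BodyInspectBytes bytes are searched, mirroring the TMG default;
    # a token that appears later in the body is not seen.
    $body = [string]$Request.Body
    if ($body.Length -gt $Policy.BodyInspectBytes) { $body = $body.Substring(0, $Policy.BodyInspectBytes) }
    foreach ($sig in $Policy.BodySignatures) {
        if ($body.IndexOf($sig, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return "block: body signature '$sig'" }
    }
    return 'allow'
}

# Constructed sample requests, one per check plus the body-limit edge case.
$ua = @{ 'User-Agent' = 'Mozilla/5.0 (compatible; MSIE 9.0)' }
$requests = @(
    @{ Method = 'GET';  Url = '/index.html';                 Headers = $ua; Body = '' },
    @{ Method = 'GET';  Url = '/docs/%252e%252e/web.config'; Headers = $ua; Body = '' },
    @{ Method = 'GET';  Url = '/caf%C3%A9.html';             Headers = $ua; Body = '' },
    @{ Method = 'PUT';  Url = '/upload/x.txt';               Headers = $ua; Body = 'data' },
    @{ Method = 'GET';  Url = '/download/setup.exe';         Headers = $ua; Body = '' },
    @{ Method = 'GET';  Url = '/';  Headers = @{ 'User-Agent' = 'KazaaClient' }; Body = '' },
    @{ Method = 'POST'; Url = '/gateway.dll'; Headers = $ua; Body = ('MSNP VER ' + ('x' * 200)) },
    @{ Method = 'POST'; Url = '/gateway.dll'; Headers = $ua; Body = (('x' * 200) + ' MSNP VER') }
)
foreach ($r in $requests) { '{0,-5} {1,-30} {2}' -f $r.Method, $r.Url, (Test-HttpRequest $r $Policy) }
```

The order of the checks is the cheap-first order a proxy would use: size limits before decoding, decoding before any string match. The two POST requests differ only in where the token sits; the first is caught, the second passes because the token lies beyond the inspected bytes, which is the trade-off the note above describes.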

HTTP error message if the HTTP filter blocks some content


Figure 11: HTTP Filter access message

How to discover specific HTTP Header

To determine HTTP signatures that are unknown to you, use a network sniffer such as Microsoft Network Monitor (Netmon) 3.4 to trace the HTTP traffic.

The following figure shows a sample network trace from Microsoft Netmon 3.4, but you can use any other network monitor, for example Wireshark (formerly Ethereal).


Figure 12: Netmon HTTP trace

This example shows the User-Agent header (Mozilla/5.0) and, inside it, the signature MSIE 9.0.

HTTPFILTERCONFIG.VBS

You can use HTTPFILTERCONFIG.VBS from the directory C:\Program Files\Microsoft Forefront TMG Tools\SDK\Samples\Admin from the Forefront TMG SDK to import and export HTTP-Filter configurations.


Figure 13: HTTPFILTERCONFIG.VBS from the Forefront TMG SDK

3 Jan 2012

RDP Tabs

An indispensable tool for administering servers over RDP

http://www.avianwaves.com/tech/tools/rdtabs/

It lets you keep all your connections organised by name and in favourites, which greatly simplifies administration: no more memorising endless naming schemes or IP addresses, or constantly searching for them in an Excel sheet.

2 Jan 2012

Exchange 2010 RBAC Manager (aka RBAC Editor GUI)

http://rbac.codeplex.com/


RBAC Manager aims to simplify RBAC administration. Basically it provides the missing GUI for editing RBAC settings on Exchange 2010 systems, including adding/removing cmdlets, cmdlet properties, assignments etc. The tool is written in C# and uses PowerShell behind the scenes.

Pre-Requirement:

1. You need to have Exchange 2010 Management Tools installed prior to running RBAC GUI

------------------------------------------------------------
Understanding Role Based Access Control
http://technet.microsoft.com/en-us/library/dd298183.aspx

Simplifying RBAC management in Exchange Server 2010
http://searchexchange.techtarget.com/tip/Simplifying-RBAC-management-in-Exchange-Server-2010

Exchange 2010 role based access control explained
http://searchexchange.techtarget.com/feature/Exchange-2010-role-based-access-control-explained

Top 10 Microsoft Outlook and OWA tips of 2011

Common Outlook 2010 problems, unsaved passwords and improved Outlook Web App setups are all topics that kept readers clicking in 2011. Here’s a look at your favorite tips of the year.

10. Addressing Outlook Web App 2010 security concerns
Increased OWA 2010 use can amplify security threats to an Exchange 2010 organization. Heed our expert’s advice to avoid security breaches.

9. Identifying Outlook Anywhere connectivity glitches
Outlook Anywhere's initial configuration can be tricky. If you're having trouble connecting, there are a couple tests you can run.

8. Configuring Outlook 2010 send/receive groups
Outlook tasks can overwhelm mailbox servers. Send/receive groups can remove some of that strain if you set them up correctly.

7. Step up your Outlook Web App setup
Outlook Web App is preconfigured on an Exchange 2010 CAS, but default settings aren’t perfect. Tweak your configurations to optimize OWA.

6. Why mssphtb.dll was disabled in Outlook 2010
Admins wonder why Microsoft disabled the mssphtb.dll utility in Outlook 2010. Our expert clears the air on this misunderstood search component.

5. Command-line switches to troubleshoot Outlook 2010 problems
There are several command-line switches you can use with Outlook 2010. These five startup switches will help diagnose and troubleshoot most issues.

4. Four reasons why Outlook passwords are not being saved
Does Outlook continually prompt your users for their passwords? If so, the issue could stem from several different factors.

3. Workarounds for OWA 2010's Web browser limitations
If you’re using Firefox and want to run Outlook Web App 2010 in premium mode, it’ll take a little Internet Explorer spoofing.

2. Free Outlook tool fixes AutoComplete list annoyance
AutoComplete list values in Outlook that you cannot edit. This free tool lets admins and users repair, edit and delete .nk2 files.

1. Repairing three problems that annoy Outlook 2010 users
Outlook 2010 isn't perfect. These three common Outlook 2010 pains may be plaguing your users.

Exchange 2010 role based access control explained

Exchange Server 2007 access control lists posed real challenges to administrators. They had to keep track of ACL content, make changes to permissions and troubleshoot ACL problems. Fortunately, awkward and unreliable ACLs have been replaced in Exchange Server 2010 by a new permissions model called role based access control.

With role based access control (RBAC), Exchange administrators can exercise granular control over the rights and abilities assigned to end users and fellow administrators. Let’s take a closer look at Exchange 2010 RBAC and some basic considerations.

Understanding the RBAC basics
The principal benefit of RBAC is improved security. An ACL only provides limited access control and must be manually updated by an administrator who possesses detailed knowledge of its contents. By comparison, RBAC provides extremely granular permission control, letting admins assign general permissions quickly through the use of pre-established roles. They can also choose to modify existing roles or create specialized roles for users with unusual needs.

Ultimately, RBAC allows users and administrators to perform respective tasks using the least amount of privilege. This level of granularity also enables Exchange administrators to match the permissions given to users and other administrators with the actual roles of those employees.

“It expands the notion of who can do Exchange administration,” said Richard Luckett, president of SYSTMS of NY, Inc., a consulting and services firm. “Now, end users can be granted customized control over self-service options and non-traditional administrators such as HR and legal counsel can be granted administrative rights.”

Exchange 2010 RBAC permissions
RBAC permissions are based on the premise of roles, groups and scopes. A management role is an established set of management rights that allows an individual to view or modify the setup of Exchange 2010 mailboxes, transport rules, recipients and more. There are numerous built-in roles, but it’s also possible to create uniquely defined roles that suit the particular needs of an organization.

Roles can also be combined into larger management groups and associated policies that allow administrators and users to manage Exchange features and recipient setups. In addition, role scopes define the objects a role can manage.

“If an administrator only wants a group to be able to manage a specific organizational unit in Active Directory, they can scope the role to apply to that specific OU,” said Tom Phillips, owner and principal consultant at TG Phillips IT Consulting Inc. in Allen, Texas.

To simplify Exchange Server 2010 administration, RBAC provides more than 10 default role groups. Each group can be assigned to various administrators or users. Experts point out that roles like discovery management, help desk, organizational management and recipient management are the most commonly used default role groups in Exchange 2010.

There are also at least 70 pre-established roles that can be assigned to role groups or combined with assignment policies, depending on how you prefer to assign permissions. None of the pre-established roles are clearly more useful or beneficial than others; their use depends on the unique needs of the organization. But the variety of roles available out of the box means significant time-savings for Exchange managers.

Managing RBAC in Exchange Server 2010
There are three primary ways of managing role based access control in Exchange Server 2010. Admins can use Active Directory (users and computers), the Exchange Management Shell or the Exchange Control Panel. There is also an RBAC Editor GUI on Microsoft's open-source project site, Codeplex.

Exchange administrators also benefit from a variety of acquired skills when managing RBAC. In general, any experience with role-based permission schemes will come in handy, though simple practice with the pre-established roles and groups ease the learning curve.

And while complicated scripts aren’t necessary to customize roles and groups, some mastery over the Exchange Management Shell is necessary to effectively work with RBAC. Fortunately, administrators not comfortable with cmdlets can use the Exchange Control Panel’s easier-to-navigate GUI.
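The scoping scenario quoted above (a group allowed to manage recipients only in one organizational unit) is a few cmdlets in the Exchange Management Shell. The following is an added example, not code from the article: it creates a management scope rooted at an OU, a role group whose assignments are pinned to that scope, and then verifies what a member can actually do. The OU, group and member names are assumptions; run it as a member of Organization Management.

```powershell
# Added example; not code from the article. Builds a help-desk role group that can
# manage mailboxes only inside one OU. Names are assumptions. Run from the Exchange
# Management Shell as a member of Organization Management.

$ou     = 'OU=Ventas,DC=midominio,DC=com'   # assumed OU
$scope  = 'Ventas Recipients'
$group  = 'Ventas Help Desk'
$member = 'midominio\jperez'                 # assumed member

# 1) A management scope limits which recipient objects an assignment may write.
#    The filter is required when a RecipientRoot is given.
New-ManagementScope -Name $scope -RecipientRoot $ou `
    -RecipientRestrictionFilter { RecipientType -eq 'UserMailbox' }

# 2) A role group bundles built-in roles; CustomRecipientWriteScope pins every
#    assignment created for the group to the scope above (least privilege: the
#    member gets the cmdlets of 'Mail Recipients' but only for objects in the OU).
New-RoleGroup -Name $group -Roles 'Mail Recipients' `
    -CustomRecipientWriteScope $scope -Members $member

# 3) Verify: the assignment carries the custom write scope ...
Get-ManagementRoleAssignment -RoleAssignee $group |
    Format-Table Role, RoleAssigneeType, CustomRecipientWriteScope -AutoSize

# ... and the member really is an effective user of the role through this group.
Get-ManagementRoleAssignment -Role 'Mail Recipients' -GetEffectiveUsers |
    Where-Object { $_.RoleAssignee -eq $group } |
    Format-Table EffectiveUserName, CustomRecipientWriteScope -AutoSize
```

Because role groups are universal security groups in Active Directory, adding a member in Active Directory Users and Computers has the same effect as -Members here; the scope, however, lives on the role assignment, which is why the verification reads Get-ManagementRoleAssignment rather than the group itself.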

Exchange 2010 Tips

http://searchexchange.techtarget.com/feature/Our-top-10-Exchange-Server-administration-tips-of-2011

top 10 Exchange Server administration tips of 2011

The Exchange Server virtualization hypervisor debate, Exchange 2010 annoyances and iPhone issues were all at the top of admins’ minds in 2011. Take a look at our most clicked-upon Exchange administration tips of the year.

10. Spotting the five most common iPhone and Exchange ActiveSync problems
Are your iPhone users having difficulty connecting to Exchange? Trace the connectivity problem to one of these five common causes.

9. How to build a virtual Exchange test lab
The best way to test a new version of Exchange Server is a virtual test lab. It’s extremely flexible and much cheaper than a physical lab. Here’s how to build your own.

8. Checklist for new Exchange Server administrators
If you’ve inherited an oddly configured Exchange Server infrastructure, use this checklist to correct its flaws.

7. BES 5.0.2 and Exchange 2010 SP1: What you should know
Let’s take a look at what's included in BES 5.0.2 express and find out if your Exchange 2010 setup can handle the full version.

6. Resolving three common Exchange 2010 issues
Exchange 2010 is certainly an improvement over Exchange 2007, but it isn’t perfect. Here are three common problems and their solutions.

5. Do this before virtualizing Exchange Server 2010
Virtualizing Exchange 2010 servers is a smart move and the steps involved are fairly simple. However, the actual virtualization process begins long before you create a VM.

4. Exchange Server 2010 on VMware: Why daily monitoring is a must
Properly monitoring Exchange 2010 on VMware vSphere will ensure you benefit from server virtualization. Check these metrics regularly.

3. Moving from Exchange 2003 to Exchange 2010 in 12 steps
Migrating from Exchange 2003 to Exchange 2010 is a daunting task. Here are the 12 steps you need to use to get the job done.

2. Five things that annoy me about Exchange 2010
There's a lot to like about Exchange 2010 but there are also quirks that irritate IT managers. Read these five annoyances to see if you can relate.

1. Hyper-V versus VMware for Exchange Server virtualization
Deciding between VMware vSphere and Microsoft Hyper-V for Exchange Server virtualization can be tough. See how each stacks up in terms of cost, features and support.

---------------------------------------------------------------------------------------------------------

Spotting the five most common iPhone and Exchange ActiveSync problems

Although the iPhone is designed to connect to Exchange Server with ActiveSync, administrators and users have reported a number of issues. Before you allow your users to connect their iPhones to Exchange, take a look at the five most pervasive iPhone and Exchange 2010 connectivity problems and their solutions.

1. Coexistence challenges
The most widely reported issue is an Autodiscover compatibility problem that prevents an iPhone from connecting to Exchange. It occurs if the iPhone user’s mailbox resides on Exchange Server 2007 in a mixed Exchange 2007 and Exchange 2010 environment.

In this setup, mobile devices that run ActiveSync protocol version 12.0 or lower connect to the Exchange 2010 client access server (CAS) and are then proxied to the Exchange 2007 CAS. Newer versions of ActiveSync use the Autodiscover service to determine which CAS the device should connect to.

The iPhone 4 uses a version of ActiveSync that should be able to use the Autodiscover service. Unfortunately, it does not work correctly. Users that have difficulty connecting an iPhone to an Exchange 2007 mailbox server in a mixed environment have three options:

  1. Wait for Apple to fix the problem.
  2. Move the mailbox to an Exchange 2010 mailbox server.
  3. Force the CAS to proxy the connection. This is done with the following Exchange Management Shell (EMS) command:

Get-ActiveSyncVirtualDirectory -Server | Set-ActiveSyncVirtualDirectory -ExternalUrl:$null

You can read more about coexistence at Microsoft’s TechNet site.

2. Non-provisionable devices
The Exchange ActiveSync Mailbox Policy contains a setting called Allow Non Provisionable Devices. This setting -- which is disabled by default -- controls which mobile devices are allowed to establish ActiveSync connections with Exchange. If the setting is enabled, any ActiveSync-enabled device can connect to Exchange. If the setting is disabled, devices will only connect if they can be automatically provisioned with all of your ActiveSync policy settings.

The iPhone technically qualifies as a non-provisionable device because a number of ActiveSync policy settings cannot be applied to it. If you’re having difficulty connecting an iPhone to Exchange, or if you find that some ActiveSync policy settings are being ignored, compare your company’s ActiveSync policy settings with the ActiveSync settings the iPhone supports.

3. Heartbeat intervals
ActiveSync is based on Direct Push technology. Direct Push uses heartbeats to keep an HTTPS session open even when data is not actively sent or received.

Mobile devices send requests to the CAS, asking to be notified when new items arrive. Requests are valid for a set length of time. The request validity period is also known as the heartbeat. If data is not received from the server within the request period, the device issues another request and another heartbeat occurs, keeping the session alive.

Exchange Server 2010 uses dynamic heartbeats. Exchange 2010 also defines both minimum and maximum heartbeat intervals. The mobile device usually starts with a short heartbeat interval and gradually works up to a longer interval once the session proves stable.

Normally, there’s no reason to change the minimum and maximum heartbeat interval values; Microsoft actually discourages altering the default values. According to Apple however, if an iPhone has difficulty with the existing heartbeat settings, you should set the maximum heartbeat to 59 minutes.

You can find more information on how heartbeats work at TechNet. Additionally, TechNet has instructions on adjusting heartbeat values if you need to do so.

4. Firewall timeouts
An iPhone may experience ActiveSync timeout issues unless all of the firewalls between the iPhone and the CAS are configured with a timeout period of 30 minutes or longer. The method to adjust the timeout depends on your firewall.

5. IP address settings
Some iPhone users find that their device works well when connected to ActiveSync over the Internet, but that mail flow stops when connecting over the corporate network. This problem is usually traced to a domain name system (DNS) setting.

Your CAS must use a consistent IP address and a fully qualified domain name regardless of how the iPhone connects. If your internal DNS server provides a different IP address for the CAS than the one listed by external DNS servers, mail flow may cease until the device is no longer connected to the corporate network.

The iPhone is generally a solid ActiveSync client. However, every network is different and it’s possible that settings unique to your network may cause problems for iPhone users. If this happens, you can probably trace the problem to one of the causes described here.

------------------------------------------------------------------------------------------