What is the best way to set up an ActiveSync port on an Exchange 2003 server without allowing OWA on the same port?
Users should have access to OWA within the corporate network, via port 443 on the mail server. However, as a matter of policy, OWA access from public IP addresses is prohibited.
The company wants to enable ActiveSync access from the outside (using trusted mobile devices) without also enabling OWA access from the outside.
I believe that the way to accomplish this is to set up a separate site in IIS Manager, which includes the items necessary for ActiveSync while excluding items that are used only by OWA.
With Exchange 2007 or 2010, it appears that the New-ActiveSyncVirtualDirectory cmdlet would make this quite easy. However, this is an Exchange 2003 server.
I have tried using IIS Manager to create a site on a separate port with only the "Microsoft-Server-ActiveSync" and "OMA" items, then enabling a NAT policy on the firewall mapping that port to :443 on a public IP address. Although an iPhone can connect and set up an account with just those two services, it cannot send/receive mail.
What else needs to be enabled? Or, is it simply impossible for an Exchange 2003 server to offer ActiveSync services without enabling OWA on the same port?
(The company plans to move to hosted mail services within months and is therefore not interested in migrating to Exchange 2010.)
OWA and OMA (ActiveSync) are two faces of the same thing. You can block access to the URL OWA uses (by default it's /exchange) while allowing access to OMA, which defaults to /oma. Note, someone could still pull up the OMA site (it's not user friendly, but any advanced user could figure it out) unless you require client certificates. Even then, they have access to the phone and could figure it out if they were really determined.
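One way to apply the path-based restriction the answer describes on the Exchange 2003 box itself, as an added example that is not part of the original thread: IIS 6 exposes per-virtual-directory IP restrictions through the IIsIPSecurity ADSI object, so the OWA directories on the Default Web Site can be limited to the corporate LAN while /Microsoft-Server-ActiveSync and /OMA stay reachable from the NATed public address on the same port 443. The script below assumes the Default Web Site has metabase ID 1, that the LAN is 10.0.0.0/8, and that OWA lives in the /Exchange, /ExchWeb and /Public directories; these are assumptions, not values from the thread. Loopback is kept on the grant list because on a single-server install the ActiveSync and OMA directories proxy internally to /exchange, so denying the server's own address would break the very thing the question is trying to enable.

```vbscript
' Added example (not from the original thread). Run on the Exchange 2003
' server as an administrator:  cscript //nologo restrict-owa.vbs
' Restricts the OWA virtual directories of the Default Web Site (W3SVC/1)
' to the LAN, leaving /Microsoft-Server-ActiveSync and /OMA unrestricted.
Option Explicit

' Assumed address ranges, in IIS "address, mask" form. 127.0.0.1 stays
' granted because ActiveSync/OMA call /exchange on the local machine.
Dim lanRanges
lanRanges = Array("127.0.0.1, 255.255.255.255", _
                  "10.0.0.0, 255.0.0.0")

' Assumed OWA-only virtual directories under the Default Web Site root.
Dim owaPaths
owaPaths = Array("Exchange", "ExchWeb", "Public")

Dim i
For i = 0 To UBound(owaPaths)
    RestrictToLan "IIS://localhost/W3SVC/1/ROOT/" & owaPaths(i)
Next

' Show the two directories that must remain open so the result can be checked.
ShowRestriction "IIS://localhost/W3SVC/1/ROOT/Microsoft-Server-ActiveSync"
ShowRestriction "IIS://localhost/W3SVC/1/ROOT/OMA"

' Deny everything by default for one virtual directory, then grant lanRanges.
Sub RestrictToLan(adsPath)
    Dim vdir, ipSec
    Set vdir = GetObject(adsPath)
    Set ipSec = vdir.IPSecurity
    ipSec.GrantByDefault = False   ' anything not in IPGrant gets HTTP 403
    ipSec.IPGrant = lanRanges
    ipSec.IPDeny = Array()         ' no explicit deny list needed
    vdir.IPSecurity = ipSec
    vdir.SetInfo
    WScript.Echo "Restricted " & adsPath & " to: " & Join(lanRanges, "; ")
End Sub

' Print the current IP restriction state of a virtual directory.
Sub ShowRestriction(adsPath)
    Dim vdir, ipSec
    Set vdir = GetObject(adsPath)
    Set ipSec = vdir.IPSecurity
    If ipSec.GrantByDefault Then
        WScript.Echo adsPath & ": open (grant by default)"
    Else
        WScript.Echo adsPath & ": restricted to " & Join(ipSec.IPGrant, "; ")
    End If
End Sub
```

After running it, confirm from an outside address that https://mail.example.com/exchange returns 403 while the ActiveSync device still syncs; if the device stops syncing, check whether the server's own address (not just loopback) needs adding to lanRanges. This restricts only the OWA paths, so the caveat in the answer still stands: /oma remains browsable by anyone who can reach the port unless client certificates are required.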