How to configure Exchange 2010 & Threat Management Gateway for iMExchange 2 or Other EWS-based Apps

We recently began a full migration of users over to our Exchange 2010 environment after a successful months-long pilot program. One of our users reported that they could no longer successfully sync iMExchange 2 on their Apple iPhone and iPad after they were migrated from Exchange 2003 to Exchange 2010.

iMExchange 2 is a great program you can use to synchronize your tasks & notes with your iPhone/iPad/iPod as well as manage your Out-of-Office settings. I only downloaded it for troubleshooting purposes, but it’s an app I’ll keep and use.

To troubleshoot it, I installed iMExchange 2 on my own iPhone and started testing. It was a little puzzling, because nothing was restricted any more tightly than it had been in Exchange 2003. We still had ActiveSync and Outlook Web Access enabled, so one would think everything should work just as well under Exchange 2010.

However, iMExchange 2 doesn’t appear to use Outlook Web Access or ActiveSync under Exchange 2010 (and I would suspect the same is true with Exchange 2007). It actually uses Exchange Web Services, which would normally be set up as a component of Outlook Anywhere. Unfortunately, we don’t use Outlook Anywhere in this environment due to erroneous InfoSec concerns, so I needed to enable some of the functions while still restricting Outlook Anywhere.

So, in order to support it or any apps like it, you need to configure your environment with some of the same things that are used for Outlook Anywhere, but you don’t have to go all the way with it.

On Forefront Threat Management Gateway, you’ll need to use the Exchange Publishing Wizard to publish Outlook Anywhere (note: enable the option for Outlook 2007 extra folders when you come to it) just as you would have for ActiveSync & Outlook Web Access. You can use the same Listener you set up for the other services as well… no need for a unique IP or certificate.

In addition, you’ll likely need to enable Basic Authentication for the /EWS and /OAB virtual directories in IIS Manager on each of the Client Access Servers.

At this point, iMExchange 2 should work great, and the only thing you have changed is that the /EWS and /OAB virtual directories are now published. They still require authentication, they are still protected via SSL, and Outlook Anywhere still will not work… leaving both your end users and InfoSec satisfied.
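The two steps above (publish /EWS and /OAB through TMG, then enable Basic Authentication on those virtual directories on every Client Access Server) are easy to get inconsistent when done by hand in IIS Manager on several servers. The following script is an added example, not code from the original post: it does the Client Access Server half of the procedure from the Exchange Management Shell, reports the authentication settings of /EWS, /OAB and /OWA side by side (the reply to comment 3 below suggests checking that /EWS is consistent with /OWA), and confirms that Outlook Anywhere remains unpublished. It assumes you are running inside the Exchange 2010 Management Shell with an account allowed to modify virtual directories; the `-Apply` switch and the report layout are my own and not part of the post.

```powershell
# Added example, not code from the original post: audit (and optionally enable)
# Basic Authentication on the /EWS and /OAB virtual directories of every
# Exchange 2010 Client Access Server from the Exchange Management Shell.
# Assumptions: run inside the Exchange Management Shell (Exchange cmdlets loaded)
# by an account permitted to read and modify virtual directories. The -Apply
# switch and the report layout are assumptions of this example, not the post's.
param(
    [switch]$Apply   # omit -Apply for a read-only report
)

$casServers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'ClientAccess' }

$report = @()
foreach ($cas in $casServers) {
    $server = $cas.Name

    # /EWS is the endpoint EWS-based apps such as iMExchange 2 talk to; the post
    # publishes /OAB alongside it. /OWA is read only for comparison, so that a
    # mismatch between the EWS and OWA authentication settings is visible.
    $ewsDirs = @(Get-WebServicesVirtualDirectory -Server $server)
    $oabDirs = @(Get-OabVirtualDirectory -Server $server)
    $owaDirs = @(Get-OwaVirtualDirectory -Server $server)

    foreach ($vdir in ($ewsDirs + $oabDirs + $owaDirs)) {
        # New-Object PSObject keeps this compatible with the PowerShell 2.0
        # shell that Exchange 2010 ships with.
        $report += New-Object PSObject -Property @{
            Server      = $server
            VirtualDir  = $vdir.Name
            Basic       = $vdir.BasicAuthentication
            Windows     = $vdir.WindowsAuthentication
            ExternalUrl = $vdir.ExternalUrl
        }
    }

    if ($Apply) {
        # Basic Authentication over SSL is what the TMG listener forwards to the
        # CAS. Only the two published directories are changed; nothing else on
        # the server is touched.
        foreach ($d in $ewsDirs) { Set-WebServicesVirtualDirectory -Identity $d.Identity -BasicAuthentication $true }
        foreach ($d in $oabDirs) { Set-OabVirtualDirectory -Identity $d.Identity -BasicAuthentication $true }
    }

    # Outlook Anywhere stays unpublished: Get-OutlookAnywhere returns an object
    # only on servers where it has been enabled, so an empty result is the goal.
    $oa = @(Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue)
    if ($oa.Count -eq 0) {
        Write-Host "$server : Outlook Anywhere not enabled (expected for this setup)"
    } else {
        Write-Warning "$server : Outlook Anywhere is enabled (ExternalHostname: $($oa[0].ExternalHostname))"
    }
}

$report | Sort-Object Server, VirtualDir |
    Format-Table Server, VirtualDir, Basic, Windows, ExternalUrl -AutoSize
```

Run it once without `-Apply` to see where /EWS and /OAB differ from /OWA across the servers, then with `-Apply` to enable Basic Authentication on the published directories only. The TMG publishing rule itself still has to be created with the Exchange Publishing Wizard as described above; this script does not touch the gateway.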

10 Responses to “How to configure Exchange 2010 & Threat Management Gateway for iMExchange 2 or Other EWS-based Apps”

  1. Hello Rebecca.

    Thank you for this article. I tried configuring Exchange 2010 with IMExchange 2 but still have a problem with connectivity.
    I’m not using Forefront Threat Management Gateway, and Exchange 2010 has a public IP (firewalled). If I make a quick test, this file is available from the internet, but somehow the iPhone can’t sync or receive any data into IMExchange. At the same time, of course, ActiveSync works properly and all calendars, email and contacts are synced.

    Please let me know if you have any idea why it may not work.

    • You may want to read my other article titled “Critical Commands to Get Autodiscover Working Properly in Exchange-2010” and pay particular interest to the part about setting the web services virtual directory. Also, make sure you have a proper SSL certificate assigned to the server, such that you do not get an invalid certificate warning when using Outlook Web App from an external computer.

  2. Excellent article! I’ve been trying to get this working on our UAG/TMG server without exposing Web Access or Outlook Anywhere. Are you saying that all I need to do is publish /ews and /oab? Thanks very much and love the site. Definitely bookmarking it.

    • Sorry for the late reply, I’ve been on vacation for a bit. I believe /ews is all you actually need to publish if you don’t want to support Outlook Anywhere.

      ...and thanks for the compliments 🙂

  3. Hi, I’m hoping you can maybe give me some more details on how you got this working please? I’ve been working on this (finally) off and on today most of the morning. Here is what I have setup so far…
    I’ve published OWA, ActiveSync and the EWS directory (I removed OAB) through the UAG on a single trunk, but IMExchange2 still fails to connect. If I test it over our internal WiFi directly into Exchange it’s fine. So, I’m not sure what I am missing in the UAG.
    I disabled the Outlook Anywhere application that publishes /rpc/rpcproxy.dll\?(?!localhost).*
    I hate to bother you with this, but any help you can offer would be greatly appreciated. I’ve been beating my head on my desk for hours over this one.

    • It’s hard to know without seeing your specific configuration, but I would start by looking at the authentication methods that you have enabled for the /EWS virtual directories on your client access servers and make sure those are consistent with the /OWA directories. I do have /OAB published, but I don’t think IMExchange 2 uses it. Also, I did not specifically disable any component of Outlook Anywhere, I just didn’t enable it on my client access servers.

  4. Rebecca,

    Great article, I have been struggling with this since we moved up to 2010 and the app developer has not responded or been very helpful.

    Nice Work!


  5. Very great post. I simply stumbled upon your weblog and wished to mention that I’ve really enjoyed browsing your blog posts. In any case I will be subscribing on your feed and I am hoping you write once more very soon!

  6. Thanks for all of the great info in the article. With your help I was able to get my users to connect to the server without an error message. However, they were still not syncing any tasks or notes. I was finally able to get imExchange2 working with our new Exchange 2010/Forefront TMG 2010 environment. The last thing I had to change to get this working was to enable Anonymous logins for EWS on our Exchange client access server. As soon as I made that change and applied it, my users were able to sync and obtain their notes and tasks.
