I have a multi-tennant Exchange environment and am working on a migration from Exchange 2007 to 2013. I am having trouble with ActiveSync for mailboxes on 2007, through my 2013 CAS. Here is what my environment looks like:

- Internet-facing Exchange 2007 CAS 2007cas1/10.1.1.2/204.228.1.2 (name/internal IP/external IP)
- Non-Internet-facing Exchange 2007 CAS 2007cas2/10.1.1.3 (name/internal IP)
- Internet-facing Exchange 2013 CAS/MBX 2013casmbx1/10.1.1.4/204.228.1.4 (name/internal IP/external IP)
- 2007 URL: webmail.hosteddomain.com
- 2013 URL: testmail.hosteddomain.com
- Certificate: Third-party CA wildcard cert

I have verified that OWA out OutlookAnywhere work. When I try to connect to my Exchange 2007 mailbox (and only 2007) through ActiveSync, my phone says "Can't connect to server" and I see the following entries in my IIS logs (2013casmbx1):

Front-end: 
2015-06-15 16:28:32 10.147.0.34 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=PYSJZZTTUA9DOEHLZDW&cafeReqId=3b8bbbeb-f258-4f82-8ae2-85ddb58433f7; 443 mtest2@customerdomain.com 10.2.1.2 Android/5.1.1-EAS-2.0 - 500 0 0 124

2015-06-15 16:47:44 10.147.0.34 GET /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=YGEGSFJYKEWUKETSAGG&cafeReqId=96b81a28-90ab-45cf-9d7d-c117c7cba7d9; 443 domain\mtest2_customerdomain 10.2.1.2 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.124+Safari/537.36 - 500 0 0 21612

Back-end:
2015-06-15 16:28:32 fe80::24f5:677f:e642:1b83%12 OPTIONS /Microsoft-Server-ActiveSync/Proxy/default.eas &Log=PrxTo:2007cas2.domain.local_PrxFrom:fe80%3a%3a24f5%3a677f%3ae642%3a1b83%2512_V0_HH:testmail.hosteddomain.com_SmtpAdrs:mtest2%40customerdomain.com_Error:SendFailure_Mbx:2007mbx1.domain.local_Dc:dc01.domain.local_SBkOffD:L%2f-470_TmRcv16:28:32.7702994_ActivityContextData:ActivityID%3d3b8bbbeb-f258-4f82-8ae2-85ddb58433f7%3bI32%3aADR.C%5bDC01%5d%3d1%3bF%3aADR.AL%5bDC01%5d%3d1.1509%3bI32%3aADS.C%5bDC01%5d%3d3%3bF%3aADS.AL%5bDC01%5d%3d2.216033%3bI32%3aADS.C%5bdc01%5d%3d1%3bF%3aADS.AL%5bdc01%5d%3d1.7718%3bI32%3aATE.C%5bdc01.domain.local%5d%3d1%3bF%3aATE.AL%5bdc01.domain.local%5d%3d0%3bI32%3aATE.C%5bDC01.domain.local%5d%3d3%3bF%3aATE.AL%5bDC01.domain.local%5d%3d5%3bS%3aWLM.Bal%3d480000%3bS%3aWLM.BT%3dEas_Budget:(D)Owner%3aSid%7eDOMAIN%5cMTest2%5Fcustomerdomain%7eEas%7efalse%2cConn%3a0%2

I verified that the AS virtual directories on our 2007 CAS server look like this:
- InternalURL: webmail.hosteddomain.com
- ExternalURL: $null
- BasicAuthEnabled: True
- WindowsAuthEnabled: False

Finally, I verified that my test user as inheritance enabled.

Since all the other mail clients work and ActiveSync works when I'm not trying to proxy through Exchange 2013, I'm not sure what else to check. Thoughts? Thanks.

• Edited by mhashemi Monday, June 15, 2015 7:38 PM

Jim-Xu,

1. Verified 

2. Verified

3. Autodiscover still points to webmail.hosteddomain.com, so it bypasses Exchange 2013. Once I can set up the account manually, I will update DNS to point to 2013.

4. The Remote Connectivity Analyzer failed and showed the following (truncated)

Attempting to send the OPTIONS command to the server.

An HTTP 500 response was returned from IIS7.
HTTP Response Headers:
request-id: 3adc6cca-9188-467c-ac47-73b2aae2ee18
X-CalculatedBETarget: 2013casmbx1.domain.local
X-MS-BackOffDuration: L/-470
X-DiagInfo: 2013casmbx1
X-BEServer: 2013casmbx1
Cache-Control: private
Content-Type: text/html
Set-Cookie: ClientId=VIULIVZSYEUZMVDFBTJBG; expires=Wed, 15-Jun-2016 19:57:13 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-320083725-3346028824-3299231156-52809=u56Lnp2ejJqBnZ3HnJnMnMbSy8rPmdLLz5nM0p6eyprSz57Hy8vLncvPx86ZgYHNz87K0s/I0s7Jq87GxcrIxc7M; expires=Thu, 16-Jul-2015 19:57:13 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319

I also verified that the Microsoft-Server-ActiveSync virtual directory in IIS 6.5 is setup for Basic auth only. Does it matter if the default domain is specified or not?

• Edited by mhashemi Tuesday, June 16, 2015 8:18 PM

Hi ,

We could install .Net 4.5.2 by the following link:

https://www.microsoft.com/en-us/download/details.aspx?id=42643

If the issue persist, we could refer to the following steps to rebuild ActiveSync virtual directory:

https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx

If there are any questions regarding this issue, please be free to let me know.

Best Regard,

Jim

I have verified that .Net 4.5.2 is already installed. 

I'm not sure that rebuilding the virtual directory is the answer, an here's why. For simplicity, I left out of my original post, that the Internet side of my Exchange 2013 environment is an F5 and that there are actually three 2013 servers. I tested with all three of them in the load-balanced pool, and saw this issue. To more easily identify which server my client is talking to, I took two of the servers out of the pool. Since the issue has been present on three CAS servers, I doubt it is something wrong with the virtual directory.

On top of that, I'm not sure that it isn't the backend virtual directory that would need to be reset.

Check out this video from F5 on Exchange coexistence, the video is for 2007/2010 but the same thing works for 2013. This is what we implemented with our F5 APM.

Basically you query the user mailbox account and determine what mailbox server the users mailbox resides on.  An attribute is set in the users session variables.  That variable is then used to assign the user to either the 2007 or 2013 pool depending on the value returned from the query.  We were able to use the same public URL's for both exchange environments using this method and it worked perfectly.  The only thing we did differently was to direct the autodiscover request to the 2013 cas server pool for everyone.  Otherwise, free/busy lookups failed when users on 2007 tried to query 2013 users.

Exchange F5 coexistence:

https://www.youtube.com/watch?v=xRsUqWp1Ngs

If I remember correctly, I also believe NTLM needs to be enabled on the 2007 CAS server AS virtual directory since the 2013 server is doing the proxy request.

Also, the 2013 Autodiscover response includes additional information related to the 2013 environment and service URL's.  Using the 2007 autodiscover XML and trying to proxy through the 2013 server could be the problem.