ActiveSync proxy from 2013 (CU5) to 2010 not working with Client Certificate-based Authentication

Hello,

I am currently migrating from Exchange 2010 to Exchange 2013 (CU5) and am encountering problems with the proxying of ActiveSync from 2013 to 2010.

Users who still have a mailbox on Exchange 2010 will receive an error that the server cannot be reached on their iPhones. We are using Client Certificate-based Authentication, which is working fine for users that have a mailbox on Exchange 2013.

We are using self-signed certificates and have made sure the root cert and client cert are on the phones with the iPhone Configuration Utility.
The iPhones are connecting to the Exchange 2013 CAS Servers from the Internet via a NAT rule on the firewall, which was used for the 2010 CAS servers before. We only changed the destination IP. It is not working on the LAN either.

All other Exchange services work fine. OWA via Exchange 2013 is running smoothly for users who are still on Exchange 2010.

I hope someone can shed some light on this issue for me. I will gladly supply any further information needed.

Regards,
Arjan.


July 28th, 2014 11:39am

Hi Arjan

Certificate based authentication for EAS will not work for Exchange 2013.

Workaround: Increase uploadReadAheadSize from 0 to 49152 then restart MSExchangeSyncAppPool and see the results.

Refer to the blogs below:
http://blog.jasonsherry.net/2013/11/25/exchange-2010-sp3-ru3-2013-cu3-released/
http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=73761DD5C968244909F2E09FB6F2645B?externalId=KB34678&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

July 30th, 2014 10:08am
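
The workaround from the post above, written out as an added example that is not part of the original thread: it reads the current uploadReadAheadSize on the ActiveSync virtual directory, raises it to 49152 only if it differs, and restarts the application pool named in the post. The site name "Default Web Site" and the virtual directory name "Microsoft-Server-ActiveSync" are assumptions based on a default Exchange installation.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Exchange 2013 CAS server.
Import-Module WebAdministration

$site   = 'Default Web Site'             # assumption: default IIS site name
$vdir   = 'Microsoft-Server-ActiveSync'  # assumption: default EAS virtual directory
$pool   = 'MSExchangeSyncAppPool'        # application pool named in the post
$target = 49152                          # value given in the post

# serverRuntime is set at the applicationHost level, scoped by a location path.
$filter = 'system.webServer/serverRuntime'
$common = @{
    PSPath   = 'MACHINE/WEBROOT/APPHOST'
    Location = "$site/$vdir"
}

# Record the value before touching anything, so the change can be reverted.
$before = [int](Get-WebConfigurationProperty @common -Filter $filter -Name 'uploadReadAheadSize').Value
Write-Output "uploadReadAheadSize before: $before"

if ($before -ne $target) {
    Set-WebConfigurationProperty @common -Filter $filter -Name 'uploadReadAheadSize' -Value $target
    # The post calls for restarting the pool after the change.
    Restart-WebAppPool -Name $pool
}

# Read the value back to confirm what is now in effect.
$after = [int](Get-WebConfigurationProperty @common -Filter $filter -Name 'uploadReadAheadSize').Value
Write-Output "uploadReadAheadSize after:  $after"
```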

Hi Arjan

Certificate based authentication for EAS will not work for Exchange 2013.


No. It is supposed to work with CU5. That is one of the new features of CU5.
July 31st, 2014 5:32am

Hi Satish,

As MyGposts already stated, Certificate Based Authentication is supposed to be back in play again with CU5, which is the version I am currently running.

As a matter of fact, it is working for people that are already migrated to Exchange 2013. It is just that the people still on Exchange 2010 do not get their connection proxied on to the correct servers for some reason.

Cheers,
Arjan.

July 31st, 2014 5:44am

How are people doing the EAS Certificate Based Authentication with 2013 CU5?

I can't believe after all these months I still can't find any instructions on this that are not intended for older versions of Exchange.

CU6 is out now and Microsoft still is not providing documentation on this feature from CU5!!!

September 4th, 2014 5:44am

It is frustrating indeed that there are no instructions to be found anywhere yet.

I have set it up using the instructions for Exchange 2010 and it seems to work, except for the proxying...

September 4th, 2014 6:16am

Did you ever get this working? I am having the same issues with the ActiveSync CBA proxy from 2013 to 2010. I just installed CU7.
April 1st, 2015 8:23am

Unfortunately not. I ended up moving all users without ActiveSync first and then did all users that did have an ActiveSync relationship set up, in one weekend. Proxying never worked properly.
April 1st, 2015 9:33am

This topic is archived. No further replies will be accepted.
