ActiveSync via Proxy Server fails from iPhone6 when HTTP Redirect is enabled on the Default Website

Hi,

Bit of an odd issue but I'll try to keep it simple.

We have a working 2013 Exchange environment and use Application Request Routing (ARR) as a Reverse Proxy for external users to access ActiveSync (among other services). So far everything works fine but when I added an HTTP Redirect rule on the root of the ARR server to help users get to the /rdweb sub folder, ActiveSync stops working from the iPhone 6 devices.

If I use the MS Connectivity Analyzer to check ActiveSync it reports Success so I'm wondering if the iPhone 6 implementation of ActiveSync might be causing the problem?

If I disable the HTTP Redirect rule, the iPhones start to work perfectly!

Cheers for now

Russell

 

April 30th, 2015 9:55am

Hi Russell,

If ActiveSync works for other devices and for earlier iOS versions, then it would be a bug specific to the iPhone 6.

When we configure ActiveSync account on a mobile device it should directly hit the https://mydomain.com/Microsoft-Server-ActiveSync and not look for https://mydomain.com/ to get redirected to https://mydomain.com/rdweb which would obviously fail.

You might want to track the IIS connection logs, to identify what is happening.

Default location:

C:\inetpub\logs\LogFiles\W3SVC1

s-ip: The IP address of the server on which the log file entry was generated.

cs-uri-stem: The target of the verb, for example, Virtual Dir

c-ip: The IP address of the client that made the request.

cs-username: The name of the authenticated user that accessed the server. Anonymous users are indicated by a hyphen.

cs(Referrer): The site that the user last visited. This site provided a link to the current site.

References:

A script to troubleshoot issues with Exchange ActiveSync

W3C Logging - Codes

May 5th, 2015 5:23am
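An added example (not from the thread or from Microsoft): a small Python parser for the IIS W3C log fields listed in the post above that flags ActiveSync requests which were answered with a redirect or arrived under the wrong path. The sample log lines are constructed, and the function names are hypothetical.

```python
# Constructed sample in IIS W3C extended format; not taken from the thread's server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
2015-05-05 09:12:01 10.0.0.5 GET / - 203.0.113.7 - 302
2015-05-05 09:12:04 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 203.0.113.7 - 302
2015-05-05 09:12:05 10.0.0.5 OPTIONS /rdweb/Microsoft-Server-ActiveSync - 203.0.113.7 - 404
2015-05-05 09:13:40 10.0.0.5 POST /Microsoft-Server-ActiveSync jdoe@example.com 198.51.100.9 - 200
"""

AS_PATH = "/microsoft-server-activesync"
REDIRECTS = {"301", "302", "303", "307", "308"}


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive can change mid-file
        elif line and not line.startswith("#"):
            values = line.split()              # IIS writes spaces in values as '+'
            if len(values) == len(fields):     # skip truncated lines
                yield dict(zip(fields, values))


def misrouted_activesync(records):
    """Return (c-ip, cs-uri-stem, sc-status, reason) for suspicious ActiveSync hits."""
    findings = []
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if AS_PATH.strip("/") not in stem:
            continue                           # not an ActiveSync request
        if not stem.startswith(AS_PATH):
            reason = "ActiveSync request under the wrong path"
        elif r["sc-status"] in REDIRECTS:
            reason = "ActiveSync endpoint answered with a redirect"
        else:
            continue                           # normal ActiveSync traffic
        findings.append((r["c-ip"], r["cs-uri-stem"], r["sc-status"], reason))
    return findings


if __name__ == "__main__":
    for finding in misrouted_activesync(parse_w3c(SAMPLE_LOG)):
        print(*finding, sep="  ")
```

To run it against a real log, read a file from the W3SVC1 folder and pass its text to `parse_w3c`; the log must include the `cs-uri-stem`, `c-ip` and `sc-status` fields.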

Satyajit

Thanks for the reply, I've just tested a Windows 8 phone and it also fails to connect when the "top level" redirect is enabled on the Proxy Server so it's not just an iPhone issue.

I had a look at the IIS logs and could see a couple of requests for \rdweb\microsoft-server-active-sync which would be why it's failing.

I'll have to try and figure out another way of redirecting http traffic from the root of the site to https:\\sub.domain.co.uk/rdweb.

Cheers for now

Russell

May 6th, 2015 8:35am

Hi Russell,

Instead of a "HTTP Redirect rule" you might try IIS DefaultWebSite HTTP Redirect.

Below example is for OWA, but should very well work for your custom /rdweb virtual directory

Simplify the Outlook Web App URL

When you configure redirection from a top-level directory in Windows Server 2008, the settings are propagated to lower-level directories. For example, when you configure redirection on the default website to the /owa virtual directory, the settings that you configure also appear on the HTTP Redirect page of all the virtual directories, such as /Autodiscover, /Exchange, and /Public. Therefore, you must remove redirection from all the virtual directories except the one that you want redirected.

To clean your ActiveSync VD:

You may not be able to use the GUI procedure to remove redirection from a virtual directory that doesn't have a physical path, such as /Exchange, /Exchweb, or /Public. Use the following procedure to remove redirection from a virtual directory that doesn't appear in IIS Manager.

  1. Open a Command Prompt window.

  2. Navigate to <Windows directory>\System32\Inetsrv.

  3. Run the following command:

appcmd set config "Default Web Site/Microsoft-Server-ActiveSync" /section:httpredirect /enabled:false -commit:apphost 


  4. Finish by running the command iisreset /noforce.

References:

Simplify the Outlook Web App URL

How to configure Exchange to redirect OWA HTTP requests to HTTPS requests in IIS 7

May 7th, 2015 2:04am

Satyajit,

Thanks again for the comprehensive reply, much appreciated.

The problem is that the server in question is a Reverse Proxy and as such is just IIS running the ARR components so there is only the Default Site and no sub-sites.

There are 3 Server Farms configured with rules that look for key words after the site name, so for example if the URL includes the word "activesync" the request is forwarded to the internal Exchange Servers. Likewise there's also a search for the word "rdweb" which is redirected to the internal RD Web Access servers.

I would have thought that a URL Rewrite at the top level of this server (Default Site) would only affect a URL that didn't include anything after the / i.e. http://subdomain.domain.co.uk should be redirected to https://subdomain.domain.co.uk/rdweb. If I add such a rule to the Default Site it then seems to affect the other rewrite rules that are looking for certain words and they stop working.

All I'm looking for is a way to redirect anyone who only types http://subdomain.domain.co.uk to the HTTPS equivalent and add the /rdweb parameter to the end of the URL.

Cheers for now

Russell

 

May 7th, 2015 4:08am

Hi Russell,

Usually this is how it's done at Exchange Server level. We use a dedicated ARR\Reverse Proxy most of the time.

Any reason you are using the same ARR server for the other subdirectory? Are you proxying the request to some other server altogether for /rdweb?

This seems tricky and more of an IIS ARR question than an Exchange one. As you have found out by now, you might try posting to iis.net forums, to find out more details how ARR works.

References:

ARR and URL Rewrite

May 7th, 2015 5:37am

How did you configure the redirect? If you do it in the IIS GUI, there is an option that says 'Only redirect requests to content in this directory (not subdirectories)', which should be selected.
May 7th, 2015 5:53am

Lee,

That's the option I used and the re-direct from http://subdomain.domain.co.uk to https://subdomain.domain.co.uk/rdweb worked fine. The problem is that it then stopped the ActiveSync traffic from being directed to the internal server farms.

I'm looking for a way to provide the above re-direct on the Proxy Server (ARR) that won't affect the other 3 rules that direct the ActiveSync, RDWEB or RD Gateway traffic to the internal server farms.

Cheers for now

Russell

May 7th, 2015 5:57am

Satyajit,

We're just trying to save resources by using a single ARR server to reverse proxy requests for the 3 external facing services (ActiveSync, RDWEB and RD Gateway). As it stands it works fine, it's just when we try to setup the http to https redirect that it all falls over.

It's frustrating that we're so close but can't quite find the answer to the last bit of the puzzle.

Thanks for your assistance though, it's much appreciated.

I've asked the question on the IIS forum but as yet nobody has made any useful suggestions :-)

Cheers for now

Russell

May 7th, 2015 6:00am

Well, I've never used ARR, so I can't really suggest anything. But have you referred to specific articles like this series

http://www.msexchange.org/articles-tutorials/exchange-server-2013/mobility-client-access/iis-application-request-routing-part1.html

May 7th, 2015 6:43am

Is your situation anything like this one, where the solution was to add a second IP address to the NIC

https://social.technet.microsoft.com/Forums/exchange/en-US/d3f555ac-84f1-4902-92bb-7cd2cd1ba788/exchange-owaactivesync-conflicting-with-rd-gateway-role

May 7th, 2015 7:03am

Lee,

That's one of the articles that I used when originally setting up the ARR Server.

Thanks anyway

Russell

May 7th, 2015 11:47am

Lee,

I don't think that will help in this situation as it's a dedicated Reverse Proxy server and we can redirect ActiveSync, RDWEB and RD Gateway traffic to the internal Server Farms OK, it's just the redirect at the top level (Default Site) that I'm struggling with and adding a second IP wouldn't help.

Cheers for your input

Russell

May 7th, 2015 11:49am

Hi Russell,

Can you share your web.config contents or "root of the site to https:\\sub.domain.co.uk\rdweb." redirect rule part at least?

May 8th, 2015 2:27am

Satyajit,

Sorry for the delay, I'm not sure how I stand with posting some or all of the configuration but will speak to the internal IT guys on Monday and see what they're happy with.

Cheers for now

Russell

May 9th, 2015 7:19am

Hi Russell,

I can understand.

What I'm wondering is if the requests are going to domain.com/rdweb/Microsoft-ActiveSync then how come MS Connectivity Analyzer ActiveSync reports it as Success?

Check the IIS logs when you attempt a connection from testconnectivity.microsoft.com

Put the rules in this order: (Have you put it as Server level or Site Level rules)

  1. Autodiscover rewrite rule
  2. ActiveSync rewrite rule
  3. OWA rewrite rule, EWS, etc
  4. Rdweb rewrite rule
  5. RD rewrite rule
  6. RDweb URL rewrite - Redirect rule (Don't use HTTP Redirect of the IIS)

May 11th, 2015 2:41am

Satyajit,

I've just had a look at the web.config on the proxy server and there's surprisingly little in it!! There's a line related to the HTTP Rewrite Rule that I tried (now set to false) and that's about it. I had expected to see some information about the 3 x Server Farms that are configured?

Just to add to the stress levels it seems that the Network Provider has now disabled HTTP to the external IPs so I can no longer test the HTTP to HTTPS redirect that I'm desperately looking for!!

As soon as I get the above issue resolved I'll get back to you.

Thanks for your help and patience.

Cheers for now

Russell 

May 11th, 2015 5:18am

Hi Russell,

I think you have Global Rewrite Rules defined, as you mentioned Server Farms.

There are at least two files\locations involved for rewrite rules.

<ApplicationHost>.config C:\inetpub\temp\appPools\apppoolname\ - Global rewrite rules - Filename varies as per pool name.

Web.config - C:\inetpub\wwwroot - Distributed rewrite rules  - These are for every website hosted

Using the URL Rewrite Module

Global and distributed rewrite rules. URL Rewrite uses global rules to define server-wide URL rewriting logic. These rules are defined within the applicationHost.config file, and they supersede rules configured at lower levels in the configuration hierarchy. The module also uses distributed rules to define URL rewrite logic specific to a particular configuration scope. This type of rule can be defined on any configuration level by using Web.config files.

To create a global rule by using URL Rewrite UI in IIS Manager follow these steps:

  1. Go to IIS Manager
  2. In the navigation tree view select the server node.
  3. In the Feature View click URL Rewrite Module
  4. You can move rules up and down here.
May 11th, 2015 6:16am

This topic is archived. No further replies will be accepted.
