Configure Exchange 2003 & Apple iPhone

Date: Dec 08 2008

Let me just start off by saying that anyone with a RIM BlackBerry should throw it up against the wall when it comes to Exchange account support. I was a long-time Verizon customer and bought the new BlackBerry Storm to try out, and it was absolutely the worst. I returned it 12 days later and switched to the iPhone. I am not going to get off on a “My iPhone is better” rant, but I do want to post this for people who may be in the same situation. Bottom line: true OTA Exchange account support with BlackBerry Snap on for Exchange will cost you about $2,999 for 1 user; iPhone native Exchange support for unlimited users is $0. In this article I will explain what it takes to get Exchange set up.

Overview of Configuration

  • Configure IIS & Exchange for RPC over HTTP/S
  • Self Sign secure certificate (optional for SSL support)
  • NAT/Firewall Configuration (if needed)
  • Setup your account on your iPhone

Prerequisite Software

  • IIS (6.0 used in this tutorial)
  • Exchange 2007 w/ Service Pack 1
  • iPhone 2.1 or greater software

INSTALL RPC over HTTP/S on Server

  1. On the Exchange Server 2003 computer that is running Windows Server 2003, click Start, point to Control Panel, and then click Add or Remove Programs.
  2. Click Add/Remove Windows Components, click Networking Services, and then click Details.
  3. Click to select the RPC over HTTP Proxy check box, click OK, and then click Next. Note that you must have either the Windows Server 2003 installation CD ready, or the i386 folder from that CD accessible while installing this component.
  4. When Windows Component Wizard has completed configuring components, click Finish.

Configure RPC with Internet Information Services

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand servername (local computer), expand Web Sites, expand Default Web Site, right-click Rpc, and then click Properties.
    Note: Windows Server 2003 Service Pack 1 (SP1) adds a new virtual directory called RpcWithCert. This virtual directory points to the same location as the Rpc virtual directory. You do NOT need to modify this virtual directory.
  3. Click the Directory Security tab, and then click Edit under Authentication and access control.
  4. Click to clear the Enable anonymous access check box.
  5. Click to select the Basic authentication (password is sent in clear text) check box.
  6. You receive the following message:

    The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections.

    Are you sure you want to continue?
  7. Click Yes.
  8. I recommend entering the domain name in the Default Domain box (you can press Select to browse to the domain name).
  9. Click OK.
  10. When finished, click Apply, and then click OK.

Configure RPC SSL in Internet Information Services

The RPC virtual directory is now configured to use basic authentication. As stated in the Recommendations section of this article, you must configure SSL on your RPC Proxy server (i.e. on your single server). To enable SSL on the RPC virtual directory you must obtain and publish a certificate or use the self-signed method I will describe below. If you just want to access Exchange without SSL (port 80) you can skip the next two sections, but the basic authentication password then crosses the network unencrypted, as the IIS warning quoted in the previous section states.

To configure the RPC virtual directory to require SSL for all client-side connections, follow these steps:

  1. In Internet Information Services (IIS) Manager, expand Web Sites, expand Default Web Site, right-click Rpc, and then click Properties (the same dialog you used in the previous section).

  2. Click the Directory Security tab, and then click Edit under Secure communications.
  3. Click to select the Require secure channel (SSL) check box and the Require 128-bit encryption check box.
  4. Click OK, click Apply, and then click OK.
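
A check that complements this step, as an added example that is not part of the original article: it scans IIS W3C logs for authenticated requests that reached the Rpc or ActiveSync virtual directories on port 80, and counts the 403.4 rejections that show Require secure channel is being enforced. The log lines are constructed, and the `/Microsoft-Server-ActiveSync` path and the logged fields are assumptions about the server's setup.

```python
# Added example: audit IIS 6.0 W3C logs for Basic-auth logons sent without SSL.
# Constructed sample log (not real traffic); hosts, users and IPs are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-12-08 10:01:12 192.0.2.10 RPC_IN_DATA /rpc/rpcproxy.dll mail01:6001 443 EXAMPLE\\alice 198.51.100.7 MSRPC 200 0 0
2008-12-08 10:02:40 192.0.2.10 POST /Microsoft-Server-ActiveSync Cmd=Sync 80 EXAMPLE\\bob 198.51.100.8 Apple-iPhone 200 0 0
2008-12-08 10:03:05 192.0.2.10 GET /rpc/rpcproxy.dll - 80 - 198.51.100.9 - 403 4 0
2008-12-08 10:04:17 192.0.2.10 GET /iisstart.htm - 80 - 198.51.100.9 Mozilla/4.0 200 0 0
"""

# Virtual directories that accept Basic credentials. "/rpc/" is the directory
# configured above; the ActiveSync path is an assumption about this server.
WATCHED = ("/rpc/", "/microsoft-server-activesync")


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated entries
                yield dict(zip(fields, values))


def is_watched(rec, watched=WATCHED):
    """True when the request targets one of the watched virtual directories."""
    return rec.get("cs-uri-stem", "").lower().startswith(watched)


def cleartext_logons(text):
    """Authenticated requests on port 80; with Basic auth the password was unencrypted."""
    return [(r["date"], r["time"], r["cs-username"], r["c-ip"], r["cs-uri-stem"])
            for r in parse_w3c(text)
            if is_watched(r) and r.get("s-port") == "80"
            and r.get("cs-username", "-") != "-"]


def ssl_required_rejections(text):
    """Count HTTP 403.4 (SSL required) responses on watched paths."""
    return sum(1 for r in parse_w3c(text)
               if is_watched(r) and (r.get("sc-status"), r.get("sc-substatus")) == ("403", "4"))


if __name__ == "__main__":
    for hit in cleartext_logons(SAMPLE_LOG):
        print("cleartext Basic logon:", *hit)
    print("403.4 rejections:", ssl_required_rejections(SAMPLE_LOG))
```

Any account the first function reports should have its password changed, since it was sent over plain HTTP.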

Self-Sign an SSL certificate for Internet Information Services

Next we want to provide either a signed SSL certificate or a self-signed certificate (iPhone works with both). I did not feel the need to pay for a cert, so I just did a self-signed one. I will describe the steps I took here.

You will need SelfSSL, a free tool provided by Microsoft which comes with the IIS 6.0 Resource Kit Tools. You can download IIS 6.0 Resource Kit Tools from here.

After downloading and executing this kit, make sure you either choose Complete installation option or if you choose Custom installation option, make sure you have selected the SelfSSL feature. See below step by step screen shots for the Custom installation option.

  1. Click on Start > All Programs > IIS Resources > SelfSSL > SelfSSL to run the SelfSSL utility. On doing so, you should see the command prompt along with help instructions (see below screen shot).
  2. Type selfssl.exe and press Enter. It will use the default settings to install the SSL certificate, which are equivalent to:
    /N:CN=<YOUR COMPUTER NAME> (common name of the certificate)
    /K:1024 (key length of the certificate)
    /V:7 (validity of the certificate in days)
    /S:1 (ID of the site to which the certificate needs to be installed)
    /P:443 (SSL port)
  3. Press Enter, then type y and press Enter again to confirm the installation.

    The most important option here is the site ID parameter; SelfSSL uses site ID 1 by default, which maps to “Default Web Site”. Note that with the default /V:7 the certificate is valid for only seven days, so pass a larger /V: value if it needs to last longer.

Port Parameters in the Registry

Instead of manually editing the registry, I used a small utility that will allow you to perform all the required registry changes by pressing a couple of buttons. The tool is called RPCNoFrontEnd.

Run the tool on your Exchange server, input the server’s names and click “set registry entries now”.

Configure Exchange 2007 SP1 to use RPC over HTTP/S

  1. Click Start, point to Microsoft Exchange, and then click System Manager.
  2. Expand your organization, expand Administrative Groups > First Administrative Group > Servers.
  3. Right-click on your server name and select Properties.
  4. On the General tab, verify that you have SP1 installed. Verify that a tab called RPC-HTTP is present.
  5. On the RPC-HTTP tab, click on RPC-HTTP Back-End Server.
    You might get an error

    Acknowledge the error.
  6. Click OK all the way out.

At this point everything is set up on the server’s end. You need to reboot your server for the settings to take effect.

Firewall Ports for RPC-HTTP/S

You will need to open the following ports:

Non-SSL setup: Port 80 TCP
SSL setup: Port 443 TCP

If you are running NAT you will also need to port-forward those ports to your Exchange/IIS server.

Configuration of the Exchange Account on the iPhone

  1. Tap Settings, then Mail, Contacts, Calendars, then Add Account, then Microsoft Exchange.
  2. On the next screen, enter your complete email address, domain, username, password, and a description (which may be anything you like). Ask your Exchange server administrator if you are unsure of the domain. If you are unable to view your folder list, or unable to send or receive email, leave the domain field blank.
  3. Your iPhone (or iPod touch) will now try to locate your Exchange server using Microsoft’s Autodiscovery service. If the server cannot be located, the screen below is shown. Enter your front-end Exchange server’s complete address in the Server field. Contact your Exchange server administrator if you are unsure of the address.

    Your iPhone will try to create a secure (SSL) connection to your Exchange server. If you did not set up SSL, it will try a non-SSL connection. To override the SSL setting, go into Settings, then Mail, Contacts, Calendars, select your Exchange account, tap Account Info, then toggle the Use SSL slider.

    After successfully making a connection to the Exchange server, you may be prompted to change your device passcode to match whatever policies may have been set on your server.

  4. Choose which type(s) of data you would like to synchronize: Mail, Contacts, and Calendars. Note that by default, only 3 days’ worth of email is synchronized. To synchronize more, go into Settings, then Mail, Contacts, Calendars, select your Exchange account, and tap on Mail days to sync.

Note that after configuring an Exchange ActiveSync account, all existing contact and calendar information on the iPhone or iPod touch is overwritten. One Exchange account is permitted. Additionally, iTunes no longer syncs contacts and calendars with your desktop computer. You can still sync your iPhone wirelessly with MobileMe services.


14 Comments to “Configure Exchange 2003 & Apple iPhone”

  1. Achtung 15 December 2008 at 5:18 pm #

    Bottom line true OTA exchange account support with Blackberry Snap on for Exchange will cost you about $2,999 for 1 user

    -Your info is not accurate. BES is available for free then you purchase $100 CALs per blackberry. Any blackberry PIN will allow to download your FREE copy. You cannot even compare and contrast BES’s power over Activesync. Try doing exchange migrations with Windows\Iphones in the picture. Try wiping data off a stolen or lost iphone remotely. With Activesync you can send a wipe command but the user has to approve it and the person in possession of the phone continues to enjoy all the data from the last sync.

  2. undertoe 15 December 2008 at 5:29 pm #

    You can not just purchase 1 license and have it work with the free-trial snap on. I spoke with them directly. RIM said I had to purchase “BlackBerry Enterprise Server Software v4.1, Service Pack 6 for Microsoft Exchange
    Includes 1 user license” which cost $2,999 USD.

    As for the Wipe aspect, change the person’s password and contacts/calendar are wiped. The only thing left behind is emails. That is a downside, I’ll give you that. But not worth the $2,999 IMHO.

  3. David Mekalian 17 December 2008 at 10:20 pm #

    You can download the Blackberry Professional Server, it is free and the only requirement is a valid PIN and your phone needs BES data plan (not BIS). Each additional license will cost $95 each, with a limit of 30 (then you need to purchase the Blackberry Enterprise Server). If you properly follow the detailed installation instructions and get the permissions correct it works fine. I work for a technology company and setup Blackberry servers, Good Link servers (for Treos), Exchange servers (integrating iPhones with ActiveSync) and they all work well and have their plus and minus. The RIM rep information is correct for the plugin, but our customers don’t blink twice at spending $2999. The SMB accounts usually just use the free download. One issue with Blackberry is support isn’t good at all and the software can break with some Microsoft updates. I like the iPhone 2.0, works well.

  4. Jason 21 March 2009 at 4:17 pm #

    Just a note to Achtung, you said:

    “Try wiping data off a stolen or lost iphone remotely. With Activesync you can send a wipe command but the user has to approve it and the person in possession of the phone continues to enjoy all the data from the last sync.”

    This is not accurate. Sending a wipe and clear from exchange to the iPhone does not require the user to “approve” it. The command is executed without user intervention and completely wipes the phone data and takes it to a restore state that requires the unit to be reconnected to iTunes to reinstall the base software on the unit. ALL USER DATA IS DELETED.

  5. ivanmor 16 April 2009 at 1:07 pm #

    Looks like Exchange 2003 to me, not Exchange 2007, can you please provide the settings for Exchange 2007


  6. chris 24 October 2009 at 4:53 pm #

    You better check out blackberry pro, free for 1 user, 100 per additional cals. iphones are horrible for business users.

  7. observer 11 November 2009 at 6:06 pm #

    Definitely not Exchange 2007. You will get stuck at the “Configure Exchange 2007 SP1 to use RPC over HTTP/S” step if you use 2007 so don’t even try. Shame, I would love to get this to work.

  8. erro 19 November 2009 at 5:43 am #

    Do you know the difference between exchange 2003 and 2007?

    you write “configure exchange 2007” and post 2003 procedure and screenshot…useless

  9. Alexandre Avila 15 March 2010 at 3:29 pm #

    Do you know any issue with exchange 2007 (CAS in NLB) with iphone?
    When I use NLB IP address to sync my iphone does not happen… If I use Server IP address (CAS1) to sync my iphone, done…

  10. sts 25 April 2010 at 2:13 pm #

    I think you are good writer, keep us posting

  11. Dee 29 April 2010 at 9:31 am #

    The Blackberry works better with Exchange…You do not have to have a BES for Blackberry to work with Exchange. I have never had a problem setting up a Blackberry for Exchange. I can’t say the same for the IPhone.

  12. Grant 30 April 2010 at 6:11 am #

    I have users with Blackberry’s and iPhones, both connecting to exchange server running on sbs2008.
    The Blackberry’s are a disaster, (Pearl and Storm), yet the iPhones are very reliable, folder sync is good.
    Being a PC man, I initially baulked at the iPhones, but they DO work with exchange 2007, and as someone mentioned in an email, Blackberry’s do seem to get corrupted programs and stop communicating with the exchange server when MS send out updates.
    The telephone support for blackberrys is abysmal “you have lost your contact list, and cannot backup the data as the programs are corrupt, so you will have to wipe the device, to see if it works again” not the answer you want to hear when it is the MD’s phone.

  13. Jeff 1 July 2010 at 10:27 am #

    Great Post but it is exchange 2003 on server 2003. I am having a problem with exchange 2007 on server 2008. The problem is that when I setup the Iphone it requires a passcode. We can get e-mail from the exchange server but now we have to enter the passcode every time the Iphone is unlocked. Is there a way to stop this from happening?

  14. undertoe 1 July 2010 at 1:22 pm #

    Check this out, does that seem to help you out

    Look under Device Password Policies header.
