ActiveSync proxy problem from Exchange 2010 CAS to Exchange 2007 CAS

Not open for further replies.



As part of our pre-2010 migration, I'm trying to test what happens to users still on 2007 mailbox servers when we move the main external URL over to the 2010 CAS. I've been following various guides such as

I'm stuck on one problem with ActiveSync (an iPhone).

When the device is set to connect to the 2010 CAS and looking to a 2007 mailbox, the 2010 CAS tries to proxy the connection back to a 2007 CAS (as expected), however it fails. I'm getting the following error in the IIS logs on the 2007 CAS:

2010-11-24 15:55:21 OPTIONS /Microsoft-Server-ActiveSync/Proxy - 443 - Apple-iPhone3C1/802.117 401 2 5 0

2010-11-24 15:55:21 OPTIONS /Microsoft-Server-ActiveSync/Proxy &Log=PrxFrom: 443 DOMAIN\2010CAS$ Apple-iPhone3C1/802.117 441 0 0 0

2010-11-24 15:55:21 POST /Microsoft-Server-ActiveSync/Proxy cmd=ProxyLogin&Log=PrxFrom: 443 DOMAIN\2010CAS$ - 403 0 0 0

( is the 2010 CAS & is the 2007 CAS)

The only other post I can find suggests it's an issue with the authentication methods, but I've read that because the 2010 CAS proxies to the /Proxy/ directory within the ActiveSync directory, you don't need to change the main virtual directory authentication.

Can anybody shed any light on the 'MissingCscCacheEntry' or 'LackingExtendedRights' errors in this context?




To follow up, here are the corresponding IIS logs from the 2010 CAS:

2010-11-29 15:27:47 OPTIONS /Microsoft-Server-ActiveSync/default.eas &Log=PrxTo:2007CAS.fqdn.internal_LdapC1_LdapL15_Error:protocolError.Forbidden_Mbx:2007MBX.fqdn.internal_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F0e0cf308-58ee-4f3d-a19d-8e62f6bcdafb%2cNorm_ 443 DOMAIN\user 90.*.*.* Apple-iPhone3C1/802.117 500 0 0 62
2010-11-29 15:27:47 OPTIONS /Microsoft-Server-ActiveSync/default.eas &Log=PrxTo:2007CAS.fqdn.internal_LdapC1_Error:protocolError.Forbidden_Mbx:2007MBX.fqdn.internal_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F0e0cf308-58ee-4f3d-a19d-8e62f6bcdafb%2cNorm_ 443 DOMAIN\user 90.*.*.* Apple-iPhone3C1/802.117 500 0 0 46

( is the IP of the 2010 CAS NLB containing the above

It actually appears in the logs several times, twice for each 2007 CAS in the AD site (once with "LdapC1_LdapL15" in the string and once with just "LdapC1").

Again I can't find much with this error message, "ProtocolError.Forbidden", either for EAS proxying.

I seem to get the same error whichever combination of 2010 CAS (2) and 2007 CAS (3) gets used - they all fail - so I'm guessing it's something to do with the way we have the various IIS directories configured across our network.

The 2010 CAS are running SP1 with the latest Rollup and the 2007 CAS are running SP3 (well 2 of the 3 are).

Any suggestions gratefully accepted.



Hi Andy,

I haven't tested with any other devices, as we only use ActiveSync for iPhones and iPads (everybody else in the organization is on Blackberries through a BES). I'll see if I can borrow something else though just for testing purposes.

iPhones work fine if it's a 2010 mailbox connecting via the 2010 CAS or a 2007 mailbox connecting via the 2007 CAS, so it's not something blatantly wrong with the EAS install on any of the boxes, it's just 2007 mailboxes connecting via the 2010 CAS that's giving me headaches.

Thanks for the link, I did see something about iPhones not supporting the redirect/autodiscover functionality correctly, so I wasn't expecting it to automatically switch to the "" external URL of the 2007 CAS. Everything I've read seems to suggest that in this situation though the 2010 CAS should just proxy the EAS traffic to the 2007 CAS internalurl itself, which is what it is trying and failing to do with the above errors.

I've just spotted that this iPhone is on 4.1, so I will try to install the just released 4.2 on the off chance that helps with the redirection/autodiscover, but I'm not holding up much hope as it does seem to be an Exchange issue where the proxying is concerned.



Possible cause: The account used for CAS to CAS proxying does not have "ms-Exch-EPI-Token-Serialization" extended AD permissions on the non-internet facing CAS.


Get-ClientAccessServer -Identity Exchange2007CASServerName | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-Exch-EPI-Token-Serialization" -User "DOMAIN\2010CAS$"
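
Added example, not part of any poster's reply: a read-only check for the Exchange Management Shell that lists which accounts hold the ms-Exch-EPI-Token-Serialization extended right on each Client Access server, so the grant above can be confirmed and reviewed. The `$expected` list is an assumption for illustration; `DOMAIN\2010CAS$` is the thread's placeholder account name.

```powershell
# Read-only audit: who holds the token-serialization extended right on each
# Client Access server. Run in the Exchange Management Shell.
$right = 'ms-Exch-EPI-Token-Serialization'

# Assumption: accounts already reviewed and expected to hold the right for
# CAS-to-CAS proxying. 'DOMAIN\2010CAS$' is the thread's placeholder; extend
# this list with the holders you have verified in your own organization.
$expected = @('DOMAIN\2010CAS$')

Get-ClientAccessServer | ForEach-Object {
    $cas = $_
    # Get-ADPermission returns every ACE on the server object; keep only the
    # entries that carry the extended right in question.
    Get-ADPermission -Identity $cas.DistinguishedName |
        Where-Object { $_.ExtendedRights -like $right } |
        ForEach-Object {
            $user = $_.User.ToString()
            New-Object PSObject -Property @{
                Server    = $cas.Name
                User      = $user
                Deny      = $_.Deny          # True: the ACE blocks the right
                Inherited = $_.IsInherited   # True: set on a parent container
                Expected  = ($expected -contains $user)
            }
        }
} | Sort-Object Server, User |
    Format-Table Server, User, Deny, Inherited, Expected -AutoSize
```

A proxying CAS computer account that is missing from the output for a given server, or that appears only with Deny set, matches the failure described in this thread. Rows with Expected = False are holders to review, since the right lets an account hand a serialized user security context to that server.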



Thanks James, that seems to have fixed the errors I was seeing in the IIS logs, and the proxy requests seem to be going through OK now. Any ideas why the new 2010 CAS servers didn't have that permission by default?

Now that the iPhone can talk through to one of the 2007 CAS servers via the 2010 CAS URL, it seems to be updating its server URL to the external URL of one of the 2007 CAS servers. So it looks like the iPhone can now accept the redirect/autodiscover requests, but it has to be able to proxy through to the 2007 CAS first before it will update (i.e. the 2010 CAS doesn't return all the required information itself if it can't talk to the 2007 CAS).

Thanks for the help James & Andy
