
McAfee EMM:

Troubleshooting connections to ActiveSync.



After an installation of EMM, email, contacts, and calendar often do not sync to the devices, and you will need to troubleshoot the connection to ActiveSync before sync will work. The typical symptom of a problem connecting to ActiveSync is that the iPhone, iPad, or iPod displays "Cannot Connect to Server" when checking email. There are a few reasons this can occur, including certificate, protocol, and misconfiguration issues. This technical whitepaper discusses the most common issues behind the connection failures and how to resolve them. One important item to note is that everything in this technical review can apply to Exchange or Domino Traveler servers. This document explains the 4 most common items that cause the EMM solution to fail to connect to an email server.


Version 2.0


Push Notifications are not working correctly
Incorrect ActiveSync information in the EMM Console
Incorrect address of FQDN defined for the ActiveSync proxy
Wrong protocol used by the proxy to connect to the mail server
Feedback on This Document

Push Notifications are not working correctly
If push notifications cannot be sent out to Apple's Push Notification servers, then the iOS device will never receive the MDM profile that contains the EAS (Exchange ActiveSync) information. The cause of this issue is that the Hub services on the internal EMM server cannot successfully connect to Apple's Push Notification servers. This can occur if the firewall between the EMM Hub server and the internet does not have the correct ports open.

Device Symptom: On the device, the second EMM profile will not be present and email will look as if it has not been set up at all. On the iOS device, navigate to Settings\General, scroll to the bottom, and look for Profiles. You should have 2 profiles installed as seen below; if not, then you have an issue. Check the Server Symptom to verify.

Server Symptom: On the server, you will see errors in the Event Viewer for McAfee EMM stating that the Hub service was unable to connect to the Apple Push system. You also may not see the device listed in the EMM Console Helpdesk screen. The system will try 5 times to connect and will then give up trying to send the provisioning profile.

Verify Issue: Testing can confirm that the issue is present and provide proof that the Hub services cannot connect to the Apple Push system. To test, try to launch a telnet session from the Hub to Apple's push system by running the following command from a command prompt on the Hub server. It is important that this be done from the Hub server and not the proxy server.

telnet gateway.push.apple.com 2195

This command tries to make a connection from the Hub server to Apple's Push servers on port 2195. You should be able to make the connection, and the command window will blank out with a flashing cursor in the upper left corner. This indicates that you have successfully connected. If the command just shows "Connecting...", it will eventually time out. If it times out, this is proof that the firewall is not allowing a connection from the Hub server to ports 2195 and 2196 on the internet.

Note: Telnet is not a native command on Windows Server 2008. You will first have to install the telnet
client from the server manager in Server 2008. Open the Features and then add a feature. Look
for the Telnet Client and check that to install telnet before you try to run the above command.




How to Fix: Have the customer open TCP ports 2195 and 2196 from the Hub server to the internet. Once they are open, you should be able to make the connection to the Apple Push servers with telnet. For more specific information, here are the exact FQDN-to-port mappings:
TCP 2195 to gateway.push.apple.com
TCP 2196 to feedback.push.apple.com

Testing the Fix: Verify that you can telnet to the push servers. Then provision an iOS device again. You will get the first profile immediately, and the push profile should come within 1 to 2 minutes after the provisioning is complete. Verify that there are no errors in the EMM Console with pushing the MDM profile to the iOS devices.

Incorrect ActiveSync information in the EMM Console

Device Symptom: When you open the native email application on the iOS device, you will get the "Cannot Connect to Server" error. You will have 2 profiles on the device, but Email, Calendars, and Contacts will not sync.
Server Symptom: The device may show up in the EMM Console Helpdesk. There will be no ActiveSync errors in the McAfee EMM event logs.
Verify Issue: Check the EMM Console to see if you have entered the ActiveSync proxy FQDN correctly. Log into the EMM Console\System Settings\Auth Directory. It is important for this setting to be correct, as this is the setting that tells the device where to find the ActiveSync server.

How to Fix: Remember, this should be the FQDN for the public DNS name of your Proxy server that resides in the DMZ. This is not the Email server FQDN. If this is not correct, then the iOS devices will be programmed with the wrong EAS information and will not be able to make the connection. Change the External ActiveSync DNS Address to match the public FQDN (fully qualified domain name) of the proxy server.
Testing the Fix: Open the EMM Agent on the device and tap Update Configuration. This will take you through the process of provisioning again and send you a profile with the corrected EAS connection information. Wait for the MDM push policy to arrive on the phone. Try to open the email on the iOS device. If it fails to connect, turn the power off on the iOS device and restart. Email should start to sync. If not, continue troubleshooting.

Incorrect address of FQDN defined for the ActiveSync proxy

Device Symptom: When you open the native email application on the iOS device, you will get the "Cannot Connect to Server" error. You will have 2 profiles on the device, but Email, Calendars, and Contacts will not sync.
Server Symptom: You will see ActiveSync errors in the McAfee EMM server Event Viewer that state the remote name could not be resolved. You may also see refused connections.

Verify Issue: Verify that you cannot get email on the device. Look at the entry in the event and verify that the address for the Mail server is correct. For the example above, it was set at email.tdsedemo.com. Also verify that you can telnet from the Proxy server to the Mail server that is hosting the ActiveSync function on port 443.
How to Fix: If that address is not the FQDN for the Mail server, or you see that it has been misspelled, follow the instructions below to change the settings.
You need to change the parameters in 2 web.config files.
1. Locate the web.config files in the following two locations on the server in the DMZ (the proxy server). Each file needs to be changed.

C:\Program Files (x86)\McAfee\EMMPlatform\EAS Filter\trustdigital-server-activesync\web.config
C:\Program Files (x86)\McAfee\EMMPlatform\EAS Filter\proxy-server-activesync\web.config

2. In each file, locate the line that begins like this: <easFilter EasTimeout="1000000" ResponseTimeout="1200000"

3. At the end of that line, you will see the location of the server you pointed to when you installed the proxy server. Change that IP or FQDN to the appropriate address if it is wrong.



4. Save the file and then run an iisreset from the command prompt.
5. If all of the above was correct and you cannot telnet from the proxy server in the DMZ to the Mail server that is hosting the ActiveSync functions, then you have a firewall problem. Have the customer open port 443 between the Proxy server and the Mail server.

Note: Telnet is not a native command on Windows Server 2008. You will first have to install the telnet
client from the server manager in Server 2008. Open the Features and then add a feature. Look
for the Telnet Client and check that to install telnet before you try to run the above command.


Testing the Fix: Try to open the email on the iOS device. If it fails to connect, power cycle the iOS device. Email should start to sync. If not, continue troubleshooting.
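
The telnet checks in this document (Hub server to Apple on ports 2195 and 2196, proxy server to the Mail server on port 443) can also be run with the PowerShell function below, which tells a timeout apart from a refused connection and from a name that does not resolve. It is an added example, not part of the original whitepaper or of McAfee EMM; `Test-TcpPort` and `mail.example.com` are names made up for the illustration.

```powershell
# Added example: classify one TCP connection attempt.
# Timeout         -> nothing answered, typical of a firewall dropping the traffic
# Refused         -> the host answered but nothing accepts connections on that port
# NameNotResolved -> the FQDN is wrong or DNS cannot resolve it
function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 5000
    )
    $result = New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; Status = $null; Detail = $null
    }
    try {
        # Resolve first so a misspelled FQDN is reported as such.
        $addr = [System.Net.Dns]::GetHostAddresses($HostName) | Select-Object -First 1
    } catch {
        $result.Status = 'NameNotResolved'
        $result.Detail = $_.Exception.GetBaseException().Message
        return $result
    }
    $client = New-Object System.Net.Sockets.TcpClient($addr.AddressFamily)
    try {
        $async = $client.BeginConnect($addr, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Status = 'Timeout'
        } else {
            $client.EndConnect($async)   # throws if the connection failed
            $result.Status = 'Open'
        }
    } catch {
        $base = $_.Exception.GetBaseException()
        $refused = ($base -is [System.Net.Sockets.SocketException]) -and
                   ($base.SocketErrorCode -eq 'ConnectionRefused')
        $result.Status = if ($refused) { 'Refused' } else { 'Error' }
        $result.Detail = $base.Message
    } finally {
        $client.Close()
    }
    return $result
}

# On the Hub server (hosts and ports from this document):
#   Test-TcpPort gateway.push.apple.com 2195
#   Test-TcpPort feedback.push.apple.com 2196
# On the proxy server in the DMZ (mail.example.com is a placeholder):
#   Test-TcpPort mail.example.com 443
```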

Wrong protocol used by the proxy to connect to the mail server

Device Symptom: When you open the native email application on the iOS device, you will get the "Cannot Connect to Server" error. You will have 2 profiles on the device, but Email, Calendars, and Contacts will not sync.
Server Symptom: You will see ActiveSync errors in the McAfee EMM server Event Viewer that state there are refused connections.

Verify Issue: Verify that you cannot get email on the device and that the other troubleshooting issues have been covered.
How to Fix: To change the proxy to use HTTP instead of HTTPS, follow the instructions below.
You need to change the parameters in 2 web.config files.
1. Locate the web.config files in the following two locations on the server in the DMZ (the proxy server). Each file needs to be changed.

C:\Program Files (x86)\McAfee\EMMPlatform\EAS Filter\trustdigital-server-activesync\web.config
C:\Program Files (x86)\McAfee\EMMPlatform\EAS Filter\proxy-server-activesync\web.config

2. In each file, locate the line that begins like this: <easFilter EasTimeout="1000000" ResponseTimeout="1200000"

3. At the end of that line, you will see the location of the server you pointed to when you installed the proxy server. Change HTTPS to HTTP.



4. Save the file and then run an iisreset from the command prompt.

Testing the Fix: Try to open the email on the iOS device. If it fails to connect, power cycle the iOS device. Email should start to sync.
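
To see what both web.config files point at before or after editing them, the PowerShell below reads the <easFilter> element from each file and reports the scheme, host and port of the mail server target. It is an added example, not McAfee tooling; `Get-EasFilterTarget` is a made-up name, and the script assumes the target is written as an http:// or https:// URL on that element.

```powershell
# Added example: report where each EAS Filter web.config points the proxy.
# Assumption: the mail server target on the <easFilter ...> element is an
# http:// or https:// URL; the attribute that holds it is not relied on.
$configs = @(
    'C:\Program Files (x86)\McAfee\EMMPlatform\EAS Filter\trustdigital-server-activesync\web.config',
    'C:\Program Files (x86)\McAfee\EMMPlatform\EAS Filter\proxy-server-activesync\web.config'
)

function Get-EasFilterTarget {
    param([Parameter(Mandatory=$true)][string]$Path)
    $text = [System.IO.File]::ReadAllText($Path)
    # Take the whole <easFilter ...> tag, even if it wraps over several lines.
    $tag = [regex]::Match($text, '(?s)<easFilter\b.*?>')
    if (-not $tag.Success) { throw "No <easFilter> element in $Path" }
    $url = [regex]::Match($tag.Value, '(?i)https?://[^"''\s>]+')
    if (-not $url.Success) { throw "No http(s) URL on the <easFilter> element in $Path" }
    $uri = New-Object System.Uri($url.Value)
    New-Object PSObject -Property @{
        File   = Split-Path (Split-Path $Path -Parent) -Leaf
        Scheme = $uri.Scheme; Host = $uri.Host; Port = $uri.Port
    }
}

$targets = @($configs | ForEach-Object { Get-EasFilterTarget $_ })
$targets | Format-Table File, Scheme, Host, Port -AutoSize

# Each file needs to be changed, so the two targets must agree.
$distinct = @($targets | ForEach-Object { "$($_.Scheme)://$($_.Host):$($_.Port)" } |
              Select-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "The two web.config files differ: $($distinct -join ', ')"
}

foreach ($t in $targets) {
    # A misspelled FQDN produces the "remote name could not be resolved" symptom.
    try { [void][System.Net.Dns]::GetHostAddresses($t.Host) }
    catch { Write-Warning "$($t.File): cannot resolve $($t.Host)" }
    # With http, the hop from the DMZ proxy to the mail server is not encrypted.
    if ($t.Scheme -eq 'http') {
        Write-Warning "$($t.File): traffic to $($t.Host) is sent without TLS"
    }
}
```

Run it on the proxy server in the DMZ; it only reads the files, so the iisreset step is still needed after any change.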

Feedback on This Document
If you would like to see additional information included in this guide or you discover any errors, please contact
mike_burr@mcafee.com. Your feedback is welcome!
