Wednesday, December 4, 2013

Exchange 2013 CU3 upgrade removes the ActiveSync virtual directory ExternalURL

Microsoft released Exchange Server 2013 Cumulative Update 3 on November 25, 2013. CU3 includes fixes for many customer-reported issues, minor product enhancements and previously released security bulletins. A complete list of customer-reported issues resolved in Exchange Server 2013 Cumulative Update 3 can be found in Knowledge Base Article KB 2892464.

Although it's not listed in the Description of Cumulative Update 3 for Exchange Server 2013, one of the important things that Exchange 2013 CU3 fixes is OWA redirection for OWA 2010.  I discussed this in my article, OWA 2013 CU1 Redirection is Broken for Legacy Mailboxes.

Unfortunately, one important fix did not make it into CU3: Upgrading Exchange 2013 blanks out the ActiveSyncVirtualDirectory ExternalUrl property.  This only affects Exchange 2013 upgrades from RTM through CU2 - it does not affect new installations of Exchange 2013.

Exchange 2013 ActiveSyncVirtualDirectory URL values before CU3

Exchange 2013 ActiveSyncVirtualDirectory URL values after CU3

This problem was actually introduced back in the Exchange 2010 timeframe and has been present since Exchange 2013 CU1. If you perform a RecoverServer operation in 2010, the operation should reconfigure the recovered server with the existing values stored in Active Directory. At some point code was introduced that reset the URL values and security configuration of the OWA, ECP and ActiveSync virtual directories to their default values (InternalURL uses the FQDN of the server and ExternalURL is blank). Since Exchange 2013 servicing is a build-to-build upgrade, it behaves pretty much like a RecoverServer operation and the problem becomes apparent.

On an important side note, I'd like to point out that it was the Microsoft Certified Masters on the Exchange TAP program who discovered this issue and brought it to Microsoft's attention.

The Exchange Team was able to address this behavior for the OWA and ECP virtual directories, but unfortunately did not address it for ActiveSync (it's still being tracked).  Fixing the issue for OWA and ECP virtual directories was high priority since this affects users' ability to access ECP and options from Outlook.

ActiveSync, however, only uses the external URL value once, when a mobile device is first configured for email. EAS devices do not periodically check Autodiscover and reconfigure themselves like Outlook does, so if the value is blank, devices configured prior to the CU3 upgrade will still work.

This does affect new devices, however. If the ExternalURL value for the ActiveSync virtual directory is blank when a user tries to configure a new EAS mail client, the device has no idea how to connect to Exchange. EAS will then prompt the user for the server name, which they may or may not know.

The fix is simple: After upgrading Exchange Server 2013 to CU3, reconfigure the ActiveSync virtual directory ExternalURL property using the following cmdlet:

Get-ActiveSyncVirtualDirectory -Server <servername> | Set-ActiveSyncVirtualDirectory -ExternalUrl https://<external fqdn>/Microsoft-Server-ActiveSync

You may also need to reconfigure security settings for the ActiveSync virtual directory (i.e., if you use user certificates for authentication).  I recommend making note of your ActiveSync virtual directory URLs and security settings prior to the upgrade.  Unfortunately, none of this made it into the release notes.
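
One way to make that note and reapply it afterwards, as an added example that is not part of the original post: it snapshots the URLs and authentication settings of every ActiveSync virtual directory before the upgrade, then reports and restores anything the upgrade reset. The function names and the snapshot file path are hypothetical.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Function names and the snapshot path are hypothetical.
$EasProps = 'InternalUrl','ExternalUrl','BasicAuthEnabled','WindowsAuthEnabled','ClientCertAuth'

function Save-EasVdirSettings {
    param([string]$Path = '.\eas-vdir-before-cu.xml')
    # URLs and the ClientCertAuth enum are stored as strings so they compare cleanly later.
    Get-ActiveSyncVirtualDirectory |
        Select-Object @{n='Identity';       e={[string]$_.Identity}},
                      @{n='InternalUrl';    e={[string]$_.InternalUrl}},
                      @{n='ExternalUrl';    e={[string]$_.ExternalUrl}},
                      BasicAuthEnabled, WindowsAuthEnabled,
                      @{n='ClientCertAuth'; e={[string]$_.ClientCertAuth}} |
        Export-Clixml -Path $Path
}

function Restore-EasVdirSettings {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Path = '.\eas-vdir-before-cu.xml')
    foreach ($saved in Import-Clixml -Path $Path) {
        $now = Get-ActiveSyncVirtualDirectory -Identity $saved.Identity
        $changes = @{}
        foreach ($p in $EasProps) {
            $old = $saved.$p
            # Skip values that were empty before the upgrade; there is nothing to restore.
            if ([string]$old -eq '') { continue }
            if ([string]$now.$p -ne [string]$old) {
                Write-Warning ("{0}: {1} was '{2}', is now '{3}'" -f $saved.Identity, $p, $old, $now.$p)
                $changes[$p] = $old
            }
        }
        # Only touch a virtual directory that actually drifted from the snapshot.
        if ($changes.Count -and
            $PSCmdlet.ShouldProcess($saved.Identity, 'Restore ' + ($changes.Keys -join ', '))) {
            Set-ActiveSyncVirtualDirectory -Identity $saved.Identity @changes
        }
    }
}

# Before the upgrade:          Save-EasVdirSettings
# After the upgrade, review:   Restore-EasVdirSettings -WhatIf
# After the upgrade, apply:    Restore-EasVdirSettings
```

Running the restore with -WhatIf first lists every reset URL and authentication setting without changing anything, which is the point at which to confirm that certificate authentication was not silently downgraded.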

Hopefully, this will be completely addressed in Exchange 2013 SP1 due early 2014.

1:44 PM