This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 27%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello, I've got a question in regard to ActiveSync and Autodiscover. Consider the below diagram, I am walking through a design to migrate over from Exchange 2010 to 2016. You'll notice that there is no direct TCP:443 access from the public internet to Exchange 2016, I'm using a reverse proxy device to connect clients via ActiveSync and OWA only. The Outlook client itself will only ever connect over VPN.
The service URLs for Exchange 2016 have all been configured with a common FQDN, post.domain.com. Including the ClientAccessService/Autodiscover URL. However, with the exception of the ActiveSync ExternalURI field, all other ExternalURIs have been set to $null.
I don't plan to create an autodisover.domain.com record internally or externally, the hope being that Outlook clients can retrieve the necessary connection info with access to Active Directory DNS(SRV records). Since they are only allowed to sync Outlook while on VPN.
We rely on an MDM management tool to push out ActiveSync configurations to all mobile devices, so no reliance on Autodiscover there either. So in this example, you can see that the reverse proxy URL on the public internet is as1.subdomain.domain.com. Whereas the internal service URL name is post.domain.com, which the reverse proxy device connects to and resolves internally.
My question is this... Let's say an ActiveSync capable device happened to run the VPN client and now has access to internal DNS/SRV records. Can I expect the ActiveSync device to interact with Autodiscover at any level and overwrite the publicly resolvable as1.subdomain.domain.com to post.domain.com? This would in effect break ActiveSync once the VPN client was disconnected.
Hi @Anonymous ,
Based on my knowledge, the answer is yes. If the Activesync device has the connectivity to the internal DNS, it can connect using Autodiscover SRV method which is one of the discovery steps.
Alternatively, you can also try pushing the ActiveSync endpoint, http://post.domain.com/Microsoft-Server-ActiveSync using MDM once connected over VPN and see if that works. This is nothing but a manual configuration.
If the above answer is helpful, please click on "Accept Answer" and upvote it. Thanks for understanding.
So I’ve been researching this quite a bit. I agree with you that if the ActiveSync device finds an autodiscover XML file using either domain.com, autodiscover.domain.com, or SRV I can expect the settings to get updated with the incorrect address.
Only catch is that none of those autodiscover records exist in both External and Internal DNS. The SRV record isn’t present internally either. I thought this was created automatically, but apparently not.
The only way Outlook clients on domain joined systems are locating Exchange is via the SCP or service connection point set in Active Directory Sites and Services. My hope is that a non-domain joined ActiveSync device won’t ever look at the SCP.
Regards,
Adam Tyler
There is no non-domain joined ActiveSync to my knowledge. For ActiveSync to work, you need to have the external DNS for auto discover and externalURL of ActiveSync virtual directory. If external is not allowed and VPN profile will be pushed through MDM then it needs to connect to internal DNS to reach the Exchange. It cannot connect using SCP. Either DNS or Manual configuration.
I've confirmed that in order for ActiveSync to function it DOES NOT require an autodiscover record whether it be an "A" record or SRV record. I have an extensive lab built with a few Android devices, they are happily doing ActiveSync without AutoDiscover by manually programming the URL into the ActiveSync profile.
-Adam
Yes, that correct and meant in my earlier responses. There are 2 types of configuration - Automatic and Manual. If you want activesync to get configured and sync just with email &password then you need to fulfill auto discover requirements. For manual, reach ability to URL or server name provided while configuration :) Please let us know the exact requirement.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 82%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
I am writing here to confirm with you how the thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi,
When I check the procedure that Autodiscover processes for Exchange ActiveSync clients, it seems the url that Outlook client connecting to cannot be customized.
Since you don't have DNS records for autodiscover.domain.com, it should fail in the step1,2,3 and try connecting to the url in srv record. What do you set for that?
You've got MDM to apply configuration for all devices, do you mean manually specify the server inforamtion?
The official doc above may not apply for you situation, you can try enabling ActiveSync device log and testing in EXRCA.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Eric Yin-MSFT , It doesn’t look like the SRV record exists either. Only using the SCP address which appears to be set in the Active Directory database as a result of running the set-ClientAccessService cmdlet.
Regards,
Adam Tyler