March 26th, 2005


Geek triumphs over computer and phone (or How To set up Exchange Active Sync)

After a momentous struggle I have beaten the house server into submission. Oh, and tamed my phone.

One of the promises of the Windows Smartphone platform is the ability to sync directly with a server, wherever you are, over a GPRS connection. Now, with IMAP connections available, you might wonder why anyone would want to do that, but over GPRS uncompressed IMAP can be rather slow (especially if you're using SSL and have as many folders on your mail server as I use). Microsoft's synchronisation protocol, with its compressed data, promises to be a lot faster...

Unfortunately, setting up server-based synchronisation isn't as easy as it might be. For one thing, it's really intended for corporate Exchange servers, neatly arrayed in metal racks, rather than a Small Business Server in a Shuttle case sat in an Ikea bedside table.

It's a system that needs you to have an Exchange 2003 server with a working Outlook Mobile Access server, and you also really need a friendly mobile operator to hand, ready to hold your hand and help with some of the more awkward parts of the process. If you're a smaller business, or someone on their own, things are a little harder. It helps if you're a deft hand with configuring IIS server applications. Oh, and have the tools to hack your phone.

Getting OMA working on our home mail server was easy enough, just a couple of clicks in the Exchange Manager tool, and pointing the phone's browser at the right URI. Then came the harder task, getting Server Sync working. I'd tried in a desultory manner before, but had always fallen short - mainly due to my internal naming scheme being different from the other side of my NATed DSL connection. I could get the phone to sync inside the firewall, but not outside.

The neat bit was realising that I had to set up an internal DNS that would map the external server name to the internal network, so the phone would be able to do a pass-through IP connection on my PC, while still using the same settings in the outside world. That would let me synchronise email while charging the phone over a USB connection. So first I had to learn how to set up a Windows 2000 DNS beyond the basic Active Directory work. Luckily it wasn't much different from my UNIX days at UKOL...

Then I discovered that my SSL certificate was out of date, so I had to revoke it and create a new one. Except of course, I managed to break the Windows CA on my server and had to reinstall it, before I could create any server certificates. As my old root certificate was about to expire, it was easiest to set up my new certificate authority with a 10 year root certificate. With the certificates installed, I then had to tweak the authentication profile of my web server, to make sure that it would support the DAV hack that is Exchange Active Sync.

Oh yes, server-based synchronisation isn't a direct connection to the mail server, it's DAV over SSL to an IIS virtual directory that's hooked up to the guts of the mail server. Still, I was pretty sure that what I'd done was going to work. OMA was still working, after all...

Then it was time to work on the phone. Orange aren't particularly friendly to the SOHO user. Their phones are locked to only support root certificates from a few trusted certificate authorities, like Thawte and Verisign. Getting a site certificate from one of these can be expensive, however the documentation for Exchange Sync says you need to connect over a certified SSL connection. If you're a small business or a home user, this can be prohibitive. Self-certification is the way to go, but you appear to need to install a root certificate onto the phone if you're self-certifying your servers. If only you could get your Orange phone to support your own certificates. If you're a big corporate with a business account, Orange will happily set up all your phones for you. On your own, well it's a different story...

Searching through some of the smartphone community sites, I managed to track down some software that promised to install new root certificates on any Windows Smartphone. Unfortunately Orange's phone locks managed to defeat it. I could completely unlock the phone, but £20 to someone with a PayPal account and no physical address seemed a bit steep for a service that might not work. A bit more googling, and I managed to find that Microsoft had developed a tool (ostensibly for testing secure sites) that allowed you to disable root certificate checking. This worked, and I could connect to my servers without any reports of untrusted certificates from the web browser. It was time to try a server synchronisation.
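The two certificate problems above (a root CA rebuilt with a 10-year root and a fresh server certificate, and a phone that only trusts a handful of public roots) come down to one check: does the server certificate chain to a root the client trusts, and does it carry the name the client connected to? The script below is an added example, not the post's own setup: it uses openssl rather than the Windows CA on the server, and the host name mail.example.org and the scratch directory are placeholders. It builds the 10-year root, issues a server certificate for the external name, and then runs the same verification three ways: with the home root trusted (accepted), with no trusted root at all, which is what the locked phone sees (rejected), and with the right root but an internal name that differs from the certificate, which is the split-DNS problem from earlier in the post (rejected). It also shows why the "disable root certificate checking" tool is a stopgap: with checking off, the second case is accepted too, from any server.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Builds a 10-year self-signed root CA, issues a server certificate for the
# externally visible host name, and checks the chain the way a client would.
# Assumptions: openssl 1.1.0 or later on PATH; the host name mail.example.org
# and the scratch directory are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-mail.example.org}"

# Root CA (10 years, as in the post) plus a server certificate signed by it.
make_ca_and_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Home Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    # The name in the certificate must be the one the phone connects to,
    # from inside or outside, which is why both DNS views resolve it.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
        > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Client that trusts the home root and checks the host name: succeeds.
verify_with_root() {
    openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$HOST" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Client with an empty trust store (the locked phone without the home root
# installed): fails with "unable to get local issuer certificate".
verify_without_root() {
    openssl verify -no-CAfile -no-CApath "$WORK/server.pem" >/dev/null 2>&1
}

# Trusted root but the wrong name (an internal host name that differs from
# the certificate): fails the host name check.
verify_wrong_name() {
    openssl verify -CAfile "$WORK/root.pem" -verify_hostname "internal.local" \
        "$WORK/server.pem" >/dev/null 2>&1
}

make_ca_and_server_cert
verify_with_root && echo "root trusted, name matches: accepted"
verify_without_root || echo "root not trusted: rejected"
verify_wrong_name || echo "name mismatch: rejected"
```

Installing root.pem on the client is what turns the second case into the first; it is the step Orange's lock prevented. Turning checking off instead means every server on the path, not just yours, passes the second check, so it belongs to testing rather than to the phone you carry around.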

A few simple configuration changes in Active Sync, and I was ready to go. I turned on the phone, and began a synchronisation. The phone connected to the server, and the blue progress bar fair stormed across the screen. A few seconds later I was reading my Inbox on the tiny phone screen, without all the hassle of making a slow IMAP connection.

It worked.

And it hadn't taken too long.

Now if only Orange had an email to SMS gateway. Then I could get the push sync working.
  • Current Music
    Peter Gabriel - Plays Live - No self control