Customize Exchange ActiveSync Settings for Virtual Directories

As has been the case with recent versions of Exchange Server, ActiveSync is based on the use of Internet Information Server virtual directories. And like any virtual directory, you can customize some settings. Before doing so, it is important to understand a major architectural change Microsoft made in Exchange Server 2013 that could affect virtual directory settings.

In previous versions of Exchange Server, ActiveSync was linked to the Client Access server role. Essentially, a Client Access server is a web server that contains a series of Exchange-specific virtual directories. One of these virtual directories provides ActiveSync functionality.

In Exchange Server 2013, Microsoft divided the ActiveSync functionality between the Mailbox server role and the Client Access server role. ActiveSync is still implemented through the use of virtual directories, but this change means that Client Access servers and Mailbox servers each have ActiveSync virtual directories. As such, ActiveSync-related tasks are split between the two server roles.

The key to customizing ActiveSync related virtual directories in Exchange Server 2013 is knowing which settings correspond to the Mailbox server role and which settings correspond to the Client Access server role. You should also know how to use the Exchange Management Shell to make changes.

Microsoft provides a list of ActiveSync settings specific to each server role. Specific settings for the Client Access server role include:

  • BadItemReportingActivated
  • BasicAuthEnabled
  • ClientCertAuth
  • Compression Enabled
  • External authentication methods
  • External url
  • Internal authentication methods
  • MobileClientCertificateAuthorityURL
  • MobileClientCertificatProvisioningEnabled
  • MobileClientCertTemplateName
  • RemoteDocumentsActionForUnknownServers
  • RemoteDocumentsAllowedServers
  • RemoteDocumentsBlockedServers
  • RemoteDocumentsInternalDomainSuffixList
  • Send the Watson report

These ActiveSync virtual directory settings exist on Client Access and Mailbox servers:

  • ApplicationRoot
  • AppPoolID
  • Metabase path
  • Last name
  • Path
  • ProxySubVdir
  • Virtual directory name
  • Website name

While it is handy to have a list of parameter names, it will not help unless you know how to view and change the parameters. Some of these settings are accessible through IIS Manager, but it is generally easier to use the Exchange Management Shell.

Working with the parameters requires that you know the names of the server and the virtual directory. You can retrieve this information by entering the Get-ActiveSyncVirtualDirectory cmdlet. The cmdlet returns the name of the virtual directory, the name of the server, and the internal URL that the virtual directory uses.

the Get-ActiveSyncVirtualDirectory Sometimes the cmdlet can cut off the name of the virtual directory. If you find that the information you need is cut off, use this command instead:

Get-ActiveSyncVirtualDirectory | Selection object name, server, internal URL | Florida

You can use this same basic technique to retrieve the current state of any of the settings listed earlier. For example, if you want to determine if Basic authentication is enabled, you can use the following command:

Get-ActiveSyncVirtualDirectory | Object name Select, Server, BasicAuthEnabled | Florida

If Basic authentication is enabled for the virtual directory, Exchange returns true (see Figure 1).

You can add the parameter name of an ActiveSync virtual directory to the Select-Object section of the command listed above.

But what if you want to turn off Basic authentication? You will need to specify the identity of the virtual directory. To do this, use the Set-ActiveSyncVirtualDirectory cmdlet instead of Get-ActiveSyncVirtualDirectory cmdlet. The command looks like this:

Set-ActiveSyncVirtualDirectory –Identity ““–BasicAuthEnabled; $ False

disable basic authentication

You would replace by the name of your server and by the name of your virtual directory. You can also use this command to disable Basic authentication on a lab server (see Figure 2).

After handling an ActiveSync parameter in this way, use the Get-ActiveSyncVirtualDirectory cmdlet to verify that the new setting was applied correctly.

It is relatively easy to apply changes to the settings of the ActiveSync virtual directory. The key is knowing which PowerShell commands to use and what settings each server role contains. If you try to manipulate a setting on the wrong server role, you will receive an error message stating that the property is “read-only”.

About the Author:
Brien Posey is an eight-time Microsoft MVP for his work with Windows Server, IIS, Exchange Server, and file system storage technologies. Brien was CIO for a national chain of hospitals and healthcare facilities, and was formerly responsible for IT operations at Fort Knox. He has also served as a network administrator for some of the largest insurance companies in the country.

Comments are closed.