Nowadays there are so many active sync enabled applications which end users can  download, install on their mobile devices and access emails .

In this article lets have a look at some troubleshooting guidelines that we can perform to block users trying to access the emails from their mobile device through any third party active sync enabled application.

 

How to find the Active Sync connections coming from different mobile applications ?

You can  filter and see the active-sync requests in the reverse-proxy/firewall. There should be a reverse proxy that sits in front of exchange for auth purposes.

This is the best way and you can find them easily.

To find the users who are using any app to access emails via active-sync  perform the following :-

  1. 1) Filter the active sync requests in your firewall or reverse proxy accordingly and start the query.
  2. 2) Usually in most of the firewall and reverse proxy it will show you the source,destination and the request after the filter.

You need to concentrate on the request alone

Below is an example of normal active sync request

POST http://domain.com/Microsoft-Server-ActiveSync?User=userID&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cm 

If the user device is connected through any application  Eg: cloudmagic you can see the word “cloud magic” in the request URL. By this way you can identify the users . It should be easy.

POST http://domain.com/Microsoft-Server-ActiveSync?User=userID&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cm=CloudMagic 

Also you can use the exchange commands query string parameter and filter device access rule.This will help you to identify what type of devices are connecting .Use the below command to see the type of the connections through Active-sync

Get-ActivesyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, Accesslevel -AutoSize

Note: 

You will get any output of the above only if you have created any device access rule for the same.

In the Query String parameter you can see the type of the software that the active sync is used for connecting.

There is one more method to identify the type of devices that connect through active-sync from the IIS logs

Just an example below of how the log entry shows for the android device type.

POST http://domain.com/Microsoft-Server-ActiveSync?

default.eascmd=sync&deviceID=5a5d4d5fg8755gf5gh5g&DeviceType=Andriod 

Now how do we block all these types of connections and allow only Native client ?

Few points which will definitely help in address these kind of issues:

1. New device access rule

Create a new device access rule and block the applications through which end users should not connect through

In my example i have created a new device access rule to stop the connections coming from cloudmagic application.

New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceType -QueryString “CloudMagic”

2. Web.config file

Add a query string value in the web.config file to stop the connection from specific applications

Edit the web.config file on the mailbox server and add the below string to block the users accessing the emails through application in my case its cloud-magic

<denyStrings>

     <add string=”CloudMagic” />

</denyStrings>

do an iisreset after this

Note: Make sure that you take a backup of the web.config file before making this change.

3. Firewall rule

Also additionally create a rule in the firewall,reverse proxy stating that any active-sync requests that come with the url “cloud magic” drop the connection and do not proceed.

After performing the above log into your  reverse proxy perform a filter and see if this query type with cloud magic is getting blocked(definitely it should be).