SBS 2011 Standard – iPhone & iPad Exchange Email

EDIT – 28/10/2011 If you just want to know the settings required to connect your iPhone to your SBS Server, look at this post.

I use an iPhone, and I have blogged before on how to use the iPhone Configuration Utility to make deployment of the phones easier for clients.

I didn’t cover the iPhone’s ability to use ‘Autodiscover’ in that post; it didn’t occur to me at the time.

It didn’t occur to me until the other day, and then I set about confirming how it works, and in what scenarios you can use it to auto-configure a client’s phone.

To follow me through this post you will need:

A Small Business Server 2011 Standard (you should have run the ‘Connect to internet’ ‘Set up your address’ ‘add a trusted certificate’ wizard)

An iPhone or iPad

Internet connectivity!

Note: When I say External IP of either SBS Server or Exchange Server, I mean the address you would type if you were going to Remote Web App / Remote Web Workplace, e.g. remote.domain.com = 123.123.123.123 – this applies even if you are using a third party to provide anti-spam or filtering services for your email.

So, from the ‘home’ screen find ‘settings’

Find ‘mail contacts and calendars’..

Choosing Add Account.. we can then choose a Microsoft Exchange Account.

You are then faced with 5 configurable settings.

  1. Email Address (your email address)
  2. Domain (your internal domain name, e.g. sbs.local)
  3. Username (the username you use on your office computer)
  4. Password (the password for your office computer)
  5. Description (a description of this account – i.e. Company Email)

If you fill out these details with the settings relevant to you, you can then click Next. (If you press return, it will automatically attempt the next stage.)

You will see at the top of the screen ‘verifying..’

This is the part that has interested me, and I went to some lengths to find out what the iPhone is actually doing here.

However, if I had used my brain at all I could have guessed that it just follows the same behaviour you can see if you run the ‘Autodiscover’ tests here (at testexchangeconnectivity.com).

The iPhone will use DNS to query for your domain’s ‘default’ record. This is usually represented as an @ in your DNS zone file, but it is not something you are likely to see if you are using a third party to host your DNS. Your default record, like any other record, translates ‘domain.com’ to an IP address.

So for example, if you type http://domain.com into your browser, you MAY end up at your website, but you may end up elsewhere. It depends on the configuration of that record.

Suffice to say, it most likely does NOT point to your Exchange server. That is a problem.

If this query does return an IP address, then the iPhone will attempt the next stage of verification.

If you do not have an @ default record for your domain, which is a valid configuration, then of course that query will fail and the iPhone will fall back to querying for ‘autodiscover.domain.com’.

At the next stage of verification the iPhone will attempt an HTTPS connection to either https://domain.com/autodiscover/autodiscover.xml or https://autodiscover.domain.com/autodiscover/autodiscover.xml

This XML file is located on your Exchange server; you can see it within Windows Explorer.

You can open the file in Notepad if you are interested in seeing the content.

Please note: THIS SHOULD NOT BE EDITED.

You may be presented with a certificate warning if you are using a self-signed certificate, or a single-name certificate that is not for ‘autodiscover.domain.com’.

The iPhone will attempt to log in to the server with the username and password provided. If successful, your iPhone will be auto-configured with your Exchange server’s address.

You can then continue to finish the setup of your account.

If an HTTPS connection fails, then the process is repeated on HTTP.

If any of the above steps fail, or cannot complete, then you will be presented with a new box on your screen, and that will be for ‘Server Address’.

Of course, it’s fine to just enter the address at that stage, but it may be useful for some to know how to get this bit to work.

So to recap – to get the autodiscover feature to work:

  • You must either point your domain’s @ record to your Exchange Server’s public IP address.

Or

  • Delete the @ record from DNS and then set up a new A (host) record for ‘Autodiscover.domain.com’ and point that to your Exchange Server’s public IP address.

I am making no recommendation on which option to choose; however, I personally chose to delete my ‘default’ record and nothing bad has happened.

What other things will prevent a smooth auto-configure? A self-issued or incorrectly named certificate.

Now, most people will know that with an iPhone you can simply ignore invalid certificates, BUT this is an extra prompt, and in the spirit of removing those obstacles for your users you should consider getting a UCC certificate for your SBS Server.

SBS Server will run perfectly well with a single name certificate – in fact it is designed with this in mind.

However, the price difference between a single name certificate and a UCC certificate has come down considerably, so there is now a good case for using a UCC instead. If the iPhone could use the DNS SRV record method for attempting autodiscovery, like Outlook clients can, then we could stick with a single name certificate.
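The lookup order and certificate requirement described in this post, as an added example (not code from the original post): a Python sketch that predicts what the setup screen will do for a given DNS zone and certificate. The function names, the status strings and the example.test names and addresses are assumptions made for illustration, and the model follows this post's description rather than documented iOS behaviour.

```python
import socket

def candidate_hosts(email_domain):
    """Hosts in the order the post describes: bare domain (@), then autodiscover.<domain>."""
    return [email_domain, "autodiscover." + email_domain]

def name_matches(pattern, host):
    """Match one certificate DNS name; a '*' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def predict(email_domain, exchange_ip, resolve, cert_names):
    """Return (host_used, status) for one mail domain.

    resolve(host) returns an IP string or None; cert_names are the DNS
    names present on the certificate bound to the Exchange web site.
    """
    for host in candidate_hosts(email_domain):
        ip = resolve(host)
        if ip is None:
            continue  # no record: the lookup falls through to the next name
        if ip != exchange_ip:
            return host, "wrong-target"  # e.g. @ points at the web host, not Exchange
        if not any(name_matches(n, host) for n in cert_names):
            return host, "cert-warning"  # reaches Exchange, name not on the certificate
        return host, "ok"
    return None, "manual-server-address"  # nothing resolved: user must type the server

def system_resolve(host):
    """Live resolver, for running the check against a real domain."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

if __name__ == "__main__":
    # Constructed zone: @ deleted, autodiscover points at the SBS external IP.
    zone = {"remote.example.test": "203.0.113.10",
            "autodiscover.example.test": "203.0.113.10"}
    for names in (["remote.example.test"],                                # single name
                  ["remote.example.test", "autodiscover.example.test"],   # UCC/SAN
                  ["*.example.test"]):                                    # wildcard
        print(names, predict("example.test", "203.0.113.10", zone.get, names))
```

Pass `system_resolve` instead of `zone.get` to run the same prediction against live DNS for your own domain.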

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

18 Responses to SBS 2011 Standard – iPhone & iPad Exchange Email

  1. lara says:

    Hi, I read through your post and say Thank you!
    I am interested if Office 2010 and actually log in to the SBS 2011 server from an iPad can be accomplished. I keep hearing conflicting answers and am told we need a Citrix server in order to get it to sync with our Company Drive and Office 2010.
    Thanks!
    Lara

    • I am not sure what it is you are asking – could you provide some more information?

    • Raoul says:

      Hi

      Using the standard mail program from an iPad, you can sync with an Exchange server. The setup is the same as with this connection to an iPhone. No VPN is required.

      Also found this post quite useful
      http://simultaneouspancakes.com/Lessons/2010/06/24/connecting-an-iphone-4-to-exchange/

      I found the easiest was to map the Exchange server to a Dyndns address and then use that address as opposed to getting the “remote.smallbizco.net” to work. The autodiscovery can be set up as in the above post by Robert Pearman, but I did not find this a requirement if you use the dyndns address.

      Have not connected company drives via VPN to a company network.

  2. lara says:

    Can the iPad be synced directly with SBS Exchange 2008 and SBS server 2011, the same way it configures with iPhone? And the way it can sync with a VPN and direct access to drives?

    Or is it true you need a Citrix server (or another one) to act as a bridge?
    Thanks

    • The iPad can sync directly with Exchange, 2003, 2007, or 2010. So it can sync with any version of SBS.

      Access to documents is a little trickier, but can be achieved, but potentially you would need to use another App to accomplish that. I’m going to check with someone who has an iPad and comment back a little later.

      • Sorry if I’ve missed a post somewhere, but did you ever come to a conclusion on what is needed to access documents from an iPad to a SBS 2011…..naively referred to me as a VPN sort of access?

  3. Bob says:

    Wow, thank you so much! This is really useful to me.

  4. lara says:

    It is me too; we want to make the transition but the extra servers we keep getting quoted are too much for our non-profit budget.
    Thank you!

  5. Raoul says:

    Great instructions. Thanks
    My Autodiscovery does not work, just like you describe above. Can you expand on your recommendations a bit more? Which is the @ record in the DNS setup?

    And can I assign the ‘Autodiscover.domain.com’ to a dynamic dyndns ‘compnay.dyndns.org’ record?

    • The @ record is just the record that resolves your domain name. Not a sub domain. When you view a zone file any record that is empty is usually shown as an @ sign.

      (an example zone file)
      ; A Records
      remote 1800 IN A 123.123.123.123
      @ 3600 IN A 12.34.56.78

      So in this example, remote is a sub domain record for sbsessentials.co.uk (remote.sbsessentials.co.uk) and resolves to the given IP.

      The record shown as an @ sign is just for sbsessentials.co.uk – so if I were to go to sbsessentials.co.uk by ping, or through a web browser it would direct me to the given IP address.

      I am not sure if the AutoDiscover service will work with a CNAME record, I guess it should.

      • Raoul says:

        The Cname record did resolve to the dynamic DNS “company.dyndns.org”.

        Thanks for the expansion on the theme.

        My ITouch connects and fills in the server “remote.company.com” but I still get the “Unable to verify account information”.

        Any ideas?

      • Usually that is down to a username or password issue.

  6. Brandy says:

    Do you know if you can access Public Exchange folders from an iPhone?

  7. Dan says:

    Hi Robert–I’ve really found your blog helpful. Thank you for sharing your expertise.

    One thing I don’t think anyone has made sufficiently clear (at least for my pea brain) is what exactly is necessary to prevent the:

    1. Cannot verify server identity popup
    2. Step where the end user must manually enter the server name

    I think that #1 and #2 are essentially the same thing, but I ask separately just in case they aren’t. I’m in the process of setting up an SBS 2011 Standard site with about 20 iPhones for exchange connectivity. Granted it’s a small deployment, and it is not the end of the world to instruct users past the prompt and give them the server name to input.

    But in my perfectionist mind it should not be necessary. The whole point of autodiscover is that it’s supposed to remove the need for the end user to know and need to enter anything other than his/her own domain username and password.

    As such I’ve been scouring the net to see what I need to eliminate this pesky part of the process. I’ve seen posts from SBS people swearing that all you need is a single server cert from a trusted authority for SBS–and actively trying to steer them away from UCC or wildcard certs. And I know that’s well-intentioned advice. With a SRV record Outlook Anywhere (at least in the most recent versions of Outlook) can autoconfigure properly in such a case. But what I think I’ve gathered from your post is that the SRV record is useless for iOS devices. As a result, the iPhone, since it can’t trust autodiscover.domain.com (even though it’s redirected properly) will throw up the error and then require manual entry of the server name.

    So is the only answer to this a trusted UCC/SAN or wildcard certificate? I am fully willing to go that route, despite the added costs (and it looks like maybe some additional configuration required to use such a cert on SBS). So, is a UCC or wildcard certificate that will verify autodiscover.domain.com as trusted the only way to avoid the message and requirement to manually enter the server name?

    Sorry for the long message, and thank you again for providing so much useful info on your blog. I bet there are a few other perfectionists like me out there that are willing to put in some money and effort to see autodiscover work properly on iOS devices.

  8. Dan says:

    OK in reading again I think maybe I understand now.

    To solve #1 requires a UC/SAN or wildcard certificate–something that will allow a trusted SSL connection to autodiscover.domain.com

    To solve #2 merely requires one of the two options you presented in red above–either a default record or an A record for autodiscover.domain.com that points to your exchange server’s public IP.

    Maybe you could affirm if I’m correct in these assumptions–and that a UC/SAN or wildcard certificate is indeed the only solution to remove that prompt.

    I guess there’s also hope that Apple will improve its activesync component to be able to use the SRV record method… but probably not in the time frame I’m looking at.

    Thanks again!

    • Yes, I believe you are correct.

      Because the iPhone does not make use of SRV records, it will attempt an HTTPS connection to autodiscover.domain.com.

      So you will need a UCC/SAN Cert that matches.

      However you may find that still does not work if the iPhone does not read the SAN cert correctly to look for alternate names.

      • Dan says:

        Thanks for the quick answer, Robert. That’s a good point that there’s no guarantee the iPhone will understand a SAN cert. Maybe it would be best to just do a wildcard cert in that case.

        If anyone has any experience using a wildcard cert on Exchange 2010 (or 2007) I’d be interested to know your results.
