0

We are doing a complete server and infrastructure update with a migration from Exchange 2007 to 2010. Along with the server upgrade we're doing a migration from an old antiquated 192.0.2.x internal Class C to 10.x.x.x internal Class A. At this time my Exchange server is at 10.0.1.5 and my wireless and VPN are still issuing 192.0.2.x IPs. All of my Outlook and Droid users are being routed properly from 192.0.2.x to 10.0.1.x, connecting to the Exchange server no problem. My iPhones (running iOS 6.1.3) on the other hand just will not connect. No matter what I try to change in settings, whether on wireless or through the VPN, I keep getting "Connection to the server has failed." Also when setting the server (IP or DNS) I get a "Cannot verify server, do you want to continue." I've tried SSL on and off. I've tried domain\username and just username. I've double-checked the password multiple times. I've tried IP address and DNS name for the server. Nothing seems to work.

Does the iPhone have problems crossing subnets even if they're routed properly? Does v6.1.3 have problems with ActiveSync? Anything?

Thanks

EDIT: I've tested the iPhones on wireless and through the VPN to the Exchange server's OWA in Safari. That works perfectly all around.

-Craig

Albion
  • Since when are IP addresses "antiquated"? – GregD Jul 29 '13 at 14:52
  • It's antiquated to my network. It was added to an AIX box 20 years ago before there was ethernet on site. When ethernet was added, the Windows guys used the class c so they wouldn't have to muck around with the AIX accounting server. Now that I am here I am changing it. – Albion Jul 29 '13 at 15:41
  • Since when do people still use classes with IP addressing? Calling this "class A/B/C" is more antiquated than the addressing scheme. – Rex Jul 29 '13 at 15:42
  • Are we really arguing semantics here? – Albion Jul 29 '13 at 15:45
  • Yes.. I am :) On a more related note - did you change certificates during all this? – Rex Jul 29 '13 at 15:59
  • The problem was in the permissions, see my answer below. – Albion Jul 29 '13 at 16:44

2 Answers

2

Your "antiquated" "internal" IP addresses are not in the block set aside for use in private networks (192.168.0.0/16). They are in TEST-NET-1 (192.0.2.0/24), which IANA specifically say SHOULD be non-routeable and filtered:

This block is reserved for use in documentation.

Network operators SHOULD add these address blocks to the list of non-routeable address spaces, and if packet filters are deployed, then this address block SHOULD be added to packet filters. This block is not for local use, and the filters may be used in both local and public contexts.

If you're hitting a correctly-configured router or packet filter anywhere in your route between your iPhone and your Exchange server then you have no hope of getting this working.

My suggestion would be to abandon trying to fix this and accelerate your process of moving out of the reserved address space.

Colin Pickard
  • My router is routing packets between the two subnets just fine. I've read and understand the IANA specifications. It's the reason for my conversion. But it's impossible at this time to speed up the conversion without heavy downtime. As I mentioned in my edit above I can get to OWA on the exchange server from Safari. The only thing that seems to be malfunctioning is Active Sync. – Albion Jul 29 '13 at 15:39
  • FWIW, the iPhone users in my company have no problem with our Exchange 2010, and we did nothing special in our setup. I don't believe there's anything fundamentally wrong with the "iPhone <-> Exchange 2010" pairing. – Colin Pickard Jul 29 '13 at 15:56
-1

I fixed this by inheriting permissions on the user account in Active Directory.

  1. Open ADU&C on a domain controller.
  2. Right-click the user -> Properties.
  3. Click the Security tab.
  4. Click Advanced.
  5. Check "Include inheritable permissions from this object's parent".
  6. Click OK.
  7. Click OK.
  8. Delete and re-add the Exchange account on the iPhone.
Albion
  • This fixes issues creating a device partnership with an admin or otherwise privileged account. You should be using a separate admin account from your regular use mailbox. – Jeremy Lyons Jul 29 '13 at 18:35
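
The same inheritance check from the second answer can be run across every mailbox user at once. The script below is an added example, not part of the original answers; it assumes the RSAT ActiveDirectory module is installed, and the `-SearchBase` and `-Repair` parameter names are this example's own.

```powershell
# Added example: list mailbox-enabled users whose AD object has ACL inheritance
# disabled (the condition the answer fixes by hand in ADU&C), and optionally
# re-enable it. Run from a host with the RSAT ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,   # optional OU distinguished name to limit the search
    [switch]$Repair        # without this switch the script only reports
)

Import-Module ActiveDirectory

$query = @{
    # msExchMailboxGuid is populated only on mailbox-enabled accounts
    LDAPFilter = '(&(objectCategory=person)(objectClass=user)(msExchMailboxGuid=*))'
    Properties = 'nTSecurityDescriptor', 'adminCount'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

# AreAccessRulesProtected is $true when the "Include inheritable permissions"
# box is unchecked on the object.
$blocked = @(Get-ADUser @query |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected })

# adminCount = 1 marks accounts that are, or once were, in a protected group.
$blocked | Select-Object SamAccountName,
    @{ Name = 'AdminCount'; Expression = { $_.adminCount } },
    DistinguishedName

if ($Repair) {
    foreach ($user in $blocked) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Enable ACL inheritance')) {
            $path = "AD:\$($user.DistinguishedName)"
            $acl  = Get-Acl -Path $path
            # First argument $false turns inheritance back on; the second
            # argument is ignored in that case.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}
```

Run it with `-Repair -WhatIf` first to see which accounts would change. For accounts that are still members of a protected group, the AdminSDHolder process disables inheritance again on its next pass, which is why the comment above recommends keeping the mailbox on a separate, non-privileged account.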