Exchange Active Sync Direct Push fails when published through ISA Server 2006

This post is about a case where Windows Mobile devices had problems after enabling the Exchange ActiveSync Direct Push feature. On the device we were receiving the error 0x80072eff. This error means:


err 0x80072eff

# anonymous HRESULT: Severity: FAILURE (1), Facility 0x7, Code 0x2eff

# for hex 0x2eff / decimal 12031

  ERROR_INTERNET_CONNECTION_RESET                                inetmsg.h

  ERROR_INTERNET_CONNECTION_RESET                                wininet.h


To illustrate the scenario and the troubleshooting path I followed, see the diagram below:


Figure 1 – Network Diagram and tests that were performed


To perform those tests I used the Windows Mobile 6.1 Professional Emulator installed on a laptop, which gave us the flexibility to connect the laptop to each network segment. Each scenario in the diagram above has a specific result, as shown below:

· Scenario 1 – Direct Push fails.
· Scenario 2 – Direct Push fails.
· Scenario 3 – Direct Push works.
· Scenario 4 – Direct Push works.
· Scenario 5 – Direct Push works.


This pretty much narrows the problem down to either the first hardware firewall or the Internet border router. To see where the issue was located we captured Netmon traces on the ISA Server (on both the internal and the external interface, as shown in Figure 1) and on the Exchange Server. The result was quite interesting, since all the communication went through just fine all the way from the external mobile device to Exchange.


The only notable item was found in trace 1 (ISA external NIC), where the following packet was sent from the hardware firewall to ISA:


HardFirewall      ISAServer   TCP    TCP:Flags=.....R.., SrcPort=49985, DstPort=HTTPS(443), PayloadLen=0, Seq=2504173114, Ack=0, Win=0


A TCP Reset sent from the hardware firewall to the ISA Server was tearing the connection down during synchronization. To resolve this problem we implemented the following recommendation on the border hardware firewall (the one in front of ISA Server):


Enterprise firewall configuration for Exchange ActiveSync Direct Push Technology
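Direct Push keeps an HTTPS connection idle for the length of the heartbeat interval, so a firewall whose idle session timeout is shorter than that interval resets the session, and the reset shows up in a trace exactly as above: a RST with Ack=0 and Win=0 from a host that never took part in the handshake. As an added example (not part of the original post), the Python below parses Netmon-style summary lines like the one quoted and reports every reset on port 443 together with how long the session had been idle, which is the number to compare against the firewall's timeout. The trace lines, host names, sequence numbers and the 601-second gap are constructed for the example.

```python
"""Spot firewall-injected TCP resets in a Netmon summary trace.

Added example, not code from the original post. The sample lines are
constructed to mimic the Netmon 3 description column quoted in the post
(flag order C E U A P R S F); hosts, ports and timings are made up.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed Netmon-style lines: "<time_offset> <src> <dst> TCP <description>"
SAMPLE_TRACE = """\
0.000 MobileDevice ISAServer TCP TCP:Flags=......S., SrcPort=49985, DstPort=HTTPS(443), PayloadLen=0, Seq=2504173000, Ack=0, Win=65535
0.050 ISAServer MobileDevice TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=49985, PayloadLen=0, Seq=881200000, Ack=2504173001, Win=16384
0.100 MobileDevice ISAServer TCP TCP:Flags=...A...., SrcPort=49985, DstPort=HTTPS(443), PayloadLen=0, Seq=2504173001, Ack=881200001, Win=65535
0.200 MobileDevice ISAServer TCP TCP:Flags=...AP..., SrcPort=49985, DstPort=HTTPS(443), PayloadLen=113, Seq=2504173001, Ack=881200001, Win=65535
0.250 ISAServer MobileDevice TCP TCP:Flags=...A...., SrcPort=HTTPS(443), DstPort=49985, PayloadLen=0, Seq=881200001, Ack=2504173114, Win=16384
601.300 HardFirewall ISAServer TCP TCP:Flags=.....R.., SrcPort=49985, DstPort=HTTPS(443), PayloadLen=0, Seq=2504173114, Ack=0, Win=0
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"TCP:Flags=(?P<flags>[CEUAPRSF.]{8}),\s*SrcPort=(?P<sport>[^,]+),\s*"
    r"DstPort=(?P<dport>[^,]+),\s*PayloadLen=(?P<plen>\d+),\s*"
    r"Seq=(?P<seq>\d+),\s*Ack=(?P<ack>\d+),\s*Win=(?P<win>\d+)"
)
PORT_RE = re.compile(r"\((\d+)\)")


def port_number(field: str) -> int:
    """Netmon prints well-known ports as NAME(n); bare numbers stay as-is."""
    m = PORT_RE.search(field)
    return int(m.group(1)) if m else int(field)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one summary line; returns None for lines that are not TCP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "t": float(d["t"]), "src": d["src"], "dst": d["dst"],
        "rst": "R" in d["flags"], "sport": port_number(d["sport"]),
        "dport": port_number(d["dport"]), "plen": int(d["plen"]),
        "ack": int(d["ack"]), "win": int(d["win"]),
    }


def find_injected_resets(trace: str, port: int = 443) -> List[Dict]:
    """Return every RST on `port` with the idle time before it and a verdict.

    A RST carrying Ack=0 and Win=0 from a host that sent no other segment
    in the session is the signature of a middlebox that expired the session
    rather than of either endpoint closing it.
    """
    last_activity: Dict[int, float] = {}        # client port -> time of last non-RST segment
    endpoints = defaultdict(set)                # client port -> hosts seen sending data/handshake
    findings = []
    for raw in trace.splitlines():
        p = parse_line(raw)
        if p is None:
            continue
        key = p["sport"] if p["dport"] == port else p["dport"]
        if p["rst"]:
            idle = p["t"] - last_activity.get(key, p["t"])
            findings.append({
                "client_port": key,
                "from": p["src"],
                "idle_seconds": round(idle, 3),
                "suspicious": p["ack"] == 0 and p["win"] == 0
                              and p["src"] not in endpoints[key],
            })
        else:
            last_activity[key] = p["t"]
            endpoints[key].add(p["src"])
    return findings


if __name__ == "__main__":
    for f in find_injected_resets(SAMPLE_TRACE):
        print(f)
```

On the constructed trace the only finding is the reset from HardFirewall on client port 49985 after roughly 601 seconds of silence, flagged as suspicious. In a real capture, an idle time that clusters just above a round number (5, 10, 15 minutes) across many sessions points at a session timeout on the device that sent the RST rather than at the ActiveSync endpoints.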


Well, one more ISA Server in sandwich mode that caused days of troubleshooting, and ISA Server was only a victim. Talking about ISA Server in sandwich mode: in my previous post (see below) ISA Server was also in sandwich mode, and that was the justification for opening all ports, since they had a hardware firewall in front to protect them. Please DO NOT follow this example and create such a rule, or you will be owned, as Shinder said in his post :)