Introduction to Exchange Server 2010 ActiveSync

Exchange ActiveSync is Microsoft’s solution for enabling mobile devices such as smart phones to securely access their email, calendar, contacts and tasks from remote networks.

Exchange ActiveSync is a feature of Exchange Server 2010 that is installed by default when you install the Client Access server role.

This is one of the greatest strengths of Exchange ActiveSync: it is a built-in feature of Exchange that does not require additional licenses, servers, or software products to be installed in your network or on the end user devices.

This is very attractive for smaller organizations who want the convenience of mobile email access for their staff without having to incur significant additional costs.

With Exchange ActiveSync businesses get the benefits of:

  • Secure mobile access to email, calendar, contacts and tasks
  • Support for a wide range of consumer smart phones and devices, keeping costs down by allowing users to utilize their own personal mobile devices
  • Policy-based control over devices and data, including features such as remote wipe

Here are some more details about the features of ActiveSync in Exchange Server 2010.


Direct Push

Direct Push is an attractive feature for mobile users because it allows a device to be updated instantly when new content is ready to be synchronized.

Although the name “Direct Push” suggests that the server initiates a connection when new content is available, it is the mobile device itself that makes the initial HTTPS request, which it holds open with a long timeout period of 15 minutes.

Exchange 2010 ActiveSync Direct Push

If the mailbox receives a new item, the server responds to the HTTPS request. If the 15-minute timeout lapses, the device simply opens a new HTTPS request and the process repeats.


AutoDiscover

Similar to the way AutoDiscover allows an Outlook profile to be automatically configured for a new mailbox user, it also simplifies the configuration of a new mobile device for connectivity to a user’s mailbox.

This helps reduce administrative effort and costs by allowing a user to set up their mobile device to receive email simply by entering their email address and password.

ActiveSync Mailbox Policies

Exchange ActiveSync mailbox policies allow administrators to configure the same features and security settings to apply to each group of users.

Exchange 2010 ActiveSync Policies

This includes settings such as whether email attachments can be downloaded to devices, whether devices require a password to unlock them, and how many days’ worth of mailbox content to keep synchronized on the device.
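As an added example (not part of the original article), the three settings named above correspond to parameters of the Exchange 2010 `New-ActiveSyncMailboxPolicy` cmdlet, and a policy is attached to a mailbox with `Set-CASMailbox`. The policy name, group name and every setting value below are assumptions chosen for illustration; run it in the Exchange Management Shell.

```powershell
# Added example: names and values are illustrative assumptions, not recommendations
# from the article.
$policyName = 'Mobile - Standard Staff'   # hypothetical policy name
$groupName  = 'Mobile Users'              # hypothetical distribution group

# Create the policy only if one with this name does not already exist.
$existing = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $existing) {
    # AttachmentsEnabled    : whether attachments can be downloaded to the device
    # DevicePasswordEnabled : whether the device needs a password to unlock it
    # MaxEmailAgeFilter     : how much mail is kept synchronized on the device
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -AttachmentsEnabled $false `
        -DevicePasswordEnabled $true `
        -MinDevicePasswordLength 6 `
        -MaxInactivityTimeDeviceLock '00:05:00' `
        -MaxDevicePasswordFailedAttempts 8 `
        -MaxEmailAgeFilter OneWeek `
        -AllowNonProvisionableDevices $false
}

# Apply the policy to every mailbox user in the group. A mailbox has exactly one
# ActiveSync mailbox policy, so this replaces whatever policy was assigned before.
Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.DistinguishedName -ActiveSyncMailboxPolicy $policyName
    }

# Confirm the settings that were actually stored on the policy.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, AttachmentsEnabled, DevicePasswordEnabled, MaxEmailAgeFilter

# Audit: list mailboxes that have a device partnership together with the policy
# each one is using, so mailboxes still on another policy stand out.
Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    Sort-Object ActiveSyncMailboxPolicy |
    Format-Table Name, ActiveSyncMailboxPolicy, ActiveSyncMailboxPolicyIsDefaulted -AutoSize
```

With `-AllowNonProvisionableDevices $false`, devices that cannot enforce the policy settings are not allowed to synchronize, so check the audit output before applying the policy to a large group.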


  1. Carol Ostos says

    Got a question about autodiscover name on multiple SAN certs, we have one Exchange org, one forest, multiple child domains. Exchange 2010 will be installed in two separate child domains (let’s say regions APAC and North America).

    I was planning on requesting a cert from our Internal CA, apply that cert to our CAS Servers and then get a third party cert, install it on the TMG Server and make TMG trust our internal CA (cert).

    It’s my understanding that internal clients on the trusted LAN would all use SCP to resolve autodiscover & use the internal url (FQDN of the CAS) and for external clients such as iphones or android autodiscover would be needed on external DNS.

    What would be your suggestion to have APAC activesync users to go to APAC Exchange Servers and US activesync users to go to the NA Exchange Servers? I have been reading that maybe SRV records could be a suggestion but thought checking with you guys, in case you have seen a similar scenario.

    Thanks so much in advance!

  2. Pete says

    Hey Paul,
    What about the issue where ActiveSync devices continue to sync for several hours after a password change or the account is disabled. I find it very odd that Microsoft hasn’t provided a better solution other than restart IIS. For terminating employees this could cause a problem.

    Any recommendations to help without taking down services for everyone?
    I have seen the following suggestions:
    Moving mailbox after account is disabled/password change
    Disable OWA and Active Sync for the user
    Disable the mailbox from the user

    • says

      No better solution I’m afraid. But consider that if the matter is serious enough that you’re trying to lock someone out of EAS, then an IIS reset may be worth it.

  3. Carol Matthews says

    Hi Paul,

    I’m wanting to use this, but am getting a bit confused about how to configure it. I have SBS 2008 and I think currently that my server is only configured as a local server not on the web. I have tried previously to get OWA working but again that only works locally not outside. I am also having the same issue with Activesync in that when I try and configure my iphone it does not recognise my server name, again is this because it is only configured locally. If that’s the case how do I configure the SBS server so that it is recognised outside my company.


    Dear Paul,

    Is there any way to allow opening of attachments while at the same time blocking the downloading of the attachment on mobile using an ActiveSync policy? Or any other way?

    In Mobile Device, (We have Exchange 2010 Org, all are Exchange servers but no Edge)
    1. Need to allow users to open attachments.
    2. Need to block users from downloading the attachment.

  5. Tim says

    Hi Paul,

    Thanks for sharing a concise overview of Exchange 2010 Activesync.

    Have a basic query, if I as an administrator create a policy that prevents viewing/downloading of attachments.

    Can end users still bypass the same to succeed in accessing the attachments via some third party apps available in smartphone marketplaces, such as Google Play, etc.?

  6. Keith says

    If you wanted to have two ActiveSync servers — one for iPhones and another for MDM clients which use Certificate Based Authentication – would that be possible without convoluting the external namespace/internal namespace?

    The MDM clients would use CAS1 (example) from both the inside network and outside network, using the URL

    The iPhones would use CAS2 with the current URL

    Would that work?

    • says

      I suppose you could run one namespace (the one configured in Exchange) for iPhones that autodiscover their config, and then have the MDM use a different external namespace (because the MDM app itself pushes out the client config via policies).

      But I don’t see the need to use separate servers. The ActiveSync virtual directory can be configured to accept certificates without actually requiring them.
