Allow ActiveSync for Android through Microsoft’s Web Application Proxy

While moving to Web Application Proxy for our reverse proxy, which is replacing TMG 2010 servers, we had an issue with Android devices connecting to Exchange.

After much playing around I discovered the issue was due to Server Name Indication (SNI). According to Wikipedia:

Server Name Indication (SNI) is an extension to the TLS protocol[1] that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS.

My understanding is that Android supports this, but for some reason it wasn’t working. This was tested with a few devices i.e. Samsung Galaxy Note (Cyanogen and Stock), Samsung Galaxy S3 & S4, & HTC One.

I found this article that explains how to resolve this issue. You simply need to add a binding by running this command:

netsh http add sslcert ipport= certhash=<your certificate's hash> appid={f955c070-e044-456c-ac00-e9e4275b3f04}

This acts as a legacy non-SNI binding. Once this is done you should be able to use Android devices through WAP.


2 thoughts on “Allow ActiveSync for Android through Microsoft’s Web Application Proxy

  1. Greate posting – only 2 questions: what’s the preauthentication on the WAP for AS – ADFS or PassThrough? At the moment I have PassThrough and the SSL-Cert is only installed on the WAP. On the Exchange I have not set the 443-bindings with that cert because it would have an effect on all the client since the cert contains no internal server names. Connecting iOS-Devices via AS works fine, can’t connect Android devices. Any ideas?

    1. You shouldn’t really be using internal names for access at any stage. Microsoft has been recommending against internal domain names like .local for some time now. If you don’t have split-DNS set up I would recommend looking into that.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s