Azure Application Proxy

To proxy or not to proxy??

​

While on assignment at a client I was working through an issue where mobile devices using ActiveSync would stop receiving push notifications from the Exchange server, a reboot of the mobile device would fix the issue and mail would flow again. 

​

But why?

​

Let’s find out.

​

Step 1 check the Exchange server logs to see if there is anything out of the ordinary, in this case I did see ActiveSync warnings indicating that: Event Id 1040

​

"The average of the most recent heartbeat intervals [320] for request [Ping] used by clients is less than or equal to [540].

​

“Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.”

​

Yes this confirms what I am seeing in the field on the mobile devices.

​

Step 2:  Ask the network team to inspect the firewalls for connections that are closed by the firewall and to make sure the timeout values match the settings on the Exchange server.  Check.

​

Step 3: Trace the urls that Exchange uses for service entry, in this case the ActiveSync URL was using the parent URL for the Exchange Server.   Upon further investigation and tracing the URL in question was sitting behind an Azure Application Proxy, ah ha!  Another server to check.

​

Step 4: Log into Azure and find the app proxy servers that are servicing the Exchange Application group.  Upon logging on I was able to find that the app proxies where complaining of connections being left open by ActiveSync clients.  Note: By default the app proxy connector limits idle connections to 85 seconds with a high limit setting of 180 seconds, nowhere near long enough for the ActiveSync protocol.  ActiveSync can keep an HTTP heartbeat connection open for 900 seconds to help save battery life of the mobile device.

​

How to fix this issue now we know the problem?

​

Utilize a URL for ActiveSync that is not part of the Application Proxy group servicing the other components of the on premise Exchange Servers.

​

Once I reconfigured Exchange to utilize a new URL and then pushed the update, the mobile devices were responding directly to exchange and working as expected, no more mail delays or spinning wheels for ActiveSync clients.

​

In closing the Azure App Proxies are a great tool for securing applications in your on premise environment, but one must work within the protocol limits to achieve customer satisfaction.

​

-Joseph Noga, CTO, of  Komodo Cloud