Using an iPhone for e-mail with Exchange Server

Whilst I’m not trying to suggest that the Apple iPhone is intended for business users (I’d suggest that it’s more of a consumer device and that businesses are wedded to their Blackberries or, more sensibly in my opinion, Windows Mobile devices) it does seem to me that there’s been a lot of talk about how it can’t work with Microsoft Exchange Server – either blaming Apple for not supporting the de facto standard server for corporate e-mail or Microsoft for not being open enough. Well, I’d like to set the record straight – the iPhone does work with Exchange Server (and doesn’t even need the latest version).

My mail server is running Microsoft Exchange Server 2003 SP2 and has nothing unusual about its configuration. I have a relatively small number of users on the server, so have a single server for secure Outlook Web Access (OWA, via HTTPS) and Outlook Mobile Access (OMA, via HTTP) and mailbox access (MAPI-RPC for Outlook, IMAP for Apple Mail, WebDAV via OWA for Entourage). I have also enabled HTTP-RPC access (as described by Daniel Petri and Justin Fielding) so that I can use a full Outlook client from outside the firewall.

It’s the IMAP access that’s the critical component of the connection as, whichever configuration is employed, the iPhone uses IMAP for communication with Exchange Server and so two configuration items must be in place:

  • The server must have the IMAP service started.
  • The user’s mailbox must be enabled for IMAP access.

Many organisations will not allow IMAP access to servers, either due to the load that POP/IMAP access places on the server or for reasons of security (IMAP can be secured using SSL, as I have done – Eriq Neale has written a step by step guide on how to do this for Windows Small Business Server 2003 and the process is identical for Exchange Server 2003).

In addition, firewalls must allow access to the Exchange server on the appropriate TCP ports – IMAP defaults to port 143; however secure IMAP uses TCP port 993. SMTP access will also be required (typically on TCP port 25 or 587). You can confirm that the ports are open using telnet servername portnumber.

Note that even if the connection between the iPhone and Exchange Server is secure, there are no real device access controls (or remote wipe capabilities) for an iPhone. Eriq Neale also makes the point that e-mail is generally transmitted across the Internet in the clear and so is not a secure method of communication; however it is worth protecting login credentials (if nothing else) by securing the IMAP connection with SSL.
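The check below is an added example, not part of the original post: it goes one step beyond the telnet port test by reading what the IMAP service advertises on port 143 and flagging any way a password could travel unencrypted, then confirming that port 993 completes an SSL/TLS handshake with a certificate the client trusts. The function names (assess_capabilities, probe) and the two sample CAPABILITY lines are constructed for illustration.

```python
import imaplib
import ssl

# Constructed sample CAPABILITY lines (not captured from a real server).
SAMPLE_PLAINTEXT_OK = "* CAPABILITY IMAP4 IMAP4rev1 IDLE LITERAL+ AUTH=NTLM"
SAMPLE_HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"


def assess_capabilities(line, tls_active):
    """List ways credentials could cross the wire unencrypted."""
    if tls_active:
        return []  # e.g. port 993: the whole session is inside SSL/TLS
    caps = {c.upper() for c in line.split()[2:]}  # drop "* CAPABILITY"
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN allowed without TLS: password sent in clear")
    if "AUTH=PLAIN" in caps:
        findings.append("AUTH=PLAIN offered without TLS")
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: client cannot upgrade this port")
    return findings


def probe(host, timeout=5):
    """Live check of TCP 143 and 993 on a server you administer."""
    results = {}
    try:
        conn = imaplib.IMAP4(host, 143, timeout=timeout)
        line = "* CAPABILITY " + " ".join(conn.capabilities)
        results[143] = assess_capabilities(line, tls_active=False)
        conn.logout()
    except (OSError, imaplib.IMAP4.error) as exc:
        # Unreachable is the desired result if only 993 is published.
        results[143] = ["not reachable: %s" % exc]
    try:
        # Default context verifies the certificate chain and host name.
        ctx = ssl.create_default_context()
        conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ctx, timeout=timeout)
        results[993] = []
        conn.logout()
    except (OSError, imaplib.IMAP4.error) as exc:
        results[993] = ["TLS connection failed: %s" % exc]
    return results


if __name__ == "__main__":
    for sample in (SAMPLE_PLAINTEXT_OK, SAMPLE_HARDENED):
        print(sample, "->", assess_capabilities(sample, tls_active=False))
```

A certificate issued by a private certificate server will fail the port 993 check until its root is trusted by the machine running the script, which mirrors what a phone without that root installed would see.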

Interestingly, the iPhone has two mail account setup options that could work with Exchange Server and experiences on the ‘net seem to be varied. IMAP should work for any IMAP server; however there is also an Exchange option, which didn’t seem to work for me until I had HTTP-RPC access properly configured on the server. That fits with the iPhone Topic article on connecting the iPhone to Exchange, which indicates that both OWA (WebDAV) and HTTP-RPC are required (these would not be necessary for pure IMAP access).

The final settings on my iPhone are:

Settings – Mail – Accounts – accountname

Exchange Account Information
  • Name: displayname
  • Address: username@domainname.tld
  • Description: e.g. Work e-mail

Incoming Mail Server
  • Host Name: servername.domainname.tld
  • User Name: username
  • Password: password

Outgoing Mail Server
  • Host Name: servername.domainname.tld
  • User Name: username
  • Password: password

Advanced – Mailbox Behaviors
  • Drafts Mailbox: Drafts
  • Sent Mailbox: Sent Items
  • Deleted Mailbox: Deleted Items

Advanced – Deleted Messages
  • Remove: Never

Advanced – Incoming Settings
  • Use SSL: On
  • Authentication: NTLM
  • IMAP Path Prefix:
  • Server Port: 993

Advanced – Outgoing Settings
  • Use SSL: On
  • Authentication: NTLM
  • Server Port: 25

(Advanced settings were auto-configured.)

A few more points worth noting:

15 thoughts on “Using an iPhone for e-mail with Exchange Server”


  1. Hi, I’ve just finished putting together an article that shows the steps to get an iPhone running with Small Business Server 2003, including how to create the SSL certificate for the Small Business Server (non self-signed) and configure Entourage and iTunes on the user’s Mac – all of which are necessary to get the iPhone syncing email, calendar and contacts securely. I’ve also added steps to activate the iPhone itself so hopefully the article is fully comprehensive. The article can be found here: http://www.o2iphone.com – hope it helps someone.


  2. Confirmed that this works well with Exchange 2003 and the iPhone.
    Thank you very much for this helpful information!

    -dj


  3. There are a number of things you are not considering. For one, it is far easier to use native Windows VPN connections that allow remote users to do anything from Remote Desktop to “full Outlook client from outside the firewall.” I have scripted the VPN creation on an autoplay CD so anyone can take it home and have it installed in seconds. If you set it up with split tunnel then you can check email while browsing the web. Also, many smaller organizations use Certificate Server to create their own SSL certificates. I can import those into a Windows Mobile device. How do I get it on an iPhone? If I walk thru the many articles to find all of your details I’m basically being told to reconfigure my network so someone can use an iPhone. If Apple has so little understanding of how people use Microsoft products maybe they should hire some folks who do.


  4. Larry, at the time I wrote this post (six months ago), the iPhone was just a consumer device – at least in the UK, where O2’s terms and conditions specifically prohibit commercial use of mobile data and Wi-Fi.

    And because Apple’s folks got a grip on how people wanted to use the iPhone in a business environment, they licensed ActiveSync and got ready to release an SDK to application developers. I expect there will be more about that at Apple’s worldwide developer conference (WWDC) next week.

    The iPhone is not ready for business, yet, but it is just about to grow up – with real push e-mail, calendar integration, contact synchronisation, global address list lookup, IPSec VPNs, two-factor authentication (certificate-based), enterprise Wi-Fi (WPA2/802.1x), security policy and device configuration tools, and remote wipe capabilities.

    BTW:

    “If I walk thru the many articles to find all of your details I’m basically being told to reconfigure my network so someone can use an iPhone.”

    What I think you meant to say was “Thank you for giving up your personal time to write up some notes with the intention of helping people to get an iPhone working with Exchange Server’s IMAP functionality. This post doesn’t cover everything I need and I couldn’t be bothered to search for anything more recent on the site – but after having followed a few links from this page, I’m not convinced this is the right solution for me”.

    A few manners wouldn’t go amiss.

    I’d also add that there seem to be a number of things you are not considering – like that a full VPN is an unnecessary security risk if all your users want is remote desktop and a “full Outlook client from outside the firewall” – HTTP is just one port to open and as for full Outlook access from outside the firewall, that’s what RPC over HTTP is for. Some security guys would also consider split tunnelling to be a security risk because if the client device is attacked from the ‘net whilst the VPN is active then the VPN is also potentially exposed.


  5. Hi Mark,

    I stumbled across this article while looking for a way to connect my iPhone 3G to our company’s LAN. We have two access points; one that requires a key and offers internet access only, and one that you don’t enter a key for, but allows access based on a certificate server. I’m not a network guy, so I’m not sure how the latter works, but that’s the one I’d like to connect to so I can see webpages on our intranet website.

    Is there a way for the iPhone to connect to the wireless access point that uses a certificate server?

    Thanks in advance,

    Bill


  6. I have had customers asking for this sort of functionality with Exchange. It is great to have this additional information handy.
    I will be able to put this to good use.

    Awesome info!


  7. @Ron – glad you found it useful but I should caution that this advice is old. Since the v2.0 software was released, iPhone users have had native support for Exchange ActiveSync.


  8. Mark, yes this advice is outdated now. But, at the time I made a post last June I was getting upset at management level people buying iPhones because their teenage children told them how great they were. I eventually simply told them I wasn’t going to support them until the v2 release.

    Just want to apologize to you for my remarks back then. Thanks for all of the helpful information.

    Larry


  9. I’ve had no problems with iPhones connecting through our Cisco asa500’s over VPN and Wi-Fi, everything works, email, calendar, contacts and synchs no problem even from Honduras and the Dominican Republic where our buyers go. Our, or rather my, problem (as it’s my stuff) started when some higher ups bought 3.0 phones, at that point they could no longer connect using VPN over 3G, my 2.2.1 phones that I got on Friday all dropped right in.
    One user upgraded from 2.x to 3.x and the 3G VPN Exchange part broke off the bat. I’m still puzzled why Palm did not put a Cisco VPN client on their new one right off the bat, that’s why we have iPhones now.


  10. Outgoing port definitely works on 25, but has anyone gotten Exchange 2003 and iPhones to work on port 587? Microsoft and Android phones work fine with 587, so I’m assuming it’s configured correctly.
