Support for ActiveSync

Support for the ActiveSync protocol allows users to synchronize their email, calendars, contacts and tasks with mobile devices with Microsoft Windows Mobile, Palm OS, Symbian and OS X operating systems. The ActiveSync protocol is based on HTTPHypertext Transfer Protocol - A protocol for exchange of hypertext documents in HTML.(S). For network connections, it uses WiFi, GPRS, UMTS and other technologies.

Kerio Connect includes direct support for the protocol and therefore there is no need to install any supportive utility if the device also supports ActiveSync. If the device does not support the protocol, it is necessary to install an application which allows the synchronization on the device. Descriptions of configuration are provided in manuals of the particular devices, as well as in the knowledge base category ActiveSync where simple guidelines for setting of synchronization are provided for each device supported.

And also, no settings in Kerio Connect are required for the support. The only requirement is that the HTTP(S) service must be running on the default port (i.e. port 80 for HTTP and port 443 for the SSLSecure Sockets Layer - A protocol that ensures integral and secure communication between networks.-secured version). On most of supported mobile devices, ports cannot be changed to non-standard ports.

Synchronization methods

For synchronization of Kerio Connect data with mobile devices, two methods can be applied:

1. Direct synchronization with the server.
2. Synchronization by using a desktop application installed on the workstation.

The methods can usually also be combined.

Direct synchronization with Kerio Connect

This synchronization method does not require connection of the device to a desktop computer. The technology allows to connect over HTTP(S) ActiveSync protocol directly to the mailserver and synchronize mailbox folders with folders on the mobile device. On devices with an Internet connection, users can synchronize their data any time and, on newer devices, it is also possible to perform online synchronizations by using the DirectPush technology.

This synchronization method allows synchronization of the following folder types:

• mail folders,
• contacts,
• calendar,
• tasks — tasks synchronization is available only on devices with Windows Mobile 5.0 and later.
• The following parameters must be set for the direct synchronization with the server:
• The HTTP(S) service must be running in Kerio Connect. For connections to the server from the Internet, it is necessary to enable an appropriate port (usually only for the HTTPS service) at the firewall behind which Kerio Connect is running.
• It is necessary that network connection is set properly on the device.
• For connections via the HTTPS protocol (recommended for security reasons), it is necessary to have installed a trustworthy certificate.
• The configuration of the device must allow connection to Kerio Connect. The configuration requirements depend on device:

Device	Configuration
Windows Mobile	In Windows Mobile systems, it is necessary to set the ActiveSync application so that it can connect to the server. The configuration may vary in different versions of Windows Mobile. It usually works like this: in ActiveSync open Menu and in the Add Server Source field enter the Kerio Connect's Internet name along with username and password for connection to the account.
Nokia E-series	Nokia Eseries and some of the Nokia Nseries mobile devices support the ctiveSync protocol if the Mail For Exchange application (developed by Nokia) is installed on the device.
Mobile devices with RoadSync	The DataViz's RoadSync application allows synchronization of email, calendars and contacts over the ActiveSync protocol. The application and the mobile device's settings are focused at http://www.dataviz.com/.
Apple iPhone OS 2.0	Apple iPhone 3G 2.0 and 3.0 requires an Exchange account which supports the ActiveSync 2.5 synchronization protocol.
Apple iPhone OS 3.0	Apple iPhone OS 3.0 requires an Exchange account which supports the ActiveSync 12.1 synchronization protocol.

Synchronization by the ActiveSync desktop application

This synchronization method is performed out of Kerio Connect and its description can be found in ActiveSync user's guides and in device manuals.

For successful data synchronization by using the ActiveSync desktop application, the following conditions must be met:

• The mobile device must include any version of the ActiveSync application (all supported versions of Windows Mobile operating systems include the application).
• Microsoft Outlook is required on the user's desktop computer. It is necessary that an account connected to Kerio Connect is created in Microsoft Outlook (it is recommended to use a Kerio account extended with Kerio Outlook Connector since this allows also synchronization of Notes folders).
• The ActiveSync desktop application installed on the user's desktop computer is required.

Synchronization with the server via desktop applications is performed in a way that Microsoft Outlook can access the data on the server (thanks to the connected and authenticated email account). Microsoft Outlook is synchronized along with the ActiveSync desktop application while the desktop application can be synchronized with the device upon a connection. The process also works the other way round. After a successful connection, new data is synchronized via the ActiveSync desktop application with Microsoft Outlook. This client applies the data in Kerio Connect folders.

One of the advantages of synchronization via Microsoft Outlook and the desktop application is the possibility to synchronize all folder types stored at the server (including tasks and notes in any device versions).

Supported versions of ActiveSync and mobile devices

The list of supported devices can be viewed at Kerio Connect product pages.

RoadSync

Kerio Connect supports RoadSync 4.0 and higher developed by DataViz. RoadSync enables synchronization between Kerio Connect and mobile devices. The synchronization is performed by the ActiveSync protocol.

RoadSync supports synchronization of the following folder types:

• Email,
• Calendar,
• Contacts,
• Tasks (only Symbian S60),

The RoadSync application can be installed on the following mobile devices:

• Symbian UIQ,
• Symbian S80,
• Symbian S60 3rd Edition,
• Palm OS (synchronization is available for email only),
• Java MIDP 2.0 (synchronization is available for email only),

For details on RoadSync and supported devices, see the DataViz website at http://www.dataviz.com/.

SSL encryption

For the traffic, ActiveSync uses the HTTP or the HTTPS protocol.

The following conditions must be met to make certificates valid:

• The certificate must be issued by a trustworthy certification authority. Trustworthy means that the mobile device needs to know the server's root certificateA certificate issued by a trusted certificate authority (CA). In the SSL, anyone can generate a signing key and sign a new certificate.. Windows Mobile includes root certificates of several certification authorities. List of these authorities can be found at the Microsoft Corporation website.
• Date of the certificate must be valid and correct date and time must be set in the device.
• The certificate must include a valid name of the email domain for which Kerio Connect is used.

Valid certificates for encrypted traffic can be either certificates issued by or certificate issued by or so-called self-signed certificate generated in Kerio Connect.

• trustworthy certification authorities (no settings or installations are required), or
• internal certification authority (the root certificate must be installed on the device), or
• self-signed certificate generated in Kerio Connect (the root certificate must be installed on the device)

Windows Mobile requires certificate encoded in the DER X.509 format (.cer extension). The simplest method to get and install a certificate is to download it to the device by a browser.

Kerio Connect's self-signed certificate in the required format is available at http://server_name/server.cer

Installation of the Kerio Connect's self-signed certificate

The Kerio Connect's self-signed certificate can be installed as described below:

1. On the mobile device, run a web browser.
2. In the URLUniform Resource Locator is the address of a web page on the world wide web. textfield, enter the server's address following the pattern (http://server_name/server.cer, for example http://mail.company.com/server.cer) or (https://server_name/server.cer, for example https://mail.company.com/server.cer)
3. Click OK to download the certificate.
4. Click on the OK button to install and use the certificate.

Now, the certificate is installed.

Allowing installation of a root certificate in WM 5.0 Smartphone Edition

The security policy of Smartphone devices with Windows Mobile 5.0 or Windows Mobile 5.0 AKU2 forbids installation of root certificates issued by other than trusted certification authorities.

To allow installation of root certificates issued by authorities not supported by the particular device (an internal certificate or the Kerio Connect's self-signed certificate), it is necessary to install a mobile device registry editor on the mobile device and use this editor to allow installation of untrustworthy root certificates. One of the options is for example application regeditSTG.zip (24.01 kB).

1. Find and download regeditSTG.zip (available for free) and unpack it.
2. Move the editor to the mobile phone (e.g. by using the MS ActiveSync desktop application).

3. Run regeditSTG.exe and findHKLM\Security\Policies\Policies.
4. Change the following registry items:

• 00001001 overwrite the 2 with 1
• 00001005 overwrite the 16 with 40
• 00001017 overwrite the 128 with 144

5. Now, it is possible to download the certificate from the server and install it as described in section SSL encryption.

SSL encryption in Sony Ericsson devices

If the Kerio Connect's self-signed certificate is installed, the device does not require confirmation for each synchronization with the server:

[Security Information ?]
The certificate could not be
verified.
Select 'Certificate details' to get
more information about the
certificate.
Do you want to accept the
certificate and proceed?
[ Yes ]  [  No  ]  [ Details ]

Therefore, it is recommended to install a certificate signed by a trustworthy certification authority.

Remote deletion of the device data (Wipe)

The wipe feature allows the Kerio Connect administrator to remove content of synchronized folders or even of the whole mobile device (so called hard reset) by a single click. This feature may be helpful when the device gets lost or stolen.

In addition to data clear-out, this action also disables further connections of the device to Kerio Connect by the original user login data.

Since the device types and operating systems are different, it depends on these conditions whether it is possible to reset the device completely or only to clear out synchronized folders. Remote hard restart is supported only by Windows Mobile 5.0 AKU2 and higher. Since older versions of Windows Mobile do not support this feature, only data synchronized by ActiveSync can be removed remotely.

To perform remote wipe-out, go to the Accounts > Users section of the administration interface:

1. Select the user whose data will be removed from the device.
2. Right-click to open the pop-up menu and select More Actions > Mobile Devices.
3. This opens a dialog where mobile devices of the particular user can be administered.
4. Select the device where the data should be wiped out and click on Wipe.

Details of the wipe process are recorded in the Security log.

User confirmation of the wipe action

On Windows Mobile operating systems, user confirmation of the synchronizations security policy is required for wipe actions. In other words, it is necessary that the user agrees that the administrator performs the wipe action. Therefore, a dialog appears which must be confirmed by the user during the first data synchronization between the device and Kerio Connect (usually immediately upon the moment when login data for ActiveSync is set in Kerio Connect). if not confirmed, it is not possible to complete the synchronization process.

This measure is applied for security reasons.

Removing a device from the administration of mobile devices

As the time goes on, users often buy new devices. Their older types are still connected to Kerio Connect. Although these items do not cause any collisions or other problems, it is recommended to remove unused devices to keep the server well-organized.

Unused mobile devices can be removed as follows:

1. In Accounts > Users, select a user whose devices are not used any longer.
2. Right-click on the account to open a pop-up context menu and select Mobile Devices.
3. This opens a dialog where mobile devices of the user can be administered.
4. Select the device where the data should be wiped out and click on Remove.

Synchronization logs

The entire synchronization process can be monitored and logged by using special tools. These tools can be found both in the Kerio Connect's administration interface and in the mobile device. This section provides description and settings instructions for these tools:

Synchronization logging in Kerio Connect

Kerio Connect Administration includes a special option in the Debug log. The traffic log can be started as described below:

1. In the Kerio Connect's administration interface, go to the Logs > Debug section.
2. Right-click on the log window to open the pop-up menu.
3. Right-click on the log window and click Messages.
4. Select ActiveSync Synchronization.
5. Click OK to confirm settings.

Once the log is set, run the synchronization of the device and the server to make the log.

Logging synchronization on mobile devices

On Windows Mobile, the ActiveSync application includes special logs for each synchronization performed that can be helpful when solving traffic issues. Logs can be enabled/disabled in the Advanced section of the ActiveSync application.

Windows Mobile stores logs in \Windows\Activesync. Each synchronization process is saved in a stand-alone file whereas the three most recent logs are kept in the directory mentioned above. Names of the log files are:

• Exchange Server0.txt
• Exchange Server1.txt
• Exchange Server2.txt

These logs may be helpful especially when solving issues in cooperation with the Kerio Technologies technical support.

Troubleshooting

Problems with synchronization of a single folder on Windows Mobile

Problem descritpion

User's attempts to synchronize a subscribed folder fail..

Solution

In ActiveSync configuration, perform these settings:

1. In ActiveSync configuration, remove the folder from the list of synchronized folders.

Removing a damaged folder from the list of synchronized folders

2. Use so called soft reset to reboot the device.
3. Synchronize the device with the server (without the damaged folder).
4. If the synchronization has been completed successfully, add the folder to the list and repeat the synchronization.
5. If even now the synchronization is not successful, please contact Kerio Technologies technical support.

Problems with synchronization of all folders on Windows Mobile

Problem descritpion

User's synchronization of folders subscribed for synchronization fail.

Solution

In ActiveSync configuration, perform these settings:

1. In ActiveSync configuration, remove (uncheck) all folders from the list of synchronized folders and save settings.

Removing all folders from the list of synchronized folders

2. Use so called soft reset to reboot the device.
3. Add the removed folders to the list again and repeat the synchronization.
4. If even now the synchronization is not successful, please contact Kerio Technologies technical support.

Connection of the device to the server fails

Various solutions can be applied. Above all, it is necessary to check if the following conditions are met:

• It is necessary that Internet connection is set properly on the device so that the device can connect to Kerio Connect.
• In ActiveSync configuration, check that the appropriate login data is used.
• in Kerio Connect, the HTTP(S) service must be enabled on standard ports (most devices do not support setting of non-standard ports for traffic).
• If the device uses for communication an SSL-secured protocol, it is necessary to check whether a valid SSL certificateSSL certificates are used to authenticate an identity on a server. is used (see section SSL encryption).
• If the user connects to the server from the Internet, it is necessary to check that standard ports of the HTTP(S) protocol are enabled at the firewall.