Windows Phone Thoughts - Daily News, Views, Rants and Raves

  #11 (permalink)  
Old 09-20-2002, 06:30 PM
Contributing Editor Emeritus
Ed Hansberry's Avatar
Join Date: Aug 2006
Posts: 8,228

Quote:
Originally Posted by BigDaddyJ
Speaking of which, does anyone know of known ActiveSync-over-IP vulnerabilities with 3.5/12007?
LOL! :lol: Given AS was never intended to be used in this manner, I would say the holes are as big as my house. I wouldn't put this on a corporate network until you had a security guy check it out.
 
  #12 (permalink)  
Old 09-20-2002, 07:54 PM
Intellectual
Join Date: Jul 2003
Posts: 192

Anybody know what ports Active Sync over TCP/IP uses?
That might help begin to answer the security questions.
Now I'm going to need to pressure Cisco for a VPN client for my PPC (as if...).
 
  #13 (permalink)  
Old 09-20-2002, 08:10 PM
Intellectual
Join Date: Jan 2007
Posts: 183

Wouldn't the answer to your question be the ports listed in the article?
 
  #14 (permalink)  
Old 09-20-2002, 08:18 PM
Intellectual
Join Date: Jul 2003
Posts: 173

Thanks for this great how-to. I just got it working with Earthlink Wireless,
Yea Baby! 8)
__________________
Regards,
Qman...
 
  #15 (permalink)  
Old 09-20-2002, 09:05 PM
Thinker
Underwater Mike's Avatar
Join Date: Nov 2007
Posts: 443

Any suggestion for a host with a dynamically assigned IP? How do you make sure the Pocket Hosts association is accurate all the time?
 
  #16 (permalink)  
Old 09-20-2002, 10:00 PM
Thinker
Join Date: Aug 2006
Posts: 319

Quote:
Originally Posted by BigDaddyJ
Quote:
Originally Posted by ChrisD
Hi,
First, I suggest that you erase your IP address out of the images. Otherwise you may be inviting hackers to attack. After all they know you have a Windows machine with ActiveSync running on it!
Good point, except he does appear to be on a DHCP DSL address, so just do a release/renew and hopefully you'll be on your way

Speaking of which, does anyone know of known ActiveSync-over-IP vulnerabilities with 3.5/12007?

--bdj
Actually, last week our ISP switched our block of IPs to a whole new subnet so you were poking around someone else's machine today.
Thanks Ed, for blurring the IP though.
 
  #17 (permalink)  
Old 09-21-2002, 10:12 AM
Pupil
Join Date: Sep 2002
Posts: 21

Hello,
Thanks for the great tip. I am continually struggling to connect my Pocket PC to work.
This is what happens:
I disabled the firewall just to be sure. My iPAQ connects to the internet through my Ericsson T68i (GPRS). ActiveSync shows the 'connecting' animation, but there it stops: after a few minutes I get an error about a critical connection fault and am advised to reboot. Any thoughts?
Desktop: WinXP on mxstream DSL modem !!ActiveSync 3.6!
Pocket PC: iPAQ 3970, Bluetooth connection to Ericsson T68i GPRS
 
  #18 (permalink)  
Old 09-21-2002, 02:13 PM
Neophyte
Join Date: Sep 2002
Posts: 5
NAT & router configuration

The scenario with a critical connection fault typically means either there is a firewall in the way or you are perhaps behind a NAT router or some other form of Internet connection sharing. Network Address Translation means that you have many machines with private IP addresses all sharing one incoming "real" IP address.

I'll give more detail about the client side since I'm very familiar with it. I may be able to provide more server (desktop) side details in a day or two, but don't hold me to that.

On the client side, the firewall must be configured to allow port 990 to come in and be routed to your PocketPC. This can just be opening a port on a firewall, or in the case of NAT you must tell the router what internal address should handle this request. You have to either statically set your IP on the PocketPC or, if your router handles it you can set up a "special application".

I have worked with DLink DI-713p and DI-614+ routers and they are very similar for setting up "special applications". The idea is to figure out an outgoing trigger port, and when that outgoing trigger is used open up an incoming port to that IP address. There are two nice things about this approach: The incoming port isn't open when not being used and you don't have to statically tie the incoming port to one IP address (more than one PocketPC can use activesync, though probably not at the same time).

For clients it works to set the trigger port to 5679 and the incoming public port to 990. If you can't use trigger ports then you'll have to tie the incoming 990 port to the static IP you'll always assign to your PocketPC.

As far as ActiveSync on the desktop side goes, I know the trigger approach won't work. This is because the request for ActiveSync is originated by the PocketPC and there is no trigger before that request to open the incoming port. So you must either have a non-NAT address or be able to configure the incoming ports to be forwarded to your private IP address. The incoming ports are one or more of 999, 5678 and 5679 (I will try to do some testing or talk to the firewall guy at work to see if I can narrow this down a bit - I've always meant to).

If you are already non-NAT on the desktop side and still having trouble then it is likely a firewall issue needing to open the same ports.

Hope that all makes enough sense to be useful.
 
Reply With Quote
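Added example, not part of the thread or of any router's firmware: a simplified Python model of the port-trigger versus static-forward behaviour described in post #18, showing when each of the ports named there is reachable from outside. The 300-second trigger lifetime and the 192.168.0.x addresses are assumptions made for the illustration.

```python
# Simplified NAT router model (constructed for illustration; real routers differ).
from dataclasses import dataclass, field

TRIGGER_TTL = 300  # assumed: seconds a triggered port stays open


@dataclass
class NatRouter:
    static_forwards: dict = field(default_factory=dict)  # public port -> internal IP
    triggers: dict = field(default_factory=dict)         # outgoing port -> incoming ports
    _open: dict = field(default_factory=dict)            # incoming port -> (IP, expiry)

    def outbound(self, src_ip, dst_port, now):
        """An internal host connects out; arm any trigger tied to that port."""
        for port in self.triggers.get(dst_port, ()):
            self._open[port] = (src_ip, now + TRIGGER_TTL)

    def inbound(self, dst_port, now):
        """Internal IP an unsolicited inbound connection reaches, or None if dropped."""
        if dst_port in self.static_forwards:
            return self.static_forwards[dst_port]
        host, expiry = self._open.get(dst_port, (None, 0))
        return host if now < expiry else None

    def exposed_ports(self, now):
        """Ports reachable from the Internet at time `now`."""
        dynamic = {p for p, (_, exp) in self._open.items() if now < exp}
        return sorted(set(self.static_forwards) | dynamic)


def client_side_router():
    # PocketPC side: outgoing 5679 triggers incoming 990 (ports from the post).
    return NatRouter(triggers={5679: {990}})


def desktop_side_router(desktop_ip="192.168.0.10"):
    # Desktop side: no outgoing trigger exists, so the ports listed in the
    # post (999, 5678, 5679) have to be forwarded statically.
    return NatRouter(static_forwards={p: desktop_ip for p in (999, 5678, 5679)})


if __name__ == "__main__":
    client = client_side_router()
    print("client before sync:", client.exposed_ports(now=0))
    client.outbound("192.168.0.50", 5679, now=10)   # PocketPC starts a sync
    print("client during sync:", client.exposed_ports(now=20))
    print("client after TTL:  ", client.exposed_ports(now=400))
    print("desktop, always:   ", desktop_side_router().exposed_ports(now=0))
```

The desktop-side router is the one to review first: its forwarded ports accept connections from any source at any time, so a source-address restriction or a VPN in front of them is where the exposure is reduced.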
  #19 (permalink)  
Old 09-21-2002, 02:25 PM
Neophyte
Join Date: Sep 2002
Posts: 5
VPN Support

I just had another thought about this ActiveSync remote stuff. While VPNs (Virtual Private Networks) can help with the port opening stuff, they don't seem to be a panacea. This is because they seem to rely on any NAT (Network Address Translation) routers between you and the VPN back at the office supporting the VPN protocol you are using.

The short answer is: use VPN if you can as this enables all ports between you and your desktop PC. However, if NAT is involved you may be out of luck.

I experienced this issue while traveling last week in DC. My hotel had high-speed ethernet connection in every room, but as is typical I was behind a NAT router. I thought "No prob, I've already tested this out from home behind my own NAT router and can just fire up the PocketPC's built-in VPN support". No dice. The routers at the hotel did not seem to have the PPTP routing support enabled and I was SOL.

I switched to downloading the PocketPC IPSEC VPN client for SecuRemote since my office also has that but had similar trouble using it. I am not 100% certain that IPSEC was stopped by the hotel's router as my tech support back at the office was unable to help at that time. However, it seems likely that there could have been similar router support issues since my home router has checkboxes to enable both PPTP and IPSEC VPN support.

FYI: I haven't yet set up my own VPN, I've only been using the clients to access a VPN already configured back at my office. That means I can't yet help much with setting up VPNs. I'd be happy to clarify anything client-side though if this post wasn't clear.
 
  #20 (permalink)  
Old 09-21-2002, 05:05 PM
Contributing Editor Emeritus
Ed Hansberry's Avatar
Join Date: Aug 2006
Posts: 8,228
Re: VPN Support

Quote:
Originally Posted by TeQuilYa
I experienced this issue while traveling last week in DC. My hotel had high-speed ethernet connection in every room, but as is typical I was behind a NAT router. I thought "No prob, I've already tested this out from home behind my own NAT router and can just fire up the PocketPC's built-in VPN support". No dice. The routers at the hotel did not seem to have the PPTP routing support enabled and I was SOL.
Sounds like the hotel had the VPN port blocked. They don't have to support VPN, but they do have to open the port. Some cell phones and ISPs block this port unless you pay an extra fee - knowing as a business traveler you will be more likely to pay.
 