I had a loong evening a couple of weeks ago struggling to get my shiny new Motorola Droid (running Android 2.1) to synchronize Contacts, Calendar and Mail with my Microsoft Exchange 2007 server. Although I love the phone as a stand-alone phone, obviously for work purposes the ability to sync and sync properly with Exchange is a make-or-break feature.

There have been numerous reports of issues with Exchange synchronization and Droids. I spent the better part of yesterday afternoon and well into the night pouring over them. In the end my problem was simply a faulty configuration of the firewall rule that prevented the Droid from making an SSL connection to our server on port 443. Doh!

In fact, most of the issues I read about seem to involve server configuration problems, not Droid feature related. Once I got my server configuration and firewall settings sorted, everything worked a treat with no third party applications required.

If you are an end-user without control of your company’s servers, most of this will be useless to you. For Exchange admins, here is the rundown.

System Requirements

• Exchange 2000 Not supported.
• Exchange 2003 Service Pack 2 required. I would recommend at least R2. But if you don’t have R2 and it doesn’t work, you are probably going to want to upgrade to 2007 anyway.
• Exchange 2007 Service Pack 2 required.

Sync Methodology
Droid prefers Exchange ActiveSync. This will produce the best results with regards to synchronization of sub-folders and inclusion of attachments.

SSL is supported. Forms-based authentication with Active Sync is not. See the awesome Daniel Petri for a breakdown of your options and implementation. They are basically: turn off forms-based authentication (bad!), install a dedicated front-end server (very good but expensive), create a virtual OWA directory that does not require FBA (okay but kind of tricky).

Also not supported: Pasword security and remote wipe. (As of Android 2.1) Be aware that these are deal-breakers for many businesses that have strict regulatory requirements.

Client Certificates are a bit of a problem. There are work-arounds. Manual install of certs can be an issue. The consensus seems to be to configure Outlook Web Access to push a certificate to the client. Then use the Droid browser to go the OWA site and accept the cert.

Configuration
The official Motorola Exchange configuration settings are here. It breaks down like this:

• Exchange 2003 SP3
  1. In Exchange System Manager expand Global Settings. Select Mobile Services and get properties.
  2. Make sure the Enable Unsupported Devices box is checked. Click the Device Security button.
  3. In the Device Security dialog check the bottom option, Allow access to devices that do not fully support password settings. Note, this will not affect devices that support the other features. They will still be enforced.
• Exchange 2007 SP2
  1. Open Exchange Management Console, expand Organization Configuration, then Client Access
  2. You will need to either change or create a new Active Sync Mailbox Policy by checking the box, “Allow non-provisionable devices.” This setting and policy will not affect other devices that do fully support Exchange security policies. They will continue to function normally.
  3. If you changed the default policy you are done, otherwise proceed to the next step.
  4. Now go to Recipient Configuration and select the mailbox(es) that you wish to allow Droid access. Select the mailbox properties, then the mailbox features tab, select Active Sync and click the properties button.
  5. If you created a new policy, apply the new non-provisioned device policy to this mailbox. Apply, close all windows.

Once I got that all done the Droid mail, calendar and contacts all synchronized flawlessly, including sub-folders using the native programs. I get my attachments properly and the push synchronization works fairly well. Sometimes I do have to manually refresh the link. I haven’t tried out-of-office yet.

For some users whose Excahnge servers and profiles are just too… weird for the native Droid apps, Nitro Desk makes a very good third-party Exchange sync and mail-calendar-contact-task management app called Touchdown. A 30 day demo is free on the Marketplace but the full version is $19.99.
Troubleshooting

• The Exchange Remote Connectivity Analyzer is awesome. It provides a test bed for the authentication methodologies available to Droid and gives connection logs that can help pinpoint problems. In my case it was the tool that told me that the server was not responding to requests to set up the SSL connection.
• In order for folders to sync they have to be nested within the Inbox. Folders outside of that hierarchy may not sync at all.

“Almost all of the commercial internet service providers now supply their customers with WiFi enabled routers. Many of these come with instructions for enabling the wireless but the default condition is often an open system; one that allows anyone to connect,” explained Riverfront Technology Systems Engineer, Zach Peters, who was in charge of the survey.

“If the system is open, then not only can anyone connect to the Internet through that connection, but that also puts them ‘inside’ the firewall and exposes all the computers in that residence or business to an intruder,” Peters continued.

Riverfront Technology conducted its survey in early November. In 30 minutes, using about $60 in hardware and free software they collected data on 530 unique access points while driving on city streets in a normal manner, at the speed limit. The software used only collected information that the access points actively broadcast to the world. Riverfront Technology did not connect to any network during this survey.

Google Maps mashup of Clinton wireless survey results.

Of the 530 access points surveyed, 171 (32%) had no security or encryption turned on at all, meaning they were open to anyone. 27 (5%) leaked information about the internal network without even connecting and 15 (2.8%) access points revealed their location within the building including floor, wing or room number. Of the 359 access points that did have security enabled, 148 (87% of encrypted, 28% of all access points) used the weakest security system, Wired Equivalent Privacy or WEP.

Riverfront Technology Vice President, Connor Anderson asserted that these results are probably a pretty good sample of any community. “I expect we could repeat this anywhere in the United States and get results within just a few percentage points of what we see in Clinton,” he said.

The Internet router provides a basic security barrier between the Internet “on the wire,” and the computers in the house. However, the WiFi connection is part of the inside of the network and connects the residential PC’s. “An open wireless connection is like leaving your house doors locked but leaving the bay window facing the street open all the time,” said Peters.

Anderson stated, “The market if now full of devices that are wireless enabled; from handheld smart phones, to netbook and laptop PC’s that can now be purchased for about $500 or less. This means we are seeing an explosion of businesses and residences adding wireless service.”

For most people the solution is pretty straightforward. Most of these devices come with instructions or software “wizards” that allow the users to set the security on their wireless networks. Riverfront Technology recommends that users who don’t understand the instructions either contact tech support at their internet service provider, the device manufacturer, or contact someone who can help them set this up.

Anderson said that businesses especially need to be aware of the problem and not think that just because they ran the WEP wizard they are secure. Credit Card fraud is a multi-billion dollar global business. “If your business handles credit card transactions, of if you are a financial services or health care provider then you need to make sure you are using proper encryption and authentication. WEP is just barely okay. It’s like putting a hook on your screen door and leaving the inside door open. WEP can be cracked by any reasonably skilled hacker in just a few minutes. It is not good enough for business,” he said.

A google map of the results is available here: here. Riverfront Technology is publishing these results for several reasons: 1) the data does not give any information on how to get into a secured network, 2) Unsecured networks are just that, unsecured. Obscurity does not equal security and considering the utter simplicity of gathering this data, it does no harm, 3) it is sincerely hoped that those who find their unsecured networks in this survey will take steps to fix that condition.