Category Archives: Active Sync

Event Viewer Warning 1040 - ActiveSync Direct Push technology

We might notice this warning in the Event Viewer on Exchange servers for the source MSExchange ActiveSync:

Event Type: Warning
Event Source: MSExchange ActiveSync
Event Category: Requests
Event ID: 1040
Date: 3/10/2016
Time: 12:54:22 PM
The average of the most recent [513] heartbeat intervals used by clients is less than or equal to [540].
Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and Direct Push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.

This warning does not indicate a problem on the Exchange servers themselves. It indicates a mismatch: the value configured on the network load balancer that serves the clients does not match the values on Exchange.

ActiveSync uses Direct Push technology to retrieve emails from the server. To initiate Direct Push communication between the ActiveSync client and the Exchange server, it uses the heartbeat interval values.

Direct Push involves two parts: a request from the ActiveSync mobile client and a response from the Exchange server. When there are changes in the user's mailbox, the client is notified and the changes are transmitted over a persistent HTTP or HTTPS connection through Direct Push.

Below is the process of an ActiveSync request to the server:

1) The client issues an HTTP request to the Exchange server asking for any changes that occurred in the user's mailbox within the specified time. Basically it queries the Inbox, Contacts, Calendar, etc.

2) After Exchange receives this request, it watches the specified mailbox for changes in the folders until the specified time limit expires. When the timeout period is reached, it issues an HTTP 200 OK response to the client containing the updates for the folders.

3) The client then receives the response from Exchange, which can be any of the following:

HTTP 200 OK – no change in folders. In this case the client reissues the Ping request with the next heartbeat interval value.
HTTP 200 OK – change in folders. The client gets the updates for each folder that changed, and after the sync is done it reissues the request at the next interval.
No response – the client lowers the interval in the Ping request and reissues it at the minimum heartbeat interval value to get the update.

So these HeartBeatInterval values should match between the network load balancers and the Exchange servers.

Let's have a look at the HeartBeatInterval values on the Exchange servers.

Where are these values stored in Exchange 2016?

These values can be seen in the web.config file at the following location in the installation directory:

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Sync

There are four values, as below:

MinHeartBeatInterval – the minimum number of seconds that a client waits between issuing heartbeat commands to the server. The default value in Exchange 2016 is 60 seconds. If this value is too small, the client sends HTTP requests very often and drains the device's battery.

MaxHeartBeatInterval – the maximum number of seconds that a client waits between issuing heartbeat commands. The default value on Exchange 2016 servers is 59 minutes.

HeartBeatSampleSize – the size of the bucket in which the server collects the most recent heartbeat intervals received from ActiveSync clients. The server uses this sample to see which intervals clients are actually using when sending ActiveSync HTTP requests and to check that they fall within the configured values. The default is 200 heartbeat intervals.

HeartBeatAlertThreshold – if the heartbeat intervals collected in the sample do not meet this threshold (the event above is logged when the average of the most recent intervals is less than or equal to it), an event is written to the Application log. The default value is 9 minutes.

Let's say the HTTP(S) connection timeout on the firewall is not configured to be at least 59 minutes, so it is shorter than the value on the Exchange servers. Once an ActiveSync HTTP request times out on the firewall, the ActiveSync mobile client sends another HTTP request, which may cause connection overload.
To flag this, the Exchange server triggers an alert and writes an event to the event log.
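As an added illustration (not from the original post), the Python below simulates the sampling described above: each client starts at the maximum heartbeat, falls back to the minimum once a Ping outlives the firewall idle timeout, and the server keeps a bucket of the most recent HeartBeatSampleSize intervals and flags Event 1040 when their average is at or below HeartBeatAlertThreshold. The default values are the ones listed in this post; the client back-off model and the client and ping counts are assumptions of the simulation.

```python
from collections import deque
from statistics import mean

# Exchange 2016 defaults (in seconds) as listed in this post
MIN_HEARTBEAT = 60            # MinHeartBeatInterval
MAX_HEARTBEAT = 59 * 60       # MaxHeartBeatInterval
SAMPLE_SIZE = 200             # HeartBeatSampleSize
ALERT_THRESHOLD = 9 * 60      # HeartBeatAlertThreshold


class HeartbeatMonitor:
    """Bucket of the most recent heartbeat intervals seen in client Ping requests."""

    def __init__(self, sample_size=SAMPLE_SIZE, threshold=ALERT_THRESHOLD):
        self.samples = deque(maxlen=sample_size)
        self.threshold = threshold

    def record(self, interval):
        """Add one interval; True when the bucket is full and Event 1040 would be logged."""
        self.samples.append(interval)
        bucket_full = len(self.samples) == self.samples.maxlen
        return bucket_full and mean(self.samples) <= self.threshold


def simulate(firewall_idle_timeout, clients=50, pings_per_client=8):
    """Model Direct Push clients behind a firewall with the given idle timeout (seconds).

    Assumed client behaviour: start at the maximum heartbeat; when a Ping is held
    longer than the firewall timeout the response never arrives, so the client
    backs off to the minimum heartbeat (the 'no response' case above).
    Returns (event_1040_logged, average_of_current_sample).
    """
    monitor = HeartbeatMonitor()
    logged = False
    for _ in range(clients):
        heartbeat = MAX_HEARTBEAT
        for _ in range(pings_per_client):
            # Exchange sees the requested interval even if the firewall later drops the reply
            if monitor.record(heartbeat):
                logged = True
            if heartbeat > firewall_idle_timeout:
                heartbeat = MIN_HEARTBEAT
    return logged, round(mean(monitor.samples))


if __name__ == "__main__":
    for timeout in (5 * 60, MAX_HEARTBEAT):
        print(f"firewall timeout {timeout}s -> (event 1040 logged, average) = {simulate(timeout)}")
```

With a 5-minute firewall timeout the sample average collapses to 495 seconds and the event fires; once the timeout is at least the maximum heartbeat the average stays at 3540 seconds and nothing is logged.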

A short timeout value makes the mobile device initiate new HTTP requests more frequently. This also drains the device's battery quickly, since more HTTP requests are initiated from the device.

The best practice is to increase the firewall timeout value for HTTP requests to the Exchange servers' ActiveSync virtual directory, which gives users a better experience. The timeout value on the firewall should be equal to or greater than the values specified on the Exchange 2016 servers.

Thanks & Regards
Sathish Veerapandian
MVP – Office Servers & Services.

Restrict end users from using third-party ActiveSync-enabled applications

Nowadays there are many ActiveSync-enabled applications that end users can download and install on their mobile devices to access email.

If we have an MDM solution in place to control end users' mobile devices, then we don't need to worry about this.

Most MDM solutions implement a separation between personal device policy, corporate device policy, and which applications can be downloaded and used on the devices.

The challenge comes when we do not have an MDM solution in place and users access email from their mobile devices without any ActiveSync policies configured.

In this article, let's look at some guidelines for identifying and blocking users who access email from their mobile devices through third-party ActiveSync-enabled applications.

How to find the ActiveSync connections coming from different mobile applications?

You can filter and view the ActiveSync requests in the reverse proxy or firewall. This is the easiest way to find them.
To find the users who are using an app to access email via ActiveSync, perform the following:

1) Filter the ActiveSync requests in your firewall or reverse proxy and run the query.

2) Most firewalls and reverse proxies will show you the source, destination, and request after filtering.

You need to concentrate on the request alone.

Below is an example of a normal ActiveSync request:

POST http://domain.com/Microsoft-Server-ActiveSync?User=userID&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cm

If the user's device is connected through an application, e.g. CloudMagic, you can see the word "CloudMagic" in the request URL. This is how you can identify those users.

POST http://domain.com/Microsoft-Server-ActiveSync?User=userID&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cm=CloudMagic

You can also use the QueryString parameter of the device access rules to filter. This helps identify what types of devices are connecting. Use the command below to see the types of connections through ActiveSync:

Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

Note: You will only get output from the above if you have created a device access rule.

In the QueryString parameter you can see the type of software that is used to connect via ActiveSync.

There is one more method to identify the type of devices connecting through ActiveSync: the IIS logs.

Below is an example of how the log entry looks for the Android device type:

POST http://domain.com/Microsoft-Server-ActiveSync?default.eascmd=sync&deviceID=5a5d4d5fg8755gf5gh5g&DeviceType=Andriod
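The Python below is an added example (not from the original post) of the identification step: it parses request lines in the shape quoted above, pulls out the user, DeviceId, DeviceType and the application marker (Cm), and reports which requests a deny string like the one used later for CloudMagic would reject. The sample lines are constructed for this example, and the case-insensitive substring match is an assumption of the example, not a statement about how a particular proxy or IIS compares strings.

```python
from urllib.parse import parse_qs, urlsplit

EAS_PATH = "/microsoft-server-activesync"

# Constructed sample request lines, shaped like the ones quoted in this post
SAMPLE_REQUESTS = [
    "POST http://domain.com/Microsoft-Server-ActiveSync?User=alice&DeviceId=00ijhsad6564g2fd&DeviceType=iPhone&Cmd=Ping",
    "POST http://domain.com/Microsoft-Server-ActiveSync?User=bob&DeviceId=3f9a1c7e2b0d&DeviceType=iPhone&Cm=CloudMagic",
    "POST http://domain.com/Microsoft-Server-ActiveSync?Cmd=Sync&User=carol&DeviceId=5a5d4d5fg8755gf5gh5g&DeviceType=Android",
    "GET http://domain.com/owa/ HTTP/1.1",  # not ActiveSync, must be ignored
]


def request_url(line):
    """Second whitespace-separated field of a 'METHOD URL ...' request line."""
    parts = line.split()
    return parts[1] if len(parts) > 1 else ""


def parse_request(line):
    """Return the ActiveSync query parameters of one request line, or None if it is not EAS."""
    url = urlsplit(request_url(line))
    if url.path.lower() != EAS_PATH:
        return None
    # Parameter names vary in casing between clients (DeviceId vs deviceID above), so normalise keys
    params = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
    return {
        "user": params.get("user", ""),
        "device_id": params.get("deviceid", ""),
        "device_type": params.get("devicetype", ""),
        "client_app": params.get("cm", ""),  # the application marker shown in this post
    }


def is_denied(line, deny_strings):
    """Deny-string rule: block when any deny string occurs anywhere in the URL (assumed case-insensitive)."""
    url = request_url(line).lower()
    return any(s.lower() in url for s in deny_strings)


def report(lines, deny_strings=("CloudMagic",)):
    """Classify every EAS request line and mark which ones the deny list would block."""
    rows = []
    for line in lines:
        info = parse_request(line)
        if info is None:
            continue
        info["blocked"] = is_denied(line, deny_strings)
        rows.append(info)
    return rows
```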

Now, how do we block all these types of connections and allow only the native client?

I have listed a few points that will help address these kinds of issues.

1) Create a new device access rule to block the applications through which end users should not connect.

In my example I have created a new device access rule to stop connections coming from the CloudMagic application.

New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceType -QueryString "CloudMagic"

2) Add a deny string in the web.config file to stop connections from specific applications.

Edit the EWS web.config file on the Mailbox server and add the string below to block users accessing email through the application; in my case it is CloudMagic.

Below is the location:
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews

<denyStrings>
    <add string="CloudMagic" />
</denyStrings>

It is better to add this value in the CAS front-end proxy web.config as well, at:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync

Run iisreset after this.

Note: Make sure that you take a backup of the web.config file before making this change.
Additionally, create a rule in the firewall or reverse proxy so that any ActiveSync request whose URL contains "CloudMagic" is dropped and not forwarded.

After performing the above, log into your reverse proxy, apply the filter, and verify that requests with CloudMagic in the query are being blocked (they definitely should be).

Hope this helps

Thanks

Sathish Veerapandian

MVP – Exchange Server

Lost and stolen ActiveSync-enabled devices and the procedure to handle them in an EAS environment

Today mobile devices come in many flavours, versions, operating systems, hardware, etc. This creates a big security gap in terms of managing ActiveSync on these devices.

If we plan to bring in an MDM solution, a lot of study of the product is needed, since it involves different platforms, consoles, management, vendors, licenses, a team to run it, and finally the cost in terms of resources and hardware.

So planning how to manage these mobile devices is very important.

In this article, let's look at the best procedure to handle lost and stolen ActiveSync-enabled devices.

There are many best practices published on the web; I have listed a few points that can be followed.

Note: This applies only if we have EAS-enabled devices without any MDM or EMM integration.

If a user's EAS-enabled device is lost or stolen, the following procedure can be followed.

First, run the command below to check which EAS devices are associated with the user's account:

Get-ActiveSyncDevice -Mailbox "email address" | Select Name

Run the command Get-ActiveSyncDeviceStatistics -Mailbox "Email Address" to see the last sync time of the device.

If the user changes their password as soon as the device is lost, the device can no longer authenticate or sync with the mailbox, and so it will not receive the remote wipe command.

So it is better to leave the victim's password unchanged, so that the sync attempt succeeds and the device gets wiped.

Run the command below to have a notification email sent to you when the device is wiped:

Clear-ActiveSyncDevice -Identity Name -NotificationEmailAddresses administrator@domain.com

Note: EAS does not have an option to delete only the email; the remote wipe command deletes all data on the phone. It is better to inform the user before you perform this action so they know they will lose all data on the device.

You can also make use of the Log Parser tool along with this excellent script, which gives detailed information on ActiveSync devices, including the last connection attempts made, if any:

http://blogs.technet.com/b/exchange/archive/2012/01/31/a-script-to-troubleshoot-issues-with-exchange-activesync.aspx

Thanks 

Sathish Veerapandian
