Enterprise firewall configuration for Exchange ActiveSync Direct Push Technology

Applies to: Exchange Server 2003 Service Pack 2


After you install Microsoft Exchange Server 2003 Service Pack 2 (SP2), a Warning event that is similar to the following is logged in the Application event log:

This issue may occur if the firewall has not been configured to let HTTP(S) requests live longer than the minimum heartbeat interval that is configured on the server that is running Exchange Server 2003 SP2. By default, the minimum heartbeat interval at which the Exchange server triggers this event is nine minutes.

More Information

To resolve this issue, modify the firewall time-out values for HTTP(S) connections to the Exchange server to be greater than the default time-out limit of eight minutes.

Note: This does not refer to the Connection Timeout field in the IIS MMC snap-in. Alternatively, modify the minimum heartbeat interval. We recommend that the firewall time-out value be set to a minimum of 15 minutes for the Exchange Direct Push Technology Always-up-to-date (AUTD) feature to perform optimally.

The heartbeat interval is the amount of time that the mobile device calculates should pass between its pings to the server. The session between the server and the mobile device ends if one of the following conditions is true:
  • No e-mail messages arrive in the mailbox to initiate a notification.
  • There is no response from the server before the heartbeat interval elapses.
Exchange Direct Push Technology uses this heartbeat interval so that the server and the mobile device can maintain connectivity. Therefore, a session is open for the server to use to notify the mobile device when an e-mail message arrives.

Exchange Server 2003 maintains a sliding window of the most recent heartbeat intervals that are supplied to the server by mobile clients. The default value for this sliding window is 200 heartbeat intervals. You can configure this value in the HbiSampleSize registry key. However, it is not expected that the default value will ever need to be adjusted. See the table in this section for the values of the HbiSampleSize registry key.

An event is logged in the Application event log when both of the following conditions are true:
  • The average of the heartbeat intervals in this sliding window is less than or equal to the alert threshold.
  • There are HbiSampleSize samples.
The default alert threshold is 540 seconds (9 minutes). However, you can configure the alert threshold in the HbiAlertThreshold registry key. See the table in this section for the values of the HbiAlertThreshold registry key. The event will not be logged more than one time per hour. It is not expected that the default value will ever need to be adjusted.
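The logging rule described above, modelled as a short simulation. This is an added example, not Exchange code: the class and function names, the one-sample-per-minute arrival rate and the sample interval values are assumptions constructed for illustration.

```python
from collections import deque

DEFAULT_SAMPLE_SIZE = 200          # HbiSampleSize default
DEFAULT_ALERT_THRESHOLD = 540      # seconds, per the text (the table lists 480)
MIN_SECONDS_BETWEEN_EVENTS = 3600  # event logged at most once per hour


class HeartbeatMonitor:
    """Model of the sliding-window check (hypothetical, not Exchange code)."""

    def __init__(self, sample_size=DEFAULT_SAMPLE_SIZE,
                 alert_threshold=DEFAULT_ALERT_THRESHOLD):
        self.sample_size = sample_size
        self.alert_threshold = alert_threshold
        self.window = deque(maxlen=sample_size)  # oldest sample drops out
        self.last_event_at = None

    def record(self, interval_seconds, now):
        """Add one client-supplied interval; return True if an event is logged."""
        self.window.append(interval_seconds)
        if len(self.window) < self.sample_size:
            return False  # the window must hold HbiSampleSize samples
        average = sum(self.window) / len(self.window)
        if average > self.alert_threshold:
            return False  # the average must be <= the alert threshold
        if (self.last_event_at is not None
                and now - self.last_event_at < MIN_SECONDS_BETWEEN_EVENTS):
            return False  # suppressed: already logged within the last hour
        self.last_event_at = now
        return True


def simulate(intervals, step_seconds=60, **kwargs):
    """Feed samples, one every step_seconds; return the times of logged events."""
    monitor = HeartbeatMonitor(**kwargs)
    return [i * step_seconds for i, hbi in enumerate(intervals)
            if monitor.record(hbi, now=i * step_seconds)]


# Constructed samples: clients reporting short intervals (as when connections
# are cut early) versus clients reporting 15-minute intervals.
short_intervals = [120] * 400
long_intervals = [900] * 400

if __name__ == "__main__":
    print("events with 120 s samples:", simulate(short_intervals))
    print("events with 900 s samples:", simulate(long_intervals))
```

No event can appear until the window is full, so with the default sample size the first 199 samples never produce a warning regardless of how short they are.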

We recommend that you increase the firewall time-out values for HTTP(S) requests to the Exchange Server Microsoft-Server-ActiveSync virtual directory to provide a richer, "always-up-to-date" experience. The method that you use to increase the firewall time-out values depends on which firewall product you use. Refer to the firewall documentation for information about how to increase the firewall time-out values.

To configure Microsoft Internet Security and Acceleration Server (ISA) 2004 idle session time-out values for Exchange Direct Push Technology

  1. In the console tree of ISA Server Management, click Firewall Policy.
  2. On the Toolbox tab, click Network Objects.
  3. Expand the Web Listeners node, and then view the properties of the applicable Web Listener.
  4. Click the Preferences tab, and then click Advanced.
  5. Modify the Connection Timeout from the default 120 seconds (2 minutes) to 1800 seconds (30 minutes).
  6. Click OK two times to accept these changes.
  7. Click Apply.
The following table contains the values that can be modified as they relate to the heartbeat interval. These registry values are not present in a fresh installation of Exchange Server 2003 SP2. The server reverts to hard-coded defaults if these registry values are missing. The administrator must manually create these registry values if he or she wants to set the values. These values can be set in the following registry key:
| Name | Data type | Values | Default | Description |
|---|---|---|---|---|
| MinHeartbeatInterval | DWORD | 1 - MaxHeartbeatInterval | 60 seconds | Minimum heartbeat interval |
| MaxHeartbeatInterval | DWORD | MinHeartbeatInterval - 3540 | 2700 seconds (45 minutes) | Maximum heartbeat interval |
| HbiSampleSize | DWORD | 1 or higher | 200 samples | Heartbeat interval sample size |
| HbiAlertThreshold | DWORD | 1 or higher | 480 seconds | Heartbeat interval alert threshold |

  • In this table, the value "1 - MaxHeartbeatInterval" indicates any value between 1 and the value of MaxHeartbeatInterval. Also, the value "MinHeartbeatInterval - 3540" indicates any value between the value of MinHeartbeatInterval and 3540.
  • If any one of these values is set in the registry, and the specified value falls outside the listed values for that parameter, initialization of Exchange ActiveSync will revert to the defaults. Additionally, an event is logged in the Application event log. However, an event is not logged in the Application event log if the value is set to zero. When a value is set to zero, the behavior is as if the value were absent. In other words, the hard-coded default is used.
  • Exchange ActiveSync reads these values one time at startup. Therefore, if an administrator decides to change the values, the IIS Admin Service must be restarted for the changes to take effect.
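A pre-change check of proposed values against the ranges in the table, including the zero-means-absent rule. This is an added example, not part of the original article or of Exchange: the function name and the firewall_timeout parameter are hypothetical, and comparing an unset bound at its default value is an assumption.

```python
# Defaults and ranges transcribed from the table above (seconds, except
# HbiSampleSize, which is a sample count).
DEFAULTS = {
    "MinHeartbeatInterval": 60,
    "MaxHeartbeatInterval": 2700,
    "HbiSampleSize": 200,
    "HbiAlertThreshold": 480,
}
MAX_INTERVAL_CEILING = 3540
RECOMMENDED_FIREWALL_TIMEOUT = 900  # 15 minutes, as recommended above


def check_heartbeat_settings(proposed, firewall_timeout=None):
    """Return (effective, findings) for proposed DWORD values.

    `proposed` maps value names to integers; names left out are treated as
    absent. `firewall_timeout` (seconds) is an optional, hypothetical input.
    """
    findings = []
    effective = {}
    for name, default in DEFAULTS.items():
        raw = proposed.get(name, 0)
        if not 0 <= raw <= 0xFFFFFFFF:
            findings.append(f"{name}={raw} is not a valid DWORD")
            raw = 0
        # Zero behaves like an absent value: default used, no event logged.
        effective[name] = raw if raw else default

    low = effective["MinHeartbeatInterval"]
    high = effective["MaxHeartbeatInterval"]
    # Assumption: an unset bound is compared at its default value.
    if low > high:
        findings.append(f"MinHeartbeatInterval {low} > MaxHeartbeatInterval {high}")
    if high > MAX_INTERVAL_CEILING:
        findings.append(f"MaxHeartbeatInterval {high} > {MAX_INTERVAL_CEILING}")
    if (firewall_timeout is not None
            and firewall_timeout < RECOMMENDED_FIREWALL_TIMEOUT):
        findings.append(f"firewall time-out {firewall_timeout}s is below 900s")
    return effective, findings


if __name__ == "__main__":
    # Constructed input: only the minimum is raised, so it overtakes the
    # default maximum of 2700, and the firewall still uses a 120 s time-out.
    print(check_heartbeat_settings({"MinHeartbeatInterval": 3000},
                                   firewall_timeout=120))
```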
In the release version of Exchange 2007, these registry settings have been moved to the Sync web.config file.

Release version of Exchange 2007
  1. In Notepad, open the Sync web.config file on the Client Access Server. By default, that location is under \Program Files\Microsoft\Exchange Server\ClientAccess\Sync.

  2. Search for and modify the following values as needed:
    <add key="MinHeartbeatInterval" value="60"></add>
    <add key="MaxHeartbeatInterval" value="3540"></add>