Needed ports and front-end/back-end server configuration
Exchange communication requires configuration of appropriate ports for computers and devices that are outside your network. You should ensure that you have configured ports to allow traffic and to forward that traffic to the appropriate server(s). As an additional layer of security when configuring mobile device access, Microsoft recommends using Windows ISA Server and Exchange front-end and back-end servers (in which devices outside your network communicate only with the front-end server and not directly with the server that processes internal transactions). Refer to the Microsoft documentation listed at the end of this article for additional details on all of these configuration variables.
You will also need to verify that every network device that processes communication between your Exchange servers and iPhones outside your network (routers, firewalls and other security appliances) is configured with timeout limits that do not interfere with the heartbeat interval used for direct push. Timeouts on these devices that are too short could result in overall notification and sync failures for mobile devices, including the iPhone.
Forms-based authentication, SSL and single-server environments
Environments where Exchange is configured using a single server (as opposed to a front-end/back-end server configuration) can present their own challenges. As documented by Microsoft (along with details of the cause and potential resolutions), such environments will not properly support mobile device access if SSL is used to secure the related virtual directories used by Exchange and forms-based authentication is enabled.
Similarly, forms-based authentication can require additional configuration in any Exchange environment in relation to virtual directories, SSL and the use of a default domain. These issues can be resolved by implementing a front-end/back-end environment or by creating a secondary virtual directory for Exchange and adjusting the server's Windows registry to point to it.
Virtual directory permissions
Exchange relies on virtual directories in IIS for several pieces of functionality, including the implementation of Outlook Web Access, Outlook Mobile Access (a variation of OWA intended for mobile browsers) and ActiveSync with mobile devices. Altering the permissions or security properties of these virtual directories can cause problems or failures when accessing Exchange services from the iPhone.