Adjust your firewall to avoid Exchange 2007 Direct Push failures

Read how Direct Push works with Exchange Server 2007 and how to adjust firewall session timeout periods to avoid mobile device connection failures.

Microsoft Direct Push allows users to synchronize their mobile devices with Exchange 2003 or Exchange 2007 mailboxes. This tip focuses on Direct Push use with Exchange Server 2007, and explains how to adjust firewall session timeout periods to avoid mobile device connection failures.

Microsoft designed Direct Push so that it can establish an HTTP or HTTPS session with Exchange Server 2007, send a ping request called a heartbeat message, and then go to sleep until it receives a response. At this point, one of two things can happen:

  • If no new email messages arrive, the session will eventually time out. When a session's time limit expires, Exchange 2007 transmits an HTTP 200 response to the mobile device client, indicating that no changes have occurred. The client then issues another HTTP or HTTPS request, and the process starts again.

  • If a new email message arrives in the user's inbox before the HTTP or HTTPS session times out, then Exchange Server 2007 will respond and inform the mobile device client which folder to synchronize. When the mobile device client receives this response, it issues a synchronization request. Once all of the data has been synchronized, the client reissues an HTTP or HTTPS ping request, and the process begins again.

The longer the timeout period, the fewer HTTP or HTTPS ping requests must be sent between the mobile device and the Exchange server. Fewer ping requests result in less battery consumption and lower cellular bills.

So why not make the timeout period infinite? If a connection never times out, there is no way of knowing if it failed. Essentially, the longer the timeout period, the longer it takes a mobile device to detect a communications failure.

Exchange 2007 dynamically adjusts HTTP and HTTPS timeout periods based on the connection's reliability. When a connection is initially established between a mobile device and an Exchange server, the timeout period is relatively short. But over time, the timeout period is extended gradually as the connection proves to be reliable.

The firewall session timeout period controls the length of time that an HTTP or HTTPS connection is allowed to exist without any traffic after a session has been fully established. Most firewalls are configured by default with timeout periods shorter than 28 minutes.

If the timeout period is set too low, then the firewall will disconnect the session and force the mobile device to reconnect. Email remains unsynchronized until the mobile device reconnects, possibly leading to longer periods of time in which the mobile device is out of sync with the Exchange server. To avoid this problem, Microsoft recommends setting your firewall's idle connection timeout period to 30 minutes.

Direct Push has four heartbeat registry keys. The HeartbeatMax registry key controls the Direct Push maximum heartbeat duration. By default, the maximum heartbeat duration is set to 28 minutes. You can adjust the registry key to extend heartbeat durations, but your network settings may prevent Exchange from using even the default maximum heartbeat duration.

If you choose to configure an Exchange 2007 Client Access Server to extend the heartbeat duration, then you must adjust your firewall's timeout settings accordingly. I recommend configuring your firewall's timeout period about two minutes longer than the heartbeat duration that Exchange Server uses.
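The interaction between the heartbeat interval and the firewall's idle timeout can be seen in a small simulation. This is an added example, not code from the author or from Microsoft; the starting interval, step size and back-off rule are assumptions made for illustration, and only the 28-minute maximum and the two-minute margin come from the article.

```python
# Added example: toy model of Direct Push heartbeats crossing a firewall.
# The start interval, step size and back-off rule are assumptions for
# illustration; only the 28-minute maximum and the "+2 minutes" margin
# come from the article.
from dataclasses import dataclass

HEARTBEAT_MAX_MIN = 28      # default maximum heartbeat (from the article)
MARGIN_MIN = 2              # article's recommended firewall margin

@dataclass
class Result:
    drops: int              # sessions cut by the firewall while idle
    completed: int          # heartbeats answered with HTTP 200
    final_interval: int     # heartbeat interval after the last cycle
    worst_gap: int          # longest time (min) a dead session went unnoticed

def recommended_firewall_timeout(heartbeat_max=HEARTBEAT_MAX_MIN):
    """Firewall idle timeout the article recommends for a given heartbeat."""
    return heartbeat_max + MARGIN_MIN

def simulate(firewall_idle_min, heartbeat_max=HEARTBEAT_MAX_MIN,
             start=8, step=4, cycles=40):
    """Run `cycles` idle heartbeats (no new mail) through the firewall."""
    interval, drops, completed, worst_gap = start, 0, 0, 0
    for _ in range(cycles):
        if interval >= firewall_idle_min:
            # The firewall discards the idle session before the server's
            # HTTP 200 is due; the device only notices when the heartbeat
            # interval expires without a response.
            drops += 1
            worst_gap = max(worst_gap, interval - firewall_idle_min)
            interval = max(start, interval - step)          # assumed back-off
        else:
            completed += 1
            interval = min(heartbeat_max, interval + step)  # assumed growth
    return Result(drops, completed, interval, worst_gap)

if __name__ == "__main__":
    for fw in (15, 28, recommended_firewall_timeout()):
        print(f"firewall idle timeout {fw:>2} min -> {simulate(fw)}")
```

With a 15-minute or 28-minute firewall timeout the model keeps losing sessions and never holds the 28-minute heartbeat; with the recommended 30 minutes it reaches 28 minutes and stays there with no drops.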

About the author: Brien M. Posey, MCSE, is a four-time recipient of Microsoft's Most Valuable Professional Award for his work with Windows Server, Internet Information Server (IIS) and Exchange Server. Brien has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox. You can visit Brien's personal Web site at
