Chris De Herrera's Windows CE Website

Discuss.Pocket PC FAQ Forum

Add Pocket PC FAQ to your Favorites
RSS    RSS Feeds
Wiki    Lost?
Custom Search
Subscribe    Print
Table of Contents
Mobile Format

[an error occurred while processing this directive]

Pocket PC Magazine Best Site

Website Awards
Website Updates

By Chris De Herrera 
Copyright 1998-2007
 All Rights Reserved
A member of the Talksites Family of Websites

Windows and Windows CE are trademarks of Microsoft
and are used
under license from owner.
CEWindows.NET is not
associated with Microsoft 

All Trademarks are owned
by their respective companies.

ActiveSync 4.x Troubleshooting Guide - Firewall, VPN, Proxy Issues
By Chris De Herrera, Copyright 2005, 2006, 2008
 Version 1.21  Revised 9/7/2008

[an error occurred while processing this directive]


    1. Installation

    2. Initial Configuration

    3. USB Issues

    4. Guest Issues

    5. Firewall and Proxy Issues

    6. Outlook Errors

    7. Synchronization Errors

    8. Mobile Information Server / Outlook Mobile Access

    9. Exchange ActiveSync Error Codes and Solutions

    10. Missing Calendar, Contacts or Tasks Items

    11. Security Advisories

    12. ActiveSync 4.x Troubleshooting Guide - General

    13. ActiveSync 4.x Troubleshooting Guide - Limitations

    14. ActiveSync 4.x Troubleshooting Guide - 85010014

    15. ActiveSync 4.x Troubleshooting Guide - Firewall, VPN, Proxy

    16. ActiveSync 4.x Troubleshooting Guide - Logs & Services

    17. ActiveSync 4.x Troubleshooting Guide - Connection Flow

    18. USB Advanced Network Functionality

    19. Microsoft ActiveSync 4.2 Troubleshooting

    20. Using ActiveSync 4.x and Visual Studio 2005 and the Emulator

    21. Understanding ActiveSync or WMDC Partnerships


With the recent release of Windows Mobile 5.0, Microsoft has released ActiveSync 4.0.  ActiveSync 4.0 continues to build on prior version of ActiveSync with some significant changes for Windows Mobile 5.0 devices including support for synchronizing Media, support for USB 2.0 devices, Internet Explorer Favorites synchronization for Smartphone. These updates are only available for Windows Mobile 5.0 devices. Microsoft released ActiveSync 4.1 to improve the user's experience with networks (specifically VPNs, firewalls, and parental controls) and Outlook. This article covers some common issues and solutions for users of ActiveSync 4.x.  I recommend that users of ActiveSync 4.0 upgrade to ActiveSync 4.1 to see if their problem has been solved with the upgrade. Also, Microsoft has just released ActiveSync 4.2.   The latest version of ActiveSync is 4.5  which supports through Windows Mobile 6.1.    Microsoft also has a ActiveSync 4.0 USB Connection Troubleshooting Guide which may be helpful as well.

List of Firewall, VPN and Proxy Issues

  1. If you are using a software firewall on your PC, you need to allow ActiveSync to use TCP/IP. ActiveSync uses the programs WCESCOMM.EXE,  WCESMGR.EXE, RAPIMGR.EXE, and CEAPPMGR.EXE.

    ActiveSync uses the following TCP and UDP ports (the number, use and direction of these ports is not guaranteed with future releases of ActiveSync):

    Port Direction Type Description
    990 Inbound TCP Remote API (RAPI)
    999 Inbound TCP Status
    5678 Inbound TCP Legacy Replication
    5679 Outbound UDP Legacy Replication
    5721 Inbound TCP Desktop Passthrough (DTPT)
    26675 Inbound TCP AirSync

    Also, ActiveSync uses for your PC and for your Windows Mobile 5.0, 6 or 6.1 device.  When you install ActiveSync 4.x on Windows XP, Service Pack 2 and Windows Server 2003 it should configure the firewall exceptions for ActiveSync automatically for you.  To configure the firewall settings visit:

    • Sygate Personal Firewall
    • TrendMicro PC-cillin Internet Security 2005
    • Norton Personal Firewall
    • Zone Alarm Security Suite
    • McAfee Personal Firewall
    • If you wish to reconfigure Windows XP, SP2 back to the default firewall exceptions for ActiveSync 4.1, I have created the following .REG file - ActiveSync_4.1_XPSP2_Firewall_Exceptions.reg  Just click on it and it will install the registry changes to allow ActiveSync 4.1 to operate.
    • Sygate Security Agent 4.1  Sygate Security Agent requires the maximum transmission unit (MTU) for the network connection to be set to 1514 which is the same as the default for Ethernet.
      You need to use a Registry Editor on the Mobile Device to change the following settings:

      Registry Sub Key: [HKEY_LOCAL_MACHINE\Drivers\USB\FunctionDrivers\RNDIS]
      Name of the Value to add: MTU Type : DWORD Data: 1514 (Value is Decimal)

      Registry Sub Key: [HKEY_LOCAL_MACHINE\Drivers\USB\FunctionDrivers\RNDIS]
      Name of Value to add: MaxOutTransfer Type: DWORD Data: 1642 (Value is Decimal)

      Please note that modifying the registry on your mobile device or PC is not supported by Microsoft or your OEM.

  2. If you are using a Virtual Private Network (VPN) or other network software, you may not be able to sync with your Pocket PC.  This is because ActiveSync is using the NDIS Intermediate Drivers to connect.  This problem may occur if your VPN's security profile does not allow a split horizon (accessing the VPN and the internet or Pocket PC).  See the Microsoft article ActiveSync 4.0 USB Connection Troubleshooting Guide to unbind these drivers.  Also, if you are using ActiveSync 4.0, I suggest that you upgrade to ActiveSync 4.1.
  3. If you are using the Cisco VPN client and you can't sync after installing ActiveSync 4.x, try uninstalling ActiveSync 4.x and the Cisco VPN client. Then install ActiveSync 4.x followed by the Cisco VPN client.   Another alternative is to disable the stateful firewall by going into the option menu and selecting the option to disable the Stateful Firewall.
  4. If you have SSH Sentinel installed this can prevent you from synchronizing.  If you uninstall SSH Sentinel you will be able to sync.
  5. If you are using Microsoft's ISA Firewall Client, you need to create a file called c:\program files\microsoft activesync\wspcfg.ini with the following in the text file or download and execute create_wspcfg_activesync.bat:


    Also, the network administrator may have to setup the ISA server's Local Address Table (LAT) to allow and (for Windows Mobile 5.0 devices) and and (for Windows Mobile 2003, 2003 SE and prior devices).

  6. If you are using a CheckPoint VPN and cannot sync try the following:
    1. Install the ActiveSync 4.x software on the target PC. Following successful installation, reboot the PC.
    2. Connect the USB cable from the mobile cradle into a USB port on the target PC.
    3. Click on Start - Run and type CMD and enter
    4. Type CD "C:\Program Files\CheckPoint\SecuRemote\boot\modules"
    5. Then type fwkern.exe -re
    6. Place the mobile device into its cradle and allow the device to perform sync.
    Upon successfully completing this procedure, use the sync software and verify that the PC & the mobile device do successfully sync.
  7. If you are using the DLink VPN (a repackaged CheckPoint VPN client) there is no known option to allow an exception for ActiveSync.

If your problem is not resolved here, try Bev Howard's Solving ActiveSync Issues, the Microsoft ActiveSync Troubleshooter or Microsoft's Knowledge Base search on ActiveSync or Microsoft's Knowledge Base search on Mobile Information Server.

[an error occurred while processing this directive]

Return to Chris De Herrera's Windows CE Website