iOS Outlook Activesync works, iOS Mail Activesync doesn't

Tags: activesync, exchange-2010, ios, outlook, palo-alto-networks

We have a guest wifi network that is in a DMZ-like zone on the firewall. Our Exchange 2010 servers are in the "inside" zone of the firewall, with 1-1 NAT to public IP addresses in the "outside" zone.

Autodiscover and Activesync work just fine in all situations from "outside" (note that this means the Microsoft Remote Connectivity analyzer passes all tests).

Going from the guest wifi zone to the inside zone where the Exchange servers are involves "hairpinning" or a "u-turn" on the external interface of the firewall because the guest wifi clients use public DNS for Autodiscover and Activesync (we don't want guests to be able to see our internal DNS, of course). The firewall manufacturer (Palo Alto) has a configuration guide for u-turn configurations which I have followed and which works, except with one quirk:

An iOS device on the guest wifi can connect to Exchange for both Autodiscover and Activesync using the Microsoft Outlook app for iOS, but cannot use Autodiscover or Activesync using the built-in iOS Mail app.

I can't figure out why those two would behave or work differently. So far I have suspected that Apple is trying to use different ports or something to synchronize, even though my expectation is only HTTPS 443 and (possibly) HTTP 80 would be needed. Currently the ports I have open to the Exchange servers from the guest wifi zone are 80, 443, and 143 (for IMAP as a stab in the dark).

What's the difference between Outlook for iOS and iOS Mail in terms of Activesync?


Edit – more information

I've done a couple things to try to get to the bottom of this. First, I opened up all the ports between the guest wifi zone and the Exchange servers, and nothing changed. This makes me think somehow the u-turn configuration might not be working but somehow the Outlook for iOS app is working around that.

Second, I filtered the firewall logs for connections from the guest wifi zone to the Exchange servers and there is nothing logged, even when the Outlook for iOS app is retrieving mail.

So my current theory is that Microsoft has built some resilience into their Outlook for iOS app by allowing it to use a kind of Activesync proxy service to help it reach destination servers in all situations, or something like that.

Best Answer

The Outlook app doesn't connect to Exchange directly - that is the difference.

All traffic for the Outlook app goes to servers under Microsoft's control (they were in Amazon AWS, I think they have now been brought to Azure). The Microsoft server then makes the connection to your Exchange server.

The Microsoft Outlook app for iOS and Android is based on another app called Acompli, which Microsoft bought in 2014. Here is an old blog post on the concerns with it (the only thing that has changed is the data centres used):

https://blog.winkelmeyer.com/2015/01/warning-microsofts-outlook-app-for-ios-breaks-your-company-security/

You need to review your firewall configuration again - so that the traffic for your internal servers goes out the correct way.
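As an added diagnostic (not part of the question or the answer above), the following Python 3 script, using only the standard library, makes the direct connection the built-in iOS Mail app makes: it resolves the ActiveSync host with whatever DNS the client is using (public DNS on the guest wifi) and sends an unauthenticated OPTIONS request to the ActiveSync virtual directory. The host name is a placeholder; run it from the guest wifi. A 401 from Exchange shows the u-turn NAT path is working for direct clients, while a timeout or refused connection points at the firewall/NAT policy, which is the path the Outlook app never exercises because it is relayed through Microsoft's servers.

```python
"""Probe direct reachability of Exchange ActiveSync from the current network."""
import socket
import ssl
import http.client

EAS_PATH = "/Microsoft-Server-ActiveSync"   # Exchange ActiveSync virtual directory


def classify(status, headers):
    """Interpret an unauthenticated OPTIONS reply from the EAS virtual directory.
    headers is a dict with lower-case keys. Exchange answers an anonymous
    request with 401 and a WWW-Authenticate challenge; an authenticated one
    with 200 and MS-ASProtocolVersions."""
    if status == 401 and "www-authenticate" in headers:
        return "reachable: EAS endpoint answered, auth required (NAT u-turn works)"
    if status == 200 and "ms-asprotocolversions" in headers:
        return "reachable: EAS protocol versions advertised"
    if status in (301, 302, 307, 308):
        return "redirected to %s (check the published external URLs)" % headers.get("location")
    return "unexpected reply: HTTP %d" % status


def probe(host, port=443, timeout=10):
    """Resolve host with the client's resolver, then talk TLS to it directly."""
    try:
        addr = socket.gethostbyname(host)   # public IP expected on the guest wifi
    except socket.gaierror as exc:
        return None, "dns failure: %s" % exc
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("OPTIONS", EAS_PATH, headers={"User-Agent": "eas-probe"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return addr, classify(resp.status, headers)
    except (OSError, ssl.SSLError) as exc:   # timeout, refused, TLS failure
        return addr, "unreachable: %s" % exc
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Placeholder host name; replace with your own ActiveSync/Autodiscover host.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    ip, verdict = probe(target)
    print("%s -> %s: %s" % (target, ip, verdict))
```

Compare the verdict with the firewall log for the same timestamp: a direct probe that reaches Exchange should produce a guest-zone to inside-zone session entry, which the Outlook app traffic never will.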