The following figure shows a typical Exchange 2010 topology that's configured for Direct Push. This figure assumes you have the Client Access and Mailbox server roles installed on two separate Exchange computers. You can also install both server roles on the same physical Exchange 2010 computer.

Direct Push network design

Direct Push operates in the following way:

1. A mobile phone that's configured to synchronize with an Exchange 2010 server issues an HTTPS request to the server. This request is known as a PING. The request tells the server to notify the device if any items change in any folder that's configured to synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The mobile phone then stands by. The 15-minute time span is known as a heartbeat interval.
   
   
2. If no items change in 15 minutes, the server returns a response of HTTP 200 OK. The mobile phone receives this response, resumes activity (known as waking up), and issues its request again. This restarts the process.
   
   
3. If any items change or new items are received within the 15-minute heartbeat interval, the server sends a response that informs the mobile phone that there's a new or changed item and provides the name of the folder in which the new or changed item resides. After the mobile phone receives this response, it issues a synchronization request for the folder that has the new or changed items. When synchronization is complete, the mobile phone issues a new PING request and the whole process starts over.
   
   

Direct Push depends on network conditions that support a long-standing HTTPS request. If the carrier network for the mobile phone or the firewall doesn't support long-standing HTTPS requests, the HTTPS request is stopped. The following steps describe how Direct Push operates when a mobile phone's carrier network has a time-out value of 13 minutes:

1. A mobile phone issues an HTTPS request to the server. The request tells the server to notify the device if any items change in any folder that is configured to synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The mobile phone then stands by.
   
   
2. If the server does not respond after 15 minutes, the mobile phone wakes up and concludes that the connection to the server was timed out by the network. The device reissues the HTTPS request, but this time it uses a heartbeat interval of 8 minutes.
   
   
3. After 8 minutes, the server sends an HTTP 200 OK message. The device then tries to gain a longer connection by issuing a new HTTPS request to the server that has a heartbeat interval of 12 minutes.
   
   
4. After 4 minutes, a new e-mail message is received and the server responds by sending an HTTPS request that tells the device to synchronize. The device synchronizes and reissues the HTTPS request that has a heartbeat of 12 minutes.
   
   
5. After 12 minutes, if there are no new or changed items, the server responds by sending an HTTP 200 OK message. The device wakes up and concludes that network conditions support a heartbeat interval of 12 minutes. The device then tries to gain a longer connection by reissuing an HTTPS request that has a heartbeat interval of 16 minutes.
   
   
6. After 16 minutes, no response is received from the server. The device wakes up and concludes that network conditions cannot support a heartbeat interval of 16 minutes. Because this failure occurred directly after the device tried to increase the heartbeat interval, it concludes that the heartbeat interval has reached its maximum limit. The device then issues an HTTPS request that has a heartbeat interval of 12 minutes because this was the last successful heartbeat interval.
   
   

The mobile phone tries to use the longest heartbeat interval the network supports. This extends battery life on the device and reduces how much data is transferred over the network. Mobile carriers can specify a maximum, minimum, and initial heartbeat value in the registry settings for the mobile phone.

For Direct Push to work through your firewall, you must open TCP port 443. This port is required for Secure Sockets Layer (SSL) and must be opened between the Internet and the Client Access server.

In addition to opening ports on your firewall, for optimal Direct Push performance, you should increase the time-out value on your firewall from the default of 15 minutes to 30 minutes. The maximum length of the HTTPS request is determined by the following settings:

• The maximum time-out value that's set on the firewalls that control the traffic from the Internet to the Client Access server
  
  
• The Firewall time-out values that are set by the mobile service provider
  
  

A short time-out value causes the device to initiate a new HTTPS request more frequently. This can shorten battery life on the device. For more information about how to configure your firewall, see the ISA Server Product Documentation.