Further Dealings with Event 1040 MS Exchange ActiveSync
Further to the previous article: Dealing with Event ID 1040 MS Exchange ActiveSync we are still experiencing this problem. Apparently the only port required for Direct Push to work from Exchange 2007 Server with ActiveSync is HTTPS on port 443. The recommendation is to increase the firewall time-out for this path to between 15 and 30 minutes (see Configuring Direct Push to Work Through Your Firewall).
Using our SonicWALL firewall I have made this change however the event is still appearing with regularity in our Exchange event logs. Up until now I have considered the requirement to only affect TCP connections however I did an experiment to increase the timeout for UDP to this value – for a while I thought this might have resolved the issue but it looks like it hasn’t.
The particular message in the event logs states
Event Type: Warning
Event Source: MSExchange ActiveSync
Event Category: Requests
Event ID: 1040
The average of the most recent  heartbeat intervals used by clients is less than or equal to .
Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and Direct Push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.
For more information about how to configure firewall settings when you use Exchange ActiveSync, see Microsoft Knowledge Base article 905013, "Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013).
The 540 seconds (exactly 9 minutes) setting is bugging me and for these tests I set the firewall to 30 minutes for HTTPS so the problem has to lie some other configuration setting.
The Knowledge Base 905013 article is a little thin at Enterprise firewall configuration for Exchange ActiveSync Direct and I didn’t get very far with SonicWALL support as they were asking me to identify the particular user device which was causing the event. This isn’t very practical as there are a whole bunch of devices out there and little information to help me identify which one (or ones) it may be.
I have re-enabled detailed logging on the W3SVC for OWA to see if that sheds any light on the situation.