The PIX is just blindly passing the connections through; the ISA Firewall is terminating the connections. However, if blind SSL passthrough worked for those clients, it does indicate that the clients are configured correctly. In that case, you might want to check the rules and the certificates on the ISA Firewall.
One of the major security benefits of using the ISA Firewall for OWA and Mobile access is pre-authentication at the ISA Firewall in order to prevent anonymous attacks against the Exchange Server. You might want to consider auth'ing at the ISA Firewall in the future to shore up your network security design.
Sorry for the delay. Changing to "client is allowed to authenticate directly" took care of the problem. Again, I know this is not ideal, and I am working on changing that. Thanks for the excellent and friendly help. Regards, Mark
Just a quick tip for your smartphones. If you are using a self-signed certificate, you will eventually have to deal with getting the root certificate into the smartphones (or any other Windows-based devices for that matter). ActiveSync will not like syncing over SSL based on a PKI it doesn't trust. But I guess you have already noticed this in some way. =) In Mobile 2003 you could do a simple reghack on the phone to make it ignore the cert validation error, but in 2005 it's a bit harder. And now with Mobile 6 on the way I would really get my stuff together.
The simplest test is always to use the web browser in your phone and try to connect to the OWA website. If no warnings there, then the certificates are ok for your device.
I haven't had a chance to play with WM6 yet, but from what I read, the certificate management process is supposed to be a lot easier. And one piece of very good news is that WM6 is supposed to support Wildcard Certs on the Web listener! Yay!!
Well we'll just have to wait and see. I'm sure some of them will come our way at work. We do a lot of work with cellphones. Unfortunately, all these non-disclosure agreements make it hard to know what you can say and not say though.