
Active sync connection problem in ISA 2006

Active sync connection problem in ISA 2006 - 22.Jan.2007 11:39:09 AM   
mjgraves@tisecurity.

 

Posts: 73
Joined: 19.Jun.2006
Status: offline
Our OWA along with active sync was coming in from outside to internal on a PIX.  Having a fairly new ISA 2006 installed, I moved it to come in via ISA. So it is external to DMZ to ISA to Internal.

Web clients work with no problem, but active sync clients fail with 403 every time.

My path is set to external same as internal with internal as /*

I have checked active sync and mobile access in the publishing rule.

I set logging filters for specific client IP for testing, but the URL field is not showing.

< Message edited by mjgraves@tisecurity. -- 7.Feb.2007 10:27:27 AM >


_____________________________

Mark
Post #: 1
RE: Active sync connection problem in ISA 2006 - 26.Jan.2007 1:44:11 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Do the clients have the certificates installed?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)
Post #: 2
RE: Active sync connection problem in ISA 2006 - 29.Jan.2007 8:30:05 AM   
mjgraves@tisecurity.

 

Tom,
Thanks for the reply. I have asked this, but will check more thoroughly.

This application worked to the same OWA when it was just behind the PIX, and SSL was required at that time.  But I will confirm again the settings of the mobile device.

Thanks

_____________________________

Mark

(in reply to tshinder)
Post #: 3
RE: Active sync connection problem in ISA 2006 - 29.Jan.2007 8:29:42 PM   
tshinder

 

Hi Mark,

The PIX is just blindly passing the connections through, the ISA Firewall is terminating the connections. However, if blind SSL passthrough worked for those clients, it does indicate that the clients are configured correctly. In that case, you might want to check the rules and the certificates on the ISA Firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)
Post #: 4
RE: Active sync connection problem in ISA 2006 - 30.Jan.2007 10:14:58 AM   
mjgraves@tisecurity.

 

Tom,

I will do that. However, the browser clients work fine. The same cert that was on the internal OWA box when just accessed via PIX is what I installed on the ISA server.

It went fine into the cert store and ISA implemented it on the listener with no problems.  Browser clients work ok.

I will check again and look for anything obvious I may have overlooked.

This is a self-signed cert created on our domain.

Any specific logging I can turn on in ISA to gather more information?

Thanks.

_____________________________

Mark

(in reply to tshinder)
Post #: 5
RE: Active sync connection problem in ISA 2006 - 30.Jan.2007 10:39:28 AM   
tshinder

 

Are the OWA and ActiveSync Web Publishing Rules using the same Web listener?

Are there two rules or one rule?

Maybe there's a configuration error in the rule.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)
Post #: 6
RE: Active sync connection problem in ISA 2006 - 30.Jan.2007 1:59:26 PM   
mjgraves@tisecurity.

 

The OWA and Active sync are the same rule with the same listener and obviously the same Cert.

They are both hitting the same internal machine, so I figured the same listener.

_____________________________

Mark

(in reply to tshinder)
Post #: 7
RE: Active sync connection problem in ISA 2006 - 31.Jan.2007 11:19:27 AM   
tshinder

 

Hi Mark,

Try running the ISA Firewall BPA and see if that helps.

Also, what device are you running ActiveSync on? Windows Mobile or SmartPhone?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)
Post #: 8
RE: Active sync connection problem in ISA 2006 - 31.Jan.2007 11:35:42 AM   
mjgraves@tisecurity.

 

Tom,
Thanks for the quick response. I have done that, but it has been a while. I will do so again.

One client is a smartphone and one is a Palm.

ISA is not handling authentication, but the rule was set for "client cannot authenticate directly."  I changed it this morning to "client can authenticate directly."

This had no bearing on browser clients, but possibly could on the mobile devices.

I am waiting for test results.

Thanks!

_____________________________

Mark

(in reply to tshinder)
Post #: 9
RE: Active sync connection problem in ISA 2006 - 31.Jan.2007 11:47:23 AM   
tshinder

 

Hi Mark,

One of the major security benefits of using the ISA Firewall for OWA and Mobile access is pre-authentication at the ISA Firewall in order to prevent anonymous attacks against the Exchange Server. You might want to consider auth'ing at the ISA Firewall in the future to shore up your network security design.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)
Post #: 10
RE: Active sync connection problem in ISA 2006 - 31.Jan.2007 1:51:28 PM   
mjgraves@tisecurity.

 

Yes, I plan to do that. It is a gradual change in our architecture, of which ISA is a big part.

I got ISA implemented mainly for Sharepoint and am now moving more other web apps behind it.

I am very pleased with it.

_____________________________

Mark

(in reply to tshinder)
Post #: 11
RE: Active sync connection problem in ISA 2006 - 7.Feb.2007 10:26:35 AM   
mjgraves@tisecurity.

 

Tom,
The rule change took care of the problem.

Thanks for the help.

Mark

_____________________________

Mark

(in reply to mjgraves@tisecurity.)
Post #: 12
RE: Active sync connection problem in ISA 2006 - 7.Feb.2007 11:30:26 AM   
tshinder

 

Hi Mark,

What change did you make to get it to work?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)
Post #: 13
RE: Active sync connection problem in ISA 2006 - 13.Feb.2007 3:25:26 PM   
mjgraves@tisecurity.

 

Hi Tom,

Sorry for the delay.
Changing to "client is allowed to authenticate directly" took care of the problem.
Again, I know this is not ideal, and I am working on changing that.
Thanks for the excellent and friendly help.
Regards,
Mark

_____________________________

Mark

(in reply to tshinder)
Post #: 14
RE: Active sync connection problem in ISA 2006 - 14.Feb.2007 11:01:57 AM   
tshinder

 

Hi Mark,

Got it!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)
Post #: 15
RE: Active sync connection problem in ISA 2006 - 5.Mar.2007 3:24:34 PM   
patos

 

Posts: 34
Joined: 13.Oct.2006
Status: offline
Hi!

Just a quick tip for your smartphones.
If you are using a self-signed certificate, you will eventually have to deal with getting the root certificate into the smartphones (or any other Windows-based devices for that matter). ActiveSync will not like syncing over SSL based on a PKI it doesn't trust. But I guess you have already noticed this in some way. =)
In mobile 2003 you could do a simple reghack on the phone to make it ignore the cert validation error, but in 2005 it's a bit harder. And now with mobile 6 on the way I would really get my stuff together.

The simplest test is always to use the web browser in your phone and try to connect to the OWA website. If no warnings there, then the certificates are ok for your device.

(in reply to tshinder)
Post #: 16
RE: Active sync connection problem in ISA 2006 - 6.Mar.2007 11:22:52 AM   
tshinder

 

Hi Patos,

I haven't had a chance to play with WM6 yet, but from what I read, the certificate management process is supposed to be a lot easier. And one piece of very good news is that WM6 is supposed to support Wildcard Certs on the Web listener! Yay!!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to patos)
Post #: 17
RE: Active sync connection problem in ISA 2006 - 6.Mar.2007 6:11:11 PM   
patos

 

Well, we'll just have to wait and see. I'm sure some of them will come our way at work. We do a lot of work with cellphones. Unfortunately, all these non-disclosure agreements make it hard to know what you can say and not say though.

(in reply to tshinder)
Post #: 18
