OMA & OWA 2-External IP Configuration
OMA & OWA 2-External IP Configuration - 7.Dec.2005 1:01:22 AM
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
I just got a PDA phone from Sprint. I got my hands on a PPC-6700 which uses Windows Mobile 5.0. I am trying to configure my ISA 2004 / Exchange 2003 Server for Outlook Mobile Access & ActiveSync.

I currently have ISA 2004 publishing my OWA site on 1 of the 2 external IPs I have. I am using forms-based authentication for OWA, which is working successfully. I am able to use the second IP I have for the OMA / ActiveSync services. I am having a little bit of a problem getting it set up correctly. I tried binding the OWA certificate to the OMA listener, but no go :(

What rule / listener / certificate do I need to configure or create to get OMA configured? Do I need to create a listener listening for a request to IP or oma.conseptsolutions.com, or still continue to use owa.conseptsolutions.com?

Any help, links to articles or anything would be greatly appreciated! Thank you.

Bryan
RE: OMA & OWA 2-External IP Configuration - 7.Dec.2005 2:11:50 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bryan,

You'll need a second certificate and create a second listener and bind the certificate to that listener. You can use the same certificate on the OMA/ActiveSync site, though.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: OMA & OWA 2-External IP Configuration - 7.Dec.2005 3:33:40 PM
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
quote:
ORIGINAL: tshinder
Hi Bryan, You'll need a second certificate and create a second listener and bind the certificate to that listener. You can use the same certificate on the OMA/ActiveSync site, though. HTH, Tom

How do I generate a certificate, or more specifically what type of certificate do I generate for the OMA site? Following the FBA OWA Publishing guide found on this site, the Default Web Site is using the owa.conseptsolutions.com certificate that I requested from my CA. I can't go to the OMA, ActiveSync site and generate a request. I can manually generate a certificate from my CA though, but seeing as I have never done it that way I don't really know how.

Would I benefit in any way if I followed the guide to publish FBA and OMA/ActiveSync using 1 IP address? I have 2 IPs available, but I just need some clarification on how to configure either one I go with.

Thanks for any help.

-Bryan
RE: OMA & OWA 2-External IP Configuration - 8.Dec.2005 1:05:05 AM
Jason Jones
Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: bheusmann
quote:
ORIGINAL: tshinder
Hi Bryan, You'll need a second certificate and create a second listener and bind the certificate to that listener. You can use the same certificate on the OMA/ActiveSync site, though. HTH, Tom

How do I generate a certificate, or more specifically what type of certificate do I generate for the OMA site? Following the FBA OWA Publishing guide found on this site, the Default Web Site is using the owa.conseptsolutions.com certificate that I requested from my CA. I can't go to the OMA, ActiveSync site and generate a request. I can manually generate a certificate from my CA though, but seeing as I have never done it that way I don't really know how. Would I benefit in any way if I followed the guide to publish FBA and OMA/ActiveSync using 1 IP address? I have 2 IPs available, but I just need some clarification on how to configure either one I go with. Thanks for any help. -Bryan

Bryan,

You need to request another certificate from your public CA for mobile services, call it mobile.conceptsolutions.com for example. The issue you are seeing is that in IIS you can't generate another cert if one is already assigned to a website. You can get around this by creating a dummy website to do the request from - once the cert has been installed you can then export the cert and put it on ISA and delete the dummy website.

Check out the following guide for the ISA setup which should help quite a bit:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/firewall-exchange2003.mspx

HTH
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: OMA & OWA 2-External IP Configuration - 8.Dec.2005 4:24:00 PM
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
JJ,

Thanks for the tip on requesting another certificate. I was able to request and add a certificate to the ISA certificate store with no problems. I used the Mail Server publishing wizard to publish OMA and ActiveSync services on the 2nd public IP I have. I used the certificate I requested (mobile.conseptsolutions.com) for the listener and selected Basic authentication.

This is the error I am getting on my PPC-6700 (I used the address mobile.conseptsolutions.com for the server configuration):

Result: The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server.
Support code: 0x80072F0D

Have any ideas? I don't have a Front-End Exchange setup; basically the Front-End Exchange server is the one and only Exchange server I have in the internal LAN. I looked at that document you provided me in the post above and am thinking I may re-do my OWA/OMA/ActiveSync configuration to mimic what it says.

Any help you could give would be appreciated. Thank you.

-Bryan
RE: OMA & OWA 2-External IP Configuration - 8.Dec.2005 4:29:51 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bryan,

Is this a commercial certificate or a home grown one? Also, remember the name the external client uses to connect to the ActiveSync site needs to match the common/subject name on the certificate bound to the Web listener. Also, the name on the Web Publishing Rule's TO tab needs to match the name on the Web site certificate bound to the OWA Web site.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: OMA & OWA 2-External IP Configuration - 8.Dec.2005 5:09:22 PM
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
quote:
ORIGINAL: tshinder
Hi Bryan, Is this a commercial certificate or a home grown one? Also, remember the name the external client uses to connect to the ActiveSync site needs to match the common/subject name on the certificate bound to the Web listener. Also, the name on the Web Publishing Rule's TO tab needs to match the name on the Web site certificate bound to the OWA Web site. HTH, Tom

This is a certificate I have issued from my Certificate Authority installed on my Windows 2003 Ent. server. I made sure the name of the cert was mobile.conseptsolutions.com and the common name of the listener was mobile.conseptsolutions.com.

I'm a little confused about the second item you mentioned. My TO tab on the Web Publishing rule does not match the cert I have for OWA (which works) but matched the path for the mobile certificate I generated (mobile.conseptsolutions.com). Is that not correct? I just assumed that since I was using a second IP for the OMA/ActiveSync services, when I configured the publishing rule/listener I would specify the site as mobile.conseptsolutions.com rather than my existing OWA site which uses owa.conseptsolutions.com.

If I generated a certificate for OMA and created a new listener with Basic authentication on the second external IP, do I configure the OMA listener just as I did for OWA, just using Basic authentication?

Thanks.

-Bryan
RE: OMA & OWA 2-External IP Configuration - 8.Dec.2005 7:05:01 PM
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
Ok, I seem to be getting farther bit by bit. I logged onto my CA and exported the mobile certificate and also the root certificate. I installed these on my PPC-6700 and they show up in the root section of certificates. Now when I try and sync I receive the following:

Result: ActiveSync encountered a problem on the server.
Support code: 0x85010014

This is trying to connect to mobile.conseptsolutions.com. Anything else I can try?

Thanks.
RE: OMA & OWA 2-External IP Configuration - 9.Dec.2005 1:09:55 AM
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
I'm getting closer I think... My ISA Monitoring shows the following when trying to sync with my 6700:

Dest IP   Dest Port  Protocol  Action             Rule             Client IP   Client Name  Source    HTTP Method  URL
10.0.0.3  443        HTTPS     Failed Connection  Exchange Mobile  70.5.189.x  "username"   EXTERNAL  OPTIONS      http://mobile.conseptsolutions.com:443/Microsoft…
10.0.0.4  444        HTTPS     Failed Connection  Exchange Mobile  70.5.189.x  "username"   EXTERNAL  POST         http://mobile.conseptsolutions.com:443/Microsoft…

I think I am getting closer I hope.

-Bryan
< Message edited by bheusmann -- 9.Dec.2005 1:11:29 AM >
RE: OMA & OWA 2-External IP Configuration - 9.Dec.2005 3:30:01 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bryan,

I just set up my new smart phone today on my rebuilt ISA firewall I use for inbound connections (it's a best practice to separate the inbound and outbound firewalls, performance really improves). Anyhow, since you have two IP addresses, you can create two listeners. I assume the OWA server is the same server that the OMA and ActiveSync sites are located on. Now, follow the bouncing ball:

OWA Listener: Bind the owa.domain.com certificate to the listener.
ActiveSync/OMA Listener: Bind a second certificate named rpc.domain.com to the listener.
OWA Web site certificate: You can use the owa.domain.com certificate and leave it bound to the Web site on the internal network.

NOTE: the common names on the certs above are examples. But that's how I usually set the host names.

Create the Web Publishing Rule for the OWA site using the OWA Listener.
Create the Web Publishing Rule for the OWA site using the ActiveSync/OMA Listener.

On the TO tab of BOTH Web Publishing Rules, enter the name that is on the Web site certificate bound to the OWA server (which is the same server as the ActiveSync/OMA server). In this example, you would enter owa.msfirewall.org

KEY TO SUCCESS: Make sure the ISA firewall resolves the name on the TO tab to the actual IP address of the OWA server on the internal network. Make sure external clients resolve the name owa.domain.com to the IP address used by that listener, and the name rpc.domain.com to the IP address used by that listener.

Depending on how many IP addresses the customer gives me to play with, I will ideally create four listeners and four Web publishing rules, one for each service -- OWA, OMA, ActiveSync and RPC/HTTP.

Have fun,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
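The naming rules Tom lays out in the post above (the name the client connects to must equal the CN on the listener's certificate, the TO tab must carry the name on the certificate bound to the internal Web site, and ISA must resolve that TO name to the internal server) written out as a small consistency check. This is an added example, not code from the thread or from ISA Server; the listener and rule names and the 203.0.113.x public IPs are constructed, and 10.0.0.3 is the Exchange server address from Bryan's log above.

```python
from dataclasses import dataclass


@dataclass
class Listener:
    external_ip: str
    cert_cn: str        # common name on the certificate bound to the listener


@dataclass
class Rule:
    name: str
    listener: str
    public_name: str    # name the external client connects to
    to_name: str        # name entered on the rule's TO tab


@dataclass
class Layout:
    listeners: dict     # listener name -> Listener
    rules: list
    site_cert_cn: str   # cert bound to the internal OWA/OMA Web site
    external_dns: dict  # name -> IP as external clients resolve it
    isa_dns: dict       # name -> IP as the ISA firewall resolves it
    internal_ip: str    # the Exchange server on the internal network


def check(cfg):
    """Return the list of mismatches; an empty list means the layout is consistent."""
    problems = []
    for r in cfg.rules:
        lst = cfg.listeners[r.listener]
        if r.public_name != lst.cert_cn:  # client name must equal listener cert CN
            problems.append(f"{r.name}: client name != listener cert CN")
        if cfg.external_dns.get(r.public_name) != lst.external_ip:
            problems.append(f"{r.name}: {r.public_name} must resolve to {lst.external_ip}")
        if r.to_name != cfg.site_cert_cn:  # TO tab must equal the Web site cert CN
            problems.append(f"{r.name}: TO tab != Web site cert CN")
        if cfg.isa_dns.get(r.to_name) != cfg.internal_ip:
            problems.append(f"{r.name}: ISA must resolve {r.to_name} to {cfg.internal_ip}")
    return problems


# Constructed data mirroring the thread (public IPs are placeholders).
OWA = Listener("203.0.113.1", "owa.conseptsolutions.com")
OMA = Listener("203.0.113.2", "mobile.conseptsolutions.com")
EXT_DNS = {"owa.conseptsolutions.com": "203.0.113.1", "mobile.conseptsolutions.com": "203.0.113.2"}
ISA_DNS = {"owa.conseptsolutions.com": "10.0.0.3", "mobile.conseptsolutions.com": "10.0.0.3"}


def bryans_layout():
    """Mobile rule's TO tab carries the mobile name, as Bryan described his setup."""
    rules = [Rule("Exchange OWA", "owa", "owa.conseptsolutions.com", "owa.conseptsolutions.com"),
             Rule("Exchange Mobile", "oma", "mobile.conseptsolutions.com", "mobile.conseptsolutions.com")]
    return Layout({"owa": OWA, "oma": OMA}, rules, "owa.conseptsolutions.com", EXT_DNS, ISA_DNS, "10.0.0.3")


def toms_layout():
    """Both rules' TO tabs carry the name on the internal Web site certificate."""
    rules = [Rule("Exchange OWA", "owa", "owa.conseptsolutions.com", "owa.conseptsolutions.com"),
             Rule("Exchange Mobile", "oma", "mobile.conseptsolutions.com", "owa.conseptsolutions.com")]
    return Layout({"owa": OWA, "oma": OMA}, rules, "owa.conseptsolutions.com", EXT_DNS, ISA_DNS, "10.0.0.3")
```

`check(bryans_layout())` reports only the TO-tab mismatch on the mobile rule, while `check(toms_layout())` returns an empty list.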
RE: OMA & OWA 2-External IP Configuration - 9.Dec.2005 12:15:21 PM
Jason Jones
Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Tom,

This is a similar setup to what we've been using lately, based upon Steve's article. One question though - how do you cope with users using ActiveSync and OWA internally with this config? The normal practice would be to use split DNS and point owa.domain and mobile.domain to the FE, however the FE only has a cert for mobile.domain??? Do you in this instance push OWA users back via ISA and suffer the fact that users are "looping back" through ISA? Normally most customers want to use the same FQDN for BOTH services internally AND externally - am I missing something here???

Cheers
JJ
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: OMA & OWA 2-External IP Configuration - 9.Dec.2005 5:24:50 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi JJ,

For internal users, everything is OK for OWA users because I use the same name from end to end and have a split DNS in place at all locations. RPC/HTTP isn't an issue internally, because the clients are configured to use the more efficient Exchange RPC. RPC/HTTP is only used when the clients are external.

The most problematic issue is the ActiveSync/OMA users. This situation is similar to the ISA FBA for internal and external clients, which means I configure a split DNS to allow them to loop back through the ISA firewall. Not ideal, but it works.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: OMA & OWA 2-External IP Configuration - 11.Dec.2005 5:00:54 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

LOL! It works, but I should add that this is a problem for me only at one location. All my other locations have Windows Mobile phone clients with data plans, so they always end up hitting the sites from an external location and don't need to loop back. I only have one location where they have to use 11b/g to hit the site.

Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: OMA & OWA 2-External IP Configuration - 11.Dec.2005 6:59:44 PM
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
quote:
ORIGINAL: tshinder
Now, follow the bouncing ball: OWA Listener: Bind the owa.domain.com certificate to the listener. ActiveSync/OMA Listener: Bind a second certificate named rpc.domain.com to the listener OWA Web site certificate: You can use the owa.domain.com certificate and leave it bound to the Web site on the internal network. NOTE: the common names on the certs above are examples. But that's how I usually set the host names. Create the Web Publishing Rule for the OWA site using the OWA Listener Create the Web Publishing Rule for the OWA site using ActiveSync/OMA Listener On the TO tab of BOTH Web Publishing Rules, enter the name that is on the Web site certificate bound to the OWA server (which is the same server as the ActiveSync/OMA server). In this example, you would enter owa.msfirewall.org KEY TO SUCCESS: Make sure the ISA firewall resolves the name on the TO tab to the actual IP address of the OWA server on the internal network Make sure external clients resolve the name owa.domain.com to the IP address used by that listener, and the name rpc.domain.com to the IP address used by that listener.

Tom, thank you for all the replies in helping with my configuration. I have done exactly as you noted above and I'm still faced with the same problem. I have been thinking about changing my firewall config., following the "Application Layer Firewall protection for Exchange Server 2003 with ISA Server 2004" but don't know if that will resolve my problem or make it worse. I would really like to get this service configured so my customers may benefit from it.

Any additional help you could provide would be appreciated.

-Bryan
RE: OMA & OWA 2-External IP Configuration - 12.Dec.2005 6:55:07 PM
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
quote:
ORIGINAL: tshinder
I just noticed something: 10.0.0.4 444 <<<===TYPO? HTTPS Failed Connection Is that 444 a typo? If not, that could be a part of the problem. Tom

I checked the ISA logs again when attempting to connect via ActiveSync; nothing shows on port 444, must be a typo. Also, it shows only 10.0.0.3 which is my Exchange server.

-Bryan
RE: OMA & OWA 2-External IP Configuration - 13.Dec.2005 3:07:49 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bryan,

Copy a few lines from the denied connections. Make sure the Filter Information column information is included too.

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: OMA & OWA 2-External IP Configuration - 14.Dec.2005 2:48:17 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bryan,

Some of the key information is missing. I need to see the error information column and the HTTP filter column and the HTTP status code column. Also, it's hard to tell which column is the source and destination address.

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8