Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Still can't get OMA/ActiveSync to Work
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Still can't get OMA/ActiveSync to Work - 15.Feb.2007 12:25:56 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
I've had ISA2004 for over 2 years now and I still can't get OMA/ActiveSync to work. I have everything else in the world, OMA, Citrix, Web Sites, FTP, RDP SSL, but can't get this damn OMA.
I've got 4 external IP's that I have available to me. I have a 3-leg perimeter network, the exchange server is located in the Internal LAN and I have configured the OMA rule on the ISA server using the publishing wizard. I have heard of people having problems with certs, so I was sure to install the cert binded to the web listener to my PocketPC. Anyway, I would really appreciate any help on this issue. Here's a link to the log of the ISA server during the failed connection attempt.
Please please, I really want to get this last feature of my enterprise working. Thanks.
http://www.conseptsolutions.com/oma_log.htm
-Bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 22.Feb.2007 5:56:20 AM
|
|
|
R Stephens
Posts: 23
Joined: 29.Jul.2002
From: England
Status: offline
|
Hi Bryan
What is the problem you are having. I am currently running ActiveSync on over 150 devices from Pocket PC through to the latest HTC devices and so far I am very pleased with the reliability.
I had some issues relating to certificates in so much as loading them onto a device was not something that can be done easily. We therefore purchased a Cert from a Root CA that was already preconfigured into the devices. This saved alot of work and reduced the setup time considerably.
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 7.Mar.2007 4:36:05 PM
|
|
|
joestern
Posts: 3
Joined: 11.Dec.2004
From: Philadelphia, PA
Status: offline
|
I just this morning got ActiveSync working with a Windows Mobile 5.0 phone. Like you, Bryan, I spent years in pursuit of this goal.
My symptom was the user would get Error 0x85010004, no permission to synchronize. The cause of the problem was my ISA 2006 rule, as set up by the Outlook Anywhere publishing wizard, did not include a necessary path (along with /public/* and /Exchweb/*, etc.) That missing line was:
/Microsoft-server-ActiveSync/*
Once that line got added, the phone started getting push e-mail.
I hope this helps.
- Joe Stern
Philadelphia, PA
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 23.May2007 1:20:07 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
quote:
ORIGINAL: tshinder
Hi Bryan,
You need to install the CA certificate on the clients, not the Web site certificate.
HTH,
Tom
Hi Tom,
I installed both the site cert and my CA cert on my mobile device and it's still not working. Any tips?
-Bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 23.May2007 1:25:21 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
quote:
ORIGINAL: joestern
I just this morning got ActiveSync working with a Windows Mobile 5.0 phone. Like you, Bryan, I spent years in pursuit of this goal.
My symptom was the user would get Error 0x85010004, no permission to synchronize. The cause of the problem was my ISA 2006 rule, as set up by the Outlook Anywhere publishing wizard, did not include a necessary path (along with /public/* and /Exchweb/*, etc.) That missing line was:
/Microsoft-server-ActiveSync/*
Once that line got added, the phone started getting push e-mail.
I hope this helps.
- Joe Stern
Philadelphia, PA
I have been running ISA Server 2004 for over 2 years now and this is the last peice of the puzzle. I have ISA 2006 Ent. to upgrade to but haven't done that yet.
I verified that in the path tab of my rule, /Microsoft-server-ActiveSync/* is there. I tired adding:
/public/*
/Exchweb/*
but that didn't work either. I get the same errors. I'll try and post the log details. I see the rule in the firewall monitoring logs as Failed Connection, so hopefully I'm closer than when I started 2 years ago. Any help would be greatly appreciated. Thanks.
-Bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 23.May2007 1:41:46 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Bryan,
Are you using basic authentication for the Web listener? Remember, if you're publishing OWA using FBA, you can't use the same Web listener for the ActiveSync publishing rule. It's different with ISA 2006, but with 2004, you must use a second Web listener listening on another IP address and another certificate.
Finally, make sure that you're using Basic auth on the Web listener and that you're delegating basic auth and the ActiveSync site is configured to use basic auth only and that you're also using SSL to SSL bridging (SSL to HTTP = BAD).
HTH,
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 23.May2007 2:25:35 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
quote:
ORIGINAL: tshinder
Hi Bryan,
Are you using basic authentication for the Web listener? Remember, if you're publishing OWA using FBA, you can't use the same Web listener for the ActiveSync publishing rule. It's different with ISA 2006, but with 2004, you must use a second Web listener listening on another IP address and another certificate.
Finally, make sure that you're using Basic auth on the Web listener and that you're delegating basic auth and the ActiveSync site is configured to use basic auth only and that you're also using SSL to SSL bridging (SSL to HTTP = BAD).
HTH,
Tom
Hi Tom,
Thanks again. I'm using a differnt web listener that my OWA rule. It is set to basic authentication using SSL with the certificate mobile.conseptsolutions.com which is from my CA. I also have the root CA installed on the PPC. It's lisetning on a different IP that OWA also. At this point since I have Citrix access to my enterprise I'm almost willing to dump OWA if that is causing problems.
I checked my ISS on my exchange server and de-selected the Use 128-bit encryption/SSL that was on the Microsoft-server-ActiveSync and the OMA virtual directories. Also, I changed from integrated to Basic auth on both directories as well.
I'm faced with the same problem though, I try to sync and get 2 Failed Connection attempts for the Outlook Mobile rule I have, with OPTIONS and POST HTTP Methods respectively. Also, on my PPC, I get the error status: ActiveSync entountered a problem on the server. Support code: 0x085010014
Any help is appreciated as I really hope to resolve this issue.
Side note, would upgrading to ISA 2006 help at all? I purchased v.2006 but have not dove into the upgrade yet, for fear of breaking my current setup. I need to keep the Citrix access up and that was my main concern. As long as it worked after the upgrade and I don't have to do anything with my rules, I'm willing to give it a shot. Thanks again.
-Bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 25.May2007 8:24:27 AM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Bryan,
It sounds like all of your ISA stuff is in place, although its never possible to tell without the exact details.
I remember I once had a problem similar to yours and it was related to an Exchange Server settings regarding SMTPproxy address or something like that.
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 25.May2007 10:00:59 AM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
Hi Tom,
I think you're right, ISA looks to be in good order.
I tried this as a bit of troubleshooting to see if I could get anything else. On the root "Default Web Site" I have a certificate owa.conseptsolutions.com that I created with my CA and used for OWA. This cert was imported to the ISA server and used for the OWA Listener. When I was trying to setup OMA, I created mobile.conseptsolutions.com on my CA and imported this to the ISA server and assigned it to the OMA listener, which is on a different IP address than the OWA.
Since I couldn't have a different cert on a virtual directory (Microsoft-server-ActiveSync) different that the root, I removed the owa cert and added the mobile cert to the root.
I tried to connect to ActiveSync and now I get a Green Initiated connection on the ISA server however, I still get an error in ActiveSync saying there was a problem on the server. I'm not sure what to look for, if I need to look on the Exchange Server, I've got my profile set for OWA, OMA, and ActiveSync.
Problem with above setup now is OWA doesn't work.
Any thoughts? Thanks.
-Bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 25.May2007 1:14:10 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Bryan,
OK, maybe we're getting closer.
The name on the TO tab must match the name on the Web site certificate bound to the Exchange Server that you're publishing. The ISA Firewall must also be able to resolve that name to the IP address that the Web site is listening on, on the Internal network.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 25.May2007 1:32:17 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
Hi Tom,
Yes, closer indeed.
On the To tab, I have the following:
server: mobile.conseptsolutions.com, "Forward origional host headers" is checked and the raido button for "Requests appear to come from the origional client" is selected.
For the Web Listener:
external IP is set to: 70.164.41.245, cert selected is: mobile.conseptsolutions.com, Atuhentication is Basic, Authorization Servers, domain is conseptsolutions.com
From the isa server, I can ping mobile.conseptsolutions.com and get the reply address 10.0.0.30 which is my exchange server on the internal network. I have that entery in a host file in c:\windows\system32\drivers\etc
I'm getting ever so closer each time, I hope we can figure this out. Thaks for the help.
-Bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 25.May2007 1:49:21 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
I'm not sure about the delegation of basic credentials? I had the users set to All Users. I then changed it to All Authenticated Users, and when syncing I saw my username in the ISA monitor as domain\username but on the device it was prompting me to correct my exchange server password. I typed my correct password like 3 times veryfying it was correct and kept prompting me. Could this be related to what you mentioned before? Thanks.
-bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 25.May2007 2:13:42 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
I checked the box on the Users tab to "Forward Basic authentication credentials (basic delegation)" and now I'm not getting prompted for the password on the device. I'm still getting the status code: 0x85010014 but I see in the ISA monitor my domain\username and allowed when I try and connect.
Also, if I go to https://mobile.conseptsolutions.com/OMA from IE on my phone, I get the page saying my device is not supported, click OK and it forwards me to the text version of my inbox via pocketIE. Not sure if that helps or means OMA is working? Just trying to give all info so I can get this fixed. Thanks.
-Bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 26.May2007 2:15:10 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Bryan,
If you are accessing it via IE from an external computer, then the problem isn't with the ISA Firewall configuration, its likely a problem with the configuratino on the client. Is the IE client asked for a user name and password?
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 26.May2007 7:40:16 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
Hi Tom,
Thank you for all your assistance with this issue. I can't explain it but it works!!!! Yay. I verified the configuration on the ISA server a million times. The only other explainable thing that I did was on the exchange server, I reinstalled (or installed?) SP2 for exchange. Right after the SP2 installation completed my phone synced.
Two questions:
1) will it be easy for me to reenable my OWA rule to allow OWA via FBA, since I changed the virtual directory "Exchange" to not use SSL, how will this effect my OWA?
2) If I'm connected to a LAN computer and try to sync, I get a network error, I'll post the status code, but I can ping mobile.conseptsolutions.com from internal and resolve the IP address of the exchange server. I don't know where to start with this one.
Thanks again for all your advice and assistance.
-Bryan
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 27.May2007 6:04:00 AM
|
|
|
mohsindabomb
Posts: 173
Joined: 27.Jun.2003
From: London, UK.
Status: offline
|
Hi Bryan,
Congrats on getting it working. Very recently, I had nearly the same issue with setting up ActiveSync and had "Failed Connection Attempt" coming up in the logs.
In your case, it appears it was an Exchange issue as SP2 reinstall fixed it. I remem having problems with OWA once that were fixed after reapplying SP2. Madness!!
In my case, I sorted it out differently by changing a setting on the ISA box. I changed the setting "Requests appear to come from the original client" to "Requests appear to come from the ISA server". It started working. Madness, right? I've set up ActiveSync before.
Could you check your settings and see how you have set up this setting now as you may have changed it trying to make the thing work? I'm a little curious as to how you and I got it working.
Another funny thing is that my new Exchange box won't access any external resource on http. Appears to definitely relate to ASync not working with requests coming from original clients and working with requests coming from the ISA Server.
Tom and others who're helpful at all times, I'm sure you could help.
For detailed information on the above issues, please see the below.
http://forums.isaserver.org/OWA%2fActiveSync_-_Failed_Connection_Attempt/m_2002044971/tm.htm
http://forums.isaserver.org/m_2002045367/mpage_1/key_/tm.htm#2002045367
Thanks all.
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 28.May2007 10:36:30 AM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Bryan,
1) will it be easy for me to reenable my OWA rule to allow OWA via FBA, since I changed the virtual directory "Exchange" to not use SSL, how will this effect my OWA?
TOM: You don't have to force SSL, it will still be used since the certificate it bound to the Web site.
2) If I'm connected to a LAN computer and try to sync, I get a network error, I'll post the status code, but I can ping mobile.conseptsolutions.com from internal and resolve the IP address of the exchange server. I don't know where to start with this one.
TOM: Not sure about this -- I never use the "cradle" connected to a PC. I suspect that split DNS would fix the problem, but I'm not at all sure.
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Still can't get OMA/ActiveSync to Work - 28.May2007 8:59:18 PM
|
|
|
bheusmann
Posts: 91
Joined: 13.Oct.2004
Status: offline
|
quote:
ORIGINAL: tshinder
Hi Bryan,
1) will it be easy for me to reenable my OWA rule to allow OWA via FBA, since I changed the virtual directory "Exchange" to not use SSL, how will this effect my OWA?
TOM: You don't have to force SSL, it will still be used since the certificate it bound to the Web site.
Bryan: But I removed the owa cert from the default web site? How can I bind a different cert for OWA and enable FBA or do I not need to? owa.conseptsolutions.com is for OWA and mobile.conseptsoluions.com is for OMA? or do I not need to worry about the cert issues?
2) If I'm connected to a LAN computer and try to sync, I get a network error, I'll post the status code, but I can ping mobile.conseptsolutions.com from internal and resolve the IP address of the exchange server. I don't know where to start with this one.
TOM: Not sure about this -- I never use the "cradle" connected to a PC. I suspect that split DNS would fix the problem, but I'm not at all sure.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
