Exchange Active Sync and Road Sync with FBA enabled (Full Version)

hla123 -> Exchange Active Sync and Road Sync with FBA enabled (3.Nov.2006 9:09:44 AM)

Hi, we are having problems getting Road Sync to work with EAS. We have installed ISA 2006 Standard with one listener publishing all Exchange services such as OWA, OMA, RPC over HTTP and EAS. We have installed it according to Tom Shinder's guide. EAS works fine with Windows Mobile based devices, but when we use Sony Ericsson phones with Road Sync it will not work with FBA enabled. Without FBA it works. If I understand the documentation for ISA 2006, the ISA server translates Forms authentication, when connecting with a mobile phone, to Basic Authentication. Why will it not work? I have asked the support guys at Sony Ericsson and they recommended that we disable FBA!! We were not very satisfied with that answer. Does anyone have the same problem or a solution to my problem? A workaround would be to create a second listener, but then we would be forced to buy a new certificate.

Regards,
Henrik




ericplan -> RE: Exchange Active Sync and Road Sync with FBA enabled (8.Nov.2006 11:27:49 AM)

Hi, not of much help, but I face the same problems. Our setup is similar, but I am on the user side.

I contacted Dataviz; they offered support after some time, but until now they didn't come up with a solution other than to turn off FBA. But this is not advice for an end user on a system with over 40.000 users in the AD (educational institute). As far as I know now, Exchange ActiveSync (the Sony product name for RoadSync) is not compatible with this setup, and you have to wait for a new version.

Regards,

Eric




sullivac -> RE: Exchange Active Sync and Road Sync with FBA enabled (18.Nov.2006 11:08:38 PM)

Interestingly, my Windows Mobile device isn't working with OMA using FBA and one listener for Exchange Web services, even though it sounds like that is working for you.  ActiveSync IS working for me on the Windows Mobile.

I have posted later to this same NG and I am waiting for a response.  My workaround is to create a second listener that uses the same URL (thus the same certificate) and IP address, but a non-standard port.  I then create an Exchange Web Access rule for OMA only using that listener, but bridging the non-standard port to 443 on the Exchange Server. 

To shorten the URL for users, I created a public DNS record called "oma.<MYORG>.com" and a virtual site on the Exchange server with nothing but a redirect to the correct URL (https://<MAILSERVER>.<MYORG>.com/oma).

I'm not sure if you can do the same thing for Road Sync (assuming it is the same as ActiveSync).  In any case, you would probably skip the last part. The thing that I'm not sure about is if you can enter a custom port in the field where you enter the Exchange server name.  If you can, this should work.




niklas@alltica.com -> RE: Exchange Active Sync and Road Sync with FBA enabled (7.Aug.2007 8:29:56 AM)

Is there any solution to this problem yet?

We have the same problem with the Sony Ericsson phones.




rhodesbc -> RE: Exchange Active Sync and Road Sync with FBA enabled (6.Nov.2009 7:51:48 AM)

We have a single ISA2006 IP address for OWA/OutlookAnywhere/ActiveSync - Also a Self Signed Root CA Certificate for the ISA listener.
To get ActiveSync working we needed to do the following:
1. Load our company Root CA certificate (Public Key Only) onto each mobile device. Note: SonyEricsson appears to require the cert (in DER format with .cer file extn) to be beamed via Bluetooth. Nokia/Windows Mobile can install a cert previously transferred to the phone via USB.
2. Disable Session Timeouts for 'Non-BrowserClients' on ISA2006 (Otherwise ActiveSync intermittently prompts for passwords).
ActiveSyncFireWallPolicy(Policy)=>Properties(RightClick)=>Listener(Tab)=>Properties(Button)=>Forms(Tab)=>Advanced(Button)=>ApplySessionTimeoutToNon-BrowserClients(Uncheck the tickbox).
3. The above is enough to get most WindowsMobile Devices and Nokia Devices Syncing via ActiveSync. For other (SonyEricsson) devices you may need to do the following:
4. Allow 'Non-Provisionable' devices. (I'll leave it to you to work out exactly which devices are 'Provisionable' and which devices are not.)
[Provisionable devices allow for 'Device Wipe' if stolen - as well as 'Policy Deployment' such as 'Phone must have a PIN code(key lock) to access all functions']

E2K2007.ExchangeManagementConsole(App)=>OrganisationConfiguration.ClientAccess(Selection)=>ExchangeActiveSyncMailboxPolicies(Tab)=>?????(Selection)... usually 'Default'=>AllowNon-ProvisionableDevices(Check the tickbox).
5. Set Authentication... !!!!!!!!!!!!!!!!! This is usually the show stopper  !!!!!!!!!!!!!!!!!
Background (And a quick test):
5.1. Your Web listener is probably set to "Forms Authentication".
This is a good thing - as this gives you:
a> An HTML form Login for OWA - asking for 'Private/Public' logon. (Useful - but normally not an issue... see 'b>' for the killjoy..)
b> Forms Auth gives you an auto timeout for OWA - so that users are auto logged out after a pre-determined period. This is a good thing - and the main reason our company purchased ISA.
5.2. As a test - Change your 'Listener' (see #2 above) Authentication from 'Forms' to 'Basic'.
Note: During this test - you have broken your Forms Auth Security Features! (This is Bad.. But hey - it's only a test! - DO NOT FORGET TO CHANGE IT BACK TO FORMS - After the test!!).
5.3. Apply - and test ActiveSync from SonyEricsson
Your SonyEricsson should now be able to sync to the user's Exchange2007 mailbox.
5.4. Set your 'Listener' back to 'Forms Auth'.
The default listener falls back from 'Forms Auth' to 'Basic Auth' if the client does not support 'Forms'.
ISA2006 uses the "User-Agent" HTML header to determine which type of authentication the connected client should be using - and whether to allow fallback to BASIC.
Unfortunately the default value for "*SonyEricsson*" is incorrect (at least for our phone - the SonyEricssonW995).
To fix:
6. Edit the UserAgent mapping in ISA2006 for *SonyEricsson* and change from 'XHTML-MP forms' to 'Basic authentication' to allow SonyEricsson phones to access ActiveSync.
See:
http://technet.microsoft.com/en-us/library/bb794715.aspx     for HowTo & required scripts to enable UserAgent mapping changes
Our Change log shows:
Mapping in ISA2006 for *SonyEricsson* changed from 'XHTML-MP forms' to 'Basic authentication' to allow SonyEricsson phones to access ActiveSync.
I hope the above process is helpful to others....

Colin Rhodes
IT Systems Analyst
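
A way to check which challenge the listener hands to a given User-Agent string, before and after the mapping change described in the post above (an added example, not part of the thread and not Microsoft's script). It assumes the forms logon is reached through a redirect to CookieAuth.dll and that the Basic fallback appears as a 401 with a WWW-Authenticate: Basic header; the host name, User-Agent strings and sample responses are constructed placeholders.

```python
import ssl
import urllib.error
import urllib.request

EAS_PATH = "/Microsoft-Server-ActiveSync"

# Constructed sample responses (status, headers) for offline checking.
SAMPLES = {
    "basic": (401, {"WWW-Authenticate": 'Basic realm="mail.example.test"'}),
    "forms": (302, {"Location": "/CookieAuth.dll?GetLogon?curl=Z2FMicrosoft-Server-ActiveSync&reason=0"}),
    "none": (200, {"Allow": "OPTIONS,POST"}),
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 rather than following it to the logon form


def classify_challenge(status, headers):
    """Name the authentication scheme a listener response is asking for."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return h.get("www-authenticate", "").split(" ", 1)[0].lower() or "unknown-401"
    # Assumption: the forms logon is reached through a redirect to CookieAuth.dll.
    if status in (301, 302) and "cookieauth.dll" in h.get("location", "").lower():
        return "forms"
    return "none" if status < 400 else "error-%d" % status


def probe(host, user_agent, ca_file=None, timeout=10):
    """Send an unauthenticated OPTIONS request to the EAS path as user_agent."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: company root CA (PEM)
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request("https://%s%s" % (host, EAS_PATH),
                                 method="OPTIONS", headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_challenge(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return classify_challenge(err.code, err.headers)


if __name__ == "__main__":
    # Placeholder host and User-Agent strings; replace with your own.
    for ua in ("SonyEricssonW995/R1 (constructed)", "Mozilla/5.0 (constructed)"):
        print(ua, "->", probe("mail.example.test", ua))
```

Run it once with the phone's User-Agent and once with a browser's: after the mapping change in step 6 the phone's string should report basic while the browser's still reports forms.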



