Welcome to ISAserver.org


ActiveSync/OMA certificate issues with ISA 2006

ActiveSync/OMA certificate issues with ISA 2006 - 29.May2007 7:06:13 AM   
jmlab

 

Posts: 3
Joined: 29.May2007
Status: offline
Hi all,
 
I'm stuck and hope someone can help:
 
- I had an Exchange 2003 (SP2) FE server running OWA and OMA with a public (Verisign) certificate (secure.mydomain.net) on it. All ran no problem, including ActiveSync (even using FBA; never had to install certificates on the smartphone as it is a public cert).
 
- Now I've installed an ISA 2006 in front of the mail FE server, moved the certificate to the new ISA server and published OWA and other resources through it. I've made internal and external DNS changes to reflect the changes. All (OWA and other published sites) work fine except OMA/ActiveSync.
 
My smartphones keep throwing a 0x80072F0D (invalid certificate) error.
 
I've tried the following:
- set internal authentication from ISA to mail server to basic with and without SSL (created an internal certificate: mail.mydomain.net)
- turned off FBA on internal mail server
- exported the internal certificate (mail.mydomain.net) and installed it on my smartphone.

But no matter what variation I try, I keep getting the same error message, though OWA and RPC/HTTP still work fine.
 
If all else fails I'll have to get a second public cert for the mail server and punch a hole through the ISA to allow direct communication from my smartphone to the mail server instead of using its OMA publishing feature (which almost defeats the purpose of putting ISA there in the first place).
 
My understanding is that as long as I have a valid public cert on the ISA server that will be proxying OMA requests then that should be fine, shouldn't it? It certainly works fine for OWA, RPC/HTTP and other services.
 
Any ideas?
 
Thanks in advance for your help
 
JM :)
Post #: 1
RE: ActiveSync/OMA certificate issues with ISA 2006 - 5.Jun.2007 10:47:21 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi JM,

The CA certificate needs to be installed on the phones, not the Web site certificate.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jmlab)
Post #: 2
RE: ActiveSync/OMA certificate issues with ISA 2006 - 4.Jul.2007 12:24:10 PM   
jmlab

 

Posts: 3
Joined: 29.May2007
Status: offline
Hi Tom,

Many thanks for your reply; I really enjoyed your ISA 2004 book!

I've installed the CA certificate of our domain on the phone as suggested but the problem persists.

I don't think I should need to install anything on the smartphone anyway as the smartphone communicates with the ISA server that has a valid Verisign certificate (matching FQDN) installed and the phone accepts it as valid (or at least it did when this same certificate was directly on the exchange FE server before putting ISA in front of it).

The only reason I installed an 'internal' certificate on the Exchange server is to SSL-protect communications between ISA and the Exchange server, but whether I use SSL or not between ISA and Exchange the error message is the same.

As I understand, the smartphone should communicate only with ISA (with the valid Verisign certificate) and ISA 'proxies' on to the Exchange server (either SSL with a private cert or HTTP), so the smartphone shouldn't need a certificate for the internal Exchange server. Or have I misunderstood?

All other services published behind ISA and using this certificate (including OWA) work fine so not sure where the problem may be.

Thanks for any help or suggestions

JM

(in reply to tshinder)
Post #: 3
RE: ActiveSync/OMA certificate issues with ISA 2006 - 6.Jul.2007 2:41:41 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi JM,

That's true -- if the Web Listener has a Verisign cert bound to it you don't need to install the private CA certificate on the client.

Is this a Symbian based phone by any chance? There was a typo in the ISA config that prevented fallback to basic for Symbian phones.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jmlab)
Post #: 4
RE: ActiveSync/OMA certificate issues with ISA 2006 - 10.Jul.2007 9:18:51 AM   
jmlab

 

Posts: 3
Joined: 29.May2007
Status: offline
Hi Tom,

Thanks for your reply. They run Windows Mobile 5 (OS 5.1.195 build 1487.2.0.0).
http://www.msmobilenews.com/windows-mobile/reviews/orange-spv-c600-review.html

I've managed to make it work by using an access rule allowing HTTPS to the Exchange FE server (not using web publishing) and using the internal private certificate (installing the CA cert on the phones). In other words, punching a 'hole' through ISA and getting the phone to communicate directly with the Exchange server. This works, but I wanted to use the OMA publishing feature in ISA and the public Verisign cert instead. But I'm running out of ideas now.

Thanks again for any help and advice.

Regards

JM :)

(in reply to tshinder)
Post #: 5
RE: ActiveSync/OMA certificate issues with ISA 2006 - 10.Jul.2007 1:10:43 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
Wow is that weird.. So the same cert installed on ISA fails but on the FE it succeeds.. 

First I would try to connect with another https client (not the failing phone) and see if that shows anything suspicious.  Confirm that the cert being used is the right one, that it shows as valid, etc.

The only other thing I can think of is that maybe IIS is responding using a different revision of SSL/TLS protocol than ISA is..  But that's kind of a long shot idea and I don't have a very high accuracy with those :)

(in reply to jmlab)
Post #: 6
RE: ActiveSync/OMA certificate issues with ISA 2006 - 13.Jul.2007 4:56:18 PM   
akwoolf

 

Posts: 1
Joined: 13.Jul.2007
Status: offline
This sounds familiar to an issue that I once faced. In my scenario, I performed the following steps to fix the issue:
1. Created a cert from my internal Enterprise CA
   a. Cert must include the INTERNAL name of the FE server, not the public name (webmail.company.com).
      - If your FE server name is OWA01, the friendly name of the cert must match OWA01 (machine name)
2. Connection between ISA server and FE server must be SSL protected with the cert you created in step 1. (Edit listener)
3. These simple steps should fix your issues.

Please let us know if you were able to get things working...

< Message edited by akwoolf -- 13.Jul.2007 8:53:04 PM >

(in reply to ferrix)
Post #: 7
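Taking ferrix's advice to test with another HTTPS client, and akwoolf's point that the certificate on the bridged ISA-to-FE leg must carry the name ISA actually connects to, here is an added Python example (not from the thread, ISA or Exchange) that applies the two checks a client makes before accepting a certificate, name match and validity window, to a constructed getpeercert()-style record, and can also be pointed at a live listener with probe(). The names secure.mydomain.net and mail.mydomain.net are the thread's; the dates and the SAMPLE_CERT record are made up.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a public certificate issued for the name published on the ISA Web listener.
SAMPLE_CERT = {
    "subject": ((("commonName", "secure.mydomain.net"),),),
    "subjectAltName": (("DNS", "secure.mydomain.net"),),
    "notBefore": "May 29 00:00:00 2007 GMT",
    "notAfter": "May 28 23:59:59 2008 GMT",
}

def cert_names(cert):
    """DNS names a client may match against: SAN entries, falling back to the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def name_matches(hostname, pattern):
    """Label-by-label comparison; a wildcard is honoured only in the leftmost label."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat) or len(pat) < 2:
        return False
    if pat[0] == "*":
        return host[1:] == pat[1:]
    return host == pat

def check_cert(cert, hostname, now=None):
    """Reasons a client would reject cert for hostname (empty list = acceptable).
    now is an optional time string in the same 'Mon DD HH:MM:SS YYYY GMT' form."""
    at = ssl.cert_time_to_seconds(now) if now else time.time()
    problems = []
    if not any(name_matches(hostname, n) for n in cert_names(cert)):
        problems.append("name mismatch: %s not in %s" % (hostname, cert_names(cert)))
    if at < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if at > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

def probe(hostname, port=443):
    """Connect as a browser would and report problems with the certificate actually presented."""
    ctx = ssl.create_default_context()   # chain is verified against the local trust store
    ctx.check_hostname = False           # we report a name mismatch instead of raising
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_cert(tls.getpeercert(), hostname)
```

If the chain is not trusted locally, probe() raises ssl.SSLCertVerificationError before the name and date checks run, which is itself a finding worth recording.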
