We have set up our Exchange 2007 environment similar to the instructions outlined in http://www.isaserver.org/tutorials/Generating-SSL-Certificates-Exchange-2007-ISA-Server-2006.html. ActiveSync is working well with our users connecting from outside the organization; however, when they arrive in the office, use ActiveSync and connect their PDAs to their PCs internally, they get an error message stating "the security certificate on the server is not valid". When connecting outside they use the same DNS name as they do internally. We have a third-party issued certificate installed on the ISA server and an internally issued certificate installed on the Client Access Server.
I can get the PDAs working internally if I install our internal root certificate manually on each device, but I was wondering if there was any way to get them all working without needing to do this. Can I use the externally issued certificate on the Client Access Server and the ISA server, or is this not a recommended configuration?
Note we are already using a public cert for the ISA server. My question is: since we have a split DNS configuration and use an internally generated SSL certificate on the Exchange server and a public SSL certificate on the ISA server, do we need to install the internal root cert on each mobile device for ActiveSync to work properly? Clients connecting externally to the ISA server already work fine without having to change anything. Sorry, first time configuring this...
Actually, that is not quite true
You could publish ActiveSync internally so that mobile devices use the route via ISA.
To do this you would need to configure internal DNS to resolve the ActiveSync DNS address to the ISA internal interface and then configure the listener used for ActiveSync to listen on both the external and internal addresses.
I have used this solution a couple of times to minimise on data calls when customers have a lot of internal users that are WLAN connected when in the office.
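As an added example (not code from this thread or from either poster), the following PowerShell script checks from an internal PC what a device would see at the ActiveSync hostname: whether split DNS sends it to the ISA internal listener or straight to the CAS, which certificate is presented, whether that certificate chains to a trusted root, and whether it carries the connecting name. The hostname and ISA internal address are placeholders you substitute.

```powershell
# Added example, not from the thread. Placeholders (assumptions): replace with your own values.
$activeSyncHost = "mail.example.com"   # the ActiveSync DNS name used inside and outside
$isaInternalIp  = "10.0.0.5"           # the ISA server's internal interface address

# 1. Split DNS: does the name resolve to the ISA internal listener or straight to the CAS?
$resolved = [System.Net.Dns]::GetHostAddresses($activeSyncHost) | ForEach-Object { $_.IPAddressToString }
Write-Host "$activeSyncHost resolves to: $($resolved -join ', ')"
if ($resolved -contains $isaInternalIp) {
    Write-Host "Name points at the ISA internal listener (public certificate expected)."
} else {
    Write-Host "Name bypasses ISA; devices will be shown the CAS certificate directly."
}

# 2. Fetch the certificate actually presented on 443 (the validation callback accepts anything
#    here only so the certificate can be inspected; the real trust check is done in step 3).
$client = New-Object System.Net.Sockets.TcpClient($activeSyncHost, 443)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($activeSyncHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Close()
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"

# 3. Build the chain against this machine's trusted roots, as a device without the
#    internal root would. Failure here is the "certificate is not valid" condition.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    Write-Host "Chain builds to a trusted root."
} else {
    $chain.ChainStatus | ForEach-Object { Write-Host "Chain problem: $($_.Status) $($_.StatusInformation.Trim())" }
    Write-Host "Untrusted chain: route devices via ISA (public cert) or install the internal root on them."
}

# 4. Name check: the certificate must carry the name the devices connect to (CN or SAN).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$names = $cert.Subject
if ($san) { $names += " " + $san.Format($false) }
if ($names -notmatch [regex]::Escape($activeSyncHost)) {
    Write-Host "Certificate does not contain $activeSyncHost; devices will report a name mismatch."
}
```

Run it once from a PC on the office network and once from outside (or against the ISA internal address directly) to compare the two paths the devices take.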
I'm still having issues with this. When I point directly to the ISA server I get a message saying "The server you are synchronising with is not an Exchange Server, or is running incompatible software". When I look in the IIS logs on the CAS server I can see that for some reason the URL is being passed through incorrectly via the ISA box. The URL gets passed through as below:
2008-10-01 00:03:36 W3SVC1 xx.xx.xx.xx OPTIONS /Microsoft-Server-ActiveSync/default.easicrosoft-Server-ActiveSync
This gives a 404 error... Any ideas? I've been working on this for ages but keep getting the same results.