Activesync issue

Activesync issue - 22.Sep.2008 2:01:29 AM   
rick_d

 

Hi

We have set up our Exchange 2007 environment similar to the instructions outlined in http://www.isaserver.org/tutorials/Generating-SSL-Certificates-Exchange-2007-ISA-Server-2006.html.  ActiveSync is working well with our users connecting from outside the organization; however, when they arrive in the office and use ActiveSync and connect their PDAs to their PCs internally, they get an error message stating "the security certificate on the server is not valid".  When connecting outside they use the same DNS name as they do internally.  We have a 3rd party issued certificate installed on the ISA server and an internally issued certificate installed on the client access server.

I can get the PDAs working internally if I install our internal root certificate manually on each device but I was wondering if there was any way to get them all working without needing to do this.  Can I use the externally issued certificate on the client access server and the ISA server or is this not a recommended configuration?

Thanks
Post #: 1
RE: Activesync issue - 22.Sep.2008 4:28:11 AM   
Jason Jones

 

The only way to solve this is to purchase certificates for Exchange from a third party CA. The only real downside to this is cost, as you will need a CA that provides SAN (or wildcard) certificates.

Depending upon the number of mobile clients you have, you could maybe look at System Center Mobile Device Manager which may be able to automate the Root CA certificate deployment for you.

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to rick_d)
Post #: 2
RE: Activesync issue - 22.Sep.2008 5:29:16 AM   
rick_d

 

Thanks JJ

Note we are already using a public cert for the ISA server. My question is since we have a split DNS configuration and use an internally generated SSL certificate on the Exchange server and a public SSL certificate on the ISA Server, do we need to install the internal root cert on each mobile device for ActiveSync to work properly? Clients connecting externally to the ISA server already work fine without having to change anything. Sorry, first time configuring this...

Thanks again

(in reply to Jason Jones)
Post #: 3
RE: Activesync issue - 22.Sep.2008 7:45:09 AM   
Jason Jones

 

No, I understood.

Yep, if you have a private CA, you will need to import the CA certificate to mobile devices as they do not trust it by default.

If you purchase a third party CA for Exchange, all mobile devices will trust this and hence negate the need to install a private Root CA certificate.

Cheers

JJ


(in reply to rick_d)
Post #: 4
RE: Activesync issue - 22.Sep.2008 7:53:46 AM   
Jason Jones

 

Actually, that is not quite true

You could publish ActiveSync internally so that mobile devices use the route via ISA.

To do this you would need to configure internal DNS to resolve the ActiveSync DNS address to the ISA internal interface and then configure the listener used for ActiveSync to listen on both the external and internal addresses.

I have used this solution a couple of times to minimise on data calls when customers have a lot of internal users that are WLAN connected when in the office.

Cheers

JJ  


(in reply to Jason Jones)
Post #: 5
RE: Activesync issue - 12.Oct.2008 7:54:46 PM   
rick_d

 

Hi JJ

I'm still having issues with this.  When I point directly to the ISA server I get a message saying "The server you are synchronising with is not an Exchange Server, or is running incompatible software".
When I look in the IS logs on the CAS server I can see for some reason the URL is being passed through incorrectly via the ISA box.  The URL gets passed through as below.
2008-10-01 00:03:36 W3SVC1 xx.xx.xx.xx OPTIONS /Microsoft-Server-ActiveSync/default.easicrosoft-Server-ActiveSync
 
This gives a 404 error....Any ideas, been working on this for ages but keep getting the same results.
 
Appreciate any help.

(in reply to Jason Jones)
Post #: 6
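A way to pull requests like the one in Post #6 out of the CAS server's IIS log, as an added example that is not part of the original thread: it parses W3C extended log lines and lists ActiveSync requests whose path is not one of the expected ones. The sample log lines, the IP addresses and the set of expected paths are constructed assumptions; only the mangled URL is taken from the post.

```python
# Added example, not from the thread. Log lines are constructed; the IP
# addresses and the list of expected paths are assumptions for illustration.
from collections import Counter

EAS_VDIR = "/microsoft-server-activesync"
EXPECTED_STEMS = {EAS_VDIR, EAS_VDIR + "/", EAS_VDIR + "/default.eas"}

SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2008-10-01 00:03:30 W3SVC1 192.0.2.20 OPTIONS /Microsoft-Server-ActiveSync - 443 192.0.2.77 200
2008-10-01 00:03:36 W3SVC1 192.0.2.20 OPTIONS /Microsoft-Server-ActiveSync/default.easicrosoft-Server-ActiveSync - 443 192.0.2.10 404
2008-10-01 00:03:40 W3SVC1 192.0.2.20 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync 443 192.0.2.77 200
2008-10-01 00:03:41 W3SVC1 192.0.2.20 GET /owa/ - 443 192.0.2.10 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or damaged rows
                yield dict(zip(fields, values))

def malformed_eas_requests(text):
    """Return ActiveSync requests whose path is not one of EXPECTED_STEMS."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.startswith(EAS_VDIR) and stem not in EXPECTED_STEMS:
            hits.append(rec)
    return hits

def by_source(hits):
    """Count malformed requests per client IP (c-ip) and status code."""
    return Counter((h.get("c-ip", "-"), h.get("sc-status", "-")) for h in hits)

if __name__ == "__main__":
    for h in malformed_eas_requests(SAMPLE_LOG):
        print(h["date"], h["time"], h["cs-method"], h["cs-uri-stem"], h["sc-status"])
    print(dict(by_source(malformed_eas_requests(SAMPLE_LOG))))
```

Grouping by `c-ip` separates requests that arrived through the proxy from direct ones only when the publishing rule is set so that requests appear to come from the ISA Server computer.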
RE: Activesync issue - 13.Oct.2008 8:03:10 AM   
Jason Jones

 

You should be using the same rule/listener for both forms of access, so I don't see how one would work and one wouldn't???

I have used this setup a few times and never had an issue...

Can you describe how you have implemented it and the rules you have defined?

Cheers

JJ


(in reply to rick_d)
Post #: 7
