Solved

exchange push email certificate issue

Posted on 2006-06-06
Last Modified: 2010-05-19
Hi,

I am having a bit of a problem with push email (obviously this is the topic du jour). I have Orange C600 phones with WM5, Exchange 2003 SP2 with all upgrades. We also have OWA and OMA running on the same single Exchange server and this works great. We have configured the server so that for OWA we have another web server redirecting all traffic requests (http://owa) to the HTTPS server on the Exchange server IIS. We have now configured the WM5 devices for ActiveSync push and these work fine without the SSL certificate required. To do this we published another external IP address and allowed 80 and 443 through the firewall with NAT to the Exchange server, and as stated this works fine without SSL. On the Exchange server default web site we have an Equifax certificate that on the WM5 devices works fine for OMA. However, when we try ActiveSync it fails repeatedly with "Synchronisation could not be completed. Try again later. Support code: 0x80072f17".

I know therefore that it is something to do with the certificate, but what the problem is I'm not sure. I think that it requires the certificate to be issued to the published IP address of the Exchange server for ActiveSync. However, as the certificate is for the default web site, this is the IP address of the OWA etc., so if I purchase one for this address I will have to use this certificate for OWA and I think (although am not sure) that this will stop OWA using SSL.

Can anyone give me some pointers for how to configure the server in this instance?

Question by:beefonthebone

Expert Comment

by:Sembee
ID: 16841651
Certificates are attached to host names, not IP addresses.
Furthermore, the name on the certificate needs to match what you are putting in to EAS on the device. If it doesn't then the process will fail.
As the certificate works for OMA, you are almost there. Look at the names you are putting into the device. If you are using SSL then you CANNOT use an IP address.

Simon.

Author Comment

by:beefonthebone
ID: 16841983
So if I attach a domain name to the IP address then this should work? Let me try...

Author Comment

by:beefonthebone
ID: 16842174
Closer and closer... OK... bit of a tricky one then. I have tried this with the certificate we have for OWA pointing to the OWA website, as this has 443 open; however, 80 is redirected to 82 on the Exchange server. When I try directing the device to go to the address of the certificate then I get "the security certificate is invalid, support code 0x80072f0d".

Expert Comment

by:Sembee
ID: 16843551
When you access OMA, are you using SSL?
The security certificate is invalid means exactly that.
It could be a non-trusted certificate (if home-grown it will be non-trusted), or the name on the certificate doesn't match what you are putting into the device.

Remember that you should be entering

host.domain.com

Not

https://host.domain.com
https://host.domain.com/exchange
192-168-1-1.domain.com

Simon.
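The naming rule in Simon's comment above (certificates carry host names, not IP addresses, and the entry on the device must match one of those names; a URL, path or IP address in the server field cannot match) can be checked before anyone touches 25 handsets. The following is an added example and is not code from the original thread or from Simon's site. It runs offline against a constructed certificate record in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the host name is the one the asker names later in the thread, while the issuer string and expiry date are illustrative. Whether the device trusts the issuing root is a separate question that this check does not answer.

```python
import ipaddress
import re

# Constructed sample record in the shape returned by ssl.SSLSocket.getpeercert().
# The host name comes from this thread; issuer and expiry are illustrative only.
OWA_CERT = {
    "subject": ((("commonName", "owa.mysite.co.uk"),),),
    "issuer": ((("organizationName", "Equifax Secure Inc."),),),
    "subjectAltName": (("DNS", "owa.mysite.co.uk"),),
    "notAfter": "Jun  6 12:00:00 2008 GMT",
}


def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def dns_name_matches(pattern, host):
    """RFC 6125-style comparison: exact match, or one wildcard in the left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # The wildcard stands for exactly one label; the rest must match exactly.
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def bare_host(entry):
    """Reduce whatever was typed into the server field to a bare host name."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry.strip().lower())
    return host.split("/", 1)[0].split(":", 1)[0]


def check_device_entry(entry, cert):
    """Return (ok, reason) for a server entry against the certificate the server presents."""
    host = bare_host(entry)
    if host != entry.strip().lower():
        return False, f"enter the bare host name {host!r}, not a URL or path"
    try:
        ipaddress.ip_address(host)
        return False, f"{host!r} is an IP address; certificate names are host names, so SSL cannot match"
    except ValueError:
        pass  # not an IP literal, so compare it as a DNS name
    names = cert_names(cert)
    if any(dns_name_matches(name, host) for name in names):
        return True, f"{host!r} matches the certificate name(s) {names}"
    return False, f"{host!r} is not among the certificate names {names}"


if __name__ == "__main__":
    # The four shapes Simon lists: one right, three that ActiveSync over SSL rejects.
    for entry in ("owa.mysite.co.uk", "https://owa.mysite.co.uk/exchange",
                  "192.168.1.1", "192-168-1-1.mysite.co.uk"):
        ok, reason = check_device_entry(entry, OWA_CERT)
        print("OK  " if ok else "FAIL", entry, "-", reason)
```

On a live server the same dictionary comes from `ssl.create_default_context().wrap_socket(...).getpeercert()` after a connection to port 443, so the check can be run against the real certificate before changing anything on the devices.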

Author Comment

by:beefonthebone
ID: 16870844
The certificate in question is owa.mysite.co.uk, an Equifax certificate, and works fine for our OWA/OMA traffic, but not for ActiveSync. The devices have Equifax as a root authority and are all certificate-locked from Orange. Do I need to purchase a separate cert for this use, and if so how will replacing the default site cert affect OWA, as this is where OWA resides?

Accepted Solution

by:Sembee (earned 2000 total points)
ID: 16870939
Not all of the Equifax root certificates are in the Pocket PC devices.
Does it work for OMA on the pocket device?

You may want to try the cabinet file method for getting the certificate on to the device. I have been having some success with that process on locked devices.

http://www.amset.info/pocketpc/certificates3.asp

Simon.

Author Comment

by:beefonthebone
ID: 16894769
The cert works for OMA on the device. I'll give the above a bash...

Author Comment

by:beefonthebone
ID: 16894944
Just tried; can't see how to get the encrypted certificate in the details, and trying to do this for all the devices (25) at the mo looks a bit much. Also, as OMA is working, that would kind of indicate that the root is working on the device??? Any other suggestions?

Expert Comment

by:Sembee
ID: 16896894
Pocket IE is more forgiving than ActiveSync, which is why it would work for OMA.

The fact that PIE is more forgiving means that you can actually distribute the file via your existing SSL web site. The users will simply click on the resulting cab file. I deployed it out to 150 users recently without any issues.

The process works very well, but that page on my web site is very new. If something isn't clear in the instructions, then let me know and I will correct/clarify the point.

As you are using a certificate that isn't trusted by the device, you will have to find a way to deploy the certificate in bulk.

Simon.