beefonthebone

asked on

exchange push email certificate issue

Hi,

I am having a bit of a problem with push email (obviously this is the topic du jour). I have Orange C600 phones with WM5, and Exchange 2003 SP2 with all upgrades. We also have OWA and OMA running on the same single Exchange server and this works great. We have configured the server so that for OWA we have another web server redirecting all traffic requests (http://owa) to the HTTPS server on the Exchange server IIS. We have now configured the WM5 devices for ActiveSync push and these work fine without the SSL certificate required. To do this we published another external IP address and allowed 80 and 443 through the firewall with NAT to the Exchange server, and as stated this works fine without SSL. On the Exchange server default web site we have an Equifax certificate that on the WM5 devices works fine for OMA. However, when we try ActiveSync it fails repeatedly with "synchronisation could not be completed. try again later
support code: 0x80072f17".

I know therefore that it is something to do with the certificate, but what the problem is I'm not sure. I think that it requires the certificate to be issued to the published IP address of the Exchange server for ActiveSync. However, as the certificate is for the default web site this is the IP address of OWA etc., so if I purchase one for this address I will have to use this certificate for OWA and I think (although I am not sure) that this will stop OWA using SSL.

Can anyone give me some pointers for how to configure the server in this instance?

Sembee

Certificates are attached to host names, not IP addresses.
Furthermore, the name on the certificate needs to match what you are putting into EAS on the device. If it doesn't then the process will fail.
As the certificate works for OMA, you are almost there. Look at the names you are putting into the device. If you are using SSL then you CANNOT use an IP address.

Simon.
beefonthebone

ASKER

So if I attach a domain name to the IP address then this should work? Let me try..
Closer and closer..... OK..... bit of a tricky one then. I have tried this with the certificate we have for OWA pointing to the OWA website as this has 443 open; however 80 is redirected to 82 on the Exchange server. When I try directing the device to go to the address of the certificate then I get "the security certificate is invalid support code 0x80072f0d".

Sembee
When you access OMA, are you using SSL?
"The security certificate is invalid" means exactly that.
It could be a non-trusted certificate (if home grown it will be non-trusted), or
the name on the certificate doesn't match what you are putting into the device.

Remember that you should be entering

host.domain.com

Not

https://host.domain.com
https://host.domain.com/exchange
192-168-1-1.domain.com

Simon.
beefonthebone

ASKER

The certificate in question is owa.mysite.co.uk, an Equifax certificate, and works fine for our OWA/OMA traffic, but not for ActiveSync. The devices have Equifax as a root authority and are all certificate locked from Orange. Do I need to purchase a separate cert for this use and if so how will replacing the default site cert affect OWA as this is where OWA resides?
ASKER CERTIFIED SOLUTION
Sembee
beefonthebone

ASKER

The cert works for OMA on the device. I'll give the above a bash..
Just tried; can't see how to get the encrypted certificate in the details, and trying to do this for all the devices (25) at the mo looks a bit much. Also, as OMA is working, that would kind of indicate that the root is working on the device??? Any other suggestions?

Sembee
Pocket IE is more forgiving than ActiveSync, which is why it would work for OMA.

The fact that PIE is more forgiving means that you can actually distribute the file via your existing SSL web site. The users will simply click on the resulting cab file. I deployed it out to 150 users recently without any issues.

The process works very well, but that page on my web site is very new. If something isn't clear in the instructions, then let me know and I will correct/clarify the point.

As you are using a certificate that isn't trusted by the device, you will have to find a way to deploy the certificate in bulk.

Simon.
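Two of Sembee's points in this thread (that the name typed into the device must match a name on the server certificate, and that the certificate must chain to a root the device actually trusts) are easy to get wrong by hand, so here is an added example that models both checks the way a strict client such as ActiveSync applies them. This is not code from the thread or from Microsoft; the certificate dict is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the issuer name and device root list are assumptions for illustration only.

```python
"""Added example (not code from the thread): a model of the two checks a
strict ActiveSync client applies before syncing over SSL.
 (1) the name typed into the device must match a name on the server cert;
 (2) the cert's issuer must be in the device's trusted root store.
The certificate below is a constructed dict in the shape that
ssl.SSLSocket.getpeercert() returns; issuer and root names are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the owa.mysite.co.uk certificate from the thread.
OWA_CERT: Dict = {
    "subject": ((("commonName", "owa.mysite.co.uk"),),),
    "issuer": ((("organizationName", "Equifax (constructed root name)"),),),
    "subjectAltName": (("DNS", "owa.mysite.co.uk"),),
}

# Constructed list of issuer organisations the device trusts (assumption).
DEVICE_ROOTS: List[str] = ["Equifax (constructed root name)"]

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def cert_names(cert: Dict) -> List[str]:
    """DNS names a client may match against: SAN entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leftmost-label wildcard such as *.mysite.co.uk."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_head, _, p_tail = pattern.partition(".")
    if p_head != "*" or "*" in p_tail or not p_tail:
        return False
    h_head, _, h_tail = host.partition(".")
    return bool(h_head) and h_tail == p_tail


def typed_host_is_valid(typed: str, cert: Dict) -> Tuple[bool, str]:
    """Decide whether `typed` (exactly what was entered on the device) matches `cert`.

    A strict client does not strip schemes or paths, and cannot match an IP
    literal against a DNS name, so those inputs fail before any comparison.
    """
    if "://" in typed or "/" in typed:
        return False, "not a bare host name (scheme or path present)"
    if _IPV4.fullmatch(typed):
        return False, "IP address entered; certificates are issued to host names"
    names = cert_names(cert)
    for name in names:
        if _name_matches(name, typed):
            return True, f"matches certificate name {name}"
    return False, f"{typed!r} is not among certificate names {names}"


def issuer_trusted(cert: Dict, device_roots: List[str]) -> bool:
    """Model of the root-store check: is the issuing organisation on the device?

    A real client also verifies the signature chain; this only models the
    'is the CA present on the device' question raised in the thread.
    """
    issuer_orgs = [v for rdn in cert.get("issuer", ())
                   for k, v in rdn if k == "organizationName"]
    return any(org in device_roots for org in issuer_orgs)


if __name__ == "__main__":
    for typed in ["owa.mysite.co.uk", "https://owa.mysite.co.uk",
                  "owa.mysite.co.uk/exchange", "192.168.1.1",
                  "192-168-1-1.mysite.co.uk"]:
        print(f"{typed:32} -> {typed_host_is_valid(typed, OWA_CERT)}")
    print("issuer trusted:", issuer_trusted(OWA_CERT, DEVICE_ROOTS))
```

Run it as-is and only the bare host name `owa.mysite.co.uk` passes; the scheme, path, IP and "IP-as-host-name" forms Sembee warns against all fail before any name comparison is attempted, which is the behaviour the 0x80072f0d "certificate is invalid" result reflects on the device. The trust check is deliberately name-based so it can run offline; a real verifier walks the signature chain up to the root.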