Trevor Local

ActiveSync requiring SSL question

Hello

I am running Exchange ActiveSync and using RPC over HTTP/S, as well as OWA. I noticed that OWA requests were being accepted using HTTP instead of requiring HTTPS. So I looked at some documentation, tested and found that when I hit the "require SSL" and "require 128 bit" on the Exchange virtual directory, it breaks the EAS and I get the 3029 Event ID in the Event Viewer. Playing around a bit I also noticed that when I just require the SSL without the 128 bit, EAS works properly and OWA only responds to HTTPS requests.
So my configuration in IIS is this: on the RPC directory it has require SSL and 128 encryption. On the Default Web Site, OMA, and Microsoft-Server-ActiveSync directories, there is no requirement for SSL. On the Exchange directory there is require SSL but no 128 bit encryption.

Is there anything adverse to running it this way? My RPC works, HTTPS-only works, and ActiveSync works.

Thanks.

Sembee

Surprised that is working. Require SSL on the /exchange virtual directory usually breaks EAS.
The way that I secure my servers is quite simple - I don't open port 80. The only port that works is 443 which is https.
Have you reset IIS since you set the require SSL option? Before getting too excited about it working you should do that.
Are you using forms based authentication? That can also break EAS.

Simon.
Trevor Local (ASKER)

Ahh - I didn't have to do an iisreset, as it's not working now. I am not using forms based authentication.

So I can just block port 80 at the firewall, and that will still allow me to use the SSL for EAS/OMA and also RPC over HTTP/S, but not accept the HTTP requests?

I would suggest that you do use forms based authentication, otherwise your OWA is at risk from the back button or old sessions.
If you simply allow port 443 through the firewall, then users have to use https in the URL and the Windows Mobile devices will come in on 443 with the SSL option enabled in their configuration. You do not need port 80 open for any of the Exchange web based services to work.

Simon.
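The per-directory "require SSL" and "require 128-bit" switches the thread is toggling are bits of the IIS 6 metabase property AccessSSLFlags (AccessSSL = 8, AccessSSL128 = 256). The script below is an added example, not code from the thread or from Microsoft: it decodes those flags from a constructed metabase dump and reports which Exchange virtual directories still accept plaintext HTTP and which drift from the layout the asker described. The dump line format, the `INTENDED` policy and the sample values are assumptions.

```python
"""Decode and audit IIS 6 AccessSSLFlags for the Exchange virtual directories."""
import re

# Bit values of the IIS 6 metabase property AccessSSLFlags.
FLAG_NAMES = {8: "AccessSSL", 32: "AccessSSLNegotiateCert", 64: "AccessSSLRequireCert",
              128: "AccessSSLMapCert", 256: "AccessSSL128"}
ACCESS_SSL, ACCESS_SSL_128 = 8, 256  # "Require SSL" and "Require 128-bit encryption"

# The layout the thread settles on (assumed policy): /Rpc requires SSL + 128-bit,
# /Exchange requires SSL only (adding 128-bit there broke EAS), EAS and OMA carry
# no SSL requirement and rely on port 80 being closed at the firewall.
INTENDED = {
    "Rpc": ACCESS_SSL | ACCESS_SSL_128,
    "Exchange": ACCESS_SSL,
    "Microsoft-Server-ActiveSync": 0,
    "OMA": 0,
}

# Constructed sample, not real adsutil.vbs output: one line per virtual directory in
# the assumed form "<metabase path> AccessSSLFlags : (INTEGER) <value>".
SAMPLE = """\
W3SVC/1/ROOT/Rpc AccessSSLFlags : (INTEGER) 264
W3SVC/1/ROOT/Exchange AccessSSLFlags : (INTEGER) 264
W3SVC/1/ROOT/Microsoft-Server-ActiveSync AccessSSLFlags : (INTEGER) 0
W3SVC/1/ROOT/OMA AccessSSLFlags : (INTEGER) 0
"""
LINE_RE = re.compile(r"W3SVC/\d+/ROOT/(\S+)\s+AccessSSLFlags\s*:\s*\(INTEGER\)\s*(\d+)")

def parse_flags(text):
    """Map each virtual directory name to its integer AccessSSLFlags value."""
    return {m.group(1): int(m.group(2)) for m in LINE_RE.finditer(text)}

def flag_names(value):
    """Expand an AccessSSLFlags integer into the names of the bits that are set."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]

def audit(observed, intended=INTENDED):
    """Per-directory findings: plaintext exposure and drift from the intended layout."""
    findings = {}
    for vdir, want in intended.items():
        have = observed.get(vdir, 0)  # a missing directory is treated as unprotected
        notes = []
        if not have & ACCESS_SSL:
            notes.append("accepts plaintext HTTP; safe only if port 80 is blocked upstream")
        if have != want:
            notes.append(f"flags {flag_names(have)} differ from intended {flag_names(want)}")
        if notes:
            findings[vdir] = notes
    return findings
```

On the sample, /Exchange is reported because 128-bit is still set there (the combination that produced Event ID 3029 in the thread), and the EAS and OMA directories are flagged as plaintext-capable, which is only acceptable with port 80 closed at the firewall as Simon advises.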

OK, I turned on forms based auth and now ActiveSync fails. When enabling forms I got a warning box saying that if SSL encryption is not being offloaded, to configure SSL and restart IIS. So I disabled forms auth and it's still failing. OWA and RPC are working.

OK, actually forms are disabled and EAS is working.

ASKER CERTIFIED SOLUTION
Sembee

I'll give your instructions a shot. As for removing the SSL cert, do I export it to a .pfx file and reimport that later?

You don't need to do anything as drastic as that.
Simply choose the option in the wizard to remove the certificate. The certificate will remain in the certificate store. Then when you are done, use the wizard again and choose the option to assign an existing certificate.

Simon.

Thanks again Simon!