Solved

Concerns over security having fixed Exchange ActiveSync Problems

Posted on 2007-11-29
448 Views
Last Modified: 2013-12-05
Hi guys.

I had all sorts of problems getting ActiveSync for Exchange set up and working. I found Sembee's very helpful article here: http://www.amset.info/exchange/mobile-85010014.asp I followed it, and it worked a treat - thank you very much Sembee :)

However, the one thing I can't do, having run through all the instructions, is turn encryption back on for the newly created virtual directory, mentioned in the article as "exchange-oma", and keep things working. All the other Exchange related folders have encryption turned on. If I turn the encryption back on for the "exchange-oma" folder though, ActiveSync stops working. Turn it back off, and everything is happy straight away.

Is it important to have on, or is the encryption on the other folders enough to guarantee encryption across all access? Also, what exactly is in / linked to the "exchange-oma" folder? As it was created from metadata gathered from the original "exchange" virtual directory, and a registry key was added, does it not contain content that needs encrypting?

Sorry to waffle; I look forward to any input.

Many thanks,

Bluemercury
Question by: bluemercury

9 Comments
Author Comment by bluemercury (ID: 20374187)
Adding on, am I ok because I have 'form based authentication' switched on?
Expert Comment by Sembee (ID: 20374520)
Do you have port 80 open to the internet? If not then everything will be SSL secured anyway. I never open port 80 on my deployments and then I don't need to worry about whether it is secure or not because the SSL certificate will be used.

Simon.
Author Comment by bluemercury (ID: 20374730)
This is a good call, and had occurred to me also. The only problem is that we have port 80 open so that people can just type webmail.company.com into their browser. It then loads a web page from our IIS server root that redirects to https://webmail.company.com (our OWA site). Is there a better way of doing this, whilst still using the same host name for both of these, as our certificate is all linked up with this?

Many thanks,

Bluemercury
Expert Comment by Sembee (ID: 20378670)
I am actually one of those cruel people who do not allow the users to enter the http variant. I find they quickly learn. I do not want http traffic coming anywhere near the Exchange server. There are too many people in IT now who don't remember the Code Red worm, which spread on port 80.

Simon.
Author Comment by bluemercury (ID: 20380989)
You know Sembee, I think you've got a good point. I never did open port 80 before recently - it's only this firm I'm at which I've opened up this port. There's some people here that, let's say, need it made as simple as possible. I think I'm going to take your 'cruel' line though, and tell them to learn!

Of course, an alternative is that I direct port 80 to one of our other internal servers that has no Exchange on it, and a clean install of IIS, that simply hosts the forwarding page.

Back to the question, do you know whether "exchange-oma" needs to be secured anyway, and what exactly is in it? If I browse to the virtual directory from a browser, it doesn't load up correctly in the way the original "exchange" folder does. Logic tells me they should be the same, so I don't quite get how it is configured.

Many thanks for your input.

Best wishes,

Bobby
Expert Comment by Sembee (ID: 20381372)
The exchange-oma directory should be identical in operation to the main /exchange virtual directory, just without the forms based authentication setting. It should load OWA. You don't want to enable Require SSL or anything like that on it because it is used by OMA and EAS to get their data for the PDA devices. That is an internal call on port 80.

Simon.
Author Comment by bluemercury (ID: 20381732)
You're right - it is loading up now. So am I right in thinking that in order to get ActiveSync working and to have a secure link, you would always need to set up this additional "exchange-oma" virtual folder? I have always ticked the require encryption / 128 bit settings on the "Exchange" folder, so in fitting with this does it mean you have to create this replica folder for all Exchange Servers that you want ActiveSync on? (This would explain why I've always experienced this problem with ActiveSync.)

Many thanks,

Bluemercury
Accepted Solution by Sembee (earned 500 total points, ID: 20381764)
The reason the additional folder is required is when you are using forms based authentication and/or require SSL.
The internal call is on port 80 and uses integrated authentication. When you enable forms based authentication integrated authentication is disabled. Require SSL basically generates an error in the browser, which also stops the internal process.

However don't forget that require SSL is NOT a required setting to make the connection secure. If you only open port 443 and have an SSL certificate in place then the certificate will work. Require SSL is only to protect something that has both http and https access.

As with many things and Microsoft, they want you to use a frontend/backend scenario. In that case you don't need to make any changes. Same goes for RPC over HTTPS. In FE/BE you get a nice GUI to set up; single server you have to make the manual registry changes.

SBS R2 of course makes the exchange-oma and related changes for you.

Simon.
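As an added example (not code from this thread or from Sembee's article), here is a small Python check a defender could run over IIS W3C extended log lines to confirm the design described in the accepted solution and in the earlier port-80 discussion: the only port-80 traffic touching the Exchange virtual directories should be the server's own internal OMA/EAS call to /exchange-oma, while everything from external clients should arrive on 443. The log lines, the server address 192.0.2.10 and the client addresses are constructed for the example; the field list follows the IIS W3C extended format (s-ip, cs-uri-stem, s-port, c-ip, ...) and the real #Fields directive of the server's ex*.log files must contain those fields.

```python
import ipaddress

# Constructed sample of IIS 6 W3C extended log lines (not taken from the thread).
# 192.0.2.10 is the Exchange server; 198.51.100.7 and 203.0.113.5 are external clients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-11-29 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-11-29 08:00:01 192.0.2.10 GET / - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 302
2007-11-29 08:00:02 192.0.2.10 GET /exchange/ - 443 DOMAIN\\bobby 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2007-11-29 08:00:03 192.0.2.10 POST /Microsoft-Server-ActiveSync - 443 DOMAIN\\bobby 203.0.113.5 MSFT-PPC/4.0 200
2007-11-29 08:00:03 192.0.2.10 GET /exchange-oma/bobby/Inbox/ - 80 DOMAIN\\bobby 192.0.2.10 Microsoft-Server-ActiveSync/6.5 200
2007-11-29 08:00:04 192.0.2.10 GET /exchange-oma/bobby/Inbox/ - 80 DOMAIN\\bobby 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2007-11-29 08:00:05 192.0.2.10 POST /Microsoft-Server-ActiveSync - 80 DOMAIN\\bobby 203.0.113.5 MSFT-PPC/4.0 200
"""

# Virtual directories that carry mailbox data and should only be reached over SSL
# from outside the server (lower-case; compared case-insensitively).
EXCHANGE_PREFIXES = ("/exchange", "/exchange-oma", "/oma",
                     "/microsoft-server-activesync", "/exchweb", "/public")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def is_exchange_path(uri_stem):
    """True if the request targets one of the Exchange virtual directories."""
    path = uri_stem.lower()
    return any(path == p or path.startswith(p + "/") for p in EXCHANGE_PREFIXES)


def is_local_client(client_ip, server_ip):
    """The internal OMA/EAS call comes from the server itself (or loopback)."""
    return client_ip == server_ip or ipaddress.ip_address(client_ip).is_loopback


def find_cleartext_exchange_access(text):
    """Return port-80 requests to Exchange paths that did not come from the server itself.

    The redirect page at / on port 80 is allowed; the server's own call to
    /exchange-oma on port 80 is expected; anything else on port 80 that reaches
    an Exchange directory means cleartext access from outside is possible.
    """
    findings = []
    for rec in parse_w3c(text):
        if rec["s-port"] != "80":
            continue
        if not is_exchange_path(rec["cs-uri-stem"]):
            continue
        if is_local_client(rec["c-ip"], rec["s-ip"]):
            continue
        findings.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec["c-ip"],
            "path": rec["cs-uri-stem"],
            "status": rec["sc-status"],
            "user_agent": rec["cs(User-Agent)"],
        })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_exchange_access(SAMPLE_LOG):
        print("cleartext Exchange access: %(time)s %(client)s -> %(path)s "
              "(%(status)s, %(user_agent)s)" % f)
```

Run it against a real ex*.log instead of SAMPLE_LOG. On a server where only 443 is open to the internet (Sembee's setup) it should report nothing; on the sample it reports the two external port-80 hits (/exchange-oma and /Microsoft-Server-ActiveSync) while ignoring the redirect page and the server's own internal call, which is exactly the split the thread relies on when Require SSL is left off exchange-oma.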
Author Comment by bluemercury (ID: 20381833)
This is very insightful. So you're saying that the tick box to require encryption and set the required security level at 128-bit (on a virtual directory in IIS) is simply not required if I have the certificate in place (therefore simply making it a method of enforcement only)? It will all happen automatically if users come in on 443? Presumably an internal call to port 80 is still achievable given this setup.

Your internal call point is understood. Does integrated authentication use the Kerberos protocol?

I hold an MCSE in the current (and last) syllabus with Exchange electives, and on occasion it surprises me (well not too much, being Microsoft) that Microsoft miss these little details out.

It is also helpful to know that SBS creates the "exchange-oma" folder for users. Looks like every single server installation of Exchange 2003 I do, I shall implement using your clearly defined method.

Many thanks,

Bluemercury