Solved

Concerns over security having fixed Exchange ActiveSync Problems

Posted on 2007-11-29
451 Views
Last Modified: 2013-12-05
Hi Guys.

I had all sorts of problems getting ActiveSync for Exchange set up and working. I found Sembee's very helpful article here: http://www.amset.info/exchange/mobile-85010014.asp I followed it, and it worked a treat - thank you very much Sembee :)

However, the one thing I can't do, having run through all the instructions, is that I cannot turn encryption back on on the newly created virtual directory, mentioned in the article as "exchange-oma", and keep things working. All the other Exchange related folders have encryption turned on. If I turn the encryption back on on the "exchange-oma" folder though, ActiveSync stops working. Turn it back off, and everything is happy straight away.

Is it important to have on, or is the encryption on the other folders enough to guarantee encryption across all access? Also, what exactly is in / linked to the "exchange-oma" folder? As it was created from metadata gathered from the original "exchange" virtual directory, and a registry key was added, does it not contain content that needs encrypting?

Sorry to waffle, I look forward to any input.

Many thanks,

Bluemercury
0
Question by:bluemercury
9 Comments
 
LVL 1

Author Comment

by:bluemercury
ID: 20374187
Adding on, am I ok because I have 'form based authentication' switched on?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20374520
Do you have port 80 open to the internet? If not then everything will be SSL secured anyway. I never open port 80 on my deployments and then I don't need to worry about whether it is secure or not because the SSL certificate will be used.

Simon.
0
 
LVL 1

Author Comment

by:bluemercury
ID: 20374730
This is a good call, and had occurred to me also. The only problem is that we have port 80 open so that people can just type webmail.company.com into their browser. It then loads a web page from our IIS server root that redirects to https://webmail.company.com (our OWA site). Is there a better way of doing this, whilst still using the same host name for both of these, as our certificate is all linked up with this?

Many thanks,

Bluemercury
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20378670
I am actually one of those cruel people who do not allow the users to enter the http variant. I find they quickly learn. I do not want http traffic coming anywhere near the Exchange server. Too many people in IT now who don't remember the Code Red worm which spread on port 80.

Simon.
0
 
LVL 1

Author Comment

by:bluemercury
ID: 20380989
You know Sembee, I think you've got a good point. I never did open port 80 before recently - it's only this firm I'm at which I've opened up this port. There's some people here that, let's say, need it made as simple as possible. I think I'm going to take your 'cruel' line though, and tell them to learn!

Of course, an alternative is that I direct port 80 to one of our other internal servers that has no Exchange on it, and a clean install of IIS, that simply hosts the forwarding page.

Back to the question, do you know whether "exchange-oma" needs to be secured anyway, and what exactly is in it? If I browse to the virtual directory from a browser, it doesn't load up correctly in the way the original "exchange" folder does.... Logic tells me they should be same, so I don't quite get how it is configured.

Many thanks for your input.

Best wishes,

Bobby
0
 
LVL 104

Expert Comment

by:Sembee
ID: 20381372
The exchange-oma directory should be identical in operation to the main /exchange virtual directory, just without the forms based authentication setting. It should load OWA. You don't want to enable require SSL or anything like that on it because it is used by OMA and EAS to get their data for the PDA devices. That is an internal call on port 80.

Simon.
0
 
LVL 1

Author Comment

by:bluemercury
ID: 20381732
You're right - it is loading up now. So am I right in thinking that in order to get ActiveSync working and to have a secure link, you would always need to set up this additional "exchange-oma" virtual folder? I have always ticked the require encryption / 128 bit settings on the "Exchange" folder, so in fitting with this does it mean you have to create this replica folder for all Exchange Servers that you want ActiveSync on? (this would explain why I've always experienced this problem with ActiveSync)

Many thanks,

Bluemercury
0
 
LVL 104

Accepted Solution

by:Sembee (earned 500 total points)
ID: 20381764
The reason the additional folder is required is when you are using forms based authentication and/or require SSL.
The internal call is on port 80 and uses integrated authentication. When you enable forms based authentication, integrated authentication is disabled. Require SSL basically generates an error in the browser, which also stops the internal process.

However, don't forget that require SSL is NOT a required setting to make the connection secure. If you only open port 443 and have an SSL certificate in place then the certificate will work. Require SSL is only to protect something that has both http and https access.

As with many things and Microsoft, they want you to use a frontend/backend scenario. In that case you don't need to make any changes. Same goes for RPC over HTTPS. In FE/BE you get a nice GUI to setup, single server you have to make the manual registry changes.

SBS R2 of course makes the exchange-oma and related changes for you.

Simon.
0
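An added check, not part of this thread or of Sembee's article, that tests the accepted answer's reasoning from an external vantage point: if port 80 is closed at the firewall (or only ever redirects to https://) and 443 answers, every OWA/EAS session is TLS regardless of the Require SSL tick box. The hostname passed to probe() is an assumption; the connection factories are parameters so the logic can be exercised offline.

```python
import http.client
import socket
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def tcp_reachable(host, port, timeout=3.0, connect=socket.create_connection):
    """True if a TCP connection to host:port succeeds from this vantage point."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def http_redirects_to_https(host, timeout=3.0, connection=http.client.HTTPConnection):
    """Fetch / over plain HTTP; True only if the reply is a redirect to an https:// URL."""
    conn = connection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        target = urlsplit(resp.getheader("Location") or "")
        return resp.status in REDIRECT_CODES and target.scheme == "https"
    except OSError:
        return False
    finally:
        conn.close()

def assess_exposure(port80_open, port443_open, redirects_to_https):
    """Apply the thread's reasoning to three observed facts and return a verdict dict."""
    verdict = {
        # Require SSL on the vdirs only matters when content is reachable over both schemes.
        "require_ssl_needed": port80_open and not redirects_to_https,
        # Port 80 closed, or serving nothing but a redirect, means mailbox content is TLS-only.
        "content_tls_only": port443_open and (not port80_open or redirects_to_https),
        "notes": [],
    }
    if not port443_open:
        verdict["notes"].append("443 closed: no TLS path to OWA/EAS at all")
    if not port80_open:
        verdict["notes"].append("80 closed: encryption enforced by the firewall, Require SSL not needed")
    elif redirects_to_https:
        verdict["notes"].append("80 open but only redirects to https: no mailbox content in the clear")
    else:
        verdict["notes"].append("80 open and serving content: close 80 or enable Require SSL on exposed vdirs")
    return verdict

def probe(host):
    """Run the live checks against a hostname (assumed, e.g. webmail.company.com) and assess."""
    p80 = tcp_reachable(host, 80)
    p443 = tcp_reachable(host, 443)
    return assess_exposure(p80, p443, p80 and http_redirects_to_https(host))
```

Run probe() from outside the firewall, not from the LAN, since the exchange-oma call on port 80 is meant to succeed internally.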
 
LVL 1

Author Comment

by:bluemercury
ID: 20381833
This is very insightful. So you're saying that the tick box to require encryption and set the required security level at 128-bit (on a virtual directory in IIS) is simply not required if I have the certificate in place (therefore simply making it a method of enforcement only)? It will all happen automatically if users are coming in on 443? Presumably an internal call to port 80 is still achievable given this setup.

Your internal call point is understood. Does integrated authentication use the Kerberos protocol?

I hold an MCSE in the current (and last) syllabus with Exchange electives, and on occasion it surprises me (well not too much, being Microsoft) that Microsoft miss these little details out.

It is also helpful to know that SBS creates the "exchange-oma" folder for users. Looks like every single server installation of Exchange 2003 I do, I shall implement using your clearly defined method.

Many thanks,

Bluemercury
0
