I am trying to setup the new Global Data Centre for a client, most of which has already been done. The final part to setup is migrating OWA and Activesync, both of which use the same URL with obviously the part after the forward slash defining which service the client wishes to use.
From testing we have proved that https://www.companyname.net/exchange
works fine on the new systems and there are no SSL certificate errors, to test this I simply changed my host file to point www.companyname.net
to the new systems. We also tested this live by changing live DNS, however at this time we were not made aware of the number of activesync users and as such didnt put too much emphasis on testing activesync, incorrectly assuming that because OWA works and its the same URL and SSL then Activesync would also work (we did test OMA and it worked). However when we migrated over the activesync devices stopped working (some after several days due to DNS propagation times on the mobile operator networks taking around 4 days and the same length of time to revert). There were various errors depending on the version of mobile in use but all of them were concerning invalid/out of date certificates, so we had to revert the change, so for the moment activesync and OWA both point back to the old data centre.
Now obviously devices which use OWA are typically PCs and as such they have a lot more intermediate and root certificates on them than the Activesync windows mobile devices which typically have very few if any intermediates. We did notice that on the front end exchange and ISA servers the intermediate certificate which was in the certificate chain for the www.companyname.net
certificate expired in 2004, so as per instructions on http://support.microsoft.com/kb/927465
(error 1 is the error we receive) I updates the certificates on all front end and ISA exchange servers for the intermediates as well as the root certificates, I also use SSL Chain Saver from Microsoft to ensure the chain presented to the device was the correct chain of SSL certs, and it was, indeed it was the same chain of certs provided by the old setup.
It is my understanding, and id like corrected if im wrong, that if the mobile device doesnt have the correct intermediate or root certs then the exchange/ISA servers will provide them in the chain and present them to the mobile device so that it can verify the certs, however this does not appear to be happening, the only time I have been able to get activesync to work is via my iphone by importing the certs manually, but this is not really an option for the users scattered around the globe, also the fact that it works on the old setup with the same certs baffles me.
For info my testing method has been to setup a virtual server with the DNS zone companyname.net and an A record pointing www to the new servers and then configuring a wireless network for the iphone, Windows mobile 6.1 device emulator and windows mobile to use and spoof them in to going to the new location, my only success so far as Ive said is by importing the certs to the iphone, but im pretty sure that as the certificates are not internal (they are issued by verisign) then certs shouldnt need to be imported. We are using ISA 2006 and it validates all the certificates fine as well as providing access to OWA with no certificate errors.
Any input or experience with SSL/Activesync, ISA and Exchange would be much appreciated.