Solved

ActiveSync on Exchange 2003 through ISA 2006 not working

Posted on 2011-02-25
9
1,765 Views
Last Modified: 2012-05-11
At a loss as to why ActiveSync isn't working to my Exchange 2003 environmentt. Here's the details:

ISA 2006 servers (NLB)
Exchange 2003 with SP2 (2 x Frontend NLB, 2 x Backend cluster)
One publishing rule for OWA, OMA and ActiveSync.

OWA and OMA work great. I have my certificate (Verisign wildcard) installed on the ISAs. Bridging converts HTTPS traffic to HTTP from ISA to frontend servers.

When ActiveSync connection comes in I get the following:

Denied Connection MYISA02 25/02/2011 12:15:33
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  
Rule: MUS Exchange Internet Services
Source: (85.237.231.144)
Destination: (111.222.10.3:443)
Request: POST http://webmail.mycompany.com/Microsoft-Server-ActiveSync?User=testuser&DeviceId=200B8257E75C28F8386303F4FEEDFE3F&DeviceType=PocketPC&Cmd=GetHierarchy 
Filter information: Req ID: 11a38c72; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Additional information
Client agent: MSFT-PPC/5.2.5082
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 31 ms
MIME type:
 

I ran the Exchange Remote Connectivity Analyser and got the following:

Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate chain didn't end in a trusted root. Root = OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
 
Any suggestions?
0
Comment
Question by:AWGMorrison
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 34979198
Your error is clearly

The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  

in the publishing rule in the Paths tab do you have the /Microsoft-Server-ActiveSync/*

??

can you share a screen shot of this tab in your publishing rule ?

thanks
0
 

Author Comment

by:AWGMorrison
ID: 34979388
Screen shot attached.

One thing to add to the mix is that we use a Radius server to validate connections. On the listener I have HTML Form Authentication enabled with the RADIUS OTP set.  The OWA and OMA present the login form which has username, password and radius passcode fields. I've just noticed that when ActiveSync connects the numbers of failed tries on our Radius console increases by 2 each time. I thought that when an ActiveSync connection came in the ISA server recognised it as such and bypassed the RADIUS validation?
Capture.JPG
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979497
excuse me but at the end does it have a /* just like the others ?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:AWGMorrison
ID: 34979601
Yes it does end /*

The rule was created using ISA 2006 Exchange Web Client Access Publishing rule. The Paths were created automatically.

I've just read that RADIUS can break ActiveSync. I'm thinking this could be the problem.

http://blog.stealthpuppy.com/isa-server/strengthening-owa-authentication-with-isa-2006-and-rsa-securid/

So if I create a second listener that does not have RADIUS OTP and have a seperate rule just for ActiveSync this might work? Not sure, can I have two listeners using the same IP address? or would I need to us a separate IP for Activesync?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979624
another listener would mean another IP  address

can you do me a favor so I test something ?

that first entry you have external path / Internal path /exchange\ can you remove it and add another one with External path <same as internal> and internal path /*

and test ?
0
 

Author Comment

by:AWGMorrison
ID: 34980681
Same result

I'm going to try second IP, listener and rule dedicated to ActiveSync.
0
 

Accepted Solution

by:
AWGMorrison earned 0 total points
ID: 35006436
Now working. It was down to the fact that OWA uses RADIUS OTP. I created a new subdomain and allocated it an IP address on my firewall. I created a seperate rule for ActiveSync on the ISA server and tested. Connection now syncing fine and email working great. Thanks for you help anyway.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35006458
THanks for the update
0
 

Author Closing Comment

by:AWGMorrison
ID: 35045332
Solution was to setup seperate rule and subdomain for ActiveSync as RADIUS was preventing it working with OWA rule.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question