Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

ActiveSync on Exchange 2003 through ISA 2006 not working

Posted on 2011-02-25
9
Medium Priority
?
1,824 Views
Last Modified: 2012-05-11
At a loss as to why ActiveSync isn't working to my Exchange 2003 environmentt. Here's the details:

ISA 2006 servers (NLB)
Exchange 2003 with SP2 (2 x Frontend NLB, 2 x Backend cluster)
One publishing rule for OWA, OMA and ActiveSync.

OWA and OMA work great. I have my certificate (Verisign wildcard) installed on the ISAs. Bridging converts HTTPS traffic to HTTP from ISA to frontend servers.

When ActiveSync connection comes in I get the following:

Denied Connection MYISA02 25/02/2011 12:15:33
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  
Rule: MUS Exchange Internet Services
Source: (85.237.231.144)
Destination: (111.222.10.3:443)
Request: POST http://webmail.mycompany.com/Microsoft-Server-ActiveSync?User=testuser&DeviceId=200B8257E75C28F8386303F4FEEDFE3F&DeviceType=PocketPC&Cmd=GetHierarchy 
Filter information: Req ID: 11a38c72; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Additional information
Client agent: MSFT-PPC/5.2.5082
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 31 ms
MIME type:
 

I ran the Exchange Remote Connectivity Analyser and got the following:

Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate chain didn't end in a trusted root. Root = OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
 
Any suggestions?
0
Comment
Question by:AWGMorrison
  • 5
  • 4
9 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 34979198
Your error is clearly

The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  

in the publishing rule in the Paths tab do you have the /Microsoft-Server-ActiveSync/*

??

can you share a screen shot of this tab in your publishing rule ?

thanks
0
 

Author Comment

by:AWGMorrison
ID: 34979388
Screen shot attached.

One thing to add to the mix is that we use a Radius server to validate connections. On the listener I have HTML Form Authentication enabled with the RADIUS OTP set.  The OWA and OMA present the login form which has username, password and radius passcode fields. I've just noticed that when ActiveSync connects the numbers of failed tries on our Radius console increases by 2 each time. I thought that when an ActiveSync connection came in the ISA server recognised it as such and bypassed the RADIUS validation?
Capture.JPG
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979497
excuse me but at the end does it have a /* just like the others ?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:AWGMorrison
ID: 34979601
Yes it does end /*

The rule was created using ISA 2006 Exchange Web Client Access Publishing rule. The Paths were created automatically.

I've just read that RADIUS can break ActiveSync. I'm thinking this could be the problem.

http://blog.stealthpuppy.com/isa-server/strengthening-owa-authentication-with-isa-2006-and-rsa-securid/

So if I create a second listener that does not have RADIUS OTP and have a seperate rule just for ActiveSync this might work? Not sure, can I have two listeners using the same IP address? or would I need to us a separate IP for Activesync?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979624
another listener would mean another IP  address

can you do me a favor so I test something ?

that first entry you have external path / Internal path /exchange\ can you remove it and add another one with External path <same as internal> and internal path /*

and test ?
0
 

Author Comment

by:AWGMorrison
ID: 34980681
Same result

I'm going to try second IP, listener and rule dedicated to ActiveSync.
0
 

Accepted Solution

by:
AWGMorrison earned 0 total points
ID: 35006436
Now working. It was down to the fact that OWA uses RADIUS OTP. I created a new subdomain and allocated it an IP address on my firewall. I created a seperate rule for ActiveSync on the ISA server and tested. Connection now syncing fine and email working great. Thanks for you help anyway.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35006458
THanks for the update
0
 

Author Closing Comment

by:AWGMorrison
ID: 35045332
Solution was to setup seperate rule and subdomain for ActiveSync as RADIUS was preventing it working with OWA rule.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question