Solved

ActiveSync on Exchange 2003 through ISA 2006 not working

Posted on 2011-02-25
Last Modified: 2012-05-11
At a loss as to why ActiveSync isn't working to my Exchange 2003 environment. Here are the details:

ISA 2006 servers (NLB)
Exchange 2003 with SP2 (2 x Frontend NLB, 2 x Backend cluster)
One publishing rule for OWA, OMA and ActiveSync.

OWA and OMA work great. I have my certificate (Verisign wildcard) installed on the ISAs. Bridging converts HTTPS traffic to HTTP from ISA to frontend servers.

When an ActiveSync connection comes in I get the following:

Denied Connection MYISA02 25/02/2011 12:15:33
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  
Rule: MUS Exchange Internet Services
Source: (85.237.231.144)
Destination: (111.222.10.3:443)
Request: POST http://webmail.mycompany.com/Microsoft-Server-ActiveSync?User=testuser&DeviceId=200B8257E75C28F8386303F4FEEDFE3F&DeviceType=PocketPC&Cmd=GetHierarchy
Filter information: Req ID: 11a38c72; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Additional information
Client agent: MSFT-PPC/5.2.5082
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 31 ms
MIME type:
 

I ran the Exchange Remote Connectivity Analyser and got the following:

Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate chain didn't end in a trusted root. Root = OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
 
Any suggestions?
Question by:AWGMorrison
9 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 34979198
Your error is clearly:

The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.

In the publishing rule, in the Paths tab, do you have /Microsoft-Server-ActiveSync/*?

Can you share a screenshot of this tab in your publishing rule?

Thanks
0
 

Author Comment

by:AWGMorrison
ID: 34979388
Screen shot attached.

One thing to add to the mix is that we use a Radius server to validate connections. On the listener I have HTML Form Authentication enabled with the RADIUS OTP set. The OWA and OMA present the login form which has username, password and radius passcode fields. I've just noticed that when ActiveSync connects the number of failed tries on our Radius console increases by 2 each time. I thought that when an ActiveSync connection came in the ISA server recognised it as such and bypassed the RADIUS validation?
Capture.JPG
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979497
Excuse me, but at the end does it have a /* just like the others?
0
 

Author Comment

by:AWGMorrison
ID: 34979601
Yes it does end /*

The rule was created using ISA 2006 Exchange Web Client Access Publishing rule. The Paths were created automatically.

I've just read that RADIUS can break ActiveSync. I'm thinking this could be the problem.

http://blog.stealthpuppy.com/isa-server/strengthening-owa-authentication-with-isa-2006-and-rsa-securid/

So if I create a second listener that does not have RADIUS OTP and have a separate rule just for ActiveSync this might work? Not sure, can I have two listeners using the same IP address? Or would I need to use a separate IP for ActiveSync?
0

 
LVL 49

Expert Comment

by:Akhater
ID: 34979624
Another listener would mean another IP address.

Can you do me a favor so I can test something?

That first entry you have external path / Internal path /exchange\ can you remove it and add another one with External path <same as internal> and internal path /*

and test?
0
 

Author Comment

by:AWGMorrison
ID: 34980681
Same result

I'm going to try second IP, listener and rule dedicated to ActiveSync.
0
 

Accepted Solution

by:
AWGMorrison earned 0 total points
ID: 35006436
Now working. It was down to the fact that OWA uses RADIUS OTP. I created a new subdomain and allocated it an IP address on my firewall. I created a separate rule for ActiveSync on the ISA server and tested. Connection now syncing fine and email working great. Thanks for your help anyway.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35006458
Thanks for the update
0
 

Author Closing Comment

by:AWGMorrison
ID: 35045332
Solution was to set up a separate rule and subdomain for ActiveSync as RADIUS was preventing it working with the OWA rule.
0
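
An added example, not part of the thread or any participant's code: a Python triage of a denied ISA log entry in the layout quoted in the question, flagging the signals that pointed at the listener's authentication (Authorization header present, user still anonymous, no FBA cookie) rather than at the Paths tab. The sample entry and the names `parse_entry` and `triage` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the log-viewer layout quoted in the question;
# host, address, user and device id are placeholders, not real values.
SAMPLE = """\
Denied Connection ISA-EXAMPLE 25/02/2011 12:15:33
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL).
Source: (192.0.2.10)
Request: POST http://mail.example.com/Microsoft-Server-ActiveSync?User=alice&DeviceId=0123456789ABCDEF&DeviceType=PocketPC&Cmd=GetHierarchy
Filter information: Req ID: 00000001; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
User: anonymous
Client agent: MSFT-PPC/5.2.5082
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
"""

def parse_entry(text):
    """Turn 'Key: value' lines into a dict; the first line is the action."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fields = {"Action": lines[0]}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """List the signals that point at listener authentication, not paths."""
    _method, _, url = fields.get("Request", "").partition(" ")
    parts = urlsplit(url)
    if not parts.path.lower().startswith("/microsoft-server-activesync"):
        return []  # not an ActiveSync request, nothing to say
    cmd = parse_qs(parts.query).get("Cmd", ["?"])[0]
    fba = dict(re.findall(r"\b(exists|valid)=(\w+)", fields.get("Filter information", "")))
    findings = []
    if fields.get("Action", "").startswith("Denied"):
        findings.append("ActiveSync request denied (Cmd=%s)" % cmd)
    if ("AUTHORIZATION header" in fields.get("Cache info", "")
            and fields.get("User", "").lower() == "anonymous"):
        findings.append("credentials were sent but the session stayed anonymous")
    if fba.get("exists") == "no":
        findings.append("no FBA cookie: the client never completed the listener's login form")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_entry(SAMPLE)):
        print(finding)
```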
