Solved

ActiveSync on Exchange 2003 through ISA 2006 not working

Posted on 2011-02-25
Last Modified: 2012-05-11
At a loss as to why ActiveSync isn't working to my Exchange 2003 environment. Here are the details:

ISA 2006 servers (NLB)
Exchange 2003 with SP2 (2 x Frontend NLB, 2 x Backend cluster)
One publishing rule for OWA, OMA and ActiveSync.

OWA and OMA work great. I have my certificate (Verisign wildcard) installed on the ISAs. Bridging converts HTTPS traffic to HTTP from ISA to frontend servers.

When an ActiveSync connection comes in I get the following:

Denied Connection MYISA02 25/02/2011 12:15:33
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  
Rule: MUS Exchange Internet Services
Source: (85.237.231.144)
Destination: (111.222.10.3:443)
Request: POST http://webmail.mycompany.com/Microsoft-Server-ActiveSync?User=testuser&DeviceId=200B8257E75C28F8386303F4FEEDFE3F&DeviceType=PocketPC&Cmd=GetHierarchy 
Filter information: Req ID: 11a38c72; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Additional information
Client agent: MSFT-PPC/5.2.5082
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 31 ms
MIME type:
 

I ran the Exchange Remote Connectivity Analyser and got the following:

Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate chain didn't end in a trusted root. Root = OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
 
Any suggestions?
0
Question by:AWGMorrison
9 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 34979198
Your error is clearly:

The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.

In the publishing rule, on the Paths tab, do you have /Microsoft-Server-ActiveSync/* ?

Can you share a screenshot of this tab in your publishing rule?

Thanks
0
 

Author Comment

by:AWGMorrison
ID: 34979388
Screen shot attached.

One thing to add to the mix is that we use a RADIUS server to validate connections. On the listener I have HTML Form Authentication enabled with the RADIUS OTP set. The OWA and OMA present the login form, which has username, password and RADIUS passcode fields. I've just noticed that when ActiveSync connects, the number of failed tries on our RADIUS console increases by 2 each time. I thought that when an ActiveSync connection came in, the ISA server recognised it as such and bypassed the RADIUS validation?
Capture.JPG
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979497
Excuse me, but at the end does it have a /* just like the others?
0

Author Comment

by:AWGMorrison
ID: 34979601
Yes it does end /*

The rule was created using ISA 2006 Exchange Web Client Access Publishing rule. The Paths were created automatically.

I've just read that RADIUS can break ActiveSync. I'm thinking this could be the problem.

http://blog.stealthpuppy.com/isa-server/strengthening-owa-authentication-with-isa-2006-and-rsa-securid/

So if I create a second listener that does not have RADIUS OTP and have a separate rule just for ActiveSync this might work? Not sure, can I have two listeners using the same IP address? Or would I need to use a separate IP for ActiveSync?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979624
Another listener would mean another IP address.

Can you do me a favor so I can test something?

That first entry you have, external path / Internal path /exchange\, can you remove it and add another one with External path <same as internal> and internal path /*

and test?
0
 

Author Comment

by:AWGMorrison
ID: 34980681
Same result

I'm going to try a second IP, listener and rule dedicated to ActiveSync.
0
 

Accepted Solution

by:
AWGMorrison earned 0 total points
ID: 35006436
Now working. It was down to the fact that OWA uses RADIUS OTP. I created a new subdomain and allocated it an IP address on my firewall. I created a separate rule for ActiveSync on the ISA server and tested. Connection now syncing fine and email working great. Thanks for your help anyway.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35006458
Thanks for the update
0
 

Author Closing Comment

by:AWGMorrison
ID: 35045332
Solution was to set up a separate rule and subdomain for ActiveSync, as RADIUS was preventing it working with the OWA rule.
0
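
The log pattern from the question, turned into a triage check (an added example, not part of the original thread): it parses a pasted ISA denied-connection entry and flags an ActiveSync request that arrived with an Authorization header but no FBA cookie and was rejected as anonymous, which is what the thread traced to the form/RADIUS OTP listener. The field layout follows the entry quoted above; the sample values, function names and finding labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of the denied entry quoted in the question;
# host name, rule name, request ID and device ID are placeholders.
DENIED_SYNC = """\
Denied Connection ISA-EXAMPLE 25/02/2011 12:15:33
Status: 12232 The server denied the specified Uniform Resource Locator (URL).
Rule: Example Exchange Rule
Request: POST http://webmail.example.com/Microsoft-Server-ActiveSync?User=testuser&DeviceId=CONSTRUCTED0001&DeviceType=PocketPC&Cmd=GetHierarchy
Filter information: Req ID: 00000001; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
User: anonymous
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
"""

def parse_record(text):
    """Split the 'Key: value' lines of one pasted log entry into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def triage(text):
    """Flag an ActiveSync request that a form-based listener turned away."""
    f = parse_record(text)
    _method, _, url = f.get("request", "").partition(" ")
    parts = urlsplit(url)
    if not parts.path.lower().startswith("/microsoft-server-activesync"):
        return []          # OWA/OMA traffic: the form login is expected there
    findings = []
    status = f.get("status", "").split(" ", 1)[0]
    fba = dict(re.findall(r"(exists|valid)=(\w+)", f.get("filter information", "")))
    # Denied with status 12232 while the log still records the user as anonymous.
    if status == "12232" and f.get("user", "").lower() == "anonymous":
        findings.append("denied-as-anonymous")
    if "AUTHORIZATION header" in f.get("cache info", "") and fba.get("exists") == "no":
        findings.append("header-credentials-without-fba-cookie")
    if findings:
        cmd = parse_qs(parts.query).get("Cmd", ["?"])[0]
        findings.append("cmd=" + cmd)
    return findings

if __name__ == "__main__":
    print(triage(DENIED_SYNC))
```

Both findings together on the same rule that serves OWA point at the listener's authentication method rather than at the Paths tab.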
