Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ActiveSync on Exchange 2003 through ISA 2006 not working

Posted on 2011-02-25
9
Medium Priority
?
1,803 Views
Last Modified: 2012-05-11
At a loss as to why ActiveSync isn't working to my Exchange 2003 environmentt. Here's the details:

ISA 2006 servers (NLB)
Exchange 2003 with SP2 (2 x Frontend NLB, 2 x Backend cluster)
One publishing rule for OWA, OMA and ActiveSync.

OWA and OMA work great. I have my certificate (Verisign wildcard) installed on the ISAs. Bridging converts HTTPS traffic to HTTP from ISA to frontend servers.

When ActiveSync connection comes in I get the following:

Denied Connection MYISA02 25/02/2011 12:15:33
Log type: Web Proxy (Reverse)
Status: 12232 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  
Rule: MUS Exchange Internet Services
Source: (85.237.231.144)
Destination: (111.222.10.3:443)
Request: POST http://webmail.mycompany.com/Microsoft-Server-ActiveSync?User=testuser&DeviceId=200B8257E75C28F8386303F4FEEDFE3F&DeviceType=PocketPC&Cmd=GetHierarchy 
Filter information: Req ID: 11a38c72; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Additional information
Client agent: MSFT-PPC/5.2.5082
Object source: (No source information is available.)
Cache info: 0x8 (Request includes the AUTHORIZATION header.)
Processing time: 31 ms
MIME type:
 

I ran the Exchange Remote Connectivity Analyser and got the following:

Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate chain didn't end in a trusted root. Root = OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
 
Any suggestions?
0
Comment
Question by:AWGMorrison
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 34979198
Your error is clearly

The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  

in the publishing rule in the Paths tab do you have the /Microsoft-Server-ActiveSync/*

??

can you share a screen shot of this tab in your publishing rule ?

thanks
0
 

Author Comment

by:AWGMorrison
ID: 34979388
Screen shot attached.

One thing to add to the mix is that we use a Radius server to validate connections. On the listener I have HTML Form Authentication enabled with the RADIUS OTP set.  The OWA and OMA present the login form which has username, password and radius passcode fields. I've just noticed that when ActiveSync connects the numbers of failed tries on our Radius console increases by 2 each time. I thought that when an ActiveSync connection came in the ISA server recognised it as such and bypassed the RADIUS validation?
Capture.JPG
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979497
excuse me but at the end does it have a /* just like the others ?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:AWGMorrison
ID: 34979601
Yes it does end /*

The rule was created using ISA 2006 Exchange Web Client Access Publishing rule. The Paths were created automatically.

I've just read that RADIUS can break ActiveSync. I'm thinking this could be the problem.

http://blog.stealthpuppy.com/isa-server/strengthening-owa-authentication-with-isa-2006-and-rsa-securid/

So if I create a second listener that does not have RADIUS OTP and have a seperate rule just for ActiveSync this might work? Not sure, can I have two listeners using the same IP address? or would I need to us a separate IP for Activesync?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34979624
another listener would mean another IP  address

can you do me a favor so I test something ?

that first entry you have external path / Internal path /exchange\ can you remove it and add another one with External path <same as internal> and internal path /*

and test ?
0
 

Author Comment

by:AWGMorrison
ID: 34980681
Same result

I'm going to try second IP, listener and rule dedicated to ActiveSync.
0
 

Accepted Solution

by:
AWGMorrison earned 0 total points
ID: 35006436
Now working. It was down to the fact that OWA uses RADIUS OTP. I created a new subdomain and allocated it an IP address on my firewall. I created a seperate rule for ActiveSync on the ISA server and tested. Connection now syncing fine and email working great. Thanks for you help anyway.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35006458
THanks for the update
0
 

Author Closing Comment

by:AWGMorrison
ID: 35045332
Solution was to setup seperate rule and subdomain for ActiveSync as RADIUS was preventing it working with OWA rule.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question