Solved

SSL certificate bought from GoDaddy.com cannot be used for Exchange ActiveSync on iPhone

Posted on 2011-03-01
915 Views
Last Modified: 2012-05-11
We purchased an SSL certificate from GoDaddy.com recently and installed it per their instructions. We can use this SSL certificate for OWA access and Outlook Anywhere access without problem when the Require Secure Channel (SSL) option is enabled.

But when this option is enabled, the iPhone mobile client cannot reach the server.
If we turn off this option, the iPhone can connect to Exchange with no problem. The SSL option on the iPhone can be turned on or off; it does not matter. But this is not what we want. We want all connections to be secured.

This problem does not happen when we use our own self signed SSL certificate.
Question by:Advantek
12 Comments

Expert Comment by: Alan Hardisty
If you have installed the GoDaddy cert correctly and have configured your server correctly there shouldn't be any problems.

Please have a read of my article and make sure you are configured correctly - run the test on the test site and shout if you need any help.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Alan

Accepted Solution by: Scovndrel (earned 500 total points)
It sounds to me as if you need to uncheck the SSL box on the virtual directory you are using for OMA (often called exchange-oma), make sure your IP restrictions are set up on that folder, and DO require SSL on the Exchange virtual directory. But this is a stab in the dark; there is not enough information to really go on.

Author Closing Comment by: Advantek
The given suggestion works.

Expert Comment by: Scovndrel
Thanks! Let's make sure you did not open yourself up to a security hole though.

The way the exchange-oma directory works, only the Exchange server needs to access it. Since you are not requiring SSL on the exchange-oma virtual directory, you want to apply IP restrictions to that folder so that the only connections that work to that virtual directory are from the local server accessing itself.

In the attached screen shot, the Exchange server is 192.168.1.10, and so the exchange-oma virtual directory is locked down to only accept connections from 192.168.1.10.

Good luck!

[Screenshot: exchange-oma virtual directory, IP address restrictions limited to 192.168.1.10]

Author Comment by: Advantek
If I setup require SSL for OMA, do I still need to set IP restriction?
 
Expert Comment by: Scovndrel
I believe that requiring SSL on that folder breaks ActiveSync. Isn't that what you found when you read my answer and tried it, and it started working? You disabled SSL and it started working, right?

Here is the article that I follow when I set up ActiveSync on a new Exchange 2003 / IIS6 server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;817379
Assuming you've got a single-server environment, jump down to Method 2.

Your setup, if it is working now, is mostly done. I offer this document as a guideline to check your security after the fact.


Author Comment by: Advantek
I did not enable Require SSL at the default web site level; I only set Require SSL on the OMA virtual folder. After I set it, the iPhone's SSL option needs to be turned on, and then it can access.

Expert Comment by: Scovndrel
Suggest you go through that article and compare it with your setup. Just talking SSL checkboxes, though:

Root of website: NOT required.
/Exchange virtual directory: Optional, but if you want it to be secure, use REQUIRED.
/exchange-oma virtual directory: NOT required, but do turn on IP-based restrictions.
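The following is an added verification script, not code from the thread, from Microsoft, or from GoDaddy. It checks, from a workstation that is not the Exchange server, that an Exchange 2003 / IIS 6 front end actually matches the checkbox layout summarised above (root: SSL not required; /Exchange: SSL required; /exchange-oma: SSL not required but IP-restricted to the server itself; /Microsoft-Server-ActiveSync reachable over HTTPS). The host name is an assumption, as is the detail that IIS 6 writes the 403 sub-status ("403.4" for SSL required, "403.6" for a rejected client IP) into its error page body, which is where the script reads it from. The sample responses are constructed so the evaluation runs offline.

```python
# Added example, not code from the thread or from Microsoft/GoDaddy.
# Verifies from a workstation that an Exchange 2003 / IIS 6 front end matches
# the checkbox layout recommended in the thread:
#   /                              Require SSL: off
#   /Exchange                      Require SSL: on   -> plain HTTP gets 403.4
#   /exchange-oma                  Require SSL: off, but IP-restricted to the
#                                  server itself     -> a remote client gets 403.6
#   /Microsoft-Server-ActiveSync   reachable over HTTPS -> 401 credential challenge
# Assumptions (not from the page): the host name below, and that IIS 6 writes the
# 403 sub-status ("403.4", "403.6") into the error body, which is where we read it.
import http.client
import re
import ssl

HOST = "mail.example.com"  # assumed; replace with the server's public name
SUBSTATUS_RE = re.compile(r"\b403\.(\d+)\b")


def substatus(status, body):
    """Normalise a response to '403.4' / '403.6' when IIS names the sub-status, else the bare code."""
    if status == 403:
        m = SUBSTATUS_RE.search(body)
        if m:
            return "403." + m.group(1)
    return str(status)


def probe(host, path, use_tls):
    """One unauthenticated GET; returns (status, body). Only this function touches the network."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, 443, timeout=10, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("latin-1", "replace")
    finally:
        conn.close()


# (path, over_tls) -> predicate on the normalised status, plus why a mismatch matters.
EXPECTED = {
    ("/", False): (lambda s: s != "403.4", "Require SSL must stay off at the web-site root"),
    ("/Exchange/", False): (lambda s: s == "403.4", "/Exchange should refuse plain HTTP (403.4)"),
    ("/exchange-oma/", False): (lambda s: s == "403.6", "/exchange-oma must reject remote IPs (403.6)"),
    ("/exchange-oma/", True): (lambda s: s == "403.6", "the IP restriction must hold over HTTPS too"),
    ("/Microsoft-Server-ActiveSync", True): (lambda s: s == "401", "ActiveSync must answer over HTTPS with an auth challenge"),
}


def evaluate(observed):
    """observed: {(path, over_tls): (status, body)}. Returns a list of findings; empty means the layout matches."""
    findings = []
    for (path, over_tls), (ok, why) in EXPECTED.items():
        scheme = "https" if over_tls else "http"
        if (path, over_tls) not in observed:
            findings.append(f"{path} ({scheme}): not probed; {why}")
            continue
        got = substatus(*observed[(path, over_tls)])
        if not ok(got):
            findings.append(f"{path} ({scheme}): got {got}; {why}")
    return findings


def run_live(host=HOST):
    """Probe every entry in EXPECTED against a real server and evaluate the answers."""
    return evaluate({key: probe(host, key[0], key[1]) for key in EXPECTED})


# Constructed responses in IIS 6's error-page wording, so the check runs offline.
SAMPLE_OK = {
    ("/", False): (200, "<html>Outlook Web Access</html>"),
    ("/Exchange/", False): (403, "HTTP Error 403.4 - Forbidden: SSL is required to view this resource."),
    ("/exchange-oma/", False): (403, "HTTP Error 403.6 - Forbidden: IP address of the client has been rejected."),
    ("/exchange-oma/", True): (403, "HTTP Error 403.6 - Forbidden: IP address of the client has been rejected."),
    ("/Microsoft-Server-ActiveSync", True): (401, ""),
}

if __name__ == "__main__":
    for line in evaluate(SAMPLE_OK) or ["layout matches the thread's recommendation"]:
        print(line)
```

Run `run_live("your.host")` from a machine other than the Exchange server itself. If /exchange-oma answers anything other than 403.6 from there, the IP restriction the accepted answer depends on is missing, and that directory is an unencrypted copy of the /Exchange path that any client on the network can reach.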

Expert Comment by: Alan Hardisty
Everything that has been posted here, including the selected answer is contained in my article which was posted first!

exchange-oma doesn't exist naturally on an Exchange 2003 server, but only if you enable Forms Based Authentication; then you follow KB817379.

Expert Comment by: Scovndrel
I'm sorry you feel that way, but your answer was the equivalent of throwing a set of encyclopedias at someone asking what an iguana is. I narrowed it down and led the asker straight to the setting that needed adjustment, making it easy. If I had been wrong, perhaps he would eventually have followed your comprehensive, many-page document and found the misconfiguration. But he was looking for a quick solution.

Did your answer contain the solution? Probably. Did it lead the asker directly to the solution without making him dig for it? No. Mine fixed the problem right away. The extra information I posted was for follow-up, after the fact, to be sure that in fixing the problem, new ones were not created.

Expert Comment by: Alan Hardisty
The OMA virtual directory has nothing to do with ActiveSync, and exchange-oma is only added, as I have advised, when Forms Based Authentication is enabled, because SSL is then enabled on the Exchange virtual directory; to get around this, the exchange-oma virtual directory is created instead, and this has SSL NOT enabled.

The OMA virtual directory, used for Outlook Mobile Access, is called OMA, not exchange-oma; they have two separate functions and are not related.

The long and the short - you got lucky posting something you don't seem to know much about.  You even stated that this was a stab in the dark.

Either way - Advantek has a solution and that is what is important here.

Alan