Solved

SSL certificate bought from GoDaddy.com cannot be used on Exchange ActiveSync for iPhone

Posted on 2011-03-01
Last Modified: 2012-05-11
We purchased an SSL certificate from GoDaddy.com recently and installed it per their instructions. We can use this SSL certificate for OWA access and Outlook Anywhere access without problem when the Require Secure Channel (SSL) option is enabled.

But when this option is enabled, the iPhone mobile client cannot reach the server.
If we turn off this option, the iPhone can connect to Exchange with no problem. The SSL option can be turned on or off, it doesn't matter, but this is not what we want. We want all connections to be secured.

This problem does not happen when we use our own self signed SSL certificate.
Question by:Advantek
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35013727
If you have installed the GoDaddy cert correctly and have configured your server correctly there shouldn't be any problems.

Please have a read of my article and make sure you are configured correctly - run the test on the test site and shout if you need any help.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Alan
LVL 4

Accepted Solution

by:Scovndrel (earned 500 total points)
ID: 35014198
It sounds to me as if you need to uncheck the SSL box on the virtual directory you are using for OMA (often called exchange-oma), make sure your IP restrictions are set up on that folder, and DO require SSL on the Exchange virtual directory. But this is a stab in the dark, not enough information to really go on.

Author Closing Comment

by:Advantek
ID: 35014259
The given suggestion works.
LVL 4

Expert Comment

by:Scovndrel
ID: 35014309
Thanks! Let's make sure you did not open yourself up to a security hole though.

The way the exchange-oma directory works, only the exchange server needs to access it. Since you are not requiring SSL on the exchange-oma virtual directory, you want to apply IP restrictions on that folder so that the only connections that work to that virtual directory are from the local server accessing itself.

In the attached screen shot, the Exchange server is 192.168.1.10, and so the exchange-oma virtual directory is locked down to only accept connections from 192.168.1.10.

Good luck!

[Attached screen shot: exchange-oma IP restrictions]

Author Comment

by:Advantek
ID: 35014334
If I setup require SSL for OMA, do I still need to set IP restriction?
LVL 4

Expert Comment

by:Scovndrel
ID: 35014415
I believe that requiring SSL on that folder breaks ActiveSync. Isn't that what you found when you read my answer and tried it, and it started working? You disabled SSL and it started working, right?

Here is the article that I follow when I set up ActiveSync on a new Exchange 2003 / IIS6 server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;817379
Assuming you've got a single-server environment, jump down to Method 2.

Your setup, if it is working now, is mostly done. I offer this document as a guideline to check your security after the fact.


Author Comment

by:Advantek
ID: 35014438
I did not enable require SSL at the default web site level; I only set require SSL at the OMA virtual folder. After I set it, the iPhone SSL option needs to be turned on, and then it can access.
LVL 4

Expert Comment

by:Scovndrel
ID: 35014462
Suggest you go through that article and compare it with your setup. Just talking SSL checkboxes, though:

Root of website: NOT required.
/Exchange virtual directory: Optional, but if you want it to be secure, use REQUIRED.
/exchange-oma virtual directory: NOT required, but do turn on IP-based restrictions.
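The checklist above as an added audit script (not posted by anyone in this thread): run with cscript on the Exchange 2003 / IIS 6 server, it reads the metabase through the IIS ADSI provider and reports where the Require SSL flag or the exchange-oma IP restriction deviates from the three rules. It assumes the Default Web Site has metabase site ID 1 and uses the thread's 192.168.1.10 as a placeholder for the server's own address.

```vbscript
Option Explicit
Const SITE_PATH = "IIS://localhost/W3SVC/1/Root"  ' assumed: Default Web Site has site ID 1
Const SERVER_IP = "192.168.1.10"                  ' placeholder: the Exchange server's own IP
Dim problems: problems = 0

' Root of the web site: SSL NOT required.
CheckSsl "", False, "web site root"
' /Exchange: REQUIRED, so OWA, Outlook Anywhere and ActiveSync traffic is encrypted.
CheckSsl "/Exchange", True, "/Exchange"
' /exchange-oma: NOT required (the server calls it over plain HTTP on itself), so
' it must instead be restricted to connections from the server's own address.
CheckSsl "/exchange-oma", False, "/exchange-oma"
CheckIpRestriction "/exchange-oma"
If problems = 0 Then WScript.Echo "OK: settings match the checklist." Else WScript.Echo problems & " deviation(s) found, see above."

' Compare the AccessSSL flag (Require secure channel) of one node with the expected value.
Sub CheckSsl(subPath, wantRequired, label)
    Dim vdir
    On Error Resume Next
    Set vdir = GetObject(SITE_PATH & subPath)
    If Err.Number <> 0 Then
        WScript.Echo "MISSING  " & label & " (" & SITE_PATH & subPath & ")"
        Err.Clear: problems = problems + 1: Exit Sub
    End If
    On Error GoTo 0
    If CBool(vdir.AccessSSL) <> wantRequired Then
        WScript.Echo "MISMATCH " & label & ": Require SSL is " & vdir.AccessSSL & ", expected " & wantRequired
        problems = problems + 1
    End If
End Sub

' Require deny-by-default with an explicit grant for SERVER_IP (IPGrant entries are "ip, mask").
Sub CheckIpRestriction(subPath)
    Dim vdir, ipsec, grants, entry, ok: ok = False
    Set vdir = GetObject(SITE_PATH & subPath)
    Set ipsec = vdir.IPSecurity
    If Not ipsec.GrantByDefault Then
        grants = ipsec.IPGrant
        If IsArray(grants) Then
            For Each entry In grants
                If Trim(Left(entry, InStr(entry & ",", ",") - 1)) = SERVER_IP Then ok = True
            Next
        End If
    End If
    If Not ok Then
        WScript.Echo "EXPOSED  " & subPath & ": not restricted to " & SERVER_IP & " only"
        problems = problems + 1
    End If
End Sub
```

A MISSING report for /exchange-oma is expected on a server where Forms Based Authentication was never enabled, since that directory only exists after following KB817379.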
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35015056
Everything that has been posted here, including the selected answer is contained in my article which was posted first!

exchange-oma doesn't exist naturally on an Exchange 2003 server; it exists only if you enable Forms Based Authentication, and then you follow KB817379.
LVL 4

Expert Comment

by:Scovndrel
ID: 35019015
I'm sorry you feel that way, but your answer was the equivalent of throwing a set of encyclopedias at someone asking what an iguana is. I narrowed it down and led the asker straight to the setting that needed adjustment, making it easy. If I had been wrong, perhaps he would eventually have followed your comprehensive, many-page document and found the misconfiguration. But he was looking for a quick solution.

Did your answer contain the solution? Probably. Did it lead the asker directly to the solution without making him dig for it? No. Mine fixed the problem right away. The extra information I posted was for follow-up, after the fact, to be sure that in fixing the problem, new ones were not created.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35019309
The OMA virtual directory has nothing to do with ActiveSync, and exchange-oma is only added, as I have advised, when Forms Based Authentication is enabled, because SSL is then enabled on the Exchange virtual directory; to get around this, the exchange-oma virtual directory is created instead, and this has SSL NOT enabled.

The OMA virtual directory used for Outlook Mobile Access is called OMA, not Exchange-oma; they have two separate functions and are not related.

The long and the short of it: you got lucky posting something you don't seem to know much about. You even stated that this was a stab in the dark.

Either way - Advantek has a solution and that is what is important here.

Alan