Solved

SSL certificate bought from GoDaddy.com cannot be used with Exchange ActiveSync for iPhone

Posted on 2011-03-01
Last Modified: 2012-05-11
We purchased an SSL certificate from GoDaddy.com recently and installed it per their instructions. We can use this SSL certificate for OWA access and Outlook Anywhere access without problems when the Require Secure Channel (SSL) option is enabled.

But when this option is enabled, the iPhone mobile client cannot reach the server.
If we turn off this option, the iPhone can connect to Exchange with no problem. The SSL option can be turned on or off, it does not matter, but this is not what we want. We want all connections to be secured.

This problem does not happen when we use our own self-signed SSL certificate.
Question by:Advantek
12 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35013727
If you have installed the GoDaddy cert correctly and have configured your server correctly there shouldn't be any problems.

Please have a read of my article and make sure you are configured correctly - run the test on the test site and shout if you need any help.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Alan
0
 
LVL 4

Accepted Solution

by:Scovndrel (earned 500 total points)
ID: 35014198
It sounds to me as if you need to uncheck the SSL box on the virtual directory you are using for OMA (often called exchange-oma), make sure your IP restrictions are set up on that folder, and DO require SSL on the Exchange virtual directory. But this is a stab in the dark, not enough information to really go on.
0
 

Author Closing Comment

by:Advantek
ID: 35014259
The given suggestion works.
0
 
LVL 4

Expert Comment

by:Scovndrel
ID: 35014309
Thanks! Let's make sure you did not open yourself up to a security hole though.

The way the exchange-oma directory works, only the exchange server needs to access it. Since you are not requiring SSL on the exchange-oma virtual directory, you want to apply IP restrictions on that folder so that the only connections that work to that virtual directory are from the local server accessing itself.

In the attached screen shot, the Exchange server is 192.168.1.10, and so the exchange-oma virtual directory is locked down to only accept connections from 192.168.1.10.

Good luck!

exchange-oma IP restrictions screen shot
0
 

Author Comment

by:Advantek
ID: 35014334
If I setup require SSL for OMA, do I still need to set IP restriction?
0

 
LVL 4

Expert Comment

by:Scovndrel
ID: 35014415
I believe that requiring SSL on that folder breaks ActiveSync. Isn't that what you found when you read my answer and tried it, and it started working? You disabled SSL and it started working, right?

Here is the article that I follow when I set up ActiveSync on a new Exchange 2003 / IIS6 server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;817379
Assuming you've got a single-server environment, jump down to Method 2.

Your setup, if it is working now, is mostly done. I offer this document as a guideline to check your security after the fact.

0
 

Author Comment

by:Advantek
ID: 35014438
I did not enable require SSL at the default web site level, I only set require SSL on the OMA virtual folder. After I set it, the iPhone SSL option needs to be turned on and then it can access.
0
 
LVL 4

Expert Comment

by:Scovndrel
ID: 35014462
Suggest you go through that article and compare it with your setup. Just talking SSL checkboxes, though:

Root of website: NOT required.
/Exchange virtual directory: Optional, but if you want it to be secure, use REQUIRED.
/exchange-oma virtual directory: NOT required, but do turn on IP-based restrictions.
0
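The three checkbox settings listed above can be audited rather than eyeballed in the IIS Manager dialogs. The script below is an added example, not code from this thread, from Microsoft or from KB817379; it reads the IIS 6 metabase through the IIS WMI provider (root\MicrosoftIISv2, class IIsWebVirtualDirSetting with its AccessSSL and IPSecurity properties, as I know that provider) and reports any virtual directory whose SSL or IP-restriction setting differs from the policy in the comment above. It assumes the Default Web Site (metabase site ID 1), the virtual directory names Exchange and exchange-oma, and the server address 192.168.1.10 taken from the screenshot earlier in the thread; adjust those three values for your server. Run it locally on the Exchange 2003 server from an elevated PowerShell prompt.

```powershell
# Added example (not from this thread, Microsoft or KB817379): audit the IIS 6
# SSL and IP-restriction settings on the virtual directories discussed above.
# Assumptions: site ID 1 (Default Web Site), vdir names Exchange / exchange-oma,
# and 192.168.1.10 as the Exchange server's own address (from the screenshot).
$siteId   = 1
$serverIp = "192.168.1.10"

# Expected policy from the thread: root not required, /Exchange required,
# /exchange-oma not required but reachable only from the server itself.
$policy = @{
    "W3SVC/$siteId/ROOT"              = @{ RequireSsl = $false; LocalOnly = $false }
    "W3SVC/$siteId/ROOT/Exchange"     = @{ RequireSsl = $true;  LocalOnly = $false }
    "W3SVC/$siteId/ROOT/exchange-oma" = @{ RequireSsl = $false; LocalOnly = $true  }
}

$findings = @()
foreach ($path in $policy.Keys) {
    # IIsWebVirtualDirSetting.Name is the metabase path, e.g. W3SVC/1/ROOT/Exchange
    $vdir = Get-WmiObject -Namespace "root\MicrosoftIISv2" `
                          -Class IIsWebVirtualDirSetting `
                          -Filter "Name='$path'"
    if ($vdir -eq $null) {
        $findings += "$path : virtual directory not found (name or site ID assumption wrong?)"
        continue
    }

    $expected = $policy[$path]

    # AccessSSL corresponds to the 'Require secure channel (SSL)' checkbox.
    if ([bool]$vdir.AccessSSL -ne $expected.RequireSsl) {
        $findings += "$path : AccessSSL is $($vdir.AccessSSL), expected $($expected.RequireSsl)"
    }

    if ($expected.LocalOnly) {
        # IPSecurity holds the 'IP address and domain name restrictions' dialog:
        # GrantByDefault = $false means 'Denied access' by default, and IPGrant
        # lists the exceptions as "address, mask" strings.
        $ipsec  = $vdir.IPSecurity
        $grants = @($ipsec.IPGrant)
        $onlyServer = ($grants.Count -eq 1) -and
                      ($grants[0] -match ("^" + [regex]::Escape($serverIp) + "\b"))
        if ($ipsec.GrantByDefault -or -not $onlyServer) {
            $findings += "$path : not restricted to $serverIp (GrantByDefault=$($ipsec.GrantByDefault); IPGrant=$($grants -join ';'))"
        }
    }
}

if ($findings.Count -eq 0) {
    "OK: SSL and IP-restriction settings match the expected policy."
} else {
    $findings | ForEach-Object { "CHECK: $_" }
}
```

Any "CHECK:" line points at exactly one dialog to revisit: an AccessSSL mismatch is the Require SSL checkbox on that directory, and an exchange-oma restriction finding means the directory is reachable from somewhere other than the server itself, which is the hole the follow-up comment warned about.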
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35015056
Everything that has been posted here, including the selected answer is contained in my article which was posted first!

exchange-oma doesn't exist naturally on an Exchange 2003 server; it only exists if you enable Forms Based Authentication and then follow KB817379.
0
 
LVL 4

Expert Comment

by:Scovndrel
ID: 35019015
I'm sorry you feel that way, but your answer was the equivalent of throwing a set of encyclopedias at someone asking what an iguana is. I narrowed it down and led the asker straight to the setting that needed adjustment, making it easy. If I had been wrong, perhaps he would eventually have followed your comprehensive, many-page document and found the misconfiguration. But he was looking for a quick solution.

Did your answer contain the solution? Probably. Did it lead the asker directly to the solution without making him dig for it? No. Mine fixed the problem right away. The extra information I posted was for follow-up, after the fact, to be sure that in fixing the problem, new ones were not created.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35019309
The OMA virtual directory has nothing to do with ActiveSync, and exchange-oma is only added, as I have advised, when Forms Based Authentication is enabled, because SSL is then enabled on the Exchange virtual directory; to get around this, the exchange-oma virtual directory is created instead, and this has SSL NOT enabled.

The OMA virtual directory used for Outlook Mobile Access is called OMA, not Exchange-oma; they have two separate functions and are not related.

The long and the short: you got lucky posting something you don't seem to know much about. You even stated that this was a stab in the dark.

Either way - Advantek has a solution and that is what is important here.

Alan
0
