SSL certificate bought from Godaddy.com cannot be used on Exchange ActiveSync for iPhone

We purchased an SSL certificate from GoDaddy.com recently, and we installed this certificate per their instructions. We can use this SSL certificate for OWA access and Outlook Anywhere access without problem when the Require Secure Channel (SSL) option is enabled.

But when this option is enabled, the iPhone mobile client cannot reach the server.
If we turn off this option, the iPhone can connect to Exchange with no problem. The SSL option can be turned on or off, it does not matter, but this is not what we want. We want all connections to be secured.

This problem does not happen when we use our own self signed SSL certificate.
Advantek asked.

Scovndrel commented:
It sounds to me as if you need to uncheck the SSL box on the virtual directory you are using for OMA (often called exchange-oma), make sure your IP restrictions are set up on that folder, and DO require SSL on the Exchange virtual directory. But this is a stab in the dark, not enough information to really go on.
Alan Hardisty (Co-Owner) commented:
If you have installed the GoDaddy cert correctly and have configured your server correctly there shouldn't be any problems.

Please have a read of my article and make sure you are configured correctly - run the test on the test site and shout if you need any help.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Alan
Advantek (Author) commented:
The given suggestion works.
Scovndrel commented:
Thanks! Let's make sure you did not open yourself up to a security hole though.

The way the exchange-oma directory works, only the Exchange server needs to access it. Since you are not requiring SSL on the exchange-oma virtual directory, you want to apply IP restrictions on that folder so that the only connections that work to that virtual directory are from the local server accessing itself.

In the attached screen shot, the Exchange server is 192.168.1.10, and so the exchange-oma virtual directory is locked down to only accept connections from 192.168.1.10.

Good luck!

[Screenshot: exchange-oma IP restrictions]

Advantek (Author) commented:
If I set up Require SSL for OMA, do I still need to set the IP restriction?
Scovndrel commented:
I believe that requiring SSL on that folder breaks ActiveSync. Isn't that what you found when you read my answer and tried it, and it started working? You disabled SSL and it started working, right?

Here is the article that I follow when I set up ActiveSync on a new Exchange 2003 / IIS6 server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;817379
Assuming you've got a single-server environment, jump down to Method 2.

Your setup, if it is working now, is mostly done. I offer this document as a guideline to check your security after the fact.

Advantek (Author) commented:
I did not enable Require SSL at the default web site level; I only set Require SSL at the OMA virtual folder. After I set it, the iPhone SSL option needs to be turned on, then it can access.
Scovndrel commented:
Suggest you go through that article and compare it with your setup. Just talking SSL checkboxes, though:

Root of website: NOT required.
/Exchange virtual directory: Optional, but if you want it to be secure, use REQUIRED.
/exchange-oma virtual directory: NOT required, but do turn on IP-based restrictions.
Alan Hardisty (Co-Owner) commented:
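The checklist in the comment above (root: SSL not required; /Exchange: SSL required; /exchange-oma: SSL not required but IP-restricted to the server itself) is easy to verify from the outside once you know how IIS 6 reports the two relevant refusals: a plain-HTTP request to a directory that requires SSL gets 403 with sub-status 403.4, and a request from a disallowed address gets 403 with sub-status 403.6. IIS 6 puts the sub-status in the HTML error body, not in the status line. The script below is an added example, not code from the thread or from Microsoft: it parses raw HTTP responses, checks each probe against the expected outcome, and flags the exact hole Scovndrel warns about (exchange-oma reachable from a remote client). The sample responses are constructed to imitate IIS 6 error pages; the `live_probe` helper is provided for running the same checks against a real host (once from a remote machine, once from the Exchange server itself), but nothing here contacts a server by default.

```python
"""Check Exchange 2003 / IIS 6 virtual-directory policy from HTTP responses.

Policy (from the thread):
  /               remote, http  -> must NOT be 403.4 (SSL not required at root)
  /Exchange/      remote, http  -> 403.4 (SSL required)
  /exchange-oma/  remote, http  -> 403.6 (IP address rejected)
  /exchange-oma/  local,  http  -> not 403 (the server must still reach itself)
"""
import re
from typing import Callable, Dict, Optional, Tuple

STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")
SUBSTATUS_RE = re.compile(r"\b(\d{3})\.(\d{1,2})\b")  # IIS "NNN.M" in the error body


def parse_response(raw: str) -> Tuple[int, Optional[int]]:
    """Return (status, substatus); substatus is None when the body carries none."""
    head, _, body = raw.partition("\r\n\r\n")
    m = STATUS_RE.match(head)
    if not m:
        raise ValueError("not an HTTP response: %r" % raw[:40])
    status = int(m.group(1))
    for code, subcode in SUBSTATUS_RE.findall(body):
        if int(code) == status:  # only trust a sub-code that matches the status line
            return status, int(subcode)
    return status, None


def ssl_required(status: int, sub: Optional[int]) -> bool:
    return (status, sub) == (403, 4)


def ip_rejected(status: int, sub: Optional[int]) -> bool:
    return (status, sub) == (403, 6)


# key: (path, source, scheme) -> (what the policy demands, predicate on (status, sub))
POLICY: Dict[Tuple[str, str, str], Tuple[str, Callable[[int, Optional[int]], bool]]] = {
    ("/", "remote", "http"): ("site root must not require SSL", lambda s, u: not ssl_required(s, u)),
    ("/Exchange/", "remote", "http"): ("/Exchange must require SSL", ssl_required),
    ("/exchange-oma/", "remote", "http"): ("/exchange-oma must reject remote clients by IP", ip_rejected),
    ("/exchange-oma/", "local", "http"): ("/exchange-oma must still accept the server itself", lambda s, u: s != 403),
}


def check_policy(probes: Dict[Tuple[str, str, str], str]) -> Dict[Tuple[str, str, str], Tuple[bool, str]]:
    """Evaluate every POLICY entry against the raw responses in `probes`."""
    results = {}
    for key, (demand, predicate) in POLICY.items():
        raw = probes.get(key)
        if raw is None:
            results[key] = (False, demand + " (no probe result)")
            continue
        status, sub = parse_response(raw)
        got = "%d.%s" % (status, sub if sub is not None else "-")
        results[key] = (predicate(status, sub), "%s (got %s)" % (demand, got))
    return results


def live_probe(host: str, path: str, timeout: float = 5.0) -> str:
    """Fetch one path over plain HTTP and return the raw response (head + body).
    Not called by default; run from a remote client and from the server itself."""
    import http.client
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    head = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    head += "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
    return head + "\r\n" + body


# Constructed samples imitating IIS 6 responses for a correctly configured server.
GOOD_SAMPLES = {
    ("/", "remote", "http"): "HTTP/1.1 302 Object moved\r\nLocation: /exchange\r\n\r\n",
    ("/Exchange/", "remote", "http"): (
        "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
        "<html><body>HTTP Error 403.4 - Forbidden: SSL is required to view this resource.</body></html>"),
    ("/exchange-oma/", "remote", "http"): (
        "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
        "<html><body>HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.</body></html>"),
    ("/exchange-oma/", "local", "http"): 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="mail"\r\n\r\n',
}

# The hole from the thread: SSL unchecked on exchange-oma and no IP restriction,
# so a remote client gets as far as the authentication prompt.
BAD_EXCHANGE_OMA = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="mail"\r\n\r\n'


def main() -> None:
    for label, probes in (("good", GOOD_SAMPLES),
                          ("bad", dict(GOOD_SAMPLES, **{("/exchange-oma/", "remote", "http"): BAD_EXCHANGE_OMA}))):
        print("==", label)
        for key, (ok, msg) in check_policy(probes).items():
            print("%-4s %-15s %-6s %s" % ("ok" if ok else "FAIL", key[0], key[1], msg))


if __name__ == "__main__":
    main()
```

Two caveats when running this for real: the 403.6 check only proves something if the remote probe really comes from an address outside the allowed list (run it from a workstation, not from the server), and a 401 from exchange-oma on the remote probe means the IP restriction is missing even though the directory is "protected" by authentication.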
Everything that has been posted here, including the selected answer is contained in my article which was posted first!

exchange-oma doesn't exist naturally on an Exchange 2003 server, but only if you enable Forms Based Authentication; then you follow KB817379.
Scovndrel commented:
I'm sorry you feel that way, but your answer was the equivalent of throwing a set of encyclopedias at someone asking what an iguana is. I narrowed it down and led the asker straight to the setting that needed adjustment, making it easy. If I had been wrong, perhaps he would eventually have followed your comprehensive, many-page document and found the misconfiguration. But he was looking for a quick solution.

Did your answer contain the solution? Probably. Did it lead the asker directly to the solution without making him dig for it? No. Mine fixed the problem right away. The extra information I posted was for follow-up, after the fact, to be sure that in fixing the problem, new ones were not created.
Alan Hardisty (Co-Owner) commented:
The OMA virtual directory has nothing to do with ActiveSync, and exchange-oma is only added, as I have advised, when Forms Based Authentication is enabled, because SSL is then enabled on the Exchange virtual directory; to get around this, the exchange-oma virtual directory is created instead, and this has SSL NOT enabled.

The OMA virtual directory used for Outlook Mobile Access is called OMA, not exchange-oma; they have two separate functions and are not related.

The long and the short: you got lucky posting something you don't seem to know much about. You even stated that this was a stab in the dark.

Either way - Advantek has a solution and that is what is important here.

Alan
Question has a verified solution.