Exchange 2003 / ISA 2006 active sync problem

My CEO just got a new iPad, and she has instructed me that I have to get it synchronizing with our Exchange server.  I have not tried to use Active Sync on this server until now, and am having difficulty.

I have a single Exchange 2003 STD server, behind an ISA 2006 server.
I have Outlook Web Access published through the ISA server, using forms based authentication on the ISA server.
Forms based Authentication is turned off on the Exchange server.

There is a certificate from Go Daddy installed on the Exchange and ISA servers – this seems to be working since OWA works fine.  

I also have some users connecting using RPC over HTTP, again through the ISA server, and this also works fine.

I used the Microsoft Remote Connectivity Analyzer ( to test Active Sync.

I was getting an error using this tool which pointed me to this MS article:

This basically involves setting up an alternate virtual directory for Exchange that does not require SSL, and then adding a registry value to point to the new virtual directory.

I followed those steps and got the following error:

“An HTTP 403 error was received because ISA Server denied the specified URL.”
Looking in the ISA log I saw that the MRCA tool was attempting to go to the default virtual directory “Microsoft-Server-ActiveSync”.  So I went into the ISA server rule and set external path to “/Microsoft-Server-ActiveSync/*” and the path to the new virtual directory “/ExchActiveSync/*”

Now the MRCA tool is giving me the following error:
“Testing of the OPTIONS command failed. For more information, see Additional Details.”
And gives me a link here which talks about ISA Server 2000, third party reverse proxy servers, and having “URL Scan” installed – none of which apply.

On the ISA Server I get:

Denied Connection ISASERVER 9/22/2011 4:16:58 PM
Log type: Web Proxy (Reverse)
Status: 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.  
Rule: External Active Sync
Source: (
Destination: (
Request: OPTIONS 
Filter information: Req ID: 084c5d4d; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Anyone have any suggestions?  


Who is Participating?
footechConnect With a Mentor Commented:
I think the paths that you have specified in the firewall rule should be
external - same as internal
internal - /Microsoft-Server-ActiveSync/*
Although you created a new virtual directory, that is a replacement for the /Exchange VD.  With the registry key, MS Active Sync knows to use the /ExchActiveSync (this appears to be the name you used) VD instead of /Exchange.  With the rule as you have it now it just directs to OWA - not what you want.
Are you using the same web listener as for OWA?  What authentication methods is it set to use?

I believe this might come down to an authentication setting, either on ISA on in IIS.
AmitIT ArchitectCommented:
I don't think you have installed active sync service. Check this first
I don't think you can use Apple products with ActiveSync (unless something new has happened, which is always possible)  Why don't you just use Imap or even pop3?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

misgciAuthor Commented:
I have followed the MS procedure for setting up Active Sync.

Apple products can indeed use Active Sync and are pretty widely used this way.  I could use imap or pop3 but that is not my preferred solution.  The problem I am having is not specific to Apple devices, it is a problem with my ISA / Exchange Server setup that I want to resolve so that I can use active sync with other devices as well.
Ok then, so let's try normal t/s...  Can you access the oma page from outside?
misgciAuthor Commented:
Nope.  I get a 403 Forbidden error.
Try to use ActiveSync on the iPad from inside the network (assuming you have DNS set up to resolve to the internal IP of your Exchange) to avoid going through ISA as a troubleshooting step.  Once you know ActiveSync is working properly, then you can move on the firewall rule.

I assume you created a new Exchange publishing rule for ActiveSync in ISA, correct?
misgciAuthor Commented:
With the iPad if I change the server to the internal IP address of my Exchange server I get a message: "Cannot Get Mail The connection to the server failed."  This is the same if I use the URL for the server from either inside or ouside the network.  I can't find any way on the iPad to get more detailed information, or any way to ping the server to see if it is even able to connect to it.

From within my network, if I go to https://myechangeserver.mydomain.local/oma in a web browser I can log in and see my mailbox with no problem.

If I go to https://myechangeserver.mydomain.local//Microsoft-Server-ActiveSync/ it opens Outlook Web Access and I can also access my mailbox.

I actually have DNS set up so that resolves to my ISA server.  I did this so that employees can use OWA from within the network and get the same forms based authentication I set up on the ISA server as they would get from outside the network.

I'm takng a look at a Windows Mobile emulator so I can test active sync from inside the LAN, but right now I'm sure how else I can test it.

I did create a new rule in ISA server using the wizard for creating an Exchange web client access rule.
I know you said the Apple uses Activesync, but do you have a Windows Mobile device to test it using footech's suggestion of the internal IP url?  The Windows mobile emulator is a good idea (the one included with VS?) but I've never played with it enough to configure a network adaptor, so I don't know if it will work.
misgciAuthor Commented:
I don't have any Windows Mobile devices. I actually only have occasional access to the iPad since it is the CEO's device.  The only mobile devices we currently use are Blackberry phones for which we have a BESx server set up.

The emulator seems to be the one included with VS but can also be installed stand alone from what I've read.
Haven't had a chance to try it out yet.
The reason I ask for the wm device is because I am familiar with the error codes you will recieve when trying to get it working, whereas it doesn' t look like the apple is giving them to you.
misgciAuthor Commented:
Great - as soon as I get the emulator working I'll post the results.
misgciAuthor Commented:
Thanks for the suggestions so far.
I had to jump through some hoops to get the Windows Mobile Emulator running on my Win 7 PC, but got it going now.  I had to install the Go Daddy certificate on the phone.  From inside the network on the emulator I get an error that the server has an invalid certificate - possibly because the FQDN on the certificate doesn't match the internal name(?).

There is/was something going on with the path on the ISA rule and the new virtual directory.

I tried putting (as footech suggested) and testing it from outside my network:
external - same as internal
internal - /Microsoft-Server-ActiveSync/*
and it failed to sync

then I put
internal - /*  (which is publish the entire site)
external - /Microsoft-Server-ActiveSync/*
and the emulator synced up great, although if I test the rule in ISA Server I get:
"An unexpected response was received from the server. HTTP response: 400 Bad Request"

Then I went back to footech's suggestion of:
external - same as internal
internal - /Microsoft-Server-ActiveSync/*
and now it works - althogh I still get the error on the ISA server, and the Microsoft Remote Connectivity Analyzer  still fails with "An HTTP 403 forbidden response was received. The response appears to have come from Unknown."

But since the emulator is syncing I'm not sure how much I should care about the errors.

I can't test the iPad because it is asking for a passcode and the CEO says she did not put in a passcode, so for the moment at least we are locked out of the iPad.
So, you're saying the internal syncing with the emulator is working?  Very cool - I'll have to play with that sometime :)

Anyway, instead of having an specific rule naming the paths, why don't you just try adding a rule for Port 80 and/or 443 that redirects to your exchange server.  This is how I have it running with my ISA installation as well as regular firewalls.  The added advantage of this is that it also opens the OWA with the same rule.  
If ISA is a member of the domain I would suggest using authentication on the web listener as shown in the screenshot.  Are you using a single web listener for all Exchange services?
web listener settingsAlso try this; in the properties of your web listener go to the Forms tab > Advanced > uncheck "apply session timeout to non-browser clients".

You might also want to check the Device Security settings under Mobile Services in Exchange System Manager.  On our server we have all of these cleared.
I believe for the actual Web Publishing rule (not the listener), you will want to select Basic Authentication for the Authentication Delegation setting.  This is what the MICROSOFT-ACTIVE-SYNC VD is set to under Directory Security.
misgciAuthor Commented:
That is how I have the web listener set up, thanks.

I actually have two rules in ISA using the same listener.  The reason is that the first rule only listens on the ISA internal interface, and this one allows all authenticated users.

The second one listens only on the external interface, and allows only users in a specific security group.  

This is set up this way because we have a need for any employee to be able to access OWA from within the network, but only non-hourly employees are allowed to access their web mail from outside the network.  This has to do with a Dept. of Labor issue in which, according to our HR department,  we would have to pay hourly employees overtime if they access their company email outside their normal working hours.

So both rules are set up the same except for the users and the 'from' network.
We have split DNS so that the same URL resolves externally to our public IP address for the ISA server, and internally to the internal NIC on the ISA server.

Thanks for the tip about the device security settings under Mobile Services.  I missed that and it was set to enforce passwords.  Apparently at some point the iPad connected to Active Sync and applied that policy and set the passcode to the password of the test email account I was using.

At the moment things seem to be working - I gave the boss back her iPad and asked her to test it out from home, so I'll find out how it goes.
So, just for my own curiosity, did you add in the settings for ActiveSync to the rules you mentioned above, or did you create new rules?

Glad you got the device unlocked and hopefully it will continue to sync.

Are you still getting the errors in ISA?  Based on some reading, those with status 12239 usually come along with the ActiveSync user having to re-enter their credentials after a period of time.  The "apply session timeout to non-browser clients" setting (unchecked) should help with this.
misgciAuthor Commented:
I added the active sync settings to the existing rules.  I think my problem was thinking that the path should have been internal pointing to the alternate VD I created in IIS, and the external path being the default directory.  It still seems more logical to me that way, but changing the path as you suggested made it work, so I must be misconceptualizing something.

If I use the "Test Rule" button in the rule properties on ISA I get:

Testing URL
Category: General error
Error details: An unexpected response was received from the server. HTTP response: 501 Not Implemented
Action: Verify that the intended server is published and that virtual directories exist. Ensure that you can browse the published site directly from an internal client computer.

The same error on http also.

If I browse to that folder internally I get the OWA login form, but after entering logon credentials I get the "501 not Implemented error" in the browser.
Haven't had a chance to investigate this yet.  I can no longer browse to the */oma folder at all - I get a " 403 Forbidden" error.
Maybe it would help to think of it this way.  The /Exchange VD is just a resource to be used by ActiveSync, not the actual path.  So when you created the alternate VD, you specified ActiveSync to use it instead of the /Exchange VD, but the path didn't change, just the resource it's drawing on.

When browsing, and you see the OWA login form, I think the explanation is that ISA is set to use FBA.  When not using a browser (i.e. in the case of ActiveSync), it falls back to Basic Authentication.  So that's why you get the form.  However, I can tell you that when I try to browse to my ActiveSync, I get the same "501 Not Implemented" error.  So I don't think that's a problem.

Regarding /oma, I probably wouldn't worry about it, unless you plan on having phones that use it.  Of course your ISA firewall rule should have a path entry for /oma* as the internal path.  Then I would check under the Mobile Service settings to see if Enable Outlook Mobile Access is enabled.  But like I said, it's unlikely you actually need this.
misgciAuthor Commented:
That does make sense, thanks.
I actually can browse to the /oma folder internally using the internal server name.  Must have miskeyed the url yesterday.

Since everything seems to be working now I'll close this and award the points.  Thanks again for your help.
misgciAuthor Commented:
The biggest problem was applying the paths wrong in ISA, so thanks footech for the clarification.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.