Solved

Exchange 2003 / ISA 2006 active sync problem

Posted on 2011-09-22
1,501 Views
Last Modified: 2012-06-21
My CEO just got a new iPad, and she has instructed me that I have to get it synchronizing with our Exchange server.  I have not tried to use Active Sync on this server until now, and am having difficulty.

I have a single Exchange 2003 STD server, behind an ISA 2006 server.
I have Outlook Web Access published through the ISA server, using forms based authentication on the ISA server.
Forms based Authentication is turned off on the Exchange server.

There is a certificate from Go Daddy installed on the Exchange and ISA servers – this seems to be working since OWA works fine.  

I also have some users connecting using RPC over HTTP, again through the ISA server, and this also works fine.

I used the Microsoft Remote Connectivity Analyzer (https://www.testexchangeconnectivity.com/) to test Active Sync.

I was getting an error using this tool which pointed me to this MS article:
http://support.microsoft.com/?kbid=817379

This basically involves setting up an alternate virtual directory for Exchange that does not require SSL, and then adding a registry value to point to the new virtual directory.

I followed those steps and got the following error:

“An HTTP 403 error was received because ISA Server denied the specified URL.”
Looking in the ISA log I saw that the MRCA tool was attempting to go to the default virtual directory “Microsoft-Server-ActiveSync”.  So I went into the ISA server rule and set external path to “/Microsoft-Server-ActiveSync/*” and the path to the new virtual directory “/ExchActiveSync/*”

Now the MRCA tool is giving me the following error:
“Testing of the OPTIONS command failed. For more information, see Additional Details.”
And gives me a link here which talks about ISA Server 2000, third party reverse proxy servers, and having “URL Scan” installed – none of which apply.

On the ISA Server I get:

Denied Connection ISASERVER 9/22/2011 4:16:58 PM
Log type: Web Proxy (Reverse)
Status: 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.  
Rule: External Active Sync
Source: (207.46.14.62)
Destination: (11.11.11.11:443)
Request: OPTIONS http://mail.gatewayindustries.org/Microsoft-Server-ActiveSync/
Filter information: Req ID: 084c5d4d; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous


Anyone have any suggestions?  

Thanks,

RJS
0
Question by:misgci
22 Comments
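The "Denied Connection" record quoted in the question is the most useful evidence in the thread, so here is a small parser for that record layout, as an added example (not code from the thread or from ISA Server). It splits the multi-line entry into fields, pulls the numeric status code, the HTTP method and URL, and the FBA cookie flags out of the "Filter information" line, and then applies a simple triage rule: a denial with status 12239 from an anonymous user whose request carries no FBA cookie and an unknown client type is a non-browser client that was challenged for credentials before it supplied any, which is exactly the situation footech's later advice about authentication delegation on the publishing rule addresses. The sample text is the asker's own entry plus one constructed "Allowed Connection" record (its layout, the 198.51.100.7 address and the user name are assumptions); the dataclass and the triage labels are mine, not ISA terminology.

```python
"""Parse ISA Server 2006 'Denied/Allowed Connection' web proxy log records and
triage authentication-related denials (status 12239) from anonymous clients.

Added example, not from the original thread or from ISA Server. Field names,
the IsaEntry dataclass and the triage labels are my own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the asker's entry verbatim, followed by an invented
# "Allowed Connection" record (assumed layout, documentation-range address)
# so that the triage function has a contrasting case.
SAMPLE_ENTRIES = """Denied Connection ISASERVER 9/22/2011 4:16:58 PM
Log type: Web Proxy (Reverse)
Status: 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
Rule: External Active Sync
Source: (207.46.14.62)
Destination: (11.11.11.11:443)
Request: OPTIONS http://mail.gatewayindustries.org/Microsoft-Server-ActiveSync/
Filter information: Req ID: 084c5d4d; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous

Allowed Connection ISASERVER 9/22/2011 4:17:03 PM
Log type: Web Proxy (Reverse)
Status: 200 OK
Rule: External Active Sync
Source: (198.51.100.7)
Destination: (11.11.11.11:443)
Request: POST http://mail.gatewayindustries.org/Microsoft-Server-ActiveSync/?Cmd=Sync
Filter information: Req ID: 084c5d4e; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: EXAMPLE\\jdoe
"""

HEADER_RE = re.compile(r"^(Denied|Allowed) Connection (\S+) (.+)$")
FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$")


@dataclass
class IsaEntry:
    action: str          # "Denied" or "Allowed" (from the record header)
    server: str
    timestamp: str
    status_code: int     # numeric part of the Status line (12239, 200, ...)
    status_text: str
    rule: str
    source: str
    destination: str
    method: str          # HTTP method from the Request line
    url: str
    user: str
    fba: Dict[str, str] = field(default_factory=dict)  # FBA cookie flags


def parse_entries(text: str) -> List[IsaEntry]:
    """Split a paste of records on blank lines and parse each one."""
    entries: List[IsaEntry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # not a connection record; ignore
        fields: Dict[str, str] = {}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        code, _, status_text = fields.get("Status", "0").partition(" ")
        method, _, url = fields.get("Request", "").partition(" ")
        # The FBA cookie flags live inside the Filter information line.
        fba: Dict[str, str] = {}
        fba_m = re.search(r"FBA cookie: ([^;]*)", fields.get("Filter information", ""))
        if fba_m:
            for kv in fba_m.group(1).split(","):
                k, _, v = kv.strip().partition("=")
                fba[k] = v
        entries.append(IsaEntry(
            header.group(1), header.group(2), header.group(3),
            int(code), status_text.strip(), fields.get("Rule", ""),
            fields.get("Source", "").strip("()"), fields.get("Destination", "").strip("()"),
            method, url, fields.get("User", ""), fba))
    return entries


def triage(entry: IsaEntry) -> str:
    """Label a record; the labels are this example's own, not ISA's."""
    if entry.action != "Denied":
        return "allowed"
    if entry.status_code == 12239 and entry.user.lower() == "anonymous":
        # No FBA cookie and an unknown client type: not a browser session,
        # so the listener challenged the client and it had not yet answered.
        if entry.fba.get("exists") == "no" and entry.fba.get("client type") == "unknown":
            return "auth-challenge-non-browser"
        return "auth-challenge"
    return "denied-other"


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_ENTRIES):
        print(f"{e.timestamp:22} {e.rule:22} {e.method:7} {e.url:60} {e.user:12} -> {triage(e)}")
```

Running the block prints one line per record; the asker's entry comes out as `auth-challenge-non-browser`, which points at the publishing rule's authentication delegation rather than at the path mapping.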
 
LVL 41

Expert Comment

by:Amit
ID: 36583538
I don't think you have installed active sync service. Check this first
http://www.msexchange.org/tutorials/exchange-2003-mobile-messaging-part3.html
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 36584229
I don't think you can use Apple products with ActiveSync (unless something new has happened, which is always possible). Why don't you just use IMAP or even POP3?
0
 

Author Comment

by:misgci
ID: 36586504
amitkulshrestha,
I have followed the MS procedure for setting up Active Sync.

rsimsee,
Apple products can indeed use Active Sync and are pretty widely used this way.  I could use imap or pop3 but that is not my preferred solution.  The problem I am having is not specific to Apple devices, it is a problem with my ISA / Exchange Server setup that I want to resolve so that I can use active sync with other devices as well.
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 36589870
Ok then, so let's try normal t/s...  Can you access the oma page from outside?
https://<mailserver>/oma
0
 

Author Comment

by:misgci
ID: 36594161
Nope.  I get a 403 Forbidden error.
0
 
LVL 39

Expert Comment

by:footech
ID: 36596963
Try to use ActiveSync on the iPad from inside the network (assuming you have DNS set up to resolve to the internal IP of your Exchange) to avoid going through ISA as a troubleshooting step.  Once you know ActiveSync is working properly, then you can move on the firewall rule.

I assume you created a new Exchange publishing rule for ActiveSync in ISA, correct?
0
 

Author Comment

by:misgci
ID: 36601034
With the iPad if I change the server to the internal IP address of my Exchange server I get a message: "Cannot Get Mail The connection to the server failed."  This is the same if I use the URL for the server from either inside or outside the network.  I can't find any way on the iPad to get more detailed information, or any way to ping the server to see if it is even able to connect to it.

From within my network, if I go to https://myexchangeserver.mydomain.local/oma in a web browser I can log in and see my mailbox with no problem.

If I go to https://myexchangeserver.mydomain.local/Microsoft-Server-ActiveSync/ it opens Outlook Web Access and I can also access my mailbox.

I actually have DNS set up so that mail.mydomain.com resolves to my ISA server.  I did this so that employees can use OWA from within the network and get the same forms based authentication I set up on the ISA server as they would get from outside the network.

I'm taking a look at a Windows Mobile emulator so I can test Active Sync from inside the LAN, but right now I'm not sure how else I can test it.

I did create a new rule in ISA server using the wizard for creating an Exchange web client access rule.
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 36601048
I know you said the Apple uses Activesync, but do you have a Windows Mobile device to test it using footech's suggestion of the internal IP url?  The Windows mobile emulator is a good idea (the one included with VS?) but I've never played with it enough to configure a network adaptor, so I don't know if it will work.
0
 

Author Comment

by:misgci
ID: 36601466
I don't have any Windows Mobile devices. I actually only have occasional access to the iPad since it is the CEO's device.  The only mobile devices we currently use are Blackberry phones for which we have a BESx server set up.

The emulator seems to be the one included with VS but can also be installed stand alone from what I've read.
Haven't had a chance to try it out yet.
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 36601511
The reason I ask for the WM device is because I am familiar with the error codes you will receive when trying to get it working, whereas it doesn't look like the Apple is giving them to you.
0
 

Author Comment

by:misgci
ID: 36601517
Great - as soon as I get the emulator working I'll post the results.
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 36714087
I think the paths that you have specified in the firewall rule should be
external - same as internal
internal - /Microsoft-Server-ActiveSync/*
Although you created a new virtual directory, that is a replacement for the /Exchange VD.  With the registry key, MS Active Sync knows to use the /ExchActiveSync (this appears to be the name you used) VD instead of /Exchange.  With the rule as you have it now it just directs to OWA - not what you want.
Are you using the same web listener as for OWA?  What authentication methods is it set to use?

I believe this might come down to an authentication setting, either on ISA or in IIS.
0
 

Author Comment

by:misgci
ID: 36720101
Thanks for the suggestions so far.
I had to jump through some hoops to get the Windows Mobile Emulator running on my Win 7 PC, but got it going now.  I had to install the Go Daddy certificate on the phone.  From inside the network on the emulator I get an error that the server has an invalid certificate - possibly because the FQDN on the certificate doesn't match the internal name(?).

There is/was something going on with the path on the ISA rule and the new virtual directory.

I tried putting (as footech suggested) and testing it from outside my network:
external - same as internal
internal - /Microsoft-Server-ActiveSync/*
and it failed to sync

then I put
internal - /*  (which is publish the entire site)
external - /Microsoft-Server-ActiveSync/*
and the emulator synced up great, although if I test the rule in ISA Server I get:
"An unexpected response was received from the server. HTTP response: 400 Bad Request"

Then I went back to footech's suggestion of:
external - same as internal
internal - /Microsoft-Server-ActiveSync/*
and now it works - although I still get the error on the ISA server, and the Microsoft Remote Connectivity Analyzer still fails with "An HTTP 403 forbidden response was received. The response appears to have come from Unknown."

But since the emulator is syncing I'm not sure how much I should care about the errors.

I can't test the iPad because it is asking for a passcode and the CEO says she did not put in a passcode, so for the moment at least we are locked out of the iPad.
0
 
LVL 7

Expert Comment

by:rsimsee
ID: 36720299
So, you're saying the internal syncing with the emulator is working?  Very cool - I'll have to play with that sometime :)

Anyway, instead of having a specific rule naming the paths, why don't you just try adding a rule for port 80 and/or 443 that redirects to your Exchange server.  This is how I have it running with my ISA installation as well as regular firewalls.  The added advantage of this is that it also opens OWA with the same rule.
0
 
LVL 39

Expert Comment

by:footech
ID: 36720728
If ISA is a member of the domain I would suggest using authentication on the web listener as shown in the screenshot.  Are you using a single web listener for all Exchange services?
(screenshot: web listener settings)
Also try this: in the properties of your web listener go to the Forms tab > Advanced > uncheck "apply session timeout to non-browser clients".

You might also want to check the Device Security settings under Mobile Services in Exchange System Manager.  On our server we have all of these cleared.
0
 
LVL 39

Expert Comment

by:footech
ID: 36720762
I believe for the actual Web Publishing rule (not the listener), you will want to select Basic Authentication for the Authentication Delegation setting.  This is what the MICROSOFT-ACTIVE-SYNC VD is set to under Directory Security.
0
 

Author Comment

by:misgci
ID: 36846816
Footech,
That is how I have the web listener set up, thanks.

I actually have two rules in ISA using the same listener.  The reason is that the first rule only listens on the ISA internal interface, and this one allows all authenticated users.

The second one listens only on the external interface, and allows only users in a specific security group.  

This is set up this way because we have a need for any employee to be able to access OWA from within the network, but only non-hourly employees are allowed to access their web mail from outside the network.  This has to do with a Dept. of Labor issue in which, according to our HR department, we would have to pay hourly employees overtime if they access their company email outside their normal working hours.

So both rules are set up the same except for the users and the 'from' network.
We have split DNS so that the same URL resolves externally to our public IP address for the ISA server, and internally to the internal NIC on the ISA server.

Thanks for the tip about the device security settings under Mobile Services.  I missed that and it was set to enforce passwords.  Apparently at some point the iPad connected to Active Sync and applied that policy and set the passcode to the password of the test email account I was using.

At the moment things seem to be working - I gave the boss back her iPad and asked her to test it out from home, so I'll find out how it goes.
0
 
LVL 39

Expert Comment

by:footech
ID: 36890110
So, just for my own curiosity, did you add in the settings for ActiveSync to the rules you mentioned above, or did you create new rules?

Glad you got the device unlocked and hopefully it will continue to sync.

Are you still getting the errors in ISA?  Based on some reading, those with status 12239 usually come along with the ActiveSync user having to re-enter their credentials after a period of time.  The "apply session timeout to non-browser clients" setting (unchecked) should help with this.
0
 

Author Comment

by:misgci
ID: 36891327
I added the active sync settings to the existing rules.  I think my problem was thinking that the path should have been internal pointing to the alternate VD I created in IIS, and the external path being the default directory.  It still seems more logical to me that way, but changing the path as you suggested made it work, so I must be misconceptualizing something.

If I use the "Test Rule" button in the rule properties on ISA I get:

Testing URL https://mail.mydomain.com:443/Microsoft-Server-ActiveSync/
Category: General error
Error details: An unexpected response was received from the server. HTTP response: 501 Not Implemented
Action: Verify that the intended server is published and that virtual directories exist. Ensure that you can browse the published site directly from an internal client computer.

The same error on http also.

If I browse to that folder internally I get the OWA login form, but after entering logon credentials I get the "501 not Implemented error" in the browser.
Haven't had a chance to investigate this yet.  I can no longer browse to the */oma folder at all - I get a "403 Forbidden" error.
0
 
LVL 39

Expert Comment

by:footech
ID: 36893328
Maybe it would help to think of it this way.  The /Exchange VD is just a resource to be used by ActiveSync, not the actual path.  So when you created the alternate VD, you specified ActiveSync to use it instead of the /Exchange VD, but the path didn't change, just the resource it's drawing on.

When browsing, and you see the OWA login form, I think the explanation is that ISA is set to use FBA.  When not using a browser (i.e. in the case of ActiveSync), it falls back to Basic Authentication.  So that's why you get the form.  However, I can tell you that when I try to browse to my ActiveSync, I get the same "501 Not Implemented" error.  So I don't think that's a problem.

Regarding /oma, I probably wouldn't worry about it, unless you plan on having phones that use it.  Of course your ISA firewall rule should have a path entry for /oma* as the internal path.  Then I would check under the Mobile Service settings to see if Enable Outlook Mobile Access is enabled.  But like I said, it's unlikely you actually need this.
0
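To make the path point from the accepted solution and from footech's explanation above concrete, here is a simplified model of how an ISA 2006 web publishing rule translates the external path of a request into the path forwarded to the published server. This is an added example, not ISA code and not anything posted in the thread: each mapping is an (external pattern, internal pattern) pair where a trailing `*` matches the rest of the path and `None` stands for the rule's "same as internal" option; matching is assumed to be case-insensitive and a request that matches no path entry is returned as `None`, which is the 403 "ISA Server denied the specified URL" outcome the asker saw. The two rule sets mirror the thread: the asker's original mapping sends `/Microsoft-Server-ActiveSync/` traffic to the alternate `/ExchActiveSync` virtual directory, which is only a replacement for the `/Exchange` resource and not the ActiveSync endpoint, while the accepted mapping leaves the path untouched. The host name is a placeholder.

```python
"""Simplified model of ISA 2006 web publishing path mapping.

Added example, not ISA Server code. A mapping is (external_pattern,
internal_pattern); a trailing '*' matches the remainder of the path and
internal_pattern=None means "same as internal" in the rule's Paths tab.
translate() returns the path forwarded to the published server, or None when
no path entry matches (ISA then denies the URL with a 403).
Case-insensitive matching is an assumption of this model.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Mapping = Tuple[str, Optional[str]]


def _match(pattern: str, path: str) -> Optional[str]:
    """Return the part of `path` covered by a trailing '*' (possibly ''),
    or None if the pattern does not match."""
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        if path.lower().startswith(prefix.lower()):
            return path[len(prefix):]
        return None
    return "" if path.lower() == pattern.lower() else None


def translate(url: str, mappings: List[Mapping]) -> Optional[str]:
    """Apply the first matching path entry; keep the query string intact."""
    parts = urlsplit(url)
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    for external, internal in mappings:
        rest = _match(external, path)
        if rest is None:
            continue
        if internal is None:                 # "same as internal"
            return path + query
        if internal.endswith("*"):           # re-attach the wildcard remainder
            return internal[:-1] + rest + query
        return internal + query
    return None                              # no entry matched: ISA denies (403)


# Constructed rule sets mirroring the thread (host name is a placeholder).
MISCONFIGURED: List[Mapping] = [("/Microsoft-Server-ActiveSync/*", "/ExchActiveSync/*")]
ACCEPTED: List[Mapping] = [("/Microsoft-Server-ActiveSync/*", None), ("/oma*", None)]

REQUESTS = [
    "https://mail.example.com/Microsoft-Server-ActiveSync/?Cmd=Sync",
    "https://mail.example.com/oma",
]


def compare(requests: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """For each request, the path forwarded under each rule set."""
    return [(u, translate(u, MISCONFIGURED), translate(u, ACCEPTED)) for u in requests]


if __name__ == "__main__":
    for url, bad, good in compare(REQUESTS):
        print(f"{url}\n  misconfigured -> {bad}\n  accepted      -> {good}")
```

With the misconfigured rule the sync request is rewritten to `/ExchActiveSync/?Cmd=Sync`, so the server answers from the OWA-style virtual directory instead of the ActiveSync handler; with the accepted rule the path passes through unchanged, and `/oma` is only reachable once its own path entry exists, which is why it returned 403 until one was added.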
 

Author Comment

by:misgci
ID: 36893400
That does make sense, thanks.
I actually can browse to the /oma folder internally using the internal server name.  Must have miskeyed the url yesterday.

Since everything seems to be working now I'll close this and award the points.  Thanks again for your help.
0
 

Author Closing Comment

by:misgci
ID: 36893407
The biggest problem was applying the paths wrong in ISA, so thanks footech for the clarification.
0
