gesegnet asked:
Couldn't connect iPhone thru ISA Server 2004, Microsoft Exchange 2003

Hi,

I'm trying to sync an iPhone mobile device to an Exchange 2003 through an ISA Server 2004. We already published the server rule in the ISA server but it is giving me the following error in the ISA Log:

Failed Connection Attempt
Log type: Web Proxy (Reverse)
Status: 12210 An Internet Service API (ISAPI) filter has finished handling the request. Contact your system administrator.
Rule:
Source: (xxx.xxx.xxx.xxx:0
Destination: (xxx.xxx.xxx.xxx:443)
Request: OPTIONS http://mail.mycompany.com/Microsoft-Server-ActiveSync
Filter information: Req ID:0b22c90e; Compression: None
Protocol: https
User: anonymous
Additional Information:
* Client Agent: Apple-iPhone5
* Object source: Processing time: 281
* Cache info: 0x0 MIME type:

Please, I need help in fixing this. It is a very important prospective client and this is like the entry point. THANK....
Alan Hardisty

If the ISA rules have been auto-published by running the SBS Connect To The Internet Wizard, then you should be fine with the ISA side of things.

In terms of the SBS side of things, please have a read through my article, check your IIS settings, run the test on the test site and post the results hiding your domain name and IP Address.

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

If I can't help you (because of the ISA element), I'll try to get Keith_Alabaster to assist as he is an extremely good ISA Expert.

Alan
gesegnet (asker):
Alan,

Thank you for the quick response.. Just to mention, this is not a Small Business Server. This is an Enterprise Network; they are different servers. I will verify the IIS settings and let you know of any kind of progress. It would be great if you could bring in the ISA expert because I believe that the issue is on the ISA. Thanks again...
Ah yes - must have SBS on the brain.  Sorry.

In that case, I'll try and get Keith involved as he can talk you through the settings blindfolded and I can talk you through the Exchange settings blindfolded, so with any luck, we can get you fixed up.

Alan
OK... Thanks... I will verify the Exchange settings as you mentioned, later today, because I need to restart the IIS Service and have to do it after hours. I will let you know....
No probs - email sent to Keith.  I just hope he is about.

Alan
Wow - midnight here and just got up for a cigarette and saw Alan's email.

Can you confirm that:

a) You have created a separate publishing rule for each of the Exchange services that ISA is covering (albeit that they use the same listener)?
b) You can active-sync to other devices OK?
c) You have validated your config using the ISA2004 bpa? - http://www.microsoft.com/en-gb/download/details.aspx?id=811

Please advise on the specific settings you chose for the Active Sync rule in respect to the authentication?

Keith
PS - no issue with the certificate is there? If you access via https and OWA, do you get a clean entry or a message about a 'faulty' certificate? OWA can deal with this - active sync cannot.
Thank you Keith.

Alan
Hi Keith and Thanks for your response...

1. There is a Web Listener created for the OWA rule and the same is used only for the OWA rule.
2. This is the first time that we are trying to sync the mobile phones. Not used before.
3. I don't know if I will be able to install the tool at this moment but I will let you know.
4. The Microsoft Server ActiveSync Virtual Directory in IIS has the following settings:
Authentication - Basic
Secure Communications - SSL 128bit
About the certificate... I can access OWA internally with a self-signed certificate. The ISA Server Web listener has also a local self-signed certificate.
Any suggestions?
Alan,

I just followed your document, setting the first part that applies to a non-SBS environment, but same results, no connection. Any other suggestions? What about the Default Web Site configuration? Can you tell me how it should be set? Thanks...
Keith or Alan... I'm trying to add a certificate to the Web listener but it is not seeing the certificate that I just imported to the ISA Server. Any ideas? I have several certificates in the Personal Store but the Web listener is seeing only one and that one I can't use... : (
As mentioned above - you need to re-run the publishing wizard and create a publishing rule for active-sync in addition to the publishing rule for OWA. You may be saying that you have done this but I am not sure it is clear.

A web certificate will only appear as valid to the ISA server if:

a) the certificate has been exported from its source (in this case it will be the server where the OWA/IIS service is provided from) along with its private key;
b) imported into the ISA to the local machine, computer account.
OK.. Maybe I didn't understand you the first time... Sorry for that. So, you mean that I will need a different web publishing rule and listener for the ActiveSync? One for the OWA and another for the ActiveSync? Different certificates and port numbers for each one right?  Thanks in advance...
I owe you an apology - you are using ISA2004 - the multiple rules (or rather the ability to use them) did not appear till ISA 2006.

http://technet.microsoft.com/library/cc713316.aspx

Have a quick scan through this link and validate the active-sync test it suggests - what message do you get?

In the meantime I will resurrect an isa2004 environment in my labs.
Hi guys... I just went to the document and I'm still not able to connect the iPhone from the Cellular provider, but (we are making progress) I was able to connect the iPhone using WiFi in the company or even doing a VPN to the office in the phone through the cellular provider. So, now we know that it is something in the ISA. Any ideas? We are getting there!!!
Also... I performed the ActiveSync test that the Microsoft documentation suggested (connect to the https://published_server_name/Microsoft-Server-Activesync address in Internet Explorer) and internally it is OK, but from the Internet the OWA login page is responding instead of the "Error 501/505 – Not implemented or not supported".
Here are the results from www.testexchangeconnectivity.com
Question... Do I need a 3rd party SSL Certificate in order to work in ISA? I have a local self signed SSL Certificate.

ExRCA is testing Exchange ActiveSync.
 The Exchange ActiveSync test failed.
 Test Steps
 Attempting to resolve the host name mail.mydomain.com in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: xxx.xxx.xxx.xxx

Testing TCP port 443 on host mail.mydomain.com to ensure it's listening and open.
 The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 The SSL certificate failed one or more certificate validation checks.
 Test Steps
 ExRCA is attempting to obtain the SSL certificate from remote server mail.mydomain.com on port 443.
 ExRCA successfully obtained the remote SSL certificate.
 Additional Details
 Remote Certificate Subject: CN=mail.mydomain.com, OU=COMPANYNAME, O=COMPANYNAME, L=City S=STATE, C=US, Issuer: CN=CA-COMPANYNAME, DC=domain, DC=local.

Validating the certificate name.
 The certificate name was validated successfully.
 Additional Details
 Host name mail.mydomain.com was found in the Certificate Subject Common name.

Validating certificate trust for Windows Mobile devices.
 Certificate trust validation failed.
 Test Steps
 ExRCA is attempting to build certificate chains for certificate CN=mail.mydomain.com, OU=COMPANY, O=COMPANY, L=CITY, S=STATE, C=US.
 A certificate chain couldn't be constructed for the certificate.
 Additional Details
 The certificate chain couldn't be built. You may be missing required intermediate certificates.
Here is more information related to the iPhone connection from the ISA Server logs:

Closed Connection
4/20/2013 11:32:03 PM
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent a RST segment.
Rule:
Source: External ( xxx.xxx.xxx.xxx:52788)
Destination: Local Host ( xxx.xxx.xxx.xxx:443)
Protocol: HTTPS
User:
Additional information
* Number of bytes sent: 1706 Number of bytes received: 2073
* Processing time: 13000ms Original Client IP: xxx.xxx.xxx.xxx
* Client agent:

Denied Connection
4/20/2013 11:32:03 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:
Source: External ( xxx.xxx.xxx.xxx:52788)
Destination: Local Host ( xxx.xxx.xxx.xxx:443)
Protocol: HTTPS
User:
Additional information
* Number of bytes sent: 0 Number of bytes received: 0
* Processing time: 0ms Original Client IP: xxx.xxx.xxx.xxx
* Client agent:
These are not errors (in the ISA logs). The first states that the connection has closed as requested by the service and the second that the final ack has arrived AFTER the closure of the connection - which is normal - and therefore that has been identified and denied.

It only took 20 minutes to rebuild the ISA2004 system (plus a bl00dy hour to rebuild a 2003 server) and mine worked first time but I do use a public certificate (Godaddy including both the main certificate and the intermediary). The ISA 2004 was manually fully updated with SP3 and my 2003 server via my WSUS server.

I also tried the service successfully first by using http rather than https (as per my link above) so did not need to use the certificate - for testing.
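The two firewall-service entries above (a "Closed Connection" after a RST, then a "Denied Connection" for a non-SYN packet from the same source port) are a benign pair, as Keith explains. The following is an added example, not code from the thread or from ISA Server: it parses entries in the multi-line layout shown above and pairs each non-SYN denial with a preceding RST close from the same source address and port, so that only unpaired denials are flagged for review. The sample log text is constructed from the entries in the thread with documentation-range IP addresses substituted for the masked ones; the 60-second pairing window is an assumption.

```python
"""Triage ISA 2004 firewall-service log entries: separate late packets from
already-closed connections (benign) from unexplained non-SYN denials.

Added example; the log text below is constructed from the entries quoted in
the thread, with documentation IP addresses in place of the masked ones.
"""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """Closed Connection
4/20/2013 11:32:03 PM
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent a RST segment.
Rule:
Source: External ( 203.0.113.10:52788)
Destination: Local Host ( 192.0.2.5:443)
Protocol: HTTPS

Denied Connection
4/20/2013 11:32:03 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:
Source: External ( 203.0.113.10:52788)
Destination: Local Host ( 192.0.2.5:443)
Protocol: HTTPS

Denied Connection
4/20/2013 11:40:10 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:
Source: External ( 198.51.100.7:40001)
Destination: Local Host ( 192.0.2.5:443)
Protocol: HTTPS
"""

# Matches the "( ip:port)" part of the Source/Destination fields.
ENDPOINT = re.compile(r"\(\s*([\d.]+):(\d+)\)")
RST_CLOSE = "RST segment"
NON_SYN = "non-SYN packet"


def parse_entries(text: str) -> list:
    """Split the log into entries (blank-line separated) and key each field."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        entry = {
            "action": lines[0],
            "time": datetime.strptime(lines[1], "%m/%d/%Y %I:%M:%S %p"),
        }
        for line in lines[2:]:
            key, _, value = line.partition(":")   # split on the first colon only
            entry[key.strip().lower()] = value.strip()
        match = ENDPOINT.search(entry.get("source", ""))
        entry["src"] = (match.group(1), int(match.group(2))) if match else None
        entries.append(entry)
    return entries


def triage(entries: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Return (source, verdict) for every non-SYN denial in the log.

    A denial is benign when the same source ip:port had a RST close at most
    `window` earlier: the dropped packet is the peer's final ack arriving
    after ISA already tore the connection down (assumed window, see lead-in).
    """
    closes = [e for e in entries
              if e["action"] == "Closed Connection" and RST_CLOSE in e.get("status", "")]
    verdicts = []
    for e in entries:
        if e["action"] != "Denied Connection" or NON_SYN not in e.get("status", ""):
            continue
        paired = any(c["src"] == e["src"] and timedelta(0) <= e["time"] - c["time"] <= window
                     for c in closes)
        verdict = ("benign: late packet from a connection ISA already closed" if paired
                   else "review: non-SYN packet with no matching closed connection")
        verdicts.append((e["src"], verdict))
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(parse_entries(SAMPLE_LOG)):
        print(f"{src[0]}:{src[1]}  {verdict}")
```

Run it against a copy of exported log text in the same layout; entries that come out as "review" are the ones worth correlating with the Web Proxy (Reverse) log, since the pair shown in the thread is exactly the benign case.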
Can you connect your phone to the server internally?

My article has a link to a tool that you can use internally to test the server to make sure that it is configured properly.

Once you know the server is happily configured, then you can worry about the ISA part if it isn't working.

Try checking that first and see how you go.

Alan
Hi Alan....
Just for your info.... If I do a VPN on my iPhone to the company I'm able to connect to the Exchange and sync my emails (Send and Receive OK), but when I try using my cellular provider it is giving me the usual message "Unable to verify account". With this in mind, I assume that the configuration is OK inside the Network. Correct me if I'm wrong....
Ok... I did more testing using the iPhone ActiveSync Test App and here are the results:

TEST from VPN to the office with the iPhone:

Connection OK?  OK
Valid Certificate?  OK
Valid User?  OK
Application present? OK
Valid config? OK
Test sync? FAIL

Error Details:

Server: mail.mydomain.com
user: user
ActiveSync Version6.6 7638.1
Protocols 1.02.0.2.1.2.5

ActiveSync detected, but access denied.
(HTTP 403: Disabled for this user)

TEST from Cellular provider:
Connection OK?  OK
Valid Certificate?  OK
Valid user?  FAILED

No more results....
Major Code: 0xfffffff, Minor Code; 0x0

The funny thing is that I'm able to connect to Exchange (Send and Receive emails) when I'm connected through VPN although it says that the user is not activated for this user.... :(
Okay - do you have Forms Based Authentication enabled (pretty login for OWA)?

If you do (i.e., you have SSL Enabled on the Exchange virtual Directory), you need to follow KB817379 to create the exchange-oma virtual directory with SSL NOT enabled.
Yes I have Forms Based Authentication enabled but in the ISA Server Web Publishing Rule not in the Exchange http protocol. Also, I can access the OWA internally but not from the Internet. When I tried to access the OWA from the Internet it brings me the logon window but when I provide the credentials and logon, it's giving the following error:

Error Code 403 Forbidden. The server denied the specified Uniform Resource Locator (URL)
Contact the server administrator. (12202)

Just providing you more information..... Thanks for not giving up on me... :)
Okay - concentrate on getting it working without using ISA for now (locally), then once that works, Keith can hopefully get the ISA part going for you knowing that the server is at least ready for ISA.

So - for the user you were testing with, do they have all the Exchange Features (via ADUC) enabled?

If yes - is Activesync enabled globally?

http://technet.microsoft.com/en-us/library/aa997342(v=exchg.65).aspx

Alan
Re the testing - can you download and run the test app on a computer on the LAN and then use the LAN test to see if all is well locally please.

Thanks

Alan
OK... I will do the test and let you know... Thanks
No problems.
Alan,

Here is the ActiveSync Tester results from inside (LAN):

Testing 192.168.xxx.xxx (SSL, On LAN):

Communications:
      Doing DNS lookup on 192.168.xxx.xxx ........ OK (mail.mycompany.com)
      Testing TCP to 192.168.xxx.xxx port 443 .... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... FAIL
ActiveSync:
      Checking for application ................. OK
      Checking version ......................... OK (6.5.7638.1)
      Checking protocols ....................... OK (1.0,2.0,2.1,2.5)
User Permissions:
      Checking "MYCOMPANY\user" .......... FAIL

Result:
      ActiveSync detected, but not correctly configured. [HTTP 500: Forms-based auth enabled?]
-----------------------------------------------------------------------------------------------------------------------

Here are the results from the Internet:

Testing mail.mycompany.com (SSL, On Internet):

Communications:
      Doing DNS lookup on mail.mycompany.com  OK (xxx.xxx.xxx.xxx)
      Testing TCP to xxx.xxx.xxx.xxx port 443 .... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... FAIL
ActiveSync:
      Checking for application ................. FAIL

Result:
      ActiveSync detected, but not correctly configured.
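The browser OPTIONS test from the Microsoft article, the ExRCA run, the test app's "HTTP 403: Disabled for this user" and "HTTP 500: Forms-based auth enabled?" results, and the OWA login page coming back instead of the expected 501/505 are all different replies to the same request. The script below is an added diagnostic, not code from the thread, from Microsoft or from the test app: it sends OPTIONS to /Microsoft-Server-ActiveSync over TLS and maps the reply to the condition the thread associates with it (Basic challenge, FBA intercept, 403, 500, 501/505). The MS-ASProtocolVersions header is the real header an authenticated OPTIONS reply carries; the host name, the User-Agent string and the wording of the verdicts are assumptions.

```python
"""Probe /Microsoft-Server-ActiveSync and explain the reply.

Added diagnostic, not part of the thread. Classification rules follow the
outcomes reported in the thread; host names are placeholders.
"""
import http.client
import ssl
import sys
from dataclasses import dataclass, field

AS_PATH = "/Microsoft-Server-ActiveSync"


@dataclass
class ProbeResult:
    status: int
    headers: dict = field(default_factory=dict)   # header names lower-cased
    body: str = ""


def classify_activesync_reply(r: ProbeResult) -> str:
    """Map an OPTIONS reply to the condition the thread associates with it."""
    challenge = r.headers.get("www-authenticate", "").lower()
    location = r.headers.get("location", "").lower()
    body = r.body.lower()

    if r.status == 401 and "basic" in challenge:
        return "ok: ActiveSync path reachable, Basic challenge presented to the device"
    if r.status == 401:
        return "warn: 401 without a Basic challenge; devices need Basic on the listener"
    if r.status in (501, 505):
        # An unauthenticated browser OPTIONS request is answered by the ISAPI
        # extension itself; this is the 'Error 501/505' the Microsoft test expects.
        return "ok: ActiveSync ISAPI answered directly (501/505 is the expected browser result)"
    if r.status == 200 and "ms-asprotocolversions" in r.headers:
        return "ok: OPTIONS accepted, protocol versions " + r.headers["ms-asprotocolversions"]
    if r.status in (200, 302) and ("logon" in location or "logon" in body or "<form" in body):
        return "fail: forms-based authentication intercepts the request (OWA login page returned)"
    if r.status == 403:
        return "fail: 403, ActiveSync disabled for the user or path not allowed by the publishing rule"
    if r.status == 500:
        return "fail: 500, FBA/SSL on the Exchange virtual directory; exchange-oma vdir required (KB817379)"
    return f"unknown: HTTP {r.status}, inspect headers and body manually"


def probe(host: str, verify: bool = True, timeout: float = 10.0) -> ProbeResult:
    """Send OPTIONS to the ActiveSync path over TLS and collect the reply.

    verify=False skips chain validation so a listener with a self-signed
    certificate (as in the thread) can still be probed; the chain problem is
    reported separately by the caller.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("OPTIONS", AS_PATH, headers={"User-Agent": "activesync-probe"})
        resp = conn.getresponse()
        body = resp.read(8192).decode("latin-1", errors="replace")
        return ProbeResult(resp.status, {k.lower(): v for k, v in resp.getheaders()}, body)
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # placeholder host
    try:
        print(classify_activesync_reply(probe(target)))
    except ssl.SSLCertVerificationError as exc:
        # Same failure ExRCA reported above: the chain cannot be built by the client.
        print(f"certificate chain problem: {exc}")
        print(classify_activesync_reply(probe(target, verify=False)))
```

Run it once from the LAN against the Exchange server and once from outside against the published name; the two verdicts differing is the situation the thread describes, and the first verdict that changes after a listener or virtual-directory change tells you which layer the change affected.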
ASKER CERTIFIED SOLUTION
Alan Hardisty
Question... under the IIS virtual directories I have one with the name of "OMA". This is the one or we still need to create a new one? See attached file.
Screen-Shot-2013-04-22-at-6.16.4.png
OMA is normal - we need an exchange-oma too.

Where did the owaasp virtual directory come from?
Don't know...
Alan,
I was able to create the exchange-oma virtual directory following the Microsoft documentation, performed the test again and here are the results. Also, I added my account to the exception list as you mentioned in your document:

Testing mail.mydomain.com (SSL, On LAN):

Communications:
      Doing DNS lookup on mail.mydomain.com........ OK (192.168.xxx.xxx)
      Testing TCP to 192.168.xxx.xxx port 443 .... OK
SSL Certificate:
      Receiving ................................ OK
      Ensuring not Self-Signed ................. OK
      Verifying certificate .................... OK
ActiveSync:
      Checking for application ................. OK
      Checking version ......................... OK (6.5.7638.1)
      Checking protocols ....................... OK (1.0,2.0,2.1,2.5)
User Permissions:
      Checking "MYCOMPANY\user" .......... OK

Result:
      ActiveSync IS available.

Inside the Network is working fine, but from the Internet we are getting the same results.
"ActiveSync detected but not correctly configured"
OK - will pick this up tonight when I get home from work
That is looking good now - so over to you Keith :)
Alan / Keith,

Just for your info... After creating the virtual directory (exchange-oma) and adding the same in the Publishing rule "Paths" (ISA Server) and changing the authentication method in the Web Listener, now it is WORKING!!!!! The iPhone is syncing with the Exchange Server using the Cellular Network. Here is what I changed in the Web Listener:

Web Listener
Properties/
Preferences/
Authentication/
Unselect the OWA Forms Based
Select the Integrated and Basic
Select Require all users to authenticate

I also deactivated the FBA in the Exchange Virtual Directory in System Manager. Running right now without FBA, but it is working internally, externally and on the iPhone.

You guys are the best... with all your knowledge and directions I was able to solve the issues.
Excellent news - well done everyone.
Hey guys... Question...
Since I have to set Integrated and Basic authentication in the Web Listener, now I have to authenticate twice every time I log in to OWA. But it works. Any ideas or suggestions? Thanks as always...
That's one for Keith ;)
SOLUTION
Keith,

What do you recommend?

Thanks...