You should use the same external FQDN SSL certificate on both the ISA server 
and Exchange server.  Otherwise the SSL connection "breaks".


-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Tuesday, August 18, 2009 5:41 PM
To: MS-Exchange Admin Issues
Subject: RE: Microsoft Exchange ActiveSync Mobile Administration Web Tool install

I appreciate the input and will pass it on, but more than likely it will be 
ignored.  

Bottom line is that I still need to set this up.  Can anyone give me their 
thoughts on the original post?

-----Original Message-----
From: Steven Peck [mailto:sep...@gmail.com]
Sent: Tuesday, August 18, 2009 4:49 PM
To: MS-Exchange Admin Issues
Subject: Re: Microsoft Exchange ActiveSync Mobile Administration Web Tool install

We tested them because we 'had to'.  The chief proponent of this was bragging 
about how he was going to get it approved.  Because his iPhone was part of the 
test, our security guy had his iPhone hacked when it connected to the wireless 
LAN.  They added this example/demo as part of their commentary on iPhone 
suitability and security in our environment.

End result:  We do not allow iPhones

Caveat:  We have to answer to HIPAA.  As there is limited/no real case law on 
violations, no one wants to be the case that is quoted as a foundation decision 
for the next 25 years.

Steven Peck

On Tue, Aug 18, 2009 at 2:44 PM, Maglinger, Paul<pmaglin...@scvl.com> wrote:
> Yeah, like that's going to work.
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 18, 2009 4:32 PM
> To: MS-Exchange Admin Issues
> Subject: Re: Microsoft Exchange ActiveSync Mobile Administration Web Tool install
>
> The following is not terribly helpful, but I just can't help myself.
>
> I'm working on banning iPhones in my environment:
>
> http://www.wired.com/gadgetlab/2009/07/iphone-encryption/
>
> http://arstechnica.com/apple/news/2009/07/new-iphone-hardware-encryption-not-even-close-to-hack-proof.ars
>
> http://wikee.iphwn.org/howto:iphones_at_defcon
>
> http://www.youtube.com/watch?v=5wS3AMbXRLs
>
> http://www.youtube.com/watch?v=kHdNoKIZUCw
>
>
> If you value your org's data, don't allow iPhones to connect. They 
> might be great personal tools, but given the current state of their 
> security, I would not put any data on them that I wanted to keep 
> private.
>
>
> On Tue, Aug 18, 2009 at 14:09, Maglinger, Paul<pmaglin...@scvl.com> wrote:
>> We're struggling with implementing iPhones into our environment.  We 
>> have set up an ISA server and when we try testing from 
>> https://www.testexchangeconnectivity.com/ for ActiveSync using SSL 
>> authentication, we get this:
>>
>>  Testing Exchange Activesync for host 
>> https://telstar.scvl.com/Microsoft-Server-Activesync/
>>  Exchange Activesync test Failed
>>  Test Steps
>>   Attempting to Resolve the host name telstar.scvl.com in DNS.
>>  Host successfully Resolved
>>  Additional Details
>>  IP(s) returned: 12.156.139.141
>>
>>  Testing TCP Port 443 on host telstar.scvl.com to ensure it is 
>> listening/open.
>>  The port was opened successfully.
>>
>>  Testing SSL Certificate for validity.
>>  The SSL Certificate failed one or more certificate validation checks.
>>  Test Steps
>>   Validating certificate name
>>  Successfully validated the certificate name
>>  Additional Details
>>  Found hostname telstar.scvl.com in Certificate Subject Common name
>>
>>  Validating certificate trust for Windows Mobile Devices
>>  Certificate trust validation failed
>>   Tell me more about this issue and how to resolve it
>>
>>  Additional Details
>>  The certificate chain did not end in a trusted root. Root = 
>> CN=StartCom Certification Authority, OU=Secure Digital Certificate 
>> Signing, O=StartCom Ltd., C=IL
>>
>>
>>  Okay, so I understand the SSL portion of this is failing.  This free 
>> certificate was obtained from Startcom Ltd., which was mentioned in 
>> this article 
>> http://www.msexchange.org/tutorials/SSL-Enabling-OWA-2003-Using-Free-3rd-Party-Certificate.html .
>>
>> Okay now...  Let me write this out and see if I've gotten this right.
>>
>> We have our Exchange server on the inside of our firewall.  We have 
>> our ISA server between the Exchange server and the iPhone.  We need 
>> two certificates.  One certificate will be generated by our internal 
>> CA and will be used between the Exchange server and the ISA server.  The 
>> other certificate is public and goes between the ISA server and the iPhone.
>>
>> Now...
>> Is it necessary for the ISA server to mimic the FQDN of our internal 
>> mail server?  If so, then we generate a certificate from our mail 
>> server and use it to obtain the SSL certificate from the provider, 
>> then import that certificate on the ISA server.  If it is not 
>> necessary and we generate the certificate from the ISA server itself 
>> and use it, as long as the name of the ISA server and the name 
>> the client points to is the same as what's in DNS, that's all that 
>> matters, right?  And ActiveSync should be part of the ISA server 
>> because that is what the client is going to hit rather than be 
>> installed on the internal Exchange server.
>>
>> - Paul
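An added diagnostic, not from any message in this thread, that reruns the checks the connectivity test above reports (DNS resolution, TCP 443, certificate name match, chain trust and the chain's root) from a Windows client using .NET's SslStream; the -HostName value is a placeholder for your own ActiveSync FQDN. The chain is evaluated against the root store of the machine running the script, so a chain a domain PC trusts can still fail on a phone that ships a smaller root list, which is the situation the test output describes.

```powershell
# Added example: client-side view of the ActiveSync endpoint's certificate.
# Runs the same checks the connectivity tester printed, against this machine's roots.
param(
    [string]$HostName = "mail.example.com",   # placeholder: your external ActiveSync FQDN
    [int]$Port = 443
)

# 1. DNS resolution (first step in the tester's output)
$ips = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() }
"IP(s) returned      : $($ips -join ', ')"

# 2. TCP 443 reachable (second step)
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($HostName, $Port)
"TCP port $Port open   : $($tcp.Connected)"

# 3. TLS handshake. The callback only records what .NET found (name match,
#    chain status, root CA) and accepts the handshake so we always get the details.
$script:result = @{}
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:result.Errors  = $errors            # SslPolicyErrors flags
    $script:result.Subject = $cert.Subject
    $script:result.Root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    $script:result.Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    return $true                                # diagnosis only; do not send mail over this
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($HostName)

$e  = $script:result.Errors
$nm = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
$ce = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
"Certificate subject : $($script:result.Subject)"
"Name matches host   : $((($e -band $nm) -eq 0))"   # 'Validating certificate name'
"Chain trusted       : $((($e -band $ce) -eq 0))"   # 'Validating certificate trust'
"Chain root          : $($script:result.Root)"      # the 'Root = CN=...' line in the test
if ($script:result.Status) { "Chain status        : $($script:result.Status)" }

$ssl.Dispose()
$tcp.Close()
```

If "Chain trusted" is True here but devices still fail, the root printed on the last line is the one to look for in the device's trusted root list, or to replace with a certificate from a CA the devices already trust.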