RE: Still struggling with iPhone, ISA and SSL certs...

2009-09-02 Thread Maglinger, Paul
Haven't tried that format yet, and doubt I ever will.  As soon as we got
it working they ran off with our test device and are somewhere
gleefully rubbing their fingers across its glossy surface.  *sigh*

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Tuesday, September 01, 2009 9:00 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Did you try Domain\Username?

If you are using NTLM authentication, then ISA or IIS cannot insert the
domain into the user property

Cheers
Ken


RE: Still struggling with iPhone, ISA and SSL certs...

2009-09-02 Thread Ken Schaefer
This is not iPhone specific.

If you are using Basic AuthN, then everything is cleartext, so ISA server (or
IIS or whatever) can alter the supplied username to prepend a domain name. If
you are using NTLM, then username (including the domain name) is used in part
of the authentication hash, and IIS (or ISA) cannot alter the username because
that would change the authentication hash, and ISA or IIS cannot do that
because the hash is also based on the user's password.

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Thursday, 3 September 2009 2:05 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Haven't tried that format yet, and doubt I ever will.  As soon as we got it
working they ran off with our test device and are somewhere gleefully rubbing
their fingers across its glossy surface.  *sigh*

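
Added example, not part of the original thread: a simplified Python model of the point Ken Schaefer makes in the message above, that a proxy can qualify a Basic username but cannot do the same to an NTLM (here NTLMv2) logon, because the names are keyed into the proof together with the password hash. The account jdoe, domain EXAMPLE, password, challenge and blob are constructed; the blob stands in for the real NTLMv2 client blob, and account lookup is not modelled.

```python
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on current OpenSSL."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a0, b0, c0, d0 = a, b, c, d
        for i in range(16):  # round 1
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rol((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol((a + g + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            h = b ^ c ^ d
            a, b, c, d = d, _rol((a + h + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + a0) & MASK, (b + b0) & MASK, (c + c0) & MASK, (d + d0) & MASK
    return struct.pack("<4I", a, b, c, d)


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_authenticate(password, user, domain, server_challenge, blob):
    """Client side: the proof depends on password, user, domain and challenge."""
    key = ntowf_v2(md4(password.encode("utf-16-le")), user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return {"user": user, "domain": domain, "blob": blob, "proof": proof}


def server_verify(stored_nt_hash, msg, server_challenge):
    """Verifier recomputes the proof from the names carried in the message."""
    key = ntowf_v2(stored_nt_hash, msg["user"], msg["domain"])
    expected = hmac.new(key, server_challenge + msg["blob"], hashlib.md5).digest()
    return hmac.compare_digest(expected, msg["proof"])


def proxy_rewrite_basic(header: str, default_domain: str) -> str:
    """Basic credentials are only base64: decode, qualify the name, re-encode."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    if "\\" not in user and "@" not in user:
        user = default_domain + "\\" + user
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def proxy_rewrite_ntlm(msg: dict, default_domain: str) -> dict:
    """The same rewrite applied to NTLM: the name changes, the proof cannot,
    because the proxy holds neither the password nor the NT hash."""
    return dict(msg, domain=msg["domain"] or default_domain)


def demo():
    challenge = bytes.fromhex("0123456789abcdef")   # constructed server challenge
    blob = b"constructed-client-blob"               # stand-in for the NTLMv2 blob
    stored = md4("Password1!".encode("utf-16-le"))  # NT hash held by the verifier
    basic = "Basic " + base64.b64encode(b"jdoe:Password1!").decode()
    bare = client_authenticate("Password1!", "jdoe", "", challenge, blob)
    qualified = client_authenticate("Password1!", "jdoe", "EXAMPLE", challenge, blob)
    return {
        # Proxy-side qualification works for Basic.
        "basic_rewritten": base64.b64decode(proxy_rewrite_basic(basic, "EXAMPLE")[6:]).decode(),
        # Hash check only: names and proof agree as the client sent them.
        "ntlm_untouched": server_verify(stored, bare, challenge),
        # Proxy inserted the domain afterwards: proof no longer matches.
        "ntlm_rewritten": server_verify(stored, proxy_rewrite_ntlm(bare, "EXAMPLE"), challenge),
        # User typed the domain on the device: proof was computed with it.
        "ntlm_client_qualified": server_verify(stored, qualified, challenge),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```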

RE: Still struggling with iPhone, ISA and SSL certs...

2009-09-01 Thread Maglinger, Paul
Okay, we finally got the
hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products
to work through our ISA.  We brought in a hired gun,
ended up making a few changes on the ISA server for the Listener.  But
probably the biggest thing, which came as a flash of insight to our
security admin, was to try logging in from the iPhone as
usern...@domain.com instead of just username.  In all the masses of
documents we've downloaded and perused, I don't think we found anything
that said to do that.  Maybe we should have assumed that from the
beginning?  I don't know.  It's working now and I'm done with it.  I'm
going to go back and bang my head against the wall for a few more
minutes before getting on my next project.

Paul

-Original Message-
From: Art DeKneef [mailto:art.dekn...@cox.net] 
Sent: Monday, August 24, 2009 2:36 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

I had a similar issue last week. This was with a SBS 2003 server with
Exchange Server 2003 SP2. OWA was working fine from outside. Tried to
set up an iPhone and I think received the same error message. I checked
everything I found on the web and all the settings were correct. It just
wouldn't connect. Tried my Windows Mobile phone and it wouldn't connect
either. Its error message stated it was permissions also. Double,
triple-checked and everything was enabled and set correctly.

Got so frustrated decided to start from the beginning. Re-ran the
Connect to Internet Wizard, verified the SSL cert, checked in Exchange
Server Manager for the Mobile Access and made sure the settings were
enabled there, checked the user's account and verified the mobile
settings were enabled, checked the SBS firewall. Everything looked
correct and as it was before.

Went to my mobile phone. Deleted the server from ActiveSync. Configured
the Server Source again from scratch. Ran a sync and it connected and
started downloading email. Went to the iPhone and deleted the Exchange
Server settings. Configured the Exchange settings from scratch and it
connected to the server and downloaded the email, contacts and calendar.
Success at last.

I don't know what was causing the problem but whatever it was it seemed
to have been fixed by starting from the beginning again.

Though they are not using ISA Server, SBS is set up with two NICs and is
using the internal firewall settings. They have a hardware firewall
which I never changed or touched during this exercise.

Maybe this will spark an idea or thought that will help.

Art


RE: Still struggling with iPhone, ISA and SSL certs...

2009-09-01 Thread Don Guyer
That'll do it. When I set up my iPhone, I used domain_name/username.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com


-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Tuesday, September 01, 2009 1:29 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Okay, we finally got the
hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products
to work through our ISA.  We brought in a hired gun,
ended up making a few changes on the ISA server for the Listener.  But
probably the biggest thing, which came as a flash of insight to our
security admin, was to try logging in from the iPhone as
usern...@domain.com instead of just username.  In all the masses of
documents we've downloaded and perused, I don't think we found anything
that said to do that.  Maybe we should have assumed that from the
beginning?  I don't know.  It's working now and I'm done with it.  I'm
going to go back and bang my head against the wall for a few more
minutes before getting on my next project.

Paul


RE: Still struggling with iPhone, ISA and SSL certs...

2009-09-01 Thread Ken Schaefer
Did you try Domain\Username?

If you are using NTLM authentication, then ISA or IIS cannot insert the domain 
into the user property

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Wednesday, 2 September 2009 1:29 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Okay, we finally got the
hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products
to work through our ISA.  We brought in a hired gun, ended up
making a few changes on the ISA server for the Listener.  But probably the 
biggest thing, which came as a flash of insight to our security admin, was to 
try logging in from the iPhone as usern...@domain.com instead of just username. 
 In all the masses of documents we've downloaded and perused, I don't think we 
found anything that said to do that.  Maybe we should have assumed that from 
the beginning?  I don't know.  It's working now and I'm done with it.  I'm 
going to go back and bang my head against the wall for a few more minutes 
before getting on my next project.

Paul


Re: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Ben Nordlander
You usually can't add to the list of trusted CAs on a device like the
iPhone. So I find the trick is to find out which SSL cert publishers it does
trust and just stick with that. If you could let us know the issue you are
trying to solve then we can start to help you out.

-BenN

On Fri, Aug 21, 2009 at 7:12 AM, Maglinger, Paul pmaglin...@scvl.com wrote:

 As the Security Admin and I are still trying to get the
 hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products
 to work through our ISA, we referred back to the ISA
 2006 Migration Guide by Syngress.  The SA came in the morning and showed
 me the following section in the book:

 The topic of Certificate Authorities (CAs) and PKI (Public Key
 Infrastructure) is usually enough to drive many administrators away from
 even considering SSL.  There are a number of reasons for this:
  - The available documentation on certificate authorities and PKI, in
 general, is difficult to understand.
  - The subject has the potential to be extremely complex.
  - You need to learn an entirely new vocabulary to understand the CAs
 and PKI.  Often the documentation on these subjects doesn't define the
 new words, or they use equally arcane terms to define the arcane term
 for which you're trying to get the definition.
  - There doesn't seem to be any support for the network and firewall
 administrator who just wants to get a CA setup and running so that he
 can use certificates for SSL and L2TP/IPSec authentication and
 encryption.


 Boy, that just seems to sew it up in a nutshell, doesn't it?  You'd
 think that if this opinion is as common as I believe it to be, somebody
 out there could simplify the process somewhat...

 *thunk* *thunk* *thunk*  (head banging against desk...)


 Paul
 





 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
 ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~




Re: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Ben Nordlander
I should mention. We run ISA and have iPhone users that can connect with our
Exchange 2007 SP1 server just fine with the iPhone ActiveSync client. So I
might be able to help you out?

-Ben

On Mon, Aug 24, 2009 at 9:51 AM, Ben Nordlander bennordlan...@gmail.com wrote:

 You usually can't add to the list of trusted CAs on a device like the
 iPhone. So I find the trick is to find out which SSL cert publishers it does
 trust and just stick with that. If you could let us know the issue you are
 trying to solve then we can start to help you out.

 -BenN


RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Maglinger, Paul
We've broken this down into several steps trying to get this to work.
We backed away from using the iPhone and used a Windows Mobile device to
connect to the Exchange server using our internal wireless network
without SSL and was able to get that to work through OWA, but the
ActiveSync is still not working.  We're getting "Your account in
Microsoft Exchange Server does not have permission to sync with your
current settings."  We've checked Outlook Mobile Access and Outlook Web
Access settings and they're both enabled.  We've Googled this and tried
just about everything we've found and still not working.

For those who just tuned in, we eventually want to get this working
running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to
trust a mutual third party (a CA). A similar concept to Kerberos or even
AD in general (both clients and servers trust DCs)

The tricky part about PKI is all the processes you have around managing
your CA, key escrow etc. What is the actual issue you are facing?

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the
hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products
to work through our ISA, we referred back to the ISA
2006 Migration Guide by Syngress.  The SA came in the morning and showed
me the following section in the book:
 
The topic of Certificate Authorities (CAs) and PKI (Public Key
Infrastructure) is usually enough to drive many administrators away from
even considering SSL.  There are a number of reasons for this:
 - The available documentation on certificate authorities and PKI, in
general, is difficult to understand.
 - The subject has the potential to be extremely complex.
 - You need to learn an entirely new vocabulary to understand the CAs
and PKI.  Often the documentation on these subjects doesn't define the
new words, or they use equally arcane terms to define the arcane term
for which you're trying to get the definition.
 - There doesn't seem to be any support for the network and firewall
administrator who just wants to get a CA setup and running so that he
can use certificates for SSL and L2TP/IPSec authentication and
encryption.


Boy, that just seems to sew it up in a nutshell, doesn't it?  You'd
think that if this opinion is as common as I believe it to be, somebody
out there could simplify the process somewhat...

*thunk* *thunk* *thunk*  (head banging against desk...)


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~





RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Tim Evans
One of my users came in with an iPhone and it just worked with the standard 
configuration we had for all our WM devices. At the time, we were also using an 
internal certificate and it just worked.

Do you have it working with any WM devices?
ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync. In 
Exchange 2003, I think it was called Always Up to Date or Push or something 
like that.
Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.


...Tim


 -Original Message-
 From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
 Sent: Monday, August 24, 2009 10:56 AM
 To: NT System Admin Issues
 Subject: RE: Still struggling with iPhone, ISA and SSL certs...
 
 We've broken this down into several steps trying to get this to work.
 We backed away from using the iPhone and used a Windows Mobile device to
 connect to the Exchange server using our internal wireless network
 without SSL and were able to get that to work through OWA, but the
 ActiveSync is still not working.  We're getting "Your account in
 Microsoft Exchange Server does not have permission to sync with your
 current settings."  We've checked Outlook Mobile Access and Outlook Web
 Access settings and they're both enabled.  We've Googled this and tried
 just about everything we've found and still not working.
 
 For those who just tuned in, we eventually want to get this working
 running an iPhone through an ISA 2006 server to Exchange 2003.
 
 -Paul
 



RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Maglinger, Paul
 One of my users came in with an iPhone and it just worked with the
standard configuration we had for all our WM devices.  At the time, we
were also using an internal certificate and it just worked.

That's right... just twist the knife... :-)

 Do you have it working with any WM devices?

Just with OWA now.  And as I said, just internally between the WM device
and the Exchange server.  We want to get that done before we throw the
ISA into the mix.

In the IIS Manager, there is a virtual directory called
Microsoft-Server-ActiveSync.  So doesn't that indicate that it's there?

Yep, running Exchange 2003 SP2.

-Original Message-
From: Tim Evans [mailto:tev...@sparling.com] 
Sent: Monday, August 24, 2009 1:19 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

One of my users came in with an iPhone and it just worked with the
standard configuration we had for all our WM devices. At the time, we
were also using an internal certificate and it just worked.

Do you have it working with any WM devices?
ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync.
In Exchange 2003, I think it was called Always Up to Date or Push or
something like that.
Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.


...Tim



RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Maglinger, Paul
Thanks Sherry.  We went to Petri's site per your recommendation last
(you were at home and didn't have specific links there) and tried
several.  I know we hit the first link.  I don't think we went to the
other two, but the mention of 2 virtual directories rings a bell.  I
think we tried something like that.  We'll dig back into it.



From: Sherry Abercrombie [mailto:saber...@gmail.com] 
Sent: Monday, August 24, 2009 1:42 PM
To: NT System Admin Issues
Subject: Re: Still struggling with iPhone, ISA and SSL certs...


I highly recommend looking at these links:

http://www.petri.co.il/configure_isa_to_publish_owa.htm

http://www.petri.co.il/configure_oma.htm

http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

Basically what I had to do was in the last link listed, OWA and
ActiveSync don't play nicely together with FBA in IIS, you create two
virtual directories in IIS, one for OWA with FBA, one for
ActiveSync/Mobile devices without it, reg hack involved,  some other
stuff.  I was going through this kind of frustration about a year ago
when we had to add access for mobile devices, had OWA working for a long
time, but couldn't get anything working on ActiveSync until I did the 2
virtual directories.  




RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Tim Evans
Yes, that would imply that ActiveSync is on the server. But you said that the 
error message said that the user's account was not enabled for activesync. You 
need to make sure that the account is enabled first.


...Tim


 -Original Message-
 From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
 Sent: Monday, August 24, 2009 11:42 AM
 To: NT System Admin Issues
 Subject: RE: Still struggling with iPhone, ISA and SSL certs...
 
  One of my users came in with an iPhone and it just worked with the
 standard configuration we had for all our WM devices.  At the time, we
 were also using an internal certificate and it just worked.
 
 That's right... just twist the knife... :-)
 
  Do you have it working with any WM devices?
 
 Just with OWA now.  And as I said, just internally between the WM device
 and the Exchange server.  We want to get that done before we throw the
 ISA into the mix.
 
 In the IIS Manager, there is a virtual directory called
 Microsoft-Server-ActiveSync.  So doesn't that indicate that it's there?
 
 Yep, running Exchange 2003 SP2.
 

RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Maglinger, Paul
Would that show up as ActiveSync in ADUC, Exchange Features, or is it
referred to as Outlook Mobile Access under Mobile Services? 

-Original Message-
From: Tim Evans [mailto:tev...@sparling.com] 
Sent: Monday, August 24, 2009 1:49 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Yes, that would imply that ActiveSync is on the server. But you said
that the error message said that the user's account was not enabled for
activesync. You need to make sure that the account is enabled first.


...Tim



Re: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Sherry Abercrombie
I highly recommend looking at these links:

http://www.petri.co.il/configure_isa_to_publish_owa.htm

http://www.petri.co.il/configure_oma.htm

http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

Basically what I had to do was in the last link listed, OWA and ActiveSync
don't play nicely together with FBA in IIS, you create two virtual
directories in IIS, one for OWA with FBA, one for ActiveSync/Mobile devices
without it, reg hack involved,  some other stuff.  I was going through this
kind of frustration about a year ago when we had to add access for mobile
devices, had OWA working for a long time, but couldn't get anything working
on ActiveSync until I did the 2 virtual directories.


On Mon, Aug 24, 2009 at 1:18 PM, Tim Evans tev...@sparling.com wrote:

 One of my users came in with an iPhone and it just worked with the standard
 configuration we had for all our WM devices. At the time, we were also using
 an internal certificate and it just worked.

 Do you have it working with any WM devices?
 ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync. In
 Exchange 2003, I think it was called Always Up to Date or Push or
 something like that.
 Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.


 ...Tim






-- 
Sherry Abercrombie

Any sufficiently

Re: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Sherry Abercrombie
Exchange features.  We disable mobile  owa for everyone and only enable it
if it is approved by a manager for a user.

On Mon, Aug 24, 2009 at 1:56 PM, Maglinger, Paul pmaglin...@scvl.com wrote:

 Would that show up as ActiveSync in ADUC, Exchange Features, or is it
 referred to as Outlook Mobile Access under Mobile Services?

 -Original Message-
 From: Tim Evans [mailto:tev...@sparling.com]
 Sent: Monday, August 24, 2009 1:49 PM
 To: NT System Admin Issues
 Subject: RE: Still struggling with iPhone, ISA and SSL certs...

 Yes, that would imply that ActiveSync is on the server. But you said
 that the error message said that the user's account was not enabled for
 activesync. You need to make sure that the account is enabled first.


 ...Tim


  -Original Message-
  From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
  Sent: Monday, August 24, 2009 11:42 AM
  To: NT System Admin Issues
  Subject: RE: Still struggling with iPhone, ISA and SSL certs...
 
   One of my users came in with an iPhone and it just worked with the
  standard configuration we had for all our WM devices.  At the time,
 we
  were also using an internal certificate and it just worked.
 
  That's right... just twist the knife... :-)
 
   Do you have it working with any WM devices?
 
  Just with OWA now.  And as I said, just internally between the WM
 device
  and the Exchange server.  We want to get that done before we throw the
  ISA into the mix.
 
  In the IIS Manager, there is a virtual directory called
  Micrsoft-Server-ActiveSync.  So doesn't that indicate that it's there?
 
  Yep, running Exchange 2003 SP2.
 
  -Original Message-
  From: Tim Evans [mailto:tev...@sparling.com]
  Sent: Monday, August 24, 2009 1:19 PM
  To: NT System Admin Issues
  Subject: RE: Still struggling with iPhone, ISA and SSL certs...
 
  One of my users came in with an iPhone and it just worked with the
  standard configuration we had for all our WM devices. At the time, we
  were also using an internal certificate and it just worked.
 
  Do you have it working with any WM devices?
  ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync.
  In Exchange 2003, I think it was called Always Up to Date or Push or
  something like that.
  Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.
 
 
  ...Tim
 
 
   -Original Message-
   From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
   Sent: Monday, August 24, 2009 10:56 AM
   To: NT System Admin Issues
   Subject: RE: Still struggling with iPhone, ISA and SSL certs...
  
   We've broken this down into several steps trying to get this to work.
   We backed away from using the iPhone and used a Windows Mobile device to
   connect to the Exchange server using our internal wireless network
   without SSL and was able to get that to work through OWA, but the
   ActiveSync is still not working.  We're getting Your account in
   Microsoft Exchange Server does not have permission to sync with your
   current settings.  We've checked Outlook Mobile Access and Outlook Web
   Access settings and they're both enabled.  We've Googled this and tried
   just about everything we've found and still not working.
  
   For those who just tuned in, we eventually want to get this working
   running an iPhone through an ISA 2006 server to Exchange 2003.
  
   -Paul
  
   -Original Message-
   From: Ken Schaefer [mailto:k...@adopenstatic.com]
   Sent: Saturday, August 22, 2009 12:35 AM
   To: NT System Admin Issues
   Subject: RE: Still struggling with iPhone, ISA and SSL certs...
  
   Huh? PKI is relatively simple technology. Usually both parties need to
   trust a mutual third party (a CA). A similar concept to Kerberos or even
   AD in general (both clients and servers trust DCs)
  
   The tricky part about PKI is all the processes you have around managing
   your CA, key escrow etc. What is the actual issue you are facing?
  
   Cheers
   Ken
  
   -Original Message-
   From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
   Sent: Friday, 21 August 2009 10:12 PM
   To: NT System Admin Issues
   Subject: Still struggling with iPhone, ISA and SSL certs...
  
   As the Security Admin and I are still trying to get the
   hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products
   to work through our ISA, we referred back to the ISA
   2006 Migration Guide by Syngress.  The SA came in the morning and showed
   me the following section in the book:
  
   The topic of Certificate Authorities (CAs) and PKI (Public Key
   Infrastructure) is usually enough to drive many administrators away from
   even considering SSL.  There are a number of reasons for this:
   - The available documentation on certificate authorities and PKI, in
   general, is difficult to understand.
   - The subject has the potential to be extremely complex.
   - You need to learn an entirely new vocabulary to understand the CAs

RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Tim Evans
I believe it is under Mobile Services, but it is *NOT* Mobile Access. That is a 
different feature, essentially a real stripped down version of OWA

...Tim


 -Original Message-
 From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
 Sent: Monday, August 24, 2009 11:57 AM
 To: NT System Admin Issues
 Subject: RE: Still struggling with iPhone, ISA and SSL certs...
 
 Would that show up as ActiveSync in ADUC, Exchange Features, or is it
 referred to as Outlook Mobile Access under Mobile Services?
 

RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Maglinger, Paul
Ah...  So if ActiveSync is not showing up under the Exchange Features
tab in ADUC, then that's the problem...  Okay, now to find out why it's
not showing up.



From: Sherry Abercrombie [mailto:saber...@gmail.com] 
Sent: Monday, August 24, 2009 2:08 PM
To: NT System Admin Issues
Subject: Re: Still struggling with iPhone, ISA and SSL certs...


Exchange features.  We disable mobile  owa for everyone and only enable
it if it is approved by a manager for a user.  


On Mon, Aug 24, 2009 at 1:56 PM, Maglinger, Paul pmaglin...@scvl.com wrote:

Would that show up as ActiveSync in ADUC, Exchange Features, or is it
referred to as Outlook Mobile Access under Mobile Services?



RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Maglinger, Paul
Under Exchange Features, we have User Initiated Synchronization enabled,
along with Outlook Mobile Access and Up to Date Notifications.  We also
have Outlook Web Access enabled for this user too.
 



From: Sherry Abercrombie [mailto:saber...@gmail.com] 
Sent: Monday, August 24, 2009 2:08 PM
To: NT System Admin Issues
Subject: Re: Still struggling with iPhone, ISA and SSL certs...


Exchange features.  We disable mobile  owa for everyone and only enable
it if it is approved by a manager for a user.  


On Mon, Aug 24, 2009 at 1:56 PM, Maglinger, Paul pmaglin...@scvl.com wrote:

Would that show up as ActiveSync in ADUC, Exchange Features, or is it
referred to as Outlook Mobile Access under Mobile Services?



RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-24 Thread Art DeKneef
I had a similar issue last week. This was with a SBS 2003 server with
Exchange Server 2003 SP2. OWA was working fine from outside. Tried to set up
an iPhone and I think received the same error message. I checked everything
I found on the web and all the settings were correct. It just wouldn't
connect. Tried my Windows Mobile phone and it wouldn't connect either. Its
error message stated it was permissions also. Double, triple-checked and
everything was enabled and set correctly.

Got so frustrated decided to start from the beginning. Re-ran the Connect to
Internet Wizard, verified the SSL cert, checked in Exchange Server Manager
for the Mobile Access and made sure the settings were enabled there, checked
the users account and verified the mobile settings were enabled, checked the
SBS firewall. Everything looked correct and as it was before.

Went to my mobile phone. Deleted the server from ActiveSync. Configured the
Server Source again from scratch. Ran a sync and it connected and started
downloading email. Went to the iPhone and deleted the Exchange Server
settings. Configured the Exchange settings from scratch and it connected to
the server and downloaded the email, contacts and calendar. Success at last.

I don't know what was causing the problem but whatever it was it seemed to
have been fixed by starting from the beginning again.

Though they are not using ISA Server, SBS is set up with two NICs and is
using the internal firewall settings. They have a hardware firewall which I
never changed or touched during this exercise.

Maybe this will spark an idea or thought that will help.

Art

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work.
We backed away from using the iPhone and used a Windows Mobile device to
connect to the Exchange server using our internal wireless network
without SSL and was able to get that to work through OWA, but the
ActiveSync is still not working.  We're getting Your account in
Microsoft Exchange Server does not have permission to sync with your
current settings.  We've checked Outlook Mobile Access and Outlook Web
Access settings and they're both enabled.  We've Googled this and tried
just about everything we've found and still not working.

For those who just tuned in, we eventually want to get this working
running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to
trust a mutual third party (a CA). A similar concept to Kerberos or even
AD in general (both clients and servers trust DCs)

The tricky part about PKI is all the processes you have around managing
your CA, key escrow etc. What is the actual issue you are facing?

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the
hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products
to work through our ISA, we referred back to the ISA
2006 Migration Guide by Syngress.  The SA came in the morning and showed
me the following section in the book:
 
The topic of Certificate Authorities (CAs) and PKI (Public Key
Infrastructure) is usually enough to drive many administrators away from
even considering SSL.  There are a number of reasons for this:
 - The available documentation on certificate authorities and PKI, in
general, is difficult to understand.
 - The subject has the potential to be extremely complex.
 - You need to learn an entirely new vocabulary to understand the CAs
and PKI.  Often the documentation on these subjects doesn't define the
new words, or they use equally arcane terms to define the arcane term
for which you're trying to get the definition.
 - There doesn't seem to be any support for the network and firewall
administrator who just wants to get a CA setup and running so that he
can use certificates for SSL and L2TP/IPSec authentication and
encryption.


Boy, that just seems to sew it up in a nutshell, doesn't it?  You'd
think that if this opinion is as common as I believe it to be, somebody
out there could simplify the process somewhat...

*thunk* *thunk* *thunk*  (head banging against desk...)



RE: Still struggling with iPhone, ISA and SSL certs...

2009-08-21 Thread Ken Schaefer
Huh? PKI is relatively simple technology. Usually both parties need to trust a 
mutual third party (a CA). A similar concept to Kerberos or even AD in general 
(both clients and servers trust DCs)

The tricky part about PKI is all the processes you have around managing your 
CA, key escrow etc. What is the actual issue you are facing?

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the
hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products
to work through our ISA, we referred back to the ISA
2006 Migration Guide by Syngress.  The SA came in the morning and showed me the
following section in the book:
 
The topic of Certificate Authorities (CAs) and PKI (Public Key
Infrastructure) is usually enough to drive many administrators away from even
considering SSL.  There are a number of reasons for this:
 - The available documentation on certificate authorities and PKI, in general, 
is difficult to understand.
 - The subject has the potential to be extremely complex.
 - You need to learn an entirely new vocabulary to understand the CAs and PKI.  
Often the documentation on these subjects doesn't define the new words, or they 
use equally arcane terms to define the arcane term for which you're trying to 
get the definition.
 - There doesn't seem to be any support for the network and firewall 
administrator who just wants to get a CA setup and running so that he can use 
certificates for SSL and L2TP/IPSec authentication and encryption.


Boy, that just seems to sew it up in a nutshell, doesn't it?  You'd think that 
if this opinion is as common as I believe it to be, somebody out there could 
simplify the process somewhat...

*thunk* *thunk* *thunk*  (head banging against desk...)
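
The trust relationship Ken describes (client and server both trusting a mutual CA), and the internal certificate mentioned elsewhere in the thread, can be checked from a shell with the openssl tool. This is an added example, not part of the original thread; the CA names, the host name mail.example.test and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. The CA names, host name and file names are constructed;
# nothing here comes from the thread's real environment.
# Requires the openssl command-line tool with its default openssl.cnf.

# make_ca DIR NAME CN: create a self-signed root CA (DIR/NAME.key, DIR/NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA_NAME HOST: create a key and CSR for HOST and have the
# named CA sign it, producing DIR/HOST.pem (what the server would present).
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$3.csr" -days 30 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# client_trusts ROOTS CERT: succeed only if CERT chains to a root in ROOTS,
# i.e. the client and the server share a trusted third party.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" internal "Example Internal CA" &&
    make_ca "$dir" other "Example Unrelated CA" &&
    issue_cert "$dir" internal mail.example.test || { rm -rf "$dir"; return 1; }

    # Device that had the internal root installed.
    if client_trusts "$dir/internal.pem" "$dir/mail.example.test.pem"; then
        echo "internal root installed: certificate trusted"
    fi
    # Device whose trust store holds only some other root.
    if ! client_trusts "$dir/other.pem" "$dir/mail.example.test.pem"; then
        echo "internal root missing:   certificate rejected"
    fi
    rm -rf "$dir"
}

demo
```

The same `openssl verify -CAfile` check works against a real exported root and server certificate when a device rejects an internally issued certificate.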

