RE: Still struggling with iPhone, ISA and SSL certs...
Haven't tried that format yet, and doubt I ever will. As soon as we got it working they ran off with our test device and are somewhere gleefully rubbing their fingers across its glossy surface. *sigh*

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, September 01, 2009 9:00 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Did you try Domain\Username? If you are using NTLM authentication, then ISA or IIS cannot insert the domain into the user property.

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Wednesday, 2 September 2009 1:29 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Okay, we finally got the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA. We brought in a hired gun, ended up making a few changes on the ISA server for the Listener. But probably the biggest thing, which came as a flash of insight to our security admin, was to try logging in from the iPhone as usern...@domain.com instead of just username. In all the masses of documents we've downloaded and perused, I don't think we found anything that said to do that. Maybe we should have assumed that from the beginning? I don't know. It's working now and I'm done with it. I'm going to go back and bang my head against the wall for a few more minutes before getting on my next project.

Paul

-Original Message-
From: Art DeKneef [mailto:art.dekn...@cox.net]
Sent: Monday, August 24, 2009 2:36 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

I had a similar issue last week. This was with a SBS 2003 server with Exchange Server 2003 SP2. OWA was working fine from outside. Tried to set up an iPhone and I think received the same error message. I checked everything I found on the web and all the settings were correct. It just wouldn't connect.

Tried my Windows Mobile phone and it wouldn't connect either. Its error message stated it was permissions also. Double, triple-checked and everything was enabled and set correctly.

Got so frustrated decided to start from the beginning. Re-ran the Connect to Internet Wizard, verified the SSL cert, checked in Exchange Server Manager for the Mobile Access and made sure the settings were enabled there, checked the user's account and verified the mobile settings were enabled, checked the SBS firewall. Everything looked correct and as it was before.

Went to my mobile phone. Deleted the server from ActiveSync. Configured the Server Source again from scratch. Ran a sync and it connected and started downloading email. Went to the iPhone and deleted the Exchange Server settings. Configured the Exchange settings from scratch and it connected to the server and downloaded the email, contacts and calendar. Success at last.

I don't know what was causing the problem but whatever it was it seemed to have been fixed by starting from the beginning again. Though they are not using ISA Server, SBS is set up with two NICs and is using the internal firewall settings. They have a hardware firewall which I never changed or touched during this exercise.

Maybe this will spark an idea or thought that will help.

Art

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting

Your account in Microsoft Exchange Server does not have permission to sync with your current settings.

We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working. For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs). The tricky part about PKI is all the processes you have around managing your CA, key escrow etc.

What is the actual issue you are facing?

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, 21 August 2009 10:12 PM
To: NT
RE: Still struggling with iPhone, ISA and SSL certs...
This is not iPhone specific. If you are using Basic AuthN, then everything is cleartext, so ISA server (or IIS or whatever) can alter the supplied username to prepend a domain name. If you are using NTLM, then username (including the domain name) is used in part of the authentication hash, and IIS (or ISA) cannot alter the username because that would change the authentication hash, and ISA or IIS cannot do that because the hash is also based on the user's password.

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Thursday, 3 September 2009 2:05 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Haven't tried that format yet, and doubt I ever will. As soon as we got it working they ran off with our test device and are somewhere gleefully rubbing their fingers across its glossy surface. *sigh*

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, September 01, 2009 9:00 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Did you try Domain\Username? If you are using NTLM authentication, then ISA or IIS cannot insert the domain into the user property.

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Wednesday, 2 September 2009 1:29 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Okay, we finally got the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA. We brought in a hired gun, ended up making a few changes on the ISA server for the Listener. But probably the biggest thing, which came as a flash of insight to our security admin, was to try logging in from the iPhone as usern...@domain.com instead of just username. In all the masses of documents we've downloaded and perused, I don't think we found anything that said to do that. Maybe we should have assumed that from the beginning? I don't know. It's working now and I'm done with it. I'm going to go back and bang my head against the wall for a few more minutes before getting on my next project.

Paul

-Original Message-
From: Art DeKneef [mailto:art.dekn...@cox.net]
Sent: Monday, August 24, 2009 2:36 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

I had a similar issue last week. This was with a SBS 2003 server with Exchange Server 2003 SP2. OWA was working fine from outside. Tried to set up an iPhone and I think received the same error message. I checked everything I found on the web and all the settings were correct. It just wouldn't connect.

Tried my Windows Mobile phone and it wouldn't connect either. Its error message stated it was permissions also. Double, triple-checked and everything was enabled and set correctly.

Got so frustrated decided to start from the beginning. Re-ran the Connect to Internet Wizard, verified the SSL cert, checked in Exchange Server Manager for the Mobile Access and made sure the settings were enabled there, checked the user's account and verified the mobile settings were enabled, checked the SBS firewall. Everything looked correct and as it was before.

Went to my mobile phone. Deleted the server from ActiveSync. Configured the Server Source again from scratch. Ran a sync and it connected and started downloading email. Went to the iPhone and deleted the Exchange Server settings. Configured the Exchange settings from scratch and it connected to the server and downloaded the email, contacts and calendar. Success at last.

I don't know what was causing the problem but whatever it was it seemed to have been fixed by starting from the beginning again. Though they are not using ISA Server, SBS is set up with two NICs and is using the internal firewall settings. They have a hardware firewall which I never changed or touched during this exercise.

Maybe this will spark an idea or thought that will help.

Art

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting

Your account in Microsoft Exchange Server does not have permission to sync with your current settings.

We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working. For those who just tuned in, we eventually want to get this working running an iPhone
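
Added example, not part of the original thread or any poster's code: a Python sketch of the Basic-versus-NTLM point Ken makes at the top of this message. It assumes the NTLMv2 response calculation from MS-NLMP (the thread only says "NTLM"); the account jdoe, domain EXAMPLE, challenge and client blob are constructed values, and the verifier is simplified to recompute the proof from the fields exactly as received.

```python
import base64
import hmac
import struct

# Pure-Python MD4 (RFC 1320); hashlib often lacks it on current OpenSSL builds.
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

def md4(msg: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:
                f, k, idx, s = (b & c) | (~b & d), 0, i, (3, 7, 11, 19)[i % 4]
            elif i < 32:
                f, k = (b & c) | (b & d) | (c & d), 0x5A827999
                idx, s = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:
                f, k, idx, s = b ^ c ^ d, 0x6ED9EBA1, _R3[i - 32], (3, 9, 11, 15)[i % 4]
            t = (a + f + k + x[idx]) & 0xFFFFFFFF
            a, b, c, d = d, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF, b, c
        state = [(v + w) & 0xFFFFFFFF for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def ntowfv2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def nt_proof(key: bytes, challenge: bytes, blob: bytes) -> bytes:
    """Proof the client sends: HMAC-MD5(key, server challenge + client blob)."""
    return hmac.new(key, challenge + blob, "md5").digest()

def proxy_rewrite_basic(header_value: str, default_domain: str) -> str:
    """What a reverse proxy can do with Basic: decode, prepend a domain, re-encode."""
    scheme, b64 = header_value.split(" ", 1)
    user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")
    if "\\" not in user and "@" not in user:
        user = f"{default_domain}\\{user}"
    return scheme + " " + base64.b64encode(f"{user}:{password}".encode()).decode()

def verify_ntlmv2(msg: dict, stored_password: str, challenge: bytes) -> bool:
    """Simplified verifier: recompute the proof from the fields as received."""
    key = ntowfv2(stored_password, msg["user"], msg["domain"])
    return hmac.compare_digest(nt_proof(key, challenge, msg["blob"]), msg["proof"])

def demo() -> dict:
    # All values below are constructed for illustration.
    user, password, domain = "jdoe", "Password", "EXAMPLE"
    challenge = bytes.fromhex("0123456789abcdef")
    blob = b"\x01\x01" + bytes(26)  # placeholder for the real client blob

    # Basic: credentials are only base64-encoded, so the proxy can edit them.
    basic = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    rewritten = proxy_rewrite_basic(basic, domain)
    basic_after = base64.b64decode(rewritten.split(" ", 1)[1]).decode()

    # NTLMv2: the user typed a bare username, so the domain field is empty.
    msg = {"user": user, "domain": "", "blob": blob,
           "proof": nt_proof(ntowfv2(password, user, ""), challenge, blob)}
    untouched_ok = verify_ntlmv2(msg, password, challenge)

    # A proxy that fills in the domain field cannot recompute the proof,
    # because the key depends on the password it never sees.
    tampered = dict(msg, domain=domain)
    rewritten_ok = verify_ntlmv2(tampered, password, challenge)

    return {"basic_after_proxy": basic_after,
            "ntlm_untouched_ok": untouched_ok,
            "ntlm_rewritten_ok": rewritten_ok}

if __name__ == "__main__":
    print(demo())
```
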
RE: Still struggling with iPhone, ISA and SSL certs...
Okay, we finally got the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA. We brought in a hired gun, ended up making a few changes on the ISA server for the Listener. But probably the biggest thing, which came as a flash of insight to our security admin, was to try logging in from the iPhone as usern...@domain.com instead of just username. In all the masses of documents we've downloaded and perused, I don't think we found anything that said to do that. Maybe we should have assumed that from the beginning? I don't know. It's working now and I'm done with it. I'm going to go back and bang my head against the wall for a few more minutes before getting on my next project.

Paul

-Original Message-
From: Art DeKneef [mailto:art.dekn...@cox.net]
Sent: Monday, August 24, 2009 2:36 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

I had a similar issue last week. This was with a SBS 2003 server with Exchange Server 2003 SP2. OWA was working fine from outside. Tried to set up an iPhone and I think received the same error message. I checked everything I found on the web and all the settings were correct. It just wouldn't connect.

Tried my Windows Mobile phone and it wouldn't connect either. Its error message stated it was permissions also. Double, triple-checked and everything was enabled and set correctly.

Got so frustrated decided to start from the beginning. Re-ran the Connect to Internet Wizard, verified the SSL cert, checked in Exchange Server Manager for the Mobile Access and made sure the settings were enabled there, checked the user's account and verified the mobile settings were enabled, checked the SBS firewall. Everything looked correct and as it was before.

Went to my mobile phone. Deleted the server from ActiveSync. Configured the Server Source again from scratch. Ran a sync and it connected and started downloading email. Went to the iPhone and deleted the Exchange Server settings. Configured the Exchange settings from scratch and it connected to the server and downloaded the email, contacts and calendar. Success at last.

I don't know what was causing the problem but whatever it was it seemed to have been fixed by starting from the beginning again. Though they are not using ISA Server, SBS is set up with two NICs and is using the internal firewall settings. They have a hardware firewall which I never changed or touched during this exercise.

Maybe this will spark an idea or thought that will help.

Art

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting

Your account in Microsoft Exchange Server does not have permission to sync with your current settings.

We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working. For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs). The tricky part about PKI is all the processes you have around managing your CA, key escrow etc.

What is the actual issue you are facing?

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration Guide by Syngress. The SA came in the morning and showed me the following section in the book:

The topic of Certificate Authorities (CAs) and PKI (Public Key Infrastructure) is usually enough to drive many administrators away from even considering SSL. There are a number of reasons for this:

- The available documentation on certificate authorities and PKI, in general, is difficult to understand.
- The subject has the potential to be extremely complex.
- You need to learn
RE: Still struggling with iPhone, ISA and SSL certs...
That'll do it. When I set up my iPhone, I used domain_name/username.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Tuesday, September 01, 2009 1:29 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Okay, we finally got the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA. We brought in a hired gun, ended up making a few changes on the ISA server for the Listener. But probably the biggest thing, which came as a flash of insight to our security admin, was to try logging in from the iPhone as usern...@domain.com instead of just username. In all the masses of documents we've downloaded and perused, I don't think we found anything that said to do that. Maybe we should have assumed that from the beginning? I don't know. It's working now and I'm done with it. I'm going to go back and bang my head against the wall for a few more minutes before getting on my next project.

Paul

-Original Message-
From: Art DeKneef [mailto:art.dekn...@cox.net]
Sent: Monday, August 24, 2009 2:36 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

I had a similar issue last week. This was with a SBS 2003 server with Exchange Server 2003 SP2. OWA was working fine from outside. Tried to set up an iPhone and I think received the same error message. I checked everything I found on the web and all the settings were correct. It just wouldn't connect.

Tried my Windows Mobile phone and it wouldn't connect either. Its error message stated it was permissions also. Double, triple-checked and everything was enabled and set correctly.

Got so frustrated decided to start from the beginning. Re-ran the Connect to Internet Wizard, verified the SSL cert, checked in Exchange Server Manager for the Mobile Access and made sure the settings were enabled there, checked the user's account and verified the mobile settings were enabled, checked the SBS firewall. Everything looked correct and as it was before.

Went to my mobile phone. Deleted the server from ActiveSync. Configured the Server Source again from scratch. Ran a sync and it connected and started downloading email. Went to the iPhone and deleted the Exchange Server settings. Configured the Exchange settings from scratch and it connected to the server and downloaded the email, contacts and calendar. Success at last.

I don't know what was causing the problem but whatever it was it seemed to have been fixed by starting from the beginning again. Though they are not using ISA Server, SBS is set up with two NICs and is using the internal firewall settings. They have a hardware firewall which I never changed or touched during this exercise.

Maybe this will spark an idea or thought that will help.

Art

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting

Your account in Microsoft Exchange Server does not have permission to sync with your current settings.

We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working. For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs). The tricky part about PKI is all the processes you have around managing your CA, key escrow etc.

What is the actual issue you are facing?

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration
RE: Still struggling with iPhone, ISA and SSL certs...
Did you try Domain\Username? If you are using NTLM authentication, then ISA or IIS cannot insert the domain into the user property.

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Wednesday, 2 September 2009 1:29 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Okay, we finally got the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA. We brought in a hired gun, ended up making a few changes on the ISA server for the Listener. But probably the biggest thing, which came as a flash of insight to our security admin, was to try logging in from the iPhone as usern...@domain.com instead of just username. In all the masses of documents we've downloaded and perused, I don't think we found anything that said to do that. Maybe we should have assumed that from the beginning? I don't know. It's working now and I'm done with it. I'm going to go back and bang my head against the wall for a few more minutes before getting on my next project.

Paul

-Original Message-
From: Art DeKneef [mailto:art.dekn...@cox.net]
Sent: Monday, August 24, 2009 2:36 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

I had a similar issue last week. This was with a SBS 2003 server with Exchange Server 2003 SP2. OWA was working fine from outside. Tried to set up an iPhone and I think received the same error message. I checked everything I found on the web and all the settings were correct. It just wouldn't connect.

Tried my Windows Mobile phone and it wouldn't connect either. Its error message stated it was permissions also. Double, triple-checked and everything was enabled and set correctly.

Got so frustrated decided to start from the beginning. Re-ran the Connect to Internet Wizard, verified the SSL cert, checked in Exchange Server Manager for the Mobile Access and made sure the settings were enabled there, checked the user's account and verified the mobile settings were enabled, checked the SBS firewall. Everything looked correct and as it was before.

Went to my mobile phone. Deleted the server from ActiveSync. Configured the Server Source again from scratch. Ran a sync and it connected and started downloading email. Went to the iPhone and deleted the Exchange Server settings. Configured the Exchange settings from scratch and it connected to the server and downloaded the email, contacts and calendar. Success at last.

I don't know what was causing the problem but whatever it was it seemed to have been fixed by starting from the beginning again. Though they are not using ISA Server, SBS is set up with two NICs and is using the internal firewall settings. They have a hardware firewall which I never changed or touched during this exercise.

Maybe this will spark an idea or thought that will help.

Art

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting

Your account in Microsoft Exchange Server does not have permission to sync with your current settings.

We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working. For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs). The tricky part about PKI is all the processes you have around managing your CA, key escrow etc.

What is the actual issue you are facing?

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration Guide by Syngress. The SA came in the morning and showed me the following section
Re: Still struggling with iPhone, ISA and SSL certs...
You usually can't add to the list of trusted CAs on a device like the iPhone. So I find the trick is to find out which SSL cert publishers it does trust and just stick with that.

If you could let us know the issue you are trying to solve then we can start to help you out.

-BenN

On Fri, Aug 21, 2009 at 7:12 AM, Maglinger, Paul pmaglin...@scvl.com wrote:

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration Guide by Syngress. The SA came in the morning and showed me the following section in the book:

The topic of Certificate Authorities (CAs) and PKI (Public Key Infrastructure) is usually enough to drive many administrators away from even considering SSL. There are a number of reasons for this:

- The available documentation on certificate authorities and PKI, in general, is difficult to understand.
- The subject has the potential to be extremely complex.
- You need to learn an entirely new vocabulary to understand the CAs and PKI. Often the documentation on these subjects doesn't define the new words, or they use equally arcane terms to define the arcane term for which you're trying to get the definition.
- There doesn't seem to be any support for the network and firewall administrator who just wants to get a CA setup and running so that he can use certificates for SSL and L2TP/IPSec authentication and encryption.

Boy, that just seems to sew it up in a nutshell, doesn't it? You'd think that if this opinion is as common as I believe it to be, somebody out there could simplify the process somewhat...

*thunk* *thunk* *thunk* (head banging against desk...)

Paul

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Still struggling with iPhone, ISA and SSL certs...
I should mention. We run ISA and have iPhone users that can connect with our Exchange 2007 SP1 server just fine with the iPhone ActiveSync client. So I might be able to help you out?

-Ben

On Mon, Aug 24, 2009 at 9:51 AM, Ben Nordlander bennordlan...@gmail.com wrote:

You usually can't add to the list of trusted CAs on a device like the iPhone. So I find the trick is to find out which SSL cert publishers it does trust and just stick with that.

If you could let us know the issue you are trying to solve then we can start to help you out.

-BenN

On Fri, Aug 21, 2009 at 7:12 AM, Maglinger, Paul pmaglin...@scvl.com wrote:

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration Guide by Syngress. The SA came in the morning and showed me the following section in the book:

The topic of Certificate Authorities (CAs) and PKI (Public Key Infrastructure) is usually enough to drive many administrators away from even considering SSL. There are a number of reasons for this:

- The available documentation on certificate authorities and PKI, in general, is difficult to understand.
- The subject has the potential to be extremely complex.
- You need to learn an entirely new vocabulary to understand the CAs and PKI. Often the documentation on these subjects doesn't define the new words, or they use equally arcane terms to define the arcane term for which you're trying to get the definition.
- There doesn't seem to be any support for the network and firewall administrator who just wants to get a CA setup and running so that he can use certificates for SSL and L2TP/IPSec authentication and encryption.

Boy, that just seems to sew it up in a nutshell, doesn't it? You'd think that if this opinion is as common as I believe it to be, somebody out there could simplify the process somewhat...

*thunk* *thunk* *thunk* (head banging against desk...)

Paul
RE: Still struggling with iPhone, ISA and SSL certs...
We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting

Your account in Microsoft Exchange Server does not have permission to sync with your current settings.

We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working. For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs). The tricky part about PKI is all the processes you have around managing your CA, key escrow etc.

What is the actual issue you are facing?

Cheers
Ken

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration Guide by Syngress. The SA came in the morning and showed me the following section in the book:

The topic of Certificate Authorities (CAs) and PKI (Public Key Infrastructure) is usually enough to drive many administrators away from even considering SSL. There are a number of reasons for this:

- The available documentation on certificate authorities and PKI, in general, is difficult to understand.
- The subject has the potential to be extremely complex.
- You need to learn an entirely new vocabulary to understand the CAs and PKI. Often the documentation on these subjects doesn't define the new words, or they use equally arcane terms to define the arcane term for which you're trying to get the definition.
- There doesn't seem to be any support for the network and firewall administrator who just wants to get a CA setup and running so that he can use certificates for SSL and L2TP/IPSec authentication and encryption.

Boy, that just seems to sew it up in a nutshell, doesn't it? You'd think that if this opinion is as common as I believe it to be, somebody out there could simplify the process somewhat...

*thunk* *thunk* *thunk* (head banging against desk...)
RE: Still struggling with iPhone, ISA and SSL certs...
One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

Do you have it working with any WM devices? ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync. In Exchange 2003, I think it was called Always Up to Date or Push or something like that.

Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.

...Tim

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting "Your account in Microsoft Exchange Server does not have permission to sync with your current settings." We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working.

For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul
RE: Still struggling with iPhone, ISA and SSL certs...
One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

That's right... just twist the knife... :-)

Do you have it working with any WM devices?

Just with OWA now. And as I said, just internally between the WM device and the Exchange server. We want to get that done before we throw the ISA into the mix.

In the IIS Manager, there is a virtual directory called Microsoft-Server-ActiveSync. So doesn't that indicate that it's there?

Yep, running Exchange 2003 SP2.

-Original Message-
From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, August 24, 2009 1:19 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

Do you have it working with any WM devices? ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync. In Exchange 2003, I think it was called Always Up to Date or Push or something like that.

Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.

...Tim
RE: Still struggling with iPhone, ISA and SSL certs...
Thanks Sherry. We went to Petri's site per your recommendation last (you were at home and didn't have specific links there) and tried several. I know we hit the first link. I don't think we went to the other two, but the mention of 2 virtual directories rings a bell. I think we tried something like that. We'll dig back into it.

From: Sherry Abercrombie [mailto:saber...@gmail.com]
Sent: Monday, August 24, 2009 1:42 PM
To: NT System Admin Issues
Subject: Re: Still struggling with iPhone, ISA and SSL certs...

I highly recommend looking at these links:

http://www.petri.co.il/configure_isa_to_publish_owa.htm
http://www.petri.co.il/configure_oma.htm
http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

Basically what I had to do was in the last link listed, OWA and ActiveSync don't play nicely together with FBA in IIS, you create two virtual directories in IIS, one for OWA with FBA, one for ActiveSync/Mobile devices without it, reg hack involved, some other stuff. I was going through this kind of frustration about a year ago when we had to add access for mobile devices, had OWA working for a long time, but couldn't get anything working on ActiveSync until I did the 2 virtual directories.
RE: Still struggling with iPhone, ISA and SSL certs...
Yes, that would imply that ActiveSync is on the server. But you said that the error message said that the user's account was not enabled for activesync. You need to make sure that the account is enabled first.

...Tim

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 11:42 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

That's right... just twist the knife... :-)

Do you have it working with any WM devices?

Just with OWA now. And as I said, just internally between the WM device and the Exchange server. We want to get that done before we throw the ISA into the mix.

In the IIS Manager, there is a virtual directory called Microsoft-Server-ActiveSync. So doesn't that indicate that it's there?

Yep, running Exchange 2003 SP2.
RE: Still struggling with iPhone, ISA and SSL certs...
Would that show up as ActiveSync in ADUC, Exchange Features, or is it referred to as Outlook Mobile Access under Mobile Services?

-Original Message-
From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, August 24, 2009 1:49 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Yes, that would imply that ActiveSync is on the server. But you said that the error message said that the user's account was not enabled for activesync. You need to make sure that the account is enabled first.

...Tim
Re: Still struggling with iPhone, ISA and SSL certs...
I highly recommend looking at these links:

http://www.petri.co.il/configure_isa_to_publish_owa.htm
http://www.petri.co.il/configure_oma.htm
http://www.petri.co.il/problems_with_forms_based_authentication_and_ssl_in_activesync.htm

Basically what I had to do was in the last link listed, OWA and ActiveSync don't play nicely together with FBA in IIS, you create two virtual directories in IIS, one for OWA with FBA, one for ActiveSync/Mobile devices without it, reg hack involved, some other stuff. I was going through this kind of frustration about a year ago when we had to add access for mobile devices, had OWA working for a long time, but couldn't get anything working on ActiveSync until I did the 2 virtual directories.

On Mon, Aug 24, 2009 at 1:18 PM, Tim Evans tev...@sparling.com wrote:

One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

Do you have it working with any WM devices? ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync. In Exchange 2003, I think it was called Always Up to Date or Push or something like that.

Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.

...Tim

--
Sherry Abercrombie
Any sufficiently
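The cases the thread keeps circling (ActiveSync itself answering, a forms-based logon page answering in its place, an authentication challenge, a refusal) can be told apart from the raw HTTP response to a probe of the ActiveSync virtual directory. The following is an added example, not part of the thread: the sample responses and host name are constructed, and the verdict names and the `over_tls` flag are assumptions of this example.

```python
# Added example, not from the thread. All sample responses are constructed.
EAS_VDIR = "/Microsoft-Server-ActiveSync"  # virtual directory named in the thread
REDIRECTS = (301, 302, 303, 307)


def probe_request(host):
    """Text of an OPTIONS probe against the ActiveSync virtual directory."""
    return "OPTIONS %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (EAS_VDIR, host)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Names are case-insensitive and may repeat,
            # e.g. one WWW-Authenticate line per offered scheme.
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers, body


def triage(raw, over_tls):
    """Return (verdict, detail) for one response from the ActiveSync vdir."""
    status, headers, body = parse_response(raw)
    ctype = " ".join(headers.get("content-type", [])).lower()

    if status == 200 and "ms-asprotocolversions" in headers:
        return "eas-ok", "ActiveSync answered, versions " + headers["ms-asprotocolversions"][0]
    if status in REDIRECTS:
        # A sync client does not walk through a browser logon flow.
        return "redirected", "sent to " + " ".join(headers.get("location", ["(no Location)"]))
    if status == 200 and "text/html" in ctype and "<form" in body.lower():
        return "html-logon-form", "forms-based authentication answered instead of ActiveSync"
    if status == 401:
        offered = headers.get("www-authenticate", [])
        schemes = sorted({v.split(" ", 1)[0] for v in offered if v})
        detail = "offered schemes: " + (", ".join(schemes) or "none")
        if "Basic" in schemes and not over_tls:
            # Basic sends the password base64-encoded, readable on the wire without SSL.
            return "basic-over-cleartext", detail
        return "auth-challenge", detail
    if status == 403:
        return "forbidden", "request refused: check the per-user mobile setting and the vdir settings"
    return "unexpected", "HTTP %d" % status


def _resp(status_line, headers=(), body=""):
    return "\r\n".join((status_line,) + tuple(headers)) + "\r\n\r\n" + body


# Constructed responses, one per case; mail.example.com is a placeholder host.
SAMPLES = {
    "activesync": _resp("HTTP/1.1 200 OK",
                        ("MS-ASProtocolVersions: 1.0,2.0,2.1,2.5", "Content-Length: 0")),
    "logon_form": _resp("HTTP/1.1 200 OK", ("Content-Type: text/html",),
                        '<html><form method="POST" action="logon"></form></html>'),
    "logon_redirect": _resp("HTTP/1.1 302 Found",
                            ("Location: https://mail.example.com/logon",)),
    "challenge": _resp("HTTP/1.1 401 Unauthorized",
                       ("WWW-Authenticate: Negotiate", "WWW-Authenticate: NTLM",
                        'WWW-Authenticate: Basic realm="mail.example.com"')),
    "refused": _resp("HTTP/1.1 403 Forbidden"),
}

if __name__ == "__main__":
    print(probe_request("mail.example.com").splitlines()[0])
    for name, raw in SAMPLES.items():
        print(name, triage(raw, over_tls=False))
```

The `over_tls=False` case mirrors the internal test described in the thread, where the device connected without SSL.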
Re: Still struggling with iPhone, ISA and SSL certs...
Exchange features. We disable mobile owa for everyone and only enable it if it is approved by a manager for a user.

On Mon, Aug 24, 2009 at 1:56 PM, Maglinger, Paul pmaglin...@scvl.com wrote:

Would that show up as ActiveSync in ADUC, Exchange Features, or is it referred to as Outlook Mobile Access under Mobile Services?
RE: Still struggling with iPhone, ISA and SSL certs...
I believe it is under Mobile Services, but it is *NOT* Mobile Access. That is a different feature, essentially a real stripped down version of OWA.

...Tim

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 11:57 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Would that show up as ActiveSync in ADUC, Exchange Features, or is it referred to as Outlook Mobile Access under Mobile Services?

-----Original Message-----
From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, August 24, 2009 1:49 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Yes, that would imply that ActiveSync is on the server. But you said that the error message said that the user's account was not enabled for activesync. You need to make sure that the account is enabled first.

...Tim

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 11:42 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

> One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

That's right... just twist the knife... :-)

> Do you have it working with any WM devices?

Just with OWA now. And as I said, just internally between the WM device and the Exchange server. We want to get that done before we throw the ISA into the mix. In the IIS Manager, there is a virtual directory called Microsoft-Server-ActiveSync. So doesn't that indicate that it's there?

Yep, running Exchange 2003 SP2.

-----Original Message-----
From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, August 24, 2009 1:19 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

Do you have it working with any WM devices?

ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync. In Exchange 2003, I think it was called Always Up to Date or Push or something like that.

Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.

...Tim

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting "Your account in Microsoft Exchange Server does not have permission to sync with your current settings." We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working.

For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs).

The tricky part about PKI is all the processes you have around managing your CA, key escrow etc.

What is the actual issue you are facing?

Cheers
Ken

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration Guide by Syngress. The SA came in the morning and showed me the following section in the book:

The topic of Certificate Authorities (CAs) and PKI (Public Key Infrastructure) is usually enough to drive many administrators away from even considering SSL. There are a number of reasons for this:

- The available documentation on certificate authorities and PKI
RE: Still struggling with iPhone, ISA and SSL certs...
Ah... So if ActiveSync is not showing up under the Exchange Features tab in ADUC, then that's the problem... Okay, now to find out why it's not showing up.

From: Sherry Abercrombie [mailto:saber...@gmail.com]
Sent: Monday, August 24, 2009 2:08 PM
To: NT System Admin Issues
Subject: Re: Still struggling with iPhone, ISA and SSL certs...

Exchange features. We disable mobile owa for everyone and only enable it if it is approved by a manager for a user.

On Mon, Aug 24, 2009 at 1:56 PM, Maglinger, Paul pmaglin...@scvl.com wrote:

Would that show up as ActiveSync in ADUC, Exchange Features, or is it referred to as Outlook Mobile Access under Mobile Services?

-----Original Message-----
From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, August 24, 2009 1:49 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Yes, that would imply that ActiveSync is on the server. But you said that the error message said that the user's account was not enabled for activesync. You need to make sure that the account is enabled first.

...Tim

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 11:42 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

> One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

That's right... just twist the knife... :-)

> Do you have it working with any WM devices?

Just with OWA now. And as I said, just internally between the WM device and the Exchange server. We want to get that done before we throw the ISA into the mix. In the IIS Manager, there is a virtual directory called Microsoft-Server-ActiveSync. So doesn't that indicate that it's there?

Yep, running Exchange 2003 SP2.

-----Original Message-----
From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, August 24, 2009 1:19 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

Do you have it working with any WM devices?

ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync. In Exchange 2003, I think it was called Always Up to Date or Push or something like that.

Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.

...Tim

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting "Your account in Microsoft Exchange Server does not have permission to sync with your current settings." We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working.

For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs).

The tricky part about PKI is all the processes you have around
RE: Still struggling with iPhone, ISA and SSL certs...
Under Exchange Features, we have User Initiated Synchronization enabled, along with Outlook Mobile Access and Up to Date Notifications. We also have Outlook Web Access enabled for this user too.

From: Sherry Abercrombie [mailto:saber...@gmail.com]
Sent: Monday, August 24, 2009 2:08 PM
To: NT System Admin Issues
Subject: Re: Still struggling with iPhone, ISA and SSL certs...

Exchange features. We disable mobile owa for everyone and only enable it if it is approved by a manager for a user.

On Mon, Aug 24, 2009 at 1:56 PM, Maglinger, Paul pmaglin...@scvl.com wrote:

Would that show up as ActiveSync in ADUC, Exchange Features, or is it referred to as Outlook Mobile Access under Mobile Services?

-----Original Message-----
From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, August 24, 2009 1:49 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Yes, that would imply that ActiveSync is on the server. But you said that the error message said that the user's account was not enabled for activesync. You need to make sure that the account is enabled first.

...Tim

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 11:42 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

> One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

That's right... just twist the knife... :-)

> Do you have it working with any WM devices?

Just with OWA now. And as I said, just internally between the WM device and the Exchange server. We want to get that done before we throw the ISA into the mix. In the IIS Manager, there is a virtual directory called Microsoft-Server-ActiveSync. So doesn't that indicate that it's there?

Yep, running Exchange 2003 SP2.

-----Original Message-----
From: Tim Evans [mailto:tev...@sparling.com]
Sent: Monday, August 24, 2009 1:19 PM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

One of my users came in with an iPhone and it just worked with the standard configuration we had for all our WM devices. At the time, we were also using an internal certificate and it just worked.

Do you have it working with any WM devices?

ActiveSync is not OMA or OWA. In Exchange 2007, it is called ActiveSync. In Exchange 2003, I think it was called Always Up to Date or Push or something like that.

Just to confirm, you are on 2003 SP2? You do need SP to get ActiveSync.

...Tim

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting "Your account in Microsoft Exchange Server does not have permission to sync with your current settings." We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working.

For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs).

The tricky part about
RE: Still struggling with iPhone, ISA and SSL certs...
I had a similar issue last week. This was with a SBS 2003 server with Exchange Server 2003 SP2. OWA was working fine from outside. Tried to set up an iPhone and I think received the same error message. I checked everything I found on the web and all the settings were correct. It just wouldn't connect. Tried my Windows Mobile phone and it wouldn't connect either. Its error message stated it was permissions also. Double, triple-checked and everything was enabled and set correctly.

Got so frustrated decided to start from the beginning. Re-ran the Connect to Internet Wizard, verified the SSL cert, checked in Exchange Server Manager for the Mobile Access and made sure the settings were enabled there, checked the users account and verified the mobile settings were enabled, checked the SBS firewall. Everything looked correct and as it was before.

Went to my mobile phone. Deleted the server from ActiveSync. Configured the Server Source again from scratch. Ran a sync and it connected and started downloading email. Went to the iPhone and deleted the Exchange Server settings. Configured the Exchange settings from scratch and it connected to the server and downloaded the email, contacts and calendar. Success at last.

I don't know what was causing the problem but whatever it was it seemed to have been fixed by starting from the beginning again.

Though they are not using ISA Server, SBS is set up with two NICs and is using the internal firewall settings. They have a hardware firewall which I never changed or touched during this exercise.

Maybe this will spark an idea or thought that will help.

Art

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Monday, August 24, 2009 10:56 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

We've broken this down into several steps trying to get this to work. We backed away from using the iPhone and used a Windows Mobile device to connect to the Exchange server using our internal wireless network without SSL and were able to get that to work through OWA, but the ActiveSync is still not working. We're getting "Your account in Microsoft Exchange Server does not have permission to sync with your current settings." We've checked Outlook Mobile Access and Outlook Web Access settings and they're both enabled. We've Googled this and tried just about everything we've found and still not working.

For those who just tuned in, we eventually want to get this working running an iPhone through an ISA 2006 server to Exchange 2003.

-Paul

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Saturday, August 22, 2009 12:35 AM
To: NT System Admin Issues
Subject: RE: Still struggling with iPhone, ISA and SSL certs...

Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs).

The tricky part about PKI is all the processes you have around managing your CA, key escrow etc.

What is the actual issue you are facing?

Cheers
Ken

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration Guide by Syngress. The SA came in the morning and showed me the following section in the book:

The topic of Certificate Authorities (CAs) and PKI (Public Key Infrastructure) is usually enough to drive many administrators away from even considering SSL. There are a number of reasons for this:

- The available documentation on certificate authorities and PKI, in general, is difficult to understand.
- The subject has the potential to be extremely complex.
- You need to learn an entirely new vocabulary to understand the CAs and PKI. Often the documentation on these subjects doesn't define the new words, or they use equally arcane terms to define the arcane term for which you're trying to get the definition.
- There doesn't seem to be any support for the network and firewall administrator who just wants to get a CA setup and running so that he can use certificates for SSL and L2TP/IPSec authentication and encryption.

Boy, that just seems to sew it up in a nutshell, doesn't it? You'd think that if this opinion is as common as I believe it to be, somebody out there could simplify the process somewhat...

*thunk* *thunk* *thunk* (head banging against desk...)

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Still struggling with iPhone, ISA and SSL certs...
Huh? PKI is relatively simple technology. Usually both parties need to trust a mutual third party (a CA). A similar concept to Kerberos or even AD in general (both clients and servers trust DCs).

The tricky part about PKI is all the processes you have around managing your CA, key escrow etc.

What is the actual issue you are facing?

Cheers
Ken

-----Original Message-----
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Friday, 21 August 2009 10:12 PM
To: NT System Admin Issues
Subject: Still struggling with iPhone, ISA and SSL certs...

As the Security Admin and I are still trying to get the hell-spawned-demonic-iPhone-from-the-putrid-cesspool-of-caustic-industrial-waste-products to work through our ISA, we referred back to the ISA 2006 Migration Guide by Syngress. The SA came in the morning and showed me the following section in the book:

The topic of Certificate Authorities (CAs) and PKI (Public Key Infrastructure) is usually enough to drive many administrators away from even considering SSL. There are a number of reasons for this:

- The available documentation on certificate authorities and PKI, in general, is difficult to understand.
- The subject has the potential to be extremely complex.
- You need to learn an entirely new vocabulary to understand the CAs and PKI. Often the documentation on these subjects doesn't define the new words, or they use equally arcane terms to define the arcane term for which you're trying to get the definition.
- There doesn't seem to be any support for the network and firewall administrator who just wants to get a CA setup and running so that he can use certificates for SSL and L2TP/IPSec authentication and encryption.

Boy, that just seems to sew it up in a nutshell, doesn't it? You'd think that if this opinion is as common as I believe it to be, somebody out there could simplify the process somewhat...

*thunk* *thunk* *thunk* (head banging against desk...)