I ask only because I have yet to see a clear guide, other than the one in the IVE, and it doesn't work with OWA.
I have performed the instructions at the bottom of this post, which are the ones right from the SSL Help menu. Now, this works for a basic hyperlink, but not OWA. When you request OWA, it redirects you to the internal FQDN of the host in question.
For instance: I go to owa.company.com/exchange, and my requests end up exchange.company.local/exchange, which obviously doesn't work. In looking at the session, the request from OWA passes a "base" tag that is the internal fqdn of the server. I'm assuming this needs to get rewritten somehow in the IVE, but dont know what to do for that to happen.
Instructions from IVE:
Using Activesync, you can synchronize data between a Windows-based desktop computer and handheld devices. The IVE can be used as a reverse proxy to allow users to synchronize their data without installing an additional client application, such as WSAM, on their handheld devices. For more information on using the IVE as a reverse proxy, see Defining authorization-only access policies.
Please note the following:
* Supports Windows Mobile 5.0 and 6.0 only
* Supports Exchange Server 2003 and 2007
* Both NTLM & Basic Auth on the Exchange server are supported
* Both HTTP and HTTPS between IVE and Exchange server are supported
* If the IVE is used for OWA & Activesync, the hostnames for OWA access and Activesync must be different
* No endpoint checking is supported.
To configure the IVE as a reverse proxy for use with Activesync:
1. In the admin console, choose Authentication > Signing In > Sign-in Policies.
2. To create a new authorization only access policy, click New URL and select authorization only access. Or, to edit an existing policy, click a URL in the Virtual Hostname column.
3. In the Virtual Hostname field, enter the name that maps to the IVEÕs IP address. The name must be unique among all virtual host names used in pass-through proxyÕs hostname mode. The hostname is used to access the Exchange server entered in the Backend URL field. Do not include the protocol (for example, http in this field.
For example, if the virtual hostname is myapp.ivehostname.com, and the backend URL is http://www.xyz.com:8080/, a request to https://myapp.ivehostname.com/test1 via the IVE is converted to a request to http://www.xyz.com:8080/test1. The response of the converted request is sent to the original requesting web browser.
4. In the Backend URL field, enter the URL for the Exchange server. You must specify the protocol, hostname and port of the server. For example, http://www.mydomain.com:8080/*.
When requests match the hostname in the Virtual Hostname field, the request is transformed to the URL specified in the Backend URL field. The client is directed to the backend URL unaware of the redirect.
5. Enter a Description for this policy (optional).
6. Select No Authorization from the Authorization Server drop down menu.
7. Select a user role from the Role Option drop down menu.
Only the following user role options are applicable for Autosync.
* HTTP Connection Timeout (Users > User Roles > RoleName > Web > Options > View advanced options)
* Allow browsing un-trusted SSL websites (Users > User Roles > RoleName > Web > Options > View advanced options)
* Source IP restrictions (Users > User Roles > RoleName > General > Restrictions)
* Browser restrictions (Users > User Roles > RoleName > General > Restrictions)
For more information on these role options, see Configuring Advanced Web Browsing Options, Specifying Source IP Access Restrictions and Specifying Browser Access Restrictions.
8. Click Save Changes.
Solved! Go to Solution.
I wonder if you can answer a question for me on this, a customer is asking me about this but has a large number of phones; does each active phone use a concurrent license?
Sorry for being cheeky!
I only have one user right now; I just looked and my logged on users are "0."
Perhaps it increments when an actual sync is happening, but I see no licenses in use at the moment.
Hi, That is good news, given that the IVE is just "passing through" and not doing any active intermediation, Juniper may have been nice and not added it to the concurrent user license count; however, we may have just highlighted a previously unknown "feature" which will be "corrected" in the next version; I'd better raise a TAC case and find out what the official answer is then..
Thanks for your assistance..
I followed the same instructions and point it to our OWA servers (using https and 443), but I get certificate errors on the remote devices. Which cert is an issue?
I currently have an external Verisign cert for the external IVE interface, and internal assigned cert for the internal interface, and our OWA servers have a Verisign cert. All certs seem to be good.
I suspect the SSL cert on your server is causing the problem, as you are probably using the internal fqdn on the SA config to communicate with the server. I would simply use standard http if possible between the SA and your server, and that should clear it up.
I've made the change to point to http and port 80, but now I get server not found.. looking at the user logs, it appears that it sends data? Any ideas? (I'm now testing by accessing the Virtual Hostname FQDN, using IE on an external laptop).
Do the OWA frames show up? Does the virtual directory require SSL?
When I tested with a desktop (server/exchange), OWA frames would show up, but the content would not. I assumed it wasn't working for the longest time but then tested Activesync with an iPhone and it worked.
When I test with a desktop, I get the login page, then I sign in, and get the frame, but page not found. I'm using a Verisgn TRIAL cert to the FQDN of the Virtual Port/Host of the IVE.
When I try with the ActiveSync phone, I get certificate errors: Support code: 0x80072F0D on the Motorola Q.
Thanks for you help.