It's single certs for normal, and for activesynce (like your example: One for normal access, ie. secure.domain.com, and another for activesync, activesync.domain.com). No wildcard certs. We're running WM 5/6 (multiple phones), and iPhones (the main driving force behind this implementation). We're using the Verisign Trial Cert, which requires a Verisign Trial CA to be added (which the phones don't seem to like).

I did, however, try the trick of unchecking SSL required and once I did that, the cert issue cleared up (so now I'm not sure if I'm encrypted or not at that point, but thinking not), instead now I get server not found (Error code: 0x80072F78).

Again, I appreciate your help.

I have a self signed cert associated with the activesync.domain.com url, and the iPhone doesn't seem to mind after initial setup. Do you get the same message with the iPhone?

I spoke with JTAC, and the only way to do the self signed cert is by resetting the configs (which I did), and used the self signed cert. I then imported the system/user configs minus the certs, and then manually installed the certs again (from configs), so it wouldnt' overwrite the new self signed cert. Once I did that, I was able to download the self signed cert, and the phones now work, and the iPhone sends a warning, which you choose to accept the cert, then lets ActiveSync work..

Thanks again for your help privatepile.

i had the same problem today with not being able to see the content. Any fix for this at all ?

Can you elaborate? Are you trying to browse the virtual hostname from your PC and are not seeing content?

If you're not able to see content, that's by design.

It works but I have a problem understanding the security implications.

The instructions say "No Authorization" for the reverse proxy.

In my understanding that basically means that your whole internal IIS Default Web site is now exposed to the Internet.

You basically send all requests directed at the reverse proxy name unfiltered/unauthenticated to the backend server.

I would prefer e.g. a certificate authentication at the IVE as a first line of defense. Is that possible? Getting a certificate onto the iPhone doesn't seem to be too hard.

On IVE 6.5R1
1. Create a new role ("iphone")
a. Check Web / Options
Under advanced:
allow untrusted ssl websites
set http timeout - mine is 240.
2. Create a new resource policy
a. Add new Web policy of type Custom
1. Add Base url to exchange activesync http://hostname.domain.com (or https)
2. Check that Web ACL AutoPolicy is created.
b. Hit roles tab and add "iphone" role created in step 1.
3. Create a new sign-in policy
a. Add new URL to the external Activesync URL
b. Click Authorization Only Access button
1. Virtual hostname is the outside hostname
2. Backend url to exchange activesync http://hostname.domain.com:80/ (or https/443)
3. Auth Server is "No Authorization"
4. Role --> role from step 1
5. Check Allow ActiveSync Traffic Only
4. Optional - Create a new virtual host ip for activesync
This allows you to add a proper certificate for the domain name that activesync will be using.
a. Add new external virtual host under networks.
b. Create in install new device cert
1. Click the name of the new cert to assign to the virtual host.

On iPhone

Go to Settings/Mail,Contacts,Calendars

Accouts--> Add Account
Exchange Activesync
external hostname of activesync virtual port (async.company.com)
[email protected]
ADdomain\username
ADpassword