Hi,
This has probably been asked before, but I was just wondering if there is an idiot's idiot's guide to setting up ActiveSync access on the iPhone? I have read the documentation and followed the steps but things do not seem to be working. Having read a few things on here and other forums, I am thinking the documentation may be missing things, such as do I need to use another public IP address, do I need another certificate, do I need to create resource profiles/policies? I have even read that I need to set up virtual ports under the network settings?
Maybe there is a step by step doc somewhere?
Thanks,
D
First of all, Apple managed to break ActiveSync in iOS4 so you may find some things don't work (we find we can receive mail but not send it). Last time I saw, Microsoft said it was a known bug and they were working with Apple, but Apple weren't saying anything.
You will need a public DNS with associated certificate. On our test lab I've got it working with a generic certificate from our internal CA, but when we go live we'll probably go with a virtual port with its own IP and certificate.
Our set up (which we are testing) is as follows:
Sign In Policy
User type: | Authorization Only Access |
Virtual Hostname: | as.xxx.com |
Backend URL: | |
Description | Active Sync Policy |
Authorization Server | [No Authorization] |
Role Option: | ActiveSync |
Protocol Option | Allow ActiveSync Traffic Only: Yes |
Role
Name: | ActiveSync |
Description | Enables mobile device to synchronize using ActiveSync |
Options: | |
VLAN/Source IP | No |
Session Options | No |
UI Options | No |
Access features | |
Web | Yes |
Resource Policy
Type | Web Access Policy |
Name: | ActiveSync |
Description | Enables mobile device to synchronize using ActiveSync |
Resources | |
Roles | |
Policy applies to SELECTED roles | Yes |
Selected roles | ActiveSync |
Action | Allow access |
As I said, this basically works except for sending mail. It works perfectly for a Windows Mobile 6.1.
Hi,
Many thanks for the reply. I tried the settings that you are using but didn't seem to have much success. It seemed to be the backend resources that were causing the problems. I had a tinker about and ended up with the following settings:
Sign In Policy
User Type: Authorization Only
Virtual Hostname: host.domain.co.uk
Backend URL: http://exchangehostname.domain.co.uk:80/*
Authorization Server: No Authorization
Role Option: ActiveSync
Protocol Option: Allow ActiveSync Traffic Only: Yes
Role
Name: ActiveSync
Web: Yes
Resource Profile
Type: Custom
Name: ActiveSync
Base URL: http://exchangehostname.domain.co.uk
Autopolicy Web Access Control: Yes
Roles: Selected Roles: ActiveSync
This auto created a Web ACL policy.
Now, from the phone I put in:
Server: host.domain.co.uk
Domain: domain.co.uk
Username: username
Password: domain password
I also created a generic certificate.
This all seems to be working, but the only problem I am having is that when I first connect to the mailbox on the phone I get the following message:
Cannot verify server identity. Exchange cannot verify the identity of "host.domain.co.uk". Would you like to continue anyway.
If I click on details it shows that it is trying to accept the certificate that is being used for general access to the SA 2000, not the new one I created for ActiveSync access. Is this OK, or do I need to do something else to get the phone to use the newly generated generic certificate that was created?
Thanks,
D
As it is a test box, I had applied the generic certificate to the external interface. If you want to keep the existing certificate you will need to create a virtual port on the external interface and apply the new certificate to the virtual port. Your external DNS will then need to resolve to the address of the virtual port.
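
As an added example (not part of the original thread, and not Juniper tooling): a Python check that separates the two causes of the "Cannot verify server identity" prompt discussed above, the gateway serving a different port's certificate versus a certificate from an issuer the client does not trust. The name `sa.domain.co.uk` for the device's existing certificate is a constructed placeholder; `host.domain.co.uk` is the virtual hostname from the thread.

```python
import socket
import ssl

# OpenSSL verify codes exposed as ssl.SSLCertVerificationError.verify_code
UNTRUSTED = {18, 19, 20, 21}   # self-signed, or issuer not in the trust store
HOSTNAME_MISMATCH = 62

# Constructed sample data: names on the two certificates in the thread.
DEVICE_CERT = ["sa.domain.co.uk"]        # placeholder for the existing SA cert
ACTIVESYNC_CERT = ["host.domain.co.uk"]  # virtual hostname used on the phone

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def explain(host, cert_names=None, verify_code=None):
    """Map a verification outcome to the likely cause on the gateway side."""
    if verify_code == HOSTNAME_MISMATCH:
        return "wrong-certificate"
    if cert_names is not None and not any(name_matches(n, host) for n in cert_names):
        return "wrong-certificate"   # a different port's certificate is served
    if verify_code in UNTRUSTED:
        return "untrusted-issuer"    # name may be right; client lacks the CA
    return "ok"

def probe(host, port=443, cafile=None, timeout=5):
    """Live handshake with full verification. Pass the internal CA as cafile
    so that an untrusted issuer does not hide the hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as err:
        return explain(host, verify_code=err.verify_code)

if __name__ == "__main__":
    for label, names in (("device", DEVICE_CERT), ("activesync", ACTIVESYNC_CERT)):
        print(label, explain("host.domain.co.uk", cert_names=names))
```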