07-23-2008 02:31 PM
I ask only because I have yet to see a clear guide, other than the one in the IVE, and it doesn't work with OWA.
I have performed the instructions at the bottom of this post, which are the ones right from the SSL Help menu. Now, this works for a basic hyperlink, but not OWA. When you request OWA, it redirects you to the internal FQDN of the host in question.
For instance: I go to owa.company.com/exchange, and my requests end up exchange.company.local/exchange, which obviously doesn't work. In looking at the session, the request from OWA passes a "base" tag that is the internal fqdn of the server. I'm assuming this needs to get rewritten somehow in the IVE, but dont know what to do for that to happen.
Instructions from IVE:
Using Activesync, you can synchronize data between a Windows-based desktop computer and handheld devices. The IVE can be used as a reverse proxy to allow users to synchronize their data without installing an additional client application, such as WSAM, on their handheld devices. For more information on using the IVE as a reverse proxy, see Defining authorization-only access policies.
Please note the following:
* Supports Windows Mobile 5.0 and 6.0 only
* Supports Exchange Server 2003 and 2007
* Both NTLM & Basic Auth on the Exchange server are supported
* Both HTTP and HTTPS between IVE and Exchange server are supported
* If the IVE is used for OWA & Activesync, the hostnames for OWA access and Activesync must be different
* No endpoint checking is supported.
To configure the IVE as a reverse proxy for use with Activesync:
1. In the admin console, choose Authentication > Signing In > Sign-in Policies.
2. To create a new authorization only access policy, click New URL and select authorization only access. Or, to edit an existing policy, click a URL in the Virtual Hostname column.
3. In the Virtual Hostname field, enter the name that maps to the IVE’s IP address. The name must be unique among all virtual host names used in pass-through proxy’s hostname mode. The hostname is used to access the Exchange server entered in the Backend URL field. Do not include the protocol (for example, http in this field.
For example, if the virtual hostname is myapp.ivehostname.com, and the backend URL is http://www.xyz.com:8080/, a request to https://myapp.ivehostname.com/test1 via the IVE is converted to a request to http://www.xyz.com:8080/test1. The response of the converted request is sent to the original requesting web browser.
4. In the Backend URL field, enter the URL for the Exchange server. You must specify the protocol, hostname and port of the server. For example, http://www.mydomain.com:8080/*.
When requests match the hostname in the Virtual Hostname field, the request is transformed to the URL specified in the Backend URL field. The client is directed to the backend URL unaware of the redirect.
5. Enter a Description for this policy (optional).
6. Select No Authorization from the Authorization Server drop down menu.
7. Select a user role from the Role Option drop down menu.
Only the following user role options are applicable for Autosync.
* HTTP Connection Timeout (Users > User Roles > RoleName > Web > Options > View advanced options)
* Allow browsing un-trusted SSL websites (Users > User Roles > RoleName > Web > Options > View advanced options)
* Source IP restrictions (Users > User Roles > RoleName > General > Restrictions)
* Browser restrictions (Users > User Roles > RoleName > General > Restrictions)
For more information on these role options, see Configuring Advanced Web Browsing Options, Specifying Source IP Access Restrictions and Specifying Browser Access Restrictions.
8. Click Save Changes.
Solved! Go to Solution.
07-28-2008 04:05 PM
07-30-2008 04:38 AM
I wonder if you can answer a question for me on this, a customer is asking me about this but has a large number of phones; does each active phone use a concurrent license?
Sorry for being cheeky!
07-30-2008 09:19 AM
I only have one user right now; I just looked and my logged on users are "0."
Perhaps it increments when an actual sync is happening, but I see no licenses in use at the moment.
07-30-2008 01:10 PM
Hi, That is good news, given that the IVE is just "passing through" and not doing any active intermediation, Juniper may have been nice and not added it to the concurrent user license count; however, we may have just highlighted a previously unknown "feature" which will be "corrected" in the next version; I'd better raise a TAC case and find out what the official answer is then..
Thanks for your assistance..
08-04-2008 09:07 AM
I followed the same instructions and point it to our OWA servers (using https and 443), but I get certificate errors on the remote devices. Which cert is an issue?
I currently have an external Verisign cert for the external IVE interface, and internal assigned cert for the internal interface, and our OWA servers have a Verisign cert. All certs seem to be good.
08-04-2008 10:45 AM
I suspect the SSL cert on your server is causing the problem, as you are probably using the internal fqdn on the SA config to communicate with the server. I would simply use standard http if possible between the SA and your server, and that should clear it up.
08-05-2008 07:59 AM
I've made the change to point to http and port 80, but now I get server not found.. looking at the user logs, it appears that it sends data? Any ideas? (I'm now testing by accessing the Virtual Hostname FQDN, using IE on an external laptop).
08-05-2008 08:06 AM
Do the OWA frames show up? Does the virtual directory require SSL?
When I tested with a desktop (server/exchange), OWA frames would show up, but the content would not. I assumed it wasn't working for the longest time but then tested Activesync with an iPhone and it worked.
08-05-2008 10:05 AM - edited 08-05-2008 10:16 AM
When I test with a desktop, I get the login page, then I sign in, and get the frame, but page not found. I'm using a Verisgn TRIAL cert to the FQDN of the Virtual Port/Host of the IVE.
When I try with the ActiveSync phone, I get certificate errors: Support code: 0x80072F0D on the Motorola Q.
Thanks for you help.
08-05-2008 11:47 AM
So you have two certs for the SA, correct? One for normal access, ie. secure.domain.com, and another for activesync, activesync.domain.com? Is this a wildcard cert? What version of Windows Mobile are you running? Windows Mobile 5 and below don't support wildcard certs.
Also, I wonder if the Verisign Trial certs use a different root CA that might not be trusted on your phone. Just a guess.
08-05-2008 03:30 PM
It's single certs for normal, and for activesynce (like your example: One for normal access, ie. secure.domain.com, and another for activesync, activesync.domain.com). No wildcard certs. We're running WM 5/6 (multiple phones), and iPhones (the main driving force behind this implementation). We're using the Verisign Trial Cert, which requires a Verisign Trial CA to be added (which the phones don't seem to like).
I did, however, try the trick of unchecking SSL required and once I did that, the cert issue cleared up (so now I'm not sure if I'm encrypted or not at that point, but thinking not), instead now I get server not found (Error code: 0x80072F78).
Again, I appreciate your help.
08-05-2008 11:33 PM
08-06-2008 11:59 AM
I spoke with JTAC, and the only way to do the self signed cert is by resetting the configs (which I did), and used the self signed cert. I then imported the system/user configs minus the certs, and then manually installed the certs again (from configs), so it wouldnt' overwrite the new self signed cert. Once I did that, I was able to download the self signed cert, and the phones now work, and the iPhone sends a warning, which you choose to accept the cert, then lets ActiveSync work..
Thanks again for your help privatepile.
09-02-2009 10:38 AM
It works but I have a problem understanding the security implications.
The instructions say "No Authorization" for the reverse proxy.
In my understanding that basically means that your whole internal IIS Default Web site is now exposed to the Internet.
You basically send all requests directed at the reverse proxy name unfiltered/unauthenticated to the backend server.
I would prefer e.g. a certificate authentication at the IVE as a first line of defense. Is that possible? Getting a certificate onto the iPhone doesn't seem to be too hard.
09-03-2009 01:51 PM
1. Create a new role ("iphone")
a. Check Web / Options
allow untrusted ssl websites
set http timeout - mine is 240.
2. Create a new resource policy
a. Add new Web policy of type Custom
1. Add Base url to exchange activesync http://hostname.domain.com (or https)
2. Check that Web ACL AutoPolicy is created.
b. Hit roles tab and add "iphone" role created in step 1.
3. Create a new sign-in policy
a. Add new URL to the external Activesync URL
b. Click Authorization Only Access button
1. Virtual hostname is the outside hostname
2. Backend url to exchange activesync http://hostname.domain.com:80/ (or https/443)
3. Auth Server is "No Authorization"
4. Role --> role from step 1
5. Check Allow ActiveSync Traffic Only
4. Optional - Create a new virtual host ip for activesync
This allows you to add a proper certificate for the domain name that activesync will be using.
a. Add new external virtual host under networks.
b. Create in install new device cert
1. Click the name of the new cert to assign to the virtual host.
09-03-2009 01:52 PM
Go to Settings/Mail,Contacts,Calendars
Accouts--> Add Account
external hostname of activesync virtual port (async.company.com)