Exchange Activesync and OWA not working using Published Rules on ISA 2006
I have Exchange 2007 installed with all the roles on 1 Windows 2008 Standard server. I have created an Exchange web publishing rule on ISA 2006 (with SP1) for Exchange ActiveSync. I configured an iPhone to test if it was working and it worked briefly, but now it's not and I have made no changes. I also have a rule set up for OWA which was working too but now isn't.

I have run the Exchange Remote Connectivity Analyzer to test Exchange ActiveSync and it fails with the following:

    ExRCA is testing Exchange ActiveSync.
    The Exchange ActiveSync test failed.
    The host name resolved successfully.
    Testing TCP port 443 on host to ensure it's listening and open.
    The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
    Test Steps
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Validating certificate trust for Windows Mobile devices.
    Certificate trust validation failed.
    Tell me more about this issue and how to resolve it
    Additional Details
    The certificate chain didn't end in a trusted root. Root = CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

The certificate I use is a wildcard certificate and I ran the certificate test (http://www.digicert.com/help/), which completes successfully.

I have also run the Test Rule in the ISA console and it fails with the following (it did work before but then stopped working):

    Testing URL https://external.company.com:443/Microsoft-Server-ActiveSync/
    Category: Connectivity error
    Error details: 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
    Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

Please help as I am out of ideas!
February 8th, 2011 1:30am

Hi,

Can you validate that you have all the necessary certificates in place (root cert, intermediate certificate, etc.) on both your ISA server and Exchange? The iPhone isn't as sensitive to the certificates as a Windows Mobile device.

Download a Windows Mobile emulator and check: http://downloadsquad.switched.com/2008/03/02/microsoft-device-emulator-lets-you-run-windows-mobile-6-on-your/

Jonas Andersson
MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
February 8th, 2011 11:35am

The 10060 error commonly indicates that ISA can’t establish a TCP connection to the Exchange server.

Please disable the firewall and anti-virus software temporarily on the Exchange server for troubleshooting.

Please check the settings of the virtual directories on the Exchange server:
Default settings for Exchange-related virtual directories in Exchange Server 2007

Please confirm there’s no redirect setting on the /Microsoft-Server-Activesync virtual directory.

Please browse the /Microsoft-Server-Activesync virtual directory internally and externally, and see if you can get the expected error response “501/505” on the webpage.

Please also try the troubleshooting steps from Jonas.

Please reproduce the issue, and then check the application log and IIS log on the Exchange server.

James Luo
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 9th, 2011 12:32am

Last week I re-installed my wildcard certificate, including the intermediate and root certificates that I received from DigiCert. There were duplicate root certificates (same serial number but different names), so I deleted the old one and installed the new one. When I installed the root certificate on the ISA server I received the message:

    "You are about to install a certificate from a CA claiming to represent: Entrust.net Secure Server CA. Windows cannot verify that the certificate is actually from "Entrust.net Secure Server CA". You should confirm its origin by contacting "Entrust.net Secure Server CA". The following number will assist you in this process: Thumbprint: <thumbprint number>. Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click Yes you acknowledge this risk. Do you want to install this certificate?"

I selected Yes to the above. I didn't receive this message when I installed it on the Exchange server. The certificates look fine on both servers.

Yesterday I restarted the ISA services and ran the Test Rule for my ActiveSync Publishing Rule and it ran successfully. I then set up a new Exchange account on my iPhone and it worked (I could receive and send mail). OWA was working too. Now today both EA and OWA are not working again. Do you think there is a problem with any of the certificates?

I now receive the following when I run ExRCA:

    ExRCA is testing Exchange ActiveSync.
    The Exchange ActiveSync test failed.
    Test Steps
    Attempting to resolve the host name in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: x.x.x.x
    Testing TCP port 443 on host exchange.blah.org.au to ensure it's listening and open.
    The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Test Steps
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    The host name that was found, exchange.blah.org.au, is a wildcard certificate match for common name *.blah.org.au.
    Validating certificate trust for Windows Mobile devices.
    The certificate is trusted and all certificates are present in the chain.
    Additional Details
    The certificate is trusted for Windows Mobile 5.0 and later versions. Root = CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 1/24/2011 12:00:00 AM, NotAfter = 1/26/2014 11:59:59 PM
    Checking the IIS configuration for client certificate authentication.
    The test passed with some warnings encountered. Please expand the additional details.
    Additional Details
    Client certificate authentication couldn't be determined because an unexpected failure occurred. WinHttpSendRequest failed with error 12002.
    Testing HTTP Authentication Methods for URL https://exchange.blah.org.au/Microsoft-Server-Activesync/.
    The HTTP authentication test failed.
    Additional Details
    A Web exception occurred because an HTTP 408 - RequestTimeout response was received from ISA.

I can browse https://exchange.blah.org.au/Microsoft-Server-ActiveSync on the Exchange server and from a Windows 7 machine on the same network (and get the 501/505 error responses) as the Exchange server. When trying externally I get the error: "Error Code: 408. The operation timed out. The remote server did not respond within the set time allowed. The server might be unavailable at this time. Try again later or contact the server administrator. (12002)"

I installed the Windows Mobile emulator and Exchange ActiveSync fails with the error: "Your account in Microsoft Exchange Server does not have permission to synchronize with your current settings. Contact your Exchange Server administrator. Support code: 0x85010006".

Authentication is set to "Basic" for Exchange ActiveSync and "User forms-based authentication" for OWA. Do I have to install any certificates on the mobile device? Is there something else I am missing?
February 22nd, 2011 10:59pm

I have re-installed the root and intermediate certificates on both the ISA and Exchange servers and I still receive the same errors above when running the ExRCA.
February 24th, 2011 1:15am

I have rung our network provider to look at the traffic between the ISA server and the Exchange server, and it appears that the ISA server is using the incorrect network card to make an HTTPS connection to the Exchange server. On the ISA server I have 2 network cards and a listener created for each network card. I have separate rules set up (for OWA, EA and OA) for each listener. How do I force the rules to use the correct network card?
February 24th, 2011 11:56pm
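
A way to confirm from the ISA server itself which network card can reach the Exchange server, added here as an example and not part of any post in this thread: the script tries a TCP connection to port 443 from each local IPv4 address in turn. The target address 192.0.2.10 and the function name Test-TcpFromSource are placeholders.

```powershell
# Added example, not from the thread. Run on the ISA server.
$CasAddress = '192.0.2.10'   # placeholder: internal IP of the Exchange CAS server
$Port       = 443
$TimeoutMs  = 5000

function Test-TcpFromSource {
    param([string]$SourceIp, [string]$TargetIp, [int]$Port, [int]$TimeoutMs)
    # Binding the socket to a local address forces that source address to be used.
    $local  = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse($SourceIp)), 0
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $local
    try {
        $target = [System.Net.IPAddress]::Parse($TargetIp)
        $async  = $client.BeginConnect($target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (no response, the 10060 symptom)'
        }
        $client.EndConnect($async)   # throws if the connection was refused or reset
        return 'Connected'
    } catch {
        return "Failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Collect every IPv4 address on interfaces that are up, skipping loopback.
$sources = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
    Where-Object { $_.OperationalStatus -eq 'Up' -and $_.NetworkInterfaceType -ne 'Loopback' } |
    ForEach-Object {
        $nic = $_
        $nic.GetIPProperties().UnicastAddresses |
            Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { New-Object PSObject -Property @{ Nic = $nic.Name; Ip = $_.Address.ToString() } }
    }

foreach ($s in $sources) {
    $result = Test-TcpFromSource -SourceIp $s.Ip -TargetIp $CasAddress -Port $Port -TimeoutMs $TimeoutMs
    '{0,-28} {1,-16} -> {2}:{3}  {4}' -f $s.Nic, $s.Ip, $CasAddress, $Port, $result
}
```

If one source address connects and the other times out, compare the result with the output of `route print` to see which interface the routing table selects for the Exchange server's network.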

Does anyone have an answer for me??
March 4th, 2011 12:46am

Hello lmahar,

Did you get an answer on this yet? I did some checking with our CAS team, and our ISA team. The synopsis was that you need to verify a couple of settings on the ISA side. Here is what our ISA team suggested:

***********************************************************************
Testing URL https://external.company.com:443/Microsoft-Server-ActiveSync/
Category: Connectivity error
Error details: 10060 - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965
***********************************************************************

1) This error can occur when ISA server loses connectivity with the CAS server.

a) Verify ISA server "Activesync" Publishing rule >> Properties >> "To" tab:
   "Published Site Name" field (should use the correct name)
   "Computer Name" or "IP address" field (should have the CAS Server's correct IP address)
   "Enable Forward Original Host header" option (only if the External and Internal Site name is the same)
   "Proxy Request to Published Site" should be "Request appear to come from the ISA Server Computer" (since this works in all scenarios)

   Note: If the CAS Server is in a different network from the ISA Server Internal Network, then ISA should have Persistent Routes.

b) Once you APPLY changes, verify ActiveSync Publishing Rule >> Properties >> verify "Test Rule" button output.

The same step applies for OWA Publishing.

2) Exchange Remote Connectivity Analyzer for Exchange ActiveSync can test external connectivity.

***********************************************************************
Error: The certificate chain didn't end in a trusted root. Root = CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
***********************************************************************

a) Verify the ISA server "Local Computer" Certificate store has all the Root and Intermediate Certificates.

b) Copy the Third Party Root Certificate to the "Local Computer" Certificate store >> "Third-Party Certification Authorities" (server reboot recommended for a valid output).

c) An external mobile device will receive a similar certificate chain error if the Third Party Server certificate used for publishing ActiveSync is a New Generation certificate. Since the mobile OS doesn't contain these new Intermediate and Root certificates, it fails with "certificate chain error."

   Note:
   A) The external user can either manually import the root certificate and Intermediate Certificate to the mobile device (no guarantee that all Third Party Mobile OS will work in this scenario), or
   B) Obtain a new Server Certificate for the ActiveSync Publishing which is compatible with all mobile devices.

I hope this helps.

Thanks,
Kevin Ca - MSFT
April 6th, 2011 6:10pm
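
The certificate-store check from step 2 a) and b) above can be scripted. The following is an added example, not part of any post in this thread: it builds the chain for the publishing certificate in machine context and reports, for each certificate in the chain, which Local Computer store holds it. The subject filter uses the thread's sample name as a placeholder.

```powershell
# Added example, not from the thread. Run on both the ISA and the Exchange server.
# Placeholder filter based on the thread's sample name; replace with your own.
$SubjectFilter = '*blah.org.au*'

# Pick the newest matching certificate from the Local Computer "Personal" store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectFilter } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectFilter' in LocalMachine\My" }

# Use the machine context rather than the current user context.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # check chain building and trust only
$built = $chain.Build($cert)

# Root = Trusted Root CAs, AuthRoot = Third-Party Root CAs, CA = Intermediate CAs
$stores = 'Root', 'AuthRoot', 'CA'
$report = foreach ($el in $chain.ChainElements) {
    $c     = $el.Certificate
    $found = @($stores | Where-Object { Test-Path "Cert:\LocalMachine\$_\$($c.Thumbprint)" })
    $where = if ($found.Count -gt 0) { $found -join ',' } else { '(none)' }
    New-Object PSObject -Property @{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        SelfSigned = ($c.Subject -eq $c.Issuer)   # the chain should end in one of these
        Stores     = $where
        Status     = (@($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

$report | Format-List Subject, Issuer, SelfSigned, Stores, Status
"Chain builds to a trusted root: $built"
$chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
```

The first entry is the server certificate itself, so "(none)" is expected there; an intermediate or root reported as "(none)" was not found in the Local Computer stores, even if the chain still built on this machine.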

This topic is archived. No further replies will be accepted.
