OWA behind ISA works but ActiveSync gives error - An HTTP 403 error
Hi, I have a LAN with an Exchange Server 2007, ISA Server and several other servers & clients.


ISA has two NICs; the first NIC is connected to external broadband with multiple static IP addresses and the second NIC to the internal LAN where Exchange, the DC and the rest of the servers/clients are connected.

So far, from ISA I have published OWA with SSL (www.instantssl.com). Users from outside type https://mail.mycompany.com, where they are prompted with the Outlook Web Access form. They can successfully log on with their domain username & password to send/receive emails.

Now I am trying to set up Exchange ActiveSync so that users can use their phones to set up the email. This is what I did:

Created another rule to publish exchange
- selected Exchange 2007
- ticked on Exchange Activesync
- entered myexchange1.mycompany.com
- selected Accept requests for "This domain name" - and typed mail.mycompany.com
- created new web listener - selected External networks with a different IP than the one used with the OWA web listener - used 443 as port - selected certificate as mail.mycompany.com - selected Basic Authentication
- selected the above web listener
- Added All Users



Now from my iPhone, if I set it up as:
email: user1@mycompany.com
server: mail.mycompany.com
domain: mydomain
username: user1
password: ********
use ssl: ticked

When I access the Mail app, it gives the error:

Exchange Account
Unable to verify account information.

ISA logging shows the following:
Action: Denied Connection
Rule: Default rule
Source Port: 52291
Dest Port: 443
Result Code: 0xc004000d FWX_E_POLICY_RULES_DENIED
Log Record Type: Firewall

From a PC at my home, if I type:

https://myexchange1.mycompany.com/Microsoft-Server-ActiveSync - a "Server not found" page displays
https://mail.mycompany.com/Microsoft-Server-ActiveSync - redirects to the Outlook Web Access form


From a PC in the LAN, if I type this in the browser:
https://myexchange1.mycompany.com/Microsoft-Server-ActiveSync
I get a login username and password box. Once I type a correct username and password I get just a blank page with no errors.

Also, within the LAN I can successfully access email using
https://myexchange1.mycompany.com/owa/
or
https://mail.mycompany.com

What could be the problem?

 

I tried this website to test ActiveSync:
https://www.testexchangeconnectivity.com

and this is what I got:

Testing HTTP Authentication Methods for URL https://mail.mycompany.com/Microsoft-Server-Activesync/.
The HTTP authentication test failed.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.

Help will be much appreciated. Thank you.

May 21st, 2011 1:23pm

Hi,

You can use the existing rule and listener for Exchange ActiveSync which you used for OWA. Simply extend your OWA publishing rule with the path for /Microsoft-Server-Activesync

May 21st, 2011 2:06pm

I have tried just adding /Microsoft-Server-Activesync/* to the paths of the OWA publishing rule, but I'm getting the same error.

May 21st, 2011 5:39pm

Hi,

 

Thank you for the post.

 

Just like Marc said, you can simply use the existing OWA Web Listener and Publishing rule to configure ActiveSync publishing, as long as the following basic criteria are met:

 

•ActiveSync clients use the same external server name as the OWA clients.

•ActiveSync clients have the trusted Root (and possibly Intermediate) certificate(s) installed.

•You have added the ‘Microsoft-Server-ActiveSync’ path to the OWA publishing rule.

 

Regards,

May 26th, 2011 10:20am

I have exactly the same error... did you solve this? how???
June 21st, 2013 9:14pm

I am having the exact same error with Exchange 2010 behind TMG. Any suggestions? I am using the SAME listener for OWA and ActiveSync.
June 28th, 2013 12:26am

When using a browser on the LAN to access the Exchange CAS like https://FQDN/Microsoft-Server-ActiveSync/ you should get prompted to enter credentials and then get either HTTP 501 Not Implemented or HTTP 505 Version Not Supported; that is an indication that ActiveSync is working. If you don't get this message then most likely your Exchange CAS is not set up for ActiveSync or there is something wrong with the authentication. Try troubleshooting that before making any changes to the TMG.

\Mattias


July 3rd, 2013 9:26am
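
The check described in the last reply, as an added example that is not part of any post in this thread: Python that probes the ActiveSync path over verified TLS and compares the internal result with the external one, so the CAS is ruled out before the ISA/TMG rule is touched. The status-code meanings follow the thread (501/505 from the CAS, 403 from ISA); the `MS-ASProtocolVersions` header returned to an OPTIONS request, the function names, the host name in the comment and the sample responses are assumptions added here.

```python
import base64
import http.client
import ssl
from urllib.parse import urlsplit

def classify(status, headers):
    """Turn one response from /Microsoft-Server-ActiveSync into a diagnosis."""
    h = {k.lower(): v for k, v in headers.items()}
    if "ms-asprotocolversions" in h or status in (501, 505):
        return "activesync-ok"          # OPTIONS or browser GET reached ActiveSync
    if status == 401:
        return "auth-required"          # credentials missing or rejected
    if status == 403:
        return "denied"                 # a rule (ISA/TMG) or IIS refused the URL
    if status in (301, 302, 303, 307):
        return "redirected:" + h.get("location", "?")   # e.g. to a logon form
    return "unexpected:%d" % status

def probe(url, user, password, method="OPTIONS", timeout=10):
    """Send one authenticated request over verified TLS; return (status, headers)."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(
        parts.netloc, timeout=timeout, context=ssl.create_default_context())
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    try:
        conn.request(method, parts.path or "/", headers={"Authorization": "Basic " + token})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()

def compare(internal, external):
    """Decide whether the CAS or the publishing path needs attention first."""
    if internal != "activesync-ok":
        return "fix the Exchange CAS first (internal: %s)" % internal
    if external == "activesync-ok":
        return "published correctly"
    return "CAS is fine; check the publishing rule and listener (external: %s)" % external

# Constructed sample responses (not captured from a real server).
SAMPLE_INTERNAL = (505, {"Server": "Microsoft-IIS/7.0"})
SAMPLE_EXTERNAL = (403, {"Content-Type": "text/html"})

if __name__ == "__main__":
    # Live use (hypothetical host name and account):
    #   internal = classify(*probe("https://cas.example.local/Microsoft-Server-ActiveSync", "DOM\\user", "pw"))
    internal = classify(*SAMPLE_INTERNAL)
    external = classify(*SAMPLE_EXTERNAL)
    print(internal, external, "->", compare(internal, external))
```

Run `probe` once from a LAN client against the CAS name and once from outside against the published name, then pass both classifications to `compare`.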

This topic is archived. No further replies will be accepted.
