how the active sync works with cas array

All replies

  • Hi,

    CAS array gives a logical name to the members of the CAS Array. If you install an NLB then the traffic is load-balanced between the members of the CAS Array. So please use the name of the CAS Array for the client (smartphone, Outlook, etc.).

    You have to register this name in DNS.

     


    regards Thomas Paetzold visit my blog on: http://sus42.wordpress.com
    • Edited by Peddy1st Thursday, February 2, 2012 9:41 PM
    Thursday, February 2, 2012 9:41 PM
  • On internal DNS I've registered the record name of the casarray.

    But I still fail to use ActiveSync both internally and externally.

    I've not set up A records for autodiscover, either internal or external. Is this where I'm going wrong?

    thank you


    Lasandro
    Sunday, February 5, 2012 9:53 AM
  • You don't need autodiscover for ActiveSync but it does remove the need to supply the server name. Do you have certificates configured for SSL? Are you using the same CASArray for OWA and does that work internal/external?

    Try the RCA at https://www.testexchangeconnectivity.com to test external connectivity.

    Sunday, February 5, 2012 10:06 AM
  • As you don't have A records set up for autodiscover use the first option in the RCA that just says Activesync.  You will need to specify your server name in the test tool. 
    Sunday, February 5, 2012 10:16 AM
  • I'm not so clear on what you recommend.

    Do I have to set up an A record in external DNS? If so, what name do I have to use for the A record?


    Lasandro
    Sunday, February 5, 2012 10:31 AM
  • Don't use the Exchange Activesync Autodiscover test, use the Exchange Activesync test instead.

    Sunday, February 5, 2012 10:37 AM
  • I got the same result as I've posted.
    Lasandro
    Sunday, February 5, 2012 10:51 AM
  • On Sun, 5 Feb 2012 10:10:46 +0000, Lasandro wrote:
     
    >
    >
    >The OWA is working fine both internally and externally from the internet.
    >
    >Internally it works fine with the name of the casarray and also with both the names of the CAS servers.
    >
    >Externally, we've opened port 443 only to the CAS server IP, not to the internal IP of the CAS array.
    >
    >The results of the RCA are as follows. Let me know what is wrong with me
     
    The test is failing on the certificate validation. Do you have a valid
    certificate (issued by a trusted external CA) installed on the CAS
    machines?
     
    The test was able to resolve the name in the akep.al domain, found
    that port 443 was open, and tried (but failed) to find a certificate
    that was valid.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Lasandro Sunday, February 12, 2012 9:05 PM
    Sunday, February 5, 2012 4:11 PM
  • No, I don't have a trusted external CA, I use the default one of Exchange.

    so what can i do?


    Lasandro
    Sunday, February 5, 2012 4:41 PM
  • On Sun, 5 Feb 2012 16:41:26 +0000, Lasandro wrote:
     
    >
    >
    >No, i don't have a trusted external CA, i use the default one of exchange.
    >
    >so what can i do?
     
    Is https://akep.al/AutoDiscover the URL you intend to use for
    AutoDiscover? Is akep.al the name you intend to use for the ActiveSync
    server name? If your company has a web site that uses akep.al then
    you'll have to use another name, for example "autodiscover.akep.al".
     
    Do you have your own internal CA? If you do you can generate the CSR
    file using new-exchangecertificate and use that to get a cert from
    your CA. Then you'll add the CA's root certificate to all of your
    mobile devices and PCs so they trust your CA.
     
    If you don't have your own CA then you'll buy a cert from one of the
    many CAs offering them. DigiCert is one of them.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Lasandro Sunday, February 12, 2012 9:02 PM
    Sunday, February 5, 2012 6:06 PM
  • On Sun, 5 Feb 2012 18:44:48 +0000, Lasandro wrote:
     
    >
    >
    >The name is mail.akep.al
    >
    >the owa is working fine.
    >
    >I don't have an internal CA. Let me know
     
    Let you know what? Get a certificate, preferably a SAN/UCC
    certificate, for the names you'll be using.
     
    Your domain name is akep.al so, in addition to the mail.akep.al you'll
    also need either akep.al or autodiscover.akep.al for the AutoDiscover
    to work.
     
    These are the usual services that the CAS and NT roles offer:
     
    autodiscover
    pop3 (optional)
    imap4 (optional)
    smtp (optional)
    outlook web access (usually the same as Outlook Anywhere)
    ActiveSync (usually uses the same as OWA and OA)
     
    If you plan on using OWA and OutlookAnywhere then the commonname on
    the certificate should be mail.akep.al.
     
    The SANs can then be autodiscover.akep.al and whatever you use for
    your SMTP server. You have two host names in your domain's MX so I
    don't know whether to tell you to use mail.akep.al, mx2.akep.al, or
    both. If it's mail.akep.al then that's the one to use. Your outbound
    SMTP server should identify itself in the 220 header as mail.akep.al,
    too.
     
    To be safe, get a cert with the three names you expose to the
    Internet:
    autodiscover.akep.al
    akep.al
    mail.akep.al <== This is the Common Name of the cert
     
    You can add any additional names you use internally, but some CAs
    won't issue certs with names, for example, in the .local top-level
    domain, or names without domains. You must also be the owner of the
    domain -- you can't use someone else's domain.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Sunday, February 5, 2012 8:06 PM
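
Added example, not part of any post in this thread: one way to check the certificate bound to IIS against the three names listed above, and to generate the matching CSR with `New-ExchangeCertificate`. It assumes the Exchange Management Shell on a CAS server with Exchange 2010-style cmdlet behaviour (the request is returned as Base64 text); the file paths are hypothetical.

```powershell
# Names taken from the thread; mail.akep.al is the Common Name.
$required = 'mail.akep.al', 'autodiscover.akep.al', 'akep.al'

# 1. Audit the certificate(s) currently enabled for IIS, which serves
#    OWA, ActiveSync and AutoDiscover. A cert that is self-signed or is
#    missing any required name will fail validation on mobile devices.
#    Exact-name comparison only; wildcard entries are not expanded.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object {
        $names   = @($_.CertificateDomains | ForEach-Object { "$_".ToLower() })
        $missing = @($required | Where-Object { $names -notcontains $_ })
        New-Object PSObject -Property @{
            Thumbprint   = $_.Thumbprint
            Subject      = $_.Subject
            IsSelfSigned = $_.IsSelfSigned
            Status       = $_.Status
            NotAfter     = $_.NotAfter
            MissingNames = ($missing -join ', ')
        }
    } | Format-List

# 2. Generate a SAN/UCC request for the three Internet-facing names.
#    The private key is marked exportable so the issued certificate can
#    be installed on every member of the CAS array.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.akep.al' `
    -DomainName $required `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\mail_akep_al.req' -Value $csr   # hypothetical path

# 3. Once the CA returns the signed certificate, import it and bind it to IIS
#    (left commented out because the file does not exist until the CA responds):
# Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content `
#     -Path 'C:\certs\mail_akep_al.cer' -Encoding Byte -ReadCount 0)) |
#     Enable-ExchangeCertificate -Services IIS
```

A certificate like the one described in the next reply (issued to HubCas01 with no domain name) would show up in step 1 with all three names listed under MissingNames.
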
  • On Sun, 5 Feb 2012 20:20:06 +0000, Lasandro wrote:
     
     
    >The owa is working fine at https://mail.akep.al/owa.
     
    Sure, except for the warning that the certificate is invalid. The cert
    is issued to HubCas01 with no domain name!
     
    >I'm making the installation to that company, and this is why i'm asking for help.
     
    You've been getting help.
     
    >I know that there exist two MX records, but that is not part of my work; I want to be sure that at least ActiveSync could work to mail.akep.al
    >
    >As I've said before, we will not use a public CA, so I need to know where I'm going wrong.
     
    "WILL" not? Why? A self-signed certificate isn't trusted by anyone --
    including the mobile devices you're trying to make work.
     
    I don't know how much you're charging for your services, but for US$30
    a year the problem can go away. You can use a regular SSL certificate
    (for akep.al) and a SRV record for the autodiscover.
     
    >I also failed to use my iphone from internally there, and i'm not finding the problem.
     
    You did find the problem - the certificate's not trusted by the
    devices.
     
    >Somebody told me to make the users "inherit permission from parent" from Active Directory, but I've not tried yet.
     
    I'm not telling you to make anything inherit permissions since that's
    not what's causing your problem.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Sunday, February 5, 2012 10:09 PM
  • Dear Rich.

    Before installing on site, I did the same installation on Hyper-V, and I was able to connect internally from an iPhone. Even though the domain name and email were virtual, at least I connected internally. Also, I did not use any third-party CA in this case, but my iPhone worked fine.

    I'm not so clear what is going wrong.

    P.S (give me your email, i will write)


    Lasandro
    Sunday, February 5, 2012 10:14 PM
  • HubCas01 is the name of one of the Exchange servers where I've installed the Hub and CAS roles.
    Lasandro
    Sunday, February 5, 2012 10:25 PM
  • dfsaafs
    • Edited by Lasandro Sunday, February 12, 2012 9:04 PM
    Sunday, February 5, 2012 10:45 PM
  • On Sun, 5 Feb 2012 22:45:15 +0000, Lasandro wrote:
     
    >this is the error i got (i've removed the email from picture)
     
    That's not the error you posted in the message I originally replied to
    -- the error that was reported by the web site.
     
    If you're having a problem with authentication you should check to
    make sure you haven't modified the active sync VD.
     
    Out of curiosity, can you use the phone's browser to connect to your
    mailbox using OWA? It'll look ugly, but you're only interested in
    finding out if the phone's capable of accessing the server right now.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Lasandro Sunday, February 12, 2012 9:04 PM
    Monday, February 6, 2012 3:37 AM