iPhone denied connection by ISA 2004

    Question

  • Running ISA 2004 to publish OWA for Exchange 2003.

    Rule set-up to publish OWA, OMA etc... using web listener, forms based authentication, SSL cert installed onto the ISA server & front end Exchange server.

    At the moment when the iPhone connects to the ISA 2004 I can see from the connectivity logs that the rule set to publish OWA is stating denied connection to the ip address for the iPhone.

    Newbie to ISA & do not know where to start to find the cause or resolution to the problem.

    Any help would be greatly welcome.
    Thursday, August 20, 2009 7:07 PM


All replies

  • Q1 - what is the exact URL you find in the log entries you mentioned?
    Q2 - exactly how is the OWA publishing rule defined?
    Q3 - what is the HTTP Response code quoted in the log entry?
    Q4 - what error does the iPhone produce?


    Jim Harrison Forefront Edge CS
    Thursday, August 20, 2009 8:35 PM
  • I assume the connection url you are using is https://x.y.z/exchange  ?
    Normal PC's connect OK to the /exchange service without issue?
    Is the iPhone using a local WiFi connection or using your phone providers' network to give you access to the Internet?

    Keith - ISA MVP
    Saturday, August 22, 2009 5:13 PM
    Moderator
  • Hi,

     

    I’d like to confirm whether there is any update about this issue. If anything unclear, please feel free to contact us.

     

    Regards,


    Nick Gu - MSFT
    Friday, August 28, 2009 1:50 AM
    Moderator
  • Fair question Nick :)

    M Bellingham,


    Are you seeing http/https requests for x.y.x/microsoft-server-activesync ? 
    Did you click the active-sync tick box in the publishing rule when you created it?
    Did you add the domain name with the user credentials on the iPhone?



    Friday, August 28, 2009 5:30 AM
    Moderator
  • I've marked ISAdewd as the accepted answer on this question due to no response from the question asker. Although there is no 'solution' it indicates, for people in the future who may have the same issue, the things they should be looking for.

    Keith
    Owner/Moderator
    Thursday, September 3, 2009 5:49 AM
    Moderator
  • Hello Jim,

    Thank you very much for your response & apologies for not replying but I have been away on holiday.

    Please see my responses to your questions below -

    Q1 - what is the exact URL you find in the log entries you mentioned?

    http://email.domainname.co.uk:443/microsoft-server-activesync

    Q2 - exactly how is the OWA publishing rule defined?

    Allow HTTPS From "Exchange Listner" to "email.domainname.co.uk" condition "All Users".

    Q3 - what is the HTTP Response code quoted in the log entry?

    HTTP Method = OPTIONS

    Q4 - what error does the iPhone produce?

    Exchange account verification failed
    Friday, September 4, 2009 10:54 AM
  • Hello Keith,

    Thank you very much for your response & apologies for not replying but I have been away on holiday.

    Please see my responses to your questions below -

    I assume the connection url you are using is https://x.y.z/exchange  ?

    Connection url is https://email.domainname.co.uk/exchange

    Normal PC's connect OK to the /exchange service without issue?

    Normal PC's connecting successfully.

    Is the iPhone using a local WiFi connection or using your phone providers' network to give you access to the Internet?

    iPhone is using the phone providers' network.
    Friday, September 4, 2009 11:00 AM
  • Hello Keith,

    Are you seeing http/https requests for x.y.x/microsoft-server-activesync ? 

    Yes seeing requests for http://email.domainname.co.uk:443/microsoft-server-activesync & status is denied connection.

    Did you click the active-sync tick box in the publishing rule when you created it?

    Publishing rule was set-up by external contractor but within the rule under Paths the following is listed -

    External Path = <Same As Internal>
    Internal Path = /Microsoft-Server-ActiveSync

    Did you add the domain name with the user credentials on the iPhone?

    Do not add the domain name but do enter the username & password.
    Friday, September 4, 2009 11:11 AM
  • Hello Keith,

    Please could I ask for this call to be changed from accepted answer as I have now returned from holiday & posted replies to your questions?

    Thanks,
    Mark
    Friday, September 4, 2009 11:12 AM
  • Done - as requested.

    Yours appears different to mine - ie mine are captured under my https (owa) publishing rule and are shown as https requests. Also, there is no :443 in the requests I see on my Forefront TMG server.

    Yes, I added the internal domain (the netbios portion)

    All my paths are set to mirror the external path ie I did not have to set anything different or change from the default created by the OWA publishing rule.

    Can you run the best practice analyser and just see what it reports?
    Confirming you have service pack 3 (ISA2004) would be useful too.
    Friday, September 4, 2009 7:14 PM
    Moderator
  • ISA 2004 was running SP1 which has now been upgraded to SP3.

    The following additional info now appears when the iPhone tries to connect under logging -

    Status: 12217 The request was rejected by the HTTP Filter

    Filter Info: Blocked; sent verb is not specifically allowed by HTTP filter

    The BPA issues reported are -

    1. Memory used for cache is higher than 30%
    2. The name cert attached to publish Exchange Web publishing rule does not match the public name. The cert was issued to email.domainname.co.uk & the set of public names is not found
    3. The no connectivity error alert was signaled 1 times.
    Tuesday, September 8, 2009 11:37 AM
  • Excellent - and much more informative as you can imagine!!

    The obvious check is to right-click the OWA publishing rule, select the configure http option and check that you have all methods allowed rather than just a small list of verbs such as get etc.

    I would not expect to see error messages regarding the certificates but if OWA is using the cert..... 

    • Marked as answer by M Beckingham Tuesday, September 8, 2009 3:39 PM
    Tuesday, September 8, 2009 12:10 PM
    Moderator
  • "Filter Info: Blocked; sent verb is not specifically allowed by HTTP filter" is the key.
    You have configured the HTTP filter to block (or allow) specific verbs and this one isn't part of the allow list.
    Your previous answer to my questions gives the answer: "HTTP Method = OPTIONS".
    Change the HTTP filter settings for that rule to allow "OPTIONS" and all should be well.
    Jim Harrison Forefront Edge CS
    Tuesday, September 8, 2009 2:46 PM
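
An added example, not part of the original thread: a short Python triage script that reads an exported proxy log, counts the requests rejected with status 12217 per rule, path and verb, and reports which verbs are missing from a rule's allow list for one published path. The tab-separated layout, the column names, the rule name and the sample rows are constructed for this example and are assumptions, not ISA's actual export format.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

HTTP_FILTER_REJECT = "12217"  # status quoted in the thread for an HTTP Filter rejection

# Constructed sample log; column names and rows are assumptions for illustration.
SAMPLE_LOG = (
    "c-ip\ts-operation\tcs-uri\tsc-status\trule\n"
    "203.0.113.10\tOPTIONS\thttp://email.domainname.co.uk:443/microsoft-server-activesync\t12217\tExchange Web publishing rule\n"
    "198.51.100.7\tGET\thttp://email.domainname.co.uk:443/exchange/\t200\tExchange Web publishing rule\n"
    "203.0.113.10\tOPTIONS\thttp://email.domainname.co.uk:443/Microsoft-Server-ActiveSync\t12217\tExchange Web publishing rule\n"
    "203.0.113.10\tPOST\thttp://email.domainname.co.uk:443/microsoft-server-activesync?Cmd=Sync\t200\tExchange Web publishing rule\n"
    "198.51.100.9\tTRACE\thttp://email.domainname.co.uk:443/exchange/\t12217\tExchange Web publishing rule\n"
)


def rejected_verbs(log_text):
    """Count HTTP-filter rejections per (rule, path, verb)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        if row["sc-status"] != HTTP_FILTER_REJECT:
            continue
        # Paths are compared case-insensitively; the query string is dropped.
        path = urlsplit(row["cs-uri"]).path.lower()
        counts[(row["rule"], path, row["s-operation"].upper())] += 1
    return counts


def verbs_to_allow(log_text, path_prefix, allowed):
    """Verbs rejected under path_prefix that are absent from the allow list."""
    allowed = {v.upper() for v in allowed}
    prefix = path_prefix.lower()
    return sorted({
        verb
        for (_rule, path, verb) in rejected_verbs(log_text)
        if path.startswith(prefix) and verb not in allowed
    })


if __name__ == "__main__":
    for key, n in rejected_verbs(SAMPLE_LOG).items():
        print(n, key)
    # Allow list assumed to contain only GET and POST before the fix.
    print(verbs_to_allow(SAMPLE_LOG, "/Microsoft-Server-ActiveSync", ["GET", "POST"]))
```

Scoping the check to the ActiveSync path keeps the rejected TRACE request on /exchange/ out of the result, so only the verb the device actually needs is considered for the allow list.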
  • Problem resolved, by configuring the http option to allow all methods the iPhone is now able to connect to Exchange Active Sync via ISA 2004 successfully.

    Thank you very much Keith for all of your help.

    Tuesday, September 8, 2009 3:39 PM
  • Good all-round joint effort and nice to see it is all working for you.
    The brilliant Service Packs that the guys/girls from the Forefront Team put out are so important and really make a difference as this case shows.

    Keith :)

    Tuesday, September 8, 2009 5:40 PM
    Moderator