RE: ActiveSync and T-Mobile Treo 650



Hello Dave,

Thank you for posting in the SBS newsgroup.

Considering the current condition, I suggest you create a new thread on the
SBS newsgroup. The reason why I recommend this is that you will get the
most qualified pool of respondents, and other partners who read the newsgroups
regularly can share their knowledge. Thanks for understanding.

Additionally, I'm glad to provide the following general information for
your reference:

If you are using the ISA Server, this is confirmed to be a problem when
trying to use Microsoft Exchange ActiveSync from a Palm Treo 650 through an
ISA 2000 firewall or an ISA 2004 Standard Edition over an SSL connection.
This issue does not appear to occur in ISA 2004 SP1, but this does not mean
it is an issue of ISA. Actually, this issue occurs because this device is
not fully respecting the RFC when processing the URL while ISA does, so
this issue occurs. ISA 2004 SP1 has some design changes and bypasses this
conflict.

Generally, to publish ActiveSync, you just need to run the CEICW and enable
the firewall settings and make sure the 443 port is forwarded.

For this specific device, there are four available workarounds for your
scenario.

Method 1 - Since the SBS SP1 is released, please upgrade your ISA 2000 to
ISA 2004. ISA 2004 SP1 is included in the SBS 2k3 Sp1.

Method 2 - Replace your Exchange Web Publishing rule with a Server
Publishing rule.

Use this method if you allow only SSL access to Exchange web components
(AirSync, OWA, RPCHTTP) and do not want to use a separate URL to access
AirSync. By replacing your Web Publishing rule with a Server Publishing
rule you will not be able to perform more advanced reverse proxy functions,
such as SSL offloading, forwarding of basic credentials, http filtering,
HTTP/HTTPS redirection, etc.

Steps

1. Delete the existing Web Publishing rule that is publishing the
   Exchange Web services (OWA, OMA, ActiveSync and possibly RpcHTTP).
   a. Open the ISA Server Management utility
   b. Select Firewall Policy in the left hand pane
   c. Right click on your Web Publishing rule for Exchange HTTP
      access and select "Delete". Click "Yes" when prompted.
2. Create a new Server Publishing rule that publishes the Exchange
   Web services
   a. Right click on "Firewall Policy" and select New->Server
      Publishing Rule
   b. Enter a name for the Rule and click "Next"
   c. Enter the IP address of the Exchange Server that you want to
      direct the requests to, and click "Next"
   d. Select "HTTPS Server" as the selected protocol and click "Next"
   e. Select "External" for the network. If you want to restrict this
      to a specific IP address on the external NIC click "Address" and
      select the "Specified IP addresses on the ISA Server computer in the
      selected network" radio button and add the correct IP to the list of
      Selected IP Addresses.
   f. Click OK, then Next to exit the wizard. Then click "Apply" to
      apply the changes

Method 3 - Create a new Server Publishing rule exclusively for accessing
Microsoft Exchange ActiveSync.

In order to partition this from OWA and other Exchange HTTP traffic you
need to assign a different internet facing URL and IP address for Microsoft
Exchange ActiveSync.

This is a more complex solution and requires additional setup on the
Exchange server (Front End server if you have one). You will also need a
new certificate on the Exchange server to match the new url being used to
publish ActiveSync.

As ActiveSync access will be gained through a Server Publishing rule it is
unable to take advantage of more advanced reverse proxy functions, such as
SSL offloading, forwarding of basic credentials, http filtering etc.
However, OWA access will remain unaffected.


Example:

OWA, OMA and RpcHTTP use mail.contoso.com which maps to an IP address on
the internet facing network card of the ISA server.

ActiveSync uses activesync.contoso.com which maps to a different IP address
on the internet facing network card of the ISA server.

In addition, you should create a new virtual server and Exchange ActiveSync
virtual directory on your Exchange Server (on the Front End Exchange Server
if you have one) to accept the incoming connections and assign this a
different IP address than that used by the default web site. This is to
allow the use of a different SSL certificate on the Exchange server to
match the new URL. Also it prevents any non ActiveSync traffic from using
this Server Publishing rule.

To avoid any conflict of rules on the ISA you should restrict the two
different rules' listeners to listen only on their specific IP addresses,
and not all IP addresses on the internet facing NIC.

Steps:

1. Assign a new IP address to the internet facing NIC on your ISA
   Server.
2. If it's not already configured to do so, edit your current
   listener for your web publishing rule for Exchange HTTP access to only
   listen for requests on the specific IP address that maps to the URL used
   for OWA access.
   a. Open the ISA Server Management utility
   b. Select Firewall Policy in the left hand pane
   c. Right click on your Web Publishing rule for Exchange HTTP
      access and select "Properties"
   d. Select the "Listener" tab
   e. Click "Properties"
   f. Select the "Networks" tab
   g. Select the network that is being listened to (usually this will
      be "External") and click "Address"
   h. Select the "Specified IP addresses on the ISA Server computer
      in the selected network" radio button and add the correct IP to the
      list of Selected IP Addresses.
   i. Click OK until you are back to the ISA Server Management UI and
      then click "Apply" to apply the changes

3. Create a new Server Publishing rule
   a. Open the ISA Server Management utility
   b. Select Firewall Policy in the left hand pane
   c. Right click on "Firewall Policy" and select New->Server
      Publishing Rule
   d. Enter a name for the Rule and click "Next"
   e. Enter the IP address of the Exchange Server that you want to
      direct the requests to, and click "Next" (Note - This should
      correspond to the IP address of the virtual server for ActiveSync
      access on the Exchange server).
   f. Select "HTTPS Server" as the selected protocol and click "Next"
   g. Select "External" for the network, then click "Address" and
      select the "Specified IP addresses on the ISA Server computer in the
      selected network" radio button and add the correct IP to the list of
      Selected IP Addresses.
   h. Click OK, then Next to exit the wizard. Then click "Apply" to
      apply the changes

OWA, OMA and RpcHTTP traffic will use the Exchange Web Publishing rule,
however, ActiveSync traffic will now use the Server Publishing rule. In
addition clients cannot use the ActiveSync url to access OWA.

Method 4 - Create a Server Publishing rule for HTTPS traffic and use a Web
Publishing rule for HTTP traffic.

This is not recommended as you should use SSL for all Exchange HTTP
traffic. However, you could configure your Web Publishing rule listener to
not listen for HTTPS traffic, then configure a separate Server Publishing
rule for HTTPS traffic on the same IP address as the Web Publishing rule.
This means you can use the same URL for both AirSync and OWA access,
however, if all your traffic is over SSL then all access will use the
Server Publishing rule - just like method 2.

This is only really useful if you have other non SSL services that you want
to use the same URL as the Exchange Web Services.


If you do not have ISA installed, this issue could still be device related.
As in our test, the Treo 650 does not comply with the RFC and will cause
unexpected authentication issues.

For this issue, I would like to suggest the following:

First of all, I want to confirm that you have run the CEICW wizard to publish
the necessary resources to the internet and configure internet access.

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

Please make sure you have the proper ports (80, 443, etc.) open if you have
a hardware router in front of your SBS server.

To troubleshoot this issue, please refer to the following suggestions:

1. Please make sure your PPC has a valid internet connection. You
   could just test the OMA by visiting https://SBSFQDN/oma

2. Since the ServerSync on the internet uses port 443, please use
   telnet to test the communication. You can run the following command on
   the internet computer to test your SBS server.

   Telnet SBSFQDN 443

   A blank screen is expected.

3. Since the serversync is using SSL communication, the server
   certificate is needed. As I know, sometimes, the incorrect certificate
   will cause the issue. You could use a tool to remove the limitation of
   certificate for troubleshooting purposes. Please refer to the following
   steps.

   Please visit:
   http://www.microsoft.com/downloads/details.aspx?FamilyId=D88753B8-8B3A-4F1D-8E94-530A67614DF1&displaylang=en

   Download the file and try the following steps:
   a. Ensure that your device is connected to the Desktop, that
      ActiveSync is installed, and your device is connected. A partnership
      is not necessary, you may connect as Guest should you wish.
   b. On the desktop, open up a command prompt, and change to the
      directory containing the tool executable CERTCHK.EXE
   c. The tool uses a simple command line interface. To disable
      certificate checking, type: CERTCHK off
   d. To enable certificate checking, type: CERTCHK on
   e. To verify if certificate checking is currently enabled or
      disabled, type: CERTCHK query
   f. To get syntax help for the command, type: CERTCHK
   g. Please be sure to re-enable certificate checking on the device
      after you are done with testing and have installed a signed
      certificate.

4. a. On the server, click Start, point to Programs, point to
      Administrative Tools, and then click Internet Services Manager.
   b. Expand the ServerName and the Default Web Site nodes.
   c. Right-click the "Microsoft Server ActiveSync" virtual
      root, and then click Properties.
   d. On the Directory Security tab, click Edit under
      Secure Communications.
   e. Verify that the Require Secure Channel (SSL) check
      box is not selected, and then click OK two times.
   f. Please check the same thing at the "Exchange-oma" virtual
      root
   g. Close Internet Services Manager.

By the way, please note the partner managed newsgroups are staffed weekdays
by Microsoft Support professionals. Our goal is to provide a one business
day response to all posts.

For time critical issues (not business down), we encourage you to contact
CSS directly for more immediate assistance:
International Support (non-US/Canada):
http://support.microsoft.com/common/international.aspx

US and Canada:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone


Best regards,

Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
>From: =?Utf-8?B?RGF2ZSBT?= <DaveS@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Subject: RE: ActiveSync and T-Mobile Treo 650
>Date: Sun, 20 Nov 2005 15:24:02 -0800
>Newsgroups: microsoft.public.windows.server.sbs
>
>I too was having problems and even though I had exported the certificate and
>imported it on the PDA, it still wouldn't work. I thought that the
>certchk.exe way was the answer but alas that hasn't worked either even though
>certificate checking is now switched off on the PDA.
>
>Any more ideas?
>
>"Nathan Liu [MSFT]" wrote:
>
>> Hello Gregg,
>>
>> Thank you for posting in the SBS newsgroup.
>>
>> According to your description, I understand that you would like to get the
>> T-Mobile Palm Treo 650 to work with SBS 2003 Exchange via ActiveSync. If I
>> have misunderstood the problem, please don't hesitate to let me know.
>>
>> Generally speaking, since the SSL certificate configured for the SBS web
>> sites is issued by the server itself, the certificate is not trusted (by
>> the device) by default. Sometimes, due to the untrusted root certificate,
>> the SSL connection cannot be established. To resolve this issue, we can
>> choose one of the following suggestions:
>> 1. Purchase a web certificate from the third-party internet root CA such as
>> VeriSign, Cybertrust, Thawte, etc. Install the certificate onto the SBS
>> server. Rerun CEICW to apply the certificate.
>>
>> 2. Disable the certificate verification on the mobile device.
>>
>> 3. Add the CA certificate of the SBS server to the mobile device.
>>
>> Could you please let me know the detailed restrictions that Cingular defined
>> on the device? Can I assume that the install certificate utility (certinst
>> which is located in \Windows folder in ROM) is disabled? If not, you may
>> try the following steps to install the CA certificate of the SBS server to
>> the mobile device:
>> a. On the SBS server, click 'Start'->'Run'. Input 'mmc' and press Enter.
>>
>> b. In the MMC console, click 'File'->'Add/Remove Snap-in'. In the window,
>> click 'Add' button. Select 'Certificates' and then click 'Add'.
>> Select 'Computer account'-->'Next'-->'Local computer'-->'Finish'. Click
>> 'Close' in the Add standalone Snap-in dialog box and click 'OK' in the
>> Add/Remove snap-in dialog box. You will see 'Certificates' under the
>> console root. Expand it and navigate to 'Trusted Root Certificate
>> Authorities'\'Certificates' folder.
>>
>> c. Right-click the certificate which is created for the SBS server.
>> Choose 'All Tasks'->'Export'. Export the certificate to a .cer file.
>>
>> d. Copy the .cer file to a workstation which is connecting with the mobile
>> device. Then, go to the workstation and copy the .cer file to the mobile
>> device. (You can copy the file to the \storage folder.) On the mobile
>> device, open Explorer program. Find the .cer file and press the button. The
>> certificate will be added to the root certificate library of the mobile
>> device.
>>
>> e. Restart the mobile device. Try to perform the Server ActiveSync again.
>> What's the result?
>>
>> If you cannot add the CA certificate to the mobile device, you may try the
>> certchk utility to disable the certificate verification on the mobile
>> device:
>> a. Download the tool from:
>> http://www.microsoft.com/downloads/details.aspx?FamilyId=D88753B8-8B3A-4F1D-8E94-530A67614DF1&displaylang=en
>>
>> b. Go to a workstation which has ActiveSync program installed. Connect the
>> SmartPhone to the workstation (through USB connection).
>>
>> c. Copy the file certchk.exe to the c:\ of the workstation. Open a command
>> prompt, use 'cd \' command to navigate to the c:\ path.
>>
>> d. Input 'certchk off' (without the quotation marks) and press Enter. After
>> doing this, restart the mobile device.
>>
>> e. Use 'certchk query' command to query the certificate verification status
>> on the mobile device. You should see 'Certificate checking is now OFF.'
>>
>> f. Try the Server ActiveSync again. What's the result?
>>
>> In addition, for the Server site configurations, please make sure that you
>> have used the CEICW to configure the server internet connections and
>> publish the ActiveSync web service to the Internet. If there is a router
>> installed in front of the SBS server, please also ensure that the TCP 443
>> port forwarding is opened. More info:
>> 825763 How to configure Internet access in Windows Small Business Server
>> 2003
>> http://support.microsoft.com/?id=825763
>>
>> I appreciate your time and cooperation. If anything is unclear, please feel
>> free to let me know. I am looking forward to hearing from you.
>>
>> Best regards,
>>
>> Nathan Liu (MSFT)
>> Microsoft CSS Online Newsgroup Support
>>
>>
>> --------------------
>> >From: "Gregg Hill" <bogus@xxxxxxxxxxx>
>> >Subject: ActiveSync and T-Mobile Treo 650
>> >Date: Thu, 22 Sep 2005 00:12:48 -0700
>> >Newsgroups: microsoft.public.windows.server.sbs
>> >
>> >Hello!
>> >
>> >I have a client with a T-Mobile Treo 650 that he wants to connect to his SBS
>> >2003 Exchange account via ActiveSync. The account is set up on his Treo 650
>> >phone/PDA. Outlook RPC over HTTP and OWA work fine, but I cannot get it to
>> >connect to ActiveSync. I think it is a problem with the SBS 2003 self-signed
>> >security certificate.
>> >
>> >I called T-Mobile and they passed me off to Palm. Palm said they cannot help
>> >with the problem.
>> >
>> >Has anyone figured out how to get a T-Mobile Palm Treo 650 to work with SBS
>> >2003 Exchange via ActiveSync?
>> >
>> >Gregg Hill
>
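
Troubleshooting steps 2 and 3 in the reply at the top of this thread (the telnet test on port 443 and the certificate question) can be run from an Internet-side workstation in one pass with certificate verification left on. This is an added example in Python, not part of the original posts; `probe_https`, `classify_verify_error` and the `ca_file` argument (the server's CA certificate exported in Base-64/PEM form) are names and assumptions made here.

```python
import socket
import ssl
import sys

# OpenSSL verify codes (X509_V_ERR_*) grouped by the causes raised in the thread.
VERIFY_CAUSES = {
    10: "expired",           # CERT_HAS_EXPIRED
    18: "untrusted_issuer",  # DEPTH_ZERO_SELF_SIGNED_CERT (self-signed server cert)
    19: "untrusted_issuer",  # SELF_SIGNED_CERT_IN_CHAIN
    20: "untrusted_issuer",  # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "untrusted_issuer",  # UNABLE_TO_VERIFY_LEAF_SIGNATURE
    62: "name_mismatch",     # HOSTNAME_MISMATCH
    64: "name_mismatch",     # IP_ADDRESS_MISMATCH
}


def classify_verify_error(code):
    """Map an OpenSSL verify code to a cause; unknown codes give 'other'."""
    return VERIFY_CAUSES.get(code, "other")


def probe_https(host, port=443, ca_file=None, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'tls', 'cert' or 'ok'."""
    # Same question as "Telnet SBSFQDN 443": is the port reachable at all?
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", f"cannot connect: {exc}")
    # Handshake with verification ON; optionally trust the server's own CA.
    ctx = ssl.create_default_context()
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        cause = classify_verify_error(exc.verify_code)
        return ("cert", f"{cause}: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        return ("tls", f"handshake failed: {exc}")
    finally:
        raw.close()  # no-op once wrap_socket has taken over the descriptor
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return ("ok", f"CN={subject.get('commonName')} notAfter={cert.get('notAfter')}")


if __name__ == "__main__":
    # Usage: python probe.py SBSFQDN [exported-ca.pem]
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_https(target, ca_file=ca))
```

A `cert` result tagged `untrusted_issuer` points at the self-signed server certificate, while `name_mismatch` means the name used to connect is not one the certificate covers.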
