RE: SSL certificate not refreshing
- From: v-chacez@xxxxxxxxxxxxx (chace zhang)
- Date: Thu, 04 May 2006 07:49:25 GMT
Hi Chris,
Thank you for posting here.
According to your description, I understand that you have difficulty when
you deploy a third-party certificate. You should only use third-party
certificates from a CA that has a root certificate present on the root
store of Windows Mobile powered devices. For a listing of CAs offering
Windows Mobile-compatible certificates, refer to the following URL:
http://go.microsoft.com/fwlink/?LinkId=61499
First of all, to check for certificate-related problems, perform the following:
1. Check the certificate on the Windows SBS server. To do this, browse to
http://YourPublicDNS.YourServer.com/exchange on a computer (not connected
to your LAN) with Internet access and ensure you are redirected to an SSL
connection without a prompt for a certificate.
2. When you synchronize a device, click the Attention Required link on the
ActiveSync screen. Review the error message to see if there is a reference
to a certificate problem.
Second, to check the firewall configuration, perform the following checks:
1. Ensure port 443 is open, and that traffic to that port is
being directed to the Windows SBS server.
2. Ensure that the checks for user agent strings are disabled. Some
firewalls have this enabled by default. Exchange ActiveSync does not send
user agent strings.
3. Ensure that the timeout value is set high enough for SSL
connections, typically fifteen minutes.
For more information, refer to the article, "Enterprise firewall
configuration for Exchange ActiveSync Direct Push Technology", available
at the following URL:
http://support.microsoft.com/?id=905013
4. If you have not upgraded to Internet Security and Acceleration Server
2004 as part of the installation of SBS Service Pack 1, you need to add a
registry key to use direct push with ISA 2000. See
http://support.microsoft.com/?ID=304340 for more information (this article
describes a different issue, however the registry change specified in this
article applies for direct push on ISA 2000).
5. If you are using ISA Server, you may need to implement a split DNS
configuration to have a uniform experience both inside and outside the LAN.
For more information, refer to the following URL:
http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html
6. If you are using ISA Server 2004 and users can sync over the air, but
not from the cradle, you can perform the following steps to resolve some
issues with ISA Server 2004:
a. Open ISA Server Management.
b. In the console tree, expand Configuration and click General.
c. In the details pane, click the Define Firewall Client Settings
link.
d. In the Firewall Client Settings dialog box, click the Application
Settings tab and create the following three new application settings.
Application   Key        Value
WCESCOMM      Disabled   0
WCESMGR       Disabled   0
REPIMGR       Disabled   0
Please ensure your certificate configuration is correct:
1. Open Internet Information Services (IIS) Manager from Administrative
Tools.
2. Expand WindowsSBSServerName, expand Web Sites, and right-click
Default Web Site and click Properties.
3. On the Directory Security tab, click the Server Certificate button to
start the IIS Certificate Wizard.
4. On the welcome page, click Next.
The Modify the Current Certificate Assignment page is displayed if you have
an existing certificate installed on the server. If the page is displayed,
perform the following steps:
a. Click Remove the current certificate and click Next.
Note: The existing certificate could have been created while running the
Configure E-Mail and Internet Connection Wizard.
b. Click Next on the next two pages and then click Finish to complete
the wizard and remove the certificate.
c. Start the wizard again by clicking the Server Certificate button
on the Directory Security tab. On the welcome page, click Next.
5. On the Server Certificate page, click Create a new certificate and
click Next.
6. On the Delayed or Immediate Request page, click Prepare the request
now, but send it later and click Next.
7. On the Name and Security Settings page, type the name of the company
and click Next.
8. On the Organization Information page, type the name of the company
and the name of the department, which may be the same.
Note: It is important to type the proper company name because the CA will
use this name to verify the company information before issuing a
certificate. After you submit the request, the CA will verify the
information that you have submitted, as well as the company information. If
you apply for the certificate using a Trade/DBA (Doing Business As) name,
be prepared to show documentation of the trade name. Also ensure that your
Dun & Bradstreet (D&B) or other commercial directory information is up to
date before submitting the certificate signing request because many CAs use
that information for verification.
Get the exact verification requirements from the CA you have chosen.
9. On the Your Site's Common Name page, type the public DNS (Domain
Name System) name of the server. Take special care to ensure that the
information is correct because the certificate will not work properly if
this information is provided incorrectly.
10. On the Geographical Information page, enter all required information.
Do not use abbreviations because some CAs do not accept abbreviations.
11. Provide a path and file name for saving the request. Click Next twice
and then click Finish.
12. Open the request file you just created using Notepad and copy all of
the text in the file, including dashes, into the application form to be
sent to the CA.
Note: Be careful not to change or modify any of the certificate settings on
the website after creating the certificate request. The steps in the
section will not work if the pending request is cancelled for any reason.
If you cancel the pending request, you will have to apply with the CA to
have the certificate reissued using a new request file.
Installing the Certificate on the Server
After receiving the certificate (.cer) file from the CA, install the
certificate on the Windows SBS server. To do this, perform the following
steps on the Windows SBS server:
1. Open the Server Management console.
2. Click the Internet and E-mail link.
3. Click the Connect to the Internet link to start the Configure E-mail
and Internet Connection Wizard.
4. On the welcome page, click Next.
5. On the Connection Type page, click Do not change connection type and
click Next.
6. On the Firewall page, click Do not change firewall configuration and
click Next.
7. On the Web Server Certificate page, click Use a Web server
certificate from a trusted authority, click Browse, navigate to and
double-click the certificate file provided by the CA, and finally click
Next.
8. On the Internet E-mail page, click Do not change Internet e-mail
configuration and click Next.
9. On the Completing the Configure E-mail and Internet Connection Wizard
page, click Finish.
Configuring Windows SBS for MSFP
Configuring the Windows SBS server for MSFP involves the following tasks:
1. Installing Exchange Server 2003 SP2.
2. Installing Exchange Server ActiveSync Web Administration Tool.
3. Enabling Direct Push.
Installing Exchange Server 2003 Service Pack 2
You must have Exchange Server 2003 SP2 already installed on your Windows
SBS server to take advantage of the new features of Windows Mobile 5.0
with MSFP. If it is not already installed, install it by downloading from
the following URL:
http://www.microsoft.com/technet/prodtechnol/exchange/downloads/2003/sp2/download.mspx
Installing Exchange Server ActiveSync Web Administration Tool
To take advantage of the remote device wipe feature of MSFP, you need to
install the Exchange Server ActiveSync Web Administration Tool. Note that
before installing the tool, Exchange Server 2003 SP2 must already be
installed on the Windows SBS server.
The tool is available for download at the following URL:
http://www.microsoft.com/downloads/details.aspx?familyid=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en
After installing the Exchange Server ActiveSync Web Administration tool,
ensure that the installation was successful by opening Internet Explorer on
the server and browsing to http://localhost/mobileadmin and logging on to
the console by providing domain administrator credentials.
Enabling Direct Push
Direct Push provides users immediate access to new information or changes
to information stored on the Exchange server, including E-Mail, Calendar,
Contacts, and Tasks.
To enable Direct Push, perform the following steps on the Windows SBS
server:
1. Ensure that Exchange Server 2003 SP2 is installed on the server.
2. Open Exchange System Manager.
3. Expand Global Settings.
4. Right-click Mobile Services and click Properties.
5. Verify that the Enable Direct Push over HTTP(s) check box is selected.
In addition, enable Direct Push on the device by performing the following
steps:
1. Ensure that the device is not connected to a client computer.
2. Run ActiveSync on the Windows Mobile powered device.
3. Navigate to Menu\Schedule.
4. Set the Sync during setting to As items arrive.
Hope this helps. I'm looking forward to your update.
Have a nice day!
Best Regards,
Chace Zhang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
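The two certificate checks in the reply above (the /exchange URL must redirect to HTTPS without a certificate prompt, and the certificate's common name must be the server's public DNS name) can be scripted from a machine outside the LAN. The following is an added example written for this page, not code from the original post or from Microsoft; the host names and the sample certificate dictionary are constructed for illustration, and the dictionary uses the shape that Python's `ssl.SSLSocket.getpeercert()` returns so the same functions work on a live connection.

```python
"""Checks for the two certificate symptoms discussed above: HTTP-to-HTTPS
redirect of /exchange and a certificate whose CN/SAN matches the public DNS name."""
import http.client
import socket
import ssl
import time

# Constructed sample (hypothetical names, not from the original post) in the
# dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Contoso Ltd"),),
                (("commonName", "mail.contoso.com"),)),
    "subjectAltName": (("DNS", "mail.contoso.com"), ("DNS", "www.contoso.com")),
    "notBefore": "May  1 00:00:00 2006 GMT",
    "notAfter": "May  1 00:00:00 2007 GMT",
}
# A fixed "current time" inside the sample validity window, for offline runs.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2006 GMT")


def cert_names(cert):
    """All DNS names the certificate is valid for: SAN entries plus the CN."""
    names = [value for typ, value in cert.get("subjectAltName", ()) if typ == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_cert(cert, hostname, now=None):
    """Return a list of problems; an empty list means the certificate is usable."""
    problems = []
    if not any(name_matches(n, hostname) for n in cert_names(cert)):
        problems.append(f"no CN/SAN matches {hostname}")
    now = time.time() if now is None else now
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    return problems


def check_redirect(status, headers):
    """Step 1 of the reply: a plain-HTTP GET of /exchange must redirect to https://."""
    location = {k.lower(): v for k, v in headers}.get("location", "")
    return status in (301, 302, 303, 307) and location.lower().startswith("https://")


def live_check(hostname, timeout=10):
    """Run both checks against a real server from outside the LAN (needs network)."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    conn.request("GET", "/exchange")
    resp = conn.getresponse()
    redirect_ok = check_redirect(resp.status, resp.getheaders())
    conn.close()

    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by check_cert so it can be reported
    try:
        with socket.create_connection((hostname, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                problems = check_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        # Chain does not lead to a root trusted by THIS machine's store.
        problems = [f"chain not trusted: {exc.verify_message}"]
    return redirect_ok, problems


if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "mail.contoso.com", SAMPLE_NOW))
    print(check_cert(SAMPLE_CERT, "owa.contoso.com", SAMPLE_NOW))
    print(check_redirect(302, [("Location", "https://mail.contoso.com/exchange")]))
```

The chain check in `live_check` uses the root store of the computer running the script, which is not the same as the root store on the Windows Mobile device; a chain that validates on a desktop can still fail on the device if the issuing CA's root is not in the device's store, which is exactly why the reply points to the list of CAs with Windows Mobile-compatible certificates. A CN or SAN mismatch reported by `check_cert` corresponds to a wrong entry on the "Your Site's Common Name" wizard page and requires a new request to the CA.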