
OMA / OWA & SSL - I don't get it


1DMF

Programmer
Jan 18, 2005
8,795
GB
Hi.

We have had our server support guys install a new SSL certificate to use with OMA / OWA, however when I checked IIS they had not enforced use of SSL.

So I selected it, however the handsets then errored with ActiveSync failing.

After researching I have found that ActiveSync uses port 80 and so forcing SSL (port 443) breaks ActiveSync.

Can someone please explain to me why we had to purchase an SSL certificate to ensure data communications encryption but then ActiveSync doesn't use it and uses port 80?

Or is it using it but over port 80 and not 443? Why can I not enforce SSL?

I'm concerned that the device is not communicating with the server using SSL and so the emails are not being encrypted during active sync.

Can anyone enlighten me to what's going on please?

How can I force SSL, because if I cannot then I must report to the boss I am not happy with them using their handsets and take no responsibility for the security of our system using this technology.

All help understanding and securing this technology is much appreciated.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 
If the mobile devices are configured to use HTTP and not HTTPS for their connection, then requiring SSL will break their config. It sounds like they were set up without encryption (just using an HTTP connection URL or not having the SSL checkbox checked) because there was no cert at the time. Then the cert was installed, but no one reconfigured the phones to use HTTPS.

OWA/OMA/ActiveSync can all use HTTP, but it's not recommended. Your new cert now allows you to encrypt all three and use HTTPS for them, but you have to take care of the client-side URL for them to use HTTPS, and if you enforce HTTPS, then HTTP doesn't work anymore. Once you reconfig the client devices, you can then require SSL and be fine.

Hope that's clear.

Dave Shackelford
Shackelford Consulting
 
Hello Dave,

I'm a little lost by your reply, this is how we have it and perhaps you can explain back to me what needs changing.

We have installed against IIS -> default website a GoDaddy SSL certificate.

On the handset I have selected 'Requires SSL'.

Everything works fine!

But if on the IIS server I force SSL on the Exchange-OMA folder or the OMA service (if that's what that gear symbol means) the activesync stops working.

I do not want anyone to be able to connect to any part of our SBS server remotely without being over SSL.

But if I put in my browser, I get a login prompt and after logging in I get the links to Inbox, Calendar etc., and the URL is not over SSL (https).

So if I can navigate to the OMA direct without using SSL and assume my userID and password are being passed unencrypted also, I'm assuming ActiveSync isn't using SSL either, as from what I've read it uses port 80.

Hence my confusion over this, any help locking down our server and forcing SSL over ANY connection to ANY part is much appreciated.

Regards,
1DMF

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 
You should be able to run your SBS box without passing port 80 at all: only allowing 443. If your phone is configured with HTTP instead of HTTPS, it's not secure/encrypted/SSL/HTTPS. Maybe it doesn't matter if you check the "requires SSL" checkbox on the handset if you don't actually use a secure URL. That's the only weird part about what you're saying.

Question: if you change the URL to use HTTPS and then set the OMA directory to require SSL, does it work?

Dave Shackelford
Shackelford Consulting
 
Can you please explain to me what URL I'm meant to be changing.

The handset does not allow the protocol part to be entered, so it is just subdom.maindom.com; there is no http or https part and it errors if you try to use one.

So I'm not sure what you are suggesting I change.

Sorry if I'm seeming dumb!

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 
Anyone know how to force SSL for OMA?

I still don't understand how I change the protocol part on the handset when it won't accept anything other than subdom.maindom.tld

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 
I think that checking the "requires SSL" is all you'd normally need to do. I'm still processing your question, assuming that with that check box, you'd be making an HTTPS connection.

Let me check the settings on one of my servers and get back to you. It could be that the OMA directory is not supposed to have that "enforce" box checked. And if you are blocking port 80 at the firewall, you wouldn't need to enforce that on OMA anyway, since only SSL connections would be talking to the server in the first place.

Dave Shackelford
Shackelford Consulting
 
My default installs of SBS do NOT have a "require Secure channel" on the OMA virdir, and I do not allow port 80 to the servers. Some people allow port 80 just so that they can redirect client traffic that wasn't properly initiated using HTTPS instead of HTTP, but I just create proper shortcuts for them.

Dave Shackelford
Shackelford Consulting
 
I've taken port 80 forwarding out of the application pool on the router/firewall.

I just now need to see if anything stops working.

The handset has 'Requires SSL ticked', so let's hope it is going over SSL.

Though I read that ActiveSync uses port 80 full stop, so again let's hope that this is not the case.

I don't understand why forcing SSL on the virdir and ticking 'Requires SSL' on the handset doesn't work, so I'm not holding my breath on this one!

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 
There are a couple of articles out there about getting OMA sorted with SSL, as I struggled to get it all working ... I think the one I found which sorted all my little niggles was on msexchange.org: there is a 3 or 4 part guide by Henrik Walther which covers all aspects.

Regards

Skr
 
In a default install, the Exchange and ExchWeb virtual directories both have Require Secure Channel selected, but the Exchange-OMA and Microsoft-Server-ActiveSync vdirs don't.

So how's it working now?

Dave Shackelford
Shackelford Consulting
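An external check for the state Dave describes (no port 80 at all, every Exchange web path answering only over validated HTTPS and demanding credentials). This is an added example, not code from the thread or from Microsoft; the hostname `mail.example.com` is a constructed placeholder and the paths are assumed from the vdir names mentioned above.

```python
"""Probe an SBS/Exchange front end from outside and report clear-text exposure.

Added example, not from the thread. 'mail.example.com' is a constructed value;
the paths are assumptions based on the vdirs named in the thread.
"""
import socket
import ssl
import http.client

PATHS = ["/exchange/", "/exchweb/", "/oma/", "/Microsoft-Server-ActiveSync"]


def tcp_open(host, port, timeout=3.0):
    """True if a plain TCP connect to host:port succeeds (port 80 should not)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def https_status(host, path, timeout=5.0):
    """HTTP status of an unauthenticated GET over validated TLS, or None on failure."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, ssl.SSLError):
        return None
    finally:
        conn.close()


def assess(port80_open, statuses):
    """Pure policy check on probe results; returns a list of findings (empty = good).

    401/403 means IIS asked for credentials before serving anything, which is the
    basic-auth prompt the thread describes. Forms-based OWA would answer 302 instead.
    """
    findings = []
    if port80_open:
        findings.append("port 80 reachable: a clear-text path to the server exists")
    for path, status in statuses.items():
        if status is None:
            findings.append(f"{path}: no HTTPS answer (certificate or TLS problem)")
        elif status not in (401, 403):
            findings.append(f"{path}: HTTP {status} served without credentials")
    return findings


def probe(host):
    """Run the live checks against host and return the findings."""
    return assess(tcp_open(host, 80), {p: https_status(host, p) for p in PATHS})


if __name__ == "__main__":
    for line in probe("mail.example.com") or ["all checks passed"]:
        print(line)
```

Run it from outside the firewall; an empty finding list means no clear-text path was found and each vdir insisted on authentication over a certificate that validated for the hostname.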
 
Well I have blocked port 80 as I said, and everything still seems to work.

So now the only way in via web access is port 443, I guess ticking the 'Requires SSL' on the handset does use 443.

I still don't understand why, when forcing SSL on the IIS server, it breaks the ActiveSync if the handset is using 443.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 
SSL is working on the server, but some of the communications between virtual directories may not be able to handle SSL. Certain virtual directories are not direct client-contact oriented and others are, and inter-object communication also needs to be accounted for.

Dave Shackelford
Shackelford Consulting
 
It was the same sort of problem I had when I removed the blank header from the website.

All internal stuff stopped working, the SBS server report, company web etc..

Stupid thing, I don't want the IP to run from external but only one specific URL for OWA / OMA, but it won't play ball without breaking stuff trying to run via local host.

For all the problem SBS solves, it seems to throw a whole bunch of new ones into the mix!

I just had to solve that darn IAS (Internet Authentication Service) problem with port conflict ever since an MS update, oh what fun us IT bods have.

I sometimes feel like our new kitten, forever chasing my tail!

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
 