

1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328163 9-May-2010 14:09

Ah, thanks for that Mauricio :)

Here are the main settings. Note that "enable unsupported devices" is checked.

Main settings

Clicking on "device security" above gives the following device settings...

device settings

I think it would have to be an IIS setting given that the phone can't even navigate to the [server]/certsrv page. Maybe an SSL setting? Anyone know where I find these?



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328167 9-May-2010 14:21

Kyanar:
@mm1352000: if your Exchange server uses a publicly accessible DNS name, have you tried getting a $15 certificate from Godaddy or whatever and using that?

The DNS is a little confusing for me. There is a public website using http://www.[dns name] hosted by openhost, and then there is public access to the server via https://smtp.[dns name]. I'm not quite sure how it is set up as I can't see the SMTP prefix in the openhost DNS settings. Theoretically it would be possible to get another cert as there is nobody else configured for mobile exchange access yet. At this point I'm thinking the problem is not certificates but SSL settings. Unfortunately there don't appear to be any non-HTTPS services hosted on the Exchange server (smtp prefixed)...



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328190 9-May-2010 15:33

@BrentR:
You asked about the Mail For Exchange logs. When I attempted to sync with a secure connection and got the message "system error: try again later" there was nothing in the log. Attempting to sync with an unsecure connection gives a 504 gateway timeout error (as expected, because the server only supports secure sync, and I don't know how to change this).



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328223 9-May-2010 16:40

Further info:
I tried moving my 2degrees SIM from my N97 to the 6120 (added the 2degrees 'internet' AP to the 6120). Was able to get to google but still got the same server access errors. Dad uses the 6120 to connect to the internet on a netbook via bluetooth modem. The server can be accessed on the netbook using IE8 and the Tcom SIM. The usual "there is a problem with this website's security certificate" message is shown, but clicking "continue to this website (not recommended)" works as usual...

BDFL - Memuneh
60005 posts

Uber Geek
+1 received by user: 11105

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 328225 9-May-2010 16:46

Until you install the private CA Root certificate your device won't connect to the server for ActiveSync.

Nothing to do with the operator. You need to get into your Windows Server and export the root certificate.

Follow the steps here http://support.microsoft.com/kb/555252 then copy the .cer to your device and install it.







1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328228 9-May-2010 16:55

freitasm: Until you install the private CA Root certificate your device won't connect to the server for ActiveSync.

Nothing to do with the operator. You need to get into your Windows Server and export the root certificate.

Follow the steps here http://support.microsoft.com/kb/555252 then copy the .cer to your device and install it.


Thanks for weighing in Mauricio. I'm afraid that my experience suggests that I don't need the cert. To be specific: I don't have to install the cert on the N97 for it to work fine. This is not 2 level authentication with users having to have a private certificate (to identify them) to connect. Rather, it is simply https access with login using domain user accounts. Even if I am wrong, I have tried following the steps (or equivalent) given in the link; however, the cert can't be put in the phone's store. As I have tried to explain, the phone just won't recognise the cert!

BDFL - Memuneh
60005 posts

Uber Geek
+1 received by user: 11105

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 328234 9-May-2010 17:11

Yep, this is the problem. ActiveSync uses SSL to communicate with the server. You are using a self-signed certificate on your server. This is not to identify users. This is just the keys used to create the encrypted channel.

However, the phone won't create the encrypted channel because it doesn't recognise the CA - the CA Root Certificate is not in the local store. The way around this is to install the CA Root Certificate in your phone.

That's what happens with Windows Mobile for example. And here comes the thing. Some smartphones allow loading new certs to the local store, some don't.

For example Windows Mobile Standard (Windows Mobile touchscreen) has a different security level than Windows Mobile Professional (Windows Mobile non-touchscreen). It means on Windows Mobile Standard you just need to load the cert from a file manager. It doesn't work on Windows Mobile Professional, where you have to first "unlock it" to allow self-signed CA Root Certs to be installed.

This is the same as in your Symbian device though. You have to load that certificate, and it's not easy on Symbian.

By the way, I used to run my own Exchange Server before, and used ActiveSync for years, based on this.
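
The trust decision described in the post above, reproduced with OpenSSL as an added example (not from the thread or any poster): a throwaway private root issues a server certificate, which is then checked against a trust store without and with that root. All subjects, names and file paths are constructed, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: all names, subjects and paths are constructed for a throwaway lab.
set -eu

make_lab() {  # $1 = empty working directory
    # Private root CA, standing in for the Windows Server CA in the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    # Unrelated root: models a device store that lacks the private root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Unrelated Root" \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
    # Server certificate issued by the private root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -days 30 \
        -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/srv.pem" 2>/dev/null
    # Binary (DER) copy of the root, one of the encodings a .cer file can hold.
    openssl x509 -in "$1/root.pem" -outform DER -out "$1/root.cer"
}

chain_trusted() {  # $1 = trust store (PEM), $2 = server certificate
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

fingerprint() {  # $1 = certificate file, $2 = PEM or DER
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256
}

lab=$(mktemp -d)
make_lab "$lab"
echo "store without the private root: $(chain_trusted "$lab/other.pem" "$lab/srv.pem")"
echo "store with the private root:    $(chain_trusted "$lab/root.pem" "$lab/srv.pem")"
echo "root.pem $(fingerprint "$lab/root.pem" PEM)"
echo "root.cer $(fingerprint "$lab/root.cer" DER)"
```

Matching fingerprints on the PEM and DER files confirm that the copy taken to a device is the same root the server's certificate chains to.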





3391 posts

Uber Geek
+1 received by user: 395

Trusted

  Reply # 328262 9-May-2010 19:05

Can you not just use a standard HTTP connection? Is there a special requirement that the contacts/calendar are that highly confidential? I remember having the same problem myself and just used HTTP on the phones.

Even when we got a signed certificate, the Nokia phones still failed to recognize it :S







1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328289 9-May-2010 21:10

@freitasm:
Thanks for the tip. I've essentially done that already but I'll give it another shot. I actually found some instructions that claim to allow me to embed the certificate in a cab file, so I'm going to try that too...

@Zeon:
At this point it is only going to be my dad using the thing, so maybe not essential. My problem is that I don't know enough to set up a dummy http service within IIS that I could use to check http accessibility on the phone. I really don't want to go to the effort of changing the Exchange services to http (especially given I don't really know what I'm doing, which is risky enough) with the chance that it might not work! The server also hosts a Trend Micro installation service which appears to be http only from within the domain. When RDP'd into the server (or on a computer within the domain), I can enter http://localhost/officescan (or http://[server name/IP]/officescan) in the browser and the service will load up. However from the internet I can only see it via https://smtp.[dns name]/officescan for some reason...

246 posts

Master Geek
+1 received by user: 1


  Reply # 328290 9-May-2010 21:11

Zeon: Can you not just use a standard HTTP connection? Is there a special requirement that the contacts/calendar are that highly confidential? I remember having the same problem myself and just used HTTP on the phones.

Even when we got a signed certificate, the Nokia phones still failed to recognize it :S


Yes, you can disable SSL in the AS web service using the IIS Admin tool. Instructions here:

http://social.technet.microsoft.com/Forums/en/exchangesvrmobility/thread/83152932-38d6-4326-8ed5-a9d1fbea5463

 

246 posts

Master Geek
+1 received by user: 1


  Reply # 328293 9-May-2010 21:25

mm1352000: 
...
@Zeon:
At this point it is only going to be my dad using the thing, so maybe not essential. My problem is that I don't know enough to set up a dummy http service within IIS that I could use to check the accessibility (don't want to go to the effort of changing the Exchange services to http especially given I don't really know what I'm doing with a risk that it wouldn't work!). The server also hosts a Trend Micro installation service which appears to be http only from within the domain. When RDP'd into the server (or on a computer within the domain), I can enter http://localhost/officescan (or http://[server name/IP]/officescan) in the browser and the service will load up. However from the internet I can only see it via https://smtp.[dns name]/officescan for some reason...


Why do you need to set up a dummy web service? You can access the AS web service by pointing your desktop browser to https://<servername>/Microsoft-Server-Activesync. That's one way to check the AS service is responding to external requests.

Using OMA is another way to check connectivity.  Load the URL https://<servername>/oma on your device browser.  Even if you are using a private cert it should prompt you to accept the connection. 



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328330 10-May-2010 00:35

Kiwipixter: Why do you need to set up a dummy web service? You can access the AS web service by pointing your desktop browser to https://<servername>/Microsoft-Server-Activesync. That's one way to check the AS service is responding to external requests.

Using OMA is another way to check connectivity. Load the URL https://<servername>/oma on your device browser. Even if you are using a private cert it should prompt you to accept the connection.

If you read earlier posts you will see that the server works with my N97. The 6120 fails to navigate to anything hosted by the server including /exchange, /officescan, /certsrv, /OMA and /Microsoft-Server-ActiveSync. In each case it asks if it is okay to navigate to a secure page (to which I respond "yes") but then never mentions the certificate, and then fails with the "web: unable to perform operation" message (note: the N97 does ask about the cert, and after accepting, loads the page).

The dummy web service would be to check if the phone could access regular http services (as opposed to https) hosted by the server without changing the current config (read: without risk of screwing something up and not being able to fix it). The other reason for a dummy service is that the TrendMicro officescan service is running as http and https services within the domain (network), but external (via internet) access is only possible via https. In short: firewall! I asked dad about this and was told that there is a Juniper NetScreen box ("a blue box" ;) ) of some description between the server and the internet. It seems that it functions as a firewall, internet gateway and router, and facilitates secure VPN access. I wanted to try to log in to it to see how it is configured but dad claims he doesn't have the login details ;) Anyhow I obviously won't be able to test unsecured access to anything until I can open port 80 in the Juniper box...



1049 posts

Uber Geek
+1 received by user: 51

Trusted

  Reply # 328429 10-May-2010 11:14

@freitasm: I tried the latest method you suggested but the phone still doesn't recognise the filetype with either .der or .cer extension.

I also tried the CAB method, but it seems that is only intended for Windows Mobile devices. Once again, the phone didn't recognise the filetype...

BDFL - Memuneh
60005 posts

Uber Geek
+1 received by user: 11105

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 328435 10-May-2010 11:22