hi
I have built a TMG 2010 server for use with Exchange 2010 ActiveSync.
The config is as follows:
Internet (SSL) >> TMG server (SSL) >> NetScaler load balancer (SSL) >> 2 x CAS Servers running ActiveSync (SSL Require certs)
I do not have SSL offload configured on the load balancer
SSL cert was assigned from our internal enterprise root CA and has been assigned to IIS on Exchange servers. The cert has been installed on the domain joined TMG server also and assigned to the ActiveSync listener.
I created a new Exchange Publishing Rule for ActiveSync on the TMG server. I created a listener that uses "SSL Client Cert Authentication".
In Active Directory I created an SPN on the 2 x CAS servers for http/activesync.company.com (the external ActiveSync connection point). I then set delegation on the TMG computer object and assigned http and w3svc services to the computer.
I run "test rule" on the ActiveSync rule on TMG and get the following:
Time reported by the Microsoft Forefront TMG Firewall Service: 15.677 seconds
HTTP response: 401 Unauthorized
The test successfully completed for this URL.
When I try to connect to the activesync url externally I get the error below:
Error Code: 500 Internal Server Error. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Running tests at https://www.testexchangeconnectivity.com produces below:
Testing TCP port 443 on host activesync.company.com to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response
I can telnet to activesync.company.com on port 443 so I'm not sure why I am seeing the above.
I can browse the ActiveSync website internally (get the usual HTTP version not supported message when using IE though).
Mobile clients just can't connect from externally. I have an external DNS record created for activesync.company.com. Internally I created a DNS record for activesync.company.com that points to the load balanced IP for the CAS servers. Again I have no problems connecting internally, only via the TMG server.
Most clients use iPhones and have the internal root CA cert and their own private AD issued cert (that Protects e-mail messages) installed.
Can anyone help with this as I have been stuck on this problem for the last number of days.
Many thanks in advance
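A telnet connection to port 443 only proves that TCP is open; it says nothing about whether the listener completes a TLS handshake, which certificate it presents, or whether the SPN and constrained-delegation settings the post describes are actually in place. The following PowerShell is an added diagnostic, not code from the original post or from any Microsoft tool: the function names (`Test-PublishedTls`, `Test-KcdConfig`), the parameter names, and the computer names `TMG01`, `CAS01` and `CAS02` are assumptions; `activesync.company.com` and the `http/` SPN are taken from the post. The first function performs a real TLS handshake (optionally with a client certificate from the user's store) and reports the served certificate, its SANs and any chain errors; the second reads the SPN and `msDS-AllowedToDelegateTo` attributes with the ActiveDirectory RSAT module.

```powershell
# Added diagnostic script (not from the original post). Assumed names are marked below.

function Test-PublishedTls {
    param(
        [string]$HostName = 'activesync.company.com',   # hostname from the post
        [int]$Port = 443,
        [string]$ClientCertThumbprint                   # optional, from Cert:\CurrentUser\My
    )
    $script:chainErrors = 'None'
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)

    # Accept any server cert so the handshake completes, but record the validation result.
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:chainErrors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)

    $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    if ($ClientCertThumbprint) {
        $clientCert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -eq $ClientCertThumbprint }
        if ($clientCert) { [void]$clientCerts.Add($clientCert) }
    }

    try {
        $ssl.AuthenticateAsClient($HostName, $clientCerts,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $remote.Extensions |
            Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
            ForEach-Object { $_.Format($true) }
        [pscustomobject]@{
            Host                  = $HostName
            TlsProtocol           = $ssl.SslProtocol
            MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated   # true only if the client cert was used
            Subject               = $remote.Subject
            Issuer                = $remote.Issuer
            NotAfter              = $remote.NotAfter
            SubjectAltNames       = ($san -join ' ')
            ChainErrors           = $script:chainErrors            # e.g. RemoteCertificateChainErrors
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-KcdConfig {
    param(
        [string]$TmgComputer = 'TMG01',                 # assumed name of the TMG server
        [string[]]$CasComputers = @('CAS01', 'CAS02'),  # assumed names of the two CAS servers
        [string]$Spn = 'http/activesync.company.com'    # SPN from the post
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Does each CAS computer object actually carry the SPN?
    foreach ($cas in $CasComputers) {
        $obj = Get-ADComputer -Identity $cas -Properties ServicePrincipalName
        [pscustomobject]@{
            Computer = $cas
            Check    = "SPN $Spn present"
            Result   = ($obj.ServicePrincipalName -contains $Spn)
        }
    }

    # Is the TMG computer allowed to delegate to that SPN (constrained delegation)?
    $tmg = Get-ADComputer -Identity $TmgComputer -Properties 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Computer = $TmgComputer
        Check    = "msDS-AllowedToDelegateTo contains $Spn"
        Result   = ($tmg.'msDS-AllowedToDelegateTo' -contains $Spn)
    }
}

# Usage (run the first from outside the network, the second from a domain-joined admin host):
# Test-PublishedTls -HostName 'activesync.company.com'
# Test-PublishedTls -HostName 'activesync.company.com' -ClientCertThumbprint '<thumbprint>'
# Test-KcdConfig
```

Running `Test-PublishedTls` from an external host shows whether the TMG listener completes a handshake at all, and whether the certificate it serves chains to the internal enterprise root CA (which an external tester without that root installed will report as a chain error even though the handshake succeeds). Running it with `-ClientCertThumbprint` and checking `MutuallyAuthenticated` confirms the listener actually requested and accepted the client certificate. `Test-KcdConfig` verifies the SPN and delegation objects from the directory rather than from the GUI.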