Mobile 5 devices, locally issued cert, .local dns domain with SBS 2003

I got an email from Kenrick Robertson a week or so ago about problems he’s been having trying to get ActiveSync working with his new Mobile 5 device and his company’s Small Business Server 2003. I knew the problems were related to the self-signed cert: its common name is the fully qualified name of a host in a non-routable .local domain (for example, mailserver.mycompany.local), which is not a name a device outside the network can reach. I did one post a while back about the subject and got quite a response from the SBS community, and I wanted to share the email that helped me decide to write the .local post.

Here are his comments from the email.
———————-
Hi Rick,

I was at the TNX road show a few weeks ago in Toronto. I was excited by what was presented, and immediately got started with implementing Mobile 5 in our office on a test basis. I originally had the Audiovox 6600, which was running Mobile 2003; I have since upgraded to the UTStarcom 6700 and upgraded my Exchange server to SP2.

We are running on SBS2003. I have also assigned a self-signed certificate to the server.

I know SSL is working; I can currently HTTPS to the Exchange server, and I get the certificate information dialog.

Here’s the problem I am having.

  1. On my Mobile 5 device, if I use the internal IP address and cradle the device, and do not use SSL, I am able to sync the device with Exchange successfully.
  2. If I turn on SSL on the device I get the following error: Support code 80072f17, still using the external address.
  3. If I use the external address and try to sync the device I get the following error: 0x80072EE2.
  4. I am also having a problem establishing a PPTP VPN connection. I have contacted UTStarcom, but they suggested that I contact Microsoft as they do not support VPN.

Any help to get this process started will be greatly appreciated.

Thanks,

Kenrick
—————————————-

I asked a friend of mine, Daniel Nerenberg in Montreal, who I knew had picked up a UTStarcom 6700 from Telus, whether he had run into the same problems Kenrick experienced. The following email is his reply; there is some good information in here.

——————————-

I would categorize myself as an early adopter; I think most people who know me really well would agree. When I happened across the Mobile 5 device on Telus’s web site, it couldn’t have happened at a better time. My contract was up for renewal and I was itching for a new “toy”.

Within 2 hours I had a new contract signed and a top of the line Mobile 5 Wireless device. I had my cake. But it would be a while before I could eat it!

The first thing I did was a simple Outlook sync of the mobile device. This of course worked without a problem. ActiveSync had been working great at the desktop level for years. Of course the next step was to get the device working with my Small Business version of Exchange. This is where the challenges started to pile up.

The first challenge: the device didn’t support the Microsoft management pack yet (AKU2). So when I set up the password policy the device refused to sync with the server. This issue dogged me for about a week, during which I toggled and traced every setting from the Mobile 5 device, to ISA and finally to IIS. The positive is I know how ActiveSync for Exchange works. Finally, with the help of a Microsoft tech, I was directed to the Mobile Security configuration dialog where I had to select the option to allow devices that did not comply with the security policy.

The next challenge was working with the certificates. My AD domain is based on SBS 2003 server. When I installed SBS I followed the wizard and created a “.local” Active Directory domain. The original certificate that was installed had a common name of sbsserver.sbsdomain.local. Here are some constraints I discovered while working with SBS and certificates:

  1. The SBS server needs to have a certificate installed with the same name as the SBS server, to ensure that Exchange public folders keep working over HTTPS.
  2. The Certificate that you use for synchronizing your Mobile 5 device needs to have a routable domain name.
  3. If you don’t have ISA server (or by extension SBS Premium) you will have to choose between synchronizing your device, or using secure public folders.

Most enterprise users won’t have this issue, because they can either set up a publishing rule on their ISA server, or their Exchange is split into a front-end server and a back-end server.

My final solution, with one caveat, is the following. I installed in my ISA web listener a self-generated certificate for my public domain (mail.myoutsidedomain.com). This left my IIS certificate the same, and kept my public folders working securely. Next I had to install the CA certificate on my device so that my device would trust the certificate I generated. This is done by opening up your server’s trusted certificate list, exporting the file as a .cer, copying the file to your Mobile 5 device, and finally opening the certificate to get the install option.

With this configuration my device would synchronize over the air with my Exchange server. The caveat is that as soon as I cradled the device in my local network, I would receive a synchronization error. The device would attempt to sync with the local Exchange (bypassing ISA’s web listener), and would refuse the certificate installed on IIS because it didn’t match the domain name the device was configured to log into the server with. My final certificate summary:

  1. Make sure your certificate’s common name is exactly the same as the domain name you enter into the device to synchronize.
  2. Make sure you use a routable subdomain name.
  3. If you can, buy a certificate from a public CA. This will allow you to avoid configuring a CA, issuing certificates, and having to install certificates on the Mobile 5 device.
  4. If you’re deploying SBS server, don’t use a .local domain; it will make using Mobile 5 devices that much more complicated (unless you enjoy complexity).

I now synchronize my device with my company’s Exchange server, and it works great. I think I will finally be eating my cake when the update for my phone is released and I can have push mail, but for now at least I’m enjoying licking the icing off the side!

Daniel Nerenberg
IT Consultant
AlphaMosaik
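To make the name-matching rule behind both emails concrete (Kenrick’s SSL sync failures against the external address, and Daniel’s cradled-device caveat), here is an added example that is not from the original post or from either email. It audits each network path a device uses and reports two things: a certificate whose name(s) do not cover the host name typed into the device, and a device name under .local that no public CA can issue for. The path labels and the Kenrick-style .local-only scenario are constructed, the host names sbsserver.sbsdomain.local and mail.myoutsidedomain.com come from Daniel’s email, and the "fixed" scenario using Subject Alternative Names is an assumption that goes beyond the post (it mentions common names only). The matching follows current RFC 6125 rules (SAN list when present, CN otherwise); whether a 2005-era device enforces exactly that is also an assumption.

```python
# Added example (not from the original post): check whether the certificate
# a Mobile 5 / ActiveSync device sees on each network path actually covers the
# host name the device is configured with, and flag names in the .local domain.
# Path labels and the .local-only scenario are constructed for the example.
from dataclasses import dataclass

# Suffixes no public CA will issue for and that do not resolve from the
# Internet. ".local" is reserved for mDNS (RFC 6762); the others are common
# private choices (assumption: extend for your own DNS layout).
NON_ROUTABLE_SUFFIXES = (".local", ".localdomain", ".lan", ".internal")


@dataclass
class SyncPath:
    """One route from the device to Exchange and the certificate seen on it."""
    label: str             # e.g. "over the air via ISA listener"
    device_name: str       # host name typed into the device's ActiveSync settings
    cert_cn: str           # Common Name of the certificate presented on this path
    cert_sans: tuple = ()  # dNSName Subject Alternative Names, if the cert has any


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact match, or a wildcard that covers exactly
    the leftmost label (never a whole public suffix such as *.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def cert_matches_host(cert_cn: str, cert_sans: tuple, host: str) -> bool:
    """Use the SAN list when the certificate has one, otherwise the CN.
    The CN-only case is the one both emails describe."""
    candidates = list(cert_sans) if cert_sans else [cert_cn]
    return any(_name_matches(name, host) for name in candidates)


def is_routable_name(host: str) -> bool:
    """A name a public CA can issue for and a phone off the LAN can resolve:
    at least two labels and not under a private/mDNS suffix."""
    host = host.lower().rstrip(".")
    return host.count(".") >= 1 and not host.endswith(NON_ROUTABLE_SUFFIXES)


def audit(paths) -> list:
    """Return one line per problem a device would hit; an empty list is clean."""
    problems = []
    for p in paths:
        if not is_routable_name(p.device_name):
            problems.append(f"[{p.label}] {p.device_name} is not routable: no public CA "
                            "will issue for it and it does not resolve off the LAN")
        if not cert_matches_host(p.cert_cn, p.cert_sans, p.device_name):
            shown = ", ".join(p.cert_sans) if p.cert_sans else p.cert_cn
            problems.append(f"[{p.label}] certificate name(s) {shown} do not cover "
                            f"{p.device_name}: the device will reject the certificate")
    return problems


# Constructed scenario after Daniel's description: one name on the device,
# two paths presenting different certificates.
DEVICE_NAME = "mail.myoutsidedomain.com"
DANIELS_SETUP = [
    SyncPath("over the air via ISA listener", DEVICE_NAME, "mail.myoutsidedomain.com"),
    SyncPath("cradled on the LAN, straight to IIS", DEVICE_NAME, "sbsserver.sbsdomain.local"),
]
# One way past the caveat (assumption, not in the post): a single certificate on
# IIS listing both the server's own name and the public name as SANs, so public
# folders and cradled sync both keep working.
BOTH_NAMES = ("sbsserver.sbsdomain.local", "mail.myoutsidedomain.com")
FIXED_SETUP = [
    SyncPath("over the air via ISA listener", DEVICE_NAME, "mail.myoutsidedomain.com"),
    SyncPath("cradled on the LAN, straight to IIS", DEVICE_NAME,
             "sbsserver.sbsdomain.local", BOTH_NAMES),
]
# Constructed starting point like Kenrick's: only the SBS wizard's .local cert.
LOCAL_ONLY_SETUP = [
    SyncPath("any path", "sbsserver.sbsdomain.local", "sbsserver.sbsdomain.local"),
]

if __name__ == "__main__":
    for title, setup in (("as described", DANIELS_SETUP), ("with SANs", FIXED_SETUP),
                         (".local only", LOCAL_ONLY_SETUP)):
        print(f"== {title}")
        for line in audit(setup) or ["no problems found"]:
            print("  " + line)
```

Running it reproduces the email: the over-the-air path is clean, the cradled path fails on the name mismatch, and the .local-only setup fails before any certificate question arises because the name is not routable. A certificate carrying both names passes both paths, which is the same outcome Daniel's summary points at (one name on the device, and a certificate that covers it on every path the device can take).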