• Log Off when the User Leaves Site Feature Removed
  • Users Receive Access Denied Error Message
  • Certificate Implementation Issues on the Server
  • Communication Issues between the Front-end and Back-end Exchange Servers
  • Frequently Asked Questions
  • Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device
  • Creating the Provisioning XML to Install a Certificate to the Root Store
  • Creating a .cab File that Contains the Provisioning XML
  • Distributing the CAB Provisioning File
    		•

    Issues Related to ISA Server 2006




    Download 1,65 Mb.
    bet26/147
    Sana21.03.2017
    Hajmi1,65 Mb.
    #1016
    1   ...   22   23   24   25   26   27   28   29   ...   147

    Issues Related to ISA Server 2006


    The following issues have been discovered in early deployment of ISA Server 2006.

    Double Authentication Required after Upgrading from ISA Server 2004


    After upgrading from ISA Server 2004, when an Exchange publishing rule was defined with forms-based authentication, users are prompted twice for their credentials. In ISA Server 2004, when you create a rule with the New Mail Server Publishing Rule Wizard, authentication delegation is not required, because it is handled by ISA Server itself. When this rule is upgraded to ISA Server 2006, authentication delegation for the rule is set to No delegation.

    The solution is to manually configure authentication delegation for the affected rule to Basic Authentication.


    Log Off when the User Leaves Site Feature Removed


    The Log off when the user leaves site setting has been removed from ISA Server 2006. Users should always use the log off button to properly log off from Outlook Web Access.

    Windows Mobile Users Receive Error 401 Unauthorized


    When a Windows Mobile user tries to access a published Outlook Web Access or Windows Mobile Access Web site published with the New Exchange Publishing Rule Wizard, the user receives error 401 instead of the Exchange logon forms.

    This error appears when the required HTML form directories for Windows Mobile access are missing from the Exchange HTML form set directory

    The solution is to manually create the two directories, cHTML and xHTML, in the %programfiles%\Microsoft ISA Server\CookieAuthTemplate\Exchange folder. Then, copy the contents of the %programfiles%\Microsoft ISA Server\CookieAuthTemplate\Exchange\HTML folder to the cHTML and xHTML folders.

    Users Receive Access Denied Error Message


    When a user attempts to connect to a published Outlook Web Access site and does not add the /exchange suffix to the end of the URL, such as https://mail.contoso.com, instead of receiving the forms-based authentication logon screen, the user receives an "Access denied" error message. This error can be difficult to troubleshoot because ISA Server is behaving as expected.

    A workaround is to publish the root of the Exchange front-end server, with an action of Deny, and redirect users to the proper URL, such as https://mail.contoso.com/exchange.

    Perform the following procedure to automatically redirect users to the proper Outlook Web Access URL.

    To create an Exchange Web client access publishing rule


      1. In the console tree of ISA Server Management, click Firewall Policy:

       For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Firewall Policy.

       For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Firewall Policy.



      2. On the Tasks tab, click Publish Web Sites. Use the wizard to create the rule as outlined in the following table.



    Page

    Field or property

    Setting

    Welcome

    Web publishing rule name

    Type a name for the rule, such as Exchange Redirect.

    Select Rule Action

    Action to take when rule conditions are met

    Select Deny.

    Publishing Type

    Select if this rule will publish a single Web site or external load balancer, a Web server farm, or multiple Web sites

    Select Publish a single Web site or load balancer.

    Server Connection Security

    Choose the type of connections ISA Server will establish with the published Web server or server farm

    Select Use SSL to connect to the published Web server or server farm.

    Note:

    A server certificate must be installed on the published Exchange front-end servers, and the root CA certificate must be installed on the ISA Server computer.

    Internal Publishing Details

    Internal site name

    Type the internal FQDN of the Exchange front-end server. For example: exchfe.corp.contoso.com.

    Important:

    The internal site name must match the name of the server certificate that is installed on the internal Exchange front-end server.



    Note:

    If you cannot properly resolve the internal site name, you can select Use a computer name or IP address to connect to the published server, and then type the required IP address or name that is resolvable by the ISA Server computer.

    Internal Publishing Details

    Path (optional)

    Type / in the Path box.

    Public Name Details

    Accept requests for

    Public name
    This domain name (type below)

    Type the domain name that you want ISA Server to accept connections for. For example, type mail.contoso.com.

    Select Web Listener

    Web listener

    Select the Web listener you created previously, such as Exchange FBA.

    Authentication Delegation

    Select the method used by ISA Server to authenticate to the published Web server

    Select Basic authentication.

    User Sets

    This rule applies to requests from the following user sets

    Select the user set approved to access this rule. This should be the same user set that you used in the Exchange publishing rule.

    Completing the New Web Publishing Rule Wizard

    Completing the New Web Publishing Rule Wizard

    Finish to complete the wizard.


    Certificate Implementation Issues on the Server


    For information about troubleshooting Certificate implementation on Server, see "Certificate Revocation and Status Checking" on the Microsoft TechNet Web site.

    http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx


    Communication Issues between the Front-end and Back-end Exchange Servers


    For information about front-end and back-end communication issues, see the Microsoft Support Webcast, "Troubleshooting Microsoft Exchange Server 2003 ActiveSync Issues."

    http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/en/transcripts/wct032504.asp


    Frequently Asked Questions


    The Exchange Product team has written an article that explains steps that an administrator can take to help isolate direct push technology issues. For more information about the deployment of direct push technology, see the Exchange Server blog article "Direct push is just a heartbeat away" at http://go.microsoft.com/fwlink/?LinkId=67080.

      1. Does direct push technology work for folders other than inbox?

    Yes, direct push is available for mail folders, Contacts, Calendar and Tasks. The list of folders for direct push is the same as the list of folders that have been configured for sync.

      2. What devices support direct push technology?

    Windows Mobile 5 devices require the Messaging and Security Feature Pack(MSFP) for direct push. MSFP is included with AKU2.2. So any Windows Mobile 5 device that has AKU2.2 supports direct push. The AirSync protocol has been licensed to several companies such as Palm, Motorola, Nokia, Symbian, Dataviz and SonyEricsson. Please contact the licensees to see if direct push capable devices are available.

      3. Is direct push supported over Wi-Fi?

    No. direct push requires a cellular data connection. It is not supported over Wi-Fi or Desktop Passthrough (when the device is cradled).

    Due to hardware limitations, Wi-Fi cannot go into standby mode and receive notifications. So in order to support direct push over Wi-Fi, the Wi-Fi connection would have to be kept alive which in turn would drain the battery very rapidly.



      4. Does direct push technology work with SecurID?

    RSA has an update to their agent to allow it to work with direct push technology. RSA Authentication Agent 5.3 for Web for IIS enables you to use Exchange ActiveSync without having to reauthenticate every time ActiveSync is invoked. For more details, please read this and contact RSA.

      5. Does direct push have an impact on server performance?

    A typical FE services several thousand connections from clients using OWA, OMA, EAS, and RPC/HTTP clients. Based on the testing done by Microsoft IT, the additional connections opened by direct push did not require the deployment of any additional FE or BE servers. It also did not require an upgrade of hardware on existing servers.

    For more information please refer to the whitepaper titled "Microsoft IT Scalability Experience with Windows Mobile 2003 and Exchange Server 2003 Mobile Messaging" available at

    http://www.microsoft.com/windowsmobile/business/strategy/scalability.mspx

    Appendix D: Adding a Certificate to the Root Store of a Windows Mobile-based Device


    To add a certificate to the Root store of a Windows Mobile-based device, you must have manager permission to the device or you must have the ability to run trusted code. The application security settings that are on your devices will determine whether or not you can add a root certificate. However, some devices are configured so that you get a prompt when you attempt install a .cab file. In this case, you can follow the procedure below to add a certificate to the Root store of your Windows Mobile-based device.

    The following list shows the trusted certificate authorities whose root certificates are included with Windows Mobile 5.0-based devices:



       Verisign

       GTE Cyber Trust

       Equifax

       Entrust

       GlobalSign

       Thawte


    It is highly recommended that you install a certificate that is issued by one of the trusted certificate authorities on this list, or a certificate that chains to one of the trusted certificate authorities.

    To determine which certificates are included with your Windows Mobile-based device, check the Root certificate stores.



       For a typical Windows Mobile-based Pocket PC, go to Start>Settings>System>Certificates>Root.

       For a typical Windows Mobile-based Smartphone, go to Start>Settings>Security>Certificates>Root.


    Creating the Provisioning XML to Install a Certificate to the Root Store


    The provisioning code carries the certificate hash and instructions for placing it in the root store of a mobile device.

    To create the provisioning code that is necessary for adding a certificate to the root store of a Windows Mobile-based device

    1. Create an XML file, and add the following text.








    "/>










    1. In Windows Explorer, double-click the root certificate that you need.

    2. Choose the Details tab.

    3. Choose Thumbprint in the Field list box.

    4. Select the text in the box that is below the list box, and then press CTRL C.

    5. In the XML code, replace with the copied text.

    6. In the thumbprint text in the XML code, delete the white spaces.

    7. In the Certificate dialog box, choose OK to close the dialog box.

    8. In Windows Explorer, open the exported root certificate by using a text editor.

    9. Delete the lines with BEGIN CERTIFICATE and END CERTIFICATE.

    10. Remove line breaks from the remaining text. This text is the encoded contents of the root certificate.

    11. Select the text, and then press CTRL C.

    12. In the XML code, replace with the copied text. The completed provisioning XML document will appear as shown in the following example.
















    1. Save the XML document as an ASCII file named _setup.xml.

    Note:

    You must name the file _setup.xml, because that is the name that the loader will recognize.


    Creating a .cab File that Contains the Provisioning XML


    The _setup.xml file that you created in step 14 must be processed as a .cab file before it is transferred and installed on the Windows Mobile-based device.

    From the Windows command line prompt, run the following text:



    makecab _setup.xml .cab

    Distributing the CAB Provisioning File


    The .cab file that contains the provisioning XML can be distributed to a Windows Mobile-based device that is cradled to a desktop PC, or to a variety of storage cards that can be inserted into the Windows Mobile-based device, such as a MultiMedia Card (MMC), a Secure Digital I/O (SDIO) card, and a CompactFlash card.

    Note:

    If the ActiveSync wizard appears when you connect the device to a desktop computer, click Cancel. It is recommended that you use Windows Explorer and File Explorer to transfer the .cab file to the device.



    To copy the .cab file from the desktop to the device by using File Explorer

      1. Copy the .cab file to the device.

      2. On the device, locate the .cab file by using File Explorer.

      3. Click the .cab file icon to initiate the installation.

      4. Notification of successful installation will appear. If you get a prompt, you must say yes to let the installation process execute.



      5. Check the Root certificate store of the Windows Mobile-based device to verify successful installation.



    Download 1,65 Mb.
    1   ...   22   23   24   25   26   27   28   29   ...   147




    Download 1,65 Mb.