Can we use one certificate for both OWA and OMA/EAS?

Sure.

"C C"  wrote in message 
news:OdeifbDGJHA.1372@TK2MSFTNGP03.phx.gbl...
> Can we use one certificate for both OWA and OMA/EAS?

Can OWA and OMA use the same Website in IIS in Exchange 2003 server?

"Michael Dragone"  wrote in message 
news:%23SfApfDGJHA.6052@TK2MSFTNGP04.phx.gbl...
> Sure.
>
> "C C"  wrote in message 
> news:OdeifbDGJHA.1372@TK2MSFTNGP03.phx.gbl...
>> Can we use one certificate for both OWA and OMA/EAS?
>

Sure, this is the default. What are you trying to accomplish?

"C C"  wrote in message 
news:#77RsnDGJHA.1272@TK2MSFTNGP02.phx.gbl...
> Can OWA and OMA use the same Website in IIS in Exchange 2003 server?
>
> "Michael Dragone"  wrote in message 
> news:%23SfApfDGJHA.6052@TK2MSFTNGP04.phx.gbl...
>> Sure.
>>
>> "C C"  wrote in message 
>> news:OdeifbDGJHA.1372@TK2MSFTNGP03.phx.gbl...
>>> Can we use one certificate for both OWA and OMA/EAS?

Thanks.  We are already publishing OWA with SSL/FBA through ISA 2004 server. 
IIS in the Exchange 2003 server are all setup with defaults.  The "Default 
Website", as seen in the IIS Manager has the following: Exadmin, Exchange, 
Microsoft-Server-ActiveSync, OMA, Public, and aspnet_client.  We want to use 
EAS on three mobile phones supposed to be capable of EAS.  Our ISA 2004 
server already has a Listener for the OWA with Forms Based Authentication 
(FBA).  What else do I need to do to make EAS to work?

Thanks in advance.

"Michael Dragone"  wrote in message 
news:e6r5$uDGJHA.3576@TK2MSFTNGP03.phx.gbl...
> Sure, this is the default. What are you trying to accomplish?
>
> "C C"  wrote in message 
> news:#77RsnDGJHA.1272@TK2MSFTNGP02.phx.gbl...
>> Can OWA and OMA use the same Website in IIS in Exchange 2003 server?
>>
>> "Michael Dragone"  wrote in message 
>> news:%23SfApfDGJHA.6052@TK2MSFTNGP04.phx.gbl...
>>> Sure.
>>>
>>> "C C"  wrote in message 
>>> news:OdeifbDGJHA.1372@TK2MSFTNGP03.phx.gbl...
>>>> Can we use one certificate for both OWA and OMA/EAS?
>

Microsoft-Server-ActiveSync = Exchange ActiveSync (EAS)

You should be good to go as long as the users that you want to set up with 
EAS are allowed to access it (under their user account in AD, enable "User 
Initiated Synchronization" and "Up-to-date Notifications") and you have 
"Enable user initiated synchronization" and "Enable Direct Push over 
HTTP(s)" checked off in Exchange System Manager under Global Settings, 
Mobile Services, Properties.

You'll have to turn off FBA. Microsoft has a detailed guide for setting up 
Exchange 2003 SP2 with ISA 2004.

Step-by-Step Guide to Deploying Windows Mobile-based Devices with Microsoft 
Exchange Server 2003 SP2
Appendix B: Install and Configure an ISA Server 2004 Environment
http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_b.mspx

"C C"  wrote in message 
news:O4Yyc8DGJHA.2252@TK2MSFTNGP02.phx.gbl...
> Thanks.  We are already publishing OWA with SSL/FBA through ISA 2004 
> server. IIS in the Exchange 2003 server are all setup with defaults.  The 
> "Default Website", as seen in the IIS Manager has the following: Exadmin, 
> Exchange, Microsoft-Server-ActiveSync, OMA, Public, and aspnet_client.  We 
> want to use EAS on three mobile phones supposed to be capable of EAS.  Our 
> ISA 2004 server already has a Listener for the OWA with Forms Based 
> Authentication (FBA).  What else do I need to do to make EAS to work?
>
> Thanks in advance.

Michael, thanks for your response.  What will happen to OWA if I turn off 
FBA.  Will it confuse users that are already used to FBA?

"Michael Dragone"  wrote in message 
news:OcPKfDEGJHA.1456@TK2MSFTNGP03.phx.gbl...
> Microsoft-Server-ActiveSync = Exchange ActiveSync (EAS)
>
> You should be good to go as long as the users that you want to set up with 
> EAS are allowed to access it (under their user account in AD, enable "User 
> Initiated Synchronization" and "Up-to-date Notifications") and you have 
> "Enable user initiated synchronization" and "Enable Direct Push over 
> HTTP(s)" checked off in Exchange System Manager under Global Settings, 
> Mobile Services, Properties.
>
> You'll have to turn off FBA. Microsoft has a detailed guide for setting up 
> Exchange 2003 SP2 with ISA 2004.
>
> Step-by-Step Guide to Deploying Windows Mobile-based Devices with 
> Microsoft Exchange Server 2003 SP2
> Appendix B: Install and Configure an ISA Server 2004 Environment
> http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_b.mspx
>
> "C C"  wrote in message 
> news:O4Yyc8DGJHA.2252@TK2MSFTNGP02.phx.gbl...
>> Thanks.  We are already publishing OWA with SSL/FBA through ISA 2004 
>> server. IIS in the Exchange 2003 server are all setup with defaults.  The 
>> "Default Website", as seen in the IIS Manager has the following: Exadmin, 
>> Exchange, Microsoft-Server-ActiveSync, OMA, Public, and aspnet_client. 
>> We want to use EAS on three mobile phones supposed to be capable of EAS. 
>> Our ISA 2004 server already has a Listener for the OWA with Forms Based 
>> Authentication (FBA).  What else do I need to do to make EAS to work?
>>
>> Thanks in advance.
>

They'll get a dialog box asking them for their credentials.
So yes, they'll be confused most likely. You might want to warn them first 
and provide example screenshots.

"C C"  wrote in message 
news:ee7pZpLGJHA.2508@TK2MSFTNGP06.phx.gbl...
> Michael, thanks for your response.  What will happen to OWA if I turn off 
> FBA.  Will it confuse users that are already used to FBA?
>
> "Michael Dragone"  wrote in message 
> news:OcPKfDEGJHA.1456@TK2MSFTNGP03.phx.gbl...
>> Microsoft-Server-ActiveSync = Exchange ActiveSync (EAS)
>>
>> You should be good to go as long as the users that you want to set up 
>> with EAS are allowed to access it (under their user account in AD, enable 
>> "User Initiated Synchronization" and "Up-to-date Notifications") and you 
>> have "Enable user initiated synchronization" and "Enable Direct Push over 
>> HTTP(s)" checked off in Exchange System Manager under Global Settings, 
>> Mobile Services, Properties.
>>
>> You'll have to turn off FBA. Microsoft has a detailed guide for setting 
>> up Exchange 2003 SP2 with ISA 2004.
>>
>> Step-by-Step Guide to Deploying Windows Mobile-based Devices with 
>> Microsoft Exchange Server 2003 SP2
>> Appendix B: Install and Configure an ISA Server 2004 Environment
>> http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_b.mspx

If you're not using a FE then you will have to create a second virtual
directory for Exchange if using FBA or SSL.

Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or
forms-based authentication is required for Exchange Server 2003
http://support.microsoft.com/kb/817379



James Chong (MVP)
MCITP | EMA; MCSE | M, S,
Security, Project, ITIL
msexchangetips.blogspot.com


On Sep 16, 4:00 pm, "C C"  wrote:
> Can we use one certificate for both OWA and OMA/EAS?

Okay.  I made a quick change in the ISA 2004 OWA Listener so that 
Authentication is Basic + Integrated, thus removing FBA.  Then I logged in 
to our OWA site and it opened login dialog box three times before entire 
Outlook screen!  Why?

"Michael Dragone"  wrote in message 
news:eL54kQNGJHA.4060@TK2MSFTNGP03.phx.gbl...
> They'll get a dialog box asking them for their credentials.
> So yes, they'll be confused most likely. You might want to warn them first 
> and provide example screenshots.
>
> "C C"  wrote in message 
> news:ee7pZpLGJHA.2508@TK2MSFTNGP06.phx.gbl...
>> Michael, thanks for your response.  What will happen to OWA if I turn off 
>> FBA.  Will it confuse users that are already used to FBA?
>>
>> "Michael Dragone"  wrote in message 
>> news:OcPKfDEGJHA.1456@TK2MSFTNGP03.phx.gbl...
>>> Microsoft-Server-ActiveSync = Exchange ActiveSync (EAS)
>>>
>>> You should be good to go as long as the users that you want to set up 
>>> with EAS are allowed to access it (under their user account in AD, 
>>> enable "User Initiated Synchronization" and "Up-to-date Notifications") 
>>> and you have "Enable user initiated synchronization" and "Enable Direct 
>>> Push over HTTP(s)" checked off in Exchange System Manager under Global 
>>> Settings, Mobile Services, Properties.
>>>
>>> You'll have to turn off FBA. Microsoft has a detailed guide for setting 
>>> up Exchange 2003 SP2 with ISA 2004.
>>>
>>> Step-by-Step Guide to Deploying Windows Mobile-based Devices with 
>>> Microsoft Exchange Server 2003 SP2
>>> Appendix B: Install and Configure an ISA Server 2004 Environment
>>> http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_b.mspx
>

Double-check the section "To configure the Web listener" at the link I 
provided earlier. I believe your issue is that you need to clear the 
Integrated checkbox and also allow the "All Users" User Set access to the 
Web listener.

"C C"  wrote in message 
news:uUuCXzQGJHA.616@TK2MSFTNGP06.phx.gbl...
> Okay.  I made a quick change in the ISA 2004 OWA Listener so that 
> Authentication is Basic + Integrated, thus removing FBA.  Then I logged in 
> to our OWA site and it opened login dialog box three times before entire 
> Outlook screen!  Why?
>
> "Michael Dragone"  wrote in message 
> news:eL54kQNGJHA.4060@TK2MSFTNGP03.phx.gbl...
>> They'll get a dialog box asking them for their credentials.
>> So yes, they'll be confused most likely. You might want to warn them 
>> first and provide example screenshots.
>>
>> "C C"  wrote in message 
>> news:ee7pZpLGJHA.2508@TK2MSFTNGP06.phx.gbl...
>>> Michael, thanks for your response.  What will happen to OWA if I turn 
>>> off FBA.  Will it confuse users that are already used to FBA?

Okay thanks.  I'll review the article again.

"Michael Dragone"  wrote in message 
news:OD9PgJSGJHA.4936@TK2MSFTNGP03.phx.gbl...
> Double-check the section "To configure the Web listener" at the link I 
> provided earlier. I believe your issue is that you need to clear the 
> Integrated checkbox and also allow the "All Users" User Set access to the 
> Web listener.
>
> "C C"  wrote in message 
> news:uUuCXzQGJHA.616@TK2MSFTNGP06.phx.gbl...
>> Okay.  I made a quick change in the ISA 2004 OWA Listener so that 
>> Authentication is Basic + Integrated, thus removing FBA.  Then I logged 
>> in to our OWA site and it opened login dialog box three times before 
>> entire Outlook screen!  Why?
>>
>> "Michael Dragone"  wrote in message 
>> news:eL54kQNGJHA.4060@TK2MSFTNGP03.phx.gbl...
>>> They'll get a dialog box asking them for their credentials.
>>> So yes, they'll be confused most likely. You might want to warn them 
>>> first and provide example screenshots.
>>>
>>> "C C"  wrote in message 
>>> news:ee7pZpLGJHA.2508@TK2MSFTNGP06.phx.gbl...
>>>> Michael, thanks for your response.  What will happen to OWA if I turn 
>>>> off FBA.  Will it confuse users that are already used to FBA?
>

Well, how will I control access to OWA if I allow "All Users" to the 
listener?

"Michael Dragone"  wrote in message 
news:OD9PgJSGJHA.4936@TK2MSFTNGP03.phx.gbl...
> Double-check the section "To configure the Web listener" at the link I 
> provided earlier. I believe your issue is that you need to clear the 
> Integrated checkbox and also allow the "All Users" User Set access to the 
> Web listener.
>
> "C C"  wrote in message 
> news:uUuCXzQGJHA.616@TK2MSFTNGP06.phx.gbl...
>> Okay.  I made a quick change in the ISA 2004 OWA Listener so that 
>> Authentication is Basic + Integrated, thus removing FBA.  Then I logged 
>> in to our OWA site and it opened login dialog box three times before 
>> entire Outlook screen!  Why?
>>
>> "Michael Dragone"  wrote in message 
>> news:eL54kQNGJHA.4060@TK2MSFTNGP03.phx.gbl...
>>> They'll get a dialog box asking them for their credentials.
>>> So yes, they'll be confused most likely. You might want to warn them 
>>> first and provide example screenshots.
>>>
>>> "C C"  wrote in message 
>>> news:ee7pZpLGJHA.2508@TK2MSFTNGP06.phx.gbl...
>>>> Michael, thanks for your response.  What will happen to OWA if I turn 
>>>> off FBA.  Will it confuse users that are already used to FBA?
>

Yes,

The certificate is assigned to the published URL and not the sub directories 
under it. You will have to select which virtual directory will be using the 
SSL connection.

Milind
"C C"  wrote in message 
news:OdeifbDGJHA.1372@TK2MSFTNGP03.phx.gbl...
> Can we use one certificate for both OWA and OMA/EAS?
>

From the same article:

"Accepting the All Users default entry does not enable all users to access 
the Exchange Web site. Only users who can authenticate successfully will be 
able to access the Exchange Web site. The actual authentication is done by 
the Exchange Web site, which uses the credentials that the ISA Server 2004 
firewall has forwarded to it. The ISA Server 2004 firewall and the Exchange 
Web site cannot both authenticate the user. This means that you must allow 
all users access to the rule. An exception to this rule is when users 
authenticate to the ISA Server 2004 firewall itself by using client 
certificate authentication."

"C C"  wrote in message 
news:#ZWEYZYGJHA.3800@TK2MSFTNGP05.phx.gbl...
> Well, how will I control access to OWA if I allow "All Users" to the 
> listener?
>
> "Michael Dragone"  wrote in message 
> news:OD9PgJSGJHA.4936@TK2MSFTNGP03.phx.gbl...
>> Double-check the section "To configure the Web listener" at the link I 
>> provided earlier. I believe your issue is that you need to clear the 
>> Integrated checkbox and also allow the "All Users" User Set access to the 
>> Web listener.
>>
>> "C C"  wrote in message 
>> news:uUuCXzQGJHA.616@TK2MSFTNGP06.phx.gbl...
>>> Okay.  I made a quick change in the ISA 2004 OWA Listener so that 
>>> Authentication is Basic + Integrated, thus removing FBA.  Then I logged 
>>> in to our OWA site and it opened login dialog box three times before 
>>> entire Outlook screen!  Why?

I have an "OWA Users" group in AD.  I have to restrict access to OWA. 
Inside, everyone in the domain has access to our Exchange BUT not from 
outside.

"Michael Dragone"  wrote in message 
news:eNjdoPZGJHA.4984@TK2MSFTNGP05.phx.gbl...
> From the same article:
>
> "Accepting the All Users default entry does not enable all users to access 
> the Exchange Web site. Only users who can authenticate successfully will 
> be able to access the Exchange Web site. The actual authentication is done 
> by the Exchange Web site, which uses the credentials that the ISA Server 
> 2004 firewall has forwarded to it. The ISA Server 2004 firewall and the 
> Exchange Web site cannot both authenticate the user. This means that you 
> must allow all users access to the rule. An exception to this rule is when 
> users authenticate to the ISA Server 2004 firewall itself by using client 
> certificate authentication."
>
> "C C"  wrote in message 
> news:#ZWEYZYGJHA.3800@TK2MSFTNGP05.phx.gbl...
>> Well, how will I control access to OWA if I allow "All Users" to the 
>> listener?
>>
>> "Michael Dragone"  wrote in message 
>> news:OD9PgJSGJHA.4936@TK2MSFTNGP03.phx.gbl...
>>> Double-check the section "To configure the Web listener" at the link I 
>>> provided earlier. I believe your issue is that you need to clear the 
>>> Integrated checkbox and also allow the "All Users" User Set access to 
>>> the Web listener.
>>>
>>> "C C"  wrote in message 
>>> news:uUuCXzQGJHA.616@TK2MSFTNGP06.phx.gbl...
>>>> Okay.  I made a quick change in the ISA 2004 OWA Listener so that 
>>>> Authentication is Basic + Integrated, thus removing FBA.  Then I logged 
>>>> in to our OWA site and it opened login dialog box three times before 
>>>> entire Outlook screen!  Why?
>