Treo 650 and Cisco SCA

j.rodarte
Level 1

I have come across a problem with a PalmOne Treo 650 Smartphone. This device uses Versamail, which now has MS ActiveSync capabilities. This device is not able to connect via ActiveSync over SSL, although it will connect via ActiveSync over port 80. I receive the following error when SSL is active:

HTTP/1.1 400 Bad Request

Response Code: 400

Content-Type: text/html

Date: Tue, 28 Jun 2005 19:58:29 GMT

I am using ethereal packet capture between the SSL offloader and the MS Exchange (OWA) server and this is the request coming from the Cisco SCA:

Hypertext Transfer Protocol

POST https://mail.ciwmb.ca.gov:443/Microsoft-Server-ActiveSync?Cmd=GetItemEstimate&User=dborzell&DeviceId=PLMO35442700216607901a05&DeviceType=PalmOneTreoAce HTTP/1.1\r\n

Request Method: POST

As you can see, the request leaving the Cisco SCA is still an HTTPS request.

The Cisco SCA is configured in Dual Port Pass-Thru mode and the secure server is configured as follows:

server mail.ciwmb create

ip address 205.225.229.43

localport 443

remoteport 80

key WMB-2K5

cert MailCIWMB-2K5

certgroup chain calepa

secpolicy default

sslv2 enable

sslv3 enable

tlsv1 enable

session-cache size 20480

session-cache timeout 300

session-cache enable

log-url 156.41.160.4 facility 7

no clientauth enable

clientauth verifydepth 1

clientauth error cert-other-error failhtml

clientauth error cert-not-provided fail

clientauth error cert-has-expired fail

clientauth error cert-not-yet-valid fail

clientauth error cert-has-invalid-ca fail

clientauth error cert-has-signature-failure fail

clientauth error cert-revoked fail

clientauth error crl-not-available fail

clientauth error crl-has-expired fail

sharedcipher error failhtml

ephemeral error failhtml

certgroup clientauth defaultCA

I have attached a text version of the trace file and the SCA diagnostic file.

Thanks in Advance and any help is greatly appreciated. - Jose

1 Reply

Gilles Dufour
Cisco Employee

If you put an SSL accelerator in front of an OWA server doing HTTP, you need some specific header to be introduced by the SCA for the OWA device to work.

This is explained at http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3FrontBack/578a8973-dc2f-4fff-83c6-39b1d771514c.mspx

"Keep in mind that for Outlook Web Access, an external SSL device must be able to notify the front-end server that SSL was used with the "Front-End-Https: on" header."

If that does not work and the problem is the https://... in the POST request, then the problem is on your Palm Pilot, as the SCA can't rewrite the HTTP request that is provided to it.

Your pilot should not use POST https://... but simply POST /.../...

Is your pilot going through a proxy?

The POST https://... is usually used when going through a proxy.

Anyway, hopefully the OWA server will work fine with the header specified above.

Regards,

Gilles.
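The two conditions raised in the reply above can be checked directly on a request captured between the offloader and the backend. This is an added example, not part of the original thread or any Cisco or Microsoft tooling: the function name `inspect_request` is hypothetical, and the sample request is constructed with a placeholder host, user and device ID.

```python
from urllib.parse import urlsplit

# Constructed sample: a decrypted request as seen between the offloader and
# the backend on port 80. Host, user and device ID are placeholders.
SAMPLE = (
    b"POST https://mail.example.test:443/Microsoft-Server-ActiveSync"
    b"?Cmd=GetItemEstimate&User=alice&DeviceId=DEV0001&DeviceType=PalmOneTreoAce HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def inspect_request(raw: bytes) -> dict:
    """Report the two conditions discussed in the reply for one HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)

    # Header names are case-insensitive, so normalise them before lookup.
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # RFC 7230 section 5.3: origin-form starts with "/", absolute-form carries
    # a scheme and authority and is what clients send to a forward proxy.
    parts = urlsplit(target)
    if target.startswith("/"):
        form, origin = "origin-form", target
    elif parts.scheme and parts.netloc:
        form = "absolute-form"
        origin = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    else:
        form, origin = "other", None

    return {
        "method": method,
        "target_form": form,
        "scheme": parts.scheme or None,
        "origin_form_equivalent": origin,
        "front_end_https": headers.get("front-end-https", "").lower() == "on",
    }


if __name__ == "__main__":
    for key, value in inspect_request(SAMPLE).items():
        print(f"{key}: {value}")
```
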
