This is just a quick post about an interesting issue I’ve seen today, interesting it was, at least to me. I was at a customer’s site publishing Exchange 2010 using a Sophos “Unified Threat Management” box. Well, we all have to live in a post-TMG world, don’t we?
After installing the certificate on the box we configured the “virtual web servers” and the corresponding “real web servers”. Outlook Web App worked straight away so we went ahead and tried to connect a Windows Phone 8 using ActiveSync.
That didn’t go so well, the Phone would not connect and instead give a strange error message saying:
Error 85002028: Your Windows phone does not support this server version.
Ok, that’s where the interesting part begins. I quickly fired up Remote Connectivity Analyzer, which provided a much clearer error description along with a link to this KB article.
It turned out that we had not installed the intermediate CA certificate on the Sophos box. As the Windows Phone requires the reverse proxy to send the whole chain down for verification, this simply didn’t work. Here comes a quote from the above KB article.
Windows Mobile-based devices do not generally contain intermediate CA certificates in their certificate store. Internet Information Services (IIS) sends the whole certificate chain to the device. However, IIS does this only if it can verify the whole chain. By default, the device does not contain these certificates. Therefore, the server must send them. The device must contain only the root certificate in its certificate store.
Makes sense, finally.
until next time,