I'm trying to publish Exchange 2003 ActiveSync on a Server 2K3 box, through TMG 2010 on a 2008 R2 box, using client certificates on Android mobiles.
From what I can tell, the issue is with TMG, as when I connect directly to the mail server everything works fine. When going through TMG, I can see the attempt in the EAS logs and the server returns 403.7 - Forbidden, client certificate required.
Now, I have set up the web listener to require client certificates, I have told the publishing rule to use Kerberos Constrained Delegation and I have configured the TMG box in Active Directory for delegation with the following SPNs:
http/{mail server internal FQDN}
w3svc/{mail server internal FQDN}
I have followed the steps in these two walkthroughs:
http://www.isaserver.org/tutorials/publish-microsoft-exchange-active-sync-eas-isa-server-2006-part1.html
http://www.isaserver.org/tutorials/Publish-Microsoft-Exchange-Active-Sync-EAS-ISA-Server-2006-Part2.html
Yet despite everything I am still getting 403.7 back from the Exchange server. I suspect the issue is either with the TMG server getting a ticket from our DC, or with the TMG providing the ticket to the mail server.
Any suggestions would be most welcome!
Thanks in advance.
Grab a network trace from the inside of the TMG box while you're authenticating from a client; that'll show you the ticketing exchange with the DC. (assuming the logs don't have a particular error).
Though 403.7 roughly translates to Client Certificate Required. If this is the error you're seeing in the W3 logs on the web server, you need to disable Client Certificate authentication there; TMG can only do Kerberos, so Client Cert Auth isn't on the cards any more.
This would also explain why it still works internally with no changes.
Edit - about the best link for setting up ActiveSync with Client Certificate Authentication that I've seen is in the ISA 2006 Deployment guidance on Technet: http://technet.microsoft.com/en-us/library/bb794751.aspx#AppendixC
Edit 2 - to make it explicit, the above Part 1 article is wrong, in that it doesn't address ISA/TMG performing client certificate auth; only doing it directly at the Exchange box.
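To check the W3 logs for the pattern the answer describes (403.7 on the ActiveSync virtual directory, arriving from the TMG internal address rather than from direct clients), here is a small IIS W3C log parser as an added example; it is not code from the thread. The log lines, IPs and host names are constructed placeholders, and it assumes the default TMG web-publishing behaviour where forwarded requests show TMG's own IP as c-ip.

```python
"""Flag ActiveSync requests that IIS rejected with 403.7 (client certificate
required), grouped by the client IP seen in the IIS W3C log."""
from collections import Counter

# Constructed sample of an IIS 6 W3C log with the default fields plus
# sc-substatus. 10.0.0.20 stands in for the TMG internal interface,
# 192.168.1.50 for a device connecting directly to the mail server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-03-01 08:00:01 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 - 10.0.0.20 Android/EAS 403 7 0
2011-03-01 08:00:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=X 443 - 10.0.0.20 Android/EAS 403 7 0
2011-03-01 08:00:05 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=X 443 CORP\\jdoe 192.168.1.50 Android/EAS 200 0 0
2011-03-01 08:00:09 10.0.0.5 GET /owa/ - 443 - 10.0.0.20 Mozilla 403 7 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def cert_required_by_client(text, path="/Microsoft-Server-ActiveSync"):
    """Count 403.7 responses on the given vdir per c-ip.

    A count concentrated on the TMG address with cs-username '-' means IIS is
    still demanding a certificate that the KCD-authenticated request from TMG
    cannot present, which is the situation the answer above describes."""
    hits = Counter()
    for rec in parse_w3c(text):
        if (rec["cs-uri-stem"].lower() == path.lower()
                and rec["sc-status"] == "403" and rec["sc-substatus"] == "7"):
            hits[rec["c-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print(cert_required_by_client(SAMPLE_LOG))  # {'10.0.0.20': 2}
```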