Allow ActiveSync for Android through Microsoft’s Web Application Proxy

While moving to Web Application Proxy for our reverse proxy, which is replacing TMG 2010 servers, we had an issue with Android devices connecting to Exchange.

After much playing around I discovered the issue was due to Server Name Indication (SNI). According to Wikipedia:

Server Name Indication (SNI) is an extension to the TLS protocol[1] that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS.

My understanding is that Android supports this, but for some reason it wasn’t working. This was tested with a few devices, e.g. Samsung Galaxy Note (Cyanogen and stock), Samsung Galaxy S3 and S4, and HTC One.

I found this article that explains how to resolve this issue. You simply need to add a binding by running this command from an elevated prompt on the WAP server, substituting the thumbprint of the certificate that WAP already uses for the published hostname:

netsh http add sslcert ipport=0.0.0.0:443 certhash=<your certificate's hash> appid={f955c070-e044-456c-ac00-e9e4275b3f04}

This acts as a legacy, IP-based (non-SNI) binding: HTTP.sys selects it when a client’s TLS ClientHello carries no server_name extension, instead of failing the handshake. Two caveats: the binding presents a single certificate to every non-SNI client regardless of which hostname they meant, so that certificate must cover all the hostnames those clients use (as SANs or a wildcard); and it has to be added on each WAP server. You can confirm the binding with netsh http show sslcert ipport=0.0.0.0:443, which should list the same certificate hash as the SNI binding for the published hostname. Once this is done you should be able to use Android devices through WAP.
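The procedure above, scripted end to end as an added example (this is not code from the original post or from Microsoft): it looks up the certificate for the published hostname in the machine store, shows what HTTP.sys already has bound, adds the non-SNI fallback binding only if none exists, and then verifies it. The hostname mail.example.com is a placeholder; the appid is the one from the command above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on each WAP server. Adds a non-SNI fallback HTTPS binding so clients that
# omit SNI (the Android ActiveSync clients described above) still complete
# the TLS handshake.
#
# Assumptions (adjust for your environment):
#   $PublishedHost - hypothetical external hostname ActiveSync clients use
#   $AppId         - the application ID from the netsh command in the post
$PublishedHost = 'mail.example.com'
$AppId         = '{f955c070-e044-456c-ac00-e9e4275b3f04}'

# 1. Find the certificate WAP uses for that hostname in LocalMachine\My.
#    Match on the DNS name list (covers SAN and wildcard certificates),
#    require a private key, prefer the one that expires last, and stop
#    rather than bind a wrong certificate if nothing matches.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $PublishedHost) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for $PublishedHost in LocalMachine\My"
}
$Thumbprint = $cert.Thumbprint
Write-Host "Using certificate $Thumbprint ($($cert.Subject))"

# 2. Show the SNI binding WAP created for the hostname, then check whether
#    an IP-based fallback binding on 0.0.0.0:443 already exists.
netsh http show sslcert hostnameport="${PublishedHost}:443"
$existing = netsh http show sslcert ipport=0.0.0.0:443 2>&1
if ($existing -match 'Certificate Hash') {
    Write-Warning 'A fallback binding on 0.0.0.0:443 already exists; review it before replacing it:'
    $existing
} else {
    # 3. Add the legacy binding. HTTP.sys uses this one when the ClientHello
    #    carries no server_name extension.
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$Thumbprint appid=$AppId
}

# 4. Verify: the fallback binding must show the same hash as the SNI binding,
#    otherwise non-SNI clients get a different certificate than SNI clients.
netsh http show sslcert ipport=0.0.0.0:443
```

Because the fallback is keyed on the IP address rather than a hostname, only one certificate can be bound this way per address and port; if WAP publishes several hostnames to non-SNI clients, the certificate chosen in step 1 must cover all of them.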
