Topic Last Modified: 2010-01-27

The Microsoft Exchange Server 2010 Management Pack for System Center Operations Manager monitors the Windows Application log on computers running Exchange 2010 and generates this alert when the events specified in the following Details table are logged.

To learn more about this alert, in Operations Manager, do one or more of the following:

From the Operations Console, double-click this alert, and then click the General tab. Review the description of the alert that includes the variables specific to your environment.
From the Operations Console, double-click this alert, and then click the Alert Context tab. Review the logged events that meet the criteria of this Operations Manager alert.

Details

Product Name	Exchange
Product Version	14.0 (Exchange 2010)
Event ID	1035
Event Source	MSExchange ActiveSync
Alert Type	Warning
Rule Path	Microsoft Exchange Server/Exchange 2010/Client Access/ActiveSync
Rule Name	The proxy request has failed due to an invalid SSL certificate on the destination Client Access server.

Explanation

This Warning event is logged if the Client Access server that issued a proxy request to another Client Access server failed because a certificate is not valid on the Client Access server that received the request. Proxy requests occur when users use a Client Access server that is not in the same site as their mailbox. In this situation, the request is proxied to a Client Access server that is in the same site as the mailbox.

This event is logged if the following conditions are true:

The proxy request to the receiving Client Access server is configured to use Secure Sockets Layer (SSL). By default, proxy requests do not use SSL. To use SSL, you must make a configuration change in the registry to force certificate checking when a proxy request is sent to another Client Access server.
The certificate is not valid. For example, the certificate is self signed.

User Action

To resolve this warning, do one of the following:

Install a valid certificate on the Client Access server that receives the proxy requests. A valid certificate must contain a valid host name. In addition, it must be signed by a recognized certification authority. In this scenario, a valid host name is the internal host name.
Configure Microsoft Exchange to let you use non-valid (or self-signed) certificates in the proxy scenario. To do this, you must make a registry configuration change on the Client Access server that receives the proxy requests. Do the following:

Caution Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
1. Start Registry Editor (regedit).
2. Locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA\
3. Edit the AllowInternalUntrustedCerts key so that the certificate will not be checked. One way to do that is to make sure that the AllowInternalUntrustedCerts key is not present. Alternatively, you can change the data value of Value data of the AllowInternalUntrustedCerts key to 1.
4. Exit Registry Editor.
Note You must restart Internet Information Services (IIS) by using the command iisreset/noforce for these changes to take effect.

For More Information

If you are not already doing so, consider running the Exchange tools created to help you analyze and troubleshoot your Exchange environment. These tools can help make sure that your configuration aligns with Microsoft best practices. They can also help you identify and resolve performance issues, improve mail flow, and better manage disaster recovery scenarios. To run these tools, go to the Toolbox node of the Exchange Management Console. To learn more about these tools, see Managing Tools in the Toolbox.