We are in the process of securing our iPhone fleet using Airwatch. In order to enroll devices with Airwatch you go to a website from the device, enter a group name and your credentials. This then talks to the Exchange server and configures the device with email. Unfortunately the Forefront TMG server seems to be blocking this traffic from going through and I can't figure out why. All ActiveSync traffic works fine, so devices which are already connected, remain connected and working, but enrollment from the Airwatch website does not work. When we have all ActiveSync traffic routed to Exchange through our Juniper devices there are no issues with enrollment so I know the problem is not with Exchange. The error in the TMG logs is "12309 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator." I suspect the Airwatch website is trying to make an anonymous connection to our Exchange server which is being blocked by TMG. When I try to change the ActiveSync rule to allow All Users I get an error message that "The Web listener selected for this rule requires authentication. However, when the All Users user set is selected for a rule, authentication is not performed. To apply authentication to this rule using this configuration, select the Require all users to authenticate check box in the Web listener Advanced Authentications dialog box."
Has anyone else come across this issue and can they suggest what settings might be required on the ActiveSync rule or the Exchange Web Listener, in order to make this work.
Regards Kate