brothertu
How to setup and configure SSL on SBS 2003
I am trying to set up SSL on our SBS 2003 for iPhone access to Exchange email, but so far no luck.
I have checked the forum and worked out the following steps to address the issue.
Following are the steps I plan to go through again; could someone help to see if there is any issue with the whole process?
Step 1, Create a MAIL.XYZ.NET.AU record on public DNS, which points to our gateway route IP address.
Step 2, On the SBS 2003 server, run CEICW to create the NEW WEB SERVER CERTIFICATE, but after running the CEICW, I did not see any info about a cert request file. Is this step necessary?
Step 3, Since no cert request file was created through step 2, I went to the Default Web Site in IIS to create a request file for the whole Default Web Site, with the mail.xyz.net.au friendly name. Since there are subfolders within the Default Web Site, such as Exchange, OMA, Remote, I would like to use SSL to secure all those sites.
Step 4, Purchase a multiple-domain SSL certificate from Godaddy.com and request that the cert include the following web names: exchange.mail.xyz.net.au, OMA.mail.xyz.net.au, remote.mail.xyz.net.au, and download the intermediate CA & SSL cert.
Step 5, Install the intermediate CA through the MMC console on the SBS server.
Step 6, Install the Mail.XYZ.net.au SSL cert through the CEICW instead of the MMC console on the SBS server.
Step 7, Replace the SBS private cert with the new cert on the DEFAULT WEB SITE, then configure each subfolder, i.e. the Exchange, OMA and Remote folders, to use SSL.
Please advise if there is any problem with this process. Thanks in advance.
As Alan hinted at, using your process risks breaking a great many things. Refer to his info to resolve the issue.
One particular point of clarification however:
Step 3, Since no cert request file was created through step 2, I went to the Default Web Site in IIS to create a request file for the whole Default Web Site, with the mail.xyz.net.au friendly name. Since there are subfolders within the Default Web Site, such as Exchange, OMA, Remote, I would like to use SSL to secure all those sites.
These are *not* sites. These are virtual directories within *one* site. So they do not appear as oma.mail.company.com, for example. They appear as mail.company.com/oma
VERY different uses, and misunderstanding that can cause very bad things, and can really screw up troubleshooting as well.
HTH,
-Cliff
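Added example, not part of the original thread: the site-versus-virtual-directory point above, as a small Python check that compares the host names clients actually connect to with the names placed in a certificate. The URL paths, and the assumption that the certificate carried only the three names listed in step 4, are constructed for illustration.

```python
from urllib.parse import urlsplit

def name_matches(cert_name, host):
    """Case-insensitive match; '*' counts only as the whole left-most label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False  # a name never matches a host with more or fewer labels
    if c[0] == "*":
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

def review_cert_names(urls, cert_names):
    """Return (missing_hosts, unused_names).

    missing_hosts: hosts clients connect to that no certificate name covers.
    unused_names:  certificate names that no client URL ever uses.
    """
    # The path (/oma, /exchange, ...) is a virtual directory and plays no part
    # in certificate matching; only the host name is checked by the client.
    hosts = sorted({urlsplit(u).hostname for u in urls})
    missing = [h for h in hosts
               if not any(name_matches(n, h) for n in cert_names)]
    unused = [n for n in cert_names
              if not any(name_matches(n, h) for h in hosts)]
    return missing, unused

# Constructed sample: one site, three virtual directories (paths are assumed).
CLIENT_URLS = [
    "https://mail.xyz.net.au/exchange",
    "https://mail.xyz.net.au/oma",
    "https://mail.xyz.net.au/remote",
]
# Names from step 4 of the question, assumed to be the only names in the cert.
REQUESTED_NAMES = [
    "exchange.mail.xyz.net.au",
    "OMA.mail.xyz.net.au",
    "remote.mail.xyz.net.au",
]

if __name__ == "__main__":
    missing, unused = review_cert_names(CLIENT_URLS, REQUESTED_NAMES)
    print("hosts not covered by the certificate:", missing)
    print("certificate names no client uses:", unused)
    print("single-name cert:", review_cert_names(CLIENT_URLS, ["mail.xyz.net.au"]))
```

All three virtual directories resolve to the single host mail.xyz.net.au, so that is the one name the certificate has to carry.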
stop stop stop
Do not do anything on SBS unless you use the wizard; you will break it.
As for iPhones, they work out of the box on SBS2003; you just need to make sure your Exchange and SBS have the latest SP. I think it's SP2 on Exchange and SP2 on SBS. Had the same problem with my phone; it's not the certificate, it is ActiveSync, and this needs to be fully updated with SP, including Exchange SP.
NB: re-run the connect to Internet wizard and recreate a certificate so it's back to normal, and hope nothing is damaged.
ASKER
Thanks all for the prompt reply.
My situation is that the OMA, OWA and Remote Web Workplace are all working fine with the SBS private cert (internally and externally). The only problem is that when I try to replace it with the cert from Godaddy, I cannot browse the page, even in the IIS console itself. I believe that it must be something to do with the process used to apply for the cert. I did request a cert for one of the web sites (with FQDN) in our DMZ, which went very smoothly. I guess the process of requesting a cert in SBS is different from a normal IIS server.
Hi alanhardisty, thanks for your link, which is very detailed on deployment of the cert, but I believe my problem is to do with the way I request the certificate. Can you see if there is any problem with the way I request the cert, or do you have a brief introduction on how to request a cert on an SBS server?
Hi Cgaliher, thanks for your comment to clarify the difference between the virtual directories and website.
ASKER
Alanhardisty, thanks for your comment.
I am familiar with the cert request process. I have requested two certs for our web site in the DMZ. My problem is that after downloading and installing the cert to IIS in SBS, I cannot browse the default website. I think the way of requesting a cert for the default web site in SBS might be a bit different from the one for a normal web site.
Some people talk about using CEICW; should I request the cert from the IIS console (through the process you mention above), then install it through CEICW?
The Connect To The Internet Wizard will generate a Self-Signed Certificate, not a Certificate Signing Request you can use to request a 3rd party one.
How is your network configured and what server is in the DMZ?
To make sure Activesync will work properly, this needs to be named something like mail.yourdomain.com or something that resolves correctly in DNS to your server's IP address.
Once that is configured properly, the rest should be plain sailing, but please refer to my article to check your settings and make sure IIS is configured happily.
http://www.experts-exchang
Alan