Solved

SSL in OWA will not open

Posted on 2004-11-20
Last Modified: 2008-01-09
I have an Exchange 2003 SP1 server on Windows 2003 server that I've set up as the certificate authority. I've followed all of the directions at this link:

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

The problem I end up with is that when I try to access the page via HTTPS (both inside and outside) I get a page not displayed error. I do get the prompt to install the certificate, which I have done. 443 is going through my firewall. As soon as I disable requiring SSL I get in via HTTP. Any ideas?
Question by:cnewgaard
7 Comments
 
LVL 26

Expert Comment

by:Vahik
ID: 12635110
Go to your Active Directory Users and Computers\domain group policy and import your
certificate that you installed in your web site into your trusted root certificate authority....
0
 
LVL 3

Author Comment

by:cnewgaard
ID: 12635438
Vahik, could you elaborate a little more on the process to accomplish the certificate import (location in GP, etc.)? Thanks.
0
 
LVL 26

Accepted Solution

by:
Vahik earned 2000 total points
ID: 12635512
Well, certificate authorities must be registered with your domain..... Win 2000 and 2003 AD
come with certain cert authorities preinstalled (like Verisign).....
To know which ones are installed in your AD, go to Active Directory Users and Computers,
right-click on your domain name and click on Group Policy. In your computer configuration,

drill down to security setting\public key policies and make sure your CA is installed (or listed).

Before I forget, have you issued certificates to your users? They must also import them
into their local machine.
I have to go now but will be back in a few hours.....
0

 
LVL 3

Author Comment

by:cnewgaard
ID: 12636934
I've installed the certificate into the domain. Still having the same issue. I must be missing something here. It's my impression from the article I followed that I could use my own server as a CA to external clients. The users don't use OWA internally but I have a few users that use it while traveling. I'm wondering if it even works this way without having some type of external CA issuing the certificate. I do get the prompt externally to install the cert but when I install it I get a page cannot be displayed error. Works fine over straight HTTP. Has anyone out there ever done this with the setup I have below?

Internal domain with .local suffix behind a PIX firewall (443 open). DC and Exchange are separate servers. Exchange is set up as the CA. I don't host my own external DNS, only internal DNS.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12639180
Personally I wouldn't use your own certificate - I think it is a false economy and also does more harm than good for general network security.

If people are going to be accessing the OWA application from machines that are not under your control (internet cafes for example), then they are going to get an error message. That is fine. However what do they do with that error message? They accept the message and carry on.
What happens if they visit Amazon and get the same error message? They shouldn't get that error message because it is a professional operation. Which means that the traffic is probably being redirected. However the user will think that because it is ok to accept the error message on your site, it is OK to accept the message on all sites. They accept, do what they want and the next thing they know their credit card has been compromised.

As network administrators we should be responsible for the general education of the less technical users.
Therefore I would go to freessl.com and get one of their cheap starter SSL certificates. The cost is much less than Verisign etc charge and they are perfectly suitable for OWA use.

As for your exact problem - has SSL taken properly? If you look in IIS Manager does the number "443" appear in the SSL box?

Simon.
0
 
LVL 3

Author Comment

by:cnewgaard
ID: 12639776
Sembee, this is a test situation to see if this would work for possible use across a broad range of clients. Personally I have no desire to implement OWA in any form for security reasons and my own sanity as a network admin. Until Microsoft can get their security situation worked out I will not rely on them to perform any security functions that I can provide in a different manner. As I said, this was just a test situation and it failed, so I can go to my client with some level of proof on my opinion not to implement this. I prefer them going in through my VPN to access company resources. I do think you're confused on the error that I am getting. It is a simple page not displayed error, just like any other unavailable site. I am going to close this question since I am not going to implement this solution. I will give Vahik the points since he made an effort to help.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 12640224
There are a large number of reasons why you will get errors with OWA. I deal with them all the time. However you seem unwilling to work through what the cause of the problems is, and instead just look for "ammunition" to support your personal view that OWA is insecure and the client should not implement it.
I strongly doubt that the SSL certificate was the core of the problem; it was probably something else. However we shall never know.

So many of the "problems" with Microsoft products are not down to the products themselves, rather the people who are implementing and administrating them.

OWA can be implemented securely. I have done so on numerous occasions for clients that require a high level of security.
The biggest issue with email security (after the users) is attachments. With OWA 2003 you can disable attachment support - so that the users cannot add or remove attachments. That feature alone removes the largest security problem that OWA may face.

I run a large OWA implementation. To date, this year there has been zero virus infection, zero exploit, and zero intrusion. Considering the technical abilities of some of the users, the machines and locations that they access OWA from, this is quite a feat and proves what a properly managed Exchange implementation can do.

Simon.
0
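
Added example, not part of the original thread: the disagreement above is about which layer is failing, so this Python sketch probes an HTTPS endpoint in three stages (TCP reachability, TLS handshake, certificate trust) and reports the first one that fails. The function name `probe_https` and the optional `cafile` path to an exported private root CA are assumptions made for illustration.

```python
import socket
import ssl
import sys


def probe_https(host, port=443, timeout=5.0, cafile=None):
    """Return (stage, detail) for the first layer that fails, or ("ok", version).

    cafile: optional PEM file holding a private root CA to trust (assumption:
    the internal CA's root certificate has been exported to that file).
    """
    # Layer 1: name resolution and TCP. Failure here means DNS, firewall/NAT,
    # or nothing bound to the port; certificates are not involved yet.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_unreachable", str(exc))

    # Layer 2: TLS handshake with verification off, used only to learn whether
    # the listener speaks TLS at all. Never use this context to send data.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return ("tls_handshake_failed", str(exc))

    # Layer 3: normal verified handshake (certificate chain and hostname).
    strict = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw2:
            with strict.wrap_socket(raw2, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        return ("cert_not_trusted", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_handshake_failed", str(exc))
    return ("ok", version)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <hostname>")
    print(probe_https(sys.argv[1]))
```

A result of `cert_not_trusted` points at the private CA not being in the client's trust store, while `tcp_unreachable` or `tls_handshake_failed` points at the firewall, DNS or the web server's SSL binding rather than at certificate trust.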
