SSL in OWA will not open

I have an Exchange 2003 SP1 server on Windows 2003 server that I've set up as the certificate authority. I've followed all of the directions on this link:

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

The problem I end up with is when I try to access the page via HTTPS (both inside and outside) I get a page not displayed error. I do get the prompt to install the certificate, which I have done. 443 is going through my firewall. As soon as I disable requiring SSL I get in via HTTP. Any ideas?
cnewgaard Asked:

Vahik Commented:
Go to your Active Directory Users and Computers\domain group policy and import your
certificate that you installed in your web site into your trusted root certificate authority....
cnewgaard Author Commented:
Vahik, could you elaborate a little more on the process to accomplish the certificate import (location in GP, etc.)? Thanks.
Vahik Commented:
Well, the certificate authority must be registered with your domain..... Win 2000 and 2003 AD
comes with certain cert authorities preinstalled (like Verisign).....
To know which ones are installed in your AD, go to Active Directory Users and Computers,
right-click on your domain name and click on Group Policy; in your Computer Configuration

drill down to Security Settings\Public Key Policies and make sure your CA is installed (or listed).

Before I forget, have you issued certificates to your users? They must also import them
into their local machine.
I have to go now but will be back in a few hours.....
cnewgaard Author Commented:
I've installed the certificate into the domain. Still having the same issue. I must be missing something here. It's my impression from the article I followed that I could use my own server as a CA to external clients. The users don't use OWA internally but I have a few users that use it while traveling. I'm wondering if it even works this way without having some type of external CA issuing the certificate. I do get the prompt externally to install the cert but when I install it I get a page cannot be displayed error. Works fine over straight HTTP. Anyone out there ever done this with the setup I have below?

Internal domain with .local suffix behind a PIX firewall (443 open). DC and Exchange are separate servers. Exchange is set up as the CA. I don't host my own DNS that is external, only internal DNS.
Sembee Commented:
Personally I wouldn't use your own certificate - I think it is a false economy and also does more harm than good for general network security.

If people are going to be accessing the OWA application from machines that are not under your control (internet cafes for example), then they are going to get an error message. That is fine. However what do they do with that error message? They accept the message and carry on.
What happens if they visit Amazon and get the same error message? They shouldn't get that error message because it is a professional operation. Which means that the traffic is probably being redirected. However the user will think that because it is ok to accept the error message on your site, it is OK to accept the message on all sites. They accept, do what they want and the next thing they know their credit card has been compromised.

As network administrators we should be responsible for the general education of the less technical users.
Therefore I would go to freessl.com and get one of their cheap starter SSL certificates. The cost is much less than Verisign etc charge and they are perfectly suitable for OWA use.

As for your exact problem - has SSL taken properly? If you look in IIS Manager does the number "443" appear in the SSL box?

Simon.
cnewgaard Author Commented:
Sembee, this is a test situation to see if this would work for possible use across a broad range of clients. Personally I have no desire to implement OWA in any form for security reasons and my own sanity as a network admin. Until Microsoft can get their security situation worked out I will not rely on them to perform any security functions that I can provide in a different manner. As I said, this was just a test situation and it failed, so I can go to my client with some level of proof on my opinion not to implement this. I prefer them going in through my VPN to access company resources. I do think you're confused on the error that I am getting. It is a simple page not displayed error. Just like any other unavailable site. I am going to close this question since I am not going to implement this solution. I will give Vahik the points since he made an effort to help.
Sembee Commented:
There are a large number of reasons why you will get errors with OWA. I deal with them all the time. However you seem unwilling to work through what the cause of the problems are, instead just look for "ammunition" to support your personal view that OWA is insecure and the client should not implement it.
I strongly doubt that the SSL certificate was the core to the problem; it was probably something else. However we shall never know.

So many of the "problems" with Microsoft products are not down to the products themselves, rather the people who are implementing and administrating them.

OWA can be implemented securely. I have done so on numerous occasions for clients that require a high level of security.
The biggest issue with email security (after the users) is attachments. With OWA 2003 you can disable attachment support - so that the users cannot add or remove attachments. That feature alone removes the largest security problem that OWA may face.

I run a large OWA implementation. To date, this year there has been zero virus infection, zero exploit, and zero intrusion. Considering the technical abilities of some of the users, the machines and locations that they access OWA from, this is quite a feat and proves what a properly managed Exchange implementation can do.

Simon.
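
The thread never establishes whether the failure was a generic "page cannot be displayed" (connection or handshake) or a certificate trust problem. The probe below tests TCP, the TLS handshake and chain validation in turn and reports the first layer that fails. It is an added example, not part of the original thread; the function name, the `owa.example.com` host and the `cafile` argument (a PEM export of the private CA's root certificate) are placeholders.

```python
import socket
import ssl


def probe_https(host, port=443, timeout=5.0, cafile=None):
    """Return the first layer that fails: 'tcp_failed', 'tls_failed',
    'cert_untrusted', or 'ok' when every layer succeeds."""
    # Layer 1: plain TCP. A failure here points at the firewall, NAT rule
    # or a missing listener on the SSL port, not at the certificate.
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        return "tcp_failed"

    # Layer 2: TLS handshake with verification switched off, for diagnosis
    # only. A failure here means the listener is not speaking TLS correctly
    # (for example no certificate bound); browsers typically show a generic
    # connection error for this, not a certificate warning.
    no_verify = ssl.create_default_context()
    no_verify.check_hostname = False
    no_verify.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with no_verify.wrap_socket(raw, server_hostname=host):
                pass
    except (ssl.SSLError, OSError):
        return "tls_failed"

    # Layer 3: full chain and hostname validation. With cafile=None the
    # system trust store is used; pass the private CA's root certificate
    # to check the chain the way a client that imported it would.
    verify = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with verify.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "cert_untrusted"
    except (ssl.SSLError, OSError):
        return "tls_failed"


if __name__ == "__main__":
    # Placeholder host; substitute the real OWA name and, for a private CA,
    # pass cafile= with the exported root certificate.
    print(probe_https("owa.example.com"))
```

Run it from both inside and outside the firewall: a result of `tcp_failed` or `tls_failed` means importing the CA certificate on clients cannot fix the problem, while `cert_untrusted` means the listener works and only trust is missing.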