[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1056
  • Last Modified:

How to setup and configure OWA with SSL on frontend exchange server with backend exchange holding all the exchange mailboxes.

We have 2 exchange 2000 servers set by previous System Administrator. One of them is a frontend and is running only OWA, it’s got full version of exchange installed on it. Backend server has all the mailboxes.

I have no experience setting up frontend and backend Exchange servers.

I want to migrate Exchange 2000 to Exchange 2003 Enterprise.

Following are my questions:

Q. Should I migrate frontend server first or the backend or either one. Does it matter?

Q. Is it possible to only install OWA service on the frontend server rather then full version of Exchange 2003 Enterprise?

Q. Our present OWA server is setup to use SSL. I am not sure if it is setup with private security certificate or what. How can I check that?

Q. How to point OWA server to the backend server.

Q. Do I need to uninstall OWA service from the backend server since I will have OWA on the frontend server?

Does anyone know if there is Microsoft KB article or white papers that show step-by-step instructions on how to install OWA with SSL.

You help is appreciated.


0
lakhvir
Asked:
lakhvir
  • 14
  • 14
  • +1
1 Solution
 
puneetrajput25Commented:
Hi
Following is the link
Configuring Exchange OWA to Use SSL
http://support.microsoft.com/kb/234022/en-us
0
 
MikeeMiracleCommented:
Q1:  Migrate the FE first, can't recall exact reasons why but it's recomended.
Q2: Nope, it has to be the full fat exchange and the enterprise version at that too.
Q3: Answered above
Q4: This is done automatically which is why it's part of the same Exchange organisation.
Q5: No you do not uninstall OWA on the backend.  The Front end merely handles authentication and connection requests.  This information is passed to the back end for processing which has to mirror the front end in terms of setup (except the ssl certificate.)
0
 
lakhvirAuthor Commented:
I will be doing parallel exchange upgrade (not in place upgrade), ever though I will be doing parallel exchange upgrade do I still need to migrate the FE first.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
SembeeCommented:
The major change with Exchange 2003 is that frontends can be standard edition. This can be a significant saving on the licensing costs. Frontend servers must be done first - a frontend should always be the same or higher than the backend servers. Even though you are doing a parallel upgrade you will have to update the frontend first - otherwise the installation will not begin.

IIS is a critical part of the operation of Exchange. Web services are used by Exchange for management and for passing information between the frontend and backend servers.

What are the reason for having the frontend? If you don't have multiple backend servers then their usefulness is limited. If you have a high number of users, with a high number using remote services (OWA etc) then a frontend can be of use.

SSL installation is very simple - just a matter of putting the certificate in the right place. Nothing has to be done to OWA.

Simon.
0
 
lakhvirAuthor Commented:
The reason for having the front-end is the company have high number of employees that are using remote services (OWA). Also, the front-end and back-end setup is already in place before I joined the company.

Q. Can I do parallel upgrade with Front-end(OWA SERVER) or do I have to do inplace upgrade.

Q. Do I have to buy third party certificate or Can I use windows certificate.

Lakhvir
0
 
SembeeCommented:
Exchange 2003 will not install with an Exchange 2000 frontend in place.
There are two ways round that.

1. Turn off the frontend option on the existing Exchange 2000 server, install your first server, then turn it back on again.
2. In place upgrade the frontend.

If it is new hardware then I will build the server as far as I can without installing Exchange (so forest prep, domain prep, install components, patch etc). Then turn off the frontend option on the existing machine and install Exchange 2003. Once it is in, you can turn the frontend option back on again (it is a small box to enable and disable, so doesn't take long). Then patch the new server (SP2 etc). If the machine is behaving itself, then put it in as the frontend to replace the existing one. Exchange 2003 will frontend to an Exchange 2000 server quite happily - although users will not get the new interface until their backend is Exchange 2003. You can then remove the old frontend using Add/Remove programs and continue the deployment.

As for SSL certificate, you could use an self generated cert, but that will generate errors. Get a purchased certificate from somewhere like RapidSSL (US$70 year). Get it on a generic name (mail.domain.com) not the server name so that you can move it around.

Simon.
0
 
lakhvirAuthor Commented:
Q. How can I check which certificate (self generated or purchased) is currently installed on the current Front-end server.

Your help is very much appreciated.
Lakhvir
0
 
SembeeCommented:
Open IIS Manager.
Go to the Default web site. Right click on the default web site. Choose Properties. Click on the tab Directory Security and then view certificate.

Simon.
0
 
lakhvirAuthor Commented:
Thanks, Simon.

I checked it's purchased certificate from a third party. How can I move it to the new server and when should I move it to the new server, before or after I take the existing front-end server offline.

Thanks,
Lakhvir
0
 
SembeeCommented:
The move to another server is simple enough - simply export the certificate from the original server to a file, then import it on to the other server. Use the Certificate wizard to export the certificate.
You can do it while the other server is online, as it will not be used until you switch your DNS and/or port forwarding to point to the new server.

Simon.
0
 
lakhvirAuthor Commented:
I have imported the certificate to the other server. When I View Certificate in Default Web site Properties, in Certificate window there is yellow exclamation mark on Certificate Icon and right below, it says Windows does not have enough information to verify this certificate. What could be wrong? How can I fix it.

Thanks,
Lakhvir
0
 
SembeeCommented:
The message means what it says. Windows cannot verify the certificate. Usually means that the root isn't in Windows.
Which company issued the certificate?

Simon.
0
 
lakhvirAuthor Commented:
Issued By: Comodo Class 3 Security Services CA.

This new server is on our Widnows NT domain now. But I haven't installed Exchange yet, waiting for the next weekend to do it. As you suggested I have to turn off the frontend option on the existing machine and install Exchange 2003.
0
 
SembeeCommented:
You haven't tried to install the certificate as a client certificate or anything like that?
The certificate is trusted by Windows, but I am pretty sure that the message means Windows doesn't recognise the certificate as coming from a source it trusts.

Simon.
0
 
lakhvirAuthor Commented:
Simon, I was able to install the Exported certificate. This has been solved.


Q1.  Do you know How can I CONFIGURE TO  redirect the Default Web Site to get its content from a subdirectory. For example, you might redirect your users to the Exchange Virtual Directory so that thay do not need to type '/Exchange' on the end of the server URL to access Outlook Web Access. If the Default Web Site on MY server has been configured in this way HOW CAN I CHECK.


Q2. We have Barracuda Spam firewall installed on our network. From outside world SMTP traffice comes to Barracuda first and then Barracuda redirects SMTP traffic to our existing Backend e-mail server (Exchange 2000). I will be installing Exchange Server 2003 co-existing with our current Exchange 2000 Server. If I move some of the mailboxes to New Exchange Server 2003 do I need to redirect SMTP traffic from Barracuda to New Exchange Server 2003 as well.  

Your help is appreciated!

Thanks,
Lakhvir
0
 
SembeeCommented:
To see whether a redirection has been put in place, look to see how it is done.
I have one technique on my web site here: http://www.amset.info/exchange/owa-defaultpage.asp

Another method is to simply have a file in the root of the web site that redirects to the directory.

For email routing, Exchange can take care of that itself. As long as the two servers can see each other then the email will end up in the right place.

What I tend to suggest though is that once the server is handing off more than 50% of the email, rather than delivering it to its own mailboxes (which can usually match with 50% of the mailboxes being moved), then it makes sense to move the incoming SMTP traffic to the other server.

Simon.
0
 
lakhvirAuthor Commented:
I am running Exchange Server 2000 in Mixed mode(NO EXCHANGE 5.5) and I am migrading to Exchange Server 2003. Do I need to change Exchange 2000 to Native mode first?
0
 
SembeeCommented:
No, but you do have to upgrade any frontend servers first.

Simon.
0
 
lakhvirAuthor Commented:
Our SSL certificate for OWA server is assigned to our server name (postoffice) and I can not move it around. If I get it on a generic name not the server name For Example. My OWA server name is postoffice.domain.com and I get it on generic name mail.domain.com would it work on postoffice.domain.com. Wouldn't it look for mail.domain.com.

I have two Exchange servers Front end and backend. Our Front end server name is postoffice and  is running OWA SSL. Certificate is assigned to it. Today I installed Exchange 2003 to replace our postoffice(OWA). I moved the certificate to our new Exchange server 2003. We want to name our new OWA server postoffice because certificate is assigned to postoffice(OWA). So I tried to change our postoffice name to oldpostoffice so that I could name our new OWA server postoffice. I was able to cahnage the hostname but in Exchange Systems manager name didn't change I guess it not easy to change the Exchange server name. So I uninstalled My new Exchange 2003 server.

Would you please tell me good solution to the above problems. I appreciate your help. Thanks,

If you require more clarification please let me know.



0
 
SembeeCommented:
The name on the certificate and the name of the server do not have to match. They can be totally different.
As long as the name on the certificate resolves to the correct server then it work.

Think about it for a moment...

Your bank could be https://online.bank.com - but the server will not be called online. They will have many servers that all answer to that name.

You cannot change the name of a server once Exchange is installed - that is why I suggest using generic names instead of the actual server name. When it comes to an upgrade or hardware replacement it is much easier to move a generic name than trying to move the specific server name.

Simon.

0
 
lakhvirAuthor Commented:
If I have Exchange 2003 as a Front End and Exchange 2000 as a Back End is possible to turn on OMA on the Front End (Exchange 2003) server OR both FE and BE has to be same verson (Exchange 2003).

Thank you,
0
 
SembeeCommented:
To get the new features that Exchange 2003 offers then you have to have your mailbox on an Exchange 2003 backend server. The frontend doesn't give you the new features as it is just proxying the traffic to the backend server.

Simon.
0
 
lakhvirAuthor Commented:
We have 2 Exchange 2000 servers. OWA and Backend Server. And I am planning to migrate to Exchange 2003. After I migrate to Exchange 2003 I would have 3 Exchange Servers OWA and 2 Backend servers (Exchange 2000 and Exchange 2003).


We have Barracuda Spam Firewall setup all incoming mail comes to Barracuda First then it is relayed to Mail-1 (Exchange 2000). After I setup Exchange 2003 (Mail-2), If there is any Mail for Mail-2, Mail-1 will relay it to Mail-2.
 

Q. I need to know after I install Exchange 2003, would it send it's out going mail to Mail-1 (Exchange 2000) and then Mail-1 send it to Barracuda. OR Would it send directly to Barracuda Spam Firewall. If yes, where can I find settings in the Exchange System Manager. If it would not send directly to Barracuda, How can I configure it to send directly to Barracuda.

Q. I need to have both Exchange Servers to send out going mail directly to Barracuda.

Thanks, for your help
0
 
SembeeCommented:
Once the email hits the Exchange system, Exchange will relay the email to the correct server. As long as the servers can see and communicate with each other, there isn't much more to do.
Therefore you would get your firewall device to send email to one of the Exchange servers. My rule is that the email goes to the server which has the most mailboxes or traffic. When a server is sending on more than it keeps, that is the time to change the delivery point.
If you have front ends, then that doesn't apply. Simply send the email to the front end and leave it to get on with it.

For outbound email delivery, you need to configure an SMTP Connector. If all the servers are in the same routing group, then you just need one SMTP Connector. Use the firewall as a smart host.

Simon.
0
 
lakhvirAuthor Commented:
I have a question about "Use the firewall as a smart host".

Do I use my Barracuda Spam Firewall as a smart host.

or

Do I use my corporate (CISCO FIREWALL) as a smart host.

Thanks,
Lakhvir
0
 
SembeeCommented:
The Cisco firewall doesn't have an SMTP server, so you cannot use that as your smart host.
You should be able to use the spam device as a smart host though.

Simon.
0
 
lakhvirAuthor Commented:
I want to move mailboxes, System and Public folders from Exchange 2000 to Exchange 2003 after the migration.

Q. How do I do that and what tools do I need to use.


Q. Should I move mailboxes first or System folders.


Q How do I verify if all the mailboxes and System and public folders have been moved successfully.


Q After the mailboxes, System and public folders have been moved to Exchange 2003 do I need to remove them from Exchange 2000 before I decommission it.

Your help is appreciated.

Thanks,
Lakhvir



0
 
SembeeCommented:
Public and System folders go across first.
It will take time, a week or more is not uncommon.
You use Exchange System manager to make the changes - you have to replicate the content.

My web site explains exactly what needs to be done: http://www.amset.info/exchange/migration.asp, as does this article at MSKB: http://support.microsoft.com/default.aspx?kbid=307917

Migration to a new server is frequently covered on EE. It will not take much time to search the database to find it done in great depth.

Simon.
0
 
lakhvirAuthor Commented:
I have migrated to Exchange 2003.

First I have migrated my Front End server.

Then I installed additional Exchange 2003 co-existing with Exchange 2000.

I created a test account in Active Directory users and computers and e-mail on the Exchange server 2003.

User account got created in Active Directory. But an e-mail account for this test is not got created in Exchage 2003.

On Exchange 2003 Under Mailboxes folder I don't see an e-mail account for this test user.
I haven't moved public folders over yet.

What could be wrong. Is there any service(s) need to be started.

Thank-you so much for your help!

Lakhvir
0
 
SembeeCommented:
Mailboxes are not actually created until they are required. The account can sit there quite happily with no mailbox until a message is sent to the folder.

The email address should be stamped on the account automatically. If it isn't, then that could indicate an issue with the domain.

With my page editor's hat on - the above questions don't really relate to your original question. I would suggest that you close this question and award points, then open new questions with your queries. This will give other experts an opportunity to answer those questions.
Unlike a forum, the only people who will see your new questions are those that have already posted. This question will not be on the first page of the open questions list (only questions that are two or three days old usually are), and no one looks at the old stuff.

Simon.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 14
  • 14
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now