Solved

3rd party SSL Certs install

Posted on 2006-11-27
535 Views
Last Modified: 2008-01-09
Hi Experts,

I am fairly new to SSL implementations, so please bear with me. My basic situation is: I have a Windows Mobile 5 device, with push technology/ActiveSync, and I want to enable secure communications with my server. I tried to use self-signed certs, but for whatever reason the WM5 device refused to connect. I then configured the default website/ActiveSync to not use SSL, and everything worked fine, albeit somewhat insecurely. So, I managed to find a cheap SSL CA (godaddy.com) who supplied a cheap cert for me to use. The WM5 already has this CA's cert in its root certs, so no extra config needs to be done there, which is great. I have applied the new cert to the server.

However, when I generated the request, the common name for the cert had to be the external domain name, i.e. mail.mydomain.com, so I am secure from an external point of view. My question is, seeing that my internal SBS server is not called mail.mydomain.com but mailserver.mydomain.local, how do I set my device up to be able to sync when connected locally to the network, and also sync securely over the internet? Would I need two different certs with differing common names? How would I add two certs to the website? Surely I cannot be expected to change SSL settings and ActiveSync settings every time I want to leave the office, and vice versa?

I know I may be missing something pretty obvious, so your help would be greatly appreciated.

Cheers,
ZM
Question by:zimboman
8 Comments
 

Expert Comment

by:Rhodan
ID: 18026126
I have the exact same problem as you, and I was about to post the same question.

I'm not using a 3rd party cert, I want to use a self-signed one. Is there any way you can use an IP address instead of an FQDN?
 

Author Comment

by:zimboman
ID: 18026261
I got the ssl part working eventually - I was able to browse the OWA from an external PC, with no popups - all ok. But the WM5 WILL NOT connect, always saying I have an invalid certificate - even though my 3rd party root certificate is installed...

I read somewhere that the virtual websites need SSL turned OFF, and reconfigured authentication methods, so I followed those instructions, and now my OWA is not working, so... I am VERY frustrated at this point. It looks like I need to recreate all the IIS virtual directories from scratch to recover the default settings.

BTW Rhodan, try to ping your external FQDN from your PC, if you receive replies, I think you can just configure Activesync with your external domain name - this worked for me, when I was not using SSL
 

Expert Comment

by:Rhodan
ID: 18026407
My OWA works perfectly externally.

The problem is that I do not have an external FQDN. I want to use our external IP address, which we use to access OWA. This is the cause of the problem, as the mobile device refuses to connect to the external IP, I think it's because the SSL certificate has the INTERNAL FQDN in it.

Any ideas, besides turning off SSL?
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18026432
There's a complete how-to that you can download from here:  http://go.microsoft.com/fwlink/?LinkId=62797

Jeff
TechSoEasy
 

Expert Comment

by:Rhodan
ID: 18026631
Jeff,

I have downloaded and followed that white paper previously, up until the point I am at now. The white paper does not explain much with regards to using a self signed SSL or how to set it up the way we need.

As I said above in previous posts, the problem is with the SSL certificate, in that it uses the internal FQDN, which doesn't help when you are trying to connect with a mobile device from outside the network.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18027940
If you downloaded and followed that paper previously, then I would suspect it was before last week when the paper was updated to version 2.  

I am quite aware of the issues with self signed certificates, as I have deployed a fair amount of SBS/Windows Mobile 5/Activesync systems, and wouldn't have posted the link to this paper alone if I didn't think it answered zimboman's question.

The SSL certificate, if created properly with the Configure Email and Internet Connection Wizard (CEICW) actually has 5 names on it which are valid:

CN = sbs.domain.com
CN = companyweb
CN = sbs
CN = localhost
CN = sbs.domain.local

These can be reviewed by viewing the certificate's "details" and then clicking on "issuers"

If you don't have a FQDN, then on the certificate screen of the CEICW you should insert your external static IP address which will be added to the SSL certificate.  (However, I don't quite understand why you wouldn't register a domain name since that's much easier for folks to remember for other remote applications).

Jeff
TechSoEasy
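As an added illustration of the name check a client performs against a certificate (this is not part of the thread, and not code from Microsoft or the CEICW): the script below takes certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, with constructed sample names and an IP from the documentation range, and applies the RFC 6125 matching rules that modern clients use (subjectAltName preferred over the commonName, one wildcard covering exactly one leftmost label, IP literals only via "IP Address" SAN entries). It is not a claim about what WM5 itself implemented in 2006; it shows why a cert carrying only `mail.mydomain.com` fails for `mailserver.mydomain.local`, and why one certificate with all the names on it, as Jeff describes, avoids needing two certs.

```python
"""Hostname-to-certificate matching per RFC 6125.

Certificates are constructed samples in the dict shape returned by
ssl.SSLSocket.getpeercert(); none of them is a real issued certificate.
"""

import ipaddress

# --- constructed sample certificates ---------------------------------------
SINGLE_NAME_CERT = {  # CA-issued cert with only the external name
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"),),
}
MULTI_NAME_CERT = {  # one cert carrying external, internal and IP identities
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (
        ("DNS", "mail.mydomain.com"),
        ("DNS", "mailserver.mydomain.local"),
        ("DNS", "mailserver"),
        ("IP Address", "203.0.113.10"),
    ),
}
CN_ONLY_CERT = {  # legacy cert with no SAN extension at all
    "subject": ((("commonName", "mailserver.mydomain.local"),),),
}
IP_IN_CN_CERT = {  # IP address written into the CN instead of an IP SAN
    "subject": ((("commonName", "203.0.113.10"),),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}


def cert_names(cert):
    """Return (dns_patterns, ip_strings) the certificate claims to identify."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        # No SAN extension: fall back to the subject commonName (legacy rule).
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def _dns_match(pattern, hostname):
    """Case-insensitive label-by-label match with a single leftmost wildcard."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard replaces exactly one label and needs at least two
        # fixed labels after it, so a pattern like "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def match_hostname(cert, hostname):
    """True if `hostname` (DNS name or IP literal) is covered by `cert`."""
    dns, ips = cert_names(cert)
    try:
        wanted = ipaddress.ip_address(hostname)
    except ValueError:
        # Not an IP literal: compare against the DNS patterns.
        return any(_dns_match(pattern, hostname) for pattern in dns)
    # An IP literal is only accepted via an "IP Address" SAN entry; an IP
    # placed in the CN does not count under RFC 6125.
    return any(ipaddress.ip_address(ip) == wanted for ip in ips)


def coverage(cert, hostnames):
    """Map each candidate hostname to whether the certificate covers it."""
    return {name: match_hostname(cert, name) for name in hostnames}


if __name__ == "__main__":
    names = ["mail.mydomain.com", "mailserver.mydomain.local", "203.0.113.10"]
    for label, cert in (("single-name", SINGLE_NAME_CERT),
                        ("multi-name", MULTI_NAME_CERT)):
        print(label, coverage(cert, names))
```

Running it shows the single-name certificate covering only the external name, while the multi-name certificate covers the external FQDN, the internal FQDN, the bare host name and the static IP. The same check explains the hosts-file workaround later in the thread: pointing the external name at the internal address changes only name resolution, so the name the device connects with still matches the certificate.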
 

Author Comment

by:zimboman
ID: 18030679
It works!
I am not exactly sure what I did though... but I will try.

The initial problem I had with the self-signed certs was carried over to when I used 3rd party. Some of the virtual domains were configured to use SSL, which they are NOT supposed to be. That was causing my "certificate invalid" message earlier on.

I then sorted that out, but at the same time screwed around with the Authorisation settings on the virtual domains, based on instructions from another site, which gave me another error. I managed to find some other postings by Jeff (TechSoEasy) that pointed me in the right direction and managed to configure these OK. (Jeff, if you could repost the link here to the virtual websites' correct configs, it would be most appreciated.)

Rhodan, on your issue, what I have done is created a free static virtual domain (dyndns.org) that points to my external IP address. Create a self-signed cert for this FQDN. I have then, in the hosts file of the PC that I use to sync up, added the DynDNS domain name, pointing to the local IP address of the server. As I said, I have done SO much tinkering I am not 100% sure that works, but it is how I am set up at the moment, and it seems to work.

Thanks Jeff for the help.
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 18031582
Well, if I had any idea which site or which article you were referring to I'd be happy to post the info.  (I've probably posted over 5,000 items in the past couple of years).

I'm glad you got it working... what it sounds like, though, is that you hadn't run the CEICW as required.

Jeff
TechSoEasy