Solved

3rd party SSL Certs install

Posted on 2006-11-27
Last Modified: 2008-01-09
Hi Experts,

I am fairly new to SSL implementations, so please bear with me. My basic situation is I have a Windows Mobile 5 device, with push technology/ActiveSync, and I want to enable secure communications with my server. I tried to use self certs, but for whatever reason the WM5 device refused to connect. I then configured the default website/ActiveSync to not use SSL, and everything worked fine, albeit somewhat insecurely. So, I managed to find a cheap SSL CA (godaddy.com) who supplied a cheap cert for me to use. The WM5 already has this cert in the root certs, so no extra config needs to be done there, which is great. I have applied the new cert to the server.

However, when I generated the request, the common name for the cert had to be the external domain name, i.e. mail.mydomain.com, so I am secure from an external point of view. My question is, seeing that my internal SBS server is not called mail.mydomain.com but mailserver.mydomain.local, how do I set my device to be able to sync when connected locally to the network, and sync securely over the internet? Would I need two different certs with differing common names? How would I add two certs to the website? I cannot change SSL settings and ActiveSync settings every time I want to leave the office and vice versa, surely?

I know I may be missing something pretty obvious, so your help would be greatly appreciated.

Cheers,
ZM
Question by:zimboman
Expert Comment

by:Rhodan
I have the exact same problem as you, and I was about to post the same question.

I'm not using a 3rd party cert, I want to use a self signed one. Is there any way you can use an IP address instead of a FQDN?

Author Comment

by:zimboman
I got the SSL part working eventually - I was able to browse the OWA from an external PC, with no popups - all OK. But the WM5 WILL NOT connect, always saying I have an invalid certificate - even though my 3rd party root certificate is installed...

I read somewhere that the virtual websites need SSL turned OFF, and reconfigured authentication methods, so I followed those instructions, and now my OWA is not working, so... I am VERY frustrated at this point, it looks like I need to recreate all the IIS virtual directories from scratch to recover the default settings.

BTW Rhodan, try to ping your external FQDN from your PC; if you receive replies, I think you can just configure ActiveSync with your external domain name - this worked for me when I was not using SSL.

Expert Comment

by:Rhodan
My OWA works perfectly externally.

The problem is that I do not have an external FQDN. I want to use our external IP address, which we use to access OWA. This is the cause of the problem, as the mobile device refuses to connect to the external IP, I think it's because the SSL certificate has the INTERNAL FQDN in it.

Any ideas, besides turning off SSL?

Expert Comment

by:Jeffrey Kane - TechSoEasy
There's a complete how-to that you can download from here: http://go.microsoft.com/fwlink/?LinkId=62797

Jeff
TechSoEasy

Expert Comment

by:Rhodan
Jeff,

I have downloaded and followed that white paper previously, up until the point I am at now. The white paper does not explain much with regards to using a self signed SSL or how to set it up the way we need.

As I said above in previous posts, the problem is with the SSL certificate, in that it uses the internal FQDN, which doesn't help when you are trying to connect with a mobile device from outside the network.

Expert Comment

by:Jeffrey Kane - TechSoEasy
If you downloaded and followed that paper previously, then I would suspect it was before last week, when the paper was updated to version 2.

I am quite aware of the issues with self signed certificates, as I have deployed a fair amount of SBS/Windows Mobile 5/Activesync systems, and wouldn't have posted the link to this paper alone if I didn't think it answered zimboman's question.

The SSL certificate, if created properly with the Configure Email and Internet Connection Wizard (CEICW) actually has 5 names on it which are valid:

CN = sbs.domain.com
CN = companyweb
CN = sbs
CN = localhost
CN = sbs.domain.local

These can be reviewed by viewing the certificate's "details" and then clicking on "issuers".

If you don't have a FQDN, then on the certificate screen of the CEICW you should insert your external static IP address, which will be added to the SSL certificate. (However, I don't quite understand why you wouldn't register a domain name, since that's much easier for folks to remember for other remote applications.)

Jeff
TechSoEasy
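The name-matching rule behind every "invalid certificate" error in this thread, as an added illustration (not code from the thread or from SBS): a TLS client compares the host it was told to connect to against the names on the certificate, so a cert carrying only mail.mydomain.com cannot satisfy mailserver.mydomain.local, and a DNS name on the cert never covers a bare IP address unless that IP is itself on the cert, as the CEICW does when asked. The certificate name lists below are copied from the question and from the five-name CEICW cert above; the IP address 203.0.113.10 is a constructed placeholder.

```python
"""Hostname-vs-certificate-name matching as a TLS client performs it.
Constructed example for the thread above; not SBS or ActiveSync code."""
import ipaddress

# Names on the single-name 3rd party cert from the question.
EXTERNAL_ONLY_CERT = ["mail.mydomain.com"]

# The five names Jeff says the CEICW self-signed cert carries.
CEICW_CERT = ["sbs.domain.com", "companyweb", "sbs", "localhost", "sbs.domain.local"]


def _dns_match(pattern, host):
    """Case-insensitive DNS name comparison (RFC 6125 style): a wildcard is
    honoured only when it is the entire left-most label, e.g. *.domain.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(cert_names, target):
    """True if `target` (DNS name or IP literal) is covered by the cert's names.
    An IP literal matches only an identical IP entry on the cert; a DNS name on
    the cert never covers an IP, which is why connecting to the external IP fails
    against a cert that names only the internal FQDN."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for name in cert_names:
        if ip is not None:
            try:
                if ipaddress.ip_address(name) == ip:
                    return True
            except ValueError:
                continue  # a DNS entry cannot satisfy an IP target
        elif _dns_match(name, target):
            return True
    return False


def explain(cert_names, target):
    verdict = "OK" if cert_matches(cert_names, target) else "NAME MISMATCH (invalid certificate)"
    return f"{target}: {verdict} against {cert_names}"


if __name__ == "__main__":
    for host in ["mail.mydomain.com", "mailserver.mydomain.local", "203.0.113.10"]:
        print(explain(EXTERNAL_ONLY_CERT, host))
    for host in ["sbs.domain.local", "SBS", "203.0.113.10"]:
        print(explain(CEICW_CERT, host))
    print(explain(CEICW_CERT + ["203.0.113.10"], "203.0.113.10"))  # IP added via CEICW
```

The hosts-file trick described later in the thread works for the same reason: the device always connects to one FQDN that is on the cert, and only the address that FQDN resolves to changes between inside and outside the office.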

Author Comment

by:zimboman
It works!
I am not exactly sure what I did though... but I will try.

The initial problem I had with the self signed certs was carried over to when I used 3rd party. Some of the virtual domains were configured to use SSL, which they are NOT supposed to be. That was causing my certificate invalid message earlier on.

I then sorted that out, but at the same time screwed around with the Authorisation settings on the virtual domains, which gave me another error - based on instructions from another site. I managed to find some other postings by Jeff (TechSoEasy) that pointed me in the right direction and managed to configure these OK. (Jeff, if you could repost the link here to the virtual websites' correct configs, it would be most appreciated.)

Rhodan, on your issue, what I have done is created a free static virtual domain (dyndns.org) that points to my external IP address. Create a self signed cert for this FQDN. I have then, in the hosts file of the PC that I use to sync up, added the DYNDNS domain name to point to the local IP address of the server. As I said, I have done SO much tinkering I am not 100% sure that works, but it is how I am set up at the moment, and it seems to work.

Thanks Jeff for the help.

Accepted Solution

by:Jeffrey Kane - TechSoEasy
Well, if I had any idea which site or which article you were referring to I'd be happy to post the info. (I've probably posted over 5,000 items in the past couple of years.)

I'm glad you got it working... what it sounds like, though, is that you hadn't run the CEICW as required.

Jeff
TechSoEasy