Solved

3rd party SSL Certs install

Posted on 2006-11-27
Medium Priority
541 Views
Last Modified: 2008-01-09
Hi Experts,

I am fairly new to SSL implementations, so please bear with me. My basic situation is I have a Windows Mobile 5 device, with push technology/ActiveSync, and I want to enable secure communications with my server. I tried to use self certs, but for whatever reason the WM5 device refused to connect. I then configured the default website/ActiveSync to not use SSL, and everything worked fine, albeit somewhat insecurely. So, I managed to find a cheap SSL CA (godaddy.com) who supplied a cheap cert for me to use. The WM5 already has this cert in the root certs, so no extra config needs to be done there, which is great. I have applied the new cert to the server.

However, when I generated the request, the common name for the cert had to be the external domain name, i.e. mail.mydomain.com, so I am secure from an external point of view. My question is, seeing that my internal SBS server is not called mail.mydomain.com but mailserver.mydomain.local, how do I set my device to be able to sync when connected locally to the network, and sync securely over the internet? Would I need two different certs with differing common names? How would I add two certs to the website? Surely I cannot change SSL settings and ActiveSync settings every time I want to leave the office, and vice versa?

I know I may be missing something pretty obvious, so your help would be greatly appreciated.

Cheers,
ZM
0
Question by:zimboman
8 Comments
 

Expert Comment

by:Rhodan
ID: 18026126
I have the exact same problem as you, and I was about to post the same question.

I'm not using a 3rd party cert, I want to use a self signed one. Is there any way you can use an IP address instead of a FQDN?
0
 

Author Comment

by:zimboman
ID: 18026261
I got the ssl part working eventually - I was able to browse the OWA from an external PC, with no popups - all ok. But the WM5 WILL NOT connect, always saying I have an invalid certificate - even though my 3rd party root certificate is installed...

I read somewhere that the virtual websites need SSL turned OFF, and reconfigured authentication methods, so I followed those instructions, and now my OWA is not working, so... I am VERY frustrated at this point. It looks like I need to recreate all the IIS virtual directories from scratch to recover the default settings.

BTW Rhodan, try to ping your external FQDN from your PC, if you receive replies, I think you can just configure Activesync with your external domain name - this worked for me, when I was not using SSL
0
 

Expert Comment

by:Rhodan
ID: 18026407
My OWA works perfectly externally.

The problem is that I do not have an external FQDN. I want to use our external IP address, which we use to access OWA. This is the cause of the problem, as the mobile device refuses to connect to the external IP, I think it's because the SSL certificate has the INTERNAL FQDN in it.

Any ideas, besides turning off SSL?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18026432
There's a complete how-to that you can download from here:  http://go.microsoft.com/fwlink/?LinkId=62797

Jeff
TechSoEasy
0
 

Expert Comment

by:Rhodan
ID: 18026631
Jeff,

I have downloaded and followed that white paper previously, up until the point I am at now. The white paper does not explain much with regards to using a self signed SSL or how to set it up the way we need.

As I said above in previous posts, the problem is with the SSL certificate, in that it uses the internal FQDN, which doesn't help when you are trying to connect with a mobile device from outside the network.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18027940
If you downloaded and followed that paper previously, then I would suspect it was before last week when the paper was updated to version 2.  

I am quite aware of the issues with self signed certificates, as I have deployed a fair amount of SBS/Windows Mobile 5/Activesync systems, and wouldn't have posted the link to this paper alone if I didn't think it answered zimboman's question.

The SSL certificate, if created properly with the Configure Email and Internet Connection Wizard (CEICW) actually has 5 names on it which are valid:

CN = sbs.domain.com
CN = companyweb
CN = sbs
CN = localhost
CN = sbs.domain.local

These can be reviewed by viewing the certificate's "details" and then clicking on "issuers".

If you don't have a FQDN, then on the certificate screen of the CEICW you should insert your external static IP address which will be added to the SSL certificate.  (However, I don't quite understand why you wouldn't register a domain name since that's much easier for folks to remember for other remote applications).

Jeff
TechSoEasy
0
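To see how a single certificate can cover both the internal and the external name, here is an added example that is not part of the thread or of the CEICW tooling: it issues a self-signed certificate with OpenSSL carrying the five names Jeff lists (as Subject Alternative Name entries, which is where hostname matching looks), then asks OpenSSL which hostnames it would accept. The names are the thread's placeholders, and a device would additionally need to trust the issuer, which a self-signed cert does not provide on its own.

```shell
#!/bin/sh
# Added example (not the thread's or the CEICW's own commands): one cert
# with several names, then a hostname check per name. Requires OpenSSL 1.1.1+.
set -e
WORK=$(mktemp -d)

# Issue a self-signed cert whose Subject Alternative Name lists both the
# external and the internal names, so the same cert serves both sides.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=sbs.domain.com" \
    -addext "subjectAltName=DNS:sbs.domain.com,DNS:companyweb,DNS:sbs,DNS:localhost,DNS:sbs.domain.local" \
    >/dev/null 2>&1
}

# Print the names the cert is valid for (what the "details" view shows).
cert_names() {
  openssl x509 -in "$WORK/cert.pem" -noout -ext subjectAltName | tail -n +2 | tr -d ' '
}

# Exit 0 if OpenSSL accepts the cert for the hostname in $1, non-zero otherwise.
# -CAfile is the cert itself because it is self-signed; a client that does not
# trust it would still reject the connection no matter which name it carries.
host_ok() {
  openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "$1" "$WORK/cert.pem" >/dev/null 2>&1
}

make_cert
cert_names
# Internal and external names are both accepted; an unlisted name is not.
for h in sbs.domain.com sbs.domain.local mail.otherdomain.com; do
  if host_ok "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

The same check explains Rhodan's symptom: a cert that only carries the internal FQDN is rejected for the external address, and adding the external name (or IP, as an IP SAN entry) to the cert is what makes the device accept it.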
 

Author Comment

by:zimboman
ID: 18030679
It works!
I am not exactly sure what I did though... but I will try.

The initial problem I had with the self signed certs was carried over to when I used 3rd party. Some of the virtual domains were configured to use SSL, which they are NOT supposed to be. That was causing my certificate invalid message earlier on.

I then sorted that out, but at the same time screwed around with the Authorisation settings on the virtual domains, which gave me another error, based on instructions from another site. I managed to find some other postings by Jeff (TechSoEasy) that pointed me in the right direction and managed to configure these ok. (Jeff, if you could repost the link here, to the virtual websites' correct configs, it would be most appreciated.)

Rhodan on your issue, what I have done, is created a free static virtual domain (dyndns.org) that points to my external IP address. Create a self signed cert for this FQDN. I have then, in the hosts file of the PC that I use to Sync up, added the  DYNDNS domain name - to point to the local IP address of the server. As I said I have done SO much tinkering I am not 100% sure that works, but it is how I am set up at the moment, and it seems to work.

Thanks Jeff for the help.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 2000 total points
ID: 18031582
Well, if I had any idea which site or which article you were referring to I'd be happy to post the info.  (I've probably posted over 5,000 items in the past couple of years).

I'm glad you got it working... what it sounds like, though, is that you hadn't run the CEICW as required.

Jeff
TechSoEasy
0
