DaleFrazier
asked on
Setting up SSL for Exchange and WSUS when both are installed to the default web site
Hi Experts,
I have two Windows 2003 servers, one is an Exchange 2003 server and the other is a Domain Controller. The Exchange server is also running WSUS. All clients are Windows xp and 2000. All computers on the network are running behind my router/firewall in a private ip address range. I only have one public ip address which is configured on my router along with my ISPs DNS servers.
I had to open port 80 to get OWA to work. I want to install an ssl certificate to lock down Exchange. I opened port 443 on my router. I purchased a certificate. Once the certificate is installed and working I plan to close port 80. I would also like to secure WSUS using the same certificate, if possible. My priority is closing port 80 and keeping OWA working.
My problem is in IIS, both Exchange and WSUS are using the default web site. I found the following information in an ebook about WSUS:
You cannot set up the entire WSUS Web site to require SSL. This would mean that all traffic to the WSUS site would have to be encrypted, but WSUS encrypts only update metadata. If a client computer or another WSUS server attempts to get update files from WSUS on the HTTPS port, the transfer will fail.
I made this discovery while attempting to generate a CSR for the web site. How can I make this work? Will WSUS need to be set up on a different web site?
ASKER
1. Let's say all I want to do is set up SSL for Exchange. I would still need to uninstall WSUS and reinstall it on a different web site, right?
2. I don't have an internal CA.
I would move WSUS to another site - yes. You will want to uninstall and reinstall. The WSUS database will still be intact. It will make a new site using the 8530 port.
Do you want SSL on WSUS? You can install a CA within a domain controller and generate a certificate.
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
Simon,
Thanks for responding. We have discussed this one before. I purchased an SSL certificate from www.certificatesforexchange.com. They told me that the Common Name on the certificate should be mail.domain.com, since I am setting this up for Exchange. This is the same name that WSUS clients will resolve to, right? Is this valid?
Our public web site is hosted by another company. Both Exchange and WSUS are currently working.
Dale
SOLUTION
SOLUTION
ASKER
When generating the CSR what do I put in the OU field? I tried leaving it blank but the "next" button is grayed out until I put something in that field. I thought the OU field was optional?
Dale
Organisational Unit can be anything you like.
I tend to use IT Services. It is not used by many SSL certificate issuing companies, but needs to be there. The location information isn't used much either.
Simon.
--
If your question has been answered, please remember to accept the answer and close the question.
You will want to install WSUS onto a separate site (within the same server) using the other WSUS port (8530), then add the CA cert to that.
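The two expert replies above both come down to the same layout: Exchange/OWA stays on the Default Web Site with the purchased certificate and SSL required, while WSUS moves to its own IIS site on port 8530 where only the metadata web services require SSL. The script below is an added example (not code from the thread or from any of its participants) for checking that layout on the server itself. It reads the IIS 6 metabase through ADSI, which PowerShell on Windows Server 2003 can do without the later WebAdministration module, lists each site's HTTP and HTTPS bindings, and for the site bound to the WSUS port reports which virtual directories require SSL. Assumptions: it runs locally as an administrator; the port (8530) is taken from the replies above; the virtual-directory names (Content, SelfUpdate) and the rule that update binaries must stay on plain HTTP are taken from the WSUS documentation and the ebook quote in the question, not from this thread; mail.domain.com is the certificate Common Name the asker mentioned.

```powershell
# Added example, not from the thread. Inspects the IIS 6 metabase via ADSI on
# the Exchange/WSUS server and reports SSL settings per site and per WSUS vdir.
# Written for PowerShell 2.0 on Windows Server 2003 (no -in operator, no
# WebAdministration module). Assumed values are marked as such.

param(
    [int]$WsusPort = 8530,                          # assumed from the replies above
    [string]$CertificateName = "mail.domain.com"    # assumed: CN on the purchased cert
)

# Metabase AccessSSLFlags bit values: 8 = AccessSSL ("Require secure channel"),
# 256 = AccessSSL128 (require 128-bit). Only the first bit matters here.
$ACCESS_SSL = 8

# Virtual directories that serve update binaries or the self-update package.
# WSUS downloads these over plain HTTP; requiring SSL on them is exactly the
# failure the ebook quoted in the question describes. (Names assumed from WSUS docs.)
$plainHttpOnly = @("Content", "SelfUpdate")

function Get-MultiValue($entry, $name) {
    # Multi-valued metabase strings come back as a single string or an object[];
    # normalise to an array so we can split and join uniformly.
    $v = $entry.Properties[$name].Value
    if ($null -eq $v) { return @() }
    return @($v)
}

$w3svc = [ADSI]"IIS://localhost/W3SVC"

foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne "IIsWebServer") { continue }

    $comment  = $site.Properties["ServerComment"].Value
    $bindings = Get-MultiValue $site "ServerBindings"   # "IP:port:hostheader"
    $secure   = Get-MultiValue $site "SecureBindings"   # "IP:port:" for SSL listeners
    $ports    = $bindings | ForEach-Object { ($_ -split ":")[1] }
    $siteFlags = [int]$site.Properties["AccessSSLFlags"].Value

    Write-Output ("Site {0} ({1}): HTTP [{2}] HTTPS [{3}] RequireSSL={4}" -f `
        $site.Name, $comment, ($bindings -join ","), ($secure -join ","),
        (($siteFlags -band $ACCESS_SSL) -ne 0))

    if ($ports -notcontains "$WsusPort") { continue }

    # This is the WSUS site: walk its root and show the SSL requirement per vdir.
    $root = [ADSI]("IIS://localhost/W3SVC/{0}/Root" -f $site.Name)
    foreach ($vdir in $root.Children) {
        if ($vdir.SchemaClassName -ne "IIsWebVirtualDir") { continue }
        $flags = [int]$vdir.Properties["AccessSSLFlags"].Value   # inherited value if unset
        $requiresSsl = ($flags -band $ACCESS_SSL) -ne 0
        $note = ""
        if ($requiresSsl -and ($plainHttpOnly -contains $vdir.Name)) {
            $note = "   <-- must NOT require SSL; clients fetch update files here"
        }
        Write-Output ("   /{0,-22} RequireSSL={1}{2}" -f $vdir.Name, $requiresSsl, $note)
    }

    # The certificate only validates if clients address the server by its CN,
    # so the WSUS client policy (WUServer) has to use that same name.
    Write-Output ("   WSUS clients should target https://{0}:{1} once SSL is on" -f `
        $CertificateName, $WsusPort)
}
```

Run it after WSUS has been reinstalled onto its own site and the certificate has been bound. Expect the Default Web Site to show a :443: entry under HTTPS and RequireSSL=True, the 8530 site to show RequireSSL=False at site level with only the web-service vdirs set to True, and no line carrying the "must NOT require SSL" marker; if Content shows True, "Require secure channel" has been set on the whole site rather than on the individual web services.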