DaleFrazier

Setting up SSL for Exchange and WSUS when both are installed to the default web site

Hi Experts,

I have two Windows 2003 servers; one is an Exchange 2003 server and the other is a Domain Controller.  The Exchange server is also running WSUS.  All clients are Windows XP and 2000.  All computers on the network are running behind my router/firewall in a private IP address range.  I only have one public IP address, which is configured on my router along with my ISP's DNS servers.

I had to open port 80 to get OWA to work.  I want to install an SSL certificate to lock down Exchange.  I opened port 443 on my router.  I purchased a certificate.  Once the certificate is installed and working I plan to close port 80.  I would also like to secure WSUS using the same certificate, if possible.  My priority is closing port 80 and keeping OWA working.

My problem is in IIS, both Exchange and WSUS are using the default web site.  I found the following information in an ebook about WSUS:

You cannot set up the entire WSUS Web site to require SSL. This would mean that all traffic to the WSUS site would have to be encrypted, but WSUS encrypts only update metadata. If a client computer or another WSUS server attempts to get update files from WSUS on the HTTPS port, the transfer will fail.

I made this discovery while attempting to generate a CSR for the web site.  How can I make this work?  Will WSUS need to be set up on a different web site?

shawshanked

Why would you want to use the same cert for both?  If you are using WSUS - you could generate a cert for that using an internal CA - since I imagine you are servicing domain members, there wouldn't be a huge problem.

You will want to install WSUS onto a separate site (within the same server) using the other WSUS ports (8530), then add the CA cert to that.

DaleFrazier (ASKER)

1.  Let's say all I want to do is set up SSL for Exchange.  I would still need to uninstall WSUS and reinstall it on a different web site, right?

2.  I don't have an internal CA.

I would move WSUS to another site - yes.  You will want to uninstall and reinstall.  The WSUS database will still be intact.  It will make a new site using the 8530 port.

Do you want SSL on WSUS?  You can install a CA within a domain controller and generate a certificate.

ASKER CERTIFIED SOLUTION
Sembee
Create a free account to see this answer

Simon,

Thanks for responding.  We have discussed this one before.  I purchased an SSL certificate from www.certificatesforexchange.com.  They told me that the Common Name on the certificate should be mail.domain.com, since I am setting this up for Exchange.  This is the same name that WSUS clients will resolve to, right?  Is this valid?

Our public web site is hosted by another company.  Both Exchange and WSUS are currently working.  

Dale

When generating the CSR what do I put in the OU field?  I tried leaving it blank but the "next" button is grayed out until I put something in that field.  I thought the OU field was optional?

Dale

Organisation Unit can be anything you like.
I tend to use IT Services. It is not used by many SSL certificate issuing companies, but needs to be there. The location information isn't used much either.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
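
On the Common Name question raised earlier in the thread: a certificate only validates for a client whose configured URL uses a host name the certificate carries. The following is an added example, not written by any participant in this thread; the host names `exch01` and `exch01.corp.local` and port 8531 are assumptions made up for illustration, and only `mail.domain.com` comes from the thread.

```python
from urllib.parse import urlsplit

def name_matches(host, pattern):
    """Compare one certificate name with a host, label by label, ignoring case."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    # A wildcard is honoured only as the entire left-most label.
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def cert_covers(url, common_name, san_dns=()):
    """True if the host in `url` is covered by the certificate's names.

    SAN dNSName entries take precedence; the Common Name is used only
    when the certificate carries no SAN entries.
    """
    host = urlsplit(url).hostname or ""
    names = list(san_dns) or [common_name]
    return any(name_matches(host, n) for n in names)

# Constructed sample data. The CN is the one named in the thread; the URLs
# are hypothetical values a client could be configured with, and 8531 is an
# assumed HTTPS port for a separate WSUS site.
CERT_CN = "mail.domain.com"
CLIENT_URLS = {
    "OWA from the Internet": "https://mail.domain.com/exchange",
    "WSUS client, same FQDN": "https://mail.domain.com:8531",
    "WSUS client, short server name": "https://exch01:8531",
    "WSUS client, internal FQDN": "https://exch01.corp.local:8531",
}

def report(cn=CERT_CN, urls=CLIENT_URLS):
    """Map each client description to whether the certificate covers its URL."""
    return {label: cert_covers(u, cn) for label, u in urls.items()}

if __name__ == "__main__":
    for label, ok in report().items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {label}")
```

Clients pointed at the server by a short or internal name fail the check against a certificate issued only for `mail.domain.com`, so the URL handed to WSUS clients has to use a name the certificate contains.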