Setting up SSL for Exchange and WSUS when both are installed to the default web site

Hi Experts,

I have two Windows 2003 servers, one is an Exchange 2003 server and the other is a Domain Controller. The Exchange server is also running WSUS. All clients are Windows XP and 2000. All computers on the network are running behind my router/firewall in a private IP address range. I only have one public IP address, which is configured on my router along with my ISP's DNS servers.

I had to open port 80 to get OWA to work. I want to install an SSL certificate to lock down Exchange. I opened port 443 on my router. I purchased a certificate. Once the certificate is installed and working I plan to close port 80. I would also like to secure WSUS using the same certificate, if possible. My priority is closing port 80 and keeping OWA working.

My problem is in IIS: both Exchange and WSUS are using the default web site. I found the following information in an ebook about WSUS:

You cannot set up the entire WSUS Web site to require SSL. This would mean that all traffic to the WSUS site would have to be encrypted, but WSUS encrypts only update metadata. If a client computer or another WSUS server attempts to get update files from WSUS on the HTTPS port, the transfer will fail.

I made this discovery while attempting to generate a CSR for the web site. How can I make this work? Will WSUS need to be set up on a different web site?

Asked by: DaleFrazier

4 Solutions

shawshanked Commented:
Why would you want to use the same cert for both? If you are using WSUS, you could generate a cert for that using an internal CA. Since I imagine you are servicing domain members, there wouldn't be a huge problem.

You will want to install WSUS onto a separate site (within the same server) using the other WSUS port (8530), then add the CA cert to that.
DaleFrazier (Author) Commented:
1. Let's say all I want to do is set up SSL for Exchange. I would still need to uninstall WSUS and reinstall it on a different web site, right?

2. I don't have an internal CA.
shawshanked Commented:
I would move WSUS to another site, yes. You will want to uninstall and reinstall. The WSUS database will still be intact. It will make a new site using the 8530 port.

Do you want SSL on WSUS? You can install a CA within a domain controller and generate a certificate.
Sembee Commented:
If the SSL certificate is on the same web site then you don't have to do anything to WSUS. Just adjust the clients to use https://host.domain.com instead of http://host.domain.com

Don't uninstall WSUS, don't change its web site.
I run WSUS and Exchange together on numerous servers. It is one of my favourite techniques as it allows WSUS to work for mobile users as well.

Simon.
Sembee Commented:
Just re-reading the question, I think the reference you have seen is to the setting "Require SSL". Do not enable that on the entire site as it will also break Exchange. Once you have the SSL certificate in place, simply close port 80. Everything will run through 443 quite happily.

Simon.
DaleFrazier (Author) Commented:
Simon,

Thanks for responding. We have discussed this one before. I purchased an SSL certificate from www.certificatesforexchange.com. They told me that the Common Name on the certificate should be mail.domain.com, since I am setting this up for Exchange. This is the same name that WSUS clients will resolve to, right? Is this valid?

Our public web site is hosted by another company. Both Exchange and WSUS are currently working.

Dale
Sembee Commented:
When you set up the WSUS clients, configure the server address as mail.domain.com.
Ensure that mail.domain.com resolves internally to the internal IP address of the server. WSUS doesn't care what the address is, as long as it resolves.

Simon.
Sembee Commented:
This is lifted directly from a workstation that points to a combo WSUS/OWA Server:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000001
"WUServer"="https://owa.domain.net"
"WUStatusServer"="https://owa.domain.net"
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Workstations"

Group Policy will do that for you, but it shows the host name using SSL.

Simon.
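As an added example (not code from the thread), here is a small Python checker for the client-side policy that the registry export above illustrates: it parses the .reg export format, confirms that both WSUS URLs use https so the clients keep working once port 80 is closed, and confirms the URL host matches the certificate Common Name that Dale asked about. The host name, target group and CN are constructed placeholders, and the CN check assumes an exact match rather than a wildcard certificate.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the registry export posted above; the
# host name, group name and certificate CN below are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000001
"WUServer"="https://mail.domain.com"
"WUStatusServer"="http://mail.domain.com"
"TargetGroupEnabled"=dword:00000001
"TargetGroup"="Workstations"
'''
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from a .reg export (string and dword values)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip('"')
    return keys

def audit_wsus_policy(text, cert_common_name):
    """List problems that would break WSUS clients on an SSL-only host; empty means
    the policy matches certificate CN cert_common_name (exact match, no wildcards)."""
    values = parse_reg(text).get(WU_KEY, {})
    findings, hosts = [], set()
    for name in ("WUServer", "WUStatusServer"):
        url = values.get(name)
        if url is None:
            findings.append(f"{name} is not set")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{name} uses {parts.scheme}; it breaks once port 80 is closed")
        # clients reject the certificate unless the URL host matches its CN
        if parts.hostname != cert_common_name.lower():
            findings.append(f"{name} host {parts.hostname} does not match CN {cert_common_name}")
        hosts.add(parts.hostname)
    if len(hosts) > 1:
        findings.append("WUServer and WUStatusServer point at different hosts")
    return findings
```

Run it against a `reg export` of the WindowsUpdate policy key from a client (or the GPO-applied values) before closing port 80, with the CN taken from the certificate you installed on the default web site.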
DaleFrazier (Author) Commented:
When generating the CSR, what do I put in the OU field? I tried leaving it blank but the "Next" button is grayed out until I put something in that field. I thought the OU field was optional?

Dale
Sembee Commented:
Organisational Unit can be anything you like.
I tend to use IT Services. It is not used by many SSL certificate issuing companies, but needs to be there. The location information isn't used much either.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.