jmylett

How do I make Exchange 2003, OWA, and POP all work with SSL

My old Exchange 2003 server was migrated to new hardware. Since then we have had issues with the new SSL certificate. As it stands users are unable to log on to OWA without having to reject the certificate. Also POP and RPC over HTTP do work without VPNing into the office. The contractors who performed the Exchange migration said they were unable to keep the same username, so the server name was changed, which prompted me to renew my Verisign certificate. Once I installed it users were able to log on to OWA via mail.domain.com, and for me to make RPC users work I would have to VPN to the office from the user's laptop, set up RPC, and Outlook would work once disconnected. And with POP I had to disable SSL on incoming and leave it enabled on outgoing so that POP connections were allowed. How would I ultimately resolve these problems? Is there a way to resolve SSL issues without having to receive another SSL certificate from Verisign?
Sembee

First of all, the contractors who told you about the SSL certificate were wrong.
Your existing certificate will work fine, you just need to ensure that the name on the certificate resolves correctly.

The best practice is to use a name that does NOT belong to any machine in particular. So if the server's name is exch.domain.com then your certificate is in the name of mail.domain.com.
As long as mail.domain.com resolves to the server, Exchange doesn't care what the URL is.

With POP3 connections, you need to ensure that you install the SSL certificate on to the POP3 virtual server AND that the name your clients are using is the same name as on the certificate.

When you use OWA and get the certificate prompt - which element is it failing on?

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
jmylett

ASKER

"The security certificate presented by this website was issued for a different website's address"

That's what the OWA message says. Our old Exchange server has not been reformatted yet; is it possible to get the Verisign certificate from that one and edit it? Or, from what I've read, it's possible to create my own; would that be the best idea? The users cannot use Outlook for POP and RPC over HTTPS, and the only reason OWA is still accessible is because it's able to be bypassed.
Sembee

Creating your own certificate is not a good idea, as that will always generate an error unless you import the certificate on to the machine. When users use a new machine it will generate a warning. I think the warnings are unprofessional and should not be accepted. I also believe they are a security risk.

The message you are getting means that you have browsed to https://server.domain.com/ when the certificate is issued to https://mail.domain.com/ 

Both POP and RPC over HTTPS cannot cope with the SSL prompts so would fail for that reason.

Therefore you have two options.

1. You need to configure DNS both internally and externally so that the name on the SSL certificate resolves to the correct server.

2. A new certificate is generated for the external name.

If you are going down the new certificate route, then I would suggest a generic name that isn't the same as any server you already have so that you can move the certificate around and adjust the DNS, without having to worry about the server's real name.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
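The failure Simon describes above is purely a name-matching problem: the client connects to one host name, the certificate carries another, and OWA warns while POP3 and RPC over HTTPS simply fail. The script below is an added example (not code from the thread or from Exchange) that shows the check a client performs. It implements a simplified RFC 6125 match (SAN dNSName entries, falling back to the subject CN when there is no SAN, plus a single left-most wildcard label) against certificate dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`. The two certificates and the names `mail.domain.com` and `servername.domain.com` are constructed placeholders taken from the thread; `probe()` and `probe_smtp_starttls()` are optional live checks that need network access.

```python
"""Does the name a mail client uses match the name on the server's TLS
certificate?  Added example; the certificates below are constructed."""
import socket
import ssl
import smtplib

# Constructed: what getpeercert() returns for a certificate issued only to
# mail.domain.com with no Subject Alternative Name (typical of the era).
CERT_MAIL = {
    "subject": ((("commonName", "mail.domain.com"),),),
}

# Constructed: a certificate that lists both names in its SAN extension.
CERT_SAN = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"),
                       ("DNS", "servername.domain.com")),
}


def cert_names(cert):
    """Names a client may connect with: SAN dNSNames if present, otherwise
    the subject commonName (the pre-SAN fallback browsers still honoured)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """True if pattern ('mail.domain.com' or '*.domain.com') covers hostname.
    Only a whole left-most label may be a wildcard, and it matches one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*":
        return False
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def hostname_ok(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def explain(cert, hostname):
    """One-line verdict, mirroring the OWA warning quoted in the thread."""
    names = ", ".join(cert_names(cert))
    if hostname_ok(cert, hostname):
        return "OK: %s is covered by certificate name(s) %s" % (hostname, names)
    return ("MISMATCH: clients connect to %s but the certificate was issued for %s; "
            "either make that name resolve to this server in internal and external "
            "DNS, or reissue the certificate for the name clients use"
            % (hostname, names))


def probe(hostname, port, timeout=5):
    """Live implicit-TLS check (OWA on 443, POP3S on 995); needs network.
    The default context enforces hostname matching itself, so a mismatch
    surfaces as ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return explain(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as err:
        return "MISMATCH or untrusted issuer on %s:%d: %s" % (hostname, port, err)


def probe_smtp_starttls(hostname, port=25, timeout=5):
    """Live STARTTLS check for an SMTP virtual server; needs network."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(hostname, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)  # raises on a name or trust failure
        return explain(smtp.sock.getpeercert(), hostname)


if __name__ == "__main__":
    # Offline demonstration with the constructed certificates.
    for cert, label in ((CERT_MAIL, "CN-only cert"), (CERT_SAN, "SAN cert")):
        for name in ("mail.domain.com", "servername.domain.com"):
            print(label, "->", explain(cert, name))
    # Uncomment for a live check once DNS points mail.domain.com at the server:
    # for port in (443, 995):
    #     print(probe("mail.domain.com", port))
    # print(probe_smtp_starttls("mail.domain.com"))
```

Running the offline part prints a MISMATCH for `servername.domain.com` against the CN-only certificate and OK for both names against the SAN certificate, which is exactly the difference between option 1 (fix DNS so clients use `mail.domain.com`) and option 2 (reissue for the name clients actually type). The live probes use the same rule a real client applies, so a clean result from all three services means OWA, POP3 and RPC over HTTPS will no longer trip on the certificate name.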
jmylett

ASKER

I've received my certificate from Verisign and applied it to 'Default Sites' in IIS, and that has solved the OWA SSL issue. I also went in and replaced the POP virtual server's certificate with that one as well. When I enable SSL on the incoming POP setting it works fine, but outgoing errors out and says 'Your server does not support the encryption type you verified'. I disable it and it's fine.

As for RPC, when I edit the Exchange settings and insert mail.domain.com (which is the name on the Verisign cert) and then the account name, it says 'The action is completed. The connection to Microsoft Exchange is unavailable'. What was there before was servername.domain.com, because I would connect all my users to VPN to set up the RPC and then it would work like it should once it's disconnected.

Is there a step I left out as far as placement of the SSL certificate, or should the issues with the POP outgoing server and RPC not connecting have been resolved when I applied the certificate?
ASKER CERTIFIED SOLUTION
Sembee

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
jmylett

ASKER

Ahh, I see! So once I enable the certificate on the SMTP virtual server, will this require a change on all of the POP clients? Seems like it would; however, I want to verify before I take that step.
jmylett

ASKER

I have recently uncovered Sembee's identity. He's a machine using leading-edge AI to successfully answer these questions, and he saved my job! ... for now :) Thanks!