Exchange Server 2003 OWA certificate

Hi All,
  I am planning to install certificate services on a server, so that users will access OWA using https. I intend to install the CA on a member server that is NOT the Exchange server.
My questions are:
1) Can I install a stand-alone CA instead of Enterprise root CA ?
2) Will I need to advise users to use https instead ? When they enter http://server/exchange will both internal and external users be automatically redirected to https ?
anarineAsked:

i2q2Commented:
Yes, you can install a Stand-alone CA. The users may need to install the Public Key and trust the certificate so that the browser does not keep prompting them to trust the certificate. You can redirect http requests to http, however you have to do some configurations for this to happen. Better still, just allow https thru firewall for all external users.
0
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
1) Can I install a stand-alone CA instead of Enterprise root CA ?

Yes

2) Will I need to advise users to use https instead ? When they enter http://server/exchange will both internal and external users be automatically redirected to https ?

Users will have to use https. Or else you will have to configure the re-direct.
0
anarineAuthor Commented:
What is the disadvantage / advantage of stand alone CA ?

I know users will be prompted that the site cannot be trusted because they don't have the site in the list of trusted root CAs in the browser. Any way to get around that to have the users go directly to OWA without any warnings ?
0

scriptaholicCommented:
Only using a fully recognised trusted root certificate will you get past the new IE warnings to that effect. Using a stand alone cert has no real downside other than the user perception that something is wrong when they get a certificate warning when they go to the https site.

I have standalone certs on my servers (std 2003 & r2) and often have to explain this to users that the warning is normal.

You can only avoid this error by manually adding it to the trusted root certificate store on the connecting computer, or having a true certificate issued by a trusted authority.

From experience, I'm converting my servers to true certificates and paying for them as this does eliminate the error and saves a lot of support calls for the cost of a certificate.
0
anarineAuthor Commented:
When you say pay for a true certificate do you mean third party ?

Should I go with an enterprise root CA instead of stand alone ? Will that get rid of the warnings ?

Can I use group policy to distribute the certificate to clients and also add the CA to trusted authorities in the browser ?
0
i2q2Commented:
For any certificate to be trusted, the Public Key of that certificate must be available in the trusted certificates list for the browser. When Windows OS is installed it adds certain vendors' certificates as trusted (e.g. Verisign). So in your case, when you use an internal CA the certificates are not available by default and have to be added to the clients. You could do this very easily for internal hosts, but the difficulty is getting it installed on machines of people who will access the site from the Internet. A simple alternative will be to go for a certificate from external vendors (e.g. Thawte) and save yourself the trouble of distributing the Public Key. This will involve a small cost but will save you a lot of effort.
0
georgestarkCommented:
You can install the cert on all computers via Group Policy, very easy.
Just make sure when you create the cert server you get the public https address right.
Whatever the user connects to, i.e. https://webmail.mydomain.com, the cert should be webmail.mydomain.com
0
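The point made above about the certificate name matching the address users connect to, as an added example that is not part of the original thread: it checks which URLs would trigger a name-mismatch warning for a given certificate. The certificate dictionaries and the short internal name `server` are constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
from urllib.parse import urlsplit

# Constructed sample data in the dict shape returned by ssl.SSLSocket.getpeercert().
CERT_CN_ONLY = {"subject": ((("commonName", "webmail.mydomain.com"),),)}
CERT_WITH_SANS = {
    "subject": ((("commonName", "webmail.mydomain.com"),),),
    "subjectAltName": (("DNS", "webmail.mydomain.com"), ("DNS", "server")),
}
# URLs users might type: the public name from the thread and the short internal name.
URLS = ["https://webmail.mydomain.com/exchange", "https://server/exchange"]


def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN.
    The CN fallback is legacy behaviour; current browsers only read SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; a left-most '*' label stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def mismatched_urls(cert, urls):
    """Return the URLs whose host is not covered by any name in the certificate."""
    names = cert_dns_names(cert)
    return [u for u in urls
            if not any(name_matches(n, urlsplit(u).hostname) for n in names)]


if __name__ == "__main__":
    print(mismatched_urls(CERT_CN_ONLY, URLS))    # name warning for the short name
    print(mismatched_urls(CERT_WITH_SANS, URLS))  # both names covered
```

The name check is independent of trust: adding the CA to the clients' trusted root store removes the untrusted-issuer warning, but a URL reported here would still produce a name-mismatch warning.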
anarineAuthor Commented:
If I install an enterprise certificate CA, if the CA later fails will that cause problems ?

If certificates are installed will clients also need certificates for file sharing, printing, internet access as well ? I am hoping the Certificates would only apply to the exchange server and nothing else.
0
i2q2Commented:
CA need not be online all the time so a temporary for some time is OK. The use of the certificate itself depends on the purpose it is issued for. In your case, just to access emails thru https, the clients need to install the Public Key and nothing else. If you want to enable email encryption and file encryption thru PKI then the clients need to have certificates issued for this purpose.
0

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.