Exchange Server 2003 OWA certificate

Hi All,
  I am planning to install certificate services on a server, so that users will access OWA using https. I intend to install the CA on a member server that is NOT the Exchange server.
My questions are:
1) Can I install a stand-alone CA instead of Enterprise root CA ?
2) Will I need to advise users to use https instead ? When they enter http://server/exchange will both internal and external users be automatically redirected to https ?
Asked by: anarine
 
i2q2 Commented:
Yes, you can install a stand-alone CA. The users may need to install the public key and trust the certificate so that the browser does not keep prompting them to trust the certificate. You can redirect http requests to http; however, you have to do some configuration for this to happen. Better still, just allow https through the firewall for all external users.
 
Rajith Enchiparambil (Office 365 & Exchange Architect) Commented:
1) Can I install a stand-alone CA instead of Enterprise root CA ?

Yes

2) Will I need to advise users to use https instead ? When they enter http://server/exchange will both internal and external users be automatically redirected to https ?

Users will have to use https. Or else you will have to configure the re-direct.
 
anarine (Author) Commented:
What is the disadvantage / advantage of a stand-alone CA?

I know users will be prompted that the site cannot be trusted because they don't have the site in the list of trusted root CAs in the browser. Any way to get around that to have the users go directly to OWA without any warnings?

 
scriptaholic Commented:
Only by using a fully recognised trusted root certificate will you get past the new IE warnings to that effect. Using a stand-alone cert has no real downside other than the user perception that something is wrong when they get a certificate warning when they go to the https site.

I have stand-alone certs on my servers (std 2003 & R2) and often have to explain to users that the warning is normal.

You can only avoid this error by manually adding it to the trusted root certificate store on the connecting computer, or having a true certificate issued by a trusted authority.

From experience, I'm converting my servers to true certificates and paying for them, as this does eliminate the error and saves a lot of support calls for the cost of a certificate.
 
anarine (Author) Commented:
When you say pay for a true certificate, do you mean third party?

Should I go with an enterprise root CA instead of stand-alone? Will that get rid of the warnings?

Can I use Group Policy to distribute the certificates to clients and also add the CA to trusted authorities in the browser?
 
i2q2 Commented:
For any certificate to be trusted, the public key of that certificate must be available in the trusted certificates list for the browser. When the Windows OS is installed, it adds certain vendors' certificates as trusted (e.g. Verisign). So in your case, when you use an internal CA, the certificates are not available by default and have to be added to the clients. You could do this very easily for internal hosts, but the difficulty is getting it installed on the machines of people who will access the site from the Internet. A simple alternative would be to go for a certificate from an external vendor (e.g. Thawte) and save yourself the trouble of distributing the public key. This will involve a small cost but will save you a lot of effort.
 
georgestark Commented:
You can install the cert on all computers via Group Policy, very easy.
Just make sure when you create the cert server you get the public https address right.
Whatever the user connects to, i.e. https://webmail.mydomain.com, the cert should be webmail.mydomain.com.
 
anarine (Author) Commented:
If I install an enterprise certificate CA, if the CA later fails, will that cause problems?

If certificates are installed, will clients also need certificates for file sharing, printing and internet access as well? I am hoping the certificates would only apply to the Exchange server and nothing else.
 
i2q2 Commented:
The CA need not be online all the time, so a temporary for some time is OK. The use of the certificate itself depends on the purpose it is issued for. In your case, just to access emails through https, the clients need to install the public key and nothing else. If you want to enable email encryption and file encryption through PKI, then the clients need to have certificates issued for this purpose.
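
The trust behaviour described in the answers above, reproduced with OpenSSL as an added example that is not part of the original thread: a certificate issued by a private root is rejected until the client trusts that root, and is still rejected when the name in the URL differs from the name in the certificate. The scratch directory, the CA name and `server01.mydomain.local` are constructed for the demonstration; OpenSSL stands in for the Windows certificate store.

```shell
#!/usr/bin/env bash
# Added example on constructed lab data; every name and key here is made up.
LAB=$(mktemp -d)    # scratch directory for the throwaway keys and certificates

# Build a private root (standing in for the stand-alone CA) and issue an SSL
# certificate for the host name users will type into the browser ($1).
make_lab_pki() {
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_root]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$LAB/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$LAB/req.cnf" \
    -extensions v3_root -subj "/CN=Constructed Standalone Root CA" \
    -keyout "$LAB/root.key" -out "$LAB/root.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/req.cnf" \
    -subj "/CN=$1" -keyout "$LAB/owa.key" -out "$LAB/owa.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$LAB/san.cnf"
  openssl x509 -req -in "$LAB/owa.csr" -days 30 -CA "$LAB/root.pem" \
    -CAkey "$LAB/root.key" -CAcreateserial -extfile "$LAB/san.cnf" \
    -out "$LAB/owa.pem" 2>/dev/null
}

# Succeeds only when the chain ends in a trusted root AND the name matches.
# $1 = host name the user connects to
# $2 = root CA file the client trusts (omit to model a client without it)
client_accepts() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -verify_hostname "$1" "$LAB/owa.pem" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$1" "$LAB/owa.pem" >/dev/null 2>&1
  fi
}

report() {  # $1 = label, remaining arguments are passed to client_accepts
  label=$1; shift
  if client_accepts "$@"; then echo "$label: accepted"; else echo "$label: warning"; fi
}

make_lab_pki webmail.mydomain.com
report "root not installed"           webmail.mydomain.com
report "root installed, name matches" webmail.mydomain.com "$LAB/root.pem"
report "root installed, wrong name"   server01.mydomain.local "$LAB/root.pem"
```

The third case is why the certificate has to be requested for the public name: installing the root on every client does not help if users connect with a different host name than the one in the certificate.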