How do I get SonicWall to use the SSL from Exchange 2007 so Outlook Anywhere and Autodiscover work?

Hi,

I could really use some help with this... hopefully, I can explain this right...
We've got an Exchange 2007 server where OWA, Autodiscover and Outlook Anywhere all work fine. That is, they work from inside the network. (Yeah, really useful.) I've installed SSL, I've configured DNS, and if I try to access these services with the "external" address https://hostname.domain.com, then a browser will recognize the SSL certificate just fine. The problem is that if someone is on the outside, that is, outside the SonicWall, and they try to access OWA, then we have been getting that all-too-well-known "there is a problem with this website's security certificate." Yeah, it's like the SSL certificate doesn't even exist. I was checking everything, but it dawned on me that it's working on the inside of the network. So, I tried an Outlook Anywhere setup from outside, and it found a certificate, and guess what it was? It was a SonicWall one from site 192.168.168.168. (Will sound familiar to SonicWall techs.) I'm just betting that someone out there knows exactly what the deal is here. It seems to me that I need to use SSL on the SonicWall or chain it or something... Btw, the SonicWall actually has the IP (on its WAN) corresponding to the DNS name of the e-mail server. It's on the MX record, and the SSL. So, this probably won't be too complex for someone, but I'm kinda at a loss at this point... Thanks for any help.
gs-rho Asked:
 
Cas Krist Commented:
You can run SSLVPN on another port if you wish.
You should disable web management on the WAN port, or if you really want web management, you can change the port for this service. Go to 'network', 'services' and change the port for the 'https management', which is now 443, to for example 4443. (first make a backup of your settings!!!)
0
 
Cas Krist Commented:
Either SSLVPN is turned on on the Sonicwall, or remote https management (on the WAN interface) is on. I guess the latter.
Pls let us know which Sonicwall you are using and what OS you are running, Standard or Enhanced!
0
 
Cas Krist Commented:
Properties of WAN-interface (with SonicOS Enhanced), see picture.
wan-interface.png
0
 
gs-rho Author Commented:
TZ 210
SonicOS Enhanced 5.3.0.1-17o

So, you're thinking that there might be a service using SSL that is turned on, on the SonicWall? I haven't gotten into using the SSL much on it, so not that familiar with the features or considering that possibility... let me know what you think... but it does lead me to wonder if any solution to this issue might lead me to not be able to use SSL VPN. That's probably not ideal, as I was hoping to check out SSL VPN soon. But if I have to pick one for now, I do want to get the present questions solved... my thoughts for this moment, anyway...

As I said, I don't know a lot about SSL VPN yet, but if I go to SSL VPN > Client settings, it says: "Red indicates inactive SSLVPN status" ... and all zones are red.

Under System >  Administration > web management settings  ... I do see that HTTPS management is on  (Guess I didn't really have to look it up). When you mentioned it, I remembered... however, I was not as familiar with the settings there for SSL certificates, and the SonicWall self-signed cert in place currently. I see that it says there that I can import a certificate.

Sounds promising. I should probably give that a try.

Any thoughts on my being able to use SSL VPN, in the future, if I continue to pursue this setup? Probably not an issue. It's probably simply this self-signed cert that is the issue...
 
0
 
Cas Krist Commented:
You should not try to import the certificate on the sonicwall!!!!
0
 
Cas Krist Commented:
By the way, you can also change the web management port (HTTPS) on the page you mentioned. Under "Web management settings", "HTTPS port".
0
 
Cas Krist Commented:
I'll try to explain what is going on:
You can't run the same service (ports) on the same ip address twice. What you are trying to do is use port 443 for OWA and port 443 for HTTPS webmanagement for the Sonicwall (both on the same ip address). You have to choose which service you want to offer, I would prefer to use 443 for OWA and use another port for webmanagement for the Sonicwall (e.g. 4443).
It has nothing to do with the certificate.
0
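An added example, not part of the thread and not code from either poster: a check that shows which device answers on each WAN port by comparing the certificate it presents with the one installed on Exchange. The file name `exchange.pem` (the certificate exported from the Exchange server), the function names, and the use of the question's placeholder hostname are assumptions; 4443 is the example management port from the comment above.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def presented_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the certificate a listener presents, without validating it.

    Validation is off on purpose: the goal is to identify a self-signed
    certificate, which a validating handshake would simply reject.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def who_answers(host, ports, exchange_pem, fetch=presented_cert):
    """Map each port to 'exchange', 'other-device' or 'unreachable'."""
    expected = fingerprint(ssl.PEM_cert_to_DER_cert(exchange_pem))
    verdicts = {}
    for port in ports:
        try:
            seen = fingerprint(fetch(host, port))
        except OSError:  # refused, timed out, or TLS handshake failure
            verdicts[port] = "unreachable"
            continue
        verdicts[port] = "exchange" if seen == expected else "other-device"
    return verdicts


if __name__ == "__main__":
    # Assumptions: placeholder hostname from the question, Exchange
    # certificate exported to exchange.pem, 4443 as the relocated
    # management port suggested in the thread.
    with open("exchange.pem") as fh:
        pem = fh.read()
    verdicts = who_answers("hostname.domain.com", [443, 4443], pem)
    for port, verdict in verdicts.items():
        print(port, verdict)
```

Run from outside the firewall, 443 reporting `other-device` matches the symptom in the question; after the management port is moved, 443 should report `exchange`.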
 
gs-rho Author Commented:
Okay, that makes sense about running both services on that same address/port. Guess I should've picked up on that.
So, even if I change ports for the SonicWall web management, I should not import the commercial cert on the SonicWall, right? It should just keep its own?

Thanks!
0
 
Cas Krist Commented:
No, do not import the cert on the Sonicwall, your server should handle this.
The Sonicwall keeps its own self-signed certificate.
0
 
Cas Krist Commented:
I do not know if you already took care of the NAT policies and firewall rules? You should run the public server wizard.
0
 
gs-rho Author Commented:
Sounds good.
Yeah, I actually did run the public server wizard. It seems to be functioning fine in that area. I'll change the port for web management, sometime today, and see if everything falls into place with this matter.
0
 
Cas Krist Commented:
OK, good luck, let us know please.
0
 
gs-rho Author Commented:
Btw, when you suggested using the public server wizard, did you just mean for OWA? Or did you mean for the Web Management? Do I simply change the port number on Administration > Web Management?
Thanks. Haven't had any reason to change that before.
0
 
Cas Krist Commented:
I meant just for OWA.
0
 
Cas Krist Commented:
The port for web administration of the sonicwall can be changed the way you indicate:
Administration > Web Management (only the port for HTTPS).
But remember the port!
0
 
gs-rho Author Commented:
Okay, that's what I thought you meant, but wanted to make sure.
0
 
gs-rho Author Commented:
That worked out great! Thanks a lot, caskrist!
0
 
Cas Krist Commented:
You're welcome, good luck and thanks for the points!
0
Question has a verified solution.
