Solved

How to setup SSL in Exchange Server 2003?

Posted on 2010-08-27
Last Modified: 2012-05-10
Hello,

Q1: I have an Exchange Server running on Server 2003. How can I set up SSL for Exchange mail? Is there any guide available? Currently the server address is set up as "mail.domain.com", the online access is "mail.domain.com/exchange" for Exchange and the regular web access is "mail.domain.com/oma". NOTE that this is NOT a front-end server.

Q2: How can I take a full backup of the Exchange server?

Any further information would be greatly appreciated. Thanks.
Question by:SrinathS

28 Comments
LVL 30

Accepted Solution

by:
Brad Howe earned 100 total points
ID: 33548336
Hi.
1. You can purchase a CA-signed certificate from vendors such as VeriSign, Thawte, GoDaddy, GeoTrust, etc., or you can generate your own self-signed one.
Here's a link about how to set it up:
http://www.petri.co.il/configure_ssl_on_owa.htm

http://blogs.technet.com/b/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx
2. For Exchange backups, you can again use vendor software such as Tivoli, Veritas, Acronis, or even the free NTBackup. See this MSExchange.org article on NTBackup backup and restore.
http://www.msexchange.org/tutorials/Exchange-2003-Backup-Restore-NTBACKUP.html
Cheers,
Hades666
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33548339
I also wanted to mention the MS Exchange client guide:
"It contains configuration information, such as how to secure your messaging environment, deploy the server architecture, and configure Exchange servers for your supported client access methods."
http://go.microsoft.com/fwlink/?LinkId=69702
Let us know if you have questions,
Hades666
 

Author Comment

by:SrinathS
ID: 33548364
Hi,

Thanks for the quick reply. I'm currently taking a backup of the entire Exchange server using NTBACKUP. I will try to follow the above instructions after that.
 

Assisted Solution

by:kapiltapa
kapiltapa earned 100 total points
ID: 33548567
To set up SSL on a server:

1. In IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the Web site or file that you want to protect with SSL, and then click Properties.
2. Under Web site identification, click Advanced.
3. In the Advanced Web site identification box, under Multiple identities for this Web site, verify that the Web site IP address is assigned to port 443 (the default port for secure communications), and then click OK. Optionally, to configure more SSL ports for this Web site, click Add under Multiple identities of this Web site, and then click OK.
4. On the Directory Security tab, under Secure communications, click Edit.
5. In the Secure Communications box, select the Require secure channel (SSL) check box.

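The same IIS 6 settings as the click-through above, applied from the command line so they can be repeated and read back. This is an added example, not code from the thread or from Microsoft's guides: it uses IIS 6's own adsutil.vbs, assumes the Default Web Site is site 1 (W3SVC/1), and assumes the stock Exchange 2003 virtual directory names; change $site and $vdirs if your server differs. One caveat worth knowing before flipping the flag on /Exchange: on a single Exchange 2003 server with no front end, Exchange ActiveSync and OMA reach the mailbox through the /Exchange virtual directory over plain HTTP, so requiring SSL (or forms-based authentication) there breaks them. Microsoft KB 817379 describes the workaround (a second virtual directory, conventionally named exchange-oma, without the SSL requirement, referenced from the registry). That is worth ruling out before concluding a certificate is at fault.

```powershell
# Added example, not from the original thread. Requires SSL on the Exchange 2003
# web virtual directories with IIS 6's adsutil.vbs and reads the result back.
# Assumptions: Default Web Site is W3SVC/1; stock Exchange 2003 vdir names.
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'
$site    = 'W3SVC/1'
$vdirs   = 'Exchange', 'Public', 'Exchweb', 'OMA', 'Microsoft-Server-ActiveSync'

# Step 3 of the procedure above: the site needs a 443 identity before
# "Require SSL" can do anything. A default install shows ":443:" here; an empty
# list means no SSL binding, and browsers get "page cannot be displayed".
Write-Host "== SecureBindings on $site =="
cscript //nologo $adsutil GET "$site/SecureBindings"

# Steps 4-5: AccessSSL is the "Require secure channel (SSL)" check box and
# AccessSSL128 is "Require 128-bit encryption". Setting them per virtual
# directory (not on the site root) lets you leave an individual path on plain
# HTTP where a client needs it, as the KB 817379 workaround does.
# A vdir that does not exist on this server just produces a "path not found"
# error from adsutil and is otherwise skipped.
foreach ($vdir in $vdirs) {
    $path = "$site/ROOT/$vdir"
    cscript //nologo $adsutil SET "$path/AccessSSL"    TRUE
    cscript //nologo $adsutil SET "$path/AccessSSL128" TRUE
}

# Read back to confirm. Expected per line: "AccessSSL : (BOOLEAN) True"
# and "AccessSSL128 : (BOOLEAN) True".
foreach ($vdir in $vdirs) {
    Write-Host "== $vdir =="
    cscript //nologo $adsutil GET "$site/ROOT/$vdir/AccessSSL"
    cscript //nologo $adsutil GET "$site/ROOT/$vdir/AccessSSL128"
}
```

Run it from an elevated PowerShell prompt on the Exchange server. No IIS restart is needed; metabase changes made through adsutil take effect on the next request, which is also why a read-back is the reliable way to confirm them rather than re-opening the property sheet.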
 

Author Comment

by:SrinathS
ID: 33549271
Hi,

Can I get a trusted SSL certificate from a 3rd-party vendor for the mail server, like "mail.domain.com"? Currently we are hosting "domain.com" on another server with a different A record for the domain. I think it won't affect the SSL installation for the mail server.

In the setup steps, can I type "mail.domain.com" instead of the sample "mail.contoso.com" or similar address?
 
LVL 3

Assisted Solution

by:Ardiseis
Ardiseis earned 250 total points
ID: 33549312
With SSL certs you can have a single SSL cert for each subdomain, i.e. www.abc.com can have one cert and mail.abc.com can have another.
Whether it is on the same server as a different site or on a different server does not matter; as long as the host headers for the site and the URL directing the user to the site match the FQDN of the SSL cert, you are good.
 
LVL 30

Assisted Solution

by:Brad Howe
Brad Howe earned 100 total points
ID: 33549638
Hi,
Yes, you can install an SSL certificate on any site. domain.com and mail.domain.com can be different servers and have different IPs as well.
You could also have domain.com and mail.domain.com on the same server, even in the same site. To set this up you would use web host headers.
-Hades666
 

Author Comment

by:SrinathS
ID: 33549679
Hi,

I found that an SSL certificate was installed by our previous tech team, but they didn't activate it (the 128-bit encryption option was not enabled). When I try to apply the option it shows me a window. I didn't understand it. I attached the screenshot. I would appreciate it if anyone can guide me on this.

Thanks to all!
1.JPG
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33550007
In IIS Manager click on Server Certificate; you should have the option to choose an existing one or create a new request. -Hades666
 
LVL 3

Expert Comment

by:Ardiseis
ID: 33551113
You want to click OK so the sub-sites for Outlook Web Access and RPC over HTTPS, along with other Exchange functions, will work with SSL; that is the simplified answer to your screenshot post.
 

Author Comment

by:SrinathS
ID: 33551138
Okay. The existing SSL certificate is not properly installed. I will delete it and create a new certificate tonight. I will update this question if I encounter any issues. Thanks!
 
LVL 3

Expert Comment

by:Ardiseis
ID: 33551185
For any troubleshooting after the new SSL cert is installed, create a dummy account on your server and use https://www.testexchangeconnectivity.com. As it warns, please do not use a live client account, and disable or delete the test account when finished.
 

Author Comment

by:SrinathS
ID: 33617094
I've rescheduled this to coming Friday. Thanks.
 

Author Comment

by:SrinathS
ID: 33655842
Hello All,

I'm able to install the self-signed SSL certificate by following this tutorial: http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

When I verify it by typing https://exchange/exchange, it works! I mean, I'm able to log in to Exchange and I can see the secure lock icon in the status bar.

BUT, when I try to access
https://mail.testdomain.com/owa
https://mail.testdomain.com/exchange

More details:
Internal Exchange Name (local): EXCHANGE
External Exchange Name: mail.testdomain.com

As I said earlier, we are hosting testdomain.com elsewhere by pointing the domain A record.

I restarted all the required services and even restarted the server. Any further quick help would be greatly appreciated. Thanks.

Author Comment

by:SrinathS
ID: 33655858
BUT, when I try to access
https://mail.testdomain.com/owa
https://mail.testdomain.com/exchange

It didn't work, both on the web and on the iPhone. On the web, it displays "the page cannot be displayed". I went to the Exchange virtual directory and verified the settings. The SSL option is enabled, including the 128-bit option.
 
LVL 3

Assisted Solution

by:Ardiseis
Ardiseis earned 250 total points
ID: 33656706
If you are using a self-issued SSL cert as per that guide, it will indeed work on systems inside the domain using intranet security settings, but the cert will not show as valid and may even block the site from displaying, beyond showing the invalid SSL cert error, depending on browser settings.

Now let's say on the LAN your site is HTTPS://Exchange/Exchange
On the web you are HTTPS://mail.myexchange.com/exchange
You also have the alias HTTPS://mail.demoexchange.com/exchange

On a single-FQDN SSL cert the only site that should not give an invalid cert error is HTTPS://mail.myexchange.com/exchange.
Now you can get more complex SSL certs, but they are quite a bit more expensive.

While I have successfully installed a self-issued SSL cert on a Windows Mobile phone to get OMA to work, I could not get it to work on an iPhone even after telling it to ignore the SSL cert. I have heard from others that the same is true for Droid users.
 

Author Comment

by:SrinathS
ID: 33656743
From http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

Note: You may have noticed the yellow warning sign; this informs us that the name on the security certificate is invalid or does not match the name of the site. Don't worry, there's nothing wrong with this; the reason it appears is that we aren't accessing OWA through the common name, which we specified when the certificate was created. When you access OWA from an external client through mail.testdomain.com/exchange, this warning will disappear.

I have a new SSL certificate from GlobalSign Inc. for the domain mail.testdomain.com. First I tried to follow the instructions available at the above link. It didn't work for me.
 
LVL 3

Assisted Solution

by:Ardiseis
Ardiseis earned 250 total points
ID: 33656876
The line you quoted is for IE6; it has not been true since IE7 and is still not true for IE8. The link is a good guide, just 6 years old, and a lot has changed since then.

From the top down: is OWA hosted on a web server that is not the Exchange server?

Do the host headers in IIS have mail.testdomain.com in them?
Under Directory Security, does the SSL cert match your FQDN and external DNS?

On the LAN, OWA is resolved on the backend Exchange server directly, not on a frontend web server, correct?

You may want to check this link; it is also older but may help: http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html

Also, a huge help for you: make a dummy account with no admin rights, log into OWA once to make sure the mailbox is active, and test with this site: https://www.testexchangeconnectivity.com/

And lastly, in AD do your users have all the mobile options enabled?
 

Author Comment

by:SrinathS
ID: 33656938
Okay. I removed the self-signed SSL certificate from the Exchange server. I will install the GlobalSign Inc. SSL certificate in the same way. I will update this question shortly. Thanks for pointing me in the right direction.
 

Author Comment

by:SrinathS
ID: 33764621
Hello All,

Sorry for the late reply. I generated the CSR on the Exchange Server and got the SSL certificates (Root, Intermediate and Child) from GlobalSign Inc. The generated SSL certificate is for the following address: mail.domain.com. Even though I followed the installation instructions, it still didn't work. After setup, I even restarted all necessary services.

The SSL setup screenshot is attached. It clearly shows that the SSL certificate is properly installed. Any further help would be greatly appreciated. Thanks.
1.JPG
 
LVL 3

Expert Comment

by:Ardiseis
ID: 33764714
Can you post the results from https://www.testexchangeconnectivity.com/? I am interested to see what you get for both RPC over HTTPS and ActiveSync.
 

Author Comment

by:SrinathS
ID: 33764764
Exchange ActiveSync Test Results File Attached.
exchange-sutosync-result.txt
 

Author Comment

by:SrinathS
ID: 33764795
I also ran the test without the SSL option enabled.
exchange-sutosync-result-no-ssl.txt
 

Author Comment

by:SrinathS
ID: 33764905
Hi,

I'm currently reading this post: http://www.experts-exchange.com/Apple/Hardware/iPhone/Q_23629611.html#22186293

It seems that ActiveSync is not enabled or not supported. It looks like I need to create a new Virtual Directory to support ActiveSync.

Am I correct?
 
LVL 3

Assisted Solution

by:Ardiseis
Ardiseis earned 250 total points
ID: 33765025
What happens when you try to open https://mail.yourdomain.com/exchange? Also, yes, if you are using a split frontend/backend server you have to build all the virtual directories; it is much harder than letting the Exchange server host OWA and OMA. It is starting to sound like your issue is not the SSL cert but the IIS configuration. Internally, can you resolve https://frontendserver/exchange on the LAN of your network? You will get a cert error, but if configured correctly it should still work while complaining.
 

Author Comment

by:SrinathS
ID: 33765155
We don't have frontend/backend servers. We have only one Exchange server configured. When I visit that page, it displays a "Page cannot be displayed" message on both internal and external networks.
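Two things in the thread can be checked directly on the server rather than by guessing from the browser: the name-mismatch warning Ardiseis describes when a single-name certificate is opened by a different name (https://exchange/exchange versus https://mail.testdomain.com/exchange), and the "Page cannot be displayed" response on both the LAN and the Internet. The diagnostic below is an added example, not code from the thread; it assumes the names given in the thread (external FQDN mail.testdomain.com, internal host name EXCHANGE) and nothing else about the environment, and the Test-SslName function name is the example's own.

```powershell
# Added diagnostic, not from the original thread. Run on the Exchange server.
# Assumed names, taken from the thread; change them to suit.
$ExternalName = 'mail.testdomain.com'
$InternalName = 'exchange'

# 1. Listener check. "Page cannot be displayed" from both the LAN and the
#    Internet is usually no 443 listener at all (no SSL binding, or no
#    certificate assigned to the site), not a bad certificate. Expect a line
#    ending in LISTENING for 0.0.0.0:443 or the server's IP.
Write-Host '== TCP 443 listeners =='
netstat -ano | Select-String ':443\s+.*LISTENING'

# 2. Which certificates could the site be using? IIS needs the private key, so a
#    certificate imported from a bare .cer (HasPrivateKey = False) cannot serve
#    HTTPS even though the property sheet shows it as "installed".
Write-Host '== Certificates in LocalMachine\My =='
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint |
    Format-Table -AutoSize

# 3. Handshake against a name and report what the server presented and which
#    validation error (if any) a client would raise. Validation is observed, not
#    enforced: the callback records the errors and returns $true so the
#    certificate can be inspected. Diagnostic only; never do this in a client.
function Test-SslName {
    param([string]$HostName, [int]$Port = 443)
    $state  = @{ Errors = 'none' }
    $client = New-Object System.Net.Sockets.TcpClient
    $report = New-Object PSObject -Property @{ Host = $HostName; Subject = ''; SAN = ''; Errors = '' }
    try {
        $client.Connect($HostName, $Port)
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $state.Errors = $errors.ToString()   # e.g. None, RemoteCertificateNameMismatch
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.Subject = $cert.Subject
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if ($san) { $report.SAN = $san.Format($false) }
        $report.Errors = $state.Errors
        $ssl.Close()
    } catch {
        # Connection refused/reset or a handshake failure; the message says which.
        $report.Errors = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $report
}

# On a correctly bound single-name certificate the external name reports
# Errors = None and the internal name reports RemoteCertificateNameMismatch
# (combined with RemoteCertificateChainErrors if the issuer is not trusted),
# because "exchange" is neither the CN nor in the SAN. That is the yellow
# warning discussed above: a client-side name check, not a server fault.
# A refused connection on both names points back to step 1.
$ExternalName, $InternalName | ForEach-Object { Test-SslName -HostName $_ } |
    Format-List Host, Subject, SAN, Errors
```

Read the three sections in order. No 443 listener means the SSL binding or the certificate assignment on the site is missing and nothing further will work; a certificate without a private key explains a "properly installed" certificate that still will not serve; and a name mismatch only on the internal name is expected with a single-FQDN certificate and is fixed by using the external name (or a certificate that also carries the internal name), not by reinstalling.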
 
LVL 34

Assisted Solution

by:Shreedhar Ette
Shreedhar Ette earned 50 total points
ID: 33945067
 

Author Closing Comment

by:SrinathS
ID: 34057065
Never mind. I'm unable to solve this issue. However, we are going to upgrade Exchange 2003 to 2007. Thanks to all experts.