How to set up SSL in Exchange Server 2003?


Q1: I have an Exchange Server running on Server 2003. How can I set up SSL for Exchange mail? Is there any guide available? Currently the server address is set up as "", the online access is "" for Exchange and the regular web access is "". NOTE that this is NOT a front-end server.

Q2: How can I take a full backup of the Exchange server?

Any further information would be greatly appreciated. Thanks.

Brad Howe (DevOps Manager) Commented:
1. You can purchase a signed CA from vendors such as Verisign, Thawte, GoDaddy, GeoTrust, etc., or you can generate your own self-signed certificate.
Here's a link about how to set it up
2. For Exchange backups, you can again use vendor software such as Tivoli, Veritas, Acronis OR even the free NTBackup. See this msexchange article for NTBackup and restore.

Brad Howe (DevOps Manager) Commented:
I also wanted to mention the MS Exchange client guide
"It contains configuration information, such as how to secure your messaging environment, deploy the server architecture, and configure Exchange servers for your supported client access methods."
Let us know if you have questions,
SrinathS (Author) Commented:

Thanks for the quick reply. I'm currently taking a backup of the entire Exchange server using NTBACKUP. I will try to follow the above instructions after that.

To set up SSL on a server:

1. In IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the Web site or file that you want to protect with SSL, and then click Properties.
2. Under Web site identification, click Advanced.
3. In the Advanced Web site identification box, under Multiple identities for this Web site, verify that the Web site IP address is assigned to port 443 (the default port for secure communications), and then click OK. Optionally, to configure more SSL ports for this Web site, click Add under Multiple identities of this Web site, and then click OK.
4. On the Directory Security tab, under Secure communications, click Edit.
5. In the Secure Communications box, select the Require secure channel (SSL) check box.

SrinathS (Author) Commented:

Can I get a trusted SSL certificate from a 3rd-party vendor for the mail server like ""? Currently we are hosting "" on another server with a different A record for the domain. I think it won't affect the SSL installation for the mail server.

In the setup steps, can I type "" instead of the sample "" or a similar address?
With SSL certs, you can have a single SSL cert for each subdomain.
i.e.: can have one cert and can have another.
Whether it is on the same server as a different site or on a different server does not matter; as long as the host headers for the site and the URL directing the user to the site match the FQDN of the SSL cert, you are good.
Brad Howe (DevOps Manager) Commented:
Yes, you can install an SSL certificate on any site. and mail.domain.dom can be different servers and have different IPs as well.
You could also have and on the same server, even in the same site. To set this up you would use Web Host Headers.
SrinathS (Author) Commented:

I found that an SSL certificate was installed by our previous tech team, but they didn't activate it (they did not enable the 128-bit encryption option). When I try to apply the option, it shows me a window. I didn't understand it. I attached the screenshot. I would appreciate it if anyone could guide me on this.

Thanks to all!
Brad Howe (DevOps Manager) Commented:
In IIS Manager, click on Server Certificate; you should have the option to choose an existing certificate or create a new request. -Hades666
You want to click OK so the sub sites for Outlook Web Access and RPC over HTTPS, along with other Exchange functions, will work with the SSL; that is the simplified answer to your screenshot post.
SrinathS (Author) Commented:
Okay. The existing SSL certificate is not properly installed. I will delete that and create a new certificate tonight. I will update this question if I encounter any issues. Thanks!
For any troubleshooting after the new SSL cert is installed, create a dummy account on your server and use as it warns, please do not use a live client account, and disable or delete the test account when finished.
SrinathS (Author) Commented:
I've rescheduled this to this coming Friday. Thanks.
SrinathS (Author) Commented:
Hello All,

I'm able to install the self-signed SSL certificate by following this tutorial:

When I verify it by typing https://exchange/exchange, it works! I mean, I'm able to log in to Exchange and I found the secure lock icon in the status bar.

BUT, when I try to access

More details:
Internal Exchange Name (local): EXCHANGE
External Exchange Name:

As I said earlier, we are hosting elsewhere by pointing the domain A record.

I restarted all the required services and even restarted the server. Any further quick help would be greatly appreciated. Thanks.
SrinathS (Author) Commented:
BUT, when I try to access

It didn't work on either the web or the iPhone. On the web, it displays the "page cannot be displayed" message. I went to the Exchange virtual directory and verified the settings. The SSL option is enabled, including the 128-bit option.
If you are using a self-issued SSL cert as per that guide, it will indeed work on systems inside the domain using intranet security settings, but the cert will not show as valid and may even block the site from displaying the invalid SSL cert error, depending on browser settings.

Now let's say on the LAN your site is HTTPS://Exchange/Exchange
On the web you are HTTPS://
You also have the alias HTTPS://

On a single-FQDN SSL cert, the only site that should not give an invalid cert error is HTTPS://
Now, you can get more complex SSL certs, but they are quite a bit more expensive.

While I have successfully installed a self-issued SSL cert on a Windows Mobile phone to get OMA to work, I could not get it to work on an iPhone, even telling it to ignore the SSL cert. I have heard from others that the same is true for a Droid user.
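
The name-matching rule described in the reply above, as an added example that is not part of the original thread: the script reports which of the URLs clients use would pass the certificate name check for a single-FQDN certificate and, going slightly beyond the reply, for a wildcard certificate. The host names `mail.example.com` and `www.example.com` are constructed placeholders, because the thread's real names are not shown.

```python
from urllib.parse import urlsplit

def name_matches(host, pattern):
    """True if `host` matches one certificate name (exact or left-most wildcard)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard is accepted only as the whole left-most label.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False
    # It stands for exactly one label, so label counts must be equal,
    # and patterns as broad as "*.com" are refused.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]

def audit_urls(urls, cert_names):
    """Map each URL to True (name matches the cert) or False (mismatch warning)."""
    result = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        result[url] = any(name_matches(host, n) for n in cert_names)
    return result

# Constructed sample data: placeholder names, not values from the thread.
URLS = [
    "https://exchange/exchange",          # internal short name used on the LAN
    "https://mail.example.com/exchange",  # external FQDN the cert was issued for
    "https://www.example.com/exchange",   # another name on the same domain
]
SINGLE_NAME_CERT = ["mail.example.com"]
WILDCARD_CERT = ["*.example.com"]

if __name__ == "__main__":
    for label, names in (("single", SINGLE_NAME_CERT), ("wildcard", WILDCARD_CERT)):
        for url, ok in audit_urls(URLS, names).items():
            print(f"{label:8} {url:40} {'ok' if ok else 'NAME MISMATCH'}")
```

The internal short name fails against both certificates, which is why a browser on the LAN still warns even after a correctly issued public certificate is installed.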
SrinathS (Author) Commented:

Note: You may have noticed the yellow warning sign, this informs us The name on the security certificate is invalid or does not match the name of the site. Don’t worry there’s nothing wrong with this, the reason why it appears is because we aren’t accessing OWA through the common name, which we specified when the certificate was created. When you access OWA from an external client through, this warning will disappear.

I've a new SSL certificate from GlobalSign Inc. for the domain - First I tried to follow the instructions available at the above link. It didn't work for me.
The line you quoted is for IE6; it has not been true since IE7 and is still not true for IE8. The link is a good guide, just 6 years old, and a lot has changed since then.

From the top down: is OWA hosted on a web server that is not the Exchange server?

The host headers in IIS have in them
Then under Directory Security, the SSL cert matches your FQDN and external DNS

On the LAN, OWA is resolved on the backend Exchange server directly, not on the frontend web server, correct?

You may want to check this link; it is also older but may help

Also, a huge help for you: make a dummy account with no admin rights, log into OWA once to make sure the mailbox is active, and test with this site 

And lastly, in AD, do your users have all the mobile options enabled?
SrinathS (Author) Commented:
Okay. I removed the self-signed SSL certificate from the Exchange server. I will install the GlobalSign Inc. SSL certificate in the same way. I will update this question shortly. Thanks for pointing me in the right direction.
SrinathS (Author) Commented:
Hello All,

Sorry for the late reply. I generated the CSR on the Exchange Server and got the SSL certificates (Root, Intermediate and Child) from GlobalSign Inc. The generated SSL certificate is for the following address: Even though I followed the installation instructions, it still didn't work. After setup, I even restarted all necessary services.

The SSL setup screenshot is attached. The SSL certificate clearly shows that the SSL certificate is properly installed. Any further help would be greatly appreciated. Thanks.
Can you post results from I am interested to see what you get for both RPC over HTTPS and Active Sync
SrinathS (Author) Commented:
Exchange ActiveSync Test Results File Attached.
SrinathS (Author) Commented:
I also ran the test without the SSL option enabled.
SrinathS (Author) Commented:

I'm currently reading this post:

It seems that ActiveSync is not enabled or not supported. It looks like I need to create a new Virtual Directory to support ActiveSync.

Am I Correct?
What happens when you try to open Also, yes, if you are using a split frontend/backend server, you have to build all the virtual directories; it is much harder than letting the Exchange server host OWA and OMA. It is starting to sound like your issue is not the SSL cert but the IIS configuration. Internally, can you resolve https://frontendserver/exchange on the LAN of your network? You will get a cert error, but if configured correctly it should still work while complaining.
SrinathS (Author) Commented:
We don't have frontend/backend servers. We have only 1 Exchange server configured. When I visit that page, it displays the "Page can not be displayed" message on both internal and external networks.
SrinathS (Author) Commented:
Never mind. I'm unable to solve this issue. However we are going to upgrade Exchange 2003 to 2007. Thanks to All Experts.