How to set up SSL in Exchange Server 2003?

Hello,

Q1: I have an Exchange Server running on Server 2003. How can I set up SSL for Exchange mail? Is there any guide available? Currently the server address is set up as "mail.domain.com", the online access is "mail.domain.com/exchange" for Exchange and the regular web access is "mail.domain.com/oma". NOTE that this is NOT a front-end server.

Q2: How can I take a full backup of the Exchange server?

Any further information would be greatly appreciated. Thanks.
SrinathS asked:

Brad Howe (DevOps Manager) commented:
Hi.
1. You can purchase a CA-signed certificate from vendors such as Verisign, Thawte, GoDaddy, GeoTrust etc., or you can generate your own self-signed one.
Here's a link about how to set it up:
http://www.petri.co.il/configure_ssl_on_owa.htm

http://blogs.technet.com/b/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx
2. For Exchange backups, you can again use vendor software such as Tivoli, Veritas, Acronis, or even the free NTBackup. See this msexchange article for NTBackup backup and restore.
http://www.msexchange.org/tutorials/Exchange-2003-Backup-Restore-NTBACKUP.html
Cheers,
Hades666

Brad Howe (DevOps Manager) commented:
I also wanted to mention the MS Exchange client guide:
"It contains configuration information, such as how to secure your messaging environment, deploy the server architecture, and configure Exchange servers for your supported client access methods."
http://go.microsoft.com/fwlink/?LinkId=69702
Let us know if you have questions,
Hades666
SrinathS (Author) commented:
Hi,

Thanks for the quick reply. I'm currently taking a backup of the entire Exchange server using NTBACKUP. I will try to follow the above instructions after that.

kapiltapa commented:
To set up SSL on a server:

1. In IIS Manager, expand the local computer, and then expand the Web Sites folder. Right-click the Web site or file that you want to protect with SSL, and then click Properties.
2. Under Web site identification, click Advanced.
3. In the Advanced Web site identification box, under Multiple identities for this Web site, verify that the Web site IP address is assigned to port 443 (the default port for secure communications), and then click OK. Optionally, to configure more SSL ports for this Web site, click Add under Multiple identities of this Web site, and then click OK.
4. On the Directory Security tab, under Secure communications, click Edit.
5. In the Secure Communications box, select the Require secure channel (SSL) check box.
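The same five steps, scripted against the IIS 6 metabase through the ADSI provider so they can be applied to every Exchange virtual directory at once and re-run to check the result. This is an added example, not part of kapiltapa's answer or Microsoft's documentation. It assumes PowerShell 2.0 on the Exchange 2003 server, that OWA lives in the Default Web Site (metabase path W3SVC/1), that the certificate has already been assigned to that site, and the list of virtual directories is an assumption about a default single-server Exchange 2003 install. The AccessSSLFlags bit values (8 = require SSL, 256 = require 128-bit) are the IIS 6 metabase values.

```powershell
# Added example (not from the thread): scripts the five IIS Manager steps above
# through the IIS 6 ADSI provider. Assumptions: PowerShell 2.0 on the Exchange
# 2003 server, the OWA site is the Default Web Site (metabase path W3SVC/1),
# and the certificate has already been assigned to that site.

$sitePath = "IIS://localhost/W3SVC/1"

# IIS 6 metabase AccessSSLFlags bits.
$AccessSSL    = 8      # "Require secure channel (SSL)"
$AccessSSL128 = 256    # "Require 128-bit encryption"
$required     = $AccessSSL -bor $AccessSSL128   # 264

# Virtual directories a default Exchange 2003 back-end exposes to clients
# (assumed list; add "Rpc" if RPC over HTTPS is published on this box).
$vdirs = "Exchange", "ExchWeb", "Public", "OMA", "Microsoft-Server-ActiveSync"

# Step 3: make sure the site listens for SSL on 443 (":443:" = all IPs, no host header).
$site = [ADSI]$sitePath
$bindings = @($site.SecureBindings)
if (-not ($bindings -contains ":443:")) {
    $site.Put("SecureBindings", @($bindings + ":443:"))
    $site.SetInfo()
    Write-Host "Added secure binding :443: to $sitePath"
}

# Steps 4-5: require SSL (and 128-bit) on each Exchange virtual directory.
foreach ($name in $vdirs) {
    $path = "$sitePath/Root/$name"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Warning "$path does not exist, skipping"
        continue
    }
    $vd = [ADSI]$path
    $current = 0
    try { $current = [int]$vd.Get("AccessSSLFlags") } catch { }   # unset = inherits nothing, treat as 0

    if (($current -band $required) -eq $required) {
        Write-Host ("{0,-28} already requires SSL (AccessSSLFlags={1})" -f $name, $current)
        continue
    }
    $vd.Put("AccessSSLFlags", ($current -bor $required))
    $vd.SetInfo()
    Write-Host ("{0,-28} AccessSSLFlags {1} -> {2}" -f $name, $current, ($current -bor $required))
}
```

Run it from an administrator PowerShell on the Exchange server; the second run should report every directory as already requiring SSL. A quick external check is that a plain http:// request to /exchange now comes back as HTTP 403 (IIS 6 sub-status 403.4, "SSL required") while https:// prompts for credentials.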
SrinathS (Author) commented:
Hi,

Can I get a trusted SSL certificate from a 3rd-party vendor for the mail server, like "mail.domain.com"? Currently we are hosting "domain.com" on another server with a different A record for the domain. I think it won't affect the SSL installation for the mail server.

In the setup steps, can I type "mail.domain.com" instead of the sample "mail.contoso.com" or a similar address?
Ardiseis commented:
With SSL certs you can have a single SSL cert for each subdomain.
i.e.: www.abc.com can have one cert and mail.abc.com can have another.
Whether it is on the same server as a different site or on a different server does not matter; as long as the host headers for the site and the URL directing the user to the site match the FQDN of the SSL cert, you are good.
Brad Howe (DevOps Manager) commented:
Hi,
Yes, you can install an SSL certificate on any site. domain.com and mail.domain.com can be different servers and have different IPs as well.
You could also have domain.com and mail.domain.com on the same server, even in the same site. To set this up you would use web host headers.
-Hades666
SrinathS (Author) commented:
Hi,

I found that an SSL certificate was installed by our previous tech team, but they didn't activate it (the 128-bit encryption option is not enabled). When I try to apply the option it shows me a window. I didn't understand it. I attached the screenshot. I would appreciate it if anyone can guide me on this.

Thanks to all!
(Attachment: 1.JPG)
Brad Howe (DevOps Manager) commented:
In IIS Manager click on Server Certificate; you should have the option to choose an existing certificate or create a new request. -Hades666
Ardiseis commented:
The simplified answer to your screenshot post: you want to click OK so that the sub-sites for Outlook Web Access and RPC over HTTPS, along with other Exchange functions, will work with SSL.
SrinathS (Author) commented:
Okay. The existing SSL certificate is not properly installed. I will delete that and create a new certificate tonight. I will update this question if I encounter any issues. Thanks!
Ardiseis commented:
For any troubleshooting after the new SSL cert is installed, create a dummy account on your server and use https://www.testexchangeconnectivity.com . As it warns, please do not use a live client account, and disable or delete the test account when finished.
SrinathS (Author) commented:
I've rescheduled this to the coming Friday. Thanks.
SrinathS (Author) commented:
Hello All,

I'm able to install the self-signed SSL certificate by following this tutorial: http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

When I verify it by typing https://exchange/exchange , it works! I mean, I'm able to log in to Exchange and I see the secure lock icon in the status bar.

BUT, when I try to access
https://mail.testdomain.com/owa
https://mail.testdomain.com/exchange

More details:
Internal Exchange Name (local): EXCHANGE
External Exchange Name: mail.testdomain.com

As I said earlier, we are hosting testdomain.com elsewhere by pointing the domain A record.

I restarted all the required services and even restarted the server. Any further quick help would be greatly appreciated. Thanks.
SrinathS (Author) commented:
BUT, when I try to access
https://mail.testdomain.com/owa
https://mail.testdomain.com/exchange

it doesn't work, both on the web and on the iPhone. On the web, it displays "The page cannot be displayed". I went to the Exchange virtual directory and verified the settings. The SSL option is enabled, including the 128-bit option.
Ardiseis commented:
If you are using a self-issued SSL cert as per that guide, it will indeed work on systems inside the domain using intranet security settings, but the cert will not show as valid and may even block the site from displaying at all, beyond the invalid SSL cert error, depending on browser settings.

Now let's say on the LAN your site is HTTPS://Exchange/Exchange
On the web you are HTTPS://mail.myexchange.com/exchange
You also have the alias HTTPS://mail.demoexchange.com/exchange

On a single-FQDN SSL cert, the only site that should not give an invalid cert error is HTTPS://mail.myexchange.com/exchange.
Now, you can get more complex SSL certs, but they are quite a bit more expensive.

While I have successfully installed a self-issued SSL cert on a Windows Mobile phone to get OMA to work, I could not get it to work on an iPhone, even telling it to ignore the SSL cert. I have heard from others that the same is true for Droid users.
SrinathS (Author) commented:
From http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

Note: You may have noticed the yellow warning sign; this informs us that the name on the security certificate is invalid or does not match the name of the site. Don't worry, there's nothing wrong with this; the reason it appears is that we aren't accessing OWA through the common name which we specified when the certificate was created. When you access OWA from an external client through mail.testdomain.com/exchange, this warning will disappear.

I have a new SSL certificate from GlobalSign Inc. for the domain mail.testdomain.com. First I tried to follow the instructions available at the above link. It didn't work for me.
Ardiseis commented:
The line you quoted is for IE6; it has not been true since IE7 and is still not true for IE8. The link is a good guide, just 6 years old, and a lot has changed since then.

From the top down: is OWA hosted on a web server that is not the Exchange server?

Do the host headers in IIS have mail.testdomain.com in them?
Under Directory Security, does the SSL cert match your FQDN and external DNS?

On the LAN, OWA is resolved on the back-end Exchange server directly, not on a front-end web server, correct?

You may want to check this link; it is also older but may help: http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html

Also, a huge help for you: make a dummy account with no admin rights, log into OWA once to make sure the mailbox is active, and test with this site: https://www.testexchangeconnectivity.com/

And lastly, in AD, do your users have all the mobile options enabled?
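A client-side check for the items in Ardiseis's list (what the name resolves to, whether the certificate on 443 carries the name in the URL, and what IIS answers on the OWA path), which also applies the single-FQDN matching rule explained a few posts up. This is an added example, not code from the thread, from the asker, or from Microsoft. It assumes PowerShell 2.0 or later on any Windows machine that can reach the server; mail.testdomain.com and /exchange are the placeholders used in the thread, and the wildcard-matching helper is a minimal RFC 6125-style match written for this example.

```powershell
# Added example (not from the thread): checks DNS, the TLS certificate on 443
# versus the URL host name, and the HTTP status IIS returns for the OWA path
# over https:// and http://. PowerShell 2.0+ on any Windows client.
# mail.testdomain.com and /exchange are placeholders from the thread.
param(
    [string]$HostName = "mail.testdomain.com",
    [string]$Path = "/exchange"
)

function Test-CertName([string[]]$certNames, [string]$hostName) {
    # Exact match, or a single-label wildcard in the leftmost position only.
    foreach ($n in $certNames) {
        if ($n -ieq $hostName) { return $true }
        if ($n.StartsWith("*.")) {
            $suffix = $n.Substring(1)                                   # ".testdomain.com"
            if ($hostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $hostName.Split('.').Length -eq $n.Split('.').Length) { return $true }
        }
    }
    return $false
}

# 1. DNS as seen from this client (inside the LAN this should be the Exchange
#    server, not the public web host that serves testdomain.com).
$ips = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
Write-Host ("{0} resolves to {1}" -f $HostName, ($ips -join ", "))

# 2. TLS handshake on 443. Accept any certificate here so it can be inspected
#    instead of aborting on the first validation error.
$acceptAll = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($HostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Names the certificate is valid for: CN plus every DNS entry in subjectAltName.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($sanExt) {
    $names += @([regex]::Matches($sanExt.Format($false), "DNS Name=([^,\s]+)") | ForEach-Object { $_.Groups[1].Value })
}
$names = $names | Select-Object -Unique

Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"
Write-Host "Names   : $($names -join ', ')"
Write-Host ("Name matches {0}: {1}" -f $HostName, (Test-CertName $names $HostName))
Write-Host ("Self-signed: {0}" -f ($cert.Subject -eq $cert.Issuer))

# Chain check with this client's trust store (the intermediate must be served or installed).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Host "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())" }
}

# 3. What does IIS answer on the OWA path? 401 = directory exists and wants
#    credentials; 403 on http:// = "Require SSL" is in force; 404 = virtual
#    directory missing; "no response" = nothing is listening on that name/port.
function Get-HttpStatus([string]$url) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $acceptAll
    $req = [System.Net.WebRequest]::Create($url)
    $req.Method = "GET"; $req.AllowAutoRedirect = $false; $req.Timeout = 10000
    try {
        $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close(); return $code
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return "no response: $($_.Exception.Message)"
    }
}
Write-Host ("https://{0}{1} -> {2}" -f $HostName, $Path, (Get-HttpStatus "https://$HostName$Path"))
Write-Host ("http://{0}{1}  -> {2}" -f $HostName, $Path, (Get-HttpStatus "http://$HostName$Path"))
```

Run it once from a LAN client and once from outside. If the LAN copy resolves mail.testdomain.com to the public web host rather than the Exchange server, internal clients never reach IIS at all, whatever the certificate says; "Name matches: False" on a correctly resolved host is the single-FQDN problem above; and a 401 over https:// with a 403 over http:// means the virtual directory is present and Require SSL is in force. The script disables certificate validation for its own connections only so that a self-signed or mis-named certificate can still be read; do not reuse that callback in anything that talks to the server for real.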
SrinathS (Author) commented:
Okay. I removed the self-signed SSL certificate from the Exchange server. I will install the GlobalSign Inc. SSL certificate in the same way. I will update this question shortly. Thanks for pointing me in the right direction.
SrinathS (Author) commented:
Hello All,

Sorry for the late reply. I generated the CSR on the Exchange server and got the SSL certificates (Root, Intermediate and Child) from GlobalSign Inc. The generated SSL certificate is for the following address: mail.domain.com. Even though I followed the installation instructions, it still didn't work. After setup, I even restarted all necessary services.

The SSL setup screenshot is attached. It clearly shows that the SSL certificate is properly installed. Any further help would be greatly appreciated. Thanks.
(Attachment: 1.JPG)
Ardiseis commented:
Can you post the results from https://www.testexchangeconnectivity.com/ ? I am interested to see what you get for both RPC over HTTPS and ActiveSync.
SrinathS (Author) commented:
Exchange ActiveSync test results file attached.
(Attachment: exchange-sutosync-result.txt)
SrinathS (Author) commented:
I also ran the test without the SSL option enabled.
(Attachment: exchange-sutosync-result-no-ssl.txt)
SrinathS (Author) commented:
Hi,

I'm currently reading this post: http://www.experts-exchange.com/Apple/Hardware/iPhone/Q_23629611.html#22186293

It seems that ActiveSync is not enabled or not supported. It looks like I need to create a new virtual directory to support ActiveSync.

Am I correct?
Ardiseis commented:
What happens when you try to open https://mail.yourdomain.com/exchange ? Also, yes, if you are using a split front-end/back-end setup you have to build all the virtual directories; it is much harder than letting the Exchange server host OWA and OMA. It is starting to sound like your issue is not the SSL cert but the IIS configuration. Internally, can you resolve https://frontendserver/exchange on the LAN of your network? You will get a cert error, but if configured correctly it should still work while complaining.
SrinathS (Author) commented:
We don't have front-end/back-end servers. We have only 1 Exchange server configured. When I visit that page, it displays the "Page cannot be displayed" message on both internal and external networks.
SrinathS (Author) commented:
Never mind. I'm unable to solve this issue. However, we are going to upgrade Exchange 2003 to 2007. Thanks to all experts.