Solved

OWA Certificate error-Webpage not found

Posted on 2010-09-19
1,105 Views
Last Modified: 2012-05-10
Using SBS 2003.  Sonicwall TZ 100 Router/Firewall.
When I try to access OWA from outside the network, I get the Certificate Error page.  I then click the Go To Web Site.  Then I get the "Cannot display Webpage" page.  When I try again to go to mail.mydomain.com/exchange, I get the page not found.  OWA used to work.   One change was that I have implemented the Sonicwall Global AV and the AntiSpyware security services since I first installed the TZ 100.
The URL I use to access OWA is mail.mydomain.com/exchange.  mail.mydomain.com points to the WAN Primary IP of the Sonicwall.  The OWA Server Private IP is 10.0.0.1.
I ran the Server Configuration Wizard to recreate the server access, but nothing changed.  I am not sure if this is an SBS issue or a Sonicwall issue.

I am working remotely on this (LogMeIn), so I need to be careful configuring things so I don't get disconnected.
I have attached screen shots of the Sonicwall configuration.  
ScreenShots-for-EE-Question.pdf
0
Comment
Question by:beyondt
5 Comments
 
LVL 2

Expert Comment

by:EirinL
Hi there,

My first thought is that you have the remote management or admin function enabled for the Sonicwall on the external IP or public IP. The Sonicwall is presenting you with a certificate to manage it and log on to the admin console and not redirecting or completing the NAT to the internal server.

Try either changing the management ports for both HTTP and HTTPS for the sonicwall to something close to 80 and 443

Then try the publishing rule again and restart the sonicwall.

The fact you are receiving the certificate makes me believe it's the Sonicwall trying to answer the OWA address which doesn't exist.

I've attached a screen shot on how to do this.
sonicscreenie.JPG
0
 

Author Comment

by:beyondt
Hi Eirin,
Here's what I did to get it to work:  I simply disabled the Management HTTPS port and User Login HTTP & HTTPS ports in the WAN interface. Now I get the certificate error screen, but when I continue, it opens OWA.  This is fine for now because I just don't want to restart the Sonicwall while connected remotely.

So, I would like to get a better understanding of what is going on, because I assume it would be advantageous to have the Management HTTPS port enabled.
Am I on the right track here?...  Assume that I change the HTTP and HTTPS Management ports in the Administration to 83 and 445, respectively.
1. That would not affect connecting to OWA, right?  
2. If I wanted to remotely login as administrator, would the address be mail.mydomain.com:445?
3. Can you clarify your statement, "Then try the Publishing rule again..."?
I have been having a heck of a time getting a handle on the Enhanced OS.  I know it is extremely powerful and flexible, but sometimes it seems like putting a puzzle together.

Thanks for your help.
0
 
LVL 2

Accepted Solution

by:
EirinL earned 250 total points
Here's what I did to get it to work:  I simply disabled the Management HTTPS port and User Login HTTP & HTTPS ports in the WAN interface. Now I get the certificate error screen, but when I continue, it opens OWA.  This is fine for now because I just don't want to restart the Sonicwall while connected remotely.

So, I would like to get a better understanding of what is going on, because I assume it would be advantageous to have the Management HTTPS port enabled.
Am I on the right track here?...  Assume that I change the HTTP and HTTPS Management ports in the Administration to 83 and 445, respectively.
1. That would not affect connecting to OWA, right?

I apologise, I read your post a little too quickly before.
You implemented anti-spam and gateway AV on the TZ100.
You also enabled SSL or HTTPS management on the X1 interface.
The Sonicwall comes with the ability to self-issue certificates or use purchased certs.

Did you assign SSL to the Exchange server virtual directories? Or are you only using HTTP basic authentication?

The problem with SSL and certificates is that they will only bind to one SSL port per IP address.
i.e. The certificate for mail.mydomain.com will only bind to 443 or 445, not both.
The certificate requires both FQDN, port and IP address to be unique as well.
You cannot assign two different certificates to a single IP address.
If you have published a server behind the X1 IP for the FQDN mail.mydomain.com then the Sonicwall will either only direct traffic via the NAT server publishing rule to your internal server, OR it will only direct you to the Sonicwall login screen. It cannot perform both functions on a single IP, simply because of the SSL channel created. The tunnel can only have one endpoint or it won't be a tunnel :)

To fix this, remove all web management on the X1 interface, and install the certificate issued to the Exchange server on the Sonicwall under Security.

(SOMETHING ELSE TO CHECK)
Is the certificate error only experienced by you? Is your Certificate assigned to exchange a purchased certificate or self issued?

If you are a non-domain member, Internet Explorer will alert you that the certificate is a NON TRUSTED certificate.

This can be resolved by using a purchased cert.
Alternatively the error is a result of you being presented with the Sonicwall certificate and your browser complaining because the mail.mydomain.com FQDN does not match the cert issued as FQ124112512 <- example Sonicwall certificate name
Resolve this as explained above by installing the Exchange cert on the Sonicwall.
(Let's break it down a bit more)
Let's say mail.mydomain.com has an IP address of 196.222.111.120
The SSL certificate you have created on your Exchange server must be installed on the Sonicwall and your server publishing rule (public server wizard) must use the Exchange certificate as the issued certificate for the IP address 196.222.111.120 for port 443.
Why? you may ask... SSL certificates work in two ways: one, they establish an encrypted tunnel, and 2. they provide the client with a guarantee that the website being accessed is who they say they are.
This is done by providing the DNS friendly name, FQDN and purchaser information and associating them.

If you want the best user experience, use your existing or purchase a new digital certificate online for mail.mydomain.com,
install it on the Exchange server, and install it on the Sonicwall. Use the current IP address on X1 for mail.mydomain.com and use port 443.

If you want to be able to manage the Sonicwall via SSL using a public IP, you will need to use 2 public IP addresses on the Sonicwall.

IP # 1 will be used for mail.mydomain.com
IP # 2 for the sonicwall management ip.

Both IP addresses will use different certificates.
You can then access IP #1 and IP #2 on port 443.

2. If I wanted to remotely login as administrator, would the address be mail.mydomain.com:445?
(I wouldn't suggest opening the Sonicwall management using HTTP or HTTPS on the X1 interface. Disable this completely and use an L2TP VPN connection to "dial" into the Sonicwall and then manage it using the LAN X0 IP address instead.)

3. Can you clarify your statement, "Then try the Publishing rule again..."?

Delete the Exchange access rules for WAN to LAN and all NAT entries associated with the mail local address, mail internal address and SSL rules.
Then use the Wizard to publish a new Exchange server, assign the internal or purchased certificate to the SSL rule and you're good to go.

I have been having a heck of a time getting a handle on the Enhanced OS.
I know it is extremely powerful and flexible, but sometimes it seems like putting a puzzle together.

Just remember the following when you work through configuring a Sonicwall.
There are 3 interfaces:

LAN - SonicWall - WAN

Rules to provide access or open a port require the following:
LAN - Sonicwall (i.e. allowing the LAN to talk to the Sonicwall)
Sonicwall - WAN (i.e. allowing the Sonicwall to talk to the outside world)
LAN - WAN (allowing the LAN to talk to the outside world)
WAN - Sonicwall (allowing traffic back in to the Sonicwall)
Sonicwall - LAN (allowing the Sonicwall to talk to the LAN)
By default the rules are:
LAN - WAN allow any any
WAN - LAN deny any any

The best way to manage browsing and access is to create service groups, access groups and address groups.

Then you create single rules for Address Group 1 allowing Service Group 1 for Access Group 1 etc. etc.
Then to add or remove a service or include a new address you just add a new service or address into an existing group instead of publishing a whole new rule.

Good luck, let me know if you have any other questions or need further clarification.
0
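The accepted answer's diagnosis hinges on one question: which certificate is actually answering on mail.mydomain.com:443, the appliance's self-issued one (the "FQ124112512"-style name) or the one issued to the Exchange server? The script below is an added example, not code from the thread or from SonicWall, that makes that check concrete: it extracts the DNS names a certificate carries, matches them against the hostname the user typed (wildcards only in the leftmost label), and reports a mismatch in the terms the answer uses. The two certificate dictionaries are constructed samples in the shape Python's `getpeercert()` returns; the hostnames, IP and certificate name are the thread's own examples and are not real. `fetch_peer_cert` is a live check for when you have network access; it deliberately keeps chain verification on, so an untrusted self-issued certificate is reported as exactly the browser-side error the thread describes rather than silently accepted.

```python
import socket
import ssl

EXPECTED_HOST = "mail.mydomain.com"

# Constructed sample: what the firewall's self-issued management certificate
# looks like in getpeercert() form (name modelled on the thread's example).
APPLIANCE_CERT = {
    "subject": ((("commonName", "FQ124112512"),),),
    "issuer": ((("commonName", "FQ124112512"),),),
    "subjectAltName": (),
}

# Constructed sample: the certificate issued to the Exchange/OWA server.
EXCHANGE_CERT = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"),
                       ("DNS", "autodiscover.mydomain.com")),
}


def cert_names(cert):
    """Return the lower-cased DNS names a certificate is valid for.

    Per RFC 6125 the subjectAltName DNS entries are authoritative; the
    subject commonName is only consulted when no SAN DNS entry exists.
    """
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names


def _name_matches(pattern, hostname):
    # A wildcard may only replace the whole leftmost label ("*.mydomain.com"
    # covers "owa.mydomain.com" but not "mydomain.com" or "a.b.mydomain.com").
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname):
    host = hostname.lower().rstrip(".")
    return any(_name_matches(n, host) for n in cert_names(cert))


def diagnose(cert, expected_host=EXPECTED_HOST):
    """Explain, in the thread's terms, whether the presented cert is the right one."""
    names = cert_names(cert)
    if hostname_matches(cert, expected_host):
        return "OK"
    return ("MISMATCH: %s is not among %s; if that is the firewall's self-issued "
            "name, the appliance is answering on this IP:port instead of the "
            "published server" % (expected_host, names))


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check (not run by the tests): return (status, cert-or-None).

    Chain verification stays enabled on purpose: a self-issued appliance cert
    fails here with 'untrusted', which is the same condition the browser's
    certificate-error page reports.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we do the name check ourselves
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return diagnose(cert, host), cert
    except ssl.SSLCertVerificationError as exc:
        return "untrusted chain: %s" % exc.verify_message, None
    except OSError as exc:
        return "connect failed: %s" % exc, None


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("appliance cert:", diagnose(APPLIANCE_CERT))
    print("exchange cert: ", diagnose(EXCHANGE_CERT))
```

Run against the constructed samples the appliance certificate reports a mismatch and the Exchange certificate reports OK; pointed at a real host with `fetch_peer_cert("mail.example.invalid")` (placeholder name) it tells you whether the endpoint is untrusted, unreachable, or presenting a certificate for a different name, which is the distinction the answer draws between the firewall's management listener and the published server.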
 

Author Closing Comment

by:beyondt
Wow!  Thanks for all of the information.  It seems to be working. I am going to test it on other Sonicwalls as well to get a handle on it.

Thanks so much for your generous sharing of knowledge.

Bill
0
 
LVL 2

Expert Comment

by:EirinL
No problem, I struggled with the Sonicwalls as well when I first started using them.
I found their interface and the logic of the system unrelated to any other firewall I have ever used, even though it is basically a PIX with a web engine.
0
