Solved

Installation of a UC digital certificate in EBS environment

Posted on 2010-09-20
Last Modified: 2013-11-10
Dear Experts,

I have just purchased a new cert and want to install it into my EBS environment. Previously we had domainA.com and now we will be using domainB.com.  So we still need domainA.com to feature in our organisation for a year (or so).

So I purchased a UC cert from Comodo for the FQDNs remote.domainA.com and remote.domainB.com. I have completed the cert request in IIS7 on the management server. I exported it and added it to the trusted root authority and personal store on the security server (Forefront), then added it to the listener in the RWW publishing rule within Forefront.

I have made all the necessary DNS changes for the MX and A records for domainB.com.

In Exchange, I have added domainB.com to the list of accepted domains and changed the recipient policy to make it the default for sending for all users. I have tested mail flow to and from user@domainB.com and all seems OK.

2 questions:

1. Given the information above, I can still access the RWW site by visiting https://remote.domainA.com and all works fine. When I view the certificate presented, it shows me the new one. But when I visit https://remote.domainB.com I get "The page cannot be displayed" with "Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)"

What gives here?

2. What else have I missed? I'm pretty sure that I have to update and enable the Exchange certificate services.

Bear in mind I have no experience with UC certificates and am treading carefully here...

Many thanks in advance.
Question by:Cruthin
11 Comments
 
LVL 32

Expert Comment

by:endital1097
ID: 33721422
You need to install the new certificate onto the Exchange server,
then run the following to locate the cert:
get-exchangecertificate | fl

Then, using the thumbprint for the new cert, run:
enable-exchangecertificate -thumbprint <id> -services "iis,pop,imap,smtp"

You do not need to restart any services.
0
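The locate-and-enable step described above, written out as an added PowerShell example for the Exchange Management Shell (not code from the thread or from Microsoft); it checks that a candidate certificate has a private key, is not expired, and lists every name clients will use in its SAN list before enabling it. The host names and service list are taken from the thread; the Get-ExchangeCertificate properties used (CertificateDomains, HasPrivateKey, NotAfter) are assumed to be present on the object the cmdlet returns in this Exchange version.

```powershell
# Added example: select the certificate that covers every required name and
# enable it for the Exchange services, checking the SAN list first.
# Host names are the ones from the thread; extend the list with any internal
# names clients connect to (assumption: names differ per environment).
$requiredNames = @('remote.domainA.com', 'remote.domainB.com')

# Candidate certs: private key present, not expired, covering all required names.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object {
        $domains = $_.CertificateDomains
        $missing = $requiredNames | Where-Object { $domains -notcontains $_ }
        @($missing).Count -eq 0
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Error "No certificate with a private key covers all of: $($requiredNames -join ', ')"
    return
}

Write-Host "Selected thumbprint $($cert.Thumbprint)"
Write-Host "Covered names: $($cert.CertificateDomains -join ', ')"

# Enable for the same services named in the thread. -WhatIf only reports the
# change; remove it once the selected thumbprint is the expected one.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,POP,IMAP,SMTP' -WhatIf
```

If clients connect using names that are not in $requiredNames (for example an internal server FQDN), the check will not catch them and those clients will still see a certificate warning after the switch.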
 

Author Comment

by:Cruthin
ID: 33721448
OK, great. Will that sort the problem of accessing RWW using https://remote.domainB.com?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33721450
What is the entire HTTP error code, 403.x?
0
 

Author Comment

by:Cruthin
ID: 33721458
The error displayed in IE8 is:

The page cannot be displayed
Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

--------------------------------------------------------------------------------

Try the following:

Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

--------------------------------------------------------------------------------

Technical Information (for support personnel)

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
 
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33721474
0
 

Author Comment

by:Cruthin
ID: 33721487
Just the same. I will install the cert on the Exchange server tomorrow to see if that fixes the issues and report back.

Thanks.
0
 

Author Comment

by:Cruthin
ID: 33723645
I installed the new cert on the Exchange server. I ran the enable-exchangecertificate -thumbprint <id> -services "iis,pop,imap,smtp" command and all users immediately received a certificate error message. So I switched it back.

Any thoughts?
0
 

Author Comment

by:Cruthin
ID: 33724143
I have looked at the Forefront logs and found the following entry. I have changed the private names and addresses where applicable:

#################################################################

Denied Connection SECURITYSERVER 21/09/2010 12:06:56
Log type: Web Proxy (Reverse)
Status: 12202 The Forefront TMG denied the specified Uniform Resource Locator (URL).  
Rule: Default rule
Source: External (external IP)
Destination: Local Host (192.168.1.2:443)
Request: GET http://remote.domainB.com/ 
Filter information: Req ID: 228512d6; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes
Protocol: https
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.3...
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type: -

######################################################################

It would appear that ISA is denying access when the name remote.domainB.com is used by the client.

Any further thoughts?
 
0
 
LVL 2

Expert Comment

by:aimcitp
ID: 33729029
When you set up the publishing rule on your ISA, did you import the private key with the certificates?

0
 

Author Comment

by:Cruthin
ID: 33736048
I believe so. I exported the cert from the management server and imported it into ISA. Then I added it to the listener.
0
 

Accepted Solution

by:Cruthin (earned 0 total points)
ID: 33909167
I got this resolved. Please see the link below:
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26537328.html

Thanks for your input.
0