Setting up SSL Certificates for Exchange 2010 and my website

Posted on 2010-11-28
Last Modified: 2012-05-10
I am completely baffled by SSL certificates. I understand the concepts of trust and security but the actual installation and setup of certificates so that everybody is happy has always been confusing for me.

Here is my current setup:

      - Website www.mycompany.com - hosted with 1and1.com's web hosting service
      - Windows 2008 Server on a business network with a dynamic IP
      - mycompany.dyndns.org - dynamically updated to point to my Windows server
      - Microsoft Exchange Server 2010 running on the Windows machine, with Outlook Web Access, IMAP, POP3 and Outlook Anywhere (although OA is not working at the moment)
      - "remote.mycompany.com" - set up in 1and1 to have a CNAME pointing to mycompany.dyndns.org
      - "mail.mycompany.com" - set up as an HTTP redirect to https://remote.mycompany.com/owa

Ideally what I would like to do is purchase one or more SSL certificates from 1and1.com (they offer "QuickSSL" certificates signed by GeoTrust) and set it up so that:

1) Users can connect to https://remote.mycompany.com/owa and not get an "untrusted certificate" warning
2) Users can connect to https://mycompany.com/* and use my website's online shopping cart system without getting "untrusted certificate" warnings (this website is hosted by 1and1)
3) Users can connect to outlook web access, and use "outlook anywhere" on their outlook without it failing with untrusted certificate warnings
4) Users can connect via IMAP and SMTP with SSL encryption, without it failing with untrusted certificate errors.


I really have no idea where to begin with this. I know when I buy a certificate from 1and1.com they'll probably hold my hand through the process of getting my actual www.mycompany.com website secured via SSL, but what about my Windows Server machine? I will need to install the certificate into IIS somehow and make sure everything lines up properly, but I don't really know what to do here.
Question by: Frosty555
Accepted Solution by: tstritof
Hi,

SSL certificates are just about names. The point is - if you want to enable access to a certain secured site or service by its name and prevent visitors from being warned off by an invalid certificate (or even worse - failing to connect) you need to:
1) Ensure that the certificate presented contains a Common Name (CN) or Subject Alternative Name (SAN) that exactly matches the name that was used to access the site or service.
2) Ensure that the certificate was issued by a trusted certificate authority.

For Exchange services you can even manage with a single name for all services, however it requires some manual configuration regarding SRV records in DNS so if you can avoid it - do so.

GeoTrust QuickSSL supports adding up to 3 SANs to a certificate issued for some CN. Also, I've seen them advertise a free www.mydomain.com added to certificate issued for mydomain.com but I guess that it won't extend the number of SANs they allow per quick SSL certificate.

So the main point here would be - what names will you need? As far as I can see - this will be needed:

mycompany.com
remote.mycompany.com
autodiscover.mycompany.com

and possibly

mail.mycompany.com (depending on what you set up your OA service to use)
www.mycompany.com (if someone uses that instead of mycompany.com when accessing your web shop)

So, we have 5 names, but can use only 4 in quick SSL.

One more thing I see as a problem is redirecting your mail.mycompany.com to remote.company.com/owa. This is something I don't suggest because you are headed for problems if you intend to use mail.mydomain.com as the name for your mail server.

And since all your mail services and remote services point to a SINGLE server, there is no advantage in setting up different FQDNs for them (pop.mydomain.com, mail.mydomain.com, remote.mydomain.com...) since you can't stuff them into a single QuickSSL anyway.

Another thing to consider is the possibility you'll be setting up some WSS sites or possibly a RDS Gateway on your server. When that happens you'll be looking at more names to add to your certificate. But at that point QuickSSL probably won't cut it anyway.

So this is what I suggest at this point:

Get a single QuickSSL certificate for the following Common Name:

mydomain.com

and add following 3 SANs to it:

www.mydomain.com
remote.mydomain.com
autodiscover.mydomain.com

That way you will have a certificate that will:
1) Support your public web site and web shop (mydomain.com, www.mydomain.com)
2) Support autodiscover service for your Exchange
3) Support any public services you intend to publish from your Windows server as long as they use remote.mydomain.com to be accessed.

And if you find that your DNS provider would support SRV records under free setup that you have (mydomain.dyndns.org) you might even use some other name you WILL actually use instead of autodiscover name.

Regards,
Tomislav
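One way to check the name-matching point above once a certificate is installed, as an added example that is not part of the original answer: the script below connects to each published name and port from the question, reads the certificate the server actually presents, and reports whether the name used to connect appears in its CN or SAN list. The host names are the ones from the question; the ports are the standard implicit-TLS ports for HTTPS, IMAPS and POP3S (SMTP uses STARTTLS and is not covered by this check).

```powershell
# Added example: verify that each published name is covered by the presented certificate.
function Get-CertificateNames {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate here: we only want to read it, trust is reported separately.
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose(); $client.Close()
    }
    $names = @()
    # Common Name from the subject
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
    if ($cn) { $names += $cn }
    # DNS entries from the Subject Alternative Name extension (OID 2.5.29.17)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    [PSCustomObject]@{ Host = $HostName; Port = $Port; Issuer = $cert.Issuer
                       Expires = $cert.NotAfter; Names = $names }
}

function Test-PublishedNames {
    param([hashtable[]]$Endpoints)
    foreach ($e in $Endpoints) {
        try {
            $r = Get-CertificateNames -HostName $e.Host -Port $e.Port
            $state = if ($r.Names -contains $e.Host) { 'match' } else { 'NAME MISMATCH' }
            '{0}:{1} -> {2} (cert names: {3}; expires {4})' -f $r.Host, $r.Port, $state,
                ($r.Names -join ', '), $r.Expires
        } catch {
            '{0}:{1} -> connection/TLS failed: {2}' -f $e.Host, $e.Port, $_.Exception.Message
        }
    }
}

# Endpoints from the question: OWA, the hosted shop, and IMAP/POP on the Windows server.
Test-PublishedNames @(
    @{ Host = 'remote.mycompany.com'; Port = 443 },
    @{ Host = 'mycompany.com';        Port = 443 },
    @{ Host = 'www.mycompany.com';    Port = 443 },
    @{ Host = 'remote.mycompany.com'; Port = 993 },
    @{ Host = 'remote.mycompany.com'; Port = 995 }
)
```

The check is an exact name comparison, which is all a QuickSSL certificate with fixed SANs needs; wildcard certificates are not handled.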
Expert Comment by: tech20bly
Can you please check whether the OWA virtual directory is holding the right certificate. If it is then choose the right certificate.
Expert Comment by: tstritof
Hi, just noticed it - sorry for me using "mycompany" and "mydomain" inconsistently but I hope you got the idea.

And to clear it up - you'll be publishing all the services from your server under remote.mydomain.com (SMTP, POP, IMAP, OWA, OA...).

Regards,
Tomislav
Author Comment by: Frosty555
tstritof,

That's a huge wealth of information you've given me. Thank you!

Now as far as the actual certificates inside of Exchange go - I have no idea what I have in there, it would be whatever Windows Server 2008 setup automatically, which is almost certainly wrong. I've been accessing everything via the mycompany.dyndns.org name and only recently did the switch over to remote.mycompany.com, so I'm sure everything is messed up now.

So when I sign up for a Geotrust SSL certificate, I tell them all three names I want (mycompany.com, remote.mycompany.com, autodiscover.mycompany.com) and then it will create a single certificate that I can import into my server? Or is it 3 separate certificates?

Or, do I "create request" on the Server, send that info off to Geotrust QuickSSL, they send me back a response and I perform a "complete request" on the Server?

Is the "SSL Certificates" section of IIS Manager the only place I need to go to configure certificates for my Windows Server machine, or are there other places I have to go tweak settings?
Assisted Solution by: tstritof
Hi,

A few pointers regarding QuickSSL first.

I purchased my GeoTrust QuickSSL certificate through dyndns.com and it turned out cheaper than going directly through GeoTrust. However, I have a few other services active on dyndns.com (domain hosting, custom DNS, backup mail server) so that might have influenced the pricing. I guess you'll have similar options with 1and1.com.

Regarding the certificate creation process on dyndns: in the first step I had been prompted for a CN for the certificate (Common Name - the main name for which the certificate is issued). In one of the next steps I had to create the request for the common name on my IIS and copy/paste the contents of the request file (it's basically a text file, usually with a .req extension) into the web order form. There were detailed instructions on dyndns on how to create a certificate request for different types of web servers. In one of the final steps (maybe even as part of the request approval process on the GeoTrust site) I was offered to add up to 3 SANs (subject alternative names). Make sure that you set up correct e-mail addresses for the certificate request approval process or you'll hit problems at some point (it would be best if the e-mail referenced mydomain.com - that's one of the things that confirms your ties to the domain).

A single certificate should be created as a result of that. This is important because IIS normally won't allow you to use multiple certificates on the same server (there may be a way to override this by directly modifying the metabase but I'm not sure).

Once the certificate had been issued I imported it to IIS by finalizing the previously started certificate request process - you have assumed this correctly.

I suggest you request the certificate for mycompany.com as CN and www.mycompany.com, remote.mycompany.com and autodiscover.mycompany.com as SANs. I don't know the insides of your hosted public site and web shop but if it can be accessed through either mycompany.com or www.mycompany.com it's better you include both names in the certificate to avoid problems.

The list of available certificates shows up in the "SSL certificates" section. However, a specific certificate is chosen when you create an https host header (a binding) on an IIS site. If you are only using IIS to access OWA and for other Exchange services then you won't have to specify host names in https bindings and you are good to go.

After you set things up it's good to do an iisreset before proceeding to Exchange configuration.

After this you should go to your Exchange and do a few simple steps, which are to:
- disable Outlook Anywhere on your CAS,
- re-enable Outlook Anywhere on your CAS and specify "remote.mycompany.com" as the name for client access

This will be the default name distributed by autodiscover service to Outlook clients and ActiveSync devices and is covered by your cert so there should be no problems. To make sure that Exchange uses this name and not something else run the following command in your Exchange Management Shell:

Get-OutlookProvider

The output should look like this:
Name                Server              CertPrincipalName   TTL
----                ------              -----------------   ---
EXCH                                                        1
EXPR                                                        1
WEB                                                         1


If it doesn't, use the Set-OutlookProvider command to clear the invalid values. The syntax for that is:

Set-OutlookProvider <provider> -CertPrincipalName $null

where provider may be EXCH, EXPR or WEB.

Regarding your DNS setup, I would do the following:
- set up a CNAME autodiscover.mycompany.com to point to mycompany.dyndns.org
- remove the mapping you created for mail.mycompany.com

The final note is that autodiscover.mycompany.com isn't a must in your cert but sure minimizes problems. This is why:
- if your e-mail is someone@mycompany.com the autodiscovery first tries to locate the autodiscovery service at https://autodiscover.mycompany.com
- if that fails an attempt is made to locate the autodiscovery at mycompany.com - which in your case points to a wrong IP
- if that fails an attempt is made to locate the autodiscovery by address pointed to by SRV record in your DNS which might look something like this in your case:
_autodiscover._tcp.mycompany.com 60 IN SRV 10 0 443 remote.mycompany.com.
which tells that autodiscover service requests should be redirected to remote.mycompany.com (here's some basic info on SRV records). However, this option requires that your DNS provider supports SRV records (probably does) but also that your autodiscover partners (Outlook,...) know how to utilize them.

There are some other steps Outlook can perform in Exchange autodiscovery if that fails, but this is something I never rely on due to required certificate names.

Finally, remember that any secured service you'll be publishing (pop...) will have to refer to remote.mycompany.com for server name and may require some additional setup depending on your requirements.

And if you ever plan to put things like RDS Gateway on the same machine it will have to use the same name because this service is tied in with IIS (meaning that when you change the cert in either console it automatically changes the cert for the other service too - can cause some headaches until you realize that :)).

Well, that's about it - good luck with your setup!

Regards,
Tomislav
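The Exchange 2010 side of the procedure described in this answer (request, import, Outlook Anywhere, provider cleanup, POP/IMAP names, verification), as an added example that is not part of the original answer. It is meant to be run from the Exchange Management Shell on the Client Access Server; the server name CAS01, the organisation fields in the subject and the C:\certreq paths are assumptions.

```powershell
# Added example: certificate and name setup for the single-server Exchange 2010 case.
$server = 'CAS01'                       # assumed CAS host name
$names  = 'mycompany.com', 'www.mycompany.com', 'remote.mycompany.com', 'autodiscover.mycompany.com'

# 1) Generate the request: the first name is the CN, the rest become SANs. Exchange 2010
#    returns the PKCS#10 text, which is what gets pasted into the CA's order form.
$csr = New-ExchangeCertificate -GenerateRequest -Server $server `
    -SubjectName "CN=$($names[0]), O=My Company, C=US" `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path C:\certreq\mycompany.req -Value $csr

# 2) Once the CA returns the signed certificate (saved as C:\certreq\mycompany.cer),
#    import it and bind it to the services published under remote.mycompany.com.
$fileData = [Byte[]](Get-Content -Path C:\certreq\mycompany.cer -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -Server $server -FileData $fileData
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,POP,IMAP'

# 3) Re-create Outlook Anywhere with the external name that is on the certificate.
Disable-OutlookAnywhere -Server $server -Confirm:$false
Enable-OutlookAnywhere -Server $server -ExternalHostname 'remote.mycompany.com' `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# 4) Clear any stale CertPrincipalName so autodiscover hands out the new name unchanged.
foreach ($p in 'EXCH', 'EXPR', 'WEB') { Set-OutlookProvider -Identity $p -CertPrincipalName $null }

# 5) POP3/IMAP4 must advertise the same name, since clients connect to it over TLS.
Set-PopSettings  -Server $server -X509CertificateName 'remote.mycompany.com'
Set-ImapSettings -Server $server -X509CertificateName 'remote.mycompany.com'

# 6) Verify: the enabled certificate should list all four names and the providers
#    should show an empty CertPrincipalName, as in the output above.
Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
Get-OutlookProvider | Format-Table Name, Server, CertPrincipalName, TTL -AutoSize
```

Run an iisreset after step 2 and restart the MSExchangePOP3 and MSExchangeIMAP4 services after step 5 so the new binding and certificate name take effect.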
Author Comment by: Frosty555
tstritof: thank you very much for your help, you've made this a LOT clearer to me.

A little update - it turns out that 1and1.com does NOT give you the certificate that you purchase, and they do not support using the certificate anywhere other than their own servers. After a run around with their support, none of whom are as knowledgeable on the subject as you, they eventually just stopped returning my emails.

Pretty ridiculous when you think it's a standard Geotrust certificate that I can get anywhere, I expect to have access to the services I've purchased.

On your suggestion, I think I'm going to demand my money back from them and purchase one from DynDNS - since you've had success with that in the past.
Expert Comment by: tstritof
No problem. I can recommend DynDNS, they are one of the best on-line services I've ever used - easy to work with, 0 outages in 4 years and not bugging the customer with spam.

Regards,
Tomislav