Solved

Installing and configuring SSL on Exchange 2003

Posted on 2011-03-08
381 Views
Last Modified: 2012-05-11
I have bought an SSL certificate from GoDaddy. I need to install it in my Exchange 2003 and then configure ActiveSync and Outlook over HTTPS. Currently users access email via Outlook 2007 locally, Terminal server and OWA.

How do I:

1- Install the certificate?
2- Configure ActiveSync and Outlook over HTTPS?
3- What kind of Exchange downtime do I expect and how does user access change when they use Outlook via Terminal server, OWA and local Outlook? Will they need to install a license locally? Do I need to warn them about popups etc. ?

Please be specific with regards to steps that need to be taken.

Your help is appreciated. Thank you.
Question by:cembi
37 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35074389
How do you install it?
You install it via IIS Manager by right-clicking on your Default-Website, choosing Properties> Directory Security Tab> Server Certificate Button> Complete Request and Install Certificate.

To configure Activesync - please read through my Exchange 2003 / Activesync Article:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Exchange Downtime - none unless you have to run iisreset / reboot the server.
0
 

Author Comment

by:cembi
ID: 35074716
Thanks Alan. Will do and let you know.
Any feedback in terms of end user experience? Will it change? Will they need to go to https://email.mycompany.com/exchange? Will they be asked to install the certificate locally in order to access email via OWA or Outlook in the office?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35075278
Once you have the correct IIS Settings - and a Godaddy certificate installed, the users won't be asked about the certificate and you can enable Forms Based Authentication (Pretty Web Mail login screen).

There are several steps to follow.  Get the cert installed and Activesync working and then we can sort the http:// / https:// issue.

Do you want https:// for your web mail?  It would be better and more secure.

You can even redirect http://email.mycompany.com automatically to https://email.mycompany.com/exchange without the users having to remember the full path!
0
 

Author Comment

by:cembi
ID: 35077273
Thanks Alan.

My biggest concern is about the impact to email access once the certificate has been installed? Anything of particular concern that can go wrong?

Re: OWA, we have a link on our website that points users into the email path without them having to remember. I guess modifying it to point into https would be the easiest.
0
 
LVL 6

Expert Comment

by:Flipp
ID: 35078057
"You can even redirect http://email.mycompany.com automatically to https://email.mycompany.com/exchange without the users having to remember the full path!"

Hi Alan ...... can you advise on how this is achieved? I did see somewhere that there is some coding to a web page that is required, but have not had a chance to test this out?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35082933
Once the certificate is installed - there shouldn't be any issues unless you have Windows Mobile 5.0 phones.  If the certificate name is staying the same, just the provider is different, then you should be fine.  Phones should be happier with the new certificate and there shouldn't be any problems.

@Flipp - if you want to ask a question, please don't hijack someone else's question - ask your own one and then if you like, email me a link, but this is not your question.  Sorry.
0
 

Author Comment

by:cembi
ID: 35103204
Hi Alan,

I am having issues with port 443. It seems to be configured for access in my firewall, but when I run canyouseeme.org it shows as inaccessible. All other ports like 25, 3389, 110, 80 show as open. My ISP tells me that they do not have it blocked either. Could it be a problem with the exchange server?

Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35103379
Some Firewalls grab port 443 for remote access to the firewall and you will have to RTFM to figure out how to change the port to something else for remote access e.g., 444 instead.

Once you have freed up port 443, you should be able to allow the port to pass through the router and then life gets easier.

What router / firewall do you have?
0
 

Author Comment

by:cembi
ID: 35104931
It is a Cisco 1841 I believe.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35106326
Okay - I would open up a new question for the Cisco configuration and make sure that your config allows port 443 through (not very familiar with Cisco routers).

Once you know the port is open - we can continue here.
0
 

Author Comment

by:cembi
ID: 35158657
Hi Alan,

I skimmed through your article but didn't see any info pertaining to Global Settings, Recipient Policy etc. in Exchange Manager. Isn't it necessary to configure some settings in there as well?

Thank you.
0
 

Author Comment

by:cembi
ID: 35311195
Hi Alan,

I followed all your steps but neither ActiveSync nor Outlook over HTTPS is working. Do I need to restart IIS and Exchange Store after the reconfiguration?

Thank you.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35311232
Have you confirmed that port 443 is open and forwarded properly on your Cisco router yet?
0
 

Author Comment

by:cembi
ID: 35311271
Yes. It is open and forwarded. I installed the SSL certificate and followed your steps for configuration. I DID NOT restart IIS or Exchange Store after installing SSL certificate. Is this necessary?
0
 

Author Comment

by:cembi
ID: 35311275
I can actually get a login screen when I configure Outlook over HTTPS at home. However once I enter login info it hangs on forever.
0
 

Author Comment

by:cembi
ID: 35311480
Hey Alan. From an Android tablet, I get "Unable to connect to server" error. I am not sure what else to try.
Thank you.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35312750
I would run an IISRESET and then test on the test site.  If you post the results, then I can see what might be happening and point you in the right direction.
0

Author Comment

by:cembi
ID: 35316255
Alan,

I ran IISRESET. Test site shows this error:

"Attempting the FolderSync command on the Exchange ActiveSync session.
  The test of the FolderSync command failed.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body> "

According to your article I went and checked settings at ESM-GS-Mobile Services-Device security and noticed that Enable User Initiated Sync was disabled. I enabled it. I am not sure if I need Enable Direct Push over HTTP/s !? Also, do I need to do the exception thing in Device Security even though all users are required to enter passwords?

The error that a user gets on his Droid is: "The certificate from server is not validated".

Thank you.
 
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35322209
If you are getting the 403 error, please refer to that section in my article.

The usual fix for that is to follow KB817379, which makes you create a new Virtual Directory called exchange-oma because you have SSL enabled on the exchange virtual directory.  Once created, the exchange-oma will not have SSL enabled and can then handle the port 80 requests instead of the exchange virtual directory, which it can't, because SSL is enabled on it.

Ignore the devices for now - you need to get all Green Ticks on the test site before thinking about the phone configuration.

I can smell the finish line, but we are not there just yet.
0
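A check that goes with the two steps above (installing the GoDaddy certificate through IIS Manager, then chasing the 403 on the ActiveSync test). This is an added example, not code from the thread, from Microsoft or from the test site: it fetches the certificate the server actually presents, checks the name the clients will use against it, sends an OPTIONS request to the ActiveSync virtual directory and maps the HTTP status to the symptoms discussed in the thread (401 is healthy because credentials are demanded; 403 is the SSL-required-on-/exchange problem that the exchange-oma virtual directory from KB817379 works around). The hostname `email.mycompany.com` is a placeholder; `/Microsoft-Server-ActiveSync` is the standard ActiveSync virtual directory name.

```python
"""Check what an Exchange 2003 front end presents over HTTPS.

Added example, not code from the thread or from Microsoft. It fetches the
certificate the server actually serves, checks the name the clients use
against it, then sends an OPTIONS request to the ActiveSync virtual
directory and maps the HTTP status to the symptoms discussed in the thread.
The hostname is an assumption; pass your own on the command line.
"""
import http.client
import socket
import ssl
import time
from typing import Optional

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"  # standard EAS virtual directory


def classify_status(status: int) -> str:
    """Turn the status from the EAS virtual directory into a diagnosis."""
    if status == 401:
        return "ok: HTTPS answers and the server demands credentials, as expected"
    if status == 403:
        return ("403 forbidden: ActiveSync reached /exchange over HTTP while SSL is "
                "required on it; create the exchange-oma virtual directory (KB817379)")
    if status in (301, 302):
        return "redirect: make sure an http->https redirect is not looping"
    if status == 404:
        return "404: ActiveSync virtual directory missing or path wrong"
    if 500 <= status < 600:
        return f"{status}: server-side failure, check the IIS and Application event logs"
    return f"unexpected status {status}"


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the cert's subjectAltName DNS entries or
    its commonName (cert in the dict form returned by getpeercert()).
    A mismatch is what makes phones report the certificate as not validated."""
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v.lower() for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in names:
        if name == host:
            return True
        # single-label wildcard only: *.example.com covers mail.example.com, not a.b.example.com
        if name.startswith("*.") and host.endswith(name[1:]) and host.count(".") == name.count("."):
            return True
    return False


def cert_days_remaining(not_after: str, now_ts: Optional[float] = None) -> int:
    """Whole days until expiry; not_after is the getpeercert() 'notAfter'
    string, e.g. 'Mar  8 23:59:59 2012 GMT'."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expiry_ts - now_ts) // 86400)


def probe(hostname: str, port: int = 443) -> dict:
    """Live check against a real server (network access required)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname like a client would
    try:
        with socket.create_connection((hostname, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"tls_ok": False, "diagnosis": f"certificate rejected: {exc.verify_message}"}
    conn = http.client.HTTPSConnection(hostname, port, context=ctx, timeout=10)
    conn.request("OPTIONS", ACTIVESYNC_PATH)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return {
        "tls_ok": True,
        "hostname_ok": hostname_matches(cert, hostname),
        "days_remaining": cert_days_remaining(cert["notAfter"]),
        "status": resp.status,
        "diagnosis": classify_status(resp.status),
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "email.mycompany.com"  # placeholder host
    for key, value in probe(host).items():
        print(f"{key}: {value}")
```

Run it from outside the network once port 443 is confirmed open on the router, since that is the path the phones take; a 401 with a matching name and a healthy expiry is the state to aim for before touching any device configuration.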
 

Author Comment

by:cembi
ID: 35323058
While I deal with the exchange-oma directory will there be any impact on Exchange performance? I am trying to figure out whether this is something to be done after hours.
0
 

Author Comment

by:cembi
ID: 35329966
No luck. Even after creating Exchange-OMA the same issue appears. If before I was able to at least obtain the folders of my mailbox in my Android, now I get "Unable to connect to server".
I am so tired of this. What a pain.
0
 

Author Comment

by:cembi
ID: 35332588
Alan,
I guess I will have to follow the approach of recreating all virtual directories for Exchange? Anything else to try before doing that?
Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36519474
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 

Author Comment

by:cembi
ID: 36519473
Please leave it open for a few more days. Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36519479
Sorry I dropped the ball on this one.  Are you anywhere close to a solution?

What's happening now?

Happy to pick up and carry on troubleshooting with you if you need it.
0
 

Author Comment

by:cembi
ID: 36522833
Alan, no problem.
Not much progress has been made due to various factors. Last time we spoke, I would call Microsoft about this but I never did and I am still reluctant to call them. I notice that Symantec Backup Exec reports 523 corrupt items on Exchange backup. Could this be related to the ActiveSync issues I am having? Perhaps I should make sure I have a clean store first. I am thinking of running an Offline Defrag on Exchange Store first (a lot of data has been moved out of Exchange recently) and then do an integrity test. What is your opinion on this?
Thank you.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36522926
Hmm - do you know what the corrupt items are?  Possibly PST files stored on the server?  If so - they should not be stored AND accessed on the server as corruption can occur.

If that is the problem - then that won't cause Activesync issues.

Offline defrag would be good.  I would repair, defragment and integrity check - just to make sure all is good on that front.  Run the integrity check at least twice.
0
 

Author Comment

by:cembi
ID: 36523068
Alan, here are some samples of the error messages. SBE-Exchange-Backup-Errors.txt
0
 
LVL 76

Accepted Solution

by:Alan Hardisty (earned 500 total points)
ID: 36523094
Ah - that's mailbox corruption!!

That will cause Activesync issues, so repair, defragment and integrity check the database is ESSENTIAL.

eseutil /p

eseutil /d

isinteg -s servername -fix -test alltests

For reference:
http://www.msexchange.org/tutorials/exchange-isinteg-eseutil.html
0
 

Author Comment

by:cembi
ID: 36523143
Awesome. Thank you again Alan. I am planning this weekend for all the tests.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36524133
No problems - it will take a while and the weekend is usually the best time.  eseutil will run at about 4-6Gb per hour, so factor that into your timings based on the mailstore size (.edb + .stm) and that should give you an idea of how long the task should take.

Isinteg is usually a bit quicker, but you should run it until you see 0 errors and 0 fixes in the last line of the output, which is often a minimum of 2 times, but usually not more than 2.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36545353
Please close the CS Request and we will continue to work on the question.

Thanks modguy.

Alan
0
 

Author Comment

by:cembi
ID: 36553156
Alan,

I am performing a backup right now. I just wanted to double check with you about your instructions. Do I run all 3 commands while the mailbox store is dismounted, or do I mount and then dismount after every command? What are the ramifications of eseutil /p, any chance for more trouble by running it?
These may be dumb questions but I am a bit paranoid.

Thank you.
0
 

Author Comment

by:cembi
ID: 36553168
Furthermore, is eseutil /p really necessary? Would just running eseutil /d and isinteg suffice?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36553747
eseutil /p repairs any corruption in the store, so it is 100% necessary.

If you run /p, you have to run /d followed by isinteg to complete the tidy up.

Sorry - but you want to do it right.

You need to keep the store dismounted throughout the entire process.

Running eseutil /p will remove corruption, so there is a chance of loss of data, but if it is data that is corrupt, it isn't going to be much use to you.
0
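The three commands in the accepted solution, the 4-6 GB/hour estimate for eseutil, and the rule above that the store stays dismounted and isinteg is repeated until it reports 0 errors and 0 fixes, scripted as one sequence. This is an added example, not code from the thread, from Microsoft or from any tool vendor. The eseutil/isinteg locations and the store paths are assumptions (read the real ones from the store's properties in ESM), as is the format of the isinteg summary lines the regular expressions look for and the answers fed to isinteg's interactive prompts; confirm both against one manual run before letting it run unattended.

```python
"""Repair sequence for a dismounted Exchange 2003 mailbox store.

Added example, not from the thread, Microsoft or the tool vendors. It runs
eseutil /p, then eseutil /d, then isinteg -fix until isinteg reports
0 errors and 0 fixes, and estimates the eseutil running time from the
store size at the 4-6 GB/hour rate quoted in the thread. All paths, the
isinteg summary format and the prompt answers are assumptions.
"""
import os
import re
import subprocess
from typing import Callable, Optional, Tuple

ESEUTIL = r"C:\Program Files\Exchsrvr\bin\eseutil.exe"       # assumed path
ISINTEG = r"C:\Program Files\Exchsrvr\bin\isinteg.exe"       # assumed path
STORE_EDB = r"C:\Program Files\Exchsrvr\mdbdata\priv1.edb"   # assumed path
STORE_STM = r"C:\Program Files\Exchsrvr\mdbdata\priv1.stm"   # assumed path

GB_PER_HOUR = (4.0, 6.0)  # eseutil throughput range quoted in the thread


def estimate_hours(store_bytes: int) -> Tuple[float, float]:
    """(best, worst) hours for ONE eseutil pass over .edb + .stm of this size;
    /p and /d are separate passes, so double it for the pair."""
    gb = store_bytes / 1024 ** 3
    return (round(gb / GB_PER_HOUR[1], 1), round(gb / GB_PER_HOUR[0], 1))


def store_size_bytes(edb: str = STORE_EDB, stm: str = STORE_STM) -> int:
    return os.path.getsize(edb) + os.path.getsize(stm)


# Assumed summary format: isinteg ends with lines such as
# 'Total number of errors : 3' and 'Total number of fixes : 3'.
_ERRORS = re.compile(r"Total number of errors\s*:\s*(\d+)", re.IGNORECASE)
_FIXES = re.compile(r"Total number of fixes\s*:\s*(\d+)", re.IGNORECASE)


def isinteg_counts(output: str) -> Tuple[int, int]:
    """(errors, fixes) from one isinteg run; refuse to guess if the summary is missing."""
    e, f = _ERRORS.search(output), _FIXES.search(output)
    if e is None or f is None:
        raise ValueError("isinteg summary not found; read the output by hand")
    return int(e.group(1)), int(f.group(1))


def isinteg_clean(output: str) -> bool:
    return isinteg_counts(output) == (0, 0)


def passes_until_clean(run_pass: Callable[[], str], max_passes: int = 5) -> int:
    """Call run_pass() (one 'isinteg -fix' run) until it reports 0 errors and
    0 fixes; return how many runs that took, or raise if it never comes clean."""
    for n in range(1, max_passes + 1):
        if isinteg_clean(run_pass()):
            return n
    raise RuntimeError(f"isinteg still reports problems after {max_passes} passes")


def _run_capture(cmd, stdin_text: Optional[str] = None) -> str:
    print("> " + " ".join(cmd))
    completed = subprocess.run(cmd, input=stdin_text, capture_output=True, text=True)
    print(completed.stdout)
    return completed.stdout


def repair_store(server: str, edb: str = STORE_EDB, store_number: str = "1") -> int:
    """Full sequence. Take a backup first; the store stays dismounted throughout."""
    for switch in ("/p", "/d"):              # /p hard repair, then /d defragment
        cmd = [ESEUTIL, switch, edb]
        print("> " + " ".join(cmd))
        if subprocess.run(cmd).returncode != 0:
            raise SystemExit(f"eseutil {switch} failed; stop here and restore from backup")
    # isinteg asks which store to check (numbered list) and for confirmation;
    # these answers assume a single-store server and are an assumption.
    answers = f"{store_number}\ny\n"
    return passes_until_clean(
        lambda: _run_capture([ISINTEG, "-s", server, "-fix", "-test", "alltests"], answers))


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        raise SystemExit("usage: repair_store.py SERVERNAME [--run]")
    best, worst = estimate_hours(store_size_bytes())
    print(f"eseutil: expect {2 * best}-{2 * worst} hours for /p and /d combined")
    if "--run" in sys.argv:
        print(f"isinteg came clean after {repair_store(sys.argv[1])} pass(es)")
```

Without `--run` the script only prints the time estimate, which is the figure to put in the maintenance window; the eseutil failure check stops the sequence before /d or isinteg can run against a database that /p could not repair.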
