Installing and configuring SSL on Exchange 2003

cembi (ASKER):

I have bought an SSL certificate from GoDaddy. I need to install it in my Exchange 2003 and then configure ActiveSync and Outlook over HTTPS. Currently users access email via Outlook 2007 locally, Terminal server and OWA.

How do I:

1- Install the certificate?
2- Configure ActiveSync and Outlook over HTTPS?
3- What kind of Exchange downtime do I expect and how does user access change when they use Outlook via Terminal server, OWA and local Outlook? Will they need to install a license locally? Do I need to warn them about popups, etc.?

Please be specific with regards to steps that need to be taken.

Your help is appreciated. Thank you.
Alan Hardisty:

How do you install it?
You install it via IIS Manager by right-clicking on your Default-Website, choosing Properties> Directory Security Tab> Server Certificate Button> Complete Request and Install Certificate.

To configure Activesync - please read through my Exchange 2003 / Activesync Article:
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Exchange Downtime - none unless you have to run iisreset / reboot the server.
cembi (ASKER):
Thanks Alan. Will do and let you know.
Any feedback in terms of end user experience? Will it change? Will they need to go to https://email.mycompany.com/exchange? Will they be asked to install the certificate locally in order to access email via OWA or Outlook in the office?

Alan Hardisty:
Once you have the correct IIS Settings - and a Godaddy certificate installed, the users won't be asked about the certificate and you can enable Forms Based Authentication (Pretty Web Mail login screen).

There are several steps to follow.  Get the cert installed and Activesync working and then we can sort the http:// / https:// issue.

Do you want https:// for your web mail?  It would be better and more secure.

You can even redirect http://email.mycompany.com automatically to https://email.mycompany.com/exchange without the users having to remember the full path!
cembi (ASKER):
Thanks Alan.

My biggest concern is about the impact to email access once the certificate has been installed? Anything of particular concern that can go wrong?

Re: OWA, we have a link on our website that points users into the email path without them having to remember. I guess modifying it to point into https would be the easiest.
Flipp:
"You can even redirect http://email.mycompany.com automatically to https://email.mycompany.com/exchange without the users having to remember the full path!"

Hi Alan ...... can you advise on how this is achieved? I did see somewhere that there is some coding to a web page that is required, but have not had a chance to test this out?

Alan Hardisty:
Once the certificate is installed - there shouldn't be any issues unless you have Windows Mobile 5.0 phones.  If the certificate name is staying the same, just the provider is different, then you should be fine.  Phones should be happier with the new certificate and there shouldn't be any problems.

@Flipp - if you want to ask a question, please don't hijack someone else's question - ask your own one and then if you like, email me a link, but this is not your question.  Sorry.
cembi (ASKER):
Hi Alan,

I am having issues with port 443. It seems to be configured for access in my firewall, but when I run canyouseeme.org it shows as inaccessible. All other ports like 25, 3389, 110, 80 show as open. My ISP tells me that they do not have it blocked either. Could it be a problem with the exchange server?

Thanks.
Alan Hardisty:
Some Firewalls grab port 443 for remote access to the firewall and you will have to RTFM to figure out how to change the port to something else for remote access e.g., 444 instead.

Once you have freed up port 443, you should be able to allow the port to pass through the router and then life gets easier.

What router / firewall do you have?
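As an added example (not part of the thread, and assuming PowerShell is available on the machine you test from), this script does what canyouseeme.org does for port 443 and then goes one step further: it completes a TLS handshake against the OWA/ActiveSync name and evaluates the certificate name and chain the way a phone or Outlook would, which is the check behind the "certificate from server is not validated" error later in the thread. The host name is the placeholder used in the thread; run it from outside the LAN.

```powershell
# Added example, not from the thread: probe TCP 443, then inspect the served certificate.
# Assumptions: email.mycompany.com is a placeholder; exact-match name test (wildcards need a looser test).
param(
    [string]$HostName = 'email.mycompany.com',
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient
$handle = $client.BeginConnect($HostName, $Port, $null, $null)
if (-not $handle.AsyncWaitHandle.WaitOne(5000, $false)) {
    Write-Host "TCP $Port to $HostName is NOT reachable: check the router/firewall rule (and whether the firewall itself owns 443)"
    return
}
$client.EndConnect($handle)
Write-Host "TCP $Port to $HostName is open"

# Accept whatever is served so it can be inspected; validation is done explicitly below.
$acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Expires : $($cert.NotAfter)"

    # 1. Does the name on the certificate match the name users and phones connect to?
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $HostName) { Write-Warning "Name mismatch: certificate is issued to '$dnsName'" }

    # 2. Does the chain build to a trusted root? A self-signed or incomplete chain
    #    (missing intermediate) is what devices report as "not validated".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($cert)) {
        Write-Host "Chain   : OK ($($chain.ChainElements.Count) certificates)"
    } else {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain   : $($_.Status) - $($_.StatusInformation.Trim())" }
    }
} finally {
    $ssl.Close()
    $client.Close()
}
```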
cembi (ASKER):
It is a Cisco 1841 I believe.
Alan Hardisty:
Okay - I would open up a new question for the Cisco configuration and make sure that your config allows port 443 through (not very familiar with Cisco routers).

Once you know the port is open - we can continue here.
cembi (ASKER):
Hi Alan,

I skimmed through your article but didn't see any info pertaining to Global Settings, Recipient Policy, etc. in Exchange Manager. Isn't it necessary to configure some settings in there as well?

Thank you.
cembi (ASKER):
Hi Alan,

I followed all your steps but neither ActiveSync nor Outlook over HTTPS is working. Do I need to restart IIS and Exchange Store after the reconfiguration?

Thank you.
Alan Hardisty:
Have you confirmed that port 443 is open and forwarded properly on your Cisco router yet?
cembi (ASKER):
Yes. It is open and forwarded. I installed the SSL certificate and followed your steps for configuration. I DID NOT restart IIS or Exchange Store after installing SSL certificate. Is this necessary?
cembi (ASKER):
I can actually get a login screen when I configure Outlook over HTTPS at home. However once I enter login info it hangs on forever.
cembi (ASKER):
Hey Alan. From an Android tablet, I get "Unable to connect to server" error. I am not sure what else to try.
Thank you.
Alan Hardisty:
I would run an IISRESET and then test on the test site.  If you post the results, then I can see what might be happening and point you in the right direction.
cembi (ASKER):
Alan,

I ran IISRESET. Test site shows this error:

"Attempting the FolderSync command on the Exchange ActiveSync session.
  The test of the FolderSync command failed.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body> "

According to your article I went and checked settings at ESM-GS-Mobile Services-Device security and noticed that Enable User Initiated Sync was disabled. I enabled it. I am not sure if I need Enable Direct Push over HTTP/s!? Also, do I need to do the exception thing in Device Security even though all users are required to enter passwords?

The error that a user gets on his Droid is: "The certificate from server is not validated".

Thank you.
Alan Hardisty:
If you are getting the 403 error, please refer to that section in my article.

The usual fix for that is to follow KB817379, which makes you create a new Virtual Directory called exchange-oma because you have SSL enabled on the exchange virtual directory.  Once created, the exchange-oma will not have SSL enabled and can then handle the port 80 requests instead of the exchange virtual directory, which it can't, because SSL is enabled on it.

Ignore the devices for now - you need to get all Green Ticks on the test site before thinking about the phone configuration.

I can smell the finish line, but we are not there just yet.
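As an added example (not from the thread or the article, and assuming PowerShell is installed on the Exchange 2003 server), this script audits the state Alan describes: which Exchange virtual directories require SSL in the IIS 6 metabase, and whether the KB817379 override that points ActiveSync/OMA at the non-SSL /exchange-oma copy is present. It assumes the Default Web Site is metabase instance W3SVC/1; adjust the path if yours differs.

```powershell
# Added example, not from the thread: audit SSL requirements on the Exchange vdirs
# and the KB817379 ExchangeVDir override. Assumes Default Web Site = IIS://localhost/W3SVC/1.
$site      = 'IIS://localhost/W3SVC/1/Root'
$AccessSSL = 8   # bit in the metabase AccessSSLFlags property: "Require secure channel (SSL)"

function Get-VDirSslState([string]$Name) {
    $path = "$site/$Name"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { return 'missing' }
    $vdir  = [ADSI]$path
    $flags = [int]$vdir.AccessSSLFlags.Value
    if ($flags -band $AccessSSL) { 'SSL required' } else { 'SSL optional' }
}

foreach ($name in 'exchange', 'exchange-oma', 'Microsoft-Server-ActiveSync', 'oma') {
    Write-Host ("{0,-30} {1}" -f "/$name", (Get-VDirSslState $name))
}

# ActiveSync and OMA reach the mailbox over plain HTTP on the server itself, so once
# /exchange requires SSL they need the non-SSL /exchange-oma copy and the registry override.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters'
$override = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ExchangeVDir

if ((Get-VDirSslState 'exchange') -eq 'SSL required') {
    if ((Get-VDirSslState 'exchange-oma') -ne 'SSL optional') {
        Write-Warning "/exchange requires SSL but /exchange-oma is missing or also requires SSL"
    }
    if ($override -ne '/exchange-oma') {
        Write-Warning "ExchangeVDir is '$override', expected '/exchange-oma' (KB817379) - FolderSync will get HTTP 403"
    } else {
        Write-Host "ExchangeVDir override is in place: $override"
    }
} else {
    Write-Host "/exchange does not require SSL; the exchange-oma workaround is not needed"
}
```

Changing these settings is followed by an IISRESET, as Alan says above; the script only reads them.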
cembi (ASKER):
While I deal with the exchange-oma directory will there be any impact on Exchange performance? I am trying to figure out whether this is something to be done after hours.
cembi (ASKER):
No luck. Even after creating Exchange-OMA the same issue appears. If before I was able to at least obtain the folders of my mailbox in my Android, now I get "Unable to connect to server".
I am so tired of this. What a pain.
cembi (ASKER):
Alan,
I guess I will have to follow the approach of recreating all virtual directories for Exchange? Anything else to try before doing that?
Thanks.
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
cembi (ASKER):
Please leave it open for a few more days. Thanks.
Alan Hardisty:
Sorry I dropped the ball on this one.  Are you anywhere close to a solution?

What's happening now?

Happy to pick up and carry on troubleshooting with you if you need it.
cembi (ASKER):
Alan, no problem.
Not much progress has been made due to various factors. Last time we spoke, I said I would call Microsoft about this, but I never did and I am still reluctant to call them. I notice that Symantec Backup Exec reports 523 corrupt items on Exchange backup. Could this be related to the ActiveSync issues I am having? Perhaps I should make sure I have a clean store first. I am thinking of running an Offline Defrag on the Exchange Store first (a lot of data has been moved out of Exchange recently) and then doing an integrity test. What is your opinion on this?
Thank you.
Alan Hardisty:
Hmm - do you know what the corrupt items are?  Possibly PST files stored on the server?  If so - they should not be stored AND accessed on the server as corruption can occur.

If that is the problem - then that won't cause Activesync issues.

Offline defrag would be good.  I would repair, defragment and integrity check - just to make sure all is good on that front.  Run the integrity check at least twice.
cembi (ASKER):
Alan, here are some samples of the error messages (attachment: SBE-Exchange-Backup-Errors.txt).
ASKER CERTIFIED SOLUTION (Alan Hardisty)
cembi (ASKER):
Awesome. Thank you again Alan. I am planning this weekend for all the tests.
Alan Hardisty:
No problems - it will take a while and the weekend is usually the best time.  eseutil will run at about 4-6 GB per hour, so factor that into your timings based on the mailstore size (.edb + .stm) and that should give you an idea of how long the task should take.

Isinteg is usually a bit quicker, but you should run it until you see 0 errors and 0 fixes in the last line of the output, which is often a minimum of 2 times, but usually not more than 2.
Alan Hardisty:
Please close the CS Request and we will continue to work on the question.

Thanks modguy.

Alan
cembi (ASKER):
Alan,

I am performing a backup right now. I just wanted to double check with you about your instructions. Do I run all 3 commands while the mailbox store is dismounted, or do I mount and then dismount after every command? What are the ramifications of eseutil /p, any chance for more trouble by running it?
These may be dumb questions but I am a bit paranoid.

Thank you.
cembi (ASKER):
Furthermore, is eseutil /p really necessary? Would just running eseutil /d and isinteg suffice?
Alan Hardisty:
eseutil /p repairs any corruption in the store, so it is 100% necessary.

If you run /p, you have to run /d followed by isinteg to complete the tidy up.

Sorry - but you want to do it right.

You need to keep the store dismounted throughout the entire process.

Running eseutil /p will remove corruption, so there is a chance of loss of data, but if it is data that is corrupt, it isn't going to be much use to you.
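As an added example (not from the thread), this pre-flight script covers the practical checks behind Alan's answer before anyone types eseutil /p: it sizes the .edb + .stm pair, turns Alan's 4-6 GB/hour figure into a time estimate, confirms the volume has the roughly 110% free space that eseutil /d needs for its rebuilt copy, and reads the database header to confirm the store is actually dismounted (Clean Shutdown). The paths are placeholders, and eseutil is assumed to be on the PATH (Exchsrvr\bin).

```powershell
# Added example, not from the thread: pre-flight before eseutil /p, eseutil /d and isinteg.
# Assumptions: placeholder paths below; eseutil and isinteg are on the PATH (Exchsrvr\bin);
# a full backup of the store has already been taken.
param(
    [string]$Edb = 'D:\Exchsrvr\MDBDATA\priv1.edb',
    [string]$Stm = 'D:\Exchsrvr\MDBDATA\priv1.stm'
)
$ErrorActionPreference = 'Stop'

# Size both files: eseutil works on the pair, and Alan's rate applies to their total.
$sizeGB = ((Get-Item $Edb).Length + (Get-Item $Stm).Length) / 1GB
$drive  = Split-Path $Edb -Qualifier
$freeGB = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace / 1GB
Write-Host ("Store size     : {0:N1} GB (.edb + .stm)" -f $sizeGB)
Write-Host ("Free on {0}     : {1:N1} GB" -f $drive, $freeGB)
Write-Host ("eseutil ETA    : {0:N1} to {1:N1} hours per pass at 4-6 GB/hour" -f ($sizeGB / 6), ($sizeGB / 4))

# eseutil /d writes a fresh copy of the database, so it needs about 110% of the store size free.
if ($freeGB -lt $sizeGB * 1.1) {
    throw "Not enough free space for the defrag copy: need $([math]::Ceiling($sizeGB * 1.1)) GB free"
}

# The store has to stay dismounted for the whole sequence; the header state shows that.
$header = & eseutil /mh $Edb
$state  = ($header | Select-String 'State:').Line.Trim()
Write-Host "Header         : $state"
if ($state -notmatch 'Clean Shutdown') {
    throw "Database is not in Clean Shutdown - dismount the store (and let it finish) before repairing"
}

# Sequence to run next, with the store still dismounted throughout:
#   eseutil /p "$Edb"                       repair; discards corrupt pages, so rely on the backup taken above
#   eseutil /d "$Edb"                       defragment/rebuild after the repair
#   isinteg -s <SERVER> -fix -test alltests  repeat until the last line reports 0 errors and 0 fixes
Write-Host "Pre-flight passed: ready for eseutil /p, then /d, then isinteg -fix -test alltests"
```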