  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 411
  • Last Modified:

Installing and configuring SSL on Exchange 2003

I have bought an SSL certificate from GoDaddy. I need to install it in my Exchange 2003 and then configure ActiveSync and Outlook over HTTPS. Currently users access email via Outlook 2007 locally, Terminal server and OWA.

How do I:

1- Install the certificate?
2- Configure ActiveSync and Outlook over HTTPS?
3- What kind of Exchange downtime do I expect and how does user access change when they use Outlook via Terminal server, OWA and local Outlook? Will they need to install a license locally? Do I need to warn them about popups etc. ?

Please be specific with regards to steps that need to be taken.

Your help is appreciated. Thank you.
Asked by cembi
1 Solution
 
Alan HardistyCo-OwnerCommented:
How do you install it?
You install it via IIS Manager by right-clicking on your Default-Website, choosing Properties> Directory Security Tab> Server Certificate Button> Complete Request and Install Certificate.

To configure Activesync - please read through my Exchange 2003 / Activesync Article:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Exchange Downtime - none unless you have to run iisreset / reboot the server.
0
 
cembiIT Author Commented:
Thanks Alan. Will do and let you know.
Any feedback in terms of end user experience? Will it change? Will they need to go to https://email.mycompany.com/exchange? Will they be asked to install the certificate locally in order to access email via OWA or Outlook in the office?
0
 
Alan HardistyCo-OwnerCommented:
Once you have the correct IIS Settings - and a Godaddy certificate installed, the users won't be asked about the certificate and you can enable Forms Based Authentication (Pretty Web Mail login screen).

There are several steps to follow.  Get the cert installed and Activesync working and then we can sort the http:// / https:// issue.

Do you want https:// for your web mail?  It would be better and more secure.

You can even redirect http://email.mycompany.com automatically to https://email.mycompany.com/exchange without the users having to remember the full path!
0
 
cembiIT Author Commented:
Thanks Alan.

My biggest concern is about the impact to email access once the certificate has been installed? Anything of particular concern that can go wrong?

Re: OWA, we have a link on our website that points users into the email path without them having to remember. I guess modifying it to point into https would be the easiest.
0
 
FlippCommented:
"You can even redirect http://email.mycompany.com automatically to https://email.mycompany.com/exchange without the users having to remember the full path!"

Hi Alan ...... can you advise on how this is achieved? I did see somewhere that there are some coding to a web page that is required, but have not had a chance to test this out?
0
 
Alan HardistyCo-OwnerCommented:
Once the certificate is installed - there shouldn't be any issues unless you have Windows Mobile 5.0 phones.  If the certificate name is staying the same, just the provider is different, then you should be fine.  Phones should be happier with the new certificate and there shouldn't be any problems.

@Flipp - if you want to ask a question, please don't hijack someone else's question - ask your own one and then if you like, email me a link, but this is not your question.  Sorry.
0
 
cembiIT Author Commented:
Hi Alan,

I am having issues with port 443. It seems to be configured for access in my firewall, but when I run canyouseeme.org it shows as inaccessible. All other ports like 25, 3389, 110, 80 show as open. My ISP tells me that they do not have it blocked either. Could it be a problem with the exchange server?

Thanks.
0
 
Alan HardistyCo-OwnerCommented:
Some Firewalls grab port 443 for remote access to the firewall and you will have to RTFM to figure out how to change the port to something else for remote access e.g., 444 instead.

Once you have freed up port 443, you should be able to allow the port to pass through the router and then life gets easier.

What router / firewall do you have?
0
 
cembiIT Author Commented:
It is a Cisco 1841 I believe.
0
 
Alan HardistyCo-OwnerCommented:
Okay - I would open up a new question for the Cisco configuration and make sure that your config allows port 443 through (not very familiar with Cisco routers).

Once you know the port is open - we can continue here.
0
 
cembiIT Author Commented:
Hi Alan,

I skimmed through your article but didn't see any info pertaining to Global Settings, Recipient Policy, etc. in Exchange Manager. Isn't it necessary to configure some settings in there as well?

Thank you.
0
 
cembiIT Author Commented:
Hi Alan,

I followed all your steps but neither ActiveSync nor Outlook over HTTPS is working. Do I need to restart IIS and Exchange Store after the reconfiguration?

Thank you.
0
 
Alan HardistyCo-OwnerCommented:
Have you confirmed that port 443 is open and forwarded properly on your Cisco router yet?
0
 
cembiIT Author Commented:
Yes. It is open and forwarded. I installed the SSL certificate and followed your steps for configuration. I DID NOT restart IIS or Exchange Store after installing SSL certificate. Is this necessary?
0
 
cembiIT Author Commented:
I can actually get a login screen when I configure Outlook over HTTPS at home. However once I enter login info it hangs on forever.
0
 
cembiIT Author Commented:
Hey Alan. From an Android tablet, I get "Unable to connect to server" error. I am not sure what else to try.
Thank you.
0
 
Alan HardistyCo-OwnerCommented:
I would run an IISRESET and then test on the test site.  If you post the results, then I can see what might be happening and point you in the right direction.
0
 
cembiIT Author Commented:
Alan,

I ran IISRESET. Test site shows this error:

"Attempting the FolderSync command on the Exchange ActiveSync session.
  The test of the FolderSync command failed.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body> "

According to your article I went and checked settings at ESM-GS-Mobile Services-Device security and noticed that Enable User Initiated Sync was disabled. I enabled it. I am not sure if I need Enable Direct Push over HTTP/s !? Also, do I need to do the exception thing in Device Security even though all users are required to enter passwords?

The error that a user gets on his Droid is: "The certificate from server is not validated".

Thank you.
 
0
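The three symptoms reported in this thread (port 443 showing as closed from outside, a phone saying the server certificate "is not validated", and the HTTP 403 on the ActiveSync test) can all be reproduced from a machine outside the network with one script. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes the public host name is passed on the command line (the thread's placeholder is email.mycompany.com) and that ActiveSync is at its default Exchange 2003 virtual directory, /Microsoft-Server-ActiveSync. It validates the certificate chain separately from the host name, so a missing intermediate certificate (the usual cause of the phone's complaint) is reported differently from a name mismatch.

```python
"""Outside-in checks for an Exchange 2003 OWA/ActiveSync front door.
Added example for this thread, not code from it.  Assumes the public host
name is given on the command line and that ActiveSync uses the default
Exchange 2003 virtual directory /Microsoft-Server-ActiveSync."""
import http.client
import socket
import ssl
import sys

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"


def _context(verify_chain):
    """Client TLS context.  A Windows 2003 / IIS 6 server speaks TLS 1.0 at
    best, so the version floor is lowered (a hardened OpenSSL build may still
    refuse).  Host-name checking is done by hostname_matches() below so that a
    bad chain and a wrong name are reported as different faults."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, AttributeError):
        pass
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_chain else ssl.CERT_NONE
    return ctx


def _glob_match(pattern, hostname):
    """One certificate name against one host name; a leading '*' covers
    exactly one DNS label, so *.mycompany.com matches email.mycompany.com
    but neither mycompany.com nor a.b.mycompany.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".mycompany.com"
    return (len(hostname) > len(suffix) and hostname.endswith(suffix)
            and "." not in hostname[:-len(suffix)])


def hostname_matches(cert, hostname):
    """cert is the dict from SSLSocket.getpeercert(); SANs win, CN is a fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_glob_match(n, hostname) for n in names)


def interpret_activesync_status(status):
    """Diagnosis for an unauthenticated GET on the ActiveSync directory."""
    if status == 401:
        return "ok: directory reachable, authentication challenge as expected"
    if status == 403:
        return "403: SSL required on the exchange virtual directory (the exchange-oma fix, KB817379)"
    if status in (301, 302):
        return "redirect: a redirect rule is intercepting the request"
    return "unexpected status %d" % status


def check_port(host, port=443, timeout=5):
    """Plain TCP connect, the same thing canyouseeme.org does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_tls(host, port=443, timeout=5):
    """Handshake with chain validation; on a chain failure retry without
    validation and return the served leaf certificate as PEM for inspection."""
    result = {"verified": False, "hostname_ok": False, "error": None, "cert": None, "pem": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with _context(True).wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(verified=True, cert=cert, hostname_ok=hostname_matches(cert, host))
                return result
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "chain did not validate: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        result["error"] = "connect/handshake failed: %s" % exc
        return result
    try:  # second pass only to see what the server actually serves
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with _context(False).wrap_socket(raw, server_hostname=host) as tls:
                result["pem"] = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    except (ssl.SSLError, OSError) as exc:
        result["error"] += "; unverified retry failed: %s" % exc
    return result


def check_activesync(host, timeout=5):
    """GET the ActiveSync directory with no credentials; returns (status, challenge, verdict)."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=_context(True))
    try:
        conn.request("GET", ACTIVESYNC_PATH, headers={"User-Agent": "front-door-check"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate"), interpret_activesync_status(resp.status)
    finally:
        conn.close()


def main(argv):
    if len(argv) != 2:
        print("usage: %s <owa-host-name>" % argv[0])
        return 2
    host = argv[1]
    if not check_port(host):
        print("port 443 on %s: not reachable (router/firewall, or something else bound to 443)" % host)
        return 1
    print("port 443 on %s: open" % host)
    tls = check_tls(host)
    if tls["verified"]:
        print("TLS chain: valid; name matches %s: %s" % (host, tls["hostname_ok"]))
    else:
        print("TLS: %s" % tls["error"])
        if tls["pem"]:
            print("served leaf certificate (check its issuer for a missing intermediate):\n%s" % tls["pem"])
    try:
        status, challenge, verdict = check_activesync(host)
        print("GET %s -> %s (%s): %s" % (ACTIVESYNC_PATH, status, challenge, verdict))
    except (ssl.SSLError, OSError) as exc:
        print("GET %s failed: %s" % (ACTIVESYNC_PATH, exc))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_front_door.py email.mycompany.com` from outside the office network. A chain failure with a PEM whose issuer is a GoDaddy intermediate rather than a root means the intermediate bundle was not installed alongside the server certificate; a 403 on the ActiveSync directory is the case Alan's KB817379 / exchange-oma note covers; a 401 with a Basic challenge means the web side is healthy and any remaining fault is on the device or in Mobile Services.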
 
Alan HardistyCo-OwnerCommented:
If you are getting the 403 error, please refer to that section in my article.

The usual fix for that is to follow KB817379, which makes you create a new Virtual Directory called exchange-oma because you have SSL enabled on the exchange virtual directory.  Once created, the exchange-oma will not have SSL enabled and can then handle the port 80 requests instead of the exchange virtual directory, which it can't, because SSL is enabled on it.

Ignore the devices for now - you need to get all Green Ticks on the test site before thinking about the phone configuration.

I can smell the finish line, but we are not there just yet.
0
 
cembiIT Author Commented:
While I deal with the exchange-oma directory will there be any impact on Exchange performance? I am trying to figure out whether this is something to be done after hours.
0
 
cembiIT Author Commented:
No luck. Even after creating Exchange-OMA the same issue appears. If before I was able to at least obtain the folders of my mailbox on my Android, now I get "Unable to connect to server".
I am so tired of this. What a pain.
0
 
cembiIT Author Commented:
Alan,
I guess I will have to follow the approach of recreating all virtual directories for Exchange? Anything else to try before doing that?
Thanks.
0
 
Alan HardistyCo-OwnerCommented:
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
cembiIT Author Commented:
Please leave it open for a few more days. Thanks.
0
 
Alan HardistyCo-OwnerCommented:
Sorry I dropped the ball on this one.  Are you anywhere close to a solution?

What's happening now?

Happy to pick up and carry on troubleshooting with you if you need it.
0
 
cembiIT Author Commented:
Alan, no problem.
Not much progress has been made due to various factors. Last time we spoke, I said I would call Microsoft about this but I never did and I am still reluctant to call them. I notice that Symantec Backup Exec reports 523 corrupt items on Exchange backup. Could this be related to the ActiveSync issues I am having? Perhaps I should make sure I have a clean store first. I am thinking of running an Offline Defrag on Exchange Store first (a lot of data has been moved out of Exchange recently) and then do an integrity test. What is your opinion on this?
Thank you.
0
 
Alan HardistyCo-OwnerCommented:
Hmm - do you know what the corrupt items are?  Possibly PST files stored on the server?  If so - they should not be stored AND accessed on the server as corruption can occur.

If that is the problem - then that won't cause Activesync issues.

Offline defrag would be good.  I would repair, defragment and integrity check - just to make sure all is good on that front.  Run the integrity check at least twice.
0
 
cembiIT Author Commented:
Alan, here are some samples of the error messages. SBE-Exchange-Backup-Errors.txt
0
 
Alan HardistyCo-OwnerCommented:
Ah - that's mailbox corruption!!

That will cause Activesync issues, so repair, defragment and integrity check the database is ESSENTIAL.

eseutil /p "<path to priv1.edb>"

eseutil /d "<path to priv1.edb>"

isinteg -s servername -fix -test alltests

(eseutil needs the full path of the mailbox store database, e.g. the priv1.edb under your Exchsrvr\MDBDATA folder; the store must be dismounted while you run these.)

For reference:
http://www.msexchange.org/tutorials/exchange-isinteg-eseutil.html
0
 
cembiIT Author Commented:
Awesome. Thank you again Alan. I am planning this weekend for all the tests.
0
 
Alan HardistyCo-OwnerCommented:
No problems - it will take a while and the weekend is usually the best time.  eseutil will run at about 4-6Gb per hour, so factor that into your timings based on the mailstore size (.edb + .stm) and that should give you an idea of how long the task should take.

Isinteg is usually a bit quicker, but you should run it until you see 0 errors and 0 fixes in the last line of the output, which is often a minimum of 2 times, but usually not more than 2.
0
 
Alan HardistyCo-OwnerCommented:
Please close the CS Request and we will continue to work on the question.

Thanks modguy.

Alan
0
 
cembiIT Author Commented:
Alan,

I am performing a backup right now. I just wanted to double check with you about your instructions. Do I run all 3 commands while the mailbox store is dismounted, or do I mount and then dismount after every command? What are the ramifications of eseutil /p, any chance for more trouble by running it?
These may be dumb questions but I am a bit paranoid.

Thank you.
0
 
cembiIT Author Commented:
Furthermore, is eseutil /p really necessary? Would just running eseutil /d and isinteg suffice?
0
 
Alan HardistyCo-OwnerCommented:
eseutil /p repairs any corruption in the store, so it is 100% necessary.

If you run /p, you have to run /d followed by isinteg to complete the tidy up.

Sorry - but you want to do it right.

You need to keep the store dismounted throughout the entire process.

Running eseutil /p will remove corruption, so there is a chance of loss of data, but if it is data that is corrupt, it isn't going to be much use to you.
0
