• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8320
  • Last Modified:

SSL is enabled on the IIS Root Directory

When I ran the Exchange Best Practices Analyzer I received the following warning:

SSL is enabled on the IIS root directory of the Client Access server.  This will break HTTP redirection for other client Access servers unless it is disabled.  Then when I reached this error i found this:

SSL should be enabled for each Client Access server in your organization if you don't have an SSL offloading device and want to maintain secure communications between client and server. If you want to enable SSL offloading, you must disable SSL on each Client Access server in your organization for which you want to enable SSL offloading. If you disable or enable SSL on an Exchange Web Services virtual directory, you must make a configuration change in both Internet Information Services (IIS) Manager and also in a configuration file that's located in the Exchange 2010 installation directory.

How can I tell if I have an SSL offload device, or who should I believe in this instance, since they are contradicting each other?  Please advise.
  • 2
  • 2
1 Solution
Stelian StanNetwork AdministratorCommented:
First run this command (Get-ExchangeCertificate | fl) to find out what certificates you have installed.
rsilver24Author Commented:
This is what I get

ccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                     ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
CertificateDomains : {HALISERV3, HALISERV3.hali88.org}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=HALISERV3
NotAfter           : 1/19/2016 12:03:27 PM
NotBefore          : 1/19/2011 12:03:27 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 50FDE2588CD1CCA1444F4AB30BF8C3FA
Services           : IMAP, POP, IIS
Status             : Valid
Subject            : CN=HALISERV3
Thumbprint         : 16FAE471C6ACB81F0341D0D35BF552B92FF773BB
Stelian StanNetwork AdministratorCommented:
You have assigned a SelfSigned certificate for IMAP, POP, IIS.

Here is how to configure SSL offloading: http://social.technet.microsoft.com/wiki/contents/articles/how-to-configure-ssl-offloading-in-exchange-2010.aspx
Ignore this warning this is the default configuration of IIS with Exchange 2010

the only case you will need to change this is IF you want to redirect http://mail.domain.com to https://mail.domain.com other than this you can just ignore it
and 99% you DO NOT have an SSL offloading device, if you had you would know it
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now