Will smartphone users be operational once SSL Ceritifcate is applied to Exchange Server?

Hello Experts,

I have a customer whose setup consists of the following:

Win2k domain
Exchange 2003 installed on a Win2K server
Running OWA (and )
ActiveSync for smartphones

Customer wants to apply a SSL certificate from a third party vendor to encrypt communication to clients and smartphone users. I would like to make the transition as smooth as possibly especially because the end users (about 200 of them) will need assistance to change their phone SSL settings.

I'm familiar with the logistics of creating the CSR for the certificate, applying the cert to Exchange IIS and enabling Port 443 at the firewall for communications.

My question is: Once the certificate is applied to the Exchange server, will the smartphone users still able to communicate through port 80 and continue to pull email as normal? Or once the Certificate is applied, will everyone need to change their settings immediately in order to access their email through 443?

Thank you,

Who is Participating?

Improve company productivity with a Business Account.Sign Up

Alan HardistyConnect With a Mentor Co-OwnerCommented:
Once the certificate is applied, your users should switch to HTTPS (port 443) for communication to the server to make things nice and secure.

If you get problems making it work, please have a read through my article:

We run Exchange 2007 and several HTC Desire (Android 2.2) phones plus one iPhone. There is a setting during the Exchange setup on the phones which says "This server requires an encrypted SSL connection" or just "Use SSL" for the iPhone. Unless this is selected the phones will not connect to Exchange.

I'd say all your users will heed to change will be this setting in their phones.

I just upgraded our SSL cert and here is what I observerd:

It was transparent for Blackberry users (BES and BIS) and iPhone users.  Droid users had to manually update the certificate on their phone.  On a few occasions, we had to remove the user's email account and set it back up on Droid devices but all in all it was fairly simple.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

aznetworks_netAuthor Commented:

That's pretty much what the users have in production: BES, iPhone and Android.

So, as soon as the SSL cert is applied all the Android phones will have to either enable the SSL option and update the cert or re-configure the account from scratch otherwise they will not retrieve email.

Did the iPhone recognize the Cert in place and automatically enables the SSL option?

The bottom line, is because of my situation of having a small support staff, I would like to migrate the users  in two or three phases. But obviously if by making the change will not allowed them to access email then it sounds like I will have to make the change on all smartphones at the same time.

Alan HardistyConnect With a Mentor Co-OwnerCommented:
You can't migrate - it is either HTTP or HTTPS.  Once you install the certificate and enable SSL on the relevant virtual directories, then everyone will have to switch at once.

My article will advise you what directories need changing.
hallcomisConnect With a Mentor Commented:
All our iPhones already were configured for SSL as we were using SSL before we ever introduced iPhones into the mix.  This is why we did not have an issue with them.  In your case, you will need to enable SSL on the iPhones once you install the cert.  
aznetworks_netAuthor Commented:
Thank you so much for your feedback.

alanhardisty: Fantastic article you wrote. One last question in regards to the actual third party SSL Cert: the Exchange FQDN is "mail.xxxxxx.com", the DNS A record to access OWA from the outside world is "xxxxxxmail.xxxxx.com... According to your article the cert should be created for mail.xxxxxx.com; will the users be able to access OWA through xxxxxmail.xxxxxx.com without cert issues?
Alan HardistyCo-OwnerCommented:
As long as your IIS settings are correct, there shouldn't be any issues.  OWA uses the /exchange virtual directory whereas Activesync uses the /microsoft-server-activesync virtual directory.

The cert name should match the FQDN you use to access the server with and the name is not relevant.  If domain.com and mail.domain.com both resolve to your server's IP Address, then all will be well with either name.

You can make any name work for your domain - it is DNS that will make or break the name.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.