Solved

Will smartphone users be operational once SSL Certificate is applied to Exchange Server?

Posted on 2011-03-24
Last Modified: 2012-05-11
Hello Experts,

I have a customer whose setup consists of the following:

Win2k domain
Exchange 2003 installed on a Win2K server
Running OWA (and )
ActiveSync for smartphones

Customer wants to apply an SSL certificate from a third party vendor to encrypt communication to clients and smartphone users. I would like to make the transition as smooth as possible, especially because the end users (about 200 of them) will need assistance to change their phone SSL settings.

I'm familiar with the logistics of creating the CSR for the certificate, applying the cert to Exchange IIS and enabling Port 443 at the firewall for communications.

My question is: Once the certificate is applied to the Exchange server, will the smartphone users still be able to communicate through port 80 and continue to pull email as normal? Or once the certificate is applied, will everyone need to change their settings immediately in order to access their email through 443?

Thank you,

A
Question by:aznetworks_net
 
LVL 6

Expert Comment

by:siht
We run Exchange 2007 and several HTC Desire (Android 2.2) phones plus one iPhone. There is a setting during the Exchange setup on the phones which says "This server requires an encrypted SSL connection" or just "Use SSL" for the iPhone. Unless this is selected the phones will not connect to Exchange.

I'd say all your users will need to change is this setting in their phones.

 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 300 total points
Once the certificate is applied, your users should switch to HTTPS (port 443) for communication to the server to make things nice and secure.

If you get problems making it work, please have a read through my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html
 
LVL 1

Expert Comment

by:hallcomis
I just upgraded our SSL cert and here is what I observed:

It was transparent for Blackberry users (BES and BIS) and iPhone users.  Droid users had to manually update the certificate on their phone.  On a few occasions, we had to remove the user's email account and set it back up on Droid devices but all in all it was fairly simple.
 

Author Comment

by:aznetworks_net
hallcomis:

That's pretty much what the users have in production: BES, iPhone and Android.

So, as soon as the SSL cert is applied, all the Android phones will have to either enable the SSL option and update the cert or re-configure the account from scratch; otherwise they will not retrieve email.

Did the iPhone recognize the cert in place and automatically enable the SSL option?

The bottom line is that, because of my situation of having a small support staff, I would like to migrate the users in two or three phases. But obviously, if making the change will not allow them to access email, then it sounds like I will have to make the change on all smartphones at the same time.

A
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 300 total points
You can't migrate - it is either HTTP or HTTPS.  Once you install the certificate and enable SSL on the relevant virtual directories, then everyone will have to switch at once.

My article will advise you what directories need changing.
 
LVL 1

Assisted Solution

by:hallcomis
hallcomis earned 200 total points
All our iPhones already were configured for SSL as we were using SSL before we ever introduced iPhones into the mix.  This is why we did not have an issue with them.  In your case, you will need to enable SSL on the iPhones once you install the cert.  
 

Author Comment

by:aznetworks_net
Thank you so much for your feedback.

alanhardisty: Fantastic article you wrote. One last question in regards to the actual third party SSL cert: the Exchange FQDN is "mail.xxxxxx.com", the DNS A record to access OWA from the outside world is "xxxxxxmail.xxxxx.com"... According to your article, the cert should be created for mail.xxxxxx.com; will the users be able to access OWA through xxxxxmail.xxxxxx.com without cert issues?
 
LVL 76

Expert Comment

by:Alan Hardisty
As long as your IIS settings are correct, there shouldn't be any issues.  OWA uses the /exchange virtual directory whereas Activesync uses the /microsoft-server-activesync virtual directory.

The cert name should match the FQDN you use to access the server with and the name is not relevant.  If domain.com and mail.domain.com both resolve to your server's IP Address, then all will be well with either name.

You can make any name work for your domain - it is DNS that will make or break the name.

Alan
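
The name check discussed in this last exchange, as an added example that is not part of the original thread: it compares the names on a certificate with the host names clients are configured to use and reports which of them would raise a name-mismatch warning. The example.com host names and the `name_matches`, `effective_names` and `audit` helpers are constructed for illustration.

```python
# Added example: hostname-to-certificate name matching (all names are constructed).

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name with a host name, case-insensitively.

    A wildcard is honoured only as the whole left-most label ("*.example.com")
    and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def effective_names(common_name, san_dns):
    """Names a client checks: SAN DNS entries when present, otherwise the CN."""
    return list(san_dns) if san_dns else [common_name]


def audit(common_name, san_dns, client_hosts):
    """Return {host: True/False} for every host name users have configured."""
    names = effective_names(common_name, san_dns)
    return {h: any(name_matches(n, h) for n in names) for h in client_hosts}


# Constructed stand-ins for the server FQDN and the public OWA name.
CLIENT_HOSTS = ["mail.example.com", "webmail.example.com"]
SINGLE_NAME = audit("mail.example.com", [], CLIENT_HOSTS)
WITH_SAN = audit("mail.example.com",
                 ["mail.example.com", "webmail.example.com"], CLIENT_HOSTS)
WILDCARD = audit("*.example.com", [], CLIENT_HOSTS + ["example.com"])

if __name__ == "__main__":
    for label, result in (("single-name cert", SINGLE_NAME),
                          ("cert with SANs", WITH_SAN),
                          ("wildcard cert", WILDCARD)):
        for host, ok in result.items():
            print(f"{label:18} {host:22} {'OK' if ok else 'NAME MISMATCH'}")
```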