Solved

OWA, SBS2008, no "There is a problem with this website's security certificate." warning when accessing from outside

Posted on 2011-09-13
Last Modified: 2012-05-12
- SBS2008 installation, self issued certificate
- owa, companyweb accessible from inside LAN or via VPN, getting warning prompt about security certificate.

When accessing from outside:
accessing via http port 80 works (shows IIS homepage)
accessing companyweb via port 987 works (with warning prompt as expected)
accessing owa via https port 443 - no warning prompt, just cannot display the webpage, as if there is no certificate - any kind of certificate.
Where to look to "turn on" the certificate for owa when trying to get access from outside LAN?




Question by:mkre03
10 Comments
 
LVL 11

Expert Comment

by:John Easton
ID: 36530927
The problem with Self Issued Certificates is that a browser cannot verify it because it either does not know or does not trust the certificate authority.

However, it is possible to install the certificate on each computer that has the problem.  It has been a while since I have needed to do this, but you should be able to view the certificate when you get the error message, and then install this on the computer in question.

If you use a lot of certificates it may be easier to install your 'root' server.  You would need to distribute this key to all the relevant computers though.

Sorry the answer is a bit vague.  It has been a couple of years since I last had to deal with digital certificates!
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36531078
From Exchange Management Shell: Get-ExchangeCertificate
To enable a different certificate you will need to make a note of the thumbprint of the certificate you wish to use and then run: Enable-ExchangeCertificate -Thumbprint [xxx ... xxx] -Services IIS

Or open IIS > Sites > SBS Web Applications > Properties > Edit Bindings > https (443) > Edit and it will show you which certificate is being used.
0
 

Author Comment

by:mkre03
ID: 36531278
To JEaston
I don't even get to the point where I'd be able to import/accept the certificate. The behaviour is quite strange: as if the validation doesn't even take place... just: Page cannot be displayed  - but it works within LAN. Thanks for your quick response!
 
To marcustech
I've seen it, I've checked, it's there, it's self issued and it's valid.
One and the same certificate is used for accessing owa (443) as for accessing companyweb (987), right?

My main question right now is not about the validity or the type of certificate, I'd just like to find out why don't I get the "There is a problem with this website's security certificate." warning when I try to connect to the owa from outside the company, but I get it when I'm inside...
 

 
0

 
LVL 12

Expert Comment

by:marcustech
ID: 36532171
Page cannot be displayed  - but it works within LAN
Page cannot be displayed doesn't normally indicate a certificate problem.  What bits of network do you have between the internet and the server?  Is the firewall on on the server?  I take it that this is the same with all external clients?
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36532268
Sorry, by 'bits of network' I mean modems, routers, managed switches, firewalls etc.
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1000 total points
ID: 36532473
***SBS***  ...use the wizards, use the wizards, use the wizards. The fact that this is working in the LAN and failing when accessing externally shows that your host bindings are all sorts of screwed up.

1) Run the Internet Address Management Wizard and set your host name. This will set appropriate settings in log files, Active Directory, and IIS, as well as create a new self-signed certificate. If you are using PowerShell, you have already gone off the rails.

2) Run the Fix My Network Wizard. This will fix IIS bindings, ensure the certificate is properly attached to IIS *and* Exchange, and ensure OWA is set up properly.

3) Run the SBS Best Practices Analyzer. Fix any remaining issues it reports.

-Cliff
0
 

Author Comment

by:mkre03
ID: 36532497
The thing is that we moved the server that was working just fine to a new location, where there was a different internet connection, provided by the same ISP, so I talked to their DNS admins to make the necessary changes - redirect the traffic for the existing domain to a different public IP address. I don't think that this could be the reason for the problem I'm experiencing.
The only bit of network that is configurable is the router, which has the external traffic thru port 443 redirected to the internal IP address of the server (same port). Same for ports 987 and 80... but apps that use these ports (iis7web and companyweb) perform well...
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 36532611
Except you should *never* see the IIS7 homepage, even on port 80. By default that should be the RWW login/landing page for SBS. Which means IIS is not getting the host header it is expecting and is not sending the RWW redirect from 80 to 443. ...aka....busted host headers and bindings.

-Cliff
0
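
Added example, not part of the original thread: a probe to run from an outside client that separates the two cases discussed above, a connection that fails before any certificate is exchanged versus one that reaches certificate validation, and that shows what port 80 answers for a given Host header. The function names `tls_stage` and `http_redirect` and the host name `remote.example.com` are placeholders chosen for this example.

```python
import http.client
import socket
import ssl
import sys


def tls_stage(host, port, timeout=5.0):
    """Report where an HTTPS connection to host:port stops.

    tcp_failed     - no TCP connection: port forward, firewall, nothing listening
    tls_failed     - TCP connects but no TLS handshake completes (no certificate
                     on the binding, or a non-TLS service answers)
    cert_untrusted - the handshake reached certificate validation and failed it;
                     only here does a browser show its certificate warning
    ok             - handshake completed with a certificate this client trusts
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_failed"
    ctx = ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except ssl.SSLCertVerificationError:
        return "cert_untrusted"
    except OSError:  # ssl.SSLError, resets and timeouts are all OSError
        return "tls_failed"


def http_redirect(host, host_header, port=80, timeout=5.0):
    """GET / over plain HTTP with a chosen Host header; (status, Location) or None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder name: pass the server's public host name as the first argument.
    name = sys.argv[1] if len(sys.argv) > 1 else "remote.example.com"
    for port in (443, 987):  # OWA and companyweb ports from the question
        print(port, tls_stage(name, port))
    print(80, http_redirect(name, name))
```

A self-signed certificate that is bound correctly gives `cert_untrusted` on both 443 and 987; `tcp_failed` or `tls_failed` on 443 alone points at the port forward or the IIS binding rather than at the certificate.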
 
LVL 6

Expert Comment

by:jaredr80
ID: 37960017
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0


Question has a verified solution.
