Solved

OWA, SBS2008, no "There is a problem with this website's security certificate." warning when accessing from outside

Posted on 2011-09-13
Last Modified: 2012-05-12
- SBS2008 installation, self-issued certificate
- OWA, companyweb accessible from inside the LAN or via VPN, getting a warning prompt about the security certificate.

When accessing from outside:
- accessing via http port 80 works (shows the IIS homepage)
- accessing companyweb via port 987 works (with the warning prompt, as expected)
- accessing OWA via https port 443: no warning prompt, just "cannot display the webpage", as if there is no certificate - any kind of certificate.

Where do I look to "turn on" the certificate for OWA when trying to get access from outside the LAN?




Question by:mkre03
10 Comments
 
LVL 10

Expert Comment

by:JEaston
ID: 36530927
The problem with self-issued certificates is that a browser cannot verify them because it either does not know or does not trust the certificate authority.

However, it is possible to install the certificate on each computer that has the problem.  It has been a while since I have needed to do this, but you should be able to view the certificate when you get the error message, and then install this on the computer in question.

If you use a lot of certificates it may be easier to install your 'root' server.  You would need to distribute this key to all the relevant computers though.

Sorry the answer is a bit vague.  It has been a couple of years since I last had to deal with digital certificates!
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36531078
From Exchange Management Shell: Get-ExchangeCertificate
To enable a different certificate you will need to make a note of the thumbprint of the certificate you wish to use and then run: Enable-ExchangeCertificate -Thumbprint [xxx ... xxx] -Services IIS

Or open IIS > Sites > SBS Web Applications > Properties > Edit Bindings > https (443) > Edit and it will show you which certificate is being used.
0
 

Author Comment

by:mkre03
ID: 36531278
To JEaston
I don't even get to the point where I'd be able to import/accept the certificate. The behaviour is quite strange: as if the validation doesn't even take place... just: Page cannot be displayed  - but it works within LAN. Thanks for your quick response!
 
To marcustech
I've seen it, I've checked, it's there, it's self-issued and it's valid.
One and the same certificate is used for accessing OWA (443) as for accessing companyweb (987), right?

My main question right now is not about the validity or the type of certificate. I'd just like to find out why I don't get the "There is a problem with this website's security certificate." warning when I try to connect to OWA from outside the company, but I do get it when I'm inside...
 

 
0

 
LVL 12

Expert Comment

by:marcustech
ID: 36532171
"Page cannot be displayed - but it works within LAN"
Page cannot be displayed doesn't normally indicate a certificate problem.  What bits of network do you have between the internet and the server?  Is the firewall on on the server?  I take it that this is the same with all external clients?
0
 
LVL 12

Expert Comment

by:marcustech
ID: 36532268
Sorry, by 'bits of network' I mean modems, routers, managed switches, firewalls etc.
0
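Added example (not part of the original thread, and not any poster's code): a Python probe, run from a machine outside the LAN, that reports the first layer at which a connection to each HTTPS port fails. A browser can only show the certificate warning once a certificate has been received, so a "tcp" or "tls" result matches the "cannot display the webpage" symptom. The host name `remote.example.com` is a placeholder and the function names `thumbprint`, `probe` and `survey` are this example's own; it assumes the client and server share at least one TLS version.

```python
import hashlib
import socket
import ssl

def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER certificate, the form Windows shows as Thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()

def probe(host: str, port: int, timeout: float = 5.0):
    """Return (stage, detail) for the first layer that fails on host:port.

    "tcp"  - nothing accepted the connection (forwarding, firewall, no listener)
    "tls"  - a listener answered but no TLS handshake completed (binding problem,
             or no protocol version in common with this client)
    "cert" - handshake completed; detail is the served certificate's thumbprint
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    # Validation is switched off on purpose: the goal is to see which certificate
    # (if any) is presented, not to decide whether to trust it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "cert", thumbprint(tls.getpeercert(binary_form=True))
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)
    finally:
        raw.close()  # no-op once wrap_socket has taken over the descriptor

def survey(host: str, ports=(443, 987)):
    """Probe the OWA (443) and companyweb (987) ports named in the thread."""
    return {port: probe(host, port) for port in ports}

if __name__ == "__main__":
    # remote.example.com is a placeholder for the server's public host name.
    for port, (stage, detail) in survey("remote.example.com").items():
        print(f"{port}: {stage}: {detail}")
```

Matching thumbprints on 443 and 987 confirm that both sites serve the same certificate; the value can be compared with the Thumbprint shown by Get-ExchangeCertificate.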
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 250 total points
ID: 36532473
***SBS***  ...use the wizards, use the wizards, use the wizards. The fact that this is working in the LAN and failing when accessing externally shows that your host bindings are all sorts of screwed up.

1) Run the Internet Address Management Wizard and set your host name. This will set appropriate settings in log files, Active Directory, and IIS, as well as create a new self-signed certificate. If you are using PowerShell, you have already gone off the rails.

2) Run the Fix My Network Wizard. This will fix IIS bindings, ensure the certificate is properly attached to IIS *and* Exchange, and ensure OWA is set up properly.

3) Run the SBS Best Practices Analyzer. Fix any remaining issues it reports.

-Cliff
0
 

Author Comment

by:mkre03
ID: 36532497
The thing is that we moved the server, which was working just fine, to a new location with a different internet connection provided by the same ISP, so I talked to their DNS admins to make the necessary changes (redirect the traffic for the existing domain to a different public IP address). I don't think that this could be the reason for the problem I'm experiencing.
The only bit of network that is configurable is the router, which has the external traffic through port 443 redirected to the internal IP address of the server (same port). Same for ports 987 and 80... but the apps that use these ports (iis7web and companyweb) perform well...
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 36532611
Except you should *never* see the IIS7 homepage, even on port 80. By default that should be the RWW login/landing page for SBS. Which means IIS is not getting the host header it is expecting and is not sending the RWW redirect from 80 to 443. ...aka....busted host headers and bindings.

-Cliff
0
 
LVL 6

Expert Comment

by:jaredr80
ID: 37960017
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0


Question has a verified solution.
