Outlook Web Access SSL Certificate

A couple of years ago I received some excellent advice from the Experts on how to set up Outlook Web Access in SBS2003 and have set up a number of these.
One issue I’m having difficulty getting my head round is how the SSL Certificates work.
I was advised to always purchase an SSL certificate and did so on my first few OWA installs. Then a colleague told me this was unnecessary as SBS has its own facility to create a Certificate at no cost. So this is how I did them from then on. So what I’m failing to see is what is the benefit of paying money for an SSL certificate. In both the ones I’ve done with and without installing a paid-for certificate, the user performs exactly the same procedures to get to their OWA email, i.e. navigate to say owa.mydomain.com/exchange and, after getting a screen warning that there is a problem with the certificate and it is not recommended to continue, they simply select ‘Continue to this website (not recommended)’ and get to the logon name & password prompt for their email. This to me does not seem particularly secure and I wonder if there is a way of making it more secure?
On a more specific note, I have a current issue with one of my OWA setups whereby after making the usual selection ‘Continue to this website (not recommended)’ I just get a ‘Service Unavailable’ message in big black writing at the top left. Any ideas on how to fault-find this?
laurencoull Asked:
 
Cris Hanna Commented:
You should run the SBS 2003 BPA and consider re-running the Connect to email and internet wizard

Also verify the Exchange site in IIS is running on .NET 1.1 and not 2.0 (or other higher version)
0
 
Alan Hardisty (Co-Owner) Commented:
The main difference between paid vs self-issued is down to trust (or lack of) for the issuing authority and the admin / graft that has to be done to make things work vs no graft to make things work.

With a self issued certificate, you need to install the certificate on each and every client using RPC over HTTPS and when the cert expires, you need to reinstall the new cert. Fine if you only have 5 users, but a pain for 65.

With a purchased SSL cert, this isn't a problem (unless you choose a random untrusted provider) as the issuing authority is already trusted by the client, so you don't have to install any certs other than on the server.
0
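The trust difference described in the answer above, as an added example that is not part of the original thread: a self-issued certificate is rejected until it is added to the client's trusted roots, while a CA-issued one verifies against the roots the client already has. It uses the `openssl` command-line tool; `owa.example.test`, `Demo Root CA` and the file names are constructed placeholders, and the demo CA stands in for a commercial one.

```shell
#!/bin/sh
# Added demo; all names (owa.example.test, Demo Root CA) are constructed.
# Requires the openssl command-line tool.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Quiet wrapper so key-generation progress does not clutter the output.
ossl() { openssl "$@" >/dev/null 2>&1; }

make_certs() {
    # 1. Self-issued server certificate, the kind the SBS wizard creates.
    ossl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=owa.example.test" \
        -keyout "$work/self.key" -out "$work/self.crt"

    # 2. A stand-in for a commercial CA, and a server certificate it signs.
    ossl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt"
    ossl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=owa.example.test" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr"
    ossl x509 -req -in "$work/leaf.csr" -days 30 \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/leaf.crt"

    # 3. The client's trusted-root list: ships with the CA, nothing else.
    cp "$work/ca.crt" "$work/client_roots.pem"
    # 4. The same list after an admin installs the self-issued cert on it.
    cat "$work/ca.crt" "$work/self.crt" > "$work/client_roots_plus_self.pem"
}

# verify_with ROOTS CERT: print "trusted" if CERT chains to a root in ROOTS.
verify_with() {
    if ossl verify -CAfile "$1" "$2"; then echo trusted; else echo untrusted; fi
}

make_certs
echo "self-issued, stock client:     $(verify_with "$work/client_roots.pem" "$work/self.crt")"
echo "CA-issued,   stock client:     $(verify_with "$work/client_roots.pem" "$work/leaf.crt")"
echo "self-issued, after installing: $(verify_with "$work/client_roots_plus_self.pem" "$work/self.crt")"
```

Step 4 is the per-client work the answer refers to: it has to be repeated on every client, and again whenever the self-issued certificate is renewed.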
 
Alan Hardisty (Co-Owner) Commented:
In terms of your fault - just re-run the connect to the Internet wizard, change nothing and see how the site behaves afterwards.

If still no joy, please advise.
0
 
laurencoull (Author) Commented:
Hi Alan
Cheers for your 2 postings:
On your 1st posting:
Makes sense, but only thing I'd say is that I've never had to install the certificate on each client, or indeed on any client, when using a self issued certificate, but have always got it to work. Strange?
On your 2nd posting:
Oh dear...... did so: Got 3 green ticks (Network, Secure website & Email config) & 1 red cross with message 'An error occurred while configuring a component: Firewall configuration'. Tried a second time: Same.
Now on navigating to https://owa.mydomain.com/exchange instead of getting to the Continue to website page then the 'Service Unavailable' after choosing to continue, I don't even get the Continue to website page, I just get an immediate 'Internet Explorer cannot display the webpage'
0
 
Alan Hardisty (Co-Owner) Commented:
0
 
laurencoull (Author) Commented:
Ok:
Checked that out & the registry key does match the IIS value.
Investigated the suggestion about stopping the Vipre service, however there isn't a Service listed called Vipre
Do you think the fact the Firewall part of the wizard failing is connected to my OWA problem?
Anyhow, I noticed after completing the wizard (as mentioned previously) that instead of getting to the Continue to website page then the 'Service Unavailable' after choosing to continue, I don't even get the Continue to website page, I just get an immediate 'Internet Explorer cannot display the webpage' message
I also noticed that:
The HTTP SSL Service was in a 'Stopping' state
The WWW Publishing Service was in a 'Starting' state
So I re-booted the server
Voila (I thought)..... the Services are all ok & OWA started working again!.... but only for a few hours, then it went back to the original 'Service Unavailable'
Tried running the connect to the Internet wizard again & it failed as before, ie at the Firewall config
And, just exactly as before after running the wizard.............
The HTTP SSL Service has gone into a 'Stopping' state
The WWW Publishing Service has gone into a 'Starting' state
and OWA just returns 'Internet Explorer cannot display the webpage'
I'm willing to bet that if I re-boot again, it will likely start working again but only briefly then go back to its 'Service Unavailable'
What next to try then....................?
0
 
Cris HannaCommented:
Is the server you're having issues with, still SBS 2003?
If so, how many NICs in the server and are you running ISA?

If this is a later version, which one?
0
 
laurencoull (Author) Commented:
Yes SBS2003.
There are 2 on-board NICs, however the second one is not used and is disabled
No, not running ISA.
0
 
Cris HannaCommented:
What is the URL you are using to connect for OWA?
It would be helpful if you did mask these...remember these are on public DNS servers anyway and with enough effort they can be discovered :-)

What are you using for a firewall/router?
0
 
laurencoull (Author) Commented:
https://owa.mydomainname/exchange
Using a Cisco PIX501 firewall
I don't think there can be a problem with the external setup side of the OWA, as I say this did used to work and there have been no changes made to the config. And it still does work sporadically, so I'm more inclined to think the issue's with the server side.
0
Question has a verified solution.
