Outlook Web Access SSL Certificate

A couple of years ago I received some excellent advice from the Experts on how to set up Outlook Web Access in SBS2003 and have set up a number of these.
One issue I’m having difficulty getting my head round is how the SSL Certificates work.
I was advised to always purchase an SSL certificate and did so on my first few OWA installs. Then a colleague told me this was unnecessary as SBS has its own facility to create a Certificate at no cost. So this is how I did them from then on. So what I’m failing to see is what is the benefit of paying money for an SSL certificate. In both the ones I’ve done with and without installing a paid-for certificate, the user performs exactly the same procedures to get to their OWA email, i.e. navigate to say owa.mydomain.com/exchange and, after getting a screen warning that there is a problem with the certificate and it is not recommended to continue, they simply select ‘Continue to this website (not recommended)’ and get to the logon name & password prompt for their email. This to me does not seem particularly secure and I wonder if there is a way of making it more secure?
On a more specific note, I have a current issue with one of my OWA setups whereby after making the usual selection ‘Continue to this website (not recommended)’ I just get a ‘Service Unavailable’ message in big black writing at the top left. Any ideas on how to fault-find this?

Alan Hardisty (Co-Owner) commented:
The main difference between paid vs self-issued is down to trust (or lack of) for the issuing authority and the admin / graft that has to be done to make things work vs no graft to make things work.

With a self issued certificate, you need to install the certificate on each and every client using RPC over HTTPS and when the cert expires, you need to reinstall the new cert. Fine if you only have 5 users, but a pain for 65.

With a purchased SSL cert, this isn't a problem (unless you choose a random untrusted provider) as the issuing authority is already trusted by the client, so you don't have to install any certs other than on the server.
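
The trust difference described in this comment can be reproduced offline with the OpenSSL command-line tool. This is an added example, not part of the original thread: it assumes OpenSSL 1.1.1 or later on an admin workstation, and the host name `owa.example.test`, the file paths and the certificate itself are constructed placeholders.

```shell
#!/bin/sh
# Added example. The host name, paths and certificate are constructed placeholders.
HOST=owa.example.test
WORK=$(mktemp -d)

# Create a self-issued certificate, standing in for the one SBS generates at no cost.
make_self_issued() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/owa.key" -out "$WORK/owa.crt" >/dev/null 2>&1
}

# trust_status CERT NAME [ROOT]
# Prints "trusted" only if CERT chains to a root the client trusts and matches NAME.
# ROOT models a certificate that has been installed on this particular client.
trust_status() {
    if [ -n "${3:-}" ]; then set -- "$1" "$2" -CAfile "$3"; fi
    cert=$1 name=$2; shift 2
    if openssl verify -verify_hostname "$name" "$@" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# expiry_status CERT DAYS
# Prints "ok" if CERT is still valid DAYS from now, otherwise "renew".
expiry_status() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo ok
    else
        echo renew
    fi
}

make_self_issued
# A client that has never seen the certificate: this is the browser warning case.
echo "client without the cert installed: $(trust_status "$WORK/owa.crt" "$HOST")"
# The same client after the certificate has been installed as a trusted root.
echo "client with the cert installed:    $(trust_status "$WORK/owa.crt" "$HOST" "$WORK/owa.crt")"
# Every client needs the replacement installed again when this reports "renew".
echo "valid 30 days from now:            $(expiry_status "$WORK/owa.crt" 30)"
```

A certificate from a CA that clients already trust passes the first check with no per-client step, which is why users then reach the logon page without a warning to click through.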
Alan Hardisty (Co-Owner) commented:
In terms of your fault - just re-run the connect to the Internet wizard, change nothing and see how the site behaves afterwards.

If still no joy, please advise.
laurencoull (Author) commented:
Hi Alan
Cheers for your 2 postings:
On your 1st posting:
Makes sense, but only thing I'd say is that I've never had to install the certificate on each client, or indeed on any client, when using a self issued certificate, but have always got it to work. Strange?
On your 2nd posting:
Oh dear...... did so: Got 3 green ticks (Network, Secure website & Email config) & 1 red cross with message 'An error occurred while configuring a component: Firewall configuration'. Tried a second time: Same.
Now on navigating to https://owa.mydomain.com/exchange instead of getting to the Continue to website page then the 'Service Unavailable' after choosing to continue, I don't even get the Continue to website page, I just get an immediate 'Internet Explorer cannot display the webpage'

Alan Hardisty (Co-Owner) commented:
laurencoull (Author) commented:
Checked that out & the registry key does match the IIS value.
Investigated the suggestion about stopping the Vipre service, however there isn't a Service listed called Vipre
Do you think the fact the Firewall part of the wizard failing is connected to my OWA problem?
Anyhow, I noticed after completing the wizard (as mentioned previously) that instead of getting to the Continue to website page then the 'Service Unavailable' after choosing to continue, I don't even get the Continue to website page, I just get an immediate 'Internet Explorer cannot display the webpage' message
I also noticed that:
The HTTP SSL Service was in a 'Stopping' state
The WWW Publishing Service was in a 'Starting' state
So I re-booted the server
Voila (I thought)..... the Services are all ok & OWA started working again!.... but only for a few hours, then it went back to the original 'Service Unavailable'
Tried running the connect to the Internet wizard again & it failed as before, ie at the Firewall config
And, just exactly as before after running the wizard.............
The HTTP SSL Service has gone into a 'Stopping' state
The WWW Publishing Service has gone into a 'Starting' state
and OWA just returns 'Internet Explorer cannot display the webpage'
I'm willing to bet that if I re-boot again, it will likely start working again but only briefly then go back to its 'Service Unavailable'
What next to try then....................?
Cris Hanna (Sr IT Support Engineer) commented:
Is the server you're having issues with, still SBS 2003?
If so, how many NICs in the server and are you running ISA?

If this is a later version, which one?
laurencoull (Author) commented:
Yes SBS2003.
There are 2 on-board NICs, however the second one is not used and is disabled
No, not running ISA.
Cris Hanna (Sr IT Support Engineer) commented:
What is the URL you are using to connect for OWA?
It would be helpful if you did mask these...remember these are on public DNS servers anyway and with enough effort they can be discovered :-)

What are you using for a firewall/router?
laurencoull (Author) commented:
Using a Cisco PIX501 firewall
I don't think there can be a problem with the external setup side of the OWA, as I say this did used to work and there have been no changes made to the config. And it still does work sporadically, so I'm more inclined to think the issue's with the server side.
Cris Hanna (Sr IT Support Engineer) commented:
You should run the SBS 2003 BPA and consider re-running the Connect to email and internet wizard

Also verify the exchange site in IIS is running on .NET 1.1 and not 2.0 (or other higher version)
