Outlook Web Access SSL Certificate

Posted on 2012-04-13
Last Modified: 2012-05-05
A couple of years ago I received some excellent advice from the Experts on how to set up Outlook Web Access in SBS2003 and have set up a number of these.
One issue I’m having difficulty getting my head round is how the SSL Certificates work.
I was advised to always purchase an SSL certificate and did so on my first few OWA installs. Then a colleague told me this was unnecessary as SBS has its own facility to create a Certificate at no cost. So this is how I did them from then on. So what I’m failing to see is what is the benefit of paying money for an SSL certificate. In both the ones I’ve done with and without installing a paid-for certificate, the user performs exactly the same procedures to get to their OWA email, i.e. navigate to say and, after getting a screen warning that there is a problem with the certificate and it is not recommended to continue, they simply select ‘Continue to this website (not recommended)’ and get to the logon name & password prompt for their email. This to me does not seem particularly secure and I wonder if there is a way of making it more secure?
On a more specific note, I have a current issue with one of my OWA setups whereby after making the usual selection ‘Continue to this website (not recommended)’ I just get a ‘Service Unavailable’ message in big black writing at the top left. Any ideas on how to fault-find this?
Question by:laurencoull
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37841560
The main difference between paid vs self-issued is down to trust (or lack of) for the issuing authority and the admin / graft that has to be done to make things work vs no graft to make things work.

With a self issued certificate, you need to install the certificate on each and every client using RPC over HTTPS and when the cert expires, you need to reinstall the new cert.  Fine if you only have 5 users, but a pain for 65.

With a purchased SSL cert, this isn't a problem (unless you choose a random untrusted provider) as the issuing authority is already trusted by the client, so you don't have to install any certs other than on the server.
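
The trust difference described in the comment above, sketched with the `openssl` command-line tool as an added example (not part of the original thread): a self-issued certificate is rejected by a client's default trust store, accepted once that same certificate is installed as trusted, and has to be installed again when it is replaced. The host name `mail.example.test`, the file names and the 30-day validity are constructed for the demo.

```shell
#!/bin/sh
# Added example. All names (mail.example.test, key.pem, cert.pem) are constructed.
set -u
WORK=$(mktemp -d)

# Create a self-issued certificate, a stand-in for one the server generated itself.
# $1 = host name for the subject, $2 = validity in days
make_self_issued() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=$1" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Subject equals issuer: nobody but the server itself vouches for the certificate.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# What a client does out of the box: validate against its built-in trusted roots.
trusted_by_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# What installing the certificate on a client achieves: the certificate is
# now in that client's trusted set, so validation succeeds.
trusted_after_install() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True if the certificate expires within $2 days; the replacement then has
# to be installed on every client again.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

make_self_issued mail.example.test 30
is_self_issued "$WORK/cert.pem"         && echo "self-issued: yes"
trusted_by_default "$WORK/cert.pem"     || echo "default trust store: rejected"
trusted_after_install "$WORK/cert.pem"  && echo "after install on client: accepted"
expires_within_days "$WORK/cert.pem" 60 && echo "expires within 60 days: plan the reinstall"
```

A certificate bought from an authority the client already trusts passes the `trusted_by_default` step without any per-client install, which is the difference the comment describes.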
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37841565
In terms of your fault - just re-run the connect to the Internet wizard, change nothing and see how the site behaves afterwards.

If still no joy, please advise.

Author Comment

ID: 37844832
Hi Alan
Cheers for your 2 postings:
On your 1st posting:
Makes sense, but only thing I'd say is that I've never had to install the certificate on each client, or indeed on any client, when using a self issued certificate, but have always got it to work. Strange?
On your 2nd posting:
Oh dear...... did so: Got 3 green ticks (Network, Secure website & Email config) & 1 red cross with message 'An error occurred while configuring a component: Firewall configuration'. Tried a second time: Same.
Now on navigating to instead of getting to the Continue to website page then the 'Service Unavailable' after choosing to continue, I don't even get the Continue to website page, I just get an immediate 'Internet Explorer cannot display the webpage'

LVL 76

Expert Comment

by:Alan Hardisty
ID: 37844997

Author Comment

ID: 37853732
Checked that out & the registry key does match the IIS value.
Investigated the suggestion about stopping the Vipre service, however there isn't a Service listed called Vipre
Do you think the fact the Firewall part of the wizard failing is connected to my OWA problem?
Anyhow, I noticed after completing the wizard (as mentioned previously) that instead of getting to the Continue to website page then the 'Service Unavailable' after choosing to continue, I don't even get the Continue to website page, I just get an immediate 'Internet Explorer cannot display the webpage' message
I also noticed that:
The HTTP SSL Service was in a 'Stopping' state
The WWW Publishing Service was in a 'Starting' state
So I re-booted the server
Voila (I thought)..... the Services are all ok & OWA started working again!.... but only for a few hours, then it went back to the original 'Service Unavailable'
Tried running the connect to the Internet wizard again & it failed as before, ie at the Firewall config
And, just exactly as before after running the wizard.............
The HTTP SSL Service has gone into a 'Stopping' state
The WWW Publishing Service has gone into a 'Starting' state
and OWA just returns 'Internet Explorer cannot display the webpage'
I'm willing to bet that if I re-boot again, it will likely start working again but only briefly then go back to its 'Service Unavailable'
What next to try then....................?
LVL 35

Expert Comment

by:Cris Hanna
ID: 37874501
Is the server you're having issues with, still SBS 2003?
If so, how many NICs in the server and are you running ISA?

If this is a later version, which one?

Author Comment

ID: 37875358
Yes SBS2003.
There are 2 on-board NICs, however the second one is not used and is disabled
No, not running ISA.
LVL 35

Expert Comment

by:Cris Hanna
ID: 37875857
What is the URL you are using to connect for OWA?
It would be helpful if you did mask these...remember these are on public DNS servers anyway and with enough effort they can be discovered :-)

What are you using for a firewall/router?

Author Comment

ID: 37875928
Using a Cisco PIX501 firewall
I don't think there can be a problem with the external setup side of the OWA, as I say this did used to work and there have been no changes made to the config. And it still does work sporadically, so I'm more inclined to think the issue's with the server side.
LVL 35

Accepted Solution

Cris Hanna earned 500 total points
ID: 37876138
You should run the SBS 2003 BPA and consider re-running the Connect to email and internet wizard

Also verify the Exchange site in IIS is running on .NET 1.1 and not 2.0 (or other higher version)
