Solved

Outlook Web Access SSL Certificate

Posted on 2012-04-13
Last Modified: 2012-05-05
A couple of years ago I received some excellent advice from the Experts on how to set up Outlook Web Access in SBS2003 and have set up a number of these.
One issue I’m having difficulty getting my head round is how the SSL certificates work.
I was advised to always purchase an SSL certificate and did so on my first few OWA installs. Then a colleague told me this was unnecessary as SBS has its own facility to create a certificate at no cost. So this is how I did them from then on. So what I’m failing to see is what the benefit is of paying money for an SSL certificate. In both the ones I’ve done with and without installing a paid-for certificate, the user performs exactly the same procedures to get to their OWA email, i.e. navigate to say owa.mydomain.com/exchange and, after getting a screen warning that there is a problem with the certificate and it is not recommended to continue, they simply select ‘Continue to this website (not recommended)’ and get to the logon name & password prompt for their email. This to me does not seem particularly secure and I wonder if there is a way of making it more secure?
On a more specific note, I have a current issue with one of my OWA setups whereby after making the usual selection ‘Continue to this website (not recommended)’ I just get a ‘Service Unavailable’ message in big black writing at the top left. Any ideas on how to fault-find this?
0
Question by:laurencoull
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37841560
The main difference between paid vs self-issued is down to trust (or lack of) for the issuing authority and the admin / graft that has to be done to make things work vs no graft to make things work.

With a self-issued certificate, you need to install the certificate on each and every client using RPC over HTTPS and when the cert expires, you need to reinstall the new cert. Fine if you only have 5 users, but a pain for 65.

With a purchased SSL cert, this isn't a problem (unless you choose a random untrusted provider) as the issuing authority is already trusted by the client, so you don't have to install any certs other than on the server.
0
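The trust difference described in the answer above can be reproduced offline with the OpenSSL command line. This is an added example, not part of the original thread; the host name `owa.example.test`, the file names and the function names are constructed placeholders, and it assumes `openssl` 1.1 or later is installed.

```shell
#!/bin/sh
# Added illustration: all names below are constructed, none come from the thread.
HOST="owa.example.test"

# Issue a throwaway self-signed certificate valid for 30 days,
# comparable to one a server generates for itself at no cost.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=$HOST" -days 30 >/dev/null 2>&1
}

# Client that has NOT installed the certificate: only the default
# trust store is consulted, so a self-issued certificate is rejected.
verify_default_trust() {
    openssl verify "$1" >/dev/null 2>&1
}

# Client that HAS installed the certificate as a trusted root.
verify_with_installed_cert() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds when the certificate expires within the given number of days,
# i.e. when the reinstall on every client is coming due.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_self_signed "$WORK"
CERT="$WORK/cert.pem"

if verify_default_trust "$CERT"; then
    echo "default trust store: accepted"
else
    echo "default trust store: rejected (the browser shows its warning page)"
fi
if verify_with_installed_cert "$CERT"; then
    echo "certificate installed on client: accepted"
fi
if expires_within_days "$CERT" 60; then
    echo "expires within 60 days: plan the client reinstall"
fi
```

Clicking through the browser warning skips the first check entirely, which is why a client that never installed the certificate still reaches the logon page.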
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37841565
In terms of your fault - just re-run the connect to the Internet wizard, change nothing and see how the site behaves afterwards.

If still no joy, please advise.
0
 

Author Comment

by:laurencoull
ID: 37844832
Hi Alan
Cheers for your 2 postings:
On your 1st posting:
Makes sense, but only thing I'd say is that I've never had to install the certificate on each client, or indeed on any client, when using a self issued certificate, but have always got it to work. Strange?
On your 2nd posting:
Oh dear...... did so: Got 3 green ticks (Network, Secure website & Email config) & 1 red cross with message 'An error occurred while configuring a component: Firewall configuration'. Tried a second time: Same.
Now on navigating to https://owa.mydomain.com/exchange instead of getting to the Continue to website page then the 'Service Unavailable' after choosing to continue, I don't even get the Continue to website page, I just get an immediate 'Internet Explorer cannot display the webpage'
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37844997
0
 

Author Comment

by:laurencoull
ID: 37853732
Ok:
Checked that out & the registry key does match the IIS value.
Investigated the suggestion about stopping the Vipre service, however there isn't a Service listed called Vipre
Do you think the fact the Firewall part of the wizard failing is connected to my OWA problem?
Anyhow, I noticed after completing the wizard (as mentioned previously) that instead of getting to the Continue to website page then the 'Service Unavailable' after choosing to continue, I don't even get the Continue to website page, I just get an immediate 'Internet Explorer cannot display the webpage' message
I also noticed that:
The HTTP SSL Service was in a 'Stopping' state
The WWW Publishing Service was in a 'Starting' state
So I re-booted the server
Voila (I thought)..... the Services are all ok & OWA started working again!.... but only for a few hours, then it went back to the original 'Service Unavailable'
Tried running the connect to the Internet wizard again & it failed as before, ie at the Firewall config
And, just exactly as before after running the wizard.............
The HTTP SSL Service has gone into a 'Stopping' state
The WWW Publishing Service has gone into a 'Starting' state
and OWA just returns 'Internet Explorer cannot display the webpage'
I'm willing to bet that if I re-boot again, it will likely start working again but only briefly then go back to its 'Service Unavailable'
What next to try then....................?
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 37874501
Is the server you're having issues with, still SBS 2003?
If so, how many NICs in the server and are you running ISA?

If this is a later version, which one?
0
 

Author Comment

by:laurencoull
ID: 37875358
Yes SBS2003.
There are 2 on-board NICs, however the second one is not used and is disabled
No, not running ISA.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 37875857
What is the URL you are using to connect for OWA?
It would be helpful if you did mask these...remember these are on public DNS servers anyway and with enough effort they can be discovered :-)

What are you using for a firewall/router?
0
 

Author Comment

by:laurencoull
ID: 37875928
https://owa.mydomainname/exchange
Using a Cisco PIX501 firewall
I don't think there can be a problem with the external setup side of the OWA, as I say this did used to work and there have been no changes made to the config. And it still does work sporadically, so I'm more inclined to think the issue's with the server side.
0
 
LVL 35

Accepted Solution

by:
Cris Hanna earned 500 total points
ID: 37876138
You should run the SBS 2003 BPA and consider re-running the Connect to email and internet wizard.

Also verify the Exchange site in IIS is running on .NET 1.1 and not 2.0 (or other higher version).
0