considerscs
Self signed certificate - Outlook 2010 / 2007 - Exchange 2007

Please see the attached screenshot, which shows the certificate error we are getting.

From what I have read it is coming from our router, but I am not sure how to make this error quit popping up for the users.

It really isn't anything detrimental to their work, but from our standpoint we are tired of hearing the complaints.

Has anyone seen this before and know how to get around this?

Installing this certificate does not work when installing it to the computer.
Satish Auti

Where is the attachment? I guess it's missing.
No attachment!

If port 443 is used by your router for remote management, you need to change the remote management port to something else to allow port 443 through the router.  At the moment it will be terminating on the router, not your Exchange server.

Or I am wildly off track!

Alan
ASKER
Sorry, I always do that and forget the attachment.
Untitled.png
Port 443 is NAT port forwarded to our Exchange server.
No, 443 is landing on IOS (Cisco router).
ip nat inside source static tcp 10.10.10.10 443 FastEthernet1 443 extendable

This is what we have as the NAT port forward.  Is this why it is catching the certificate?  Will it still catch it if we change the outside port?
Our OWA goes to that.
Is OWA working?
Yes, OWA works from the outside and inside. Never had any problem with it.
Okay - so port 443 is happily open.

When does the error appear?  What do the users have open at the time?  Outlook?
Outlook is open when it happens. It throws that only when they open Outlook to use their Exchange email.
This certificate does not exist on our Exchange server either. I have reviewed the entire list of certificates to see if I could find this and get rid of it.
What FQDNs are included in your cert, e.g. mail.domain.com, and do those FQDNs resolve internally to your server, or externally to your public IP address?
Internally, it resolves to the internal IP of the server.

Externally, it resolves to our outside IP address.
My FQDNs are mail.domain.com and autodiscover.domain.com and a couple more.
So autodiscover and mail.domain.com both resolve internally?  Is your internal domain name domain.com?
Can you run the Autodiscover/Outlook Anywhere test from
https://www.testexchangeconnectivity.com/

This tool is incredibly useful for knocking down cert errors.
Yes, both resolve internally. Internally, for autodiscover, it uses the local name of the server, but it does resolve.

My internal domain name is domain.internal, as it is an SBS.
I assume this affects workstations on the lan side of the router.

It may be a DNS issue where the client is resolving the external IP and NAT loopback isn't working properly on the router (traffic from LAN > WAN IP does not get NATed back to the Exchange server). Can you run either nslookup or ping against mail.domain.com and autodiscover.domain.com from an affected workstation to confirm proper DNS resolution?
Internal ping test:

mail.domain.com resolves to the local IP of the server.

autodiscover.domain.com resolves to the local IP of the server.
Hmm, I really thought you would see an invalid DNS resolution.

The fix is to use loopback nat as outlined here:
https://supportforums.cisco.com/thread/1003238

To confirm my idea, from a workstation can you open a command prompt and run 'netstat -an 1 | findstr :443',
then launch Outlook. You will see a connection set up with a destination IP of your Cisco router.
I get 184.24.64.60:443 CLOSE_WAIT

I do not recognize that ip at all.

When I open Outlook I get the local IP of my Exchange server, and it shows port :443 and says ESTABLISHED.
The SSL cert at that IP address is issued to Oracle. I suspect a Java update is making that connection.
I am stumped by your issue. Do you have any redirects on the IIS Exchange website (Default Web Site)? Do you have any SRV DNS records for _autodiscover? Can you Ctrl + right-click the toolbar Outlook icon and test email AutoConfiguration?
No redirects on the IIS.

Email AutoConfiguration works every time; it just has the cert pop up every now and then.
I understand that, but please run the test by right-clicking the Outlook toolbar icon. This will give you verbose detail as to the connection process. I cannot help with the info you have provided.
Is your Exchange server's public IP address 184.24.64.60?
No, that is not the public.
Okay - but whatever is behind that IP Address is what is producing the certificate error.

Do you recognise that IP Address?
No, I'm not sure what that IP address is.

How are you able to see that the certificate is coming from that IP address?
The certificate at that IP is not the IOS self-signed cert; it is an Oracle cert. netstat did not catch any traffic when he launched Outlook. I can safely conclude that at that time he also did not encounter the cert error.
Sorry - https://184.24.64.60 - but comparing the cert on that IP to the image you showed, it does not match. The error is the IOS self-signed certificate.

What firewall do you have?
No firewall. We have a Cisco 1811 that I believe that is coming from.
djcanter - you are correct.  I did not receive the cert at that time.
Okay - so djcanter's suspicions that it is coming from a Cisco box look to be correct.

As to why it is coming from there is a mystery, as it shouldn't, because Outlook couldn't care.

Does it happen to all machines or just a few random ones?

Do those machines have an Addin or similar for Cisco?
It does happen completely randomly. I know some of our people have the Cisco VPN client or Cisco AnyConnect. Whether it is happening on those machines I need to check.

That is what I was wondering: why Outlook cares about that cert.
Outlook should only care if, from the LAN side, it is being directed to the public IP. That's where the loopback NAT can help.

This can be caused by cached DNS entries, incorrect DNS servers, etc. If you configure a LAN computer to use a public DNS server you will duplicate the issue.
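As an added example, not code from the thread, the script below models the cause described in the post above: a workstation whose resolver list includes a public DNS server sometimes gets the public address for mail.domain.com, so Outlook's HTTPS session lands on the router's outside interface and is answered with the IOS self-signed certificate. It parses constructed nslookup transcripts (one from the internal DNS server, one from a public resolver such as 4.2.2.2) and flags any resolver that hands back an address outside the LAN. The 10.10.10.0/24 range, the resolver host names and the 203.0.113.x addresses are assumptions; the live helper at the end returns the SHA-256 fingerprint of whatever certificate an address actually presents, so it can be compared with the fingerprint of the Exchange certificate.

```python
"""Find the DNS server that points Outlook at the public IP, and fingerprint
the certificate an address presents.  Added example; not from the thread.
The LAN range, host names and nslookup transcripts are constructed."""
import hashlib
import ipaddress
import re
import socket
import ssl

INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24")]  # assumed LAN range
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed transcripts of 'nslookup mail.domain.com <server>' on Windows.
NSLOOKUP_INTERNAL = """\
Server:  server.domain.internal
Address:  10.10.10.10

Name:    mail.domain.com
Address:  10.10.10.10
"""
NSLOOKUP_PUBLIC = """\
Server:  b.resolvers.level3.net
Address:  4.2.2.2

Non-authoritative answer:
Name:    mail.domain.com
Addresses:  203.0.113.10
          203.0.113.11
"""


def parse_nslookup(text):
    """Return (resolver_ip, queried_name, [answer_ips]) from nslookup output.

    The first 'Address:' line before 'Name:' is the resolver that answered;
    every address after the 'Name:' line (including continuation lines
    under 'Addresses:') is an answer for the queried name.
    """
    resolver, name, answers = None, None, []
    seen_name = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name:"):
            name = stripped.split(":", 1)[1].strip()
            seen_name = True
            continue
        match = IP_RE.search(stripped)
        if not match:
            continue
        if not seen_name and stripped.startswith("Address"):
            if resolver is None:
                resolver = match.group(1)
        elif seen_name:
            answers.append(match.group(1))
    return resolver, name, answers


def is_internal(ip, nets=INTERNAL_NETS):
    """True when the address lies inside one of the LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def leaking_resolvers(transcripts, nets=INTERNAL_NETS):
    """Map resolver -> (name, public answers) for resolvers that send LAN
    clients to the outside address, i.e. through the router's WAN side."""
    leaks = {}
    for text in transcripts:
        resolver, name, answers = parse_nslookup(text)
        public = [ip for ip in answers if not is_internal(ip, nets)]
        if public:
            leaks[resolver] = (name, public)
    return leaks


def cert_fingerprint(host, port=443, timeout=5):
    """Live helper: SHA-256 of the DER certificate presented at host:port.

    Verification is disabled on purpose so a self-signed router cert can be
    fetched; compare the result with the Exchange certificate's fingerprint.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    found = leaking_resolvers([NSLOOKUP_INTERNAL, NSLOOKUP_PUBLIC])
    for resolver, (name, ips) in found.items():
        print(f"{resolver} answers {name} with public {ips}: "
              "Outlook would reach the router, not Exchange")
```

On a workstation, collect one transcript per DNS server shown by ipconfig /all with 'nslookup mail.domain.com <server>' and feed them to leaking_resolvers; a resolver it lists is the one to drop from the DHCP scope, or the reason to add hairpin NAT on the router so LAN traffic to the public IP is still forwarded to Exchange.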
I will test that now. The Exchange server internally is set to go to the local server in DNS.

It is a forward lookup zone.
Using outside DNS from inside the LAN I just got the certificate issue. It is the IOS self-signed one.

So maybe that will help.
Okay - so are your clients getting their IP addresses via DHCP or are they hard coded?

What DNS servers are they pointing to?

On a problem machine, the next time the error appears, please check the DNS settings to make sure they point to an internal server to resolve DNS addresses not a Public server IP.
Yes, they are all getting their IP addresses from the router. They all have DNS pointing to the Exchange server, which is also our DNS and Active Directory server.

I have a suspicion that these people are working with different DNS because their local IT messed it up.
DNS from the router?  You should be using DHCP and DNS from a server not the router.

Time to set things up properly, then the problem will go away.
DHCP from the router.  DNS from the server.

That is how we do that everywhere. I do not see the benefit of a server with DHCP versus the router handling it.
I am looking at a user now that has it.

The machine is using local DNS and I am getting the cert error. I am not seeing why it is going through the router when it is inside the building.
Run the Outlook AutoConfiguration test by Ctrl + right-clicking the Outlook toolbar icon. This will show you which DNS records etc. it is referencing.
Protocol is Exchange HTTP.

It is referencing mail.domain.com.

I am not seeing any dns records on the test.
Can you run ipconfig /all on the problem machine and post the output please.
IP: 10.10.10.205

Subnet mask: 255.255.255.0

Gateway: 10.10.10.1

DNS: 10.19.12.80

Secondary DNS: 4.2.2.2

All IP addresses changed for security.
ASKER CERTIFIED SOLUTION
djcanter

SOLUTION
Can you tell me what the advantages of having a DHCP server are?

I have never used it that way.
More control of what goes on within your network and allocation of DNS settings via DHCP.
I have taken out 4.2.2.2 and so far I am not seeing the cert.

I will monitor it to make sure it doesn't come back.

We control DNS settings from the router.

Just drop dns-server x.x.x.x y.y.y.y into the DHCP pool.
I would still take DHCP away from the router, but that's a whole different topic!!
I let network gear do network functions. As both Cisco and Microsoft certified, I can see the advantages of using both. But my main reason for letting the router do the DHCP addressing is that my router reboots considerably less than my server.

Though Windows has a shiny web GUI for DHCP admin, and adding VoIP, TFTP, etc. settings is easier, I believe in separation of function. Especially since Microsoft uses non-standard DHCP configs (unicast vs. broadcast).
Good team effort.  Well done djcanter.

Glad the problem is resolved.
I agree with djcanter as to my reasons for using the router. I prefer separation of services as much as possible, but also the Cisco router is so much more reliable than Microsoft.
It's your network and whilst I don't agree, it's not important to your solution.

Windows DHCP allows for dynamic DNS record updates, so there are benefits to server-based DHCP allocation.  Whilst the server may be rebooted more often than the router, it isn't going to cause any issues for a client unless they happen to be new and wanting an IP at the same time the server is rebooting.

DHCP isn't a massive overhead to a server, so you are not taking away anything substantial by placing it on a router and having it on a router gives you less functionality in a Windows environment.