RedDoorSupplies
asked on
Exchange 2007 SSL Not Working
Hi I installed a purchased SSL certificate onto a Exchange 2007 server in July 2007 but recently some users are having problems using Outlook Anywhere which was working fine up till then.
I have run an exchange test for the autodiscover and for the Outlook Anywhere.
When trying autodiscover I can an error saying
"The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation. "
How can I check the SSL certificate is still working ok and how can I get the users back up and running?
Due to a recent line update we had to change static IP address of the server im not sure if the IP is included or linked to the SSL in anyway?
Thanks
I have run an exchange test for the autodiscover and for the Outlook Anywhere.
When trying autodiscover I can an error saying
"The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation. "
How can I check the SSL certificate is still working ok and how can I get the users back up and running?
Due to a recent line update we had to change static IP address of the server im not sure if the IP is included or linked to the SSL in anyway?
Thanks
ASKER
Hi I have checked the SSL via the padlock in IE and this all looks ok.
It just used the 1 domain and the autodiscover has a SRV setup for it.
I have also run the commands you suggested and some look ok where as some don't have anything listed for external or internal URL which is odd, can these settings be edited anywhere?
Also do you think the IP change would have any impact at all?
It just used the 1 domain and the autodiscover has a SRV setup for it.
I have also run the commands you suggested and some look ok where as some don't have anything listed for external or internal URL which is odd, can these settings be edited anywhere?
Also do you think the IP change would have any impact at all?
It's not unusual for a bunch of the URLs to be blank. I get some blank on the server I have and external access is working fine. As long as the External URL or OWA is correct and for the Offline Address Book too, I believe you're generally ok.
Seeing as the IP has changed recently I'm sure you're right in thinking that's the culprit.
You'll want to confirm that the inbound rule from your firewall to exchange is using the correct IP and port number (443).
There should also be a NAT in place there to translate between the public and private address.
You should only need the inbound rule, not an outbound one unless you have reason for the Exchange server to start outbound sessions on port 443.
If you're familiar with Wireshark it would be useful to have it running on the Exchange server while you try to connect with a phone.
Using the filter;
tcp.port==443
You should see all ssl connections coming into the server. You'll only be able to see the content of the SSL handshake of course but it can confirm whether traffic is getting to your server and at what point the communication falls down.
Seeing as the IP has changed recently I'm sure you're right in thinking that's the culprit.
You'll want to confirm that the inbound rule from your firewall to exchange is using the correct IP and port number (443).
There should also be a NAT in place there to translate between the public and private address.
You should only need the inbound rule, not an outbound one unless you have reason for the Exchange server to start outbound sessions on port 443.
If you're familiar with Wireshark it would be useful to have it running on the Exchange server while you try to connect with a phone.
Using the filter;
tcp.port==443
You should see all ssl connections coming into the server. You'll only be able to see the content of the SSL handshake of course but it can confirm whether traffic is getting to your server and at what point the communication falls down.
ASKER
Ok thanks.
Just as some more information there are a good few iPhones that all still connect ok as well as some users that use OWA and they are not seeing any issues at all, its only people using Outlook Anywhere that are having the trouble.
That's what im finding strange as it all seems to be working ok?
Just as some more information there are a good few iPhones that all still connect ok as well as some users that use OWA and they are not seeing any issues at all, its only people using Outlook Anywhere that are having the trouble.
That's what im finding strange as it all seems to be working ok?
Who issued the SSL certificate?
If it was issued in June 2007 then it would be quite old certificate, and seven years for an SSL certificate is unusual. Have you confirmed the certificate is still valid?
Simon.
If it was issued in June 2007 then it would be quite old certificate, and seven years for an SSL certificate is unusual. Have you confirmed the certificate is still valid?
Simon.
ASKER
Sorry just checked my orginal post and I did put 2007 and I have no idea why!!!
It was added July 2013 and expired 1/7/14 so that is all ok.
I have just found out that the server had a "compress hard drive" run on it as the drive was getting full.
I have taken this option off of the c:\program files\exchange folder incase that was causing an issue but its not working still although I haven't done a restart since.
Would the compress space option need to be taken off any other folders?
Thanks
It was added July 2013 and expired 1/7/14 so that is all ok.
I have just found out that the server had a "compress hard drive" run on it as the drive was getting full.
I have taken this option off of the c:\program files\exchange folder incase that was causing an issue but its not working still although I haven't done a restart since.
Would the compress space option need to be taken off any other folders?
Thanks
Personally I would never compress a system drive because of the impact on performance.
Is this a virtual server? Would you be able to increase the size of the drive rather than compress?
I couldn't say whether it's a factor for this issue or not but it means every read or write on the hard drive must run through a compression process. Do you know if the time the drive was compressed coincided with the time the connectivity issue first occurred?
Have you looked in the Event Viewer on both the server and the clients for anything that might be related?
It might be that the issue is on the client end rather than with the server. So far it looks like your server is set up correctly.
For the clients Outlook Anywhere settings have you got the same URL in place as is being used by the security certificate?
The MS support page for that is here: Use Outlook Anywhere
Is this a virtual server? Would you be able to increase the size of the drive rather than compress?
I couldn't say whether it's a factor for this issue or not but it means every read or write on the hard drive must run through a compression process. Do you know if the time the drive was compressed coincided with the time the connectivity issue first occurred?
Have you looked in the Event Viewer on both the server and the clients for anything that might be related?
It might be that the issue is on the client end rather than with the server. So far it looks like your server is set up correctly.
For the clients Outlook Anywhere settings have you got the same URL in place as is being used by the security certificate?
The MS support page for that is here: Use Outlook Anywhere
ASKER
Yes I agree I wouldn't usually compress a system drive but this was carried out by someone else, so im going to look into expanding the capacity.
Im currently on the phone with Microsoft who are looking at the issue but incase it helps anyone else out I was getting the following error when running test-outlookwebservices
"Id : 1006
Type : Error
Message : The Autodiscover service could not be contacted."
We over came this by adding the following registry entry
HKLM\system\currentcontrol
Dword - DisableLoopbackCheck - Value1
Will update when Microsoft have finished.
Thanks
Im currently on the phone with Microsoft who are looking at the issue but incase it helps anyone else out I was getting the following error when running test-outlookwebservices
"Id : 1006
Type : Error
Message : The Autodiscover service could not be contacted."
We over came this by adding the following registry entry
HKLM\system\currentcontrol
Dword - DisableLoopbackCheck - Value1
Will update when Microsoft have finished.
Thanks
ASKER
Well we seemed to have got it working I have tested a users laptop and the Outlook Anywhere is connecting and it stays connected after restarting etc.
If I run the Exchange test it still fails on Autodiscover and Outlook Anywhere which is very strange!
If I run the Exchange test it still fails on Autodiscover and Outlook Anywhere which is very strange!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Was resolved as of a support call to Microsoft, all required info has been added
Once the page loads click on the lock icon in the address bar and choose "View Certificates".
Confirm the details on the General Tab.
The "Issued to" address should be the one you're using for the autodiscover URL.
If you're using a SAN certificate the autodiscover address could be different.
To check this click into the details tab and highlight the "Subject Alternative Name" entry. Verify the DNS names listed. One of these could also be used for your autodiscover address.
To check some relavent URLs on Exchange, open the Exchange Management Shell (run as administrator).
Run the following commands;
Get-WebServicesVirtualDire
get-AutodiscoverVirtualDir
Get-OwaVirtualDirectory | fl Id*,*url*
Get-ClientAccessServer | fl Id*,*uri*
Get-OabvirtualDirectory | fl Id*,*url*