Solved

OWA Intermittent SSL Connection Error

Posted on 2014-02-21
Last Modified: 2016-02-24
Hi all,

We have a customer with an SBS 2011 Server, running Exchange (2010) on an ADSL connection with a static IP address and a trusted (GoDaddy issued) SSL certificate.

For some reason, much of the time OWA doesn't work and other times it does.  We've tried the big yet simple things:

Reinstalling the SSL Certificate
Replacing the modem
Replacing the network switch
Temporarily Disabling the Windows Firewall and Testing
Completely Replacing the SSL Certificate
Disable all non-related sites in IIS (SharePoint, Client Deployment App, etc.).

All with no luck.  Internet Explorer just craps out but Google Chrome gives us an SSL connection error which, when we expand for more details, gives us an error code:

Error code: ERR_SSL_PROTOCOL_ERROR

We're at a loss as to how to proceed here.

If we disable 'Require SSL' on the OWA virtual directory in IIS (within the Default Web Site), OWA works fine, so the problem is specific to SSL.

Any help would be much appreciated!

Thanks

Bob
0
Question by:Mango-Man
9 Comments
 
LVL 20

Assisted Solution

by:Peter Hutchison
Peter Hutchison earned 668 total points
ID: 39876806
A few things to check:
1. Is the latest GoDaddy root certificate on the SBS server and on client machines?
2. Are ports 80 and 443 opened on the firewall(s) - server, router, etc.?
3. Is SSL enabled for all the relevant IIS virtual directories, e.g. owa, public, exchange, exadmin, ecl, etc.?
4. Is the DNS name correctly configured to the correct IP addresses, and does it match the address in the SSL certificate?
5. Is the certificate a Subject Alternative Name certificate with all the correct alt subject names added on the server? Exchange 2010 does require additional names, e.g. autodiscover, server names, etc.
0
 
LVL 6

Accepted Solution

by:insidetech
insidetech earned 668 total points
ID: 39876853
Did the SSL connection ever work?
Is it intermittent or just not working as you describe?
If you can provide your URL one may be able to capture the traffic for analysis.
0
 
LVL 1

Author Comment

by:Mango-Man
ID: 39876990
Hi cmsxpjh / insidetech,

Thanks for your help

I've answered all your questions together for clarification:

1. Is the latest GoDaddy root certificate on the SBS server and on client machines?
It's not installed on the client machines and doesn't need to be because it's not self-assigned.

2. Are ports 80 and 443 opened on the Firewall (s) - Server and router etc.
Yes - bear in mind it does work sometimes and it currently works on port 80 when 'Require SSL' is disabled in IIS

3. Is SSL enabled for all the relevant IIS virtual directories e.g. owa, public, exchange, exadmin, ecl etc.
Yes - as I say, it works *sometimes*

4. Is the DNS name correctly configured to the correct ip addresses and it matches the address in the SSL certificate.
Yes

5. Is the certificate a Subject Alternative Name certificate with all the correct alt subject names added on the server. Exchange 2010 does require additional names e.g. autodiscover, server names etc.
Yep the correct alt names are on there too, although OWA only requires the FQDN used to access it to be on there (the SANs are for additionals like autodiscover)

Did the SSL connection ever work?  Is it intermittent or just not working as you describe?
Yes it works intermittently

If you can provide your URL one may be able to capture the traffic for analysis.
Is there any way I can PM this to you?  Don't want to specific detail on here.

Thanks again for your help!
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 664 total points
ID: 39877409
When you did this:

"Reinstalling the SSL Certificate"

What exactly did you do? Did you rekey the certificate at GoDaddy or something else?

The error message is classic interference of some description, which stops the SSL session from establishing. Although it can be a sign of a corrupt SSL certificate.

Simon.
0
 
LVL 1

Author Comment

by:Mango-Man
ID: 39878117
Hi Simon,

I tried doing a simple rekey and also completely revoked the certificate and issued a new one (done LOTS of these as I manage a web server).  Yep agree everything points to something interfering with the SSL protocol but can't figure out what as all hardware between the phone line and the server has been replaced.

Also - the SSL certificate works just fine when OWA is accessed from the server.  I'm going to get one of our techs to try accessing OWA from inside the network to see if it's some strange port blocking by the ISP.
0
 
LVL 1

Author Comment

by:Mango-Man
ID: 39891777
Have visited site a few times but currently it keeps working from in and out when we're there - need to catch it as it breaks again.
0
 
LVL 1

Author Comment

by:Mango-Man
ID: 40598681
I'd like to reward those who helped and close the question as unanswerable - is there a protocol for this?
0
 
LVL 1

Author Closing Comment

by:Mango-Man
ID: 41478617
Didn't know how to mark it as unanswerable so have simply closed it and accepted contributions
0
 
LVL 1

Author Comment

by:Mango-Man
ID: 41478618
For anyone facing the same issue, it was solved by replacing the modem for a THIRD time with a different model of modem.  All of these were provided by the ISP.
0
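
An added example, not part of the original thread: a small Python probe for catching an intermittent failure like this one as it happens, recording for each attempt whether the TCP connect, the TLS handshake or certificate validation failed. The host name `owa.example.com`, the function names and the verdict labels are assumptions made for the illustration, and the sample results are constructed.

```python
import socket, ssl, time
from collections import Counter

def probe(host, port=443, timeout=5.0):
    """One connection attempt. Returns (stage, detail): ok | tcp | tls | cert."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                    # refused, timed out, DNS failure
        return ("tcp", type(exc).__name__)
    try:
        ctx = ssl.create_default_context()    # validates chain and host name/SAN
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("cert", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:    # handshake cut off, reset or stalled
        return ("tls", type(exc).__name__)
    finally:
        sock.close()

def verdict(results):
    """Heuristic reading of a run of (stage, detail) results."""
    stages = Counter(stage for stage, _ in results)
    if not results:
        return "no-data"
    if stages["cert"]:
        return "certificate"      # chain or name problem: checklist items 1, 4, 5
    if stages["ok"] and (stages["tls"] or stages["tcp"]):
        return "intermittent"     # cert validates whenever the handshake completes
    if stages["ok"]:
        return "healthy"
    return "handshake" if stages["tls"] else "unreachable"

def watch(host, rounds, delay=30.0):
    """Probe repeatedly, timestamping each result so failures can be correlated."""
    results = []
    for _ in range(rounds):
        results.append(probe(host))
        print(time.strftime("%Y-%m-%d %H:%M:%S"), *results[-1])
        time.sleep(delay)
    return verdict(results)

# Constructed sample run: clean handshakes with failed ones in between.
SAMPLE = [("ok", "TLSv1.2"), ("tls", "SSLEOFError"),
          ("tls", "ConnectionResetError"), ("ok", "TLSv1.2")]

if __name__ == "__main__":
    print(verdict(SAMPLE))                    # classify the constructed run
    # watch("owa.example.com", rounds=120)    # placeholder host name
```

Run from outside and inside the network at the same time, the timestamps show whether both vantage points fail together, which separates a server-side fault from something on the path such as the firewall, modem or ISP.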

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question