SBS 2003 SSL Issues

I have an aging SBS 2003 server which I use solely for Exchange.  I have a number of clients that connect various devices for email comms.  Some just use Outlook 2010 using Outlook over VPN and some use OWA and some use Exchange push mail for hand-held devices.  Just before Christmas I renewed my Go Daddy SSL cert which secures my mail domain and now all services apart from Outlook over VPN have fallen over with SSL issues.  I need someone with SBS 2003 experience to help me through the minefield.
MikeDTE asked:
Tom Cieslik (IT Engineer) commented:
Windows 2003 and probably Exchange 2007, right?
You will start getting a lot of problems very soon since, as you know, the new Outlook 2016 / 2019 or O365 is not compatible with Exchange 2007.
If you do have Exchange 2010 then your problems will start very soon too, so think about migration ASAP.
As you know, the new Outlook is using Autodiscover and not supporting RPC over HTTP anymore.

As for your problem, go to IIS Manager and make sure the new certificate is bound to your 443 port for the OWA address under Default Web Site.
If you change the bindings then restart the server or the Transport service.
MikeDTE (Author) commented:
Hi Tom

Thanks for your reply

Windows Small Business Server 2003 with no other server product (i.e. no Exchange 2007). I am not looking to upgrade as the cost is prohibitive. I am well aware that Outlook 2013 / 16 / 19 and O365 are not compatible. All clients are using Outlook 2010 and can connect to my SBS 2003 without issue.

I have a problem with certificate for the mail domain mail.d-t-e.net only which means that OWA and push mail is down.  I need help with this part only.

Regards
Mike
kevinhsieh commented:
Are your customers aware that you are running on a platform that lost all security updates as of April 2014? This is a security nightmare. Your Exchange 2003 server should be considered owned. It is irresponsible to keep Windows 2003/Exchange 2003 out on the Internet in 2018/2019.  If your business can't afford to keep Exchange up to date, you shouldn't be in the business of providing Exchange services to your customers. There are some very inexpensive O365 plans that they can use.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
How was the certificate obtained? Where was the CSR generated?

If the certificate is not on the server yet, import it and make sure the Private Key is imported with it.

There is a SSL Wizard in the SBS Console. Use it to seat the "already on the server" SSL certificate.

Things will start to work as expected.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Oh, and SBS was never meant to be a hosting platform. That brings about license compliance questions.

Service Providers License Agreement: SPLA

Here in Canada, the SPLA SAL for Exchange is less than $3 per user per month. It's not that expensive licensing wise to provide e-mail services for our clients. The expense comes in with the hardware and underlying high availability solution that should be there to keep the customer's mail flowing.
MikeDTE (Author) commented:
Hi Tom

OK I have followed all the instructions and I still cannot access my mail domain

A simple SSL Checker reveals the attached report.  There seems to be a cert in place from the Router and not the SSL cert I have installed.

Regards
Mike
(attachment: SSLRep.JPG)
Tom Cieslik (IT Engineer) commented:
If you have no access to your OWA from inside, or you are getting a certificate issue, it means that you've installed the wrong certificate or the wrong certificate is bound to your SSL port 443 in IIS.

The router certificate has nothing to do with your Exchange server.
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
SonicWALL? Change the admin port to 8443 or something like that as it defaults to 443 thus interfering with port forwarding rule to the server.

EDIT: *When publishing remote console access to the SonicWALL.
MikeDTE (Author) commented:
Hi Philip

The SSL port on my router was set to 8443 but I changed it to 443 which is what the SSL config is set to.  Are you recommending SSL on the router is set to 8443?

Regards
Mike
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
The remote management port would be set to 8443.

The SSL publishing rule that forwards port 443 needs to be configured correctly. 443, SSL, needs to hit SBS.
Tom Cieslik (IT Engineer) commented:
Do you have access to OWA from inside, with no error?
MikeDTE (Author) commented:
Hi Tom

Yes by accessing my server using LAN I get a security warning but I am able to access OWA

Regards
Mike
(attachment: OWA.JPG)
MikeDTE (Author) commented:
Hi Philip

I need to understand this:

In IIS I use 443
My Router is set to 8443

Is this correct please?

Regards
Mike
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Port Forwarding flow:

443 inbound --> WAN Port --> Router Port Forwarding Rule --> 443 --> LAN Port --> SBS
Tom Cieslik (IT Engineer) commented:
If you can, create a forward lookup zone for your domain name (the one registered in public DNS) in your local DNS, refresh DNS on a workstation and try to access OWA from inside using the public name:

https://emailserver.domain.com/owa

emailserver - the name of your server in the certificate
domain.com - your public domain name

If you get access to OWA with no error and the new certificate shows in the browser, it means you've installed and bound the certificate correctly, but the problem is on your firewall.
MikeDTE (Author) commented:
Hi Philip

I just need for you to tell me

Router - set SSL to 8443 - yes or no
IIS - set certificate to use port 443 - yes or no

Sorry Philip but I am into day 3 of this particular problem and I need simple answers rather than explanations - hope you understand - I am a DB / VB / VBA developer running an old server set-up by somebody else and I have very little depth of knowledge.

Regards
Mike
Tom Cieslik (IT Engineer) commented:
Mike, your Exchange worked before with no problem. If you did not change anything on the router, why did everything stop working after the certificate renewal?
The only explanation is that your certificate is not installed correctly.

Please do what I've suggested before and you'll have your answer.
MikeDTE (Author) commented:
Hi Tom

Yes it was working and I used the prompted settings when completing the IIS cert creation but it didn't work.  At some point I read some info on the web that appeared to suggest the router should be set to 443 so I did that.  Nothing I have done has changed the situation since it went wrong.

Regards
Mike
Tom Cieslik (IT Engineer) commented:
Oh, so if you set port 443 to be the router management port from outside or inside, then now you have a conflict and your SSL request is not going to the server; it is stopping on the router.
MikeDTE (Author) commented:
Hi Tom

OK then it follows that the router should be set to 8443?

Regards
Mike
Tom Cieslik (IT Engineer) commented:
Yes.
That's why I was suggesting that you create the public domain name in your local DNS, to check whether the certificate is then working OK from inside.
MikeDTE (Author) commented:
Hi Tom

OK I have reset router to use 8443 as my SSL port.

I presume that the cert attached to IIS on port 443 is still OK.

I get the attached from a SSL checker.

Regards
Mike
(attachment: SSL2.JPG)
Tom Cieslik (IT Engineer) commented:
I assume you have the d-t-e.local domain name inside.
Can you create in your DNS a new zone named

d-t-e.net ?

Then inside it create an A record for the mail server pointing to the local mail server IP.

After that you should be able to get https://mail.d-t-e.net/owa from the local network and you should see whether the certificate is working and installed correctly.
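Added example, not part of the thread and not code from any of the posters: a small Python script that does from outside what Tom's IIS-binding check, Philip's port-forwarding flow and Tom's internal-DNS test all come down to, namely seeing which certificate actually answers on 443 at a given address and whether it is the one installed on SBS. Host names, addresses, the thumbprint and the sample certificate inside it are made up; it assumes the thumbprint is read off the server's Certificates MMC snap-in.

```python
# Added example: find out which certificate is really answering on TCP/443.
# Host names, addresses, thumbprint and the sample certificate are constructed.
import hashlib
import os
import socket
import ssl
import sys
import time
import warnings


def lenient_context():
    """TLS context that can still talk to a 2003-era server.

    Windows Server 2003 / IIS 6 speak TLS 1.0 at best, which modern OpenSSL
    refuses by default, so lower the floor to TLS 1.0 at security level 0.
    Host-name checking is off so an IP address still yields a certificate;
    chain verification stays on and probe() reports whether it passed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with warnings.catch_warnings():  # Python flags TLS 1.0 as deprecated; expected here
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        pass  # this OpenSSL build has TLS 1.0 compiled out; keep the defaults
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return (trusted, cert_dict, der_bytes) for the leaf certificate on host:port.

    Pass 1 verifies the chain against the local CA store. If that fails, pass 2
    turns verification off and keeps only the DER: an untrusted self-signed
    certificate is exactly what a router's admin page presents, and we want to
    see it rather than a bare handshake error.
    """
    ctx = lenient_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return True, tls.getpeercert(), tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError:
        pass
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return False, {}, tls.getpeercert(binary_form=True)


def name_matches(host, pattern):
    """Exact match, or a single wildcard in the leftmost label only."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def diagnose(expected_host, trusted, cert, der, expected_sha1=None, now=None):
    """Turn a probe result into plain-language findings; [] means all is well."""
    now = time.time() if now is None else now
    findings = []
    sha1 = hashlib.sha1(der).hexdigest().upper()
    if expected_sha1 and sha1 != expected_sha1.replace(" ", "").replace(":", "").upper():
        findings.append("thumbprint %s is not the certificate installed on the server: "
                        "port 443 is answered by something else (router admin page, "
                        "or a different binding in IIS)" % sha1)
    if not trusted:
        findings.append("chain not trusted: self-signed or private CA (typical of a router "
                        "management certificate) or the CA intermediate is not installed")
        return findings  # nothing more to learn from a certificate we could not verify
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # older certificates carry the name only in the subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(expected_host, n) for n in names):
        findings.append("name mismatch: certificate is for %s, not %s" % (names, expected_host))
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate expired on " + cert["notAfter"])
    return findings


# Constructed sample in ssl.getpeercert() layout; not a real Go Daddy certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.d-t-e.net"),),),
    "issuer": ((("commonName", "Go Daddy Secure Certificate Authority - G2"),),),
    "subjectAltName": (("DNS", "mail.d-t-e.net"), ("DNS", "www.mail.d-t-e.net")),
    "notBefore": "Dec 20 00:00:00 2018 GMT",
    "notAfter": "Dec 20 23:59:59 2019 GMT",
}
SAMPLE_DER = b"constructed placeholder, not real DER"  # stands in for the installed cert
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_DER).hexdigest().upper()  # what the MMC thumbprint shows


if __name__ == "__main__":
    # usage: python check443.py mail.d-t-e.net 192.168.0.10 203.0.113.5
    # First argument is the name on the certificate; every argument gets probed.
    # CERT_SHA1 holds the thumbprint from the server's Certificates MMC snap-in.
    for addr in sys.argv[1:]:
        trusted, cert, der = probe(addr)
        verdict = diagnose(sys.argv[1], trusted, cert, der, os.environ.get("CERT_SHA1"))
        print("%-20s %s" % (addr, "OK" if not verdict else "; ".join(verdict)))
```

Run it three times in one go, against the public name, the server's LAN address and the WAN address. A clean result on the LAN address but an untrusted or thumbprint-mismatched certificate on the WAN address is the router answering 443 itself (the admin port problem discussed above); the same wrong certificate on every address points at the IIS binding instead; a thumbprint that matches but a chain that is not trusted means the Go Daddy intermediate was not installed with the renewed certificate.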
MikeDTE (Author) commented:
I think it's working - I need to have dinner and do some checking but email is now coming through on my phone!!!

Will be back in touch
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Question: Were any of the SBS Wizards used to set this up?

https://remote.domain.com/remote or https://remote.domain.com/outlook would have been the URL used by default for both Remote Web Workplace and OWA respectively, if memory serves correctly.

In this case I can get to RWW via https://mail.d-t-e.net/remote, which shows:
DeltaTech
Remote Web Workplace

The certificate is correctly seated as no red bang exists in my browser.

So, the router is set up correctly and so is the certificate. Which leads me back to: Was the SBS Wizard used to seat that SSL certificate?

EDIT: Oh, and SBS uses a SPLIT DNS by default. So, the mail. URL will resolve to SBS via internal IP (or should if the wizards were used).
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
https://mail.d-t-e.net/Exchange does indeed resolve and OWA comes up as expected with a proper certificate seated.

You're good to go.

MikeDTE (Author) commented:
Hi Philip and Tom

Sorry - my dinner was on the table and my good lady required me to attend!!

Yes this issue seems to be resolved - many thanks for all your help.

Yes I did use the SBS wizard to seat the cert.

Regards and Happy New Year
Mike
MikeDTE (Author) commented:
Thanks to all