SBS 2003 SSL Issues

MikeDTE
I have an aging SBS 2003 server which I use solely for Exchange.  I have a number of clients that connect various devices for email comms.  Some just use Outlook 2010 using Outlook over VPN and some use OWA and some use Exchange push mail for hand-held devices.  Just before Christmas I renewed my Go Daddy SSL cert which secures my mail domain and now all services apart from Outlook over VPN have fallen over with SSL issues.  I need someone with SBS 2003 experience to help me through the minefield.
Tom CieslikIT Engineer
Distinguished Expert 2017

Commented:
Windows 2003 and probably Exchange 2007, right?
You will start getting a lot of problems very soon since, as you know, the new Outlook 2016 / 2019 or O365 is not compatible with Exchange 2007.
If you do have Exchange 2010 then your problems will start very soon too, so think about migration ASAP.
As you know the new Outlook is using Autodiscover and not supporting RPC over HTTP anymore.

As for your problem, go to IIS Manager and make sure the new certificate is bound to your 443 port for the OWA address under Default Website.
If you change the bindings then restart the server or the Transport service.

Author

Commented:
Hi Tom

Thanks for your reply

Windows Small Business Server 2003 with no other server product (i.e. no Exchange 2007). I am not looking to upgrade as the cost is prohibitive. I am well aware that Outlook 2013 / 16 / 19 and O365 are not compatible. All clients use Outlook 2010 and can connect to my SBS 2003 without issue.

I have a problem with certificate for the mail domain mail.d-t-e.net only which means that OWA and push mail is down.  I need help with this part only.

Regards
Mike

kevinhsiehNetwork Engineer

Commented:
Are your customers aware that you are running on a platform that lost all security updates as of April 2014? This is a security nightmare. Your Exchange 2003 server should be considered owned. It is irresponsible to keep Windows 2003/Exchange 2003 out on the Internet in 2018/2019.  If your business can't afford to keep Exchange up to date, you shouldn't be in the business of providing Exchange services to your customers. There are some very inexpensive O365 plans that they can use.
Philip ElderTechnical Architect - HA/Compute/Storage

Commented:
How was the certificate obtained? Where was the CSR generated?

If the certificate is not on the server yet import it and make sure the Private Key is imported with it.

There is a SSL Wizard in the SBS Console. Use it to seat the "already on the server" SSL certificate.

Things will start to work as expected.
Philip ElderTechnical Architect - HA/Compute/Storage

Commented:
Oh, and SBS was never meant to be a hosting platform. That brings about license compliance questions.

Service Providers License Agreement: SPLA

Here in Canada, the SPLA SAL for Exchange is less than $3 per user per month. It's not that expensive licensing wise to provide e-mail services for our clients. The expense comes in with the hardware and underlying high availability solution that should be there to keep the customer's mail flowing.

Author

Commented:
Hi Tom

OK I have followed all the instructions and I still cannot access my mail domain

A simple SSL Checker reveals the attached report.  There seems to be a cert in place from the Router and not the SSL cert I have installed.

Regards
Mike
SSLRep.JPG
Tom CieslikIT Engineer
Distinguished Expert 2017

Commented:
If you have no access to your OWA from inside or you are getting a certificate issue, it means that you've installed the wrong certificate or the wrong certificate is bound to your SSL port 443 in IIS.

The router certificate has nothing to do with your Exchange server.
Philip ElderTechnical Architect - HA/Compute/Storage

Commented:
SonicWALL? Change the admin port to 8443 or something like that as it defaults to 443 thus interfering with port forwarding rule to the server.

EDIT: *When publishing remote console access to the SonicWALL.

Author

Commented:
Hi Philip

The SSL port on my router was set to 8443 but I changed it to 443 which is what the SSL config is set to.  Are you recommending SSL on the router is set to 8443?

Regards
Mike
Philip ElderTechnical Architect - HA/Compute/Storage

Commented:
The remote management port would be set to 8443.

The SSL publishing rule that forwards port 443 needs to be configured correctly. 443, SSL, needs to hit SBS.
Tom CieslikIT Engineer
Distinguished Expert 2017

Commented:
Do you have access to OWA from inside? With no error?

Author

Commented:
Hi Tom

Yes, by accessing my server using the LAN I get a security warning but I am able to access OWA.

Regards
Mike
OWA.JPG

Author

Commented:
Hi Philip

I need to understand this:

In IIS I use 443
My Router is set to 8443

Is this correct please?

Regards
Mike
Philip ElderTechnical Architect - HA/Compute/Storage

Commented:
Port Forwarding flow:

443 inbound --> WAN Port --> Router Port Forwarding Rule --> 443 --> LAN Port --> SBS
Tom CieslikIT Engineer
Distinguished Expert 2017

Commented:
If you can, create a forward lookup zone for your domain name (the one registered in public DNS) in your local DNS, refresh DNS on a workstation and try to access OWA from inside using the public name:

https://emailserver.domain.com/owa

emailserver - the name of your server in the certificate
domain.com - your public domain name

If you get access to OWA with no error and the new certificate shows in the browser, it means you've installed and bound the certificate correctly but the problem is on your firewall.

Author

Commented:
Hi Philip

I just need for you to tell me

Router - set SSL to 8443 - yes or no
IIS - set certificate to use port 443 - yes or no

Sorry Philip but I am into day 3 of this particular problem and I need simple answers rather than explanations - hope you understand - I am a DB / VB / VBA developer running an old server set-up by somebody else and I have very little depth of knowledge.

Regards
Mike
Tom CieslikIT Engineer
Distinguished Expert 2017

Commented:
Mike, your Exchange worked before with no problem. If you did not change anything on the router, why did everything stop working after the certificate renewal?
The only explanation is that your certificate is not installed correctly.

Please do what I've suggested before and you'll have your answer.

Author

Commented:
Hi Tom

Yes it was working and I used the prompted settings when completing the IIS cert creation but it didn't work. At some point I read some info on the web that appeared to suggest the router should be set to 443 so I did that. Nothing I have done has changed the situation since it went wrong.

Regards
Mike
Tom CieslikIT Engineer
Distinguished Expert 2017

Commented:
OK, so if you set port 443 to be the router management port from outside or inside, then now you have a conflict and your SSL request is not going to the server, it is stopping on the router.

Author

Commented:
Hi Tom

OK then it follows that the router should be set to 8443?

Regards
Mike
Tom CieslikIT Engineer
Distinguished Expert 2017
Commented:
Yes.
That's why I was suggesting that you create the public domain name in your local DNS, to check whether the certificate is working OK from inside.

Author

Commented:
Hi Tom

OK I have reset router to use 8443 as my SSL port.

I presume that the cert attached to IIS on port 443 is still OK.

I get the attached from a SSL checker.

Regards
Mike
SSL2.JPG
Tom CieslikIT Engineer
Distinguished Expert 2017

Commented:
I assume you have the d-t-e.local domain name inside.
Can you create in your DNS a new zone named

d-t-e.net ?
Then inside it create an A record for the mail server pointing to the local mail server IP.

After that you should be able to get https://mail.d-t-e.net/owa from the local network and you should see whether the certificate is working and installed correctly.

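One way to script the check Philip and Tom describe above (does the name mail.d-t-e.net on port 443 present the renewed mail certificate, from outside via the forwarding rule and from inside via the split-DNS name, or is some other device's certificate answering?). This is an added example, not code from either expert; the sample certificate dicts and the router CN `router-admin.local` are constructed, not captured from any real host.

```python
import socket
import ssl
import time

def cert_dns_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or a single leftmost '*.' wildcard label (no deeper subdomains)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def diagnose(cert, expected_host, now=None):
    """'wrong-cert' if the expected name is absent (another device, e.g. a router admin page,
    is answering on 443), 'expired' if notAfter has passed, else 'ok'."""
    if not any(name_matches(n, expected_host) for n in cert_dns_names(cert)):
        return "wrong-cert"
    now = time.time() if now is None else now
    if "notAfter" in cert and now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "ok"

def fetch_cert(target, expected_host, port=443, timeout=5):
    """Handshake with full verification against expected_host. The TCP connection goes to
    `target` (the internal IP for the split-DNS test, the public name from outside).
    Returns the parsed certificate dict on success, or the verifier's error text on failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((target, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return f"verify failed: {exc.verify_message}"

# Constructed sample certificates in getpeercert() layout (assumed values, not real hosts).
ROUTER_CERT = {"subject": ((("commonName", "router-admin.local"),),),
               "notAfter": "Jan  1 00:00:00 2030 GMT"}
MAIL_CERT = {"subject": ((("commonName", "mail.d-t-e.net"),),),
             "subjectAltName": (("DNS", "mail.d-t-e.net"), ("DNS", "www.mail.d-t-e.net")),
             "notAfter": "Jan  1 00:00:00 2030 GMT"}

if __name__ == "__main__":
    for label, cert in (("router", ROUTER_CERT), ("mail", MAIL_CERT)):
        print(label, diagnose(cert, "mail.d-t-e.net"))
```

A "wrong-cert" verdict against the public IP but "ok" against the internal IP is exactly the router-on-443 symptom in this thread; `fetch_cert` returning a verify error instead of a dict tells you the live endpoint is not presenting a chain the client trusts for that name.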
Author

Commented:
I think it's working - I need to have dinner and do some checking but email is now coming through on my phone!!!

Will be back in touch
Philip ElderTechnical Architect - HA/Compute/Storage

Commented:
Question: Were any of the SBS Wizards used to set this up?

https://remote.domain.com/remote or https://remote.domain.com/outlook would have been the URL used by default for both Remote Web Workplace and OWA respectively if memory serves correct.

In this case I can get to RWW via https://mail.d-t-e.net/remote:
DeltaTech
Remote Web Workplace

The certificate is correctly seated as no red bang exists in my browser.

So, the router is set up correctly and so is the certificate. Which leads me back to: Was the SBS Wizard used to seat that SSL certificate?

EDIT: Oh, and SBS uses a SPLIT DNS by default. So, the mail. URL will resolve to SBS via internal IP (or should if the wizards were used).
Philip ElderTechnical Architect - HA/Compute/Storage
Commented:
https://mail.d-t-e.net/Exchange does indeed resolve and OWA comes up as expected with a proper certificate seated.

You're good to go.

Author

Commented:
Hi Philip and Tom

Sorry - my dinner was on the table and my good lady required me to attend!!

Yes this issue seems to be resolved - many thanks for all your help.

Yes I did use the SBS wizard to seat the cert.

Regards and Happy New Year
Mike

Author

Commented:
Thanks to all
