My Exchange 2007 installation guide (Full Version)

All Forums >> [Microsoft Exchange 2007] >> Installation



Message


TwoJ -> My Exchange 2007 installation guide (28.Jun.2007 4:25:15 PM)

Revision 3
 
2008-05-22
A few days ago i started recieving the security alert when i start outlook 2007 from the internet. The security alert is that it is saying there is a security mismatch between autodiscover.domain.com and the actual ssl cert in IIS (mail.domain.com). I didn't make any modifications on the external DNS but i have done updates on both my client and server so i suspect that there is some new update that has changed this behavior. I will continue to investigate this, but be warned that the following guide might not work for the single ssl cert. If anyone has information that might help i certainly would like to hear, i'm not happy that i need to pay $200/year when $20/year works the same.

 
(Note1 - This initial configuration i did on the initial release of Exchange 2007 - since then SP1 has been release and made it possible i believe to accomplish a few more things in the Exchange Management Console - if you install exchange 2007 and update it with SP1 there maybe some easier ways to do stuff in the EMC but as yet i have not done this so this guide still reflects the pre-sp1 setup)

This information may change as mistakes or details are dealt with
I pass this information on, that it may be of help to others (including myself in remembering what i did!)
First i want to thank, t0ta11ed, Sembee, and Henrik, and others who have posted information in this forum and all over the internet.
Preamble: This is my setup, so i cannot guarantee that this will work for you, I have for this setup, 1 server running Windows 2003 x64. If you want to install Exchange 2007 you will need it on either Windows 2003 x64 or 2008 x64 bit versions, the 32bit (x86) will not work. I also have one static public (external) IP. Most of the configurations i came across for Exchange will talk about multiple web sites (with different internal IPs) the thing they rarely mention is that you will need multiple external IPs to map to these internal IPs. If you have multiple external IPs then it is probably better that you assign 1 for autodiscover.domain.com so that you have more choices down the road instead of locking it to the same IP as your main CAS IP. If however you are restricted to 1 external IP this may help you.
A little note about SSL certificates, Exchange 2007 is a bit of a nightmare for SSL certificates, by default you have a self-signed certificate made by exchange, which is ok if you have no one accessing any external services like OWA, activesync, RPC over HTTP (OutlookAnywhere). However this scenario is probably unlikely. If you do have these services then you either can install this self-signed certificate on every computer that needs to access these services not to mention telling people to click through the IE7 stupid "There is a problem with this website's security certificate”, needless to say this is really not a viable option for most people. So pretty much the only real option is a commercial SSL certificate. Trying to find the most economical way to do things, i tried StartCom's free (yes really free, not trial) SSL certificate, problem is that it is trusted by almost everyone INCEPT Internet Explorer, needless to say it becomes a pain to teach people the same thing about untrusted certificates. OK – other choices – for Exchange 2007 you are talking about 2 SSL (I'll show you the bypass to get it to 1 later), one for mail.domain.com and another for autodiscover.domain.com, that means if you've done any research on the subject that you need an SSL cert that supports SAN (Subject Alternative Name). At present the cheapest one is $200/year, others are considerably more expensive. Better but even $200/year i find a little steep if all you need is just a CAS certificate (exchange 2003 front-end certs are easily <$100). On top of this you may already have a mail.domain.com cert that would now be useless. I have a mail.domain.com cert from GoDaddy which cost $20/year (or less) and that is the one that i will be using.
Getting Started:
To start off I did a clean install of windows 2003 x64, setup DNS, WINS (if necessary), DHCP, IIS in that order, a fairly typical PDC. Then a standard install of Exchange 2007, there a few extra programs and hotfixes to install but the install program is good about telling you what you need. A little note, you can install the Exchange tools on a 32 bit machine to do most of the administration from a client machine. Ok so you have a clean Exchange install, let's configure it.
To allow Exchange to accept connections from other mail server, open Exchange Management Shell (EMS)
Run the following command;
Set-RecieveConnector –Identity "Default <ServerName>” –PermissionGroups "AnonymousUsers”
Replace <ServerName> with your CAS name. Close the EMS
To allow Exchange to send mail to other mail servers, open Exchange Management Console (EMC), open Organization Configuration->Hub Transport, click on 'Send Connectors', Right click (RC) in the 'Send Connectors' box and select 'New Send Connector', choose a name, for example 'All Outgoing Connector', leave the 'Select the intended...' as Custom, for the Address Space click the 'Add' button and enter * in the Add Address Space window marked Domain, to accept SMTP connections from all domains, leave the 'Include all subdomains' unchecked. In Network settings leave all values at their default settings, in 'Source Server' again leave the default values, and finally in 'New Connector' click on 'New' to create the connector.
At this point Exchange should be able to send & receive mail.
At this point if you are going to support Outlook with RPC over HTTP you will need to install that service, go to Control Panel->Add/Remove Programs->Add/Remove Windows Components, Select Networking Services, click on details, click the 'RPC over HTTP Proxy', click 'ok', Click 'next', make sure Windows has access to the install source, after the proxy is installed, click 'Next'.
Now you need to remove the Exchange self-signed cert, Open up IIS manager (Administrative Tools->Internet Information Services (IIS) Manager), Open the Server subfolder, open the 'Web Sites' folder, and open the 'Default Web Site', there will be several virtual directories (VD) below the DWS including owa, and Autodiscover. RC the DWS and select Properties, then click the 'Directory Security' tab, then click 'Server Certificate' and then click 'Next' at the SSL welcome wizard. The next step depends if you already have an SSL certificate for mail.domain.com or not. If you do then click 'Replace the current certificate' and follow the instructions. If you do not have an SSL certificate then select the 'Remove the current certificate'. The latter will only remove the certificate from the DWS, it will stay in the windows certificate store so if you ever need it in the future you can always get it back. After you remove the certificate, re-run the wizard and it should ask you to go through the process of asking for an SSL certificate, follow the wizard which will create an certreq.txt file which you will need to make the application at a Certification Authority (CA) company, such as GoDaddy or others. I will leave this to you to follow since the process varies a bit from CA to CA (ie for GoDaddy you need to install an intermediate certificate, which may not be necessary for more expensive CAs. I am using a turbo ssl cert which is registered for mail.domain.com and costs $20/year.
At this point you should have your mail.domain.com cert on the DWS, and any other intermediate certs installed.
Next lets change owa so you need to just enter your username and not domain\username; In EMC go to Server Configuration->Client Access, RC the owa (DWS) click Properties, click the authentication tab, select the 'use forms-based authentication:' and then select the 'User name only', then click on Browse and choose your logon domain. Click 'Ok' to exit.
To install Outlook Anywhere in EMC go to Server Configuration->Client Access, RC the server and select 'Enable Outlook Anywhere', for the External host name use: mail.domain.com , External authentication methods: choose NTLM authentication, do not select 'Allow secure channel (SSL) offloading', click Finish to exit.
Next we need to change the URLs used autodiscover so that all services point to mail.domain.com.
In EMC go to Server Configuration->Client Access choose the Offline Address Book (OAB) Distribution tab, RC the OAB (DWS) and select properties, Click on the URLs tab and put in: https://mail.domain.com/oab for both both internal and external URLs. Click 'Ok' to accept and exit.
Do the same for owa by going to Server Configuration->Client Access (Outlook Web Access tab) andRC the owa (DWS) and choose properties, on the General tab change the Internal and External URLs to: https://mail.domain.com/owa , click 'Apply', an extra feature you may want to give is access to network shares through owa, this is available on the Documents box in owa, if you do then go to the 'Remote File Servers' tab and click the 'Configure' button on the bottom, enter the domain you are using, ie for mail.domain.com you would put domain.com, click 'add' then click 'ok' to exit. Then click on the 'Allow' button and enter the FQDN of your CAS, ie if the CAS computer name is mx1.domain.com, then enter mx1.domain.com and click 'add' then 'ok'. This will give owa users access to any network shares that exist on mx1. Click 'ok' to save and exit. If you do not want this then disregard that previous procedure and click 'ok' to exit.
Next we'll change the URLs for the Unified Messaging, while this step is probably not necessary for most people, it will look better at the end. However to change the URLs we need to go to the EMS.
Open the EMS and enter the following command;
Set-UMVirtualDirectory "UnifiedMessaging (Default Web Site)” –InternalURL https://mail.domain.com/Unifiedmessaging/Service.asmx -ExternalURL https://mail.domain.com/Unifiedmessaging/Service.asmx
Next we change the URLs of the Availability service which will also be the same for OOF, in EMS enter the following command;
Set-WebServicesVirtualDirectory –Identity "EWS*” –InternalURL https://mail.domain.com/EWS/Exchange.asmx -ExternalURL https://mail.domain.com/EWS/Exchange.asmx
Finally we set the autodiscover URL, now this is a little special since it is not possible to set the external URL of autodiscover. Outlook 2007 is set to look for autodiscover.domain.com or domain.com/autodiscover, and this is in my opinion where all the security alert mess comes from. Anyways in the EMS enter the following command;
Set-ClientAccessServer –Identity "your CAS server name (ie mx1)” –AutoDiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml
Ok all done with EMS, you can close it and go to your DNS management, Administrative tools->DNS. First in the Foward Lookup Zone (FLZ) for domain.com, RC the domain.com and select 'New Host (A)', enter: mail ,for the name and input the Internal IP of your CAS. Next RC the FLZ under your server and select 'New Zone', click 'Next' at the wizard introduction, leave the zone type as Primary and ActiveDirectory integrated, click 'Next', leave the zone replication on the default, which is to all domain dns servers, click 'Next', For the name enter: autodiscover.domain.com , click 'Next', for the dynamic updates change the setting to 'Allow both unsecure and secure dynamic updates, click 'next then click 'Finish'. Now RC the new autodiscover.domain.com and select 'New Alias (CNAME)', leave the name field blank and just click on the Browse button, In the new browse window, double-click (DC) the server name, DC the FLZ folder, DC domain.com and then select the mail entry, click 'ok' to complete. You can now close DNS.
I would recommend restarting the server to insure that the new settings are accepted. One thing you will want to check after the restart is to go to EMC->Server Configuration->Mailbox, RC the mailbox database, select properties, click on the 'Client Settings' tab and verify that you have the 'Default Offline Address Book' listed in the Offline address Book window, if not click on the Browse button and select it. If it was not there then restart the server again after you have selected it.
Ok almost done! You should be able to start up a Outlook 2007 client and when adding an exchange mail account it should use the autodiscover feature to get all the URLs. Hopefully everything should work, if you do get a Security Alert windows then try restarting the client and server, also verify that the SSL cert is accepted on the client. If everything did go well then Outlook can connect and send/receive from exchange. Now you can check that all the URLs are pointing to mail.domain.com, while holding down the left 'Ctrl' button RC the Outlook icon in the system tray, this should give you a menu which has 'Test e-mail Autoconfiguration' in the test window, enter your email (ie user@domain.com), unselect the "use guesssmart” and "secure guesssmart authentication” then click 'Test'
If everything goes well then you should have 2 sections after the results come in, one for Exchange RPC and the other Exchange HTTP. The RPC is for LAN connections and HTTP is for HTTP connections. In both sections all the URLs should start https://mail.domain.com
If this is not the case then go back and find the problem.
Another test to do is to verify that your OWA is working internally. If you open Internet Explorer (IE) and enter https://mail.domain.com/owa , don't forget to change domain to whatever your domain is. This should give you the OWA login webpage, if not then go back and find the problem. You should not have any Security Alerts with the OWA.
 If this is ok then your 200x Outlook clients should be working ok internally and your 2003 clients should be ok externally. However if you try your Outlook 2007 clients from the internet you will probably find that they give a Security Alert, and that is because they are looking for either an SSL with a name of autodiscover.domain.com or domain.com. Since yours is for mail.domain.com it will give a name mismatch error. To resolve this you must access your external dns entries which are usually handled by your hosting provider. For your external DNS you will have a MX record for where your mail is sent and probably entries for www, ftp, etc. These are the way that computers on the internet find domain.com resources. Usually it takes 4 to 24 hours for adding or changing the external DNS entries to actually start redirecting clients, so don't expect just because you changed the MX record that your email will be redirected right away. The setup is very similar to the DNS entries for the internal network, for the external DNS entries you will have the MX record to point to mail.domain.com (MX cannot point to an IP), you will need a Host record (A) that is for mail.domain.com which points to your external IP and finally an Alias (CNAME) entry for autodiscover.domain.com which will point to mail.domain.com.
This way when Outlook 2007 is on the internet and asks joeblow_nameserver for autodiscover.domain.com it will be sent to your external DNS entries where it will find autodiscover.domain.com which is an alias for mail.domain.com, the exact details of why outlook accepts it i am not sure, but it doesn't give me any complaints. So this way you don't need multiple external IPs (expensive), nor SAN SSL certificates (unnecessary and expensive), nor create multiple internal websites (unnecessary).
I have been using this for a few weeks now and everything appears normal and stable, i have been using Outlook 2007, i have not tested this on Outlook 2003 however i do not think there should be any problems. The OWA and Outlook clients have no problems connecting, the only thing which i find a bit un-normal is that it seems to take about 2 minutes for Outlook to connect and synchronize, with Exchange 2003 and Outlook 2003 it seems to be quite a bit faster, if anyone can comment on this I'd appreciate any insight.
I have tested this also with Windows Mobile 2003SE and the activesync works well, if you have the GoDaddy cert you will need to add the CA cert to the WM2003 trusted root store, then after that it connects fine.
Most of this information is around the internet but I thought this would be useful to write down in one place since i didn't find much information about external DNS settings. I did leave out some extra information about redirecting the OWA URL, which allows users to log into the port 80 http owa url and then get redirected to the 443 https url, however i am not really satisfied with the current method of the redirect html page. If i find something i'll post back. Anyways i hope this give some insight for some and will help with the installation.
TwoJ
 




jstefani -> RE: My Exchange 2007 installation guide (14.Aug.2007 10:27:37 AM)

Twoj,

This method worked for me.  Beats the two website config. by sembee.  I was a little confused about you final section regarding second dns domain "autodiscover.domain.com".  I didn't see the relevance to this since I performed the Set-ClientAccessServer procedure in your prior step, do I didn't perform the dns forward lookup and everything is working just fine.  Thanks for the info.




TwoJ -> RE: My Exchange 2007 installation guide (14.Aug.2007 11:56:10 AM)

It's possible that the dns domain autodiscover, becomes redunant. these were the steps on how i got my setup working so i was just so happy that i could finally get things working that its possible some of the procedures are unnecessary.
I would have to set up another 2007 exchange to test if the secondary DNS domain autodiscover.domain.com is necessary.
It may be that it becomes necessary under certain conditions.
If anyone else is setting up exchange per the guide you might want to leave out the part of creating the autodiscover.domain.com zone in DNS and see if your Outlook 2007 clients can find the server and sync without issue.

I think this was to avoid the cert mismatch when an outlook 2007 client is trying to connect internally - jstefani - have you tried connecting with Outlook 2007?




mmac -> RE: My Exchange 2007 installation guide (23.Aug.2007 8:23:31 PM)

Excellent post TwoJ, helped greatly.  My autodiscover service is now working perfectly as well as my Outlook Anywhere with Exchange 2007 clients (haven't tried 2003 clients yet, but I will give it a whirl via VMware shortly). 
 
My environment is a little different however in the following ways - right now I have three exchange servers:
 
MAIL1 (Exchange 2003 Front-End)
MAIL2 (Exchange 2007 HUB/CAS/MAILBOX)
MAIL3 (Exchange 2003 Back-End)
 
MAIL1 has mail.domain.com  w/SSL cert registered
MAIL2 has mail2.domain.com w/SSL cert registered
 
My OWA is fine (well as fine as I could've hoped) -- people visit https://mail.domain.com and get redirected to the MAIL2/OWA website (if they're on the 2007 server, and just simply authenticated to the old environment if they're still on the 2003 server).
 
However, my problem is with OutlookAnywhere aka Exchange over HTTP.  I have all my clients (and there about 400+ of them configured to use HTTP proxy via mail.domain.com -- the exchange 2003 front-end).  I was hoping that this would simply redirect them to the Exchange 2007 environment is they were moved, but obviously it doesn't.  It cannot communicate with the server in order to determine where the back-end box is located (in order words the Front-End of 2003 doesn't pass it along to the 2007 Mailbox server).
 
Any ideas how I can work around this?  Obviously I'm going to have a mixed environment for a while until I weed out the 2003 users, but I was hoping to do this sooner rather than later. 
 
Would this work?  Change the DNS for mail.domain.com and point to MAIL2, -- register MAIL.DOMAIN.COM (point to MAIL2) instead, repeat all of the steps you laid out in your procedure to point to MAIL instead of MAIL2. 
 
My question is, would the EXCHANGE 2007 point the users BACK to the 2003 BACK-END (MAIL3) automatically?
 
Is this making any sense ??
 
Thanks for any help you can provide!
 




Elan Shudnow -> RE: My Exchange 2007 installation guide (23.Aug.2007 11:52:34 PM)

Hm, I see you created a FLZ with the name of autodiscover.domain.com with a CNAME that uses parent zonie name to redirect to mail.domain.com in the other FLZ.  Did this not work when just creating a CNAME in the domain.com FLZ?  It seems that when you are talking about external DNS, all you did was just have the 1 FLZ domain.com and create the CNAME with the autodiscover name to redirect to mail.domain.com.  Not sure why you did it using 2 completely different methods internal vs external.




TwoJ -> RE: My Exchange 2007 installation guide (25.Aug.2007 12:31:31 AM)

@mmac
I get a little jittery when people start mixing muliple exchange servers.
If your question is would the exchange 2007 point back to the Exchange 2003 BE, I would think not since it is running the mailbox role on it, so all the authentication should be done on the 2007.
It might help understanding why you have/want this setup? I think it would be simpler with the 2007 as CAS and the 2003 as a BE, but you will lose some functionality in that configuration.
The other choice (which seems to be the more logical) is to just keep the 2007 as HUB/CAS/Mailbox and remove the 2003 machines and then in DNS point mail.domain.com to that 2007 machine.
Let me know if this makes sense or if you can provide some more info it might help coming up with a better answer.

@eshudnow
Again if you see my previous post I was just happy that it was working so i didn't spend much time trying to 'undo' the work. I see what you mean and it is again possible that the FLZ autodiscover.domain.com doesn't have to be created, that all it needs in the domain.com FLZ is a CNAME for autodiscover pointing to mail.domain.com, the next time i'm installing exchange i will find out and post or if anyone wants to try and report on their success or failure it would be apreciated. 




MIDOOooo -> RE: My Exchange 2007 installation guide (5.Sep.2007 3:56:18 PM)

thnx twoj.
what about pop3 and smtp?
how to get it working?
i got it working but i always get a certificate warning when sending and if i just say ok it works fine.
and that not good cuz it says that certificate chain ended in non trusted CA but at the mean while the root CA is installed and working fine for outlook anywhere and owa.
any recommendations?




raftech -> RE: My Exchange 2007 installation guide (26.Sep.2007 2:11:19 PM)

Has anyone published all of these services through an ISA 2006 firewall? There are a couple of things I'm not sure how to set them for publishing through the firewall.
  1. Your instructions call for changing OWA for forms based authentication and selecting "user name only"...my understanding is that when you publish through ISA you need to use basic authentication on the Exchange server itself, and FBA on the ISA publishing rule.
  2. I THINK that I use the same certificate (I'll use a 3rd party wildcard) on the Exchange Server and the web listener(s?) on the ISA 2006 box. Is this correct?
  3. Is NTLM used on the Outlook Anywhere web publishing rule? I've seen conflicting reports of it working and not working.




TwoJ -> RE: My Exchange 2007 installation guide (2.Oct.2007 12:18:34 PM)

@MIDOOooo
 
If i remember correctly to get POP3 going it is just a matter of going to the services and changing the Microsoft Exchange POP service to automatic and then start the service. However note that the POP service default is to use secure login (port 995). you can change that to normal login (plaintext) by going to the management console and using;
Set-PopSettings -LoginType PlainTextLogin
Restart the POP3 service after the change
 
It sounds like there is a problem with your ssl certificate. If you are saying that you get the security popup when using smtp i suggest trying the plaintext login and then see in the event viewer or any log files if it has any more information about what the problem.
 
@raftech
I'm afraid i've never put ISA on the server so i really can't help there. I can tell you that i am using NTLM on Outlook anywhere and it is working fine.




MIDOOooo -> RE: My Exchange 2007 installation guide (2.Oct.2007 12:40:04 PM)

twoj u r correct,
but plain text is not security wise right but if u get it like this u will get it working.
i managed to get it working by modefying sttings through outlook not server.

reftaj,
ur questions no. 1 u r right u need basic authntication in exchange and FBA in isa.
question 2. u will need 2 certificates one for isa as a server certificate and one for exchange for publishing.
question 3 yes NTLM is working but need too many work arounds and in the end i used basic authentication :(




RoRsChAcH -> RE: My Exchange 2007 installation guide (29.Oct.2007 11:55:44 AM)

TwoJ,

Just wanted to say thank you!  I have yet to see an article that takes you through the entire install/config of Exchange 07.  I think this should be taken and written into an article on MSExchange.org as I would hate for it to get lost in the Message Board as I can guarantee that it will/can be extremely helpful to others.  Again, thanks!

Shaun




TwoJ -> RE: My Exchange 2007 installation guide (5.Nov.2007 10:19:07 PM)

Thanks Shaun! But the credit goes to a lot of others as well, i did the simple part of putting into words.
I agree that perhaps there should be a section about "real" installations, not just partial information - but it does take time to write all the steps down.
I eventually would like to get my own site up since i have a few guides for other stuff as well which i understand helps people take the fast track through these installation - maybe one day i'll find the time.
For now i think its in good hands at MSExchange :-)




g.w.paterson -> RE: My Exchange 2007 installation guide (27.Nov.2007 6:20:32 AM)

Great article.

Just to confirm: the mail.domain.com cert you used is a non-SAN certificate that you were using for Exchange 2003?

It would be great to just export/import our existing cert but we will be in a transition state for a couple of weeks with the 2007 CAS co-existing with 2003 backends while data is migrated. We need to support OWA, RPC(HTTPS) and ActiveSync - let me know if you see any problems.
Cheers.




TwoJ -> RE: My Exchange 2007 installation guide (27.Nov.2007 9:27:15 AM)

Thanks

Yes, it is a non-SAN cert, i don't see why a $20 cert that can work for Exchange 2003 shouldn't be good for 2007, and considering the price of SAN certs its more reason to use a simple ssl cert.

I know there are certain restrictions about some of the features available in 2007, which are not available if you are using 2003 as a back-end, you can find that info on technet. But there should be no problem in using the same cert on a 2007 CAS as you were using on the 2003 front-end.
Personally if the end goal is to use just 2007 and get rid of 2003, i would try to work it so that you don't have a couple of weeks of the 2 systems, but obviously you are making the best choices based on your requirements.
The 2 *problems* that seem the most frequent is;
- Time your external dns, so that if you have changes to make, they typically say it may take 24Hrs to propagate, usually 6-12hrs - a few times people make changes and think that it is instantaneous, and then clients from the outside of the network are disconnected.
- If you are using windows mobile 2003SE or earlier you might have to manually add the ssl certificate depending on if its included in windows mobile or not. The GoDaddy i used is not part of the ssl's included so i had to manually add it, after that it is fine.

Good luck




RedlightG20 -> RE: My Exchange 2007 installation guide (27.Dec.2007 11:43:13 AM)

Probably a dumb question but I'm new to SSL and Exchange...  Does it matter what CA we use, if our web host is not GoDaddy but actually 1and1?  The cert is for the CAS and not for the website, correct?  I'm just a little confused because I tried to set up a GeoTrust SSL through our account with 1and1 and it was simply applied to our web domain--I'm guessing this isn't the right way to go..




TwoJ -> RE: My Exchange 2007 installation guide (28.Dec.2007 9:09:39 AM)

Hi RedlightG20

It makes no difference which CA you use, if you want you can use the self signed certificate generated from exchange when it is first installed. The problem with that is that the clients need that cert installed in order for the SSL to work, and i don't feel like installing a cert everytime a new computer needs to connect to exchange. So i tried a free ssl cert from Startcom, great idea, just that it works with all major browsers, incept IE!!
the difference between godaddy & the more expensive ssl certs like verisign, etc, is that the expensive ssl certs don't need an intermidiate cert, they are natively trusted by windows, while the godaddy you need  to install an extra intermidiate cert just on the server in order to complete the trust relationship. Its simple to do and a simple economical choice compared to the others.
The ssl cert works for a virtual web site, usually in most cases this would be the default web site in IIS, you can only have one ssl cert per virtual web site. hense if your 'website' is on the same virtual web site as the exchange components (exchange, owa, etc) then the ssl cert will be for all of them. So if everthing is on the default web site then the cert will apply for the website as well as the exchange sites.
i'm afraid i can't really comment on 1&1 since i've never used them, but the important thing is that you get the ssl with the correct name, like mail.domain.com.
I also am not sure what you mean by applied to the web domian, the issued cert, usually sent by email, or downloaded, would have to manually installed in IIS on the virtual web site that has your exchange components.

i hope this helps




RedlightG20 -> RE: My Exchange 2007 installation guide (31.Dec.2007 2:10:36 PM)

Thanks for the response, TwoJ!  Your post cleared much of this up for me.

I have since went ahead and purchased a GoDaddy cert like you specified, but I still get cert errors when I try to access OWA externally.  I configured our web domain http://mail.domain.org to forward traffic to https://xxx.xxx.xxx.xxx/owa using our CAS IP address.  The browser will connect to OWA but still displays a certificate error.  I suspect this is because I'm forwarding traffic to an IP address that is not recognized by the certificate.  Is there another way to do this to prevent cert errors when accessing OWA?  Could I use our FQDN from our ISP and add that entry into our certificate?

Happy new year everyone!




TwoJ -> RE: My Exchange 2007 installation guide (31.Dec.2007 2:56:51 PM)

your welcome

I'm not sure how you are forwarding traffic? the way i did it in IIS6 is that from the default web page you direct traffic to a URL underneath the current web page and then you enter /owa in the box. There are a few benifits and drawbacks but there is also some additional steps you need to take so that it properly redirects the traffic. I would concentrate first on getting your system working first before doing the redirection.
You are correct that the OWA will get an error because your cert is for mail.domain.com and you are sending it to some IP instead.
take a look on technet for exchange 2007 redirect to /owa on how to set up IIS for the redirection, and then you need a script to switch from http:// to https://
try first the redirection before adding the script.
the first should happen when you put https://mail.domain.com should redirect to https://mail.domain.com/owa
next with the script you can do http://mail.domain.com to https://mail.domain.com

the 2 articles on how to do this are on technet.

hope that helps




hypknight -> RE: My Exchange 2007 installation guide (3.Jan.2008 12:10:51 PM)

I'm sorry to say I'm having the exact same issue with my GoDaddy TurboSSL cert. I've installed the intermediate cert and followed both the 'Pretty IIS Wizard' way of installing the cert, as well as the EMS way of installing it. I've tried re-keying it several times. After installation, I can use the IIS snap-in and view the certificate, everything seems to be fine. However, when I visit OWA from Internet Explorer, I still get the Certificate Warning. I look at the certificate details from within IE and it seems that OWA is still using the self-signed certificate (host.domain.local as issuer and publisher). Everything in EMS and IIS says that it's using the GoDaddy cert, and I followed the directions they gave to a T. The registered address is owa.domain.net, which is an A record leading directly to the external interface of the Exchange CAS. I don't have a redirect setup, but when I view the root of the DWS I still get the cert error.


It should be noted:   the address registered to my cert is owa.domain.net (which is a public domain), but the FQDN of the server itself is host.domain.local. Should that have any bearing.

I'm losing a lot of hair on this guys, can anyone help?




TwoJ -> RE: My Exchange 2007 installation guide (3.Jan.2008 9:48:56 PM)

Hi hypknight

I hope you are testing IIS from an external IP, testing internally is not always very reliable. Normally switching the SSL cert is fairly straightforward so it suprises me that you are having that much trouble, but lets try to help.

I believe normally GoDaddy sends 2 certificates, one is the gd_iis_intermediates.p7b
which is the intermediate certificate, the other is the
mail.domain.com.crt
which is the certificate which should be installed in IIS

Just to cover our bases here - you have installed accourding to the instructions both the intermediate certificate, and the IIS cert?

-Perhaps the first step is to determine if the cert is installed, the cert can be installed without necessary being used, typically there are a lot of certs in the repository that are not used.
First on the server check in the certificates console so that you can see what certs are installed and that you are dealing with.
Start->run->mmc
File->Add/Remove snap-in->Add
Certificates->Add->Computer Account->Local computer->Finish
Click Close on the 'Add Standalone Snap-in
Click Ok on the Add/Remove Snap-in
For the Console1 window click the File->Save as-> name it Certificates and save it to the desktop. This will be a shortcut to the certificate store on your server if you need to access it again.
Expand the Certificates (Local Computer)

Check in the first folder called Personal and then the subfolder certificates, if the cert has been properly installed you should see 2 certs, one for mail.domain.com issued by GoDaddy, and the other cert for the name of your server issues by the name of your server (this is the self-installed cert created by Exchange 2007)

If you do not see the Godaddy, then the IIS cert has not be properly installed.

If you do see the cert then it should be a question of switching the certs in IIS. assuming all your IIS stuff is on the default web page, then
Open IIS, open the tree to websites-> then Default Web Site
right click the default web site and select properties
select the directory security tab, and then the secure communications section, click on the 'view certificate' and see if it is showing the godaddy or the exchange cert.
If it is showing the exchange cert then go back and select the 'Server certificate' button and follow the steps to 'replace' the existing (exchange) cert with the goDaddy cert.
If the cert shows the goDaddy, then try switching it back to exchange, reboot, then switch it back to the godaddy, reboot again, and see if that helps it stick.

BTW - You can also call godaddy for technical help which is included when you purchase a cert through them, I've used them a few times and they aren't bad as tech support goes, they might be able to help as well when you need to have a voice to calm you down after tearing a few more of those precious hairs outs! :-)

Let me know how it goes




Page: [1] 2 3   next >   >>