OWA and SSL (Full Version)



ctvu -> OWA and SSL (12.Nov.2008 8:35:04 PM)

Hi all

As I am configuring OWA at the moment, by default https://server.mydomain.com.au/owa works fine internally, but it does not work externally.
Do we need to purchase a third-party SSL certificate for external access?
I have read the book How to Cheat at Configuring Exchange Server 2007 by Henrik Walther, which says:
"what do I do if my organization can't afford to throw $600 towards an SSL certificate each year?" Well, in that case, the solution would be to use multiple Web sites"
I assume it should work too, right? But not many people mention this method.
Why is it so?
 
Thanks in advance.
 
Regards
 




jveldh -> RE: OWA and SSL (13.Nov.2008 2:46:00 AM)

Hi,

Please check that an external URL is provided in the EMC.
This can be done by following these steps:

- open the EMC
- open the server configuration
- select the CAS server
- select the OWA which you want to edit
- on the general tab ensure that the URLs are correct

Standard Exchange has a self signed certificate so it should work for both, only this is not "secure". You can buy a certificate for your Exchange on the following website: https://www.godaddy.com/gdshop/ssl/ssl.asp






ctvu -> RE: OWA and SSL (13.Nov.2008 6:45:16 AM)

Thank you for your response.
I did add https://webmail.mydomain.com.au/owa in the External URL box.
And when I tried to open this web page, I first got a warning page saying:

There is a problem with this website's security certificate.
The security certificate presented by this website was issued for another website's address.
..................

And if I click on "Continue to this website (not recommended)", I then get an HTTP 404 Not Found error.

Thanks in advance

Regards,




jveldh -> RE: OWA and SSL (13.Nov.2008 4:21:49 PM)

Hi,

The first error is correct because the self-signed certificate is assigned to OWA by default. When using a real certificate you should not see this error any more.

About the page not found issue try this:

- switch from form based authentication to integrated and check if it works
- change it back and use the New-ExchangeCertificate PowerShell cmdlet to
  generate a new certificate, then try again.





Elan Shudnow -> RE: OWA and SSL (13.Nov.2008 5:47:13 PM)

You actually don't ever need to modify the ExternalURL or InternalURL for OWA if you're doing a single site scenario.  The only time InternalURL or ExternalURL is ever utilized is in a proxying/redirection scenario.  The reason for this is that those URLs are automatically fetched so one CAS can see if it should proxy or redirect.

If you're single site and all your clients will hit the same CAS, that CAS won't have to fetch any URL.  So you can have the InternalURL and/or ExternalURL completely false and it'll work since the only thing that'll happen is a client will directly go to the https://whatever.domain.com/owa and that CAS will see it's the CAS for the box and won't have to proxy/redirect and it'll just work.

Just figured I'd throw that information out there.




ctvu -> RE: OWA and SSL (14.Nov.2008 12:17:26 AM)

Hi all

Thanks a lot for your responses.

To jveldh

I'll try it out tonight.

Elan

Actually I've read something like you said that
"If you are using a single-server installation of Exchange 2003, then Outlook Web Access 2003 does not require any specific customization in order to work. It will be installed on the server as part of the Exchange setup".
So the Internal and External users should use the same URL (https://server.mydomain.com.au/owa) and it should work supposedly.
I did try before, it did not work. I will try again to record the error.

Thanks in advance

Regards,





Exchange_Geek -> RE: OWA and SSL (14.Nov.2008 1:12:08 AM)

Can you access the following link from outside - and does it error out stating

"Page under construction"

"https://server.mydomain.com.au/"




ctvu -> RE: OWA and SSL (14.Nov.2008 8:08:26 AM)

Hi all

I tried https://server.mydomain.com.au/ as well as https://server.mydomain.com.au/owa, I got the same result i.e.
Internet Explorer cannot display the webpage
No error code at all.

to Johan

I cleared the External URL in order to test, as I mentioned above it does not work. Then I put it back to try your method, but now it gave me the same error
Internet Explorer cannot display the webpage

Thanks in advance

Regards,




Sembee -> RE: OWA and SSL (14.Nov.2008 11:57:11 AM)

The problem with books is that they go out of date very quickly. When Exchange was first released, the SSL certificate you need (a SAN or UC certificate) was indeed $600. You can now get them for US$60/year.
I have outlined the full steps required, including the source of the certificates on my blog: http://www.sembee.co.uk/archive/2008/05/30/78.aspx

Simon.




ctvu -> RE: OWA and SSL (16.Nov.2008 5:39:33 AM)

Thank you Simon for your help and blog

After reading your blog, if I buy an SSL certificate, it will take care of OWA, Outlook Anywhere and ActiveSync, right?
But I don't understand why it does not work with the self-signed certificate, and single site like us.

Thanks in advance

Regards




pjhutch -> RE: OWA and SSL (16.Nov.2008 6:16:36 AM)

You need to configure the URLs on Exchange to match the name on the certificate, esp. if you are using a made-up name:

Try this PowerShell tool to fix the problem:
http://www.exchangeninjas.com/set-allvdirs

See also this article:
http://www.amset.info/exchange/singlenamessl.asp
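
To illustrate the name-matching point raised in this thread (an added example, not part of any post and not taken from the linked tool): the Python sketch below checks which client-facing URLs are not covered by the names on a certificate, using RFC 6125-style matching. The certificate name lists and the autodiscover host are constructed sample values built from the thread's placeholder domain.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never zero or two
    if p[0] == "*":
        # refuse over-broad patterns such as "*.com"
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_urls(cert_names, service_urls):
    """Return {service: host} for every URL whose host no certificate name covers."""
    missing = {}
    for service, url in service_urls.items():
        host = urlsplit(url).hostname
        if host is None or not any(name_matches(n, host) for n in cert_names):
            missing[service] = host
    return missing

# Constructed sample data: names on a default self-signed certificate
# versus names requested on a SAN/UC certificate.
SELF_SIGNED_NAMES = ["server", "server.mydomain.com.au"]
SAN_NAMES = [
    "webmail.mydomain.com.au",
    "autodiscover.mydomain.com.au",
    "server.mydomain.com.au",
]

# URLs clients would actually use (hosts are the thread's placeholders).
SERVICE_URLS = {
    "OWA InternalURL": "https://server.mydomain.com.au/owa",
    "OWA ExternalURL": "https://webmail.mydomain.com.au/owa",
    "Autodiscover": "https://autodiscover.mydomain.com.au/autodiscover/autodiscover.xml",
}

if __name__ == "__main__":
    for label, names in (("self-signed", SELF_SIGNED_NAMES), ("SAN", SAN_NAMES)):
        print(label, "->", uncovered_urls(names, SERVICE_URLS) or "all URLs covered")
```

Any host reported as uncovered is one where a browser would show the "issued for another website's address" warning quoted earlier in the thread.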




Sembee -> RE: OWA and SSL (16.Nov.2008 1:14:51 PM)

quote:

ORIGINAL: ctvu

Thank you Simon for your help and blog

After reading your blog, if I buy an SSL certificate, it will take care of OWA, Outlook Anywhere and ActiveSync, right?
But I don't understand why it does not work with the self-signed certificate, and single site like us.

Thanks in advance

Regards


The SAN/UC certificate will take care of all of the SSL secured services. That includes the web based services of OWA, EAS and Outlook Anywhere. It can also take care of UC, SMTP, IMAP and POP3.

Do note that the self generated SSL certificate is not supported for use with EAS and Outlook Anywhere. Therefore if you want to use those features in a supported environment then you must purchase an SSL certificate.

Someone has pointed you to my article on using a single name SSL certificate. While you can use the traditional type of SSL certificates, it is not something I tend to recommend.

The fact that you are in a single site environment is immaterial.

Simon.




ctvu -> RE: OWA and SSL (17.Nov.2008 6:28:07 AM)

Again, thank you Simon for your help and Peter for the helpful link. I really do appreciate it.

Before purchasing any SSL certificate, I have one question.

At the moment we are using POP3 and we have 2 registered domain names, say www.firstdomain.com and www.seconddomain.com, and we have 2 POP3 email addresses, user@firstdomain.com and user@seconddomain.com.
Can Exchange 07 handle this scenario? What I mean is, can one user have 2 different email accounts, one for each domain, in an Exchange 07 environment?
If it can be done, then we need to purchase an SSL certificate for multiple domains, is that correct?

Thanks in advance

Regards




Sembee -> RE: OWA and SSL (17.Nov.2008 9:22:45 AM)

The domains the server is accepting email for have nothing to do with the SSL certificate. You can have whatever names you like on the SSL certificate.

With a multiple domain name scenario I usually recommend that the same DNS records are used for all domains.
Users can use OWA on the original domain - it doesn't matter. If you want to provide vanity URLs (so owa.domain1.net and owa.domain2.net) then get a certificate that can support more additional names.

Simon.




ctvu -> RE: OWA and SSL (18.Nov.2008 6:06:52 PM)

Thank you for your response Simon

quote:

With a multiple domain name scenario I usually recommend that the same DNS records are used for all domains.

Honestly, I have been searching for info about multiple domains in an Exchange 07 environment. I will come back to this. Thanks

quote:

Users can use OWA on the original domain - it doesn't matter. If you want to provide vanity URLs (so owa.domain1.net and owa.domain2.net) then get a certificate that can support more additional names.

Again, I am not quite sure what kind of SSL certificate can support more additional names. I have gone through all the websites you recommended in your blog, plus GoDaddy and Google; some offer free certificates as well, which leads to more confusion. And I happened to see one post where the poster has an issue with AutoDiscover because the SSL certificate he/she bought does not support it.

Thanks again Simon

Regards




Sembee -> RE: OWA and SSL (18.Nov.2008 7:47:39 PM)

With regards to the SSL certificate, I am not sure what is confusing.
SAN (Subject Alternative Name) certificates are what you want. They support numerous names. I am not sure of the limit, but most places sell them in fives and tens.

Most "free" certificates are not worth the hassle, because they are not trusted. I am certainly not aware of any free SAN certificates that are trusted by most browsers. Without the trust they are useless.

Simon.




ctvu -> RE: OWA and SSL (18.Nov.2008 8:18:38 PM)

quote:

ORIGINAL: Sembee

With regards to the SSL certificate, I am not sure what is confusing.
SAN (Subject Alternative Name) certificates are what you want. They support numerous names. I am not sure of the limit, but most places sell them in fives and tens.

Most "free" certificates are not worth the hassle, because they are not trusted. I am certainly not aware of any free SAN certificates that are trusted by most browsers. Without the trust they are useless.

Simon.


Thank you for your patience with me,
I am going to have a closer look again at all the SSL certificates available out there. Thanks for that.
With the "free" certificates, I thought there would be a reason why no one would like to use them in a production environment; now I know they are not trusted.
Much appreciated

Regards,






ctvu -> RE: OWA and SSL (11.Dec.2008 6:54:47 AM)

quote:

ORIGINAL: Sembee

With a multiple domain name scenario I usually recommend that the same DNS records are used for all domains. 


Hi Simon

I have been trying to figure out what it is supposed to mean. But I don't get it.
Are you referring to an SRV record or something else?
After a meeting today I was asked if he (the boss) can have 2 email addresses, say boss@domain1.com and boss@domain2.com, and both should be in the same mailbox.
How can I achieve this goal?
Thanks in advance

Regards,




Sembee -> RE: OWA and SSL (11.Dec.2008 10:14:30 AM)

A few things to be wary of.
The DNS records do not have to be in the same domain.
For example, your MX records for domain1.net could be mail.domain1.net.
The MX records for domain2.com (which is on the same server as domain1.net) could also be mail.domain1.net. As long as the name resolves it will be delivered.

To host multiple domains you simply need to ensure that they are listed in accepted domains and then create an email address policy.

While you can have as many email addresses on the account as you like, from different domains, what you cannot do is send as a different address - Exchange will only allow email to go out as the default address.

Simon.




ctvu -> RE: OWA and SSL (11.Dec.2008 6:41:43 PM)

quote:

ORIGINAL: Sembee
A few things to be wary of.
The DNS records do not have to be in the same domain.
For example, your MX records for domain1.net could be mail.domain1.net.
The MX records for domain2.com (which is on the same server as domain1.net) could also be mail.domain1.net. As long as the name resolves it will be delivered.

Thank you very much
I have got another question, I hope you don't mind
Within domain1.com, I go to the DNS settings and change the MX record for domain1.com as below:
mail.domain1.com        A     192.122.X.X
domain1.com             MX    10 mail.domain1.com
If I am not wrong, we can then add another MX record for domain2.com:
domain2.com             MX    10 mail.domain1.com

Since we have both domains registered, what would happen to the MX record of domain2.com that is already set within domain2.com in the DNS settings?

mail.domain2.com        A     192.122.Y.Y (different from domain1.com)
domain2.com             MX    10 mail.domain2.com

Would they conflict with the one within domain1.com?

Thank you again

Regards



