Confused with SSL and Certificate Authority

  • Monday, November 02, 2009 2:37 AM, Win HighTechLA

    I am vague about how SSL and certificate authorities work. Windows Server 2003 has a built-in CA it looks like, but people are saying to buy a 3rd party CA.

    Will the built in CA only work for internal users of the network?

    I've been trying to get SSL to work for our OWA, but it seems like SSL will only work for our internal users and not our external users. I've enabled our SonicWall all WAN to specifically the IP address of the LAN Exchange server. Could this be a certificate problem? When connected from outside, the website just displays:

    Unable to connect

    Firefox can't establish a connection to the server at email.domain.com

        *   The site could be temporarily unavailable or too busy. Try again in a few moments.

        *   If you are unable to load any pages, check your computer's network connection.

        *   If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Answers

  • Monday, November 02, 2009 3:16 PM, Shaun Croucher (Answer)
    That doesn't sound like a certificate problem; it sounds more like a port forwarding issue to me.

    Remember SSL uses port 443, and you access it using https://

    You will need to have port 443 forwarded to your Exchange server.

    I'm going to assume you are using Exchange 2003, as you mention Windows 2003 has a CA.

    Yes, you can use the CA to issue an SSL certificate, and it should match the external URL you use for accessing Exchange.

    Note that if you choose to use your server CA, the computers (and other devices such as mobile phones) that connect will not automatically trust your server as a Certificate Authority and so you will need to import the root 'CA' certificate to all your connecting devices.

    Now, this can be a headache if you have quite a few PCs, especially when a 3rd party single-name certificate only costs around £10 GBP per year.

    If you use a third party certificate, you should not need to do anything on the client devices; the root CA should be trusted on most browsers. GoDaddy.com is an example provider.

    The situation is similar for Exchange 2007; however, you should use a UC or SAN certificate to support autodiscover and internal/external URLs.

    Shaun
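An added diagnostic that follows the reasoning in the answer above (this is example code written for this page, not code from the thread, from Microsoft or from any certificate vendor). It checks the three things the answer separates, in order: whether anything answers on port 443 at all (the port forward), whether the issuing CA is trusted by the client (internal CA root not imported vs. public CA), and whether the certificate's CN/SAN names cover the external URL. It uses only the Python 3.7+ standard library; `email.domain.com` is the placeholder hostname from the question, and `SAMPLE_SAN_CERT` is a constructed dictionary in the shape `getpeercert()` returns, not a real certificate.

```python
"""Diagnose an external OWA/HTTPS endpoint the way the answer reasons:
TCP first (is port 443 actually forwarded?), then TLS trust (is the issuing CA
trusted by this client?), then the name check (does the cert match the URL?)."""
import socket
import ssl
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a
# real certificate. It models the UC/SAN certificate the answer recommends for
# Exchange 2007: one cert covering OWA, autodiscover and the internal name.
SAMPLE_SAN_CERT: Dict = {
    "subject": ((("countryName", "GB"),), (("commonName", "email.domain.com"),)),
    "subjectAltName": (
        ("DNS", "email.domain.com"),
        ("DNS", "autodiscover.domain.com"),
        ("DNS", "exchange01.domain.local"),
    ),
}


def cert_dns_names(cert: Dict) -> List[str]:
    """Collect the subject CN plus every DNS subjectAltName, lower-cased."""
    names: List[str] = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    return names


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that covers exactly one left-most label
    ('*.domain.com' matches 'mail.domain.com', not 'a.b.domain.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".domain.com"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[: -len(suffix)]


def cert_covers_host(cert: Dict, host: str) -> bool:
    """True when the URL's hostname is one of the names the certificate is for."""
    return any(name_matches(name, host) for name in cert_dns_names(cert))


def classify_verify_message(message: str) -> str:
    """Split a verification failure into 'wrong name' vs 'issuer not trusted'."""
    text = message.lower()
    if "hostname mismatch" in text or "doesn't match" in text:
        return "hostname_mismatch"
    return "untrusted_ca"  # self-signed, unknown issuer, incomplete chain, ...


def classify_failure(exc: BaseException) -> str:
    """Map a connection exception onto the causes discussed in the thread."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return classify_verify_message(str(exc))
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake"  # reached the server, but TLS itself failed
    if isinstance(exc, OSError):  # refused, timed out, unreachable, no route
        return "tcp_unreachable"
    return "other"


def probe(host: str, port: int = 443, ca_bundle: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[str, List[str]]:
    """Connect like a browser: TCP, then TLS with chain and hostname checks.
    ca_bundle=None uses the system trust store; pass the exported internal
    root CA (PEM file) to test the 'import the root certificate' scenario."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", cert_dns_names(tls.getpeercert())
    except Exception as exc:  # classified, not re-raised
        return classify_failure(exc), []


ADVICE = {
    "tcp_unreachable": "nothing answers on that port: check the 443 forward / firewall rule",
    "tls_handshake": "port is open but TLS failed: check that SSL is enabled on the site",
    "untrusted_ca": "issuer not trusted by this client: import the internal root CA or use a public CA",
    "hostname_mismatch": "certificate is not for this URL: reissue it for the external name",
    "ok": "connection and certificate are fine",
    "other": "unexpected error",
}


def main(argv: List[str]) -> int:
    # Placeholder hostname taken from the question; pass your own as argv[1].
    host = argv[1] if len(argv) > 1 else "email.domain.com"
    status, names = probe(host)
    print(f"{host}:443 -> {status}: {ADVICE[status]}")
    if names:
        print("certificate valid for:", ", ".join(names))
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine outside the LAN (`python probe.py email.domain.com`). A `tcp_unreachable` result with the "Unable to connect" Firefox page is the port-forwarding case from the answer; `untrusted_ca` from outside but `ok` when run with `ca_bundle` pointing at the exported internal root is exactly the "import the root CA to every device" situation; `hostname_mismatch` means the certificate was issued for an internal name rather than the external URL.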
