SSL & Exchange...


Post by Greg Aske » Sun, 03 Nov 2002 05:11:15



Why would the name be different?  Sounds like a pita to me.  If the url is
mail.company.com, I would configure it to work the same internally and
externally - and it's less confusing for users.

--
--

> Newbie to certificates...

> I have successfully setup OWA with SSL on Exchange 2000. From the Internet
> my users are able to gain access to OWA. Internally, I am using a different
> domain name because I am behind a NATted firewall.

> I get the following on the 'Security Alert' window when accessing the site
> from inside the firewall:

> "The name on the security certificate is invalid or does not match the name
> of the site."

> My question(s) is/are:

> 1. Can I setup IIS to use more than one certificate? If so how?
> 2. Is there a better approach to my configuration?

> Thanks,
> Jody

 
 
 


Post by Fred » Mon, 04 Nov 2002 03:48:03


I have the same setup with the same problem but we get it from outside the
firewall.  My users are able to get their mail.  I even installed the
security certificate and trusted it in IE as a trusted site.  I'm just
living with it for now, I never really got an answer from my post when I
asked about this.  I am trying something I hope will fix this issue but it
has not been tested yet.  If it works I will reply to you on what I did.  I
feel I shouldn't post it yet.  It could be wrong :(

Fred


> Newbie to certificates...

> I have successfully setup OWA with SSL on Exchange 2000. From the Internet
> my users are able to gain access to OWA. Internally, I am using a different
> domain name because I am behind a NATted firewall.

> I get the following on the 'Security Alert' window when accessing the site
> from inside the firewall:

> "The name on the security certificate is invalid or does not match the name
> of the site."

> My question(s) is/are:

> 1. Can I setup IIS to use more than one certificate? If so how?
> 2. Is there a better approach to my configuration?

> Thanks,
> Jody


 
 
 


Post by Jody Green » Thu, 07 Nov 2002 04:48:26


NAT has an inert problem with reverse routing...  NAT sees the source and
destination address as the same.

The name is not different...  Just the domain, and the certificate is issued
to the distinguished name cn.ou.o

Users don't use it from internal, only external...  I am the only one who
uses it from internal for testing only.


> Why would the name be different?  Sounds like a pita to me.  If the url is
> mail.company.com, I would configure it to work the same internally and
> externally - and it's less confusing for users.

> --
> --


> > Newbie to certificates...

> > I have successfully setup OWA with SSL on Exchange 2000. From the Internet
> > my users are able to gain access to OWA. Internally, I am using a different
> > domain name because I am behind a NATted firewall.

> > I get the following on the 'Security Alert' window when accessing the site
> > from inside the firewall:

> > "The name on the security certificate is invalid or does not match the name
> > of the site."

> > My question(s) is/are:

> > 1. Can I setup IIS to use more than one certificate? If so how?
> > 2. Is there a better approach to my configuration?

> > Thanks,
> > Jody

 
 
 


Post by Greg Aske » Thu, 07 Nov 2002 05:23:00


Not sure why NAT would have anything to do with certificates, or why the
domain name has to be different on the certificate because of NAT?  Are you
trying to say your Windows 2000 domain name is something.local and your
public domain name is something.com?

By name, I mean fqdn (which includes the domain).

To make things easy, try telling us the name of the url a user is typing,
and the common name as listed on the certificate.

If the problem is the url as entered by the user is mail.company.com and the
cert cn is something else, you just need to create a certificate with that
common name and install it on the IIS server used by Outlook Web Access.  If
you have Certificate Services installed as an Enterprise Root CA somewhere
in your domain, you can click the button to send the request immediately to
an online certification authority.  Otherwise, you may need to save it as a
cert request and load it on a cert server or get a public cert from a
trusted cert authority.

If none of this makes sense, I suggest paying a few bucks for a cert from a
public CA.  Even with an internally-generated cert external machines will
receive a message the cert is untrusted.  Mark Fugatt turned us on to this
outfit a while back:  http://www.instantssl.com/

But you still need to ensure the cn on the cert matches the url the users
type in their web browser.

--
--

> NAT has an inert problem with reverse routing...  NAT sees the source and
> destination address as the same.

> The name is not different...  Just the domain, and the certificate is issued
> to the distinguished name cn.ou.o

> Users don't use it from internal, only external...  I am the only one who
> uses it from internal for testing only.


> > Why would the name be different?  Sounds like a pita to me.  If the url is
> > mail.company.com, I would configure it to work the same internally and
> > externally - and it's less confusing for users.

> > --
> > --


> > > Newbie to certificates...

> > > I have successfully setup OWA with SSL on Exchange 2000. From the Internet
> > > my users are able to gain access to OWA. Internally, I am using a different
> > > domain name because I am behind a NATted firewall.

> > > I get the following on the 'Security Alert' window when accessing the site
> > > from inside the firewall:

> > > "The name on the security certificate is invalid or does not match the name
> > > of the site."

> > > My question(s) is/are:

> > > 1. Can I setup IIS to use more than one certificate? If so how?
> > > 2. Is there a better approach to my configuration?

> > > Thanks,
> > > Jody
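
The name check discussed in this thread (the host in the URL has to match a name on the certificate), as an added example that is not part of any post. The certificates are constructed sample data in the dict layout of Python's `ssl.SSLSocket.getpeercert()`; `mail.company.local` is a hypothetical internal name, and the two-name certificate goes beyond the thread to show the same check with subjectAltName entries.

```python
"""Added example: why one URL host passes and another triggers the name warning."""


def names_on_cert(cert):
    """DNS names a client compares with the URL host.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    dNSName subjectAltName entries win; the subject CN is the fallback.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def host_matches(pattern, host):
    """Case-insensitive compare; '*' may stand in for the leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def check_url_host(cert, host):
    """Return (matched, names_checked) for the host part of the URL."""
    names = names_on_cert(cert)
    return any(host_matches(n, host) for n in names), names


# Constructed sample certificates (not taken from the thread).
CN_ONLY = {"subject": ((("organizationName", "Company"),),
                       (("commonName", "mail.company.com"),))}
TWO_NAMES = {"subject": ((("commonName", "mail.company.com"),),),
             "subjectAltName": (("DNS", "mail.company.com"),
                                ("DNS", "mail.company.local"))}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("two SAN names", TWO_NAMES)):
        for host in ("mail.company.com", "mail.company.local"):
            ok, names = check_url_host(cert, host)
            print(f"{label:14} {host:20} {'match' if ok else 'NAME MISMATCH'} {names}")
```
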

 
 
 
