Is a 3rd-party cert required for RPC over HTTPS?

  • Is a 3rd-party cert required for RPC over HTTPS?

    In order to configure RPC over HTTPS, do I really need to enable SSL using a third-party CA, or will the Windows 2003 Server in-built CA work?

    The more I read forum articles from around the globe, the more confused I get. Some say it is not required from a 3rd party and some say it is better to have 3rd-party SSL installed.

    Please advise.

  • #2
    Re: RPC over HTTPS

    It's not required if you have port 80 forwarded to your Exchange server, but this is not a very secure configuration.
    Network Engineers do IT under the desk


    • #3
      Re: RPC over HTTPS

      I have used both 3rd party certs and Windows 2003 gen'd certs successfully on Treos.


      • #4
        Re: RPC over HTTPS

        Originally posted by kdh_wa:
        "I have used both 3rd party certs and Windows 2003 gen'd certs successfully on Treos."

        Treos do not use RPC over HTTPS but Microsoft Outlook does.

        And on the subject of Outlook Mobile Access, yes the Microsoft certificates work fine. You have to first open the certificate and then save it as a type 'DES' certificate to import it in a Treo.

        Copy it over to the Treo and then double-click the CERT.
        Network Engineers do IT under the desk


        • #5
          Re: RPC over HTTPS

          Sembee has previously pointed out that GoDaddy has real certificates for about $20 per year: https://www.godaddy.com/gdshop/offer...ll.asp?ci=6018 This is a very cheap option to give your Exchange server a professional-looking setup.
          1 1 was a racehorse.
          2 2 was 1 2.
          1 1 1 1 race 1 day,
          2 2 1 1 2


          • #6
            Choose a better topic for your thread!

            Make sure you pick a better topic for your next thread. Failing to do so will result in your account being suspended for 2 weeks.
            Cheers,

            Daniel Petri
            Microsoft Most Valuable Professional - Active Directory Directory Services
            MCSA/E, MCTS, MCITP, MCT


            • #7
              Re: Is a 3rd-party cert required for RPC over HTTPS?

              I have a very low success rate on RPC over HTTPS with home-grown certificates. Plus it makes the deployment of RPC over HTTPS more complex.

              As already pointed out, GoDaddy do certificates for US$20 from GoDaddy or a reseller; you can also get certificates from RapidSSL (owned by GeoTrust) for US$60 or less if you look around.

              The certificate will also secure OWA, OMA, Exchange ActiveSync and any other web services on the same virtual server.

              Simon.
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.


              • #8
                Re: Is a 3rd-party cert required for RPC over HTTPS?

                I have found using the stand-alone Certificate Authority in Windows 2000 Server intimidating; however, Small Business Server 2003 makes the process almost foolproof. I have not set up a CA in a stand-alone Server 2003 setting.

                I have about 45 SBS 2003 installations to date under my belt. Not all of them started off with RPC over HTTPS, but with spam out of control these days, it makes sense to connect directly to the Exchange server from remote locations where the Exchange server has proper spam filtering in place. Also, from a security standpoint, RPC over HTTPS is definitely a positive move. I have set up most of my mobile users with RPC over HTTPS, and I also have my Smartphone users using SBS 2003 certificates.

                With an SBS installation, the certificate is created for you automatically and works flawlessly. What I have found is that most people do not know how to properly do the configuration, i.e. you are asked for a name for your web server, which in my installations is always my MX record that resolves to the Exchange server. That then becomes part of your URL and your cert is created based on that.

                Also, where many people fail is with the authentication when you log on to Exchange from a remote location. By default the username will always be SERVERNAME\username and you have to change that to DOMAIN\username.

                With SBS 2003, the remote web site will provide you with detailed instructions how to connect to Exchange using RPC over HTTPS. There is a menu item on the Remote Web Workplace.

                External certificates are a nice luxury but I would rather not throw my customer's money around if I have all the working resources at my disposal. Don't get me wrong about my reluctance to use 3rd-party certificates. I get a little anal sometimes seeing people who are professionals loading all types of 3rd-party applications to do things when they already have the capabilities.

                Examples would include (1) fax software because the pro did not know how to set up a fax gateway, (2) certificates, (3) network utilities, ...

                Thanks for your comments.
                Network Engineers do IT under the desk


                • #9
                  Re: Is a 3rd-party cert required for RPC over HTTPS?

                  I fully agree with what RobW has posted above - but still prefer to use commercial certificates. For US$20 it makes the deployment look more professional.
                  I include the cost of the certificate in my quotes for SBS deployments - I don't use one of Verisign's expensive certificates.

                  The main reason I use commercial certificates is the SSL warning - particularly with IE7. I don't want to be telling people to ignore SSL warnings with all the phishing sites floating around. You can tell users to only ignore the warning on your site, but they will simply hear the "ignore the warning" and forget that it should be on your own site only.

                  As with many things with Microsoft, if you are using SBS then things are very easy. If you are using their preferred deployment method of FE/BE then it is also easier.

                  It is still an annoyance of mine that when the GUI for RPC over HTTPS was introduced, a single-server option was not included. It has been resolved in E2007.

                  Simon.


                  • #10
                    Re: Is a 3rd-party cert required for RPC over HTTPS?

                    After I do a network installation for a customer, I always factor in at least half a day to be on site and to help individuals through the transition. This is an ideal time for me to demonstrate how Outlook Web Access and Remote Web Workplace work.

                    I take advantage of this time to show the customer how easy it is to "view" the certificate and to click on the "Install certificate" button. Whether it is IE 6 or IE 7, this quickly installs the certificate in the Trusted Root, gets rid of the security warnings, and gives the customer a sense of personal attention.
                    Network Engineers do IT under the desk
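
The two checks the replies above turn on, whether the certificate's name matches the host in the client's proxy URL and whether its issuing root is trusted on the client, modelled here as an added example (not code from any poster in this thread). The hostnames, CA names and certificate records are constructed, and `name_matches` and `cert_problems` are hypothetical helper names.

```python
# Added example: which certificate checks a client would fail.
# Every hostname, CA name and certificate record here is constructed.
from datetime import date


def name_matches(pattern, host):
    """Match one certificate name against the host the client connects to.

    A wildcard counts only as the whole left-most label and covers exactly
    one label, so *.example.com does not match a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_problems(proxy_host, cert, client_roots, today):
    """Return the reasons a client would reject `cert` for `proxy_host`."""
    problems = []
    # Subject alternative names, when present, replace the common name.
    names = cert["san"] or [cert["cn"]]
    if not any(name_matches(n, proxy_host) for n in names):
        problems.append("name mismatch")
    if cert["root"] not in client_roots:
        problems.append("untrusted root")
    if not cert["not_before"] <= today <= cert["not_after"]:
        problems.append("outside validity period")
    return problems


VALID = {"not_before": date(2007, 1, 1), "not_after": date(2008, 1, 1)}
# Certificate issued by the server's own CA under its internal name.
INTERNAL_NAME = {"cn": "sbs01.corp.local", "san": [], "root": "corp-CA", **VALID}
# Same CA, but issued for the public name used in the client's proxy URL.
PUBLIC_NAME = {"cn": "mail.example.com", "san": [], "root": "corp-CA", **VALID}
# Commercial certificate chaining to a root the client already trusts.
COMMERCIAL = {"cn": "mail.example.com", "san": [], "root": "Public Root", **VALID}
SHIPPED_ROOTS = {"Public Root"}               # client that never saw corp-CA
WITH_CORP_ROOT = SHIPPED_ROOTS | {"corp-CA"}  # after importing the CA cert

if __name__ == "__main__":
    day = date(2007, 6, 1)
    print(cert_problems("mail.example.com", INTERNAL_NAME, SHIPPED_ROOTS, day))
    print(cert_problems("mail.example.com", PUBLIC_NAME, SHIPPED_ROOTS, day))
    print(cert_problems("mail.example.com", PUBLIC_NAME, WITH_CORP_ROOT, day))
```

An in-house certificate passes only once it carries the public name and its root has been imported on each client; the commercial one passes on an untouched client.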
