  • Issue with Offloading SSL Cert to Hardware SSL Accelerator

    I have 2 servers running both CAS/Hub roles sitting behind a Citrix
    Netscaler. I'm using the Netscaler for load balancing and for hosting
    the SSL cert (issued by a major CA) for Exchange. I have OWA, POP, IMAP
    and Outlook Anywhere working (haven't tested ActiveSync yet) but
    sometimes I get a popup for the self-assigned cert of the server I'm
    connected to. Once I accept the unknown cert I'm good to go but I
    shouldn't be seeing this happen.
    Can somebody tell me what the best practice is in Exchange settings
    when offloading a cert? All internal and external connections are
    using the public URL through the Netscaler so I shouldn't need a cert
    installed in IIS/Exchange at all, right? Exchange doesn't seem to be
    very happy without a cert in there somewhere.

  • #2
    Re: Issue with Offloading SSL Cert to Hardware SSL Accelerator

    I don't think you can run Exchange without an SSL certificate.
    Certainly if you have the UM role and try and remove the certificates Exchange will simply regenerate one.

    Have you checked what URLs are being given out by autodiscover and where the autodiscover DNS entries are pointing?

    The only time I used something else to offload the SSL I still recommended (and deployed) a cheap commercial SAN/UC certificate internally as that ensured that everything worked correctly internally and externally without the additional load of the internal traffic on the appliance.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Issue with Offloading SSL Cert to Hardware SSL Accelerator

      I do not have UM running in my environment. I believe autodiscover is giving out the internal hostname of my CCR virtual server and Outlook Anywhere is using the public URL. When I run "Get-AutodiscoverVirtualDirectory -server mycahub1.domain.local | fl" the InternalURL and ExternalURL fields are empty.

      I had my CA issued wildcard cert in IIS on both servers but have since removed it because all clients (internal and external) will be accessing the CAS/Hub servers via the Netscaler VIP. My app logs are filling up with Event IDs 12014 and 12024 though so I'm putting the cert back in IIS now.
      Since I did not create the cert request from Exchange I don't need to run any PowerShell commands to make it work with Exchange, right? I just assign it to the website in IIS and I'm good to go?

      Ideally I'd like to have separate internal and external IPs with the same public URL but I'm not sure how to set that up in my environment. My problem is that my AD domain is .local (not .com) and the authoritative zone for my public production .com domain is on my public facing name servers, not my internal name servers. Do you know how I could have 1 public IP and 1 internal IP both use the same public URL so the DNS settings would be transparent to the user?
      Last edited by polycarp; 1st December 2008, 20:52.



      • #4
        Re: Issue with Offloading SSL Cert to Hardware SSL Accelerator

        With regards to the SSL certificate - just putting a certificate into IIS is not enough. Exchange 2007 is tightly integrated with SSL certificates. If you do put the certificate straight into IIS then you need to run Import-ExchangeCertificate or use PowerGUI to enable it in Exchange.

        Furthermore Exchange then does some stuff with AD which allows the clients to accept the self-generated certificate. By not doing it that way, that doesn't happen.

        I don't recommend the use of a wildcard certificate, because they are specific to one domain.

        For a SAN/UC certificate for Exchange you really need the server's real name, FQDN and its public names in the certificate. If you are running a .local/.com combination that means two different names.

        To have public names work internally, what you need is a split DNS system.
        http://www.amset.info/netadmin/split-dns.asp

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.

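        The advice above (import the CA-issued certificate into Exchange rather than only binding it in IIS, then make sure every name clients are handed is covered by it) in Exchange Management Shell form. This is an added example, not code from the thread or from Simon; the file path, password prompt, server name `cashub1` and the `mail.mydomain.com` URLs are placeholders, and the final two `Set-` lines follow the original poster's stated design of sending all traffic through the Netscaler VIP, which only works internally once the public name resolves internally (the split-DNS zone discussed later in the thread).

```powershell
# Added example (not from the thread): import a CA-issued certificate into
# Exchange 2007 SP1, enable it for the client-facing services, then check
# what names the CAS is actually handing out. All names/paths are placeholders.

# 1. Import the PFX (private key + chain) that was generated outside Exchange.
#    Import-ExchangeCertificate wants the PFX password as a SecureString and
#    returns the imported certificate object.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$cert = Import-ExchangeCertificate -Path "C:\certs\mail-mydomain-com.pfx" -Password $pfxPassword

# 2. Bind it to the services clients talk to. Until this runs, IIS may serve
#    the new certificate while Exchange still regards its self-signed one as
#    current (the 12014/12024 application-log events mentioned above).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP,SMTP"

# 3. Verify: exactly one trusted (IsSelfSigned = False) certificate should
#    carry the IIS service, and CertificateDomains must include every name
#    clients connect to.
Get-ExchangeCertificate | Format-List Thumbprint, IsSelfSigned, Services, CertificateDomains, NotAfter

# 4. The popup in the original post is a name mismatch: Autodiscover or a
#    virtual directory hands out a name (e.g. cashub1.mydomain.local) that the
#    public certificate does not cover, so Outlook connects to that name and
#    receives the self-signed certificate. Dump the URLs and compare them with
#    CertificateDomains from step 3.
Get-ClientAccessServer           | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory  | Format-List Server, InternalUrl, ExternalUrl
Get-OabVirtualDirectory          | Format-List Server, InternalUrl, ExternalUrl
Get-OwaVirtualDirectory          | Format-List Server, InternalUrl, ExternalUrl

# 5. If the design is "everything through the VIP", point the internal URLs
#    at the public name so internal Outlook clients also match the certificate.
#    Requires that mail.mydomain.com resolves internally (split DNS).
Set-ClientAccessServer -Identity cashub1 -AutoDiscoverServiceInternalUri "https://mail.mydomain.com/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "cashub1\EWS (Default Web Site)" -InternalUrl "https://mail.mydomain.com/EWS/Exchange.asmx"
```

        Run it on each CAS/Hub server in turn. Step 4 is the part worth keeping as a routine check: any URL whose host is not listed in CertificateDomains is a future certificate prompt, and with a wildcard for the public domain the .local names will never match, which is the gap a SAN/UC certificate closes.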


        • #5
          Re: Issue with Offloading SSL Cert to Hardware SSL Accelerator

          Not sure if this is exactly needed/relevant, but would like to share the update provided by "Update Rollup 3 for Exchange Server 2007 Service Pack 1"

          945453 You cannot log on to Outlook Web Access in an Exchange Server 2007 environment, and you receive an error message: "HTTP Error 403.4"
          http://support.microsoft.com/default...b;EN-US;945453

          Do you have this already on your servers?

          Cheers
          Aravind



          • #6
            Re: Issue with Offloading SSL Cert to Hardware SSL Accelerator

            e-aravind:
            I am currently on version 8.1.240.6, which I believe is the most current (Rollup 5).

            sembee:
            I followed the steps in http://support.microsoft.com/default.aspx/kb/940726 which stopped the 12014 errors and symptoms.

            As far as "split DNS", I am unfortunately unable to change my environment from mydomain.local to mydomain.com so I don't see how I could implement that solution. Like you mentioned in the article, once you create a forward zone for mydomain.com on the internal DNS server, that server will no longer send queries to the internet for that domain and all internet facing records would need to be manually entered into the internal DNS server. This workaround adds administrative overhead and the potential for resolution problems when a record is created/updated on the external DNS server but not the internal DNS server and is unacceptable in our environment. If you know of an acceptable solution for an environment like mine then I'd be your biggest fan.

            I wish I had a SAN/UC cert but is it really necessary, if you don't plan on using ActiveSync? I'm not sure if I can convince my boss to buy a $600 cert just for Exchange when we already have a wildcard.

            btw - Thank you both very much for your help.



            • #7
              Re: Issue with Offloading SSL Cert to Hardware SSL Accelerator

              I wasn't proposing a change of your internal domain.
              The second zone is all that is required.
              How often do you change the entries in the public zone? Most external zones contain three or four hosts at most.
              The admin overhead is minimal - however if that is unacceptable then there is nothing that you can do. However the problem appears to be procedural, not technical. The solution works, you may have to adjust procedures to allow it to be used.

              As for SAN/UC certificates - the days of having to pay $600 for a UC/SAN certificate are long gone. When E2007 was first released it was the only option, but GoDaddy do SAN/UC certificates for US$60/year https://DomainsForExchange.net/

              Simon.
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.



              • #8
                Re: Issue with Offloading SSL Cert to Hardware SSL Accelerator

                Sorry, my reply was misleading. I did not mean changing my AD domain from mydomain.local to mydomain.com, but simply adding the second zone to my internal DNS servers. You're right, my problem is definitely a procedural issue. We currently have about 730 records for mydomain.com.

                BTW - I am now having a problem with OWA on one of my CAS/Hub servers. When I go to OWA in Firefox the page continuously tries and fails to load. If I try to manually go to a webpage (ex. https://mail.mydomain.com/test.html) I get an HTTP 403.4 error even though I have "https" in the URL. When I go to OWA in IE with "https" in the URL I get an error saying OWA did not initialize and:

                Request
                Url: http://mail.mydomain.com:80/owa/auth/error.aspx
                User host address: x.x.x.x (where x.x.x.x is the private VIP of my CCR cluster)


                Now, I do have requests first hitting my SSL accelerator on port 443 then redirecting to the CAS/Hub server's private IP on port 80, not sure if that is relevant in this particular scenario.

                Thanks again for your help.
                Last edited by polycarp; 2nd December 2008, 19:11. Reason: spelling

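                The symptoms in the post above (403.4 on the backend, a redirect loop, and an error page whose Request URL is `http://mail.mydomain.com:80/...`) all follow from the accelerator terminating TLS and forwarding plain HTTP to port 80. The script below, added here and not part of the thread, replays that path: it requests each Exchange virtual directory directly on a CAS over HTTP, the way the Netscaler does, and again over HTTPS through the VIP, and prints the status code and any redirect target without following it. The backend IP, VIP name and directory list are placeholders; it assumes PowerShell 2.0 or later for `try/catch` and a host on the internal network.

```powershell
# Added example (not from the thread): probe Exchange virtual directories the
# way an SSL offloader reaches them (plain HTTP to the CAS) and the way a
# client reaches them (HTTPS via the VIP). Placeholder addresses/names.

$backend   = "10.0.0.11"            # private IP of one CAS/Hub server (placeholder)
$publicVip = "mail.mydomain.com"    # public name resolving to the Netscaler VIP (placeholder)
$vdirs     = "/owa/", "/Autodiscover/Autodiscover.xml", "/EWS/Exchange.asmx", "/OAB/", "/Rpc/"

function Test-BackendUrl([string]$url) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false        # report the Location header instead of following it
    $req.Timeout = 10000
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        # 4xx/5xx answers arrive as WebException with the response attached
        if ($_.Exception.Response -eq $null) { return ("{0,-60} no response: {1}" -f $url, $_.Exception.Message) }
        $resp = $_.Exception.Response
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers["Location"]
    $resp.Close()
    "{0,-60} {1} {2}" -f $url, $status, $location
}

"--- plain HTTP to the backend, as forwarded by the accelerator ---"
foreach ($v in $vdirs) { Test-BackendUrl "http://$backend$v" }

"--- HTTPS through the VIP, as seen by clients ---"
foreach ($v in $vdirs) { Test-BackendUrl "https://$publicVip$v" }

# Reading the results:
#   403 on the backend        = that directory still has "Require SSL" set in
#                               IIS; this is the HTTP 403.4 from the post above.
#   401 on the backend        = the request reached the application and it is
#                               asking for authentication, i.e. the forward works.
#   302 with Location http://...:80/owa/... = the application built an absolute
#                               URL from the plain-HTTP request it received, so
#                               the browser is bounced back to port 80 and loops.
```

                Two things to keep in view when interpreting the output. The backend only ever sees the accelerator's own address (the "User host address" in the post is the VIP, not the user), so per-user logging on the CAS is lost unless the Netscaler inserts a client-address header and IIS is configured to log it. And once "Require SSL" is cleared to make the forward work, every hop between the Netscaler and the CAS carries OWA credentials and mailbox content in clear text; that segment has to be treated as trusted network, or re-encrypted, which is the trade-off of offloading rather than terminating TLS on the servers.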