RWW and web certificate


  • RWW and web certificate

    Hello:
    I am new to SBS 2003 and have a question regarding RWW and the web certificate. Our company has several users that want to access their desktops and mail remotely. Internet access is currently set up with the web server set as the IP address on the web certificate page. So that the remote users don't have to enter https://xxx.xxx.xxx/remote to access the server, I have set up a redirect on the company's web site to redirect server.ourcompany.com to https://xxx.xxx.xxx/remote. This works fine. However, when they log on they are presented with the bad certificate message. My understanding is, without a valid certificate, they don't get a secure connection. If this is not true, then we really don't care if we have a certificate or not since the only ones accessing the site trust the site. If this is true, I want to install a self-issued certificate so we get a secure connection. The current certificate has expired, so my question is: if I create a new certificate, what should I name it? Should I call it the IP address, as it is currently defined, or should I call it server.ourcompany.com, something else, or does it even matter what I call it? I ask this because we currently get 2 warnings. One says the certificate is expired, the other says the certificate name is different. I want to correct both of these problems. Any help would be great.
    Thanks

  • #2
    Re: RWW and web certificate

    If you install a self signed certificate you will always get an error message.
    Furthermore you can't normally issue a certificate to an IP address.

    Your best option is to set up remote.example.com (where example.com is your public domain name), pointing to the SBS server.
    Then purchase a certificate for US$29.99 from http://certificatesforexchange.com/ and install it into IIS. That way you will get
    - secure remote access
    - secure OWA
    - able to use RPC over HTTPS with Outlook 2003 and higher.
    - secure ActiveSync.

    The common name must resolve to the server correctly, and be the name the users are entering.
    If you get a certificate for server.example.com and users are entering mail.example.com or an IP address, then you will get an SSL warning.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
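
The two warnings from the first post (expired, name mismatch) and the rule above that the certificate name must be the name users enter, as an added example that is not part of the original thread. The certificates, host names, IP address and date are constructed; the common-name fallback for certificates without a subjectAltName is an assumption that mirrors older clients.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample certificates, in the dict shape of ssl.SSLSocket.getpeercert().
OLD_CERT = {"subject": ((("commonName", "server.example.com"),),),
            "notAfter": "Jun  1 00:00:00 2009 GMT"}
NEW_CERT = {"subject": ((("commonName", "remote.example.com"),),),
            "subjectAltName": (("DNS", "remote.example.com"),),
            "notAfter": "Jun  1 00:00:00 2011 GMT"}
NOW = datetime(2010, 1, 1, tzinfo=timezone.utc)  # constructed "current" date


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Compare label by label; '*' is accepted only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])


def cert_warnings(cert, entered_host, now):
    """Return the warnings a client raises for cert when the user types entered_host."""
    warnings = []
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now > expires:
        warnings.append("expired")
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    if not san:  # assumption: fall back to the common name, as older clients did
        dns_names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    if is_ip(entered_host):  # an IP URL matches only an IP entry, never a DNS name
        ok = entered_host in [v for k, v in san if k == "IP Address"]
    else:
        ok = any(name_matches(n, entered_host) for n in dns_names)
    if not ok:
        warnings.append("name mismatch")
    return warnings


if __name__ == "__main__":
    for cert, host in [(OLD_CERT, "203.0.113.10"), (NEW_CERT, "mail.example.com"),
                       (NEW_CERT, "remote.example.com")]:
        print(host, cert_warnings(cert, host, NOW))
```
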



    • #3
      Re: RWW and web certificate

      Thanks for the reply. Given that I am not real up on this, can you verify that I understand you correctly? I have created a subdomain on our web site, i.e. server.ourcompany.com. I have redirected the subdomain so when someone enters server.ourcompany.com they are redirected to https://xxx.xxx.xxx/remote, thus connecting to the server. This works. Now I purchase a certificate and install it. With CEICW I set the web site name to server.ourcompany.com. (Can I also install the certificate here?) I then change the common name to server.ourcompany.com. Done. Is this correct?
      Thanks



      • #4
        Re: RWW and web certificate

        That was wrong.
        Don't create the redirect. Create a new A record in your public DNS that points directly to the external IP address of the server. I also wouldn't use the server's actual name - SBS likes to use remote.example.com for most of its examples, and that is what I recommend.

        You do a certificate request with a common name - you don't change it after the certificate has been installed. Therefore you have to decide on what it is before you start.

        You basically have to stop using the IP address as the URL - only use the host name.

        Simon.
        --
        Simon Butler
        Exchange MVP



        • #5
          Re: RWW and web certificate

          I think the SBS way is simpler (The other is the regular server way).
          You run the CEICW creating a new certificate. This should be automatically pushed out to domain joined computers.
          You set up your DNS for the FQDN you gave in the CEICW, i.e. if you called the server kuku.company.tld then you should have an A record pointing kuku.company.tld to your fixed external IP. On your firewall you redirect ports 80, 443 and 4125 from your external IP to the SBS's external (but private) IP (if it has 2 NICs).
          For external users, you can create a certificate package from under \\<SBServer>\ClientApps\SBScert and put them in the trusted root certificates store of the computer

          Finally, you connect by using the url http://kuku.company.tld/remote
          For 2008, you use remote.company.tld but that's another forum!
          TIA

          Steven Teiger [SBS-MVP(2003-2009)]
          http://www.wintra.co.il/
          I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

          We don't stop playing because we grow old, we grow old because we stop playing.



          • #6
            Re: RWW and web certificate

            That doesn't help for non-domain members though.
            Personally I dislike telling users to ignore SSL warnings. Users getting used to just clicking past a warning is a bad idea, and they will not always remember that it is for your server only. It doesn't take much of my time cleaning up after a phishing attack on a server to make a $30 SSL certificate a cost-effective purchase.

            Simon.
            --
            Simon Butler
            Exchange MVP



            • #7
              Re: RWW and web certificate

              ???

              What's it got to do with domain joined?
              My laptop is a member of my domain, but I have lots of clients' certificates in the trusted root authority - though I am not joined to their domain. I don't get SSL warnings, unless there is something wrong with the certificate, like it expired!!
              TIA

              Steven Teiger [SBS-MVP(2003-2009)]
              http://www.wintra.co.il/


              • #8
                Re: RWW and web certificate

                You still get an SSL warning when you first connect.

                The certificate is only trusted by domain members natively, as the SBS connect computer wizard installs it.

                I don't want end users to see any certificate warning. Not once, not ever. I do not want them to get used to doing anything different with regards to SSL certificates.

                Simon.
                --
                Simon Butler
                Exchange MVP



                • #9
                  Re: RWW and web certificate

                  But that is NOT what I am saying!

                  You take the certificates that are in SBSCerts and you place them on a USB drive or download them by any means possible and install them as Trusted Root Certificates on your non-domain joined computer. Then when you connect you do NOT get a certificate warning.
                  TIA

                  Steven Teiger [SBS-MVP(2003-2009)]
                  http://www.wintra.co.il/


                  • #10
                    Re: RWW and web certificate

                    That only works if you have 100% control over every machine that is being used to access the web services - however the very nature of web services means that isn't always the case.

                    The MD wants to check his email on a friend's computer and then browses to OWA - gets a certificate prompt. Ignores the certificate prompt because you have told him to. Up pops a window that looks like the Exchange login screen, but is actually run by a hacker. Enters his credentials. It fails. Hacker now has MD's credentials and sends spam through your server.

                    Seen it happen, cleaned up the mess.

                    If you are restricting the use of the server to only machines under your control, then fine. However in this day and age, that is a pipe dream for most sites. Users want to be able to use any machine from any location, and therefore IT people have to take in to account the issues of security. Telling users to ignore the warning is a bad idea.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP
