port 443 won't open on SBS2008 after certificate change
  • port 443 won't open on SBS2008 after certificate change

    Hello all,

    Because I had a problem with the SMTP banner on 2 Windows SBS 2011 servers, I searched the internet.
    When I went to mxtoolbox.com and ran the SMTP test, the output was:

    OK - xx.xx.xx.xx resolves to mail.domain.nl

    Warning - Reverse DNS does not match SMTP Banner
    OK - Supports TLS.
    0 seconds - Goodon Connection time
    OK - Not an open relay.
    5.928 seconds - Warning on Transaction Time

    So this is what I did:

    Go to [Exchange Management Console],
    Expand [Server Configuration]
    Click on [Hub Transport]
    Double click on [Windows SBS internet receive servername]
    On the tab [General] I changed the field [Specify the FQDN this connector will provide in response to HELO or EHLO] from [Remote.domain.nl] to [Mail.domain.nl]

    Result MXtoolbox:

    OK - xx.xx.xx.xx resolves to mail.domain.nl

    OK - Reverse DNS matches SMTP Banner
    Warning - Does not support TLS.
    0 seconds - Goodon Connection time
    OK - Not an open relay.
    5.897 seconds - Warning on Transaction Time

    As you see, the SMTP banner is OK, but TLS support is gone.
    And in the event viewer I get this error:

    MSExchangeTransport
    Event ID 12014

    Microsoft Exchange could not find a certificate that contains the domain name mail.domain.nl in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Windows SBS Internet Receive SERVERNAME with a FQDN parameter of mail.domain.nl. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    So to solve this problem I did the following:

    Go to IIS
    In the left column select the [servername]
    In the middle column select Server Certificates
    Create a new domain certificate for mail.domain.nl (right column, follow the wizard)
    1. Open "Exchange Management Shell".

    2. Type "Get-ExchangeCertificate" and press the "Enter" button.

    3. Write down the Thumbprint of the certificate that reflects the required FQDN name of the server (mail.domain.nl).

    4. Type "Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services SMTP"

    (the thumbprint is an example; the value of -Thumbprint is the one obtained in step 3.)

    5. Press the "Enter" button.

    6. Restart the Exchange server.

    The result on MXtoolbox.com:

    OK - xx.xx.xx.xx resolves to mail.domain.nl

    OK - Reverse DNS matches SMTP Banner
    OK - Supports TLS.
    0 seconds - Goodon Connection time
    OK - Not an open relay.
    5.975 seconds - Warning on Transaction Time

    So that looks OK, and the error in the event viewer is gone.


    After successfully doing this procedure on 2 other SBS 2011 servers, I did the same on an SBS 2008 server. That is where the problem begins…
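The certificate procedure above (steps 2 to 4), as an added Exchange Management Shell example that is not the original poster's code: it selects the certificate whose domains cover the receive connector's FQDN, performs the checks that event 12014 asks for, and enables it for SMTP. The connector name, the FQDN and the choice to restart only the transport service instead of the whole server are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# $ConnectorName and $Fqdn are assumptions; set them to your own connector and host name.
$ConnectorName = "Windows SBS Internet Receive SERVERNAME"
$Fqdn          = "mail.domain.nl"

# 1. The FQDN the receive connector announces in its HELO/EHLO banner must match
#    what reverse DNS says (the MXtoolbox "Reverse DNS matches SMTP Banner" check).
$connector = Get-ReceiveConnector $ConnectorName
if ($connector.Fqdn -ne $Fqdn) {
    Write-Warning "Connector announces '$($connector.Fqdn)', expected '$Fqdn'"
}

# 2. Event 12014 fires when no certificate in the personal store covers that FQDN.
#    Look for one that covers it (directly or by wildcard), is not expired, and
#    has a private key the transport service can use.
$wildcard   = "*." + ($Fqdn -split '\.', 2)[1]
$candidates = Get-ExchangeCertificate | Where-Object {
    ($_.CertificateDomains -contains $Fqdn -or $_.CertificateDomains -contains $wildcard) -and
    $_.NotAfter -gt (Get-Date) -and
    $_.HasPrivateKey
}
if (-not $candidates) {
    throw "No valid certificate for $Fqdn in the personal store; create or import one first."
}

# Prefer the certificate that expires last, so a leftover old one is not re-enabled.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
Write-Host "Using $($cert.Thumbprint) ($($cert.Subject)), expires $($cert.NotAfter)"

# 3. Enable it for SMTP only if it is not already; -Confirm:$false suppresses the
#    prompt Enable-ExchangeCertificate shows when the default SMTP certificate changes.
if ($cert.Services -notmatch 'SMTP') {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Confirm:$false
    # Assumption: restarting the transport service is enough for STARTTLS to pick up
    # the certificate; the post reboots the whole server instead.
    Restart-Service MSExchangeTransport
}

# 4. Show what is now bound, so the thumbprint can be compared with the event log.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter, HasPrivateKey
```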

  • #2
    Re: port 443 won't open on SBS2008 after certificate change

    I post my problem in a reply to the description of the situation, because I can't post everything in one reply.

    At first glance everything looked OK, including the output from MXtoolbox.com, so everything was as expected. I restarted the server, and it stayed a very long time in "applying computer settings" (something like 1.5 hours). So I drove to the server room (I was working remotely), and when I arrived I shut down the server and started it again; after a long wait I could finally log in.


    So I decided to delete the new certificate and put everything back like it was. I don't know if I did the right thing, but I ran the command
    ["Enable-ExchangeCertificate -Thumbprint 2afd26617915932ad096c48eb3b847fc7457662 -Services SMTP"] again on remote.domain.nl.

    But the server still won't boot up normally, so I searched the internet again and found:

    support.microsoft.com/kb/2004121

    After I used this solution the boot problem was gone. But now I have another problem….
    I think I messed up my certificates by deleting the mail.domain.nl one. Because now OWA is not working anymore: when I open OWA on the local network it works great, but from the internet it's not working. After a port scan with MXtoolbox.com I discovered that port 443 is not open. And I am sure it is not the firewall (because it always worked that way); everything is working except OWA. I have been searching and trying to find the solution for 4 days now, but I don't get it.

    I looked into the bindings, changed the certificates, redid the procedure, etc. Something is blocking port 443 and I think it has something to do with the certificates.

    Can anybody post the standard configuration of a Windows SBS 2008 server? (IIS certificates, bindings and connectors) Is there anybody who has a good suggestion? THANKS A LOT for reading this story!

    I know it is a long story, but I also know that for a good view of the situation, an administrator must know the whole picture....



    • #3
      Re: port 443 won't open on SBS2008 after certificate change

      Check DNS.



      • #4
        Re: port 443 won't open on SBS2008 after certificate change

        What kind of firewall redirection do you have? For example, I troubleshot an issue after an SSL certificate change; it ended up being the fact that their firewall was redirecting HTTPS traffic to HTTP internally, though port 443 was used internally for OWA. When the SSL certificate had been updated, port 443 had only been enforced on the OWA virtual directory.



        • #5
          Re: port 443 won't open on SBS2008 after certificate change

          Originally posted by Virtual
          What kind of firewall redirection do you have? For example, I troubleshot an issue after an SSL certificate change; it ended up being the fact that their firewall was redirecting HTTPS traffic to HTTP internally, though port 443 was used internally for OWA. When the SSL certificate had been updated, port 443 had only been enforced on the OWA virtual directory.
          I know this problem, but that is not the case; the web interface of the firewall is only accessible through port 80 internally. Port 443 is forwarded to the server, and there is no certificate involved.



          • #6
            Re: port 443 won't open on SBS2008 after certificate change

            After a long search the problem was solved by a colleague, but don't ask me how this can be the solution.

            On the firewall, on the virtual server, we just disabled NAT, re-enabled NAT again, and everything works fine. A strange detail was that OMA was working fine, but MXtoolbox told us port 443 was closed. After this problem was solved I also updated the firmware; let's hope the problem stays away! Thanks for your help all!
