Yes, it is possible. It’s not pretty by any means (a proper Class 2 SSL Certificate is the best way to go), but it can be done.
Background
I work for a non-profit organisation that’s primarily funded by the government. As such, we receive only a little funding for ‘technical extras’, and sadly even a cheap Class 2 SSL cert is out of financial reach at this time. This has caused a bit of a problem.
We run an Exchange 2007 server on a Windows Server 2003 box with Active Directory, alongside the primary and secondary domain controllers. Our internal network was set up (by my predecessor) as foo.local. Our email, on the other hand, is hosted externally (as our ISP does not allow email servers on business accounts – go figure) on the domain mail.bar.com. Because of foo and bar, a single Class 1 cert can’t be used – and therein lies the problem.
When I access OWA (Outlook Web App) internally, I can use the internal name of the mailserver (mail.foo.local), which uses a self-signed Class 1 Server SSL cert by the Windows Server built-in certificate authority. Of course, when accessed externally, my browser flips out because it doesn’t recognize my own certificate authority as valid and the name on the cert itself doesn’t match (mail.foo.local compared to the external domain exchange.bar.com). Although this is technically alright, because I know enough to verify the cert manually, this confuses my users and can potentially lead to man-in-the-middle attacks.
The Solution
IIS only allows one SSL cert per Web Site. Without a Class 2 SSL cert (they allow for multiple domains to be specified) it isn’t technically possible to have two domains SSL-protected. If I apply a valid Class 1 cert for the external domain, the internal Outlook clients will throw the SSL error instead, which is much more of a problem.
Therefore, the solution is to create a second Web Site in IIS (with different port assignments; otherwise you need a second NIC and IP address) and mirror the OWA and ActiveSync Virtual Directories into it. This is actually easier than it sounds. Note that the following instructions are for IIS on Windows Server 2003 and Exchange 2007.
- Open IIS, then expand the Web Sites entry.
- Right-click on the Web Sites entry and choose “New” -> “Web Site”.
- Choose “Next”, then give it a name (and remember it – I chose “OWA-External”), and “Next” again.
- If you have a second NIC/IP address on the server, specify it. Otherwise, change Port 80 to an unused port (I chose 82), then click “Next”.
- Choose a new folder to be the root of the website. It’ll stay empty, so it doesn’t matter where you put it. I created C:\inetpub2. Click “Next” again.
- Leave the defaults selected (Read), then click “Next” and “Finish”.
- Right-click on the new website (“OWA-External” in this example) and choose “Permissions”.
- Add the “Internet Guest Account” for your server (typically DOMAIN\IUSR_SERVERNAME) and give it Read, Read & Execute, and List permissions.
- Click OK and close IIS.
Now that the website is set up, we need to tell Exchange to create the Virtual Directories. If you try to create them manually in IIS by mirroring the settings from the existing entries under the Default Web Site, you won’t be able to access OWA.
- Open the Exchange Management Shell.
- Type Get-OwaVirtualDirectory and press Enter. This will show the existing Virtual Directories.
- Now type New-OwaVirtualDirectory -WebSiteName “OWA-External” (replacing OWA-External with your website name) and hit Enter. It may take a minute or two to process, depending on the speed/load of your server.
- If you don’t get any errors, type Get-OwaVirtualDirectory again and you should see a new owa entry in the list.
- Next is to create a new ActiveSync Virtual Directory in the new site. The command to do that is New-ActiveSyncVirtualDirectory -WebSiteName “OWA-External” -ExternalURL “http://exchange.bar.com/Microsoft-Server-ActiveSync” (replacing OWA-External and the URL with your own, of course).
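The three Exchange Management Shell steps above, put together as one re-runnable script. This is an added example, not from the original post: it assumes it runs inside the Exchange 2007 Management Shell on the Client Access server, that the second IIS site already exists, that the virtual directory objects expose a WebSite property, and that the site name and URL are placeholders you replace with your own.

```powershell
# Creates the OWA and ActiveSync virtual directories in a second IIS site,
# skipping anything that already exists, then verifies the result.
# Assumed placeholders: replace with your own site name and external URL.
$SiteName    = "OWA-External"
$ExternalUrl = "http://exchange.bar.com/Microsoft-Server-ActiveSync"  # scheme as in the post

# Step 1: record what exists before making changes (same as Get-OwaVirtualDirectory by hand).
$before = Get-OwaVirtualDirectory
Write-Host "Existing OWA virtual directories:"
$before | Format-Table Identity, WebSite -AutoSize

# Step 2: create the OWA vdir only if this site does not already have one,
# so running the script twice does not produce a duplicate-name error.
$owaExisting = $before | Where-Object { $_.WebSite -eq $SiteName }
if ($owaExisting) {
    Write-Host "OWA vdir already present in '$SiteName': $($owaExisting.Identity)"
} else {
    New-OwaVirtualDirectory -WebSiteName $SiteName
}

# Step 3: same check-then-create for ActiveSync. ExternalURL is what mobile
# clients are handed, so it must match the scheme and host they will actually use.
$easExisting = Get-ActiveSyncVirtualDirectory | Where-Object { $_.WebSite -eq $SiteName }
if ($easExisting) {
    Write-Host "ActiveSync vdir already present in '$SiteName': $($easExisting.Identity)"
} else {
    New-ActiveSyncVirtualDirectory -WebSiteName $SiteName -ExternalURL $ExternalUrl
}

# Step 4: verify. Both should now be listed for the new site; if not, stop here
# rather than continuing on to the SSL and port-forwarding steps.
$owa = Get-OwaVirtualDirectory        | Where-Object { $_.WebSite -eq $SiteName }
$eas = Get-ActiveSyncVirtualDirectory | Where-Object { $_.WebSite -eq $SiteName }
if (-not $owa -or -not $eas) {
    throw "Virtual directories for '$SiteName' were not created; check the shell errors above."
}
Write-Host "OWA:        $($owa.Identity)"
Write-Host "ActiveSync: $($eas.Identity) -> $($eas.ExternalUrl)"
```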
Now open up the Exchange Management Console. Browse to Server Configuration -> Client Access. Under the Outlook Web Access and Exchange ActiveSync, you should now have two entries each – one for the original Web Site (usually Default Web Site), then one for the one you just created.
Now you’re almost done. Back in IIS, open the Properties for the new Web Site and set your SSL port to something other than 443 (unless you have two IP addresses on the server), then install your valid Class 1 SSL cert for your external domain (exchange.bar.com, in this example – I got my Class 1 cert free from www.startssl.com). The only thing left to do now is to port forward. On your router/gateway/firewall/whatever, forward port 443 to your Exchange server’s IP (or second IP if you’ve set it up that way) and, if appropriate, to the correct port. In my case, I forward port 443 to port 444, as well as port 444 to 444. Both are necessary if you’re using a port other than 443.
Once all this is done, restart IIS on your server and all should be ready. You’ll now have a valid cert internally and externally!