How to implement SSL Certs (for OWA, etc.) in Exchange 2007

These instructions were prepared for QuoVadis (a great place to get your SSL and Unified Communications (UCC) SAN certs from: www.quovadis.bm).

Document Deliverables

Microsoft Exchange 2007 requires SSL certificates to be configured and installed in a particular way, so that the certificate covers every ‘Subject Alternative Name’ under which the server might be reached. Which name a client uses depends on the service it is connecting to over SSL (OWA, ActiveSync, Outlook Anywhere).

Document Expectations

Out of Scope

This document assumes Exchange 2007 is installed and configured correctly, that TCP 443 (SSL) traffic is allowed inbound/outbound on your firewall (for external access), and that the appropriate FQDNs (Fully Qualified Domain Names) are defined and resolvable in DNS.

Overview and Background

The certs created in this document were for itgroove Professional Services Ltd. The Exchange Server 2007 being accessed is referenced by the primary URL webmail.itgroove.org.

During the cert process you will want to know all of the ‘Subject Alternative Names’ that may be used to reference this server, including the names used by Autodiscover (Autodiscover itself is out of scope for this document). For the purposes of this document, the SANs for this Exchange Server 2007 installation are the following:

  • webmail.itgroove.org (the primary URL used)
  • autodiscover.itgroove.org (autodiscover URL chosen)
  • autodiscover.itgroove.net (unique to itgroove, because the primary SMTP domain, itgroove.net, differs from the OWA domain; this secondary entry does not apply unless your primary SMTP domain differs from the domain used for OWA)
  • itgca1vmg01 (the NetBIOS hostname of the actual Exchange Server)
  • itgca1vmg01.itgroove.org (the FQDN of the server on the client network/LAN)

*Note: in Exchange 2007, the OWA application is now located at https://server/owa


Steps to Acquire and Install SSL on Exchange 2007

There are several steps required to enable SSL correctly for Exchange Server 2007. The process is outlined below.

Generate the certificate request

  1. Open the Exchange Management Shell.
  2. Run the following command, replacing the DomainName and FriendlyName values with your own domain names and display name, and specifying the path for the CSR file (the itgroove-specific values in the command below are the ones you change).

New-ExchangeCertificate -GenerateRequest -DomainName webmail.itgroove.org,autodiscover.itgroove.org,autodiscover.itgroove.net,itgca1vmg01,itgca1vmg01.itgroove.org -FriendlyName webmail.itgroove.org -PrivateKeyExportable:$true -Path c:\webmail.itgroove.org_submit_to_QuoVadis.txt

Note: “DomainName” populates one or more domain names (FQDNs) or server names in the resulting certificate request; these become the Subject Alternative Name entries of the issued certificate. The private key is generated on this server and stays in its certificate store, so the issued certificate must later be imported on the same server.

Note: “FriendlyName” is used to specify a display name for the resulting certificate. The display name must be fewer than 64 characters.
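The same request, built as a script so the SAN list is defined once and the resulting CSR is checked before it leaves the server. This is an added example, not code from the original article: it assumes the Exchange 2007 Management Shell (PowerShell 1.0 plus the Exchange snap-in) on the Client Access server, and the -SubjectName value and the certutil check are my additions (the article uses only -DomainName and -FriendlyName).

```powershell
# Added example (not from the original article). Assumes the Exchange 2007
# Management Shell on the CAS server; -SubjectName and the certutil check are
# additions to the article's command, the names are the article's values.

$primary = "webmail.itgroove.org"
$sans = @(
    "webmail.itgroove.org",
    "autodiscover.itgroove.org",
    "autodiscover.itgroove.net",   # only needed when the SMTP domain differs from the OWA domain
    "itgca1vmg01",
    "itgca1vmg01.itgroove.org"
)
$csrPath = "C:\webmail.itgroove.org_submit_to_QuoVadis.txt"

# Generate the Base64 PKCS#10 request. Giving -SubjectName explicitly avoids
# relying on the cmdlet's default choice of CN; the CN must be a name clients use.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$primary, O=itgroove Professional Services Ltd" `
    -DomainName $sans `
    -FriendlyName $primary `
    -PrivateKeyExportable:$true `
    -Path $csrPath

# Sanity check before submitting: decode the request and confirm every SAN is
# present. certutil -dump reads Base64 PKCS#10 files and prints each entry of
# the Subject Alternative Name extension as "DNS Name=<name>".
$dump = certutil -dump $csrPath | Out-String
$missing = $sans | Where-Object { $dump -notmatch ("DNS Name=" + [regex]::Escape($_)) }
if ($missing) {
    Write-Warning ("CSR is missing SAN entries: " + ($missing -join ", "))
} else {
    Write-Host "CSR contains all $($sans.Count) SAN entries; submit $csrPath to QuoVadis"
}
```

A CSR that is missing a name cannot be fixed by the CA; regenerate it here rather than discovering the gap after the certificate is issued.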


Submit the request to QuoVadis to have the certificate generated

Go to http://www.quovadis.bm, start the SSL purchase process and submit the CSR you created in the previous step (the file is located at c:\webmail.itgroove.org_submit_to_QuoVadis.txt unless you specified something different). The file is a Base64-encoded request; paste its entire contents, including the BEGIN/END lines, into the CSR field.


Enable the certificate on the Default Web site

After your certificate has been generated by QuoVadis, you must import it and then enable it on the Default Web site. Import the certificate from the computer where the previous steps were run (that is where the matching private key lives). To import the certificate, do the following:

  1. Open the Exchange Management Shell.
  2. Run the following command: Import-ExchangeCertificate -Path c:\QV_Generated_Cert.cer
  3. Note: c:\QV_Generated_Cert.cer is the location and name of the certificate file provided by QuoVadis.


Copy the thumbprint of the certificate (the SHA-1 digest of the certificate data) to the clipboard by doing the following:

  1. Open the Exchange Management Shell.
  2. Run the following command: dir cert:\LocalMachine\My | fl
  3. Locate the certificate that you just imported by finding the one that matches FriendlyName from the cert generation step (in our example, webmail.itgroove.org). Then copy the Thumbprint property of that certificate to the Windows Clipboard.

Enable the certificate on the Default Web site:

  1. Open the Exchange Management Shell.
  2. Run the following command:

Enable-ExchangeCertificate -Thumbprint <value copied to the Clipboard> -Services "IIS,IMAP,POP"

Running Enable-ExchangeCertificate updates the certificate mapping, replacing the self-signed certificate that Exchange 2007 installs and configures for IIS, IMAP4 and POP3 by default.
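The import, lookup and enable steps above can be done without copying the thumbprint by hand, with a few checks in between that catch the common mistakes (picking the old self-signed cert, importing on a server that has no private key, a SAN that never made it onto the issued cert). This is an added example, not code from the original article; it assumes the Exchange 2007 Management Shell on the server that generated the CSR, and the FriendlyName and SAN list are the article's values.

```powershell
# Added example (not from the original article). Assumes the Exchange 2007
# Management Shell on the server that generated the CSR.

$friendly = "webmail.itgroove.org"
$required = @("webmail.itgroove.org", "autodiscover.itgroove.org",
              "autodiscover.itgroove.net", "itgca1vmg01", "itgca1vmg01.itgroove.org")

# Get-ExchangeCertificate returns the X509Certificate2 objects in LocalMachine\My.
$cert = Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq $friendly }
if (-not $cert) { throw "No certificate with FriendlyName '$friendly' in LocalMachine\My" }
if (@($cert).Count -gt 1) { throw "Several certificates carry FriendlyName '$friendly'; pass -Thumbprint explicitly" }

# Pre-flight checks before anything is rebound.
if ($cert.Subject -eq $cert.Issuer) { throw "This certificate is self-signed, not the QuoVadis-issued one" }
if (-not $cert.HasPrivateKey)      { throw "No private key: import the .cer on the server that generated the CSR" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# Read the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
# X509Extension.Format($true) renders each entry on its own line as "DNS Name=<name>".
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$names = @()
if ($sanExt) {
    $names = $sanExt.Format($true).Split("`n") |
        ForEach-Object { if ($_.Trim() -match '^DNS Name=(.+)$') { $matches[1].Trim() } }
}
$missing = $required | Where-Object { $names -notcontains $_ }
if ($missing) { throw ("Issued certificate lacks SAN entries: " + ($missing -join ", ")) }

# Bind it. This replaces the self-signed default for IIS, IMAP4 and POP3.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,IMAP,POP"

# Confirm which services Exchange now maps to this certificate.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Thumbprint, Subject, Services, NotAfter
```

The Services column of the final listing should read IMAP, POP, IIS for the new certificate and no longer for the self-signed one; POP3 and IMAP4 only pick the new binding up after their services are restarted (see the end of the next section).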


Require the Client Access server virtual directories to use SSL

By default, the Default Web site in IIS is configured to require SSL for all virtual directories except the Offline Address Book virtual directory. However, each Client Access feature has its own virtual directory, and additional ones can be created, so you must confirm that every virtual directory you use is configured to require SSL.

The Client Access virtual directories are as follows:

  1. Outlook Web Access 2007 virtual directory: owa
  2. Outlook Web Access 2003 and WebDAV virtual directories: exchange and public
  3. Exchange ActiveSync virtual directory: Microsoft-Server-ActiveSync
  4. Outlook Anywhere virtual directory: Rpc
  5. Autodiscover virtual directory: Autodiscover
  6. Exchange Web Services virtual directory: EWS
  7. Unified Messaging virtual directory: UnifiedMessaging
  8. Offline Address Book virtual directory: OAB

For each of the Client Access virtual directories listed above that you will use, open Internet Information Services (IIS) Manager and follow these steps:

  1. Under Default Web site, select the virtual directory that you want, for example, “owa“.
  2. Right-click the virtual directory, and then click “Properties”.
  3. Click the “Directory Security” tab.
  4. In the “Secure Communications” section, click “Edit”.
  5. In the “Secure Communications” dialog box, make sure that both the “Require secure channel (SSL)” check box and the “Require 128-bit encryption” check box are selected.
  6. Click “OK” to save your changes.

Finally, restart the POP3 and IMAP4 services so they pick up the new certificate binding: open the Services administrative tool, right-click “Microsoft Exchange POP3” and then “Microsoft Exchange IMAP4”, and click “Restart” for each. IIS does not have to be restarted. Alternatively, restart the server.
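Clicking through eight Properties dialogs is error-prone, and the "Require SSL" state is easy to audit from the metabase instead. The following added example (not code from the original article) reads the AccessSSL and AccessSSL128 flags of each Client Access virtual directory through the IIS WMI provider, optionally enforces them, and then restarts POP3/IMAP4 as the last step above describes. It assumes IIS 6 on Windows Server 2003 (the root\MicrosoftIISv2 namespace), that the Default Web Site is site ID 1, and the virtual directory names from the list above; trim $vdirs to the ones you actually use.

```powershell
# Added example (not from the original article). Assumes IIS 6 (root\MicrosoftIISv2
# WMI provider), Default Web Site = W3SVC/1, run from an elevated Exchange shell.

$siteRoot = "W3SVC/1/ROOT"
$vdirs = @("owa", "exchange", "public", "Microsoft-Server-ActiveSync",
           "Rpc", "Autodiscover", "EWS", "UnifiedMessaging", "OAB")
$enforce = $false   # set to $true to switch on "Require SSL" + 128-bit where missing

# One WMI query for all vdir settings; Name looks like "W3SVC/1/ROOT/owa".
$all = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebVirtualDirSetting

foreach ($vd in $vdirs) {
    $setting = $all | Where-Object { $_.Name -eq "$siteRoot/$vd" }
    if (-not $setting) { Write-Warning "${vd}: not found under $siteRoot"; continue }

    # AccessSSL = "Require secure channel (SSL)", AccessSSL128 = "Require 128-bit encryption"
    $ok = $setting.AccessSSL -and $setting.AccessSSL128
    $state = "FIX "
    if ($ok) { $state = "OK  " }
    Write-Host ("{0} {1,-28} RequireSSL={2} Require128={3}" -f $state, $vd, $setting.AccessSSL, $setting.AccessSSL128)

    if (-not $ok -and $enforce) {
        $setting.AccessSSL = $true
        $setting.AccessSSL128 = $true
        $setting.Put() | Out-Null        # writes the change back to the metabase
        Write-Host "     -> SSL now required on $vd"
    }
}

# Last step of the procedure: POP3/IMAP4 re-read their certificate binding on restart.
# Only restart the ones that are running (both are disabled by default in Exchange 2007).
Get-Service MSExchangePOP3, MSExchangeIMAP4 |
    Where-Object { $_.Status -eq "Running" } |
    Restart-Service
```

Run it once in report mode after the GUI changes; any line marked FIX is a directory that still accepts plain HTTP, which is exactly the gap a client on a hotel network would be exposed through.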


Ensure Client Access Settings Are Correct

Finally, it is important to set or verify the URLs in use under ‘Client Access’ in the ‘Server Configuration’ section of the Exchange Management Console. Every hostname used in these URLs must be one of the names on the certificate, or clients will receive certificate name-mismatch warnings.

  1. Open the Exchange Management Console
  2. Go to the ‘Outlook Web Access’ tab and select the ‘owa’ virtual directory
  3. Validate, or change to match, the Internal and External URLs on the General tab (in our example both are set to https://webmail.itgroove.org/owa)
  4. Perform the same actions for the other services you are using, including:
  • Exchange ActiveSync
  • Offline Address Book Distribution
  • POP3 and IMAP4
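The same settings can be applied and audited from the Exchange Management Shell, which also makes it easy to check that every configured URL host is actually on the certificate. This is an added example, not code from the original article; it assumes the Exchange 2007 Management Shell, the article's server name itgca1vmg01, the primary URL https://webmail.itgroove.org, the standard "server\vdir (Default Web Site)" identities, and the SAN list from earlier in the article.

```powershell
# Added example (not from the original article). Assumes the Exchange 2007
# Management Shell; server, URL and certificate names are the article's values.

$server = "itgca1vmg01"
$base   = "https://webmail.itgroove.org"
$site   = "Default Web Site"

# Point OWA, ActiveSync and OAB at the certificate's primary name, inside and out.
Set-OwaVirtualDirectory        -Identity "$server\owa ($site)" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync ($site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory        -Identity "$server\OAB ($site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"

# POP3/IMAP4 select their certificate by name, so X509CertificateName must be a
# name present on the certificate that was enabled for the POP and IMAP services.
Set-PopSettings  -Server $server -X509CertificateName "webmail.itgroove.org"
Set-ImapSettings -Server $server -X509CertificateName "webmail.itgroove.org"

# Audit: every URL host must be on the certificate, or clients get name-mismatch errors.
$certNames = @("webmail.itgroove.org", "autodiscover.itgroove.org",
               "autodiscover.itgroove.net", "itgca1vmg01", "itgca1vmg01.itgroove.org")
$urls = @()
$urls += Get-OwaVirtualDirectory        -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory        -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }

foreach ($u in ($urls | Where-Object { $_ })) {
    $hostName = ([System.Uri]$u).Host
    if ($certNames -contains $hostName) { Write-Host "OK          $u" }
    else { Write-Warning "NOT ON CERT $u" }
}
```

The Set-PopSettings / Set-ImapSettings changes, like the certificate binding itself, only take effect after the Microsoft Exchange POP3 and IMAP4 services are restarted.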