I need some help with certificates, OWA's and Exchange 2007

jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

I need some help with certificates, OWA's and Exchange 2007

Post by jfults2000 »

As the title states, I am in need of help on a certificate issue. I work for a small 13 person company and tackle the IT issues when they arise. I do not have an IT background but I am learning quickly. If anyone could help me out I would really appreciate it.

Whenever we open our Outlook we have to click 'OK' on two screens that warn us about security and certificates. Whenever we access our OWA from inside or outside the domain we get a certificate error. Or even if I go to our firewall's GUI 'https://192.168.1.1' I get a warning about a certificate error.

What is going on here?? Please help.
itrsteez
Half way to a cool title.
Posts: 2371
Joined: September 5th, 2006, 9:39 pm
Location: Strip Club Capital, North Carolina

Re: I need some help with certificates, OWA's and Exchange 2

Post by itrsteez »

I replied on tkh, but essentially you have to request certs for that server. I'm not sure if you're running OWA and Exchange on the same box or not.

Certificates can get confusing but this sounds like a straightforward one.

For internal users you could stand up a certificate authority internally, make it a trusted root authority via group policy on all workstations and request/approve/import the certificate.

But since you have OWA I would request them from a public certificate authority such as Verisign or something of the likes.
WTB: Gunmetal USDM ITR Wheels
Dave-ROR
Site Admin
Posts: 1023
Joined: September 11th, 2002, 1:42 pm
Location: At Helltrack doing backflips

Re: I need some help with certificates, OWA's and Exchange 2

Post by Dave-ROR »

What Steve said. I'd also suggest the public CA. We use Digicert now instead of Verisign for ours.
-Dave
Some DC2s and a pimp Grand Marquis
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

What is a public CA??
itrsteez
Half way to a cool title.
Posts: 2371
Joined: September 5th, 2006, 9:39 pm
Location: Strip Club Capital, North Carolina

Re: I need some help with certificates, OWA's and Exchange 2

Post by itrsteez »

jfults2000 wrote: What is a public CA??
Places like Verisign, GoDaddy, etc...
WTB: Gunmetal USDM ITR Wheels
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

I see, I continued this issue on htkh by the way.
itrsteez
Half way to a cool title.
Posts: 2371
Joined: September 5th, 2006, 9:39 pm
Location: Strip Club Capital, North Carolina

Re: I need some help with certificates, OWA's and Exchange 2

Post by itrsteez »

Yeah, I caught that. And I do apologize that you have to deal with certs if IT work isn't your primary function, I've been doing this shit for years and cringe when I have to do certificate nonsense.
WTB: Gunmetal USDM ITR Wheels
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

It is just the tip of the iceberg my friend. I am halfway through a BESX install that I'm stuck on, and a few months ago the owner dropped off a SonicWall firewall on my desk and said here, get this going. It is way different than the Linksys and WatchGuard I set up before. I am about 90% done setting the SonicWall up and I'm stuck.

So I have more questions if I ever get through this certificate shit. :) Thanks again for all the help.
Dave-ROR
Site Admin
Posts: 1023
Joined: September 11th, 2002, 1:42 pm
Location: At Helltrack doing backflips

Re: I need some help with certificates, OWA's and Exchange 2

Post by Dave-ROR »

I administered and implemented SonicWALLs for years (Pro 4060s with the Enhanced OS). PM me or email me (dave-at-itrca.com) with any questions you have and I'll try to remember all of that stuff. I've been using Cisco ASAs now for a while instead so unfortunately I don't have a working SonicWall to go through the screens, but I'll do my best from memory.

Since I don't visit tekh, don't bother PMing there :P Steve got you through the SSL stuff I assume?
-Dave
Some DC2s and a pimp Grand Marquis
Dave-ROR
Site Admin
Posts: 1023
Joined: September 11th, 2002, 1:42 pm
Location: At Helltrack doing backflips

Re: I need some help with certificates, OWA's and Exchange 2

Post by Dave-ROR »

Oh, and no experience with blackberry stuff here, we use Good Messaging instead and use non-BB devices (generally Palm phones with Windows Mobile, although likely switching to iPhone 4th gens and/or androids in June/July...)
-Dave
Some DC2s and a pimp Grand Marquis
itrsteez
Half way to a cool title.
Posts: 2371
Joined: September 5th, 2006, 9:39 pm
Location: Strip Club Capital, North Carolina

Re: I need some help with certificates, OWA's and Exchange 2

Post by itrsteez »

Phew, I'm of no help on the FW side, I do a little bit of IronPort proxy/SMTP gateway stuff and our network guys handle our actual firewalls... Also worthless with the BBs. LOL, I think we're moving to iPhones too... the boss made a mention of how he liked them and then everybody starts scrambling figuring out how to get it done. But I'm sure if he requested a rocket pack there would be a prototype developed by lunch, that's the power of being a 3 star equivalent and a SEAL.

I should be able to get him squared away with the cert stuff, or at least in the correct direction; it's hard to do when not in person. I put up all of the PowerShell request commands on tkh, fortunately it was fresh in my brain as I just had to request 12 the other day.
WTB: Gunmetal USDM ITR Wheels
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

I do really appreciate all your guys' help. I had one more question over on tkh that hopefully Steve can answer and I'll run the command in PowerShell. Once the cert issue is over then I'll tackle the SonicWall issue. We are using a TZ200 and my main issue right now is getting my OWA accessible from outside the domain. I have the CRM accessible from the outside with a NAT but for some reason the OWA will not work.
Dave-ROR
Site Admin
Posts: 1023
Joined: September 11th, 2002, 1:42 pm
Location: At Helltrack doing backflips

Re: I need some help with certificates, OWA's and Exchange 2

Post by Dave-ROR »

Are you accessing the Exchange server directly, or using an app proxy like ISA? Assuming you are accessing the Exchange server directly, you'll need address objects set up for the LAN (private) IP and the WAN (public) IP, NAT rules inbound and outbound for the required services (HTTPS [tcp 443]) for OWA with SSL, NAT rule for firewalled subnets, and then an access rule for WAN->LAN for src any, dest OWA private (or public, can't remember which it liked anymore), services HTTPS.

The easiest with those devices is just to use the public server wizard. If that still fails, do the following tests:
1. Test OWA access through the private IP address.
2. Test OWA access from the LAN to the public IP address.
3. Test OWA access from the outside to the public IP address.

Depending on that information, you'll likely have to install a sniffer to see where the traffic starts to fail. PM me the public IP for OWA if you want me to test it from outside. Also, you are NATing to a different IP that's currently not used by anything else correct? Especially one that's different from the public IP address used by the firewall?
-Dave
Some DC2s and a pimp Grand Marquis
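
Added example, not part of Dave-ROR's post: one way to run the three tests listed above without a browser, so a certificate warning cannot be confused with a blocked port. The names `probe`, `diagnose` and `HINTS`, and the mapping from results to hints, are assumptions made for this sketch.

```python
import socket
import ssl
import sys

def probe(host, port=443, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'tls' or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))      # nothing answered: NAT, access rule or routing
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # reachability test only: the certificate is
    ctx.verify_mode = ssl.CERT_NONE   # fetched for inspection, never trusted here
    try:
        with ctx.wrap_socket(sock) as tls:
            der = tls.getpeercert(binary_form=True)
    except OSError as exc:            # ssl.SSLError and timeouts are OSError subclasses
        return ("tls", str(exc))      # port is open but no TLS handshake completed
    return ("ok", "server presented a %d-byte certificate" % len(der))

# Hypothetical hint table: where to look first for each outcome.
HINTS = {
    "server": "OWA does not answer on its private IP; fix the server first",
    "inbound": "outside cannot reach the public IP; check inbound NAT and WAN->LAN rule",
    "loopback": "LAN cannot reach the public IP; check the firewalled-subnets NAT rule",
    "path-ok": "tcp 443 works everywhere; remaining warnings are certificate issues",
}

def diagnose(private_lan, public_lan, public_wan):
    """Combine the stage strings from tests 1, 2 and 3 into one HINTS key."""
    if private_lan != "ok":
        return "server"
    if public_wan != "ok":
        return "inbound"
    if public_lan != "ok":
        return "loopback"
    return "path-ok"

if __name__ == "__main__":
    # Run from the LAN for tests 1 and 2, and from an outside host for test 3,
    # passing the private or public IP of the OWA server as arguments.
    for target in sys.argv[1:]:
        print(target, *probe(target))
```

A `tcp` result means the connection never reached a listener, which no certificate change will fix; an `ok` result means the port forwarding works and whatever warning the browser shows concerns the certificate's name or issuer.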
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

I will have to get back to you on all this. We have it set up just like the functioning CRM NAT.
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

The OWA works from inside the domain; it is access from outside the domain through the public IP that we are having an issue with. I will try and get some screenshots of the setup to help out.
itrsteez
Half way to a cool title.
Posts: 2371
Joined: September 5th, 2006, 9:39 pm
Location: Strip Club Capital, North Carolina

Re: I need some help with certificates, OWA's and Exchange 2

Post by itrsteez »

jfults2000 wrote: The OWA works from inside the domain; it is access from outside the domain through the public IP that we are having an issue with. I will try and get some screenshots of the setup to help out.
I can understand its failure right now.... get those certs issued and we'll see what happens.
WTB: Gunmetal USDM ITR Wheels
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

itrsteez wrote:
jfults2000 wrote: The OWA works from inside the domain; it is access from outside the domain through the public IP that we are having an issue with. I will try and get some screenshots of the setup to help out.
I can understand its failure right now.... get those certs issued and we'll see what happens.
The thing is the OWA works fine outside the domain with our current Linksys firewall but when I switch over to the SonicWall it fails.
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

Here are the Address objects I set up for Public and Private IPs
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

Currently this firewall is not in place because it is not fully functional so we cannot test it right now. I make changes during the day then come in early in the morning to switch to the SonicWall and see if the changes work.

current linksys setup
Dave-ROR
Site Admin
Posts: 1023
Joined: September 11th, 2002, 1:42 pm
Location: At Helltrack doing backflips

Re: I need some help with certificates, OWA's and Exchange 2

Post by Dave-ROR »

Josh, I'm going to email you. I removed your images from your post.
-Dave
Some DC2s and a pimp Grand Marquis
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

Ok, I wondered if it was safe or not.
Dave-ROR
Site Admin
Posts: 1023
Joined: September 11th, 2002, 1:42 pm
Location: At Helltrack doing backflips

Re: I need some help with certificates, OWA's and Exchange 2

Post by Dave-ROR »

I doubt it's a big concern here, but no reason to leave them up. I just sent you a fairly large email :P
-Dave
Some DC2s and a pimp Grand Marquis
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

Received and responded.
Dave-ROR
Site Admin
Posts: 1023
Joined: September 11th, 2002, 1:42 pm
Location: At Helltrack doing backflips

Re: I need some help with certificates, OWA's and Exchange 2

Post by Dave-ROR »

:thumbup: :)
-Dave
Some DC2s and a pimp Grand Marquis
jfults2000
New ITRCA Member
Posts: 40
Joined: August 12th, 2005, 11:56 am

Re: I need some help with certificates, OWA's and Exchange 2

Post by jfults2000 »

I don't know how I got signed up for this shit.