How to enable OWA with SSL and get it right the first time.

 

Shijaz Abdulla, MVP

www.shijaz.com/exchange

 

This article will guide you on how to enable Outlook Web Access (OWA 2003) with SSL using your own Certification Authority (CA). By using your own CA, you are making your own certificates and you do not need to spend money on a third party SSL certificate.

 

Step 1:         Configure the Certification Authority

 

1.    Identify a server to be used as the Certification Authority. This can be any member server on the domain. You could even put it on your Exchange Server. If you already have a CA on one of your servers, proceed to Step 2.

 

2.    Install IIS on the server where you want to install the CA. (Control Panel → Add/Remove Programs → Windows Components → Application Server → Internet Information Services (IIS).)

 

If you are installing CA on your Exchange server, you already have IIS installed.

 

3.    Install the Certification Authority component. From Control Panel, choose Add/Remove Programs.

 

4.    Select Add/Remove Windows Components. Select Application Server and choose Details. Put a check mark next to Certificate Services. Click Next.

 

5.    You will see a warning indicating that domain membership should not be changed once certificate services is installed. Click Yes to continue.

 

6.    Choose Enterprise root CA. Click Next.

 

7.    Enter the Common name for the CA, which will be the host name of the server. Click Next.

 

 

8.    In the next screen, leave the defaults, which would be fine under most circumstances.

 

 

9.    Click Next. Certification Authority will be installed.

 

 

 

Step 2:         Create a request for a certificate

 

 

1.    Click Start → Administrative Tools → Internet Information Services (IIS) Manager.

 

2.    Expand Websites. Right click on Default Web site and select Properties.

 

3.    On the Directory Security tab, under Secure Communications, click Server Certificate.

 

 

4.    Choose Create a new Certificate and click Next.

 

 

 

5.    Select Prepare the request now, but send it later and click Next.

 

6.    Select Prepare the request now, but send it later and click Next.

 

 

7.    Enter a name for the new certificate. Click Next.

 

 

8.    Enter an Organization name and an Organizational Unit name. Click Next.

 

 

9.    Enter a common name for your server. This should be the FQDN. It is very important that this information is entered correctly. Click Next.

 

10.  Enter your Country, State and other information. Click Next.

 

 

11.  Enter a path where your certificate request should be created. Click Next. You will be shown a summary. Click Finish.

 

Step 3:         Requesting the certificate

 

 

1.    Open Internet Explorer.

 

2.    In the address bar, type http://servername/certsrv, where servername is the host name of your CA server.

 

3.    This will open the CA website. (If you are prompted for a username and password, use the domain administrator credentials.) If the website is blocked in Windows 2003, add it to your trusted sites.

 

 

 

4.    Click Request a certificate.

 

 

5.    Click advanced certificate request.

 

 

6.    Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

 

 

7.    Open the CERTREQ.TXT file that was created in Step 2. Copy its contents to the clipboard and paste it in the text box provided (see screenshot).

 

8.    Under Certificate Template, select Web Server. Click Submit.

 

9.    On the next page, select Base 64 encoded and click Download certificate. Save it to a location on the server’s local drive as certnew.cer.

 

Step 4:         Using the certificate on the OWA website

 

1.    Click Start → Administrative Tools → Internet Information Services (IIS) Manager.

 

2.    Expand Websites. Right click on Default Web site and select Properties.

 

3.    On the Directory Security tab, under Secure Communications, click Server Certificate.

 

4.    Choose Process the pending request and install the certificate. Click Next.

 

 

 

5.    Enter the path to the certnew.cer file you saved in Step 3. Click Next.

 

 

 

6.    Enter the SSL port (443).

 

7.    View the summary and click Finish.

 

Step 5:         Enabling SSL on the OWA website

 

1.    Click Start → Administrative Tools → Internet Information Services (IIS) Manager.

 

2.    Expand Websites. Right click on Default Web site and select Properties.

 

3.    On the Directory Security tab, under Secure Communications, click Edit.

 

 

4.    Put a check mark next to Require secure channel (SSL) and Require 128-bit encryption. Click OK.

 

5.    You might get a message asking whether you want to propagate these settings to all child items. Make sure that the “Require secure channel” setting is not selected for the ExAdmin virtual folder. (If it is selected, you will have problems accessing your public folders; for more information, see Microsoft KB article 324345.)

 

Step 6:         Testing OWA

 

1.    From a connected machine, open Internet Explorer.

 

2.    Visit the page https://servername/exchange, where servername is the name of your Exchange server. (Note that it is httpS, not http.)

 

3.    You will get a warning like the one below. You can safely ignore this warning.

 

 

4.    You will be prompted for your mailbox credentials. If you have enabled forms-based authentication, you will be presented with the OWA 2003 web form for username and password.

 

5.    Once you enter the credentials, you will have access to your mailbox.
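
The common name entered in Step 2, item 9 is what a client compares against the host part of the URL typed in Step 6, so a short host name in the URL will not match an FQDN in the certificate. The following is an added example, not part of the original article: it reports name and validity-period mismatches for a certificate and validates the chain against an exported CA certificate. The host name `mail.example.com`, the `SAMPLE_CERT` data and the `ca_file` path are assumptions.

```python
# Added example: which checks would a client fail for a given OWA URL?
import socket
import ssl
import time

# Constructed sample in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "mail.example.com"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def cert_names(cert):
    """DNS names the certificate covers: SAN entries if present, else CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return [n.lower() for n in (sans or cns)]


def diagnose(url_host, cert, now=None):
    """Return the reasons a client would warn; an empty list means none.

    Exact name match only; wildcard certificate names are not handled.
    """
    now = time.time() if now is None else now
    problems = []
    if url_host.lower().rstrip(".") not in cert_names(cert):
        problems.append("name-mismatch")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("outside-validity-period")
    return problems


def fetch_cert(host, ca_file, port=443):
    """Fetch the server certificate, validating the chain against ca_file.

    Raises ssl.SSLCertVerificationError if the chain does not lead to the
    CA in ca_file. Name checking is left to diagnose() so that a mismatch
    is reported instead of aborting the connection.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

To check a live server, pass the result of `fetch_cert(host, ca_file)` to `diagnose(host, cert)`, where `ca_file` is the CA certificate exported in Base 64 (PEM) form.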

 

 

 

Disclaimer

 

The steps mentioned in this article are the results of testing in a lab environment. The procedure might require additional testing before being deployed in a live environment. I assume no responsibility for damage(s) occurring due to following this procedure or any other procedure listed on this site. Use it at your own risk!