Category Archives: SSL

Redirect Exchange OWA to default site and force SSL in Exchange 2010

Redirecting OWA to the default site and forcing SSL is useful if you have those one or two users who can't seem to remember to add the https:// or the /owa to the Exchange OWA URL.

Doing this via IIS Manager can be time-consuming and tricky, so below is the script I came across (by Mark Smith) which does it for you: create a batch file with the script and run it once. The only thing you need to modify is https://mail.domain.com/owa

——-
rem Run once from an elevated command prompt on the CAS. Takes an IIS config backup first.
c:
cd \Windows\System32\inetsrv

appcmd.exe ADD Backup "OWA REDIRECT BACKUP 01"

rem Redirect requests for the site root only (childonly) to the HTTPS OWA URL.
appcmd set config "default web site" -section:httpRedirect /childonly:true /enabled:true
appcmd set config "default web site" -section:system.webServer/httpRedirect -destination:"https://mail.domain.com/owa"

rem Switch the inherited redirect off again on every Exchange virtual directory.
appcmd set config "default web site/Aspnet_Client" -section:httpRedirect /enabled:false
appcmd set config "default web site/Autodiscover" -section:httpRedirect /enabled:false
appcmd set config "default web site/ECP" -section:httpRedirect /enabled:false
appcmd set config "default web site/EWS" -section:httpRedirect /enabled:false
appcmd set config "default web site/Exchange" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/Exchweb" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/Microsoft-Server-ActiveSync" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/OAB" -section:httpRedirect /enabled:false
appcmd set config "default web site/OWA" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/PowerShell" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/Public" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/Rpc" -section:httpRedirect /enabled:false
appcmd set config "default web site/RpcWithCert" -section:httpRedirect /enabled:false

rem The site root must accept plain HTTP, otherwise the redirect never fires.
appcmd set config "default web site" -section:access -sslflags:"" -commit:apphost

rem Require 128-bit SSL on the client-facing virtual directories.
appcmd set config "Default Web Site/Aspnet_Client" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Autodiscover" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/EWS" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/ECP" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Exchange" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Exchweb" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Microsoft-Server-ActiveSync" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/OWA" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
rem PowerShell and OAB are left without SSL required, matching the Exchange 2010 defaults for these two.
appcmd set config "default web site/PowerShell" -section:access -sslflags:"" -commit:apphost
appcmd set config "default web site/OAB" -section:access -sslflags:"" -commit:apphost
appcmd set config "Default Web Site/Public" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Rpc" -section:access -sslFlags:Ssl -commit:apphost
appcmd set config "Default Web Site/RpcWithCert" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost

rem Let authenticated users read the OAB web.config.
cacls "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\web.config" /E /P "NT Authority\Authenticated Users":R

iisreset
——
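A read-back check to run after the script (and again after Exchange rollups, which can reset these settings). This is an added example, not part of the original post or Mark Smith's script; it assumes IIS 7+ on the CAS and an elevated PowerShell session, and uses appcmd's XML output rather than the WebAdministration module.

```powershell
# Added example: audits the end state the batch script above is meant to leave on
# "Default Web Site" and reports every virtual directory that has drifted from it.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'

# Expected sslFlags per virtual directory, taken from the script above.
$expected = @{
    'Aspnet_Client' = 'Ssl,Ssl128'; 'Autodiscover' = 'Ssl,Ssl128'; 'EWS'     = 'Ssl,Ssl128'
    'ECP'           = 'Ssl,Ssl128'; 'Exchange'     = 'Ssl,Ssl128'; 'Exchweb' = 'Ssl,Ssl128'
    'Microsoft-Server-ActiveSync' = 'Ssl,Ssl128';  'OWA' = 'Ssl,Ssl128'; 'Public' = 'Ssl,Ssl128'
    'Rpc'           = 'Ssl';        'RpcWithCert'  = 'Ssl,Ssl128'
    'PowerShell'    = '';           'OAB'          = ''        # these two stay plain HTTP
}

function Get-SectionNode([string]$path, [string]$section, [string]$node) {
    # appcmd prints the effective section as XML; parse it instead of scraping text.
    $out = & $appcmd list config "$path" "/section:$section"
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed for $path ($section): $out" }
    ([xml]($out -join "`n")).SelectSingleNode("//$node")
}

$drift = @()
foreach ($vdir in $expected.Keys) {
    $path  = "$site/$vdir"
    $acc   = Get-SectionNode $path 'system.webServer/security/access' 'access'
    $redir = Get-SectionNode $path 'system.webServer/httpRedirect' 'httpRedirect'
    # appcmd prints "Ssl, Ssl128" with a space and shows an empty flag set as "None".
    $flags = ($acc.sslFlags -replace '\s', '') -replace '^None$', ''
    if ($flags -ne $expected[$vdir]) {
        $drift += "$path : sslFlags is '$flags', expected '$($expected[$vdir])'"
    }
    if ($redir.enabled -eq 'true') {
        $drift += "$path : httpRedirect is still enabled (would loop back to the OWA URL)"
    }
}

# The site root itself must redirect, child-only, to an https:// destination.
$root = Get-SectionNode $site 'system.webServer/httpRedirect' 'httpRedirect'
if ($root.enabled -ne 'true' -or $root.childOnly -ne 'true' -or $root.destination -notmatch '^https://') {
    $drift += "$site : root redirect is not enabled child-only to an https destination (got '$($root.destination)')"
}

if ($drift) { $drift | ForEach-Object { Write-Warning $_ }; exit 1 }
'OWA redirect and SSL settings match the script.'
```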

Invalid Fully Qualified Domain Names no longer accepted as Subject Alternative Names (SANs) in SSL certificates

After a recent legislation change, CAs will no longer accept invalid fully qualified domain names such as .local or servername.local as Subject Alternative Names for SSL certificates expiring after 1 November 2015. If you already have such an SSL certificate, it will be revoked after this date.
I noticed this when renewing a 5-year SSL certificate with GoDaddy: it gives an error when you have Subject Alternative Names like .local, servername or servername.local.

As we all know, if you use Exchange 2007/2010 you probably use an internal server name and an external name in your Exchange service URLs, such as Autodiscover. If you don't add the internal name to your SAN, you get the dreaded certificate mismatch error in Outlook:

“The name of the security certificate is invalid or does not match the name of the site”

Workaround:

To get around this issue, simply change the internal URLs to the external ones. For example, if your internal name is servername.local, change it to mail.contoso.com in the URLs. Once this is done, create a DNS zone for contoso.com on your internal DNS and add a host record for mail pointing to the Exchange server's internal IP address, so that internal Autodiscover still works after the change.
The following needs to be done for Exchange 2007 via PowerShell:

  1. Start the Exchange Management Shell.
  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in Active Directory. To modify this URL, type the following command and then press ENTER:
    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
    Set-OABVirtualDirectory -Identity "CAS_Server_Name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
  5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
    Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

    Note: This command is required only in an Exchange 2007 environment. It no longer exists in Exchange 2010, where the WebServices URL is used for this purpose instead.
  6. Open IIS Manager.
  7. Expand the local computer, and then expand Application Pools.
  8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.


The same for Exchange 2010:

  1. Start the Exchange Management Shell.
  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in Active Directory. To modify this URL, type the following command and then press ENTER:
    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
    Set-OABVirtualDirectory -Identity "CAS_Server_Name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
  5. Open IIS Manager.
  6. Expand the local computer, and then expand Application Pools.
  7. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
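Before and after making the changes above it helps to see every URL Outlook learns through Autodiscover in one list, with the ones a public CA will refuse to put on the certificate flagged. This is an added example, not part of the original post; it runs in the Exchange Management Shell on Exchange 2010 (drop Get-EcpVirtualDirectory on 2007, where the UM directory from step 5 would be added instead), and the names in $publicNames are placeholders for whatever will be on your certificate.

```powershell
# Added example: report each Exchange service URL and whether its host name can be
# covered by a public SAN certificate (a name on your list, not a short or .local name).
$publicNames = 'mail.contoso.com', 'autodiscover.contoso.com'   # placeholder SAN list

function Test-PublicHost([string]$Url) {
    if ([string]::IsNullOrEmpty($Url)) { return $true }    # URL not set: nothing to match
    $h = ([uri]$Url).Host
    # A single label (servername) or a .local name is exactly what CAs now reject;
    # anything else must still be one of the names on the certificate.
    if ($h -notmatch '\.' -or $h -match '\.local$') { return $false }
    return [bool]($publicNames -contains $h)
}

function New-UrlRow($server, $vdir, $kind, $url) {
    New-Object PSObject -Property @{
        Server = $server; Vdir = $vdir; Kind = $kind; Url = $url; Ok = (Test-PublicHost $url)
    }
}

function Get-ExchangeUrlReport {
    $rows = @()
    # The SCP URL from step 2 above.
    foreach ($cas in Get-ClientAccessServer) {
        $rows += New-UrlRow $cas.Name 'Autodiscover SCP' 'Internal' ([string]$cas.AutoDiscoverServiceInternalUri)
    }
    # Internal and external URL of every virtual directory Outlook and mobile clients use.
    $cmds = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
            'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
    foreach ($cmd in $cmds) {
        foreach ($vd in (& $cmd)) {
            foreach ($kind in 'InternalUrl', 'ExternalUrl') {
                $rows += New-UrlRow $vd.Server $vd.Identity $kind ([string]$vd.$kind)
            }
        }
    }
    $rows
}

$report = Get-ExchangeUrlReport
# Anything listed here still points at a name the renewed certificate cannot carry.
$report | Where-Object { -not $_.Ok } | Format-Table Server, Vdir, Kind, Url -AutoSize
```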

Replacing a 1024 bit SSL certificate with a 2048 bit or higher without downtime

As most Certificate Authorities now only issue certificates with a 2048-bit or larger key, you run into a problem when IIS is using a 1024-bit certificate: generating a CSR for renewal produces a 1024-bit CSR, and the usual way around it is to remove the production SSL certificate and start from scratch. That affects anything running on 443, and of course dependencies like Outlook Anywhere stop functioning.

With this method you can increase the key size of your certificate without any downtime to your website by creating a temporary website.

Creating a Temporary Website

In the Internet Information Services (IIS) Manager window, right-click on the Web Sites folder and select New and then Web Site from the drop-down menu.

The Web Site Creation Wizard will appear. In that new window, click on Next.

On the next screen, type in “Temporary” into the Description field. Once you have done that, click on Next.

At the IP Address and Port Settings screen, leave the defaults and click on the Next button.

In the Web Site Home Directory screen, click on the Browse folder and navigate to the Inetpub folder. Once selected, click on the Next button.

The next screen shows the Web Site Access Permissions. Uncheck all of the boxes and click on Next.

At the final screen click on the Finish button.

Back in the Internet Information Services (IIS) Manager window, right-click on the Temporary website and select Stop from the drop down menu.

Creating a CSR for Temporary site

Right-click on the temporary website and click on Properties from the drop down menu.

A new window will appear. In that new window, click on the Directory Security tab at the top.
In the same window, you will see three sections. The bottom section named Secure communications has three buttons.

Click on the Server Certificate… button.
The IIS Certificate Wizard appears.

Select the circle Create a new certificate, and click on Next.

On the next step on the Wizard, select the circle, Prepare the request now, but send it later and click on Next.

At the next step in the Wizard, enter in a Name for your certificate. In the field where you see Bit length: select 2048 from the drop down. Leaving the other two check boxes unchecked, select Next.

On the next screen, enter the full legal name of the company to which the certificate belongs in the Organization field. In the Organizational unit field, enter the department of the organization, such as "IT" or "Marketing". Click on Next.

At the next screen, you will need to enter in your FQDN (fully qualified domain name) of your website in the field named Common name. It looks like “secure.example.com” or “example.com”. Click on Next.

On the next screen, select the country of your organization from the Country/Region drop-down. Then type in the State/province of that country, and the city within that state in the City/locality field. Once you have done that, click on Next.

At the next step of the Wizard, you will need to specify where to save the CSR text file that will be created. To change the location, you should click on the Browse… button. After you have selected a location, click on the Next button.

At the final screen, you will see a summary of all the certificate details that you have created. Click on Next to generate the CSR file.
Note: When you have generated a CSR file, you will have a pending request held for this website. If this pending request is deleted before a certificate response can be installed, the set of private keys that were created will be deleted as well. This will render the CSR file and the certificate response useless, including during installation.

Paste this CSR on your CA and generate and download the SSL certificate.

Installing the certificate onto Temporary

Right-click on the Temporary website and click on Properties from the drop down menu.

A new window will appear. In that new window, click on the Directory Security tab at the top. In the same window, you will see three sections. The bottom section named Secure communications has three buttons.

Click on the Server Certificate… button.

A wizard appears. Click on Next.

On the next screen, select the option, Process the pending request and install the certificate. Click on Next.
Note: If you do not see this option, this could mean that the CSR may have been deleted. If this is the case, then the certificate file cannot be used and the process may have to be restarted.

At the next step of the wizard, you must click on browse and navigate to the .crt that was supplied to you by QuoVadis.
Note: By default, the IIS Certificate Wizard looks for files with the extension of .cer. In order for it to accept the .crt file, you will need to drop the File of type: field down to look for All files and the .crt file should appear. Once you can see it, select it.

Click on Next.

On the next screen, leave the default to port 443. Click on Next.

You should now see a summary screen. When you have finished looking at the summary, you should click on Next.

At the final screen, click on Finish.

Assigning the Stronger Certificate

In IIS, right-click on the production website that has the 1024-bit certificate installed and then click on Properties from the drop down menu.

A new window will appear. In that new window, click on the Directory Security tab at the top. In the same window, you will see three sections. The bottom section named Secure communications has three buttons.

Click on the Server Certificate… button.

A wizard appears. Click on Next.

On the next screen, select the option, Replace the current certificate. Click on Next.

Important Note: If you do not receive this option, it may be possible that you have an already pending request for this website. In order to have the Replace the current certificate option available, you will need to delete the pending request on this website.

You should see a list of certificates which contains the certificate you have installed on the Temporary website. Select the newly installed certificate that contains a key size of 2048-bits from this list. Once selected, click on Next.

IIS will display the new replacement certificate’s details. Verify these details and then click on Next.

Click on the Finish button on the next screen.

Back in the Properties window, click on the OK button. The certificate on your website has been updated with the stronger 2048-bit certificate with no downtime.

The final step of this article is to delete the Temporary website that you created at the start. To do this, right-click the Temporary website in IIS and select Delete from the drop-down menu. Click on Yes at the "Are you sure you want to delete this item?" prompt.
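To confirm from a client that the swap really took effect, and that nothing else on the server is still serving a 1024-bit key, the check below asks the server what it presents on 443 and reads the key size. This is an added example, not from the original article or the QuoVadis KB; it uses only .NET classes, so it works regardless of the IIS version, and the host name is a placeholder.

```powershell
# Added example: fetch the certificate a site actually serves on 443 and report its key size.
function Get-ServedCertificate([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the point is to inspect what the server presents,
        # not to validate it; chain trust is reported separately in Trusted.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $bits = $cert.PublicKey.Key.KeySize
        New-Object PSObject -Property @{
            Host       = "${HostName}:$Port"
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyBits    = $bits
            NotAfter   = $cert.NotAfter
            Trusted    = $cert.Verify()          # chain builds against this machine's roots
            Weak       = ($bits -lt 2048)        # the 1024-bit case this article replaces
        }
    } finally { $client.Close() }
}

# Before the swap you expect Weak = True on the production site; afterwards Weak = False,
# with the Thumbprint matching the certificate you installed on the Temporary site.
Get-ServedCertificate 'mail.example.com' | Format-List

# Certificates in the local machine store that still have a key shorter than 2048 bits.
# The old production certificate stays here until you remove it; anything else listed
# is another site or service to fix the same way.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.PublicKey.Key.KeySize -lt 2048 } |
    Select-Object Subject, Thumbprint, NotAfter
```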

source: https://support.quovadisglobal.com/KB/a88/how-to-increase-your-csr-key-size-on-microsoft-iis.aspx