External Exchange stopped working after cert renew
Setup: SBS2003 R2 with Exchange 2003 and ISA (2006?).
The cert expired, so I recreated a self-signed cert *.mydomain.net (the old cert was for servr.mydomain.net). I updated the IIS standard website to use this cert.
Internally on the LAN, OWA is working OK: serv/exchange
However, externally:
- OWA: in Chrome, going to http://www.mydomain.net/exchange redirects to https but then results in the error 'Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error'; in IE I immediately get 'Internet Explorer cannot display the webpage'
- RPC is no longer functioning
I get a feeling that the ISA is messing up something, but I can't see what to change.
So, question: in what locations do you need to change something when changing a certificate?
Thanks, Christof
March 22nd, 2012 6:46am

Hello Christof De Backere, Since you have changed to a new certificate, make sure that this certificate is installed in the stores Trusted and Personal in your MMC. You will also have to have this certificate installed in the Web Listener in ISA. Check the rules for OWA and RPC and the listeners to see whether they have the correct certificate installed. Do let me know your findings.
APK
March 22nd, 2012 8:16am

Make sure your ISA is on the latest SP1. It's been a long time, but if I remember correctly, it did have issues with wildcard certificates.
Casper Pieterse, Principal Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007 / 2010
March 22nd, 2012 4:00pm

Hi APK, I had already installed them in the stores, so that's OK. In ISA, I checked for the listeners serving https and RPC. These were 'SBS Web listener' and 'SBS companyweb listener'. I went to 'right-click' -> properties -> preferences -> SSL -> select certificate and selected the appropriate one from the store. I repeated this for the other listener. After 'apply changes' I had the impression it still didn't work. But then, after a couple more minutes, it did. For the moment I can only speak about the web (https OWA, etc.) access. I have not been able to test RPC externally yet. I'll respond once that's validated. Thanks for the clear advice. You made me (and the users) very happy.
Christof
March 23rd, 2012 6:57am

Thanks Casper, I believe that the SP1 was already installed as part of normal updates of the server many years ago. Anyway, once it worked, the wildcard didn't seem to bother ISA.
Thanks, Christof
March 23rd, 2012 6:58am

Thanks Christof, The web listener plays an important role in ISA. Good that the issue has been resolved. You can mark as answered if your issue has been resolved.
APK
March 23rd, 2012 8:34am

Hi there, I am really puzzled: it worked for some time (at least while testing) but then, shortly after, it stopped working again, with the same symptoms. So it seems like it worked for some time after aligning the listener cert to the new wildcard cert (previously no wildcard cert). In IE I get a 'webpage can not be displayed' (so not a 404 or so) and in Chrome I again get 'Error 107 (net::ERR_SSL_PROTOCOL_ERROR): Error with SSL-protocol.' HELP.
ISA version: I just checked the ISA version. I am mistaken: it's not 2006 but 2004! Could that explain the issue with the wildcard cert?
Thanks, Christof
March 28th, 2012 5:13am

Hi, Please have a look at the article below:
Step-by-Step: Publishing a Single Exchange 2003 OWA with ISA 2004 Firewall Forms Based Authentication
http://www.isaserver.org/tutorials/2004owafba.html
Xiu Zhang, TechNet Community Support
March 29th, 2012 5:18am

How is the issue now?
Xiu Zhang, TechNet Community Support
April 2nd, 2012 2:04am

Hi, I tried the howto you linked, but no luck. In the end, I tried to do the 'connect to internet' wizard. But that crashed. Then I found the reason: I had added a virtual 2nd IP to the LAN and WAN interface, causing the wizard to go 'banana'. So I removed the additional IPs. Then, after 3 more trials and reboots, the wizard more or less completed. Anyway, this caused the publishing of the sites to be reactivated. At least the ones running on the default IP. Adding the VIPs didn't work out, as apparently the listeners on OS level also went, so after adding those with the admin tools, things started to get back to normal. The only downside is that now the certificate is again the one with the wrong FQN, causing certificate warnings in browsers etc. The wizard didn't ask how I wanted (hostname) to publish these sites. Too bad, that's how it was before, but by far the most important is that the sites and RPC/HTTPS are up again from the outside world. Thanks all for your assistance.
April 3rd, 2012 5:38pm

Glad to hear that Outlook Anywhere is working now. For the certificate, if it is a self-signed certificate, then please ensure that you have installed the certificate on the client computer. Besides, I recommend you have a look at the article below:
Configuring ISA to Redirect OWA Users to the Correct Directories and Protocols (Part 2)
http://www.msexchange.org/articles/Redirecting-OWA-Users-Correct-Directories-Protocols-Part2.html
Xiu Zhang, TechNet Community Support
April 4th, 2012 2:20am
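
The thread's two recurring faults, a listener still bound to the previous certificate and a certificate whose name does not cover the public hostname, can be checked together. The sketch below is an added example, not code from any poster or from ISA; the thumbprint strings are placeholders, the binding table is constructed from the locations named in the thread, and the wildcard rule used (one left-most label only) is the standard browser matching rule.

```python
# Added example: audit every place a certificate is selected after a renewal.
# Thumbprints are placeholders; the binding table is constructed sample data.

def name_matches(cert_name, host):
    """True if a certificate name covers host; '*' stands for exactly one left-most label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        # Conservative assumption: refuse wildcards directly under a top-level domain.
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

def audit(bindings, public_host, current_thumbprint):
    """Return {binding: [problems]} for each location that would break external access."""
    report = {}
    for where, cert in bindings.items():
        problems = []
        if cert["thumbprint"] != current_thumbprint:
            problems.append("still bound to a different certificate")
        if not any(name_matches(n, public_host) for n in cert["names"]):
            problems.append("no certificate name covers " + public_host)
        if problems:
            report[where] = problems
    return report

OLD = {"thumbprint": "OLD-THUMBPRINT-PLACEHOLDER", "names": ["servr.mydomain.net"]}
NEW = {"thumbprint": "NEW-THUMBPRINT-PLACEHOLDER", "names": ["*.mydomain.net"]}

# State described in the first post: IIS updated, ISA listeners not yet touched.
AFTER_IIS_ONLY = {
    "IIS default web site": NEW,
    "ISA listener: SBS Web listener": OLD,
    "ISA listener: SBS companyweb listener": OLD,
}
# State after both listeners were pointed at the new certificate.
ALL_UPDATED = {where: NEW for where in AFTER_IIS_ONLY}

if __name__ == "__main__":
    for label, state in (("IIS only", AFTER_IIS_ONLY), ("all updated", ALL_UPDATED)):
        print(label, audit(state, "www.mydomain.net", NEW["thumbprint"]))
```

Fill the table with the thumbprint and names shown in the certificate properties for each IIS site and each ISA listener; a self-signed certificate additionally has to be trusted on the client, which this check does not cover.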
