Generate a Self-Signed Certificate in Exchange Server 2007 to be used for Outlook Anywhere on Outlook 2007
I recently got my hands on copies of Microsoft’s Windows Server 2008 and Exchange Server 2007 SP1. I’ve always been an early adopter and I was super excited to upgrade from Server 2003 and Exchange 5.5. It was an absolute nightmare to get everything up and running, but I’ve got it all working now and want to share some pointers for you guys out there who might be running into the same problems I did.
My goal was to have a setup that would allow my workstation, laptop, and smart phone to all sync with Exchange using my residential Internet connection. My setup is simple:
My workstation syncs directly with Exchange 2007 using my LAN, my laptop syncs using “Outlook Anywhere” (previously titled RCP over HTTP), and my smart phone syncs using ActiveSync with Direct Push.
- Server - Windows Server 2008 and Exchange Server 2007 SP1
- Workstation - Windows Vista Business Edition with Outlook 2007
- Laptop - Windows Vista Ultimate Edition with Outlook 2007
- Smart Phone - Cingular 3125 with Windows Mobile 5
I installed Windows Server 2008, did some basic configuration, and installed Active Directory with Domain Services. Everything was stable, and I started to install Exchange 2007 SP1. Note that you MUST have an 64 bit version of Windows Server 2008, and you MUST have the SP1 version of Exchange Server 2007 in order for things to work on Windows Server 2008.
Exchange 2007 SP1 died several times during the installation. I couldn’t figure it out! Each time it was saying different services weren’t starting on time. After banging my head on this problem for several DAYS reformatting/reinstalling I finally found out that the Exchange services freak out unless you have IPv6 enabled. I had disabled it every time I installed Active Directory. The services dying problem disappeared after I re-enabled IPv6 on my network connection.
Now that I had everything installed I had to migrate my mailbox from Server 2003/Exchange 5.5 to my new Server 2008/Exchange 2007 SP1 configuration. Easier said than done. Long story short I used ExMerge to export my Exchange 5.5 mailbox as a .PST file and then used the Exchange Server 2007 Management Shell to import the .PST file.
First test was to see if Outlook Web Access worked. I hit up http://mydomain/owa. I got an access denied error, so I tried https. It worked but griped about untrusted the SSL cert. I hate messing around with SSL on my personal e-mail so I jumped into inetmgr and changed the Default Web Site SSL Settings to not require SSL. Now I could use the less secure http protocol, but at least I don’t have to see those SSL cert warnings.
Next I wanted to get my workstation syncing.
I used “Mail” from the control panel, removed my existing profile, and added a new one with my new Exchange server’s name. It kept saying it couldn’t find the server, even though I could browse to it on my workstation.
In order to get it to connect I had to change my network connection to use the DNS server, which just so happens to be hosted on the same machine as Exchange. Once it was using the local DNS server it could resolve my Exchange server, which is Server.home.local. Outlook 2007 synced without a problem and pulled down everything.
I wanted to get my phone with Windows Mobile 5 to sync with Exchange. This was the easiest part! I removed my existing Exchange server source on my phone and added a new server source pointing to “mydomain” without using SSL.
It instantly worked and synced without an error. Direct Push works without any additional configuration.
Last up was the laptop and getting Outlook Anywhere working. I enabled Outlook Anywhere on Exchange Server 2007.
Make sure you use Basic authentication! To my disappointment I did some quick research and found that (1) Outlook Anywhere absolutely requires a certificate, and
(2) Outlook Anywhere does not support self-signed certificates. What the! I didn’t want to spend $30/year on some crappy GoDaddy cert so I decided to push through these limitations. I found out that you can actually use a self-signed certificate you just need to make sure it is in the Trusted Root Certificate Authorities division of your certificate storage.
Here is how you generate a self-signed certificate with Exchange Server 2007 to use for Outlook Anywhere on any of your Outlook 2007 client machines:
1. Open the Exchange Management Shell in Windows Server 2008.
(You need to be logged in as a local Administrator and that Administrator needs to be a member of the Exchange Server Administrator group as well as the Exchange View-Only Administrators group in Active Directory. Make Administrator a member of those accounts and reboot for good measure.)
2. Run the following commands:
New-ExchangeCertificate -PrivateKeyExportable $True -Services “IMAP, POP, IIS, SMTP” -SubjectName “cn=[*SEE NOTE]”
*Note: this needs to be the exact name of the external domain you are going to use to access Outlook Anywhere.
Enable-ExchangeCertificate -Thumbprint [THUMBPRINT FROM NEW CERT]
Export-ExchangeCertificate -Thumbprint [THUMBPRINT FROM NEW CERT] -Path C:\Certificate.pfx -PasswordGet-Credential).password
3. Now you have a cert named Certificate.pfx sitting on C:\ on your Exchange Server. The cert is good for all of the basic Exchange 2007 services. Copy that file to any client machine you want to use to connect to Exchange Server 2007 using Outlook Anywhere.
4. Install the certificate on your client Windows machine by going to Internet Explorer > Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities > Import. Grab the cert you generated on your server, accept the warning dialog, and the import is successful.
5. Run Mail from the control panel on the client machine. Add a new profile and setup an account to use an Exchange server. Type the LOCAL NAME of the Exchange server (mine was Server.home.local). Click on “More Settings” and navigate to the “Connection” tab. At the bottom of the “Connection” check the box next to “Connect to Microsoft Exchange Using HTTP.” Click on “Exchange Proxy Settings”. Type the name of your domain in the top URL box. Uncheck the next two boxes. Check the two boxes next to “On fast networks…” and “On slow networks…”. Set your Proxy authentication settings to use Basic Authentication. Click OK a bunch of times and you should be good to go!
My customer deleted the self signed cert created by Exchange 2007.
For the record, if one ever delete the self signed SSL cert create by Exchange 2007, you only need to run this command in the Exchange powershell:
New-ExchangeCertificate -PrivateKeyExportable $True -Services “IMAP, POP, IIS, SMTP” -SubjectName “cn=[Your server name]
and the cert is back
Copied for you!
- Other Apps