Skip to main content

Generate a Self-Signed Certificate in Exchange Server 2007 to be used for Outlook Anywhere on Outlook 2007


I recently got my hands on copies of Microsoft’s Windows Server 2008 and Exchange Server 2007 SP1. I’ve always been an early adopter and I was super excited to upgrade from Server 2003 and Exchange 5.5. It was an absolute nightmare to get everything up and running, but I’ve got it all working now and want to share some pointers for you guys out there who might be running into the same problems I did.
My goal was to have a setup that would allow my workstation, laptop, and smart phone to all sync with Exchange using my residential Internet connection. My setup is simple:
  1. Server - Windows Server 2008 and Exchange Server 2007 SP1
  2. Workstation - Windows Vista Business Edition with Outlook 2007
  3. Laptop - Windows Vista Ultimate Edition with Outlook 2007
  4. Smart Phone - Cingular 3125 with Windows Mobile 5
My workstation syncs directly with Exchange 2007 using my LAN, my laptop syncs using “Outlook Anywhere” (previously titled RCP over HTTP), and my smart phone syncs using ActiveSync with Direct Push.

I installed Windows Server 2008, did some basic configuration, and installed Active Directory with Domain Services. Everything was stable, and I started to install Exchange 2007 SP1. Note that you MUST have an 64 bit version of Windows Server 2008, and you MUST have the SP1 version of Exchange Server 2007 in order for things to work on Windows Server 2008.

Exchange 2007 SP1 died several times during the installation. I couldn’t figure it out! Each time it was saying different services weren’t starting on time. After banging my head on this problem for several DAYS reformatting/reinstalling I finally found out that the Exchange services freak out unless you have IPv6 enabled. I had disabled it every time I installed Active Directory. The services dying problem disappeared after I re-enabled IPv6 on my network connection.

Now that I had everything installed I had to migrate my mailbox from Server 2003/Exchange 5.5 to my new Server 2008/Exchange 2007 SP1 configuration. Easier said than done. Long story short I used ExMerge to export my Exchange 5.5 mailbox as a .PST file and then used the Exchange Server 2007 Management Shell to import the .PST file.

First test was to see if Outlook Web Access worked. I hit up http://mydomain/owa. I got an access denied error, so I tried https. It worked but griped about untrusted the SSL cert. I hate messing around with SSL on my personal e-mail so I jumped into inetmgr and changed the Default Web Site SSL Settings to not require SSL. Now I could use the less secure http protocol, but at least I don’t have to see those SSL cert warnings.
Next I wanted to get my workstation syncing.

I used “Mail” from the control panel, removed my existing profile, and added a new one with my new Exchange server’s name. It kept saying it couldn’t find the server, even though I could browse to it on my workstation.

In order to get it to connect I had to change my network connection to use the DNS server, which just so happens to be hosted on the same machine as Exchange. Once it was using the local DNS server it could resolve my Exchange server, which is Server.home.local. Outlook 2007 synced without a problem and pulled down everything.
I wanted to get my phone with Windows Mobile 5 to sync with Exchange. This was the easiest part! I removed my existing Exchange server source on my phone and added a new server source pointing to “mydomain” without using SSL.

It instantly worked and synced without an error. Direct Push works without any additional configuration.
Last up was the laptop and getting Outlook Anywhere working. I enabled Outlook Anywhere on Exchange Server 2007.

Make sure you use Basic authentication! To my disappointment I did some quick research and found that (1) Outlook Anywhere absolutely requires a certificate, and
(2) Outlook Anywhere does not support self-signed certificates. What the! I didn’t want to spend $30/year on some crappy GoDaddy cert so I decided to push through these limitations. I found out that you can actually use a self-signed certificate you just need to make sure it is in the Trusted Root Certificate Authorities division of your certificate storage.

Here is how you generate a self-signed certificate with Exchange Server 2007 to use for Outlook Anywhere on any of your Outlook 2007 client machines:

1. Open the Exchange Management Shell in Windows Server 2008.
(You need to be logged in as a local Administrator and that Administrator needs to be a member of the Exchange Server Administrator group as well as the Exchange View-Only Administrators group in Active Directory. Make Administrator a member of those accounts and reboot for good measure.)

2. Run the following commands:
New-ExchangeCertificate -PrivateKeyExportable $True -Services “IMAP, POP, IIS, SMTP” -SubjectName “cn=[*SEE NOTE]”

*Note: this needs to be the exact name of the external domain you are going to use to access Outlook Anywhere.

Enable-ExchangeCertificate -Thumbprint [THUMBPRINT FROM NEW CERT]
Export-ExchangeCertificate -Thumbprint [THUMBPRINT FROM NEW CERT] -Path C:\Certificate.pfx -PasswordGet-Credential).password

3. Now you have a cert named Certificate.pfx sitting on C:\ on your Exchange Server. The cert is good for all of the basic Exchange 2007 services. Copy that file to any client machine you want to use to connect to Exchange Server 2007 using Outlook Anywhere.

4. Install the certificate on your client Windows machine by going to Internet Explorer > Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities > Import. Grab the cert you generated on your server, accept the warning dialog, and the import is successful.

5. Run Mail from the control panel on the client machine. Add a new profile and setup an account to use an Exchange server. Type the LOCAL NAME of the Exchange server (mine was Server.home.local). Click on “More Settings” and navigate to the “Connection” tab. At the bottom of the “Connection” check the box next to “Connect to Microsoft Exchange Using HTTP.” Click on “Exchange Proxy Settings”. Type the name of your domain in the top URL box. Uncheck the next two boxes. Check the two boxes next to “On fast networks…” and “On slow networks…”. Set your Proxy authentication settings to use Basic Authentication. Click OK a bunch of times and you should be good to go!

My customer deleted the self signed cert created by Exchange 2007.
For the record, if one ever delete the self signed SSL cert create by Exchange 2007, you only need to run this command in the Exchange powershell:

New-ExchangeCertificate -PrivateKeyExportable $True -Services “IMAP, POP, IIS, SMTP” -SubjectName “cn=[Your server name]
and the cert is back

Copied for you!


Popular posts from this blog

Question كيفية عمل share للـ outlook conntact لكل الـ Domain Users

  الحل بسيط جدا عايز الكونتاكت تتحدث دايما بحيث انك لما تضيف يوزر جديد يسمع في الكونتاكت اول حاجه بتدخل علي in office 2003 tools --- email account ---- add address book --- internet directory service (LDAP) type your server name then login info . mark this server require me to logon type any user on active directory and its password then save and close outlook and open it again now you will find all your active directory users in address book

3 things has to be done for better performance

  Tips from Goutham: 3 things has to be done for better performance: By default, XP displays extra graphic objects for menu items which can slow down your display. 1. To turn off these selectively... Right click My Computer Select Properties Click Advanced tab Under Performance, click Settings button To turn them all off, select Adjust for best performance Preference is to leave them all off except for Show shadows under mouse pointer and Show window contents while dragging 2. To speed up the display of the Start Menu Items, turn off the menu shadow. Right click open area of the Desktop Select Properties Click Appearance tab Click Effects button Uncheck Show shadows under menus 3. You can increase system performance by loading more of the system into memory. DO NOT attempt this with less then 512MBs of ram. Your system will become unstable. Click Start Click Run Enter regedit Click OK Go to HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Control Session Manager Memory Management Double cli

The difference between DNS and NDS

  Novell Directory Services(NDS) - Novell Directory Services (NDS) is a popular software product for managing access to computer resources and keeping track of the users of a  network , such as a company's  intranet , from a single point of administration. Using NDS, a network administrator can set up and control a  database  of users and manage them using a  directory  with an easy-to-use graphical user interface ( GUI ). Users of computers at remote locations can be added, updated, and managed centrally. Applications can be distributed electronically and maintained centrally. NDS can be installed to run under  Windows NT , Sun Microsystem's Solaris, and IBM's  OS/390  as well as under Novell's own  NetWare  so that it can be used to control a multi-platform network. NDS is generally considered an industry  benchmark  against which other products, such as Microsoft's Active Directory, must compete. Lucent Technologies plans to integrate NDS into its own QIP product