Re: Web Certificate for IIS Server on SBS Domain

Eriq,

Thanks for a great, comprehensive reply.

You guessed correctly on everything:

The public name of the IIS server is diferent than that used for RWW, OWA,
etc (in fact, I'm just using https://{SBSPublicIPViaNAT} for the SBS tools,
haven't even set up a name, although I may change that at some point when I
feel up to reinstalling the cert on all PocketPCs and helping home users to
do the same.)

The IIS server has a dedicated DNS name/Public IP.

It has only one LAN interface, and my firewall is configured with 1:1 NAT
for it. I just purchased the new static IP for it yesterday, in fact.

I'm all for purchasing a 3rd party cert if it doesn't cost an arm and a leg.
I'm sure there are plenty of cert authorities out there that are much more
competitive than verisign, and I don't need a recognized cert authority; my
intent is simply to secure users' sessions with the server, not provide
3rd-party verification of identity, since only my users will be on the site.
But I've had a hard time finding (via google) a decent guide to inexpensive
cert authorities. I'm finding companies, but how do I know who's
reliable/reputable?

If I tried to install Cert Services in my SBS domain, what sort of problems
could I expect, and is there a way to avoid them?

Thanks again for the great info Eriq.

Bryan


"Eriq Neale" <eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2005091309302016807%eon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> On 2005-09-12 17:03:06 -0500, "Bryan L"
> <blinton.nospam@xxxxxxxxxxxxxxxxxxxxxxxxxxx> said:
>
>> I have configured a certificate on my SBS for use with RWW, OWA, OMA, and
>> RPC over HTTP. I've never had any trouble with it.
>>
>> I'm now setting up a web application on a new IIS server on my domain and
>> I want to secure all connections with a self-issued certificate, since I
>> want to give my users access to it across the internet. Since the
>> certificate and DNS names need to match, I presume I need to set up
>> another cert specifically for use by that server. I've set up 1:1 NAT
>> and a public DNS record for the server. I just have a few questions:
>>
>> I've never installed Certificate Services on the SBS because I haven't
>> needed to. Will that be necessary in order for the IIS server to request
>> a certificate of the SBS server?
>>
>> Will installing Certificate Services mess up my existing configuration in
>> any way?
>>
>> Do I need to install Certificate Services on the SBS, or can it be
>> installed on the IIS server? Would I get the same results either way,
>> and is there a best practice?
>>
>> Just looking to clearly understand my options, and the logical process of
>> what I need to do.
>>
>> Thanks in advance!
>>
>> Bryan
>
> Hey Brian - a couple of other questions for you:
>
> 1. Is the Public Name of the new IIS server the same or different from the
> name used to access RWW, OWA, etc?
> 2. If they are different (which seems to be the case in your message, but
> it's not exactly clear, hence question #!) are they both pointing to the
> same public IP address?
> 3. Is this new IIS server only on the internal network, or does it have a
> separate interface that connects to the public internet as well?
>
> To be perfectly honest, I would recommend that you avoid the use of
> Certificate Services on your internal network and if the second IIS server
> is as truly separate as it seems like it might be, go ahead and purchase a
> third-party certificate for that server and keep it independent of the
> self-signed certificate for the SBS server. Can you install and use
> Certificate Services to do what you are wanting? Absolutely. Is it going
> to cost more in time and headache than purchasing a third-party cert for
> your second website? Absolutely times 10. You have to realize that once
> you pur Certificate Services in an SBS environment, you don't want to pull
> it out, and it can in some cases interfere with traditional SBS
> certificate functions.
>
> Case in point - about two months ago, I set up a purchased certificate for
> a client. The total cost to the client was about one hour of my standard
> consulting rate. Only half of that cost went toward the purchase of the
> certiicate, and the other half represented the half hour of my time that
> it took me to set it up. If you're only trying to set up a single
> certificate for a single site, I cannot see the time value of setting up
> Certificate Services for that single server.
>
> If you were talking about putting together certs for multiple servers
> and/or multiple users, then you might look into it, but in this scenario,
> I think it would be more trouble than it's worth...
>
>
> HTH...
>
> -Eriq
> --
> Eriq Neale - Small Business Specialist, MCSE, Mac Guru
> EON Consulting - www.eonconsulting.net
> Author of Microsoft Small Business Server 2003 Unleashed
> Need additional IT insight? E-mail "support at eonconsulting dot net"
>


.

Relevant Pages

  • Re: Web Certificate for IIS Server on SBS Domain
    ... Before your reply, I actually ran across rapidssl myself, and have ordered and installed the free 30-day certificate on my site. ... I explained what you'd told me about putting my existing configuration at risk by installing Cert Services, and he said he didn't know that. ... Again, if you're just needing a cert to install on your web server to provide SSL connectivity for remote users, go with an external third-party provider. ... When you add Certificate Services on an internal network, lots of internal communications will start using pieces provided by the Cert Server instead of the defaults from Server 2003, and when things blow up, they can blow up gloriously. ...
    (microsoft.public.windows.server.sbs)
  • Re: Activesync between Windows Mobile 5 and SBS2003 gives error
    ... If you don't find a cert here that matches the URL for OWA, you need to re-run the CEICW wizard on the SBS box and re-create the self signed cert. ... I exported the certificate straight from the server. ... Treo 700wx running Windows Mobile 5. ...
    (microsoft.public.windows.server.sbs)
  • Re: Terminal Services over a VPN
    ... Create a certificate request and submit it to godaddy in order to obtain a public cert. ... You can use the wizard in IIS Manager for this by creating a new website that matches the above name (on your TS server), right-click and choose properties, directory security tab, server certificate button. ... After the install you can stop or delete the website created above since you don't need it for anything. ...
    (microsoft.public.windows.terminal_services)
  • Re: SBS 2003 Premium and Cert Services
    ... that philosphy got blown out of the equation when SBS included Exchange OWA ... "Small Business Server" which is MS claim as to why the risk of exposing the ... the Certificate Server on another server, ... >> Cert, or you could edit the properties of your Certification Authority to ...
    (microsoft.public.windows.server.sbs)
  • Re: Web Certificate for IIS Server on SBS Domain
    ... and installed the free 30-day certificate on my site. ... instructions to install Certificate Services. ... If I can find a way to issue my own cert without risking my SBS setup, ... > Server instead of the defaults from Server 2003, and when things blow up, ...
    (microsoft.public.windows.server.sbs)
Loading