Results 1 to 5 of 5
  1. #1
    Join Date
    Nov 2007
    Arab world!
    Blog Entries
    Rep Power

    Arrow Generate a Self-Signed Certificate in Exchange Server 2007 to be used for Outlook Any

    Generate a Self-Signed Certificate in Exchange Server 2007 to be used for Outlook Anywhere on Outlook 2007

    I recently got my hands on copies of Microsofts Windows Server 2008 and Exchange Server 2007 SP1. Ive always been an early adopter and I was super excited to upgrade from Server 2003 and Exchange 5.5. It was an absolute nightmare to get everything up and running, but Ive got it all working now and want to share some pointers for you guys out there who might be running into the same problems I did.
    My goal was to have a setup that would allow my workstation, laptop, and smart phone to all sync with Exchange using my residential Internet connection. My setup is simple:
    1. Server - Windows Server 2008 and Exchange Server 2007 SP1
    2. Workstation - Windows Vista Business Edition with Outlook 2007
    3. Laptop - Windows Vista Ultimate Edition with Outlook 2007
    4. Smart Phone - Cingular 3125 with Windows Mobile 5
    My workstation syncs directly with Exchange 2007 using my LAN, my laptop syncs using Outlook Anywhere (previously titled RCP over HTTP), and my smart phone syncs using ActiveSync with Direct Push.

    I installed Windows Server 2008, did some basic configuration, and installed Active Directory with Domain Services. Everything was stable, and I started to install Exchange 2007 SP1. Note that you MUST have an 64 bit version of Windows Server 2008, and you MUST have the SP1 version of Exchange Server 2007 in order for things to work on Windows Server 2008.

    Exchange 2007 SP1 died several times during the installation. I couldnt figure it out! Each time it was saying different services werent starting on time. After banging my head on this problem for several DAYS reformatting/reinstalling I finally found out that the Exchange services freak out unless you have IPv6 enabled. I had disabled it every time I installed Active Directory. The services dying problem disappeared after I re-enabled IPv6 on my network connection.

    Now that I had everything installed I had to migrate my mailbox from Server 2003/Exchange 5.5 to my new Server 2008/Exchange 2007 SP1 configuration. Easier said than done. Long story short I used ExMerge to export my Exchange 5.5 mailbox as a .PST file and then used the Exchange Server 2007 Management Shell to import the .PST file.

    First test was to see if Outlook Web Access worked. I hit up http://mydomain/owa. I got an access denied error, so I tried https. It worked but griped about untrusted the SSL cert. I hate messing around with SSL on my personal e-mail so I jumped into inetmgr and changed the Default Web Site SSL Settings to not require SSL. Now I could use the less secure http protocol, but at least I dont have to see those SSL cert warnings.
    Next I wanted to get my workstation syncing.

    I used Mail from the control panel, removed my existing profile, and added a new one with my new Exchange servers name. It kept saying it couldnt find the server, even though I could browse to it on my workstation.

    In order to get it to connect I had to change my network connection to use the DNS server, which just so happens to be hosted on the same machine as Exchange. Once it was using the local DNS server it could resolve my Exchange server, which is Server.home.local. Outlook 2007 synced without a problem and pulled down everything.
    I wanted to get my phone with Windows Mobile 5 to sync with Exchange. This was the easiest part! I removed my existing Exchange server source on my phone and added a new server source pointing to mydomain without using SSL.

    It instantly worked and synced without an error. Direct Push works without any additional configuration.
    Last up was the laptop and getting Outlook Anywhere working. I enabled Outlook Anywhere on Exchange Server 2007.

    Make sure you use Basic authentication! To my disappointment I did some quick research and found that (1) Outlook Anywhere absolutely requires a certificate, and
    (2) Outlook Anywhere does not support self-signed certificates. What the! I didnt want to spend $30/year on some crappy GoDaddy cert so I decided to push through these limitations. I found out that you can actually use a self-signed certificate you just need to make sure it is in the Trusted Root Certificate Authorities division of your certificate storage.

    Here is how you generate a self-signed certificate with Exchange Server 2007 to use for Outlook Anywhere on any of your Outlook 2007 client machines:

    1. Open the Exchange Management Shell in Windows Server 2008.
    (You need to be logged in as a local Administrator and that Administrator needs to be a member of the Exchange Server Administrator group as well as the Exchange View-Only Administrators group in Active Directory. Make Administrator a member of those accounts and reboot for good measure.)

    2. Run the following commands:
    New-ExchangeCertificate -PrivateKeyExportable $True -Services IMAP, POP, IIS, SMTP -SubjectName cn=[*SEE NOTE]

    *Note: this needs to be the exact name of the external domain you are going to use to access Outlook Anywhere.

    Enable-ExchangeCertificate -Thumbprint [THUMBPRINT FROM NEW CERT]
    Export-ExchangeCertificate -Thumbprint [THUMBPRINT FROM NEW CERT] -Path C:\Certificate.pfx -PasswordGet-Credential).password

    3. Now you have a cert named Certificate.pfx sitting on C:\ on your Exchange Server. The cert is good for all of the basic Exchange 2007 services. Copy that file to any client machine you want to use to connect to Exchange Server 2007 using Outlook Anywhere.

    4. Install the certificate on your client Windows machine by going to Internet Explorer > Tools > Internet Options > Content > Certificates > Trusted Root Certificate Authorities > Import. Grab the cert you generated on your server, accept the warning dialog, and the import is successful.

    5. Run Mail from the control panel on the client machine. Add a new profile and setup an account to use an Exchange server. Type the LOCAL NAME of the Exchange server (mine was Server.home.local). Click on More Settings and navigate to the Connection tab. At the bottom of the Connection check the box next to Connect to Microsoft Exchange Using HTTP. Click on Exchange Proxy Settings. Type the name of your domain in the top URL box. Uncheck the next two boxes. Check the two boxes next to On fast networks and On slow networks. Set your Proxy authentication settings to use Basic Authentication. Click OK a bunch of times and you should be good to go!

    My customer deleted the self signed cert created by Exchange 2007.
    For the record, if one ever delete the self signed SSL cert create by Exchange 2007, you only need to run this command in the Exchange powershell:

    New-ExchangeCertificate -PrivateKeyExportable $True -Services IMAP, POP, IIS, SMTP -SubjectName cn=[Your server name]
    and the cert is back

    Copied for you!

  2. Facebook Comments -

  3. Forum Ads:

  4. Forum Ads:

  5. Forum Ads:


  6. #2
    Join Date
    Jan 2008
    Blog Entries
    Rep Power

  7. #3
    Join Date
    Nov 2007
    Arab world!
    Blog Entries
    Rep Power


    THANKS, You are welcome Hopy!

  8. Forum Ads:

  9. #4


    Dear Mohamed,
    I think there is a better work around for this problem, Simply just setup internal CA and request a certificate for The Exchange

    New-ExchangeCertificate GenerateRequest SubjectName '' DomainName,,, CAS_Server "NetBios name" FriendlyName CAS SAN Certificate KeySize 1024 Path c:\cert_req.txt PrivateKeyExportable:$true

    Sure you have to remove the blue part

    Then go to your internal CA -->advanced certifcate request then submit the certifcate request and choose web certifcate.

    then run those commands

    Import-ExchangeCertificate Path c:\certnew.cer | Enable-ExchangeCertificate -Services IIS, POP, IMAP

    Using pipeline( |) is simple and save time.

    I do not recommend to work with the self signed certificate but as you mentioned deleting the self signed certifcate would cause some problem Check this

    Thanks for sharing this experience with us.

  10. #5
    Join Date
    Nov 2007
    Arab world!
    Blog Entries
    Rep Power


    And Thank you for the great addin...

    Mohamed Fouad
    Technical Team Leader
    Connect your EgyEng.comand Facebook account NOW!
    Just click on the Facebook icon so scroll till upper of the page and connect NOW!

    Mohamed Fouad :

  11. Forum Ads:

Similar Threads

  1. Replies: 0
    Last Post: 10-02-2011, 11:37 AM
  2. Replies: 0
    Last Post: 08-08-2010, 04:12 PM
  3. Replies: 2
    Last Post: 21-05-2010, 03:54 PM
  4. Replies: 4
    Last Post: 12-06-2008, 11:08 AM
  5. 70-236 Exchange Server 2007 Cbt and TS
    By Mohamed Fouad in forum Microsoft Certifications
    Replies: 1
    Last Post: 10-02-2008, 05:49 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Egypt Engineers