# OWA and web server



## Afterdark (Jun 22, 2002)

We have a web server, a new 2011 SBS server and one public IP address. Our router NAT table maps port 80 to the web server and although port 443 maps to the 2011 SBS server, we cannot get OWA. We can get it internally but not externally.

Can this be done without resorting to another public IP address?

Thanks.


----------



## Rockn (Jul 29, 2001)

Have you installed the SSL cert on the web server or is this a self signed cert? Not sure why you would port forward 443 to the SBS server.


----------



## Afterdark (Jun 22, 2002)

Rockn said:


> Have you installed the SSL cert on the web server or is this a self signed cert? Not sure why you would port forward 443 to the SBS server.


It was a self signed certificate selected as part of the setup wizard.

On a 2003 SBS I set up, again with a self signed certificate, it needs 443 for the SSL. In fact if I disable forwarding on port 80 but just leave 443 forwarding and go to https://mail.domain.com/exchange I log in fine.

Which suggests that if I don't need port 80, then I don't have to worry about running a web server as in my original post. Interesting.

So, might there be a problem with a self signed certificate?

Thanks for the reply.


----------



## Rockn (Jul 29, 2001)

Self signed certs are fine for internal use, but I would never use one on OWA. Get a real cert and install it for use with OWA. Port 443 is the only one you need open if you are using SSL.


----------



## Afterdark (Jun 22, 2002)

Good point and something I will sort out. I was just trying to get OWA working as a test before going further.


----------



## mucker2010 (May 24, 2011)

Although Rockn's advice is favourable to get a public cert, it is not the cause of your issues and by no means a necessity. I've installed 100s of SBS 2003/2008 servers all using self signed certs and never had problems.

You do get a warning about it being untrusted and it does look like an error. Most people that see this don't actually read the warning and just close the browser thinking it was an error. All you need to do though is click continue at the warning and the site loads up.

What exactly is the error you receive?


----------



## Afterdark (Jun 22, 2002)

mucker2010 said:


> Although Rockn's advice is favourable to get a public cert, it is not the cause of your issues and by no means a necessity. I've installed 100s of SBS 2003/2008 servers all using self signed certs and never had problems.
> 
> You do get a warning about it being untrusted and it does look like an error. Most people that see this don't actually read the warning and just close the browser thinking it was an error. All you need to do though is click continue at the warning and the site loads up.
> 
> What exactly is the error you receive?


Like you, I have installed SBS servers before, generally used self signing and never had a problem. My concern was that this was my first 2011 SBS and maybe there was something new with regard to using SSL and certificates.

Since I raised this issue a couple of weeks ago, I put it to one side until last weekend when I finally tried a different ADSL router. I originally used a Draytek 2820 and then tried another identical one but still no luck. However, I then tried a Zyxel router and the problem was solved and everything is now working fine.

I have been looking around forums and it seems there may be an issue with Drayteks and enabling remote administration but at least I know now and will bear it in mind for the future.

Thanks for the reply.


----------



## mucker2010 (May 24, 2011)

Draytek probably uses 443 for the connection and you can change it somewhere in the config.


----------



## Rockn (Jul 29, 2001)

I think there are issues with self signed certs for certain devices like smart phones that will never connect that way. I think the Droid is one of them if I am not mistaken. I know that isn't the issue here, just an FYI.


----------



## Afterdark (Jun 22, 2002)

You can certainly change management ports on the Draytek and I did try different ports at the time but no luck. However, it works now so my client is happy.

But I have also mentioned proper certificates and they are quite happy to go that route, so thanks for the advice guys.


----------

