This is the best response I have read so far on this subject. Of importance is the issue of mobile clients. Depending upon version, they vary from easy to install an untrusted Authority's certificate to being impossible to install one.

Jonathan Link said "#2 is not necessarily true. I did not install the self-signed cert into my iPhone." I am not sure about this being true, and would like to hear from others. My experience and opinion of others in my immediate vicinity who have set these up indicate that self-signed SSL certificates do not work with iPhone (just as with WinMobiles). Maybe you aren't using SSL in your OWA setup?

From: Peter Johnson [mailto:peter.john...@peterstow.com]
Sent: Wednesday, 22 July 2009 2:28 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

With regards to this issue I believe the following is true with a self-signed certificate:

1.) On the browsers the users would have to agree to continue to the site every time until they add the certificate to the machine. This is a pain, particularly with mobile users and OWA access from ad-hoc computers such as Internet kiosks etc.

2.) Mobile phones using ActiveSync will not work until the self-signed cert is installed onto the device. This becomes an admin overhead. The worst case is if you have to rebuild the server in disaster recovery: you generate a new certificate and the entire cycle starts all over again. I've been through this and it's not fun!!

With regards to certificates, I've used Digicert a few times and always had good results, particularly with SAN certificates, which you will need for Exchange 2007 going forward.

Regards
Peter Johnson

From: Joe Heaton [mailto:jhea...@etp.ca.gov]
Sent: 21 July 2009 16:46
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

I know about GoDaddy, and recommend it every time any of our 4 SSL certs come up for renewal. But the manager wants to stay with the "industry standard" Verisign. I'm the kind of guy that buys the Shasta colas, or the Sam's colas, because it's pretty much the same thing at half the price. I have also looked at generating our own cert, which really makes sense for this purpose, as it's only internal users that will be accessing OWA.

What could they face from home, if I use a homemade cert? Are there browser issues, with certain browsers not liking homemade certs?

Joe Heaton
Employment Training Panel

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com]
Sent: Tuesday, July 21, 2009 8:42 AM
To: MS-Exchange Admin Issues
Subject: RE: OWA / SSL question

If your cert expires, users will have to either configure their browsers to allow them to go to the site, or click through warning/error messages to get there. I would believe, depending on your mobile phone setup, those users will have similar problems. Have you looked into generating your own internal certificate?

CHEAP: I got a 3 year SSL cert for OWA from GoDaddy.com for $67.47

From: Joe Heaton [mailto:jhea...@etp.ca.gov]
Sent: Tuesday, July 21, 2009 11:27 AM
To: MS-Exchange Admin Issues
Subject: OWA / SSL question

Guys,

Due to the budget issues here in California, my agency is down to the wire with renewing our SSL cert for Exchange. I've already told my manager that we can easily go with one of the cheaper alternatives, and have the same security, but she's really wanting to stick with Verisign. Due to this, our SSL cert may end up expiring. I've told her that the impact would be that I would have to turn off OWA. In addition, wouldn't our phones be affected? We're using ActiveSync on our Windows Mobile devices, and requiring the SSL connection. Would we be able to make a secure SSL connection without the cert? I'm thinking this is possibly a stupid question, but my brain is really fuzzy this morning.

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA 95814
(916) 327-5276
jhea...@etp.ca.gov
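The two behaviours the thread keeps coming back to (a self-signed certificate is rejected by every client until that exact certificate is installed in its trust store, and an expired certificate is rejected regardless) can be reproduced on the command line. The script below is an added example written for this page, not something any participant posted; it assumes the openssl CLI is installed, and the host name owa.example.test, the temporary directory and the 365-day lifetime are constructed values. It generates a self-signed certificate, verifies it first against the system trust store (as a phone or kiosk browser would) and then against a store that contains the certificate (as a device with the cert installed would), and finally checks how close it is to expiry, which is the check an admin would script ahead of a renewal deadline.

```shell
#!/bin/sh
# Added example: how clients treat a self-signed OWA certificate before and
# after it is installed, and how to check for expiry. Assumes openssl CLI.
set -eu

WORK=$(mktemp -d)            # constructed scratch directory for key and cert
trap 'rm -rf "$WORK"' EXIT

# make_self_signed <common-name> <days>
# Writes a self-signed cert and key under $WORK and prints the cert path.
# (Values such as owa.example.test and 365 are constructed for the demo.)
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -days "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/$1.pem"
}

# verify_cert <cert> [trust-store-file]
# Prints "trusted" or "untrusted". With no trust-store argument the system
# store is used, which is what a client that has NOT installed the
# self-signed cert sees; passing the cert itself as the store models a
# device on which the admin has installed it.
verify_cert() {
  if [ -n "${2:-}" ]; then
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
      printf 'trusted\n'
    else
      printf 'untrusted\n'
    fi
  else
    if openssl verify "$1" >/dev/null 2>&1; then
      printf 'trusted\n'
    else
      printf 'untrusted\n'
    fi
  fi
}

# expires_within <cert> <seconds>
# Prints "valid" if the cert is still valid <seconds> from now, otherwise
# "expires". -checkend exits 0 only when notAfter is later than now+seconds.
expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    printf 'valid\n'
  else
    printf 'expires\n'
  fi
}

# Stand-alone run: generate the demo cert and show the three checks.
CERT=$(make_self_signed owa.example.test 365)
echo "client without the cert installed: $(verify_cert "$CERT")"
echo "client with the cert installed:    $(verify_cert "$CERT" "$CERT")"
echo "expired right now?                 $(expires_within "$CERT" 0)"
echo "expires within 400 days?           $(expires_within "$CERT" 34560000)"
```

Pointing expires_within at the real OWA certificate with a 30-day window gives a renewal alarm that fires before users start seeing the warning pages described above; note that a client will reject an untrusted chain whether or not the certificate is still within its validity period, so both checks matter.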