Monthly Archives: February 2012

Renewing a 3rd Party SSL Certificate on SBS 2008

Here is how to renew a certificate that’s expired or about to expire on your SBS 2008 Server.

  1. Open the Windows SBS Console
  2. Click on Network
  3. Click on “Add a trusted Certificate”
  4. Click “Next”
  5. Click “I want to renew my Current Trusted Certificate with the same provider”, then click Next.
  6. Click Save to file and save the file.
  7. In this case we’re using GoDaddy, so log into the GoDaddy website using your username and password.
  8. Purchase an SSL renewal if you’ve not already done so, and then launch your SSL Certificate control panel.
  9. Click Request Certificate on the right hand side
  10. Copy the contents of the saved file from step 6 into the CSR section of the GoDaddy renewal wizard. Click Next on the CSR wizard twice, then click Finished.
  11. Approve the confirmation email that GoDaddy sends, and then log back into your SSL Certificate control panel at GoDaddy.
  12. Wait for the Certificate to be processed, and then download the certificate with the updated expiration date. Select the Exchange 2010 download format.
  13. Extract the files to a folder, and then return to your “Add a trusted Certificate” wizard.
  14. Select the option for “I have a certificate from my certificate provider” and then click “Next”
  15. Click the “Browse” button and select the .crt file from the folder you just created. Click “Next”.
  16. Wait for the wizard to complete. If the wizard fails, follow these instructions:
  17. Right click on your .crt file and select install. Follow the wizard to install it.
  18. Open your TS Gateway Manager and verify that on the “SSL Certificate” tab the proper certificate and expiration date are listed.
  19. Open your Exchange Management Shell
  20. Run the following command and make note of the new certificate’s thumbprint: `Dir cert:\LocalMachine\MY | fl`
  21. Run a “get-exchangecertificate | fl” to see a list of all certificates and what services they are tied to.
  22. Verify that the newly installed certificate is configured for IIS, and any other services it should be attached to.
  23. Connect to https://127.0.0.1/owa and verify that the certificate being used is the newest certificate.
  24. If IIS is not using the correct certificate you’ll need to run this command from the Exchange Management Shell: `Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXX -Services "IIS,IMAP,POP"`, where the XXX is the new thumbprint and the services listed are the ones that should be using the new cert.
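
As an added example (not part of the original post), the checks in steps 20 to 24 as one PowerShell script for the Exchange Management Shell; the variables $SubjectName and $HostToCheck and the name remote.example.com are assumptions you replace with your own values:

```powershell
# Added example, not from the original post. Run inside the Exchange Management
# Shell on the SBS 2008 server. $SubjectName is a placeholder: replace it with
# the common name on your third-party certificate.
$SubjectName = "remote.example.com"   # placeholder
$HostToCheck = "127.0.0.1"            # step 23 of the post tests OWA locally

# Step 20: list the machine store and pick the cert for this name with the latest
# expiry and a private key, which is the freshly installed renewal.
$newest = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $newest) { throw "No certificate with a private key found for $SubjectName" }
"Newest cert: {0} expires {1:yyyy-MM-dd}" -f $newest.Thumbprint, $newest.NotAfter

# Steps 21-22: compare with what Exchange has bound to IIS.
$stale = $false
foreach ($c in (Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" })) {
    if ($c.Thumbprint -ne $newest.Thumbprint) { $stale = $true }
    "Exchange binds {0} to {1}, expires {2:yyyy-MM-dd}" -f $c.Thumbprint, $c.Services, $c.NotAfter
}

# Step 23: handshake with port 443 and read the certificate actually served.
# The validation callback returns $true only so the handshake completes for
# inspection; the thumbprint comparison below is the real check.
$client = New-Object System.Net.Sockets.TcpClient($HostToCheck, 443)
$accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($SubjectName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Port 443 serves: {0} expires {1:yyyy-MM-dd}" -f $served.Thumbprint, $served.NotAfter
    if ($served.Thumbprint -ne $newest.Thumbprint) { $stale = $true }
} finally {
    $ssl.Close(); $client.Close()
}

# Step 24: only print the fix; re-binding services is the admin's decision.
if ($stale) {
    "IIS is not using the newest certificate. To fix, run:"
    "  Enable-ExchangeCertificate -Thumbprint {0} -Services ""IIS,IMAP,POP""" -f $newest.Thumbprint
} else {
    "IIS and port 443 already use the newest certificate; nothing to do."
}
```

The script reports but never changes bindings, so it is safe to re-run after the renewal to confirm the thumbprint served on 443 matches the newest certificate in the store.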

Note: if you need more information on installing the certificate in Exchange, you can read this.

Note: if you can’t figure out where the “TS Gateway Manager” is, you can read a write-up on how to enable it here.

Force All Traffic over a NetExtender SSL VPN Connection, but allow users to continue to access the Internet.

I have a client that is using a medical application whose access to the cloud-based storage is locked down by public IP address. This restricts access to the application to people who are in the office; users who work from home, or take their laptop home with them on the weekend, are unable to work from home. To solve this problem I set up NetExtender and forced it to tunnel all traffic back into the main site, but users were then unable to connect to any resources on the Internet.

Here is how to resolve this issue. First let’s configure the SSL VPN:

  1. Log into your Sonicwall, and expand “Network”
  2. Click on “Interfaces” and then click on the Configure link for your WAN connection.
  3. Make sure the box that says “User Login: Https” has a check mark, and then click “OK”
  4. Expand “SSL VPN” on the left, and then click “Server Settings”
  5. Click the red dot next to “WAN” and wait for it to turn green.
  6. Click “Client Settings” on the left, and then configure an IP address range for your SSL VPN guests; also configure the User Domain and DNS servers.
  7. Click “Client Routes” on the left pane and enable “Tunnel All Mode”. This ensures all traffic sent by the client appears to originate from the main office, and not from the client’s home router.

Now let’s create a user and grant them access to the appropriate networks during a VPN connection.

  1. Expand “Users” on the left, and then click on “Local Users”.
  2. Click “Add User…”
  3. On the “Settings” tab, give the user a username and password.
  4. On the “Groups” tab, Add the user to “Trusted Users”, “Everyone”, and “SSLVPN Services”. Click OK.
  5. Click “Local Groups” on the left.
  6. Click on the “Configure” button for the group “Trusted Users”
  7. Click on the “VPN Access” tab, add “LAN Subnets” and “WAN RemoteAccess Networks” to the list. Click OK.

Now have the user connect to the SSL VPN, open a command prompt and ping anything. The first hop should be the default gateway of the main office’s WAN connection; this shows that you’re tunneling all traffic over the SSL VPN and are still able to get online.