Assumptions: SonicOS 5.8+ and Windows Server 2008 R2 Enterprise running as a domain controller.
- On the Domain Controller: Open “Server Manager”, click “Roles”, click “Add Roles”.
- Click “Next >”, ensure there is a check mark next to “Active Directory Certificate Services”, and click “Next >” twice. Ensure there is a check mark in the boxes “Certification Authority”, “Certification Authority Web Enrollment”, and “Online Responder” (“Certification Authority Web Enrollment” and “Online Responder” are not technically needed, but they are common parts of a CA infrastructure that should also be installed if you are installing a CA), then click “Next >”. Approve the installation of the IIS components that are required to run Web Enrollment. Select the “Enterprise” radio button and click “Next >”. Select the “Root CA” radio button and click “Next >”. Select the “Create a new private key” radio button and click “Next >”. Select “RSA#Microsoft Software Key Storage Provider”, “4096”, and “SHA512” from the drop-down boxes and click “Next >”. Edit the Common Name for the CA if desired and click “Next >”. Change the validity period if desired and click “Next >”. Click “Next >” to leave the database in its default location, click “Next >” to install IIS, leave the default IIS installation options checked, click “Next >”, click “Install”, and then click “Close”.
- From the Domain Controller, open Internet Explorer and go to http://127.0.0.1/certsrv; when prompted, log in with the Domain Administrator account.
- Click the link “Download a CA Certificate, certificate chain, or CRL”
- Select the certificate with the common name from step 2, and then ensure the radio button “DER” is selected, click “Download CA Certificate”.
- Rename this certificate to match that of the common name and save it on the desktop.
- Login to the SonicWALL.
- Expand “System” from the left hand pane, and then click “Certificates”.
- Click “Import…” at the bottom.
- Ensure the radio button “Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem), or DER (.der or .cer) encoded file.” is selected, then click “Browse…”. Select the certificate with the common name that you set in step 2, click “Open”, and then click “Import”.
- Expand “Users” from the left hand pane of the SonicWALL, click “Settings”.
- Change the drop-down box titled “Authentication method for login:” to “LDAP + Local Users”.
- Ensure that the check box “Case-sensitive user names” is unchecked.
- Click “Accept” at the top.
- Click the “Configure…” button next to the “Authentication method for login:” drop-down box.
- On the “Settings” tab, enter the IP address of the Domain Controller in the box titled “Name or IP Address:”, change “Port Number:” to “636”, and change the radio button selection to “Give login name/location in tree”. Enter an Active Directory user account (a service account with “Domain Guest” group membership will suffice) in the “Login user name:” field, enter the password for the account in the “Login password:” field, and uncheck “Require valid certificate from server”.
- On the “Directory” tab, enter the following: in the “Primary Domain:” field, enter the DNS name of the Active Directory domain; change “User tree for login to server:” to the full path of where the service account (used on the Settings tab) is located in Active Directory (spaces are okay); then click “Apply”.
- Click “Auto-Configure” to test the connection and populate the list of directories in AD that contain Users or Groups.
As long as your list populates with OUs, you should be good. This is everything you need to do in order to secure the connection between your SonicWALL and your domain controller.
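The SonicWALL can only validate the domain controller if the DC actually presents an LDAPS certificate that chains to the CA whose .cer you just imported. The following PowerShell is an added check, not part of the original guide, that connects to port 636 from any domain-joined Windows host, prints the certificate the DC serves, confirms it carries the Server Authentication EKU that LDAPS requires, and builds the chain so you can see which root it terminates at. The `$DomainController` value is a placeholder you replace with the name or IP you entered on the “Settings” tab.

```powershell
# Added example (not from the original guide): inspect the certificate a domain
# controller presents on LDAPS and verify it chains to a trusted root.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$DomainController,
        [int]$Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    # Accept anything at the TLS layer so the handshake completes; validation is done explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }

    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Expires    : $($cert.NotAfter)"
    "Thumbprint : $($cert.Thumbprint)"

    # A DC only offers LDAPS with a certificate that has the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) { Write-Warning 'Certificate lacks the Server Authentication EKU; LDAPS will not work.' }

    # Build the chain against this host's trust store. The last element printed is the root;
    # it must be the CA whose .cer was imported into the SonicWALL, or the firewall cannot validate the DC.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $chain.ChainElements | ForEach-Object { "  chain: $($_.Certificate.Subject)" }
    if ($built) {
        'Chain builds to a trusted root.'
    } else {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Chain did not validate: $reasons"
    }
}

Test-LdapsCertificate -DomainController 'dc01.company.local'   # placeholder name
```

If the root printed at the bottom of the chain is not the CA you created in step 2, the DC is serving a certificate from somewhere else (for example an older self-signed one), and the SonicWALL import will not help until the DC enrolls for a certificate from the new CA.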
You’ll need a .pfx certificate in this guide, so once you have your certificate and any intermediates that need to be installed, export the certificate and include the entire chain in the export, assign a password, and then save the .pfx somewhere you can access it from the terminal server.
On the Terminal Server in question:
- Click “Start” and then “Run”.
- Enter “mmc” and then click “OK”.
- Click on the “File” menu and then select “Add/Remove Snap-in…”.
- Click “Certificates” and then click “Add >”, when prompted choose option “Computer Account” and then click “Next >”.
- Select “Local Computer” and then click “Finish”.
- Click “OK” to complete the add snap-in wizard and then expand “Certificates (Local Server)”.
- Right click on the “Personal” folder and then select “All Tasks”, then “Import…”.
- Click “Next >” and then locate the .pfx you saved earlier. Click “Next >”.
- Enter your password and then click “Next >”, click “Next >”, and click “Finish”.
- Now open “Remote Desktop Session Host Configuration”.
- Right click on “RDP-tcp” in the center of the window and select “Properties”.
- On the “General” tab, click the “Select” button, select your certificate, and then click “OK”.
- Click “OK” one more time, and then all future connections will be secured by the certificate.
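The same result can be scripted, which is handy when the certificate is renewed on several session hosts. The PowerShell below is an added example, not part of the original post: it imports the .pfx into the computer’s Personal store, checks the properties RDP actually needs (a private key, a valid date range and the Server Authentication EKU) before touching the listener, and then writes the thumbprint to the RDP-Tcp listener through the `Win32_TSGeneralSetting` WMI class, which is what the “Select” button in RD Session Host Configuration does behind the scenes. `$PfxPath` and `$PfxPassword` are placeholders; setting `SecurityLayer` to 2 is an addition that forces TLS instead of letting clients negotiate down to native RDP security.

```powershell
# Added example (not from the original post): import a .pfx and bind it to the
# RDP-Tcp listener, verifying the binding afterwards. Run in an elevated shell.
function Set-RdpListenerCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$PfxPassword
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)

    # Sanity checks before changing the listener.
    if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key; re-export it with the key included.' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        throw 'Certificate lacks the Server Authentication EKU.'
    }

    # Equivalent of MMC > Certificates (Local Computer) > Personal > All Tasks > Import.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()

    # SSLCertificateSHA1Hash is the property the GUI's "Select" button writes.
    # SecurityLayer = 2 requires TLS for every connection (0 = RDP security, 1 = negotiate).
    $ns = 'root\cimv2\TerminalServices'
    $listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint; SecurityLayer = 2 } | Out-Null

    # Read the listener back rather than assuming the write succeeded.
    $check = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($check.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw 'Listener did not accept the certificate.' }
    "RDP-Tcp now presents '$($cert.Subject)', valid until $($cert.NotAfter)"
}

Set-RdpListenerCertificate -PfxPath 'C:\certs\rds.pfx' -PfxPassword 'PLACEHOLDER'   # placeholder values
```

Existing sessions keep the certificate they negotiated; only new connections pick up the new one, so test with a fresh `mstsc` connection and check the lock icon in the connection bar.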
Here is how to renew a certificate that’s expired or about to expire on your SBS 2008 Server.
- Open the Windows SBS Console
- Click on Network
- Click on “Add a trusted Certificate”
- Click “Next”
- Click “I want to renew my Current Trusted Certificate with the same provider” and click Next.
- Click Save to file and save the file.
- In this case we’re using GoDaddy, so log into the GoDaddy website using your username and password.
- Purchase an SSL renewal if you’ve not already done so, and then launch your SSL Certificate control panel.
- Click Request Certificate on the right-hand side.
- Copy the contents of the saved file from step 6 into the CSR section of the GoDaddy renewal wizard. Click Next on the CSR wizard twice. Click Finished on the CSR renewal wizard.
- Approve the confirmation email that GoDaddy sends, and then log back into your SSL Certificate control panel at GoDaddy.
- Wait for the Certificate to be processed, and then download the certificate with the updated expiration date. Select the Exchange 2010 download format.
- Extract the files to a folder, and then return to your “Add a trusted Certificate” wizard.
- Select the option for “I have a certificate from my certificate provider” and then click “Next”
- Click the “Browse” button and select the .crt file from the folder you just created. Click “Next”.
- Wait for the wizard to complete. If the wizard fails, follow these instructions:
- Right-click on your .crt file and select Install. Follow the wizard to install it.
- Open your TS Gateway Manager and verify that on the “SSL Certificate” tab the proper certificate and expiration date are listed.
- Open your Exchange Management Shell.
- Run the following command and make note of the new certificate’s thumbprint: Dir cert:\LocalMachine\MY | fl
- Run get-exchangecertificate | fl to see a list of all certificates and what services they are tied to.
- Verify that the newly installed certificate is configured for IIS, and any other services it should be attached to.
- Connect to https://127.0.0.1/owa and verify that the certificate being used is the newest certificate.
- If IIS is not using the correct certificate, you’ll need to run this command from the Exchange Management Shell:
Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXX -services "iis,IMAP,POP" where the XXX is the new thumbprint and the services listed are the ones that should be using the new cert.
Note: if you need more information on installing the certificate in Exchange, you can read this.
Note: if you can’t figure out where the “TS Gateway Manager” is, you can read a write-up on how to enable it here.
Recently came across this problem on an SBS 2008 deployment (just missed the SBS 2011 release), where users trying to connect to their computers through the Remote Web Workplace were unable to and were getting this error:
An internal error has occurred (error 50331688). For more information, please
contact your network administrator or Microsoft Product Support.
Turns out the problem is related to the Terminal Services Gateway not having a certificate configured.
To resolve this follow these steps:
- Open TS Gateway Manager MMC
- Select your server in the Left hand pane
- In the Middle pane, click “View or modify certificate properties”
- Click “Select an existing Certificate for SSL encryption (recommended)”
- Click “Browse Certificates…”
- Select the correct third-party certificate from the list, and then click “Install”
- Click “Apply”, and then try to connect via RWW again.
This should also resolve any issues you have when trying to connect in via RDP when using a Terminal Services Gateway.
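Both the renewal procedure above (the “verify IIS is using the correct certificate” steps) and the TS Gateway fix come down to the same question: which certificate is HTTP.sys actually binding on port 443? OWA, Remote Web Workplace and the gateway’s RPC-over-HTTPS listener all sit behind it, and `netsh http show sslcert` is the authoritative view of the bindings that `Enable-ExchangeCertificate` and the TS Gateway Manager write. The PowerShell below is an added check, not part of either post, and needs no Exchange cmdlets: it parses the netsh output, matches each bound thumbprint against the computer’s Personal store, and warns when a newer certificate with the same subject is sitting in the store unused. The parsing assumes English netsh output.

```powershell
# Added example (not from the original posts): report which certificate each
# HTTP.sys SSL binding uses and flag bindings still pointing at an old certificate.
function Get-HttpsCertificateBindings {
    $store = Get-ChildItem Cert:\LocalMachine\My
    $bindings = @()
    $endpoint = $null
    foreach ($line in (netsh http show sslcert)) {
        # Each binding block starts with "IP:port : 0.0.0.0:443" (or "Hostname:port" on newer builds)
        if ($line -match '^\s*(IP|Hostname):port\s*:\s*(\S+)') { $endpoint = $matches[2] }
        elseif ($endpoint -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $hash = $matches[1].ToUpper()
            $cert = $store | Where-Object { $_.Thumbprint -eq $hash }
            $subject = '(not in LocalMachine\My)'
            $expires = $null
            if ($cert) { $subject = $cert.Subject; $expires = $cert.NotAfter }
            $bindings += New-Object PSObject -Property @{
                Endpoint = $endpoint; Thumbprint = $hash; Subject = $subject; Expires = $expires
            }
            $endpoint = $null
        }
    }
    $bindings
}

function Test-HttpsBindingsCurrent {
    $store = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
    foreach ($b in Get-HttpsCertificateBindings) {
        # Heuristic: the newest unexpired certificate with the same subject is the intended replacement.
        $newest = $store | Where-Object { $_.Subject -eq $b.Subject } | Sort-Object NotAfter -Descending | Select-Object -First 1
        if ($newest -and $newest.Thumbprint -ne $b.Thumbprint) {
            Write-Warning ("{0} is bound to {1} (expires {2}) but {3} (expires {4}) is available. " +
                           "Run: Enable-ExchangeCertificate -Thumbprint {3} -Services IIS" -f
                           $b.Endpoint, $b.Thumbprint, $b.Expires, $newest.Thumbprint, $newest.NotAfter)
        } elseif ($b.Expires -and $b.Expires -lt (Get-Date).AddDays(30)) {
            Write-Warning ("{0} certificate {1} expires on {2}" -f $b.Endpoint, $b.Thumbprint, $b.Expires)
        }
    }
}

Get-HttpsCertificateBindings | Format-Table Endpoint, Subject, Expires, Thumbprint -AutoSize
Test-HttpsBindingsCurrent
```

A binding whose thumbprint is “(not in LocalMachine\My)” means HTTP.sys references a certificate that has since been deleted, which produces the same kind of connection failure as the missing gateway certificate described above.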
Exchange 2007 requires a UCC certificate in order for the various services within Exchange to work properly. Exchange likes to see an SSL certificate for each of its services, internal and external, so in order to cover all bases I typically create a certificate with the following Subject Alternative Names (SANs) (assuming that the server’s name is “mailserver”, the external company name is “company.com”, and the internal Active Directory name is “company.local”):
- Public FQDN of the Server (mail.company.com)
- Private FQDN of the Server (Mailserver.company.local)
- Netbios name of the server (mailserver)
- for the last SAN feel free to use WWW, or anything else so that you can use this expensive certificate on your IIS servers as well
Godaddy.com allows you to create a UCC certificate with a Domain name, and up to 4 additional SANs, for a total of 5 FQDNs per certificate.
The first thing you’ll need to do is log into your GoDaddy.com account, purchase a UCC certificate, and then start the wizard to configure it. When it asks you for your CSR, you’ll need to follow these instructions on your Exchange server in order to create one:
- Open the Exchange Management Shell.
- The first thing I do is run the following command to get a handle on what certificates are currently installed: Dir cert:\LocalMachine\MY | fl
- To generate a new CSR you’ll need to enter the following command: New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=COUNTRY, l=CITYNAME, s=STATENAME, o=COMPANY NAME,cn=FIRST FQDN" -domainname SAN1, SAN2, SAN3, SAN4 -PrivateKeyExportable $true -path c:\certrequest.txt (fill in the capitalized placeholders with your own information and the SANs that we created above).
- Once you’ve run the command, copy the contents of C:\certrequest.txt into the GoDaddy.com CSR request field and continue the wizard.
- The wizard will complete, and eventually you’ll get an email from GoDaddy that your request is completed and you can download the certificate. Download the zip file to your Exchange server and extract it to a folder. The zip file will contain two certificates: an intermediates.p7b file and your FQDN.crt file.
- You’ll have to follow these instructions from GoDaddy to install their intermediate certificate and disable their older Class 2 Root Certificate. I’ve included these instructions verbatim here, but you’ll probably want to follow the most recent set of instructions from them when you download the certificate.
- Once the intermediate is installed and the Class 2 Root Certificate is disabled, you can install the new certificate on the Exchange server by moving the .crt file to c:\ and typing the following in the Exchange Management Shell: Import-ExchangeCertificate -path c:\FQDN.crt (change the name of the .crt file to match the one you were sent).
- Type Dir cert:\LocalMachine\MY | fl again and copy the thumbprint of the newly installed certificate.
- To enable the certificate, type: Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXX -services "iis,IMAP,POP" and replace the X’s with the thumbprint you copied from step 8. IMAP and POP are optional, and I don’t typically configure SMTP with SSL either.
That’s it! Your new SSL certificate is now installed.
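Before running `Import-ExchangeCertificate`, it is worth confirming that the .crt GoDaddy returned actually contains every name from the SAN list above and that it chains through the intermediate you installed; a missing name only shows up later as a client certificate warning, and a missing intermediate shows up as a “PartialChain” status. The PowerShell below is an added example, not part of the original post: it reads the DNS names out of the Subject Alternative Name extension, compares them against the names you expect, and builds the chain against the local stores. The file path and the `$expected` list are placeholders built from the example names used in this post; the SAN parsing assumes an English Windows locale, where the extension formats as `DNS Name=…` lines.

```powershell
# Added example (not from the original post): validate a downloaded certificate
# file against the expected SAN list and the installed intermediate chain.
function Test-ExchangeCertificateFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string[]]$ExpectedNames
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Subject Alternative Name extension is OID 2.5.29.17; Format($true) renders one entry per line.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $names = @()
    if ($sanExt) {
        $names = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match 'DNS Name=(.+)$') { $matches[1].Trim() }
        })
    }
    # -eq on strings is case-insensitive in PowerShell, which matches DNS semantics.
    $missing = @($ExpectedNames | Where-Object { $n = $_; -not ($names | Where-Object { $_ -eq $n }) })

    # Build the chain against this machine's stores. A PartialChain status means the
    # intermediates.p7b from the zip has not been installed yet.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        SanNames     = $names
        MissingNames = $missing
        ChainOk      = $ok
        ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        ChainRoot    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

# Placeholder names, following the mail.company.com example used in this post.
$expected = 'mail.company.com', 'mailserver.company.local', 'mailserver', 'www.company.com'
$result = Test-ExchangeCertificateFile -Path 'C:\mail.company.com.crt' -ExpectedNames $expected
$result | Format-List Subject, NotAfter, SanNames, MissingNames, ChainOk, ChainStatus, ChainRoot
if ($result.MissingNames.Count -gt 0) { Write-Warning "SANs missing from the certificate: $($result.MissingNames -join ', ')" }
if (-not $result.ChainOk) { Write-Warning 'Chain does not build; install intermediates.p7b before importing.' }
```

Only the public certificate is checked here; the private key is already in the machine store from the `New-ExchangeCertificate -generaterequest` step, and `Import-ExchangeCertificate` pairs the two when the subject and public key match.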
Note: These instructions are a verbatim copy of what is published on godaddy.com. They are published here because I reference them from another blog post; you’ll probably want to follow the instructions included with your certificate when you download it from GoDaddy.com to make sure you are following the most recent set of instructions.
To Install Intermediate Certificate Bundles
- Type mmc in the Start search box after pressing the Start menu to start the Microsoft Management Console (MMC).
- In the Management Console, select File then Add/Remove Snap In.
- In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.
- Choose Computer Account then click Next.
- Choose Local Computer, then click Finish.
- Close the Add or Remove Snap-ins dialog and click OK to return to the main MMC window.
- If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
- Right-click on Intermediate Certification Authorities and choose All Tasks, then click Import.
- Follow the wizard prompts to complete the installation procedure.
- Click Browse to locate the certificate file. Change the file extension filter in the bottom right corner to be able to select the file. Click Open after selecting the appropriate file.
- Click Next in the Certificate Import Wizard.
- Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next. Click Finish.
NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.
- Expand the Trusted Root Certification Authorities folder
- Double-click the Certificates folder to show a list of all certificates.
- Find the Go Daddy Class 2 Certification Authority certificate.
- Right-click on the certificate and select Properties.
- Select the radio button next to Disable all purposes for this certificate.
- Click OK.
- Repeat steps 13 to 18, using Starfield Class 2 Certificate Authority as the certificate name to disable.
NOTE: Do not disable the Go Daddy Secure Certification Authority certificate located in the Intermediate Certification Authorities folder. Doing so will break the server, causing it to stop sending the correct certificate chain to the browser.