01-22-2012 05:09 AM - edited 03-16-2019 09:08 AM
We have CUPS 8.6 in production and are planning to integrate CUPC with the Exchange calendar.
We have configured the Presence gateway with AD users; the AD users are configured with Exchange View Only, Receive As permissions, etc.
Once we configured it, we got the error below.
Exchange Reachability (pingable)
Exchange SSL Connection/Certificate Verification
We would like to know what certificate is missing and what certificate needs to be installed on CUPS.
I have attached the screen shot of gateway configuration and certificate error.
Pls. suggest.
01-22-2012 05:28 AM
Hi
From what I can gather, CUPS can pull the certificates from your Exchange server if it has a certificate issued directly by a root CA, by clicking the 'accept certificate chain' option. If you have a cert issued by a subordinate CA (which is very common) it doesn't seem to work.
Here's what I do:
1) Browse to OWA, then click the 'padlock' icon in IE or Firefox to view the certificate details.
2) On one of the tabs, you can export that certificate.
3) You can also view the certificate chain, do this and then view each certificate in the chain. Export each one to a file.
4) Once done, go to OS admin, and upload all the certificates (some may already have been imported, but one will be missing at least). Import them as presence-trust certificates.
Once that's all done you should be able to validate the cert chain in presence admin.
Principal Engineer at Logicalis UK
Please rate helpful posts...
01-22-2012 05:53 AM
Hi Aaron
I have done the same as you mentioned.
I exported the certificate through OWA and installed it on CUPS through the OS.
Back in Gateway, I clicked "Configure" and checked Accept Certificate Chain.
Exchange SSL Connection/Certificate Verification
I am getting same error.
Pls. advise.
I have attached the screenshot of OWA and CUPS certificate upload
Message was edited by: RAJESH KUMAR
01-22-2012 07:50 AM
Hi
In that cert2.jpg I don't see the cert for your root CA (whatever that server is that ends in ISA-02 in the cert chain display).
You've highlighted something with CUPS in the hostname in the OS cert admin page - that looks like the CUPS server certificate, not your root CA.
Aaron
01-22-2012 08:30 AM
Thanks,
I have the below certificate (CAS-CLUSTER) installed on CUPS, which was downloaded from OWA.
Under Cups OS certificate,
--------------------------------------
cup-trust trust-certs CAS-CLUSTER.pem CAS-CLUSTER.der
What you suggest is, we also need to install the root certificate from the server that ends with ISA-02?
Pls. suggest.
Rgds
Rajesh
01-22-2012 08:40 AM
Yes. You need to look at the certificate chain, and ensure all the certs involved are installed. If there are multiple servers (i.e. that ISA-02 is not the root CA) then you need the intermediate server certs as well.
Aaron
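The gap diagnosed above (server certificate uploaded, issuing CA missing) can be checked on the exported files before they are uploaded. This is an added example, not part of the original posts: it assumes a workstation with the `openssl` CLI and certificates exported as PEM, and the function names and throwaway sample certificates are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find gaps in a folder of exported PEM certificates.
# ISA-02 and CAS-CLUSTER are the names from the thread; the certificates
# themselves are throwaway ones constructed by make_demo_chain.

# Print the subject or issuer DN ($1) of PEM file $2 in RFC 2253 form.
dn() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Print each issuer DN in directory $1 that no certificate there has as subject.
missing_issuers() {
  for f in "$1"/*.pem; do
    issuer=$(dn issuer "$f"); found=no
    for g in "$1"/*.pem; do
      if [ "$(dn subject "$g")" = "$issuer" ]; then found=yes; break; fi
    done
    [ "$found" = yes ] || echo "$issuer"
  done | sort -u
}

# Constructed sample data: root CA "ISA-02" issuing a "CAS-CLUSTER" server cert.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ISA-02" \
    -keyout "$1/ca.key" -out "$1/ISA-02.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=CAS-CLUSTER" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ISA-02.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/CAS-CLUSTER.pem" 2>/dev/null
}

demo() {
  work=$(mktemp -d); mkdir "$work/upload"
  make_demo_chain "$work"
  cp "$work/CAS-CLUSTER.pem" "$work/upload/"      # server cert only
  echo "missing with server cert only: $(missing_issuers "$work/upload")"
  cp "$work/ISA-02.pem" "$work/upload/"           # add the root CA
  echo "missing after adding root: $(missing_issuers "$work/upload")"
  rm -rf "$work"
}
demo
```

An empty result means every issuer named in the folder is also present as a subject, so the set ends in a self-signed root.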
01-22-2012 08:47 AM
Thanks for the information,
ISA-02 is the root CA.
All the Exchange CAS server certificates are issued by ISA-02.
I will install the Exchange CAS-CLUSTER and ISA-02 certificates and update you.
One more question: we have ISA-01 and ISA-02 and CAS-CLUSTER (CAS-01 server, CAS-02 server); do we need to install individual server certificates on CUPS?
Thanks & Rgds
Rajesh
01-22-2012 02:05 PM
Hi
If the two cluster members share the SAME subject name/certificate (e.g. regardless of which one is active, you access it via CAS-CLUSTER) then you don't need to import both.
Aaron
01-23-2012 11:00 AM
Dear Aaron
Thanks a lot. Problem resolved after installing the certificate chain (root CA and cas-cluster) on CUPS.
Rgds
Rajesh
11-15-2012 02:01 PM
What if ICMP isn't allowed to the Exchange server, does this have to be enabled for this to work?
Thanks,
Joe