Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3734
Views
5
Helpful
6
Replies

Internal and External Clients See Cisco Router Certificate, NOT Exchange SSL Certificate

Go to solution
ArchiTech89
Level 1
Level 1

‎08-14-2013 05:09 AM - edited ‎03-03-2019 07:09 AM

Cisco 876 Integrated Services Router (ISR)
Exchange Server 2010 SP1

Clients: Outlook 2013, OWA, WP7/WP8 ActiveSync(?)

We just set up a new Cisco ISR. Most everything works fine, with some exceptions. Exchange email stopped altogether for a few days until I realized I needed to redirect the SMTP, HTTP, and HTTPS ports coming from the outside to the Exchange Server. Now mail flow is fine, but...

Every time I start Outlook I get a certificate error. When I look at the certificate in the error popup window, it's actually pointing to the Cisco router's self-signed certificate. When we try to use the Windows Phones, they get a "certificate error" and direct the user to the network administrator. Same with OWA: a certificate error, though it can be "accepted"/overridden.

Each of the clients can still function, with the exception of the Windows Phones. In Outlook and OWA, mail is still being sent and received, but one has to manually accept that the certificate is wrong before the client will load, and then it takes a little longer for the load.

Any ideas?

I've done port "forwarding" on pots 25, 80, and 443. Again, I did that yesterday and now mail seems to flow, whereas before, though one could get into the client with the certificate error, mail was not being received. (There was also a problem with mail not being sent, but that was due to our mail relay provider and was fixed yesterday as well...)

Everything was working fine with the previous router (obviously). It was a high-end, consumer-level Fritz!Box used commonly in Germany. I had also had to allow the ports through on that box not unlike using the ip nat inside static commands on the 876, but I don't know what it might have let through on its own or why the ISR is hijacking the SSL certificate from the Exchange Server application.

Thanks in advance for any help.

jeremyNLSO
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Daniel Williams
Level 1
Level 1
In response to ArchiTech89

‎12-05-2014 09:23 PM

So we actually figured this out today. The internal DHCP server was handing out a public DNS server along with the internal DNS. The internal DNS was timing out and the client was getting the external IP from the public DNS and it was receiving an unexpected cert from the router. Once we removed the public DNS servers from DHCP and only used internal DNS servers the issue went away. Makes sense after we realized what was going on. 

View solution in original post

6 Replies 6

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎08-14-2013 09:28 AM

I've not run into this issue in the past, but do you have tcp intercept enabled on the router?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
ArchiTech89
Level 1
Level 1
In response to John Blakley

‎08-15-2013 12:58 AM

John, forgive my ignorance, but I don't think I have that running. At least there's no such command in the running config. But I'm not sure I know what "tcp intercept" is?...

Should I post the running config?

jeremyNLSO
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to ArchiTech89

‎08-15-2013 03:05 AM

Yes please. Remove public addressing and passwords...

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Daniel Williams
Level 1
Level 1

‎12-03-2014 09:48 AM

Did you ever find a solution to this issue?

0 Helpful

Go to solution
ArchiTech89
Level 1
Level 1
In response to Daniel Williams

‎12-05-2014 04:39 PM

No... Never did figure it out. I ended up using the ISR at a client site where there was no Exchange Server so there's no issue with the certificate.

This thread can be closed -- how should I do that? Not "Answered" but also no longer possible to troubleshoot.

Thanks!

 

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
0 Helpful

Go to solution
Daniel Williams
Level 1
Level 1
In response to ArchiTech89

‎12-05-2014 09:23 PM

So we actually figured this out today. The internal DHCP server was handing out a public DNS server along with the internal DNS. The internal DNS was timing out and the client was getting the external IP from the public DNS and it was receiving an unexpected cert from the router. Once we removed the public DNS servers from DHCP and only used internal DNS servers the issue went away. Makes sense after we realized what was going on. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents