Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Internal and External Clients See Cisco Router Certificate, NOT Exchange SSL Certificate

Cisco 876 Integrated Services Router (ISR)
Exchange Server 2010 SP1

Clients: Outlook 2013, OWA, WP7/WP8 ActiveSync(?)

We just set up a new Cisco ISR. Most everything works fine, with some exceptions. Exchange email stopped altogether for a few days until I realized I needed to redirect the SMTP, HTTP, and HTTPS ports coming from the outside to the Exchange Server. Now mail flow is fine, but...

Every time I start Outlook I get a certificate error. When I look at the certificate in the error popup window, it's actually pointing to the Cisco router's self-signed certificate. When we try to use the Windows Phones, they get a "certificate error" and direct the user to the network administrator. Same with OWA: a certificate error, though it can be "accepted"/overridden.

Each of the clients can still function, with the exception of the Windows Phones. In Outlook and OWA, mail is still being sent and received, but one has to manually accept that the certificate is wrong before the client will load, and then it takes a little longer for the load.

Any ideas?

I've done port "forwarding" on pots 25, 80, and 443. Again, I did that yesterday and now mail seems to flow, whereas before, though one could get into the client with the certificate error, mail was not being received. (There was also a problem with mail not being sent, but that was due to our mail relay provider and was fixed yesterday as well...)

Everything was working fine with the previous router (obviously). It was a high-end, consumer-level Fritz!Box used commonly in Germany. I had also had to allow the ports through on that box not unlike using the ip nat inside static commands on the 876, but I don't know what it might have let through on its own or why the ISR is hijacking the SSL certificate from the Exchange Server application.

Thanks in advance for any help.

jeremyNLSO
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

So we actually figured this

So we actually figured this out today. The internal DHCP server was handing out a public DNS server along with the internal DNS. The internal DNS was timing out and the client was getting the external IP from the public DNS and it was receiving an unexpected cert from the router. Once we removed the public DNS servers from DHCP and only used internal DNS servers the issue went away. Makes sense after we realized what was going on. 

6 REPLIES

Internal and External Clients See Cisco Router Certificate, NOT

I've not run into this issue in the past, but do you have tcp intercept enabled on the router?

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Internal and External Clients See Cisco Router Certificate, NOT

John, forgive my ignorance, but I don't think I have that running. At least there's no such command in the running config. But I'm not sure I know what "tcp intercept" is?...

Should I post the running config?

jeremyNLSO
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

Internal and External Clients See Cisco Router Certificate, NOT

Yes please. Remove public addressing and passwords...

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Did you ever find a solution

Did you ever find a solution to this issue?

Community Member

No... Never did figure it out

No... Never did figure it out. I ended up using the ISR at a client site where there was no Exchange Server so there's no issue with the certificate.

This thread can be closed -- how should I do that? Not "Answered" but also no longer possible to troubleshoot.

Thanks!

 

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
Community Member

So we actually figured this

So we actually figured this out today. The internal DHCP server was handing out a public DNS server along with the internal DNS. The internal DNS was timing out and the client was getting the external IP from the public DNS and it was receiving an unexpected cert from the router. Once we removed the public DNS servers from DHCP and only used internal DNS servers the issue went away. Makes sense after we realized what was going on. 

1446
Views
5
Helpful
6
Replies
CreatePlease to create content