How to set up secure communication between Symantec Mail Security for Microsoft Exchange Consoles using a self-signed certificate.

Article ID: 178365

Products

Mail Security for Microsoft Exchange

Issue/Introduction

 

Resolution

 

The following steps enable secure communication between Symantec Mail Security for Microsoft Exchange consoles using self-signed certificates.

Windows 2012 R2 / Exchange 2013

The following steps are required for both local access and access from a remote SMSMSE console.

Configuring SMSMSE Server to listen for SSL traffic:

  1. Open Server Manager
  2. In Server Manager choose Tools > Internet Information Services (IIS) Manager.
  3. Under "Connections" select the ServerName.
  4. Under "ServerName Home" right-click Server Certificates and choose Open Feature.
  5. Select "Create Self-Signed Certificate"
  6. Once in the wizard, specify a "Friendly Name" that identifies this certificate (e.g. SMSMSE_SSL).
  7. Click OK and a new certificate with the specified "Friendly Name" is created.
  8. Right-click the new certificate, then choose Export.
  9. Provide a path and name (e.g. the Friendly Name) and leave the extension as the default (pfx).  Provide a password, then click OK.
  10. Under "Connections" expand "Sites" then select "Symantec Mail Security for Microsoft Exchange"
  11. Under "Symantec Mail Security for Microsoft Exchange Home" right-click SSL Settings and select Bindings.
  12. Click Add. (Do not specify a value in Hostname, or remote connections will most likely fail.)
  13. Set type to HTTPS.  Set port to 8082.  Under SSL Certificate select the "Friendly Name" certificate from previous step.  Click OK.
  14. Under "Symantec Mail Security for Microsoft Exchange Home" right-click SSL Settings and select "Open Feature".
  15. Check the "Require SSL" box.  Set Client certificates to "Accept".  On the right-hand side click "Apply".
  16. Close the Internet Information Services (IIS) Manager.

 

For Remote Console access perform the following additional steps.

Windows Firewall rule creation: 

(Note:  This process is required only on servers that have Windows Firewall enabled.  These changes must be made on each SMSMSE server)

  1. In Server Manager choose Tools > Windows Firewall with Advanced Security.
  2. In the left-hand pane choose "Inbound Rules"
  3. On the Actions window choose "New Rule"
  4. In the "New Inbound Rule Wizard" choose Port and click Next.
  5. Specify the local port of 8082 and click Next until you reach the Name category.  Specify a Name (e.g. SMSMSE Inbound SSL).
  6. Click Finish to create a new inbound firewall rule.

 

Importing Certificate to Remote console machine:

(Note:  This process is required on the server that will be managing all SMSMSE assets)

  1. Navigate to the file location to which the certificate was exported in step 9 of the first section.
  2. Copy the certificate to the Remote console server.
  3. Open the (local computer) Certificates MMC snap-in.  (From a "Run" window type MMC, then choose File > Add/Remove Snap-in.)
  4. Navigate to "Trusted Root Certification Authorities" > Certificates.  In the right-hand pane right-click and choose All Tasks > Import.
  5. Within the Import Wizard click Browse.  Change filetype to "Personal Information Exchange" and select your certificate then click Open.
  6. Click Next, check "Mark Key as exportable", specify the password used during certificate export, then click Next until you can finish.
  7. Repeat the previous import process using the same certificate under "Personal" > Certificates.

Configuring SMSMSE Console for remote access:

  1. Open SMSMSE Console.
  2. Click Assets (at the top)
  3. (Skip this step if the server is already added) Click Add Server. Locate and select server. Click >>. Do not modify port value and click OK.
  4. Right-click the remote ServerName under Assets and choose Properties.
  5. Check "Use SSL" and set the port value to 8082. Click OK, then click Close.
  6. Close the SMSMSE Console.
  7. Open the SMSMSE Console. Click Change, select the remote server to test secure communication.
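
A check to run from the remote console machine once the steps above are complete, added here as an example and not part of the Symantec article: it reads the certificate presented on port 8082 and reports whether that thumbprint is present in the local machine's Trusted Root and Personal stores. The function names and the server name in the usage comment are hypothetical placeholders.

```powershell
# Added example (not vendor code). Run in an elevated PowerShell session
# on the remote console machine. Function names are hypothetical.
function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: this call only reads the certificate.
        # Trust is evaluated separately against the local stores below.
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Test-SmsmseTlsBinding {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,
        [int]$Port = 8082   # HTTPS binding port from step 13 of the first section
    )
    $cert  = Get-RemoteTlsCertificate -HostName $ServerName -Port $Port
    $match = { $_.Thumbprint -eq $cert.Thumbprint }
    $root  = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object $match)
    $my    = @(Get-ChildItem Cert:\LocalMachine\My   | Where-Object $match)
    [pscustomobject]@{
        Server           = "${ServerName}:$Port"
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        Expired          = ($cert.NotAfter -lt (Get-Date))
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)
        InTrustedRoot    = ($root.Count -gt 0)
        InPersonal       = ($my.Count -gt 0)
        # True when the PFX import placed the server's private key on this machine.
        PrivateKeyInRoot = [bool]($root | Where-Object { $_.HasPrivateKey })
    }
}

# Usage (server name is a placeholder):
# Test-SmsmseTlsBinding -ServerName 'smsmse01.example.local'
```

If InTrustedRoot is False, the certificate bound to port 8082 is not the one that was imported, so re-check the binding in step 13 and the import steps.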