SPX Encryption

The Exchange server should not be in 'Upstream Hosts', rather, it should be in 'Host-based Relay'.  Does that resolve your issue?

Cheers - Bob

Thanks for the reply.  That did not change the result. 

What *should* be the address for the hostname?  

In the SPX configuration, the Hostname should be an FQDN that resolves to your public IP.

Cheers - Bob

Thanks, Bob... when I put a FQDN in as the hostname, I am able to set a password and open it.  However, the site shows as unsecure... even though I have a wildcard certificate uploaded; what am I missing?

  Thanks!

Show a picture of the warning you get, tell us what FQDN you're browsing to and tell us the 'Hostname' defined in 'Management >> System Settings'.

Cheers - Bob

It's not so much an error as a warning : 

The hostname is the 'Management-->System Settings' is NOT resolvable to public DNS and doesn't match the FQDN hostname I used for the SPX settings.  

A screenshot of the body of the browser with the cause of the warning would be more suitable for us to help you. Have you uploaded a certificate signed by a public CA in Webserver Protection > Certificate Management and selected this certificate to be used for HTTPS communication in Management > WebAdmin Settings >HTTPS Certificate? SPX portal will use the same certificate as WebAdmin/User Portal, and that certificate CN needs to match the FQDN you provided in "SPX Portal Settings". You said you are using a wildcard certificate, so as long as the domain matches and the certificate is publicly trusted, you should not see a warning anymore. 

Regards,

Giovani

"The hostname is the 'Management-->System Settings' is NOT resolvable to public DNS and doesn't match the FQDN hostname I used for the SPX settings."

I would urge you to correct that.  See The Zeroeth Rule in Rulz for a trick to do this easily and almost painlessly.  Be sure to get a good backup or two before you start so that you can go back quickly.

Cheers - Bob

Ah... so the certificate in use there is the hostname used in Management-->Hostname.  It's the hostname that isn't available in public DNS.  If I change the HTTPS cert to be used to the wildcart cert, when someone visits using the other hostname (for management purposes), will they receive the cert error?  So for example, let's say the Hostname is listed as internal.domain.com but I entered the SPX hostname as external.domain.com because that actually resolves from public DNS.  If I change the HTTPS cert to wildcard, it shouldn't result in a bad cert error when visiting internal.domain.com (which resolves internally).  

The browser warning : 

giomoda said:

A screenshot of the body of the browser with the cause of the warning would be more suitable for us to help you. Have you uploaded a certificate signed by a public CA in Webserver Protection > Certificate Management and selected this certificate to be used for HTTPS communication in Management > WebAdmin Settings >HTTPS Certificate? SPX portal will use the same certificate as WebAdmin/User Portal, and that certificate CN needs to match the FQDN you provided in "SPX Portal Settings". You said you are using a wildcard certificate, so as long as the domain matches and the certificate is publicly trusted, you should not see a warning anymore. 

Regards,

Giovani

 

You see, you have two warnings:

- Certificate CN mismatch, meaning the SSL certificate CN does not match the URL. 

- Untrusted CA, meaning you are probably using the auto-generated self-signed certificate 

So, let's take some practical examples. Let's suppose you configured your UTM with a internal FQDN like utm.domain.local. The default for the UTM is to create a self-signed certificate for utm.domain.local and use it for encrypting WebAdmin sessions. That same certificate will be used for Webadmin, UserPortal and SPX. 

So let's say you configured SPX hostname as spx.domain.com, which is publicly resolvable. When clients access that URL, the certificate presented is that auto-created self-signed certificate for utm.domain.local. That explains the warning: CN mismatch and untrusted CA, since the CN is utm.internal.local and no browser has the UTM's internal CA in their trusted CA list.

The only way to resolve this is to buy a SSL certificate for a single domain signed by a public CA (they come as cheap as 5 bucks nowadays) with, for the sake of my example, spx.domain.com as the CN or to buy a wildcard certificate for *.domain.com (more expensive, but recommended). 

If you buy a wildcard certificate (and I believe you already have one) and bind it to WebAdmin, you can access Webadmin, UserPortal and SPX using any URL as *.domain.com (as long as the FQDN resolves to your external interface) without any warning. But for management purposes, if you access the UTM by it's internal FQDN (utm.domain.local in my example), you will receive a warning because now the CN for the wildcard certificate (*.domain.com) does not match the internal URL (utm.domain.local).

You can circumvent that by accessing WebAdmin, that should by now be protected by your wildcard certificate, by it's public interface and FQDN.

I'd still follow Bob's suggestion to replace your UTM's hostname for a FQDN that's publicly resolvable. As stated in the zeroeth Rulz, that's the shortest way for a happy UTM.

Regards,

Giovani

Thank you for all the replies.  I understand what needs to be adjusted... unfortunately, there's some politics at work that currently preventing the necessary changes.

I do have one more question... I currently have the the trigger set as 'Encrypt' using ^Encrypt... is there a way to set it to [Encrypt]?  When I entered ^[Encrypt], it never works.

  Thanks. 

Thank you for all the replies.  I understand what needs to be adjusted... unfortunately, there's some politics at work that currently preventing the necessary changes.

I do have one more question... I currently have the the trigger set as 'Encrypt' using ^Encrypt... is there a way to set it to [Encrypt]?  When I entered ^[Encrypt], it never works.

  Thanks.