EBS 2008 Certificates Installer for RWW Terminal Services Gateway and Outlook RPC / HTTP


Essential Business Server continues Microsoft’s commitment to offer integrated functionality in pre-configured Server packages for small and medium-sized businesses. To achieve an out-of-the-box secure environment in EBS, a Security Server is included in the topology as the edge ( or public ) facing connector between the open internet and the EBS 2008 environment.

SSL encryption is mandatory for Clients connecting to this server over the web.

Today’s article focuses on:

  • the tasks of finding and installing EBS leaf and root certificates ( using the EBS Certificate Installer Package ) on computers that are not joined to the EBS 2008 domain.
  • some essential information about EBS Certificates, what they do, and how to recreate them.

EBS 2008 Self Signed Leaf Certificate

Please note: the certificate chain must be installed if users intend to use Remote Desktop through Terminal Services Gateway and/or want to connect to Exchange from Outlook using RPC / HTTP. Otherwise, these features will not work for connecting computers.

The EBS Root Certificate Package in Essential Business Server 2008

Essential Business Server includes a certificate installer to make adding the EBS Certificate Chain to any Client computer easy.

The location of that Certificate Package is on the EBS 2008 Management server in the following path

%ProgramFiles%\Windows Essential Business Server\Data\RWW Cert Package

An administrator would typically copy this package to removable media for provision to users and installation. Users cannot access the default location directly so the administrator must distribute the Certificate Installer.

To make a secure trusted SSL connection to EBS 2008 from the internet, Users must first install the Root Certificate as a Trusted Root Certificate in the Certificate store of their Client computers. These computers can be domain computers or non-domain computers. Non-domain computers must manually import the certificates.

EBS 2008 Certificates are usually imported in the following ways:

  • DOMAIN: by joining the Client Computer to the Essential Business Server domain ( during which EBS 2008 automatically installs the certificates using group policy )
  • NON-DOMAIN: install the EBS Root Certificate manually to a non-domain computer using the RWW Cert Package located in the path shown above

How To install the EBS 2008 Root Certificate on a Client Computer that is not joined to the EBS domain

  • Log on to the EBS 2008 Management Server (using a Local or Domain Administrator account)
  • using Explorer, browse to the folder
    %ProgramFiles%\Windows Essential Business Server\Data\RWW Cert Package
  • copy the folder (including all the contents) to removable storage media
  • insert the media into the destination Client Computer
  • open the RWW Cert Package and execute the CertificateInstaller.exe program

The Essential Business Server root certificate and leaf certificate ( used on the TMG External Listener ) will be installed. By default, the root certificate is installed in the Trusted Root Certification Authorities store.
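A post-install check for the procedure above, as an added example that is not part of the original article: it confirms on the non-domain client that the root now in the Trusted Root store is the one the administrator expects, and that the leaf presented by the external listener chains to it. The thumbprint and host name are placeholders (assumptions); the administrator supplies the real values.

```powershell
# Added example (not from the original article). Run on the non-domain client
# after CertificateInstaller.exe. Both parameter defaults are placeholders.
param(
    # Thumbprint the administrator read from the root certificate on the
    # Management Server and passed to the user out of band (assumption).
    [string]$ExpectedRootThumbprint = '<EBS-ROOT-THUMBPRINT>',
    # Public name of the Security Server external listener (assumption).
    [string]$RwwHost = 'remote.example.com'
)
$ErrorActionPreference = 'Stop'
$expected = ($ExpectedRootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($expected.Length -ne 40) { throw 'Supply the 40-hex-digit SHA-1 thumbprint of the EBS root.' }

# 1. The root must be in a Trusted Root store, and be the expected one.
$root = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $expected } | Select-Object -First 1
if (-not $root) { throw "Root $expected is not in Trusted Root Certification Authorities." }
if ($root.NotAfter -lt (Get-Date)) { Write-Warning "Root expired on $($root.NotAfter)." }
"Root installed: $($root.Subject) (valid until $($root.NotAfter))"

# 2. Handshake with default validation: this throws if the leaf is untrusted,
#    expired, or issued for a different host name.
$tcp = New-Object System.Net.Sockets.TcpClient($RwwHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($RwwHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 3. The leaf must chain to the expected root, not to some other trusted CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not checked here
if (-not $chain.Build($leaf)) { throw "Chain for $($leaf.Subject) did not build." }
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($anchor.Thumbprint -ne $expected) {
    throw "Leaf chains to $($anchor.Thumbprint), expected $expected."
}
"Leaf $($leaf.Subject) chains to the expected EBS root."
```

Comparing the thumbprint matters because the package travels on removable media: a match shows the client trusts the same root the Management Server issued, not merely some root that happened to be imported.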

About the SSL Certificate for Threat Management Gateway External Listener in EBS 2008

The secure socket layer certificate linked to the TMG External Listener is used primarily to encrypt traffic between the Security Server. Essential Business Server setup creates this certificate as a part of the setup process. The public facing certificate is what is known as a leaf certificate. Users connecting to EBS from the web are commonly expecting to use the following EBS 2008 functionality:

  • Remote Web Workplace
  • Outlook Web Access in Exchange Server 2007

EBS 2008 RWW Remote Web Workplace Logon

EBS 2008 Remote Web Workplace

EBS 2008 - Check E-Mail (using Outlook Web Access) and Connect to a Computer (using TS Gateway)

The SSL encryption provided by the certificate also supports other important remote access features, and it is “essential” for the certificates to be installed for these features to work:

  • Connect to a Computer ( via terminal services gateway ) on the EBS local area network
  • Outlook Email client connecting to Exchange Server 2007 when connecting via Outlook RPC over HTTP using NTLM Authentication

EBS 2008 Remote Desktop Connection

EBS 2008 Connect Computer Terminal Services Gateway Logon

Creating a new EBS 2008 SSL Certificate and/or renaming an EBS 2008 SSL Certificate

Administrators can also add a new certificate to the Threat Management Gateway ( Security Server ) External Listener, replacing the existing one, by following these articles:

To learn more about Active Directory Certificate Services in Essential Business Server 2008, please read this TechNet article

You can learn more about EBS 2008 versions and the Threat Management Gateway MBE Security Server here ( or contact me at http://www.wigital.net ):

Thanks for reading. Please comment for the community. If this information has helped you, please link back here. It helps us as well as others who may need the information.

Thank you.
Mark Raborn
WIGITAL
