08-14-2013 05:09 AM - edited 03-03-2019 07:09 AM
Cisco 876 Integrated Services Router (ISR)
Exchange Server 2010 SP1
Clients: Outlook 2013, OWA, WP7/WP8 ActiveSync(?)
We just set up a new Cisco ISR. Most everything works fine, with some exceptions. Exchange email stopped altogether for a few days until I realized I needed to redirect the SMTP, HTTP, and HTTPS ports coming from the outside to the Exchange Server. Now mail flow is fine, but...
Every time I start Outlook I get a certificate error. When I look at the certificate in the error popup window, it's actually pointing to the Cisco router's self-signed certificate. When we try to use the Windows Phones, they get a "certificate error" and direct the user to the network administrator. Same with OWA: a certificate error, though it can be "accepted"/overridden.
Each of the clients can still function, with the exception of the Windows Phones. In Outlook and OWA, mail is still being sent and received, but one has to manually accept that the certificate is wrong before the client will load, and then it takes a little longer for the load.
Any ideas?
I've done port "forwarding" on ports 25, 80, and 443. Again, I did that yesterday and now mail seems to flow, whereas before, though one could get into the client with the certificate error, mail was not being received. (There was also a problem with mail not being sent, but that was due to our mail relay provider and was fixed yesterday as well...)
Everything was working fine with the previous router (obviously). It was a high-end, consumer-level Fritz!Box used commonly in Germany. I had also had to allow the ports through on that box not unlike using the ip nat inside static commands on the 876, but I don't know what it might have let through on its own or why the ISR is hijacking the SSL certificate from the Exchange Server application.
Thanks in advance for any help.
jeremyNLSO
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
08-14-2013 09:28 AM
I've not run into this issue in the past, but do you have tcp intercept enabled on the router?
HTH,
John
*** Please rate all useful posts ***
08-15-2013 12:58 AM
John, forgive my ignorance, but I don't think I have that running. At least there's no such command in the running config. But I'm not sure I know what "tcp intercept" is?...
Should I post the running config?
jeremyNLSO
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
08-15-2013 03:05 AM
Yes please. Remove public addressing and passwords...
HTH,
John
*** Please rate all useful posts ***
12-03-2014 09:48 AM
Did you ever find a solution to this issue?
12-05-2014 04:39 PM
No... Never did figure it out. I ended up using the ISR at a client site where there was no Exchange Server so there's no issue with the certificate.
This thread can be closed -- how should I do that? Not "Answered" but also no longer possible to troubleshoot.
Thanks!
12-05-2014 09:23 PM
So we actually figured this out today. The internal DHCP server was handing out a public DNS server along with the internal DNS. The internal DNS was timing out and the client was getting the external IP from the public DNS and it was receiving an unexpected cert from the router. Once we removed the public DNS servers from DHCP and only used internal DNS servers the issue went away. Makes sense after we realized what was going on.
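The check described in the last post, as an added example that is not code from the thread: it flags DNS servers in the DHCP scope that sit outside the LAN, and resolvers whose answer for the Exchange host name leads to an address presenting a different certificate. The subnet, addresses, fingerprints and function names are constructed assumptions; on a live network `cert_fingerprint` would supply the observed fingerprints.

```python
import hashlib
import ipaddress
import socket
import ssl

# Constructed sample values (assumptions, not taken from the thread).
LAN = ipaddress.ip_network("192.168.10.0/24")   # internal subnet
DHCP_DNS = ["192.168.10.5", "198.51.100.53"]    # DNS servers in the DHCP scope
ANSWERS = {"192.168.10.5": "192.168.10.20",     # resolver -> A record it returns
           "198.51.100.53": "203.0.113.10"}     # for the Exchange host name
EXCHANGE_FP = "aa" * 32                         # fingerprint of the Exchange cert
SEEN_FP = {"192.168.10.20": "aa" * 32,          # address -> fingerprint presented
           "203.0.113.10": "bb" * 32}

def external_resolvers(dns_servers, lan=LAN):
    """DHCP-offered DNS servers that sit outside the internal subnet."""
    return [s for s in dns_servers if ipaddress.ip_address(s) not in lan]

def cert_fingerprint(ip, server_name, port=443, timeout=5.0):
    """SHA-256 of the certificate presented at ip:port. Validation is off
    on purpose: the goal is to record what is served, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def findings(answers, seen_fp, expected_fp, lan=LAN):
    """One finding per resolver whose answer leads a client to the wrong cert."""
    out = []
    for resolver, addr in sorted(answers.items()):
        problems = []
        if ipaddress.ip_address(addr) not in lan:
            problems.append("answer is outside the LAN")
        if seen_fp.get(addr) != expected_fp:
            problems.append("certificate differs from Exchange")
        if problems:
            out.append((resolver, addr, problems))
    return out

if __name__ == "__main__":
    print("external resolvers in DHCP scope:", external_resolvers(DHCP_DNS))
    for resolver, addr, problems in findings(ANSWERS, SEEN_FP, EXCHANGE_FP):
        print(f"{resolver} -> {addr}: {', '.join(problems)}")
```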