Recipe 8.7. Enabling SSL for OWA

Problem

You want to enable the use of SSL on your OWA 2000 or OWA 2003 server.

Solution

Using a graphical user interface

1. Log in to your OWA server.
2. Open the IIS Manager snap-in from the Administrative Tools menu in the Start menu.
3. Expand the Web Sites object.
4. Right-click the Default Web Site object and choose Properties.
5. Click the Directory Security tab.
6. Click the Server Certificate button. The Web Server Certificate Wizard will appear; click Next.
7. What you see next depends on whether or not your server already has a certificate associated with OWA:
   - If you don't have a certificate, you'll see the Server Certificate page. You can request a new certificate or assign one that's already installed but not yet assigned for use with OWA. If you already have an SSL certificate installed for use with OWA, you can reuse it by selecting the Assign an existing certificate button. If you need to request a new certificate, click Create a new certificate, then refer to the instructions provided by your certificate authority; we won't cover the process here.
   - If you have an installed certificate that's already in use for OWA, you'll see the Modify the Current Certificate Assignment page (see Figure 8-2). On this page, you can renew the current certificate, remove it, or replace it with a different existing certificate.
   In either case, choose the appropriate option and click Next. For the rest of this recipe, we'll assume that you've already obtained a certificate from your CA and installed it within IIS.
8. In the Available Certificates page, select the certificate you're using for SSL and click Next.
9. Click Next on the summary page, then click Finish to dismiss the certificate wizard.
10. Click the Edit button in the Secure communications control group.
11. Click the Require secure channel checkbox. For added security, you should also click the Require 128-bit encryption checkbox.
12. Click OK.
13. Click OK.

Figure 8-2. Replace, renew, or remove an already-assigned certificate

Discussion

SSL has been around a long time, and so has OWA. By now, there really shouldn't be an Exchange administrator anywhere on Earth who thinks it's OK to run OWA without requiring SSL (unless you're just running OWA on your corporate network). Why? OWA can use two primary authentication modes. Basic authentication obscures the credentials by base64 encoding them, but it doesn't protect them from eavesdroppers. Integrated Windows authentication uses either Kerberos or NTLM authentication, but it only works with specific browsers that support it, and it's normally restricted to use on corporate networks. Accordingly, OWA 2003 enables both types of authentication. However, basic authentication alone really isn't safe for use on the Internet, since each authentication response contains an obscured user name and password that can be easily unobscured by an attacker who can eavesdrop on the connection. To protect against such eavesdropping, any OWA server that's reachable from the Internet should have SSL enabled and required. In fact, SSL must be enabled to use form-based authentication or RPC over HTTPS. Note that neither EAS nor OMA supports SSL connections; see MS KB 817379 for details.
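Once Require secure channel is set, IIS answers plain-HTTP requests to the OWA directories with 403.4 (SSL required) or 403.5 (128-bit required), so the W3C logs are a quick way to confirm that no authenticated OWA session is still being served on port 80. The following audit script is an added example, not from the book; it assumes the IIS 6 W3C extended log field layout and uses constructed sample log lines.

```python
"""Audit IIS 6 W3C logs for OWA requests that were served without SSL."""

# Constructed sample log lines (not real server data); IIS 6 W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-01 08:00:01 10.0.0.5 GET /exchange/ - 80 - 192.0.2.10 Mozilla/4.0 403 4 0
2005-03-01 08:00:02 10.0.0.5 GET /exchange/ - 443 CORP\\jdoe 192.0.2.10 Mozilla/4.0 200 0 0
2005-03-01 08:00:03 10.0.0.5 GET /exchange/jdoe/Inbox - 80 CORP\\jdoe 192.0.2.11 Mozilla/4.0 200 0 0
2005-03-01 08:00:04 10.0.0.5 GET /exchange/ - 80 - 192.0.2.12 Mozilla/4.0 403 5 0
"""

# Virtual directories that carry OWA traffic on an Exchange 2000/2003 front end.
OWA_PATHS = ("/exchange", "/exchweb", "/public")


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def audit(text):
    """Return (cleartext_sessions, ssl_rejections).

    cleartext_sessions lists authenticated OWA requests that succeeded on port 80,
    i.e. credentials crossed the wire without SSL; ssl_rejections counts plain-HTTP
    requests that IIS refused with 403.4 (SSL required) or 403.5 (128-bit required).
    """
    cleartext = []
    rejected = 0
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(OWA_PATHS):
            continue
        if rec["s-port"] != "80":
            continue
        if rec["sc-status"] == "403" and rec["sc-substatus"] in ("4", "5"):
            rejected += 1
        elif rec["cs-username"] != "-" and rec["sc-status"] == "200":
            when = rec["date"] + " " + rec["time"]
            cleartext.append((when, rec["cs-username"], rec["cs-uri-stem"]))
    return cleartext, rejected


if __name__ == "__main__":
    sessions, blocked = audit(SAMPLE_LOG)
    print(f"{blocked} plain-HTTP OWA requests rejected by SSL policy")
    for when, user, path in sessions:
        print(f"CLEARTEXT {when} {user} {path}")
```

Run it against the real log files under the Default Web Site's log directory; any CLEARTEXT line means the Require secure channel setting is not in effect for that path.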
See Also

- Recipe 8.8 for setting up form-based authentication
- MS KB 839357 (How to redirect an HTTP connection to HTTPS for Outlook Web Access clients)
- MS KB 816794 (How to install imported certificates on a Web server in Windows Server 2003)
- Chapter 2 of the Exchange Server 2003 Client Access Guide: http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3ClientAccGuide/7ff636d5-a97d-4ac9-a090-10eb428ccf83.mspx