Recipe 8.7. Enabling SSL for OWA

Problem

You want to enable the use of SSL on your OWA 2000 or OWA 2003 server.

Solution

Using a graphical user interface

  1. Log in to your OWA server.

  2. Open the IIS Manager snap-in from the Administrative Tools menu in the Start menu.

  3. Expand the Web Sites object.

  4. Right-click the Default Web Site object and choose Properties.

  5. Click the Directory Security tab.

  6. Click the Server Certificate button. The Web Server Certificate Wizard will appear; click Next. What you see next will depend on whether or not your server already has a certificate associated with OWA:

    • If you don't have a certificate, you'll see the Server Certificate page. You can request a new certificate or assign one that's already installed but not yet assigned for use with OWA. If you already have an SSL certificate installed for use with OWA, you can reuse it by selecting the Assign an existing certificate button. If you need to request a new certificate, click Create a new certificate, then refer to the instructions provided by your certificate authority; we won't cover the process here.

    • If you have an installed certificate that's already in use for OWA, you'll see the Modify the Current Certificate Assignment page (see Figure 8-2). On this page, you can renew the current certificate, remove it, or replace it with a different existing certificate.

      In either case, choose the appropriate option and click Next. For the rest of this recipe, we'll assume that you've already obtained a certificate from your CA and installed it within IIS.

  7. In the Available Certificates page, select the certificate you're using for SSL and click Next.

  8. Click Next on the summary page, then click Finish to dismiss the certificate wizard.

  9. Click the Edit button in the Secure communications control group.

  10. Click the Require secure channel checkbox. For added security, you should also click the Require 128-bit encryption checkbox. Click OK.

  11. Click OK.

Figure 8-2. Replace, renew, or remove an already-assigned certificate


Discussion

SSL has been around a long time, and so has OWA. By now, there really shouldn't be an Exchange administrator anywhere on Earth who thinks it's OK to run OWA without requiring SSL (unless you're just running OWA on your corporate network). Why? OWA can use two primary authentication modes. Basic authentication obscures the credentials by base64-encoding them, but it doesn't protect them from eavesdroppers. Integrated Windows authentication uses either Kerberos or NTLM authentication, but it only works with specific browsers that support it, and it's normally restricted to use on corporate networks. Accordingly, OWA 2003 enables both types of authentication. However, Basic authentication alone really isn't safe for use on the Internet, since each authentication response contains an obscured user name and password that can be easily unobscured by an attacker who can eavesdrop on the connection. To protect against such eavesdropping, any OWA server that's reachable from the Internet should have SSL enabled and required. In fact, SSL must be enabled to use form-based authentication or RPC over HTTPS.
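The following Python sketch illustrates the point about Basic authentication. It is an added example, not code from the book: it decodes the Authorization header of a constructed plain-HTTP request, and classifies a server's answer to a plain-HTTP probe before and after Require secure channel is set. The host name, account, password, and sample responses are all made up for illustration.

```python
import base64

def parse_headers(raw):
    """Split a raw HTTP message into (start line, {lower-cased name: [values]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def decode_basic(request):
    """Return (user, password) from a Basic Authorization header, or None."""
    for value in parse_headers(request)[1].get("authorization", []):
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "basic":
            text = base64.b64decode(token).decode("utf-8", "replace")
            user, _, password = text.partition(":")
            return user, password
    return None

def audit_http_probe(response):
    """Classify a server's answer to a request sent over plain HTTP."""
    status_line, headers = parse_headers(response)
    code = status_line.split()[1]
    offered = {v.split()[0].lower() for v in headers.get("www-authenticate", []) if v}
    if code == "401" and "basic" in offered:
        return "FAIL: Basic authentication offered without SSL"
    if code == "403":
        return "OK: plain HTTP refused"
    return "REVIEW: unexpected status " + code

# Constructed sample data: host, account and password are made up.
CAPTURED_REQUEST = (
    "GET /exchange/ HTTP/1.1\r\nHost: owa.example.com\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"EXAMPLE\\jsmith:Winter2006!").decode() + "\r\n\r\n"
)
BEFORE_SSL = (  # both authentication modes offered on port 80
    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm="owa.example.com"\r\n\r\n'
)
AFTER_SSL = (  # "Require secure channel" set: IIS reports error 403.4
    "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
    "HTTP Error 403.4 - Forbidden: SSL is required to view this resource."
)

if __name__ == "__main__":
    results = (decode_basic(CAPTURED_REQUEST), audit_http_probe(BEFORE_SSL), audit_http_probe(AFTER_SSL))
    print(*results, sep="\n")
```

No key or secret is involved in the decoding step, which is why the credentials need the SSL channel around them.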

Note that neither EAS nor OMA supports SSL connections. See MS KB 817379 for details.

See Also

Recipe 8.8 for setting up form-based authentication, MS KB 839357 (How to redirect an HTTP connection to HTTPS for Outlook Web Access clients), MS KB 816794 (How to install imported certificates on a Web server in Windows Server 2003), and Chapter 2 of the Exchange Server 2003 Client Access Guide:

http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3ClientAccGuide/7ff636d5-a97d-4ac9-a090-10eb428ccf83.mspx


Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
EAN: 2147483647
Year: 2006
Pages: 235