Protecting Client-to-Front-end-Server Communications


When clients connect to an Outlook Web Access (OWA) server, the information must be protected to ensure that usernames, passwords, and messaging data are not susceptible to compromise. This protection can be accomplished through the use of SSL on the Internet Information Services (IIS) virtual server. SSL requires a digital certificate that can be supplied either by the organization's PKI or by a third party, such as VeriSign.

Automatic SSL redirection

If SSL is used on the OWA server, clients connect to the OWA server by typing https://<FQDN> or https://<FQDN>/exchange to log on and use Exchange Server 2003 over the SSL connection. One of the biggest hassles for clients, however, is remembering to use https rather than just http. Using http means using the non-secure URL.

Exchange Server 2003 provides a way to automatically redirect OWA clients to an SSL connection if they use the non-secure URL. This prevents users from mistakenly trying to use the non-secure URL, not to mention keeps the number of helpdesk calls to a minimum if users are not able to gain access to email.

To configure automatic SSL redirection when form-based authentication is not in use, create a new HTM file called HTTPSRedirect.htm with the following contents:

 
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <HTML><HEAD>
 <meta http-equiv="refresh" content="0; url=https://webmail.companyabc.com">
 </HEAD></HTML>

NOTE

In the examples provided, replace webmail.companyabc.com in the file contents with the Fully Qualified Domain Name (FQDN) of the organization's OWA server.


If you use form-based authentication, do the following:

  1. Create a new HTM document called HTTPSRedirect.htm with the following content:

     
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
      <HTML><HEAD>
      <meta http-equiv="refresh" content="0; url=https://webmail.companyabc.com/exchweb/bin/auth/owalogon.asp?url=https://webmail.companyabc.com/exchange&reason=0">
      </HEAD></HTML>

  2. Save the file in %SYSTEMROOT%\help\iisHelp\common\ .

  3. From the Administrative Tools menu, open the Internet Information Services (IIS) Manager and expand the local computer.

  4. Expand Web Sites and then right-click Default Web Site and choose Properties.

  5. On the Custom Errors tab, select the HTTP Error 403;4 message entry and click the Edit button.

  6. Ensure that the Message type is File and then click the Browse button and navigate to %SYSTEMROOT%\Help\iisHelp\common\HTTPSRedirect.htm .

  7. Click Open and then click OK twice to close the Properties window.

  8. Stop and restart the Default Web Site.
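
A check that can be run on a copy of HTTPSRedirect.htm before it is saved to the server. This is an added example, not from the book; the names RefreshFinder, check_redirect_page and BAD_PAGE are constructed for illustration. It confirms that the refresh target and, with form-based authentication, the nested url parameter both use https and the OWA server's FQDN.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class RefreshFinder(HTMLParser):
    """Collects the URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            _delay, _, rest = attr.get("content", "").partition(";")
            rest = rest.strip()
            if rest.lower().startswith("url="):
                rest = rest[4:].strip()
            self.targets.append(rest)


def check_redirect_page(html, expected_host):
    """Return a list of problems found in the page; an empty list means OK."""
    finder = RefreshFinder()
    finder.feed(html)
    if len(finder.targets) != 1:
        return [f"expected one meta refresh, found {len(finder.targets)}"]
    target = finder.targets[0]
    # With form-based authentication the logon page is handed a second URL
    # in its "url" query parameter; it must be checked as well.
    urls = [("refresh target", target)]
    urls += [("url parameter", u) for u in parse_qs(urlsplit(target).query).get("url", [])]
    problems = []
    for label, url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            problems.append(f"{label} is not https: {url}")
        if (parts.hostname or "").lower() != expected_host.lower():
            problems.append(f"{label} has unexpected host: {url}")
    return problems


# Constructed sample: the form-based page with the inner URL left as http.
BAD_PAGE = (
    '<HTML><HEAD><meta http-equiv="refresh" content="0; '
    'url=https://webmail.companyabc.com/exchweb/bin/auth/owalogon.asp'
    '?url=http://webmail.companyabc.com/exchange&reason=0"></HEAD></HTML>'
)

if __name__ == "__main__":
    for problem in check_redirect_page(BAD_PAGE, "webmail.companyabc.com"):
        print(problem)
```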

Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto
