Securing OWA w/SSL on IIS5.0
From: Evan Mann (emann@questinc.org)Date: 01/03/02
- Previous message: SteveF@dice.com: "RE: Exchange 5.5 locking down"
- Next in thread: Tyrone Bennett: "Re: Securing OWA w/SSL on IIS5.0"
- Reply: Tyrone Bennett: "Re: Securing OWA w/SSL on IIS5.0"
- Reply: Skinner, Kit: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Jason Brvenik: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Evan Mann: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Ogle Ron (Rennes): "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Andrew Langton: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Turner, Keith: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Evan Mann: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Mike Shaw: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Jason Brvenik: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Duane Waddle: "RE: Securing OWA w/SSL on IIS5.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Evan Mann <emann@questinc.org> To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com> Date: Thu, 3 Jan 2002 11:09:52 -0500
I would like someone to tell me if what I did is the appropriate way to
secure my OWA connections. The main goal was to secure the password
exchange as my OWA server is firm external use and I have to allow
anon/basic text auth for it. The OWA server itself sits behind my firewall
and is accessed via an HTTP proxy from external to internal. SSL on port 443
also NATs the same way.
In any event, I found all the appropriate MS KB articles on setting up a CA
and securing an IIS5.0 website with SSL. It was pretty basic. Installed
the CA. Setup my OWA website with a certificate. Not much else needed to
be done according to the KB articles. Now whenever I hit the site the
typical IE popup about accepting a certificate pops up and I accept it and
IE shows the page as being secured, and all further OWA pages.
On my test computer, I also installed the certificated for the CA into my
trusted certificates list. I do not plan to have all my users of OWA do
this at this time, is this a good or bad idea?
I am "ignorning client certificates" on my particular website, mainly
because I am clueless as to how to configure these, and when I use "accept
client certificates", I get an additional certificate box where I am to
select a certificate, but none are in a list to select.
Am I at the point where I'm actually encrypting the password exchange and
all other data sent over OWA, or do I have a false sene of security?
Evan Mann
- Previous message: SteveF@dice.com: "RE: Exchange 5.5 locking down"
- Next in thread: Tyrone Bennett: "Re: Securing OWA w/SSL on IIS5.0"
- Reply: Tyrone Bennett: "Re: Securing OWA w/SSL on IIS5.0"
- Reply: Skinner, Kit: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Jason Brvenik: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Evan Mann: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Ogle Ron (Rennes): "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Andrew Langton: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Turner, Keith: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Evan Mann: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Mike Shaw: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Jason Brvenik: "RE: Securing OWA w/SSL on IIS5.0"
- Reply: Duane Waddle: "RE: Securing OWA w/SSL on IIS5.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
