Securing OWA w/SSL on IIS5.0

From: Evan Mann (emann@questinc.org)
Date: 01/03/02


From: Evan Mann <emann@questinc.org>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Thu, 3 Jan 2002 11:09:52 -0500 

I would like someone to tell me if what I did is the appropriate way to
secure my OWA connections. The main goal was to secure the password
exchange as my OWA server is for external use and I have to allow
anon/basic text auth for it. The OWA server itself sits behind my firewall
and is accessed via an HTTP proxy from external to internal. SSL on port 443
also NATs the same way.

In any event, I found all the appropriate MS KB articles on setting up a CA
and securing an IIS5.0 website with SSL. It was pretty basic. Installed
the CA. Set up my OWA website with a certificate. Not much else needed to
be done according to the KB articles. Now whenever I hit the site the
typical IE popup about accepting a certificate pops up and I accept it and
IE shows the page as being secured, and all further OWA pages.

On my test computer, I also installed the certificate for the CA into my
trusted certificates list. I do not plan to have all my users of OWA do
this at this time. Is this a good or bad idea?

I am "ignoring client certificates" on my particular website, mainly
because I am clueless as to how to configure these, and when I use "accept
client certificates", I get an additional certificate box where I am to
select a certificate, but none are in a list to select.

Am I at the point where I'm actually encrypting the password exchange and
all other data sent over OWA, or do I have a false sense of security?

Evan Mann


