Re: SSL Noob needs some help
- From: Roberto Franceschetti <rob-erto-do-not-spam@xxxxxxxxxx>
- Date: Sun, 10 Aug 2008 23:47:17 -0400
On 8/7/08 12:16 PM, in article
04148125-26BF-4D8B-9135-B48F6866DA57@xxxxxxxxxxxxx, "David B"
<DavidB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> We are looking at configuring our OWA servers for SSL encryption. Currently
> they are just out of the box regular HTTP://
> We are Windows 2003 Active Directory with a central office and 2 small field
> offices. Our Core Exchange server is here at corp office and each field
> office has a small exchange server for their users. All 3 have OWA enabled
> with a public sub-domain (http://office.ourdomain.com/exchange). The field
> offices are both connected back here with a fractional T1 line.
> I think I have a decent idea of the steps that need to occur, but not
> certain on a few things.
> 1. Establish a Certificate Server here at corp hq. I assume this can go on
> any member server with IIS installed? Is there a benefit or a detriment to
> using the Exchange Server itself? Or would one of our core DCs be a better
> choice? Does this box need to be public facing?
> 2. Once the Cert Server is up, purchase and download the certificate to it.
> As I understand, each subdomain of ourdomain.com will require the
> purchase/installation of its own unique SSL cert. Can these all be hosted on
> the same server, or does each server need to host its own? Also, with it
> being across a WAN connection, would it be beneficial or necessary to have a
> cert server at each field location?
> 3. Enable OWA at each server to be SSL enabled. I have an article that
> explains this process, so I think once I have SSL up and running, turning it
> on for each OWA instance should be easy enough.
> Any thoughts, suggestions, gotchas, etc. would be greatly appreciated.
There is no usefulness in purchasing a commercial SSL certificate and
assigning it to your Certificate Server. This is because the end users are
going to be accessing your OWA server(s), and the SSL cert needs to be
assigned to your OWA server(s) (running IIS).
This said, if you will be accessing OWA from the internet, you only need one
OWA server used by all offices. If you will be accessing OWA only from
within your internal network, then, depending on your network structure, you
may need one in each office or just one shared by all offices.
If the OWA server(s) is on the internal network only, you can install an
internal Certificate Authority (CA) Server, and use that CA to issue
certificates to your OWA server(s). You can then also configure your Active
Directory to "trust" your CA, so that all SSL certificates it will issue
will not cause any security popup errors in the end-user's browsers while
accessing OWA.
If the OWA is accessible from the internet, you can still add your root CA's
certificate to your Active Directory (or you can add the cert issued to the
OWA server to the trusted list of certs in Active Directory) to avoid that
annoying security popup. However, when users access OWA from home, they will
see the popup. The only way to avoid this popup without asking the home
users to accept certificates (which is a procedure only needed once...) is
to use a commercial certificate assigned to the OWA server.
--
Roberto Franceschetti
LogSat Software
http://www.logsat.com
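The reply above turns on one point: the certificate users' browsers check is the one presented by the OWA host (IIS), and it must carry the name they type, be issued by a CA their machines trust, and be within its validity period. As an added illustration that is not part of the original thread or anyone's posted code, the Python script below audits a certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns against those three conditions. The two certificates, the host names and the CA name "Corp Internal Root CA" are constructed samples; the `fetch_cert` helper shows how the same audit would be fed from a live OWA server using an exported internal root CA file.

```python
import socket
import ssl
import time

# Constructed sample (not captured from any real server), in the shape
# returned by ssl.SSLSocket.getpeercert(): a certificate correctly issued
# to the OWA name users type into their browser.
OWA_CERT = {
    "subject": ((("commonName", "office.ourdomain.com"),),),
    "issuer": ((("commonName", "Corp Internal Root CA"),),),  # hypothetical CA
    "subjectAltName": (("DNS", "office.ourdomain.com"), ("DNS", "mail.ourdomain.com")),
    "notBefore": "Aug 10 00:00:00 2008 GMT",
    "notAfter": "Aug 10 00:00:00 2010 GMT",
}

# Constructed sample: the mistake the reply warns against, a certificate
# issued to the certificate server's own name rather than the OWA host.
CA_HOST_CERT = {
    "subject": ((("commonName", "certsrv.corp.ourdomain.com"),),),
    "issuer": ((("commonName", "Corp Internal Root CA"),),),
    "subjectAltName": (("DNS", "certsrv.corp.ourdomain.com"),),
    "notBefore": "Aug 10 00:00:00 2008 GMT",
    "notAfter": "Aug 10 00:00:00 2010 GMT",
}


def dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def label_match(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # "*.ourdomain.com" -> ".ourdomain.com"
    return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")


def name_matches(cert, hostname):
    return any(label_match(p, hostname) for p in dns_names(cert))


def issued_by(cert, ca_common_name):
    """Crude issuer check by CN; real trust is decided by chain validation."""
    return any(
        key == "commonName" and value == ca_common_name
        for rdn in cert.get("issuer", ())
        for key, value in rdn
    )


def is_valid_at(cert, now):
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def audit(cert, hostname, ca_common_name, now=None):
    """Return a list of problems; an empty list means the cert passes."""
    now = time.time() if now is None else now
    problems = []
    if not name_matches(cert, hostname):
        problems.append(
            f"name mismatch: certificate covers {dns_names(cert)}, users connect to {hostname}"
        )
    if not issued_by(cert, ca_common_name):
        problems.append(f"issuer is not {ca_common_name}")
    if not is_valid_at(cert, now):
        problems.append("outside validity period")
    return problems


def fetch_cert(hostname, cafile, port=443):
    """Retrieve the certificate a live OWA host presents, trusting only the
    root CA in `cafile` (e.g. the internal CA's exported root certificate)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    checked_at = 1230000000  # constructed: a point in late 2008
    for label, cert in (("OWA host cert", OWA_CERT), ("CA server cert", CA_HOST_CERT)):
        print(label, audit(cert, "office.ourdomain.com", "Corp Internal Root CA", checked_at) or "OK")
```

Run against the two samples, the OWA certificate passes and the certificate issued to the CA server is reported as a name mismatch, which is exactly the browser warning the reply describes. Pointing `fetch_cert` at a real host with the internal root CA file reproduces what a domain-joined client sees once the root has been published to Active Directory; a home client without that root would fail in `wrap_socket` before the audit runs, which is why the reply reserves a commercial certificate for that case.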