OWA with SSL
-
Hey all. I've been stupid enough to take on to install Exchange 2003, so I suppose I'll just have to blame myself, but I'd still appreciate some help on this: When I try to enable SSL for OWA in [Exchange] System Manager, the textbox for filling in the SSL port is grayed out, so I have to enable SSL from IISAdmin instead, and it works. The problem is that when the server is restarted, the settings I make in IISAdmin are overwritten with the ones from System Manager, so SSL disappears :mad: :rose: To anyone with a decent (scripted?) solution or suggestion. (I have a CA on the same machine.)
-
Is this on IIS 5 or 6 (Windows 2000 Server or Windows Server 2003)? Our Exchange Server 2003 installation on Windows Server 2003 is currently using a test certificate from Thawte. I can't find any options for enabling SSL in Exchange System Manager on this server - where are you looking?

If I try to create a new HTTP Virtual Server through ESM, and choose Advanced next to IP Addresses, that does offer an SSL port field. It's initially grayed out because you've not yet added a certificate to this new virtual server, I think.

Unless you want to expose a different set of mailboxes to users connecting to the server with different IP addresses or (HTTP 1.1) host headers (e.g. you're hosting two separate domains on the same server), I'd stick with enabling SSL on your default server. In the Internet Information Services management console, expand Web Sites. Right-click Default Web Site and choose Properties. Go to the Directory Security tab. Click Server Certificate, then follow the wizard to add the certificate to this site.

Once you've done this, you can assign the SSL port to something other than the default using the Web Site tab. I don't recommend doing this because it's unexpected by the users, and doesn't offer much additional security.

If you want to ensure that OWA users can only connect using SSL, right-click the Exchange virtual directory under Default Web Site and go to the Directory Security tab. Here, click Edit under Secure Communications and check the Require Secure Channel option.

Remember that SSL protects your users' passwords and data, but does not provide access control. Unless you open your Kerberos ports on the firewall, authentication data (username and password) is sent using HTTP Basic Authentication, i.e. in clear text, so I recommend requiring SSL.

Stability. What an interesting concept. -- Chris Maunder
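Added example, not part of any post in this thread: a check over IIS W3C logs that shows whether Require Secure Channel is actually in effect, or has been lost again after a restart. It counts HTTP 403.4 ("SSL required") refusals and lists authenticated OWA requests that arrived on a non-SSL port, per server IP. The log lines are constructed, and the `/exchange` and `/public` prefixes, the port 443 default and the assumption of Basic authentication are assumptions, not values from the thread.

```python
# Added example: constructed IIS W3C log lines, not taken from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus
2004-03-01 08:00:01 192.0.2.10 GET /exchange/ 443 CORP\\alice 198.51.100.7 200 0
2004-03-01 08:05:12 192.0.2.10 GET /exchange/ 80 - 198.51.100.8 403 4
2004-03-02 07:58:40 192.0.2.10 GET /exchange/ 80 - 198.51.100.9 401 2
2004-03-02 07:58:41 192.0.2.10 GET /exchange/bob/Inbox 80 CORP\\bob 198.51.100.9 200 0
2004-03-02 08:10:00 192.0.2.11 GET /public/ 80 CORP\\carol 198.51.100.12 200 0
2004-03-02 08:11:00 192.0.2.10 GET /iisstart.htm 80 - 198.51.100.13 200 0
"""

# Assumed virtual directory names for OWA mailboxes and public folders.
OWA_PREFIXES = ("/exchange", "/public")


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def audit_owa(text, ssl_port="443"):
    """Classify OWA requests that arrived on a port other than ssl_port."""
    enforced, exposed = 0, []
    for r in parse_w3c(text):
        if not r.get("cs-uri-stem", "").lower().startswith(OWA_PREFIXES):
            continue
        if r.get("s-port") == ssl_port:
            continue
        if (r.get("sc-status"), r.get("sc-substatus")) == ("403", "4"):
            enforced += 1  # 403.4: IIS refused the request because SSL is required
        elif r.get("cs-username", "-") != "-":
            # A user authenticated without SSL: Basic credentials were sent in clear.
            exposed.append((r["date"], r["time"], r["s-ip"], r["cs-username"]))
    return {"enforced": enforced, "exposed": exposed}


if __name__ == "__main__":
    print(audit_owa(SAMPLE_LOG))
```

An `exposed` entry dated after a restart, on a server IP that previously only produced 403.4 refusals, indicates the setting on that virtual directory has been reverted.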
-
Well, as I said, I do get SSL to work, but the SSL settings are deleted when the virtual directories are read from ESM when restarting the services, so I need to enter them there instead of in IISAdmin. I have several IPs on the Exchange server to enable two companies to use the same one with different public folders and only port 443. Thank you for your exhaustive answer though. :rose: