KANEWONG

asked on

Exchange OWA and SSL VPN access and ActiveSync

Hi,

I am going to implement SSL VPN for my company, in which I will deploy a virtual office that allows users to access OWA from the public network.  In this case, I do not need to open http and https for the Exchange server on the firewall.

However, if iPad or iPhone users in my company want to use the Exchange setup on iPad or iPhone, they require ActiveSync, and ActiveSync needs http and https to work.  In this case, what would be a good way to protect Exchange?

I am currently using Exchange 2003, which will be upgraded to 2010 later this year.
suriyaehnop

You can implement a certificate for Exchange. There are several public certificate authorities like DigiCert, GoDaddy, etc.
KANEWONG

ASKER

Hi cjrmail2k,

Thanks for your link. Actually, I have an ActiveSync problem too; maybe the link can help me solve it.  When I ActiveSync to my Exchange server, I get some SSL cert issues too.

Actually, what is the best practice to protect an Exchange server using SSL VPN and an SSL cert, if OWA and the iPhone will be used to access Exchange?

Thanks!

The SSL VPN will have a different cert to the IIS server hosting OWA. You can purchase these relatively cheaply depending on the level of encryption you want, or even self-certify, although self-certification is not best practice.

When you set up your iPhone mail connection (once you have a certificate in place), you will not use OWA but rather ActiveSync, and yes, the link I provided will set everything up for you. It all really depends on how you connect. I connect to our ActiveSync directly via a published URL (in DNS), www.yourdomain.com, and put my credentials into the iPhone mail settings. This goes via an ISA firewall that also needs the domain certificate installed; you will need to create an Outlook web listener for that.
Hi cjrmail2k, thanks for your feedback.

Let me try to understand your post.

1. I can deploy OWA with my SSL VPN.
2. For those iPhone or iPad users who want to use the Exchange client on these two devices, I need to provide a URL for them to authenticate, but in your feedback, is www.yourdomain.com mapped to the Exchange server or a DC?

That is mapped to a DC. To be honest, you should provide OWA the same way; this way your users can access OWA from any machine and they don't need the SSL VPN software. If they have a VPN connection, they can use the full Outlook version. The URL is mapped to the ISA server, which in turn forwards to the Exchange front-end.

Thanks cjrmail2k.  I want to have better protection for my OWA.  What would you suggest?
Hi,

I forgot to post more detail in my last post.

For example, if I type https://webmail.company.com in my browser, I get an "Under construction" message, but if I type https://webmail.company.com/owa, the OWA logon page is displayed.  In this case, what can I do to keep OWA from being shown even when https://webmail.company.com/owa is entered?

Do you have an ISA server? If so, this will be a setting in the Exchange listener rule. Only certain URLs are forwarded, hence why you get the login details. If you are going to use SSL VPN, you can disable the Web Listener on the ISA firewall because you will be using your internal DNS instead of coming in through an ISA firewall.

No, I am not using an ISA firewall.  Currently, we are using Netscreen and will be migrating to a Sonicwall firewall.

The challenge is that the Exchange ActiveSync function on iPhone and iPad requires the public server name of Exchange, such as mail.company.com.  But if I announce such a host name to the public, anyone on the internet can try https://mail.company.com/owa; although they do not have an account to log on, they know that this is an OWA server.
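
The "only certain URLs are forwarded" idea raised in the thread, sketched as the path decision a reverse proxy in front of Exchange could make so that ActiveSync is published while `/owa` stays reachable only over the SSL VPN. This is an added example, not part of any post above; the function names are hypothetical, and `/Microsoft-Server-ActiveSync` is assumed to be the server's ActiveSync virtual directory (the Exchange default).

```python
import re
from urllib.parse import unquote

# Assumption: only ActiveSync is published to the internet; OWA stays behind
# the SSL VPN. Prefixes are lowercase because IIS paths are case-insensitive.
PUBLISHED_PREFIXES = ("/microsoft-server-activesync",)


def normalize(raw_target):
    """Return a canonical lowercase path, or None if the request is ambiguous."""
    path = raw_target.split("?", 1)[0]      # the query string is not part of the path
    path = unquote(path)                    # decode %xx once
    if "%" in path:                         # still encoded: refuse double encoding
        return None
    path = path.replace("\\", "/")          # IIS accepts backslash as a separator
    path = re.sub(r"/+", "/", path).lower() # collapse repeated slashes, fold case
    if not path.startswith("/"):
        return None
    if any(seg in (".", "..") for seg in path.split("/")):
        return None                         # refuse traversal rather than resolve it
    return path


def is_published(raw_target):
    """True only if the request falls under a published virtual directory."""
    path = normalize(raw_target)
    if path is None:
        return False
    return any(path == p or path.startswith(p + "/") for p in PUBLISHED_PREFIXES)


if __name__ == "__main__":
    # Constructed sample request targets, not taken from a real log.
    samples = [
        "/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceType=iPhone",
        "/owa",
        "/OWA/auth/logon.aspx",
        "/Microsoft-Server-ActiveSync/../owa",
        "/microsoft-server-activesync%2f..%2fowa",
        "/",
    ]
    for target in samples:
        print("FORWARD" if is_published(target) else "DROP   ", target)
```

Requests that are dropped should get the same generic response as any other unknown path, so the external host name does not reveal an OWA logon page.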
ASKER CERTIFIED SOLUTION
Alan Hardisty