OWA security in DMZ

chunger
Hi:

This is a 3 part question...

1) I am running Exchange 2000 in a 2000 Native mode domain.  I also have a Certificate Server which is also a domain controller behind a firewall.  And I have a webserver in a DMZ.  I would like to securely publish OWA in a DMZ using SSL.

I am not familiar with setting up SSL at all.  What do I need to do to get OWA running in the DMZ securely accessing OWA on the Exchange server?  I know ports 80 & 443 need to be open from the DMZ to the inside.

2) Currently when a user is logged in and he opens IE and connects to //<servername>/exchange, OWA automatically logs in with that user's credentials.  It also lets me log in to other people's mailboxes if I have the proper security without typing in the other person's password info.  How can I prevent that?

3) And lastly, is there a way to remove the save password check box from the OWA login?

Thanks for the help!

Commented:
The first thing you need is a Front End server in the DMZ.  Are you familiar with that concept?  If not, please let me know and I'll explain.

You only need TCP ports 80 and 443 open from the client to the front-end server and 80 open from the front-end server to your mailbox servers.

To deploy SSL, you need to add your SSL certificate to the web site.  To do this, use Internet Services Manager to access properties for the "Exchange" site.  Go to the Directory Security tab and click the Server Certificate button.  A wizard will take you through the rest.  I can provide additional help here, if necessary, as well.  You will probably also want to create a new web site, like www.mydomain.com/webmail (or something more obscure) and forward that to https://frontendserver.domain.com/exchange.  This will make things more convenient for your users.

The reason people are not being asked to authenticate is because Integrated Windows Authentication is enabled.  They actually are authenticating.  They are simply using their logon token.  This is the same as opening Outlook, or a network share that the logged on account has access to.  You can disable this on the Directory Security tab as well.  Click the Edit button under Anonymous access and authentication control.

A couple of things to consider.  If you plan on using your certificate server as the CA for your SSL certificate, people are going to get prompted that your certificate is not trusted unless your CA is a subordinate CA signed by a trusted authority.  You can find trusted Windows authorities through the Certificates MMS.  If you use a non-trusted certificate, your sessions will still be secure, but people will be prompted every time they connect.  I can expand on this if you need me to.

Also, "secure" OWA is a relative term.  While SSL helps, you probably want another layer of authentication in FRONT of OWA.  This is called "dual factor authentication".

Please let me know if you have questions.

OneHump

Author

Commented:
What if I don't have a frontend server?  Should have mentioned that before.  We don't have the resources to install another server just for OWA.  Wouldn't I need 443 open to the certificate server from the DMZ?

We do have another layer of authentication into the Extranet webpage against a DB.  An alternate approach would be appreciated.  TX.

Author

Commented:
What is a Certificates MMS and where do I find it?

Commented:
You either need a front-end server, or you need to expose one of your mailbox servers as an OWA server in the DMZ.  The problem is that you'll have mailboxes on that server, requiring RPC ports to be open through the DMZ.  It will also increase your security risk.  Do you have a spare server that you can install Exchange on to place in the DMZ?  Making that a front-end server is simply a matter of checking a checkbox.

I was referring to the Certificates MMC, sorry.  On the run line, type MMC.  Go to File|Add/Remove Snap-in.  Click the Add button.  Click the Certificates object and click ADD.  Select Computer Account, click Next then Finish.  Click Close then OK.  Expand Certificates in the MMC window.  Expand Trusted Root Certification Authorities and click Certificates.  A list of trusted CAs will appear.  You only need to do this if you are interested in obtaining a 3rd party SSL certificate, or if you are interested in signing your CA.  Getting your CA signed is a HUGE pain that requires an audit, a lot of money and even more work.


OneHump
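The checks the two answers above describe, the port matrix between client, front-end and mailbox server and whether the front-end's certificate chains to a root in the Trusted Root Certification Authorities store that the Certificates MMC shows, as an added PowerShell example. This is not code from the thread or from Microsoft. The hostnames, the expectation that 443 and RPC port 135 are closed on the mailbox server from the DMZ, and the use of Test-NetConnection (Windows 8 / Server 2012 or later) are assumptions for illustration.

```powershell
# Added example (not from the thread): run from the DMZ or a client host to confirm
# only the expected OWA ports answer, then check whether the TLS certificate on 443
# chains to a root in this machine's Trusted Root store.
param(
    [string]$FrontEnd = 'frontendserver.domain.com',   # hostname used in the thread; assumed here
    [string]$Mailbox  = 'mailbox.domain.com'           # placeholder for an internal mailbox server
)

# Port matrix from the first answer: client -> front-end 80/443, front-end -> mailbox 80 only.
# Anything beyond that reachable from the DMZ (443 to the mailbox server, RPC 135) is a finding.
$expected = @(
    @{ Host = $FrontEnd; Port = 80;  Allowed = $true  },
    @{ Host = $FrontEnd; Port = 443; Allowed = $true  },
    @{ Host = $Mailbox;  Port = 80;  Allowed = $true  },
    @{ Host = $Mailbox;  Port = 443; Allowed = $false },
    @{ Host = $Mailbox;  Port = 135; Allowed = $false }   # RPC endpoint mapper (assumed closed)
)

foreach ($e in $expected) {
    $open   = (Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    $status = if ($open -eq $e.Allowed) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1}:{2,-4} open={3,-5} expected={4}' -f $status, $e.Host, $e.Port, $open, $e.Allowed
}

# Fetch the certificate presented on 443. The callback accepts anything at this layer
# because the chain is inspected explicitly below.
$tcp = New-Object System.Net.Sockets.TcpClient($FrontEnd, 443)
$ssl = $null
try {
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($FrontEnd)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Build the chain against the local machine's trusted roots, the same list the MMC procedure shows.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline lab setting; keep revocation checks on in production
$trusted = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"Trusted : $trusted"
if (-not $trusted) {
    # Expected for a certificate from an in-house CA that is not a trusted root or a signed subordinate:
    # the session is still encrypted, but browsers will warn on every visit, as the answer says.
    $chain.ChainStatus | ForEach-Object { "  reason: $($_.Status) - $($_.StatusInformation.Trim())" }
}
```

The port loop and the chain check are independent: a MISMATCH on the mailbox server's 443 or 135 means the firewall allows more than the front-end design needs, while an untrusted chain only tells you that clients will be prompted, not that the session is unencrypted.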

Author

Commented:
It's not the spare PC that's the problem, it's paying for an additional Exchange license for webmail.

Went to the Internet Services Manager\Directory Security tab, but it is greyed out???

Commented:
In order to have a front end server you need to have Enterprise edition of Exchange....you can then install it on your Webserver....all it is really is a program that looks and acts like an Exchange store...but it just forwards requests to the real Exchange store.

dawne :)

see link :)

http://support.microsoft.com/default.aspx?scid=kb;en-us;326276

Commented:
chunger,

I completely understand your position.  The only other option is to open up ports 80 and 443 to your Exchange mailbox servers.  I don't recommend that as a secure solution.

Did you check the directory security tab for the properties of "Exchange" under the Default Web Site?


OneHump

Author

Commented:
Ya, I checked the directory security tab of the "Exchange" under default web site.  Guess I need to assign a certificate to that server first?

I am trying to run the webmail from the DMZ to a Front end server on the network by opening ports 80 & 443 only & using SSL.   Got the webmail working on the DMZ server, but when I try to access it from an outside client, the page won't come up.  I think I'm missing some kind of translation between the client and the DMZ server.  Microsoft recommends using ISA, but I'm going to look for an alternative.  Any suggestions?  I know you don't like this solution, but it's better than what I have now.  At least it is not directly open to the internet.  We don't have the re$ource$ available to upgrade to Enterprise and buy another license.  Any ideas would help.

TX

Commented:
Yes, you do need a certificate first.  You can either create one with your very own certificate server, or buy one from one of the evil trusted CA's.  If you make your own, it won't be trusted and people will be prompted when they come to your site.  The transaction, however, will still be encrypted.

Here are a couple of links for you:

Creating a Certificate Request File (SSL/TLS) in IIS 5.0
http://www.iis-resources.com/modules/news/article.php?storyid=13

Excellent site for choosing a Certification Authority
http://www.whichssl.org/


OneHump

Author

Commented:
Got the SSL all figured out.  I would like to distribute the certificate to users who I only want to allow access.  How would I do that?  Also I only have Basic Authentication enabled w/ SSL.  I want to be able to log in from https://server name/exchange rather than the full mailbox path (https://server name/exchange/User_name).

When I try logging in with just https://server name/exchange, multiple logins are required and it never works.  If I use the full path https://server name/exchange/user_name, authentication is fine.

The reason for my request is so that users will have only a single click link to their webmail.  Any suggestions?
Commented:
You don't issue an SSL certificate.  You install it on the web server, and those with access to connect, and using the proper protocol (https), will have use of the certificate's public key to encrypt the session.

What you would do to restrict access is to either restrict the site by IP, through IIS Admin, or restrict the protocol through Exchange System Manager. You could normally restrict NTFS permissions on the site's home directory, but that would be a bad thing to do on the M drive.  To restrict who can access mailboxes for E2K OWA, check the Exchange Advanced tab for the user object, click the Protocols button and either enable or disable HTTP for that mailbox.

There may be another way, but I would have to test to figure that out.  I believe those are the best ways.  They are certainly the most supported.



OneHump
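An added example, not from the thread or from Microsoft, that audits the /exchange virtual directory for the settings the answers recommend: Integrated Windows Authentication off (so the logged-on token is not reused silently), Basic Authentication only with SSL required, no anonymous access, and a source-IP restriction that is actually in effect. It uses the WebAdministration module, so it assumes IIS 7 or later rather than the IIS 5 Directory Security tab the thread refers to; the site and application names are assumptions.

```powershell
# Added example (not from the thread): report OWA virtual-directory settings that
# contradict the advice given above. Assumes IIS 7+ with the WebAdministration module.
Import-Module WebAdministration

$site = 'Default Web Site'               # assumed
$app  = 'exchange'                       # virtual directory named in the thread
$path = "IIS:\Sites\$site\$app"
$auth = 'system.webServer/security/authentication'

# Get-WebConfigurationProperty returns an attribute object (.Value) for bool/int attributes
# but a plain string for flags attributes such as sslFlags; normalise both to the raw value.
function Get-IisValue([string]$filter, [string]$name) {
    $v = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name $name
    if ($null -ne $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

$findings = @()

# 1. Integrated Windows Authentication: users are authenticated with their logon token,
#    which is why nobody is prompted (see the first answer). Not wanted on an internet-facing path.
if (Get-IisValue "$auth/windowsAuthentication" 'enabled') {
    $findings += 'Windows (integrated) authentication is enabled on /exchange'
}

# 2. Basic Authentication only base64-encodes the password, so it is acceptable only with SSL required.
$basic    = Get-IisValue "$auth/basicAuthentication" 'enabled'
$sslFlags = [string](Get-IisValue 'system.webServer/security/access' 'sslFlags')
if ($basic -and ($sslFlags -notmatch 'Ssl')) {
    $findings += "Basic authentication is enabled but SSL is not required (sslFlags='$sslFlags')"
}
if (-not $basic -and -not (Get-IisValue "$auth/windowsAuthentication" 'enabled')) {
    $findings += 'No authentication method enabled on /exchange; users cannot log on'
}

# 3. Anonymous access would bypass the mailbox logon entirely.
if (Get-IisValue "$auth/anonymousAuthentication" 'enabled') {
    $findings += 'Anonymous authentication is enabled on /exchange'
}

# 4. IP restriction (the "restrict the site by IP" option in the last answer) only limits
#    access when unlisted addresses are denied.
$ipsec = Get-WebConfiguration -PSPath $path -Filter 'system.webServer/security/ipSecurity'
if ($ipsec.allowUnlisted) {
    $findings += 'No source-IP restriction in effect (ipSecurity allowUnlisted=true)'
}

if ($findings.Count -eq 0) {
    'OWA authentication settings on /exchange match the recommended configuration.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it on the web server as an administrator; each FINDING line maps to one setting the thread tells you to change, and a clean run means the path is reachable only over HTTPS with an explicit credential prompt.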
