iosys

OWA URL and Logon Screen

Hi,

Two quick questions relating to Exchange 2003 + OWA...
1. Can you change and then remove the default OWA URL (/exchange)?
I'd like to change it to something less obvious (i.e. /webmail) and then remove /exchange, so hackers don't necessarily know it's an Exchange backend.

2. When I logon to my OWA server, via a Front-end server on our DMZ, I am prompted for the name + password, before being taken to OWA. However, the prompt is a standard Windows Logon Pop-Up, and not an OWA webpage with logon.
I've seen mention, and other OWA sites on the net, where you are taken straight to the OWA Logon page and you enter your credentials and then choose Basic or Premium client.
How can I force OWA to show this screen as opposed to the Windows Credentials Pop-Up?

Thanks
Ian
uyht

You need to select FBA (forms-based authentication). It is on the Exchange virtual directory properties Advanced tab in ESM. You have to have SSL running for this to work though.

ASKER

To install SSL do I need to install Certificate Server? (If yes, can I install it on the Front End Server and is there a cost?)
Will all the clients need a certificate installing on their PCs?

You can create the cert server yourself. This is a great site with a tutorial: http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

It is not hard to do, I did it on a test lab and it worked very well.

To make OWA the default on a web site:

1. Start IIS Manager
2. Right click on the "Default Web Site" and choose "Properties".
3. Click on the "Home Directory" tab.
4. Change the first option to "A redirection to a URL".
5. Enter "/exchange" in to the box (minus quotes)
6. Change the entry below to "A directory below URL entered".
7. Click Apply/OK and close the IIS Manager.
8. Test.


http://www.amset.info/exchange/default-web.asp

As for SSL, while you can use your own certificate I prefer to purchase one. FreeSSL do two year certificates for US$60. This saves prompts being received when the users access the OWA URL.
It also means that you can use RPC over HTTP at a later date.

Simon.

ASKER

I don't want OWA to be the default page on the website, what I want to do is change the OWA URL from /exchange to /webmail.

That way, if someone is trawling sites on the net looking for vulnerable Exchange sites (i.e. searching for /exchange on a site and seeing if they get an OWA prompt) they won't find mine!

Cheers
Ian
Oh.
It isn't easy to do that. It may work by removing the Exchange virtual folders and then recreating them with the correct paths. It isn't something I have done before - and isn't something I have been too worried about.

However OWA would not be the first way I would go looking for an Exchange server on the Internet. FBA isn't heavily used yet - many people don't even know that it is there.

If I was looking for Exchange servers I would be looking at the SMTP banner. This tells you not only that it is Exchange but also which version.

Simon.
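
The SMTP banner point in the post above, as an added example that is not part of the original thread: a small offline audit that parses a 220 greeting from your own mail server and reports whether it discloses a product name or a build number. The keyword list and both sample greetings are constructed assumptions, not values from the thread.

```python
import re

# Illustrative keyword list (an assumption, not exhaustive): product names
# that commonly appear in mail-server greetings.
PRODUCT_HINTS = ("microsoft", "exchange", "postfix", "sendmail", "exim")
# Dotted build/version numbers such as 6.0.3790.1830
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


def parse_greeting(raw: str) -> str:
    """Join the text of a (possibly multi-line) 220 greeting.
    RFC 5321 marks continuation lines as '220-' and the last line as '220 '.
    Raises ValueError if the reply is not a well-formed 220 greeting.
    """
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty greeting")
    parts = []
    for i, line in enumerate(lines):
        m = re.fullmatch(r"220([ -])(.*)", line)
        if not m:
            raise ValueError(f"not a 220 reply line: {line!r}")
        last = i == len(lines) - 1
        if (m.group(1) == " ") != last:
            raise ValueError("bad continuation marker")
        parts.append(m.group(2).strip())
    return " ".join(parts)


def audit_banner(raw: str) -> dict:
    """Report which product names and version strings a greeting discloses."""
    text = parse_greeting(raw)
    # Drop the leading hostname so its labels are not mistaken for a version.
    _, _, rest = text.partition(" ")
    low = rest.lower()
    products = [p for p in PRODUCT_HINTS if p in low]
    versions = VERSION_RE.findall(rest)
    return {"products": products, "versions": versions,
            "discloses": bool(products or versions)}


# Constructed sample greetings (not captured from any real host).
VERBOSE = ("220 mail.example.com Microsoft ESMTP MAIL Service, "
           "Version: 6.0.3790.1830 ready at Mon, 1 Jan 2007 10:00:00 +0000\r\n")
MINIMAL = "220-mail.example.com ESMTP\r\n220 ready\r\n"

if __name__ == "__main__":
    for name, banner in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        print(name, audit_banner(banner))
```

A greeting that reports `discloses: True` identifies the mail platform regardless of what the OWA virtual directory is called, which is why renaming /exchange alone hides little.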

All you have to do is put a redirect so if you had www.whatever.com/exchange just change to www.whatever.com/webmail and then inside the webmail folder you could have a redirect to your exchange folder. That way you could apply NTFS security on the webmail folder and limit access that way. But I am not sure how you would close down the exchange folder so no one got to it if you are running this box out of a firewall.

ASKER

Ok, here's where we are so far ...

Created a certificate
Installed that on the Front End Server

Setup /exchange and /public to use SSL (128bit)

Setup ESM to use FBA with High compression.

Enter: http://www.frontlione.ltd.uk/exchange - receive message that need to use https (so far so good)
Enter: https://www.frontline.ltd.uk/exchange - receive Page not found error
So, tried using the internal IP address of the Front End Server, and still get the Page Not Found error.

Any ideas? What page actually holds the FBA Logon page - need to check it's there!

Ian

What authentication settings are you using?

ASKER

Integrated Windows and Basic

If I go to http://www.frontline.ltd.uk I get a totally blank page, as I should do (This is my page)
If I switch on SSL / FBA and go to https://www.frontline.ltd.uk I get the 'Page not found' error

Looks like a certificate or security problem.

Does anyone have a document on setting up OWA with SSL, FBA and a Front-End Server (i.e. what you set on each of the 2 boxes)?

Go back to basics first.
On the Exchange backend server itself, enter http://localhost and see what happens.
Then do the same with https if the SSL certificate is installed there.
Repeat with the frontend.

Simon.

ASKER

On the Backend ...
http://localhost - Page displays ok
https://localhost - The Page Cannot Be Displayed (SSL certificate isn't installed on the backend)

On the Front ...
http://localhost - Page displays ok
https://localhost - The Page Cannot Be Displayed

Ian

Change your security to Basic on the front end, and make sure you have enabled the SSL encryption.

ASKER

Done that - still the same

ASKER

FIXED IT !!!

Looks like the new certificate was faulty.
Set it back to the certificate that came with OWAAdmin, and then got 440 logon timeout error.

Set everyone to have READ permissions to the following and it now works:
\exchweb\bin
\exchweb\bin\auth
\exchweb\bin\auth\usa
\exchweb\bin\auth\usa\logon.asp

Finally ran IISRESET

Ian
Did you manage to get this working correctly?
If so, then you should close the question and award the points.
If you still need assistance then please post back so that the issue can be resolved.

Simon.