• Status: Solved

Setting up OWA and Security

Hello Everyone,
Well the boss has asked that he be able to access his e-mail, public calendar and public contacts from home.
I have been researching for a few hours now about Outlook Web Access. I have seen various concerns about security and setting up, so I thought I would ask:

1) What is the safest (not the hardest ;P) way to set up OWA on Exchange Server 2003?

2) I understand OWA gets installed when Exchange is installed; however, what steps do I need to do for access and functionality?

3) The OWA would be on our server; how would this affect security?

Thanks!
Jason
Asked:
JasonWinn
1 Solution
 
Sembee Commented:
OWA is installed and enabled by default.

To secure it, purchase an SSL certificate. I usually get mine from RapidSSL. One of their StarterSSL certificates is fine. Make sure that the name on the certificate is the name that you want to use to access it over the Internet. If you already have an external DNS record pointing to the Exchange server - for SMTP delivery/MX records for example, then you can use the same name.

To access it, enter the URL for the server followed by /exchange:

https://mail.domain.com/exchange

Finally on Exchange 2003 I would enable Forms Based Authentication. This adds an additional layer of security providing a cookie based logout and a graphical front end.
Once you have SSL installed, enable FBA through ESM.
Admin Groups, <your admin group>, Servers, <your server>, Protocols, HTTP. Right click on the Default entry and choose Properties. On the second tab you will find the option to enable FBA.

Simon.

JasonWinn (Author) Commented:
Hey Simon,
Currently we do have SSL, good to know that will be sufficient.
I have enabled FBA through ESM like you recommended.

I am having problems connecting at the moment though. Just for now I am typing in the Internet IP address, 192.168.1.2/exchange, and the SSL certificate pops up and I said yes.
After this I try to log in by:
domain\username
and password

I then receive a 404 error.

One thing I did notice which is odd: I thought with FBA I would see the graphical front end.

Any ideas?


JasonWinn (Author) Commented:
When I say the graphical front end I mean the first login screen; instead of getting the Outlook login screen it appears to just be a JavaScript-type looking login screen.

Jason
 
JasonWinn (Author) Commented:
About the errors I am receiving:
if using Firefox I receive a 404 error after trying to log in.
On IE, I receive:
http Error 401.1 - unauthorized: access is denied due to invalid credentials. IIS

o0JoeCool0o Commented:
Hmmm, make sure the account isn't locked out in AD and that the user and pass are correct. Also check the Authentication in the properties of the default site; make sure under authentication that Anonymous access is disabled and authentication is set to Integrated Windows authentication and Basic authentication.

Sembee Commented:
Check authentication on the Exchange virtual folders. Use IIS manager to check the following:

/exchange
/exchweb
/exadmin
/public

All should be integrated and basic ONLY.
/exchweb should also have anonymous permissions.

Simon.
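
The authentication settings listed in the answer above, written as an audit check (an added example, not part of the original thread). It assumes the `AuthFlags` value of each virtual directory has already been read from the IIS 6 metabase; the sample values are constructed.

```python
# Added example: audit IIS 6 AuthFlags against the settings in the answer above.
# IIS 6 metabase AuthFlags bits for a virtual directory.
NAMES = {0x01: "anonymous", 0x02: "basic", 0x04: "integrated",
         0x10: "digest", 0x40: "passport"}
BASIC_AND_INTEGRATED = 0x02 | 0x04

# Integrated and Basic only on every directory; /exchweb also allows
# Anonymous because it serves the logon form and its images.
EXPECTED = {
    "/exchange": BASIC_AND_INTEGRATED,
    "/exchweb": BASIC_AND_INTEGRATED | 0x01,
    "/exadmin": BASIC_AND_INTEGRATED,
    "/public": BASIC_AND_INTEGRATED,
}

def describe(flags):
    """Name the authentication methods set in a flag value."""
    names = [name for bit, name in NAMES.items() if flags & bit]
    unknown = flags & ~sum(NAMES)
    if unknown:
        names.append(hex(unknown))
    return ", ".join(names)

def audit(observed):
    """Return (vdir, problem) pairs where observed differs from EXPECTED."""
    # IIS paths are case-insensitive, so /ExchWeb and /exchweb are the same.
    observed = {path.lower(): flags for path, flags in observed.items()}
    findings = []
    for vdir, want in EXPECTED.items():
        if vdir not in observed:
            findings.append((vdir, "no value supplied"))
            continue
        have = observed[vdir]
        if have & ~want:
            findings.append((vdir, "unexpected: " + describe(have & ~want)))
        if want & ~have:
            findings.append((vdir, "not enabled: " + describe(want & ~have)))
    return findings

# Constructed sample values, not taken from the thread.
SAMPLE = {"/Exchange": 0x07, "/ExchWeb": 0x06, "/Exadmin": 0x06, "/Public": 0x16}

if __name__ == "__main__":
    for vdir, problem in audit(SAMPLE):
        print(f"{vdir}: {problem}")
```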

JasonWinn (Author) Commented:
Simon, I will go ahead and reward you the points.

On IIS, where are /exchange, /exchweb, /exadmin and /public located?


JasonWinn (Author) Commented:
JoeCool-
If I disable anonymous login, then every time someone would want to go to our website, wouldn't they have to log in to the network just to visit the website?
There must be a way to disable anonymous login on /exchweb without disabling it on the default website, right?

Jason

o0JoeCool0o Commented:
You are absolutely right, disabling anonymous access will not let anyone external connect; you can set it individually on each site. But ExchWeb must have anonymous access. I'm not sure why I said to disable it, I think I read over the question too fast.. my bad.. :)

Sembee Commented:
The Exchange virtual directories are in IIS Manager - that is where you adjust them.

/exchweb needs to be anonymous as it holds the generic components of OWA. If you are using Forms Based Authentication then this is where the form and the images are held. If you don't have anonymous access to that folder then you will have to authenticate before using that form - which defeats the entire point of it.

Don't worry about it being a security risk, it doesn't hold any of your internal data.

Simon.

JasonWinn (Author) Commented:
No problem Joe :P
Where is exchweb located in IIS to give it anonymous access?

o0JoeCool0o Commented:
Under the default site there should be a virtual directory called ExchWeb; then you just go to Directory Security and click Authentication.

JasonWinn (Author) Commented:
Very Odd,
I just checked all of the above features,
all are set to integrated and basic authentication.

JasonWinn (Author) Commented:
The fact that I am still not getting the graphic login screen, would this be a clue to anything?
Also, it does not load if I type in companywebsiteaddress.com/exchange, but it does work if I do 192.168.1.2/exchange

JasonWinn (Author) Commented:
Update:
Tried going to 192.168.1.2/exchange/logon.asp
and it says I am blocked by the administrator.
