Configuring Exchange 2003 Webmail to use SSL

My client is running Exchange 2003 on Windows 2003 Server, and they use the Webmail function to check their e-mail from home. They are a financial institute, and I would like to secure the connection to the Exchange webmail. Would it be best for me to use SSL, and how do I set it up?

Thank you for a great site.
Leon Janse van Rensburg
SSL is certainly the least you should do, but if you open the port directly on to your internal mail server, you are exposing an internal service directly to the internet. Attacks can be made using SSL - for instance password attacks.

A more secure implementation would be to have a proper firewall, be it PIX, WatchGuard, ISA etc., with a DMZ. You can then set up an HTTP proxy in the DMZ. This way attacks are not made directly on the internal network. You could also use an Exchange server configured as a front end server in the DMZ.

Assuming this is overkill or you do not have the resources, you just need to open port 443 (HTTPS) to your Exchange server, and configure a certificate on the server. To do this you can either buy a proper certificate, from Verisign for instance, or just create your own.

To do that, for free, install the Certificate Services Windows component, choose Enterprise Root CA, and then give it a name, for instance the company name.

Then you can go to the default website in IIS, and go to Security, then Server Certificate. Choose to create one and send it to an online authority. Fill out the details, and it will submit it to your local CA, which should then install it.

Make sure the site is listening on 443 and away you go!

Whatever you do do not let them use HTTP!
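A check for the setup described in this answer, added here and not part of the thread: it connects to the OWA host on 443 with the same certificate verification a browser applies (so a home-grown CA the client PCs do not trust shows up as a failure), then checks whether plain HTTP is still being served. The host name is a placeholder; the `/exchange` path is the default OWA virtual directory.

```python
import socket
import ssl
from datetime import datetime, timezone

# Hypothetical public name for the OWA site; it must match the certificate's subject.
OWA_HOST = "owa.example.com"

def probe_tls(host, port=443, timeout=5.0):
    """Connect with the chain and host-name verification a browser applies.
    Returns (ok, detail); ok is False for an untrusted chain, a name mismatch,
    an expired certificate, or nothing listening on the port."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return False, "certificate would warn the user: %s" % e.verify_message
    except (OSError, ssl.SSLError) as e:
        return False, "no usable TLS on %s:%d: %s" % (host, port, e)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return True, "trusted certificate for %s, expires %s" % (host, expires.date())

def probe_plain_http(host, port=80, timeout=5.0):
    """Return 'closed', 'redirects' (to https) or 'open' (serves content over HTTP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET /exchange HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            head = s.recv(2048).decode("latin-1")
    except OSError:
        return "closed"
    status = head.split("\r\n", 1)[0].split()
    if len(status) > 1 and status[1] in ("301", "302", "307", "308") \
            and "location: https://" in head.lower():
        return "redirects"
    return "open"

def assess(tls_ok, http_state):
    """Apply the answer's two rules: OWA on 443 with a silently accepted certificate, and no plain HTTP."""
    findings = []
    if not tls_ok:
        findings.append("FAIL: HTTPS unusable or the certificate triggers a browser warning")
    if http_state == "open":
        findings.append("FAIL: OWA is reachable over plain HTTP; remove the port 80 binding")
    elif http_state == "redirects":
        findings.append("WARN: port 80 only redirects, but closing it is cleaner")
    return findings or ["PASS: HTTPS only, trusted certificate"]

if __name__ == "__main__":
    ok, detail = probe_tls(OWA_HOST)
    print(detail, *assess(ok, probe_plain_http(OWA_HOST)), sep="\n")
```

Run it from a machine outside the network, since the point is what a home user's browser would see.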

hsclater - How does having an Exchange server of any kind in the DMZ increase security?

Please tell me as I would love to know. People keep suggesting that, but are unable to come up with how it increases security.

How does making all the changes to Exchange to use static ports instead of dynamic ports, then punching lots of holes through a firewall from the DMZ to the live production server improve security? Why is that better than having a single port open straight to the production network over SSL?

By all means have an HTTP proxy server in the DMZ, but this needs to be a member of a workgroup or a special DMZ domain - not a member of the production domain.

As this is a financial institution I would also recommend AGAINST using a home grown certificate. The users should be trained to recognise a security warning in the browser as they will be a target. Use a purchased certificate, a StarterSSL from RapidSSL will be fine. This will ensure that there are no security warning messages and the users can be told that if they get a warning when accessing what they think is OWA they should report it.

If this is a finance house you may want to consider using an SSL appliance or something like that. Depending on how concerned over security they are, the decision may be made not to allow external OWA access.

Exchange MVP.
leonjvreAuthor Commented:
Hi Guys
We do have a Linux server in its own separate domain as a firewall. It's routing the Exchange traffic to the Exchange server. With this in mind, what would be my best solution? SSL certificate, and just set it up?

I would just go with the SSL certificate and pass the traffic straight through.

Sembee - you are quite right about the exchange server in a DMZ - I take it back. No need to be quite so aggressive here though.

However, I think that having a server that anyone can directly authenticate against is too big a risk for any kind of sensitive information. A VPN into the office with a RADIUS server, and Outlook 2003 in cached mode for instance, would provide both security and ease of access. Since they are using it at home, they can have the VPN set up on home PCs, and any laptops.

hsclater - sorry if I came across so aggressive. The Exchange in a DMZ comes up so often on this site and yet when I challenge anyone to tell me how it improves security no one comes up with a reason. There seems to have been a brainwashing that the DMZ is more secure - which is not always the case.

VPN on a machine that you can control is the most secure solution.
However, VPN on a machine out of your control can be worse. A number of companies - including Microsoft - have been compromised in the past by someone coming in over a VPN connection. If you could lock down that VPN configuration so that even after connecting the port access is limited to just 443, then you would have a pretty good solution. Combine the VPN authentication with some kind of dynamic password (SecurID etc.) and a potential attacker has to get round the VPN authentication, then the authentication to OWA. I also think that a dual authentication of that type would be acceptable to the users as it is nice and straightforward - dynamic number, then their familiar user name and password.
