leonjvre

Configuring Exchange 2003 Webmail to use SSL

Hi.
My client is running Exchange 2003 on Windows 2003 Server, and they use the Webmail function to check their e-mail from home. They are a financial institute, and I would like to secure the connection to the Exchange webmail. Would it be best for me to use SSL, and how do I set it up?

Thank you for a great site.
Leon Janse van Rensburg
ASKER CERTIFIED SOLUTION
hsclater
(answer text not available on this page)
hsclater - How does having an Exchange server of any kind in the DMZ increase security?

Please tell me as I would love to know. People keep suggesting that, but are unable to come up with how it increases security.

How does making all the changes to Exchange to use static ports instead of dynamic ports, then punching lots of holes through a firewall from the DMZ to the live production server improve security? Why is that better than having a single port open straight to the production network over SSL?

By all means have an HTTP proxy server in the DMZ, but this needs to be a member of a workgroup or a special DMZ domain - not a member of the production domain.

As this is a financial institution I would also recommend AGAINST using a home-grown certificate. The users should be trained to recognise a security warning in the browser as they will be a target. Use a purchased certificate, a StarterSSL from RapidSSL will be fine. This will ensure that there are no security warning messages and the users can be told that if they get a warning when accessing what they think is OWA they should report it.

If this is a finance house you may want to consider using an SSL appliance or something like that. Depending on how concerned over security they are, the decision may be made not to allow external OWA access.

Simon.
Exchange MVP.
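An added example for this page, not code from any poster, showing what Simon's "no security warning" point means in practice: the two checks a user's browser makes against the OWA certificate (does the chain build to a root the client already trusts, and does the name in the certificate match the name the user typed) run with openssl against throwaway certificates generated on the spot. owa.example.com, mail.example.com and "Example Issuing CA" are assumed names; the private CA stands in for the commercial CA, whose root the browsers already carry, and the self-signed certificate is the "home-grown" case Simon warns against.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the browser's trust check
# against an OWA certificate. owa.example.com / mail.example.com / "Example
# Issuing CA" are assumed names; every certificate here is generated locally.

OWA_HOST=owa.example.com
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Request/extension config for the OWA host: used both for the self-signed
# certificate and for the CSR that goes to the CA.
cat > "$WORK/srv.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = srv_ext
req_extensions = srv_ext
[dn]
CN = $OWA_HOST
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$OWA_HOST
EOF

# Case 1: home-grown, self-signed certificate (the one to avoid).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/srv.cnf" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# Case 2: a private CA standing in for the commercial CA ...
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Issuing CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# ... and the certificate it issues from a CSR for the OWA host (the CSR is
# what you would actually submit to RapidSSL or any other CA).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/srv.cnf" \
  -keyout "$WORK/owa.key" -out "$WORK/owa.csr" 2>/dev/null
openssl x509 -req -in "$WORK/owa.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -extfile "$WORK/srv.cnf" -extensions srv_ext \
  -out "$WORK/owa.pem" 2>/dev/null

# owa_cert_status CERT HOSTNAME [CAFILE]
# Prints "trusted" only when the chain verifies against CAFILE (or, without
# CAFILE, the system trust store, as a browser would) AND the hostname the
# user typed matches the certificate's SAN/CN; otherwise "untrusted".
owa_cert_status() {
  cert=$1; host=$2; cafile=${3:-}
  if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set --; fi
  if openssl verify "$@" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "self-signed, system trust store, right name: $(owa_cert_status "$WORK/self.pem" "$OWA_HOST")"
echo "self-signed, our CA file, right name:        $(owa_cert_status "$WORK/self.pem" "$OWA_HOST" "$WORK/ca.pem")"
echo "CA-issued, our CA file, right name:          $(owa_cert_status "$WORK/owa.pem" "$OWA_HOST" "$WORK/ca.pem")"
echo "CA-issued, our CA file, wrong name:          $(owa_cert_status "$WORK/owa.pem" mail.example.com "$WORK/ca.pem")"
```

The two "untrusted" self-signed lines are exactly the situations that produce the browser warning users would then have to be taught to click through, which is why a purchased certificate is the cheaper option for a bank; the last line shows that even a purchased certificate warns if the name users type (or a DNS alias) is not the one on the certificate, so request it for the exact external hostname. On Exchange 2003 the certificate itself is installed on the IIS 6 Default Web Site (Directory Security tab, Server Certificate wizard) and "Require secure channel (SSL)" is then set there so OWA stops answering on plain HTTP; that step is general IIS 6 practice, not from this thread.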
leonjvre (ASKER)
Hi Guys
We do have a Linux server in its own separate domain as a firewall. It's routing the Exchange traffic to the Exchange server. With this in mind, what would be my best solution? SSL certificate, and just set it up?
Thanks
Leon
I would just go with the SSL certificate and pass the traffic straight through.

Simon.
Sembee - you are quite right about the exchange server in a DMZ - I take it back. No need to be quite so aggressive here though.

However, I think that having a server that anyone can directly authenticate against is too big a risk for any kind of sensitive information. A VPN into the office with a RADIUS server, and Outlook 2003 in cached mode, for instance, would provide both security and ease of access. Since they are using it at home, they can have the VPN set up on home PCs, and any laptops.

hsclater - sorry if I came across so aggressive. The Exchange in a DMZ comes up so often on this site and yet when I challenge anyone to tell me how it improves security no one comes up with a reason. There seems to have been a brainwashing that the DMZ is more secure - which is not always the case.

VPN on a machine that you can control is the most secure solution.
However VPN on a machine out of your control can be worse. A number of companies - including Microsoft - have been compromised in the past by someone coming in over a VPN connection. If you could lock down that VPN configuration so that even after connecting the port access is limited to just 443 then you would have a pretty good solution. Combine the VPN authentication with some kind of dynamic password (SecurID etc) then a potential attacker has to get round the VPN authentication, then the authentication to OWA. I also think that a dual authentication of that type would be acceptable to the users as it is nice and straightforward - dynamic number, then their familiar user name and password.

Simon.
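An added check for the Linux firewall Leon describes, covering both Simon's "single port open straight to the production network over SSL" and his later point that access after a VPN connects should be limited to just 443: example code written for this page, not from any poster. It audits an iptables-save dump for anything DNAT'd or forwarded to the Exchange server other than TCP 443. Both rule dumps are constructed, and 192.168.10.5 is an assumed address for the Exchange server; run it against real `iptables-save` output on the firewall to get a real answer.

```shell
#!/bin/sh
# Added example for this page, not code from any poster. Audits an
# iptables-save dump for TCP ports other than 443 that reach the Exchange
# server. EXCHANGE_IP is an assumed address; both dumps are constructed.

EXCHANGE_IP=192.168.10.5

# Constructed dump: 443 is passed through, but so are 80 and the RPC
# endpoint mapper (135), i.e. the "lots of holes" configuration.
LEAKY_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.5:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.5:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 135 -j DNAT --to-destination 192.168.10.5:135
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.5/32 -p tcp -m tcp --dport 135 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed dump: only 443 reaches the server; replies are allowed back out.
TIGHT_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.5:443
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# exposed_ports IP < dump
# Every --dport on a PREROUTING or FORWARD rule that names the server,
# one per line, numerically sorted and de-duplicated.
exposed_ports() {
  awk -v host="$1" '
    /^-A (PREROUTING|FORWARD) / && index($0, host) > 0 {
      for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }' | sort -un
}

# extra_ports IP < dump: the exposed ports other than 443, space separated
extra_ports() {
  exposed_ports "$1" | grep -vx 443 | tr '\n' ' ' | sed 's/ $//'
}

# audit_exchange_exposure IP < dump
# Prints a verdict; returns 1 if anything besides TCP 443 reaches the server.
audit_exchange_exposure() {
  extra=$(extra_ports "$1")
  if [ -n "$extra" ]; then
    echo "WARNING: TCP ports other than 443 reach $1: $extra"
    return 1
  fi
  echo "OK: only TCP 443 reaches $1"
}

printf '%s\n' "$LEAKY_RULES" | audit_exchange_exposure "$EXCHANGE_IP" || :
printf '%s\n' "$TIGHT_RULES" | audit_exchange_exposure "$EXCHANGE_IP"
```

If port 80 is kept open on purpose so that users who type the address without https are redirected, the audit will flag it; that is fine as long as IIS only redirects on 80 and never serves OWA on it. The match on the address is a plain substring, so pick an address that is not a prefix of another host's.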