Configuring Exchange 2003 Webmail to use SSL

Posted on 2005-04-18
Last Modified: 2008-03-10
My client is running Exchange 2003 on Windows 2003 Server, and they use the Webmail function to check their E-mail from home. They are a financial institute, and I would like to secure the connection to the Exchange webmail. Would it be best for me to use SSL, and how do I set it up?

Thank you for a great site.
Leon Janse van Rensburg
Question by:leonjvre
    LVL 4

    Accepted Solution

    SSL is certainly the least you should do, but if you open the port directly on to your internal mail server, you are exposing an internal service directly to the internet. Attacks can be made using SSL - for instance password attacks.

    A more secure implementation would be to have a proper firewall, be it PIX, WatchGuard, ISA etc, with a DMZ. You can then set up an HTTP proxy in the DMZ. This way attacks are not made directly on the internal network. You could also use an Exchange server configured as a front end server in the DMZ.

    Assuming this is overkill or you do not have the resources, you just need to open port 443 (HTTPS) to your Exchange server, and configure a certificate on the server. To do this you can either buy a proper certificate, from Verisign for instance, or just create your own.

    To do that, for free, install the Certificate Services Windows component, and choose Enterprise Root CA, and then give it a name, for instance the company name.

    Then you can go to the default website in IIS, and go to Security, then Server Certificate. Choose to create one and send it to an online authority. Fill out the details, and it will submit it to your local CA, and then should install it.

    Make sure the site is listening on 443 and away you go!

    Whatever you do, do not let them use HTTP!

    LVL 104

    Expert Comment

    hsclater - How does having an Exchange server of any kind in the DMZ increase security?

    Please tell me as I would love to know. People keep suggesting that, but are unable to come up with how it increases security.

    How does making all the changes to Exchange to use static ports instead of dynamic ports, then punching lots of holes through a firewall from the DMZ to the live production server improve security? Why is that better than having a single port open straight to the production network over SSL?

    By all means have a HTTP proxy server in the DMZ, but this needs to be a member of a workgroup or a special DMZ domain - not a member of the production domain.

    As this is a financial institution I would also recommend AGAINST using a home grown certificate. The users should be trained to recognise a security warning in the browser as they will be a target. Use a purchased certificate, a StarterSSL from RapidSSL will be fine. This will ensure that there are no security warning messages and the users can be told that if they get a warning when accessing what they think is OWA they should report it.

    If this is a finance house you may want to consider using an SSL appliance or something like that. Depending on how concerned over security they are, the decision may be made not to allow external OWA access.

    Exchange MVP.
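The accepted solution ends with "make sure the site is listening on 443", and the comment above adds that a home-grown certificate will produce browser warnings. Here is an added check for both points, written for this thread rather than taken from it: it fetches the OWA listener's certificate with full chain validation and reports name mismatch, expiry and self-signed issuance. The host name webmail.example.com and the SELF_SIGNED_SAMPLE dict are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns;
# subject == issuer models a home-grown self-signed certificate.
SELF_SIGNED_SAMPLE = {
    "subject": ((("commonName", "webmail.example.com"),),),
    "issuer": ((("commonName", "webmail.example.com"),),),
    "subjectAltName": (("DNS", "webmail.example.com"),),
    "notAfter": "Mar 10 23:59:59 2008 GMT",
}

def fetch_cert(host, port=443, timeout=5):
    """Fetch the OWA certificate with full chain validation; a private Enterprise
    Root CA the client does not trust raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _names(cert):
    """DNS names the certificate is valid for: SAN entries plus subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names

def _matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # single-label wildcard only
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def assess_cert(cert, host, now=None):
    """Return a list of findings; an empty list means the certificate is fine."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not any(_matches(n, host) for n in _names(cert)):
        findings.append("name mismatch: certificate is not issued for " + host)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after <= now:
        findings.append("expired on " + cert["notAfter"])
    elif (not_after - now).days < 30:
        findings.append("expires within 30 days: " + cert["notAfter"])
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed: no CA behind it, every client will warn")
    return findings
```

Against a live server, `assess_cert(fetch_cert(host), host)` gives the findings; if `fetch_cert` itself raises `SSLCertVerificationError`, the issuing CA is not in the client's trust store, which is the warning the users would see.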

    Author Comment

    Hi Guys
    We do have a Linux Server in its own separate domain as a firewall. It's routing the Exchange traffic to the Exchange server. With this in mind, what would be my best solution? SSL certificate, and just set it up?
    LVL 104

    Expert Comment

    I would just go with the SSL certificate and pass the traffic straight through.

    LVL 4

    Expert Comment

    Sembee - you are quite right about the exchange server in a DMZ - I take it back. No need to be quite so aggressive here though.

    However, I think that having a server that anyone can directly authenticate against is too big a risk for any kind of sensitive information. A VPN into the office with a Radius server, and Outlook 2003 in cached mode for instance, would provide both security and ease of access. Since they are using it at home, they can have the VPN set up on home PCs, and any laptops.

    LVL 104

    Expert Comment

    hsclater - sorry if I came across so aggressive. The Exchange in a DMZ comes up so often on this site and yet when I challenge anyone to tell me how it improves security no one comes up with a reason. There seems to have been a brainwashing that the DMZ is more secure - which is not always the case.

    VPN on a machine that you can control is the most secure solution.
    However VPN on a machine out of your control can be worse. A number of companies - including Microsoft - have been compromised in the past by someone coming in over a VPN connection. If you could lock down that VPN configuration so that even after connecting the port access is limited to just 443 then you would have a pretty good solution. Combine the VPN authentication with some kind of dynamic password (SecureID etc) then a potential attacker has to get round the VPN authentication, then the authentication to OWA. I also think that a dual authentication of that type would be acceptable to the users as it is nice and straightforward - dynamic number, then their familiar user name and password.
