TANGLAD

asked on

Do I need an Exchange frontend and can I live without ISA?

Users want some kind of remote mail access. Have a D-Link DFL200 firewall with a DMZ port. A Win2k3 server is placed in DMZ and acts as Web/Ftp server. On the LAN we have a Win2k3 Exchange server.

Everything works fine.

How can I implement some kind of remote mail-access? OWA? HTTPS? RPC?
I'm a complete beginner in OWA, HTTPS and RPC, so I need some step-by-step advice.

I have never used ISA so I would prefer a solution without ISA.

Do I have to install Exchange/OWA on the Web server in the DMZ, or is it possible to make a secure solution against the Exchange server on the LAN? OWA works fine on the Exchange backend server for LAN users.
SOLUTION
Busbar
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
TANGLAD

ASKER

Thanks. Maybe a stupid question, but do I have to configure SSL on the Exchange server or on the Web server in DMZ?

No, but this is for additional security. It is a recommended action on the web server that is accessed for OWA.

you can get a free certificate and install instructions for SSL on http://www.startcom.org
TANGLAD

ASKER

First: I think I will start getting SSL on OWA working. I will try this one:
SSL Enabling OWA 2003 using your own Certificate Authority
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

Second: I will try this one:
Using Outlook 2003 to connect to Exchange 2003 using RPC over HTTPS
http://www.msexchange.org/tutorials/Outlook_2003_Connect_Exchange_2003.html

Then I think I only need to create the firewall rule. Do you have any hints for me regarding the firewall rule?

SOLUTION
This solution is only available to members.
TANGLAD

ASKER

OK, I will go for that, Simon. Thanks. I will be back on this next week.
TANGLAD

ASKER

Hi again,

Have got a certificate from (http://www.certificatesforexchange.com).

Then I follow their guide below:
But I'm not sure about the Common Name.

www.mycompany.com goes to the webserver in DMZ
I have done a port forward in the firewall for HTTPS to go to my Exchange server.

If I use a common name of www.mycompany.com what will then happen to my website on the DMZ webserver?
Actually I want remote users to browse to https://webmail.mycompany.com and be directed to the OWA on the exchange server

Does that mean that my Common Name is webmail.mycompany.com?

---------------------------------------------------------------------------------------
Follow the below instructions to generate a CSR for your Web site. When you have completed generating your CSR, cut/copy and paste it into the CSR field on the SSL certificate-request page.

CSR-Generation Instructions

To Generate and Submit the Certificate Signing Request (CSR):
Please note that you must have at least Service Pack 1 installed before generating a CSR.

Open the "Administrative Tools" menu (right click on "My Computer"; select "Manage" or "Control Panel"; select "Administrative Tools.")
Select "Internet Information Services"
Select the computer and Web site (host) that you wish to secure. Right mouse-click to select Properties.
Click the "Directory Security" tab.
Click the "Server Certificate..." button (located in the "Secure communications" area)
Click "Next" in the Welcome to the "Web Server Certificate Wizard" window.
Select "Create a new certificate"; then click "Next."
Select "Prepare the request now, but send it later" and click "Next."
In the "Name and Security Settings" window, fill in the name field for the new certificate; then select the bit length (1,024 or higher). Click Next.
Enter your Distinguished Name field information. The following characters cannot be accepted:
< > ~ ! @ # $ % ^ * / \ ( ) ?&.
This includes commas.
Distinguished Name Fields:

Organization: The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in the "Organization" field, and the DBA (doing business as) name in the "Organizational Unit" field.
Organizational Unit: Optional. Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.
Common Name: The Common Name is the fully-qualified domain name - or URL - for which you plan to use your certificate, e.g., the area of your site you wish customers to connect to using SSL. For example, an SSL certificate issued for "www.yourcompanyname.com" will not be valid for "secure.yourcompanyname.com." If the Web address to be used for SSL is "secure.yourcompanyname.com," ensure that the common name submitted in the CSR is "secure.yourcompanyname.com."

If you are requesting a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., "*.domainnamegoes.com" or "www*.domainnamegoeshere.com"). This will secure all subdomains of the Common Name.
Country: The two-letter International Organization for Standardization- (ISO-) format country code for the country in which your organization is legally registered.
State/Province: Name of state or province where your organization is located. Please enter the full name. Do not abbreviate.
City/Locality: Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.
Enter your Administrator contact information.
Enter a path and file name for the CSR.
Verify the information in the request and click "Next."
On the "Completing the Web Server" screen, click "Finish."
Open the generated CSR file; then, using a plain-text editor, such as Windows Notepad, copy and paste the CSR into our online enrollment form.
TANGLAD

ASKER

Tried getting a certificate from http://www.certificatesforexchange.com. Two days have gone and the certificate status is still Pending and a Whois lookup is being performed. Why does it take so long? Is it a problem that it is a Danish domain, webmail.mycompany.dk? Do I have to request the certificate from a Danish certificate authority?

Another question: In DNS I have made an alias "webmail" and want the certificate to apply to webmail.mycompany.dk.
Will that work? My idea is that when a user browses to https://webmail.mycompany.dk the firewall forwards the request to the Exchange server, and when a user browses to www.mycompany.dk the firewall forwards to the web server in the DMZ.

Hope you guys can help. I'm confused.
Map port 80 in the firewall to your web server and port 443 to your Exchange server to fix that :)

I don't know about certificatesforexchange, never used it...
Some of the certificate issuers have problems with certain domain name registrars because the information they use to verify the domain is not made publicly available in all circumstances. I have problems with some .co.uk domains for the same reason. You need to call them or log a support call and they will tell you what you need.

With regards to the certificate name itself, when creating the request you get asked about "common name". This is the name that the users will be entering in to their browser.
Therefore if you want webmail.domain.dk to be the host address that your end users enter in to their web browsers that is the common name that you need to enter.
No https, or / anything, just webmail.domain.dk

You are not requesting a wildcard certificate so you can ignore the * part.

Simon.
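The naming and routing rules from the replies above, as an added example that is not part of the original thread: it reduces whatever a user types in the browser to the bare host name that belongs in the CSR's Common Name, matches a Common Name (plain or wildcard) against that host the way a browser does, and models the port-based forwarding (80 to the DMZ web server, 443 to Exchange). The forwarding table and the destination labels are constructed assumptions, not anything from the asker's firewall.

```python
from urllib.parse import urlsplit

# Constructed forwarding table: the firewall forwards by port only, so both
# host names resolve to the same public IP (assumption for this example).
FORWARD_BY_PORT = {80: "dmz-webserver", 443: "lan-exchange-owa"}


def host_from_user_input(text):
    """Reduce what a user types to the bare host name for the CSR Common Name:
    no scheme, no port, no path, lower-cased ('https://WebMail.x.dk/' -> 'webmail.x.dk')."""
    t = text.strip()
    if "://" not in t:
        t = "//" + t  # let urlsplit treat a bare name as the network location
    return (urlsplit(t).hostname or "").lower()


def cn_matches(common_name, host):
    """Browser-style match of a certificate Common Name against a host name.
    A wildcard covers exactly one label on the left: '*.mycompany.dk' covers
    'webmail.mycompany.dk' but not 'mycompany.dk' or 'a.b.mycompany.dk'."""
    cn, host = common_name.lower(), host.lower()
    if not cn.startswith("*."):
        return cn == host  # 'www.mycompany.dk' is NOT valid for 'webmail.mycompany.dk'
    suffix = cn[1:]  # '.mycompany.dk'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def route(url, cert_common_name):
    """Where the port-forwarding firewall sends the request, and whether the
    certificate on that destination is valid for the host the user typed
    (None for plain http, where no certificate is checked)."""
    parts = urlsplit(url)
    host = host_from_user_input(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    cert_ok = cn_matches(cert_common_name, host) if parts.scheme == "https" else None
    return {"host": host, "port": port,
            "destination": FORWARD_BY_PORT.get(port), "cert_ok": cert_ok}


if __name__ == "__main__":
    print(route("https://webmail.mycompany.dk/exchange", "webmail.mycompany.dk"))
    print(route("https://webmail.mycompany.dk/exchange", "www.mycompany.dk"))
    print(route("http://www.mycompany.dk/", "webmail.mycompany.dk"))
```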
TANGLAD

ASKER

Thanks everyone. Now OWA/HTTPS and RPC over HTTPS work great with a self-made certificate. Now I just need to get a purchased certificate to work.