
OWA SSL

etonnemacher asked
Last Modified: 2012-06-27
I need to set up OWA on Server 2003 using Exchange 2003 using SSL - I don't remember this being so hard but I can't seem to do it on this platform - Is there a "start here" rule of thumb for doing this? - My goal is for the web users to access web mail using https://mail.domain.com - thanks

Commented:
Where are you getting stuck? Does non-SSL webmail work if you go to http://mail.domain.com?

Are you trying to access this from the internal network for testing? Or are you trying to access it externally over the network?

The first thing I would do would be to test it internally and work on being able to access it via IP to eliminate DNS issues.
https://exchangerserveripaddress/exchange

Does that work?
Commented:
Without knowing how you are approaching SSL certificates (your own cert authority or 3rd party) I found a few links which cover the topic:

Set up OWA using SSL certs from your own cert authority:  http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
Using a free cert from a 3rd party:  http://www.msexchange.org/tutorials/SSL-Enabling-OWA-2003-Using-Free-3rdParty-Certificate.html

...this should at least get you going in the right direction!

Commented:
The following will enable you to set up OWA over SSL for free

Assuming the URL for your OWA server is called webmail.123.co.uk and that the default website is set up for OWA

Download the IIS Resource Kit.  You can generate a secure certificate using selfssl.
Open a command prompt and go to the install location for selfssl, usually c:\program files\IIS Resources\selfssl

selfssl  /T /N:cn=webmail.123.co.uk /V:365

This creates a certificate for webmail.123.co.uk, sets the lifetime to 365 days, adds it to the trusted
certificate store and installs it in the default website

Next, go to your OWA server and create a new file under c:\inetpub\wwwroot (assuming you are using default location) called index.htm

Add the following code

<html>
<head>
<title>123.co.uk Webmail Service</title>
<meta http-equiv="refresh" content="2; URL=https://webmail.123.co.uk/exchange">
<meta name="keywords" content="automatic redirection">
</head>
<body>
Your browser should automatically redirect you in 2 seconds.  If not click <a href="https://webmail.123.co.uk/exchange">here</a>
</body>
</html>

Change the default document for your default website to index.htm

Open the properties of the Exchange folder under your default website, go to directory security and make sure SSL is required and set to 128-bit

Now, users navigating to your OWA server will automatically be directed to the secure page.

If you want to make it even better, enable forms-based authentication.  Go to Exchange System Manager, expand your administrative group, expand your Front End Server, expand Protocols, expand HTTP and bring up the properties of Default HTTP Virtual Server.  Under Settings, tick Enable Forms Based Authentication.

To make it better still, you can modify the logon page to automatically provide your domain name.  Find the following section in the logon.asp file under program files\exchsrvr\exchweb\bin\auth\usa\logon.asp and replace XXXXX with your domain name

return true;
}
logonForm.username.value = "XXXXX\\" + logonForm.username.value;
  return false;
}
//-->
</script>
<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST" name="logonForm" autocomplete="off" onsubmit="logonForm_onsubmit()">
      <% Else %>
      <BODY scroll="AUTO" bgColor="#FFFFFF" text="#000000" onload="setFocus()">
            <script Language=javascript>
  <!--
function logonForm_onsubmit()
{
if (logonForm.username.value.indexOf("@") !=-1)
{
return true;
}
logonForm.username.value = "XXXXX\\" + logonForm.username.value;
  return false;
}
//-->
</script>

The above should make for a slick OWA setup.

WARNING: users will get a certificate warning when they hit the OWA logon page because your certificate is not from a trusted authority.  You still get the encryption benefits, however.
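
An added example, not part of the original answer: a small Python check that every URL in the redirect page (the meta refresh target and the fallback link) uses https and points at the host name the certificate was issued for, so users are not sent to a name that fails certificate matching. The function and class names and both sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class RedirectTargets(HTMLParser):
    """Collect every URL the redirect page can send a browser to."""
    def __init__(self):
        super().__init__()
        self.targets = []  # list of (source, url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "2; URL=https://host/path"
            _, _, rest = a.get("content", "").partition(";")
            key, _, url = rest.strip().partition("=")
            if key.strip().lower() == "url":
                self.targets.append(("meta refresh", url.strip().strip("'\"")))
        elif tag == "a" and a.get("href"):
            self.targets.append(("fallback link", a["href"].strip()))

def audit_redirect_page(html, expected_host, expected_path="/exchange"):
    """Return a list of findings; an empty list means the page is consistent."""
    parser = RedirectTargets()
    parser.feed(html)
    findings = []
    if not any(src == "meta refresh" for src, _ in parser.targets):
        findings.append("no meta refresh target found")
    for src, url in parser.targets:
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append(f"{src}: not https ({url})")
        if (parts.hostname or "") != expected_host.lower():
            findings.append(f"{src}: host {parts.hostname!r} != {expected_host!r}")
        if parts.path.rstrip("/").lower() != expected_path:
            findings.append(f"{src}: unexpected path {parts.path!r}")
    return findings

# Constructed sample pages (not taken from a real server).
GOOD = """<html><head>
<meta http-equiv="refresh" content="2; URL=https://webmail.123.co.uk/exchange">
</head><body><a href="https://webmail.123.co.uk/exchange">here</a></body></html>"""
BAD = """<html><head>
<meta http-equiv="refresh" content="2; URL=http://webmail.123.co.uk/exchange">
</head><body><a href="https://webmail.example.invalid/exchange">here</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_redirect_page(page, "webmail.123.co.uk") or "ok")
```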

Author

Commented:
Hi Guys - sorry it took so long for me to get back with you - long story short, I've been tasked with securing a network that is pretty wide open - The SSL was my first step and successful thanks to your comments - Hstiles, I tried yours and screwed it up! Sorry but it did give me some good pointers! The biggest problem was that they were approaching IIS as a website provider and not a stand-alone company. I moved everything under the "default" website and locked it down

Thanks for all your help!
