Securing Outlook Web Access using SSL
Securing Your Outlook Web Access 2000 Implementation Using SSL
Outlook Web Access (OWA) has become a very important part of Exchange. Many companies have implemented OWA to allow their users the ability to access their mail from pretty much anywhere. For more information on OWA take a look at Will Schmied’s excellent article on OWA at http://www.msexchange.org/pages/articles.asp?art=325
What we are going to look at in this article is how to make your OWA implementation more secure by using Secure Socket Layers (SSL). We are going to use InstantSSL (http://www.instantssl.com/) as the third-party trusted organization. You could create your own certificate using Microsoft Certificate Server.
InstantSSL offers many different packages that range in price and complexity. Check out their web site for the latest prices and offerings.
1. Using the Internet Services Manager.
2. Right click on the website that is hosting your OWA component (this is by default the “Default Web Site”) and open its properties.
3. Select the “Directory Security” tab and then click on “Server Certificates”. The “Web Server Certificates Wizard” will now be displayed, click Next.
4. On the “Server Certificate” dialogue box (below), we are going to select “Create a new certificate”, click Next.
5. In the “Delayed or Immediate Request” dialogue box (below), we will select “Prepare the request now, but send it later”, this is because we will be sending the certificate request to a third-party to process, in our case InstantSSL, click Next.
6. We are now presented with the “Name and Security Settings” dialogue box (below). Give our new certificate a name and also select the level of security we would like to use (it is not recommended that you go over 1024 as this will have an adverse effect on your server performance), click Next.
7. In the “Organization Information” dialogue box (below), we will enter the name of our organization. This should be as you want it to appear on any legal documents as this is the name that will appear in your certificate. The organizational unit can be a location, department or business unit within your company.
8. In the “Your Site’s Common Name” dialogue box (below), we must enter the FQDN of our web server.
9. You are now presented with the “Geographical Information” dialogue box (below). It is important to make sure you enter the State in full, for example “New York” not just “NY”. Abbreviating State names will be rejected at the end of the Certificate Wizard.
10. The last step is to specify the location of the Certificate Request File, remember where and what you called this as you will need to copy the data from this file to send to the third-party organization.
11. The “Request File Summary” will now appear (below). Make sure everything is OK and then click Next to process the request.
We have now created a “Certificate Request”; this will be used in the CSR that we send to InstantSSL.
When you apply for a certificate from InstantSSL they will ask for you to provide the Certificate Request, this is done by pasting the contents of the file we just created into a form when you apply for your certificate.
Once we have submitted our request we must wait for them to process the request, this is normally done within a few hours but could take up to 24 hours of you submitting your request, they will send their acknowledgement via email to the technical contact that you specified on the enrollment form.
When you receive the confirmation email from the third-party they will also include instructions on how to install the certificate.
Adding SSL to your OWA Page
We have now received our certificate from InstantSSL and we’re now going to setup OWA so it requires the use of SSL.
1. Open Internet Services Manager from your Administrative Tools.
2. Open the Properties for the Web Site that is hosting OWA (normally the Default Web Site).
3. Select the “Directory Security” tab and then click on the “Server Certificates” button.
4. You will now be presented with the “Pending Certificate Request” dialogue box (below), select “Process the pending request and install the certificate”, click Next.
5. The “Process a Pending Request” dialogue box will appear (below), navigate to the Certificate that you received from the third-party, click Next.
6. You will now be presented with the “Certificate Summary” (below), if everything on this screen looks OK, click Next.
We have now installed the SSL certificate into our web site, the next step is to enable SSL for OWA - this is a pretty simple task.
1. Using the Internet Services Manager, open the properties for the “Exchange” virtual directory.
2. Select the “Directory Security” tab and the click on the “Edit” button in the Secure Communication section.
3. In the “Secure Communications” dialogue box (yet again below), check the box “Require Secure Channel (SSL)”, you could also check the box “Require 128-bit encryption”, if you do check the 128-bit checkbox, any browsers that do not support 128-bit encryption will be unable to connect to OWA.
OK, so now when users enter http://ahost.adomain.com/exchange, they will receive an “HTTP 403.4 – Forbidden: SSL required Internet Information Services” error message, because we have configured OWA to require SSL. SSL uses the HTTPS protocol, so users would need to enter the url as https://ahost.adomain.com/exchange. Microsoft has written a great article about forcing the use of SSL with OWA:
One final step that you may need to take is to ensure that your Firewall is configured to allow HTTPS (port 443 by default) to pass through.
So now that we have followed all of these steps, OWA should now be secure.