We are using one certificate created by our non-MS Certificate Authority. The Apache server and the OWA server both have a copy.

Here is what our unix admin recommends...
http://www.giac.org/practical/GSEC/David_Waldo_GSEC.pdf

TJ

-----Original Message-----
From: Ola One [mailto:ola_atb@xxxxxxxxxxx]
Sent: Friday, December 24, 2004 10:31 AM
To: [ExchangeList]
Cc: Tim Jordan
Subject: [exchangelist] RE: Exchange with SSL - OWA Access

http://www.MSExchange.org/

Hello TJ,

Are you using Microsoft Certificate Authority for your SSL on both Apache and OWA or are you using 2 different certificates? I started out with the intentions of running reverseproxy, but I am thinking that is what you are doing already. Can you lend a helping hand, please?

Thank you

>From: "Tim Jordan" <tim@xxxxxxxxxxxxx>
>Reply-To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>Date: Wed, 22 Dec 2004 16:33:11 -0900
>
>Hi Tom,
>Your comments left me a little confused. If the client is using SSL to
>connect to the Apache server which then passes the request to the
>internal OWA server...where does the "security nightmare" come into
>play?
>
>I personally use https://mywebsite/exchange to connect to my OWA server
>which is proxied by Apache. It works great and the user is prompted to
>accept the cert from the OWA server. So the Apache server is running
>SSL and so is the OWA server.
>
>TJ
>
>-----Original Message-----
>From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
>Sent: Wednesday, December 22, 2004 1:05 PM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>
>Hi Tim,
>
>That allows for SSL to HTTP bridging! A security nightmare. And he has
>the gall to say that IIS is insecure after describing such a config. Arrg!
>
>Tom
>www.isaserver.org/shinder
>Tom and Deb Shinder's Configuring ISA Server 2004
>http://tinyurl.com/3xqb7
>MVP -- ISA Firewalls
>
>-----Original Message-----
>From: Tim Jordan [mailto:tim@xxxxxxxxxxxxx]
>Sent: Wednesday, December 22, 2004 2:43 PM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>
>Ola,
>Here is another link for proxying OWA through Apache server.
>http://3cx.org/static/pages/1
>
>TJ
>
>-----Original Message-----
>From: Tim Jordan [mailto:tim@xxxxxxxxxxxxx]
>Sent: Wednesday, December 22, 2004 11:16 AM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>
>I disagree with Andrew on this. There is no need for ISA or dumping
>Apache to make this work.
>
>Ola, are you an experienced Apache admin? If you are I would suggest
>researching Apache proxy. If you have a unix admin he/she should know
>this stuff.
>
>TJ
>
>-----Original Message-----
>From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
>Sent: Tuesday, December 21, 2004 7:40 PM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>
>You need to invest in a real firewall like ISA server that way you do
>what you are asking without worrying about port 80 being signed to one
>machine.
>
>I currently run a web server on a separate box and Exchange on another
>which my users can access their web sites and emails from, both are
>running on port 80, however my ISA server knows what is coming in for
>web and what is coming in for OWA and thus points the connections to
>the right server.
>
>Using your everyday Linksys type router will not work for you. If you
>can't afford to invest in a proper firewall then I suggest you run your
>web sites from your Exchange Server and dump the Apache box.
>
>Andrew
>
>-----Original Message-----
>From: Ola One [mailto:ola_atb@xxxxxxxxxxx]
>Sent: Tuesday, December 21, 2004 9:48 PM
>To: [ExchangeList]
>Subject: [exchangelist] Exchange with SSL - OWA Access
>
>Hello all,
>
>I have a peculiar problem. I have two win2k3 Enterprise on my network.
>Apache webserver is sitting on one, and Exchange 2003 Enterprise is
>sitting on the other.
>
>The Apache Server came first and so the router has been used to map
>Port 80 to the Apache Server. Now with Exchange installed, the questions
>are twofold:
>
>1. Exchange was installed and Microsoft Certificate Authority was
>generated and used. So SSL is on. Based on this, if the users are
>willing, can they access OWA through HTTPS and not bother with HTTP
>since Port 80 is in use by the Apache Server? That way, the router can
>open Port 25, 110, and 443 to the Exchange server? The main way of
>connecting to this server is mostly through OWA.
>
>2. I have forgotten whose address I put in Forwarders in my DNS entry
>(Would that be my WAN IP?), and whether I need to include an MX record in
>my forward lookup zone.
>
>Thank you all in advance.
>
>Ola
>
>------------------------------------------------------
>List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
>Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
>Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
>------------------------------------------------------
>Other Internet Software Marketing Sites:
>World of Windows Networking: http://www.windowsnetworking.com
>Leading Network Software Directory: http://www.serverfiles.com
>No.1 ISA Server Resource Site: http://www.isaserver.org
>Windows Security Resource Site: http://www.windowsecurity.com/
>Network Security Library: http://www.secinf.net/
>Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>------------------------------------------------------
>You are currently subscribed to this MSEXchange.org Discussion List as: andrew@xxxxxxxxxxxxxxxxxxxxxx
>To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
>Report abuse to listadmin@xxxxxxxxxxxxxx
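
Added example, not taken from the thread or the guides it links to: the two Apache reverse-proxy setups the thread contrasts, SSL-to-HTTP bridging (commented out) beside SSL on both legs with the OWA server's certificate verified by the proxy. The host names `mail.example.com` and `owa.internal.example`, the file paths and the `/exchange` mapping are assumptions for illustration.

```apache
# Requires mod_ssl, mod_proxy and mod_proxy_http.
# All host names and file paths below are hypothetical placeholders.

# --- SSL-to-HTTP bridging (weak): TLS ends at Apache and the hop to
# --- the OWA server crosses the internal network in cleartext.
# <VirtualHost *:443>
#     ServerName mail.example.com
#     SSLEngine on
#     SSLCertificateFile    conf/ssl/mail.example.com.crt
#     SSLCertificateKeyFile conf/ssl/mail.example.com.key
#     ProxyPass        /exchange http://owa.internal.example/exchange
#     ProxyPassReverse /exchange http://owa.internal.example/exchange
# </VirtualHost>

# --- SSL-to-SSL (corrected): both legs are encrypted and Apache
# --- checks the OWA server's certificate before forwarding.
<VirtualHost *:443>
    ServerName mail.example.com

    # Client-facing leg
    SSLEngine on
    SSLCertificateFile    conf/ssl/mail.example.com.crt
    SSLCertificateKeyFile conf/ssl/mail.example.com.key

    # Back-end leg: enable TLS for proxied requests
    SSLProxyEngine on
    # Refuse the back end unless its certificate chains to the internal CA
    SSLProxyVerify require
    SSLProxyCACertificateFile conf/ssl/internal-ca.crt
    # Also match the certificate name against the back-end host name
    # (directive available in Apache 2.4.5 and later)
    SSLProxyCheckPeerName on

    # Reverse proxy only, never an open forward proxy
    ProxyRequests Off
    ProxyPass        /exchange https://owa.internal.example/exchange
    ProxyPassReverse /exchange https://owa.internal.example/exchange
</VirtualHost>
```

Without `SSLProxyVerify require`, Apache encrypts the back-end connection but accepts whatever certificate the internal server presents.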