RE: Exchange with SSL - OWA Access

  • From: "Tim Jordan" <tim@xxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Dec 2004 11:10:51 -0900

We are using one certificate created by our non-MS Certificate
Authority.  The Apache server and the OWA server both have a copy.

Here is what our unix admin recommends...
http://www.giac.org/practical/GSEC/David_Waldo_GSEC.pdf
TJ

-----Original Message-----
From: Ola One [mailto:ola_atb@xxxxxxxxxxx] 
Sent: Friday, December 24, 2004 10:31 AM
To: [ExchangeList]
Cc: Tim Jordan
Subject: [exchangelist] RE: Exchange with SSL - OWA Access

http://www.MSExchange.org/

Hello TJ,

Are you using Microsoft Certificate Authority for your SSL on both
Apache and OWA, or are you using 2 different certificates? I started out
with the intention of running a reverse proxy, but I am thinking that is
what you are doing already. Can you lend a helping hand, please?

Thank you

>From: "Tim Jordan" <tim@xxxxxxxxxxxxx>
>Reply-To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>Date: Wed, 22 Dec 2004 16:33:11 -0900
>
>Hi Tom,
>Your comments left me a little confused.  If the client is using SSL to
>connect to the Apache server which then passes the request to the
>internal OWA server...where does the "security nightmare" come into
>play?
>
>I personally use https://mywebsite/exchange to connect to my OWA server
>which is proxied by Apache.   It works great and the user is prompted to
>accept the cert from the OWA server.  So the Apache server is running
>SSL and so is the OWA server.
>
>
>TJ
>
>-----Original Message-----
>From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
>Sent: Wednesday, December 22, 2004 1:05 PM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>
>Hi Tim,
>
>That allows for SSL to HTTP bridging! A security nightmare. And he has
>the gall to say that IIS is insecure after describing such a config.
>Arrg!
>
>
>
>Tom
>www.isaserver.org/shinder
>Tom and Deb Shinder's Configuring ISA Server 2004
>http://tinyurl.com/3xqb7
>MVP -- ISA Firewalls
>
>
>-----Original Message-----
>From: Tim Jordan [mailto:tim@xxxxxxxxxxxxx]
>Sent: Wednesday, December 22, 2004 2:43 PM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>
>Ola,
>Here is another link for proxying OWA through Apache server.
>http://3cx.org/static/pages/1
>
>TJ
>
>-----Original Message-----
>From: Tim Jordan [mailto:tim@xxxxxxxxxxxxx]
>Sent: Wednesday, December 22, 2004 11:16 AM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>
>I disagree with Andrew on this.  There is no need for ISA or dumping 
>Apache to make this work.
>
>Ola, are you an experienced Apache admin? If you are I would suggest
>researching Apache proxy.  If you have a unix admin he/she should know 
>this stuff.
>
>TJ
>
>-----Original Message-----
>From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx]
>Sent: Tuesday, December 21, 2004 7:40 PM
>To: [ExchangeList]
>Subject: [exchangelist] RE: Exchange with SSL - OWA Access
>
>You need to invest in a real firewall like ISA server that way you do 
>what you are asking without worrying about port 80 being signed to one 
>machine.
>
>I currently run a web server on a separate box and Exchange on another 
>which my users can access their web sites and emails from, both are 
>running on port 80, however my ISA server knows what is coming in for 
>web and what is coming in for OWA and thus points the connections to 
>the right server.
>
>Using your everyday Linksys type router will not work for you. If you
>can't afford to invest in a proper firewall then I suggest you run your
>web sites from your Exchange Server and dump the Apache box.
>
>Andrew
>
>
>-----Original Message-----
>From: Ola One [mailto:ola_atb@xxxxxxxxxxx]
>Sent: Tuesday, December 21, 2004 9:48 PM
>To: [ExchangeList]
>Subject: [exchangelist] Exchange with SSL - OWA Access
>
>Hello all,
>
>I have a peculiar problem. I have two win2k3 Enterprise on my network.
>Apache webserver is sitting on one, and Exchange 2003 Enterprise is 
>sitting on the other.
>
>The Apache Server came first and so the router has been used to map
>Port 80 to the Apache Server. Now with Exchange installed, the questions
>are twofold:
>
>1. Exchange was installed and Microsoft Certificate Authority was
>generated and used. So SSL is on. Based on this, if the users are
>willing, can they access OWA through HTTPS and not bother with HTTP
>since Port 80 is in use by the Apache Server. That way, the router can
>open Port 25, 110, and 443 to the Exchange server? The main way of
>connecting to this server is mostly through OWA.
>
>2. I have forgotten whose address I put in Forwarders in my DNS entry 
>(Would that be my WAN IP?), and whether I need to include MX record in 
>my forward lookup zone.
>
>Thank you all in advance.
>
>Ola
>
>
>
>------------------------------------------------------
>List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
>Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
>Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
>------------------------------------------------------
>Other Internet Software Marketing Sites:
>World of Windows Networking: http://www.windowsnetworking.com
>Leading Network Software Directory: http://www.serverfiles.com
>No.1 ISA Server Resource Site: http://www.isaserver.org
>Windows Security Resource Site: http://www.windowsecurity.com/
>Network Security Library: http://www.secinf.net/
>Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>------------------------------------------------------
>You are currently subscribed to this MSEXchange.org Discussion List as:
>andrew@xxxxxxxxxxxxxxxxxxxxxx
>To unsubscribe visit
>http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
>Report abuse to listadmin@xxxxxxxxxxxxxx
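
The two back-end options debated in this thread (SSL-to-HTTP bridging versus SSL on both the Apache and OWA legs), shown side by side as an added Apache reverse-proxy configuration; it is not taken from any poster or from the linked documents. The hostnames and file paths are placeholders, and the directives assume a current Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded.

```apache
# Added example. mail.example.com, owa.internal.example and all file
# paths are placeholders, not values from the thread.
<VirtualHost *:443>
    ServerName mail.example.com

    # Client-facing leg: browser <-> Apache over TLS.
    SSLEngine on
    SSLCertificateFile    "conf/ssl/mail.example.com.crt"
    SSLCertificateKeyFile "conf/ssl/mail.example.com.key"

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests Off

    # Weak variant (SSL-to-HTTP bridging): TLS ends at Apache and the
    # request, including OWA credentials, crosses the internal network
    # to the Exchange server in clear text.
    # ProxyPass        /exchange http://owa.internal.example/exchange
    # ProxyPassReverse /exchange http://owa.internal.example/exchange

    # Corrected variant (SSL-to-SSL bridging): Apache opens its own TLS
    # session to OWA and refuses the connection unless the back-end
    # certificate chains to the expected CA and matches the host name.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile "conf/ssl/internal-ca.crt"
    SSLProxyCheckPeerName on    # Apache 2.4.5 or later
    ProxyPass        /exchange https://owa.internal.example/exchange
    ProxyPassReverse /exchange https://owa.internal.example/exchange
</VirtualHost>
```

Any other OWA virtual directory published through the proxy needs the same ProxyPass/ProxyPassReverse pair. Without `SSLProxyVerify require` the second leg is encrypted but Apache accepts any certificate the back end presents.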