Re: OWA published in ISA (SBS 2000)
From: Chad A Gross [SBS-MVP] (chad.gross_at_laytonflower.nospam.com)
Date: 02/28/04
- Next message: Slavomir Ivanov: "SBS Warrning Event"
- Previous message: Merv Porter [SBS-MVP]: "Re: OWA published in ISA (SBS 2000)"
- In reply to: Gary Webb: "Re: OWA published in ISA (SBS 2000)"
- Next in thread: Merv Porter [SBS-MVP]: "Re: OWA published in ISA (SBS 2000)"
- Reply: Merv Porter [SBS-MVP]: "Re: OWA published in ISA (SBS 2000)"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 28 Feb 2004 14:54:49 -0600
Hi Gary -
You don't have to be hosting a public website (other than OWA). When you
access a website using SSL, your browser checks the SSL certificate for 3
conditions: 1) the name on the certificate matches the name of the website.
2) The certificate hasn't expired. 3) You have chosen to trust the
publisher that generated the SSL certificate. As you know, IE has its
Trusted Root, which lists a predefined group of trusted publishers. If the
SSL certificate on a site was not issued by a trusted publisher, you will
receive a security warning before the page loads.
When you install and enable Certification Authority in Windows Server / SBS,
you're basically setting yourself up as a certificate publisher, but the
typical small business is not going to be included in IE's list of trusted
publishers. In order to prevent users from getting a security warning every
time they access an OWA installation using a self-signed certificate, they
need to choose to trust the publisher (you). They do this by installing your
.crt file mentioned in the article to their trusted root. Obviously, they
need to be able to access your .crt file from the internet in order to
install it on their machine. Since publishing Certificate Services to the
internet comes with a slew of security implications (Especially on an SBS),
I recommend uploading your .crt file to your outsourced website if you have
one. This allows remote users to be able to access the .crt file so they
can add you as a trusted publisher without further exposing your SBS to the
internet unnecessarily.
It is important to note that it is not necessary to upload your .crt file to
a public website, or even for it to be accessible to remote users. You can
completely skip these steps and your users will still be able to access
OWA - the only thing is that they will be prompted with a security warning
indicating that the SSL cert was generated by a publisher they have chosen
not to trust. I would recommend purchasing an SSL cert from a trusted
publisher as this completely negates the need to upload a .crt file, and the
users will not be prompted with a security warning. Just make sure that the
name on the SSL cert matches the URL users will be using to access the site.
(E.g. - if they're going to access OWA using mail.yourcompany.com/exchange,
you'll want the name on the SSL cert to be mail.yourcompany.com - if
they're accessing it using the public IP 12.23.45.67/exchange, then you'll
want the name on the SSL cert to be your public IP)
As for Exchange using the ISP smarthost & using ETRN to dequeue inbound
email, that shouldn't have any effect on OWA. OWA doesn't care how Exchange
sends & receives email, it just provides access to a mailbox. The same goes
for if SBS is using the pop connector - OWA works the same as with a pure
SMTP installation. The only thing with using ETRN or the pop connector,
etc. is that there is a chance that there are emails sitting on the ISP's
mailserver that Exchange has not retrieved yet. Obviously, these emails
won't be available via OWA until Exchange retrieves them.
HTH!
--
Chad A. Gross [SBS-MVP]
SBS ROCKS!!!

"Gary Webb" <email@garywebb.co.uk> wrote in message
news:eJ20c.13032$h44.1360322@stones.force9.net...
> Merv,
>
> These instructions appear to assume that you are running a web site from
> your SBS Server. This is not the case. The SBS Servers I need to try this
> with are mostly Internet access/Email access/File Servers only. They have
> the Internet domain name DNS MX record pointing to the 2nd NIC of the SBS
> which is connected via an ADSL router (/30 subnet). However, some use the
> ISP SMTP smart-host and collect email by issuing an ETRN to dequeue it. My
> first impression is that either these instructions won't work in this
> scenario, or need to be modified to allow for it. Your thoughts please?
>
> Thanks
>
> Gary
>
> "Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote in message
> news:OgU8GlZ$DHA.320@TK2MSFTNGP10.phx.gbl...
> > Hi Gary:
> >
> > Take a look at...
> >
> > How do I configure OWA with SSL
> >
> > http://www.smallbizserver.net/DesktopDefault.aspx?tabid=83
> >
> > --
> > Merv Porter [SBS MVP]
> > ===================================
> > "Gary Webb" <email@garywebb.co.uk> wrote in message
> > news:RUP%b.14859$Y%6.1259105@wards.force9.net...
> > > I have done some testing and published Exchange Server 2000 in ISA Server
> > > 2000 within an SBS2000 Server. I used the Microsoft article 308599 as a
> > > guide. This is mainly to allow OWA from anywhere on the Internet such as
> > > Internet Cafes. My concern before implementing this on a live system is
> > > security. Anybody got any experience of this configuration. Do's, don'ts,
> > > recommendations, etc. My goal is OWA as above with no extra software costs,
> > > minimal configuration, and minimal exposure to hacking. The SBS server will
> > > be on a permanent ADSL connection to the Internet.
> > >
> > > Thanks
> > >
> > > Gary
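Added example, not part of the original post or thread: a small Python model of the three certificate conditions described in the reply above, run against a constructed certificate so the effect of installing the .crt file and of browsing by IP address can be seen. The CA name "SBS2000-CA", the "Example Public Root CA" entry and the function names are assumptions; trust is modelled by issuer name only (a real browser verifies the signature chain), and names are compared exactly, without wildcards.

```python
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# "SBS2000-CA" stands in for the small business's own Certification Authority.
SBS_CERT = {
    "subject": ((("commonName", "mail.yourcompany.com"),),),
    "issuer": ((("commonName", "SBS2000-CA"),),),
    "notAfter": "Feb 28 20:54:49 2005 GMT",
}
PUBLIC_ROOTS = {"Example Public Root CA"}  # placeholder for the browser's built-in list
NOW = ssl.cert_time_to_seconds("Mar 10 00:00:00 2004 GMT")  # fixed clock for the example


def cert_names(cert):
    """Names the certificate is valid for: SAN entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return {n.lower() for n in names}


def browser_warnings(cert, host, trusted_roots, now=NOW):
    """Return the conditions that fail; an empty list means no warning."""
    failed = []
    # 1) the name on the certificate matches the name used to reach the site
    if host.lower() not in cert_names(cert):
        failed.append("name mismatch")
    # 2) the certificate has not expired
    if now >= ssl.cert_time_to_seconds(cert["notAfter"]):
        failed.append("expired")
    # 3) the publisher is trusted (simplified: issuer name is in the trusted set)
    issuer = dict(kv for rdn in cert["issuer"] for kv in rdn).get("commonName")
    if issuer not in trusted_roots:
        failed.append("untrusted publisher")
    return failed


if __name__ == "__main__":
    after_crt_install = PUBLIC_ROOTS | {"SBS2000-CA"}
    # Before the .crt is installed, after it is installed, and when browsing by IP.
    print(browser_warnings(SBS_CERT, "mail.yourcompany.com", PUBLIC_ROOTS))
    print(browser_warnings(SBS_CERT, "mail.yourcompany.com", after_crt_install))
    print(browser_warnings(SBS_CERT, "12.23.45.67", after_crt_install))
```

Installing the .crt clears only the publisher condition; reaching the same server by its public IP still fails the name check because the certificate was issued for the host name.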