Re: Can I set 2 SSL Certificate for one IP?




OK Maybe I do have to admit that I may be slighted by the fact that I do use
SBS 2003 along with Exchange 2003 and that my company is less than 50 users.
I'm not doubting the integrity of SSL and using OWA. I guess I'm confused as
why one would have users use OWA "internally" and not Outlook. I guess the
reasons you give for someone using a sniffer on your internal nic are
"assuming" someone is already inside of your network and if that is the case
then I would think at that point all is a lost cause now. Maybe I was wrong
when I always thought that OWA is more for "external" access to one's email.
Being internal and using Outlook's built in encryption I would think is good
enough for my users. I'm not trying to discredit your reasoning just trying
to understand why OWA and not Outlook internally?


"Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:p0fbe39ns1224fh0qfschcdlqr857bs7d8@xxxxxxxxxx
"SBS Rocker" <noreply@xxxxxxxxxxxx> wrote:


"Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:sr9be3p7pmab1c7c1mir62uff13oq5jita@xxxxxxxxxx
"SBS Rocker" <noreply@xxxxxxxxxxxx> wrote:

Working with SBS does not affect my view on why using SSL to access OWA
internally.

Oh, but I think it does!

Are your office networks switched or do they use hubs? Do you know
who's installed WireShark (the new name for Ethereal), or whose
network adaptor's using promiscuous mode? Do you trust /all/ the
people with access to your network?

This is my "internal" network. My network is on switches and different
subnets and hubs.

Then the parts on the hubs can be sniffed by anyone with the ability
to put their NIC in promiscuous mode and install network monitoring
software. I don't know how many people that might be, or what their
technical abilities might be, but you've got a lot of lightly-, or
un-, encrypted information moving between your Exchange server and
email clients (even Outlook) that just about anyone can see.

The switched part of the network is more technically challenging, but
people with access to the switch can plug in a network monitor and
have access to all the information that passes through the switch(es).

Since you say it's "my" internal network I think it's safe to assume
that it not very large. So my comment about SBS and your thinking
still stands.

Your reasons for doing so does not justify the need.

Well, then, you go right ahead and continue using HTTP. It's your
network. But please don't question the validity of using secure
protocols to transmit potentially confidential information.

If you have SSL setup to use externally then redirection internally will
take them to the OWA using https and SSL. I do not use http for OWA. Again
this is my "internal" network and my clients use Outlook.

You've verified that with the HTTP log files?

I do not see a need for my users to have to use OWA internally. If you have
to still use SSL internally then obviously you yourself have security issues
within your own company.

And you don't? Maybe you should read "Enemy at the watercooler"!
(Ignore the fact that it was written by the CEO of an ESM company and
just get an idea of what really can happen -- I'm not recommending you
take all the advice and go buy lots of expensive equipment.)

If someone inside my network wants to use OWA they type in http
and it will automatically redirect them to https using SSL. They will get a
certificate error but they can still use OWA and SSL internally.

And if they use "http://<mailbox-server>/Exchange" what happens? Or
does SBS use the same IP address (or URL) for all roles? Again, that
SBS thing affects the way you view security.

"Conference rooms? Visiting another person's office? Kiosks?"

Meaning that it's unlikely that a person is carrying a machine with
them, or that they feel its necessary to log on to another machine to
check their mail or next appointment (assuming they have a roaming
profile).

Any of my clients can log onto any machine and use Outlook.

With roaming profiles? Again, your assumptions are based on small
numbers of users.

Remember, your statement was that the /other/ person doesn't need
secure communications. Perhaps /you/ don't (or don't know you do), but
you don't know that /he/ doesn't need it.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx
mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx
mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
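Rich's question above ("You've verified that with the HTTP log files?") is the practical one: the only way to know whether internal OWA users are really being bounced to https is to read the IIS logs on the mailbox/front-end server and look for OWA paths answered on port 80 with anything other than a redirect. The script below is an added example written for this thread, not code from either poster. It assumes IIS 6-style W3C extended logs with a `#Fields:` header (the default for an Exchange 2003 front end), that OWA is served from the /exchange, /exchweb and /public virtual directories (OWA_PATHS is an assumption; adjust it for your server), and the sample log embedded in it is constructed, not captured from a real server.

```python
"""Check IIS W3C logs for OWA requests that went over plain HTTP.

Added example for the thread above, not code from either poster. It
assumes IIS 6-style W3C extended logs with a '#Fields:' header (what an
Exchange 2003 front end writes by default) and that OWA lives under
/exchange, /exchweb and /public; OWA_PATHS is an assumption to adjust
for your server. The sample log below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed OWA virtual directories; /owa added for later Exchange versions.
OWA_PATHS = ("/exchange", "/exchweb", "/public", "/owa")
REDIRECT_STATUSES = {301, 302, 303, 307}


@dataclass
class Hit:
    time: str
    client_ip: str
    user: str      # cs-username; '-' means the request was anonymous
    uri: str
    port: int
    status: int


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names.

    W3C logs are space-separated; IIS encodes spaces inside a value
    (e.g. the User-Agent) as '+', so a plain split on ' ' is correct.
    """
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line.strip() or line.startswith("#"):
            continue                       # blank, #Software, #Version, #Date
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue                       # malformed/truncated: skip, don't guess
        rows.append(dict(zip(fields, values)))
    return rows


def is_owa(uri_stem: str) -> bool:
    """True if the request path is one of the assumed OWA virtual directories."""
    return uri_stem.lower().startswith(OWA_PATHS)


def cleartext_owa_hits(log_text: str) -> Dict[str, List[Hit]]:
    """Split port-80 OWA requests into harmless redirects and served content.

    A 30x on port 80 means the http->https redirect did its job. Anything
    else on port 80 (a 200 for a mailbox path, a 401 challenge, images
    pulled from /exchweb) was carried in the clear and could be sniffed.
    """
    result: Dict[str, List[Hit]] = {"redirected": [], "served": []}
    for row in parse_w3c(log_text):
        if not is_owa(row["cs-uri-stem"]) or int(row["s-port"]) != 80:
            continue
        hit = Hit(
            time=row["time"],
            client_ip=row["c-ip"],
            user=row["cs-username"],
            uri=row["cs-uri-stem"],
            port=int(row["s-port"]),
            status=int(row["sc-status"]),
        )
        bucket = "redirected" if hit.status in REDIRECT_STATUSES else "served"
        result[bucket].append(hit)
    return result


def authenticated_cleartext(hits: Dict[str, List[Hit]]) -> List[Hit]:
    """Served-over-HTTP hits that also carry a username: the worst case,
    since the client authenticated and read mailbox content without TLS."""
    return [h for h in hits["served"] if h.user != "-"]


# Constructed sample: one correct redirect, one proper HTTPS session,
# two cleartext OWA hits (one of them authenticated) and one unrelated page.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-05-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-05-01 08:12:03 192.168.1.5 GET /exchange/ - 80 - 192.168.1.77 Mozilla/4.0+(compatible;+MSIE+6.0) 302 0 0
2006-05-01 08:12:04 192.168.1.5 GET /exchange/ - 443 DOMAIN\jdoe 192.168.1.77 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-05-01 08:15:40 192.168.1.5 GET /Exchange/jdoe/Inbox/ - 80 DOMAIN\jdoe 192.168.1.80 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-05-01 08:16:02 192.168.1.5 GET /exchweb/img/logo.gif - 80 - 192.168.1.80 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-05-01 08:20:11 192.168.1.5 GET /default.htm - 80 - 192.168.1.90 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""

if __name__ == "__main__":
    hits = cleartext_owa_hits(SAMPLE_LOG)
    print(f"redirected to https: {len(hits['redirected'])}")
    for h in hits["served"]:
        print(f"CLEARTEXT {h.time} {h.client_ip} {h.user} {h.uri} -> {h.status}")
    for h in authenticated_cleartext(hits):
        print(f"  authenticated session over http: {h.user} from {h.client_ip}")
```

Run it against a day's worth of ex*.log files from the OWA server (concatenate them, or call `cleartext_owa_hits` per file) rather than the sample. An empty "served" list means the redirect really is catching everyone; any entry in `authenticated_cleartext` is a user whose mailbox content, and, with Basic authentication, password, went across the wire in a form anyone on the same hub or with a span port on the switch could read, which is exactly the case being argued about above.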