Re: http to https redirect for OWA


From: Bruno GUERPILLON (spam_at_gerpion.com)
Date: 08/23/04


Date: Mon, 23 Aug 2004 13:56:39 +0200

Robert Korzuch wrote:
| My users keep forgetting to type https in their web
| browser to securely connect to Outlook Web Access and
| therefore get the SSL error message. I have read KB
| Article #555126 and have implemented the changes.
| Everything works fine internally (inside the firewall
| (ISA Server 2000 SP1)) but users get the same SSL error
| message when they try to connect externally (outside the
| firewall). Everything works fine if I uncheck
| the "Require secure channel (SSL)" checkbox on the
| Exchange and Public virtual directories but it is not a
| secure connection. Is there a way in ISA to redirect
| HTTP requests to HTTPS for the OWA website? I'm tired of
| getting phone calls in the middle of the night because a
| user can't read his email.

Hi Robert,

Correct me if I'm wrong (hey Thomas Shinder :) ).
If you set up HTTP to HTTPS, what does it mean? It means that the HTTP
request from your external client will go through an HTTPS (SSL) tunnel. Well,
my thoughts are the following: HTTP will go from client to ISA in plain text
(wow) and SSL from ISA to OWA (mmm, OK).
Kinda dangerous IMHO. Cause maybe you don't trust your LAN/DMZ, it's really
OK to do this.
What you should do is not trust the Internet side (not at all, ever).
I guess the best way would be to do some communication to your customers /
users and explain to them that they have to put in https so they will be in a
secure environment.

I hope it helps in any way.

Regards

-- 
Keep us posted
Best regards,
Bruno GUERPILLON
http://isa.gerpion.com 
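
A check for the clear-text first hop discussed in this thread, as an added example that is not part of the original posts or of KB 555126: it inspects the response a server gives to a plain-HTTP request and flags anything other than a bare redirect to https:// on the same host. The host name mail.example.com, the function name and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def audit_plaintext_response(raw: str, requested_host: str) -> list[str]:
    """Findings for the response to a request that arrived over plain HTTP."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    # Header names are case-insensitive; keep duplicates (Set-Cookie may repeat).
    headers = [(k.strip().lower(), v.strip())
               for k, _, v in (line.partition(":") for line in lines[1:])]
    findings = []
    if status not in REDIRECTS:
        # Either an error page (the user is stuck) or real content in clear text.
        findings.append(f"status {status}: no redirect to HTTPS on the plain-HTTP listener")
    else:
        location = next((v for k, v in headers if k == "location"), "")
        target = urlsplit(location)
        if target.scheme != "https":
            findings.append(f"redirect target is not https://: {location!r}")
        elif (target.hostname or "").lower() != requested_host.lower():
            findings.append(f"redirect leaves the requested host: {target.hostname}")
    # Anything set here crossed the Internet side unencrypted.
    for name, value in headers:
        if name == "set-cookie":
            findings.append(f"cookie issued on the clear-text leg: {value.split('=')[0]}")
    return findings

# Constructed sample responses (not captured from a real ISA/OWA deployment).
CLEAN_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                  "Location: https://mail.example.com/exchange\r\n"
                  "Content-Length: 0\r\n\r\n")
COOKIE_ON_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                      "Location: https://mail.example.com/exchange\r\n"
                      "Set-Cookie: sessionid=abc123; path=/\r\n\r\n")
SSL_REQUIRED_ERROR = ("HTTP/1.1 403 Forbidden\r\n"
                      "Content-Type: text/html\r\n\r\n<html>SSL required</html>")

if __name__ == "__main__":
    for label, raw in [("clean redirect", CLEAN_REDIRECT),
                       ("cookie on redirect", COOKIE_ON_REDIRECT),
                       ("SSL-required error", SSL_REQUIRED_ERROR)]:
        print(label, "->", audit_plaintext_response(raw, "mail.example.com") or "OK")
```
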

