Setup OWA and RPC over https



nudge109
15-11-2007, 10:11 AM
I want to set up Outlook Web Access and RPC over HTTPS on a single domain.

My understanding is that the login information used to access Outlook Web Access (OWA) is submitted in clear text, which has obvious security issues. So, how do I set up my Exchange server so that it uses an SSL certificate to encrypt this data transfer?

I guess to start, how do I assign my Exchange Server's public IP address to a domain name without affecting the IP of the www.domain.com IP address (which is on a different server with a different IP)? (I assume I need to do this first in order to have the SSL certificate associated with a domain.)

Once I have done this, how do I set things up so that my users can go to https://????.domain.com/exchange to log in and access their email? (I do understand that I will need to purchase an SSL cert, but am not sure what domain name (or alias) I will need to assign this to.)

Also, there are quite a few SSL certificate products out there at different price levels, which is very confusing to me. I would only need a certificate that could be used for email procurement for remote users (both OWA and RPC over https) on a single domain with one Exchange server present. What type of certificate only deals with this kind of content?

Cheers

TGoddard
15-11-2007, 01:37 PM
I know absolutely nothing about OWA but can help with SSL and DNS.

You just want a general SSL server certificate for the mail server's domain, nothing fancy. You need to purchase a certificate if you want an external authority to verify that you are who you say you are. This is their only role in the SSL process.

You could also at no cost set up your own certification authority (CA) for workplace use and sign your own certificates. The disadvantage is that users would have to install your CA certificate on their machines to properly verify that the server is genuine and not an attacker. With a purchased certificate you will have to go through a verification procedure but users will already have that authority's certificate installed.

How is your domain managed at the moment? Is an external service managing your domain or are you using your own DNS servers? Most businesses are likely to use an external service and as a result the process will depend on who's doing it. If you run your own servers then you will just need to add the subdomain to the configuration.

I can't give any advice about setting up OWA but you will need to point your subdomain to the public address of the server. If you already have a web server on the same address then you may want to use a different port.
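
The private-CA option described in the post above, as an added example that is not part of the original thread: a private CA signs a certificate for a placeholder host name, and `openssl verify` rejects it until the CA certificate is in the client's trust set, and rejects it again when the host name does not match. The host name `mail.example.test`, the CA name and all file names are constructed assumptions; OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Constructed demo: every name and file below is a placeholder, not from the thread.
HOST="mail.example.test"          # stands in for the mail subdomain
WORK="$(mktemp -d)"

cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

make_ca() {            # self-signed root: the file every client must install
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/pki.cnf" -extensions v3_ca -subj "/CN=Constructed Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_server_cert() {  # key + CSR for the mail host, signed by the private CA
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions v3_srv \
    -out "$WORK/srv.crt" 2>/dev/null
}

# $1 = host name the user connects to, $2 = "ca-installed" or "no-ca"
client_verify() {
  if [ "$2" = "ca-installed" ]; then
    openssl verify -CAfile "$WORK/ca.crt" -no-CApath -verify_hostname "$1" \
      "$WORK/srv.crt" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$1" \
      "$WORK/srv.crt" >/dev/null 2>&1
  fi
}

make_ca && issue_server_cert || { echo "openssl failed" >&2; exit 1; }
for c in "$HOST ca-installed" "$HOST no-ca" "www.example.test ca-installed"; do
  set -- $c
  if client_verify "$1" "$2"; then echo "$c: trusted"; else echo "$c: rejected"; fi
done
```

Only the first case verifies. The second is what a remote user's machine sees before the CA certificate has been distributed to it, and the third is why the certificate has to be issued for the exact name users will connect to.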

nudge109
15-11-2007, 02:49 PM
Thanks TGoddard,
I have reasonable knowledge of the OWA setup process, so your comments on SSL certification, which I am researching, are very helpful. Do you have any recommendations as to supplier/issuer of a suitable certificate? Price range seems enormously variable. What I'm looking for is a good bang-for-the-buck solution for OWA and RPC over https services. Would it just be a basic SSL cert?
Domain is managed in-house with our own DNS server. I have spoken to TelstraClear, who are the registrars of my domain, and set up a sub-domain name "mail.domain.co.nz" and created a new A Record to point it to the static IP address on the router. The web server is at another location, so the A Record for www points to another IP location.
Cheers

Erayd
15-11-2007, 03:07 PM
I'd recommend you set up 'webmail.domain.co.nz' and get the cert issued for that name. That way if you want to expand later and put webmail on a different server to your MTA, you can do so without disrupting your SSL.

berryb
15-11-2007, 09:08 PM
Or depending on your requirements you could make your own Cert with SelfSSL included in Server.

http://www.msexchange.org/tutorials/Creating-Certificate-OWA2003-SelfSSL.html

nudge109
16-11-2007, 09:06 AM
Thanks berryb and bletch for your advice. I am waiting for the hardware techs to finish the hardware refresh before I can get on and make those settings. I can get Telstra to add in and take out "A" records without too much hassle since they are the registrars.
I will try SelfSSL, but other techs have told me they have run into so many problems with internal certs that it may be worth spending the dosh and getting a fully-fledged 3rd party one. I'll let you know.

berryb
16-11-2007, 11:45 AM
I used SelfSSL for one site I manage. Works fine for the small number of people who access OWA for no cost. But as I stated earlier, depends on your own requirements. I haven't used it in other situations.