OWA - to SSL or not to SSL??

OWA - to SSL or not to SSL??

Post by Mathe » Sat, 15 Feb 2003 01:18:48



I recently built a new win2k server with exchange 2000
sp3. I have mcafee groupshield exchange running for
virus/blocking purposes, and I also configured Outlook Web
Access for use with SSL.

I'm using the MS supplied Certificate Authority, so I
don't have to spend the money to get it from an outside
source.

My question is if it is really necessary? Sure it goes
over https protocol, but what is it really doing except
telling the workstations it is ok to come into the
corporate server, and chewing up server resources?

Is normal http OWA unencrypted? The initial page load for
OWA takes almost 10 seconds because the certificate is not
installed. I'm not sure how to install it. It pops up and
asks if I want to accept, I say yes.. Yet it keeps asking
me each time i try to log into OWA.

Thanks!!!

 
 
 

OWA - to SSL or not to SSL??

Post by Baris Eris [MS » Sat, 15 Feb 2003 02:53:41


Mathew, we strongly recommend you to implement SSL.

Otherwise all the traffic will travel in clear text. Most importantly,
usernames/passwords will travel in clear. Not a very good practice.

If you know your client base; you can add your internal CA to the trust
lists of those IE clients and that way avoid that untrusted CA pop-up
message every time you use OWA.

Baris.

--
Visit these sites to automatically update your system:
http://windowsupdate.microsoft.com and http://office.microsoft.com
Always run latest versions: W2k SP3, NT4 SP6a, E2k SP3, E55 SP4, Office XP
SP2
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. ? 2003 Microsoft Corporation. All rights
reserved.


Quote:> I recently built a new win2k server with exchange 2000
> sp3. I have mcafee groupshield exchange running for
> virus/blocking purposes, and I also configured Outlook Web
> Access for use with SSL.

> I'm using the MS supplied Certificate Authority, so I
> don't have to spend the money to get it from an outside
> source.

> My question is if it is really necessary? Sure it goes
> over https protocol, but what is it really doing except
> telling the workstations it is ok to come into the
> corporate server, and chewing up server resources?

> Is normal http OWA unencrypted? The initial page load for
> OWA takes almost 10 seconds because the certificate is not
> installed. I'm not sure how to install it. It pops up and
> asks if I want to accept, I say yes.. Yet it keeps asking
> me each time i try to log into OWA.

> Thanks!!!


 
 
 

OWA - to SSL or not to SSL??

Post by Mathe » Sat, 15 Feb 2003 05:17:29


But how do I get the IE clients to authenticate the
certificate quickly? It takes almost 10 seconds for the
message to pop up to accept the certificate, even after
I've imported the certificate.

Thanks.

Quote:>-----Original Message-----
>Mathew, we strongly recommend you to implement SSL.

>Otherwise all the traffic will travel in clear text. Most
importantly,
>usernames/passwords will travel in clear. Not a very good
practice.

>If you know your client base; you can add your internal
CA to the trust
>lists of those IE clients and that way avoid that
untrusted CA pop-up
>message every time you use OWA.

>Baris.

>--
>Visit these sites to automatically update your system:
>http://windowsupdate.microsoft.com and

http://office.microsoft.com
Quote:>Always run latest versions: W2k SP3, NT4 SP6a, E2k SP3,
E55 SP4, Office XP
>SP2
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>You assume all risk for your use. ? 2003 Microsoft

Corporation. All rights

- Show quoted text -

>reserved.



>> I recently built a new win2k server with exchange 2000
>> sp3. I have mcafee groupshield exchange running for
>> virus/blocking purposes, and I also configured Outlook
Web
>> Access for use with SSL.

>> I'm using the MS supplied Certificate Authority, so I
>> don't have to spend the money to get it from an outside
>> source.

>> My question is if it is really necessary? Sure it goes
>> over https protocol, but what is it really doing except
>> telling the workstations it is ok to come into the
>> corporate server, and chewing up server resources?

>> Is normal http OWA unencrypted? The initial page load
for
>> OWA takes almost 10 seconds because the certificate is
not
>> installed. I'm not sure how to install it. It pops up
and
>> asks if I want to accept, I say yes.. Yet it keeps
asking
>> me each time i try to log into OWA.

>> Thanks!!!

>.

 
 
 

OWA - to SSL or not to SSL??

Post by Greg Kelle » Sat, 15 Feb 2003 09:56:07


Export the Trusted CA certificate from your web server hosting the OWA site.
Take that file and import it as a Trusted CA certificate on the IE clients.
For both processes (exporting from server and importing to client) you can
use IE.  Go to Tools->Internet Options and click on the Content tab.  Then
click on the Certificates button.  Go to the Trusted Root Certificate tab,
find your certificate and export.  Use the same process to import on the
client.  Message box then goes away when connecting to OWA.

--
Greg Kelley
SS&G Technology Consulting, LLC
http://www.ssgtechnology.com


But how do I get the IE clients to authenticate the
certificate quickly? It takes almost 10 seconds for the
message to pop up to accept the certificate, even after
I've imported the certificate.

Thanks.

Quote:>-----Original Message-----
>Mathew, we strongly recommend you to implement SSL.

>Otherwise all the traffic will travel in clear text. Most
importantly,
>usernames/passwords will travel in clear. Not a very good
practice.

>If you know your client base; you can add your internal
CA to the trust
>lists of those IE clients and that way avoid that
untrusted CA pop-up
>message every time you use OWA.

>Baris.

>--
>Visit these sites to automatically update your system:
>http://windowsupdate.microsoft.com and

http://office.microsoft.com
Quote:>Always run latest versions: W2k SP3, NT4 SP6a, E2k SP3,
E55 SP4, Office XP
>SP2
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>You assume all risk for your use. ? 2003 Microsoft

Corporation. All rights

- Show quoted text -

>reserved.



>> I recently built a new win2k server with exchange 2000
>> sp3. I have mcafee groupshield exchange running for
>> virus/blocking purposes, and I also configured Outlook
Web
>> Access for use with SSL.

>> I'm using the MS supplied Certificate Authority, so I
>> don't have to spend the money to get it from an outside
>> source.

>> My question is if it is really necessary? Sure it goes
>> over https protocol, but what is it really doing except
>> telling the workstations it is ok to come into the
>> corporate server, and chewing up server resources?

>> Is normal http OWA unencrypted? The initial page load
for
>> OWA takes almost 10 seconds because the certificate is
not
>> installed. I'm not sure how to install it. It pops up
and
>> asks if I want to accept, I say yes.. Yet it keeps
asking
>> me each time i try to log into OWA.

>> Thanks!!!

>.

 
 
 

1. OWA w/ SSL slow to establish SSL connection

Hello,

I'm having great difficulty trying to figure out why OWA is so slow using
SSL.
It seems to only be over the internet, but we have a 1Mbps connection, and
light usage, we were on a 100Mbps connection, but downgraded due to cost.
I am aware of the tremendous speed difference, but SSL only seems to be slow
for certain connections, it is blazing fast from one of our branch offices,
but dead slow from my house...
(My house isn't that far from the branch where its fast on Cable Modem, but
we have different ISP's, I'm on ADSL)

Thanks,

Clint McGuire

2. cant delete item from public folder

3. SSL Diagnostics: Beta 2 (I386 Only) -- OWA Users with SSL

4. Total exchange

5. SSL Credential Error, without SSL installed

6. Exchange 2000 availability at a Disaster Recovery Site

7. owa ssl file not found

8. Downstream Notes Email address generator for Exchange server

9. New SSL certificate installed now OWA Password change does not work

10. OWA page not found after SSL

11. OWA - Attachments not working after enabling SSL, sp2

12. OWA & SSL Not working

13. page not found after setting OWA for SSL