I would like someone to tell me if what I did is the appropriate way to
secure my OWA connections. The main goal was to secure the password
exchange as my OWA server is firm external use and I have to allow
anon/basic text auth for it. The OWA server itself sits behind my firewall
and is accessed via an HTTP proxy from external to internal. SSL on port 443
also NATs the same way.

In any event, I found all the appropriate MS KB articles on setting up a CA
and securing an IIS5.0 website with SSL. It was pretty basic. Installed
the CA. Setup my OWA website with a certificate. Not much else needed to
be done according to the KB articles. Now whenever I hit the site the
typical IE popup about accepting a certificate pops up and I accept it and
IE shows the page as being secured, and all further OWA pages.

On my test computer, I also installed the certificated for the CA into my
trusted certificates list. I do not plan to have all my users of OWA do
this at this time, is this a good or bad idea?

I am "ignorning client certificates" on my particular website, mainly
because I am clueless as to how to configure these, and when I use "accept
client certificates", I get an additional certificate box where I am to
select a certificate, but none are in a list to select.

Am I at the point where I'm actually encrypting the password exchange and
all other data sent over OWA, or do I have a false sene of security?

Evan Mann

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]