OSEC

 
From: Tyrone Bennett (btyrone2000yahoo.com)
Date: Thu Jan 03 2002 - 15:22:03 CST


    Evan,

    You must have your clients enroll & install a client
    certificate into their browser first. This can be done
    by having the client connect with their web browser to
    the CA web interface http://nameofyourCAserver/certsrv
    and request a browser certificate. If your CA is a
    standalone root CA, it will set the certificate request
    to pending and you will have to deny or issue the
    pending request for the client certificate at the CA.
    After you have issued the certificate request at the
    CA you will now have to connect using the same browser
    that requested the client certificate to the CA web
    interface and select Check on pending request. Select
    your certificate and install it into your browser. Now
    you can select require client certificates on your IIS
    box and only those with the client certificates that
    you have issued will be able to have access to the OWA
    site. Hope this helps. I just completed a similar
    secure email project using a setup with Exchange
    5.5, OWA, SSL, and IIS 5.0.

    regards,
    Tyrone Bennett

    --- Evan Mann <emannquestinc.org> wrote:
    > I would like someone to tell me if what I did is the
    > appropriate way to
    > secure my OWA connections. The main goal was to
    > secure the password
    > exchange as my OWA server is for external use and I
    > have to allow
    > anon/basic text auth for it. The OWA server itself
    > sits behind my firewall
    > and is accessed via an HTTP proxy from external to
    > internal. SSL on port 443
    > also NATs the same way.
    >
    > In any event, I found all the appropriate MS KB
    > articles on setting up a CA
    > and securing an IIS5.0 website with SSL. It was
    > pretty basic. Installed
    > the CA. Set up my OWA website with a certificate.
    > Not much else needed to
    > be done according to the KB articles. Now whenever
    > I hit the site the
    > typical IE popup about accepting a certificate pops
    > up and I accept it and
    > IE shows the page as being secured, and all further
    > OWA pages.
    >
    > On my test computer, I also installed the
    > certificate for the CA into my
    > trusted certificates list. I do not plan to have
    > all my users of OWA do
    > this at this time, is this a good or bad idea?
    >
    > I am "ignoring client certificates" on my
    > particular website, mainly
    > because I am clueless as to how to configure these,
    > and when I use "accept
    > client certificates", I get an additional
    > certificate box where I am to
    > select a certificate, but none are in a list to
    > select.
    >
    > Am I at the point where I'm actually encrypting the
    > password exchange and
    > all other data sent over OWA, or do I have a false
    > sense of security?
    >
    > Evan Mann
    >

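The enrollment flow described in the reply above (request, issue at the CA, install, then require client certificates), as an added example that is not part of the original thread. It uses the openssl command line in place of the Microsoft CA web enrollment pages, and the names "Demo Root CA", "owa-user" and "rogue-user" are constructed for the demo. It shows the trust decision the reply relies on: a certificate issued by your CA verifies against it, one the CA never issued does not.

```shell
#!/bin/sh
# Added example: openssl stands in for the CA web interface (certsrv).
# All subject names and file names below are constructed for this demo.

# Build a throwaway PKI in directory $1: a root CA, one client certificate
# issued from a request, and one self-signed certificate the CA never issued.
make_demo_pki() {
    dir=$1
    # 1. Standalone root CA (self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Client creates a key pair and a certificate request (the "pending request").
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=owa-user" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    # 3. The CA administrator issues the pending request.
    openssl x509 -req -in "$dir/client.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null || return 1
    # 4. A certificate someone generated themselves, never issued by the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=rogue-user" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 chains to CA certificate $1.
cert_is_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo run: report which certificates the CA vouches for.
work=$(mktemp -d)
make_demo_pki "$work" || { echo "openssl failed" >&2; exit 1; }
for name in client rogue; do
    if cert_is_trusted "$work/ca.crt" "$work/$name.crt"; then
        echo "$name.crt: accepted (issued by the CA)"
    else
        echo "$name.crt: rejected (not issued by the CA)"
    fi
done
rm -rf "$work"
```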