SSL Encryption

Both Microsoft Outlook and Outlook Web Access (OWA) use the HTTP protocol to transmit data. You can provide remote users a highly secure connection to OWA. Security technologies that assure a protected link between the remote user and the OWA Web site include:

  • SSL connections
    • Between the OWA client and the ISA Server firewall
    • Between the ISA Server firewall and the OWA site on the front-end Exchange server
  • Client certificate presentation enforced on the OWA directories. This requires the ISA Server (and any other host) to present a client certificate before it can connect to any of the OWA Web site directories.
  • Delegation of basic credentials. The firewall authenticates the user itself and then forwards the credentials to the OWA Web site, so an unauthenticated host never gets a single packet through to the OWA Web site.

When using basic authentication, the user name and password cross the network in an encoding that is trivially reversible, so it is critical to protect the traffic with Secure Sockets Layer (SSL) to keep user passwords from being recovered by network packet sniffing. In addition, to ensure that user data is always protected, disable access to the front-end server without SSL (an option in the SSL configuration).

Warning

If you do not use SSL between clients and the front-end server, HTTP data transmission to your front-end server will not be secure. We highly recommend that you configure the front-end server to require SSL.
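As an added example (not from the original page), the following Python script shows what a packet sniffer recovers from an OWA request that carries basic authentication over plain HTTP, and contrasts it with what the same sniffer sees once the session is protected by SSL. The request text, host name, user name and password are constructed for the illustration.

```python
import base64
import re
from typing import Optional, Tuple

# Constructed sample, not a real capture: an OWA request carrying basic
# authentication over plain HTTP, exactly as a sniffer on the path sees it.
CAPTURED_REQUEST = (
    "GET /exchange/ HTTP/1.1\r\n"
    "Host: owa.example.com\r\n"
    "Authorization: Basic amRvZTpQQHNzdzByZA==\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    "\r\n"
)

_AUTH_RE = re.compile(
    r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a plaintext basic-auth request, or None.

    Basic authentication is only base64 encoding of "user:password"; it is
    not encryption, which is why SSL must wrap the connection.
    """
    match = _AUTH_RE.search(raw_request)
    if not match:
        return None
    try:
        # Basic credentials are conventionally ISO-8859-1; latin-1 never fails.
        decoded = base64.b64decode(match.group(1), validate=True).decode("latin-1")
    except ValueError:
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def classify_capture(data: bytes) -> str:
    """Label what a sniffer would see on the wire.

    An SSL 3.0 / TLS record starts with the content type 0x16 (handshake)
    followed by major version 0x03, and everything after the handshake is
    opaque to the sniffer. Plain HTTP is fully readable, and if it carries
    a basic Authorization header the password is recoverable outright.
    """
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "ssl-opaque"
    text = data.decode("latin-1")
    if extract_basic_credentials(text) is not None:
        return "http-basic-leak"
    return "http-plain"


if __name__ == "__main__":
    print(classify_capture(CAPTURED_REQUEST.encode("latin-1")),
          extract_basic_credentials(CAPTURED_REQUEST))
```

Run against the constructed capture, the script recovers the user name and password directly; the only thing that changes that outcome is moving the session onto SSL, at which point the sniffer sees an opaque record stream and nothing to decode.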

SSL uses a public/private key pair to negotiate the session keys that encrypt an HTTP connection. The server's public key is carried in its SSL certificate, while the matching private key stays on the server; when client certificates are required, the client presents its own certificate in the same way. It is recommended that you obtain the server certificate from a Certification Authority that your clients trust, so that clients can validate the server's identity.

For more information, see Obtaining and Installing Server Certificates on the Microsoft TechNet site.

SSL Accelerators

Setting up and tearing down SSL connections is a processor-intensive task and requires significant resources from a front-end Exchange server. Using an SSL hardware accelerator can offload these tasks to a device optimized for SSL connection management.

SSL accelerators generally come in two configurations:

  • A card you can install on each front-end server.
  • An external device or computer you place between the clients and the front-end servers.

Adding accelerator cards is a cost-efficient and effective way to offload SSL encryption and decryption processes.

When using an external accelerator between the client and the front-end server, the accelerator must still pass the "Front-End-Https: On" header to the front-end server after it performs SSL decryption. Otherwise, the front-end server cannot pass the same header to the back-end server. The back-end server relies on that header to know the client session is protected by SSL, so that the URLs it generates (for example, the location of messages in the Inbox) use https:// and the OWA client stays on SSL rather than falling back to plain HTTP.
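The following Python model, added here and not Exchange, ISA Server or accelerator code, traces the "Front-End-Https: On" hand-off from an external accelerator through the front-end server to the back-end server, including the failure mode in which the accelerator drops the header. The host name, the Inbox path and all function names are assumptions made for the illustration.

```python
from typing import Dict

MARKER = "Front-End-Https"


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def accelerator_forward(client_headers: Dict[str, str], terminated_ssl: bool,
                        passes_marker: bool = True) -> Dict[str, str]:
    """Hypothetical external SSL accelerator in front of the front-end server.

    It decrypts the client session and hands a plain-HTTP request onward.
    A correctly set up device adds "Front-End-Https: On"; passes_marker=False
    models a device that drops it. Any copy of the marker supplied by the
    client is discarded, since only the device that terminated SSL may set it.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != MARKER.lower()}
    if terminated_ssl and passes_marker:
        forwarded[MARKER] = "On"
    return forwarded


def frontend_forward(headers: Dict[str, str], terminated_ssl: bool) -> Dict[str, str]:
    """Front-end server: sets the marker itself when it terminated SSL,
    otherwise relays whatever it received from the accelerator unchanged."""
    forwarded = dict(headers)
    if terminated_ssl:
        forwarded[MARKER] = "On"
    return forwarded


def backend_absolute_url(headers: Dict[str, str], host: str, path: str) -> str:
    """Back-end server: builds an absolute URL (for example the location of an
    Inbox message) and can choose https:// only if the marker arrived."""
    on_ssl = get_header(headers, MARKER).lower() == "on"
    scheme = "https" if on_ssl else "http"
    return f"{scheme}://{host}{path}"


def inbox_url_for(client_headers: Dict[str, str], accel_ssl: bool,
                  accel_passes_marker: bool, frontend_ssl: bool,
                  host: str = "owa.example.com",
                  path: str = "/exchange/jdoe/Inbox/") -> str:
    """Run one request through accelerator -> front end -> back end and
    return the URL the client would be handed for its Inbox."""
    at_frontend = accelerator_forward(client_headers, accel_ssl, accel_passes_marker)
    at_backend = frontend_forward(at_frontend, frontend_ssl)
    return backend_absolute_url(at_backend, host, path)


if __name__ == "__main__":
    client = {"Host": "owa.example.com"}
    # Accelerator terminates SSL and passes the marker: client gets https://
    print(inbox_url_for(client, True, True, False))
    # Accelerator terminates SSL but drops the marker: client gets http://
    print(inbox_url_for(client, True, False, False))
```

The second call is the misconfiguration the paragraph warns about: the client session was encrypted, but because the marker never reached the back-end server, the Inbox URL it generates points the client at plain HTTP. Stripping any client-supplied copy of the marker at the trusted terminator is a general precaution for this kind of proxy-asserted header and is a design choice of this model, not something the page states.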