5-minute Security Advisor - Configuring Outlook Web Access

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Updated : May 10, 2002

Outlook Web Access (OWA) for Exchange 2000 is a great way to access your email on the road. It works best with Internet Explorer for Windows, but it also works with Netscape, Opera, and others browsers on Windows, Mac OS, Linux, and even Solaris! When you use OWA to access your Exchange Server mailbox,

On This Page

Setting up SSL
Enforce SSL for OWA Users
Automatically Redirect Users to the SSL OWA Site

Setting up SSL

By default, all traffic passing over the Internet is unencrypted. This is on purpose; the architects who originally built the Internet's core protocols and infrastructure didn't (and couldn't have!) anticipate how widely used the Internet would be, nor how advances in computing power makes it feasible to use cryptography to secure traffic so that it can't be read or tampered with. Netscape originally developed the Secure Sockets Layer protocol (SSL) to guard traffic between web browsers and web servers; the idea quickly caught on, and now SSL (and its more secure descendant, TLS) is ubiquitous.

Internet Information Server 5.0 includes full support for SSL, as do all versions of Internet Explorer, Netscape, and most third-party browsers. When you use SSL between a web server and a browser, third parties cannot read the traffic passing back and forth, and the client can authenticate the server's identity by checking the validity of the server's encryption certificate. These protections are very useful for OWA, since they protect your users' account names, passwords, and mail messages from being read in transit.

The first step along the road to protecting your OWA traffic is to enable SSL on your Exchange 2000 server. The steps to do this are fairly simple: you need to get an SSL certificate, install it, and tell IIS to use it for your Exchange server's OWA directory. You can use Microsoft's Certificate Server (included with Windows 2000 Server and higher) to issue your own certificate, or you can buy a commercial certificate from a third-party certificate issuer like VeriSign or Thawte.

Action Get a server certificate, either from a third party or using your own certificate server. Once you've gotten it, use the Web Server Certificate Wizard to install it.

Enforce SSL for OWA Users

You can only turn on SSL if you've installed a certificate. Once that's done, you can enable or require SL for any or all of the directories served by IIS on that machine. In our case, we're interested in protecting the /exchange virtual directory, since that's the directory users access to get OWA. While you could just enable SSL, it's a better idea to require it—don't leave your users' security up to them. Forcing SSL on is fairly easy to do:

  1. Open the Computer Management snap-in on your Exchange server. Expand the Services and Applications node, then the Internet Information Services node.

  2. Expand the Default Web Site node, then find the Exchange directory. Right-click it and choose the Properties command.

  3. Click the Directory Security tab. In the Secure Communications control group, the View Certificate and Edit buttons should be active. If they're not, your certificate isn't installed properly—you'll have to fix it before proceeding.

  4. Click the Edit button in the Secure Communications group. You'll see the Secure Communications dialog box.


  5. Check the "Require secure channel (SSL)" checkbox. You can optionally check the "Require 128-bit encryption" box as well. Doing so gives you better security, but some clients may not be able to connect.

Once you've made these changes, you should be able to open your mailbox by typing https://yourServerName/exchange/yourMailbox. You should not be able to open it with an ordinary http URL.

Action Try opening your mailbox with and without SSL. Verify that you cannot open it without using https:// as the URL prefix.

Automatically Redirect Users to the SSL OWA Site

Once you've configured IIS to require the use of SSL, you may also want to automatically redirect users to the secure directory; that way, users who can't remember to use https:// can still get their mail without bothering you. To do this, you'll need to create a file named ssl-redirect.asp in your Exchange server's inetpub\wwwroot\owaasp directory.In that file, paste the following code:

      If Request.ServerVariables("SERVER_PORT")=80  Then
         Dim strRedirURL
            strRedirURL = "https://" & Request.ServerVariables("SERVER_NAME")
 strRedirURL = strRedirURL & "/exchange"
         Response.Redirect strRedirURL
      End If

Next, follow these instructions to tell IIS to map error 403.4 to the ssl-redirect.asp file. Every time IIS encounters that particular error, it will execute the ASP code, which automatically redirects the user to the correct page.