
Solve the OWA security problem

Ways to provide access securely.

When you set up Outlook Web Access with Exchange, odds are it's to allow access to OWA over the Internet. Because of this, you need to keep security in mind.

The first major issue is authentication. OWA can perform authentication in one of several ways: through cleartext, which is not recommended for obvious reasons, or via Windows Integrated Authentication. WIA has a degree of security built into it -- it'll certainly foil a casual inspection -- but it only works with Internet Explorer; users of any other web browser (I know of no third-party web browser that supports WIA) will be locked out.

To increase the security of the connection, you may elect to have OWA available only through an SSL (HTTPS) connection, and generate a certificate to encrypt communications. (If the IIS box hosting OWA already has an SSL certificate installed, that's one less thing to do -- you can simply use the existing SSL certificate.) But an important consideration with SSL is speed.

Each encrypted transmission requires a certain amount of CPU power to encode and decode. If you routinely support dozens or hundreds of connections at once, SSL will add a considerable amount of CPU overhead. The overhead can also be something of a double whammy. If you're using PPTP tunneling with encryption to make the connection to OWA in the first place, then you're encrypting the connection twice -- once in the SSL session and again in the PPTP encapsulation.

Unless you want to use such double-redundant encryption, it makes sense to choose one method to serve all your users -- not just for the sake of reduced CPU consumption, but also for the sake of having that much less complexity in your setup. If PPTP tunneling, or VPNs, are already in use, that's another tool you can put to use: you can deny access to OWA to any client that isn't connected across the VPN, which is relatively easy to implement and a good deal more secure than simply using OWA passwords alone.
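
Whichever policy you settle on (SSL-only, VPN-only, or both), the IIS logs will show whether it is actually being enforced. The following is an added example, not code from the article or from Microsoft: it audits an IIS W3C extended log for OWA requests that arrived outside SSL or from outside the VPN. The VPN address pool, the `/exchange` path, port 443 and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the article): VPN clients receive addresses from this
# pool, OWA lives under /exchange, and HTTPS is served on port 443.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
OWA_PREFIX = "/exchange"
SSL_PORT = "443"

# Constructed sample in IIS W3C extended log format.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2003-05-12 08:14:02 10.8.0.23 CORP\\alice 443 GET /exchange/alice/Inbox 200
2003-05-12 08:15:40 203.0.113.77 - 443 GET /exchange/ 401
2003-05-12 08:16:11 10.8.0.41 CORP\\bob 80 GET /exchange/bob/Inbox 200
2003-05-12 08:17:05 198.51.100.9 - 80 GET /default.htm 200
"""


def audit_owa_log(text, vpn_pool=VPN_POOL):
    """Return (line_no, client_ip, reasons) for OWA requests that break policy."""
    fields, findings = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            # The header names the columns; IIS can re-emit it mid-file.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if not row.get("cs-uri-stem", "").lower().startswith(OWA_PREFIX):
            continue  # not an OWA request
        reasons = []
        if row.get("s-port") != SSL_PORT:
            reasons.append("not over SSL")
        try:
            if ipaddress.ip_address(row.get("c-ip", "")) not in vpn_pool:
                reasons.append("client outside VPN pool")
        except ValueError:
            reasons.append("unparseable client address")
        if reasons:
            findings.append((line_no, row.get("c-ip"), reasons))
    return findings


if __name__ == "__main__":
    print(*audit_owa_log(SAMPLE_LOG), sep="\n")
```

The log must have the client IP, server port and URI stem fields enabled for the checks to apply; any finding means a request reached OWA by a route the policy was supposed to close.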

Some notes on building custom security modifications into the OWA logon page can be found in Microsoft KnowledgeBase article 321832.

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
