Outlook Web Access Deployment

Requirements

You need Windows 2000, Internet Information Services (IIS) 5 (which ships with Windows 2000), and Microsoft Exchange Server; we are using version 5.5. It is preferable to install Windows 2000 Service Pack 2 and Exchange 5.5 Service Pack 4 as well. If you intend to customize the main page of Outlook Web Access, you will also need an HTML editor, such as Microsoft FrontPage.

When installing IIS 5, you must install the following components:

- Common Files

- FrontPage 2000 Server Extensions (not strictly necessary)

- Internet Information Services Snap-In

- Internet Services Manager (HTML)

- World Wide Web Servers

Be sure not to install the FTP service: it would be one more exposed, potentially vulnerable service on your web server, and you do not need FTP to set up an OWA server.

Basic Setup

1. Start the Microsoft Exchange Server installation.

2. Select only the Outlook Web Access component and, if needed, the documentation.

3. The OWA server must be in the same domain as the Exchange server, or in a domain that has a trust relationship with it. Otherwise the OWA server cannot reach the Exchange server and Setup will not let you continue.

4. When prompted, provide the Exchange server name.

5. After the installation completes, upgrade Exchange 5.5 to SP4.

IIS Setup

The default home directory of IIS is “C:\inetpub\wwwroot”, while the OWA homepage lives in “C:\exchsrvr\WEBDATA\USA”.

1. To make the OWA page the default page, right-click “Default Web Site” in the console tree, then click Properties.

2. Click the “Home Directory” tab.

3. In the “Local Path” box, type “C:\exchsrvr\WEBDATA\USA”. Now, by entering only the server's domain name or external IP address, users are redirected automatically to the OWA homepage.

You can restrict access to OWA to a single NIC, e.g. only from the external network, with the following steps:

1. Click the “Web Site” tab.

2. In the “IP Address” box, type the IP address of the NIC to which you want to restrict access.

3. If you want to allow access from both NICs, click “Advanced”, click “Add” in the “Multiple identities for this Web Site” box, then enter the IP address of the other NIC(s) in the “IP Address” box and the default port number, i.e. 80, in the “TCP Port” box. Click OK, then OK again.

4. For now, ignore the “Multiple SSL Identities for this Web Site” box and the SSL port number.

5. Click OK to return to the Internet Information Services console.

As a security precaution, remove the sample and administrative virtual directories that the OWA site does not need from the IIS console:

1. Click the Default Web Site.

2. Delete the following virtual directories:

a. IISAdmin

b. IISSamples

c. MSADC

If administrative login from the Internet is not necessary, which is the case here, stop the “Administration Web Site” by selecting it and then clicking the stop (square) button at the top of the console.

If anonymous users should not be allowed to reach the site's main page, anonymous access may be disabled with the following steps:

1. Right-click the “Default Web Site”, then click Properties.

2. Click the “Directory Security” tab.

3. In the “Anonymous access and authentication control” box, click “Edit”.

4. Uncheck the “Anonymous Access” check box and the “Integrated Windows authentication” check box.

5. Check the “Basic authentication” check box. One may hesitate to do so, since the user name and password are sent in plain text and could be captured with a sniffer. This is addressed by Secure Sockets Layer (SSL), explained below.

6. Integrated Windows authentication works only if OWA is installed on the same server as Exchange. If it is enabled, access to the server from outside will not be possible.

7. The “IP address and domain name restrictions” box is used only if you need to restrict access to certain hosts or domains. It is not used in our case.

8. The “Secure communications” box is explained in the “Deploying SSL” section.

Shutting Down TCP Ports

As a further precaution, all unneeded TCP ports on the web (OWA) server should be closed, leaving only port 80 for site access and port 443 for SSL. The following steps do that:

1. Right-click “My Network Places”, then click Properties.

2. You will find two (or more) “Local Area Connection” icons, depending on the number of NICs in your server. Right-click the one with the external connection to the Internet, then click Properties.

3. Click the TCP/IP protocol, then click Properties.

4. Click “Advanced”.

5. Click the “Options” tab.

6. Click “TCP/IP filtering”, then click Properties.

7. Click the “Permit Only” radio button under TCP Ports.

8. Click “Add”.

9. Type “80” as the TCP port, then click OK.

10. Repeat steps 8 and 9, but add TCP port “443” this time.

11. Click OK, OK, OK, and OK.

Now inbound access to the server is restricted to TCP ports 80 and 443. Note that TCP/IP filtering only affects incoming connections on that adapter; connections the server initiates itself are not affected.
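The filter does not stop the other services from running; it only keeps outside hosts from reaching them, so it is worth knowing what is still listening on the box once the steps above are done. The following added check, my own code rather than anything from the page, reads the text of a `netstat -an` run on the OWA server and reports every TCP listener reachable through the external NIC whose port is not 80 or 443. The netstat output and the external address 203.0.113.10 are constructed for the example. A socket bound to 0.0.0.0 answers on every NIC, so it counts; one bound only to an internal address is not reachable on the external NIC and is left out.

```python
# Added check, not from the page: list the TCP listeners that the "Permit Only 80, 443"
# filter on the external NIC has to cover, from the text of `netstat -an` run on the server.
ALLOWED_TCP_PORTS = {80, 443}      # the two ports the procedure leaves open

# Constructed sample of Windows `netstat -an` output; 203.0.113.10 plays the external NIC.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:443       198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

def tcp_listeners(netstat_text):
    # (local ip, port) for every TCP socket reported in LISTENING state
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ip, port = parts[1].rsplit(":", 1)
            listeners.append((ip, int(port)))
    return listeners

def exposed_listeners(netstat_text, external_ip, allowed=ALLOWED_TCP_PORTS):
    # Listeners reachable through the external NIC that are outside the allowed set.
    # 0.0.0.0 means "every address", so it counts; a socket bound only to an internal
    # address is not reachable on the external NIC and is left out.
    hits = [(ip, port) for ip, port in tcp_listeners(netstat_text)
            if port not in allowed and ip in ("0.0.0.0", external_ip)]
    return sorted(hits, key=lambda h: (h[1], h[0]))
```

On the sample above the check reports ports 135, 139 and 445, the usual Windows RPC and file-sharing listeners that the filter now has to block; the definitive confirmation is still to connect to the server from an external host and verify that only 80 and 443 answer.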

Deploying SSL

SSL protects the user name and password in transit by encrypting the data sent, using public-key cryptography. The steps below show how to deploy it.

1. Right-click the “Default Web Site”, then click Properties.

2. Click the “Directory Security” tab.

3. In the “Secure communications” box, click “Server Certificate”.

4. Click “Next”.

5. Click the “Create a new certificate” radio button, then click “Next”. If you already have a certificate, you can export it to a key file and import it using “Import a certificate from a Key Manager backup file”.

6. Choose an easy-to-remember name for the certificate and type it in the name box. Read the information shown to decide which bit length to choose.

7. Click “Next”.

8. Type the organization name and unit, then click “Next”.

9. For the “Common name”, you must provide the name that will be used to reach the server externally, i.e. its DNS name, for example mail.organization.com.

10. Click “Next”.

11. Fill in the remaining information, then click “Next”.

12. Give an appropriate file name for the certificate request text file, then click “Next”.

13. Now open the text file generated in the previous step and copy the portion that looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIChTCCAi8CAQAwdTETMBEGA1UEAxMKc2hhcmVwb2ludDERMA8GA1UECxMIR3Jv
dXAgSVQxGzAZBgNVBAoTEkFsIEZhaXNhbGlhaCBHcm91cDEPMA0GA1UEBxMGUml5
YWRoMRAwDgYDVQQIEwdDZW50cmFsMQswCQYDVQQGEwJTQTBcMA0GCSqGSIb3DQEB
AQUAA0sAMEgCQQC+wbeZdpBhWfIou9exoHRWroQO14nSHxwaHlM0ek/cVuLUmI1N
J+JMlXuRiihFZPrzpIZZcaOlNl3QFDEApaL5AgMBAAGgggFTMBoGCisGAQQBgjcN
AgMxDBYKNS4wLjIxOTUuMjA1BgorBgEEAYI3AgEOMScwJTAOBgNVHQ8BAf8EBAMC
BPAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgf0GCisGAQQBgjcNAgIxge4wgesCAQEe
WgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBBACAAUwBDAGgAYQBuAG4AZQBsACAA
QwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHYAaQBkAGUAcgOBiQBf
E24DPqBwFplR15/xZDY8Cugoxbyymtwq/tAPZ6dzPr9Zy30NnkKQbKcsbLR/4t9/
tWJIMmrFhZonrx12qBfICoiKUXreSK89OILrLEto1frm/dycoXHhStSsZdm25vsz
v827FKKk5bRW/vIIeBqfKnEPJHOnoiG6UScvgA8QfgAAAAAAAAAAMA0GCSqGSIb3
DQEBBQUAA0EAvmgt6pOlzONZeFBXPaXfbVrjl/KQwewJRSPbdM1crai04fBpbjOa
fI7gC/0hX2Zxr5dLWtwmrys67urhGW8Zpg==
-----END NEW CERTIFICATE REQUEST-----

14. Go to any Certificate Authority (CA) website, such as VeriSign.

15. Depending on the CA you go to, you will follow its own steps, and at some point you will be asked to paste the lines copied above into the site. From that request the CA extracts the information you gave about the organization, common name, etc. It will then ask for an email address to which it sends the certificate, which should look like this:

-----BEGIN CERTIFICATE-----
MIICYDCCAgoCEGkGfbrhARMMHpJPqllDypkwDQYJKoZIhvcNAQEEBQAwgakxFjAU
BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTAxMDYyNjAwMDAwMFoXDTAxMDcxMDIz
NTk1OVoweTELMAkGA1UEBhMCU0ExEDAOBgNVBAgTB0NlbnRyYWwxDzANBgNVBAcU
BlJpeWFkaDEbMBkGA1UEChQSQWwgRmFpc2FsaWFoIEdyb3VwMREwDwYDVQQLFAhH
cm91cCBJVDEXMBUGA1UEAxQOd3d3LmFmZy5jb20uc2EwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAN0/n2JZEZHUK4QTo/yIRcq+aJNxxdXqk8snHC2dQr2VNIKA
5nxosqsMUTGqFqc7jLJzzEZRTkGDiDuj6DLE9RN1ePE77lTJcfJcoKmc4YKeURs8
oJr7vfS1kDo7atlA6YUOJL07WCZY/j5eWI+FO0aGJ5QbgVDxDzebK/AU0USfAgMB
AAEwDQYJKoZIhvcNAQEEBQADQQCtyjcw5ugu2ODVm6VJ0leI5cucSlGrgqsNrCLC
jvlLOX0DxL4SroaIb/q8qgiOzDs4pZSxUTBlO6SRbOFyj4Cs
-----END CERTIFICATE-----

16. Copy the portion that looks like the one above to the clipboard, paste it into a text file, and save it under any appropriate name with the extension .cer.

17. Go back to the IIS manager, right-click the “Default Web Site”, then click Properties.

18. Again, click the “Directory Security” tab. Note that the “View Certificate” and “Edit” buttons are grayed out; you cannot click them yet.

19. Click “Server Certificate”.

20. Click the “Process the pending request and install certificate” radio button, then click “Next”.

21. Specify the path and file name of the .cer file saved above, then click “Next”.

22. Follow the remaining steps until the wizard finishes. It should not be difficult.

23. Now note that the “View Certificate” and “Edit” buttons are enabled. You may view the certificate or edit the secure communications settings. Click “Edit”.

24. Whatever you change here applies to all virtual directories under “Default Web Site”. You can require a secure channel by checking the “Require Secure Channel (SSL)” check box. It is also possible to require a secure channel only for certain pages or virtual directories, if it is not necessary for all of them, e.g. only the page that authenticates the user name and password. The procedure is exactly the same, except that instead of opening the properties of the “Default Web Site”, you browse the console tree to the virtual directory containing the page you want to secure and open its properties.

25. If a secure channel is required, you can also require 128-bit encryption, but that only works on North American versions of Windows 2000, i.e. versions released in the USA and Canada; export versions of Windows 2000 use 56-bit encryption. You must also have a 128-bit certificate, which usually costs more; the default certificate encryption is 40-bit. The client must also use a browser that supports 128-bit encryption, such as Internet Explorer 5.5; Internet Explorer 5 does not support it.

26. If a secure channel is required, you can also require that the client have a certificate installed in the browser. Use this option if only certain clients, those who hold such a certificate, should be able to access your website. You can also choose to merely accept a client certificate, or to ignore it.

27. You can also map client certificates to the clients accessing your website.
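The request's common name (step 9) and key length (step 6) are fixed once the request is sent, so they are worth checking before submitting, and the returned certificate's subject and validity are worth checking before installing it. The following is an added example, my own code rather than anything from the page, Microsoft or VeriSign, that decodes either PEM block with the Python standard library only, walking the DER just far enough to recover the subject name, the RSA modulus size and, for a certificate, the validity period. Run on the page's own samples it reports a request whose common name is “sharepoint” (not a DNS name) with a 512-bit key, and a VeriSign test certificate for www.afg.com.sa valid from 26 June to 10 July 2001. The 1024-bit minimum in check_request and the small table of subject attribute types are my assumptions.

```python
# Added helper, not from the page: decode the PEM request/certificate with the standard library only.
import base64
from datetime import datetime

# The page's own sample request and sample certificate, copied verbatim.
CSR_PEM = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIChTCCAi8CAQAwdTETMBEGA1UEAxMKc2hhcmVwb2ludDERMA8GA1UECxMIR3Jv
dXAgSVQxGzAZBgNVBAoTEkFsIEZhaXNhbGlhaCBHcm91cDEPMA0GA1UEBxMGUml5
YWRoMRAwDgYDVQQIEwdDZW50cmFsMQswCQYDVQQGEwJTQTBcMA0GCSqGSIb3DQEB
AQUAA0sAMEgCQQC+wbeZdpBhWfIou9exoHRWroQO14nSHxwaHlM0ek/cVuLUmI1N
J+JMlXuRiihFZPrzpIZZcaOlNl3QFDEApaL5AgMBAAGgggFTMBoGCisGAQQBgjcN
AgMxDBYKNS4wLjIxOTUuMjA1BgorBgEEAYI3AgEOMScwJTAOBgNVHQ8BAf8EBAMC
BPAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgf0GCisGAQQBgjcNAgIxge4wgesCAQEe
WgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBBACAAUwBDAGgAYQBuAG4AZQBsACAA
QwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHYAaQBkAGUAcgOBiQBf
E24DPqBwFplR15/xZDY8Cugoxbyymtwq/tAPZ6dzPr9Zy30NnkKQbKcsbLR/4t9/
tWJIMmrFhZonrx12qBfICoiKUXreSK89OILrLEto1frm/dycoXHhStSsZdm25vsz
v827FKKk5bRW/vIIeBqfKnEPJHOnoiG6UScvgA8QfgAAAAAAAAAAMA0GCSqGSIb3
DQEBBQUAA0EAvmgt6pOlzONZeFBXPaXfbVrjl/KQwewJRSPbdM1crai04fBpbjOa
fI7gC/0hX2Zxr5dLWtwmrys67urhGW8Zpg==
-----END NEW CERTIFICATE REQUEST-----"""

CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICYDCCAgoCEGkGfbrhARMMHpJPqllDypkwDQYJKoZIhvcNAQEEBQAwgakxFjAU
BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTAxMDYyNjAwMDAwMFoXDTAxMDcxMDIz
NTk1OVoweTELMAkGA1UEBhMCU0ExEDAOBgNVBAgTB0NlbnRyYWwxDzANBgNVBAcU
BlJpeWFkaDEbMBkGA1UEChQSQWwgRmFpc2FsaWFoIEdyb3VwMREwDwYDVQQLFAhH
cm91cCBJVDEXMBUGA1UEAxQOd3d3LmFmZy5jb20uc2EwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAN0/n2JZEZHUK4QTo/yIRcq+aJNxxdXqk8snHC2dQr2VNIKA
5nxosqsMUTGqFqc7jLJzzEZRTkGDiDuj6DLE9RN1ePE77lTJcfJcoKmc4YKeURs8
oJr7vfS1kDo7atlA6YUOJL07WCZY/j5eWI+FO0aGJ5QbgVDxDzebK/AU0USfAgMB
AAEwDQYJKoZIhvcNAQEEBQADQQCtyjcw5ugu2ODVm6VJ0leI5cucSlGrgqsNrCLC
jvlLOX0DxL4SroaIb/q8qgiOzDs4pZSxUTBlO6SRbOFyj4Cs
-----END CERTIFICATE-----"""

# Subject attribute types (DER bytes of OID 2.5.4.x) found in the samples; my own short table.
_ATTR = {b"U\x04\x03": "CN", b"U\x04\x06": "C", b"U\x04\x07": "L",
         b"U\x04\x08": "ST", b"U\x04\x0a": "O", b"U\x04\x0b": "OU"}

def _tlv(buf, pos):
    # One DER tag-length-value at buf[pos] -> (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    # (tag, value) pairs of the elements inside a SEQUENCE or SET body
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        out.append((tag, value))
    return out

def _name(body):
    # Name ::= SEQUENCE OF SET OF { type OID, value }; the CA used T61String (0x14) here
    attrs = {}
    for _, rdn in _children(body):
        for _, atv in _children(rdn):
            (_, oid), (vtag, val) = _children(atv)[:2]
            enc = {0x1E: "utf-16-be", 0x14: "latin-1"}.get(vtag, "utf-8")
            attrs[_ATTR.get(oid, oid.hex())] = val.decode(enc)
    return attrs

def _rsa_bits(spki):
    # SubjectPublicKeyInfo ::= { algorithm, BIT STRING wrapping RSAPublicKey { n, e } }
    _, rsa_key, _ = _tlv(_children(spki)[1][1], 1)      # offset 1 skips the unused-bits byte
    return int.from_bytes(_children(rsa_key)[0][1], "big").bit_length()

def _time(tag, val):
    # UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)
    return datetime.strptime(val.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def inspect_pem(pem):
    # Subject, RSA key size and (for a certificate) validity of a PKCS#10 request or X.509 cert
    der = base64.b64decode("".join(ln.strip() for ln in pem.splitlines() if "-----" not in ln))
    _, outer, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(outer, 0)              # CertificationRequestInfo or TBSCertificate
    f = _children(tbs)
    if f[0][0] == 0xA0:                     # explicit [0] version: a v3 certificate
        i = 1
    elif _children(f[1][1])[0][0] == 0x31:  # INTEGER version then subject Name: a request
        return {"type": "request", "subject": _name(f[1][1]), "key_bits": _rsa_bits(f[2][1])}
    else:                                   # serial INTEGER then AlgorithmIdentifier: a v1 cert
        i = 0
    not_before, not_after = [_time(t, v) for t, v in _children(f[i + 3][1])]
    return {"type": "certificate", "subject": _name(f[i + 4][1]), "key_bits": _rsa_bits(f[i + 5][1]),
            "not_before": not_before, "not_after": not_after}

def check_request(pem, expected_cn, min_bits=1024):
    # Problems to fix before the request goes to the CA; the 1024-bit floor is my assumption
    info, problems = inspect_pem(pem), []
    cn = info["subject"].get("CN", "")
    if cn.lower() != expected_cn.lower():
        problems.append("CN %r is not the server's DNS name %r" % (cn, expected_cn))
    if info["key_bits"] < min_bits:
        problems.append("RSA key is only %d bits" % info["key_bits"])
    return problems
```

Calling check_request(CSR_PEM, "mail.organization.com") on the sample request returns two problems, the non-DNS common name and the 512-bit key; a request that passes this check is one the browser will later match against the name typed in the address bar. inspect_pem(CERT_PEM) shows the two-week validity window of the test certificate, which is the first thing to look at when a returned certificate unexpectedly stops working.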

Note that when accessing the site over SSL there is a time overhead, which appears as slower browsing. It is caused by the time needed to encrypt and decrypt every single image or character transferred over the network.

One final step in enabling SSL is setting the SSL TCP port number.

1. Go to the “Default Web Site” properties, which you should know how to do by now.

2. Click the “Web Site” tab.

3. In the “SSL Port” box, type “443”. This should already be set by default.

4. Click “Advanced”. Now we return to the step we skipped earlier, assigning multiple identities to the OWA server. For the server to be accessible locally as well, it must be given multiple identities, as explained in the IIS Setup section above.

5. In the “Multiple SSL Identities for this Web Site” box, click “Add” to enable SSL access to the website locally.

6. Give the IP address of the local NIC and TCP port number 443, then click OK.

Now you have enabled local access to the site via SSL. Note that if the server is ever placed behind a firewall, the firewall will very likely block any local access to the server, allowing only external access.

Enable Password Change Via OWA

After SSL has been deployed, it is possible to allow password changes through OWA externally, i.e. from the Internet. To do that, follow these steps:

1. Right-click “Default Web Site”.

2. This time, do not go to Properties; go to New -> Virtual Directory.

3. Click “Next”.

4. In the “Alias” box, type “IISADMPWD” as the virtual directory name, then click “Next”.

5. In the “Directory” box, type the path of the IISADMPWD folder on the server, which by default is “C:\WINNT\system32\inetsrv\iisadmpwd” (replace C with the drive letter of your system drive). You may browse to the folder if you are not sure of its location.

6. Make sure that only the “Read” and “Run scripts (such as ASP)” check boxes are checked.

7. Click “Next”, then “Finish”.

8. The next step is to set the metabase PasswordChangeFlags value to zero. That has to be done from the command prompt, in the directory C:\inetpub\adminscripts, with the following command:

cscript adsutil.vbs set w3svc/passwordchangeflags 0

9. Now, in the Internet Services Manager, delete the following files, so that the password cannot be changed without SSL:

a. Aexp3.htr

b. Aexp4.htr

c. Aexp4b.htr

d. Anot3.htr

10. You may now reach the password change page either by clicking the “Options” link in the left frame of the page and then the button that takes you there, or by adding a direct link in the left panel with the following steps:

a. Edit the file “exchsrvr\WEBDATA\USA\NAVBAR\NBINBOX.ASP” using any HTML editor, such as Microsoft FrontPage.

b. Type “Change Password” in the last empty cell at the bottom, then highlight it.

c. Go to Insert -> Hyperlink.

d. Type the following link in the “Hyperlink” box: “https://mail.organization.com/iisadmpwd/aexp2b.htr”, where “mail.organization.com” is your DNS name, or the external NIC IP address if you do not have a DNS name yet.

One last word of advice: a user whose password has already expired cannot change it while anonymous access is disabled. To allow this, right-click the “IISADMPWD” virtual directory, go to Properties, then to the Directory Security tab, click the Edit button in the “Anonymous access” box, and enable anonymous access there. That enables anonymous access to that folder and the folders/files inside it ONLY; it does not allow anonymous access to the rest of the website.

Now your Outlook Web Access project is complete. For more information, see the following links:

http://www.amrein.com/luzynski.htm#01

http://www.iisanswers.com/articles/OWAbehindproxy2.htm

Sincerely,

Ibrahim A. Niazy

Email me at: khilwafi@hotmail.com
