What is Secure Outlook Web Access (SSL-OWA)?
September 13, 2000
What is OWA?
Microsoft OWA for Exchange Server offers the ability to access secure e-mail, calendar, scheduling and collaboration applications using the Internet Explorer Web browser. A server running Exchange 5.5 and Internet Information Server is required on the back end. The IIS server uses Active Server Pages to handle the requests, interact with the central logon server for authentication and access the mailbox through the Exchange Information Store. Mailbox information can only be accessed while client/server on-line connectivity exists. This application is used primarily as a central server application service to which remote clients connect over the public Internet. Because the Internet is inherently insecure, security measures such as SSL need to be put in place.
What is ASP and SSL?
ASP is an acronym for Application Server Provider and refers to an environment where clients access a central server over the Internet, and the core data resides on the server. The OWA connection fits the ASP model because all of the data is centrally hosted and decentralized clients are accessing the data. Typically, ASP
SSL is an acronym for Secure Sockets Layer, a protocol developed by Netscape Communications to provide secure data transmissions over the Internet. SSL is a transport layer security technique that can be applied to HTTP to provide privacy between two communicating devices; in this paper, those devices are the Windows client and the Exchange/IIS server. SSL provides mandatory authentication, encryption and data integrity. The protocol protects data transmissions with a session key so that they cannot be altered or disclosed in transit. A more in-depth understanding of the SSL transaction will be established in the next sections.
Setup of OWA
For my test, I used Windows clients (98/NT/2000) connected to dial-up, cable modem and T1 connections over the Internet to illustrate the ASP functionality. Please note IE is required, as OWA connectivity will not work with Netscape or any other Internet browser. I used NAI's Gauntlet 5.5 firewall and built a proxy to handle the connection. On the LAN, I used a standard Intel server configuration running Windows 2000 SP1, Exchange 5.5 SP3 and IIS 5. For SSL I used a server certificate issued by a publicly trusted root CA, Thawte, and installed it on the IIS server. I only required server-side authentication, but to add an additional layer of authentication security one could require the client to present a valid SSL certificate (see IIS SSL Enable Setup). Below is a diagram of the network topology, screen shots of the logon transaction and further explanation of the SSL/OWA and network authentication transaction.
In order for the SSL transaction to work, both the client (IE) and the server (IIS) must be SSL enabled. The transaction runs over TCP. (1) The security transaction begins when the client sends a request to the server for its digital certificate. Traditionally, this begins with typing https: in the URL locator. (2) The server sends its digital certificate to the client. The client checks the digital certificate on three points: that it was issued by a trusted root Certificate Authority, that the current date falls within its validity period, and that its common name matches the server being contacted. If there are any problems, the user has the option to view the certificate, continue, or cancel the transaction. (3) If the client continues, it authenticates the server by verifying the digital signature within the digital certificate. The client then generates a session key, encrypts it with the server's public key taken from the certificate, and sends it to the server. Once the server receives the session key, it uses it to encrypt and decrypt the data tunnel. SSL uses message authentication to ensure that data transferred between the client and server has not been tampered with.
Once the SSL session is established between the client and server, the server prompts the client for the user's mailbox alias. (4) The client is then prompted for its network logon credentials, which are authenticated against a logon server. (5) Once a valid user account has been authenticated, the Exchange server gives the client access to its mailbox resources.
[Screen shot: OWA Logon Mailbox Alias Screen]
[Screen shot: Network Logon Server Screen (4)]
[Screen shot: Mailbox Resource Screen (5)]
IIS SSL Enable Setup
As noted previously, the test installation was on a Windows 2000 SP1 platform with Exchange Server 5.5 SP3 and Internet Information Server 5. The following screen shots show how to set up SSL within IIS. The SSL connection has additional security options, such as requiring the browser to establish 128-bit encryption or mandating client certificates.
[Screen shot: Properties of IIS Web Server]
[Screen shot: Manage Secure Communications]
[Screen shot: Very important security warning message]
[Screen shot: SSL connection options]
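As an added illustration, not part of the original paper, the policy behind the IIS options above (128-bit encryption at minimum, optional client certificates) and the three client-side certificate checks from step (2) expressed with Python's standard ssl module. Loading the server's own certificate and key is left to the caller; the cipher string and the 128-bit threshold are assumptions chosen for this example.

```python
"""Added example: TLS policy mirroring the paper's IIS SSL options and the
browser's certificate checks. Uses only the standard library."""
import ssl

MIN_BITS = 128  # the "require 128 bit encryption" option


def server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Server-side policy: TLS 1.2+, strong ciphers only, optional client certs.
    Loading the server certificate/key is left to the caller (assumed paths)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed cipher string: excludes anonymous, null and legacy suites.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    # "Mandate client certificates": the server also verifies the client's cert.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


def client_context() -> ssl.SSLContext:
    """Client-side policy equivalent to the browser checks in step (2):
    trusted root, validity period (checked by the library) and name match."""
    ctx = ssl.create_default_context()   # loads the system's trusted root CAs
    ctx.check_hostname = True            # certificate name must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED  # unknown issuer or expired cert: handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_ciphers(ctx: ssl.SSLContext, min_bits: int = MIN_BITS) -> list:
    """Names of enabled cipher suites whose strength is below min_bits."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]


def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """True when the context will refuse peers that present no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    srv = server_context(require_client_cert=True)
    print("weak ciphers enabled:", weak_ciphers(srv))
    print("client certificate required:", requires_client_cert(srv))
    print("client verifies host name:", client_context().check_hostname)
```

Any suite reported by weak_ciphers would have to be removed from the cipher string before the server meets the 128-bit requirement.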
OWA over an SSL connection can offer effective, secure communication over the public Internet to an Exchange mailbox. OWA operates as an ASP host, which allows security to be tightened in a central location. OWA installations without SSL are a security risk, as users will send their passwords in clear text over the Internet. SSL ensures authentication, encryption and data integrity. When establishing any type of remote access into an internal network, a well-thought-out plan is essential to ensure the highest level of security possible in protecting precious information systems.