Certificate Options

21 May 2009 12:46 AM

Nick

Hello,

I am looking for some guidance on securing an OWA server.

Initially, I was under the impression that we needed to purchase an SSL cert
from a vendor to secure the server. However, in searching the Internet, it
appears (if I understood it correctly) there is another option where each
visitor to the site would have to install a certificate locally and I wouldnt
have to purchase an SSL cert to do this.

If there are those two differrent options, what are they called? If I dont
have to purchase a cert in the 2nd option (installing local cert), then what
do I need to go with this option? Meaning, does this come as a part of IIS or
do I need to purchase another piece of software.

Hope that was clear...Thanks in advance.

27 May 2009 1:48 PM

Ashwin @ Sumix

The option you are looking for is called "Certificate Authority"
You can install that role onto the server you wish to apply the certificate.
You can create your own local certificate and issue that by binding it to
the site you wish to create.

You can follow this article to do so:

http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

Cheers

Show quoteHide quote

"Nick" wrote:

> Hello,
>
> I am looking for some guidance on securing an OWA server.
>
> Initially, I was under the impression that we needed to purchase an SSL cert
> from a vendor to secure the server. However, in searching the Internet, it
> appears (if I understood it correctly) there is another option where each
> visitor to the site would have to install a certificate locally and I wouldnt
> have to purchase an SSL cert to do this.
>
> If there are those two differrent options, what are they called? If I dont
> have to purchase a cert in the 2nd option (installing local cert), then what
> do I need to go with this option? Meaning, does this come as a part of IIS or
> do I need to purchase another piece of software.
>
> Hope that was clear...Thanks in advance.

27 May 2009 1:52 PM

Robert Hindla

You just need to install a cert on the Exchange server, then select "forms
authentication" as the means of logon to OWA. It will work fine, I think,
as long as your Exchange servers aren't clustered. That makes storage of
the cert's private key hairy: it can only be on one server at a time; the
cluster members can't share the key.

The funky little one with the certs on the clients is something you don't
need to worry about. Most people don't use it. It's really lovely in ultra
high security areas where authentication is a priority, and you set up your
own certificate server to mint the certs, but most people don't use it.

Just buy a cert for your domain and paste it on the Exchange server and set
up "forms authetication" and you'll get a nice, secure OWA session.

On 5/20/09 8:46 PM, in article
676AAAB2-5C85-4B52-8E5C-60714F844***@microsoft.com, "Nick"
<N***@discussions.microsoft.com> wrote:

Show quoteHide quote

> Hello,
>
> I am looking for some guidance on securing an OWA server.
>
> Initially, I was under the impression that we needed to purchase an SSL cert
> from a vendor to secure the server. However, in searching the Internet, it
> appears (if I understood it correctly) there is another option where each
> visitor to the site would have to install a certificate locally and I wouldnt
> have to purchase an SSL cert to do this.
>
> If there are those two differrent options, what are they called? If I dont
> have to purchase a cert in the 2nd option (installing local cert), then what
> do I need to go with this option? Meaning, does this come as a part of IIS or
> do I need to purchase another piece of software.
>
> Hope that was clear...Thanks in advance.