How do I configure OWA to use SSL?
Outlook Web Access (or OWA for short) is one of Exchange Server's best features, allowing you to connect to your corporate mailbox from virtually any spot on earth as long as you have an Internet connection and a decent web browser.
You can read more about OWA in the featured links at the bottom of this article.
OWA transmits traffic to and from the web browser in HTTP (based upon TCP, port 80) and in clear text, meaning that anyone could potentially "listen" to your talk and grab frames and valuable information from the net.
To secure the transmission of information between Exchange Server 2003 and Outlook Web Access clients, you can encrypt the information being transmitted by using SSL (Secure Sockets Layer).
To configure SSL for Outlook Web Access on Exchange Server 2003 complete the following steps:
Note: Although the screenshots are made with Exchange 2003 on Windows Server 2003, the same procedure applies for Exchange 2000 and Windows 2000.
Note: If you already have a valid certificate for your website skip this phase and continue at the next one.
- Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Web Sites.
- In the console tree, right-click Default Web Site, and then click Properties.
- In the Default Web Site Properties dialog box, click Directory Security.
- On the Directory Security tab, click Server Certificate.
- In the Welcome to the Web Server Certificate Wizard, on the Welcome page, click Next.
- On the Server Certificate page, verify that Create a new certificate is selected, and then click Next.
- On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
Note: If you don't have a Certificate Authority (CA) installed on your server or on a different server on the network you can prepare the request but you'll need to manually send it to the CA. You can try this link for some more information (thank you Abid Ali for the link):
- On the Name and Security Settings page, in the Name box, type yourservername.domainname.com (or .net, .org, .mil etc. Use your own registered domain name, the one you want people to use when browsing to your site) and then click Next.
Important note - Internet use: You must make sure that either the Name or the Common Name fields (one of them or both of them) exactly match the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it will host a website that will require users to enter WWW.KUKU.CO.IL to reach it, you must then use WWW.KUKU.CO.IL as the Name or Common Name in the certificate request wizard, and DO NOT use SERVER1.MYINTERNALDOM.LOCAL.
Important note - Intranet use: For Intranet-only purposes you CAN use the internal FQDN of the server, or even just it's NetBIOS name. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 for the Name or the Common Name fields.
You can also change the Bit Length for the encryption key if you want.
- On the Organization Information page, in the Organization box, type your own company name. In the Organizational Unit box, type a descriptive name and then click Next.
- On the Your Sites Common Name page, in the Common name box, type yourservername.domainname.com (see important note in step #9) and then click Next.
- On the Geographical Information page, in the State/province box, type the required info and then click Next.
- On the SSL Port page, in the SSL port this web site should use box, verify that 443 is specified, and then click Next.
- On the Choose a Certification Authority page, in the Certification Authorities box, verify that your online CA is selected, and then click Next.
- On the Certificate Request Submission page, click Next to submit the request, and then click Finish to complete the wizard.
To use the certificate to secure OWA
- In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Web Sites, then expand Default Web Site.
- In the console tree, right-click the EXCHANGE virtual directory, and then click Properties.
- In the Default Web Site Properties dialog box, on the Directory Security tab, in the Secure communications area, click Edit.
Note: If EDIT is grayed out then you did not successfully install a certificate for the Default Web Site. Go back to the beginning of the article and follow my instructions.
- In the Secure Communications dialog box, click the Require secure channel (SSL) check box, click the Require 128-bit encryption check box, and then click OK.
- In the Exchange virtual directory properties dialog box, click OK all the way out, and close Internet Information Services (IIS) Manager. Note that you might want to restart the World Wide Web Publishing service just in case, although generally this is not required.
Verify that SSL is working
To test your new settings connect your open a browser and type your server's FQDN (or NetBIOS name, if on the LAN) + /EXCHANGE in the address bar (for example: http://server200/exchange).
Since you still used HTTP (plain text http, using TCP port 80) you'll get the following error message:
Now re-type the URL by using HTTPS instead of HTTP. You should be able to view the OWA website.
You might receive a Security Alert window. Click Ok.
If configured correctly, you should be able to log into your mailbox by either using the currently supplied credentials (i.e. there will be no need to actually enter any username or password), or by entering the right username in the form of DOMAIN\USERNAME and then the password.
To verify that you're using SSL try to find a small yellow lock icon on the browser lower right corner . Double click the lock icon.
A Certificate window will open. Review the information that is entered into the certificate and click Ok.
Note: Make sure you renew your certificate a few weeks before it expires in order to prevent mishaps like this one: Expired SSL Website Certificate.
You may find these related articles of interest to you:
- Configuring Forms-Based Authentication in OWA and Exchange 2003
- Configure ISA to Publish OWA
- Configure Message Security in OWA 2003
- Configure OMA in Exchange 2003
- Configure OWA 2003 Attachment Blocking
- Configure SSL on OMA
- Configure SSL on Your Website with IIS
- Configure Web Access to Newsgroups Hosted on Exchange 2000/2003
- Disable Spell Checking in OWA 2003
- Enable Password Changing through OWA in Exchange 2003
- Error c1030af1 on Public Folder Properties in ESM
- Install Windows Server 2003 CA
- How to Synchronize a Pocket PC with Exchange 2003?
- Problems with Forms-Based Authentication and SSL in ActiveSync
- Reset OWA 2000/2003 Language
- Test OMA in Exchange 2003
- Temporarily Disable Root Certificates Checking in Windows Mobile 2002/2003 Pocket PC
- Web Access to Alternate PF