Welcome to ISAserver.org


Web Enrolment of Certificates for OWA

Web Enrolment of Certificates for OWA - 6.Jul.2005 9:18:00 AM   
waynewhittle

 

Posts: 96
Joined: 21.Apr.2004
From: Cardiff
Status: offline
Just require confirmation of a few things as a result of some feedback from end users.

1. Silly question but one worth asking anyway - As an end user if you don't bother with the process of web enrolment and installing the certificate chain from the certificate server you can still have an SSL connection to OWA if you just browse to https://owa.domain.com/exchange. Is this still a secure connection or only secure one-way? Is the purpose of downloading this certificate to enable you to digitally sign and encrypt messages you send from OWA?

2. When you configure web enrolment for the CA certificate using ISA 2004 (publishing) it is using an HTTP listener on the Certsrv and CertEnrol directories with Basic Authentication (password sent in clear text). I have applied an IPSEC policy on the Certificate Server (Request Security). How do I ensure IPSEC is used by the end user (so that the administrator username and password required to download the certificate chain remains encrypted)? I am questioning the logon information you have to provide in order to connect to the Certificate Server - how can this be secured?

[ July 06, 2005, 09:22 AM: Message edited by: Stanley ]
Post #: 1
RE: Web Enrolment of Certificates for OWA - 8.Jul.2005 12:52:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stanley,

1. Yes, it's still secure. The only difference for OWA users is that they need to click through the warning dialog box.

2. Good question. This should use integrated auth unless you are using SSL to SSL bridging.

HTH,
Tom

(in reply to waynewhittle)
Post #: 2
RE: Web Enrolment of Certificates for OWA - 8.Jul.2005 4:34:00 AM   
waynewhittle

 

Posts: 96
Joined: 21.Apr.2004
From: Cardiff
Status: offline
Hi Tom,

I am using SSL-SSL bridging for the OWA not web enrolment - so that's my SSL listener used up. Can you have multiple SSL listeners on 443?

I have published web enrolment on ISA (as per the ISA2004SE Exchange Kit) with an HTTP:80 listener with Integrated Authentication. As you know for a user/administrator to download the CA Certificate from ISA they need to browse to http://ISA External Interface/certsrv and enter the administrator credentials. I have two questions regarding this:

1. How does the end user at home facilitate Integrated logon access when browsing to the external interface of ISA as they are not logged into the domain - to ISA they are an anonymous (external) user. Consequently they just get "access is denied" when trying to access certsrv?

2. How secure is Integrated Authentication? Can the username/password be 'seen' when sent over the wire?

3. You say that the OWA connection is still secure even if the end user doesn't download the CA certificate then why bother downloading it in the first place? Is it just the warning box?

Thanks!

[ July 08, 2005, 05:14 AM: Message edited by: Stanley ]

(in reply to waynewhittle)
Post #: 3
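
Added example, not part of the original thread: a Python sketch of what the two schemes discussed above (Basic and Integrated/NTLM) put in the `Authorization` header on a plain HTTP listener, and whether the password itself can be read from it. The requests, host name, account and password are constructed sample data.

```python
import base64
import struct

def classify_authorization(raw_request: bytes, listener_is_tls: bool) -> dict:
    """Report what the Authorization header exposes to an on-path observer."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    auth = headers.get("authorization")
    if auth is None:
        return {"scheme": None, "password_readable_on_wire": False}
    scheme, _, blob = auth.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64("user:password"): an encoding, not encryption.
        user, _, _pw = base64.b64decode(blob).decode("latin-1").partition(":")
        return {"scheme": "basic", "user": user,
                "password_readable_on_wire": not listener_is_tls}
    if scheme in ("ntlm", "negotiate"):
        # Challenge-response: the password itself is never sent, although the
        # response derived from it is still visible on a cleartext listener.
        token = base64.b64decode(blob)
        result = {"scheme": scheme, "password_readable_on_wire": False}
        if token.startswith(b"NTLMSSP\x00"):
            # 1 = negotiate, 2 = challenge, 3 = authenticate
            result["ntlm_message_type"] = struct.unpack_from("<I", token, 8)[0]
        return result
    return {"scheme": scheme, "password_readable_on_wire": None}

# Constructed sample requests (host, account and password are made up).
BASIC_REQ = (b"GET /certsrv/ HTTP/1.1\r\nHost: isa.example.test\r\n"
             b"Authorization: Basic "
             + base64.b64encode(b"EXAMPLE\\admin:Passw0rd!") + b"\r\n\r\n")
NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0)   # type 1, empty flags
NTLM_REQ = (b"GET /certsrv/ HTTP/1.1\r\nHost: isa.example.test\r\n"
            b"Authorization: NTLM " + base64.b64encode(NTLM_TYPE1) + b"\r\n\r\n")

if __name__ == "__main__":
    print(classify_authorization(BASIC_REQ, listener_is_tls=False))
    print(classify_authorization(NTLM_REQ, listener_is_tls=False))
```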
