Configuring ISA Server to Secure Web Client Connections

Providing user access to e-mail from anywhere has become an important service for many organizations. Many of these organizations have chosen to use Web-based clients to give remote users access to their Exchange Server mailboxes. One of the most popular ways to provide access to e-mail on Exchange Server computers for users outside the internal network is to deploy an Outlook Web Access (OWA) server that is accessible from the Internet. With OWA, users can access their mailboxes on an Exchange server from any computer with an Internet connection and a Web browser. In addition, Exchange Server 2003 also enables access to mailboxes for wireless mobile clients, including Outlook Mobile Access (OMA) and Microsoft ActiveSync clients. This lesson describes how to use ISA Server to secure Web client connections.

Known Web Client Security Issues
The most popular options for providing Web-based client access to Exchange Server mailboxes are Outlook Web Access (OWA), Outlook Mobile Access (OMA), and Microsoft Exchange ActiveSync.

Outlook Web Access Features and Security Issues
OWA provides access to the mailboxes on an Exchange Server computer through a Web browser. Although OWA does not provide all the functionality provided by a full Outlook client, the fact that it is easy to deploy and requires no special client makes OWA an attractive option for providing remote access.

By default, all servers running Exchange 2000 Server and Exchange Server 2003 are OWA servers. To install Exchange Server, Microsoft Internet Information Services (IIS) must be installed on the computer. When the user connects to a computer running Exchange Server from the Web browser, the request is passed from IIS to the Exchange Server services on the computer. The requested content is returned to the IIS service, where it is forwarded to the Web browser.

OWA is frequently deployed using front-end and back-end servers. To do this, the front-end server must be running Exchange 2000 Server, Enterprise Edition, or Exchange Server 2003, Enterprise Edition. In this configuration, clients connect to the front-end server. This server authenticates the user, and then queries Active Directory directory service to determine which back-end computer running Exchange Server hosts the user mailbox. The front-end server then forwards the request to the back-end server. The back-end server replies to the front-end server, which replies to the client.

The use of OWA raises several issues with e-mail security, including the following:
1- Securing the user logon: By default, OWA is configured to use Hypertext Transfer Protocol (HTTP). This means that all user logon information is passed in clear text to the computer running Exchange Server. This issue can be easily addressed using Secure Sockets Layer (SSL) to encrypt all user sessions. However, some clients may cache the user logon credentials so that if the user does not close all Web browser sessions, another user may be able to access the user's e-mail without logging on.

2- Securing e-mail contents: Because all messages are sent in clear text using HTTP, the e-mail contents may not be secure while crossing the Internet. You can use Hypertext Transfer Protocol Secure (HTTPS) to secure the e-mail. However, some Web browsers may cache the e-mail contents on the local computer. For example, when you open an attachment using OWA, it is stored in the temporary Internet files on the computer. Another user may be able to gain access to the files.
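As an added example (not part of the lesson or of any Microsoft tooling), the following audit helper inspects captured OWA request/response pairs for the two issues above: a logon or mailbox request carried over clear-text HTTP, and an attachment response the browser is allowed to cache. The hostname, user path and response bodies are constructed samples.

```python
"""Added audit helper: checks captured OWA HTTP exchanges for clear-text transport
and for attachment responses that the browser may cache locally."""


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def cache_directives(headers: dict[str, str]) -> set[str]:
    """Directive names from Cache-Control, e.g. {'private', 'max-age'}."""
    value = headers.get("cache-control", "")
    return {part.strip().split("=", 1)[0].lower() for part in value.split(",") if part.strip()}


def audit_exchange(url: str, raw_response: str) -> list[str]:
    """Findings for one request/response pair; an empty list means no issue found."""
    findings = []
    _status, headers = parse_response(raw_response)
    if url.lower().startswith("http://"):
        # Issue 1: without SSL the logon and every message body cross the network in clear text.
        findings.append("clear-text HTTP: logon credentials and mail contents are not encrypted in transit")
    disposition = headers.get("content-disposition", "").lower()
    if disposition.startswith("attachment") and "no-store" not in cache_directives(headers):
        # Issue 2: an attachment the browser may write to its temporary Internet files.
        findings.append("attachment served without Cache-Control: no-store; browser may cache it locally")
    return findings


# Constructed sample exchanges (hostname and paths are placeholders, not real systems).
SAMPLE_EXCHANGES = {
    "http://mail.example.com/exchange/": (
        "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"mail.example.com\"\r\n"
        "Content-Length: 0\r\n\r\n"),
    "https://mail.example.com/exchange/jdoe/Inbox/budget.xls": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.ms-excel\r\n"
        "Content-Disposition: attachment; filename=budget.xls\r\nCache-Control: private\r\n\r\nXLSDATA"),
    "https://mail.example.com/exchange/jdoe/Inbox/memo.doc": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/msword\r\n"
        "Content-Disposition: attachment; filename=memo.doc\r\n"
        "Cache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\n\r\nDOCDATA"),
}


def audit_all(exchanges: dict[str, str] = SAMPLE_EXCHANGES) -> dict[str, list[str]]:
    """Audit every exchange; only URLs with at least one finding appear in the result."""
    report = {}
    for url, raw in exchanges.items():
        findings = audit_exchange(url, raw)
        if findings:
            report[url] = findings
    return report
```

Running `audit_all()` against the samples flags the clear-text logon request and the privately cacheable spreadsheet, while the attachment delivered with `no-store` passes.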
