Chad
Sat Feb 28 15:55:40 CST 2004
Good question -
And yes he can use a dynamic dns service - there's no problem with that at
all. I use a DynDNS.org hostname for my server here at home. The big thing
is that the name on the SSL cert matches the URL used to access the site.
IE / Exchange / ISA don't care if the IP is static or dynamic, if you're
accessing via IP or FQDN - all IE cares about is that the name on the
certificate matches the URL used to access the site (and that the
certificate is current, and that you've chosen to trust the publisher). And
even if NONE of these conditions were met, you could still access OWA via
SSL - you'd just be getting security warnings before the page loads.
--
Chad A. Gross [SBS-MVP]
SBS ROCKS!!!
"Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote in message
news:%236e9f$j$DHA.2180@TK2MSFTNGP09.phx.gbl...
> What if Gary only had a dynamic IP for a public IP address. If he used a
> DDNS service like Dyndns or TZO, could he still use
> mail.yourcompany.com/exchange for secure access to OWA?
>
> --
> Merv Porter [SBS MVP]
> ===================================
>
> "Chad A Gross [SBS-MVP]" <chad.gross@laytonflower.nospam.com> wrote in
> message news:ugi09zj$DHA.624@TK2MSFTNGP11.phx.gbl...
> > Hi Gary -
> >
> > You don't have to be hosting a public website (other than OWA). When you
> > access a website using SSL, your browser checks the SSL certificate for 3
> > conditions: 1) the name on the certificate matches the name of the website.
> > 2) The certificate hasn't expired. 3) You have chosen to trust the
> > publisher that generated the SSL certificate. As you know, IE has its
> > Trusted Root, which lists a predefined group of trusted publishers. If the
> > SSL certificate on a site was not issued by a trusted publisher, you will
> > receive a security warning before the page loads.
> >
> > When you install and enable Certification Authority in Windows Server / SBS,
> > you're basically setting yourself up as a certificate publisher, but the
> > typical small business is not going to be included in IE's list of trusted
> > publishers. In order to prevent users from getting a security warning every
> > time they access an OWA installation using a self-signed certificate, they
> > need to choose to trust the publisher (you). They do this by installing your
> > .crt file mentioned in the article to their trusted root. Obviously, they
> > need to be able to access your .crt file from the internet in order to
> > install it on their machine. Since publishing Certificate Services to the
> > internet comes with a slew of security implications (Especially on an SBS),
> > I recommend uploading your .crt file to your outsourced website if you have
> > one. This allows remote users to be able to access the .crt file so they
> > can add you as a trusted publisher without further exposing your SBS to the
> > internet unnecessarily.
> >
> > It is important to note that it is not necessary to upload your .crt file to
> > a public website, or even for it to be accessible to remote users. You can
> > completely skip these steps and your users will still be able to access
> > OWA - the only thing is that they will be prompted with a security warning
> > indicating that the SSL cert was generated by a publisher they have chosen
> > not to trust. I would recommend purchasing an SSL cert from a trusted
> > publisher as this completely negates the need to upload a .crt file, and the
> > users will not be prompted with a security warning. Just make sure that the
> > name on the SSL cert matches the URL users will be using to access the site.
> > (E.g. - if they're going to access OWA using mail.yourcompany.com/exchange,
> > you'll want the name on the SSL cert to be mail.yourcompany.com - if
> > they're accessing it using the public IP 12.23.45.67/exchange, then you'll
> > want the name on the SSL cert to be your public IP)
> >
> > As for Exchange using the ISP smarthost & using ETRN to dequeue inbound
> > email, that shouldn't have any effect on OWA. OWA doesn't care how Exchange
> > sends & receives email, it just provides access to a mailbox. The same goes
> > for if SBS is using the pop connector - OWA works the same as with a pure
> > SMTP installation. The only thing with using ETRN or the pop connector,
> > etc. is that there is a chance that there are emails sitting on the ISP's
> > mailserver that Exchange has not retrieved yet. Obviously, these emails
> > won't be available via OWA until Exchange retrieves them.
> >
> > HTH!
> >
> > --
> > Chad A. Gross [SBS-MVP]
> >
> > SBS ROCKS!!!
> >
> > "Gary Webb" <email@garywebb.co.uk> wrote in message
> > news:eJ20c.13032$h44.1360322@stones.force9.net...
> > > Merv,
> > >
> > > These instructions appear to assume that you are running a web site from
> > > your SBS Server. This is not the case. The SBS Servers I need to try this
> > > with are mostly Internet access/Email access/File Servers only. They have
> > > the Internet domain name DNS MX record pointing to the 2nd NIC of the SBS
> > > which is connected via an ADSL router (/30 subnet). However, some use the
> > > ISP SMTP smart-host and collect email by issuing an ETRN to dequeue it. My
> > > first impression is that either these instructions won't work in this
> > > scenario, or need to be modified to allow for it. Your thoughts please?
> > >
> > > Thanks
> > >
> > > Gary
> > >
> > >
> > >
> > > "Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote in message
> > > news:OgU8GlZ$DHA.320@TK2MSFTNGP10.phx.gbl...
> > > > Hi Gary:
> > > >
> > > > Take a look at...
> > > >
> > > > How do I configure OWA with SSL
> > > >
> > > > http://www.smallbizserver.net/DesktopDefault.aspx?tabid=83
> > > >
> > > > --
> > > > Merv Porter [SBS MVP]
> > > > ===================================
> > > > "Gary Webb" <email@garywebb.co.uk> wrote in message
> > > > news:RUP%b.14859$Y%6.1259105@wards.force9.net...
> > > > > I have done some testing and published Exchange Server 2000 in ISA Server
> > > > > 2000 within an SBS2000 Server. I used the Microsoft article 308599 as a
> > > > > guide. This is mainly to allow OWA from anywhere on the Internet such as
> > > > > Internet Cafes. My concern before implementing this on a live system is
> > > > > security. Anybody got any experience of this configuration. Do's,
> > > > > don'ts, recommendations, etc. My goal is OWA as above with no extra software
> > > > > costs, minimal configuration, and minimal exposure to hacking. The SBS server
> > > > > will be on a permanent ADSL connection to the Internet.
> > > > >
> > > > > Thanks
> > > > >
> > > > > Gary
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
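
The three certificate checks discussed in this thread (name match, expiry, trusted publisher), modeled in Python as an added example that is not part of the original posts. The certificate dict is a constructed sample in the shape returned by `ssl.SSLSocket.getpeercert()`, the issuer name "Example SBS Root CA" is hypothetical, and trust is simplified to an issuer-name lookup instead of real chain validation.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# The issuer name is hypothetical; the host name is the one used in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.yourcompany.com"),),),
    "issuer": ((("commonName", "Example SBS Root CA"),),),
    "notAfter": "Feb 28 00:00:00 2005 GMT",
}

def common_names(field):
    """Extract every commonName value from a subject/issuer tuple structure."""
    return [value for rdn in field for key, value in rdn if key == "commonName"]

def names_on_cert(cert):
    """Names the certificate covers: subjectAltName entries, else the subject CN."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    return [n.lower() for n in (san or common_names(cert.get("subject", ())))]

def cert_warnings(cert, url_host, trusted_issuers, now):
    """Model the three checks from the thread; return the ones that fail.

    Simplified: exact name match only (no wildcards), and trust is a lookup of
    the issuer CN rather than real signature-chain validation.
    """
    warnings = []
    if url_host.lower() not in names_on_cert(cert):
        warnings.append("name mismatch")
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("expired")
    if not set(common_names(cert.get("issuer", ()))) & set(trusted_issuers):
        warnings.append("untrusted publisher")
    return warnings

if __name__ == "__main__":
    now = datetime(2004, 2, 28, tzinfo=timezone.utc)
    for host, trusted in [
        ("mail.yourcompany.com", set()),                    # .crt not installed
        ("mail.yourcompany.com", {"Example SBS Root CA"}),  # .crt installed
        ("12.23.45.67", {"Example SBS Root CA"}),           # accessed by IP
    ]:
        print(host, sorted(trusted), cert_warnings(SAMPLE_CERT, host, trusted, now))
```

The result depends only on the host part of the URL and the certificate contents, so a dynamic-DNS name that resolves to a changing IP passes the name check as long as the certificate was issued for that name.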