Configuring OWA in Exchange Server 2003

When Microsoft created Exchange Server 2003, some of the biggest improvements that they made over Exchange 2000 were to OWA. Unlike previous versions of Exchange, OWA now looks and feels a lot like Outlook. In fact, you can do most of the things in OWA that you can do in Outlook. Best of all, OWA is now enabled by default. You can access OWA by opening Internet Explorer and enteringhttp://server's_IP_address/exchange. Before you get too excited though, there are some serious security implications to having OWA enabled by default. In this article, I will explain what you need to know about configuring OWA the safe way.

What are the risks?

Since Microsoft enables OWA by default, it would seem that having OWA enabled is harmless. By itself, OWA is pretty much harmless. After all, OWA is nothing more than a Web site that acts as an interface to a user's mailbox. The security risks have to do with the way that the network is configured.

To understand why an improperly configured OWA instance is such a threat, you must consider the nature of the server that OWA exists on. Exchange Server is publicly accessible by its very nature. If it weren't then no from the outside world would be able to send e-mail to mailboxes residing on the server. The reason why it is possible to send e-mail messages to mailboxes on the server is because the server has a publicly accessible IP address (port forwarding might be used as an alternative, but I will talk about that later). If someone from the outside world wants to send a message to one of your users, their mail client will perform a DNS query to determine the IP address associated with your mail server. Once the client knows the IP address, mail is transmitted to that address using the SMTP protocol.

Like every other server on your network, your Exchange Server is probably behind a firewall. The firewall is responsible for blocking any protocol that you don't specifically allow. However, the SMTP protocol is allowed to reach your mail server because you would not be able to receive external mail without it.

Keep in mind that this very same server is also running OWA. However, if your firewall isn't configured to allow inbound HTTP traffic, then OWA won't be accessible to those outside your network perimeter. You could technically allow the outside world to access OWA by simply allowing the HTTP protocol to pass through your firewall. This is an extremely bad idea though.

Right now you might be wondering why it's safe to allow SMTP traffic to reach the server, but it isn't safe to permit HTTP traffic. The reason for this is that SMTP is an extremely simple protocol. It has one use and one use only; to send and receive messages. HTTP on the other hand is much more complex. There are dozens of known HTTP exploits. If you blindly allow HTTP traffic to pass through your firewall, you are asking for trouble.

The solution

There are several tricks to implementing OWA safely. The first trick is to control how traffic enters your network. You can't really get around permitting inbound HTTP and HTTPS traffic. You can however isolate that traffic so that outsiders can't use HTTP exploits against other parts of your network.

I have seen some people accomplish this isolation by placing an Exchange Server into a DMZ. DMZ stands for demilitarized zone. It refers to an isolated part of your network that the firewall does not protect. I personally think that it's a bad idea to place an Exchange Server into a DMZ because the server will have absolutely no protection. Besides, Exchange Server relies on the Active Directory. A hacker could potentially take over the Exchange Server and then use it as a staging platform for attacks against your Active Directory or against other Exchange Servers in your organization.

When it comes to controlling inbound traffic, I prefer to use a technique called port forwarding. Port forwarding allows you to redirect specific types of traffic to a designated IP address, regardless of the traffic's intended destination. For example, you could create a port forwarding rule that directs all HTTP traffic to your OWA server regardless of which server the packets were actually intended for.

Isolating OWA

Just because you have configured your firewall to direct HTTP traffic to your OWA server doesn't mean that OWA is secure though. You still have a publicly accessible server that is prone to HTTP exploits. Because the server is subject to HTTP based exploits, your best bet is to insure that there is no real data on the server. This means moving all of your Exchange databases to a different server.

This is known as a front-end / back-end configuration. The idea is that the front-end server acts as a sort of buffer against Web based attacks. Internet based users are never given direct access to the servers containing the Exchange databases. Instead, OWA users authenticate into the OWA front-end server (the server without any databases), and the front-end server acts as a proxy that relays information between the user and the back-end server.

The primary reason for implementing a front-end / back-end configuration is that doing so allows you to isolate your Exchange Servers that contain data so that those servers are in no way directly accessible from the outside world. The easiest way of accomplishing this is to multihome your front-end server. You can then attach your front-end server to an isolated segment of your network. Once the front-end server is isolated from the rest of your network, you can connect the server's other NIC to a switch on the network segment that contains your other Exchange Servers.

By connecting the front-end server to the network in the manner that I have described, it becomes accessible from both the Internet and from the private network. Since this is the case, you might be wondering what stops Internet users from passing through the front-end server and accessing the rest of your network.

The reason why you don't have to worry about Internet users accessing the rest of your network through the front-end server is because of a fundamental rule of networking. There is a rule that says that in order for two nodes to communicate on a network, they must share a common protocol. While it's true that the end user, the front-end server, and the back-end server are all using the TCP/IP protocol, they are not all using it in the same way. Remember that TCP/IP is actually a suite of protocols rather than being one individual protocol. The firewall insures that Internet users are only able to access the front-end server by using the HTTP or HTTPS protocol. However, the front-end server does not use HTTP requests to communicate with the back-end server. This prevents an Internet user from passing an HTTP request through an OWA server to the backend network.

In case you are wondering, Exchange actually contains a setting that you can use to designate a server as a front-end OWA server. If you were to open the Exchange System Manager, navigate to Administrative Groups | your administrative group | Servers | your server, right click on the server and select the Properties command from the shortcut menu, you would see that the General tab of the server's properties sheet contains a check box that you can use to designate the server as a front-end server. When you select this check box, Exchange will automatically take care of some of the security requirements pertaining to keeping the Exchange databases isolated.

Encrypting OWA traffic

Another reason why a default OWA installation is a threat to your network's security is because by default, OWA doesn't encrypt anything. Passwords and e-mail messages are both transmitted across the wire in clear text for anyone with a protocol analyzer to read.

As you may know, Internet Information Server offers multiple authentication options. Clients accessing a Web site may use Windows integrated authentication, basic authentication, and anonymous authentication. Anonymous authentication simply won't work for an OWA Web site because OWA needs to know who is logging in so that it can display the correct mailbox.

This leaves basic authentication, which transmits passwords in clear text, and Windows integrated authentication, which is generally a better choice if the person accessing the Web site is running a Windows operating system. The problem is that you have no way of controlling what operating system your users will be running when they access your OWA Web site. That being the case, basic authentication is the only choice that will work.

Basic authentication does transmit passwords in clear text, but you can get around this problem if you encrypt the session using SSL over HTTPS. Using SSL is an ideal solution since users would otherwise be using the HTTP protocol to access the OWA server. Keep in mind though that communications between the front-end server and the back-end servers do not use HTTP and therefore SSL encryption is not an option.

If you happen to have an ISA Server at your disposal, you can make communications between the front-end server and the Internet even more secure. There is a technique by which you can copy the front-end server's certificate to the ISA server. You can then configure the ISA server to impersonate the front-end server. Internet users would never actually communicate with the front-end server directly.

Instead, the users would communicate with the ISA Server (the perimeter firewall's port forwarding feature would have to be configured to pass HTTP and HTTPS packets to the ISA Server rather than to the front-end server). The ISA Server would then act as an application level firewall / proxy. It would screen inbound HTTP and HTTPS requests. If the requests were valid then the requests would be passed along to the front-end server. The server's response would then be relayed back to the user. If the inbound packets are determined to be malicious, then the packets are blocked from ever reaching the front-end server.

Communications between the front-end server and the back-end servers seems to be a touchy issue for some reason. There are a couple of different schools of thought on the subject. Some people believe that since users are authenticated prior to the front-end server ever initiating communications with the back-end server, the user is trusted. Furthermore, the packets are flowing across your own private network, so there is no need to encrypt communications between the front-end server and the back-end servers. On the flip side of the issue, security purists believe that you should encrypt any traffic that's flowing across your network as a way of protecting user's privacy and as a way of guarding the system against security breaches.

I personally believe that whether or not you encrypt front-end to back-end traffic should depend on your own organization's security needs. If you do decide that IPSec encryption is necessary, then you might be interested in knowing that you can't implement IPSec in the usual way.

Windows has three different IPSec policies built in. I don't really want to get into all of the specifics regarding these policies because they are beyond the scope of this article. Generally speaking though, if you activate any of the built in policies, then the policy will apply to all IP traffic flowing in or out of the machines that the policy applies to.

The reason why the built in policies are not appropriate is because you don't want blanket IPSec encryption to apply to the front-end server. Remember that a lot of the traffic that's coming into the front-end server is coming from the Internet and is already encrypted with SSL. You don't want to attempt to encrypt that traffic with IPSec. The back-end server on the other hand can use a blanket IPSec policy. The backend server will never communicate directly with Internet users. Since the back-end server's communications will be limited to the private network, encrypting all inbound and outbound traffic with IPSec is perfectly acceptable.

There are a few different ways that you can get around the blanket coverage problem. What I recommend doing is to create a separate organizational unit within the Active Directory and moving your front-end server into it. The reason why I suggest doing this is because IPSec policies are group policy objects. Group policies can be applied at the organizational unit level. This means that you could have one IPSec policy for your front-end server and a separate IPSec policy for everything else (including your back-end servers).

There is also another side effect to using a separate organizational unit for the front-end server. Having the front-end server placed in a separate organizational unit from everything else allows you to assign the server an entirely different computer level security policy. Since the server will be accessible from the Internet, you have to assume that the server will be attacked on a regular basis. The fact that the server will have its own security policy means that you can defend the server by applying a very rigid security policy without affecting any of your users or any of your other servers.

OK, so we've established that you will need a separate IPSec policy for the front-end server, but you might still be wondering how you would prevent the front-end server from having blanket IPSec encryption. Microsoft gives you a few built in IPSec policies that you can activate, but there is nothing stopping you from creating your own policy. An IPSec policy is nothing more than a collection of rules.

For the front-end server's IPSec policy, you must simply create a policy around rules that tell Windows to encrypt any traffic flowing between the front-end server and the backend server. All other traffic should remain unencrypted. As you create the rule, you will have to specify each backend server by IP address. If you add an additional backend server later on or if the server's IP address changes, you will have to update your rule to match the change.

Download:Troubleshooting Outlook Web Access(OWA) problems

Outlook Web Access (OWA) is an indispensable application in many organizations because it allows users to check their e-mail from anywhere in the world using only a Web browser. Unfortunately, OWA doesn’t always work the way that it’s supposed to. In this Daily Drill Down, I’ll show you what to do when OWA breaks down.

What OWA does
An OWA environment is nothing more than an IIS-based Web application with an interface to the Exchange stores. Clients access the OWA site by making a request to the IIS server over port 80 (HTTP) or port 443 (HTTPS). Once the initial request has been processed, the IIS Server asks the client for authentication credentials. The OWA Server takes these credentials and attempts to authenticate the client. Once they’re authenticated, clients can access their Exchange e-mail accounts.

Problems with OWA
Problems with OWA can usually be traced to one of the following areas:
The client’s Web browser
The client’s connection to the IIS Server
An IIS problem
An Exchange problem

Any one or any combination of these problems can keep OWA from functioning. Naturally, some of the problems that I just described are a little tougher to troubleshoot than others. Therefore, I’ll start with the easier solutions and build up to the more complex troubleshooting issues.

Client problems
There are many different types of OWA problems, but what the client gets often yields clues as to the nature of the problem. For example, a message stating that a Web site can’t be found means something completely different from a message indicating that the page isn’t displaying correctly.

If the client receives a message stating that the OWA Web site can’t be found, there are a number of possible causes to investigate. I recommend troubleshooting such a problem by first trying to access the OWA server from another computer. If other computers can access the OWA site, then the problem is likely with the computer in question’s Internet connection and not with OWA.

On the other hand, if none of the computers that you attempt to access OWA through can attach to the OWA server, then you have a more serious problem. The WAN connection linking the OWA Server to the Internet may be down; IIS could be malfunctioning; or there could be an invalid DNS entry that’s pointing the OWA server’s FQDN to an invalid or incorrect IP address. I’ll discuss these problems in a bit more detail later on.

Another possibility is that the client is able to access the OWA site, but the site displays incorrectly, or the user isn’t allowed to log in. Again, begin the troubleshooting process by trying a different computer. This particular problem is often due to someone using an unsupported Web browser to access OWA. However, if you discover that none of your test computers can authenticate into the OWA Server, it’s likely that you have an authentication problem on the server end rather than a Web browser problem.

IIS connection errors
IIS connection problems and other IIS-related malfunctions are among the most common causes of OWA errors. It’s a lot of work to thoroughly troubleshoot IIS problems, but the necessary steps aren’t especially difficult. I recommend beginning the troubleshooting process by going to the OWA Server and verifying its connection to the Internet. If you can surf the Web from the OWA server, you can rule out a connectivity problem.

Next, go to a computer outside your network and attempt to ping your OWA server. Try pinging first by IP address and then by FQDN. If both pings fail, it probably means that your firewall is set to block ICMP packets and that the server won’t respond to a ping. If this happens to you, I recommend trying the ping test from behind your firewall.

A failure of both pings could also mean that there is no connectivity between the machine that you’re pinging from and the OWA server. This won’t apply in this particular case, though, because you’ve already established that the communications link is good.

If the ping by IP address is good but the ping by FQDN fails, then you likely have a DNS problem. Remember that DNS servers resolve FQDNs to IP addresses. Therefore, if a ping by IP address is successful, you can verify that the communications link is good. If this is the case, then the only thing that should cause a ping by FQDN to fail is if the FQDN isn’t being resolved.

Firewall problems
So far you’ve verified that you’ve got a good communications link and that the DNS server is doing its job. If your clients are still unable to connect to the OWA server, it’s probably either due to a firewall problem or an IIS failure.

Testing for a firewall problem is easy. Just try to access the OWA server from behind your firewall. If both the OWA server and the client machine exist on your private network behind the same firewall, you can use the client machine to test the OWA server without the firewall interfering. If the test is successful, then the firewall is your problem. Verify that ports 80 and 443 are open to inbound traffic.

IIS problems
If the firewall doesn’t seem to be the source of your problems, then there’s a really good chance that IIS is causing the problem. To test IIS, begin by selecting the Programs | Administrative Tools | Services commands from the Start menu. When you do, Windows will open the Service Control Manager. Go through the Service Control Manager and verify that the following services are running:
World Wide Web Publishing Service
IIS Admin Service
Protected Storage
Remote Procedure Call (RPC)

This is also a good time to verify that the various Microsoft Exchange-related services are running as well.

Once you’ve verified that the necessary IIS services are running, open Internet Explorer directly on the OWA Server and enter the OWA Server’s IP address into the browser. If the OWA session starts, IIS is working correctly. If you can’t get OWA to start by entering the IP address, verify that IIS is configured to use the correct IP address.

To verify that IIS is configured to use the correct IP address, select Internet Services Manager from the Administrative Tools menu. When the Internet Information Server console opens, select the OWA Web site from the console tree. Before continuing, verify that the word Stopped doesn’t appear in parenthesis next to the Web site name. If it does, simply right-click the site and select the Start command. If you receive an error message, your OWA site probably has an IP address conflict with another site on the server. To solve this problem, read the following instructions for verifying the IP address, and then try to start the site again.

Verifying the OWA site's IP address
To verify the site’s IP address, right-click the OWA site and select Properties. On the site’s property sheet, select the Web Site tab and verify that the IP address is correct. By default, the IP address will be set to All Unassigned. However, the All Unassigned setting should be used only for the default Web site. The OWA site should have a dedicated IP address. While on the Web Site tab, you should also verify that the OWA site is configured to use port 80.

If all of your settings are correct but you still can’t access the OWA Web site, the best thing to do is to implement a sample Web site to verify IIS’s functionality. To do so, open the Control Panel and double-click the Network And Dial Up Connections icon. When the Network And Dial Up Connections window opens, right-click your main network connection and select Properties.

On the connection’s property sheet, select the TCP/IP protocol from the list and click the Properties button to reveal the TCP/IP property sheet. On the TCP/IP property sheet, click Advanced to reveal the Advanced TCP/IP Settings property sheet. On the IP Settings tab of the Advanced TCP/IP Settings property sheet, click the Add button under the IP Addresses section and add a unique IP address to the server. Click OK on all of the open windows to close them.

Now, create a directory called Test on your hard disk and place a few random HTML files into it. Be sure to name one of the files INDEX.HTM. At this point, return to the Internet Services Manager. Right-click the server name in the console tree and select New | Web Site. This will launch the Web site creation wizard.

Click Next to bypass the wizard’s introduction screen. You’ll then be asked to enter a description of the site. Enter the words Test Site and click Next. On the following screen, select the IP address that you added to the server from the Enter The IP Address To Use For This Web Site drop-down list. Verify that the site is configured to use TCP port 80, and then click Next. On the following screen, enter C:\TEST as the path to the home directory. You should also make sure that the Allow Anonymous Access To This Web Site check box is selected. You’ll then see a screen asking what permissions should be set for the home directory. Accept the default choices by clicking Next, followed by Finish.

When you’ve completed the test site, you’ll see it appear in the IIS tree with the words Stopped in parenthesis next to it. Right-click the new site and select the Start command from the shortcut menu. The site should now be started.

Next, open Internet Explorer and enter the new site’s IP address followed by INDEX.HTM. For example, if you assigned the address 147.100.100.100 to the site, the format would be http://147.100.100.100/index.htm. If you can access your test site, then IIS is functional and you likely have an authentication problem.

If you discover that IIS is malfunctioning, I recommend reinstalling it. You can do so through the Add/Remove Programs applet in the Control Panel. IIS is located in the Windows Components section.

Authentication problems
The authentication portion of Outlook Web Access tends to be one of the trickiest parts to troubleshoot. When troubleshooting authentication problems, it’s helpful to keep in mind that when your users use OWA, they aren’t telling OWA which Exchange server their mailboxes exist on. Instead, OWA is performing an Active Directory query during the authentication process. This query tells OWA which Exchange server to connect the user to.

It’s quite possible that the Active Directory query could be causing the problem. The easiest way to find out is to enter the URL of the OWA site into the Web browser in a way that conveys the name of the user’s mailbox. For example, if you normally enter http://server_name/exchange, try entering http://server_name/exchange/user_name instead. If this technique works, then the problem could be due to the OWA server’s TCP/IP settings not referencing a DNS server that’s aware of your Active Directory. The other possibility is a problem with the authentication protocol, which is what I’m about to show you how to fix.

When it comes to Windows 2000 authentication, the NTLM authentication protocol is more secure than basic or anonymous authentication. However, in an OWA environment, you must use basic authentication. NTLM doesn’t work if your clients are communicating with the server over HTTP or HTTPS. Likewise, anonymous authentication does work, but it would give everyone in the world access to your server. Therefore, basic authentication is your only real choice.

To verify what type of authentication is being used, open the Internet Services Manager, right-click the OWA Web site, and select Properties. Select the Directory Security tab on the OWA site’s property sheet, and click the Edit button found in the tab’s Anonymous Access And Authentication Control section. When you do, you’ll see the Authentication Methods dialog box. Verify that the Anonymous Access check box is not selected. Now, take a look at the Authenticated Access section and verify that only the Basic Authentication check box is selected. As you look at the various check boxes, you’ll notice an Edit button just to the right of the Basic check box. Click the Edit button and verify that the correct authentication domain is selected.

At this point, close all of the open windows by clicking OK in each. You’ve now specified that the OWA Web site will use basic authentication exclusively, and that a specific domain will perform the authentication. The final step in the process is to verify that the OWA server can communicate with the domain that you’ve specified.

You can start out by attempting to ping domain controllers in the specified domain from the OWA server. If the pings are successful, the next step is to verify that the OWA server is configured to use the same DNS server as all of the domain controllers. Unless all of the servers use a common DNS server (or linked DNS servers), the OWA server may have trouble accessing Active Directory information from the domain controller.

If you're still having trouble
OWA is a handy Web application, but it doesn’t always work the way it’s supposed to. If you’re still having problems, Microsoft has an excellent document on OWA troubleshooting at Microsoft’s Exchange Web Site.

crash course in the Exchange 2010 Control Panel

When Microsoft created Exchange Server 2007, it gave Outlook Web Access (OWA) a much-needed overhaul — becoming

a lot more like Outlook — and even added some modest management utilities. In Exchange 2010, Microsoft has once again made a lot of changes to OWA, greatly extending the management functionality with the addition of the Exchange Control Panel (ECP).

Before I get into more detail with ECP, I want to point out that there are other changes in Exchange 2010 OWA, starting with its name. Even though OWA has stood forOutlook Web Access for as long as I can remember, the folks in Redmond decided to rename OWA to Outlook WebApp. Generally speaking though, users who are used to OWA 2007 won’t have too much trouble finding their way around OWA 2010. Looking at Figure A, you can see that OWA 2010 looks very similar to OWA 2007.

Figure A

Click to enlarge.

This is what the Outlook WebApp looks like.

The most significant change that Microsoft has made to OWA doesn’t appear in the figure above though. If you look at it, you will notice an Options link, just to the left of the search box. While this link did exist in OWA 2007, its functionality has been greatly extended in OWA 2010. The Options link takes you to the ECP.

Figure B shows you the view when you click on the Options link. As you can see, the entire interface changes. Incidentally, if you need to get back to your Inbox, you can do so by clicking on the My Mail link that now replaces the Options link.

Figure B

Click to enlarge.

Another thing that I want to point out about this screen is the drop-down list in the upper left corner of the screen. You will notice that this drop-down list is presently set to Myself. You have three options; Myself, My Organization, and Another User.

Myself

The Myself area of the ECP is designed to act as a self-service portal for users. Assuming that they have the proper permissions, users can use the ECP to keep their contact information up to date, as shown in the figure above. Users also have the ability to change their password, enable the Out of Office feature, or even modify Inbox rules through this interface. Like OWA 2007, users can also use this area to manage some general OWA settings.

My Organization

Selecting the My Organization option reveals the true power of ECP. Figure Cillustrates how ECP allows you to manage things like mailboxes, groups, and even user and administrative roles through the OWA interface. While there doesn’t seem to be a mechanism in place that would allow you to create a mailbox through the ECP, you can view and edit many of the mailbox attributes.

Figure C

Click to enlarge.

The Exchange Control Panel allows you to manage mailboxes, groups, and even administrative and user roles.

You will also notice that the tree on the left in Figure C contains a Reporting option. Clicking on this option takes you to a screen that allows you to perform message tracking. This is my favorite of the new OWA / ECP features. You can see what the reporting and message tracking options look like in Figure D.

Figure D

Click to enlarge.

You can now perform message tracking through OWA’s ECP.

Another User

The Another User option is similar to the Myself option. This feature allows you to perform the same basic operations on another user’s account that you can perform on your own account by using the Myself option.

Conclusion

As you can see, the Exchange Control Panel should make managing Exchange remotely a lot easier. In case you are wondering though, the various administrative functions are only displayed to users who have the proper permissions.