Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ssl Certifcates on exchange cluster 1

Status
Not open for further replies.

Fabit

Technical User
Nov 22, 2005
95
US
Hi all,

I running an win2k3 exchange cluster. I want to use ssl for my webmail. can someone tell me how can I go about doing this.

Thank you,

Most appreciative,
 
You should only even consider this with a Front End. Webmail, SMTP and everything else. Never use a cluster and expose OWA etc. directly at it.
 
Why not? I hav filtering that port anyway?
 
Security, stability and performance. Remember a FE terminates the SSL which takes a chunk of processing off the box. It's also a single point of arrival and less complex on the network for you. You can also enhance security by beefing up the internal network by restricting what the FE can talk to thus reducing the attack area.

There are a chunk of reasons. Others will add more if they are inclined to do so.

 
so,

ssl for owa on a exchange cluster is no good is what you telling me right?
 
No good" is a little strong. It will work "Unwise" and "not recommended" (my use of the word recommended, not Microsoft's) would be better.
 
even if I buy a cert from verisign. its still not secure?
 
It has nothing to do with the certificate. A certificate is a certificate is a certificate (pretty much in this case) It's all around the stability of the box you're connecting to, it's performance etc.
 
what if I am redirecting from http to https. see what I am trying to do is redirect my http traffic to a more secure place right after a user has loged within owa.
 
That doesn't make any sense.
Usually people have a redirect from to because people always forget the S.
You can't redirect someone after they've logged into OWA.

I think you need to park this one. Operating a FE is something you should do for HTTPS and SMTP. All your SMTP should be dropped onto the FE/SMTP Bridgehead first. Really all this back and forth about HTTPS is secondary because the traffic should be dropped onto the FE on the way out as well as the way in so that it doesn't sit on the cluster queue.
 
ok

so, how can I configure the fe to work so that I can get a more secure connection to owa?
 
Easy, it's a standard FE/BE configuration.
Install Windows, Install Exchange, Service Pack, Put the SSL on the website, Tick the FE boxes in Exchange, Tick the Form Based Authentication boxes and reboot it.


Another reason for the old FE/BE setup is that you cannot offer RPC over HTTPS with a cluster only setup. You HAVE to have a FE in front of the cluster because the RPC Proxy Service is not supported on a cluster. (forgot about that point) Nearly everyone goes with that solution these days as it's such a useful feature.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top