WebApp Sec mailing list archives
RE: Securing Outlook Web Access (OWA)
From: "Nick Duda" <nduda () VistaPrint com>
Date: Tue, 14 Oct 2003 08:23:06 -0400
Wouldn't using a front-end/back-end configuration with certificates on the user object work? This will handle forwarding the request to the appropriate server, and wouldn't hold an info store. For that matter you wouldn't even need to run any E2K services. This is how it's being used in my org.

- Nick

-----Original Message-----
From: pierre-luc.levasseur () laposte net [mailto:pierre-luc.levasseur () laposte net]
Sent: Tuesday, October 14, 2003 4:55 AM
To: webappsec
Subject: Securing Outlook Web Access (OWA)

hello!

I am currently looking for a way to secure the deployment of several Outlook Web Access servers (WebMail for MS Exchange 2000).

These are our project specifications:

We have about 20 OWA servers over a worldwide Intranet. Each OWA server is autonomous (independent list of addresses) but with a unique point of access available via the Internet. Thus each user (regardless of the OWA server hosting the user's mailbox) connects with a unique URL: https://mail.mycompany.com

The HTTP reverse proxy must perform the following operations:
- Perform a user authentication with an X509 client certificate
- If the X509 certificate is valid: HTTP authentication via an LDAP server
- If the authentication is valid, then redirect automatically to the appropriate OWA server (owa-x.mycompany.com). The redirection changes the hostname, but all the redirected flows must pass through the Reverse Proxy (a unique point of entry is obligatory for all the Webmail flows).
- The authentication must be (if possible) Single Sign On, which means that the user doesn't have to reauthenticate himself when reaching the final OWA server.
- An applicative flow control must be integrated to avoid all OWA server attacks (XSS, SQL injection, Session hijacking, etc…)

One LDAP list of addresses for all the users is used. It contains the following elements:
- Login user name (for HTTP authentication)
- Login user password (for HTTP authentication)
- DN field for the X509 certificate (to verify the username/certificate association)
- URL for the OWA server associated with the user (for the redirection)

The connection between the Reverse Proxy and the LDAP server must be secure (LDAPS).

I am in the process of testing Axiliance's RealSentry Appliance. The product seems to correspond perfectly to our needs and I would like to know if you have any feedback on your experience of this product. If you know another product meeting these specifications, I would be very grateful if you would contact me.

Best Regards,
Pierre Luc LEVASSEUR
pierre-luc.levasseur () laposte net
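The three-step chain the original post asks the reverse proxy to perform (client certificate, then LDAP-backed HTTP credentials, then lookup of the user's OWA server) can be written down as a small decision function. The code below is an added illustration for this thread, not code from either poster or from any product named above: the in-memory DIRECTORY is a constructed stand-in for the LDAPS directory, the users, certificate DNs and owa-N.mycompany.com hostnames are invented, and the check that the looked-up upstream is an HTTPS host inside the company domain is an extra safeguard the post does not mention.

```python
"""Decision logic for a reverse proxy in front of several OWA servers.

Added example. Models the chain from the post: (1) the presented X.509
certificate DN must match the DN stored on the user's directory entry,
(2) the HTTP username/password must verify, (3) the user's OWA URL is
looked up and handed to the proxy, which forwards the traffic itself so
every flow still passes through the single entry point.
DIRECTORY is a constructed stand-in for the LDAPS directory.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Only hosts in the OWA farm may be used as upstreams (post: owa-x.mycompany.com).
ALLOWED_UPSTREAM_SUFFIX = ".mycompany.com"


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the directory never holds clear-text passwords (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_entry(cert_dn: str, password: str, owa_url: str) -> Dict[str, object]:
    """Build one constructed directory entry with the four fields the post lists."""
    salt = os.urandom(16)
    return {
        "cert_dn": cert_dn,                           # DN field for the X509 certificate
        "salt": salt,
        "pw_hash": _hash_password(password, salt),    # login password (hashed here)
        "owa_url": owa_url,                           # OWA server for this user
    }


# Constructed sample directory (invented users, DNs and hostnames).
DIRECTORY: Dict[str, Dict[str, object]] = {
    "alice": _make_entry("CN=alice,OU=Users,O=mycompany,C=FR", "alice-pass",
                         "https://owa-3.mycompany.com/exchange/"),
    "bob": _make_entry("CN=bob,OU=Users,O=mycompany,C=US", "bob-pass",
                       "https://owa-7.mycompany.com/exchange/"),
    # Deliberately mis-provisioned entry: its URL points outside the OWA farm.
    "mallory": _make_entry("CN=mallory,OU=Users,O=mycompany,C=FR", "mallory-pass",
                           "http://owa.example.net/exchange/"),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    upstream: Optional[str] = None


def authenticate_and_route(cert_dn: str, username: str, password: str,
                           directory: Dict[str, Dict[str, object]] = DIRECTORY) -> Decision:
    """Return whether the request may proceed and, if so, which OWA server to forward to."""
    entry = directory.get(username)
    if entry is None:
        # Burn the same hashing cost for unknown users so timing does not leak valid names.
        _hash_password(password, b"\x00" * 16)
        return Decision(False, "unknown user or bad credentials")

    # Step 1: the certificate the TLS layer already validated must belong to the claimed user.
    if not hmac.compare_digest(cert_dn.encode("utf-8"), str(entry["cert_dn"]).encode("utf-8")):
        return Decision(False, "certificate does not match the user's directory entry")

    # Step 2: HTTP authentication against the directory record.
    if not hmac.compare_digest(_hash_password(password, entry["salt"]), entry["pw_hash"]):
        return Decision(False, "unknown user or bad credentials")

    # Step 3: the upstream comes from the directory, so validate it before proxying to it.
    parsed = urlparse(str(entry["owa_url"]))
    host = parsed.hostname or ""
    if parsed.scheme != "https" or not host.endswith(ALLOWED_UPSTREAM_SUFFIX):
        return Decision(False, "directory entry points outside the OWA farm")

    return Decision(True, "ok", str(entry["owa_url"]))


if __name__ == "__main__":
    print(authenticate_and_route("CN=alice,OU=Users,O=mycompany,C=FR", "alice", "alice-pass"))
    print(authenticate_and_route("CN=bob,OU=Users,O=mycompany,C=US", "alice", "alice-pass"))
```

The order matters: a valid certificate that belongs to a different account than the one named in the HTTP credentials is refused before the password is even examined, which is the "username/certificate association" check the post's DN field exists for. Returning the upstream URL to the proxy, rather than sending the browser a redirect to owa-x directly, is what keeps every flow behind the single entry point.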