WebApp Sec mailing list archives

Securing Outlook Web Access (OWA)


From: "pierre-luc.levasseur () laposte net" <pierre-luc.levasseur () laposte net>
Date: Tue, 14 Oct 2003 10:55:12 +0200

hello!

I am currently looking for a way to secure the deployment of
several Outlook Web Access servers (webmail for MS Exchange 2000).

These are our project specifications:
We have about 20 OWA servers over a worldwide intranet.
Each OWA server is autonomous (independent address directory)
but with a single point of access available via the Internet.
Thus each user (regardless of the OWA server hosting the user's
mailbox) connects with a single URL: https://mail.mycompany.com

The HTTP reverse proxy must perform the following operations:
- Perform user authentication with an X.509 client certificate
- If the X.509 certificate is valid: HTTP authentication via
an LDAP server
- If the authentication is valid, redirect automatically
to the appropriate OWA server (owa-x.mycompany.com). The
redirection changes the hostname, but all the redirected flows
must pass through the reverse proxy (a single point of entry is
mandatory for all the webmail flows).
- The authentication must be (if possible) single sign-on,
which means that the user doesn't have to re-authenticate
when reaching the final OWA server.
- Application-level flow control must be integrated to block all
attacks on the OWA servers (XSS, SQL injection, session hijacking, etc.)

A single LDAP directory is used for all the users. It
contains the following elements:
- Login user name (for HTTP authentication)
- Login user password (for HTTP authentication)
- DN field for the X.509 certificate (to verify the
username/certificate association)
- URL of the OWA server associated with the user (for the
redirection)

The connection between the Reverse Proxy and the LDAP server
must be secure (LDAPS).

I am in the process of testing Axiliance’s RealSentry Appliance.
The product seems to correspond perfectly to our needs and I
would like to know if you have any feedback on your experience
of this product.

If you know another product meeting these specifications, I
would be very grateful if you would contact me.

Best Regards,

Pierre Luc LEVASSEUR
pierre-luc.levasseur () laposte net
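The chain the post specifies (client certificate first, then LDAP credentials, then a per-user redirect that must stay behind the proxy, then single sign-on to the OWA host) modelled below as an added example in Python. This is not code from the post, from RealSentry or from any other product: the in-memory DIRECTORY is a constructed stand-in for the LDAPS server, and the attribute names (certSubjectDn, owaUrl), host names (owa-1..3.mycompany.com), the session key and the cookie format are all assumptions. Two checks the post does not spell out but a practitioner would want are included: the OWA URL read from the directory is followed only if it names one of the backends the proxy fronts (so a tampered attribute cannot turn the proxy into an open redirect), and the SSO cookie is bound to the presenting certificate (so a stolen cookie is useless without the matching private key).

```python
"""Reverse-proxy authentication and routing chain for OWA, modelled.

Added example, not code from the mailing-list post or any product it names.
All host names, attribute names and the session key are assumptions.
"""
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Public names the proxy is authoritative for. These must resolve to the proxy
# itself so that redirected traffic never bypasses it (assumption).
OWA_BACKENDS = {"owa-1.mycompany.com", "owa-2.mycompany.com", "owa-3.mycompany.com"}
SESSION_KEY = b"replace-with-a-random-32-byte-key"  # assumption: shared by all proxy vhosts
SESSION_TTL = 3600


def _pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for the LDAP directory. A real deployment would do an
# LDAPS simple bind with the supplied credentials instead of comparing hashes.
DIRECTORY = {
    "alice": {
        "passwordHash": _pw_hash("correct horse"),
        "certSubjectDn": "CN=Alice Martin, OU=Sales, O=MyCompany, C=FR",
        "owaUrl": "https://owa-3.mycompany.com/exchange/",
    },
    "mallory": {
        "passwordHash": _pw_hash("hunter2"),
        "certSubjectDn": "CN=Mallory,OU=IT,O=MyCompany,C=FR",
        # Tampered attribute: points at a host the proxy does not front.
        "owaUrl": "https://evil.example.net/exchange/",
    },
}


def normalize_dn(dn):
    """Canonicalise an X.500 DN string for comparison: strip whitespace around
    RDNs and ignore case. Enough for the DNs used here; a production proxy
    should compare parsed RDNs (RFC 4517 matching rules), not raw strings."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def authenticate(client_cert_dn, username, password):
    """Steps 1 and 2: a client certificate must be present (its chain is assumed
    already verified by the TLS layer), the HTTP credentials must match the
    directory, and the certificate DN must be the one bound to that account."""
    if not client_cert_dn:
        return False, "no client certificate"
    entry = DIRECTORY.get(username)
    # Compare against a dummy hash for unknown users so that response timing
    # does not reveal whether the account exists.
    stored = entry["passwordHash"] if entry else _pw_hash("")
    password_ok = hmac.compare_digest(stored, _pw_hash(password))
    if entry is None or not password_ok:
        return False, "bad credentials"
    if normalize_dn(entry["certSubjectDn"]) != normalize_dn(client_cert_dn):
        return False, "certificate not bound to this account"
    return True, "ok"


def owa_redirect(username):
    """Step 3: the per-user OWA URL from the directory, accepted only if it is
    https and names one of the backends the proxy fronts."""
    url = DIRECTORY[username]["owaUrl"]
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in OWA_BACKENDS:
        raise ValueError("refusing redirect to unproxied host: %r" % parts.hostname)
    return url


def _cert_id(client_cert_dn):
    return hashlib.sha256(normalize_dn(client_cert_dn or "").encode()).hexdigest()[:16]


def issue_session(username, client_cert_dn, now=None):
    """Step 4 (SSO): a cookie value the owa-x vhosts on the same proxy accept
    without prompting again. The MAC covers the certificate identity, so the
    cookie only works when presented with the same client certificate."""
    now = int(now if now is not None else time.time())
    expiry = now + SESSION_TTL
    msg = "%s|%d|%s" % (username, expiry, _cert_id(client_cert_dn))
    tag = hmac.new(SESSION_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return "%s|%d|%s" % (username, expiry, tag)


def verify_session(token, client_cert_dn, now=None):
    """Return the username if the token is intact, unexpired and presented with
    the certificate it was issued for; otherwise None."""
    now = int(now if now is not None else time.time())
    try:
        username, expiry, tag = token.split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    if expiry < now:
        return None
    msg = "%s|%d|%s" % (username, expiry, _cert_id(client_cert_dn))
    expected = hmac.new(SESSION_KEY, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return username
```

The application-level filtering the post also asks for (XSS, SQL injection) is a separate concern and is not modelled here; this block only covers who gets in and where the proxy sends them.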





