WebApp Sec mailing list archives
Securing Outlook Web Access (OWA)
From: "pierre-luc.levasseur () laposte net" <pierre-luc.levasseur () laposte net>
Date: Tue, 14 Oct 2003 10:55:12 +0200
Hello!

I am currently looking for a way to secure the deployment of several Outlook Web Access servers (WebMail for MS Exchange 2000).

These are our project specifications:

We have about 20 OWA servers over a worldwide Intranet. Each OWA server is autonomous (Independent list of addresses) but with a unique point of access available via the Internet. Thus each user (regardless of the OWA server hosting the user Box) connects with a unique URL: https://mail.mycompany.com

The HTTP reverse proxy must perform the following operations:

- Perform a user authentication with X509 client certificate
- If the X509 certificate is valid: HTTP authentication via an LDAP server
- If the authentication is valid then redirect automatically to the appropriate OWA server (owa-x.mycompany.com). The redirection changes the hostname but all the flows redirected must pass by the Reverse Proxy (unique point of entry obligatory for all the Webmail flows).
- The authentication must be (if possible) Single Sign On, which means that the user doesn't have to reauthenticate himself when reaching the final OWA server.
- An applicative flow control must be integrated to avoid all OWA server attacks (XSS, SQL injection, Session hijacking, etc.)

One LDAP list of addresses for all the users is used. It contains the following elements:

- Login user name (For HTTP authentication)
- Login user password (For HTTP authentication)
- DN field for X509 certificate (to verify the username/certificate association)
- URL for the OWA server associated with the user (for the redirection)

The connection between the Reverse Proxy and the LDAP server must be secure (LDAPS).

I am in the process of testing Axiliance's RealSentry Appliance. The product seems to correspond perfectly to our needs and I would like to know if you have any feedback on your experience of this product. If you know another product meeting these specifications, I would be very grateful if you would contact me.
Best Regards,
Pierre Luc LEVASSEUR
pierre-luc.levasseur () laposte net
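The proxy-side checks listed in the message above, sketched as an added example that is not part of the original post and is not code from any product it names. Assumptions: the in-memory `DIRECTORY` stands in for the LDAPS lookup, the users, DNs, passwords and the names `route`, `normalize_dn` and `BACKEND_HOST` are constructed for illustration, and the TLS layer has already validated the client certificate chain.

```python
import hashlib, hmac, re
from urllib.parse import urlsplit

def _pw(password, salt):
    # PBKDF2 digest so the constructed directory holds no cleartext password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample entries with the four attributes the post lists.
DIRECTORY = {
    "alice": {"cert_dn": "CN=Alice Martin,OU=Sales,O=MyCompany,C=FR",
              "salt": b"salt-a", "pw_hash": _pw("correct horse", b"salt-a"),
              "owa_url": "https://owa-3.mycompany.com/exchange/"},
    # Entry whose URL attribute points outside the OWA farm (tampered or mistyped).
    "bob": {"cert_dn": "CN=Bob Durand,OU=IT,O=MyCompany,C=FR",
            "salt": b"salt-b", "pw_hash": _pw("battery staple", b"salt-b"),
            "owa_url": "https://owa-3.mycompany.com.example.net/exchange/"},
}
# Only hosts of the form owa-x.mycompany.com may be proxied to.
BACKEND_HOST = re.compile(r"owa-\d{1,2}\.mycompany\.com")

def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form (simplified: no escaped commas)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(parts)

def route(cert_dn, login, password):
    """Return the backend URL to proxy to, or None (fail closed) if any check fails."""
    entry = DIRECTORY.get(login)
    if entry is None:
        return None
    # 1. Bind the certificate to the login: its subject DN must match the directory.
    if normalize_dn(cert_dn) != normalize_dn(entry["cert_dn"]):
        return None
    # 2. HTTP authentication, compared in constant time.
    if not hmac.compare_digest(_pw(password, entry["salt"]), entry["pw_hash"]):
        return None
    # 3. Never trust the directory URL blindly: HTTPS and an allowlisted host only.
    target = urlsplit(entry["owa_url"])
    if target.scheme != "https" or not BACKEND_HOST.fullmatch(target.hostname or ""):
        return None
    return entry["owa_url"]
```

A real deployment would authenticate with an LDAP bind over LDAPS rather than comparing a stored digest, and would use a full DN parser.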