"Why implementing SSL in OWA is essential"

Compare SSL certificates from all major certificate authorities

If you haven't yet implemented Outlook Web Access (OWA) with Secure Sockets Layer (SSL), you should!. OWA sessions aren't encrypted by default, and the communication between the Exchange server and the end-user browser is in clear text. Adding SSL to your OWA sessions ensures end-to-end encryption for the duration of the session. Your mobile sales force can securely and effectively work from any location, hotels, cyber cafes, in fact wherever they need to access e-mail!

SSL Certificate Installation Instructions


Microsoft Outlook Web Access

Copy your web server certificate into a text editor such as notepad including the header and footer. You should then have a text file that looks like:

-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----

Make sure you have 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional characters have been inadvertently added. Copy your web server certificate into a text editor such as notepad and save as mydomain.cer.

Installing your web server certificate

1.Start IIS and right click Default Web Site and select Properties from the menu.

2.When the Properties appear, click on the Directory Security tab.

3.Click on Server Certificate and follow the on screen wizard:

4. Make sure that you have assigned Port 443 as the SSL port for https for your site. To do this, right click Properties for your website and make sure that 443 has been entered into the SSL port box:

Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://mydomain/) to indicate you wish to use secure HTTP. The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.

Now activate SSL for your Exchange Virtual Directory:.

Now when users enter http://www.mydomain.com/exchange, they will receive an "HTTP 403.4 - Forbidden: SSL required Internet Information Services" error message, because we have configured OWA to require SSL. SSL uses the HTTPS protocol, so users would need to enter the url as https://www.mydomain.com/exchange.

More information to force SSL only connections:



Microsoft has written an article about forcing the use of SSL with OWA: http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q279681

One final step that you may need to take is to ensure that your Firewall / router is configured to allow HTTPS (port 443 by default) to pass through.