Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism



Information in this document is subject to change without notice. This document may be distributed freely only in whole; no alterations are allowed without the express written consent of the author, St. Bernard Software, Inc. 2004-2005 St. Bernard Software, Inc. All rights reserved. St. Bernard Software is a trademark of St. Bernard Software, Inc. All other product and corporate names may be trademarks or registered trademarks, and are used only for identification, without intent to infringe. For more information about St. Bernard Software and eprism, see http://www.stbernard.com/eprism.

Contact Information

St. Bernard Software (North America, South America, Pacific Rim)
15015 Avenue of Science, San Diego, CA 92128
Tel: 858.676.2277, Fax: 858.676.2299
Sales: 800.782.3762
Technical Support: 858.676.5050, Fax: 858.676.5055, E-mail: eprism-support@stbernard.com

St. Bernard Software (Europe, Asia, Africa)
Unit 4, Riverside Way, Watchmoor Park, Camberley, Surrey, UK GU15 3YQ
Tel: 44.1276.401.640, Fax: 44.1276.684.479
Technical Support: 44.1276.401.642, E-mail: support@uk.stbernard.com

Table of Contents

Contact Information
Introduction
Enabling the Secure WebMail OWA Proxy
Integration with OWA 2000 on a Windows 2000 Server
Issues with Configuring eprism and OWA 2000
  Anonymous Access and Authentication Control
  IP Address and Domain Name Restrictions
  User Protocol Settings
  Local NTFS Permissions
  Exchange 2000 Service Pack 3
Accessing OWA with RADIUS Authentication
  Installing a RADIUS Server on the Windows 2000 Domain
    Installing IAS
    Register IAS Server with Active Directory
    Add eprism as a RADIUS Client
    Enable the Remote Access Policy
    Enable Dial-in Permission for a User
  Enabling RADIUS on eprism

Last Revision: 11/1/2005. Copyright 2005 St. Bernard Software.

Introduction

The Secure WebMail proxy provides a controlled path for reaching Microsoft OWA (Outlook Web Access) from the Internet. OWA presents an interface very similar to Outlook and gives users a convenient remote view of their Exchange mailboxes: mail, contacts, calendar and so on, from a web browser. Because OWA is reachable from the Internet, it also presents a number of security challenges. The Secure WebMail Proxy feature is designed to support OWA while shielding the Exchange server from direct Internet attacks.

The OWA connection is handled by a full application proxy. eprism terminates the external client's connection and issues its own HTTP/HTTPS requests to the internal OWA Exchange server, so the OWA server never receives a connection that originates on the Internet. This keeps raw network contact away from IIS and Exchange; it does not change what an authenticated user can do inside OWA itself.

The following two deployments describe how OWA can be secured with eprism (the original diagrams are not reproduced here):

Setup 1: eprism deployed with two interfaces. Internet -> eprism (public interface / private interface) -> OWA on the private network.

Setup 2: eprism deployed in the DMZ. Internet -> firewall (public interface) -> eprism on the DMZ network -> OWA on the private network.

In Setup 1, eprism uses two interfaces: one on the private network and one on the public network. OWA users connect to the OWA interface through eprism's public interface; eprism then proxies the traffic through its private interface to the OWA server. The OWA server only ever sees requests that eprism has re-created, never the original client connection.

In Setup 2, eprism is deployed in the DMZ. OWA users first connect to the public interface of the firewall, which forwards the traffic to eprism; eprism re-creates the requests and forwards them to the OWA server. On the firewall, inbound TCP port 443 must be opened from the public interface to the DMZ so that traffic can flow from the Internet to eprism. TCP port 80 or 443 (whichever matches the OWA URL configured on eprism, below) must also be opened from the DMZ to the private network so that eprism can reach the OWA server. Prefer 443 for that leg: with an http:// OWA address, the mailbox traffic and any forwarded user credentials cross the internal network in clear text.

Enabling the Secure WebMail OWA Proxy

Configure the OWA proxy on eprism by selecting User Accounts, and then Secure WebMail, from the menu. Add an OWA-enabled machine as follows:

1. Click the Add Server button.
2. In the Address field, specify the URL of the page where OWA is located, such as http://owa.stbernard.com/exchange/.
3. In the Label field, enter an optional name to describe this server.
4. Select the users that will be allowed to use OWA by clicking the corresponding check box. This option can also be enabled from the user's mailbox properties.
5. If the Try eprism mail client ID/Login first option is enabled, the user's eprism username and password are sent on to the Exchange server. If it is not checked, eprism prompts the user for a separate Exchange password.

Integration with OWA 2000 on a Windows 2000 Server

OWA (Outlook Web Access) provides access to Exchange server mailboxes and folders through a standard web browser, with the advantage of platform independence. The version of OWA included with Microsoft Exchange 2000 Server is OWA 2000. OWA is installed by default with Exchange 2000 Server, and by default it allows all users access to their mailboxes and public folders immediately after installation, with no additional configuration. eprism uses an application proxy to give users OWA access through a secure channel; there are some noticeable differences in the user interface when OWA is reached through eprism.

[Figure: OWA interface as presented through eprism]

OWA 2000 uses IIS 5.0 (Internet Information Services) to front the Exchange server. Directory security, authentication and access control are all configured in the Internet Information Services management console (MMC), reached from the Administrative Tools menu of the Windows 2000 server. The Exchweb folder stores most of the content required to run OWA.

[Figure: Internet Information Services management console]

Issues with Configuring eprism and OWA 2000

The following describes issues that may arise when running OWA 2000 behind eprism.

Anonymous Access and Authentication Control

In OWA 2000, users must be authenticated before gaining access to resources on the Exchange server. Four authentication methods are available: Anonymous, Basic Authentication, Digest Authentication and Integrated Windows Authentication. To view them, open the properties of the Exchweb folder, click Directory Security, then under Anonymous Access and Authentication Control click Edit. The Authentication Methods dialog shows which methods are enabled; the defaults are shown in the original figure, which is not reproduced here.

eprism only supports anonymous access to this folder, so the default settings work with eprism. Anonymous access does not require a user name and password, and when it is checked the other three methods are ignored for that folder.

Note: Enabling Basic authentication together with Anonymous access may make the OWA server inaccessible from eprism.

A common configuration issue when integrating eprism with OWA 2000 is that anonymous access has been turned off for security reasons before eprism is introduced. After eprism is installed and the Secure WebMail proxy enabled, the OWA server is then not accessible.

If OWA is not accessible, you may see one of the following symptoms:

- When logging in, icons such as Inbox, Calendar, Contacts and Folders are not displayed.
- When you click any of the functions in the interface, the session logs out (the original figure of this state is not reproduced here).

Enabling Anonymous access from the Authentication Methods screen should solve this problem. Although enabling anonymous access may seem insecure, users have already been authenticated by eprism when they log in; in this setup eprism is the first point of authentication for Secure WebMail. That reasoning only holds if eprism is the only way to reach the OWA server: pair anonymous access with the IP address restrictions described in the next section so that IIS accepts OWA requests from the eprism address alone, and do not expose the OWA server's own address to the Internet.

IP Address and Domain Name Restrictions

IIS can restrict access to hosted web sites by client address, and this can also be used to control access to OWA. From the properties of the Exchweb folder, click Directory Security, then under IP Address and Domain Name Restrictions click Edit. When Granted Access is selected, all computers are granted access to OWA except the listed IP addresses, IP network ranges and/or domain names. When Denied Access is selected, all computers are denied access except those listed.

When eprism is deployed in front of OWA, it establishes the connection on the requesting client's behalf, so the source IP address that IIS sees is the IP address of the eprism system, not the user's. If the restrictions deny the eprism address, users will not be able to use the OWA server properly: the page loads but the images do not (the original figure is not reproduced here).

The web server's log will show status code 403 for all the image files. The IIS log files are in the following directory (on Windows 2000, %SystemRoot% is normally C:\WINNT):

%SystemRoot%\system32\LogFiles\W3SVC1

To make the image files load, add the IP address of eprism to the list of addresses that are allowed access. With this type of restriction, a sound configuration is to allow access only from the IP address of the eprism system, with Denied Access selected for everyone else. All users are then directed to the IP address or host name of eprism for web mail access, and every OWA connection passes through eprism.

User Protocol Settings

In Windows 2000, each user's protocol settings can be modified to restrict or allow access over POP3, IMAP and HTTP (OWA). When there are problems accessing OWA, verify these settings. The protocol settings for a user are viewed in Active Directory Users and Computers: right-click the user account, select Properties, and go to the Exchange Advanced tab.

Note: This tab is only visible after enabling the View > Advanced Features option.

Click the Protocol Settings button.

Select HTTP and verify that the Enable for mailbox option is checked. If it is not, logging on to the OWA server through eprism results in an HTTP/1.0 403 Forbidden error.

Local NTFS Permissions

Since eprism only supports anonymous access, the account used for anonymous access needs the appropriate permissions on the local Exchange resources. In Internet Information Services, right-click the Exchweb folder and select Properties. Choose Directory Security, then under Anonymous Access and Authentication Control click Edit. Under Anonymous Access, next to Account used for anonymous access, click Edit. The default anonymous account is IUSR_<computer name>; if the computer name is OWAPC, the account is IUSR_OWAPC.

Ensure that this account has permissions on the following directory on the system drive (for example C:\Program Files\Exchsrvr\exchweb):

<system drive>\Program Files\Exchsrvr\exchweb

Right-click the directory, select Properties, then the Security tab, and ensure that Authenticated Users have Read & Execute, List Folder Contents and Read set to Allow. The Authenticated Users group includes the anonymous user (IUSR_<computer name>) specified in Internet Information Services. Grant no more than these read-only rights; the anonymous account must not be able to write to the exchweb tree.
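The two 403 symptoms described above (static files under Exchweb denied when the IP restriction blocks eprism's address, and a 403 on the mailbox URL when HTTP is disabled for the user) can be told apart from the W3SVC1 log. The following Python script is an added example, not part of this note and not eprism or Microsoft code: it parses the IIS 5 default W3C extended log fields and classifies 403 responses by path and client address. The eprism address 192.0.2.10, the server address, the user names and every log line are constructed for the example.

```python
"""Triage IIS 5 W3C extended log lines for the 403 symptoms this note describes.

Added example, not part of the St. Bernard note. Assumptions: eprism's address is
192.0.2.10 (a documentation-range placeholder), the log uses the IIS 5 default
W3C field list, and the sample lines below are constructed, not captured.
"""
from collections import defaultdict

# Constructed sample in the IIS 5 default W3C extended format. Not real data.
# IIS writes field values with spaces replaced by '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-11-01 14:02:11
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-11-01 14:02:11 192.0.2.10 - 10.1.1.5 80 GET /exchange/jsmith/Inbox/ - 200 Mozilla/4.0
2005-11-01 14:02:12 192.0.2.10 - 10.1.1.5 80 GET /exchweb/img/logo.gif - 403 Mozilla/4.0
2005-11-01 14:02:12 192.0.2.10 - 10.1.1.5 80 GET /exchweb/img/inbox.gif - 403 Mozilla/4.0
2005-11-01 14:02:12 192.0.2.10 - 10.1.1.5 80 GET /exchweb/controls/ctrl_Navbar20.js - 403 Mozilla/4.0
2005-11-01 14:03:40 192.0.2.10 - 10.1.1.5 80 GET /exchange/bjones/ - 403 Mozilla/4.0
2005-11-01 14:05:01 10.1.1.77 - 10.1.1.5 80 GET /exchweb/img/logo.gif - 200 Mozilla/4.0
"""

EPRISM_IP = "192.0.2.10"  # assumed address of the eprism system
STATIC_EXT = (".gif", ".jpg", ".js", ".css", ".htc")  # static content served from Exchweb


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines we cannot map (for example a truncated last line)
        yield dict(zip(fields, values))


def triage(text):
    """Return {client ip: {"static_403": n, "mailbox_403": [paths], "total": n}}."""
    report = defaultdict(lambda: {"static_403": 0, "mailbox_403": [], "total": 0})
    for rec in parse_w3c(text):
        ip, path, status = rec["c-ip"], rec["cs-uri-stem"].lower(), rec["sc-status"]
        report[ip]["total"] += 1
        if status != "403":
            continue
        if path.startswith("/exchweb/") and path.endswith(STATIC_EXT):
            report[ip]["static_403"] += 1       # IP restriction or NTFS rights on exchweb
        elif path.startswith("/exchange/"):
            report[ip]["mailbox_403"].append(rec["cs-uri-stem"])  # per-user HTTP protocol
    return dict(report)


def diagnose(report, proxy_ip=EPRISM_IP):
    """Map the counts for the proxy address onto the two causes the note names."""
    findings = []
    r = report.get(proxy_ip)
    if r is None:
        findings.append("no requests from eprism: check the Address field and the firewall path")
        return findings
    if r["static_403"]:
        findings.append("static files under /exchweb denied for eprism: check IP and Domain "
                        "Name Restrictions and the NTFS rights on exchweb")
    for p in r["mailbox_403"]:
        findings.append("mailbox 403 on %s: check the user's HTTP protocol setting "
                        "(Enable for mailbox)" % p)
    return findings


if __name__ == "__main__":
    for line in diagnose(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a copy of the current ex*.log file from W3SVC1 by passing the file contents to triage(). A burst of 403s on /exchweb from the eprism address alone, while other internal addresses get 200 for the same files, is the signature of the IP restriction case; a 403 on a single /exchange/<user>/ path with the static files loading normally points at that user's protocol settings instead.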

Exchange 2000 Service Pack 3

Exchange 2000 Service Pack 3 was released in July 2002. It includes a large number of bug fixes and some added features, a few of which affect eprism.

Note: For a list of the bug fixes in Service Pack 3, see http://www.microsoft.com/exchange/downloads/2000/sp3/default.asp

After Service Pack 3 is installed, the OWA logo changes and a Logoff button is added to the left menu.

[Figure: different logo and added Logoff button after Service Pack 3]

A known problem with public folders not being accessible from OWA in Exchange 2000 is fixed in Service Pack 3. If you notice problems accessing public folders, ensure that Service Pack 3 is installed.

Accessing OWA with RADIUS Authentication

RADIUS authentication for OWA users is supported by eprism Mail Firewall version 2.0.1 and above. The main advantage of this option is that the user database on the Windows 2000 domain controllers can be used to authenticate OWA access through eprism. To allow RADIUS authentication, Internet Authentication Service (IAS) must be installed on a Windows 2000 server. The service is included on the Windows 2000 Server CD but is not installed by default.

Caution: When using RADIUS authentication, do not create the same users locally on eprism. If a user exists both on eprism and in the Windows 2000 domain, that user will not be able to log in.

Installing a RADIUS Server on the Windows 2000 Domain

To allow a Windows 2000 server to authenticate users with RADIUS, Internet Authentication Service (IAS) must be installed, and Routing and Remote Access must also be running. With IAS installed, user information is retrieved from the Windows 2000 domain controller; the RADIUS server does not need to run on the domain controller itself. When eprism sends an authentication request, the RADIUS server queries the domain controller on eprism's behalf, so existing accounts in the Windows 2000 domain can be used for OWA access.

Installing IAS

1. Select Add/Remove Programs in Control Panel.
2. Select Add/Remove Windows Components.
3. Highlight Networking Services and click Details.
4. Select the Internet Authentication Service check box.
5. Click Next to install the service.

Register IAS Server with Active Directory

To give IAS read access to the domain controller, the Windows 2000 server running IAS must be registered with Active Directory:

1. Launch Internet Authentication Service: click Start, then Administrative Tools, then Internet Authentication Service.
2. Right-click Internet Authentication Service.
3. Select Register server with Active Directory.

Add eprism as a RADIUS Client

1. Launch IAS.
2. Click Clients.
3. Right-click an empty area and choose New Client.
4. Specify a name to identify the client (eprism).
5. Ensure the protocol is set to RADIUS.
6. Click Next.
7. Specify the IP address of the eprism system.
8. Ensure that Client-Vendor is set to RADIUS Standard.

9. Enter the Shared Secret. It must be the same as the one specified on eprism. Use a long, random value: with PAP it is the only key protecting user passwords in transit between eprism and IAS.
10. Click Finish.

Enable the Remote Access Policy

1. Launch IAS.
2. Click Remote Access Policies.
3. Select the Allow access if dial-in permission is enabled policy and click Edit.

4. Select Grant remote access permission.
5. Click the Edit Profile button.
6. Select the Authentication tab.

7. Select the Unencrypted Authentication (PAP, SPAP) check box. eprism sends the user's password to IAS with PAP, so this method must be enabled; PAP hides the password only with the RADIUS shared secret, so keep the eprism-to-IAS path on a trusted network segment.
8. Click OK to close the Edit Profile dialog.
9. Click OK again to close the policy's properties.

Enable Dial-in Permission for a User

1. Launch Active Directory Users and Computers on the domain controller.
2. Double-click the user name.
3. Select the Dial-in tab.
4. Select Allow access.
5. Click OK.

Enabling RADIUS on eprism

To configure RADIUS, select User Accounts, and then Remote Auth, from the menu. Add a RADIUS server as follows:

1. Enter the IP address and shared secret of the RADIUS server, and then click Add.
2. Select all accessible OWA servers in the Accessible Servers section and click Apply.
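To make concrete what the Shared Secret and the Unencrypted Authentication (PAP, SPAP) choices in the IAS steps above mean on the wire, here is an added example, not from the original note and not eprism or IAS code, that plays both sides of the RADIUS exchange in Python. The client builds an Access-Request with a PAP User-Password hidden as RFC 2865 specifies, the server recovers the password with the same secret, checks it against a constructed user table standing in for the domain, and returns an Access-Accept or Access-Reject whose Response Authenticator the client verifies. The secret, user name, password and the 192.0.2.10 NAS address are placeholders.

```python
"""RADIUS Access-Request / Access-Accept exchange with a PAP User-Password (RFC 2865).

Added example, not part of the St. Bernard note and not eprism or IAS code. It
plays both sides in-process: "eprism" builds the request, "IAS" checks the
password against a constructed user table and answers. The secret, user,
password and addresses are placeholders chosen for the example.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, then block XOR MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: the server needs the same secret to get plaintext back.
    Trailing NULs are padding, so a password ending in NUL bytes is not representable."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Client side (eprism). Returns (packet, request_authenticator)."""
    ra = authenticator or os.urandom(16)  # 16 random bytes, fresh per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    return pkt, ra


def radius_server(packet, secret, users):
    """Server side (IAS). users: {name: password}. Returns the response packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = packet[4:20], _parse_attrs(packet[20:length])
    name = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    ok = name in users and pw == users[name].encode()
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator (RFC 2865 section 3): MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    return head + hashlib.md5(head + ra + secret).digest()


def check_response(response, request_auth, secret, ident):
    """Client side: verify the Response Authenticator before trusting the code."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if response[4:20] != expected:
        return None  # forged reply or mismatched secret: do not accept
    return code


def authenticate(username, password, client_secret, server_secret, users):
    """One round trip; returns 'accept', 'reject' or 'invalid' (bad Response Authenticator)."""
    ident = 7
    pkt, ra = build_access_request(ident, username, password, client_secret, "192.0.2.10")
    resp = radius_server(pkt, server_secret, users)
    code = check_response(resp, ra, client_secret, ident)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


USERS = {"jsmith": "Winter2005!"}  # constructed user table standing in for the domain

if __name__ == "__main__":
    print(authenticate("jsmith", "Winter2005!", b"s3cret", b"s3cret", USERS))  # accept
    print(authenticate("jsmith", "wrong", b"s3cret", b"s3cret", USERS))        # reject
    print(authenticate("jsmith", "Winter2005!", b"s3cret", b"other", USERS))   # invalid
```

The third call shows the failure mode the note warns about: with mismatched secrets the server cannot recover the password, so it rejects, and the client cannot verify the reply either, so eprism would treat it as no usable answer. The same code shows why the secret must be strong and the path trusted: PAP hiding is an MD5 keystream derived from the secret and the 16-byte Request Authenticator, so anyone who captures the eprism-to-IAS traffic and knows or guesses the secret recovers domain passwords offline.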