Exchange Authentication. Watchguard XCS

Secure WebMail

Secure WebMail and OWA 2003 Configuration Issues

The following sections describe certain issues that may arise when running OWA 2003 with the Secure WebMail proxy.

Exchange Authentication

In OWA 2003, users must be authenticated before gaining access to resources on the Exchange server. There are two different folders that require configuration: Exchange and Exchweb.

1. Examine the Properties menu of the Exchange folder.

2. Select Directory Security.

3. Select Authentication and Access Control.

4. Click Edit.

5. Make sure that Basic Authentication is enabled.

Anonymous access

The Exchweb folder only requires anonymous access to allow access to webmail images.

To view the available options:

1. Examine the Properties menu of the Exchweb folder.

2. Select Directory Security.

3. Select Authentication and Access Control.

4. Click Edit.

A common configuration issue with integrating the WatchGuard XCS and OWA 2003 is that anonymous access may be turned off for the Exchweb folder for security reasons before implementing the WatchGuard XCS. After the WatchGuard XCS is installed and the Secure WebMail proxy enabled, the OWA server will not be accessible.

If OWA is not accessible, you may see one of the following symptoms:

• When logging in, icons like the Inbox, Calendars, Contacts, and Folders are not displayed.

• When accessing the interface by clicking on any of the functions, the session logs out.

Enabling Anonymous access on the Exchweb Authentication Methods screen will resolve this issue.

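Although enabling anonymous access may seem insecure, users have already been authenticated by the WatchGuard XCS when they log in. In this configuration, the WatchGuard XCS acts as the first point of authentication for Secure WebMail and OWA access. This only holds for connections that pass through the WatchGuard XCS, so combine it with the settings under IP Address and domain name restrictions so that the Exchweb folder accepts connections only from the WatchGuard XCS system.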

IP Address and domain name restrictions

IIS can be used to administer access control for hosted web sites. This feature can also be used for controlling access to OWA.

To configure IP address restrictions:

1. Select the Properties menu of the Exchweb folder.

2. Select Directory Security.

3. Select IP Address and Domain Name Restrictions.

4. Click Edit.

• When Granted Access is selected, all computers except the listed IP addresses, IP network ranges, or domain names will be granted access to OWA.

• When Denied Access is selected, all computers except those listed will be denied access.

When the WatchGuard XCS is deployed with OWA access, it acts on the requesting client’s behalf to establish the connection. As a result, the source IP address of the connection will be the IP address of the WatchGuard XCS system. When access control is set to deny access for the IP address of the WatchGuard XCS, users will not be able to access the OWA server properly and images on the screen will not be displayed.

The web server's log will show an error code of 403 for all the image files. The log files can be found in the following directory:

System root\WINNT\System32\LogFiles\W3SVC1

To enable the image files, the address of the WatchGuard XCS can be added to the list of IP addresses that are allowed access. With these types of IP address restrictions, a typical secure configuration is to only allow access from the IP address of the WatchGuard XCS system. All users should then be directed to the IP address or host name of the WatchGuard XCS for web mail access. With this configuration, all connections can be secured by the WatchGuard XCS.
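
The log check described above can be scripted. The following is an added example, not part of the WatchGuard manual: it parses IIS 6.0 W3C extended log text and counts 403 responses under /exchweb/ per client address and sub-status (IIS records 403.6 when an IP address is rejected). The log lines, the addresses and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS 6.0 W3C extended log format. 192.0.2.10 stands in
# for the WatchGuard XCS address and 198.51.100.7 for a client that bypasses it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-03-02 14:05:11 10.0.0.5 GET /exchweb/img/logo.gif - 80 - 192.0.2.10 Mozilla/4.0 403 6 5
2009-03-02 14:05:11 10.0.0.5 GET /exchweb/img/view.gif - 80 - 192.0.2.10 Mozilla/4.0 403 6 5
2009-03-02 14:05:12 10.0.0.5 GET /exchange/user1/Inbox - 80 user1 192.0.2.10 Mozilla/4.0 200 0 0
2009-03-02 14:07:40 10.0.0.5 GET /exchweb/img/logo.gif - 80 - 198.51.100.7 Mozilla/4.0 403 6 5
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))


def exchweb_403_by_client(text):
    """Count 403 responses under /exchweb/ per (client IP, sub-status)."""
    hits = Counter()
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if row.get("sc-status") == "403" and stem.startswith("/exchweb/"):
            hits[(row.get("c-ip", "?"), row.get("sc-substatus", "?"))] += 1
    return hits


def proxy_is_blocked(text, proxy_ip):
    """True when the proxy's own address is refused on /exchweb/ content."""
    return any(ip == proxy_ip for ip, _ in exchweb_403_by_client(text))


if __name__ == "__main__":
    for (ip, sub), n in sorted(exchweb_403_by_client(SAMPLE_LOG).items()):
        print(f"{ip}  403.{sub}  {n} request(s)")
    print("XCS blocked:", proxy_is_blocked(SAMPLE_LOG, "192.0.2.10"))
```

With the allow-only-the-XCS configuration described above, 403 entries for other client addresses are the expected result of the restriction; 403 entries for the WatchGuard XCS address itself indicate the misconfiguration this section describes.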

User protocol settings

Each user's protocol settings can be modified to restrict or allow access to POP3, IMAP, and OWA. When there are problems accessing OWA, these settings should be examined and verified.

To view the protocol setting for each user:

1. Open Active Directory Users and Computers.

2. Right-click on the user account that needs to be modified and view its properties.

3. Navigate to the Exchange Features tab.

This menu can only be accessed after enabling the View > Advanced Features option.

4. Make sure Outlook Web Access in the Protocols section is enabled.

If this is not enabled, logging in to the OWA server via the WatchGuard XCS will result in the “HTTP/1.0 403 Forbidden” error.

Local NTFS Permissions

As the WatchGuard XCS only supports anonymous access, the account that is used for anonymous access needs to have the appropriate permissions for accessing local Exchange resources.

To configure the permissions:

1. In the IIS configuration, right-click on the Exchweb folder.

2. Select Properties.

3. Select Directory Security.

4. Select Authentication and Access Control.

5. Click Edit.

6. The default account that is used for anonymous access should be IUSR_<computer name>.

If the computer name is OWAPC, the user account will be IUSR_OWAPC. Ensure that this user has permissions for the following directory:

System Root\Program Files\Exchsrvr\exchweb

7. Right-click on the directory and select Properties.

8. Select the Security tab.

9. Make sure that the Authenticated Users group has Read & Execute, List Folder Contents, and Read permissions set to Allow.

The Authenticated Users group includes the anonymous user (IUSR_<computer name>) as specified by IIS.
