
Secure OWA with SSL

Discussion in 'Software' started by danielno8, Apr 20, 2009.

  1. danielno8

    danielno8 Gigabyte Poster

    hey guys,

    do any of you use your own CA for this, or do you buy SSL certs?

    What's the benefit in using paid-for instead of setting up your own CA?

    Daniel
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  2. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    We buy SSL certs. If you use your own created SSL cert for PCs outside your domain they will have to manually import your cert, otherwise it'll come up with the:

    or something along those lines message, every time they come to use the service on your server, e.g. OWA.

    Plus according to an article on Vedetta.com:

    The benefits of using self-signed certs: Free

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  3. craigie

    craigie Terabyte Poster

    We use Verisign, which means if anyone hacks in they are responsible and not us, as they provide the encryption.

    Also, if your Users will be logging in from home they will not have any issues as Verisign is a Trusted Publisher.

    If you use your own CA, then the main difference would be you are responsible and cannot point the finger at anyone else. Your Users (unless they have logged into the Domain on their PC or you have set up Autoenrolment for VPN usage) will not trust the CA automatically. Could just tell them to check the Certificate is from 'x' and if so then go ahead to emails.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
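
Added example (not part of any post in this thread): the trust behaviour wagnerk and craigie describe, reproduced offline with the openssl CLI. The CA name and the host name owa.example.test are made-up values for the demonstration.

```shell
#!/bin/sh
# Constructed demo; the CA name and owa.example.test are made-up values.
# Needs the openssl command-line tool. Nothing touches the network.

# Succeeds only if `openssl verify` reports the certificate as OK.
verifies() { openssl verify "$@" 2>/dev/null | grep -q ': OK$'; }

demo_private_ca() {
    dir=$(mktemp -d) || return 1

    # 1. "Your own CA": a self-signed root that only you know about.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # 2. Key and signing request for the OWA host.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=owa.example.test" \
        -keyout "$dir/owa.key" -out "$dir/owa.csr" 2>/dev/null || return 1

    # 3. The private CA issues the server certificate.
    openssl x509 -req -in "$dir/owa.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/owa.crt" 2>/dev/null || return 1

    # 4. Home PC: only the machine's default roots, so the issuer is unknown
    #    and the browser would show its certificate warning.
    if verifies "$dir/owa.crt"; then outside=trusted; else outside=untrusted; fi

    # 5. Domain PC, or a home PC after importing ca.crt: the chain validates.
    if verifies -CAfile "$dir/ca.crt" "$dir/owa.crt"; then
        managed=trusted
    else
        managed=untrusted
    fi

    rm -rf "$dir"
    echo "default-roots=$outside ca-imported=$managed"
}

demo_private_ca
```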
  4. danielno8

    danielno8 Gigabyte Poster

    Thanks for the replies guys!

    Don't know why our OWA has never had SSL set up (actually I do know why but probably not best to post on a forum where person in question may come across it)

    Only now I am getting the confidence to start speaking up about this sort of thing to try and get it fixed! Are most providers the same price range in your experience? On the vendors' sites there are many different options for certificates, any recommendations on a particular certificate to get?

    Thanks again
    Daniel
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  5. Triton.Deep

    Triton.Deep Bit Poster

    Generally speaking:

    If the site or service is going to be internet facing, use well known 3rd party certs.

    If you are securing sites or services where you control all computers and communications, use self-signed.

    For example, when I set up Outlook Web Access for my employees to use from home, I use a cert from Verisign. However, when I secure SSL/TLS communications between multi-tiered internal servers, I use self-signed because I control all the systems.

    Each has its place and its application and its advantages. However, I will say this, certs exist for two reasons:

    1) Authenticate that the server is who it says it is
    2) Encrypt the communications between that server and its client.

    While it's often possible to configure it, my opinion would be that we should never use untrusted/self-signed certs because it results in a higher probability of data/authentication credential compromise.

    J.
     
    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
  6. wagnerk
    Highly Decorated Member Award

    wagnerk aka kitkatninja Moderator

    While SSL certs from Verisign are great, they also come with a great price tag. We use SSL certs from GoDaddy, which are cheaper but only have a 99% browser recognition (which in my opinion is ok, since the majority of people use either: IE, FF, Safari or Chrome nowadays) :)

    You can see the comparison chart here on the different types of SSL certs that GoDaddy offer.

    -Ken
     
    Certifications: CITP, PGCert, BSc, HNC, LCGI, PTLLS, MCT, MCITP, MCTS, MCSE, MCSA:M, MCSA, MCDST, MCP, MTA, MCAS, MOS (Master), A+, N+, S+, ACA, VCA, etc... & 2nd Degree Black Belt
    WIP: PGDip
  7. danielno8

    danielno8 Gigabyte Poster

    Thanks, will pitch those GoDaddy certs to my boss when he gets back! (once I have told him what SSL is lol)
     
    Certifications: CCENT, CCNA
    WIP: CCNP
