WebApp Sec: Securing Outlook Web Access (OWA)

Securing Outlook Web Access (OWA)

From: <pierre-luc.levasseur_at_laposte.net>
Date: Tue, 14 Oct 2003 10:55:12 +0200

Hello! I am currently looking for a way to secure the deployment of several Outlook Web Access servers (WebMail for MS Exchange 2000). These are our project specifications:

We have about 20 OWA servers over a worldwide Intranet. Each OWA server is autonomous (independent list of addresses) but with a unique point of access available via the Internet. Thus each user (regardless of the OWA server hosting the user's mailbox) connects with a unique URL: https://mail.mycompany.com

The HTTP reverse proxy must perform the following operations:

- Perform a user authentication with an X509 client certificate
- If the X509 certificate is valid: HTTP authentication via an LDAP server
- If the authentication is valid, then redirect automatically to the appropriate OWA server (owa-x.mycompany.com). The redirection changes the hostname, but all the redirected flows must pass through the Reverse Proxy (unique point of entry obligatory for all the Webmail flows).
- The authentication must be (if possible) Single Sign On, which means that the user doesn't have to reauthenticate himself when reaching the final OWA server.
- An applicative flow control must be integrated to avoid all OWA server attacks (XSS, SQL injection, session hijacking, etc.)

One LDAP list of addresses for all the users is used. It contains the following elements:

- Login user name (for HTTP authentication)
- Login user password (for HTTP authentication)
- DN field for the X509 certificate (to verify the username/certificate association)
- URL for the OWA server associated with the user (for the redirection)

The connection between the Reverse Proxy and the LDAP server must be secure (LDAPS).

I am in the process of testing Axiliance's RealSentry Appliance. The product seems to correspond perfectly to our needs and I would like to know if you have any feedback on your experience of this product. If you know another product meeting these specifications, I would be very grateful if you would contact me.

Best Regards,
Pierre Luc LEVASSEUR
pierre-luc.levasseur@laposte.net

Access La Poste e-mail: www.laposte.net ; 3615 LAPOSTENET (€0.34/min) ; tel: 08 92 68 13 50 (€0.34/min)
Received on Oct 14 2003
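The authentication chain the post asks the reverse proxy to perform (client certificate, then LDAP credentials, then the certificate-DN/username binding, then routing to the user's OWA server) can be written as one decision function. The block below is an added illustration, not code from the post or from the RealSentry product; the in-memory DIRECTORY dict stands in for the LDAPS directory, and all user names, DNs, hashes and URLs are constructed. It also enforces the post's "unique point of entry" requirement by refusing any backend URL outside the known owa-x.mycompany.com set, so a tampered directory attribute cannot turn the redirect into an open redirect.

```python
"""Decision logic for the OWA reverse proxy's authentication chain (added example)."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlparse

_SALT = b"constructed-salt"  # constructed; a real directory stores a per-user salt


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the LDAPS directory: one entry per user holding the four
# attributes listed in the post (login, password hash, certificate DN, OWA URL).
DIRECTORY = {
    "alice": {
        "cert_dn": "CN=Alice Example,OU=Users,O=MyCompany,C=FR",
        "pw_hash": _pbkdf2("correct horse", _SALT),
        "owa_url": "https://owa-3.mycompany.com/exchange/",
    },
    "bob": {  # stale/tampered attribute: points outside the OWA farm
        "cert_dn": "CN=Bob Example,OU=Users,O=MyCompany,C=FR",
        "pw_hash": _pbkdf2("hunter2", _SALT),
        "owa_url": "https://mail.elsewhere.example/",
    },
}

# The only backends the proxy is allowed to forward to (unique point of entry).
ALLOWED_OWA_HOSTS = {f"owa-{i}.mycompany.com" for i in range(1, 21)}


def _normalize_dn(dn: str) -> str:
    # Simplified DN comparison: trims RDN spacing and ignores case.
    return ",".join(part.strip().lower() for part in dn.split(","))


def authorize(cert_dn: Optional[str], user: str, password: str) -> Optional[str]:
    """Return the OWA backend URL for this user, or None if any step fails."""
    if not cert_dn:  # step 1: TLS layer presented no valid client certificate
        return None
    entry = DIRECTORY.get(user)
    if entry is None:
        return None
    if not hmac.compare_digest(_pbkdf2(password, _SALT), entry["pw_hash"]):
        return None  # step 2: HTTP credentials rejected
    if _normalize_dn(cert_dn) != _normalize_dn(entry["cert_dn"]):
        return None  # step 3: certificate is not bound to this login
    if urlparse(entry["owa_url"]).hostname not in ALLOWED_OWA_HOSTS:
        return None  # step 4: never redirect outside the proxied OWA farm
    return entry["owa_url"]
```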
