When it comes to Outlook Web Access (OWA) security, most people focus the majority of their efforts on securing the traffic that’s flowing between the client and the OWA front-end server. However, the vast majority of hacks are inside jobs and, therefore, your internal security shouldn’t be ignored. Once OWA traffic has already entered your network, you need a way to secure it. Here’s how it’s done.


Don’t forget to secure the Internet connection

Just as important as configuring OWA security between the back-end and front-end servers is securing the connection between the front-end server and the Internet. For more information about how to do so, see the Daily Drill Down “Secure traffic between the Internet and your OWA front-end server.”


Securing front-end and back-end traffic
You can use an SSL certificate to secure the traffic that flows between the ISA server and the OWA front-end server. However, you can’t use SSL to encrypt the traffic flowing between the OWA front-end and the Exchange back-end servers. Instead, you’ll have to rely on the IPSec protocol. This is good news, though, because IPSec is more secure than SSL.

Be aware that the IPSec encryption process consumes a lot of processing power and can really drain your network resources. If your Exchange server tends to handle a lot of network traffic, I recommend spending some extra money and buying IPSec-enabled NICs. These special NIC cards offload IPSec encryption from your system’s processor. IPSec encryption is handled by a dedicated microprocessor on the NIC itself.

If you’ve ever configured a firewall, the process of configuring the necessary IPSec policies won’t seem that unfamiliar to you. That’s because in addition to encrypting traffic, IPSec policies allow you to control which ports are open and which are blocked.

For the purpose of facilitating communications between the OWA front end and the Exchange back end, you will need to focus your attention on port 80, which is used for HTTP traffic. When configuring port 80, you’ll want to configure the Exchange back-end server to encrypt all inbound traffic that’s flowing over port 80. On the OWA front-end server, you’ll want to encrypt outbound traffic on port 80, but block inbound port 80 traffic.

The reason for this is that when the OWA server receives a communication from the ISA server, the communication is SSL-enabled and is therefore flowing across port 443. The OWA front-end server then sends traffic through outbound port 80 to the Exchange back-end server. This is why the OWA server needs to encrypt outbound port 80 traffic, and the Exchange back-end server needs to encrypt inbound port 80 traffic.

The reason inbound port 80 traffic is blocked on the OWA front-end server is that no port 80 traffic should be coming in to the OWA front-end server from the outside world. Also, the Exchange back-end server shouldn’t be sending any outbound port 80 traffic. Therefore, blocking inbound port 80 traffic on the OWA front-end server prevents any traffic that inadvertently left the Exchange back-end server unencrypted from escaping the network.

Creating the IPSec policy for the OWA front-end server
Now that you understand what the various IPSec policies need to accomplish, it’s time to actually create the policies you’ll be using. Begin by creating the IPSec policy for the OWA front-end server. To do so, open the Active Directory Users And Computers console, which is located on the Administrative Tools menu. When the console opens, navigate through the console tree to the organizational unit (OU) containing the OWA front-end server. You’ll find it in the Member Servers | Application Servers | Exchange 2000 | OWA Front-end Servers OU tree, or something similar. If you don’t have such a tree structure, before continuing, you need to organize your Exchange servers into OUs that group them by roles. This will prevent you from accidentally applying the IPSec policy to every server on your network.

Next, right-click on your OWA front-end server OU and select the Properties command from the resulting shortcut menu to display the OU’s properties sheet. Now select the Group Policy tab, select the OWA Front-end Incremental group policy object, and click Edit. This will open the Group Policy Editor.

Navigate through the group policy tree to Computer Configuration | Windows Settings | Security Settings | IP Security Policies On Active Directory. Right-click the IP Security Policies On Active Directory container and select the Manage IP Filter Lists And Filter Actions command from the resulting shortcut menu. Doing so will display the Manage IP Filter Lists And Filter Actions properties sheet.

Make sure that the Manage IP Filter List tab is selected, and then click the Add button to open the IP Filter List dialog box. In the dialog box’s Name field, enter Outbound TCP Port 80 – OWA Front End. Now enter a description that will reflect the idea that this filter applies to outbound traffic on TCP port 80 for the OWA front-end server.

Next, click the Add button to open the IP Filter Wizard. Click the Next button to bypass the welcome screen, and you’ll see a screen asking for a source address. Select My IP Address from the drop-down list and click Next.

On the following screen, select the Any IP Address option from the Destination Address field and click Next. The following screen asks you to select a protocol type. Select the TCP protocol, click Next on the next screen, and select the From Any Port radio button and the To This Port button. Enter 80 in the space provided and click Next and Finish. Your IP Filter List dialog box should now look like the one shown in Figure A.

Figure A
This is how the outbound port 80 filter should look for the OWA front-end server.

Now that we’ve created an outbound port 80 filter for the OWA front-end server, it’s time to build a filter for the inbound traffic. Click Close to return to the Manage IP Filter Lists And Filter Actions properties sheet. Click the Add button to reveal the IP Filter dialog box once again. This time, enter TCP Port 80 – OWA Front End in the Name field, and enter a description designating the filter as applying to inbound traffic on the OWA front-end server.

Next, click the Add button to open the IP Filter Wizard. Click the Next button to bypass the welcome screen, and you’ll see a screen asking for a source address. Select My IP Address from the drop-down list and click Next. On the following screen, select the Any IP Address option from the Destination Address field and click Next. The next screen you’ll encounter asks you to select a protocol type. Select the TCP protocol, click Next on the following screen, and select the From Any Port radio button and the To This Port button. Enter 80 in the space provided and then click Next and Finish. Click Close a couple of times to return to the main Group Policy Editor screen.

Right-click on the IP Security Policies On Active Directory container and select the Manage IP Filter Lists And Filter Actions command from the resulting shortcut menu. When you do, you’ll see the corresponding properties sheet appear. This time, though, select the properties sheet’s Manage Filter Actions tab. This is where we apply actions to the filters that we’ve already created. In this case, we’ll be applying the Block action to the inbound TCP port 80 filter.

From the Manage Filter Actions tab, click the Add button to launch the Filter Actions Wizard. Click Next to bypass the welcome screen, and you’ll see a dialog box asking for the new filter action’s name. Enter Block for the name and click Next. Now you’ll see a screen asking you to set the filter action behavior. Select the Block radio button and click Next and Finish.

We must now repeat the process to create an encrypt action that will be used with the outbound TCP filter for the OWA front end. To do so, click the Add button to launch the wizard again, and click Next to bypass the welcome screen. Now enter Encrypt into the Name field and click Next. This time, when you are asked for the filter action behavior, select the Negotiate Security option and click Next. Windows will now ask if you want to support communications with computers that don’t support IPSec.

Since you’re configuring communications between two Windows 2000 servers, IPSec should always be supported. Therefore, select the Do Not Communicate With Computers That Do Not Support IPSec radio button and click Next. You’ll now see a screen asking for the security method you want to use for the filter action. Select the High (Encapsulated Secure Payload) option and click Next. Windows will now display the wizard’s final screen. Before clicking the Finish button, select the Edit Properties check box.

At this point, you’ll see the New Filter Action properties sheet appear. Click the Add button to display the New Security Method dialog box. Select the Custom (For Expert Users) radio button and click the Settings button. This will display the Custom Security Method Settings dialog box. Only the Data Integrity And Encryption (ESP) check box should be selected. You must now set the Integrity Algorithm to MD5 and the Encryption Algorithm to 3DES, as shown in Figure B.

Figure B
Be careful to select the correct encryption settings.

Click OK twice to return to the New Filter Action properties sheet. Select the Custom security method and then click the Move Up button to move the security method to the top of the list. Then, click OK and Close.

Now it’s time to create the IP security policy, apply the filters, and specify the filter actions. To do so, right-click on the IP Security Policies On Active Directory container and select the Create IP Security Policy command from the resulting shortcut menu. This will launch the IP Security Policy Wizard.

Once you bypass the wizard’s welcome screen, you’ll see a dialog box asking for the new IP security policy’s name. For the policy name, enter Block Encrypt TCP 80 Traffic OWA FE, or something similar. On the following screen, make sure that the Activate Default Response Rule check box is selected and click Next. When the next screen appears, verify that the Windows 2000 Default (Kerberos V5 Protocol) radio button is selected and click Next.

On the next screen, be certain that the Edit Properties check box is selected and click the Finish button. This will open the properties sheet for the security rules that you just created. Click the Add button and click Next. On the resulting screen, the This Rule Does Not Specify A Tunnel radio button should be selected; click Next. Now select the All Network Connections radio button and click Next. Make sure that the Windows 2000 Default (Kerberos V5 Protocol) option is selected and click Next.

Now you’ll see a list of filters. Select the filter for inbound OWA traffic and click Next. On the following screen, select the option for the Block filter action and click Next. Now clear the Edit Properties check box and click Finish.

You must now repeat the process for outbound traffic and the encrypt filter action. To do so, click the Add button and click Next. On the resulting screen, the This Rule Does Not Specify A Tunnel radio button should be selected; click Next. Now check to see that the All Network Connections radio button is selected, and then click Next. Make sure that the Windows 2000 Default (Kerberos V5 Protocol) option is selected and click Next.

Now you’ll see a list of filters. Select the filter for outbound traffic and click Next. On the following screen, select the option for the Encrypt filter action and click Next. Clear the Edit Properties check box and click Finish.

The final step in the process is to apply the policy to the OWA front-end server. To do so, right-click on your Block/Encrypt TCP Port 80 traffic policy from within the Group Policy Editor and select the Assign command. Now close the Group Policy Editor and click OK. At this point, you must replicate the new group policy settings to the other domain controllers by opening a command prompt window and entering this command:
SECEDIT /refreshpolicy machine_policy /enforce

Press [Enter] and then reboot the server.

Creating the Exchange back-end server’s IPSec policy
Begin by creating the IPSec policy for the Exchange back-end server. To do so, open the Active Directory Users And Computers console, which is located on the Administrative Tools menu. When the console opens, navigate through the console tree to the OU containing the Exchange back-end server. If you followed the techniques found in my original article on securing Exchange servers by role, then this will be Member Servers | Application Servers | Exchange 2000 | Back-end Servers, or something similar.

Now right-click on your Exchange Back-end Server OU and select the Properties command from the resulting shortcut menu to display the OU’s properties sheet. Select the Group Policy tab, select the Back-end Incremental group policy object, and click Edit. This will open the Group Policy Editor.

Navigate through the group policy tree to Computer Configuration | Windows Settings | Security Settings | IP Security Policies on Active Directory. Right-click on the IP Security Policies On Active Directory container, and select the Manage IP Filter Lists And Filter Actions command from the resulting shortcut menu. Doing so will display the Manage IP Filter Lists And Filter Actions properties sheet.

Make sure that the Manage IP Filter List tab is selected and then click the Add button to open the IP Filter List dialog box. In the dialog box’s Name field, enter TCP Port 80 Exchange Back End. Now enter a description that will reflect the idea that this filter applies to inbound traffic on TCP port 80 for the Exchange back-end server.

Next, click the Add button to open the IP Filter Wizard. Click the Next button to bypass the welcome screen, and you’ll see a screen asking for a source address. Select My IP Address from the drop-down list and click Next. On the following screen, select the Any IP Address option from the Destination Address field and click Next. The next screen asks you to select a protocol type. Select the TCP protocol and click Next on the following screen; then select the From Any Port radio button and the To This Port button. Enter 80 in the space provided and click Next and Finish.

Now it’s time to create the IP security policy, apply the filters, and specify the filter actions. To do so, right-click the IP Security Policies On Active Directory container and select the Create IP Security Policy command from the resulting shortcut menu. This will launch the IP Security Policy Wizard. Click Next to bypass the wizard’s welcome screen, and you’ll see a dialog box asking for the new IP security policy’s name. For the policy name, enter Encrypt TCP 80 Traffic Exchange Back End, or something similar.

On the following screen, make sure that the Activate Default Response Rule check box is selected and click Next. When the next screen appears, verify that the Windows 2000 Default (Kerberos V5 Protocol) radio button is selected and click Next.

On the following screen, check to see that the Edit Properties check box is selected and click the Finish button. This will open the properties sheet for the security rules that you just created. Click the Add button and click Next. On the resulting screen, make sure that the This Rule Does Not Specify A Tunnel radio button is selected and click Next. Now, select the All Network Connections radio button and click Next. At this point, make sure that the Windows 2000 Default (Kerberos V5 Protocol) option is selected and click Next.

You’ll now see a list of filters. Select the filter for inbound Exchange back-end traffic and click Next. On the next screen, select the option for the Encrypt filter action and click Next. Now clear the Edit Properties check box and click Finish and Close.

The final step in the process is to apply the new policy to the Exchange back-end server. To do so, right-click your Encrypt TCP Port 80 traffic policy from within the Group Policy Editor and select the Assign command. Now close the Group Policy Editor and click OK. Now you must replicate the new group policy settings to the other domain controllers by opening a command prompt window and entering:
SECEDIT /refreshpolicy machine_policy /enforce

Press [Enter] and then reboot the server.
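As an added example that is not part of the original article, the script below expresses the same port 80 policy described in the two procedures above (block inbound TCP 80 and require encryption for outbound TCP 80 on the OWA front end; require encryption for inbound TCP 80 on the Exchange back end) using the NetSecurity cmdlets available on Windows Server 2012 and later, rather than the Windows 2000 Group Policy wizards. It assumes it is run elevated on the Exchange server itself (local policy store, not a GPO), that $Role and $PeerAddress are hypothetical parameters you supply, that the rule and set names are illustrative, and that SHA-256 and AES-256 stand in for the MD5 and 3DES choices the Windows 2000 dialog offered.

```powershell
<#
  Added example, not the article's own procedure. Equivalent of the IPSec
  filter lists, filter actions and rules built through the wizards above,
  scripted with the NetSecurity module (Windows Server 2012 and later).
  Assumptions: run elevated on the server itself; $Role and $PeerAddress are
  hypothetical inputs; display names are illustrative.
#>
param(
    [Parameter(Mandatory)][ValidateSet('FrontEnd', 'BackEnd')][string]$Role,
    [Parameter(Mandatory)][string]$PeerAddress   # IP address of the other Exchange server
)

# Main mode authentication: machine Kerberos, the same choice the wizard
# labels "Windows 2000 Default (Kerberos V5 Protocol)".
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'OWA-Kerberos' -Proposal $authProposal

# Quick mode: ESP with both integrity and encryption, matching the article's
# "Data Integrity And Encryption (ESP)" custom method. SHA-256/AES-256 are
# used instead of the MD5/3DES the Windows 2000 dialog offered.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'OWA-ESP-AES256' -Proposal $qmProposal

switch ($Role) {
    'FrontEnd' {
        # Outbound TCP 80 towards the back end must be carried inside ESP
        # (the article's "Encrypt" filter action on the outbound filter).
        New-NetIPsecRule -DisplayName 'OWA FE: require ESP for outbound TCP 80' `
            -Protocol TCP -RemotePort 80 -RemoteAddress $PeerAddress `
            -InboundSecurity None -OutboundSecurity Require `
            -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name

        # Nothing should reach the front end on plain TCP 80, so block it
        # (the article's "Block" filter action on the inbound filter).
        New-NetFirewallRule -DisplayName 'OWA FE: block inbound TCP 80' `
            -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block
    }
    'BackEnd' {
        # Inbound TCP 80 from the front end must arrive inside ESP
        # (the article's "Encrypt" action on the back-end inbound filter).
        New-NetIPsecRule -DisplayName 'Exchange BE: require ESP for inbound TCP 80' `
            -Protocol TCP -LocalPort 80 -RemoteAddress $PeerAddress `
            -InboundSecurity Require -OutboundSecurity None `
            -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name
    }
}

# Check: once the front end has talked to the back end, a quick mode security
# association for the peer should be listed here. An empty result after
# traffic has flowed means the rule did not match or negotiation failed.
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $PeerAddress }
```

Run it once per server with the matching role (for example, `.\owa-ipsec.ps1 -Role FrontEnd -PeerAddress 10.0.0.20` on the front end, hypothetical values). The two IPSec rules share one Kerberos Phase 1 set and one ESP quick mode set, so the negotiated security association protects both directions of the TCP 80 connection even though each side only states its own requirement, which is the same arrangement the article builds with separate outbound and inbound filters.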

Configuring local machines
Now that you’ve implemented IPSec security between the OWA front end and the Exchange back end, you may need to configure your local machines to use IPSec security. This is only necessary if your local machines now have trouble accessing the Exchange back-end server.