Our implementation of Outlook Web Access (OWA)consists of an Exchange 5.5 SP1 Server and a separate IIS Server with OWA. It works great.
My concern is security. We did not implement SSL because it is complicated and requires users intervention to encrypt messages they send from their machines. We know our users, and they will forget 90% of the time.
I would like to be able to at least encrypt User ID and password. The way to do that is to enable NT challenge/response
authentication only in IIS.
Unfortunately, Exchange 5.5 forbids to do that if IIS is installed on a physically separate server than the one Exchange Server is installed on. The only authentication methods allowed in this scenario are Basic Clear Text and Anonymous.
Is there a way to work around this serious limitation short of upgrading to Exchange 2000 (not in our plans for now)?
Thanks everyone for any advice on this.