|
|
You're in the
iis security
group:Should I install my own CA for use with OWA?
iis security:
Using win2k, exchange 2k.
I need to enable Outlook Web Access for my traveling people, I understand that to do this properly I need to use using SSL. I know next to nothing about this subject so I am running through a technet article on the subject and here are the first questions that come to mind, All this is assuming that I should install my own CA. If I shouldn't why not? 1. I have a webserver, email server, and streaming media server, would it matter which one I installed CA on? 2. Will anything on my existing LAN change when this is completed that I would have to advise users about? Does this become a part of daily life or only when the OWA is accessed? 3.Should I use an Enterprise CA or StandAlone? All legitimate users would obviously have an email account and therefore be in AD so it seems that I would want the Enterprise style. However, the OWA would be accessed from all over the world on any number of outside networks. Does it matter where the OWA would be accessed from? 4. how long should I make the Certs Valid for? 5. What good would a subordinate CA be for me? If I understand it correctly, none? I will have a bunch more but this is a start. Help?
[quoted text, click to view]
> 1. Not sure. Does that mean it doesn't matter which one I put it on?[quoted text, click to view] > 2. Not much will change on the LAN. If you are using Microsoft Certificate > Services you should factor in backup/restore of the CA. Additionally, once > you make a machine a MS Certificate Services server, you can no longer > promote it to a DC (if it's a member server), nor demote it (if it's already > a DC) Thats because the certs would become invalid if I did, isn't that right? [quoted text, click to view] > 3. I would suggest an AD-integrated CA. This means that machines in your > domain automatically trust the CA, and users using those machines (eg > laptops) will not get a warning about the certificate being issued by an > untrusted CA. That's a minor plus. The other alternatives are (a) buy an SSL > certificate from a trusted 3rd party vendor (eg Thawte, Verisign, Geotrust) > or (b) have the users put up wth the warning or (c) manually install the > CA's root cert into the user's certificate store Both types can be AD integrated, the enterprise version is manditory, the standalone will use it if available. But use it how? I have seen a script to install the cert in the trusted zones and I can certainly install them into each users machine manually if I had to so that doesn't bother me too much. But which one are you referring to when you say AD integrated? It sound like enterprise? [quoted text, click to view] > > Cheers > Ken > > > "mmac" <no@thank.you> wrote in message > news:upjsidhbEHA.2352@TK2MSFTNGP09.phx.gbl... > > Using win2k, exchange 2k. > > I need to enable Outlook Web Access for my traveling people, I understand > > that to do this properly I need to use using SSL. I know next to nothing > > about this subject so I am running through a technet article on the > subject > > and here are the first questions that come to mind, All this is assuming > > that I should install my own CA. If I shouldn't why not? > > > > 1. I have a webserver, email server, and streaming media server, would it > > matter which one I installed CA on? > > > > 2. Will anything on my existing LAN change when this is completed that I > > would have to advise users about? Does this become a part of daily life or > > only when the OWA is accessed? > > > > 3.Should I use an Enterprise CA or StandAlone? All legitimate users would > > obviously have an email account and therefore be in AD so it seems that I > > would want the Enterprise style. However, the OWA would be accessed from > all > > over the world on any number of outside networks. Does it matter where the > > OWA would be accessed from? > > > > 4. how long should I make the Certs Valid for? > > > > 5. What good would a subordinate CA be for me? If I understand it > correctly, > > none? > > > > I will have a bunch more but this is a start. Help? > > > > > > > >
Another 2 cents.
Unless you intend to make other uses of PKI beyond just enabling SSL for OWA you may be best off just buying a certificate from a public authority. 1. None of these. You root CA should be maintained in an off-line state, with day-to-day being handled by a subordinate. 2. Not necessarily inform the users, but you would need to touch all your client machines so that your CA is a trusted root. 3. If you do go the CA route, then enterprise. You do not indicate whether your traveling people will only access OWA from your mobile devices. If they will use unowned devices, then those will not have your CA as trusted and so will not be able to establish SSL. Use of a public cert is the most simple and inexpensive way to enable any device to successfully use SSL for your OWA. 4. probably a moot point by now 5. see above, in 1 -- Roger Abell Microsoft MVP (Windows Server System: Security) MCSE (W2k3,W2k,Nt4) MCDBA [quoted text, click to view] "mmac" <no@thank.you> wrote in message news:upjsidhbEHA.2352@TK2MSFTNGP09.phx.gbl... > Using win2k, exchange 2k. > I need to enable Outlook Web Access for my traveling people, I understand > that to do this properly I need to use using SSL. I know next to nothing > about this subject so I am running through a technet article on the subject > and here are the first questions that come to mind, All this is assuming > that I should install my own CA. If I shouldn't why not? > > 1. I have a webserver, email server, and streaming media server, would it > matter which one I installed CA on? > > 2. Will anything on my existing LAN change when this is completed that I > would have to advise users about? Does this become a part of daily life or > only when the OWA is accessed? > > 3.Should I use an Enterprise CA or StandAlone? All legitimate users would > obviously have an email account and therefore be in AD so it seems that I > would want the Enterprise style. However, the OWA would be accessed from all > over the world on any number of outside networks. Does it matter where the > OWA would be accessed from? > > 4. how long should I make the Certs Valid for? > > 5. What good would a subordinate CA be for me? If I understand it correctly, > none? > > I will have a bunch more but this is a start. Help? > > >
Hmmm
Got me thinking about FreeSSL now... [quoted text, click to view] "Roger Abell" <mvpNOSpam@asu.edu> wrote in message news:OZr7KDibEHA.2944@TK2MSFTNGP11.phx.gbl... > Another 2 cents. > > Unless you intend to make other uses of PKI beyond just > enabling SSL for OWA you may be best off just buying > a certificate from a public authority. > > 1. None of these. You root CA should be maintained in an > off-line state, with day-to-day being handled by a subordinate. > 2. Not necessarily inform the users, but you would need to touch > all your client machines so that your CA is a trusted root. > 3. If you do go the CA route, then enterprise. You do not indicate > whether your traveling people will only access OWA from > your mobile devices. If they will use unowned devices, then > those will not have your CA as trusted and so will not be able > to establish SSL. Use of a public cert is the most simple and > inexpensive way to enable any device to successfully use SSL > for your OWA. > 4. probably a moot point by now > 5. see above, in 1 > -- > Roger Abell > Microsoft MVP (Windows Server System: Security) > MCSE (W2k3,W2k,Nt4) MCDBA > "mmac" <no@thank.you> wrote in message > news:upjsidhbEHA.2352@TK2MSFTNGP09.phx.gbl... > > Using win2k, exchange 2k. > > I need to enable Outlook Web Access for my traveling people, I understand > > that to do this properly I need to use using SSL. I know next to nothing > > about this subject so I am running through a technet article on the > subject > > and here are the first questions that come to mind, All this is assuming > > that I should install my own CA. If I shouldn't why not? > > > > 1. I have a webserver, email server, and streaming media server, would it > > matter which one I installed CA on? > > > > 2. Will anything on my existing LAN change when this is completed that I > > would have to advise users about? Does this become a part of daily life or > > only when the OWA is accessed? > > > > 3.Should I use an Enterprise CA or StandAlone? All legitimate users would > > obviously have an email account and therefore be in AD so it seems that I > > would want the Enterprise style. However, the OWA would be accessed from > all > > over the world on any number of outside networks. Does it matter where the > > OWA would be accessed from? > > > > 4. how long should I make the Certs Valid for? > > > > 5. What good would a subordinate CA be for me? If I understand it > correctly, > > none? > > > > I will have a bunch more but this is a start. Help? > > > > > > > >
My $0.02
1. Not sure. 2. Not much will change on the LAN. If you are using Microsoft Certificate Services you should factor in backup/restore of the CA. Additionally, once you make a machine a MS Certificate Services server, you can no longer promote it to a DC (if it's a member server), nor demote it (if it's already a DC) 3. I would suggest an AD-integrated CA. This means that machines in your domain automatically trust the CA, and users using those machines (eg laptops) will not get a warning about the certificate being issued by an untrusted CA. That's a minor plus. The other alternatives are (a) buy an SSL certificate from a trusted 3rd party vendor (eg Thawte, Verisign, Geotrust) or (b) have the users put up wth the warning or (c) manually install the CA's root cert into the user's certificate store 4. Up to you. A year, two years? Longer if you want. 5. I don't think it'll help you much given the facts at hand. Cheers Ken [quoted text, click to view] "mmac" <no@thank.you> wrote in message news:upjsidhbEHA.2352@TK2MSFTNGP09.phx.gbl... > Using win2k, exchange 2k. > I need to enable Outlook Web Access for my traveling people, I understand > that to do this properly I need to use using SSL. I know next to nothing > about this subject so I am running through a technet article on the subject > and here are the first questions that come to mind, All this is assuming > that I should install my own CA. If I shouldn't why not? > > 1. I have a webserver, email server, and streaming media server, would it > matter which one I installed CA on? > > 2. Will anything on my existing LAN change when this is completed that I > would have to advise users about? Does this become a part of daily life or > only when the OWA is accessed? > > 3.Should I use an Enterprise CA or StandAlone? All legitimate users would > obviously have an email account and therefore be in AD so it seems that I > would want the Enterprise style. However, the OWA would be accessed from all > over the world on any number of outside networks. Does it matter where the > OWA would be accessed from? > > 4. how long should I make the Certs Valid for? > > 5. What good would a subordinate CA be for me? If I understand it correctly, > none? > > I will have a bunch more but this is a start. Help? > > >
[quoted text, click to view]
"mmac" <no@thank.you> wrote in message news:O2KaTIibEHA.1004@TK2MSFTNGP11.phx.gbl... > Hmmm > Got me thinking about FreeSSL now... > :-) or if it takes off the new Aussy effort Building out your PKI is worth it if you have plans to use it in enough ways. Getting your CA signed for by a public root so it can issue for general public use is timeconsuming and expensive. -- Roger [quoted text, click to view] > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message > news:OZr7KDibEHA.2944@TK2MSFTNGP11.phx.gbl... > > Another 2 cents. > > > > Unless you intend to make other uses of PKI beyond just > > enabling SSL for OWA you may be best off just buying > > a certificate from a public authority. > > > > 1. None of these. You root CA should be maintained in an > > off-line state, with day-to-day being handled by a subordinate. > > 2. Not necessarily inform the users, but you would need to touch > > all your client machines so that your CA is a trusted root. > > 3. If you do go the CA route, then enterprise. You do not indicate > > whether your traveling people will only access OWA from > > your mobile devices. If they will use unowned devices, then > > those will not have your CA as trusted and so will not be able > > to establish SSL. Use of a public cert is the most simple and > > inexpensive way to enable any device to successfully use SSL > > for your OWA. > > 4. probably a moot point by now > > 5. see above, in 1 > > -- > > Roger Abell > > Microsoft MVP (Windows Server System: Security) > > MCSE (W2k3,W2k,Nt4) MCDBA > > "mmac" <no@thank.you> wrote in message > > news:upjsidhbEHA.2352@TK2MSFTNGP09.phx.gbl... > > > Using win2k, exchange 2k. > > > I need to enable Outlook Web Access for my traveling people, I > understand > > > that to do this properly I need to use using SSL. I know next to > nothing > > > about this subject so I am running through a technet article on the > > subject > > > and here are the first questions that come to mind, All this is assuming > > > that I should install my own CA. If I shouldn't why not? > > > > > > 1. I have a webserver, email server, and streaming media server, would > it > > > matter which one I installed CA on? > > > > > > 2. Will anything on my existing LAN change when this is completed that I > > > would have to advise users about? Does this become a part of daily life > or > > > only when the OWA is accessed? > > > > > > 3.Should I use an Enterprise CA or StandAlone? All legitimate users > would > > > obviously have an email account and therefore be in AD so it seems that > I > > > would want the Enterprise style. However, the OWA would be accessed from > > all > > > over the world on any number of outside networks. Does it matter where > the > > > OWA would be accessed from? > > > > > > 4. how long should I make the Certs Valid for? > > > > > > 5. What good would a subordinate CA be for me? If I understand it > > correctly, > > > none? > > > > > > I will have a bunch more but this is a start. Help? > > > > > > > > > > > > > > >
well, expensive is not in my future so I guess I'll wander out to get
another type. what is the Aussie effort you speak of? [quoted text, click to view] "Roger Abell" <mvpNOSpam@asu.edu> wrote in message news:%23w%231LGubEHA.3148@TK2MSFTNGP10.phx.gbl... > "mmac" <no@thank.you> wrote in message > news:O2KaTIibEHA.1004@TK2MSFTNGP11.phx.gbl... > > Hmmm > > Got me thinking about FreeSSL now... > > > > :-) or if it takes off the new Aussy effort > > Building out your PKI is worth it if you have plans > to use it in enough ways. Getting your CA signed > for by a public root so it can issue for general public > use is timeconsuming and expensive. > > -- > Roger > > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message > > news:OZr7KDibEHA.2944@TK2MSFTNGP11.phx.gbl... > > > Another 2 cents. > > > > > > Unless you intend to make other uses of PKI beyond just > > > enabling SSL for OWA you may be best off just buying > > > a certificate from a public authority. > > > > > > 1. None of these. You root CA should be maintained in an > > > off-line state, with day-to-day being handled by a subordinate. > > > 2. Not necessarily inform the users, but you would need to touch > > > all your client machines so that your CA is a trusted root. > > > 3. If you do go the CA route, then enterprise. You do not indicate > > > whether your traveling people will only access OWA from > > > your mobile devices. If they will use unowned devices, then > > > those will not have your CA as trusted and so will not be able > > > to establish SSL. Use of a public cert is the most simple and > > > inexpensive way to enable any device to successfully use SSL > > > for your OWA. > > > 4. probably a moot point by now > > > 5. see above, in 1 > > > -- > > > Roger Abell > > > Microsoft MVP (Windows Server System: Security) > > > MCSE (W2k3,W2k,Nt4) MCDBA > > > "mmac" <no@thank.you> wrote in message > > > news:upjsidhbEHA.2352@TK2MSFTNGP09.phx.gbl... > > > > Using win2k, exchange 2k. > > > > I need to enable Outlook Web Access for my traveling people, I > > understand > > > > that to do this properly I need to use using SSL. I know next to > > nothing > > > > about this subject so I am running through a technet article on the > > > subject > > > > and here are the first questions that come to mind, All this is > assuming > > > > that I should install my own CA. If I shouldn't why not? > > > > > > > > 1. I have a webserver, email server, and streaming media server, would > > it > > > > matter which one I installed CA on? > > > > > > > > 2. Will anything on my existing LAN change when this is completed that > I > > > > would have to advise users about? Does this become a part of daily > life > > or > > > > only when the OWA is accessed? > > > > > > > > 3.Should I use an Enterprise CA or StandAlone? All legitimate users > > would > > > > obviously have an email account and therefore be in AD so it seems > that > > I > > > > would want the Enterprise style. However, the OWA would be accessed > from > > > all > > > > over the world on any number of outside networks. Does it matter where > > the > > > > OWA would be accessed from? > > > > > > > > 4. how long should I make the Certs Valid for? > > > > > > > > 5. What good would a subordinate CA be for me? If I understand it > > > correctly, > > > > none? > > > > > > > > I will have a bunch more but this is a start. Help? > > > > > > > > > > > > > > > > > > > > > > > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |