One way to increase the security of Microsoft Outlook Web Access (OWA) is to use a Secure Sockets Layer (SSL) certificate to encrypt traffic during an OWA session. If you have a significant number of users (100 or more) simultaneously accessing OWA, they can place a significant CPU load on the OWA server. The problem is that each logical OWA connection requires the server to manage multiple SSL sessions.
To reduce the load on the OWA servers and increase the number of users that an OWA server can handle, you can purchase an SSL accelerator card, such as HP's AXL300 accelerator PCI card. These coprocessor cards are fine for smaller OWA implementations, but for larger installations, consider an SSL appliance, such as F5 Network's BIG-IP. Note that these appliances typically start at $10,000, whereas an SSL accelerator card is roughly $1500. Of course, the appliances offer much more than an SSL acceleration, such as built-in load balancing, higher SSL performance, protection against Denial of Service (DoS) attacks and IP spoofing, failover, and scalability. A typical OWA installation might involve three OWA back end servers with an F5 BIG-IP as the SSL termination point.
I usually have the client purchase an SSL certificate for an OWA installation; however, you can install Windows Server 2003 Certificate Services and issue your own SSL certificates. An advantage of purchasing a commercial SSL certificate is that users will not receive an error message about the validity of the certificate. For more information about SSL certificates check out http://www.whichssl.com. You can purchase an OWA certificate for as little as $40 per year. If you plan to load balance your OWA servers by using an appliance like BIG-IP, you need only one certificate. Make sure that the Fully Qualified Domain Name (FQDN) listed on the certificate request matches the public-facing FQDN. For example, you might have three back-end OWA servers called OWA1, OWA2, and OWA3, but you need only one external presence using the BIG-IP appliance. If the external FQDN is owa.mydomain.com, make sure to use this external FQDN when you order the SSL certificate; otherwise you'll receive an error message that the OWA site doesn't match the name of the server. For instructions about how to generate a request and install an SSL certificate on a Microsoft IIS server, visit http://certs.ipsca.com/Support/CSRMicrosoft-Internet-Information-Server-5.0.asp. When you receive the certificate, you can install it on any of the back-end servers. For the BIG-IP appliance, you must export the SSL certificate from one of the back-end servers to a personal information exchange (PFX) file. Then import the file into the BIG-IP device and parse it. Refer to your vendor's documentation about specific settings on the SSL appliance for the cluster setup. Because the SSL appliance is the termination point for the SSL session, you typically disable the SSL requirement for the OWA Web pages on the back-end OWA servers, however this depends on the SSL appliance you're using. If you configured the OWA cluster to use Network Load Balancing (NLB), I suggest you disable it and use the SSL appliance's load-balancing feature. In my experience, the higher end SSL appliances like the BIG-IP do a better job of load balancing compared with NLB because BIG-IP monitors network traffic to each cluster server. This translates to a well-balanced load across all servers, especially when particular OWA sessions last longer or request significantly more data than other OWA sessions.
Consider enabling form-based authentication in OWA for enhanced security. Forms-based authentication lets you set a time-out period for an OWA session, prohibits Microsoft Internet Explorer (IE) from memorizing an OWA password, offers a premium and basic version of OWA, and forces a reauthentication after you log off of OWA. Refer to http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;830827#XSLTH3152121124120121120120 for instructions about how to enable forms-based authentication. Using an SSL appliance in combination with multiple OWA servers provides excellent performance. Of course you can use the SSL appliance for SSL sessions on other servers, SSL VPNs, and other load-balancing functions, making the appliance easier to cost justify. I recently set up a two-node cluster for a client by using an SSL appliance with load balancing. The client's OWA performs better across the Internet than my own internal OWA server. I guess it's time for me to buy an SSL appliance.
Tip: Renewing SSL Certificates
When you renew an SSL certificate via Windows Server 2003 and Microsoft Internet Information Services (IIS) 6.0, you might receive an error that the request doesn't contain a valid country code. Evidently, this is a bug in IIS 6.0 when you issue a renewal request for an SSL certificate. One workaround is to create a dummy Web site on your server and issue a new certificate request from the dummy Web Site. When you receive the certificate, you can install it on your OWA Web site. This bug may be fixed with Windows 2003 Service Pack 1 (SP1).