I certainly understand that you want users to connect to Outlook Web Access (OWA) via an SSL connection to protect messages traveling to and from their machines and your network. And because you are also encrypting messages as they travel from the ISA Server firewall to the Exchange Server, you are obviously concerned about maintaining their confidentiality within your own network. One big advantage of an ISA Server firewall is it has an SSL to SSL bridging feature. This works by creating one secure SSL connection between the Web browser client and the external interface of the ISA Server, and a second new session between its internal interface and the Exchange Server. This allows the ISA Server to decrypt the packets from the client and inspect them for attack code. If it determines that the connection is legitimate and the packets do not contain any exploits or attack code, it re-encrypts the packets and sends them to the Exchange Server. While many firewalls can't evaluate the content inside SSL encrypted packets, ISA's SSL bridge allows it to statefully inspect SSL connections and prevent attackers from hiding exploits inside the SSL channel. Although both inbound and outbound connections can be encrypted "end-to-end," there currently isn't an antivirus product that can virus scan messages within these HTTPS sessions, because they pass through the ISA Server.
The only way to scan and block viruses on the ISA Server before they get to your Exchange Server, is to terminate the SSL connection at the ISA Server. This will enable an antivirus program to fully inspect all traffic before it enters your network. Several products scan emails on the ISA Server this way. To learn more about them visit http://www.isaserver.org/software/ISA/Anti-Virus/. If you choose this method, it's important to note that because the ISA Server is handling potentially infected files, its own operating system is vulnerable without some form of real-time virus protection. For example, Symantec's AntiVirus for ISA Server only scans files and email traffic from client applications that are configured to pass files to the virus scan engine, not the actual server itself, so you need to install an antivirus solution for the server as well.
If you are determined to find a solution that enables you to encrypt the traffic between both servers, after the virus scan use SSH to encrypt the session between them. Secure Shell (SSH) is an application layer protocol that provides secure encrypted communications and can be implemented for any type of service using port redirection. To enable your ISA Server to authenticate to your Exchange Server you will need to put an SSH client on the ISA Server and an SSH server on the Exchange Server. SSH then encrypts passwords and network traffic between the two servers to prevent eavesdropping, IP spoofing, IP source routing, DNS spoofing and other network-level attacks. You can get free, open source SSH implementations at www.openssh.comwww.ssh.com. You may need to create a route relationship between the ISA and Exchange Servers, therefore would certainly recommend trialing this on a test system to ensure that it works and doesn't affect the service level of either server. Good luck and remember SSL cannot protect the information stored on the Exchange Server once it arrives.
For More Information:
- Visit our Email Security All-in-One guide and learn how secure your email systems and maximize your email security efforts.
- Visit our resource center for news, tips and expert advice to weigh the pros and cons of Secure Socket Layer.
- Use these resources to discover how to combat viruses, worms and other malware types.
This was first published in June 2006