Exchange 5.5 OWA External Access - Security?

[mzodun]

I am curious to know what the security risks are in putting OWA on the public side of our network? We would like to have users be able to access from outside our network, without the use of a VPN client. Is there any sort of encryption that takes place between the client side and the server, or are the username and password sent across in plain text for anyone to sniff?

Thanks,
Mike

 

[remain]

let me start by saying nothing is as simple as you think it should be. That said,

If you set up the IIS server on your OWA server with a secure key and properly configure OWA to use https (mostly making sure it uses the secured directory) then everything is "encrypted." You'll probably have to buy the key (I've only done this for this company and we get ours through verisign). This will make the entire conversation encrypted. The problem is that if someone was sniffing the ENTIRE conversation and they knew which packets had the keys that the two computers exchanged then possibly someone could get your usernames and passwords, but that is about the only way. Let me know if you have any more questions.