Securing GroupWise® end-to-end with SSL
Mike Bills
ATT Engineer, Novell
© March 9, 2004 Novell Inc.
The one Net vision
one Net: Information without boundaries… where the right people are connected with the right information at the right time to make the right decisions.
• Novell exteNd™
• Novell Nsure™
• Novell Nterprise™
• Novell Ngage℠
Novell Nterprise™
Novell Nterprise is an innovative family of products which gives you the power to enable and manage the constant interaction of people with your business systems — regardless of who they are or where they are.
Access Points
[Diagram labels: Internet; Firewall; Inner Firewall; Web Server & GWIA; WebAccess Agent; MTA; POA; Web Console; Public IP; Private IP; Client Outside The Firewall (WebAccess | Windows Client | POP or IMAP); Administrator using Web Console; Client Inside the firewall]
Reducing Your Network Costs
[Two diagrams. Labels in the first: Corporate Network, WAN. Labels in the second: Internet, GroupWise® 6.5, Corporate Network.]
SSL and Certificates
GroupWise® agents use OpenSSL implementation
Generating Certificate Signing Request (CSR)
• GWCSRGEN.EXE with GroupWise 6 SP1
• OpenSSL—create CSR or self-signed certificates
Obtaining certificates
• Third-party Certificate Authorities
  – Verisign, Thawte, Entrust
• Novell Certificate Server
• Novell Self Signed Certificate
Securely Using the Internet as a WAN: Prerequisites
GroupWise 6 SP1 agents at all WAN nodes
• MTA-MTA (Domain-to-Domain)
• MTA-POA (Domain-to-Post Office)
GroupWise 6.5
• POA – Client (PO-to-End User)
Signed certificates imported to all WAN node agents
• GWCSRGEN.EXE available for generating CSRs
Agent with certificate is now SSL-enabled for message transfer
Using GWCSRGEN
• Filenames must be 8.3 format
• Use 2 char abbreviation
• Do not use abbreviation
• Fully qualified DNS hostname of server
*Note: All fields MUST be filled in
Novell® Certificate Server
SSL Enabling the Agents
• Step 1
• Step 2
• Required
• Recommended
*the POA is done exactly the same way…
Enabled vs Required
*Only 6.5 clients can access the POA if Required is set
SSL POA to Client
Must set Proxy Server Address
GWIA - Securing Your Connections
Secure SMTP transactions using STARTTLS
• Connecting SMTP host must also support STARTTLS
• To use SSL support for sending SMTP messages to other SMTP daemons, you must still use the default port of 25
Secure POP3/IMAP4 connections
• POP3 uses port 995 (SSL)
• IMAP4 uses port 993 (SSL)
• STARTTLS method is supported on ports 110 (POP3) and 143 (IMAP4)
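An added example, not part of the original slides: a check that capability replies captured from the plaintext ports (25, 110, 143) actually advertise the TLS upgrade the GWIA slides describe. The sample replies and the host name are constructed; the keyword is STARTTLS for SMTP and IMAP4 but STLS for POP3 (RFC 3207, RFC 2595).

```python
# Added example: audit captured capability replies for the TLS-upgrade keyword.
# The replies in SAMPLE are constructed, not output from a real GWIA.

# Plaintext port and the keyword each protocol uses to advertise the upgrade.
UPGRADE = {
    "smtp": (25, "STARTTLS"),   # EHLO reply line (RFC 3207)
    "pop3": (110, "STLS"),      # CAPA reply line (RFC 2595)
    "imap": (143, "STARTTLS"),  # CAPABILITY token (RFC 2595)
}

def advertised(proto, reply):
    """Return the set of capability keywords found in a raw server reply."""
    caps = set()
    for line in reply.splitlines():
        line = line.strip()
        if proto == "smtp":
            # "250-STARTTLS" or "250 8BITMIME": keyword follows the reply code
            if line[:3] == "250" and len(line) > 4:
                caps.add(line[4:].split()[0].upper())
        elif proto == "pop3":
            # one capability per line between the "+OK" line and the "." line
            if line and line != "." and not line.startswith(("+OK", "-ERR")):
                caps.add(line.split()[0].upper())
        elif proto == "imap":
            # "* CAPABILITY IMAP4rev1 STARTTLS ..."
            parts = line.split()
            if parts[:2] == ["*", "CAPABILITY"]:
                caps.update(p.upper() for p in parts[2:])
    return caps

def audit(replies):
    """Map each protocol to True if its plaintext port offers the TLS upgrade."""
    return {p: UPGRADE[p][1] in advertised(p, r) for p, r in replies.items()}

SAMPLE = {  # constructed replies; the POP3 one deliberately lacks STLS
    "smtp": "250-mail.example.com\r\n250-SIZE\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    "pop3": "+OK Capability list follows\r\nTOP\r\nUIDL\r\n.\r\n",
    "imap": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN\r\nA1 OK done\r\n",
}

if __name__ == "__main__":
    for proto, ok in audit(SAMPLE).items():
        port = UPGRADE[proto][0]
        print(f"{proto} port {port}: {'TLS upgrade offered' if ok else 'NO TLS upgrade'}")
```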
Security SSL
[Diagram labels: WebAccess Application, WebAccess Agent, User 1, GroupWise Admin, Web Console, SSL]
WebAccess Agent
• SSL to POA and Web Console
WebAccess Agent – SSL Settings Page
• Certificate File
• SSL Key File
Agent Configuration/Network Address
• Use IP Address or DNS Host Name
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.