Can OWA Replace the Outlook Client and the VPN?
IPAQ2000 writes "This past week, I attended a panel discussion sponsored by Microsoft and other major players in the space. One of the ideas brought up by one of the expert panel attendees from a company called Seaside Software claimed that large organizations should rely mainly on Outlook Web Access (OWA) for Exchange 2K access for remote users. He claimed that OWA access with SSL makes it perfect for secure access and saves the hassle of the VPN client support. I can see how avoiding the VPN client and the Outlook client together on desktops around large organizations (like mine) could be a good thing (by saving money), and how moving to OWA for remote users makes sense. In fact, it looks like MS themselves are putting much more emphasis on the browser in Exchange 2003 (OWA and Outlook are almost identical) so that users can run whatever version is appropriate for their needs, according to connectivity speeds, location, etc. There was a discussion regarding mobility and remote solutions in the enterprise. I thought that this might be a good subject for a Slashdot discussion, especially as it relates to Exchange. What do you think about OWA as the main way of accessing Exchange, especially as OWA keeps getting richer with each version of Exchange?"
* IIS must be secured against cross-site and Unicode attacks. In reality, this means URLScan and IISLockdown. URLScan often makes undeliverable messages which can be accessed via the Outlook 'fat' client. Example: the message with a subject-line 'This is the Visio...' will be acceptable to Outlook. OWA will turn this subject-line into the document name at the end of a URL. URLScan sees 'https://(fq.servername)/exchange/This is the Visio....msg', and parses the sequence of four 'dots' as a possible directory traversal. Access is denied! User sees a 404, big PITA. Expect lots of tech support calls on issues similar to this one.
* All the groovy advanced features are supported only under IE. Other browsers get a functional, if unexceptional subset. There is no ActiveX plugin or anything - MS just uses nifty DHTML and VBScript for drag-n-drop, etc. in OWA. The server-side ASP on OWA effectively generates a different, alternate interface for non-IE clients.
Weigh your options, and see if it isn't better to publish Exchange access through an SSL-style VPN appliance like Neoteris or Aventail.
"Flyin' in just a sweet place,
Never been known to fail..."
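
An added example (not part of the comment above, and not URLScan's or OWA's own code): a simplified Python model of the dot-sequence rejection the comment describes, usable to audit which message subjects would yield an item URL that such a filter refuses. The host name, the function names, the decoded-path matching and the deny entries other than `..` are assumptions; the URL shape (subject plus `.msg` under `/exchange/`) follows the comment's example.

```python
from urllib.parse import quote, unquote

# Assumption: a small deny list in the style of a URL-sequence filter.
# Only ".." comes from the comment; "./" and "\\" are illustrative extras.
DENY_SEQUENCES = ["..", "./", "\\"]

# Placeholder host; the comment elides the real server name.
BASE = "https://mail.example.invalid/exchange/"


def owa_item_url(subject, base=BASE):
    """Build an item URL the way the comment describes: subject + '.msg'."""
    return base + quote(subject + ".msg", safe="")


def blocked_by(url, deny=DENY_SEQUENCES):
    """Return the deny sequences present in the decoded URL path.

    An empty list means this simplified filter would let the request through.
    """
    path = unquote(url.split("://", 1)[-1].partition("/")[2])
    return [seq for seq in deny if seq in path]


def audit_subjects(subjects):
    """Map each problematic subject to the sequences that trip the filter."""
    report = {}
    for subject in subjects:
        hits = blocked_by(owa_item_url(subject))
        if hits:
            report[subject] = hits
    return report


# Constructed sample subjects, not taken from any real mailbox.
SAMPLE_SUBJECTS = [
    "This is the Visio...",   # the comment's example: "...." once ".msg" is appended
    "Budget v1.2",            # single dots only: allowed
    "Meeting moved.",         # trailing period + ".msg" also forms ".."
    "Quarterly report",       # no dots at all: allowed
]

if __name__ == "__main__":
    for subject, hits in audit_subjects(SAMPLE_SUBJECTS).items():
        print(f"{subject!r} -> blocked on {hits}")
```

In this model a subject that merely ends in one period is rejected as well, because appending `.msg` produces `..` in the path.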