48.4 Securing Internet Agent Connections with SSL

The Internet Agent can use the SSL (Secure Socket Layer) protocol to enable secure connections to other SMTP hosts, POP/IMAP clients, and the Internet Agent Web console. For the Internet Agent to do so, you must ensure that it has access to a server certificate file and that you have configured the connection types (SMTP, POP, IMAP, HTTP) you want secured through SSL. The following sections provide instructions:

48.4.1 Defining the Certificate File

To use SSL, the Internet Agent requires access to a server certificate file and key file. The Internet Agent can use any Base64/PEM or PFX formatted certificate file located on its server. If the Internet Agent’s server does not have a server certificate file, you can use the GroupWise Generate CSR utility to help you obtain one. For information, see Section 5.17.5, GroupWise Generate CSR Utility (GWCSRGEN).

To define the certificate file and key file that the Internet Agent will use:

  1. In ConsoleOne, right-click the Internet Agent object, then click Properties.

  2. Click GroupWise > SSL Settings to display the SSL Settings page.

    SSL Settings property page

    For background information about certificate files and SSL key files, see Section 75.2, Server Certificates and SSL Encryption.

    By default, the GWIA looks for the certificate file and SSL key file in the same directory where the GWIA executable is located, unless you provide a full path name.

  3. Fill in the Certificate File, SSL Key File, and Set Password fields:

    Certificate File: Specify the server certificate file that the Internet Agent will use. The certificate file must be in Base64/PEM or PFX format. If you type the filename rather than using the Browse button to select it, use the full path if the file is not in the same directory as the Internet Agent program. This setting corresponds to the Internet Agent’s /certfile switch.

    SSL Key File: Specify the key file associated with the certificate. The key file must be password protected in order for SSL to function correctly. If the private key is included in the certificate file rather than in a separate key file, leave this field blank. If you type the filename rather than using the Browse button to select it, use the full path if the file is not in the same directory as the Internet Agent program. This setting corresponds to the Internet Agent’s /keyfile switch.

    Set Password: Click Set Password to specify the password for the key. If the key does not require a password, do not use this option. This setting corresponds to the /keypasswd switch.

  4. If you want to define which connections (HTTP, SMTP, POP3, or IMAP4) use SSL, click Apply to save your changes, then continue with the next section, Section 48.4.2, Defining Which Connections Use SSL.

    or

    Click OK to save your changes.
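The following pre-flight check is an added example, not part of the original GroupWise documentation or tooling. It inspects the files you intend to enter in the Certificate File and SSL Key File fields and reports the conditions described in Step 3: wrong container format, a key already bundled in the certificate file, and a key that is not password protected. The function names and sample byte strings are constructed for illustration.

```python
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify(data: bytes) -> dict:
    """Report container format, contents, and whether a PEM key is encrypted."""
    info = {"format": "unknown", "has_cert": False, "has_key": False,
            "key_encrypted": None}
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        info["format"] = "PEM"
        for label, body in blocks:
            if label == b"CERTIFICATE":
                info["has_cert"] = True
            elif label.endswith(b"PRIVATE KEY"):
                info["has_key"] = True
                # PKCS#8 marks encryption in the label; legacy OpenSSL keys
                # mark it with a Proc-Type header inside the block.
                info["key_encrypted"] = (label == b"ENCRYPTED PRIVATE KEY"
                                         or b"Proc-Type: 4,ENCRYPTED" in body)
    elif len(data) > 4 and data[0] == 0x30:
        # PKCS#12 (PFX) is an ASN.1 SEQUENCE whose first element is INTEGER 3.
        skip = 2 + (data[1] & 0x7F if data[1] > 0x80 else 0)
        if data[skip:skip + 3] == b"\x02\x01\x03":
            info["format"] = "PFX"
    return info

def preflight(cert_bytes: bytes, key_bytes: bytes = None) -> list:
    """List problems with a Certificate File / SSL Key File pair."""
    cert, problems = classify(cert_bytes), []
    if cert["format"] == "unknown":
        problems.append("certificate file is neither Base64/PEM nor PFX")
    elif cert["format"] == "PEM" and not cert["has_cert"]:
        problems.append("certificate file contains no CERTIFICATE block")
    key = cert
    if key_bytes is not None:
        key = classify(key_bytes)
        if cert["has_key"]:
            problems.append("key is already in the certificate file; leave SSL Key File blank")
        if not key["has_key"]:
            problems.append("key file contains no private key")
    elif cert["format"] == "PEM" and not cert["has_key"]:
        problems.append("no key file given and no key in the certificate file")
    if key["has_key"] and not key["key_encrypted"]:
        problems.append("private key is not password protected")
    return problems

# Constructed samples (placeholder Base64 bodies, not real key material).
CERT = b"-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
PLAIN_KEY = b"-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END PRIVATE KEY-----\n"
ENC_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
           b"Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")
PFX_HEAD = b"\x30\x82\x0a\x00\x02\x01\x03\x30"  # first bytes of a PKCS#12 file
```

For real files, pass `open(path, "rb").read()` for each argument. A PFX file is only identified by its header here; its contents are not inspected.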

48.4.2 Defining Which Connections Use SSL

After you define the Internet Agent’s certificate and key file (see Section 48.4.1, Defining the Certificate File), you can configure which connections you want to use SSL. You can enable SSL connections to other SMTP hosts and the Internet Agent Web console, which means that an SSL connection is used if the other SMTP host or the Web browser (running the Web console) supports SSL. You can also enable or require SSL connections to POP3, IMAP4, and LDAP clients. If SSL is enabled, an SSL connection is used if the client supports SSL; if SSL is required, only SSL connections are accepted.

For more information about POP3 and IMAP4 clients, see Section 46.2, Configuring POP3/IMAP4 Services. For more information about LDAP clients, see Section 46.3, Configuring LDAP Services.

To configure connections to use SSL:

  1. In ConsoleOne, if the Internet Agent object’s property pages are not already displayed, right-click the Internet Agent object, then click Properties.

  2. Click GroupWise > Network Address to display the Network Address page.

    Network Address page

  3. Configure the SSL settings for the following connections:

    Message Transfer: Select Required if you want the Internet Agent to use a secure connection to the MTA. The MTA must also be enabled to use SSL.

    HTTP: Select Enabled to enable the Internet Agent to use a secure connection when passing information to the Internet Agent Web console. The Web browser must also be enabled to use SSL; if it is not, a non-secure connection is used.

    SMTP: Select from the following options to configure the Internet Agent’s use of secure connections to other SMTP hosts. The SMTP host must also be enabled to use SSL or TLS (Transport Layer Security); if it is not, a non-secure connection is used. All connections are through port 25.

    • Disabled: The Internet Agent does not support SSL connections.

    • Enabled: The other SMTP host determines whether an SSL connection or non-SSL connection is used with an SSL-enabled Internet Agent.

    • Required: The Internet Agent forces SSL connections. Non-SSL connections are denied.

    POP: Select from the following options to configure the Internet Agent’s use of secure connections to POP clients:

    • Disabled: The Internet Agent does not support SSL connections. All connections are non-SSL through port 110.

    • Enabled: The POP client determines whether an SSL connection or non-SSL connection is used with an SSL-enabled Internet Agent. An SSL-enabled Internet Agent allows SSL connections on port 995 and non-SSL connections on port 110.

    • Required: The Internet Agent forces SSL connections on port 995 and port 110. Non-SSL connections are denied.

    IMAP: Select from the following options to configure the Internet Agent’s use of secure connections to IMAP clients:

    • Disabled: The Internet Agent does not support SSL connections. All connections are non-SSL through port 143.

    • Enabled: The IMAP client determines whether an SSL connection or non-SSL connection is used with an SSL-enabled Internet Agent. An SSL-enabled Internet Agent allows SSL connections on port 993 and non-SSL connections on port 143.

    • Required: The Internet Agent forces SSL connections on port 993 and port 143. Non-SSL connections are denied.
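The difference between the SMTP options Enabled and Required above is whether a non-secure connection is still accepted. The following check is an added example, not part of the original documentation: it observes port 25 on your own Internet Agent and reports which of the three options the server actually behaves as. It assumes the agent offers TLS on port 25 through the standard STARTTLS extension and, when SSL is required, refuses mail before STARTTLS with reply code 530 as RFC 3207 specifies; the function names are hypothetical.

```python
import smtplib

def classify_smtp(starttls_advertised: bool, mail_code_before_tls: int) -> str:
    """Map port 25 observations to Disabled / Enabled / Required."""
    if not starttls_advertised:
        return "Disabled"
    # Assumption: a host that requires TLS refuses MAIL before STARTTLS
    # with reply code 530, as RFC 3207 specifies.
    return "Required" if mail_code_before_tls == 530 else "Enabled"

def observe_smtp(host: str, port: int = 25, timeout: float = 10.0):
    """Probe your own Internet Agent; returns (starttls_advertised, mail_code)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        advertised = smtp.has_extn("starttls")
        # Null sender only; the session ends before any message is submitted.
        code, _ = smtp.docmd("MAIL FROM:<>")
        return advertised, code

def audit(intended: str, observed: str) -> list:
    """Compare the option chosen in ConsoleOne with the observed behaviour."""
    findings = []
    if observed != intended:
        findings.append(f"SMTP is set to {intended} but behaves as {observed}")
    if observed == "Enabled":
        findings.append("SMTP falls back to a non-secure connection when the "
                        "other host does not use SSL/TLS")
    elif observed == "Disabled":
        findings.append("SMTP never uses SSL/TLS")
    return findings

if __name__ == "__main__":
    # Constructed observation: STARTTLS offered, cleartext MAIL accepted (250).
    print(audit("Required", classify_smtp(True, 250)))
```

Against a live agent, call `classify_smtp(*observe_smtp("gwia.example.com"))`, where the host name is a placeholder for your own server.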