15.3 Configuring Post Office Security

You can configure the POA in various ways to meet the security needs of the post office.

15.3.1 Securing Client Access through an External Proxy Server

If the server where the POA runs is behind your firewall, you can link it to an external proxy server in order to provide client/server access to the post office for GroupWise client users who are outside the firewall. You could also use generic proxy, network address translation (NAT), and port address translation (PAT) to achieve the same results.

If the POA is configured with both an internal IP address and an external proxy IP address, the POA returns both IP addresses to the GroupWise client when it attempts to log in. The client tries the internal address first, and if that does not succeed, it tries the external proxy address, then it records which address succeeded. If the user moves from inside the firewall to outside the firewall, the client might fail to log in on the first attempt, but succeeds on the second attempt.

  1. In the GroupWise Admin console, browse to and click the POA.

  2. Click the Agent Settings tab, and find the Network Address section.

  3. In the External IP Address field in the Network Address section, specify the external IP address of the external server that GroupWise client users access from outside your firewall.

    Typically, this is the public IP address presented by your external proxy server, generic proxy, NAT, or PAT.

  4. (Conditional) If you want to use a different port number for the external proxy server than you are using for client/server access to the POA itself, provide the port number in the External Port field in the Client/Server section.

    The network router is responsible for enabling the Network Address Translation (NAT) or Port Address Translation (PAT) between the external client requests and the internal network address of the POA. The external proxy server address and port should be listed as they are seen from the external GroupWise clients. The POA provides this address and port to clients that attempt to connect from outside the firewall.

    If you are using NAT, provide an external server IP address for the POA, and in the Port field, use port 1677 (the default) for the external client/server port. If you are using PAT, provide an external server IP address for the POA, and in the Port field, use a unique external client/server port.

  5. Click Save, then click Close to return to the main Admin console window.

POA Console You can list all POAs in your GroupWise system, along with their external IP addresses. On the Configuration page, click IP Addresses Redirection Table under the General Settings heading.

15.3.2 Controlling Client Redirection Inside and Outside Your Firewall

When a user tries to access his or her mailbox without providing the IP address of the POA for his or her post office, any POA or a GroupWise name server POA can redirect the request to the POA for the user’s post office.

A POA that is configured with both an internal IP address and an external IP address automatically redirects internal users to internal IP addresses and external users to external IP addresses. However, if you want to control which users are redirected to which IP addresses based on criteria other than user location, you can configure a post office with one POA to always redirect users to internal IP addresses and a second POA to always redirect users to external IP addresses. Users are then redirected based on which POA IP address they provide in the GroupWise Startup dialog box when they start the GroupWise client to access their mailboxes.

  1. Configure the initial POA for the post office with the IP address that you want for internal users.

    Do not fill in the External IP Address field on the Agent Settings tab of the POA object.

  2. Create a second POA object in the post office and give it a unique name, such as POA_EXT.

    For instructions, see Creating a New POA in the GroupWise Admin Console.

  3. Configure this second POA with an external IP address.

    For instructions, see Securing Client Access through an External Proxy Server.

    Do not fill in the TCP/IP Address field on the Agent Settings tab of the POA object.

  4. Start the new instance of the POA.

  5. Give users that you want to be redirected to internal IP addresses the IP address you used in Step 1.

  6. Give users that you want to be redirected to external IP addresses the IP address you used in Step 3.

15.3.3 Securing the Post Office with SSL Connections to the POA

Secure Sockets Layer (SSL) ensures secure communication between the POA and other programs by encrypting the complete communication flow between the programs. By default, the POA is enabled to use SSL connections, but SSL connections are not required.

For background information about SSL and how to set it up on your system, see Configuring Server Certificates and TLS.

To configure the POA to require SSL:

  1. In the GroupWise Admin console, browse to and click the POA.

  2. Click the SSL Settings tab.

  3. (Conditional) If you need to generate a new GroupWise CA signed certificate for the POA:

    The GroupWise Admin Service generates a certificate signing request (CSR) and a private key file, and then sends them to the GroupWise certificate authority (CA) on the primary domain. The CA issues the requested certificate, which is then returned to the local server.

    1. Click Generate Certificate.

    2. Specify and confirm the password for the private key file for the new SSL certificate, then click OK.

      The newly created SSL certificate and private key files display on the SSL Settings tab.

    3. Click Save to save the SSL certificate and key files.

  4. (Conditional) If you already have an SSL certificate and key file for the POA:

    1. In the SSL Certificate File field, click the Browse icon.

    2. Click Upload Local File to Server, then click Browse.

    3. Browse to and select the SSL certificate file on your local workstation.

      You can use certificate files in the PEM, PFX, CRT, B64, or CER format.

    4. Click Upload to upload the certificate file into the GroupWise certificates folder on the server where the POA is running.

    5. Click OK.

    6. In the SSL Key File field, browse to, select, and upload the private key file, then click OK.

    7. Click Save to save the SSL certificate and key files.

  5. To enable or require SSL connections with the MTA, with GroupWise clients, and with other programs that communicate with the POA, click the Agent Settings tab.

  6. To enable or require SSL connections between the POA and its MTA, select Enabled or Required in the Message Transfer SSL drop-down list.

    The MTA must also use SSL for the connection to be secure. See Securing the Domain with ssl Connections to the MTA.

    IMPORTANT:To prevent closed links between agents, select Enabled when you are initially configuring agents for SSL. Select Required for tighter security only after all agents are successfully using SSL.

  7. To enable or require SSL for other protocols, scroll down the Agent Settings tab to the SSL fields and select the desired SSL settings.

  8. Click Save, then click Close to return to the main Admin console window.

Corresponding Startup Switches: You can also use the ‑‑certfile, ‑‑keyfile, ‑‑keypassword, ‑‑httpssl, ‑‑mtpssl, ‑‑imapssl, and ‑‑imapsslport switches in the POA startup file to configure the POA to use SSL.

POA Console: You can view SSL information for the POA on the Status and Configuration pages. In addition, when you list the client/server users that are accessing the post office, SSL information is displayed for each user.

15.3.4 Providing LDAP Authentication for GroupWise Users

By default, GroupWise client users’ passwords are stored in GroupWise user databases, and the POA authenticates users to their GroupWise mailboxes by using those GroupWise passwords. For background information about passwords, see Section 91.0, GroupWise Passwords.

By enabling LDAP authentication for the POA, users’ password information can be retrieved from an LDAP directory such as NetIQ eDirectory and Microsoft Active Directory. For background information about LDAP, see Authenticating to GroupWise with Passwords Stored in an LDAP Directory.

When you enable LDAP authentication, it is important to provide fast, reliable access to the LDAP directory because GroupWise client users cannot access their mailboxes until they have been authenticated.

  1. Set up an LDAP directory for use with GroupWise.

    For instructions, see Setting Up an LDAP Directory.

  2. Set up at least one LDAP server for use with the LDAP directory.

    For instructions, see Setting Up an LDAP Server.

  3. Click Post Offices, click the name of a post office where you want to provide LDAP authentication for GroupWise users, then click the Security tab.

  4. Select LDAP Authentication.

  5. Move at least one LDAP server from the Available LDAP Servers list to the Selected LDAP Servers list.

    For more information, see Configuring a Pool of LDAP Servers.

  6. Click Save, then click Close to return to the main Admin console window.

15.3.5 Configuring Intruder Detection

By default, the POA is configured to detect system break-in attempts in the form of repeated unsuccessful logins. You can customize how the POA recognizes and responds to break-in attempts.

  1. In the GroupWise Admin console, browse to and click the name of the post office.

  2. Click the Client Settings tab.

  3. Specify how many unsuccessful login attempts are allowed before the user is locked out.

    The default is 5; valid values range from 3 to 10.

  4. Specify in minutes how long unsuccessful login attempts are counted.

    The default is 15; valid values range from 15 to 60.

  5. Specify in minutes how long the user login is disabled.

    The default is 30; the minimum setting is 15.

  6. Click Save, then click Close to return to the main Admin console window.

If a user is locked out by intruder detection, his or her GroupWise account is disabled. To restore access, follow the instructions in Unlocking GroupWise Accounts.

Corresponding Startup Switches: You can also use the ‑‑intruderlockout, ‑‑incorrectloginattempts, ‑‑attemptsresetinterval, and ‑‑lockoutresetinterval startup switches in the POA startup file to configure the POA for intruder detection.

POA Console: You can view current intruder detection settings on the Configuration page. If the POA console is password protected as described in Configuring the POA Console, you can change the settings by clicking the Intruder Detection link. You cannot disable intruder detection from the POA console.

15.3.6 Configuring Trusted Application Support

Trusted applications are third-party programs that can log into POAs and GWIAs in order to access GroupWise mailboxes without needing personal user passwords. Trusted applications might perform such services as message retention or synchronization with mobile devices.

For background information about setting up trusted applications, see Trusted Applications.