Outlook Anywhere and Exchange’s Self-Signed Certificate

by Bharat Suneja

Outlook Anywhere (called RPC over HTTP in Exchange Server 2003), the Exchange Server, Outlook and Windows Server feature that lets Outlook clients reach Exchange over HTTPS without a VPN, does not work with the self-signed certificate that Exchange Server 2007 and 2010 install by default.

Yes, this is different from Outlook Web Access (OWA, Outlook Web App in Exchange 2010) and Exchange ActiveSync (EAS). Both can use the self-signed certificate if it is made trusted by installing it in the computer's or mobile device's certificate store (or by using Group Policy to push trusted root CAs to domain-joined computers). OWA users can also click through the browser warning about the certificate and continue to access OWA.

Outlook Anywhere, however, requires a certificate that chains to a Certification Authority the client trusts, and whose subject name or Subject Alternative Name list contains the host name Outlook connects to. Note that this doesn't necessarily mean an external, third-party CA: an in-house CA works as long as every client that will use Outlook Anywhere trusts its root certificate. Read "How to Configure SSL for Outlook Anywhere" for more information.

You can set up a CA very quickly and easily using Windows Server Certificate Services (Active Directory Certificate Services in Windows Server 2008). It's included in Windows Server, and there are no additional licensing costs involved. If you're interested in security and PKI, I highly recommend setting one up in a test AD forest, along with Brian Komar's excellent book "Microsoft Windows Server 2003 PKI and Certificate Security". As Komar explains in the book, setting up a PKI correctly for a company of any size isn't as easy as simply installing Certificate Services on a Windows box; chances are you'll make plenty of mistakes without proper understanding and planning.

Setting up a CA in production just for issuing certificates to your CAS servers isn't worth the deployment and operational effort, nor the added responsibility of securing it; certificates from commercial CAs can be had for a very low cost (I recommended a CA a few posts ago: "DigiCert: A Certificate Authority with excellent customer service").

If you're planning to use a certificate with Subject Alternative Names (SANs), also known as a Unified Communications certificate in Exchange/UC terminology, here's a tip you should read before creating your certificate request: "Which name should I use as Common Name for my UC certificate?"
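Here is an added example, written for this edit rather than taken from the post, of checking a Client Access Server from the client side. It is a PowerShell script that performs the TLS handshake against the Outlook Anywhere endpoint and then tests the two things Outlook insists on before it will tunnel RPC over HTTPS: that the certificate chains to a root in the client's trusted store, and that the host name Outlook connects to appears in the Subject CN or the Subject Alternative Name list (the SAN list is what a UC certificate is for). It also flags a self-signed certificate (Subject equal to Issuer), which is what Exchange setup installs. The host name mail.example.com is an assumed placeholder; substitute the external name you publish to Outlook clients.

```powershell
# Added example (not from the original post): connect to the Outlook Anywhere
# (RPC over HTTP) endpoint the way Outlook does and report the certificate
# conditions that make Outlook Anywhere refuse the connection.
param(
    [string]$HostName = 'mail.example.com',   # assumed external CAS name
    [int]$Port = 443
)

# Accept whatever the server presents during the handshake; it is inspected below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($HostName)
    # Copy the DER bytes so the certificate outlives the stream.
    $raw = $ssl.RemoteCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
} finally {
    $ssl.Dispose()
    $client.Close()
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)

# 1. Trust: does the certificate chain to a root in this machine's trusted store?
#    Revocation checking is turned off here so that trust errors are reported on their own.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainsToTrustedRoot = $chain.Build($cert)
$chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

# 2. Self-signed: the Exchange default certificate issues itself.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# 3. Name: collect the Subject CN and every SAN entry, then look for the host name
#    Outlook connects to. Exact match only; wildcard names are not expanded here.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($false) yields text such as "DNS Name=mail.example.com, DNS Name=autodiscover.example.com"
    $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}
$hostNameMatches = ($names -contains $HostName)

New-Object PSObject -Property @{
    Host                = $HostName
    Subject             = $cert.Subject
    Issuer              = $cert.Issuer
    NotAfter            = $cert.NotAfter
    SelfSigned          = $selfSigned
    ChainsToTrustedRoot = $chainsToTrustedRoot
    ChainStatus         = ($chainStatus -join ', ')
    NamesInCertificate  = ($names -join ', ')
    HostNameMatches     = $hostNameMatches
} | Format-List

if (-not $chainsToTrustedRoot -or -not $hostNameMatches) {
    Write-Warning "Outlook Anywhere will fail against $HostName until the certificate chains to a root this client trusts and lists this host name."
}
if ($selfSigned) {
    Write-Warning "The certificate is self-signed; replace it with one issued by a CA your Outlook clients trust."
}
```

Run it from a workstation outside the domain, because X509Chain builds against the local machine's trust stores: a CAS certificate that looks fine from a domain-joined PC that received the in-house root via Group Policy can still fail from a home laptop that never did. Outlook additionally compares the certificate against the msstd: principal name configured in the profile's proxy settings, so keep that value consistent with the name you publish.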


Anonymous October 16, 2007 at 5:09 pm

Bharat,
A related question concerning Outlook Anywhere… I’ve been able to configure OA so that our remote users are able to run full-fledged Outlook 2003 on their machines (Exchange server is 2007). Can you confirm whether or not a copy of their messages is put locally on their computers, and if so, is that information encrypted? My main concern is that the (often sensitive) information inside those emails is now available locally, and can easily be hacked into. In the email acct setup, I’ve specified for new emails to go to the Mailbox, not Personal Folders.

Thanks in advance,
Derek.


Bharat Suneja October 16, 2007 at 6:16 pm

In Cached Mode, yes – there's a local store, an OST. It's tied to the Outlook profile. It is encrypted – the encryption key is stored in the user's mailbox on Exchange, and in the user's MAPI profile.

PSTs can be opened by anyone using Outlook, OSTs can’t. At least not as easily.

The file – OUTLOOK.OST – resides in C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Outlook.

Scenario: Laptop lost or stolen. The password is compromised and the “attacker” is able to log in (has the same user profile available). If Outlook is opened in offline mode (this is the most likely scenario, if not connected to the corp network or vpn – *if* the password is compromised), the data in the OST file can be viewed in offline mode.

If the profile is blown away or only the OST file is accessible, it becomes a little more difficult.

There are utilities available out there that will allow you to recover data from an OST file, like Recovery for Exchange or PSTWalker.

Also take a look at what Brien Posey has to say on SearchExchange.com.


Anonymous October 25, 2007 at 10:10 am

Bharat,
You prefaced your response by saying if the session is using Cached Mode, then the following would happen. Would the same security risks exist if we did not use Cached Mode?

Thanks,
Derek.


Kirk Ouimet June 11, 2008 at 2:44 pm

You can use a self-signed certificate with Outlook Anywhere and Exchange 2007. See my blog post titled “Generate a Self-Signed Certificate in Exchange Server 2007 to be used for Outlook Anywhere on Outlook 2007”.

Hope this helps some people out there!


Alex July 29, 2008 at 5:41 am

Here is a fine tool for opening .ost files: it opens *.ost files and converts them into *.pst files, which can be opened by any program compatible with the Microsoft Outlook email client. It allows opening OST files and storing your personal data independently from Microsoft Exchange Server, which is very important if you'd like to access your contacts and email archive from outside your company, or convert them to a suitable format that can be read by another email client.


Anonymous September 2, 2008 at 9:05 am

The default self-signed certificate that is available in Exchange 2007 Setup will not work with Microsoft Office Outlook 2007 clients that are using OABs. Instead, you must use a valid SSL certificate that is created by a certification authority (CA) that is trusted by the client computer’s operating system. For more information about how to install a valid SSL certificate from a CA that the client trusts

Based on the above, our OAB is not connecting to MS Exchange for users with Outlook 2007. When I click on the send/receive button it says connecting for as long as forever but never connects. I am trying to get an SSL certificate from a public CA. Can you guide me on how to install this error free, the requirements and updates needed, and what to avoid when doing this in a production environment?

thanks
TB

