Outlook Anywhere (known as "RPC over HTTP" in Exchange Server 2003), the Exchange + Outlook + Windows Server feature that allows Outlook clients to access Exchange servers without a VPN, does not work with Exchange Server 2007's self-signed certificate.
Yes, this is different from Outlook Web Access (OWA) and Exchange ActiveSync. Both can use the self-signed certificate if the certificate is trusted by installing it in the computer's or mobile device's certificate store (or by using Group Policies to propagate trusted Root CAs to computers). OWA users can also bypass the browser prompt that alerts about certificate-related issues, and continue to access OWA.
However, Outlook Anywhere requires a valid certificate issued by a trusted Certificate Authority. Note, this doesn't necessarily mean an external/third-party CA - it can be an in-house CA that is trusted by clients. Read "How to Configure SSL for Outlook Anywhere" for more information.
You can set up a Certificate Authority very quickly and easily using Windows Server's Certificate Services. It's included in Windows Server, so there are no additional licensing costs involved. If you're interested in security and PKI, I highly recommend setting one up in a test AD Forest, along with Brian Komar's excellent book "Microsoft Windows Server 2003 PKI and Certificate Security". As Komar explains in the book, setting up a PKI infrastructure right for a company of any size isn't as easy as simply installing Certificate Services on a Windows box - chances are you'll make plenty of mistakes without proper understanding and planning.
Setting up a CA in production just for issuing certificates to CAS servers isn't worth it - certificates from commercial CAs can be had for a very low cost (I recommended a CA a few posts ago - "DigiCert: A Certificate Authority with excellent customer service"), minus all the headaches of maintaining and managing an in-house CA.
If you're planning to use a certificate with Subject Alternative Names (SAN), also known as Unified Communications certificates in Exchange/UC terminology, here's a tip you should read before creating your certificate request: "Which name should I use as Common Name for my UC certificate?"
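As an added example (not code from this post or from Microsoft), here is a PowerShell script that checks, from a client machine, the things Outlook Anywhere needs from the CAS certificate: that the chain is trusted by this client's certificate store, that a DNS name on the certificate matches the host name Outlook connects to, and whether the certificate is self-signed. $ServerName is a placeholder for your external CAS host name.

```powershell
# Added example: report whether a CAS server's HTTPS certificate would satisfy
# Outlook Anywhere's trust requirements from the machine this runs on.
# $ServerName is a placeholder; substitute the external CAS host name.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,
    [int]$Port = 443
)

$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    # Accept anything during the handshake; trust is evaluated explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ServerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# 1. Chain trust against the local Trusted Root stores, which is what Outlook uses.
#    An Exchange 2007 self-signed cert fails here with UntrustedRoot unless it was imported.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })

# 2. Name match: Subject Alternative Name DNS entries (OID 2.5.29.17), falling back to the CN.
#    Format() output is locale dependent; "DNS Name=" is the English-Windows form.
#    Wildcard names are not expanded here (exact match only).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    $dnsNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value })
}
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$nameOk = ($dnsNames -contains $ServerName) -or (($dnsNames.Count -eq 0) -and ($cn -eq $ServerName))

# 3. Self-signed: subject and issuer are the same DN (the shape of Exchange 2007's default cert).
$selfSigned = ($cert.Subject -eq $cert.Issuer)

New-Object PSObject -Property @{
    Server               = $ServerName
    Subject              = $cert.Subject
    Issuer               = $cert.Issuer
    SelfSigned           = $selfSigned
    ChainTrusted         = $chainOk
    ChainErrors          = ($chainErrors -join ', ')
    DnsNames             = ($dnsNames -join ', ')
    NameMatches          = $nameOk
    OutlookAnywhereReady = ($chainOk -and $nameOk)
}
```

Run it as the same Windows user that runs Outlook, since the user store is part of the trust evaluation; a ChainErrors value of UntrustedRoot with SelfSigned set to True is exactly the condition the post describes.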
Labels: Exchange Server 2007, Security


4 Comments:
Bharat,
A related question concerning Outlook Anywhere... I’ve been able to configure OA so that our remote users are able to run full-fledged Outlook 2003 on their machines (Exchange server is 2007). Can you confirm whether or not a copy of their messages is put locally on their computers, and if so, is that information encrypted? My main concern is that the (often sensitive) information inside those emails is now available locally, and can easily be hacked into. In the email acct setup, I’ve specified for new emails to go to the Mailbox, not Personal Folders.
Thanks in advance,
Derek.
In Cached Mode, yes - there's a local Store, an OST. It's tied to the Outlook profile. It is encrypted - the encryption key is stored in the user's mailbox on Exchange, and in the user's MAPI profile.
PSTs can be opened by anyone using Outlook, OSTs can't. At least not as easily.
The file - OUTLOOK.OST - resides in C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Outlook.
Scenario: Laptop lost or stolen. The password is compromised and the "attacker" is able to log in (has the same user profile available). If Outlook is opened in offline mode (this is the most likely scenario, if not connected to the corp network or vpn - *if* the password is compromised), the data in the OST file can be viewed in offline mode.
If the profile is blown away or only the OST file is accessible, it becomes a little more difficult.
There are utilities available out there that will allow you to recover data from an OST file, like Recovery for Exchange or PSTWalker.
Also take a look at what Brien Posey has to say on SearchExchange.com.
Bharat,
You prefaced your response by saying if the session is using Cached Mode, then the following would happen. Would the same security risks exist if we did not use Cached Mode?
Thanks,
Derek.
You can use a self-signed certificate with Outlook Anywhere and Exchange 2007. See my blog post titled "Generate a Self-Signed Certificate in Exchange Server 2007 to be used for Outlook Anywhere on Outlook 2007".
Hope this helps some people out there!