Outlook Anywhere (known as RPC over HTTP in Exchange Server 2003), the Exchange Server + Outlook + Windows Server feature that allows Outlook clients to access Exchange servers without a VPN, does not work with Exchange Server 2010/2007’s self-signed certificate.
Yes, this is different from Outlook Web Access (OWA, Outlook Web App in Exchange 2010) and Exchange ActiveSync (EAS). Both can use the self-signed certificate if the certificate is trusted by installing it in the computer’s or mobile device’s certificate store (or by using Group Policies to propagate trusted Root CAs to computers). OWA users can also bypass the browser prompt that alerts them about certificate-related issues, and continue to access OWA.
However, Outlook Anywhere requires a valid certificate issued by a trusted Certification Authority. Note, this doesn’t necessarily mean an external/third-party CA — it can be an in-house CA that is trusted by clients. Read “How to Configure SSL for Outlook Anywhere” for more information.
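The trust requirement above can be checked before a certificate is deployed. The following is an added example, not code from the original post: the hypothetical function `Test-CertificateTrust` reports whether a certificate chains to a root trusted by the machine it runs on, and is exercised here with a throwaway self-signed certificate built in memory. It assumes PowerShell 5 or later with .NET Framework 4.7.2+ (or PowerShell 7); `mail.example.com` and the file path are placeholders.

```powershell
# Added example, not from the original post. Test-CertificateTrust is a
# hypothetical helper name; host names and paths below are placeholders.
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    # Build the chain against this machine's trust stores, as a client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: revocation checking is skipped so the check also runs offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        NotAfter    = $Certificate.NotAfter
        # Subject equal to Issuer is the usual sign of a self-signed certificate.
        SelfIssued  = ($Certificate.Subject -eq $Certificate.Issuer)
        Trusted     = $trusted
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

# Constructed sample: a self-signed certificate created in memory only
# (nothing is written to a certificate store).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=mail.example.com', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$sample = $request.CreateSelfSigned($now.AddDays(-1), $now.AddYears(1))

# A self-signed certificate only validates once it is installed as a trusted root.
Test-CertificateTrust -Certificate $sample | Format-List

# To check a certificate exported from a Client Access server (hypothetical path):
# $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\cas.cer'
# Test-CertificateTrust -Certificate $cer
```

Run it on a client machine rather than on the server, since the result depends on the trusted roots of the machine doing the validation.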
You can set up a CA very quickly and easily using Windows Server Certificate Services (Active Directory Certificate Services in Windows Server 2008). It’s included in Windows Server, and there are no additional licensing costs involved. If you’re interested in security and PKI, I highly recommend setting one up in a test AD Forest, along with Brian Komar’s excellent book “Microsoft Windows Server 2003 PKI and Certificate Security”. As Komar explains in the book, setting up a PKI correctly for a company of any size isn’t as easy as simply installing Certificate Services on a Windows box: chances are you’ll make plenty of mistakes without proper understanding and planning.
Setting up a CA in production just for issuing certificates to your CAS servers isn’t worth the deployment and operational effort, or the added responsibility of securing it. Certificates from commercial CAs can be had for a very low cost (I recommended a CA a few posts ago – “DigiCert: A Certificate Authority with excellent customer service”).
If you’re planning to use a certificate with Subject Alternative Names (SANs), also known as Unified Communications certificates in Exchange/UC terminology, here’s a tip you should read before creating your certificate request: “Which name should I use as Common Name for my UC certificate?”