



    Date: 21.03.2017
    Size: 1,65 Mb.

    Enabling SSL for the Default Web Site


    After you obtain an SSL certificate to use either with your Exchange front-end server on the default Web site or on the Web site where you host the \Exchange, \Exchweb, \Microsoft-Server-ActiveSync, \OMA, \Public, and \RPC virtual directories, you can enable the default Web site to require SSL.

    Note:

    The \Exchange, \Exchweb, \Microsoft-Server-ActiveSync, \OMA, and \Public virtual directories are installed by default on any Exchange Server 2003 SP2 installation. The \RPC virtual directory for RPC over HTTP communication is installed manually when you configure Exchange Server 2003 SP2 to support RPC over HTTP.

    For information about how to set up Exchange Server 2003 to use RPC over HTTP, see Exchange Server 2003 RPC over HTTP Deployment Scenarios.

    To require SSL on the default Web site


      1. In the Internet Information Services (IIS) Manager, select the Default Web Site or the Web site where you are hosting your Exchange Server 2003 services, and then click Properties.

      2. On the Directory Security tab, in the Secure Communications box, click Edit.

      3. The following illustration shows the Secure Communications dialog box. Click the Require Secure Channel (SSL) check box. Click OK.




      4. Depending upon your installation, the Inheritance Overrides dialog box may appear. Select the virtual directories that should inherit the new setting, for example Microsoft-Server-ActiveSync, and then click OK.

      5. On the Directory Security tab, click OK.



    After you complete this procedure, all virtual directories on the Exchange front-end server that are on the default Web site are configured to use SSL.

    Configuring Basic Authentication


    The Exchange ActiveSync Web site supports SSL connections as soon as the server certificate is bound to the Web site. However, users still have the option to connect to the Exchange ActiveSync Web site by using a non-secure connection. You can require all Windows Mobile-based client devices to successfully negotiate an SSL link before connecting to the Exchange ActiveSync Web site directories.

    We also recommend that you enforce basic authentication on all HTTP directories that the ISA Server makes accessible to external users. In this way, you can take advantage of the ISA Server feature that enables the relay of basic authentication credentials from the firewall to the Exchange ActiveSync Web site.


    Require SSL Connection to the Exchange ActiveSync Web Site Directories


    This prevents all non-authenticated communications from reaching the Exchange ActiveSync Web site and significantly improves the level of security.

    Note:

    If you plan to use Certificate Authentication instead of basic configuration, you must deploy SSL by following the instructions for configuring SSL for Exchange ActiveSync, which are located in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.

    You can repeat these steps with the /Exchange, /Exchweb, /OMA, and /Public directories that are found in the left pane of the IIS MMC console. This can be done to require SSL on the five Web site directories that you can make accessible to remote users:

    /Exchange



    To require an SSL connection to the Exchange ActiveSync Web site directories

    1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. In Internet Information Services (IIS) Manager, expand your server name and then expand the Default Web Site node in the left pane of the console.

    2. Right-click on the Microsoft-Server-ActiveSync directory so that it is highlighted, and then click Properties.

    3. Click Directory Security. In the Authentication and access control frame, click Edit.

    4. The following illustration shows the Authentication Methods dialog box. Click to clear all check boxes except for the Basic authentication (password is sent in clear text) check box. Place a check mark in the Basic authentication check box.



    Note:

    On the back-end (mailbox) server, you must enable Integrated Windows Authentication in order for Exchange ActiveSync to work. Only disable it on the front-end Exchange server.



    5. Click Yes in the dialog box that warns you that the credentials should be protected by SSL. In the Default domain text box, type in your domain name.

    6. Click OK.

    7. In the Exchange Properties dialog box, click Apply, and then click OK.

    8. After you have required basic authentication on the directories that you have chosen, close the Internet Information Services (IIS) Manager console.
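
One way to check the result of the two procedures above from a client, as an added example that is not part of the original guide: it audits captured, unauthenticated responses for a front-end virtual directory and reports where SSL is not required or where schemes other than Basic are still offered. The expected status codes are assumptions based on standard IIS behaviour, and the function names, host name and sample responses are constructed for illustration.

```python
# Added example (not from the original guide): audit captured, unauthenticated
# responses against the settings the procedures above configure.
# Expected values are assumptions based on standard IIS behaviour:
#   http://  -> 403 (IIS reports "SSL required" as 403.4), or no listener at all
#   https:// -> 401 offering only the Basic scheme on the front-end server

def auth_schemes(headers):
    """Schemes offered in WWW-Authenticate headers, lowercased."""
    return {value.split()[0].lower()
            for name, value in headers
            if name.lower() == "www-authenticate" and value.strip()}

def audit(vdir, plain, tls):
    """plain and tls are (status, [(header, value), ...]) from an unauthenticated
    GET of vdir over http:// and https://; plain is None if port 80 refused.
    Returns a list of findings; an empty list means the directory matches."""
    findings = []
    if plain is not None and plain[0] != 403:
        findings.append(f"{vdir}: plain HTTP returned {plain[0]}, SSL is not required")
    status, headers = tls
    if status != 401:
        findings.append(f"{vdir}: HTTPS returned {status} without credentials, expected 401")
        return findings
    schemes = auth_schemes(headers)
    if "basic" not in schemes:
        findings.append(f"{vdir}: Basic authentication is not offered")
    extra = sorted(schemes - {"basic"})
    if extra:
        findings.append(f"{vdir}: extra schemes offered: {', '.join(extra)}")
    return findings

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "/Microsoft-Server-ActiveSync": (      # matches the procedures
        (403, []),
        (401, [("WWW-Authenticate", 'Basic realm="mail.example.test"')])),
    "/Exchange": (   # SSL not required, Integrated Windows authentication left on
        (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]),
        (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
               ("WWW-Authenticate", 'Basic realm="mail.example.test"')])),
    # Port 80 unreachable; HTTPS answers with a redirect instead of a challenge.
    "/OMA": (None, (302, [("Location", "/placeholder-logon-page")])),
}

def run_samples():
    return {vdir: audit(vdir, plain, tls) for vdir, (plain, tls) in SAMPLES.items()}

if __name__ == "__main__":
    for vdir, findings in run_samples().items():
        print(vdir, "OK" if not findings else findings)
```

Run the audit against the front-end server only; the back-end (mailbox) server is expected to keep Integrated Windows Authentication enabled, as the note above states.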



    Confirm forms-based authentication is not selected on the Exchange front-end server


    Forms-based authentication can be configured on the Exchange front-end server when not using ISA Server to publish Exchange Web client access. When ISA Server is being used to publish Exchange Web client access, forms-based authentication should only be configured on the ISA Server computer.

    Perform the following procedure to confirm that forms-based authentication is not selected on the Exchange front-end server.



    To confirm forms-based authentication is not selected on an Exchange front-end server

      1. Start Exchange System Manager.

      2. If administrative groups are enabled, expand Administrative Groups.

      3. Expand Servers, and then expand your front-end server.

      4. Expand Protocols, expand HTTP, right-click Exchange Virtual Server, and then click Properties.

      5. Click the Settings tab, and clear the check box Enable Forms Based Authentication.

      6. Click OK.

      7. If you receive a message that states that Internet Information Services (IIS) must be restarted, click OK. To restart IIS, type the following command at a command prompt: iisreset.


    Note:

    Perform this procedure on every Exchange front-end server in your environment that will be used for Outlook Web Access.


    Configure or Update RSA SecurID Agent (Optional)


    If you have chosen to deploy RSA SecurID as an additional security layer, you should set up your Exchange server as an Agent Host within the RSA ACE/Server’s database at this point.

    Note:

    There have been timing limitations between IIS 6.0 and the RSA/ACE Agent. Be sure to update your RSA/ACE Agent for better compatibility with IIS 6.0. For more information, see the RSA Security Web site.


