Configuring SSL Encryption. An SSL certificate is required for encryption when a
Microsoft Outlook Web Access (OWA) client
connects to the Client Access server. The only
time an SSL certificate wouldn't be required
on a Client Access server is when you offload
SSL encryption to another device to conserve
resources on your Exchange server.
The good news is that Exchange 2007 is
flexible in the types of certificates it lets you
use. You can use an Exchange 2007 self-signed
certificate, purchase an SSL certificate from a
commercial Certificate Authority (CA), or obtain
a certificate from your own public key infrastructure
(PKI) CA. The advantage of a self-signed certificate is
that it's free and easy to deploy. However, no client
outside your organization trusts it: a browser or mobile
device that doesn't have the certificate in its trusted
root store will warn the user on every connection, and
users who learn to click past that warning will also
click past a real man-in-the-middle attack. A certificate
from a commercial CA carries that trust but can be
expensive to purchase; a certificate from an internal
PKI CA is trusted only by machines that already trust
that CA, which is usually fine for domain-joined clients.
To use a self-signed certificate, you generate it with the Exchange Management
Shell's New-ExchangeCertificate cmdlet. The same cmdlet, run with the -GenerateRequest
parameter, produces a certificate request file instead, which you submit to a
commercial or PKI CA:
New-ExchangeCertificate -GenerateRequest `
-DomainName <yourdomain.com> `
-FriendlyName <yourdomain.com> `
-PrivateKeyExportable:$true `
-Path c:\cert_myserver.txt
In the preceding command, replace yourdomain.com with the name of your domain.
You can enter multiple names separated by commas, and the list should include
every name clients use to reach the server (for example, the external OWA name
and the server's internal fully qualified domain name), because a name that isn't
on the certificate produces a name-mismatch warning in the client. To create a
self-signed certificate directly rather than a request, omit -GenerateRequest
and -Path; the certificate is then placed in the local computer's certificate store
immediately. FriendlyName is the name that's displayed for the certificate being
generated; it must be fewer than 64 characters. Figure 4 shows an example of this
command and its output.
Regardless of how you obtain an SSL certificate, the procedure for installing
the certificate is basically the same. Open Exchange Management Shell and enter
the following command, where c:\newcert.cer is the path and filename
for the certificate you're importing (a self-signed certificate created with
New-ExchangeCertificate is already in the store, so this step isn't needed for it):
Import-ExchangeCertificate `
-Path c:\newcert.cer
Next, you need the certificate's thumbprint, a hash of the certificate data that
uniquely identifies it. List the certificates in the local computer's Personal
store with the following command:
Dir cert:\LocalMachine\My | fl
If multiple certificates are displayed, identify the appropriate certificate
by its friendly name or subject, and copy its Thumbprint value to the Clipboard.
(Get-ExchangeCertificate lists the same certificates together with the Exchange
services each one is currently enabled for.) Now use the thumbprint from the
Clipboard to enable the certificate for the default Web site and the POP and IMAP
services by using the following command:
Enable-ExchangeCertificate -Thumbprint `
<the value stored in the Clipboard> `
-Services "IIS,IMAP,POP"
The last step in the process is to verify that Microsoft IIS is configured
to require SSL encryption for the virtual directories; without this setting, the
certificate is bound to the site but clients can still connect over plain HTTP.
The following steps describe the IIS 6.0 console on Windows Server 2003. Choose
Internet Information Services (IIS) Manager from the Administrative Tools menu.
In the IIS Manager console tree, navigate to your Default Web site and expand the
container to reveal a list of the virtual directories in the default Web site.
For each of these directories, right-click the directory and choose Properties
from the shortcut menu. In the Properties sheet, click the Directory Security tab,
then click Edit in the Secure Communications section to display the Secure
Communications dialog box. Select the Require Secure Channel check box and the
Require 128-Bit Encryption check box. Click OK twice and move on to the next
virtual directory. When you're done, restart the Microsoft Exchange POP3 and
Microsoft Exchange IMAP4 services so that they pick up the new certificate.
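The same procedure, scripted end to end in the Exchange Management Shell, as an added example that is not part of the original article: it creates a self-signed certificate, enables it by thumbprint without the Clipboard round-trip, checks that the certificate actually covers the names clients use, requires 128-bit SSL on the OWA and ActiveSync virtual directories, and restarts only the protocol services that are running. The host names, the friendly name, and the IIS 6.0 metabase path (Default Web Site is site ID 1 on Windows Server 2003) are assumptions for the example.

```powershell
# Added example (not from the original article): self-signed certificate end to end
# on an Exchange 2007 Client Access server, run in the Exchange Management Shell.
# Assumed names: external OWA name mail.example.com, internal FQDN cas01.example.local.
$names = "mail.example.com", "cas01.example.local"

# 1. Create the self-signed certificate. Without -GenerateRequest the cmdlet
#    creates the certificate itself and places it in LocalMachine\My.
$cert = New-ExchangeCertificate -DomainName $names `
    -FriendlyName "OWA mail.example.com" `
    -PrivateKeyExportable $true

# 2. Enable it for the Web site, IMAP and POP by thumbprint.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,IMAP,POP"

# 3. Verify: the certificate must be within its validity period, carry the IIS
#    service, and cover every name clients will use.
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$now = Get-Date
if ($check.NotBefore -gt $now -or $check.NotAfter -lt $now) {
    Write-Warning "Certificate $($check.Thumbprint) is outside its validity period"
}
if ($check.Services.ToString() -notmatch "IIS") {
    Write-Warning "Certificate is not enabled for IIS; OWA still uses the old binding"
}
$covered = $check.CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($n in $names) {
    if ($covered -notcontains $n) {
        Write-Warning "Certificate does not cover $n; clients using that name get a mismatch"
    }
}

# 4. Require SSL and 128-bit encryption on the virtual directories (assumed IIS 6.0
#    on Windows Server 2003). The WMI provider exposes the metabase AccessSSLFlags
#    bitmask: AccessSSL = 8, AccessSSL128 = 256.
foreach ($vd in "owa", "Microsoft-Server-ActiveSync") {
    $vdir = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebVirtualDirSetting `
        -Filter "Name='W3SVC/1/ROOT/$vd'"
    if ($vdir -eq $null) {
        Write-Warning "Virtual directory $vd not found under the Default Web Site"
        continue
    }
    $vdir.AccessSSLFlags = $vdir.AccessSSLFlags -bor 8 -bor 256
    $vdir.Put() | Out-Null
}

# 5. Restart the POP3 and IMAP4 services so they pick up the certificate. Both are
#    disabled by default on Exchange 2007, so only restart the ones that are running.
Get-Service MSExchangePOP3, MSExchangeIMAP4 |
    Where-Object { $_.Status -eq "Running" } |
    Restart-Service
```

Step 3 is the check worth keeping as a standalone script: run it against the thumbprint that Get-ExchangeCertificate reports for IIS before and after any certificate change, and again before the certificate's NotAfter date, because an expired or mis-named certificate doesn't stop OWA from serving pages, it only trains users to click through warnings.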
Configuring EAS. You'll need to configure EAS only if
some users in your organization use mobile devices to send and receive email.
For this article, I'll assume that all your mobile users have devices running
Windows Mobile 5.0; older versions aren't supported.
First, create a new EAS mailbox policy. Navigate through Exchange Management
Console to Organization Configuration\Client Access. Now, click the New Exchange
ActiveSync Mailbox Policy link in the Actions pane. Exchange Management Console
opens a screen that lets you enter the particulars for your mailbox policy.
As Figure 5 shows, you must enter a name for
the policy you're creating, and you can set a number of security requirements,
most of which are related to the device's password. Select the requirements
appropriate for your organization, then click New to create the policy.
Keep in mind that merely creating a policy doesn't activate it; an EAS policy
must be assigned to one or more mailboxes to be effective. This also means you can
create multiple EAS policies and assign different policies to different users.
To assign an EAS policy to a mailbox,
click the Exchange Management Console's
Recipient Configuration container to display
a list of all the mailboxes in the Exchange
organization. Display the Properties sheet for
the mailbox you want to apply the policy to
and click the Mailbox Features tab. Choose
the Exchange ActiveSync option from the list
of mailbox features, then click Properties to
display the Exchange ActiveSync Properties
dialog box. Select the Apply an Exchange
ActiveSync Mailbox Policy check box, then
click Browse to locate and select the policy you
want. Click OK twice to associate the policy
with the mailbox.
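The policy creation and assignment described above, scripted in the Exchange Management Shell, as an added example that is not part of the original article: New-ActiveSyncMailboxPolicy takes the same settings as the New Exchange ActiveSync Mailbox Policy screen, Set-CASMailbox is the scripted form of the Mailbox Features assignment, and a final query lists ActiveSync-enabled mailboxes that still have no policy. The policy name, the password values, and the organizational unit are assumptions for the example.

```powershell
# Added example (not from the original article): create an Exchange ActiveSync
# mailbox policy and assign it in bulk, run in the Exchange Management Shell.
# Assumed names: policy "Corporate Mobile", OU "example.local/Sales".
$policyName = "Corporate Mobile"

# 1. Create the policy. Each parameter corresponds to a setting on the
#    New Exchange ActiveSync Mailbox Policy screen in the console.
#    AllowNonProvisionableDevices $false refuses devices that cannot apply the
#    policy instead of admitting them without it.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:10:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to every mailbox in the OU. The console does this one
#    mailbox at a time; Set-CASMailbox is the same operation scripted.
$mailboxes = Get-Mailbox -OrganizationalUnit "example.local/Sales" -ResultSize Unlimited
foreach ($mbx in $mailboxes) {
    Set-CASMailbox -Identity $mbx.Identity -ActiveSyncMailboxPolicy $policyName
}

# 3. Verify. A policy that is never assigned enforces nothing, so list every
#    mailbox that can sync a device but has no policy attached.
function Get-UnpolicedActiveSyncMailbox {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncEnabled -and ($_.ActiveSyncMailboxPolicy -eq $null) }
}
Get-UnpolicedActiveSyncMailbox |
    Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize
```

Run the verification function on its own after any mailbox move or new-hire provisioning; a newly created mailbox is ActiveSync-enabled by default and has no policy until one is assigned.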
Configuring the Hub Transport Server
You might need to perform as many as three post-installation tasks on servers
hosting the Hub Transport role: configuring the domains for which you'll accept
email, subscribing to an Edge Transport server, and creating a postmaster mailbox.
Depending on the specifics of your Exchange organization, any or all of these
tasks might be optional.