A. Using Secure Sockets Layer (SSL) with Microsoft Exchange Server Outlook Web Access (OWA) lets you provide secure authentication and encryption for OWA users on almost any Web browser, not just Microsoft Internet Explorer (IE). SSL is installed by default with Microsoft Internet Information Server (IIS). However, to avoid browser warning messages, you'll need a trusted site certificate, which you can get from VeriSign, Thawte, or Entrust. (This costs money, but not too much.) These sites have easy-to-follow instructions on installing the certificate into your server.

After you install the certificate, open a browser and load your OWA site, using https instead of http. If you don't get any browser warnings, you have SSL set up and ready to go. If you do get a warning, double-check your new certificate to make sure you have installed it correctly.

Next, you'll want to force your users to use SSL when accessing your OWA site. In the IIS Administrator tool, open the Properties dialog box for your Exchange directory. Make sure you chose the option to apply the setting to all subfolders. You can even force 128-bit SSL if all your users are technically savvy enough to install the 128-bit upgrades to their browsers (and they all live in the United States or Canada).

Now, in IIS Administrator, turn on plain-text authentication for the OWA site. This sounds scary, but because you're requiring that the Exchange site use SSL, all your passwords will be encrypted. Because you don't want your users to have to type https to get to your Web site, use IIS Administrator to set up a redirect from the root of your default Web site that points to https://server.company.com/exchange. This way, users need only to type in http://server.company.com— they'll automatically be redirected to your secured OWA Web site. If you have other stuff in the root of your server, set up a link from your main page to the secured Web site.