Recommendations for Outlook Anywhere
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-10-24
This topic provides recommendations for using Outlook Anywhere in your Exchange infrastructure.
We recommend that you use the following configuration when you use Microsoft Exchange with Outlook Anywhere:
- NTLM authentication over Secure Sockets Layer (SSL) We recommend that you enable and require SSL on the Microsoft Exchange Server 2007 computer that has the Client Access server role installed for all client-to-server communications. We also recommend using NTLM authentication. The HTTP session should always be established over SSL (port 443). For information about how to configure Outlook Anywhere authentication that uses SSL, see Managing Outlook Anywhere Security.
Important: If you are using a firewall that does not handle NTLM, you must use Basic authentication over SSL.
- Use an advanced firewall server on the perimeter network We recommend that you use a dedicated firewall server to help enhance the security of the Exchange computer. Microsoft Internet Security and Acceleration (ISA) Server 2006 is an example of a dedicated firewall server product. ISA Server 2006 also lets you use NTLM authentication instead of Basic authentication because ISA Server understands NTLM authentication information. Other firewall servers may know how to use NTLM authentication. To determine whether your firewall server allows for NTLM authentication, see the product documentation for your firewall product.
- Obtain a certificate from a third-party certification authority (CA) To enable and require SSL for all communications between the Client Access server and the Outlook clients, you must obtain and publish a certificate at the default Web site level. We recommend that you purchase your certificate from a third-party certification authority whose certificates are trusted by a wide variety of Web browsers.
By default, in the original release (RTM) version of Exchange 2007, the /rpc virtual directory was enabled for both Basic authentication and Integrated Windows authentication and could not be modified. Even if you were only using one authentication method, both authentication methods were always enabled for the /rpc virtual directory. This was determined to be a security vulnerability and in Exchange 2007 SP1, you can now select to use only one authentication method on the /rpc virtual directory. Although not recommended, you can also choose to allow both Basic and Integrated Windows authentication.
For new installations of Exchange 2007 SP1, by default, the authentication method on the /rpc virtual directory will be the same as the authentication method that you choose when you enable Outlook Anywhere by using the Enable Outlook Anywhere wizard. The default authentication method for Internet Information Services (IIS) can be modified by using the Set-OutlookAnywhere cmdlet to be either Integrated Windows authentication or Basic authentication or both. As an alternative to using the Enable Outlook Anywhere wizard, the Enable-OutlookAnywhere cmdlet can be used to configure Outlook Anywhere.
|After you upgrade from the RTM version of Exchange 2007 to Exchange 2007 SP1, we recommend that you manually specify a single authentication method by using the Set-OutlookAnywhere cmdlet.|
If you deploy a firewall server that performs authentication delegation, you must change the authentication method on the /rpc virtual directory to a method different from the authentication method that is used by the client. For example, if you deploy a firewall server that performs authentication delegation, the firewall server authenticates to the Client Access server by using NTLM authentication. The client, however, uses Basic authentication. In this example, the firewall server is responsible for delegating the user’s authentication. This is why you configure the /rpc virtual directory in IIS to use NTLM authentication.
Although not recommended, in Exchange 2007 SP1 you can configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication. A common situation in which both authentication methods might be used is when additional services for RPC over HTTP are proxied to the same Client Access server that provides Outlook Anywhere access. In this example, each service requires both authentication methods. To configure the /rpc virtual directory in IIS to use both NTLM and Basic authentication, run the following command:
Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod Basic,NTLM
You can use the Certification Authority tool in Microsoft Windows to install your own certification authority. By default, applications and Web browsers do not trust your root certification authority when you install your own certification authority. When a user tries to connect in Microsoft Office Outlook 2007 or Outlook 2003 by using Outlook Anywhere, that user loses the connection to Microsoft Exchange. The user is not notified. The user loses the connection when one of the following conditions is true:
The client does not trust the certificate.
The certificate does not match the name to which the client tries to connect.
The certificate date is incorrect.
Therefore, you must make sure that the client computers trust the certification authority. Additionally, if you use your own certification authority, when you issue a certificate to your Client Access server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the Client Access server that is available on the Internet. For example, the Common Name field or the Issued to field must contain a name that resembles mail.contoso.com. These fields cannot contain the internal fully qualified domain name of the computer. For example, they cannot contain a name that resembles mycomputer.contoso.com.