Recommendations for Deploying Outlook Anywhere
Applies to: Exchange Server 2010 Beta
Topic Last Modified: 2008-12-11
This topic provides recommendations for using Outlook Anywhere in your Exchange infrastructure.
We recommend that you use the following configuration when you use Microsoft Exchange with Outlook Anywhere:
NTLM authentication over Secure Sockets Layer (SSL)
We recommend that you enable and require SSL on the Microsoft Exchange Server 2010 computer that has the Client Access server role installed for all client-to-server communications. We also recommend using NTLM authentication. The HTTP session should always be established over SSL (port 443). For information about how to configure Outlook Anywhere authentication that uses SSL, see Managing Outlook Anywhere Security.
Important: If you are using a firewall that does not handle NTLM, you must use Basic authentication over SSL.
Use an advanced firewall server on the perimeter network
We recommend that you use a dedicated firewall server to help enhance the security of the Exchange computer. Microsoft Internet Security and Acceleration (ISA) Server 2006 is an example of a dedicated firewall server product. ISA Server 2006 also lets you use NTLM authentication instead of Basic authentication because ISA Server understands NTLM authentication information. Other firewall servers may also support NTLM authentication. To determine whether your firewall server allows for NTLM authentication, see the product documentation for your firewall product.
Obtain a certificate from a third-party certification authority (CA)
To enable and require SSL for all communications between the Client Access server and the Outlook clients, you must obtain and publish a certificate at the default Web site level. We recommend that you purchase your certificate from a third-party certification authority whose certificates are trusted by a wide variety of Web browsers.
By default, in the original release (RTM) version of Exchange 2007, the /rpc virtual directory is enabled for both Basic authentication and Integrated Windows authentication and cannot be modified. In Exchange 2007 SP1, only one authentication method is enabled at any time on the /rpc virtual directory. By default, this authentication method is the same as the authentication method that you choose when you enable Outlook Anywhere by using either the Enable Outlook Anywhere wizard or the Set-OutlookAnywhere cmdlet. The default authentication method can be modified by using the Set-OutlookAnywhere cmdlet to be either Integrated Windows authentication or Basic authentication. For more information about authentication and Outlook Anywhere, see Enable Outlook Anywhere.
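The recommended settings above (NTLM, SSL required on port 443, no SSL offloading) can be applied and then verified from the Exchange Management Shell. The following script is an added example and is not part of this topic or of the Exchange product documentation. It assumes the Exchange 2010 parameter names -ClientAuthenticationMethod, -SSLOffloading and -ExternalHostname on Enable-OutlookAnywhere and Set-OutlookAnywhere, the placeholder server name CAS01 and host name mail.contoso.com, and, for the final IIS check, the WebAdministration module that ships with IIS 7.5.

```powershell
# Added example: configure Outlook Anywhere for NTLM over SSL and verify the result.
# Run from the Exchange Management Shell. CAS01 and mail.contoso.com are placeholders;
# the parameter names assume Exchange 2010 (the Beta may differ).
$server       = 'CAS01'             # placeholder Client Access server name
$externalHost = 'mail.contoso.com'  # must match the certificate's Common Name / Issued to field

# Use 'Basic' instead of 'NTLM' only when the perimeter firewall cannot pass NTLM;
# Basic over SSL still keeps the credentials inside the encrypted session.
$clientAuth = 'NTLM'

if (-not (Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue)) {
    # Not yet enabled on this server: enable it with the recommended settings.
    Enable-OutlookAnywhere -Server $server `
        -ExternalHostname $externalHost `
        -ClientAuthenticationMethod $clientAuth `
        -SSLOffloading $false
} else {
    # Already enabled: bring the existing settings in line with the recommendation.
    Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" `
        -ExternalHostname $externalHost `
        -ClientAuthenticationMethod $clientAuth `
        -SSLOffloading $false
}

# Show what is now configured. ClientAuthenticationMethod should read NTLM and
# SSLOffloading should be False (SSL terminates on the Client Access server itself).
Get-OutlookAnywhere -Server $server |
    Format-List Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading

# Confirm that IIS requires SSL on the /rpc virtual directory, so the HTTP session
# can only be established on port 443. Assumes the IIS 7.5 WebAdministration module;
# on IIS 7.0 use Add-PSSnapin WebAdministration instead.
Import-Module WebAdministration
$sslFlags = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\Rpc' `
    -Filter 'system.webServer/security/access' -Name sslFlags
if ("$($sslFlags.Value)" -notmatch 'Ssl') {
    Write-Warning 'The /rpc virtual directory does not require SSL; Outlook Anywhere traffic could be sent in clear text.'
}
```

The script is idempotent: it enables Outlook Anywhere only when it is not already enabled, and otherwise corrects the existing settings, so it can be run again after a change to confirm the server is still in the recommended state.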
Alternatively, you can use the Certification Authority tool in Microsoft Windows to install your own certification authority. By default, applications and Web browsers do not trust a root certification authority that you install yourself. When a user connects with Microsoft Office Outlook 2007 or Outlook 2003 by using Outlook Anywhere, Outlook drops the connection to Microsoft Exchange without notifying the user when any of the following conditions is true:
The client does not trust the certificate.
The certificate does not match the name to which the client tries to connect.
The certificate date is incorrect.
Therefore, you must make sure that the client computers trust the certification authority. Additionally, if you use your own certification authority, when you issue a certificate to your Client Access server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the Client Access server that is available on the Internet. For example, the Common Name field or the Issued to field must contain a name that resembles mail.contoso.com. These fields cannot contain the internal fully qualified domain name of the computer. For example, they cannot contain a name that resembles mycomputer.contoso.com.
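Because Outlook gives the user no error when a certificate fails, it is worth testing the three conditions (trust, name match, validity period) from a client before users are affected. The following function is an added example, not part of this topic or of the Exchange documentation. It assumes a published Client Access server reachable on port 443, the placeholder host name mail.contoso.com, and that the Subject Alternative Name extension is formatted with the English "DNS Name=" label, as it is on an English Windows installation.

```powershell
# Added example: check a published Client Access server certificate for the three
# conditions under which Outlook silently drops an Outlook Anywhere connection.
# Runs on any Windows client with .NET 2.0 or later; mail.contoso.com is a placeholder.
function Test-OutlookAnywhereCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ExternalHostname,  # e.g. mail.contoso.com
        [int]$Port = 443
    )

    # Fetch the server certificate. The validation callback always returns $true so the
    # handshake completes even for a bad certificate; each check is done explicitly below.
    $tcp = New-Object System.Net.Sockets.TcpClient($ExternalHostname, $Port)
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ExternalHostname)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }

    # Condition 1: the client must trust the certificate. Build the chain against this
    # computer's trusted root store; revocation is skipped so an unreachable CRL does not
    # masquerade as an untrusted issuer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Condition 2: the name the client connects to must match the Common Name
    # or one of the Subject Alternative Names (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumes the English "DNS Name=" label in the formatted extension text.
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }
    $nameMatches = $false
    foreach ($n in $names) {
        if ($n -ieq $ExternalHostname) { $nameMatches = $true }
        # A wildcard name (*.contoso.com) covers exactly one left-most label.
        elseif ($n.StartsWith('*.') -and
                ($ExternalHostname -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$'))) {
            $nameMatches = $true
        }
    }

    # Condition 3: the certificate must be within its validity period right now.
    $now = Get-Date
    $dateValid = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    New-Object PSObject -Property @{
        Hostname      = $ExternalHostname
        Subject       = $cert.Subject
        NamesOnCert   = ($names -join '; ')
        Trusted       = $trusted
        ChainStatus   = $chainStatus
        NameMatches   = $nameMatches
        DateValid     = $dateValid
        AllChecksPass = ($trusted -and $nameMatches -and $dateValid)
    }
}

# Placeholder host name; replace with the external URL published for the Client Access server.
Test-OutlookAnywhereCertificate -ExternalHostname 'mail.contoso.com' | Format-List
```

Run it from a client that is representative of your users, not from the server: the Trusted result depends on that machine's own root store, which is exactly what differs when you use your own certification authority. A NameMatches value of False with an internal name such as mycomputer.contoso.com in NamesOnCert is the mismatch this topic warns about.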