Require SSL for Offline Address Book Distribution
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
You can use Internet Information Services (IIS) Manager and the Shell to configure the virtual directory to use Secure Sockets Layer (SSL) for an offline address book (OAB). By default, when you install the Client Access server role on a computer running Microsoft Exchange Server 2010, a virtual directory named OAB is created on the default IIS Web site on the Exchange server.
When SSL is enabled, both SSL and unencrypted requests to the OAB virtual directory are allowed. You can disallow unencrypted requests by performing the procedures detailed later in this topic.
Looking for other management tasks related to OABs? Check out Managing Offline Address Books.
To learn more about the various security and authentication related options that are available, we recommend that you first read Securing Client Access Servers.
After you obtain a valid SSL certificate to use with the Client Access server on the OAB default Web site or on the Web site where you host your OAB virtual directory, you should test SSL connectivity by issuing an HTTPS request. Using your browser, type the following URL in the address bar: https://<server name>/. The request should return your server's home page. You can configure the Web site to require SSL. You can also enable SSL for one or more Web sites hosted by the Client Access server. For more information, see Securing Client Access Servers.
To perform this procedure, you must be a member of the Administrators group on the local computer.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the console tree of Internet Information Services (IIS) 7 Manager, expand the Client Access server on which you are going to configure IIS.
Expand Sites, expand Default Web Site, and then click OAB.
In the result pane, double-click SSL Settings.
In the SSL Settings property page, select the Require SSL check box, and then select the Require 128-bit SSL check box.
In the action pane, click Apply.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "OAB virtual directory" entry in the Mailbox Permissions topic.
|You can't use the EMC to set up the OAB virtual directory to require SSL verification and to use an SSL-enabled external Web site.|
To set up the OAB virtual directory to require SSL verification and to use an SSL-enabled external Web site, use the following syntax.
Set-OABVirtualDirectory -Identity <VirtualDirectoryIdParameter> -RequireSSL <$true> -ExternalURL <URL>
This example requires SSL for the OAB default Web site with an external URL for the Contoso company.
Set-OABVirtualDirectory -Identity "OAB (Default Web Site)" -RequireSSL $true -ExternalURL "https://exchange.contoso.com/oab"
For detailed syntax and parameter information, see Set-OABVirtualDirectory.