Managing SSL for a Client Access Server
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-03-23
Secure Sockets Layer (SSL) is a method for securing communications between a client and a server. For a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed, SSL is used to help secure communications between the server and the clients. Clients include mobile devices, computers inside an organization's network, and computers outside an organization's network.
By default, when you install Exchange 2007, client communications are encrypted by using SSL when you use Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere. By default, Post Office Protocol version 3 (POP3) and Internet Message Access Protocol Version 4 rev1 (IMAP4) are not configured to communicate over SSL.
Although most client communications are encrypted by using SSL by default, there are still several options that you can configure for SSL on your Client Access server. You should understand the differences between the various types of SSL certificates and the steps that are required to install and configure these certificates for your Exchange Server 2007 organization.
Digital certificates are electronic files that work like an online password to verify the identity of a user or a computer. They are used to create the SSL encrypted channel that is used for client communications. A certificate is a digital statement that is issued by a certification authority (CA) that vouches for the identity of the certificate holder and enables the parties to communicate in a secure manner by using encryption.
Digital certificates do the following:
They authenticate that their holders—people, Web sites, and even network resources such as routers—are truly who or what they claim to be.
They protect data that is exchanged online from theft or tampering.
Digital certificates can be issued by a trusted third-party CA, can be issued by a Microsoft Windows public key infrastructure (PKI) by using Certificate Services, or can be self-signed. Each type of digital certificate has advantages and disadvantages. For more information about the types of certificates, see Understanding SSL for Client Access Servers.
If you have chosen a Windows PKI-generated certificate or a trusted third-party certificate, you must install the digital certificate on the server. For more information about how to install a certificate, see How to Install an SSL Certificate on a Client Access Server. For a Windows PKI-generated certificate or the default self-signed certificate, you must install a copy of the certificate on the client computers and mobile devices. In most cases, client computers and mobile devices already have a copy of the trusted third-party certificate in their trusted root certificate store. For more information about how to install certificates on client devices, see How to Install Root Certification Authority Certificates on a Windows Mobile-based Device.
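To see which of these cases applies on a given Client Access server, the following Exchange Management Shell snippet lists each installed certificate, the services it is enabled for, and whether it is self-signed. It is an added example, not part of the original topic; the 30-day expiry window and the wording of the notes are assumptions made for this example.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Written to stay compatible with Windows PowerShell 1.0.
$warnDays = 30   # assumption: expiry warning window chosen for this example

Get-ExchangeCertificate | ForEach-Object {
    $cert = $_

    # Services is a flags value such as "IMAP, POP, IIS, SMTP".
    # IIS covers Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere.
    $services = $cert.Services.ToString()
    $usedByIis = $services -match 'IIS'

    # Self-signed certificates are not trusted by clients until a copy is installed.
    # CA-issued certificates are trusted only where the issuing CA's root is present.
    if ($cert.IsSelfSigned) {
        $note = 'Self-signed: install a copy on client computers and mobile devices'
    } else {
        $note = 'CA-issued: confirm clients trust the issuing CA (see Issuer)'
    }

    # Whole days remaining before the certificate expires.
    $daysLeft = [int][Math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) {
        $note = "$note; EXPIRED"
    } elseif ($daysLeft -le $warnDays) {
        $note = "$note; expires in $daysLeft days"
    }

    # Build one report row per certificate.
    $row = New-Object PSObject
    $row | Add-Member -MemberType NoteProperty -Name Thumbprint   -Value $cert.Thumbprint
    $row | Add-Member -MemberType NoteProperty -Name Subject      -Value $cert.Subject
    $row | Add-Member -MemberType NoteProperty -Name Issuer       -Value $cert.Issuer
    $row | Add-Member -MemberType NoteProperty -Name Services     -Value $services
    $row | Add-Member -MemberType NoteProperty -Name UsedByIIS    -Value $usedByIis
    $row | Add-Member -MemberType NoteProperty -Name IsSelfSigned -Value $cert.IsSelfSigned
    $row | Add-Member -MemberType NoteProperty -Name NotAfter     -Value $cert.NotAfter
    $row | Add-Member -MemberType NoteProperty -Name Note         -Value $note
    $row
} | Format-List
```

A row with UsedByIIS set to True and IsSelfSigned set to True identifies a server whose clients will not trust the connection until the certificate is installed on them.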
For more information about SSL and digital certificates, see the following topics: