Securing Client Access Servers
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-04-28
This topic summarizes the security and authentication related options available for a computer running Microsoft Exchange Server 2010 that has the Client Access server role installed. The Client Access server role provides access to Outlook Web App, Microsoft Exchange ActiveSync, Outlook Anywhere, Post Office Protocol version 3 (POP3), and Internet Message Access Protocol version 4rev1 (IMAP4). In addition, it supports the Autodiscover service and the Availability service. Each of these protocols and services has unique security needs.
One of the most important security-related tasks you can perform for the Client Access server role is to configure an authentication method. The Client Access server role is installed with a default self-signed digital certificate. A digital certificate does two things:
It authenticates that its holder is who or what the holder claims to be.
It helps protect data exchanged online from theft or tampering.
Although the default, self-signed certificate is supported for Exchange ActiveSync and Outlook Web App, it isn't the most secure method of authentication. Also, it isn't supported for Outlook Anywhere. For additional security, consider configuring your Exchange 2010 Client Access server to use a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) CA. You can configure authentication separately for Exchange ActiveSync, Outlook Web App, Outlook Anywhere, POP3, and IMAP4.
For more information about how to configure authentication, see the following topic:
After you optimize the security of communications between clients and the Exchange 2010 Client Access server, you must optimize the security of the communications between the Exchange 2010 Client Access server and other servers in your organization. By default, HTTP, Exchange ActiveSync, POP3, and IMAP4 communication between the Client Access server and other servers, such as Exchange 2010 servers that have the Mailbox server role installed, domain controllers, and global catalog servers, is encrypted.
For more information about how to manage security for the different components of your Client Access server, see the following topics: