Understanding SSL for Outlook Anywhere
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2009-11-11
Outlook Anywhere client connectivity is encrypted using Secure Sockets Layer (SSL) on the Microsoft Exchange Server 2010 Client Access server. This topic explains SSL certificates, SSL offloading, and using SSL to manage security for Outlook Anywhere.
Looking for management tasks related to Outlook Anywhere? See Managing Outlook Anywhere.
The default self-signed certificate that's available in Exchange 2010 Setup works with Outlook Web App and Exchange ActiveSync, but it doesn't work with Outlook 2007 or Outlook 2010 and Outlook 2003 clients that are using Outlook Anywhere. Instead, you must use a valid SSL certificate that's created by a certification authority (CA) that's trusted by the client computer's operating system. For more information about how to install a valid SSL certificate from a CA that the client trusts, see Obtain a Server Certificate from a Certification Authority.
After you obtain a valid SSL certificate to use with the Client Access server on the default Web site or on the Web site where you host your /rpc virtual directory, you can configure the Web site to require SSL. You can enable SSL for all Web sites that are hosted by the Client Access server or enable SSL only for the /rpc virtual directory.
If you plan to close the SSL connection from the client computer running Outlook 2007, Outlook 2010, or Outlook 2003 to the firewall, you can use SSL offloading. With SSL offloading, the traffic from the firewall to the Client Access server won't be encrypted by using SSL. For SSL offloading to work, you must have a certificate on the firewall that the client trusts. We recommend that you encrypt all traffic from the client to the Client Access server. For more information, see Configure SSL Offloading for Outlook Anywhere.
When you install Exchange Server 2010, a default virtual directory named /rpc is created on the default Internet Information Services (IIS) Web site on the Exchange Server 2010 Client Access server. You can configure the /rpc virtual directory to use SSL to manage security for Outlook Anywhere and external client access. For more information, see Configure SSL for Outlook Anywhere. Configuring the /rpc virtual directory to use SSL is only one step in managing security. For more information, see Securing Client Access Servers and Managing Outlook Anywhere Security.