How to Require SSL for Offline Address Book Distribution
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-06-26
This topic explains how to use Internet Information Services (IIS) Manager and the Exchange Management Shell to configure the virtual directory to use Secure Sockets Layer (SSL) for an offline address book (OAB). By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, a virtual directory named OAB is created on the default IIS Web site on the Exchange server.
When SSL is enabled, both SSL and unencrypted requests to the OAB virtual directory are allowed. You can disallow unencrypted requests by performing the procedures that are detailed later in this topic.
To perform the following procedures, the account you use must be delegated the Exchange Organization Administrator role.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Also, before you perform these procedures, be aware of the following:
To learn more about the various security and authentication related options that are available for Exchange 2007, we recommend that you first read Managing Client Access Security.
The default self-signed certificate that is available in Exchange 2007 Setup will not work with Microsoft Office Outlook 2007 clients that are using OABs. Instead, you must use a valid SSL certificate that is created by a certification authority (CA) that is trusted by the client computer's operating system. For more information about how to install a valid SSL certificate from a CA that the client trusts, see How to Obtain a Server Certificate from a Certification Authority.
After you obtain a valid SSL certificate to use with the Client Access server on the OAB default Web site or on the Web site where you host your OAB virtual directory, you should test SSL connectivity by issuing an HTTPS request. Using your browser, type the following URL in the address bar: https://<server name>/. The request should return your server's home page. You can configure the Web site to require SSL. You can also enable SSL for one or more Web sites that are hosted by the Client Access server. For more information, see Managing Client Access Security.
To use IIS Manager to require SSL for the OAB virtual directory:
1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the console tree of Internet Information Services (IIS) Manager, expand the Client Access server on which you are going to configure IIS.
3. Expand Web Sites, and then expand Default Web Site.
4. Right-click OAB, and then click Properties.
5. In OAB Properties, click the Directory Security tab.
6. Under Secure Communications, click Edit.
7. In Secure Communications, select the Require secure channel (SSL) and the Require 128-bit encryption check boxes, and then click OK to save your change.
8. Click OK to close OAB Properties.
To use the Exchange Management Shell to require SSL for the OAB virtual directory, run the following command:
Set-OABVirtualDirectory -Identity <VirtualDirectoryIdParameter> -RequireSSL <$true> -ExternalURL <URL>
For example, to require SSL for the OAB default Web site with an external URL for the Contoso company, run the following command:
Set-OABVirtualDirectory -Identity "OAB (Default Web Site)" -RequireSSL $true -ExternalURL "https://exchange.contoso.com/oab"
For detailed syntax and parameter information, see the Set-OABVirtualDirectory reference topic.
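After completing either procedure above, the following script (an added verification example, not part of the original topic) reads the RequireSSL setting back with Get-OABVirtualDirectory and then probes the virtual directory over HTTP and HTTPS, so you can confirm that unencrypted requests are refused and that the certificate presented is one the client trusts. It assumes the Exchange Management Shell on PowerShell 2.0 or later; the server name and virtual directory identity are placeholders taken from the example command above.

```powershell
# Added verification example (not from the Exchange documentation). Assumes the
# Exchange Management Shell on PowerShell 2.0 or later (for try/catch).
# Placeholder values: replace with your own Client Access server and vdir identity.
$Server       = "exchange.contoso.com"
$VdirIdentity = "OAB (Default Web Site)"

# 1. Read the configured state back from Exchange. Get-OABVirtualDirectory is the
#    read counterpart of the Set-OABVirtualDirectory command shown in this topic.
$vdir = Get-OABVirtualDirectory -Identity $VdirIdentity
if (-not $vdir.RequireSSL) {
    Write-Warning "RequireSSL is False on '$VdirIdentity'; unencrypted OAB downloads are still accepted."
}
Write-Host ("RequireSSL: {0}   ExternalUrl: {1}" -f $vdir.RequireSSL, $vdir.ExternalUrl)

# 2. Probe one URL and classify what happened.
function Test-OabUrl([string]$Url) {
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = "GET"
    $request.UseDefaultCredentials = $true   # OAB vdir uses Integrated Windows authentication
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        return "answered HTTP $status"
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response -ne $null) {
            # IIS answered. On plain HTTP with "Require secure channel" set this is
            # 403 (IIS 6 substatus 403.4, SSL required). Over HTTPS a 403 can instead be
            # 403.14 (directory listing denied); what matters there is that TLS completed.
            return "answered HTTP $([int]$ex.Response.StatusCode)"
        }
        # No response object: the failure happened below HTTP. A Status of TrustFailure
        # means the certificate is self-signed or issued by a CA this client does not
        # trust, which is the condition the topic warns breaks Outlook 2007 OAB downloads.
        return "failed before HTTP: $($ex.Status)"
    }
}

$httpResult  = Test-OabUrl "http://$Server/oab/"
$httpsResult = Test-OabUrl "https://$Server/oab/"

"http  -> $httpResult   (expected: answered HTTP 403, i.e. SSL required)"
"https -> $httpsResult  (expected: a numeric status; TrustFailure means an untrusted certificate)"
```

Run it from the Exchange Management Shell on a machine that resolves the Client Access server name; if the HTTP probe still returns 200, the IIS setting or the -RequireSSL value has not taken effect.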
To learn more about OABs, see Understanding Offline Address Books.
For more information about managing OABs and the OAB virtual directory, see How to Create an Offline Address Book Virtual Directory.