Securing Exchange Server 2007 Client Access
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-18
This topic provides an overview of the security and authentication related options that are available for a Microsoft Exchange Server 2007 computer that has the Client Access server role installed. The Client Access server role provides access to Microsoft Office Outlook Web Access, Microsoft Exchange ActiveSync, Outlook Anywhere, Post Office Protocol version 3 (POP3), and Internet Message Access Protocol version 4rev1 (IMAP4). In addition, it supports the Autodiscover service and the Availability service. Each of these protocols and services has unique security needs.
One of the most important security-related tasks that you can perform for the Client Access server role is to configure an authentication method. The Client Access server role is installed with a default self-signed digital certificate. A digital certificate does two things:
It authenticates that its holder is who or what they claim to be.
It helps protect data exchanged online from theft or tampering.
Although the default, self-signed certificate is supported for Exchange ActiveSync and Outlook Web Access, it is not the most secure method of authentication. In addition, it is not supported for Outlook Anywhere. For additional security, consider configuring your Exchange 2007 Client Access server to use a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) CA. You can configure authentication separately for Exchange ActiveSync, Outlook Web Access, Outlook Anywhere, POP3, and IMAP4.
For more information about how to configure authentication, see the following topics:
After you optimize the security of communications between clients and the Exchange 2007 Client Access server, you must optimize the security of the communications between the Exchange 2007 Client Access server and other servers in your organization. By default, HTTP, Exchange ActiveSync, POP3, and IMAP4 communication between the Client Access server and other servers, such as Exchange 2007 servers that have the Mailbox server role installed, domain controllers, and global catalog servers, is encrypted.
For more information about how to manage security for the various components of your Client Access server, see the following topics: