TLS Functionality and Related Terminology in Exchange 2007
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-18
Compared to earlier versions of Microsoft Exchange Server, Exchange Server 2007 adds administrative functionality and other enhancements that make Transport Layer Security (TLS) easier to manage. As you work with this functionality, you should understand several TLS-related features, some of which share terms and concepts. This topic briefly explains each feature so that the differences between them, and the general terminology that relates to TLS and the Domain Security feature set, are clear.
Transport Layer Security TLS is a standard protocol that provides secure communications on the Internet or on intranets. It was designed for the Web and is now used by many other protocols, including SMTP. It enables clients to authenticate servers and, optionally, servers to authenticate clients, and it provides a secure channel by encrypting communications. TLS is the standardized successor to the Secure Sockets Layer (SSL) protocol.
Mutual TLS TLS with mutual authentication differs from TLS as it is usually deployed. TLS is frequently deployed only to provide confidentiality in the form of encryption: neither the sender nor the receiver authenticates the other. This is how opportunistic TLS between SMTP servers typically works. In the other common deployment, only the receiving server is authenticated; the client validates the server's certificate, but the server does not validate the client. This is the model used by HTTPS and the one most people associate with SSL.
With mutual TLS authentication, each server verifies the identity of the other server by validating the certificate that the other server presents. In an Exchange 2007 environment, when messages are received from external domains over connections verified in this way, Microsoft Office Outlook 2007 displays a Domain Secured icon on the message.
Domain Security Domain Security is the set of features (certificate management, connector functionality, and Outlook client behavior) that makes mutual TLS a manageable and useful technology.
Opportunistic TLS In earlier versions of Exchange Server, you had to configure TLS manually and install a valid certificate, suitable for TLS usage, on the server running Exchange Server. In Exchange 2007, Setup creates a self-signed certificate, and TLS is enabled by default. Any sending system can therefore encrypt the inbound Simple Mail Transfer Protocol (SMTP) session to Microsoft Exchange, and Exchange 2007 also tries TLS for all remote connections by default. Because remote systems have no reason to trust the self-signed certificate, opportunistic TLS provides encryption without authentication: it protects the session against passive eavesdropping, but an active attacker in the path can impersonate either server or suppress the STARTTLS offer so that the session continues in clear text. Use Domain Security when the identity of the partner domain must be verified.
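The following Exchange Management Shell commands are an added example, not part of the original topic, that show the difference between the default opportunistic TLS state and a Domain Security (mutual TLS) configuration for one partner domain. The partner domain `partner.example`, the connector names `Internet Send Connector` and `Internet Receive Connector`, and the certificate name `mail.fabrikam.example` are assumptions; substitute your own values.

```powershell
# Added example (not from the Exchange documentation). Assumed names:
#   partner domain          : partner.example
#   Send connector          : Internet Send Connector
#   Receive connector       : Internet Receive Connector (dedicated Internet-facing)
#   CA-issued certificate   : already installed, subject mail.fabrikam.example
# Run Set-TransportConfig on a Hub Transport server (EdgeSync replicates it);
# run the connector commands on the server that hosts the Internet-facing
# connectors (the Edge Transport server in a typical deployment).

# 1. Opportunistic TLS state after Setup: the self-signed certificate is
#    already enabled for the SMTP service.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, IsSelfSigned, Subject, NotAfter -AutoSize

# A Receive connector offers STARTTLS when its AuthMechanism includes Tls and a
# certificate matching its Fqdn is enabled for SMTP. RequireTLS is $false by
# default, so a sender that does not offer TLS still gets a clear-text session.
Get-ReceiveConnector | Format-Table Name, Fqdn, AuthMechanism, RequireTLS -AutoSize

# 2. Domain Security needs a certificate the partner can validate, so the
#    self-signed one will not do. Find the CA-issued certificate for the
#    connector Fqdn and enable it for SMTP.
$cert = Get-ExchangeCertificate |
    Where-Object { -not $_.IsSelfSigned -and $_.CertificateDomains -contains 'mail.fabrikam.example' }
if (-not $cert) {
    throw 'No CA-issued certificate for mail.fabrikam.example; request one with New-ExchangeCertificate -GenerateRequest first.'
}
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 3. Name the domains that must use mutual TLS, in each direction.
#    Note: this assignment replaces the existing lists, so include every
#    partner domain you already have.
Set-TransportConfig -TLSSendDomainSecureList 'partner.example' `
                    -TLSReceiveDomainSecureList 'partner.example'

# 4. Enable Domain Security on the connectors. The Send connector must route by
#    DNS and must not ignore STARTTLS; the Receive connector must offer TLS
#    authentication. -AuthMechanism replaces the whole set, which is why a
#    dedicated Internet-facing connector is assumed here.
Set-SendConnector -Identity 'Internet Send Connector' `
    -DomainSecureEnabled $true -DNSRoutingEnabled $true -IgnoreSTARTTLS $false `
    -Fqdn 'mail.fabrikam.example'
Set-ReceiveConnector -Identity 'Internet Receive Connector' `
    -DomainSecureEnabled $true -AuthMechanism 'Tls' -Fqdn 'mail.fabrikam.example'

# 5. Confirm the result.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector -Identity 'Internet Send Connector' |
    Format-List DomainSecureEnabled, DNSRoutingEnabled, IgnoreSTARTTLS, Fqdn
Get-ReceiveConnector -Identity 'Internet Receive Connector' |
    Format-List DomainSecureEnabled, AuthMechanism, Fqdn
```

Steps 1 and 2 show why the two modes differ: opportunistic TLS works with whatever certificate Setup created, whereas Domain Security only succeeds if the partner can build a chain to a CA it trusts, and the partner must complete the mirror-image configuration on its side.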
Direct trust By default, all traffic between Edge Transport servers and Hub Transport servers is authenticated and encrypted, and the underlying mechanism is again mutual TLS. Instead of X.509 chain validation, Exchange 2007 authenticates these certificates by direct trust: the presence of the certificate in the Active Directory directory service or the Active Directory Application Mode (ADAM) directory service is what validates it, because Active Directory is considered a trusted store. With direct trust it does not matter whether the certificate is self-signed or signed by a certification authority. When you subscribe an Edge Transport server to the Exchange organization, the Edge Subscription publishes the Edge Transport server's certificate in Active Directory so that the Hub Transport servers can validate it, and the Microsoft Exchange EdgeSync service copies the set of Hub Transport server certificates into ADAM so that the Edge Transport server can validate them.
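As an added example, not part of the original topic, the following Exchange Management Shell commands check the direct-trust relationship between an Edge Transport server and the Hub Transport servers, and show the caveat that follows from trusting a specific published certificate rather than a chain. The server name `EDGE01` and the subscription file path are assumptions.

```powershell
# Added example (not from the Exchange documentation). Assumed names:
#   Edge Transport server : EDGE01
#   subscription file     : C:\EdgeSubscription\EDGE01.xml

# --- On the Edge Transport server ---
# The certificate enabled for SMTP is the one the Edge Subscription publishes to
# Active Directory. It may be self-signed: the Hub validates it by its presence
# in Active Directory, not by building a chain to a trusted root.
$edgeCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }
$edgeCert | Format-List Thumbprint, IsSelfSigned, Subject, NotAfter

# --- On a Hub Transport server in the subscribed site ---
# EdgeSync keeps the Hub certificates in the Edge server's ADAM instance and the
# Edge server object current in Active Directory; a healthy synchronization is
# the precondition for direct trust in both directions.
Test-EdgeSynchronization | Format-List
Start-EdgeSynchronization      # force a sync rather than waiting for the schedule

# The Hub certificates that EdgeSync publishes are likewise whatever is enabled
# for SMTP locally, self-signed or not.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, IsSelfSigned, Subject -AutoSize

# Caveat: direct trust binds to the exact certificate that was published. If you
# replace the Edge server's SMTP certificate, for example
#   Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services SMTP
# the Hub Transport servers still trust only the old certificate until the Edge
# Subscription is re-created: export a new file on the Edge server with
#   New-EdgeSubscription -FileName 'C:\EdgeSubscription\EDGE01.xml'
# and import it on a Hub Transport server in the site. Until then, Hub-to-Edge
# TLS authentication fails and mail between the two roles stops flowing.
```

The point of the thumbprint listing is that no CA, revocation check or expiry-date policy is involved in direct trust: whatever is enabled for SMTP on each role at subscription time is what the other role will accept, so certificate changes on either side must be followed by a refreshed subscription.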