Understanding Security for Outlook Anywhere
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2010-09-13
There are several methods available to help secure Outlook Anywhere (formerly known as RPC over HTTP). In a Microsoft Exchange Server 2010 messaging environment enabled for Outlook Anywhere, users can access Exchange from the Internet. When a user accesses their mailbox over the Internet using Outlook Anywhere, each time they create or update their Outlook profile, the Autodiscover service automatically detects their Outlook profile information and provides the user access to Exchange Web services including the Offline Address Book, the Availability service, and Unified Messaging. Because traffic on the Internet is vulnerable to interception and attack, consider a security strategy that involves as many security options as possible.
Looking for management tasks related to Outlook Anywhere? See Managing Outlook Anywhere.
Using an advanced firewall server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 improves security for your Outlook Anywhere deployment. ISA Server 2006 provides a setup wizard that lets you configure ISA Server 2006 for Exchange 2010 to work with Outlook Anywhere. For more information, see Using ISA Server with Outlook Anywhere.
When you use Outlook Anywhere to access Exchange information from the Internet, you must install a valid Secure Sockets Layer (SSL) certificate issued by a certification authority (CA) that's trusted by the client computer's operating system. For more information about how to use SSL certificates for client access, see Understanding Digital Certificates and SSL. For more information about how to use SSL with Outlook Anywhere, see Configure SSL for Outlook Anywhere.
For Outlook 2007 and Outlook 2010 clients that are located outside the organization, Outlook Anywhere provides connectivity to the Exchange organization. In this situation, Outlook 2007 or Outlook 2010 uses Domain Name System (DNS) to locate information about how to connect to the Autodiscover service. Because DNS is open to several kinds of malicious attacks, Outlook 2007 and Outlook 2010 request Autodiscover service information from only two URL combinations secured by SSL.
For an organization named www.contoso.com that has e-mail addresses that are derived from the main site name, for example, firstname.lastname@example.org, the two URL combinations would be formed as follows:
Outlook will first try the URL https://contoso.com/autodiscover/autodiscover.xml.
If the previous URL cannot locate the Autodiscover service, Outlook will then try https://autodiscover.contoso.com/autodiscover/autodiscover.xml.
There are several ways to use Secure Sockets Layer (SSL) to help secure communication between Outlook 2007 and Outlook 2010 clients and the Autodiscover service. With Outlook Anywhere, Outlook clients query DNS for the Autodiscover service connection point. We recommend that you use the Subject Alternative Name field on your SSL certificate to help secure communication between clients and the Client Access server that's hosting the Autodiscover service. For more information about how to configure the Subject Alternative Name for an SSL certificate, see Configure SSL Certificates to Use Multiple Client Access Server Host Names.
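The two-URL Autodiscover lookup described above, together with the Subject Alternative Name check it implies, as an added PowerShell example that is not part of the original article; the SMTP address and the certificate name list are constructed, and the wildcard rule used is the usual single-label match.

```powershell
# Added example (not from the original article): derive the two SSL-only
# Autodiscover URLs that Outlook 2007/2010 tries for an SMTP address, then
# check that a certificate's Subject Alternative Names cover both host names.
# The certificate name list below is constructed; on a real Client Access
# server it would come from (Get-ExchangeCertificate).CertificateDomains.

function Get-AutodiscoverUrl {
    param([Parameter(Mandatory=$true)][string]$SmtpAddress)
    $domain = ($SmtpAddress -split '@')[-1].ToLowerInvariant()
    # Order matters: the bare domain is tried first, then the autodiscover host.
    @(
        "https://$domain/autodiscover/autodiscover.xml",
        "https://autodiscover.$domain/autodiscover/autodiscover.xml"
    )
}

function Test-SanCoversHost {
    param([string]$HostName, [string[]]$CertificateDomains)
    foreach ($name in $CertificateDomains) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.contoso.com matches
        # autodiscover.contoso.com but not contoso.com itself.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)      # ".contoso.com"
            if ($HostName.EndsWith($suffix)) {
                $leftLabel = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($leftLabel -ne '' -and $leftLabel -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Constructed SAN list: covers the autodiscover host but not the bare domain,
# so the first URL Outlook tries would fail certificate validation.
$certDomains = @('mail.contoso.com', 'autodiscover.contoso.com')

foreach ($url in Get-AutodiscoverUrl -SmtpAddress 'user@contoso.com') {
    $hostName = ([uri]$url).Host
    $covered = Test-SanCoversHost -HostName $hostName -CertificateDomains $certDomains
    '{0,-60} SAN covers host: {1}' -f $url, $covered
}
```

A host reported as not covered means Outlook will raise a certificate warning on that attempt, so either add the name to the SAN list or use one of the multiple-certificate or redirection options described in this topic.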
Alternatively, you can use multiple SSL certificates. For more information, see Configure Outlook Anywhere to Use Multiple SSL Certificates.
Another option is to use an SSL certificate together with redirection. For more information, see Configure Outlook Anywhere to Use an SSL Certificate with Redirection.
When you use the Enable Outlook Anywhere wizard to configure your Client Access server to provide Outlook Anywhere access, you must select an authentication method for your Outlook clients to use. After you select an authentication method, you can change this method by using the Set-OutlookAnywhere cmdlet in the Exchange Management Shell.
The authentication method you select for Outlook Anywhere is the authentication method that will be used by the Outlook 2007 or Outlook 2010 client. This authentication method is automatically provided to the client by the Autodiscover service. You choose the authentication type for the RPC virtual directory when you enable Outlook Anywhere. You can choose to allow Basic authentication, NTLM authentication, or both Basic authentication and NTLM authentication. You may want to enable both Basic and NTLM authentication if you're using the IIS virtual directory with multiple applications that require different authentication methods.
Note: When you configure this setting using the IIS interface, you can enable as many authentication methods as you want.
The authentication method on the RPC virtual directory can be modified by using the Set-OutlookAnywhere cmdlet. For more information, see Configure Authentication for Outlook Anywhere.
You can use Basic authentication with Outlook Anywhere. Basic authentication requires a user name and password, and then sends the user name and password over the Internet in plain text. As long as you use Secure Sockets Layer (SSL) to help secure the connection between the Microsoft Office Outlook Web App client and the Exchange messaging infrastructure, using Basic authentication with Outlook Anywhere is supported. For more information, see Configure Authentication for Outlook Anywhere.
ISA Server 2006 supports using Integrated Windows authentication for Outlook Anywhere. However, if you're using a firewall that doesn't handle Integrated Windows authentication, you must use Basic authentication with SSL. For more information, see Configure Authentication for Outlook Anywhere.
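The authentication choice described in this section, as an added Exchange Management Shell example that is not from the original article; it assumes an Exchange 2010 Client Access server named CAS01 (a placeholder) and the IIS WebAdministration module for the "Require SSL" check.

```powershell
# Added example (not from the original article): review and set the Outlook
# Anywhere authentication method from the Exchange Management Shell.
# Assumes an Exchange 2010 Client Access server; CAS01 is a placeholder name.

# 1. Show what the Autodiscover service currently hands to Outlook clients.
Get-OutlookAnywhere -Server CAS01 |
    Format-List Identity, ExternalHostname, ClientAuthenticationMethod,
                IISAuthenticationMethods, SSLOffloading

# 2. Basic authentication sends the user name and password in plain text, so
#    it is only acceptable when the /Rpc virtual directory requires SSL.
#    Confirm "Require SSL" is set in IIS before allowing Basic.
Import-Module WebAdministration
$sslFlags = (Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\Rpc' `
    -Filter 'system.webServer/security/access' -Name sslFlags).Value
if ("$sslFlags" -notmatch 'Ssl') {
    throw 'The Rpc virtual directory does not require SSL; fix that before enabling Basic.'
}

# 3. Choose the client method the firewall can pass: NTLM behind ISA Server
#    (or another firewall that handles Integrated Windows authentication),
#    Basic otherwise. Both IIS methods stay enabled because other applications
#    on the same virtual directory may need a different method.
$clientMethod = 'Ntlm'   # set to 'Basic' when the firewall cannot pass NTLM
Set-OutlookAnywhere -Identity 'CAS01\Rpc (Default Web Site)' `
    -ClientAuthenticationMethod $clientMethod `
    -IISAuthenticationMethods Basic, Ntlm `
    -SSLOffloading $false
```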