Mobile Device Security and Exchange 2007


Topic Last Modified: 2008-01-23

Microsoft Exchange Server 2007 uses Secure Sockets Layer (SSL) for increased security between clients and the Exchange server. By default, Exchange ActiveSync, Office Outlook Web Access, and Outlook Anywhere use SSL. If you enable POP3 and IMAP4, you can configure SSL for those protocols also.

To use SSL with Exchange ActiveSync, you must have an SSL certificate on both the Client Access server and the mobile device that you want to use. Installing an SSL certificate on the Exchange 2007 computer that is running the Client Access server role is straightforward. However, installing an SSL certificate on the mobile device is a bit trickier, and not all devices support all kinds of certificates. In addition to using SSL to encrypt communications between the mobile device and the Client Access server, you can use a digital certificate for certificate-based authentication with Exchange ActiveSync. This article describes the steps that you must take to use an SSL certificate to increase security for Exchange ActiveSync communications between mobile devices and the Exchange server. This article also explains the difference between encryption that uses SSL and encryption that uses digital certificates for authentication.

There are two main uses for a digital certificate. The first is to encrypt the communications channel between the client and the server. The second is for authentication.

When a digital certificate is used to encrypt the communications channel between the client and the server, the public key from the server's certificate is used to encrypt the data before it is transmitted. When the client receives the data, the client's private key is used to decrypt the data.

Authentication is the process by which a client and a server verify their identities for transmitting data. In Exchange 2007, authentication is used to determine whether a user or client that wants to communicate with the Exchange server is who or what it says it is. You can use authentication to verify that a device belongs to a particular individual. By default, Exchange ActiveSync uses Basic authentication. However, you can change the authentication method to certificate-based authentication by changing the authentication method on the Exchange ActiveSync virtual directory. For more information about certificate-based authentication, see Choosing an Authentication Method for Your Exchange ActiveSync Server.

By default, when you install the Client Access server role on a computer that is running Exchange 2007, a virtual directory for Exchange ActiveSync is created on the default Internet Information Services (IIS) Web site on the Exchange server.

The Microsoft-Server-ActiveSync virtual directory is automatically configured to use SSL. We recommend that you do not change this setting. By default, a self-signed SSL certificate is installed on the Client Access server. However, Exchange ActiveSync cannot use this self-signed certificate to encrypt communications between a mobile device and the Exchange server. You must install and configure a Windows public key infrastructure (PKI)-based certificate or a trusted third-party certificate before you can use SSL with Exchange ActiveSync.

The only steps that you must take on the Client Access server for Exchange ActiveSync to use SSL are the steps that you must follow to install an SSL certificate on the server. These steps will vary slightly depending on whether you use a trusted third-party certificate or a Windows PKI certificate. For more information about how to configure a Windows PKI certificate or how to obtain a certificate from a trusted third-party, see Understanding SSL for Client Access Servers.

In addition to obtaining a Windows PKI certificate or a trusted third-party certificate, you must also configure your Exchange ActiveSync client devices to use SSL. Exchange ActiveSync does not support using a self-signed certificate to connect to Exchange 2007. A mobile device must be able to validate a digital certificate through its complete chain. A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate. This includes the end certificate, any intermediate Certification Authority certificates, and the root certificate. Every intermediate Certification Authority in the chain holds a certificate issued by the Certification Authority one level above it. A self-signed certificate cannot be validated through the complete chain.

Before you can use a Windows PKI certificate with Exchange ActiveSync, you must have a device that allows installation of a digital certificate in the personal certificate store of the device. Windows Mobile 6.0 devices support this. However, many other devices do not. To determine whether your device supports certificate installation, see the documentation for your device.

We recommend that you use a trusted third-party certificate for Exchange ActiveSync. Windows Mobile devices have several of the most common trusted third-party certificates preinstalled in the trusted root certificate store of the device. If a trusted third-party certificate is not preinstalled on the mobile device, you must determine whether your device supports certificate installation.

If you have to install a copy of the SSL certificate on your Windows Mobile device, use the following procedures.

To save a certificate to a file
  1. On the Client Access server, in IIS Manager, right-click the Default Web Site or the Microsoft-Server-ActiveSync virtual directory, and then click Properties.

  2. Click the Directory Security tab.

  3. Under Secure Communications, click View Certificate.

  4. In the Certificate dialog box, click the Details tab.

  5. Click Copy to File.

  6. In the Certificate Export Wizard, click Next.

  7. Select No, do not export the private key, and then click Next.

  8. Select DER encoded binary X.509 (.CER), and then click Next.

  9. Type a file name, click Next, and then click Finish.

After you have saved your certificate to a file, you can install it on your device. The procedure to use to install the certificate on your device depends on the operating system of your device. Choose the procedure that matches the operating system of your device.

To use the Windows Mobile Device Center to install a certificate on a Windows Mobile 5.0 or Windows Mobile 6.0 device
  1. Within the Windows Mobile Device Center, click File Management, and then click Browse the contents of your device.

  2. Drag the .cer file that was created in the previous procedure into a folder on the device.

  3. On the device, click Start, and then click File Explorer.

  4. Locate the folder that you selected in step 2.

  5. Open the .cer file and, when you are prompted, click Yes.

Many Windows Mobile 5.0 devices implement a security policy that prevents the installation of certificate files directly from a .cer file. If the previous procedure is not completed, use the following procedure.

Use the SmartPhoneAddCert tool to install a certificate on a Windows Mobile 5.0 device
  1. Download the SmartPhoneAddcert.exe tool.

    Some mobile operators provide a signed version of this tool. If a signed version is available for your device, download the signed version from the mobile operator.
  2. Run SmartPhoneAddCert.exe and extract the contents to a folder on your computer.

  3. Copy SmartPhoneAddCert.exe to your device through desktop ActiveSync or the Windows Mobile Device Center.

  4. On your device, create a folder named Storage.

  5. Copy the .cer file to the Storage folder on your device.

  6. Run SmartPhoneAddCert.exe. Select the .cer file that you copied to the Storage folder to install the certificate.

If you create a .cab file that includes the .cer file, you can also copy this .cab file to your device and run the .cab file to install the certificate.

For more information about how to configure your mobile device to synchronize with Exchange 2007, and for complete instructions for how to configure SSL for Windows Mobile devices, see the Windows Mobile Device Center.