EAS SSL Encryption and server authentication
June 25, 2014
To help protect outgoing and incoming data, you can deploy SSL to encrypt all Exchange Server traffic. You can configure SSL security features on an Exchange server to help prevent Internet-based server spoofing attacks and other types of attacks. The Exchange server, just like any web server, requires a valid server certificate to establish SSL communications.
By default, when the Client Access Server role is installed, Exchange ActiveSync is configured to use either Basic authentication or Certificate-Based authentication (CBA) with Secure Sockets Layer (SSL).
Exchange ActiveSync runs on a computer with Exchange that has the Client Access server role installed. This server role is installed with a default self-signed digital certificate. Although the self-signed certificate is supported for Exchange ActiveSync, it isn't the most secure method of authentication. For additional security, consider deploying a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) certification authority.
It is possible to save a digital certificate to a file and install a digital certificate on a Windows Phone. A digital certificate might need to be installed on the Windows Phone device if Exchange ActiveSync is required to use Secure Sockets Layer (SSL) and your organization uses a certificate that isn't from a trusted commercial certification authority (CA).
For more information about using SSL for server authentication, see Configuring SSL and Exchange ActiveSync in the TechNet Exchange Server content library.