Configuring OAB to use SSL
Hello,

I was wondering if the OAB virtual directory should be configured to use SSL? A lot of documents that I have seen have said not to enable SSL for the OAB. I was just wondering what everyone's thoughts are on this. I want to have clients connect via Outlook Anywhere, and it makes sense to me why OAB should be secured using SSL.

I am running an Exchange 2007 environment. I have my internal URL configured as https://mail.mydomain.local/oab and external URL configured as https://mail.mydomain.com/oab

Thanks,
Mike
January 23rd, 2010 9:08am

Internal URL configured as https://mail.mydomain.local/oab
External URL configured as https://mail.mydomain.com/oab

These are the default settings for Small Business Server 2008 as well, with self-signed certificates, to be precise:

Internal URL: https://remote.mydomain.com/aob (through split DNS referring to https://remote.mydomain.local/aob)
External URL: https://remote.mydomain.com/aob

In SBS 2008, the OAB virtual directory is configured with Require SSL and Require 128-bit encryption. I think these are the most sensible settings.

Microsoft's own recommendations are:

"Although Web-based distribution is enabled by default and does not require further configuration, we recommend that you enable Secure Sockets Layer (SSL) for the OAB distribution point. For more information, see How to Require SSL for Offline Address Book Distribution."

How to Modify Offline Address Book Virtual Directory Settings
http://technet.microsoft.com/en-us/library/bb331969%28EXCHG.80%29.aspx

Generally, you should at least configure the external URL to require SSL and 128-bit encryption and make sure no port 80/tcp is open to your Client Access Servers from the Internet.

On most Exchange 2007 installations I've seen, though, the internal URL is configured with http://mail.mydomain.local/oab.

Guess this is due to the fact that the default self-signed certificate that is available in Exchange 2007 Setup will not work with Microsoft Office Outlook 2007 clients that are using OABs. Unfortunately, this statement about "default self-signed certificate" has evolved to become: "the BITS client does not support self-signed certificates" in general. I've seen a lot of documentation stating this.

For instance even the Exchange Team Blog is imprecise:

Exchange 2007 Offline Address Book Web Distribution
http://msexchangeteam.com/archive/2006/11/15/431502.aspx

For a precise statement and also for how to configure require SSL, see

Dgoldman's WebLog: How to Require SSL for Offline Address Book Distribution
http://blogs.msdn.com/dgoldman/archive/2007/06/05/how-to-require-ssl-for-offline-address-book-distribution.aspx

MCTS: Messaging | MCSE: S+M | Small Business Specialist
January 23rd, 2010 12:15pm
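
An added example, not part of any post in this thread: an Exchange Management Shell audit that flags OAB virtual directories still allowing plain HTTP, followed by the change discussed above as a dry run. The server name CAS01 is a hypothetical placeholder, the URLs are the ones from the question, and it assumes a certificate that Outlook clients trust is already installed.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2007 server.
# Step 1: report every OAB virtual directory and list what still permits HTTP.
$report = Get-OabVirtualDirectory | Select-Object Server, Name, RequireSSL,
    InternalUrl, ExternalUrl,
    @{ Name = 'Issues'; Expression = {
        $issues = @()
        if (-not $_.RequireSSL) { $issues += 'RequireSSL is off' }
        # A URL may be unset; only flag URLs that are present and not https.
        if ($_.InternalUrl -and $_.InternalUrl.Scheme -ne 'https') {
            $issues += 'InternalUrl is not https'
        }
        if ($_.ExternalUrl -and $_.ExternalUrl.Scheme -ne 'https') {
            $issues += 'ExternalUrl is not https'
        }
        $issues -join '; '
    } }

$report | Format-Table Server, Name, RequireSSL, Issues -AutoSize

# Step 2: preview the fix for one directory. CAS01 is a hypothetical server
# name; the URLs are those given in the original question.
# -WhatIf shows what would change without applying it; remove it to apply.
Set-OabVirtualDirectory -Identity 'CAS01\OAB (Default Web Site)' `
    -RequireSSL $true `
    -InternalUrl 'https://mail.mydomain.local/oab' `
    -ExternalUrl 'https://mail.mydomain.com/oab' `
    -WhatIf
```

An empty Issues column for every row means each directory requires SSL and publishes only https URLs.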

Jon-Alfred,

Thank you much for the reply. I appreciate all the links. Very helpful. I actually replaced the Self-Signed certificate with a UC Cert. Is there a drawback to enabling SSL for the internal website as well?
January 23rd, 2010 8:39pm

SSL is a good thing. :) It should be required for both internal and external access.
January 23rd, 2010 9:01pm

This topic is archived. No further replies will be accepted.
