I was wondering if the OAB virtual directory should be configured to use SSL? A lot of documents that I have seen have said not to enable SSL for the OAB. I was just wondering what everyone's thoughts are on this. I want to have clients connect via Outlook Anywhere, and it makes sense to me why OAB should be secured using SSL.
I am running an Exchange 2007 environment. I have my internal URL configured as https://mail.mydomain.local/oab and external URL configured as https://mail.mydomain.com/oab
Internal URL configured as https://mail.mydomain.local/oab
External URL configured as https://mail.mydomain.com/oab
These are the default settings for Small Business Server 2008 as well, with self-signed certificates, to be precise:
Internal URL: https://remote.mydomain.com/aob (through split DNS referring to https://remote.mydomain.local/aob)
External URL: https://remote.mydomain.com/aob
In SBS 2008, the OAB virtual directory is configured with Require SSL and Require 128-bit encryption. I think these are the most sensible settings.
Microsoft's own recommendations are: Although Web-based distribution is enabled by default and does not require further configuration, we recommend that you enable Secure Sockets Layer (SSL) for the OAB distribution point. For more information, see How to Require SSL for Offline Address Book Distribution.
How to Modify Offline Address Book Virtual Directory Settings
Generally, you should at least configure the external URL to require SSL and 128-bit encryption and make sure no port 80/tcp is open to your Client Access Servers from the Internet. On most Exchange 2007 installations I've seen, though, the internal URL is configured with http://mail.mydomain.local/oab.
Guess this is due to the fact that the default self-signed certificate that is available in Exchange 2007 Setup will not work with Microsoft Office Outlook 2007 clients that are using OABs. Unfortunately, this statement about "default self-signed certificate" has evolved to become: "the BITS client does not support self-signed certificates" in general. I've seen a lot of documentation stating this. For instance, even the Exchange Team Blog is imprecise:
Exchange 2007 Offline Address Book Web Distribution
For a precise statement and also for how to configure require SSL, see
Dgoldman's WebLog: How to Require SSL for Offline Address Book Distribution
MCTS: Messaging | MCSE: S+M | Small Business Specialist
- Proposed as answer by Andy D-MVP Saturday, January 23, 2010 3:12 PM
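An added example, not part of the original thread: one way to audit the settings discussed above from the Exchange 2007 Management Shell, listing OAB virtual directories that do not require SSL or still publish an http:// URL. It assumes the Get-OabVirtualDirectory and Set-OabVirtualDirectory cmdlets are loaded; the proposed changes run with -WhatIf, so nothing is modified until that switch is removed.

```powershell
# Added example: audit OAB distribution points for plain-HTTP exposure.
# Assumption: run in the Exchange 2007 Management Shell (PowerShell 1.0 syntax).

$findings = @()

foreach ($vdir in Get-OabVirtualDirectory) {
    # Cast to string so the checks also work when a URL is not set.
    $internal = "$($vdir.InternalUrl)"
    $external = "$($vdir.ExternalUrl)"
    $issues   = @()

    if (-not $vdir.RequireSSL)      { $issues += 'RequireSSL is False' }
    if ($internal -like 'http://*') { $issues += "InternalUrl is plain HTTP: $internal" }
    if ($external -like 'http://*') { $issues += "ExternalUrl is plain HTTP: $external" }

    if ($issues.Count -gt 0) {
        Write-Warning ("{0}\{1}: {2}" -f $vdir.Server, $vdir.Name, [string]::Join('; ', $issues))
        $findings += $vdir
    }
}

# Preview the corrections. As noted in the thread, the default self-signed
# certificate does not work for Outlook 2007 OAB downloads, so have a
# certificate the clients trust in place before removing -WhatIf.
foreach ($vdir in $findings) {
    if (-not $vdir.RequireSSL) {
        Set-OabVirtualDirectory -Identity $vdir.Identity -RequireSSL $true -WhatIf
    }
    if ("$($vdir.InternalUrl)" -like 'http://*') {
        $url = "$($vdir.InternalUrl)" -replace '^http://', 'https://'
        Set-OabVirtualDirectory -Identity $vdir.Identity -InternalUrl $url -WhatIf
    }
    if ("$($vdir.ExternalUrl)" -like 'http://*') {
        $url = "$($vdir.ExternalUrl)" -replace '^http://', 'https://'
        Set-OabVirtualDirectory -Identity $vdir.Identity -ExternalUrl $url -WhatIf
    }
}
```

The "Require 128-bit encryption" option mentioned above is set on the virtual directory in IIS and is not checked by this script.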