Configuring OAB to use SSL

    Question

  • Hello,

    I was wondering if the OAB virtual directory should be configured to use SSL? A lot of documents that I have seen have said not to enable SSL for the OAB. I was just wondering what everyone's thoughts are on this. I want to have clients connect via Outlook Anywhere, and it makes sense to me why OAB should be secured using SSL.

    I am running an Exchange 2007 environment. I have my internal URL configured as https://mail.mydomain.local/oab and external URL configured as https://mail.mydomain.com/oab

    Thanks

    Mike
    Saturday, January 23, 2010 6:08 AM

Answers

  • SSL is a good thing. :) It should be required for both internal and external access.

    • Marked as answer by Mike_NJ Saturday, January 23, 2010 6:28 PM
    Saturday, January 23, 2010 6:01 PM

All replies

  • Internal URL configured as https://mail.mydomain.local/oab
    External URL configured as https://mail.mydomain.com/oab  

    These are the default settings for Small Business Server 2008 as well, with self-signed certificates, to be precise:

    Internal URL: https://remote.mydomain.com/aob (through split DNS referring to https://remote.mydomain.local/aob)
    External URL: https://remote.mydomain.com/aob

    In SBS 2008, the OAB virtual directory is configured with Require SSL and Require 128-bit encryption. I think these are the most sensible settings.

    Microsoft's own recommendations are: "Although Web-based distribution is enabled by default and does not require further configuration, we recommend that you enable Secure Sockets Layer (SSL) for the OAB distribution point. For more information, see How to Require SSL for Offline Address Book Distribution."
    How to Modify Offline Address Book Virtual Directory Settings
    http://technet.microsoft.com/en-us/library/bb331969%28EXCHG.80%29.aspx


    Generally, you should at least configure the external URL to require SSL and 128-bit encryption and make sure no port 80/tcp is open to your Client Access Servers from the Internet. On most Exchange 2007 installations I've seen, though, the internal URL is configured with http://mail.mydomain.local/oab.

    Guess this is due to the fact that the default self-signed certificate that is available in Exchange 2007 Setup will not work with Microsoft Office Outlook 2007 clients that are using OABs. Unfortunately, this statement about "default self-signed certificate" has evolved to become: "the BITS client does not support self-signed certificates" in general. I've seen a lot of documentation stating this. For instance even the Exchange Team Blog is imprecise:

    Exchange 2007 Offline Address Book Web Distribution
    http://msexchangeteam.com/archive/2006/11/15/431502.aspx

    For a precise statement and also for how to configure require SSL, see
    Dgoldman's WebLog: How to Require SSL for Offline Address Book Distribution
    http://blogs.msdn.com/dgoldman/archive/2007/06/05/how-to-require-ssl-for-offline-address-book-distribution.aspx


    MCTS: Messaging | MCSE: S+M | Small Business Specialist

    • Proposed as answer by Andy DavidMVP Saturday, January 23, 2010 3:12 PM
    Saturday, January 23, 2010 9:15 AM
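
An added example, not part of the thread or of Microsoft's documentation: an Exchange Management Shell audit of the settings discussed in the reply above, listing every OAB virtual directory that does not require SSL or still publishes an http:// URL, followed by a dry-run fix. It assumes the Exchange 2007 `Get-OabVirtualDirectory` and `Set-OabVirtualDirectory` cmdlets; the variable names are illustrative.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# Step 1 is read-only. Step 2 only previews changes until -WhatIf is removed.

# Step 1: collect the SSL-relevant settings of every OAB virtual directory.
$audit = Get-OabVirtualDirectory | ForEach-Object {
    $internal = "$($_.InternalUrl)"   # empty string when the URL is not set
    $external = "$($_.ExternalUrl)"

    $issues = @()
    if (-not $_.RequireSSL)         { $issues += 'RequireSSL is False' }
    if ($internal -like 'http://*') { $issues += 'InternalUrl is plain HTTP' }
    if ($external -like 'http://*') { $issues += 'ExternalUrl is plain HTTP' }

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Identity    $_.Identity
    $row | Add-Member NoteProperty InternalUrl $internal
    $row | Add-Member NoteProperty ExternalUrl $external
    $row | Add-Member NoteProperty Issues      ([string]::Join('; ', $issues))
    $row
}

$audit | Format-Table -AutoSize -Wrap

# Step 2: preview the fix for each directory that has at least one issue.
foreach ($row in ($audit | Where-Object { $_.Issues })) {
    Set-OabVirtualDirectory -Identity $row.Identity -RequireSSL $true -WhatIf

    if ($row.InternalUrl -like 'http://*') {
        $https = $row.InternalUrl -replace '^http://', 'https://'
        Set-OabVirtualDirectory -Identity $row.Identity -InternalUrl $https -WhatIf
    }
    if ($row.ExternalUrl -like 'http://*') {
        $https = $row.ExternalUrl -replace '^http://', 'https://'
        Set-OabVirtualDirectory -Identity $row.Identity -ExternalUrl $https -WhatIf
    }
}

# Not handled here: the "Require 128-bit encryption" option is set in the
# IIS SSL settings of the virtual directory, and closing 80/tcp from the
# Internet is a firewall rule.
```

Before removing `-WhatIf`, confirm that the certificate bound to the site is one the Outlook clients trust and that it matches the host names in both URLs.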
  • Jon-Alfred,

    Thank you much for the reply. I appreciate all the links. Very helpful. I actually replaced the Self-Signed certificate with a UC Cert. Is there a drawback to enabling SSL for the internal website as well?
    Saturday, January 23, 2010 5:39 PM