Exchange Server Administration - Exchange 2003, OWA, OMA, ActiveSync & SSL

Author

Exchange 2003, OWA, OMA, ActiveSync & SSL

Research University

2004-03-29, 11:36 pm

We are running Exchange 2003 Enterprise on a Windows 2003 Enterprise Member Server in a Windows 2000 Active Directory Forest. We are simply one of many "independently" manages child domains and also manage our own Exchange box (which is part of the singl
e Exchange Organization in the Forest). We have no hardware or software firewalls in place.

We only have 1 Exchange 2003 Server which holds our mailbox stores and provides web access (so it's a single box providing Front- and Back-end functions). We have configured the server for Forms-based Authentication. Is it even possible to do RPC over H
TTPS with a single box?

Does anyone have definitive documentation about how "tight" we can make Exchange 2003 as far as SSL on the various Exchange virtual directories, and which levels of authentication we can tighten down on those virtual directories?

We've SSL'd (Thawte) the box, and have installed the certificate on SMTP (although not requiring it), IMAP (required), and every HTTP virtual directory - these as not required (Exadmin, exchange, ActiveSync, OMA, aspnet_client) and these set as required (
Exchweb, Public, IISADMPWD).

Ideally we'd like to force SSL over every connection, especially wireless connectivity from nokia WAP browsing phones, motorola ActiveSync SmartPhones, Web browsers, etc.

Reading MS KB 822177, we were not able to require SSL on /exchange (we only had to uncheck the require SSL box and didn’t have to create the extra virtual directory and such to make /OMA work over non-SSL connections - but we'd really like to force SSL
on this but some of our phone must not "understand" the Thawte SSL cert as they receive an error when connection SSL-wise.)

Any whitepaper references or experience from others who have already gone through this would be greatly appreciated. Thanks for any pointers and help.