03-30-04 04:36 AM
We are running Exchange 2003 Enterprise on a Windows 2003 Enterprise Member Server in a Windows 2000 Active Directory Forest. We are simply one of many "independently" managed child domains and also manage our own Exchange box (which is part of the single Exchange Organization in the Forest). We have no hardware or software firewalls in place.
We only have 1 Exchange 2003 Server which holds our mailbox stores and provides web access (so it's a single box providing Front- and Back-end functions). We have configured the server for Forms-based Authentication. Is it even possible to do RPC over HTTPS with a single box?
Does anyone have definitive documentation about how "tight" we can make Exchange 2003 as far as SSL on the various Exchange virtual directories, and which levels of authentication we can tighten down on those virtual directories?
We've SSL'd (Thawte) the box, and have installed the certificate on SMTP (although not requiring it), IMAP (required), and every HTTP virtual directory - these as not required (Exadmin, exchange, ActiveSync, OMA, aspnet_client) and these set as required (Exchweb, Public, IISADMPWD).
Ideally we'd like to force SSL over every connection, especially wireless connectivity from Nokia WAP browsing phones, Motorola ActiveSync SmartPhones, Web browsers, etc.
Reading MS KB 822177, we were not able to require SSL on /exchange (we only had to uncheck the require SSL box and didn't have to create the extra virtual directory and such to make /OMA work over non-SSL connections - but we'd really like to force SSL on this but some of our phones must not "understand" the Thawte SSL cert as they receive an error when connecting SSL-wise.)
Any whitepaper references or experience from others who have already gone through this would be greatly appreciated. Thanks for any pointers and help.