Understanding Security for Outlook Anywhere
Applies to: Exchange Server 2010
There are several methods available to help secure Outlook Anywhere (formerly known as RPC over HTTP). In a Microsoft Exchange Server 2010 messaging environment enabled for Outlook Anywhere, users can access Exchange from the Internet. When a user accesses their mailbox over the Internet using Outlook Anywhere, each time they create or update their Outlook profile, the Autodiscover service automatically detects their Outlook profile information and provides the user access to Exchange Web services including the Offline Address Book, the Availability service, and Unified Messaging. Because traffic on the Internet is vulnerable to interception and attack, consider a security strategy that involves as many security options as possible.
Looking for management tasks related to Outlook Anywhere? See Managing Outlook Anywhere.
Contents
Using an Advanced Firewall Server for Outlook Anywhere
Using SSL with Outlook Anywhere
Choosing an SSL Deployment Option for Outlook Anywhere
Using SSL Offloading for Outlook Anywhere
Configuring Authentication for Outlook Anywhere
Understanding Authentication for Outlook Anywhere and the /rpc Virtual Directory
Using an Advanced Firewall Server for Outlook Anywhere
Using an advanced firewall server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 improves security for your Outlook Anywhere deployment. ISA Server 2006 provides a setup wizard that lets you configure ISA Server 2006 for Exchange 2010 to work with Outlook Anywhere. For more information, see Using ISA Server with Outlook Anywhere.
Using SSL with Outlook Anywhere
When you use Outlook Anywhere to access Exchange information from the Internet, you must install a valid Secure Sockets Layer (SSL) certificate issued by a certification authority (CA) that's trusted by the client computer's operating system. For more information about how to use SSL certificates for client access, see Understanding Digital Certificates and SSL. For more information about how to use SSL with Outlook Anywhere, see Configure SSL for Outlook Anywhere.
For Outlook 2007 and Outlook 2010 clients that are located outside the organization, Outlook Anywhere provides connectivity to the Exchange organization. In this situation, Outlook 2007 or Outlook 2010 uses Domain Name System (DNS) to locate information about how to connect to the Autodiscover service. Because DNS is open to several kinds of malicious attacks, Outlook 2007 and Outlook 2010 request Autodiscover service information from only two URL combinations secured by SSL.
For an organization named www.contoso.com that has e-mail addresses that are derived from the main site name, for example, kwekua@contoso.com, the two URL combinations would be formed as follows:
- Outlook will first try the URL https://contoso.com/autodiscover/autodiscover.xml.
- If the previous URL cannot locate the Autodiscover service, Outlook will then try https://autodiscover.contoso.com/autodiscover/autodiscover.xml.
Return to top
Choosing an SSL Deployment Option for Outlook Anywhere
There are several ways to use Secure Sockets Layer (SSL) to help secure communication between Outlook 2007 and Outlook 2010 clients and the Autodiscover service. With Outlook Anywhere, Outlook clients query DNS for the Autodiscover service connection point. We recommend that you use the Subject Alternative Name field on your SSL certificate to help secure communication between clients and the Client Access server that's hosting the Autodiscover service. For more information about how to configure the Subject Alternative Name for an SSL certificate, see Configure SSL Certificates to Use Multiple Client Access Server Host Names.
Alternatively, you can use multiple SSL certificates. For more information, see Configure Outlook Anywhere to Use Multiple SSL Certificates.
Another option is to use an SSL certificate together with redirection. For more information, see Configure Outlook Anywhere to Use an SSL Certificate with Redirection.
Using SSL Offloading for Outlook Anywhere
If you have a hardware solution for offloading the SSL encryption for traffic that's destined for your Client Access server, you must configure SSL offloading for Outlook Anywhere. For more information, see Configure SSL Offloading for Outlook Anywhere.
Return to top
Configuring Authentication for Outlook Anywhere
When you use the Enable Outlook Anywhere wizard to configure your Client Access server to provide Outlook Anywhere access, you must select an authentication method for your Outlook clients to use. After you select an authentication method, you can change this method by using the Set-OutlookAnywhere cmdlet in the Exchange Management Shell.
Understanding Authentication for Outlook Anywhere and the RPC Virtual Directory
The authentication method you select for Outlook Anywhere is the authentication method that will be used by the Outlook 2007 or Outlook 2010 client. This authentication method is automatically provided to the client by the Autodiscover service. By default, in Exchange 2010, the RPC virtual directory is enabled for both Basic authentication and Integrated Windows authentication (formerly known as NTLM authentication). The authentication method on the RPC virtual directory can be modified by using the Set-OutlookAnywhere cmdlet to be either NTLM or Basic authentication. We recommend that you choose NTLM. For more information, see Configure Authentication for Outlook Anywhere.
Return to top
Basic Authentication and Outlook Anywhere
You can use Basic authentication with Outlook Anywhere. Basic authentication requires a user name and password, and then sends the user name and password over the Internet in plain text. As long as you use Secure Sockets Layer (SSL) to help secure the connection between the Microsoft Office Outlook Web App client and the Exchange messaging infrastructure, using Basic authentication with Outlook Anywhere is supported. For more information, see Configure Authentication for Outlook Anywhere.
Integrated Windows Authentication and Outlook Anywhere
ISA Server 2006 supports using Integrated Windows authentication for Outlook Anywhere. However, if you're using a firewall that doesn't handle Integrated Windows authentication, you must use Basic authentication with SSL. For more information, see Configure Authentication for Outlook Anywhere.
Return to top