Issue with Outlook Mobile Access and certificate authorities

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.

Outlook Mobile Access (OMA) is similar to Outlook Web Access (OWA) in that both are Web applications designed to allow employees to access a corporate Exchange Server deployment through a Web browser. The primary difference between the two is their intended use.

OWA is a full-featured Web application designed to look, feel and behave very similarly to Outlook 2003. OMA, on the other hand, offers a minimal user interface for accessing an Exchange organization via cell phone.

In spite of the vast differences in user interfaces and intended uses, OMA and OWA are nearly identical from an architectural standpoint. Both reside in virtual directories hosted by Internet Information Server (IIS). Likewise, they interact with the Exchange information store the same way; and both work in front-end or back-end configurations.

Despite all the similarities, companies need to approach OMA security differently than OWA.

Digital certificates and SSL encryption

OMA and OWA can both be configured to use SSL encryption, but there is a difference in the types of certificates that can be used for each.

When you associate a certificate with Outlook Web Access, you can use just about any type of SSL certificate. Neither Exchange Server nor IIS care where the certificate came from, as long as it's valid. When a user connects to an OWA server through the Internet, IIS uses the certificate you supply to encrypt the data that's flowing back and forth.

In a lab environment, Outlook Mobile Access works exactly the same way. You can associate any valid SSL certificate with OMA. Again, neither Exchange nor IIS care where the certificate came from. There is a catch though. While where you acquired the SSL certificate doesn't matter to Exchange Server, IIS, or even to the client for that matter, it does often matter to the user's cellular service provider.

To put it simply, you usually end up having to use a certificate from a well-known, third-party certificate authority rather than a certificate from your own enterprise certificate authority.

Certificates and cellular service providers

To make SSL encryption work over a cellular Internet connection, you have to use a certificate issued by a certificate authority that your cellular provider trusts. This might sound a little confusing at first. After all, you can use an internally-issued certificate for OWA; and there is no requirement that a user's ISP trust that certificate. So what makes OMA so special?

The requirement has to do with the way that cell phones connect to the Internet. Technically, you could use any Web browser to access OMA. If you issued an OMA certificate from your internal certificate authority, and then used a PC running Internet Explorer to access OMA, the connection would work. However, if you were to access the exact same configuration from a cell phone, it probably wouldn't work.

Many cell phones connect to the Internet by using the Wireless Transport Layer Security (WTLS) protocol across a Wireless Application Protocol (WAP) gateway. The cellular service provider's WAP gateway acts as a proxy that relays requests from the cell phone to the Internet.

Since the WAP gateway is acting as a proxy rather than your phone, it controls the session. So if you connect to a Web site that uses SSL encryption, it's the WAP gateway -- not the phone -- that has to trust the certificate.

The odds of your cellular service provider trusting a certificate from your own internal certificate authority are pretty much zero. So you'll have to get a certificate authority that your cellular service trusts.

Of course, every cellular company does things differently. Not all rely on the WTLS protocol or WAP gateways. Contact your cellular provider prior to assigning a certificate to the OMA Web site to find out what types of certificates will and won't work for your mobile users.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Reference Center: Exchange mobile and wireless tips and resources

---

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Outlook and Outlook Web Access Tips How to access SharePoint sites through Microsoft Outlook What makes Microsoft Outlook 2007's Search feature special? OWA won't load after applying Exchange 2007 SP1 security patch Minimize remote and mobile Outlook Web Access (OWA) security risks Uncovering Microsoft Outlook 2007's hidden diagnostic tools How Microsoft Office Communicator enhances Outlook 2007 functionality How to improve Outlook Web Access (OWA) security Alleviate Outlook Web Access (OWA) email attachment security issues Tool exports messages from Microsoft Outlook to Unix .EML file format DetachPipe: Outlook add-in tool saves and restores email attachments Exchange Server Administration Tips Exchange Server 2007 hardware planning for continuous replication Benefits of SAN-based storage in Microsoft Exchange Server 2007 How to generate HTML reports with the Exchange Management Shell (EMS) Hosted Exchange Server adoption to infiltrate the enterprise Using ActiveSync without a front-end Exchange server Use the Exchange Management Shell Set command to block senders Why boot an Exchange server from a storage area network (SAN)? How to test Exchange Management Shell commands Grant or deny permissions to access a user's Exchange 2007 mailbox Control query results with Exchange Management Shell's Format command Mobile Devices Configure a mobile device to receive POP3 email from Exchange Server Email sent to a PDA doesn't get saved in Exchange Server mailbox Synchronizing Apple iPhone email with Microsoft Exchange Server Use the free Windows Mobile emulator to test mobility on Exchange Using ActiveSync without a front-end Exchange server Why Exchange ActiveSync fails with NAT firewalls Is it time to upgrade users' Windows Mobile devices? Deploying ISA Server as a firewall for Exchange Server mobile devices Adjust your firewall to avoid Exchange 2007 Direct Push failures How to solve common ActiveSync error messages RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.