Issue with Outlook Mobile Access and certificate authorities

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could win a prize.

Outlook Mobile Access (OMA) is similar to Outlook Web Access (OWA) in that both are Web applications designed to allow employees to access a corporate Exchange Server deployment through a Web browser. The primary difference between the two is their intended use.

OWA is a full-featured Web application designed to look, feel and behave very similarly to Outlook 2003. OMA, on the other hand, offers a minimal user interface for accessing an Exchange organization via cell phone.

In spite of the vast differences in user interfaces and intended uses, OMA and OWA are nearly identical from an architectural standpoint. Both reside in virtual directories hosted by Internet Information Server (IIS). Likewise, they interact with the Exchange information store the same way; and both work in front-end or back-end configurations.

Despite all the similarities, companies need to approach OMA security differently than OWA.

Digital certificates and SSL encryption

OMA and OWA can both be configured to use SSL encryption, but there is a difference in the types of certificates that can be used for each.

When you associate a certificate with Outlook Web Access, you can use just about any type of SSL certificate. Neither Exchange Server nor IIS care where the certificate came from, as long as it's valid. When a user connects to an OWA server through the Internet, IIS uses the certificate you supply to encrypt the data that's flowing back and forth.

In a lab environment, Outlook Mobile Access works exactly the same way. You can associate any valid SSL certificate with OMA. Again, neither Exchange nor IIS care where the certificate came from. There is a catch though. While where you acquired the SSL certificate doesn't matter to Exchange Server, IIS, or even to the client for that matter, it does often matter to the user's cellular service provider.

To put it simply, you usually end up having to use a certificate from a well-known, third-party certificate authority rather than a certificate from your own enterprise certificate authority.

Certificates and cellular service providers

To make SSL encryption work over a cellular Internet connection, you have to use a certificate issued by a certificate authority that your cellular provider trusts. This might sound a little confusing at first. After all, you can use an internally-issued certificate for OWA; and there is no requirement that a user's ISP trust that certificate. So what makes OMA so special?

The requirement has to do with the way that cell phones connect to the Internet. Technically, you could use any Web browser to access OMA. If you issued an OMA certificate from your internal certificate authority, and then used a PC running Internet Explorer to access OMA, the connection would work. However, if you were to access the exact same configuration from a cell phone, it probably wouldn't work.

Many cell phones connect to the Internet by using the Wireless Transport Layer Security (WTLS) protocol across a Wireless Application Protocol (WAP) gateway. The cellular service provider's WAP gateway acts as a proxy that relays requests from the cell phone to the Internet.

Since the WAP gateway is acting as a proxy rather than your phone, it controls the session. So if you connect to a Web site that uses SSL encryption, it's the WAP gateway -- not the phone -- that has to trust the certificate.

The odds of your cellular service provider trusting a certificate from your own internal certificate authority are pretty much zero. So you'll have to get a certificate authority that your cellular service trusts.

Of course, every cellular company does things differently. Not all rely on the WTLS protocol or WAP gateways. Contact your cellular provider prior to assigning a certificate to the OMA Web site to find out what types of certificates will and won't work for your mobile users.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Reference Center: Exchange mobile and wireless tips and resources

---

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Outlook and Outlook Web Access Tips OWA 2007 configuration tricks to boost performance Pros and cons of Outlook 2007's storage engine redesign Lock down direct file access and protect OWA users Simplify an OWA URL on Windows Server 2008 Windows Mobile 6.5 touts Internet Explorer, OWA improvements Custom error message redirects OWA users When OWA's default configurations aren't good enough Save time typing Outlook 2007 messages with Quick Parts Troubleshoot Microsoft Outlook Web Access problems Control Outlook 2007 in cached mode settings with group policies Exchange Server Administration Tips Is your Exchange 2007 hub transport server healthy? Avoid Outlook 2007 performance issues during repairs Developing an Exchange 2007 server role DR plan How DSAccess service improves Exchange Server 2007 reliability An introduction to the Exchange Remote Connectivity Analyzer tool Monitor Exchange 2007 with disk- and RPC-related counters DPM 2007 replica inconsistencies in Exchange databases Track Exchange 2007 mailbox server health using database counters Digging deeper into Exchange Server 2010 Exchange admins: Is it time to rethink your email address policy? Mobile Devices Top 5 Exchange ActiveSync tips Windows Mobile 6.5 touts Internet Explorer, OWA improvements Windows Mobile 6.5 touts ActiveSync and Outlook Mobile improvements What are your options for sending text messages from Outlook 2007? Using Mobile Device Manager 2008 server roles in Exchange 2007 Understanding Exchange Server 2007 SP1 mobile security settings Synchronized Exchange mobile device showing deleted appointment Which ActiveSync authentication method is best for your mobile device? Disable ActiveSync in bulk with Exchange Management Shell commands Configuring ActiveSync authentication in Exchange Server 2007 RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.