Encryption of Outlook Web Access (OWA) and Exchange ActiveSync traffic is not enabled by default. It requires an SSL certificate on your OWA server, and Exchange does not include one. In this tip, I explain step by step how to set up Windows Server 2003 as an enterprise certificate authority, obtain an SSL certificate from it, and configure OWA, Exchange ActiveSync and Windows Mobile devices to use it.
Creating an enterprise certificate authority on Windows Server 2003
SSL certificates from third-party certificate authorities such as VeriSign and Thawte are generally preferable, because Windows and most mobile devices already trust those authorities and no extra client configuration is needed. Third-party certificates can be expensive, however, so some administrators prefer to issue their own certificates from an in-house certificate authority.
To issue your own certificate, you need an enterprise certificate authority. Windows Server 2003 can be configured as one, but the server that hosts it must be kept especially secure, and the Exchange server itself should never be the certificate authority: a mail server accepts connections from far more clients, and far more untrusted ones, than a certificate authority should.
The certificate configuration itself is simple, but creating an enterprise certificate authority is a serious commitment. Every computer that trusts the CA will accept any certificate it issues, so anyone who compromises the CA or copies its private key can issue certificates for any name and impersonate your organization's servers and users. Use a dedicated server, keep it patched and locked down, and routinely take full backups of the certificate authority, including its keys and database, protected as carefully as the CA itself.
To configure Windows Server 2003 to act as an enterprise certificate authority:
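Before you add the Certificate Services component, a CAPolicy.inf file in the Windows directory controls how the root CA's own certificate is issued; without one you get the defaults. The following cmd script is an added example, not part of the original tip: it writes a CAPolicy.inf with conservative settings (2048-bit key, 10-year validity, weekly CRL, no default templates published, no CDP/AIA URLs in the root certificate). The values are suggestions to adjust to your own policy, and the file must exist before Certificate Services is installed, because it is read only at install and renewal time.

```batch
@echo off
REM Added example (not from the original tip): write %windir%\CAPolicy.inf
REM before installing Certificate Services on the future root CA.
REM The settings below are suggestions; adjust them to your policy.
(
echo [Version]
echo Signature="$Windows NT$"
echo.
echo [Certsrv_Server]
REM Key length and validity of the CA's own certificate (also used at renewal).
echo RenewalKeyLength=2048
echo RenewalValidityPeriod=Years
echo RenewalValidityPeriodUnits=10
REM Publish a fresh CRL weekly so revoked server certificates stop being trusted.
echo CRLPeriod=Weeks
echo CRLPeriodUnits=1
REM Enterprise CA only: do not publish every default template at install time;
REM add the templates you actually need (e.g. Web Server) afterwards.
echo LoadDefaultTemplates=0
echo.
REM A root certificate should carry no CRL or AIA URLs: clients never
REM check revocation of a trust anchor, and dangling URLs only cause delays.
echo [CRLDistributionPoint]
echo Empty=True
echo.
echo [AuthorityInformationAccess]
echo Empty=True
) > %windir%\CAPolicy.inf

REM Show what will be used when the Certificate Services component is added.
type %windir%\CAPolicy.inf
```

After the file is in place, add Certificate Services through Add/Remove Windows Components and choose the enterprise root CA type; the installer picks the file up automatically. If your build ignores LoadDefaultTemplates, remove the templates you do not need from the Certificate Templates node of the Certification Authority console once installation finishes.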
Requesting an SSL certificate
Now you need to associate a certificate with your client access server:
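The same request can be made from the command line with certreq instead of the IIS certificate wizard, which makes the key size, key usage and subject alternative names explicit. The script below is an added example, not part of the original tip; the host names, the organization and the CA name (computer\CA display name) are placeholders to replace with your own, and it is run on the client access server so the private key is generated in that machine's store.

```batch
@echo off
REM Added example (not from the original tip): request a web-server
REM certificate for the client access server from the enterprise CA.
REM Run on the client access server. All names below are placeholders.
set CAS_FQDN=mail.example.com
set EXTRA_NAME=autodiscover.example.com
set CA_CONFIG=CA01.example.com\Example Enterprise CA

(
echo [NewRequest]
echo Subject = "CN=%CAS_FQDN%, O=Example, C=US"
REM KeySpec 1 = exchange key; SChannel provider so IIS can use the key.
echo KeySpec = 1
echo KeyLength = 2048
REM Exportable lets you back up the key; set FALSE if you never need to move it.
echo Exportable = TRUE
echo MachineKeySet = TRUE
echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
echo ProviderType = 12
echo RequestType = PKCS10
REM 0xa0 = digitalSignature + keyEncipherment, all an SSL server needs.
echo KeyUsage = 0xa0
echo.
REM Server Authentication only; do not ask for broader usages.
echo [EnhancedKeyUsageExtension]
echo OID = 1.3.6.1.5.5.7.3.1
echo.
REM Subject alternative names for every host name clients will type.
echo [Extensions]
echo 2.5.29.17 = "{text}dns=%CAS_FQDN%&dns=%EXTRA_NAME%"
echo.
REM Enterprise CA: the request must name a template. WebServer lets the
REM subject be supplied in the request, which is what we want here.
echo [RequestAttributes]
echo CertificateTemplate = WebServer
) > %TEMP%\cas.inf

REM Generate the key pair and the PKCS#10 request, submit it, and install
REM the issued certificate into the local machine's Personal store.
certreq -new %TEMP%\cas.inf %TEMP%\cas.req
certreq -submit -config "%CA_CONFIG%" %TEMP%\cas.req %TEMP%\cas.cer
certreq -accept %TEMP%\cas.cer

REM Confirm the certificate chains to the enterprise root and is not revoked.
certutil -verify %TEMP%\cas.cer
```

Once certreq -accept has installed the certificate, assign it to the web site in IIS Manager (Default Web Site, Properties, Directory Security, Server Certificate, "Assign an existing certificate"). If the issued certificate lacks the subject alternative names, check the template's subject-name settings rather than enabling the CA's EDITF_ATTRIBUTESUBJECTALTNAME2 flag: that flag lets anyone with enrollment rights request a certificate for any name, which defeats the purpose of running your own CA.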
Setting up SSL encryption on OWA and Exchange ActiveSync
Even if your client access server has an SSL certificate installed, SSL is not automatically required for OWA or Exchange ActiveSync traffic; clients can still connect over plain HTTP. You can, however, force OWA and ActiveSync to require SSL encryption:
OWA and Exchange ActiveSync are now configured to require SSL encryption.
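The same setting can be applied and audited from the command line with adsutil.vbs, which is useful when several client access servers must be configured identically. The script below is an added example, not part of the original tip: it sets the IIS 6 AccessSSL and AccessSSL128 flags on the Exchange virtual directories of the Default Web Site (metabase path w3svc/1) and reads them back. The virtual directory list is an assumption that depends on your Exchange version (for example /owa exists only on Exchange 2007, and Exchange 2003 adds /OMA), so edit it to match what IIS Manager shows.

```batch
@echo off
REM Added example (not from the original tip): require SSL, with 128-bit
REM ciphers, on the Exchange virtual directories of the Default Web Site.
REM Edit VDIRS to match the virtual directories present on your server.
set ADSUTIL=cscript //nologo %systemdrive%\inetpub\adminscripts\adsutil.vbs
set VDIRS=exchange exchweb public Microsoft-Server-ActiveSync

REM AccessSSL makes IIS answer plain-HTTP requests with 403.4 (SSL required);
REM AccessSSL128 additionally rejects weak export-grade cipher suites.
for %%V in (%VDIRS%) do (
  %ADSUTIL% set w3svc/1/root/%%V/AccessSSL true
  %ADSUTIL% set w3svc/1/root/%%V/AccessSSL128 true
)

REM Read the settings back; every directory should report (BOOLEAN) True.
for %%V in (%VDIRS%) do (
  echo --- %%V
  %ADSUTIL% get w3svc/1/root/%%V/AccessSSL
  %ADSUTIL% get w3svc/1/root/%%V/AccessSSL128
)
```

To confirm the change from a client, browse to http://your-server/Microsoft-Server-ActiveSync: IIS should now return "403.4 Forbidden: SSL required" instead of an authentication prompt. One caveat for Exchange 2003 without a front-end server: requiring SSL on /exchange breaks ActiveSync there, because the ActiveSync virtual directory calls /exchange over plain HTTP on the same machine; Microsoft's documented workaround is a separate exchange-oma virtual directory that does not require SSL.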
Configuring Windows Mobile devices to trust a certificate
Whether you use a third-party or an in-house SSL certificate, your Windows Mobile devices must trust the certificate authority that issued it. Otherwise, Exchange ActiveSync will generate the following error message on the mobile device:
The security certificate on the server is invalid. Contact your Exchange Server administrator or ISP to install a valid certificate on the server.
Configuring a desktop or laptop to trust the SSL certificate is simple. You just add the enterprise root certificate authority that issued the certificate to the machine's Trusted Root Certification Authorities store. In many cases you do not even have to do that: domain-joined computers receive the enterprise root automatically through Active Directory, and Windows ships with the roots of many third-party certificate authorities already trusted.
Windows Mobile handles things differently. If you want your Windows Mobile devices to trust the security certificate, you have to export the enterprise root certificate (not the server's own certificate) to a .CER file, copy that file to the mobile device and import it there. If the certificate was issued through an intermediate CA, as many third-party certificates are, the device must trust the whole chain, so import the intermediate CA certificate as well.
To export the root certificate:
Now that you have exported the root certificate, copy it to the Windows Mobile device. If the device is cradled, you can drag and drop the .CER file onto it in Windows Explorer.
If cradling the device isn't an option, place the file on a storage card and insert the card into the device. Depending on how the devices are configured, you might even be able to email the file to them, although teaching users to install root certificates that arrive by email is a habit attackers can exploit, so prefer the cradle or the card.
Once you have copied the file to the Windows Mobile device:
The Windows Mobile device should now trust your SSL security certificate.
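The export, sanity check and copy can also be scripted with certutil, which is handy when many devices need the same file. The script below is an added example, not part of the original tip: it retrieves the enterprise root CA certificate in the DER (binary) .CER form that the Windows Mobile Certificates applet imports, checks that it really is the root, optionally adds it to the desktop's own trusted root store as the desktop-side equivalent of the device import, and copies it to a storage card. The CA name (computer\CA display name) and the card's drive letter are placeholders to replace.

```batch
@echo off
REM Added example (not from the original tip): export the enterprise root
REM CA certificate to a .CER file for Windows Mobile devices.
REM CA_CONFIG and CARD are placeholders; run from any domain member.
set CA_CONFIG=CA01.example.com\Example Enterprise CA
set CARD=E:

REM -ca.cert writes the CA's own certificate in binary DER form, which is
REM exactly what the device's Certificates applet imports from a .CER file.
certutil -config "%CA_CONFIG%" -ca.cert rootca.cer
if errorlevel 1 (
  echo Could not retrieve the CA certificate; check CA_CONFIG.
  exit /b 1
)

REM A root certificate is self-issued: the Issuer and Subject names printed
REM here must match. If they differ you have exported a subordinate CA or
REM server certificate instead, and the device will still reject the chain.
certutil -dump rootca.cer | findstr /C:"Issuer:" /C:"Subject:" /C:"CN="

REM Optional: trust the root on this desktop too (machine store needs an
REM administrator; use "-addstore -user Root" for the current user only).
certutil -addstore Root rootca.cer

REM Copy to the storage card, then import it on the device from the
REM card's root directory.
copy rootca.cer %CARD%\
```

If you also distribute an intermediate CA certificate, export it the same way from the intermediate CA (or with certutil -dump on the server certificate to find its issuer) and copy both files; the device needs every link of the chain between the server certificate and a root it trusts.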
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
MEMBER FEEDBACK TO THIS EMAIL ENCRYPTION TIP
I went through all the steps that you described for installing an SSL security certificate on my Windows Mobile device, but then I got the same error message that you mention in your article. I am using a certificate from Go Daddy, and it works fine via the Web. Are there any other causes for this issue?
Tony C.
******************************************
I don't know of any other causes, but that's not to say that there aren't any. You may want to do a Web search on the error message, or contact Go Daddy and see if they have any advice. I wish I could be of more help, but I just don't know anything else to tell you.
Brien Posey, tip author