Issue with Outlook Mobile Access and certificate authorities
Please let others know how useful this tip is via the rating scale at the end of it. Do you
have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip
contest and you could win a prize.
Outlook Mobile Access (OMA) is similar to Outlook Web Access (OWA) in that both are Web
applications designed to allow employees to access a corporate Exchange Server deployment through a
Web browser. The primary difference between the two is their intended use.
OWA is a full-featured Web application designed to look, feel and behave very similarly to
Outlook 2003. OMA, on the other hand, offers a minimal user interface for accessing an Exchange
organization
When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by Exchange professionals today working with Exchange, Outlook and other related technologies.
Margie Semilof, Editorial Director
Premium Access
Register now for unlimited access to our premium content across our network of over 70 information Technology web sites.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States.
Privacy
Dig Deeper
-
People who read this also read...
This was first published in December 2005
via cell phone.
In spite of the vast differences in user interfaces and intended uses, OMA and OWA are nearly
identical from an architectural standpoint. Both reside in virtual directories hosted by Internet
Information Server (IIS). Likewise, they interact with the Exchange
information store the same way; and both work in front-end or back-end configurations.
Despite all the similarities, companies need to approach OMA security differently than OWA.
Digital certificates and SSL encryption
OMA and OWA can both be configured to use SSL
encryption, but there is a difference in the types of certificates that can be used for
each.
When you associate a certificate with Outlook Web Access, you can use just about any type of SSL
certificate. Neither Exchange Server nor IIS care where the certificate came from, as long as it's
valid. When a user connects to an OWA server through the Internet, IIS uses the certificate you
supply to encrypt the data that's flowing back and forth.
In a lab environment, Outlook Mobile Access works exactly the same way. You can associate any
valid SSL certificate with OMA. Again, neither Exchange nor IIS care where the certificate came
from. There is a catch though. While where you acquired the SSL certificate doesn't matter
to Exchange Server, IIS, or even to the client for that matter, it does often matter to the user's
cellular service provider.
To put it simply, you usually end up having to use a certificate from a well-known, third-party
certificate
authority rather than a certificate from your own enterprise certificate authority.
Certificates and cellular service providers
To make SSL encryption work over a cellular Internet connection, you have to use a certificate
issued by a certificate authority that your cellular provider trusts. This might sound a little
confusing at first. After all, you can use an internally-issued certificate for OWA; and there is
no requirement that a user's ISP trust that certificate. So what makes OMA so special?
The requirement has to do with the way that cell phones connect to the Internet. Technically,
you could use any Web browser to access OMA. If you issued an OMA certificate from your internal
certificate authority, and then used a PC running Internet Explorer to access OMA, the connection
would work. However, if you were to access the exact same configuration from a cell phone, it
probably wouldn't work.
Many cell phones connect to the Internet by using the Wireless
Transport Layer Security (WTLS) protocol across a Wireless Application Protocol
(WAP) gateway. The cellular service provider's WAP gateway acts as a proxy that relays requests
from the cell phone to the Internet.
Since the WAP gateway is acting as a proxy rather than your phone, it controls the session. So
if you connect to a Web site that uses SSL encryption, it's the WAP gateway -- not the phone --
that has to trust the certificate.
The odds of your cellular service provider trusting a certificate from your own internal
certificate authority are pretty much zero. So you'll have to get a certificate authority that your
cellular service trusts.
Of course, every cellular company does things differently. Not all rely on the WTLS protocol or
WAP gateways. Contact your cellular provider prior to assigning a certificate to the OMA Web site
to find out what types of certificates will and won't work for your mobile users.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his
work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of
hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he
has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other
technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
Do you have comments on this tip? Let
us know.
Related information from SearchExchange.com:
Disclaimer:
Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
