Tip

Issue with Outlook Mobile Access and certificate authorities

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to our tip contest and you could

    Requires Free Membership to View

win a prize. 


Outlook Mobile Access (OMA) is similar to Outlook Web Access (OWA) in that both are Web applications designed to allow employees to access a corporate Exchange Server deployment through a Web browser. The primary difference between the two is their intended use.

OWA is a full-featured Web application designed to look, feel and behave very similarly to Outlook 2003. OMA, on the other hand, offers a minimal user interface for accessing an Exchange organization via cell phone.

In spite of the vast differences in user interfaces and intended uses, OMA and OWA are nearly identical from an architectural standpoint. Both reside in virtual directories hosted by Internet Information Server (IIS). Likewise, they interact with the Exchange information store the same way; and both work in front-end or back-end configurations.

Despite all the similarities, companies need to approach OMA security differently than OWA.

Digital certificates and SSL encryption

OMA and OWA can both be configured to use SSL encryption, but there is a difference in the types of certificates that can be used for each.

When you associate a certificate with Outlook Web Access, you can use just about any type of SSL certificate. Neither Exchange Server nor IIS care where the certificate came from, as long as it's valid. When a user connects to an OWA server through the Internet, IIS uses the certificate you supply to encrypt the data that's flowing back and forth.

In a lab environment, Outlook Mobile Access works exactly the same way. You can associate any valid SSL certificate with OMA. Again, neither Exchange nor IIS care where the certificate came from. There is a catch though. While where you acquired the SSL certificate doesn't matter to Exchange Server, IIS, or even to the client for that matter, it does often matter to the user's cellular service provider.

To put it simply, you usually end up having to use a certificate from a well-known, third-party certificate authority rather than a certificate from your own enterprise certificate authority.

Certificates and cellular service providers

To make SSL encryption work over a cellular Internet connection, you have to use a certificate issued by a certificate authority that your cellular provider trusts. This might sound a little confusing at first. After all, you can use an internally-issued certificate for OWA; and there is no requirement that a user's ISP trust that certificate. So what makes OMA so special?

The requirement has to do with the way that cell phones connect to the Internet. Technically, you could use any Web browser to access OMA. If you issued an OMA certificate from your internal certificate authority, and then used a PC running Internet Explorer to access OMA, the connection would work. However, if you were to access the exact same configuration from a cell phone, it probably wouldn't work.

Many cell phones connect to the Internet by using the Wireless Transport Layer Security (WTLS) protocol across a Wireless Application Protocol (WAP) gateway. The cellular service provider's WAP gateway acts as a proxy that relays requests from the cell phone to the Internet.

Since the WAP gateway is acting as a proxy rather than your phone, it controls the session. So if you connect to a Web site that uses SSL encryption, it's the WAP gateway -- not the phone -- that has to trust the certificate.

The odds of your cellular service provider trusting a certificate from your own internal certificate authority are pretty much zero. So you'll have to get a certificate authority that your cellular service trusts.

Of course, every cellular company does things differently. Not all rely on the WTLS protocol or WAP gateways. Contact your cellular provider prior to assigning a certificate to the OMA Web site to find out what types of certificates will and won't work for your mobile users.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

 


Do you have comments on this tip? Let us know.


Related information from SearchExchange.com:

 

This was first published in December 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.