Issue with Outlook Mobile Access and certificate authorities

If you're running Outlook Mobile Access for cellular phone users, beware of this potential problem with your certificate authority.

Outlook Mobile Access (OMA) is similar to Outlook Web Access (OWA) in that both are Web applications designed to allow employees to access a corporate Exchange Server deployment through a Web browser. The primary difference between the two is their intended use.

OWA is a full-featured Web application designed to look, feel and behave very similarly to Outlook 2003. OMA, on the other hand, offers a minimal user interface for accessing an Exchange organization via cell phone.

In spite of the vast differences in user interfaces and intended uses, OMA and OWA are nearly identical from an architectural standpoint. Both reside in virtual directories hosted by Internet Information Server (IIS). Likewise, they interact with the Exchange information store the same way; and both work in front-end or back-end configurations.

Despite all the similarities, companies need to approach OMA security differently than OWA.

Digital certificates and SSL encryption

OMA and OWA can both be configured to use SSL encryption, but there is a difference in the types of certificates that can be used for each.

When you associate a certificate with Outlook Web Access, you can use just about any type of SSL certificate. Neither Exchange Server nor IIS care where the certificate came from, as long as it's valid. When a user connects to an OWA server through the Internet, IIS uses the certificate you supply to encrypt the data that's flowing back and forth.

In a lab environment, Outlook Mobile Access works exactly the same way. You can associate any valid SSL certificate with OMA. Again, neither Exchange nor IIS care where the certificate came from. There is a catch though. While where you acquired the SSL certificate doesn't matter to Exchange Server, IIS, or even to the client for that matter, it does often matter to the user's cellular service provider.

To put it simply, you usually end up having to use a certificate from a well-known, third-party certificate authority rather than a certificate from your own enterprise certificate authority.

Certificates and cellular service providers

To make SSL encryption work over a cellular Internet connection, you have to use a certificate issued by a certificate authority that your cellular provider trusts. This might sound a little confusing at first. After all, you can use an internally-issued certificate for OWA; and there is no requirement that a user's ISP trust that certificate. So what makes OMA so special?

The requirement has to do with the way that cell phones connect to the Internet. Technically, you could use any Web browser to access OMA. If you issued an OMA certificate from your internal certificate authority, and then used a PC running Internet Explorer to access OMA, the connection would work. However, if you were to access the exact same configuration from a cell phone, it probably wouldn't work.

Many cell phones connect to the Internet by using the Wireless Transport Layer Security (WTLS) protocol across a Wireless Application Protocol (WAP) gateway. The cellular service provider's WAP gateway acts as a proxy that relays requests from the cell phone to the Internet.

Since the WAP gateway is acting as a proxy rather than your phone, it controls the session. So if you connect to a Web site that uses SSL encryption, it's the WAP gateway -- not the phone -- that has to trust the certificate.

The odds of your cellular service provider trusting a certificate from your own internal certificate authority are pretty much zero. So you'll have to get a certificate authority that your cellular service trusts.

Of course, every cellular company does things differently. Not all rely on the WTLS protocol or WAP gateways. Contact your cellular provider prior to assigning a certificate to the OMA Web site to find out what types of certificates will and won't work for your mobile users.

About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.

Do you have comments on this tip? Let us know.

Next Steps

Tip: What Exchange 2003 SP2 means for mobile messaging

Tip: Evaluating mobile messaging

Exchange Admin 101: Configuring OMA and ActiveSync

Reference Center: Exchange mobile and wireless tips and resources

This was first published in December 2005

Dig deeper on Mobile Devices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close