Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-18
Compared to earlier versions of Microsoft Exchange Server, Exchange Server 2007 provides additional administrative functionality and other enhancements that improve the overall management of Transport Layer Security (TLS). As you work with this new functionality, you should understand some new TLS-related features and functionality. Some terms and concepts apply to more than one TLS-related feature. In this topic, the brief explanation of each feature is intended to help you understand some differences and general terminology related to TLS and the Domain Security feature set.
- Transport Layer Security: TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.
- Mutual TLS: TLS with mutual authentication differs from TLS as it is usually deployed. Typically, when TLS is deployed, it is used only to provide confidentiality in the form of encryption. No authentication occurs between the sender and receiver. In addition to this kind of deployment, sometimes when TLS is deployed, only the receiving server is authenticated. This deployment of TLS is typical of the HTTP implementation of TLS. This implementation, where only the receiving server is authenticated, is SSL.
With mutual TLS authentication, each server verifies the identity of the other server by validating a certificate that is provided by that other server. In this scenario, where messages are received from external domains over verified connections in an Exchange 2007 environment, Microsoft Office Outlook 2007 will display a Domain Secured icon.
- Domain Security: Domain Security is the set of features, such as certificate management, connector functionality, and Outlook client behavior, that enables mutual TLS as a manageable and useful technology.
- Opportunistic TLS: In earlier versions of Exchange Server, you had to configure TLS manually. In addition, you had to install a valid certificate, suitable for TLS usage, on the server running Exchange Server. In Exchange 2007, Setup creates a self-signed certificate. By default, TLS is enabled. This enables any sending system to encrypt the inbound Simple Mail Transfer Protocol (SMTP) session to Microsoft Exchange. By default, Exchange 2007 also tries TLS for all remote connections.
- Direct trust: By default, all traffic between Edge Transport servers and Hub Transport servers is authenticated and encrypted. Again, the underlying mechanism for authentication and encryption is mutual TLS. Instead of using X.509 validation, Exchange 2007 uses direct trust to authenticate the certificates. Direct trust means that the presence of the certificate in the Active Directory directory service or the Active Directory Application Mode (ADAM) directory service validates the certificate. Active Directory is considered a trusted storage mechanism. When direct trust is used, it doesn't matter if the certificate is self-signed or signed by a certification authority. When you subscribe an Edge Transport server to the Exchange organization, the Edge Subscription publishes the Edge Transport server certificate in Active Directory for the Hub Transport servers to validate. The Microsoft Exchange EdgeSync service updates ADAM with the set of Hub Transport server certificates for the Edge Transport server to validate.
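As an added example of how to check the settings behind the opportunistic TLS, direct trust and Domain Security terms above (this script is not part of the original topic; it assumes the Exchange Management Shell on an Exchange 2007 Hub or Edge Transport server), the following lists the certificates enabled for SMTP, which receive connectors offer opportunistic TLS, and the Domain Security configuration:

```powershell
# Added example, not from the Microsoft topic. Assumes the Exchange Management
# Shell on an Exchange 2007 transport server.

# Certificates enabled for SMTP. The Setup-created certificate is self-signed;
# IsSelfSigned and RootCAType show whether X.509 validation could succeed for
# a certificate, which direct trust between Edge and Hub does not depend on.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, IsSelfSigned, RootCAType, NotAfter, Subject -AutoSize

# Opportunistic TLS: a receive connector offers STARTTLS when Tls is one of its
# AuthMechanism values; RequireTLS turns that offer into a requirement.
Get-ReceiveConnector |
    Select-Object Identity, RequireTLS, DomainSecureEnabled,
        @{ Name = 'OffersStartTls'; Expression = { ("$($_.AuthMechanism)" -split ',\s*') -contains 'Tls' } } |
    Format-Table -AutoSize

# Domain Security (mutual TLS with external domains): the domain lists on the
# transport configuration, and the send connectors that have it enabled.
Get-TransportConfig | Format-List TLSReceiveDomainSecureList, TLSSendDomainSecureList
Get-SendConnector |
    Where-Object { $_.DomainSecureEnabled } |
    Format-Table Identity, RequireTLS, IgnoreSTARTTLS, Fqdn -AutoSize
```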