Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-06-26
This topic explains how to use Internet Information Services (IIS) Manager and the Exchange Management Shell to configure the virtual directory to use Secure Sockets Layer (SSL) for an offline address book (OAB). By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, a virtual directory named OAB is created on the default IIS Web site on the Exchange server.
When SSL is enabled, both SSL and unencrypted requests to the OAB virtual directory are allowed. You can disallow unencrypted requests by performing the procedures that are detailed later in this topic.
Before You Begin
To perform the following procedures, the account you use must be delegated the following:
- Exchange Organization Administrator role
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Also, before you perform these procedures, be aware of the following:
- To learn more about the various security and authentication related options that are available for Exchange 2007, we recommend that you first read Managing Client Access Security.
- The default self-signed certificate that is available in Exchange 2007 Setup will not work with Microsoft Office Outlook 2007 clients that are using OABs. Instead, you must use a valid SSL certificate that is created by a certification authority (CA) that is trusted by the client computer's operating system. For more information about how to install a valid SSL certificate from a CA that the client trusts, see How to Obtain a Server Certificate from a Certification Authority.
- After you obtain a valid SSL certificate to use with the Client Access server on the OAB default Web site or on the Web site where you host your OAB virtual directory, you should test SSL connectivity by issuing an HTTPS request. Using your browser, type the following URL in the address bar: https://<server name>/. The request should return your server's home page.
You can configure the Web site to require SSL. You can also enable SSL for one or more Web sites that are hosted by the Client Access server. For more information, see Managing Client Access Security.
Procedure
To use Internet Information Services Manager to set up the default Web site for OAB to require SSL
- Click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In the console tree of Internet Information Services (IIS) Manager, expand the Client Access server on which you are going to configure IIS.
- Expand Web Sites, and then expand Default Web Site.
- Right-click OAB, and then click Properties.
- In OAB Properties, click the Directory Security tab.
- Under Secure Communications, click Edit.
- In Secure Communications, select the Require secure channel (SSL) and the Require 128-bit encryption check boxes, and then click OK to save your change.
- Click OK to close OAB Properties.
To use the Exchange Management Shell to set up the OAB virtual directory to require SSL verification and to use an SSL-enabled (HTTPS) external Web site
- Run the following command:
Set-OABVirtualDirectory -Identity <VirtualDirectoryIdParameter> -RequireSSL <$true> -ExternalURL <URL>
For example, to require SSL for the OAB default Web site with an external URL for the Contoso company, run the following command:
Set-OABVirtualDirectory -Identity "OAB (Default Web Site)" -RequireSSL $true -ExternalURL "https://exchange.contoso.com/oab"
For detailed syntax and parameter information, see the Set-OABVirtualDirectory reference topic.
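The following read-only check is an added example, not part of the original topic: it reads the RequireSSL and ExternalUrl values back with Get-OABVirtualDirectory and sends one unencrypted request to each OAB virtual directory to confirm that plain HTTP is no longer served. The function name Get-PlainHttpStatus, the /oab/ path on port 80, and the use of PowerShell 2.0 or later are assumptions.

```powershell
# Added example. Assumes the Exchange Management Shell on PowerShell 2.0 or later (try/catch).
function Get-PlainHttpStatus {
    param([string]$HostName, [string]$Path = "/oab/")   # /oab/ is the assumed virtual directory path
    # Send one anonymous request over plain HTTP and do not follow redirects,
    # so the status code shows what the server does with an unencrypted request.
    $req = [System.Net.WebRequest]::Create("http://$HostName$Path")
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # PowerShell may wrap the WebException; walk the chain to find it.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { return [int]$ex.Response.StatusCode }
        return $null   # no HTTP answer at all (port 80 closed, name not resolved, timeout)
    }
}

Get-OABVirtualDirectory | ForEach-Object {
    $ext = $_.ExternalUrl   # assumed to be a System.Uri, or empty when no external URL is set
    # Probe the host in the external URL if one is set, otherwise the Client Access server.
    if ($ext) { $probeHost = $ext.Host } else { $probeHost = "$($_.Server)" }
    $status = Get-PlainHttpStatus -HostName $probeHost

    if (-not $_.RequireSSL) { $verdict = "FAIL: RequireSSL is not set" }
    elseif ($ext -and $ext.Scheme -ne "https") { $verdict = "FAIL: ExternalUrl is not an HTTPS URL" }
    elseif ($status -eq 200 -or $status -eq 401) { $verdict = "FAIL: plain HTTP is still served" }
    elseif ($status -eq 403) { $verdict = "OK: plain HTTP refused (IIS returns 403.4 when SSL is required)" }
    else { $verdict = "CHECK: unexpected or missing HTTP answer" }

    New-Object PSObject -Property @{
        Identity    = "$($_.Identity)"
        RequireSSL  = $_.RequireSSL
        ExternalUrl = "$ext"
        HttpStatus  = $status
        Verdict     = $verdict
    }
} | Format-List Identity, RequireSSL, ExternalUrl, HttpStatus, Verdict
```

A 401 over plain HTTP counts as a failure because it means IIS reached the authentication stage for an unencrypted request instead of rejecting the channel.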
For More Information
To learn more about OABs, see Understanding Offline Address Books.
For more information about managing OABs, see the following topics:
For more information about the OAB virtual directory, see How to Create an Offline Address Book Virtual Directory.