In many organizations, the Client Access Server is accessible from the Internet for Microsoft Office Outlook Anywhere, Microsoft Office Outlook Web Access, or Microsoft Exchange ActiveSync clients. Therefore, it is critical that you ensure that the Client Access server that faces the Internet is as secure as possible.
Securing Communications between Clients and Client Access Servers
To encrypt the network traffic between messaging clients and the Client Access server, you must secure the network traffic using Secure Sockets Layer (SSL). To configure the Client Access server to use SSL, complete the following steps.
- Obtain and install a server certificate on the Client Access server. Ensure that the certificate name exactly matches the server name that users will use to access the Client Access server. Ensure also that the certificate issued by a Certification Authority (CA) is trusted by all of the client computers and mobile devices that will be accessing the server.
- Configure the following Client Access server virtual directories in Internet Information Services (IIS) to require SSL.
- Enhanced Capability Port (ECP)
- Exchange Web Services (EWS)
- Offline Address Book (OAB)
- Outlook Web Application (OWA)
- Remote Procedure Call (RPC)
Configuring Secure Authentication
Exchange Server 2010 provides several authentication options to clients communicating with the Client Access server. If the server has multiple authentication options enabled, then it negotiates with the client to determine the most secure authentication method that both support.
Standard Authentication Options
The following standard authentication options are available on the Client Access server.
- Integrated Windows authentication. Integrated Windows authentication is the most secure standard authentication option. When you use Integrated Windows authentication and users log on with a domain account, users are not prompted for a user name or password. Instead, the server negotiates with the Windows security packages installed on the client computer to obtain the user name and password of the logged-on user. Unencrypted authentication information is not transferred across the network.
- Digest authentication. Digest authentication secures the password by transmitting it as a hash value over the network.
- Basic authentication. Basic authentication transmits passwords in clear text over the network. Therefore, you should always secure basic authentication by using SSL encryption. Basic authentication is the authentication option that is most widely supported by clients.
Forms-based authentication is enabled by default for Outlook Web App and for Exchange Control Panel.
Protecting the Client Access Server with an Application Layer Firewall
To provide an additional layer of security for network traffic and to protect the Client Access server, deploy an application-layer firewall or reverse proxy, such as Microsoft Internet Security and Acceleration (ISA) Server 2006 or Forefront Threat Management Gateway between the Internet and the Client Access server. Application layer firewalls provide the following benefits.
- You can configure the firewall as the endpoint for the client SSL connection. The firewall can decrypt the client traffic, apply application-layer filtering, and then re-encrypt the traffic before sending it to the Client Access server.
- You can offload SSL decryption to the firewall. If you do not require all connections on your internal network to be secure, you can configure the firewall to decrypt the SSL traffic but not re-encrypt it before sending the traffic to the Client Access server. This means that the Client Access server resources are not used to perform SSL decryption and encryption.
- If you use ISA Server 2006 or Forefront Threat Management Gateway as the application layer firewall, you can configure the firewall to pre-authenticate all client connections using forms-based authentication. This means that only authenticated connections will be allowed into the internal network.