You might have read or heard many times that it is important to secure your Microsoft Exchange Server with an SSL certificate, but do you really know the reason behind it? Don't worry: by the end of this article, you will not only learn about the importance of an Exchange Server certificate but also the basic steps to successfully install an SSL certificate on your MS Exchange server.
First, I would like to explain a scenario that shows the purpose of securing OWA:
Suppose you land on a phishing site where the attacker slowly takes your user name and password through your company emails. You should make a habit of changing your password very often. In most organizations we normally use only Outlook Web Access (OWA) as our main e-mail system. But we sometimes access our company OWA from outside, for example at an airport or a coffee shop. Internet connections like these are insecure and increase the chances of a MitM (man-in-the-middle) attack or other security threats. In this situation we need to secure the organization's OWA by disabling or locking it.
What do we do?
Client Access Server Certificates
Therefore, we need to set up a Client Access Server to isolate all incoming and outgoing mail. It supports Post Office Protocol V3 (POP3) and Internet Message Access Protocol V4 (IMAP4) for retrieving messages from mailboxes. A few additional services are also included, such as Outlook Web Access, ActiveSync, Autodiscover, and Outlook Anywhere.
What are all these?
These are the additional services offered by Microsoft Exchange Server, and they can be used as your requirements dictate. Here is a brief note about each of them.
Outlook Web Access – A web application that you use through a web browser, rather than Outlook 2010, to access your account.
ActiveSync – We all use mobile phones, and the Client Access Server allows mobile devices to synchronize Exchange mailbox contents. What a privilege! ActiveSync is enabled automatically when you install the Client Access server role. It syncs data to and from the devices you use to access your Outlook account.
Autodiscover – Some more rights for all of us. We all live in a mobile device world. Autodiscover permits Outlook or a mobile device to be configured automatically on the basis of a user's email address or logon credentials.
Outlook Anywhere – We are all busy people doing permanent or contract jobs. Most of us use a VPN or DirectAccess to access internal servers from outside (from a public or home network to the private company network). Outlook Anywhere therefore allows clients on the Internet to use Outlook to access internal Exchange resources.
What a lot of terminology!
We need to harden our organization's servers with strong security. Here we are talking about our Client Access Server. How?
When you install Exchange Server, it installs a default self-signed certificate. A trusted Certificate Authority (CA) did not create or sign this certificate. Such certificates are trusted only by other Exchange servers in the same organization, not by any clients in the organization. That means installing an SSL certificate signed by a trusted certificate authority will enhance the security of your Exchange server.
Who is supposed to do this?
Administrators. They need to get clients to trust these certificates. An alternative is to get a certificate from an internal CA (Certificate Authority). All of this certificate jargon involves different kinds of encryption algorithms and methods. The Secure Sockets Layer (SSL) protocol guarantees secure transactions between web servers and browsers.
An SSL link ensures that all data passed between the web server and browsers remains private and secure. SSL certificates are an industry standard that websites use to protect online transactions with their clients.
Which SSL Should I Buy for my MS Exchange Server?
The best and most recommended SSL certificate for MS Exchange Server is a SAN certificate. SANs (Subject Alternative Names) correspond to the names of the Exchange Server; they include the server name and the server's fully qualified domain name. If you want to secure multiple domain names with a single SSL certificate, you need to configure SANs and you need an SSL certificate that supports SANs (also known as a multi-domain SSL certificate).
When you search for SAN certificates online, you will be surprised to see the number of CAs offering this SSL certificate and the huge price difference between them. In fact, you can find the same certificate being sold at different prices by different sellers. How? Here I explain the reason behind it, along with tips to save money when you buy an SSL certificate online.
To cut a long story short, there are two types of SSL certificate sellers.
- SSL Certificate Authorities (who are authorized to sign an SSL certificate that is verified and known to clients or browsers)
- Authorized SSL certificate resellers like ClickSSL (who resell the same SSL certificates from CAs at a reduced price thanks to high-volume purchasing). They sell the same SSL certificate products at a highly discounted price compared to certificate authorities.
When you buy a SAN certificate for your Exchange server from these resellers, you can save a lot of money and enjoy real-time support from the vendor.
Wow, how do we install a SAN certificate on Exchange Server?
Here are the step-by-step instructions for installing a SAN certificate on your Microsoft Exchange Server:
- Run the Exchange Certificate Wizard.
- On the Exchange Configuration page, configure the settings according to your company's needs, for example for the Client Access server that you want to support Exchange Web Services, Outlook Anywhere, and Autodiscover.
- On the Certificate Domain page, you can add additional SANs.
- After you install the certificate, assign services such as IMAP, POP, SMTP, and IIS.
- Verify that the certificate is correctly assigned by navigating to https://mail.xxx.xxx/owa and clicking the lock button to view the security report.
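The same procedure can also be carried out from the Exchange Management Shell instead of the wizard. The following is an added example, not part of the original article; the host names, subject fields and file paths are placeholders, and the final check goes beyond the browser lock icon by confirming that every name clients use is actually listed on the installed certificate.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Placeholders (assumptions): host names, subject fields and the C:\Certs paths.
$names = 'mail.example.com', 'autodiscover.example.com'

# Inventory first: the default certificate created by setup shows IsSelfSigned = True.
Get-ExchangeCertificate |
    Format-Table Thumbprint, IsSelfSigned, Services, NotAfter -AutoSize

# 1. Generate a certificate request (CSR) listing every client-facing name as a SAN.
#    The private key stays on this server and is not exportable by default.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=NZ, O=Example Ltd, CN=mail.example.com' `
    -DomainName $names
Set-Content -Path 'C:\Certs\mail.req' -Value $csr   # submit this file to the CA

# 2. Once the CA returns the signed certificate, import it to complete the request.
$bytes = [System.IO.File]::ReadAllBytes('C:\Certs\mail.cer')
$cert  = Import-ExchangeCertificate -FileData $bytes

# 3. Assign the services named in the steps above.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IMAP, POP, SMTP, IIS

# 4. Verify the assignment, validity and SAN coverage.
#    Exact-name comparison only; wildcard entries are not expanded here.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$covered   = $installed.CertificateDomains | ForEach-Object { $_.ToString() }
$missing   = $names | Where-Object { $covered -notcontains $_ }

$installed | Format-List Subject, CertificateDomains, Services, Status, NotAfter
if ($missing) {
    Write-Warning "Names not covered by the certificate: $($missing -join ', ')"
}
if ($installed.IsSelfSigned) {
    Write-Warning 'Certificate is self-signed; clients will not trust it.'
}
```

A name that clients connect to but that is missing from the SAN list produces a certificate name mismatch warning in the browser or in Outlook, so resolve any warning from step 4 before pointing users at the server.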
If you still need help with this, you can refer to this official Microsoft guide, which explains the SSL certificate installation process for MS Exchange Server.
About Author:
Shiromi Jayawardena – LinkedIn Profile : https://nz.linkedin.com/in/shiromijayawardena/
Shiromi works as a Senior ICT Instructor / Microsoft Certified Trainer / IT Support / IT Group Development Supervisor at Whitireia Polytechnic in New Zealand, with over 12 years of experience in the IT sector. Along the way, she has worked as a project/lab supervisor and in networking and technical support, as well as tutoring.