How important is a SSL certificate for a single domain exchange 2007 which uses owa and local outlook connections ?
2 Answers
Very. If you don't use an SSL certificate for OWA, the username and password will travel across the network (the Internet, if it's online) open to being sniffed. Additionally, it provides verification to the client that they are really talking to the right server. Without an SSL certificate I could man-in-the-middle your traffic and steal the credentials for your network.
For local Outlook connections (assuming that it is using the MAPI protocol, not IMAP or POP) it matters a lot less, as it performs a different form of encryption using means other than the certificate.
Certificates are not that expensive, and security breaches are horrendously expensive, even for small businesses.
- Any recommendations on where to purchase a certificate for my kind of setup? – Jeff Jan 20 '11 at 16:21
- Well, Microsoft officially only supports a couple of certificate authorities (http://support.microsoft.com/kb/929395). Personally I'm a huge fan of StartSSL (http://www.startssl.com/), though I haven't tested their certificates with Exchange. – TrueDuality Jan 20 '11 at 16:28
- Anyone will do. GoDaddy, VeriSign, Thawte, etc. – cwheeler33 Jan 20 '11 at 16:30
- Well, there are multiple domain names that need to be in one certificate for it to function properly across the board of Exchange features. So you need to find support for multiple common names in a certificate. – TrueDuality Jan 20 '11 at 16:33
- So a standard SSL from GoDaddy for a single domain would be fine for what I need? Thanks - sorry, I don't have any experience with SSL certs. – Jeff Jan 20 '11 at 16:34
- @trueduality, sorry, I just saw your post. I'm looking at GoDaddy and they have a multiple (up to 5 domain) standard SSL license - should I be looking at this for Exchange? – Jeff Jan 20 '11 at 16:35
- That would do the trick. I know you need SERVERNAME.example.com and autodiscover.example.com (replace example.com with your domain, and "SERVERNAME" with the name of the Exchange server). If you are using a separate address for OWA such as "webmail.example.com" or SMTP such as "smtp.example.com", you will need that in there as well. The only two important ones are the autodiscover and the FQDN of the server, to the best of my memory. – TrueDuality Jan 20 '11 at 16:40
- @trueduality, the Microsoft article is a bit outdated; I think the provider support has been extended since 2008. – Vick Vega Feb 10 '11 at 20:53
Besides the obvious need to secure communications to and from your mail server, there are a couple other things to consider.
If you are using Exchange 2007 and higher, your best bet is to get a UC cert. This will enable you to work with the multiple names that will be needed by Exchange to have all of its services function properly. This is especially important with things like AutoDiscover and Outlook Anywhere. If you use the default setup with a self-signed cert, you will have the burden of installing it manually on any device that wants/needs to connect securely from outside of your LAN, which is a pain when you have a ton of clients and mobile devices.
For local connections, the self-signed cert will usually work just fine, but with the price of certs being so low, it's better to just get one and be done. Personally, when I got my UC cert, I got it from HERE.
Also, see my answer HERE for more info.
Some additional info: I would not recommend GoDaddy; their support and certificate process were a pain. Actually, the easiest part about dealing with them was cancelling and getting my money back. Funny how that works.
- Thanks, I have no issues with spending money on a cert - and I read about UC certs as well before. I'm going to check out the links you posted, appreciate it. – Jeff Jan 20 '11 at 16:38
- Standard Multiple Domain (UCC) SSL Up to 5 Domains - 2 years (annual) is what I think I'm going to go with. Thanks! – Jeff Jan 20 '11 at 16:48
- Agree with Dan, you really want to get a UC cert, let alone a cert in general. Exchange 2007+ can have major client issues with self-signed certs if they don't have your test Root CA cert trusted. – Tatas Mar 18 '11 at 13:59