How to Require SSL for Offline Address Book Distribution

When SSL is enabled, both SSL and unencrypted requests to the OAB virtual directory are allowed. You can disallow unencrypted requests by performing the procedures that are detailed later in this topic.

To perform the following procedures, the account you use must be delegated the following:

  • Exchange Organization Administrator role

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

Also, before you perform these procedures, be aware of the following:

  • To learn more about the various security and authentication related options that are available for Exchange 2007, we recommend that you first read Managing Client Access Security.
  • The default self-signed certificate that is available in Exchange 2007 Setup will not work with Microsoft Office Outlook 2007 clients that are using OABs. Instead, you must use a valid SSL certificate that is created by a certification authority (CA) that is trusted by the client computer's operating system. For more information about how to install a valid SSL certificate from a CA that the client trusts, see How to Obtain a Server Certificate from a Certification Authority.
  • After you obtain a valid SSL certificate to use with the Client Access server on the OAB default Web site or on the Web site where you host your OAB virtual directory, you should test SSL connectivity by issuing an HTTPS request. Using your browser, type the following URL in the address bar: https://<server name>/. The request should return your server's home page. You can configure the Web site to require SSL. You can also enable SSL for one or more Web sites that are hosted by the Client Access server. For more information, see Managing Client Access Security.

To use Internet Information Services Manager to set up the default Web site for OAB to require SSL

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree of Internet Information Services (IIS) Manager, expand the Client Access server on which you are going to configure IIS.
  3. Expand Web Sites, and then expand Default Web Site.
  4. Right-click OAB, and then click Properties.
  5. In OAB Properties, click the Directory Security tab.
  6. Under Secure Communications, click Edit.
  7. In Secure Communications, select the Require secure channel (SSL) and the Require 128-bit encryption check boxes, and then click OK to save your change.
  8. Click OK to close OAB Properties.

To use the Exchange Management Shell to set up the OAB virtual directory to require SSL verification and to use an SSL-enabled (HTTPS) external Web site

Run the following command:

  • Set-OABVirtualDirectory -Identity <VirtualDirectoryIdParameter> -RequireSSL <$true> -ExternalURL <URL>

For example, to require SSL for the OAB default Web site with an external URL for the Contoso company, run the following command:

For detailed syntax and parameter information, see the Set-OABVirtualDirectory reference topic.
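
To confirm the result of either procedure, the following added example (not part of the original topic) lists the RequireSSL setting of each OAB virtual directory and probes its external URL over HTTP and HTTPS. It assumes the Exchange Management Shell on PowerShell 2.0 or later, the default ports 80 and 443, and that the external host name resolves to the Client Access server from the computer where you run it. Get-HttpStatus is a hypothetical helper name.

```powershell
# Added example. Assumes Exchange Management Shell with PowerShell 2.0 or later.
function Get-HttpStatus([string]$Url) {
    # Returns the numeric HTTP status, or the WebExceptionStatus name
    # (for example TrustFailure) when no HTTP response was received.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.UseDefaultCredentials = $true
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # PowerShell may wrap the .NET exception; walk down to the WebException.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex) { return 'Error' }
        if ($ex.Response) {
            $code = [int]$ex.Response.StatusCode
            $ex.Response.Close()
            return $code
        }
        return $ex.Status.ToString()
    }
}

Get-OabVirtualDirectory | ForEach-Object {
    $row = New-Object PSObject -Property @{
        Identity = $_.Identity; RequireSSL = $_.RequireSSL
        ExternalUrl = "$($_.ExternalUrl)"; HttpStatus = 'n/a'; HttpsStatus = 'n/a'
    }
    if ($row.ExternalUrl) {
        # Assumption: HTTPS on port 443 and HTTP on port 80 (IIS defaults).
        $b = New-Object System.UriBuilder $row.ExternalUrl
        $b.Scheme = 'https'; $b.Port = 443
        $row.HttpsStatus = Get-HttpStatus $b.Uri.AbsoluteUri
        $b.Scheme = 'http'; $b.Port = 80
        $row.HttpStatus = Get-HttpStatus $b.Uri.AbsoluteUri
    }
    # Expected once SSL is required: RequireSSL True, HttpStatus 403, and an
    # HttpsStatus that is an HTTP code (200 or 401), not TrustFailure.
    $row
} | Format-Table Identity, RequireSSL, ExternalUrl, HttpStatus, HttpsStatus -AutoSize
```

An HttpsStatus of TrustFailure means the computer running the check does not trust the server certificate, which is the condition described above for the default self-signed certificate. An HttpStatus of ConnectFailure means port 80 is not reachable at all from that computer.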

For More Information

To learn more about OABs, see Understanding Offline Address Books.

For more information about managing OABs, see the following topics:

For more information about the OAB virtual directory, see How to Create an Offline Address Book Virtual Directory.

Dave