Exchange Server 2013: Digital Certificates and SSL
Digital certificates are electronic files that work like an online password to verify the identity of a user or a computer. They're used to create the SSL encrypted channel that's used for client communications. A certificate is a digital statement that's issued by a certification authority (CA) that vouches for the identity of the certificate holder and enables the parties to communicate in a secure manner using encryption. Digital certificates do the following:
They authenticate that their holders (people, websites, and even network resources such as routers) are truly who or what they claim to be.
They protect data that's exchanged online from theft or tampering.
Digital certificates can be issued by a trusted third-party CA or a Windows public key infrastructure (PKI) using Certificate Services, or they can be self-signed. Each type of certificate has advantages and disadvantages. Each type of digital certificate is tamper-proof and can't be forged. Certificates can be issued for several uses. These uses include web user authentication, web server authentication, Secure/Multipurpose Internet Mail Extensions (S/MIME), Internet Protocol security (IPsec), Transport Layer Security (TLS), and code signing.
A certificate contains a public key and attaches that public key to the identity of a person, computer, or service that holds the corresponding private key. The public and private keys are used by the client and the server to encrypt the data before it's transmitted. For Windows-based users, computers, and services, trust in a CA is established when there's a copy of the root certificate in the trusted root certificate store and the certificate contains a valid certification path. For the certificate to be valid, the certificate must not have been revoked and the validity period must not have expired.
Types of certificates
There are three primary types of digital certificates: self-signed certificates, Windows PKI-generated certificates, and third-party certificates.
Self-signed certificates
When you install Exchange 2013, a self-signed certificate is automatically configured on the Mailbox servers. A self-signed certificate is signed by the application that created it. The subject and the name of the certificate match. The issuer and the subject are defined on the certificate. This self-signed certificate is used to encrypt communications between the Client Access server and the Mailbox server. The Client Access server trusts the self-signed certificate on the Mailbox server automatically, so no third-party certificate is needed on the Mailbox server. When you install Exchange 2013, a self-signed certificate is also created on the Client Access server. This self-signed certificate will allow some client protocols to use SSL for their communications. Exchange ActiveSync and Outlook Web App can establish an SSL connection by using a self-signed certificate. Outlook Anywhere won't work with a self-signed certificate on the Client Access server. Self-signed certificates must be manually copied to the trusted root certificate store on the client computer or mobile device. When a client connects to a server over SSL and the server presents a self-signed certificate, the client will be prompted to verify that the certificate was issued by a trusted authority. The client must explicitly trust the issuing authority. If the client confirms the trust, then SSL communications can continue.
Note: By default, the digital certificate installed on the Mailbox server or servers is a self-signed certificate. You don't need to replace the self-signed certificate on the Mailbox servers in your organization with a trusted third-party certificate. The Client Access server automatically trusts the self-signed certificate on the Mailbox server and no other configuration is needed for certificates on the Mailbox server.
Frequently, small organizations decide not to use a third-party certificate or not to install their own PKI to issue their own certificates. They might make this decision because those solutions are too expensive, because their administrators lack the experience and knowledge to create their own certificate hierarchy, or for both reasons. The cost is minimal and the setup is simple when you use self-signed certificates. However, it's much more difficult to establish an infrastructure for certificate life-cycle management, renewal, trust management, and revocation when you use self-signed certificates.
The second type of certificate is a Windows PKI-generated certificate. A PKI is a system of digital certificates, certification authorities, and registration authorities (RAs) that verify and authenticate the validity of each party that's involved in an electronic transaction by using public key cryptography. When you implement a PKI in an organization that uses Active Directory, you provide an infrastructure for certificate life-cycle management, renewal, trust management, and revocation. However, there is some additional cost involved in deploying servers and infrastructure to create and manage Windows PKI-generated certificates. Certificate Services are required to deploy a Windows PKI and can be installed through Add Or Remove Programs in Control Panel. You can install Certificate Services on any server in the domain. If you obtain certificates from a domain-joined Windows CA, you can use the CA to request or sign certificates to issue to your own servers or computers on your network. This enables you to use a PKI that resembles a third-party certificate vendor, but is less expensive. These PKI certificates can't be deployed publicly, as other types of certificates can be. However, when a PKI CA signs the requestor's certificate by using the private key, the requestor is verified. The public key of this CA is part of the certificate. A server that has this certificate in the trusted root certificate store can use that public key to verify the CA's signature on the requestor's certificate and authenticate the requestor. The steps for deploying a PKI-generated certificate resemble those required for deploying a self-signed certificate. You must still install a copy of the trusted root certificate from the PKI to the trusted root certificate store of the computers or mobile devices that you want to be able to establish an SSL connection to Microsoft Exchange. A Windows PKI enables organizations to publish their own certificates. Clients can request and receive certificates from a Windows PKI on the internal network. The Windows PKI can renew or revoke certificates.
Third-party or commercial certificates are certificates that are generated by a third-party or commercial CA and then purchased for you to use on your network servers. One problem with self-signed and PKI-based certificates is that, because the certificate is not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. Third-party or commercial certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates greatly simplifies deployment. For larger organizations or organizations that must publicly deploy certificates, the best solution is to use a third-party or commercial certificate, even though there is a cost associated with the certificate. Commercial certificates may not be the best solution for small and medium-size organizations, and you might decide to use one of the other certificate options that are available.
store. In this case, neither a self-signed certificate nor a certificate from a Windows PKI CA can be installed on the mobile device.
IIS
All the following Exchange services use the same certificate on a given Exchange Client Access server:
Outlook Web App
Exchange Administration Center (EAC)
Exchange Web Services
Exchange ActiveSync
Outlook Anywhere
Autodiscover
Outlook Address Book distribution
Because only a single certificate can be associated with a website, and because all these services are offered under a single website by default, all the names that clients of these services use must be in the certificate (or fall under a wildcard name in the certificate).
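The rule above is easy to get wrong with wildcards, so here is an added example (not code from the original page) that checks whether every host name clients use is covered by a certificate's DNS subject alternative names. The Contoso names and SAN lists are constructed sample input; matching follows the common browser rule that '*' must be the whole leftmost label and matches exactly one label.

```python
"""Check Exchange client host names against a certificate's DNS SAN list.

Added example, not part of the original page. A host name is covered if a
SAN entry equals it (case-insensitive) or if the entry is a wildcard whose
'*' is the entire leftmost label and stands for exactly one label, so
'*.contoso.com' covers mail.contoso.com but neither contoso.com nor
mail.internal.contoso.com."""


def san_matches(san_entry: str, host: str) -> bool:
    """Return True if the DNS SAN entry covers the host name."""
    san = san_entry.lower().rstrip(".")
    name = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == name
    # Wildcard: same label count, at least three labels (no '*.com'),
    # and every label after the '*' identical.
    san_labels = san.split(".")
    name_labels = name.split(".")
    if len(san_labels) != len(name_labels) or len(name_labels) < 3:
        return False
    return san_labels[1:] == name_labels[1:]


def uncovered_names(san_entries, required_hosts):
    """Return the required host names that no SAN entry covers."""
    return [h for h in required_hosts
            if not any(san_matches(s, h) for s in san_entries)]


# Constructed sample: the names a Contoso deployment's clients use,
# one per service group, never individual server machine names.
REQUIRED = ["mail.contoso.com", "autodiscover.contoso.com",
            "legacy.contoso.com"]

if __name__ == "__main__":
    narrow = ["mail.contoso.com", "autodiscover.contoso.com"]
    print("missing from narrow SAN list:", uncovered_names(narrow, REQUIRED))
    # -> ['legacy.contoso.com']
    wildcard = ["*.contoso.com"]
    print("missing from wildcard cert:", uncovered_names(wildcard, REQUIRED))
    # -> []
    # A wildcard reaches neither the bare domain nor a deeper label.
    print(uncovered_names(wildcard, ["contoso.com", "mail.internal.contoso.com"]))
    # -> ['contoso.com', 'mail.internal.contoso.com']
```

Run it against the SAN list of the certificate you intend to deploy (for example, as read from the EAC) and any name it reports is one clients will get an untrusted-name error for.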
POP/IMAP
Certificates that are used for POP or IMAP can be specified separately from the certificate that's used for IIS. However, to simplify administration, we recommend that you include the POP or IMAP service name in your IIS certificate and use a single certificate for all these services.
SMTP
A separate certificate can be used for each receive connector that you configure. The certificate must include the name that SMTP clients (or other SMTP servers) use to reach that connector. To simplify certificate management, consider including all names for which you have to support TLS traffic in a single certificate.
Many Exchange deployments use reverse proxies to publish Exchange services on the Internet. Reverse proxies can be configured to terminate SSL encryption, examine the traffic in the clear on the server, and then open a new SSL encryption channel from the reverse proxy servers to the Exchange servers behind them. This is known as SSL bridging. Another way to configure the reverse proxy servers is to let the SSL connections pass straight through to the Exchange servers behind the reverse proxy servers. With either deployment model, the clients on the Internet connect to the reverse proxy server using a host name for Exchange access, such as mail.contoso.com. Then the reverse proxy server connects to Exchange using a different host name, such as the machine name of the Exchange Client Access server. You don't have to include the machine name of the Exchange Client Access server on your certificate because most common reverse proxy servers are able to match the original host name that's used by the client to the internal host name of the Exchange Client Access server.
Split DNS is a technology that allows you to configure different IP addresses for the same host name, depending on where the originating DNS request came from. This is also known as split-horizon DNS, split-view DNS, or split-brain DNS. Split DNS can help you reduce the number of host names that you must manage for Exchange by allowing your clients to connect to Exchange through the same host name whether they're connecting from the Internet or from the intranet. Split DNS allows requests that originate from the intranet to receive a different IP address than requests that originate from the Internet. Split DNS is usually unnecessary in a small Exchange deployment because users can access the same DNS endpoint whether they're coming from the intranet or the Internet. However, with larger deployments, this configuration will result in too high of a load on your outgoing Internet proxy server and your reverse proxy server. For larger deployments, configure split DNS so that, for example, external users access mail.contoso.com and internal users access internal.contoso.com. Using split DNS for this configuration ensures that your users won't have to remember to use different host names depending on where they're located.
Kerberos authentication and Kerberos encryption are used for remote Windows PowerShell access, from both the Exchange Administration Center (EAC) and the Exchange Management Shell. Therefore, you won't have to configure your SSL certificates for use with remote Windows PowerShell.
To 3re"ent clients (rom recei"ing errors regar$ing untruste$ certi(icates2 the certi(icate that5s use$ by your E change ser"er must be issue$ by someone that the client trusts1 <hough most clients can be con(igure$ to trust any certi(icate or certi(icate issuer2 it5s sim3ler to use a truste$ thir$93arty certi(icate on your E change ser"er1 This is because most clients alrea$y trust their root certi(icates1 There are se"eral thir$93arty certi(icate issuers that o((er certi(icates con(igure$ s3eci(ically (or E change1 >ou can use the E&% to generate certi(icate re*uests that 0or- 0ith most certi(icate issuers1
Make sure that the CA supports the kinds of certificates that you'll use. Consider using subject alternative name (SAN) certificates. Not all CAs support SAN certificates, and other CAs don't support as many host names as you might need. Make sure that the license you buy for the certificates allows you to put the certificate on the number of servers that you intend to use. Some CAs only allow you to put a certificate on one server. Compare certificate prices between CAs.
In addition to using as few certificates as possible, you should also use as few host names as possible. This practice can save money. Many certificate providers charge a fee based on the number of host names you add to your certificate. The most important step you can take to reduce the number of host names that you must have and, therefore, the complexity of your certificate management, is not to include individual server host names in your certificate's subject alternative names.
The host names you must include in your Exchange certificates are the host names used by client applications to connect to Exchange. The following is a list of typical host names that would be required for a company named Contoso:
Mail.contoso.com: This host name covers most connections to Exchange, including Microsoft Outlook, Outlook Web App, Outlook Anywhere, the Offline Address Book, Exchange Web Services, POP3, IMAP4, SMTP, Exchange Control Panel, and ActiveSync.
Autodiscover.contoso.com: This host name is used by clients that support Autodiscover, including Microsoft Office Outlook 2007 and later versions, Exchange ActiveSync, and Exchange Web Services clients.
Legacy.contoso.com: This host name is required in a coexistence scenario with Exchange Server 2003 or Exchange 2007. If you'll have clients with mailboxes on either Exchange Server 2003 or Exchange 2007 and Exchange 2013, configuring a legacy host name prevents your users from