How do I configure OMA to use SSL?
Outlook Mobile Access (OMA for short) is a feature new in Exchange Server 2003 that lets you connect to your mailbox from almost any mobile phone or mobile-device browser that supports HTML, XHTML, or Compact Hypertext Markup Language (cHTML). That covers a wide variety of devices, including mobile phones, Palm OS based devices and Pocket PC based devices.
You can read more about OMA in the featured links at the bottom of this article.
OMA transmits traffic to and from the browser on the mobile device over HTTP (TCP port 80) in clear text, meaning that anyone able to capture the traffic between the device and the server can read your logon credentials and mailbox contents as they pass over the network.
To secure the transmission of information between Exchange Server 2003 and Outlook Mobile Access (OMA) clients, you can encrypt the information being transmitted by using SSL (Secure Sockets Layer).
To configure SSL for Outlook Mobile Access on Exchange Server 2003 complete the following steps:
- Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Web Sites.
- In the console tree, right-click Default Web Site, and then click Properties.
- In the Default Web Site Properties dialog box, click Directory Security.
- On the Directory Security tab, click Server Certificate.
- In the Welcome to the Web Server Certificate Wizard, on the Welcome page, click Next.
- On the Server Certificate page, verify that Create a new certificate is selected, and then click Next.
- On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
Note: If you don't have a Certificate Authority (CA) installed on this server or on another server on the network, you can still prepare the request here, but you'll need to send it to a CA manually.
- On the Name and Security Settings page, in the Name box, type yourservername.domainname.com (or .net, .org, .mil etc. Use your own registered domain name, the one you want people to use when browsing to your site) and then click Next.
Important note - Internet use: You must make sure that either the Name or the Common Name fields (one of them or both of them) exactly match the external FQDN of the website. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, but it will host a website that will require users to enter WWW.KUKU.CO.IL to reach it, you must then use WWW.KUKU.CO.IL as the Name or Common Name in the certificate request wizard, and DO NOT use SERVER1.MYINTERNALDOM.LOCAL.
Important note - Intranet use: For Intranet-only purposes you CAN use the internal FQDN of the server, or even just its NetBIOS name. For example, if your server's NetBIOS name is SERVER1, and it is located in the MYINTERNALDOM.LOCAL domain, you can use SERVER1.MYINTERNALDOM.LOCAL or just SERVER1 for the Name or the Common Name fields.
You can also change the Bit Length for the encryption key if you want.
- On the Organization Information page, in the Organization box, type your own company name. In the Organizational Unit box, type a descriptive name and then click Next.
- On the Your Site's Common Name page, in the Common name box, type yourservername.domainname.com (see the important notes under the Name and Security Settings step above) and then click Next.
- On the Geographical Information page, in the State/province box, type the required info and then click Next.
- On the SSL Port page, in the SSL port this web site should use box, verify that 443 is specified, and then click Next.
- On the Choose a Certification Authority page, in the Certification Authorities box, verify that your online CA is selected, and then click Next.
- On the Certificate Request Submission page, click Next to submit the request, and then click Finish to complete the wizard.
To use the certificate to secure OMA
- In Internet Services Manager, in the console tree, expand SERVERNAME (your local computer), and then expand Web Sites, then expand Default Web Site.
- In the console tree, right-click the OMA virtual directory, and then click Properties.
- In the OMA Properties dialog box, on the Directory Security tab, in the Secure communications area, click Edit.
Note: If Edit is grayed out, a certificate was not successfully installed for the Default Web Site. Go back to the beginning of the article and follow my instructions.
- In the Secure Communications dialog box, click the Require secure channel (SSL) check box, click the Require 128-bit encryption check box, and then click OK.
- In the OMA Properties dialog box, click OK all the way out, and close Internet Information Services (IIS) Manager. Note that you might want to restart the World Wide Web Publishing service just in case, although generally this is not required.
Verify that SSL is working
To test your new settings, connect your mobile device to the Internet (or to your corporate LAN), open a browser and type your server's FQDN (or NetBIOS name, if on the LAN) followed by /OMA in the address bar (for example: http://server200/oma).
Since this still uses plain-text HTTP (TCP port 80), you'll get the following error message:
Now re-type the URL using HTTPS instead of HTTP. You should now be able to view the OMA website.
Note: The above example is shown from a Pocket Explorer emulator, but it should look the same on your mobile phone or Palm OS/Pocket PC device.
If configured correctly, you should be able to log into your mailbox by entering the right username in the form of DOMAIN\USERNAME and then the password.
After successfully authenticating you can access your mailbox.
Note: Make sure you renew your certificate a few weeks before it expires in order to prevent mishaps like this one: Expired SSL Website Certificate.
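The two things this article tells you to get right are the certificate name (the Name/Common Name must exactly match the FQDN users type, as in the WWW.KUKU.CO.IL versus SERVER1.MYINTERNALDOM.LOCAL example above) and the expiry date (renew a few weeks before it lapses). The script below is an added example, not part of the original article or of Exchange/IIS, that checks both against a certificate in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns. The two sample certificates, their dates, and the host names are constructed for illustration; `fetch_peer_cert` is a hypothetical helper that pulls the certificate from a live server so you can run the same checks against your own OMA site.

```python
import socket
import ssl
import time

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(). None of these values come from a real server.
EXTERNAL_CERT = {
    "subject": ((("commonName", "WWW.KUKU.CO.IL"),),),
    "subjectAltName": (("DNS", "www.kuku.co.il"),),
    "notAfter": "Jan  5 09:34:43 2018 GMT",
}
INTERNAL_CERT = {
    "subject": ((("commonName", "SERVER1.MYINTERNALDOM.LOCAL"),),),
    "notAfter": "Jan  5 09:34:43 2018 GMT",
}


def cert_names(cert):
    """DNS names the certificate is valid for: the SAN entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return [name.lower() for name in names]


def hostname_matches(cert, hostname):
    """True if the name users type in the browser is covered by the certificate.

    Matching is case-insensitive; a wildcard such as *.kuku.co.il covers exactly
    one DNS label (www.kuku.co.il) and not a.b.kuku.co.il or kuku.co.il itself.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        if name.startswith("*."):
            suffix = name[1:]  # ".kuku.co.il"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Whole days left on the certificate (negative once it has expired)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # notAfter is in UTC
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def check_certificate(cert, hostname, now=None, warn_days=30):
    """Return the list of problems found; an empty list means the cert is fine."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(
            f"name mismatch: certificate covers {cert_names(cert)}, "
            f"but users browse to {hostname}"
        )
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append(f"certificate expired {-days} days ago")
    elif days < warn_days:
        problems.append(f"certificate expires in {days} days; renew it now")
    return problems


def fetch_peer_cert(hostname, port=443):
    """Hypothetical helper: fetch a live server's certificate for check_certificate().

    Verification stays on because getpeercert() returns {} for unverified peers;
    a name mismatch or an expired certificate therefore surfaces as
    ssl.SSLCertVerificationError during the handshake, which is itself the finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Fixed "now" 40 days before the constructed expiry date so the demo is stable.
    demo_now = ssl.cert_time_to_seconds(EXTERNAL_CERT["notAfter"]) - 40 * 86400
    for label, cert in (("external", EXTERNAL_CERT), ("internal", INTERNAL_CERT)):
        print(label, "for WWW.KUKU.CO.IL:",
              check_certificate(cert, "WWW.KUKU.CO.IL", now=demo_now) or "OK")
```

Run as-is it evaluates the two constructed certificates; for a real check, replace the sample dict with `fetch_peer_cert("your.oma.hostname")` and pass the same hostname your users type (the external FQDN for Internet use, the internal FQDN or NetBIOS name for Intranet use). The internal-name certificate fails the external hostname check exactly as the article's note warns, while a certificate with fewer than `warn_days` days left is flagged so renewal happens before the site starts refusing connections.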
That's it, you're set up and ready to go.
You may find these related articles of interest to you:
- Adding Root Certificates to Windows Mobile 2003 Pocket PC
- Configuring Forms-Based Authentication in OWA and Exchange 2003
- Configure ISA to Publish OWA
- Configure Message Security in OWA 2003
- Configure OMA in Exchange 2003
- Configure OWA 2003 Attachment Blocking
- Configure SSL on OWA
- Configure SSL on Your Website with IIS
- Configure Web Access to Newsgroups Hosted on Exchange 2000/2003
- Disable Spell Checking in OWA 2003
- Enable Password Changing through OWA in Exchange 2003
- Error c1030af1 on Public Folder Properties in ESM
- Install Windows Server 2003 CA
- How to Synchronize a Pocket PC with Exchange 2003?
- Problems with Forms-Based Authentication and SSL in ActiveSync
- Reset OWA 2000/2003 Language
- Temporarily Disable Root Certificates Checking in Windows Mobile 2002/2003 Pocket PC
- Test OMA in Exchange 2003
- Web Access to Alternate PF