Diadema



Junior Member

Step 1: Obtain an SSL certificate
There are three options for obtaining an SSL certificate:
- Option 1:  Use the self-signed SSL certificate that Exchange 2007 installs by default.  This is not supported by Outlook Anywhere or the Offline Address Book.  Exchange ActiveSync will require the device to have the corresponding Trusted Root Certificate installed.
- Option 2:  Purchase an SSL Certificate from a well known Certificate Authority
- Option 3:  Obtain an SSL Certificate from a Windows PKI Certificate Authority
- If you choose Option 1 please skip Steps 2 and 3 and go straight to Step 4.
- If you choose Option 2 or Option 3 please proceed to Step 2.
- NOTE: For all three options Exchange ActiveSync will require the device to have the corresponding Trusted Root Certificate installed.
Step 2: Generate and submit the certificate request
Create a new certificate request for Secure Sockets Layer (SSL) services.
- Open the Exchange Management Shell.
- Run the following command replacing domainname and friendlyname with the appropriate values:  New-ExchangeCertificate -GenerateRequest -domainname mail.contoso.msft,autodiscover.contoso.msft,myserver,myserver.internal.contoso.msft -FriendlyName mail.contoso.msft -privatekeyexportable:$true -path c:\cert_myserver.txt
- Note:  "DomainName" is used to populate one or more domain names (FQDN) or server names in the resulting certificate request.
- Note:  "FriendlyName" is used to specify a friendly name for the resulting certificate. The friendly name must be less than 64 characters.
- Submit the request to the Certificate Authority and have the CA generate the certificate.
Step 3: Enable the certificate on the Default Website
Once you have the newly generated certificate you must import it and then enable that certificate on the Default Web Site.
- From the machine where Step 2 was run, import the certificate.  To import the certificate do the following:
- Open the Exchange Management Shell.
- Run the following command where "c:\newcert.cer" is the location and name of your certificate:  Import-ExchangeCertificate -path c:\newcert.cer
- Copy the thumbprint, which is the digest of the certificate data, of the certificate to the clipboard by doing the following:
- Open the Exchange Management Shell.
- Run the following command:  dir cert:\LocalMachine\My | fl
- Locate the certificate you just imported by finding the one that matches the FriendlyName from Step 2 and copy the Thumbprint property to the Windows Clipboard.
- Enable the certificate on the Default Web Site by doing the following:
- Open the Exchange Management Shell.
- Run the following command:  enable-ExchangeCertificate -thumbprint [value you got from above] -services "IIS,IMAP,POP"
- Using the "enable-ExchangeCertificate" cmdlet will update the certificate mapping thus replacing the self-signed certificate installed by default with Exchange 2007 and configured in IIS, IMAP4 and POP3 configuration.
Step 4: Require the Client Access Server virtual directories to use SSL
The IIS Default Web Site is, by default, configured to require SSL for all virtual directories except for Offline Address Book.  Since it is possible to configure additional virtual directories, for each client access feature that you plan to use you must ensure that the virtual directory uses SSL.  For each of the virtual directories listed below, repeat the steps described further below in the Internet Information Services Manager to require SSL.
- Outlook Web Access 2007 virtual directory is “owa”
- For Outlook Web Access 2003 and WebDAV, the virtual directories are “exchange” and “public”
- Exchange ActiveSync virtual directory is “Microsoft-Server-ActiveSync”
- Outlook Anywhere virtual directory is “Rpc”
- Autodiscover virtual directory is "Autodiscover"
- Exchange Web Services virtual directory is “EWS”
- Unified Messaging virtual directory is “Unified Messaging”
- Offline Address Book virtual directory is “OAB”
- For each of the virtual directories above that you are going to use, open up the Internet Information Services (IIS) Manager and perform the steps below.
- Select the desired virtual directory under Default Web Site, "owa" for example.
- Right-click and choose “Properties”.
- Select the “Directory Security” tab.
- Under the “Secure Communications” section choose the “Edit…” button.
- In the “Secure Communications” dialog ensure that the “Require secure channel (SSL)” checkbox and the “Require 128-bit encryption” checkbox are both checked.
- Click the “OK” button to save changes.
- Restart POP3 and IMAP4 services by opening the Component Services Windows administrative tool, selecting "Microsoft Exchange POP3" or "Microsoft Exchange IMAP4", right-clicking, and choosing "Restart".  IIS does not need to be restarted.
Additional information on configuring SSL on the Client Access Server
Read the following topic to find out more about SSL on the Client Access Server.
- Managing Client Access Security
 
The certificate is obtained and exported with the following commands:

Code:
CERTREQ -attrib "CertificateTemplate:WebServer" <requestfile>
CERTREQ -retrieve <RequestID> <dcname>.cer <dcname>.p7b
 

 

Total posts: 185 | Registered: 17-01-2006 | Posted: 12:49 02-02-2007 | Edited: Diadema, 09:02 04-02-2007
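
Added example, not part of the original post: Step 3 run as one Exchange Management Shell script that checks the imported certificate (private key present, validity period, every name requested in Step 2 listed, chain builds to a trusted root) before enabling it. The variables `$friendlyName`, `$expectedNames` and `$problems` are assumptions of this example; the names and file path repeat the sample values from Steps 2 and 3.

```powershell
# Added example. Values below repeat the sample values from Steps 2 and 3.
$friendlyName  = 'mail.contoso.msft'
$expectedNames = 'mail.contoso.msft','autodiscover.contoso.msft','myserver','myserver.internal.contoso.msft'

Import-ExchangeCertificate -Path c:\newcert.cer | Out-Null

# Locate the imported certificate by friendly name (newest first if several match),
# instead of copying the thumbprint by hand.
$cert = Get-ChildItem cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$friendlyName' in LocalMachine\My" }

$problems = @()

# The private key only exists on the machine where the request was generated.
if (-not $cert.HasPrivateKey) { $problems += 'no private key: import on the server that generated the request' }

# Validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Subject Alternative Name extension (OID 2.5.29.17) must list every requested name.
$sanText = ''
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $sanText = $san.Format($false) }
$sanNames = @($sanText.Split(',') | ForEach-Object { $_.Substring($_.IndexOf('=') + 1).Trim() })
foreach ($name in $expectedNames) {
    if ($sanNames -notcontains $name) { $problems += "name missing from certificate: $name" }
}

# The chain must build to a root trusted by this server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = [string]::Join(', ', @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }))
    $problems += "chain does not build: $status"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Certificate $($cert.Thumbprint) was not enabled"
}

Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,IMAP,POP"
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Thumbprint, Services, NotAfter
```

The chain check runs on the server only; clients and ActiveSync devices still need the issuing root in their own trust store, as the NOTE in Step 1 says.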