Exchange 2003, ActiveSync and SSL – Oh, My!

So, a person has a SBS2k3 w/SP1 installed.  Exchange activesync works with SSL turned off via wireless synchronization locally and over the internet. The questions are:


1.)  What are the security related risks, if any, by not using SSL?

2.)  When I try to enable SSL I copy the cert over to the PPC and attempt to run it and it says cannot access certificate. I’m grabbing the cert from \\servername\clientapps\sbscert.  I did install the certificate component from add/remove programs.  Does this screw with it?  I was grabbing at straws trying to figure it out.I don’t know if it matters at all, but I can install a cert if I go to http:\\servername\certsrv and install a DES cert but not the other one.  I get an internet_45 error after that cert is installed.

If question 1 doesn’t lead to significant security risks question 2 becomes mostly moot, although I would like to figure out WHY it won’t install.
Thanks.


Jerry Zhao (MSFT) from Microsoft had the answer:


For the function of the SSL, you can refer to the following articles:

What is TLS/SSL?
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ed5ae700-e05e-45ef-b536-45795dbb99a2.mspx
XADM: How Secure Sockets Layer Works
http://support.microsoft.com/default.aspx?scid=kb;en-us;245152

As for your question 2, from the Exchange 2003 viewpoint, the OMA/Server ActiveSync features don’t require certificates if you don’t plan to enable SSL for the HTTP connections for these mobile features. Also, in the mobile devices with PocketPC 2003 or later as OS, you can choose either using HTTPS or not using HTTPS when you try to use Exchange 2003 OMA/Server ActiveSync features. If you choose using HTTPS, you may have to obtain a certificate from an well-known third party CA or set up and issue your own certificate by using the Windows 2003 CA service, and then implement the certificate in your Exchange 2003 Server to enable SSL for OMA and Server ActiveSync.

NOTE: If you plan to set up Windows 2003 CA Service and issue your own certificate, it will not be trusted by your PPC mobile devices by default and you may want to use the following tool on your PPC devices to disable the SSL check:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D88753B8-8B3A-4F1D-8E94-530A67614DF1&displaylang=en

Leave a Reply

Your email address will not be published. Required fields are marked *