Default settings for Exchange virtual directories in Exchange Server

Exchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services (IIS) virtual directories during the server installation. The tables in the following sections show the settings for the Client Access (frontend) services on Mailbox servers and the default IIS authentication and Secure Sockets Layer (SSL) settings.

Client Access services (frontend) on Mailbox servers

The following table lists the default settings in the Client Access services (the default web site) on Exchange Mailbox servers.

Virtual directory Authentication method SSL settings Management method
Default Web Site Anonymous Required IIS management console
API1 Anonymous authentication
Windows authentication
SSL required
Requires 128-bit encryption
aspnet_client Anonymous authentication SSL required
Requires 128-bit encryption
IIS management console
Autodiscover Anonymous authentication
Basic authentication
Windows authentication
SSL required
Requires 128-bit encryption
EAC or Exchange Management Shell
ecp Anonymous authentication
Basic authentication
SSL required
Requires 128-bit encryption
EAC or Exchange Management Shell
EWS Anonymous authentication
Windows authentication
SSL required
Requires 128-bit encryption
EAC or Exchange Management Shell
MAPI Windows authentication SSL required
Requires 128-bit encryption
EAC or Exchange Management Shell
Microsoft-Server-ActiveSync Basic authentication SSL required
Requires 128-bit encryption
EAC or Exchange Management Shell
OAB Windows authentication SSL required
Requires 128-bit encryption
EAC or Exchange Management Shell
owa Basic authentication SSL required
Requires 128-bit encryption
EAC or Exchange Management Shell
PowerShell By default, all authentication methods are disabled. Not required EAC or Exchange Management Shell
Rpc Basic authentication
Windows authentication
Not required EAC or Exchange Management Shell

1 The API virtual directory is available in Exchange 2016 CU3 or newer.

Back End Virtual Directories on Mailbox servers

The following table lists the default settings in the back end services on Exchange Mailbox servers.

Virtual directory Authentication method SSL settings Management method
Exchange Back End Anonymous authentication SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
API1 Anonymous authentication
Windows authentication
SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
Autodiscover Anonymous authentication
Windows authentication
SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
ecp Anonymous authentication
Windows authentication
SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
EWS Anonymous authentication
Windows authentication
SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
Microsoft-Server-ActiveSync Basic authentication SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
OAB Windows authentication SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
owa Anonymous authentication
Windows authentication
SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
PowerShell Windows authentication SSL required
Requires 128-bit encryption
This virtual directory shouldn't be configured by the user.
Rpc Windows authentication Not required This virtual directory shouldn't be configured by the user.
RpcWithCert Windows authentication Not required This virtual directory shouldn't be configured by the user.

1 The API virtual directory is available in Exchange 2016 CU3 or newer.

See also

Virtual directory management