Data encryption between Outlook and Exchange within Office 365

The user JPM2013 had a question regarding the data encryption between Outlook and the Exchange Server in the backend of Office 365. He observed that a mailbox profile setting called "Encrypt data between Microsoft Office Outlook and Microsoft Exchange" was not enabkled by default and one cannot configure this option because it is greyed out.

I can confirm the traffic between Outlook and Exchange Online in Office 365 is encrypted regardless of the "Encrypt data between Microsoft Office Outlook and Microsoft Exchange" setting.

In the early Exchange days Outlook was communicating directly with the server using MAPI/RPC. This communication was unencrypted by default in the past. Starting with Microsoft Outlook 2007 the MAPI/RPC encryption was enforced by enabling the setting "Encrypt data between Microsoft Office Outlook and Microsoft Exchange" by default.

However, the default Microsoft Outlook 2003 (and former versions) configuration did not have this option enabled. If one uses the Set-MailboxServer cmdlet on an Exchange 2007 server (and later versions) to force encrypted MAPI/RPC connections on users mailboxes, and the "Encrypt data between Microsoft Office Outlook and Microsoft Exchange" setting is turned off in Outlook, users cannot connect to their mailbox successfully. Please read Microsoft Knowledge Base article When you use Outlook with an Exchange 2007 mailbox, you cannot connect to Exchange 2007, and you receive an error message and Outlook connection issues with Exchange 2010 mailboxes because of the RPC encryption requirement for more information.

All this changed with the arrival of the remote procedure call (RPC) over HTTPS feature in Microsoft Exchange Server 2003 (now called Outlook Anywhere). Exchange Server 2003 (and later versions) together with Microsoft Office Outlook 2003 (and later versions) and Microsoft Windows Server 2003 (and later versions) support the use of RPC over HTTPS to access servers that are running Exchange Server. By using RPC over HTTPS, users no longer have to use a virtual private network (VPN) connection or the "Encrypt data between Microsoft Office Outlook and Microsoft Exchange" setting to connect securely to Exchange mailboxes. The Windows RPC over HTTPS feature enables an RPC client such as Outlook 2003 (and later versions) to establish MAPI/RPC connections by tunneling the RPC traffic over HTTPS.

You can verify this easily:

  1. Go to the Control Panel and open the Mail applet.
  2. Look at your mailbox settings.
  3. In the Microsoft Exchange Server window, go to the Connection tab.
  4. Notice that you should have a box called "Connect to my Exchange mailbox using HTTP" checked at the middle of the tab.
  5. Click on the "Exchange Proxy Settings" button.
    1. In the Connection Settings box you can find the FQDN (Fully Qualified Domain Name) of the RPC Proxy server from Office 365 to connect to your Exchange Online server.
    2. The setting "Connect using SSL only" makes sure that every communication between Outlook and Exchange is tunneled through an encrypted Secure Socket Layer (SSL) connection.
    3. The setting "Mutually authenticate the session when connecting with SSL" enables the use of mutual authentication. The client will only connect to proxy servers that have this principal name in their certificate.

This complex configuration was a burden to setup in the past. Starting with Exchange Server 2007 and Microsoft Outlook 2007 the Autodiscover technology makes it incredibly easy to use this today. That is why it is so important to set the correct CNAME for the Autodiscover process in the Domain Name System (DNS) for every Office 365 deployment.

If you would like to know more about this technology I recommend to read The Autodiscover Service and Outlook Providers - how does this stuff work and of course the Security in Office 365 Whitepaper?

Have fun!