SSL Certificate Is Not Installed or Is Not Configured
[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at http://go.microsoft.com/fwlink/?linkid=34707.]
Topic Last Modified: 2008-04-09
The Microsoft Exchange Server Analyzer uses the following Exchange Management Shell cmdlet to query for the value of the VirtualDirectoryName and WebsiteName properties of any target Exchange 2007 servers:
The VirtualDirectoryName property returns a string that defines the name of the ActiveSync virtual directory, and the WebsiteName property returns a string that defines the name of the Exchange ActiveSync Web site.
The Exchange Server Analyzer tool then queries the Internet Information Services (IIS) metabase for the values of the following properties:
A value of true for the AccessSSL property indicates that file access requires SSL file permission processing with or without a client certificate.
The SSLCertHash property specifies the SSL certificate hash which encodes the certificate.
If the Exchange Server Analyzer determines that either of the following conditions exists, the Exchange Server Analyzer displays a best practices message.
The AccessSSL property does not contain a value of True.
The SSLCertHash property does not exist.
This best practices message means that SSL is either not installed or is not configured on the Exchange ActiveSync virtual directory.
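To reproduce the two checks by hand, the following added example (not Microsoft's code and not part of the original topic) reads both properties through the ADSI IIS provider on an Exchange 2007 / IIS 6 server. It assumes that the virtual directories are listed with Get-ActiveSyncVirtualDirectory, that its output carries a MetabasePath of the form shown in the comment, and that AccessSSL is read at the virtual directory while SSLCertHash is read at the Web site; the function name Test-ActiveSyncSsl is hypothetical.

```powershell
# Added example. Run in the Exchange Management Shell with rights to read
# the IIS metabase on the target server.
function Test-ActiveSyncSsl {
    param([string]$Server = $env:COMPUTERNAME)

    foreach ($vdir in @(Get-ActiveSyncVirtualDirectory -Server $Server)) {
        # Assumed shape: IIS://<host>/W3SVC/<siteId>/ROOT/<virtual directory>
        $vdirPath = [string]$vdir.MetabasePath
        $sitePath = $vdirPath -replace '/ROOT(/.*)?$', ''

        # Assumption: AccessSSL lives on the virtual directory node and
        # SSLCertHash on the Web site node of the metabase.
        $vdirEntry = [ADSI]$vdirPath
        $siteEntry = [ADSI]$sitePath
        $accessSsl = $vdirEntry.psbase.Properties['AccessSSL'].Value
        $certHash  = $siteEntry.psbase.Properties['SSLCertHash'].Value

        # The two conditions that raise the best practices message.
        $findings = @()
        if ($accessSsl -ne $true) { $findings += 'AccessSSL is not True' }
        if ($null -eq $certHash)  { $findings += 'SSLCertHash does not exist' }

        # Show the bound certificate hash as hex so it can be compared with
        # the thumbprint of the certificate you expect on this site.
        $hashText = ''
        if ($null -ne $certHash) {
            $hashText = [BitConverter]::ToString([byte[]]$certHash)
        }

        $result = New-Object PSObject
        $result | Add-Member NoteProperty Server               $Server
        $result | Add-Member NoteProperty WebsiteName          $vdir.WebsiteName
        $result | Add-Member NoteProperty VirtualDirectoryName $vdir.VirtualDirectoryName
        $result | Add-Member NoteProperty AccessSSL            $accessSsl
        $result | Add-Member NoteProperty SSLCertHash          $hashText
        $result | Add-Member NoteProperty Compliant            ($findings.Count -eq 0)
        $result | Add-Member NoteProperty Findings             ([string]::Join('; ', $findings))
        $result
    }
}

Test-ActiveSyncSsl | Format-List
```

A row with Compliant set to False corresponds to the condition the Analyzer reports; the Findings column states which of the two properties caused it.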
Microsoft strongly recommends that you enable Secure Sockets Layer (SSL) encryption on the Exchange ActiveSync virtual directory.
Internet Information Services (IIS) and Internet Explorer Mobile implement SSL to help secure data transmission when a user connects to a server to synchronize Microsoft Exchange data.
The SSL protocol helps Web servers and Web clients communicate more securely through the use of encryption. When SSL is not used, data sent between the client and server is open to packet sniffing by anyone with physical access to the network.
Over SSL, clients authenticate by using Basic or Microsoft Windows NT LAN Manager (NTLM) authentication. If you have to support Basic authentication, for instance for Web browsers that do not support NTLM, it is recommended that you also use SSL so that the user's password is not sent in plain text.
For more information about how to use SSL with Exchange ActiveSync, see "How to Configure SSL for Exchange ActiveSync" (http://go.microsoft.com/fwlink/?LinkId=115737).
Configuring an Exchange ActiveSync virtual directory to use SSL is just one step in managing security for Exchange ActiveSync. For more information about how to manage security for Exchange ActiveSync, see "Managing Exchange ActiveSync Security" (http://go.microsoft.com/fwlink/?LinkId=115738).
For more information on Exchange Server 2007 Security Best Practices, see "Top 5 Exchange Server 2007 Security Best Practices" (http://go.microsoft.com/fwlink/?LinkId=115740).