In versions of Microsoft Exchange Server prior to Exchange Server 2007 a server could be deployed into an organization and, by default, would not require HTTPS (SSL) for any of its client-server or server-server communications.

Of course for organizations that recognized the value of securing their network communications the wise move was to install an SSL certificate for the IIS instance on the Exchange Server and use SSL for user access to services such as Outlook Web Access and ActiveSync, at least for external access if not for internal access as well.

However, this was not mandatory, and it certainly isn't unusual to encounter legacy Exchange environments that allow external access over insecure HTTP connections. This lack of SSL encryption exposes end-user authentication credentials in clear text and risks them being captured by attackers and used to gain access to your network.

Since the release of Exchange Server 2007, Microsoft has changed the default behaviour so that SSL is required for many services, even when they are only used internally. So a newly installed Exchange Server that hosts the Client Access server role has SSL required by default for services such as:

  • Outlook Web App (OWA)
  • ActiveSync (mobile device access)
  • Exchange Web Services
  • Outlook Anywhere (aka RPC over HTTPS)

Because of this “secure by default” behaviour the Exchange Server installation process generates self-signed SSL certificates to bind to IIS and use for those services.

Although this means that services such as Outlook Web App, Outlook Anywhere, and ActiveSync are secure right from the moment the Exchange server is installed, the use of self-signed SSL certificates in Exchange Server 2013 is only intended to be temporary while the administrator acquires and installs the correct SSL certificates for the server.
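The following script is an added example, not part of the original post, that checks a Client Access server for the two conditions described above: whether the IIS virtual directories behind OWA, ActiveSync, Exchange Web Services and Outlook Anywhere still require SSL, and whether the certificate bound to IIS is still the self-signed one that setup generated. It assumes it is run in the Exchange Management Shell on the server itself, that the IIS WebAdministration module is available, and that the virtual directories live under "Default Web Site" with their default names.

```powershell
# Added example (not from the original post). Assumes: Exchange Management Shell
# on the Client Access server, IIS WebAdministration module, default site/vdir names.
Import-Module WebAdministration

$site = 'Default Web Site'
# Virtual directories carrying client traffic for the services named in the post
$vdirs = @{
    'Outlook Web App'       = 'owa'
    'ActiveSync'            = 'Microsoft-Server-ActiveSync'
    'Exchange Web Services' = 'EWS'
    'Outlook Anywhere'      = 'Rpc'
}

$findings = foreach ($name in $vdirs.Keys) {
    $path = "IIS:\Sites\$site\$($vdirs[$name])"
    $raw  = Get-WebConfigurationProperty -PSPath $path `
                -Filter 'system.webServer/security/access' -Name sslFlags
    # Depending on the IIS version the cmdlet returns either the flag string
    # itself or a configuration attribute wrapping it; normalise to a string.
    $flags = "$($raw.Value)"
    if (-not $flags) { $flags = "$raw" }
    [pscustomobject]@{
        Service     = $name
        VirtualDir  = $vdirs[$name]
        SslFlags    = $flags
        # "Ssl" in the flags means plain HTTP requests are refused by IIS
        RequiresSsl = ($flags -match 'Ssl')
    }
}
$findings | Format-Table -AutoSize

# Certificates Exchange knows about and which services each one is bound to.
$certs = Get-ExchangeCertificate
$certs | Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter, Services |
    Format-Table -AutoSize

# A self-signed certificate still bound to IIS means the setup-time certificate
# is still serving client connections and should be replaced.
$certs | Where-Object { $_.IsSelfSigned -and ("$($_.Services)" -match 'IIS') } |
    ForEach-Object {
        Write-Warning (("Self-signed certificate {0} ({1}) is still bound to IIS; " +
                        "replace it with a CA-issued certificate.") -f $_.Thumbprint, $_.Subject)
    }
```

A virtual directory whose SslFlags column does not contain "Ssl" is accepting unencrypted HTTP, which is the exposure the post warns about.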

Exchange Server administrators should acquire and install SSL certificates on new Exchange Server deployments to replace those self-signed certificates. You can read more about this process at the following resources:

Aliyu Garba
