How to Configure SSL for Outlook Anywhere

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.


Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic explains how to configure the rpc virtual directory to use Secure Sockets Layer (SSL) for Outlook Anywhere. By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, a virtual directory named rpc is created on the default Internet Information Services (IIS) Web site on the Exchange server.

Unlike Microsoft Office Outlook Web Access and Exchange ActiveSync, the default self-signed certificate that is available in Exchange 2007 Setup will not work with Outlook 2007 and Outlook 2003 clients that are using Outlook Anywhere. Instead, you must use a valid SSL certificate that is created by a certification authority (CA) that is trusted by the client computer's operating system. For more information about how to install a valid SSL certificate from a CA that the client trusts, see How to Obtain a Server Certificate from a Certification Authority.

After you obtain a valid SSL certificate to use with the Client Access server on the default Web site or on the Web site where you host your rpc virtual directory, you can configure the Web site to require SSL. You can enable SSL for all Web sites that are hosted by the Client Access server or enable SSL only for the rpc virtual directory.

If you plan to close the SSL connection from the client computer that is running Outlook 2007 or Outlook 2003 to the firewall, you can choose to use SSL offloading. This means that the traffic from the firewall to the Client Access server will not be encrypted by using SSL. For this to work, you must have a certificate on the firewall that the client trusts. We recommend that you encrypt all traffic from the client to the Client Access server. For more information about how to enable SSL offloading, see How to Configure SSL Offloading for Outlook Anywhere.

Configuring the rpc virtual directory to use SSL is only one step in managing security for Outlook Anywhere and external client access to Exchange. For more information about how to manage security for Outlook Anywhere, see Managing Client Access Security.

Before You Begin

To perform this procedure, the account you use must be delegated the Exchange View-Only Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.


Before you perform this procedure, read Managing Client Access Security.


To use Internet Information Services (IIS) to configure SSL on the rpc virtual directory

  1. In IIS, select the Default Web site or the rpc virtual directory, and then click Properties.


    If you want to configure SSL only for Outlook Anywhere, select the rpc virtual directory under the Default Web site. Otherwise, you will configure SSL for all virtual directories that are hosted on the Client Access server.

  2. On the Directory Security tab, in Secure Communications, click Edit.

  3. In Secure Communications, select Require Secure Channel (SSL).

  4. After you complete this procedure, your rpc virtual directory is configured to use SSL.
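
To confirm the result of the procedure above from a client computer, the following added example (not part of the original topic) checks that plain HTTP to the rpc virtual directory is refused and that the server certificate is trusted by the client's operating system. The host name mail.example.com is a placeholder, and the function names are hypothetical.

```powershell
# Added example. Run from a client computer, not from the Exchange server.
# 'mail.example.com' is a placeholder for your Outlook Anywhere host name.
param([string]$ServerName = 'mail.example.com')

# .NET exceptions can arrive wrapped by PowerShell; find the one we care about.
function Find-InnerException($Exception, [type]$Type) {
    while ($Exception -and -not $Type.IsInstanceOfType($Exception)) {
        $Exception = $Exception.InnerException
    }
    return $Exception
}

# True when plain HTTP to the rpc virtual directory is refused with 403,
# which is how IIS answers once Require Secure Channel (SSL) is selected.
function Test-RpcRequiresSsl([string]$HostName) {
    $req = [System.Net.WebRequest]::Create("http://$HostName/rpc/")
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch {
        $web = Find-InnerException $_.Exception ([System.Net.WebException])
        if (-not $web -or -not $web.Response) { throw }  # no HTTP answer at all
        $code = [int]$web.Response.StatusCode
    }
    return ($code -eq 403)
}

# True when the certificate on port 443 chains to a root this computer trusts
# and its name matches $HostName (the default SslStream validation).
function Test-RpcCertificateTrusted([string]$HostName) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
        $ssl.AuthenticateAsClient($HostName)
        return $true
    } catch {
        $auth = Find-InnerException $_.Exception ([System.Security.Authentication.AuthenticationException])
        if (-not $auth) { throw }                        # network error, not a trust failure
        return $false
    } finally {
        $tcp.Close()
    }
}

"Plain HTTP refused (SSL required): $(Test-RpcRequiresSsl $ServerName)"
"Certificate trusted by this client: $(Test-RpcCertificateTrusted $ServerName)"
```

A False on the second line while the default self-signed certificate is installed is the expected outcome, because that certificate does not chain to a root the client trusts.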

For More Information

For more information about how to manage Client Access security, see Managing Client Access Security.