Microsoft has started supporting smart card authentication for Outlook Anywhere, provided that Outlook 2007 SP2 and Exchange 2010 SP1 are used (at the time of writing). SSL should terminate on the CAS server, which takes reverse proxies like TMG 2010 out of the equation.
The prerequisites are:
- Exchange 2010 SP1 running on Windows Server 2008 R2 on CAS and Mailbox servers.
- SSL terminates on the Client Access server. The use of a network device that pre-authenticates SSL sessions in front of Exchange isn’t supported.
- All client Outlook connections must use Outlook Anywhere. After you have enabled smart card authentication for Outlook Anywhere, other connections, such as Outlook connecting over MAPI, won’t work.
- A physical smart card for each user that contains their user certificate. You can’t use software certificates stored in the local computer’s registry for this feature.
- Split DNS may also be required if you have configured different namespaces for internal and external client access.