Microsoft has started supporting smart card authentication for Outlook Anywhere, provided that Outlook 2007 SP2 and Exchange 2010 SP1 are used (at the time of writing). SSL must terminate on the CAS server, which takes reverse proxies such as TMG 2010 out of the equation.
The prerequisites are:
- Exchange 2010 SP1 running on Windows Server 2008 R2 on CAS and Mailbox servers.
- SSL terminates on the Client Access server. The use of a network device that pre-authenticates SSL sessions in front of Exchange isn’t supported.
- All client Outlook connections must use Outlook Anywhere. After you have enabled smart card authentication for Outlook Anywhere, other connections, such as Outlook connecting over MAPI, won’t work.
- A physical smart card for each user that contains their user certificate. You can’t use software certificates stored in the local computer’s registry for this feature.
- Split DNS may also be required if you have configured different namespaces for internal and external client access.
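An added pre-flight check for the server-side prerequisites above (this is example code written for this post, not a script from Microsoft or the source article). It assumes it is run from the Exchange Management Shell on an Exchange 2010 SP1 organization, that a "ServerRole" value containing "ClientAccess" identifies a CAS, and that the cmdlets and properties it uses (Get-ExchangeServer AdminDisplayVersion, Get-OutlookAnywhere SSLOffloading, Win32_OperatingSystem Version 6.1 for Windows Server 2008 R2) are available as in Exchange 2010 SP1. The smart card and split-DNS items need manual verification and are only reported.

```powershell
# Check Exchange 2010 SP1 smart-card-for-Outlook-Anywhere prerequisites.
# Exchange 2010 SP1 reports AdminDisplayVersion major 14, minor 1; Windows
# Server 2008 R2 reports OS version 6.1. (Assumptions for this example.)

$problems = @()

# Every CAS and Mailbox server must be on Exchange 2010 SP1 or later.
$servers = Get-ExchangeServer | Where-Object {
    $_.ServerRole -match 'ClientAccess' -or $_.ServerRole -match 'Mailbox'
}
foreach ($srv in $servers) {
    $ver = $srv.AdminDisplayVersion
    if (-not ($ver.Major -gt 14 -or ($ver.Major -eq 14 -and $ver.Minor -ge 1))) {
        $problems += "$($srv.Name): Exchange $ver is below 2010 SP1 (14.1)"
    }

    # Windows Server 2008 R2 (6.1) is required on these roles.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $srv.Name
    if (-not $os.Version.StartsWith('6.1')) {
        $problems += "$($srv.Name): OS version $($os.Version) is not Windows Server 2008 R2"
    }
}

# SSL must terminate on the CAS itself: SSL offloading to a device in front
# of Exchange is not supported with smart card authentication.
foreach ($oa in Get-OutlookAnywhere) {
    if ($oa.SSLOffloading) {
        $problems += "$($oa.Server): Outlook Anywhere has SSLOffloading enabled"
    }
    if (-not $oa.ExternalHostname) {
        $problems += "$($oa.Server): Outlook Anywhere has no ExternalHostname set"
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Server-side prerequisites look satisfied.'
} else {
    Write-Host 'Prerequisite problems found:'
    $problems | ForEach-Object { Write-Host " - $_" }
}

# Items that cannot be checked from the server and must be verified by hand:
Write-Host 'Manual checks: physical smart cards with user certificates for every'
Write-Host 'user; all clients using Outlook Anywhere (MAPI will stop working);'
Write-Host 'split DNS if internal and external namespaces differ.'
```

The script is deliberately read-only: it reports which prerequisite is missing so the rollout can be planned, and it does not change any Outlook Anywhere or IIS settings.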
Read the full story @ source
Thanks Rajith, it is a shame that it disables MAPI access, as that would be coming from a trusted network, or the PC may have two-factor authentication already so doesn't require two-factor at the application level. I would find the prereqs limiting for its implementation.
I wonder if it is possible to configure dedicated CAS servers for Outlook Anywhere which would be set up for smart card authentication, while other CAS can be configured for MAPI access (or internal access) without the smart card requirement.