Why Is Connection To OAB Virtual Directory “HTTP” In Exchange 2010…

The InternalURL for the OAB virtual directory is “http” by default in Exchange 2010. OAB is the only service which uses unencrypted traffic by default. If you check the properties of the OAB directory in the Exchange Management Console, you will see that the URL is “http://cas fqdn/oab” by default. In my case, the CAS server FQDN is hewexch.hew.local.

Checking the properties in IIS shows that the “Require SSL” option for OAB is not checked by default.

Why does OAB accept unencrypted traffic, when we say that Exchange 2010 is secure by design? The reason is that Outlook uses Background Intelligent Transfer Service (BITS) to download the OAB, and BITS doesn’t work with the self-signed certificate that Exchange 2010 installs by default.

The next question is whether it is possible to have encrypted OAB traffic at all. Yes, you can. Microsoft recommends turning on SSL for the OAB virtual directory in IIS. You can do this as long as you are using a trusted certificate for Exchange 2010 and the OAB URL is covered by the certificate.

In my lab, I have a SAN certificate that covers the “mail.theucguy.net” and “autodiscover.theucguy.net” URLs (yes, I have split-DNS). Hence, I can turn on SSL for OAB in IIS (or using the Shell), as long as my OAB URL is “https://mail.theucguy.net/oab”. I can use the autodiscover URL, but that won’t be neat!
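
One way to make the change from the Exchange Management Shell, as an added example that is not from the original post: it confirms that a valid, non-self-signed certificate bound to IIS lists the OAB host name before it touches the virtual directory. The server and host names are the ones from the lab above and are assumptions for any other environment.

```powershell
# Added example; run in the Exchange Management Shell.
# Names below are the lab values from this post; change them for your environment.
$server  = 'hewexch'
$oabHost = 'mail.theucguy.net'
$oabUrl  = "https://$oabHost/oab"

# Certificates currently enabled for IIS on this CAS.
$iisCerts = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' }

# BITS fails against the default self-signed certificate, so require a
# certificate that is valid, not self-signed, not expired, and lists the
# OAB host name. This is an exact-name match: a wildcard entry such as
# *.theucguy.net will not match and needs a manual check.
$usable = $iisCerts | Where-Object {
    -not $_.IsSelfSigned -and
    $_.Status -eq 'Valid' -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $oabHost
}

if ($usable) {
    # Show the current settings (InternalUrl is http, RequireSSL is False by default).
    $vdir = Get-OabVirtualDirectory -Server $server
    $vdir | Format-List Identity, InternalUrl, RequireSSL

    # Point the internal URL at the name on the certificate and require SSL.
    $vdir | Set-OabVirtualDirectory -InternalUrl $oabUrl -RequireSSL $true

    # Confirm the change.
    Get-OabVirtualDirectory -Server $server |
        Format-List Identity, InternalUrl, RequireSSL
}
else {
    Write-Warning "No valid, non-self-signed IIS certificate lists $oabHost; OAB left unchanged."
}
```

`IsSelfSigned` being false only rules out the default certificate; clients must also trust the issuing CA for the BITS download to succeed.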

Now, all of you using a trusted certificate, go ahead and turn on SSL for OAB.
