It is known that the InternalURL for the OAB virtual directory is “http” by default in Exchange 2010. OAB is the only service which uses unencrypted traffic by default. If you check the properties of the OAB directory in Exchange Console, you will see that the URL is “http://cas fqdn/oab” by default. In my case, the CAS server FQDN is hewexch.hew.local.
Checking the properties in IIS shows that the “Require SSL” option for OAB is not checked by default.
Why is it that OAB accepts unencrypted traffic, when we say that Exchange 2010 is secure by design? The reason is that Outlook uses Background Intelligent Transfer Service (BITS) to download the OAB, and BITS doesn’t work with the self-signed certificate that Exchange 2010 installs by default.
The next question will be whether it is possible to have encrypted OAB traffic at all. Yes, you can. Microsoft recommends turning on SSL for the OAB virtual directory in IIS. You can do this as long as you are using a trusted certificate for Exchange 2010 and the OAB URL is covered by that certificate.
In my lab, I have a SAN certificate that covers the “mail.theucguy.net” and “autodiscover.theucguy.net” URLs (yes, I have split-DNS). Hence, I can turn on SSL in IIS for OAB (or using the Exchange Management Shell), as long as my OAB URL is “https://mail.theucguy.net/oab”. I could use the autodiscover URL, but that won’t be neat!
Now, all of you using a trusted certificate, go ahead and turn on SSL for OAB.
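As an added example (not from the original post), here is the Shell version of the change, with the check the post calls for done first: it only requires SSL on the OAB virtual directory after confirming that a trusted, IIS-enabled certificate actually covers the OAB host name. It assumes the Exchange 2010 Management Shell on the CAS and that “mail.theucguy.net” is the host name on your SAN certificate.

```powershell
# Added example, not the post's own script. Assumes the Exchange 2010
# Management Shell and that $OabHost is a name listed on the SAN certificate.
$OabHost = "mail.theucguy.net"          # assumption: host name covered by the SAN cert
$NewUrl  = "https://$OabHost/OAB"

# Look for a certificate that is enabled for the IIS service and whose
# subject/SAN names include the OAB host (exact match; a wildcard cert
# would need its own check).
$cert = Get-ExchangeCertificate | Where-Object {
    ("$($_.Services)" -match "IIS") -and
    (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $OabHost)
}

if (-not $cert) {
    throw "No IIS-enabled certificate covers '$OabHost'. Leave OAB on http for now: requiring SSL would break the BITS download."
}
if ($cert.IsSelfSigned) {
    throw "The certificate for '$OabHost' is self-signed; Outlook's BITS download will not trust it. Install a trusted certificate first."
}

# Record the current (default, unencrypted) settings before changing anything.
Get-OabVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl, RequireSSL

# Point both URLs at the HTTPS name on the certificate and require SSL in IIS.
Get-OabVirtualDirectory |
    Set-OabVirtualDirectory -InternalUrl $NewUrl -ExternalUrl $NewUrl -RequireSSL $true

# Confirm the change: InternalUrl/ExternalUrl should now be https and RequireSSL True.
Get-OabVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl, RequireSSL
```

After the change, open Outlook, run a Send/Receive and check that the Offline Address Book download still completes; a failure there means the name in the URL is not one Outlook trusts on the certificate.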