Exchange Team Blog
Default settings for Exchange-related virtual directories in Exchange Server 2010

Sep 23, 2010

A while ago, we posted the default authentication and SSL settings for Exchange-related virtual directories in Exchange Server 2007. The settings below hold true for Exchange Server 2010 RTM and SP1. You will notice that Unified Messaging is no longer on the list; that is because this virtual directory and the Set-UMVirtualDirectory cmdlet no longer exist in Exchange Server 2010. The Unified Messaging mailbox can be created and configured using Enable-UMMailbox or Set-UMMailbox.

Exchange Server 2010 with the Client Access Server (standalone):

| Location | Authentication | SSL Setting | Management |
|---|---|---|---|
| Default Web Site | Anonymous | Required | IIS Management Console |
| aspnet_client | Anonymous | Required | IIS Management Console |
| Autodiscover | Anonymous / Basic / Windows Authentication | Required | Exchange Management Shell |
| ECP | Anonymous / Basic | Required | Exchange Management Console or Shell |
| EWS | Anonymous / Windows Authentication | Required | Exchange Management Shell |
| Microsoft-Server-ActiveSync | Basic | Required | Exchange Management Console or Shell |
| OWA | Basic | Required | Exchange Management Console or Shell |
| Powershell | Anonymous | Not Required | Exchange Management Shell |
| RPC | Basic / Windows Authentication | Required | Exchange Management Shell |
| RpcWithCert | all options Disabled | Required (128 bit not checked) | N/A |
| OAB | Windows Authentication | Not Required | Exchange Management Console or Shell |

Exchange Server 2010 Mailbox role (standalone):

| Location | Authentication | SSL Setting | Management |
|---|---|---|---|
| Default Web Site | Anonymous | Required | IIS Management Console |
| PowerShell | Anonymous | Not Required | Exchange Management Shell |

Cmdlets for the virtual directories that can only be modified in the Exchange Management Shell:

Set-AutoDiscoverVirtualDirectory

Set-WebServicesVirtualDirectory

Set-PowershellVirtualDirectory

Set-OutlookAnywhere (for the RPC virtual directory)

- Angelique Conde
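
The Client Access table above can serve as the baseline for a read-only drift check. The following PowerShell is an added example, not part of the original post or of Microsoft's tooling. It assumes the IIS WebAdministration module is available on the Client Access server and that the site is named Default Web Site, and it checks only the directories in the table, not their subfolders.

```powershell
# Added example: report where IIS authentication/SSL settings differ from the
# defaults in the Client Access table above. Read-only; run elevated on the CAS.
Import-Module WebAdministration

$site = 'Default Web Site'   # site name as listed in the table

# Defaults transcribed from the table (empty VDir = the site root itself).
$defaults = @'
VDir,Anonymous,Basic,Windows,Ssl
,True,False,False,True
aspnet_client,True,False,False,True
Autodiscover,True,True,True,True
ECP,True,True,False,True
EWS,True,False,True,True
Microsoft-Server-ActiveSync,False,True,False,True
OWA,False,True,False,True
Powershell,True,False,False,False
RPC,False,True,True,True
RpcWithCert,False,False,False,True
OAB,False,False,True,False
'@ | ConvertFrom-Csv

# Table column -> IIS authentication section name
$authMap = @{ Anonymous = 'anonymousAuthentication'
              Basic     = 'basicAuthentication'
              Windows   = 'windowsAuthentication' }

$drift = foreach ($row in $defaults) {
    $loc = if ($row.VDir) { "$site/$($row.VDir)" } else { $site }
    $checks = @{}
    foreach ($name in $authMap.Keys) {
        $filter = "/system.webServer/security/authentication/$($authMap[$name])"
        $checks[$name] = [bool](Get-WebConfigurationProperty -PSPath 'IIS:\' `
            -Location $loc -Filter $filter -Name enabled).Value
    }
    # sslFlags is a comma-separated flag list such as 'Ssl,Ssl128'
    $flags = [string](Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
        -Filter '/system.webServer/security/access' -Name sslFlags)
    $checks['Ssl'] = ($flags -split '\s*,\s*') -contains 'Ssl'

    foreach ($name in $checks.Keys) {
        $expected = [bool]::Parse($row.$name)
        if ($checks[$name] -ne $expected) {
            New-Object PSObject -Property @{ Location = $loc; Setting = $name
                                             Expected = $expected; Actual = $checks[$name] }
        }
    }
}
$drift | Sort-Object Location, Setting | Format-Table Location, Setting, Expected, Actual -AutoSize
```

An empty result means every listed directory matches the table.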

  • First, it would be nice if the default redirect was also included in the list.

    Second, it would be nice if someone scripted setting these to their default. If you want to allow IIS to redirect the root directory to OWA and to redirect HTTP to HTTPS, the IIS in Windows 2008 replicates the root changes to the subdirectories and we always have to change the subdirectories back to their default.

    Of course the thing that isn't written down is that the settings for these virtual directories are not independent. I believe that the redirect for /Public is linked to /OWA and also maybe /Exchange; change it in one place and it changes in the other.
  • Are you sure Anonymous Access is really required for Autodiscover? Actually I'm getting some strange errors when it is allowed (Outlook cannot find the Exchange server), which seem to be resolved when I disallow Anonymous Access. This is with a CAS-Array, not a standalone CAS. Could you maybe have a list with the settings for servers in a CAS-Array, too?

    Another thing: Could you please make a WARNING that the Authentication methods are for the specific directory ONLY. So they are not necessarily to be inherited by subdirectories. For example OWA might be fine with just basic authentication, the subfolder OWAauth however requires anonymous access (at least when OWA-Forms-Based-Authentication is used).

    No, I have not reset the permission for all subfolders, however if I would have issues which I guess are related to the settings listed above I might try to configure my server EXACTLY that way, which would cause even more trouble, when the settings for subdirectories need to be different.
  • I think Anonymous Access is required for Autodiscover.
  • We are currently planning our upgrade to Exchange 2010.  We are using Exchange 2007 SP2.  Our confusion is around the need to create a legacy.domain.com entry to be used with the external url configurations.  Currently, we do not expose our Exchange environment to the internet - any access to it is through an SSL VPN solution.  So, our Exchange 2007 servers do not have an external OWA or EAS entry on them.  Will we need to create a legacy.domain.com, or does the Exchange 2010 point users back to the Exchange 2007 environment?  Or do we just have to configure the internal urls?

    Thanks.
  • Adding to the commenter above me - the table is broken and nearly useless. One can't tell which folder each auth modes list belongs to.
    Please fix the table with cell borders.