Enterprise Vault™ Requesting and Applying an SSL Certificate

Last Published:
Product(s): Enterprise Vault (14.0, 12.5, 12.4, 12.3, 12.2, 12.1, 12.0)

Introduction

From Enterprise Vault 12.3, Enterprise Vault web applications in new installations are configured to use HTTPS with Secure Sockets Layer (SSL) on port 443 by default. If a certificate does not already exist, the Enterprise Vault configuration wizard generates and installs a self-signed certificate, and enables SSL on all Enterprise Vault virtual directories in Internet Information Services (IIS). The self-signed certificate should be regarded as temporary. We strongly recommend that you replace this certificate as soon as possible with one obtained from a trusted certificate authority.

In earlier releases of Enterprise Vault, the default configuration for the Enterprise Vault web applications was HTTP over TCP port 80. If you upgrade to Enterprise Vault 12.3 or later, the existing protocol configured for Enterprise Vault web applications is not changed. To ensure the security of client connections to Enterprise Vault, we strongly recommend that you configure SSL in IIS, and enable it on all Enterprise Vault virtual directories.

Some Enterprise Vault features, such as the Enterprise Vault Office Mail App, require secure connections. Although the information in this document is primarily about securing Enterprise Vault Office Mail App connections, the general procedure is applicable to securing web connections to other Enterprise Vault features.

This document describes how to create an SSL certificate request file and obtain a certificate, and how to apply the certificate using Internet Information Services (IIS) Manager. The document also describes a further optional procedure that is required only if you want to secure all new archive and restore actions, and all archive search requests.

In Enterprise Vault 10.0.3 and later, the Enterprise Vault Office Mail App is the only option for Enterprise Vault functionality in Outlook Web Access (OWA) with Microsoft Exchange Server 2013. With Exchange Server 2013, the Office Mail App replaces the Enterprise Vault OWA Extensions on the Client Access Server, which are required for older versions of Exchange Server.

Microsoft Office Mail Apps must be secured using SSL. Therefore the Enterprise Vault virtual directory on each Enterprise Vault server that services and loads the Enterprise Vault Office Mail App must be secured using SSL. The setup of the Office Mail App determines which servers service requests from Office Mail App users. For information about Office Mail App setup, see the Enterprise Vault Setting up Exchange Server Archiving guide. Additional factors, such as a Microsoft Threat Management Gateway farm or a third-party load balancing device, may affect which Enterprise Vault servers service requests.

The Enterprise Vault virtual directory may need to be secured using different names; for example, EV.domain.com and EV1.domain.local for HTTPS requests. In addition, you may want to request a certificate that contains all your internal server names, such as EV1.domain.local and EV2.domain.local, so the same certificate can be used on different Enterprise Vault servers. In these cases, you may require a Subject Alternative Name (SAN) certificate. These decisions depend on your Office Mail App requirements, and possibly on your requirements for securing Enterprise Vault web-based communication in general.

If only one namespace is required, then the procedures in this document still apply, but you need to add only one name to the certificate. Later on, there may be a requirement to add additional namespaces for expansion of the Enterprise Vault environment. In this case, the procedures are still valid, and a new SAN certificate with the additional namespaces is required from your certificate authority.

In most cases, obtaining a trusted certificate from a certificate authority is recommended and is considered industry best practice. This document assumes that this method is the one in use. However, you can produce a certificate using your own certification of authority. The details of this method are not covered in this document.

The procedures assume that Internet Information Services (IIS) 7.0/7.5 is in use on the Enterprise Vault servers.