diff --git a/exchange/exchange-ps/ExchangePowerShell/Enable-ExchangeCertificate.md b/exchange/exchange-ps/ExchangePowerShell/Enable-ExchangeCertificate.md index 1d585aa2b4..6faf4dc524 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Enable-ExchangeCertificate.md +++ b/exchange/exchange-ps/ExchangePowerShell/Enable-ExchangeCertificate.md 
@@ -53,9 +53,9 @@ The Enable-ExchangeCertificate cmdlet enables certificates by updating the metad After you run the Enable-ExchangeCertificate cmdlet, you might need to restart Internet Information Services (IIS). In some scenarios, Exchange might continue to use the previous certificate for encrypting and decrypting the cookie that's used for Outlook on the web (formerly known as Outlook Web App) authentication. We recommend restarting IIS in environments that use Layer 4 load balancing. -There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You need to understand how these factors might affect your overall configuration. For more information, see [Digital certificates and encryption in Exchange Server](https://learn.microsoft.com/Exchange/architecture/client-access/certificates). +There are many factors to consider when you configure certificates for Transport Layer Security (TLS) services. You need to understand how these factors might affect your overall configuration. For more information, see [Digital certificates and encryption in Exchange Server](https://learn.microsoft.com/Exchange/architecture/client-access/certificates). -Secure Sockets Layer (SSL) is being replaced by Transport Layer Security (TLS) as the protocol that's used to encrypt data sent between computer systems. They're so closely related that the terms "SSL" and "TLS" (without versions) are often used interchangeably. Because of this similarity, references to "SSL" in Exchange topics, the Exchange admin center, and the Exchange Management Shell have often been used to encompass both the SSL and TLS protocols. Typically, "SSL" refers to the actual SSL protocol only when a version is also provided (for example, SSL 3.0). For more information, see [Exchange Server TLS configuration best practices](https://learn.microsoft.com/Exchange/exchange-tls-configuration). 
+TLS replaced Secure Sockets Layer (SSL) as the protocol used to encrypt data sent between computer systems. In the past, "TLS" and "SSL" were often used interchangeably. Any reference to SSL in Exchange documentation actually means TLS, unless a version number is also included (for example, SSL 3.0). For more information, see [Exchange Server TLS configuration best practices](https://learn.microsoft.com/Exchange/exchange-tls-configuration). You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://learn.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions). 
@@ -124,7 +124,7 @@ Accept wildcard characters: False The Services parameter specifies the Exchange services that the certificate is enabled for. Valid values are: - Federation: Don't use this command to enable a certificate for federation. Creating or modifying a federation trust enables or modifies how certificates are used for federation. You manage the certificates that used for federation trusts with the New-FederationTrust and Set-FederationTrust cmdlets. -- IIS: By default, when you enable a certificate for IIS, the "require SSL" setting is configured on the default web site in IIS. To prevent this change, use the DoNotRequireSsl switch. +- IIS: By default, when you enable a certificate for IIS, the "Require SSL" setting is configured on the default web site in IIS. To prevent this change, use the DoNotRequireSsl switch. - IMAP: Don't enable a wildcard certificate for the IMAP4 service. Instead, use the Set-ImapSettings cmdlet to configure the FQDN that clients use to connect to the IMAP4 service. - POP: Don't enable a wildcard certificate for the POP3 service. Instead, use the Set-PopSettings cmdlet to configure the FQDN that clients use to connect to the POP3 service. - SMTP: When you enable a certificate for SMTP, you're prompted to replace the default Exchange self-signed certificate that's used to encrypt SMTP traffic between internal Exchange. Typically, you don't need to replace the default certificate with a certificate from a commercial CA for the purpose of encrypting internal SMTP traffic. If you want to replace the default certificate without the confirmation prompt, use the Force switch. 
@@ -194,9 +194,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The DoNotRequireSsl switch prevents the command from enabling the "require SSL" setting on the default web site when you enable the certificate for IIS. You don't need to specify a value with this switch. +The DoNotRequireSsl switch prevents the command from enabling the "Require SSL" setting on the default web site when you enable the certificate for IIS. You don't need to specify a value with this switch. -If you don't use this switch, and you use the Services parameter to enable the certificate for IIS, the command enables the "require SSL" setting for the default web site in IIS. +If you don't use this switch, and you use the Services parameter to enable the certificate for IIS, the command enables the "Require SSL" setting for the default web site in IIS. ```yaml Type: SwitchParameter diff --git a/exchange/exchange-ps/ExchangePowerShell/Enable-OutlookAnywhere.md b/exchange/exchange-ps/ExchangePowerShell/Enable-OutlookAnywhere.md index 300964c824..abc2ac60b5 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Enable-OutlookAnywhere.md +++ b/exchange/exchange-ps/ExchangePowerShell/Enable-OutlookAnywhere.md @@ -66,7 +66,7 @@ You need to be assigned permissions before you can run this cmdlet. Although thi Enable-OutlookAnywhere -Server:Server01 -ExternalHostname:mail.contoso.com -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true ``` -This example enables the server Server01 for Outlook Anywhere. The external host name is set to mail.contoso.com, both Basic and NTLM authentication are used, and SSL offloading is set to $true. +This example enables the server Server01 for Outlook Anywhere. The external host name is set to mail.contoso.com, both Basic and NTLM authentication are used, and the SSLOffloading parameter is set to $true. ### Example 2 ```powershell 
@@ -156,7 +156,16 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010 -The SSLOffloading parameter specifies whether the Client Access server requires Secure Sockets Layer (SSL). This value should be set only to $true when an SSL hardware solution is running in front of the Client Access server. +The SSLOffloading parameter specifies whether a network device accepts Transport Layer Security (TLS) connections and decrypts them before proxying the connections to the Outlook Anywhere virtual directory on the Exchange server. Valid values are: + +- $true: Outlook Anywhere clients using TLS don't maintain an TLS connection along the entire network path to the Exchange server. A network device in front of the server decrypts the TLS connections and proxies the unencrypted (HTTP) client connections to the Outlook Anywhere virtual directory. The network segment where HTTP is used should be a secured network. This value is the default. +- $false: Outlook Anywhere clients using TLS maintain an TLS connection along the entire network path to the Exchange server. Only TLS connections are allowed to the Outlook Anywhere virtual directory. + +This parameter configures the "Require SSL" setting on the Outlook Anywhere virtual directory. When you set this parameter to $true, "Require SSL" is disabled. When you set this parameter to $false, "Require SSL" is enabled. However, it might take several minutes before the change is visible in IIS Manager. + +You need to use the value $true for this parameter if you don't require TLS connections for internal or external Outlook Anywhere clients. + +The value of this parameter is related to the values of the ExternalClientsRequireSsl and InternalClientsRequireSsl parameters. ```yaml Type: Boolean 
@@ -216,7 +225,7 @@ Accept wildcard characters: False The ExtendedProtectionFlags parameter is used to customize the options you use if you're using Extended Protection for Authentication. The possible values are: - None: Default setting. -- Proxy: Specifies that a proxy is terminating the SSL channel. A Service Principal Name (SPN) must be registered in the ExtendedProtectionSPNList parameter if proxy mode is configured. +- Proxy: Specifies that a proxy is terminating the TLS channel. A Service Principal Name (SPN) must be registered in the ExtendedProtectionSPNList parameter if proxy mode is configured. - ProxyCoHosting: Specifies that both HTTP and HTTPS traffic might be accessing the Client Access server and that a proxy is located between at least some of the clients and the Client Access server. - AllowDotlessSPN: Specifies whether you want to support valid SPNs that aren't in the fully qualified domain name (FQDN) format, for example ContosoMail. You specify valid SPNs with the ExtendedProtectionSPNList parameter. This option makes extended protection less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: Specifies that the SPN list isn't checked to validate a channel binding token. This option makes Extended Protection for Authentication less secure. We generally don't recommend this setting. 
@@ -266,7 +275,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow Extended Protection for Authentication is used for connections between the client and Exchange on this virtual directory if both the client and server support Extended Protection for Authentication. Connections that don't support Extended Protection for Authentication on the client and server work, but might not be as secure as a connection using Extended Protection for Authentication. - Require Extended Protection for Authentication is used for all connections between clients and Exchange servers for this virtual directory. If either the client or server doesn't support Extended Protection for Authentication, the connection between the client and server will fail. If you set this option, you must also set a value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. To learn more about Extended Protection for Authentication, see [Understanding Extended Protection for Authentication](https://learn.microsoft.com/previous-versions/office/exchange-server-2010/ff459225(v=exchg.141)). 
@@ -292,7 +301,7 @@ You might want to enable both Basic and NTLM authentication if you're using the When you configure this setting using the IIS interface, you can enable as many authentication methods as you want. -For more information about configuring this parameter with multiple values, see the example later in this topic. +For more information about configuring this parameter with multiple values, see the example later in this article. ```yaml Type: MultiValuedProperty diff --git a/exchange/exchange-ps/ExchangePowerShell/Get-FederationInformation.md b/exchange/exchange-ps/ExchangePowerShell/Get-FederationInformation.md index d899966f96..a20af7dd42 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Get-FederationInformation.md +++ b/exchange/exchange-ps/ExchangePowerShell/Get-FederationInformation.md @@ -92,7 +92,7 @@ Accept wildcard characters: False The Force switch hides warning or confirmation messages. You don't need to specify a value with this switch. -A confirmation prompt warns you if the host name in the Autodiscover endpoint of the domain doesn't match the Secure Sockets Layer (SSL) certificate presented by the endpoint and the host name isn't specified in the TrustedHostnames parameter. +A confirmation prompt warns you if the host name in the Autodiscover endpoint of the domain doesn't match the Transport Layer Security (TLS) certificate presented by the endpoint and the host name isn't specified in the TrustedHostnames parameter. ```yaml Type: SwitchParameter diff --git a/exchange/exchange-ps/ExchangePowerShell/Import-ExchangeCertificate.md b/exchange/exchange-ps/ExchangePowerShell/Import-ExchangeCertificate.md index 69bbc1e97c..d327b7422e 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Import-ExchangeCertificate.md +++ b/exchange/exchange-ps/ExchangePowerShell/Import-ExchangeCertificate.md 
@@ -68,9 +68,9 @@ You can use the Import-ExchangeCertificate cmdlet to import the following types After you import a certificate on an Exchange server, you need to assign the certificate to one or more Exchange services by using the Enable-ExchangeCertificate cmdlet. -There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You need to understand how these factors might affect your overall configuration. For more information, see [Digital certificates and encryption in Exchange Server](https://learn.microsoft.com/Exchange/architecture/client-access/certificates). +There are many factors to consider when you configure certificates for Transport Layer Security (TLS) services. You need to understand how these factors might affect your overall configuration. For more information, see [Digital certificates and encryption in Exchange Server](https://learn.microsoft.com/Exchange/architecture/client-access/certificates). -Secure Sockets Layer (SSL) is being replaced by Transport Layer Security (TLS) as the protocol that's used to encrypt data sent between computer systems. They're so closely related that the terms "SSL" and "TLS" (without versions) are often used interchangeably. Because of this similarity, references to "SSL" in Exchange topics, the Exchange admin center and the Exchange Management Shell have often been used to encompass both the SSL and TLS protocols. Typically, "SSL" refers to the actual SSL protocol only when a version is also provided (for example, SSL 3.0). For more information, see [Exchange Server TLS configuration best practices](https://learn.microsoft.com/Exchange/exchange-tls-configuration). +TLS replaced Secure Sockets Layer (SSL) as the protocol used to encrypt data sent between computer systems. In the past, "TLS" and "SSL" were often used interchangeably. 
Any reference to SSL in Exchange documentation actually means TLS, unless a version number is also included (for example, SSL 3.0). For more information, see [Exchange Server TLS configuration best practices](https://learn.microsoft.com/Exchange/exchange-tls-configuration). You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://learn.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions). diff --git a/exchange/exchange-ps/ExchangePowerShell/New-ActiveSyncVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/New-ActiveSyncVirtualDirectory.md index 57c9747043..10e9528845 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-ActiveSyncVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-ActiveSyncVirtualDirectory.md 
@@ -156,7 +156,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -202,7 +202,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode @@ -263,7 +263,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. ```yaml Type: Uri 
@@ -342,7 +342,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/New-AutodiscoverVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/New-AutodiscoverVirtualDirectory.md index b1efe2e9ee..cfd9aa74f6 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-AutodiscoverVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-AutodiscoverVirtualDirectory.md @@ -47,7 +47,7 @@ New-AutodiscoverVirtualDirectory [-ApplicationRoot ] ## DESCRIPTION If your organization has multiple email domains and each requires its own Autodiscover site and corresponding virtual directory, use the New-AutodiscoverVirtualDirectory cmdlet to create an Autodiscover virtual directory under a new website. -When you're creating an Autodiscover virtual directory, we recommend that you enable Secure Sockets Layer (SSL) for the Autodiscover service. +When you're creating an Autodiscover virtual directory, we recommend that you enable Transport Layer Security (TLS) for the Autodiscover service. You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://learn.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions). 
@@ -188,7 +188,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -234,7 +234,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode @@ -254,7 +254,7 @@ Accept wildcard characters: False This parameter is available only in Exchange Server 2010. -The ExternalUrl parameter specifies the URL used to connect to the virtual directory from outside the network firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. ```yaml Type: Uri 
@@ -274,7 +274,7 @@ Accept wildcard characters: False This parameter is available only in Exchange Server 2010. -The InternalUrl parameter specifies the URL used to connect to the virtual directory from inside the network firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/New-EcpVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/New-EcpVirtualDirectory.md index 825155ed1e..ed04306171 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-EcpVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-EcpVirtualDirectory.md 
@@ -120,7 +120,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -166,7 +166,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
@@ -184,9 +184,11 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. -This setting is important when Secure Sockets Layer (SSL) is used. You need to set this parameter to allow the Autodiscover service to return the URL for the ECP virtual directory. +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). + +You need to specify a value for this parameter to allow the Autodiscover service to return the URL for the ECP virtual directory. ```yaml Type: Uri @@ -204,9 +206,11 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. + +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). -This setting is important when SSL is used. You need to set this parameter to allow the Autodiscover service to return the URL for the ECP virtual directory. +You need to specify a value for this parameter to allow the Autodiscover service to return the URL for the ECP virtual directory. ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/New-ExchangeCertificate.md b/exchange/exchange-ps/ExchangePowerShell/New-ExchangeCertificate.md index 34bd153ff5..c82bd07846 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-ExchangeCertificate.md 
+++ b/exchange/exchange-ps/ExchangePowerShell/New-ExchangeCertificate.md 
@@ -66,11 +66,11 @@ New-ExchangeCertificate [-Services ] ``` ## DESCRIPTION -Exchange uses certificates for SSL and TLS encryption. +Exchange uses certificates for Transport Layer Security (TLS) encryption. -There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You need to understand how these factors might affect your overall configuration. For more information, see [Digital certificates and encryption in Exchange Server](https://learn.microsoft.com/Exchange/architecture/client-access/certificates). +There are many factors to consider when you configure certificates for TLS services. You need to understand how these factors might affect your overall configuration. For more information, see [Digital certificates and encryption in Exchange Server](https://learn.microsoft.com/Exchange/architecture/client-access/certificates). -Secure Sockets Layer (SSL) is being replaced by Transport Layer Security (TLS) as the protocol that's used to encrypt data sent between computer systems. They're so closely related that the terms "SSL" and "TLS" (without versions) are often used interchangeably. Because of this similarity, references to "SSL" in Exchange topics, the Exchange admin center, and the Exchange Management Shell have often been used to encompass both the SSL and TLS protocols. Typically, "SSL" refers to the actual SSL protocol only when a version is also provided (for example, SSL 3.0). To find out why you should disable the SSL protocol and switch to TLS, check out [Protecting you against the SSL 3.0 vulnerability](https://azure.microsoft.com/blog/protecting-against-the-ssl-3-0-vulnerability/). +TLS replaced Secure Sockets Layer (SSL) as the protocol used to encrypt data sent between computer systems. In the past, "TLS" and "SSL" were often used interchangeably. 
Any reference to SSL in Exchange documentation actually means TLS, unless a version number is also included (for example, SSL 3.0). For more information, see [Exchange Server TLS configuration best practices](https://learn.microsoft.com/Exchange/exchange-tls-configuration). You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://learn.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions). diff --git a/exchange/exchange-ps/ExchangePowerShell/New-MapiVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/New-MapiVirtualDirectory.md index 63de2bf232..07ece50dd8 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-MapiVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-MapiVirtualDirectory.md 
@@ -103,7 +103,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -149,7 +149,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
@@ -167,9 +167,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. -This setting enforces the Secure Sockets Layer (SSL) protocol and uses the default SSL port. This parameter uses the syntax: `https:///mapi`. For example, `https://external.contoso.com/mapi`. +This setting enforces the Transport Layer Security (TLS) protocol and uses the default TLS port. This parameter uses the syntax: `https:///mapi`. For example, `https://external.contoso.com/mapi`. When you use the InternalUrl or ExternalUrl parameters, you need to specify one or more authentication values by using the IISAuthenticationMethods parameter. @@ -218,9 +218,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. -This setting enforces the Secure Sockets Layer (SSL) protocol and uses the default SSL port. This parameter uses the syntax: `https:///mapi`. For example, `https://internal.contoso.com/mapi`. +This setting enforces the Transport Layer Security (TLS) protocol and uses the default TLS port. This parameter uses the syntax: `https:///mapi`. For example, `https://internal.contoso.com/mapi`. When you use the InternalUrl or ExternalUrl parameters, you need to specify one or more authentication values by using the IISAuthenticationMethods parameter. 
diff --git a/exchange/exchange-ps/ExchangePowerShell/New-MigrationEndpoint.md b/exchange/exchange-ps/ExchangePowerShell/New-MigrationEndpoint.md index d71d215217..b94ddf2bb1 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-MigrationEndpoint.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-MigrationEndpoint.md @@ -283,13 +283,6 @@ We recommend that you use a migration endpoint created with connection settings ### Example 5 ```powershell -New-MigrationEndpoint -IMAP -Name IMAPEndpoint -RemoteServer imap.contoso.com -Port 993 -Security Ssl -``` - -This example creates an IMAP migration endpoint. The value for the RemoteServer parameter specifies the FQDN of the IMAP server that hosts the migrated mailboxes. The endpoint is configured to use port 993 for SSL encryption. - -### Example 6 -```powershell New-MigrationEndpoint -IMAP -Name IMAP_TLS_Endpoint -RemoteServer imap.contoso.com -Port 143 -Security Tls -MaxConcurrentMigrations 50 -MaxConcurrentIncrementalSyncs 10 ``` @@ -319,7 +312,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE, Exchange Online -For an Exchange migration, the Autodiscover switch specifies whether to get other connection settings for the on-premises server from the Autodiscover service. You don't need to specify a value with this switch. +The Autodiscover switch specifies whether to get other connection settings for the on-premises server from the Autodiscover service for Exchange migrations. You don't need to specify a value with this switch. ```yaml Type: SwitchParameter 
@@ -904,7 +897,7 @@ Accept wildcard characters: False This parameter is available only in the cloud-based service. -For an IMAP migration, the Port parameter specifies the TCP port number used by the migration process to connect to the remote server. This parameter is required when you want to migrate data from an on-premises IMAP server to cloud-based mailboxes. +The Port parameter specifies the TCP port number used by IMAP migrations to connect to the remote server. This parameter is required when you want to migrate data from an on-premises IMAP server to cloud-based mailboxes. ```yaml Type: Int32 @@ -964,7 +957,11 @@ Accept wildcard characters: False This parameter is available only in the cloud-based service. -For an IMAP migration, the Security parameter specifies the encryption method used by the remote mail server. The options are None, Tls, or Ssl. +The Security parameter specifies the encryption method used by the remote mail server for IMAP migrations. Valid values are: + +- None +- Ssl +- Tls ```yaml Type: IMAPSecurityMechanism diff --git a/exchange/exchange-ps/ExchangePowerShell/New-OabVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/New-OabVirtualDirectory.md index 33a5604517..404dfc08d3 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-OabVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-OabVirtualDirectory.md 
@@ -106,7 +106,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -152,7 +152,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection fails. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode @@ -170,7 +170,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. ```yaml Type: Uri 
@@ -188,7 +188,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. ```yaml Type: Uri @@ -260,10 +260,10 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The RequireSSL parameter specifies whether the client connection to the virtual directory requires Secure Sockets Layer (SSL) encryption. Valid values are: +The RequireSSL parameter specifies whether client connections to the virtual directory require Transport Layer Security (TLS) encryption. Valid values are: -- $true: SSL encryption is required to connect to the virtual directory. This value is the default. -- $false: SSL encryption isn't required to connect to the virtual directory. +- $true: TLS encryption is required to connect to the virtual directory. This value is the default. +- $false: TLS encryption isn't required to connect to the virtual directory. ```yaml Type: Boolean diff --git a/exchange/exchange-ps/ExchangePowerShell/New-OwaVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/New-OwaVirtualDirectory.md index e8751f9b9f..ff622e5137 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-OwaVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-OwaVirtualDirectory.md 
@@ -162,7 +162,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -208,7 +208,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication works, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
@@ -267,7 +267,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. This setting is important when Secure Sockets Layer (SSL) is used. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. + +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). ```yaml Type: Uri @@ -285,7 +287,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. This setting is important when SSL is used. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. + +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/New-PowerShellVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/New-PowerShellVirtualDirectory.md index e81c361881..97ba828d67 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-PowerShellVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-PowerShellVirtualDirectory.md 
@@ -139,7 +139,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -185,7 +185,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode @@ -203,7 +203,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalUrl parameter specifies the external URL that the PowerShell virtual directory points to. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. ```yaml Type: Uri 
@@ -221,7 +221,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalUrl parameter specifies the internal URL that the PowerShell virtual directory points to. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. ```yaml Type: Uri @@ -239,7 +239,10 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The RequireSSL parameter specifies whether the PowerShell virtual directory should require that the client connection be made using Secure Sockets Layer (SSL). The valid values are $true and $false. The default value is $true. +The RequireSSL parameter specifies whether client connections to the virtual directory require Transport Layer Security (TLS) encryption. Valid values are: + +- $true: TLS encryption is required to connect to the virtual directory. This value is the default. +- $false: TLS encryption isn't required to connect to the virtual directory. ```yaml Type: Boolean diff --git a/exchange/exchange-ps/ExchangePowerShell/New-WebServicesVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/New-WebServicesVirtualDirectory.md index 5fd6367dd4..aa4f2ed159 100644 --- a/exchange/exchange-ps/ExchangePowerShell/New-WebServicesVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/New-WebServicesVirtualDirectory.md 
@@ -210,7 +210,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -256,7 +256,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
@@ -274,9 +274,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. -This setting is important when Secure Sockets Layer (SSL) is used. +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). ```yaml Type: Uri @@ -357,9 +357,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. -This setting is important when SSL is used. +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/Remove-ExchangeCertificate.md b/exchange/exchange-ps/ExchangePowerShell/Remove-ExchangeCertificate.md index d0baf2ebd7..f9f300ab37 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Remove-ExchangeCertificate.md +++ b/exchange/exchange-ps/ExchangePowerShell/Remove-ExchangeCertificate.md 
@@ -43,9 +43,9 @@ Remove-ExchangeCertificate [[-Identity] ] ## DESCRIPTION You can't remove the certificate that's being used. If you want to replace the default certificate for the server with another certificate that has the same fully qualified domain name (FQDN), you must create the new certificate first, and then remove the old certificate. -There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You need to understand how these factors might affect your overall configuration. For more information, see [Digital certificates and encryption in Exchange Server](https://learn.microsoft.com/Exchange/architecture/client-access/certificates). +There are many factors to consider when you configure certificates for Transport Layer Security (TLS) services. You need to understand how these factors might affect your overall configuration. For more information, see [Digital certificates and encryption in Exchange Server](https://learn.microsoft.com/Exchange/architecture/client-access/certificates). -Secure Sockets Layer (SSL) is being replaced by Transport Layer Security (TLS) as the protocol that's used to encrypt data sent between computer systems. They're so closely related that the terms "SSL" and "TLS" (without versions) are often used interchangeably. Because of this similarity, references to "SSL" in Exchange topics, the Exchange admin center and the Exchange Management Shell have often been used to encompass both the SSL and TLS protocols. Typically, "SSL" refers to the actual SSL protocol only when a version is also provided (for example, SSL 3.0). For more information, see [Exchange Server TLS configuration best practices](https://learn.microsoft.com/Exchange/exchange-tls-configuration). +TLS replaced Secure Sockets Layer (SSL) as the protocol used to encrypt data sent between computer systems. In the past, "TLS" and "SSL" were often used interchangeably. 
Any reference to SSL in Exchange documentation actually means TLS, unless a version number is also included (for example, SSL 3.0). For more information, see [Exchange Server TLS configuration best practices](https://learn.microsoft.com/Exchange/exchange-tls-configuration). You need to be assigned permissions before you can run this cmdlet. Although this article lists all parameters for the cmdlet, you might not have access to some parameters if they aren't included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://learn.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions). diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-ActiveSyncVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/Set-ActiveSyncVirtualDirectory.md index 70e34052a8..b5391e054f 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-ActiveSyncVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-ActiveSyncVirtualDirectory.md 
@@ -247,7 +247,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -293,7 +293,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode @@ -352,7 +352,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. ```yaml Type: Uri 
@@ -406,7 +406,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-AutodiscoverVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/Set-AutodiscoverVirtualDirectory.md index 1691eb2ac3..5e418435a4 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-AutodiscoverVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-AutodiscoverVirtualDirectory.md 
@@ -181,7 +181,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -227,7 +227,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode @@ -247,7 +247,7 @@ Accept wildcard characters: False This parameter is available only in Exchange Server 2010. -The ExternalUrl parameter specifies the URL used to connect to the virtual directory from outside the network firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. ```yaml Type: Uri 
@@ -267,7 +267,7 @@ Accept wildcard characters: False This parameter is available only in Exchange Server 2010. -The InternalUrl parameter specifies the URL used to connect to the virtual directory from inside the network firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-EcpVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/Set-EcpVirtualDirectory.md index 7ef6fa85ed..348cee1a55 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-EcpVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-EcpVirtualDirectory.md 
@@ -223,7 +223,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -269,7 +269,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
@@ -305,9 +305,11 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. -This setting is also important when Secure Sockets Layer (SSL) is used. You need to set this parameter to allow the Autodiscover service to return the URL for the ECP virtual directory. +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). + +You need to specify a value for this parameter to allow the Autodiscover service to return the URL for the ECP virtual directory. ```yaml Type: Uri @@ -364,9 +366,11 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. + +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). -This setting is also important when SSL is used. You need to set this parameter to allow the Autodiscover service to return the URL for the ECP virtual directory. +You need to specify a value for this parameter to allow the Autodiscover service to return the URL for the ECP virtual directory. ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-ImapSettings.md b/exchange/exchange-ps/ExchangePowerShell/Set-ImapSettings.md index 7dbf537398..33ef719abc 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-ImapSettings.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-ImapSettings.md 
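Review bot: In both Set-EcpVirtualDirectory.md hunks (ExternalURL at @@ -305,9 and InternalURL at @@ -364,9), the added sentence "The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS)." now stands as its own paragraph and never says what depends on the value or what the administrator should check. Either state the concrete requirement, or fold the sentence back into the Autodiscover sentence that follows it, so the reader is not left with an unexplained caution.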
@@ -252,9 +252,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The EnforceCertificateErrors parameter specifies whether to enforce valid Secure Sockets Layer (SSL) certificate validation failures. Valid values are: - -The default setting is $false. +The EnforceCertificateErrors parameter specifies whether to enforce Transport Layer Security (TLS) certificate validation failures. Valid values are: - $true: If the certificate isn't valid or doesn't match the target IMAP4 server's FQDN, the connection attempt fails. - $false: The server doesn't deny IMAP4 connections based on certificate errors. This value is the default. diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-MapiVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/Set-MapiVirtualDirectory.md index cd48e72f02..373255b618 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-MapiVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-MapiVirtualDirectory.md 
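Review bot: The added EnforceCertificateErrors description in the Set-ImapSettings.md hunk, "specifies whether to enforce Transport Layer Security (TLS) certificate validation failures", is still hard to parse, because a failure is not something that gets enforced. Going by the two bullets under it, wording such as "specifies whether the connection attempt fails when TLS certificate validation fails" would match the behaviour they describe. Dropping the stray "The default setting is $false." line is fine, since the $false bullet already states the default.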
@@ -145,7 +145,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -191,7 +191,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
@@ -209,9 +209,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. -This setting enforces the Secure Sockets Layer (SSL) protocol and uses the default SSL port. Valid input for this parameter uses the syntax `https:///mapi`(for example, `https://external.contoso.com/mapi`). +This setting enforces the Transport Layer Security (TLS) protocol and uses the default TLS port. Valid input for this parameter uses the syntax `https:///mapi`(for example, `https://external.contoso.com/mapi`). When you use the InternalUrl or ExternalUrl parameters, you need to specify one or more authentication values by using the IISAuthenticationMethods parameter. @@ -260,9 +260,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. -This setting enforces the Secure Sockets Layer (SSL) protocol and uses the default SSL port. Valid input for this parameter uses the syntax `https:///mapi` (for example, `https://internal.contoso.com/mapi`). +This setting enforces the Transport Layer Security (TLS) protocol and uses the default TLS port. Valid input for this parameter uses the syntax `https:///mapi` (for example, `https://internal.contoso.com/mapi`). When you use the InternalUrl or ExternalUrl parameters, you need to specify one or more authentication values by using the IISAuthenticationMethods parameter. 
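Review bot: "uses the default TLS port" in the added ExternalURL and InternalURL lines of Set-MapiVirtualDirectory.md is inaccurate, because TLS has no default port of its own; the value is an `https://` URL, so this should read "the default HTTPS port (443)". The ExternalURL line also carries over the missing space in "`https:///mapi`(for example", which the InternalURL line has. The unchanged context line in both hunks still writes "InternalUrl or ExternalUrl" while the changed lines use InternalURL and ExternalURL, so the casing should be aligned in the same change.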
diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-OabVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/Set-OabVirtualDirectory.md index c998400e9a..ff2ce2d76a 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-OabVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-OabVirtualDirectory.md @@ -148,7 +148,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -194,7 +194,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode @@ -212,7 +212,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. ```yaml Type: Uri 
@@ -230,7 +230,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. ```yaml Type: Uri @@ -286,10 +286,10 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The RequireSSL parameter specifies whether the client connection to the virtual directory requires Secure Sockets Layer (SSL) encryption. Valid values are: +The RequireSSL parameter specifies whether client connections to the virtual directory require Transport Layer Security (TLS) encryption. Valid values are: -- $true: SSL encryption is required to connect to the virtual directory. This value is the default. -- $false: SSL encryption isn't required to connect to the virtual directory. +- $true: TLS encryption is required to connect to the virtual directory. This value is the default. +- $false: TLS encryption isn't required to connect to the virtual directory. ```yaml Type: Boolean diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-OutlookAnywhere.md b/exchange/exchange-ps/ExchangePowerShell/Set-OutlookAnywhere.md index a4498d90ac..8bdcf47eef 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-OutlookAnywhere.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-OutlookAnywhere.md 
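Review bot: In the RequireSSL hunk of Set-OabVirtualDirectory.md (@@ -286,10), the description and both bullets now say TLS while the parameter is still named RequireSSL, and nothing on the changed lines tells the reader that the name is a holdover. A short clause on the first added line, for example "(the parameter name keeps the older SSL term)", would prevent readers from assuming that $true requires the SSL protocol itself.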
@@ -69,7 +69,7 @@ This example sets the client authentication method to NTLM for the Outlook Anywh Set-OutlookAnywhere -Identity "EXCH1\rpc (Default Web Site)" -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true ``` -This example sets the SSLOffloading parameter to $false for the Outlook Anywhere virtual directory on the server named EXCH1. This setting informs Outlook Anywhere to expect no SSL decryption between clients and the server, and enables the Require SSL value on the virtual directory. Because SSL is now required for Outlook Anywhere connections, we need to configure internal and external clients to use SSL. +This example sets the SSLOffloading parameter to $false for the Outlook Anywhere virtual directory on the server named EXCH1. This setting informs Outlook Anywhere to expect no TLS decryption between clients and the server, and enables the "Require SSL" setting on the virtual directory. Because TLS is now required for Outlook Anywhere connections, we need to configure internal and external clients to use TLS. ### Example 4 ```powershell 
@@ -208,7 +208,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -254,7 +254,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
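Review bot: The rewritten Note in this Set-OutlookAnywhere.md hunk reads "Allow or Require and you have a proxy server", without the comma that the same Note carries in the other virtual directory files in this patch ("Allow or Require, and you have"). Since the line is being changed anyway, add the comma so the shared text stays identical across files.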
@@ -296,10 +296,10 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalClientsRequireSsl parameter specifies whether external Outlook Anywhere clients are required to use Secure Sockets Layer (SSL). Valid values are: +The ExternalClientsRequireSsl parameter specifies whether external Outlook Anywhere clients are required to use Transport Layer Security (TLS). Valid values are: -- $true: Clients connecting via Outlook Anywhere from outside the organization are required to use SSL. -- $false: Clients connecting via Outlook Anywhere from outside the organization aren't required to use SSL. This value is the default. +- $true: Clients connecting via Outlook Anywhere from outside the organization are required to use TLS. +- $false: Clients connecting via Outlook Anywhere from outside the organization aren't required to use TLS. This value is the default. The value of this parameter is related to the value of the SSLOffloading parameter. 
@@ -387,10 +387,10 @@ Accept wildcard characters: False > Applicable: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalClientsRequireSsl parameter specifies whether internal Outlook Anywhere clients are required to use SSL. Valid values are: +The InternalClientsRequireSsl parameter specifies whether internal Outlook Anywhere clients are required to use Transport Layer Security (TLS). Valid values are: -- $true: Clients connecting via Outlook Anywhere from inside the organization are required to use SSL. -- $false: Clients connecting via Outlook Anywhere from inside the organization aren't required to use SSL. This value is the default. +- $true: Clients connecting via Outlook Anywhere from inside the organization are required to use TLS. +- $false: Clients connecting via Outlook Anywhere from inside the organization aren't required to use TLS. This value is the default. The value of this parameter is related to the value of the SSLOffloading parameter. 
@@ -446,14 +446,14 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The SSLOffloading parameter specifies whether a network device accepts SSL connections and decrypts them before proxying the connections to the Outlook Anywhere virtual directory on the Exchange server. Valid values are: +The SSLOffloading parameter specifies whether a network device accepts Transport Layer Security (TLS) connections and decrypts them before proxying the connections to the Outlook Anywhere virtual directory on the Exchange server. Valid values are: -- $true: Outlook Anywhere clients using SSL don't maintain an SSL connection along the entire network path to the Exchange server. A network device in front of the server decrypts the SSL connections and proxies the unencrypted (HTTP) client connections to the Outlook Anywhere virtual directory. The network segment where HTTP is used should be a secured network. This value is the default. -- $false: Outlook Anywhere clients using SSL maintain an SSL connection along the entire network path to the Exchange server. Only SSL connections are allowed to the Outlook Anywhere virtual directory. +- $true: Outlook Anywhere clients using TLS don't maintain an TLS connection along the entire network path to the Exchange server. A network device in front of the server decrypts the TLS connections and proxies the unencrypted (HTTP) client connections to the Outlook Anywhere virtual directory. The network segment where HTTP is used should be a secured network. This value is the default. +- $false: Outlook Anywhere clients using TLS maintain an TLS connection along the entire network path to the Exchange server. Only TLS connections are allowed to the Outlook Anywhere virtual directory. -This parameter configures the Require SSL value on the Outlook Anywhere virtual directory. When you set this parameter to $true, Require SSL is disabled. 
When you set this parameter to $fase, Require SSL is enabled. However, it might take several minutes before the change is visible in IIS Manager. +This parameter configures the "Require SSL" setting on the Outlook Anywhere virtual directory. When you set this parameter to $true, "Require SSL" is disabled. When you set this parameter to $false, "Require SSL" is enabled. However, it might take several minutes before the change is visible in IIS Manager. -You need to use the value $true for this parameter if you don't require SSL connections for internal or external Outlook Anywhere clients. +You need to use the value $true for this parameter if you don't require TLS connections for internal or external Outlook Anywhere clients. The value of this parameter is related to the values of the ExternalClientsRequireSsl and InternalClientsRequireSsl parameters. diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-OutlookProvider.md b/exchange/exchange-ps/ExchangePowerShell/Set-OutlookProvider.md index 166c2ab25e..91f7fac942 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-OutlookProvider.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-OutlookProvider.md @@ -73,9 +73,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The CertPrincipalName parameter specifies the Secure Sockets Layer (SSL) certificate principal name required for connecting to Exchange from an external location. +The CertPrincipalName parameter specifies the Transport Layer Security (TLS) certificate principal name required for connecting to Exchange from an external location. -This parameter is only used for Outlook Anywhere clients. +This parameter is used only for Outlook Anywhere clients. ```yaml Type: String 
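Review bot: Both added bullets in the SSLOffloading hunk of Set-OutlookAnywhere.md (@@ -446,14) say "an TLS connection", a leftover from replacing "SSL" in "an SSL connection". This should be "a TLS connection" in the $true bullet and in the $false bullet.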
diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-OwaVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/Set-OwaVirtualDirectory.md index 921ca5f56c..f94913bd56 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-OwaVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-OwaVirtualDirectory.md @@ -683,7 +683,7 @@ This parameter is available only in Exchange Server 2010. The CrossSiteRedirectType parameter controls how a Client Access server redirects Outlook Web App to the Client Access server infrastructure in another Active Directory site. Valid values are: -- Silent: Users are automatically redirected when the Client Access server redirects an Outlook Web App request to Client Access server infrastructure in another Active Directory site. If using forms-based authentication, SSL is required. For redirection to occur, the target OWA virtual directory must have an ExternalURL value. +- Silent: Users are automatically redirected when the Client Access server redirects an Outlook Web App request to Client Access server infrastructure in another Active Directory site. If using forms-based authentication, TLS is required. For redirection to occur, the target OWA virtual directory must have an ExternalURL value. - Manual: Users receive a notification that they are accessing the wrong URL and that they must click a link to access the preferred Outlook Web App URL for their mailbox. This notification occurs only when the Client Access server determines that it must redirect an Outlook Web App request to the Client Access server infrastructure in another Active Directory site. For redirection to occur, the target OWA virtual directory must have an ExternalURL value. The default value is Manual. 
@@ -973,7 +973,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. To enter multiple values and overwrite any existing entries, use the following syntax: `Value1,Value2,...ValueN`. If the values contain spaces or otherwise require quotation marks, use the following syntax: `"Value1","Value2",..."ValueN"`. 
@@ -1027,7 +1027,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
@@ -1124,9 +1124,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. -This setting is important when Secure Sockets Layer (SSL) is used. +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). ```yaml Type: Uri @@ -1603,9 +1603,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. -This setting is important when SSL is used. +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-PopSettings.md b/exchange/exchange-ps/ExchangePowerShell/Set-PopSettings.md index 38da595909..0aab0950e0 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-PopSettings.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-PopSettings.md 
@@ -250,7 +250,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The EnforceCertificateErrors parameter specifies whether to enforce Secure Sockets Layer (SSL) certificate validation failures. Valid values are: +The EnforceCertificateErrors parameter specifies whether to enforce Transport Layer Security (TLS) certificate validation failures. Valid values are: - $true: If the certificate isn't valid or doesn't match the target POP3 server's FQDN, the connection attempt fails. - $false: The server doesn't deny POP3 connections based on certificate errors. This value is the default. diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-PowerShellVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/Set-PowerShellVirtualDirectory.md index bf18ace465..fd72d56bb0 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-PowerShellVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-PowerShellVirtualDirectory.md 
@@ -165,7 +165,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory, and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -211,7 +211,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode @@ -229,7 +229,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. ```yaml Type: Uri 
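Review bot: In the ExternalURL hunk of Set-PowerShellVirtualDirectory.md, "the URL that connects to the virtual directory" makes the URL the actor, but a URL doesn't connect to anything; clients do. The removed wording "the URL that's used to connect" was more accurate. Suggest "the URL that clients use to connect to the virtual directory from outside the firewall", with the same change on the InternalURL line and on the matching lines in Set-OwaVirtualDirectory.md and Set-WebServicesVirtualDirectory.md.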
@@ -247,7 +247,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. ```yaml Type: Uri @@ -265,7 +265,10 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The RequireSSL parameter specifies whether the Windows PowerShell virtual directory should require that the client connection be made using Secure Sockets Layer (SSL). The valid values are $true and $false. The default value is $true. +The RequireSSL parameter specifies whether client connections to the virtual directory require Transport Layer Security (TLS) encryption. Valid values are: + +- $true: TLS encryption is required to connect to the virtual directory. This value is the default. +- $false: TLS encryption isn't required to connect to the virtual directory. ```yaml Type: Boolean diff --git a/exchange/exchange-ps/ExchangePowerShell/Set-WebServicesVirtualDirectory.md b/exchange/exchange-ps/ExchangePowerShell/Set-WebServicesVirtualDirectory.md index af15a221bb..9d2991fca5 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Set-WebServicesVirtualDirectory.md +++ b/exchange/exchange-ps/ExchangePowerShell/Set-WebServicesVirtualDirectory.md 
@@ -205,7 +205,7 @@ The ExtendedProtectionFlags parameter specifies custom settings for Extended Pro - None: This is the default setting. - AllowDotlessSPN: Required if you want to use Service Principal Name (SPN) values that don't contain FQDNs (for example, HTTP/ContosoMail instead of HTTP/mail.contoso.com). You specify SPNs with the ExtendedProtectionSPNList parameter. This setting makes Extended Protection for Authentication less secure because dotless certificates aren't unique, so it isn't possible to ensure that the client-to-proxy connection was established over a secure channel. - NoServiceNameCheck: The SPN list isn't checked to validate a channel binding token. This setting makes Extended Protection for Authentication less secure. We generally don't recommend this setting. -- Proxy: A proxy server is responsible for terminating the SSL channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. +- Proxy: A proxy server is responsible for terminating the TLS channel. To use this setting, you need to register an SPN by using the ExtendedProtectionSPNList parameter. - ProxyCoHosting: HTTP and HTTPS traffic might be accessing the virtual directory and a proxy server is located between at least some of the clients and the Client Access services on the Exchange server. ```yaml 
@@ -251,7 +251,7 @@ The ExtendedProtectionTokenChecking parameter defines how you want to use Extend - Allow: Extended Protection for Authentication is used for connections between clients and the virtual directory if both the client and server support it. Connections that don't support Extended Protection for Authentication work, but might not be as secure as connections that use Extended Protection for Authentication. - Require: Extended Protection for Authentication is used for all connections between clients and the virtual directory. If either the client or server doesn't support it, the connection will fail. If you use this value, you also need to set an SPN value for the ExtendedProtectionSPNList parameter. -**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy SSL channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. +**Note**: If you use the value Allow or Require, and you have a proxy server between the client and the Client Access services on the Mailbox server that's configured to terminate the client-to-proxy TLS channel, you also need to configure one or more Service Principal Names (SPNs) by using the ExtendedProtectionSPNList parameter. ```yaml Type: ExtendedProtectionTokenCheckingMode 
@@ -269,9 +269,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The ExternalURL parameter specifies the URL that's used to connect to the virtual directory from outside the firewall. +The ExternalURL parameter specifies the URL that connects to the virtual directory from outside the firewall. -This setting is important when Secure Sockets Layer (SSL) is used. +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). ```yaml Type: Uri @@ -354,9 +354,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The InternalURL parameter specifies the URL that's used to connect to the virtual directory from inside the firewall. +The InternalURL parameter specifies the URL that connects to the virtual directory from inside the firewall. -This setting is important when SSL is used. +The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS). ```yaml Type: Uri diff --git a/exchange/exchange-ps/ExchangePowerShell/Test-ActiveSyncConnectivity.md b/exchange/exchange-ps/ExchangePowerShell/Test-ActiveSyncConnectivity.md index 4f1a49368e..4eac94c531 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Test-ActiveSyncConnectivity.md +++ b/exchange/exchange-ps/ExchangePowerShell/Test-ActiveSyncConnectivity.md 
@@ -130,7 +130,7 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Server SE -The AllowUnsecureAccess switch allows the test to continue over an unsecured channel that doesn't require Secure Sockets Layer (SSL). You don't need to specify a value with this switch. +The AllowUnsecureAccess switch allows the test to continue over an unsecured channel that doesn't require Transport Layer Security (TLS). You don't need to specify a value with this switch. ```yaml Type: SwitchParameter diff --git a/exchange/exchange-ps/ExchangePowerShell/Test-MigrationServerAvailability.md b/exchange/exchange-ps/ExchangePowerShell/Test-MigrationServerAvailability.md index 06819bf80a..1d580871d1 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Test-MigrationServerAvailability.md +++ b/exchange/exchange-ps/ExchangePowerShell/Test-MigrationServerAvailability.md @@ -432,7 +432,10 @@ This parameter is available only in the cloud-based service. The Port parameter specifies the TCP port number used by the IMAP migration process to connect to the target server. This parameter is required only for IMAP migrations. -The standard is to use port 143 for unencrypted connections, port 143 for Transport Layer Security (TLS), and port 993 for Secure Sockets Layer (SSL). +The standard values are: + +- 143 for unencrypted connections or Transport Layer Security (TLS) encrypted connections. +- 993 for Secure Sockets Layer (SSL) encrypted connections. ```yaml Type: Int32 diff --git a/exchange/exchange-ps/ExchangePowerShell/Test-OwaConnectivity.md b/exchange/exchange-ps/ExchangePowerShell/Test-OwaConnectivity.md index 4144d034bc..87b4505a3e 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Test-OwaConnectivity.md +++ b/exchange/exchange-ps/ExchangePowerShell/Test-OwaConnectivity.md 
@@ -65,7 +65,7 @@ If you run the Test-OwaConnectivity cmdlet on a Client Access server without usi To test a single URL, run the Test-OwaConnectivity cmdlet with the URL parameter and credentials for an existing Exchange mailbox. If the URL is behind a load balancer, you can't predict which Client Access server the command tests. Because credentials are required as part of the parameters when you use the URL parameter, you can use any account to run the Test-OwaConnectivity cmdlet when you use the URL parameter. -If the command encounters a virtual directory that doesn't require Secure Sockets Layer (SSL), the command skips that directory unless the AllowUnsecureAccess parameter is used. If the AllowUnsecureAccess parameter is used, communications between servers are sent in clear text for purposes of the test. +If the command encounters a virtual directory that doesn't require Transport Layer Security (TLS), the command skips that directory unless the AllowUnsecureAccess parameter is used. If the AllowUnsecureAccess parameter is used, communications between servers are sent in clear text for purposes of the test. The Test-OwaConnectivity cmdlet can be run as a one-time interactive task or as a scheduled task under Microsoft System Center Operations Manager 2007 control. To run the Test-OwaConnectivity cmdlet as a System Center Operations Manager 2007 task, the Client Access test mailbox must be available on the Mailbox servers that the cmdlet tests against. 
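Review bot: The rewritten paragraph in Test-OwaConnectivity.md calls AllowUnsecureAccess a "parameter" twice, while the parameter section in the next hunk of the same file calls it a "switch". Pick one term, preferably "switch", since the description says no value is specified with it. While this line is being touched, it would also help to say what "communications between servers are sent in clear text" covers, because the preceding context paragraph states that credentials are required as part of the parameters when the URL parameter is used.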
@@ -85,7 +85,7 @@ This example tests the connectivity for the URL https://mail.contoso.com/owa usi Test-OwaConnectivity -ClientAccessServer:Contoso12 -AllowUnsecureAccess ``` -This example tests the connectivity of a specific Client Access server Contoso12 and tests all Exchange Outlook Web App virtual directories that support Exchange mailboxes. These include the virtual directories that don't require SSL. +This example tests the connectivity of a specific Client Access server Contoso12 and tests all Exchange Outlook Web App virtual directories that support Exchange mailboxes. These include the virtual directories that don't require TLS. ## PARAMETERS @@ -159,9 +159,9 @@ Accept wildcard characters: False > Applicable: Exchange Server 2010 -The AllowUnsecureAccess switch specifies whether virtual directories that don't require SSL are tested. You don't need to specify a value with this switch. +The AllowUnsecureAccess switch specifies whether virtual directories that don't require TLS are tested. You don't need to specify a value with this switch. -If you don't use this switch, the command skips virtual directories that don't require SSL, and an error is generated. +If you don't use this switch, the command skips virtual directories that don't require TLS, and an error is generated. ```yaml Type: SwitchParameter diff --git a/exchange/exchange-ps/ExchangePowerShell/Test-PowerShellConnectivity.md b/exchange/exchange-ps/ExchangePowerShell/Test-PowerShellConnectivity.md index c0853084d2..c2ae64aaf1 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Test-PowerShellConnectivity.md +++ b/exchange/exchange-ps/ExchangePowerShell/Test-PowerShellConnectivity.md 
@@ -89,7 +89,7 @@ $UserCredentials = Get-Credential Test-PowerShellConnectivity -ConnectionUri https://contoso.com/powershell -TestCredential $UserCredentials -Authentication Basic ``` -This example tests the remote PowerShell virtual directory that's available at `https://contoso.com/powershell`. A mismatch between the SSL certificate and the URL isn't expected, so the TrustAnySSLCertificate switch isn't used. The virtual directory is configured to use Basic authentication. +This example tests the remote PowerShell virtual directory that's available at `https://contoso.com/powershell`. A mismatch between the TLS certificate and the URL isn't expected, so the TrustAnySSLCertificate switch isn't used. The virtual directory is configured to use Basic authentication. The credentials that are used to connect to the virtual directory are stored in the $UserCredentials variable. The test is then run as previously described. diff --git a/exchange/exchange-ps/ExchangePowerShell/Test-WebServicesConnectivity.md b/exchange/exchange-ps/ExchangePowerShell/Test-WebServicesConnectivity.md index 6e29d4210f..b896af654a 100644 --- a/exchange/exchange-ps/ExchangePowerShell/Test-WebServicesConnectivity.md +++ b/exchange/exchange-ps/ExchangePowerShell/Test-WebServicesConnectivity.md @@ -99,7 +99,7 @@ You need to be assigned permissions before you can run this cmdlet. Although thi Test-WebServicesConnectivity -AllowUnsecureAccess ``` -In Exchange 2010, this example tests Exchange Web Services on the local Client Access server and allows the test to use an unsecured connection that doesn't require SSL. A default test account is used. +In Exchange 2010, this example tests Exchange Web Services on the local Client Access server and allows the test to use an unsecured connection that doesn't require TLS. A default test account is used. ### Example 2 ```powershell 
@@ -200,7 +200,7 @@ Accept wildcard characters: False This parameter is available only in Exchange Server 2010. -The AllowUnsecureAccess switch specifies whether to enable the command to continue to run over an unsecured channel that doesn't require Secure Sockets Layer (SSL). You don't need to specify a value with this switch. +The AllowUnsecureAccess switch specifies whether to enable the command to continue to run over an unsecured channel that doesn't require Transport Layer Security (TLS). You don't need to specify a value with this switch. ```yaml Type: SwitchParameter
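Review bot: In the AllowUnsecureAccess hunk of Test-WebServicesConnectivity.md, "specifies whether to enable the command to continue to run over an unsecured channel" is heavier than the wording this patch uses for the same switch in Test-ActiveSyncConnectivity.md, "allows the test to continue over an unsecured channel that doesn't require Transport Layer Security (TLS)". Suggest reusing that sentence here so the two descriptions of AllowUnsecureAccess match.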
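Review bot: In the ExternalURL hunk of Set-OwaVirtualDirectory.md, the new sentence "The value of this parameter is important when connections are encrypted by Transport Layer Security (TLS)" tells the reader that the value matters but not why or what to check. If the point is that the host name in the URL has to match a name on the certificate, say so; otherwise state what fails when the value is wrong. The same sentence is added in the InternalURL hunk and in Set-WebServicesVirtualDirectory.md.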
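Review bot: In the EnforceCertificateErrors hunk of Set-PopSettings.md, the changed sentence still reads "whether to enforce ... certificate validation failures"; one enforces validation, not failures, and swapping SSL for TLS carries the awkward phrase over unchanged. Suggest "specifies whether connections fail when Transport Layer Security (TLS) certificate validation fails", which lines up with the two bullets that follow. Because the $false bullet is marked as the default, the lead sentence should leave no doubt about what is skipped by default.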
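Review bot: In the RequireSSL hunk of Set-PowerShellVirtualDirectory.md, the description now speaks only of TLS while the parameter is still named RequireSSL, and nothing in the new text connects the two. A reader looking for the setting that requires TLS won't obviously land on a parameter with SSL in its name. Suggest a short sentence after the bullets saying that the parameter name still contains SSL but the setting applies to TLS connections. The TrustAnySSLCertificate sentence in Test-PowerShellConnectivity.md has the same mismatch.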
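Review bot: In the Port hunk of Test-MigrationServerAvailability.md, the new bullet "993 for Secure Sockets Layer (SSL) encrypted connections" still names SSL as the protocol, unlike the other hunks here, which move the descriptions to TLS. If that is deliberate, the text should say why; as written, the two bullets read as if 143 is the TLS port and 993 a legacy SSL port. In standard IMAP usage a connection on port 143 starts unencrypted and can be upgraded with STARTTLS, while a connection on port 993 is encrypted from the start, so wording along the lines of "143 for unencrypted connections or connections upgraded to TLS with STARTTLS" and "993 for connections that are encrypted from the start" would be clearer.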