Calendaring: Exchange can publish to ICS, defaults to insecure
Originally published on the weblog TechMonks, which no longer exists.
ICS (iCal) is a file format for calendars. Most calendaring software uses it. For example, you can import / export it to Google Calendar. If you have a Google Calendar, you can “publish” your calendar to an ICS file, so you can use it with other software like Mozilla Calendar or web services.
Microsoft Exchange 2010 can also publish calendars to ICS. Which is great, because Exchange and Outlook offer more advanced features for heavyweight calendar users. Like using rich text and images for your descriptions, and adding file attachments. Steve Goodman has written a fine manual on how to enable iCal Calendar Sharing with Exchange 2010 SP1 (recommended reading).
Here I will not give the depressing account of my troubles installing Windows 2008 and Exchange. If you are used to installing Linux servers, prepare a few days instead of a few hours. Even after you have installed everything, after numerous reboots and fixes, buggy graphical config tools and a not-so-grown-up command line, you still have work to do. Like minding security.
If you publish your calendar to ICS, then you will receive an URL which is  plain HTTP, while it should default to HTTPS, and  not protected by a password.
The first problem can be solved by your firewall – do not allow normal http (80) traffic to your Exchange server. Instruct your users about the ICS URL; they have to replace http by https.
The second problem requires you to start the ISS Manager. Go to the owa/Calendar folder. Disallow the Anonymous access, and allow the Digest access. See the screenshot below.
Deze blogpost werd in december 2022 overgezet van WordPress naar een methode gebaseerd op Markdown; het is mogelijk dat hierbij fouten of wijzigingen zijn ontstaan t.o.v. de originele blogpost.