Calendaring: Exchange can publish to ICS, defaults to insecure

— door Evert Mouw

Originally published on the weblog TechMonks, which no longer exists.

ICS (iCal) is a file format for calendars. Most calendaring software uses it. For example, you can import / export it to Google Calendar. If you have a Google Calendar, you can “publish” your calendar to an ICS file, so you can use it with other software like Mozilla Calendar or web services.

Microsoft Exchange 2010 can also publish calendars to ICS. Which is great, because Exchange and Outlook offer more advanced features for heavyweight calendar users. Like using rich text and images for your descriptions, and adding file attachments. Steve Goodman has written a fine manual on how to enable iCal Calendar Sharing with Exchange 2010 SP1 (recommended reading).

Here I will not give the depressing account of my troubles installing Windows 2008 and Exchange. If you are used to installing Linux servers, prepare a few days instead of a few hours. Even after you have installed everything, after numerous reboots and fixes, buggy graphical config tools and a not-so-grown-up command line, you still have work to do. Like minding security.

If you publish your calendar to ICS, then you will receive an URL which is [1] plain HTTP, while it should default to HTTPS, and [2] not protected by a password.

The first problem can be solved by your firewall – do not allow normal http (80) traffic to your Exchange server. Instruct your users about the ICS URL; they have to replace http by https.

The second problem requires you to start the ISS Manager. Go to the owa/Calendar folder. Disallow the Anonymous access, and allow the Digest access. See the screenshot below.

IIS screenshot
IIS settings.