Which two actions should you perform?

You have an Exchange Server 2013 organization.
You plan to deploy Exchange ActiveSync for mobile devices. Each mobile device will be authenticated by using certificates issued by an internal certification authority (CA).
You need to configure the organization to authenticate the mobile devices by using the certificates.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From Internet Information Services (IIS) Manager on each Client Access server, configure the Microsoft-Server-ActiveSync virtual directory to require client certificates.
B. From Exchange Admin Center, configure the Microsoft-Server-ActiveSync virtual directory to require client certificates.
C. From Internet Information Services (IIS) Manager on each Client Access server, enable Active Directory Client Certificate Authentication.
D. From Internet Information Services (IIS) Manager on each Mailbox server, enable Active Directory Client Certificate Authentication.

Correct Answer: BC
Explanation/Reference:
Explanation:
NOT A
Enable Active Directory Client Certificate Authentication within IIS but configure the Microsoft-Server-ActiveSync virtual directory to require client certificates is performed in Exchange Admin Center
NOT D
IIS is configured on the Client Access Server not the Mailbox Server
B
After you’ve installed the Exchange 2013 Client Access server, there are a variety of configuration tasks that you can perform.
Although the Client Access server in Exchange 2013 doesn’t handle processing for the client protocols, several settings need to be applied to the Client Access server, including virtual directory settings and certificate settings.
http://technet.microsoft.com/en-us/library/gg247612(v=exchg.150).aspx
Exchange Server 2013 automatically configures multiple Internet Information Services (IIS) virtual directories during installation.
This topic contains information about the default IIS authentication settings and default Secure Sockets Layer (SSL) settings for the Client Access and Mailbox servers.
The following table lists the default settings on a stand-alone Exchange 2013 Client Access server.
Default Client Access server IIS authentication and SSL settings
Virtual directory Authentication method SSL settings
Management method
Microsoft-Server-ActiveSync Basic authentication SSL required Requires 128-bit encryption
EAC or Shell


C
Configure certificate-based authentication for Exchange ActiveSync
http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-forexchangeactivesync.
aspx
Client Access Server Configuration
To configure the Client Access server to enforce certificate based authentication :
1. Verify if Certificate Mapping Authentication is installed on the server.
Right click on Computer in the start menu and choose Manage.
Expand Roles and click on Web Server (IIS)
Scroll down to the Role Services section. Under the Security section you should see Client Certificate Mapping
Authentication installed.


If you don’t see Client Certificate Mapping Authentication installed, click add Role Services > (scroll) Security and select Client Certificate Mapping Authentication and then click Install.
Reboot your server.