Managing CA

Managing Client Access in Exchange Server 2007
Microsoft Corporation Published: June 2007 Author: Microsoft Exchange Documentation Team
Abstract
The purpose of this document is to help you manage and configure Microsoft Exchange Server 2007 Client Access servers. The information and procedures in this document focus specifically on the features of an Exchange 2007 computer that has the Client Access server role installed. This document provides overviews of the supported client protocols and features and the tasks you must perform to manage and configure them. Important: This document is a deployment-specific compilation of several Exchange 2007 Help topics and is provided as a convenience for customers who want to view the topics in print format. To read the most up-to-date deployment topics, visit the Exchange Server 2007 Library.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2007 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows Media, Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Vista, Active Directory, ActiveSync, Excel, Forefront, Internet Explorer, Outlook, SharePoint, SmartScreen and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Contents
Managing Client Access in Exchange Server 2007..................................................................1 Contents...................................................................................................................................3 Managing Client Access in Exchange Server 2007................................................................11 Understanding Client Access Server Management Tasks......................................................12 Exchange ActiveSync..........................................................................................................12 Outlook Web Access...........................................................................................................14 Outlook Anywhere...............................................................................................................15 POP3 and IMAP4................................................................................................................16 Required Permissions to Manage Client Access....................................................................18 Services Used by a Client Access Server...............................................................................21 Enabling Services...............................................................................................................22 Managing Outlook Web Access..............................................................................................23 Tools for Managing Outlook Web Access............................................................................24 Administrative Tasks for Managing Outlook Web Access....................................................25 Managing Outlook Web Access Virtual Directories in Exchange 2007...................................27 Outlook Web Access Virtual Directories..............................................................................27 Configuring Outlook Web Access Virtual Directories...........................................................29 How to Create an Outlook Web Access Virtual Directory in Exchange 2007..........................31 How to View Properties of an Outlook Web Access Virtual Directory.....................................32 How to Modify Properties on an Outlook Web Access Virtual Directory.................................34 How to Remove an Outlook Web Access Virtual Directory.....................................................35 Managing Outlook Web Access URLs....................................................................................36 Default Outlook Web Access URL.......................................................................................36 How to Enable Explicit Logons in Outlook Web Access..........................................................37 About Explicit Logon............................................................................................................37 How to Simplify the Outlook Web Access URL.......................................................................39 How to Use Outlook Web Access Web Parts.........................................................................41 Permissions for Using Outlook Web Access Web Parts......................................................41 Outlook Web Access Web Parts Syntax..............................................................................42
Using Outlook Web Access Web Parts Manually................................................................49 Managing File and Data Access for Outlook Web Access......................................................49 WebReady Document Viewing............................................................................................49 Public and Private Computer File Access............................................................................50 Data Access Using Outlook Web Access............................................................................50 How to Manage Public and Private Computer File Access.....................................................51 How to Manage WebReady Document Viewing.....................................................................55 How to Manage Maximum Message Size in Outlook Web Access.........................................56 Conditions and Associated Warnings..................................................................................57 Managing Outlook Web Access Advanced Features..............................................................58 Segmentation of Features in Outlook Web Access.............................................................58 Understanding Web Beacons..............................................................................................61 Disabling Web Beacons......................................................................................................62 Language Settings..............................................................................................................62 Character Settings..............................................................................................................63 Gzip Compression Settings.................................................................................................64 Creating Themes for Outlook Web Access..........................................................................65 Customizing the Forms-Based Authentication Logon Page................................................65 How to Manage Segmentation in Outlook Web Access..........................................................66 Segmentation in the Exchange Management Console and the Exchange Management Shell.................................................................................................................................67 How to Configure Gzip Compression Settings........................................................................71 How to Configure Character Settings for Outlook Web Access..............................................72 How to Configure Language Settings for Outlook Web Access..............................................73 About Language Settings....................................................................................................73 How to Create a Theme for Outlook Web Access...................................................................79 What Is Included in a Theme...............................................................................................80 Recommendations..............................................................................................................80 Creating a Theme................................................................................................................81 Changing the Default Outlook Web Access Theme.............................................................87 Customizing the Logon and Logoff Pages...........................................................................87 How to Control Web Beacon and HTML Form Filtering for Outlook Web Access...................96 Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access........................................................................................................................97 Administration.....................................................................................................................97
How to Configure Windows SharePoint Services and Windows File Share Integration for Outlook Web Access...........................................................................................................99 How to Allow or Block Access to Documents in Windows SharePoint Services and Windows File Shares from Specific Servers.....................................................................................102 How to Enable or Block Access from Public and Private Computers....................................104 How to Configure Internal Host Names................................................................................106 Managing Outlook Anywhere................................................................................................107 Managing Outlook Anywhere............................................................................................108 How to Configure Outlook Anywhere with Exchange 2003...................................................109 Configuring Outlook Anywhere for Exchange Server 2003 SP1........................................110 Configuring Outlook Anywhere for Exchange Server 2003................................................110 How to Enable Outlook Anywhere.........................................................................................111 How to Disable Outlook Anywhere........................................................................................113 How to Configure an External Host Name for Outlook Anywhere.........................................115 Managing Exchange ActiveSync...........................................................................................116 Overview of Exchange ActiveSync....................................................................................116 Managing Exchange ActiveSync.......................................................................................117 Managing the Exchange ActiveSync Virtual Directory..........................................................117 Managing the Exchange ActiveSync Virtual Directory.......................................................118 How to Create an Exchange ActiveSync Virtual Directory....................................................119 How to View Properties of an Exchange ActiveSync Virtual Directory..................................120 How to Modify Properties on an Exchange ActiveSync Virtual Directory..............................121 How to Remove an Exchange ActiveSync Virtual Directory.................................................122 Managing Exchange ActiveSync Users................................................................................123 Managing Exchange ActiveSync Users.............................................................................123 How to Enable Exchange ActiveSync for a User..................................................................124 How to Disable Exchange ActiveSync for a User.................................................................125 How to Configure Synchronization Options for Users...........................................................126 Managing an Exchange ActiveSync Server..........................................................................127 Managing an Exchange ActiveSync Server.......................................................................128
How to Disable Exchange ActiveSync..................................................................................129 How to Enable Exchange ActiveSync...................................................................................130 How to Configure Exchange ActiveSync to Access SharePoint Services Sites and Windows File Shares........................................................................................................................131 Configuring Direct Push to Work Through Your Firewall.......................................................133 Overview of Direct Push....................................................................................................133 Configuring Your Firewall for Direct Push..........................................................................133 How to Configure Autodiscover for Exchange ActiveSync....................................................134 Managing Exchange ActiveSync Devices.............................................................................135 Managing Exchange ActiveSync Devices.........................................................................135 Exchange ActiveSync Devices and Compatible Features....................................................136 Devices Enabled for Exchange ActiveSync.......................................................................136 How to Configure a Device for Synchronization...................................................................139 How to Disable a Device for Exchange ActiveSync..............................................................141 How to Enable a Device for Exchange ActiveSync...............................................................142 How to View a List of Devices for a User..............................................................................143 How to Configure Device Password Locking........................................................................144 How to Recover a Device Password....................................................................................146 How to Perform a Remote Wipe on a Device.......................................................................147 How to Install Certificates on a Windows Mobile Powered Device.......................................149 How to Configure Mobile Devices to Synchronize with Exchange Server............................150 Managing Exchange ActiveSync with Policies......................................................................151 Overview of Exchange ActiveSync Mailbox Policies.........................................................152 Managing Exchange ActiveSync Mailbox Policies............................................................152 How to Create an Exchange ActiveSync Mailbox Policy......................................................153 How to Add Users to an Exchange ActiveSync Mailbox Policy.............................................154 How to Modify Exchange ActiveSync Mailbox Policy Settings..............................................156 How to Create Policies for Exchange ActiveSync.................................................................157 Managing Exchange ActiveSync Security.............................................................................159 Exchange ActiveSync Server Security..............................................................................159
Device Security.................................................................................................................160 How to Configure SSL for Exchange ActiveSync..................................................................161 Managing POP3 and IMAP4.................................................................................................162 Managing POP3 and IMAP4 with the Exchange Management Shell................................162 Managing POP3 and IMAP4 with Earlier Versions of Microsoft Exchange........................164 How to Start and Stop the POP3 Service.............................................................................164 How to Start and Stop the IMAP4 Service............................................................................165 How to Manage Calendar Options for POP3........................................................................167 How to Set Connection Limits for POP3...............................................................................168 How to Set Connection Limits for IMAP4..............................................................................170 How to Configure IP Addresses and Ports for POP3 and IMAP4 Access.............................171 How to Set Connection Time-Out Limits for IMAP4..............................................................172 How to Set Connection Time-Out Limits for POP3...............................................................173 How to Configure IMAP4 Access to Exchange 2003 Servers...............................................174 How to Configure POP3 Access to Exchange 2003 Servers................................................176 How to Manage Calendar Options for IMAP4.......................................................................177 How to Enable or Disable POP3 Access for a User..............................................................179 How to Enable or Disable IMAP4 Access for a User............................................................180 How to Enable Protocol Logging for POP3 and IMAP4........................................................181 How to Manage POP3 and IMAP4 Message Retrieval Format Options...............................184 How to Enable POP3 and IMAP4 Users to Use Default Protocol Settings...........................185 Enabling POP3 and IMAP4 on a Client Access Server........................................................187 How to Enable IMAP4 in Exchange 2007.............................................................................187 How to Enable POP3 in Exchange 2007..............................................................................188 Managing the Autodiscover Service.....................................................................................189 Using Separate IIS Web Sites for Internet Access to the Autodiscover Service................190 Using Multiple Sites for Internet Access to the Autodiscover Service................................190 Configuring the Autodiscover Service for Multiple Forests................................................190 Configuring the Autodiscover Service to Use Site Affinity..................................................190
How to Create a New Autodiscover Service Virtual Directory...............................................191 How to Delete the Default Autodiscover Service Virtual Directory........................................192 How to Test Outlook 2007 Autodiscover Connectivity...........................................................193 How to Configure the Autodiscover Service for Internet Access...........................................193 Configuring Internet Access to the Autodiscover Service..................................................194 How to Configure the Autodiscover Service for Multiple Forests..........................................195 How to Configure the Autodiscover Service to Use Site Affinity............................................196 How to Configure Exchange ActiveSync Autodiscover Settings...........................................197 How to Configure the Autodiscover Service for Cross Forest Moves...................................198 How to Configure Exchange Services for the Autodiscover Service.....................................200 Managing the Availability Service.........................................................................................202 How to Configure the Availability Service for Network Load Balanced Computers...............203 Configuring the Availability Server for Network Load Balancing........................................205 How to Configure the Availability Service for Cross-Forest Topologies.................................206 Configuring Windows for Cross-Forest Topologies............................................................207 Exchange 2007 and Exchange 2003 Cross-Forest Availability.........................................209 How to Diagnose Availability Service Issues........................................................................209 Managing Client Access Security..........................................................................................211 Managing Authentication...................................................................................................211 Enhancing Secure Communications Between the Client Access Server and Other Servers .......................................................................................................................................212 How to Add Certificate Manager to Microsoft Management Console....................................212 How to Obtain a Server Certificate from a Certification Authority.........................................213 Managing Outlook Web Access Security..............................................................................214 Authentication Methods.....................................................................................................215 Other Authentication Methods...........................................................................................216 How to Configure Outlook Web Access Virtual Directories to Use SSL................................217 Configuring Forms-Based Authentication for Outlook Web Access......................................218 Using Cookies to Control Access......................................................................................219 Determining User Activity..................................................................................................220 Configuring the Logon Prompt that is Used by Forms-Based Authentication....................220 Understanding Encryption for User Logon from Public and Private Computers................221
Using SSL to Help Secure Outlook Web Access...............................................................222 How to Configure Forms-Based Authentication for Outlook Web Access.............................223 How to Set the Forms-Based Authentication Public Computer Cookie Time-Out Value.......225 How to Set the Forms-Based Authentication Private Computer Cookie Time-Out Value......227 Configuring Standard Authentication Methods for Outlook Web Access...............................229 Standard Authentication Methods.....................................................................................230 How to Configure Integrated Windows Authentication..........................................................232 How to Configure Basic Authentication.................................................................................233 How to Configure Digest Authentication...............................................................................234 Managing POP3 and IMAP4 Security...................................................................................236 Configuring SSL for POP3 and IMAP4 Clients..................................................................236 Configuring Authentication for POP3 and IMAP4..............................................................236 Configuring TLS and SSL for POP3 and IMAP4 Access......................................................236 How to Configure POP3 to Use TLS or SSL.........................................................................237 How to Configure IMAP4 to Use TLS or SSL.......................................................................238 Configuring Authentication for POP3 and IMAP4.................................................................239 How to Configure Authentication for POP3...........................................................................241 How to Configure Authentication for IMAP4..........................................................................242 How to Configure Ports for POP3 Authentication.................................................................243 How to Configure Ports for IMAP4 Authentication................................................................244 Managing Outlook Anywhere Security..................................................................................244 Using an Advanced Firewall Server..................................................................................245 Using SSL for Outlook Anywhere......................................................................................245 Configuring Authentication for Outlook Anywhere.............................................................245 How to Configure SSL for Outlook Anywhere.......................................................................246 How to Configure Authentication for Outlook Anywhere.......................................................247 How to Configure SSL Offloading for Outlook Anywhere......................................................248 How to Configure SSL Certificates to Use Multiple Client Access Server Host Names........249 Using ISA Server 2006 with Exchange 2007........................................................................253
ISA Server 2006 and Exchange 2007...............................................................................253 Earlier Versions of ISA Server and Exchange 2007..........................................................253 Using ISA Server 2006 with Outlook Web Access................................................................255 Benefits of Using ISA Server 2006 with Outlook Web Access...........................................255 Deployment Options..........................................................................................................259 Deploying ISA Server 2006 for Outlook Web Access........................................................260 How to Configure Reverse Proxy Servers for Outlook Web Access.....................................263 Configuring ISA Server 2006 for Exchange Client Access....................................................265 ISA Server 2006 and Exchange 2007...............................................................................265 Benefits of Using ISA Server 2006 with Exchange 2007...................................................266 New Exchange Publishing Rule Wizard............................................................................268 Using ISA Server 2006 with Outlook Anywhere....................................................................268 ISA Server 2006 Features for Outlook Anywhere Client Access.......................................270 ISA Server 2006 Deployment Options for Outlook Anywhere............................................271 How to Deploy ISA Server 2006 for Outlook Anywhere.....................................................272 Using ISA Server 2006 with Exchange ActiveSync...............................................................273 Benefits of Using ISA Server 2006 with Exchange ActiveSync.........................................273 ISA Server 2006 Deployment Prerequisites for Exchange ActiveSync..............................274 How to Deploy ISA Server 2006 for Exchange ActiveSync...............................................274 Managing Details Templates.................................................................................................276 Elements of the Details Templates Editor..........................................................................277 Details Templates Management Tasks..............................................................................278 How to Customize the Details Template...............................................................................279 How to Add the Details Templates Editor to the Microsoft Management Console................283 How to Restore a Details Template to the Default Configuration..........................................284
Managing Client Access in Exchange Server 2007

This document describes how to manage the Client Access server role. In Microsoft Exchange Server 2007, you can install the Client Access server role on your Exchange Server 2007 computer. The Client Access server role provides access to the following client applications and protocols: Microsoft Outlook Web Access Exchange ActiveSync Post Office Protocol version 3 (POP3) Internet Messaging Application Protocol version 4 (IMAP4)
The Client Access server role also supports services, such as Autodiscover and Web services. This document provides information that will help you manage the Client Access server role in Exchange 2007. After you install the Client Access server role on a computer that is running Exchange 2007, you can configure and manage the various components of the Client Access server role. The Client Access server role includes the following components: Outlook Web Access By default, Outlook Web Access is installed and enabled in an Exchange 2007 organization that has the Client Access server role installed. There are four Outlook Web Access virtual directories that are created in the Internet Information Services (IIS) Web site on the local Exchange 2007 server that let you manage Outlook Web Access. For more information about how to manage Outlook Web Access, see Managing Outlook Web Access and Managing Outlook Web Access Virtual Directories in Exchange 2007. Exchange ActiveSync By default, Exchange ActiveSync is enabled in Exchange 2007. Exchange ActiveSync enables a user to synchronize a mobile device to the user's Exchange mailbox. For more information about how to manage Exchange ActiveSync, see Managing Exchange ActiveSync. POP3 and IMAP4 By default, POP3 and IMAP4 are installed but not enabled when you install the Client Access server role. You can enable them by starting the POP3 and IMAP4 services. POP3 and IMAP4 enable a variety of clients to connect to the Exchange server. These include Outlook, Outlook Express, and third-party clients such as Eudora. For more information about how to manage POP3 and IMAP4 in Exchange 2007, see Managing POP3 and IMAP4.
11
For More Information

For more information about how to install the Client Access server role, see How to Perform a Typical Installation Using Exchange Server 2007 Setup.
Understanding Client Access Server Management Tasks

There are a variety of management tasks that you can perform on an Exchange 2007 computer that has the Client Access server role installed. You can configure various settings for Exchange ActiveSync, Outlook Web Access, Outlook Anywhere, POP3, and IMAP4 by using the Exchange Management Console and the Exchange Management Shell. In addition, there are also tasks that you can perform by using Internet Information Services (IIS) Manager, the command line, and the Outlook Web Access interface. This section lists many of the management tasks that you can perform and how you can perform them.
Exchange ActiveSync
Table 1 lists the most common management tasks for Exchange ActiveSync and the tool or tools that you can use to perform them. Table 1 Management tasks for Exchange ActiveSync Feature Exchange Management Console Limited Exchange Management Shell Complete Complete Internet Information Services (IIS) Manager Limited Other
Managing virtual directories Enabling and disabling Exchange Active Sync Enabling and disabling Exchange Active Sync for a user
Complete
Complete
12
Configuring synchronization options for users Viewing Exchange Active Sync logs Using device history tracking Creating custom alerts for device history tracking Configuring authentication Configuring Windows Share Point Services a nd Universal Naming Convention (UNC) file access Configuring a device for synchronization Recovering a device password Configuring device password locking Performing a remote device wipe Managing Exchange Active Sync mailbox policies
Limited
Limited
Mobile device
Complete
Limited
Complete
Outlook Web Acc ess user interface
Complete
Limited
Limited Complete
Complete
Mobile device
Complete
Complete
Complete
Complete
Limited
Complete
13
Outlook Web Access

Table 2 lists the most common management tasks for Outlook Web Access and the tool or tools that you can use to perform them. Table 2 Management tasks for Outlook Web Access Feature Exchange Management Console Limited Exchange Management Shell Complete Internet Information Services (IIS) Manager Limited Complete Complete Complete Complete Other
Managing virtual directories Simplifying the URL Configuring redirection Managing file access on public and private computers Configuring WebReady Document Viewing Managing data access Managing Gzip compression Managing Web beacons Managing character settings
Complete
Complete
Complete
Complete Complete Complete Windows Registr y Outlook Web Acc ess user interface
Complete
14
Managing language settings Configuring proxy servers Configuring single user signon Configuring Secure Sockets Layer (SSL) certificates Configuring ISA Server
Complete
Complete Internet Security and Acceleration (ISA) Server or RSA SecurID Complete
ISA Server
Outlook Anywhere
Table 3 lists the most common management tasks for Outlook Anywhere and the tool or tools that you can use to perform them.
Table 3 Management tasks for Outlook Anywhere Feature Exchange Management Console Exchange Management Shell Complete Internet Information Services (IIS) Manager Other
Enabling and disabling users for Outlook Anywhe re
15
Enabling Outlook Anywhe re for your organization Disabling Outlook Anywhe re for your organization Configuring SSL offloading for Outlook Anywhe re-enabled Client Access servers Configuring ISA Server 2006 Installing the RPC over HTTP Windows Networking component
Complete
Complete
Complete
Complete
Complete
Complete
ISA Server 2006 Management Console Add or Remove Programs
POP3 and IMAP4

Table 4 lists the most common management tasks for POP3 and IMAP4 and the tool or tools that you can use to perform them. Table 4 Management tasks for POP3 and IMAP4 Feature Exchange Management Console Exchange Management Shell Complete Internet Information Services (IIS) Manager Other
Configuring Transport Layer Security (TLS) or SSL encryption
16
Configuring authentication Configuring ports for authentication Starting and stopping the POP3 and IMAP4 service Managing calendar options Setting connection limits Configuring IP addresses and ports Setting connection timeout limits Configuring access to Exchange 2003 servers
Complete Complete
Microsoft Management Console (MMC) Services snap-in Complete Complete Complete
Complete
Complete

For more information about how to manage the Client Access Server role, see the following topics: Managing Exchange ActiveSync Managing Outlook Web Access Managing Outlook Anywhere Managing POP3 and IMAP4 Required Permissions to Manage Client Access
17
Required Permissions to Manage Client Access

To perform administrative tasks on a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed, you must have the required permissions for the user account that you are using to log on. Administrative tasks can be delegated or assigned to users by using Exchange 2007 administrative roles. Table 5 summarizes the minimum permissions that are required to perform administrative tasks on a Client Access server. Table 5 Client Access administrator permissions Task Exchange Organization Administrators Exchange Server Administrators Exchange Recipient Administrators X X X Exchange ViewOnly Administrators
GetCASMailbox SetCASMailbox GetClientAccessSe rver SetX ClientAccessSe rver NewX WebServicesVir tualDirectory GetX WebServicesVir tualDirectory RemoveWebServicesVir tualDirectory SetWebServicesVir tualDirectory X
18
NewAutodiscoverVi rtualDirectory RemoveAutodiscoverVi rtualDirectory
Table 6 summarizes the minimum permissions that are required to perform administrative tasks for Exchange ActiveSync. Table 6 Exchange ActiveSync administrator permissions Task Exchange Organization Administrators X Exchange Server Administrators Exchange Recipient Administrators Exchange ViewOnly Administrators
RemoveActiveSyncDevi ce
ClearX ActiveSyncDevi ce NewActiveSyncVirt ualDirectory RemoveActiveSyncVirt ualDirectory GetActiveSyncVirt ualDirectory SetActiveSyncVirt ualDirectory GetActiveSyncDevi ceStatistics getActiveSyncMail boxPolicy X X
19
newActiveSyncMail boxPolicy setActiveSyncMail boxPolicy removeActiveSyncMail boxPolicy ExportActiveSyncLog testActiveSyncCon nectivity
X X
Table 7 summarizes the minimum permissions that are required to perform administrative tasks for Microsoft Office Outlook Web Access. Table 7 Outlook Web Access administrator permissions Task Exchange Organization Administrators Exchange Server Administrators X Exchange Recipient Administrators Exchange ViewOnly Administrators
NewOWAvirtualDire ctory GetOWAVirtualDire ctory SetOwaVirtualDire ctory RemoveOWAVirtualDire ctory
Table 8 summarizes the minimum permissions that are required to perform administrative tasks for POP3 and IMAP4.
20
Table 8 POP3 and IMAP4 administrator permissions Task Exchange Organization Administrators Exchange Server Administrators X X X X Exchange Recipient Administrators Exchange ViewOnly Administrators
GetPOPSettings SetPOPSettings GetIMAPSettings SetIMAPSettings
Important: Logging on to a computer by using full administrative credentials may pose a security risk to the computer and network. Therefore, as a security best practice, do not log on to a computer by using full administrative credentials when you want to perform routine administrative tasks. Instead, you can use the Secondary Logon service or the Run as command to start applications or additional commands in a different security context without having to log off the computer. The Run as command prompts you to enter different credentials before the application or command can run. For more information about the Run as command, see Using Run as in the Windows Server 2003, Standard Edition online Help.

For more information about how to configure permission in Exchange 2007, see Configuring Permissions. For more information about permission considerations in Exchange 2007, see Permission Considerations.
Services Used by a Client Access Server

This section describes the services that are used by a Microsoft Exchange Server 2007 computer that has the Client Access server role installed. Depending on the protocols that are made available on the Client Access server and the Client Access method or methods that are used to access the Client Access server, some or all the following Exchange services may be required.
21
Enabling Services
To enable services that are used by a Client Access server, use the Services snap-in in Microsoft Management Console (MMC). Table 9 shows the Exchange services that may be required.
Table 9 Services that may be required by a Client Access server Service name W3SVC MSExchangeADTopology Display name World Wide Web Publishing Service Microsoft Exchange Active Directory Topology Service Comments This service is required and must be started. This service provides Active Directory topology information to several Exchange Server components. This service does not have any dependencies. By default, this service is stopped. For clients to use POP3 to connect to Microsoft Exchange, this service must be started. This service depends on the Microsoft Exchange Active Dir ectory Topology service. By default, this service is stopped. For clients to use IMAP4 to connect to Microsoft Exchange, this service must be started. This service depends on the Microsoft Exchange Active Dir ectory Topology service.
POP3Svc
Microsoft Exchange POP3
IMAP4Svc
Microsoft Exchange IMAP4
22
IISAdmin
Internet Information Services Admin Service
This service manages the Internet Information Services (IIS) metabase and provides support for the World Wide Web Publishing Service (W3SVC) service, the POP3 service, and the IMAP4 service, which are required by the Client Access server. IIS Admin also supports other applications, such as the metabase update service, which is an internal component of the system attendant. This service configures the RPC virtual directory in IIS and registry data for Outlook Anywhere. This service depends on the Microsoft Exchange Active Dir ectory Topology service. This service is used to distribute offline address book and custom Unified Messaging prompts. This service depends on the Microsoft Exchange Active Dir ectory Topology service.
MSExchangeServiceHost
Microsoft Exchange Service Host
MSExchangeFDS
Microsoft Exchange File Distribution Service

For more information about the services that are required by Exchange 2007, see Services Installed by Exchange Setup.
Managing Outlook Web Access

This section provides an overview of administration for Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007.
23
Exchange 2007 Outlook Web Access offers significant improvements over earlier versions. These include new features for administering Outlook Web Access and a user interface that offers richer functionality and is easier to use. For more information about the improvements in Outlook Web Access, see Client Features in Outlook Web Access. New features, such as segmentation and explicit logon, are available only when you use an Exchange 2007 computer that is running the Client Access server role to connect to an Exchange 2007 server that is running the Mailbox server role.
Tools for Managing Outlook Web Access

Table 10 lists the tools that you can use to configure and manage Outlook Web Access in Exchange 2007. Table 10 Tools for managing Outlook Web Access Tool Exchange Management Console Description This graphical user interface is used to manage an Exchange 2007 organization. The Exchange Management Console can be used to manage the most common settings for Outlook Web Access. This command-line interface for Exchange Server and the associated command-line plug-ins automate administrative tasks and management for many features that are not included in the Exchange Management Console. IIS Manager is used to manage user access to the Outlook Web Access virtual directories, for example, simplifying the URL and forcing users to use an HTTPS address. Some Outlook Web Access settings, such as the ConnectionCacheSize and MaxRequestLength values, must be configured by modifying Web.config because these settings are specific to ASP.NET. Web.config should be modified only by using tools such as Notepad. If you modify web.config by using IIS, you will corrupt the file.
Exchange Management Shell
Internet Information Services (IIS) Manager
Web.config
24
Registry Editor
Some Outlook Web Access configuration settings, such as the PublicClientTimeout, TrustedClientTimeout, and SSLOffloaded values must be configured by using Registry Editor. Caution: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
Administrative Tasks for Managing Outlook Web Access

Table 11 lists the configuration and management tasks that you can perform for Outlook Web Access. Table 11 Configuration and management tasks for Outlook Web Access Task Configure the virtual directories that are created for Web access to Exchange content Description When you install the Client Access server role on your Exchange server, four virtual directories are created in the default Internet Information Services (IIS) Web site on the Exchange 2007 server. Link For more information about how to configure these virtual directories for Outlook Web Access, see Managing Outlook Web Access Virtual Directories in Exchange 2007.
25
Simplify the Outlook Web Access URL
By using IIS Manager, you can simplify the Outlook Web Access URL that users use to access Outlook Web Access. For more information about how to simplify the Outlook Web Access URL , see How to Simplify the Outlook Web Access URL. You can configure what types of attachments can be accessed by using Outlook Web Access and how those attachments are displayed. You can configure authentication methods, such as standard and forms-based authentication, for Outlook Web Access. You can configure the default language and character settings for an Outlook Web Access virtual directory. For more information about how to modify attachment handling settings for Outlook Web Access, see Managing File and Data Access for Outlook Web Access. For more information about how to configure authentication for Outlook Web Access, see Managing Outlook Web Access Security. For more information about how to configure the language and character settings for Outlook Web Access, see How to Configure Language Settings for Outlook Web Access. For more information about how to configure Gzip compression, see How to Configure Gzip Compression Settings.
Modify attachment handling settings
Configure authentication methods
Modify language and character handling settings
Configure Gzip compression settings
Gzip enables data compression. By using Gzip, you can improve performance for users who are using Outlook Web Access over slow network connections.
26
Disable Web beacons
Outlook Web Access prevent s senders from using Web beacons in junk e-mail messages to retrieve e-mail addresses. You can enable or disable specific Outlook Web Access features according to the needs of your organization. Windows SharePoint Service s and Windows file share integration is a new feature in Outlook Web Access Premi um that provides access to documents in Windows SharePoint Servi ces document libraries and Windows file shares.
For more information about how to disable Web beacons, see How to Control Web Beacon and HTML Form Filtering for Outlook Web Access. For more information about segmentation of Outlook Web Access features , see How to Manage Segmentation in Outlook Web Access. For more information, see Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access.
Configure segmentation settings
Configure Microsoft Windows SharePoi nt Services and Windows file share integration
Monitor Client Access servers Monitoring tools and techniques let you determine your system's health and identify potential issues before a problem occurs.
Managing Outlook Web Access Virtual Directories in Exchange 2007

This section describes how to manage Outlook Web Access virtual directories for Exchange 2007.
Outlook Web Access Virtual Directories

When you install the Client Access server role on your Exchange server, four Outlook Web Access virtual directories are created in the default Internet Information Services (IIS) Web site on the Exchange server. You can manage these virtual directories by
27
using the Exchange Management Shell, the Exchange Management Console, and Internet Information Services (IIS) Manager. Table 12 describes the Exchange 2007 Outlook Web Access virtual directories. Table 12 Exchange 2007 Outlook Web Access Virtual Directories Name /owa Description This virtual directory is used by Outlook Web Access when accessing mailboxes on Exchange 2007 mailbox servers. This virtual directory is used to access public folders by using the Outlook Web Access application for mailboxes that are located on computers that are running Exchange 2007, Exchange Server 2003, or Exchange 2000 Server. Only public folders that are on servers that are running Exchange 2003 or Exchange 2000 will be available through Outlook Web Access. Users must connect to the /Public virtual directory to view public folders. Public folders are not available through the URL that is used to log on to an Exchange mailbox by using Outlook Web Access. This virtual directory is used with the Outlook Web Access application for mailboxes on computers that are running Exchange 2003 or Exchange 2000.
/Public
/Exchweb
28
/Exchange
This virtual directory is used by Outlook Web Access when accessing mailboxes on computers that are running Exchange 2003 or Exchange 2000. If your organization includes Exchange 2000 or Exchange 2003 mailboxes in addition to Exchange 2007 mailboxes, all users can access Outlook Web Access through the /Exchange virtual directory. The Client Access server will automatically redirect Exchange 2007 mailbox users to the /owa virtual directory. Note: If the server that hosts the Client Access server role also hosts the Mailbox server role, users who use the /Exchange virtual directory will be redirected to the /owa virtual directory, which cannot be used by Exchange 2000 or Exchange 2003 mailboxes. If you must support Outlook Web Access access to Exchange 2000 or Exchange 2003 mailboxes, do not install the Client Access and Mailbox roles on the same Exchange 2007 server.
/Exadmin
This virtual directory can access the same folders that are available through other virtual directories and is used to change administrative settings and properties. Only users who have administrative permissions can access the /exadmin virtual directory.
Configuring Outlook Web Access Virtual Directories

Exchange 2007 supports the following topology configurations:
29
Exchange 2007 on Client Access servers and Mailbox servers.
Exchange 2007 on Client Access servers and back-end servers that are running Exchange 2003 or Exchange 2000. In most Exchange 2007 deployments, the default Outlook Web Access virtual directories that are created during installation are sufficient for most organizations. You may not have to create new Outlook Web Access virtual directories. Generally, new Outlook Web Access virtual directories are created by businesses that provide hosting or for troubleshooting issues, such as the deletion and re-creation of Outlook Web Access virtual directories. Perform the following tasks on Outlook Web Access virtual directories depending on the needs of your organization. Create a new Outlook Web Access virtual directory You can use the Exchange Management Shell to create a new Outlook Web Access virtual directory. For more information, see How to Create an Outlook Web Access Virtual Directory in Exchange 2007. Note: When the Client Access server role is installed, all the Outlook Web Access virtual directories are installed under the default Web site. All new virtual directories are installed under the default Web site unless a different Web site is specified when the virtual directory is created. View properties on an Outlook Web Access virtual directory You can use the Exchange Management Shell and the Exchange Management Console to view the properties of an Outlook Web Access virtual directory. For more information, see How to View Properties of an Outlook Web Access Virtual Directory.

For more information about how to install the Client Access server role, see Deploying Server Roles. For more information about how to access public folders through Outlook Web Access, see How to Allow Users to Access Public Folders from Outlook Web Access. For information about how to manage Outlook Web Access virtual directories, see: How to Create an Outlook Web Access Virtual Directory in Exchange 2007 How to View Properties of an Outlook Web Access Virtual Directory How to Modify Properties on an Outlook Web Access Virtual Directory How to Remove an Outlook Web Access Virtual Directory
30
For information about Outlook Web Access URLs, see Managing Outlook Web Access URLs. For more information about how to use the /exadmin virtual directory, see Using the Administrative Virtual Root.
How to Create an Outlook Web Access Virtual Directory in Exchange 2007

This section explains how to use the Exchange Management Shell to create an Outlook Web Access virtual directory in Microsoft Exchange Server 2007. By default, when Exchange 2007 is installed, a new virtual directory named "owa" is created in the default Web site in Internet Information Services (IIS). Alternatively, when you run the New-OWAVirtualDirectory cmdlet in the Exchange Management Shell, a new virtual directory named "owa" is created in the default IIS Web site on the local Exchange 2007 server. To create a new Outlook Web Access virtual directory, the following conditions must be true: The local Exchange 2007 server has the Client Access server role installed. There is a default IIS Web site, for example, /w3svc/1/root. An Outlook Web Access virtual directory named "owa" does not already exist.
If you have to create a new virtual directory for Outlook Web Access, make sure that users are aware of the changes you are making. You will be interrupting mail flow for your users. Important: When the default owa virtual directory is created, both forms-based authentication and Secure Sockets Layer (SSL) encryption are enabled. However, when you create a new virtual directory by using the New-OWAVirtualDirectory cmdlet, FBA and SSL encryption are not enabled.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. For more information about the Outlook Web Access virtual directories in Exchange 2007, see Overview of Outlook Web Access.
31
For more information about how to configure Outlook Web Access virtual directories, see Managing Outlook Web Access Virtual Directories in Exchange 2007. To use the Exchange Management Shell to create an Outlook Web Access virtual directory To create an Outlook Web Access virtual directory, run the following command: New-OWAVirtualDirectory -OwaVirtualDirectory -OWAVersion "ExchangeVersion" -VirtualDirectoryType Mailboxes -Name "VirtualDirectoryName" -Website "Contoso.com" In the previous procedure, a new Outlook Web Access virtual directory is created under the contoso.com Web site. For more information about syntax and parameters, see New-OwaVirtualDirectory.

For more information about the tools that you can use to manage Outlook Web Access and the administrative tasks that you can perform on Outlook Web Access, see Managing Outlook Web Access.
How to View Properties of an Outlook Web Access Virtual Directory

This section explains how to use the Exchange Management Console and the Exchange Management Shell to view the properties for a Microsoft Office Outlook Web Access virtual directory or for virtual directories in Microsoft Exchange Server 2007. You can use the Exchange Management Console or the Exchange Management Shell to view these properties. If you use the Exchange Management Shell to view the properties for an Outlook Web Access virtual directory, the information returned is a subset of the information that is available. For example, if you use the Get-OWAVirtualDirectory command to view properties, Exchange returns the following information: Virtual directory name Server name Exchange server version
You can also retrieve information for a specific virtual directory on a specific server by using the parameters that are available for the command. For more information about the GetOWAVirtualDirectory command parameters, see Get-OWAVirtualDirectory.
32
If you use the Exchange Management Console to view the properties for an Outlook Web Access virtual directory, you will be able to view a complete set of properties for the Exchange server that you are on.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to view the properties for an Outlook Web Access virtual directory 1. In the Exchange Management Console, click Server Configuration, and then click Client Access. 2. In the work pane, select owa (Default Web Site), and then, in the action pane, select Properties. To use the Exchange Management Shell to view the properties for an Outlook Web Access virtual directory or virtual directories To view properties for all Outlook Web Access virtual directories in all Internet Information Services (IIS) Web sites on all computers that have the Client Access server role installed in an Exchange organization, run the following command: Get-OWAVirtualDirectory To view properties for an Outlook Web Access virtual directory on the default IIS Web site on the local Exchange server, run the following command: Get-OWAVirtualDirectory -identity "<Exchange Server Name>\owa (default web site)" To view properties for all Outlook Web Access virtual directories on an IIS Web site on a specific Exchange server, run the following command: Get-OWAVirtualDirectory -server <Exchange Server Name> To view the values of the properties for every Outlook Web Access virtual directory in all IIS Web sites on all Client Access servers in an Exchange organization, run the following command: Get-OWAVirtualDirectory | format-list For more information about syntax and parameters, see Get-OWAVirtualDirectory.
33

For more information about how to configure settings in Outlook Web Access, see Managing Outlook Web Access Virtual Directories in Exchange 2007.
How to Modify Properties on an Outlook Web Access Virtual Directory

This section explains how to use the Exchange Management Console or the Exchange Management Shell to modify the properties of an Outlook Web Access virtual directory.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to modify the properties on an Outlook Web Access virtual directory 1. In the Exchange Management Console, select Server Configuration, and then select Client Access. 2. On the Outlook Web Access tab, open the properties of the virtual directory that you want to modify. 3. Click the appropriate tab. 4. Make the changes that you want. 5. Click OK to save your changes and close the properties window. To use the Exchange Management Shell to modify the properties on an Outlook Web Access virtual directory Open the Exchange Management Shell and run the SetOwaVirtualDirectory cmdlet. Include the parameters and values that you want in the cmdlet. For example, to turn on forms-based authentication on the virtual directory named "owa" on the default Internet Information Services (IIS) Web site, run the following command: Set-owavirtualdirectory -identity "owa (default web site)" -FormsAuthentication:$true
34
For more information about syntax and parameters, see Set-OwaVirtualDirectory.

For more information about how to modify Outlook Web Access virtual directories, see: Managing Outlook Web Access Virtual Directories in Exchange 2007 Managing File and Data Access for Outlook Web Access Managing Outlook Web Access Advanced Features
Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access Configuring Forms-Based Authentication for Outlook Web Access Configuring Standard Authentication Methods for Outlook Web Access
How to Remove an Outlook Web Access Virtual Directory

This section explains how to use the Exchange Management Shell to remove an Outlook Web Access virtual directory.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Do not use Internet Information Services (IIS) Manager to remove an Outlook Web Access virtual directory. Using IIS Manager to remove an Outlook Web Access virtual directory may result in what is known as an "orphan" virtual directory. Instead, use the procedure in this section. You can also use this procedure to remove orphan virtual directories. If the last Outlook Web Access virtual directory to be removed was an orphan virtual directory, you must manually remove the Outlook Web Access ISAPI filter from the associated Web site. To use the Exchange Management Shell to remove an Outlook Web Access virtual directory To delete a virtual directory named Legacy from a site named "second Web site"
35
on the server named Contoso, run the following command: Remove-OwaVirtualDirectory -identity "Contoso\Legacy (second Web site)"
To use the Exchange Management Shell to find orphan virtual directories To find any orphan virtual directories, run the following command: Get-OwaVirtualDirectory | ? { ! [DirectoryServices.DirectoryEntry]::Exists($_.MetabasePath) }
To use IIS Manager to remove the ISAPI filter when the last Outlook Web Access virtual directory to be removed was an orphan 1. Open IIS Manager. 2. Navigate to the Web site that hosted the Outlook Web Access virtual directory, right-click the Web site name, and then select Properties. 3. Select the ISAPI filters tab. 4. Remove the Exchange OWA Cookie Authentication ISAPI filter entry. For more information about syntax and parameters, see Remove-OWAVirtualDirectory.

For more information about how to manage Outlook Web Access virtual directories, see Managing Outlook Web Access Virtual Directories in Exchange 2007.
Managing Outlook Web Access URLs

Microsoft Office Outlook Web Access in Exchange Server 2007 enables users to read and manage the contents of Exchange 2007, Microsoft Exchange Server 2003, and Microsoft Exchange 2000 Server mailboxes from most Internet browsers. You can use Internet Information Services (IIS) Manager to manage the default URLs to make connecting to Outlook Web Access more secure and easier for users.
Default Outlook Web Access URL

When you install the Client Access server role on an Exchange 2007 server, four virtual directories are created for Outlook Web Access. These virtual directories are named owa, Exchange, ExchWeb, and Public. For more information about these virtual directories, see Managing Outlook Web Access Virtual Directories in Exchange 2007.
36
The default URL for Outlook Web Access for mailboxes on an Exchange 2007 server is http://<servername>/owa. For mailboxes on Exchange 2003 or Exchange 2000 servers, the default URL is http://<server name>/exchange. Note: If a user whose mailbox is on an Exchange 2007 server enters the URL that ends with /exchange, the Client Access server will automatically redirect the connection to the URL that ends with /owa. However, a user whose mailbox is on an Exchange 2000 or Exchange 2003 server must use the URL that ends with /exchange.

For more information about how to manage Outlook Web Access URLs, see: How to Configure Outlook Web Access Virtual Directories to Use SSL
How to Enable Explicit Logons in Outlook Web Access

This section explains how to use the Exchange Management Shell to grant access to a user to open another user's mailbox or a resource mailbox.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
About Explicit Logon

Explicit logon enables a user to open another user's mailbox or a resource mailbox by using Outlook Web Access. To use this feature, the user must have Full Access permissions to the mailbox to be opened. Full Access does not give the user Send As permission or Delegate access to the mailbox.
37
When explicit logon is used to open a resource mailbox in Outlook Web Access, there will be a set of options available to manage that resource. To use the Exchange Management Shell to grant full access to a mailbox To grant full access to the mailbox named TestA to the user named TestB, run the following command: Add-MailboxPermission -identity TestA -User TestB -AccessRights FullAccess
To open any mailbox from a URL 1. Open a Web browser. 2. Enter the URL for your organization's Outlook Web Access, and then add the SMTP address of the mailbox that you want to open to the end of the URL. For example, to open the mailbox conferenceroom@contoso.com, you would enter <Outlook Web Access URL>/conferenceroom@contoso.com. A mailbox can have more than one SMTP address. You can use any of them to open the mailbox. 3. Log on by using your user name and password. Note: To use this procedure, you must have Full Access permissions for the mailbox that you want to open. To open another user's mailbox or a resource mailbox from Outlook Web Access 1. Log on to Outlook Web Access. 2. At the top of the Outlook Web Access window, click your mailbox name to open the Open Other Mailbox window. 3. Enter the name of the mailbox that you want to open, and then click Open. Note: To open another user's mailbox or a resource mailbox, your mailbox and the mailbox that you are opening must be Exchange 2007 mailboxes. For more information about syntax and parameters, see add-MailboxPermission.

For more information about mailbox permissions, see: How to Grant Send As Permissions for a Mailbox How to Allow Mailbox Access
38
For more information about resource mailboxes, see Managing Resource Scheduling.
How to Simplify the Outlook Web Access URL

This section explains how to simplify the Microsoft Office Outlook Web Access URL in Microsoft Exchange Server 2007. By using Internet Information Services (IIS) Manager, you can simplify the Outlook Web Access URL that users use to access their mailbox. The first procedure in this section configures a request that is sent to the root of the Web server (https://server name) to redirect to the Exchange virtual directory. For example, a request to https://server/ is directed to https://server/owa for an Exchange 2007 server or to https://server/exchange for an Exchange Server 2003 server. The second procedure redirects a request to http://server to https://server/owa for an Exchange 2007 server or to https://server/exchange for an Exchange 2003 server. To help secure the information that is sent between the client and the server, the default Web site is set to require Secure Sockets Layer (SSL) at installation. To simplify access to Outlook Web Access for your users, you may want to configure the Outlook Web Access Web page, which is usually the default Web site in IIS, to automatically redirect users to https.
Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use IIS Manager to simplify the Outlook Web Access URL 1. Open IIS Manager, and then navigate to Web Sites/Default Web Site. Rightclick Default Web Site, and then click Properties. 2. Click the Home Directory tab, and then click the A redirection to a URL option. 3. In Redirect to, type /directory name. For example, to redirect https://server name requests to https://server name/exchange, in Redirect to, type /exchange. If all the mailboxes that will be accessed by using Outlook Web Access are located on Exchange 2007 servers, you can replace /exchange with /owa. Doing
39
this will redirect all requests to https://server name to https://servername/owa. 4. In the The client will be sent to: list, select A directory below URL entered. Note: To access other mailboxes, users must enter the full URL, including the user name. Note: The server name in the URL must be what users type into their browsers to reach Outlook Web Access, and might differ from the host name of the Client Access server, depending on the topology of the network. To use IIS Manager to simplify the Outlook Web Access URL and redirect users to https 1. Create the following file in Notepad and save it to drive:\inetpub\wwwroot as SSLRedirect.htm, replacing <server name> with the name of your Client Access server: <html> <head> <title>HTML Redirection to https:</title> <META HTTP-EQUIV="Refresh" CONTENT="1; URL=https://<servername>/exchange"> </head> <body> This page is attempting to redirect you to <a href="https:// <servername>/exchange/">https:// <servername>/exchange</a><br> If you are not redirected within a few seconds, please click the link above to access Outlook Web Access. </body></html> 2. Open IIS Manager, and then navigate to Web Sites/Default Web Site. Rightclick Default Web Site, and then click Properties. 3. Click the Home Directory tab, and then select A redirection to a URL. 4. In Redirect to, enter /Exchange. 5. Select The client will be sent to: A directory below the URL entered above. 6. Click the Custom Errors tab, and then find HTTP Error 403;4 in the table. Click 403;4 to select it, and then click Edit. 7. Click Browse to locate the file that you created at the start of this procedure. 8. Click OK to save your changes. 9. Open a Command Prompt window, and then type iisreset /noforce to restart IIS.
40

For more information about how to manage Outlook Web Access, see Managing Outlook Web Access. For more information about how to manage Client Access, see Managing Client Access.
How to Use Outlook Web Access Web Parts

This section describes Microsoft Office Outlook Web Access Web Parts and explains how to use them to open specific folders. You can use Outlook Web Access Web Parts to specify the mailbox to open, the folder within that mailbox to open, and the content view to use. Outlook Web Access Web Parts let you access Outlook Web Access content directly from a URL. The URL can be entered into a Web browser or embedded in an application. Generally, Web Parts are not created manually. Instead, they are created programmatically based on selections made in a user interface (UI), or they are embedded directly in an application, such as a Microsoft Office SharePoint Server 2007 page. The code behind the UI then creates the URL. One use for Outlook Web Access Web Parts is to display a user's Inbox or Calendar in an Office SharePoint Server 2007 page. Note: To use Outlook Web Access Web Parts, both the user's mailbox and the mailbox being opened through a Web Part must be in the same Active Directory forest.
Permissions for Using Outlook Web Access Web Parts

To use Outlook Web Access Web Parts, you must, at a minimum, be delegated "Reviewer" access to the content that you are opening. If you have embedded an Outlook Web Access Web Part that requires authentication into an application, you must pass authentication information through together with the request for the Web Part. One way to do this is by configuring the Outlook Web Access virtual directory to use Integrated Windows authentication. Integrated Windows authentication lets users who have already logged on by using their Active Directory account use Outlook Web Access without having to enter their credentials again.
41
Outlook Web Access Web Parts Syntax

Exchange 2007 Outlook Web Access has a new URL format to use for requests to the /owa virtual directory. These requests can be made by typing a URL directly into a Web browser or by embedding the URL in a Web application, such as an Office SharePoint Server page. Outlook Web Access Web Parts can be used to create URLs of varying complexity. A simple Web Part URL can be used to open the Inbox of any mailbox. A more complex Web Part URL could be used to specify the mailbox to open, the folder within that mailbox to open, and the content view to use. For example, the simple Web Part URL https://<server name>/owa/?cmd=contents will open the Inbox of the mailbox that is determined by the user's logon. The more complex Web Part URL https://<server name>/owa/<SMTP address>/?cmd=contents&f=inbox %2fProjects&view=by%20subject will open the mailbox that is specified by the SMTP address to the subfolder Projects, sorted by subject. Depending on the security measures that have been applied to your network, you may have to configure encoding for the Web Parts URL. After you configure the encoding, the code behind the UI will create the URL by using the URL-encoded parameters. URL-encoded parameters use %20 in place of spaces and %2f in place of the path delimiter "/". All examples in this section use encoded parameters. Supported Microsoft Exchange 2000 and Exchange 2003 Web Parts are automatically translated to Exchange 2007 Web Parts. Table 13 lists the parameters of a Web Part and examples of how they are used. Table 13 Web Part parameters and how they are used URL parameter Server name and directory (required) Description The URL of the Outlook Web Access virtual directory. Values and examples This may be the same URL that users use to log on to Outlook Web Access, for example: https://<server name>/owa
42
Exchange 2007 explicit logon mailbox identification (optional)
Any SMTP address that is associated with the mailbox to be opened. If this section of the URL is missing, the default mailbox of the authenticated user is opened. If no additional parameters are specified, the default behavior is to open the Inbox.
To open the mailbox with the SMTP address tsmith@fourthcoffee.com, use: https://<server name>/owa/tsmith@fourthcoff ee.com
cmd (required if you are specifying any parameter other than the explicit logon mailbox identification)
?cmd=contents displays the Outlook Web Access Web Part that is specified by the parameters instead of the full Outlook Web Access user interface.
If no mailbox is specified, this parameter follows the server directory: https://<server name>/owa/? cmd=contents If a mailbox is specified, this parameter follows the explicit mailbox identification: https://<server name>/owa/<SMTP address>/?cmd=contents If no additional parameters are specified, the default behavior is to open the Inbox.
id (optional)
The folder ID of the folder from which the Web Part should display contents. This can be obtained by using Web services and can be used in applications to dynamically select which folder to open.
The folder ID is the Base64encoded PR_ENTRY_ID of the folder: https://<server name>/owa/? cmd=contents&id=<PR_ENT RY_ID>
43
f (optional)
A string that specifies the mailbox folder to be shown in the Web Part. The Web Part URL may have to be written by using URL encoding so that it can pass through firewalls. When you use URL encoding, a space becomes %20, and a path delimiter (/) becomes %2f. The folder hierarchy should start from the mailbox root. This folder path can point to ordinary folders or search folders.
To open the subfolder Projects in the Inbox, use: https://<server name>/owa/? cmd=contents&f= inbox %2fprojects
module (optional)
This parameter can be used to specify any of the four default folders without knowing the localized name.
Values for the module parameter are not case sensitive, and include the following: Inbox Calendar Contacts Tasks
To open the calendar of a mailbox regardless of localization: https://<server name>/owa/? cmd=contents&module=calen dar
44
view (optional)
This parameter specifies the view to be displayed for the folder. The default views when this parameter is not present are as follows: s Calendar Daily Messages Message
The views available vary according to the folder type. Calendar views: Daily The daily calendar view Weekly The weekly calendar view Message views: Messages One line message view, with default sort By%20Sender One line message view sorted by From with sender names that begin with "a" on top By%20Subject One line message view sorted by Subject with subjects that begin with "a" on top By%20Conversation %20Topic Conversation View, available only in Outlook Web Access Pre mium Two%20Line Two line message view, with default sort, available only in Outlook Web Access Pre mium
Contacts Two %20Line Tasks By%20Due %20Date Note: The strings for the default views are automatically URL encoded. The default sort for a view is the way the folder would be sorted if it was opened in the Outlook Web Access client. Exchange 2003 Web Part views that are not supported in Exchange 2007 are as follows: Calendar Monthly
Contacts Address card and detailed address card
Contact Views: Messages Unread by conversation topic and Phone%20List One sent to. line contact view, with default sort The strings identifying the views are not localized and not case sensitive. Two%20Line Two line contact view with default sort, available only in 45
d, m, y (optional)
Specifies the date for which the calendar should be displayed. These parameters can be entered in any order and can be used singly or together. If any of these parameters are not specified, the default values are the current day, month, and year values. For example, if the current day is May 3, 2007 and you specify a month value of "9" for September, the date displayed will be September 3, 2007.
The valid values for the data parameters are as follows: d=[1-31] m=[1-12] y=[four digit year] To open a calendar to the date May 3, 2007, you would use https://<server name>/owa/? cmd=content&f=calendar&vie w=daily&d=3&m=5&y=2007
part (optional)
Specifies that Outlook Web Access should display a smaller Web Part.
When you use Web Parts to access Outlook Web Access content, the UI that is displayed will be smaller than the full Outlook Web Access UI. The part parameter reduces the UI further. This example shows the tasks list in the smallest Web Part format: https://<server name>/owa/? cmd=contents&f=tasks&part= 1 Figures 1 and 2 show the UI that Outlook Web Access will display with and without part=1 applied to the Tasks Web Part.
46
Figure 1 shows the Outlook Web Access Tasks Web Part without the parameter part=1. Figure 1 Web Part URL without Part=1
47
Figure 2 shows the Outlook Web Access Tasks Web Part with the parameter part=1. Figure 2 Web Part URL with Part=1
You can use multiple parameters to specify the folder to be displayed and the format to display it in. If more than one folder parameter is used, the precedence order is id, f, and then module. If none of these parameters is present, the Inbox will be shown by default. Note: If a feature has been turned off by using segmentation, that feature will not be available as a Web Part. For example, if the Outlook Web Access calendar has been disabled, you will not be able to access calendars by using Outlook Web Access Web Parts.
48
Using Outlook Web Access Web Parts Manually

Outlook Web Access Web Parts can be also be entered manually in a Web browser. For example, a user can use an Outlook Web Access Web Part URL to open another user's calendar. To open a specific calendar in Weekly view: 1. Open a Web browser window. 2. Enter the URL for Outlook Web Access and add the following string to the end of the URL: <mailbox SMTP address>/?cmd=contents&f=calendar&view=weekly. 3. Enter logon credentials, if you are prompted to do this. For example, if the URL of Outlook Web Access is https://email.fourthcoffee.com/owa, then https://email.fourthcoffee.com/owa/tsmith@fourthcoffee.com/? cmd=contents&f=calendar&view=weekly will open the calendar that belongs to the user tsmith in Weekly view.

For more information about Web Parts and how to plan Web pages, see the following: Web Parts (How Do Iin Windows SharePoint Services) Plan Web pages
For more information about Outlook Web Access authentication, see the following: Configuring Standard Authentication Methods for Outlook Web Access How to Configure Integrated Windows Authentication
Managing File and Data Access for Outlook Web Access

You can manage the different ways users access information in Microsoft Office Outlook Web Access by using the Exchange Management Console.
WebReady Document Viewing

Microsoft Exchange Server 2007 includes a new feature named WebReady Document Viewing. WebReady Document Viewing lets users view common file types in the Outlook Web Access Web browser without having the applications associated with those file types installed on the computer they are using.
49
Users can view the following kinds of files by using WebReady Document Viewing: .doc .pdf .ppt .xls
Additionally, the supported MIME types are as follows: application/pdf application/vnd.ms-excel application/vnd.ms-powerpoint application/word application/x-mspowerpoint application/x-msexcel
For more information about how to manage WebReady Document Viewing for users, see How to Manage WebReady Document Viewing.
Public and Private Computer File Access

In addition to file access within Outlook Web Access, you can also configure how users interact with files by using the Allow, Block, or Force Save options for direct file access in the Exchange Management Console. This means that you can specify the types of files that users can access. More important, you can directly specify which types of files are prohibited. For more information about how to manage public and private computer file access, see How to Manage Public and Private Computer File Access.
Data Access Using Outlook Web Access

Using Outlook Web Access, you can access remote files that are stored on both Windows SharePoint Services (WSS) and Windows file share (also known as UNC) servers. You can configure how users interact with files on these servers by using the Allow and Block options in the Exchange Management Console. This means that you can specify which servers your users can access. You can also specify the behavior for WSS and Windows file share servers that have not been specifically allowed or blocked when users try to access them using Outlook Web Access. For more information about how to manage data access for Outlook Web Access, see Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access.
50

For more information about how to manage Outlook Web Access on the computer that is running Microsoft Exchange Server 2007, see Managing Outlook Web Access.
How to Manage Public and Private Computer File Access

This section explains how to manage direct file access for Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007 for both public and private computers. Direct file access lets users open files that are attached to e-mail messages, and files that are stored in Microsoft Windows SharePoint Services document libraries and in Windows file shares. By default, public computer direct file access is enabled for new installations and upgrades of Outlook Web Access. Therefore, when users in your organization select This is a public or shared computer or This is a private computer on the Outlook Web Access logon page, they will be able to access files that are attached to e-mail messages. When you enable private or public computer file access for users, you can use the Exchange Management Console to specify individual file types and MIME types. Table 14 lists the file name extensions and MIME types that, by default, are set to Allow, Block, or Force Save for the \owa virtual directory. Allow File and MIME types in the Allow list can be opened from Outlook Web Access, if the application that is needed to open the files is installed on the client computer. Allow overrides Block and Force Save. Block File and MIME types in the Block list cannot be opened. Block overrides Force Save, and is overridden by Allow. Force Save File and MIME types in the Force Save list must be saved to the client computer before they can be opened. Force Save is overridden by Allow and Block. Note: Although it appears that you can set the values for private and public computer access individually, you cannot. When you specify behavior for private access, you also set it for public access. Table 14 Default file name extensions and MIME values for the Allow, Block, and Force Save settings for the \owa virtual directory Option Description Default file name extensions Default MIME types
51
Allow
This option specifies the file types that are always enabled for direct file access.
.rpmsg, .xlsx, image/jpeg, .xlsm, .xlsb, .pptx, image/png, image/gif, .pptm, .ppsx, image/bmp .ppsm, .docx, .docx, .docm, .xls, .wmv, .wma, .wav, vsd, .txt, .tif, .rtf, .pub, .ppt, .png, .pdf, .one, .mp3, .jpeg, .gif, .doc, .bmp, .avi .ade, .adp, .asx, .app, .asp, .aspx, .asx, .asx, .bas, .bat, .cer, .chm, .cmd, .com, .cpl, .crt, .csh, .dir, .dcr, .der, .exe, .fxp, .hlp, .hta, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc,.msh, .msh1, .mshxml, .msh1xml, .msi, .msp,.mst, .ops, .pcd, .pif, .plg, .prf,.prg, .ps1, .ps2, .psc1, .psc2, .ps1xml, .ps2xml, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .spl, .swf, .tmp, .url, .vb, .vbe, .vbs, .vsmacros, .vss, .vst, .vsw, .ws, .wsc, .wsf, .wsh, .xml application/xjavascript, application/javascript, application/msaccess, x-internet-signup, text/javascript, application/prg, application/hta, text/scriptlet
Block
This option specifies the file types that are always blocked from direct file access.
52
Force Save
This option specifies the files that users can access only after they have saved them to the local computer.
.vsmacros, .mshxml, .aspx, .xml, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe, .url, .tmp, .swf, .spl, . shs, .shb, .sct, .scr, .scf, .reg, .pst, .prg, .prf, .plg, .pif, .pcd, .ops, .mst, .msp, .msi, .msh, .msc, .mdz, .mdw, .mdt, .mde, .mdb, .mda, .maw, .mav, .mau, .mat, .mas, .mar, .maq, .mam, .mag, .maf, .mad, .lnk, .ksh, .jse, .its, .isp, .ins, .inf, .hta, .hlp, .fxp, .exe, .dir, .dcr, .csh, .crt, .cpl, .com, .cmd, .chm, .cer, .bat, .bas, .asx, .asp, .app, .adp, .ade, .ws, .vb, .js
Application/xshockwave-flash, Application/octetstream, Application/futurespla sh, Application/xdirector, Application/xml, text/xml
There is also a default setting for unknown file types. You can set the setting for unknown file types to one of the following values: Allow Block Force Save
Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
53
To use the Exchange Management Console to configure Direct File Access policy settings for Outlook Web Access 1. In the Exchange Management Console, click Server Configuration, and then click Client Access. 2. In the action pane, in Outlook Web Access, click Properties. 3. On the Outlook Web Access Properties page, click either the Public Computer File Access tab or the Private Computer File Access tab. 4. Under Direct file access, select the check box next to Enable direct file access to let users download attachments. 5. To modify the types of attachments that you want users to be able to access, click the Customize button next to Customize direct file access. 6. On the Direct File Access Settings page, do one of the following: To set the file types and MIME types that you want users to access, click the Allow button, and then set the file name extensions and MIME values on the Allow List page. To set the file types and MIME types that you want to block users from accessing, click the Block button, and then and set the file name extensions and MIME values on the Block List page. To set the file types and MIME types that you want to force users to save before they access them, click the Force Save button, and then set the file name extensions and MIME values on the Force Save List page. For unknown file types, select an option from the list in the Unknown Files box. Select Allow, Block, or Force Save. 7. Click OK to save your settings. To use the Exchange Management Shell to configure attachments policy settings for Outlook Web Access Run the following command: Set-OwaVirtualDirectory Use the syntax in the following example to prevent users on public computers from downloading files: Set-OwaVirtualDirectory -identity "owa (Default Web Site)" -DirectFileAccessOnPublicComputersEnabled $false For more information about syntax and parameters, see Set-OwaVirtualDirectory.
54

For more information about file access in Outlook Web Access, see Managing File and Data Access for Outlook Web Access. For more information about how to manage Outlook Web Access on the computer that is runningExchange 2007, see Managing Outlook Web Access.
How to Manage WebReady Document Viewing

WebReady Document Viewing lets users access file attachments in Microsoft Office Outlook Web Access. Users can access common file types such as Microsoft Word documents without having the application installed. This section explains how to manage WebReady Document Viewing for Outlook Web Access in Microsoft Exchange 2007. When you manage WebReady Document Viewing, you can specify files that you want users to be able to access within Outlook Web Access for private and public computers. However, you cannot specify individual settings for only private or public computers. By default, public computer file access is not enabled for Outlook Web Access. Therefore, when users select the This is a public or shared computer option or the This is a private computer option on the Outlook Web Access logon page, they will be unable to access files attached to e-mail messages.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to manage WebReady Document Viewing settings for Outlook Web Access 1. In the Exchange Management Console, click Server Configuration, and then click Client Access. 2. In the work pane, select owa (Default Web Site),and then, in the action pane, click Properties. 3. On the Outlook Web Access Properties page, click the Private Computer File Access or Public Computer File Access tab.
55
4. Under WebReady Document Viewing, select the check box next to Enable WebReady Document Viewing to let users view common file types in Outlook Web Access. 5. To modify the types of files that you want users to be able to view in Outlook Web Access, click the Supported button under WebReady Document Viewing. 6. On the WebReady Document Viewing Settings page, select the default values, or delete one or more of the file types. 7. Click OK to save your changes. To use the Exchange Management Shell to configure attachments policy settings for Outlook Web Access The following example uses the Set-OwaVirtualDirectory cmdlet to prevent users on public computers from downloading files: Set-OwaVirtualDirectory -identity "owa (Default Web Site)" -WebReadyDocumentViewingPublicComputersEnabled $false
For information about syntax and parameters, see Set-OwaVirtualDirectory.

For more information about how to manage Outlook Web Access on the computer that is running Microsoft Exchange Server 2007, see Managing Outlook Web Access.
How to Manage Maximum Message Size in Outlook Web Access

This section explains how to edit the Web.config file on a Microsoft Exchange Server 2007 computer that has the Client Access server role installed to enable large messages to be sent by using Outlook Web Access. Outlook Web Access is an application that uses ASP.NET and is affected by the configuration of ASP.NET settings. The ASP.NET setting that determines the maximum amount of data that the Web browser can submit to the Client Access server is maxRequestLength. The maxRequestLength setting is found in the Web.config file. If the setting for the maximum message size for sending on a mailbox is more than the maxRequestLength setting, messages that are sent from Outlook Web Access that exceed the maxRequestLength value will generate an error that might be confusing to users. To avoid having this occur, you must configure the maxRequestLength to be at least as large as the largest maximum send size on the mailboxes in your organization.
56
Conditions and Associated Warnings

If a user tries to create or send a message that exceeds the maximum message size or maxRequestLength, a warning will appear in Outlook Web Access. The text of the warning will vary depending on the conditions that generated it. When a user tries to upload an attachment that is larger than the maximum message size, they receive the following error message in the upload dialog box: "The attachment you are trying to upload exceeds the maximum size limit for attachments allowed by your organization. For more information, contact technical support for your organization." When a user tries to upload one or more attachments that are larger than the ASP.NET MaxRequestLength, they receive the following error message in the Information Bar within the message: "The files <file names> were not attached because they exceed the maximum size limit of <size limit> megabytes (MB) for attachments." If a user attaches several files, each of which is smaller than either the maximum message size or maxRequestLength but which together amount to more than the maximum message size, when they click SendOutlook Web Access will show the following message as a banner on the message form: "This message could not be sent because it exceeds the maximum size allowed."
Before You Begin

To perform the following procedure, the account you use must be delegated membership in the local Administrators group. For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations. To change the maxRequestLength value by using Notepad 1. Find the Outlook Web Access Web.config file on the Client Access server. The default location is <drive>\Program Files\Microsoft\ExchangeServer\ClientAccess\Owa. 2. Make a backup copy of the file. 3. Open the original file by using an editor such as Notepad. Do not use IIS to edit the web.config file. 4. Find maxRequestLength and change it to the value that you want. The value is stored in kilobytes (KB). The default value is 30000. The following example shows the maxRequestLength value in the Web.config file: <httpRuntime maxRequestLength="30000" /> 5. Save and close the file.
57
Caution: Before making changes to the Web.config file, make a copy of the file, and store it in a safe location.

For more information about how to set the maximum message size in Exchange 2007, see: Set-Mailbox Set-SendConnector Set-ReceiveConnector
Managing Outlook Web Access Advanced Features

You can manage advanced features in Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007 by using the Exchange Management Console and the Exchange Management Shell. In Exchange 2007, you can enable and disable Outlook Web Access features for your whole organization or for individual users by using segmentation. To increase protection against spammers, you can disable Web beacons in Outlook Web Access. If the default language and character settings for Outlook Web Access at initial logon are not appropriate for your users, you can change them by using the language and character settings. If users will be using Outlook Web Access over a slow network connection, you can enable Gzip compression to improve the performance of Outlook Web Access on the client computer.
Segmentation of Features in Outlook Web Access

Segmentation lets you enable and disable features that are available to users in Exchange 2007 Outlook Web Access. By default, any mail-enabled user in your Exchange 2007 organization can access their mailbox by using Outlook Web Access. Depending on the needs of your organization, you can use segmentation to configure the following restrictions for user access: Restrict access to Outlook Web Access for specific users. Control access to certain Outlook Web Access features for specific users. Disable an Outlook Web Access feature completely.
58
Many features can be set for an Outlook Web Access virtual directory by using the Exchange Management Console. You can use the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell to enable or disable the same features that you can enable and disable by using the Exchange Management Console, in addition to many other Outlook Web Access features for an Outlook Web Access virtual directory. For example, to disable the Reminders feature in Outlook Web Access, you can use the RemindersandNotificationsEnabled parameter. The Reminders feature enables users to receive new mail notifications. You can also modify other Outlook Web Access features, such as Tasks, Contacts, and Themes. For more information about the parameters that you can use to configure segmentation for all users, see Set-OwaVirtualDirectory. For more information about the features that can be configured by using the Exchange Management Console, see How to Manage Segmentation in Outlook Web Access. For more information about how to enable and disable features for specific users, see SetCASMailbox.
Segmentation Features in Exchange Server 2003 and Exchange Server 2007

Table 15 lists the differences between Outlook Web Access segmentation in Exchange Server 2003 and Exchange 2007. Table 15 Outlook Web Access segmentation in Exchange Server 2003 and Exchange Server 2007 Type Exchange Server 2003 Exchange Server 2007
59
Segmentation basis
Segmentation can be performed for individual users and for individual servers. The segmentation setting for each Outlook Web Access feature is stored as a DWORD value in the registry. If the DWORD value is 1, the Outlook Web Access feature is enabled. If the DWORD value is 0, the Outlook Web Access feature is disabled. By default, all features are enabled.
Segmentation can be performed for individual users and for individual virtual directories. You can administer the user and virtual directory segmentation settings for each Outlook Web Access feature by using the Exchange Management Shell. Unlike in Exchange Server 2003, segmentation settings in Exchange 2007 are not configured by editing the registry. The segmentation value that is set for an Outlook Web Access virtual directory is stored on the virtual directory object. The segmentation value that is set for a user is stored in the msExchMailboxFolderS etActive Directory attribut e on the user object. By default, the msExchMailboxFolderSet attribute exists for each user, but the value is not configured. Use the SetCASMailbox cmdlet to configure values for individual users.
Storing segmentation values
The DWORD values that are set for users and for servers are the same. However, they are stored in different locations. The server DWORD value is stored in a registry key. The user DWORD value is stored in the msExchMailboxFolderS etActive Directory attribut e on the user object. By default, the msExchMailboxFolderSet attribute exists, but the value is not configured.
60
New features in Outlook Web Access in Exch ange 2007 that can be segmented
Not applicable
You can segment the following new Outlook Web Access features: Unified Messaging integration Microsoft Window s SharePoint Service s and Windows file shares integration Microsoft Exchan ge ActiveSync integra tion from Mobile Settings on the Options page
Understanding Web Beacons

A Web beacon is a file object, such as a transparent graphic or an image, which is put on a Web site or in an e-mail message. Web beacons are typically used together with HTML cookies to monitor user behavior on a Web site or to validate a recipient's e-mail address when an e-mail that contains a Web beacon is opened. Web beacons frequently come in the form of images that are downloaded onto a user's computer when the user opens a junk e-mail message. After the images are downloaded, a Web beacon notification is sent to the sender of the junk e-mail that informs the sender that the recipient e-mail address is valid. After a user opens a message that sends a Web beacon notification back to the junk e-mail sender, the user may receive junk e-mail more frequently because the junk e-mail sender has verified that the user's e-mail address is valid. Web beacons can also contain harmful code and be used to circumvent e-mail filters to deliver a spammer's message. Note: By default, Outlook Web Access disables all potential Web beacon content in e-mail messages.
In Outlook Web Access, an incoming e-mail message that has any content that can be used as a Web beacon, regardless of whether the message actually contains a Web beacon,
61
prompts Outlook Web Access to display a warning message to the user to inform the user that the content has been blocked. If a user knows that a message is legitimate, they can enable the blocked content. If a user does not recognize the sender or the message, they can open the message without unblocking the content and then delete the message without triggering beacons. If your organization does not want to use this feature, you can disable the blocking option for Outlook Web Access.
Disabling Web Beacons

The configuration settings for filtering Web beacons are stored in the Active Directory directory service. You can configure how Web beacons are filtered by using the SetOwaVirtualDirectory cmdlet in the Exchange Management Shell. For more information about syntax and parameters, see Set-OwaVirtualDirectory. The following list describes the parameters in the FilterWebBeacons property for Web beacon filtering in Outlook Web Access: UserFilterChoice By using the UserFilterChoice parameter, you can let users decide whether they want to enable or continue to disable the blocked Web beacon content. Outlook Web Access blocks all potential Web beacon content in an e-mail message and displays the following message in the information bar when a user receives an e-mail message that contains potential Web beacon content: "To protect your privacy, Outlook Web Access has blocked some images, sounds, or other external content. To restore, Click Here." To view the blocked Web beacon content, the user can click the Click Here option. Note: By default, the UserFilterChoice parameter is enabled on Outlook Web Access. ForceFilter By using the ForceFilter parameter, you can block all potential Web beacon content. Users cannot override the ForceFilter parameter to view the blocked Web beacon content. DisableFilter By using the DisableFilter parameter setting, you can enable all Web beacon content on Outlook Web Access. For more information about how to disable Web beacons, see How to Control Web Beacon and HTML Form Filtering for Outlook Web Access.
Language Settings
By using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell, you can configure the following language parameter settings on an Outlook Web Access virtual directory:
62
DefaultClientLanguage The DefaultClientLanguage parameter, a Regional property setting, specifies the Outlook Web Access language that is used when a user who has not selected a specific language on the Options page logs on to Outlook Web Access. This prevents the user from being able to view the initial page to set the time zone and language, but does not prevent the user from changing these settings using the Options in Outlook Web Access after they have logged on. This parameter does not apply to Microsoft Exchange 2000 Server or Exchange 2003 virtual directories. LogonAndErrorLanguage The LogonAndErrorLanguage parameter specifies which language Outlook Web Access uses for forms-based authentication and for error messages that occur when a users current language setting cannot be read. This parameter applies to Exchange 2003 virtual directories. The user can configure the language that is used by Outlook Web Access by using the Regional Settings option in the Options menu after he or she is successfully authenticated for an Outlook Web Access session. The LogonAndErrorLanguage parameter can be configured only by an administrator. The administrator must configure the LogonAndErrorLanguage parameter before the user authenticates into Outlook Web Access. Note: To make all Arabic, Asian, Hebrew, and Urdu text to display correctly in Outlook Web Access, support for languages that are read from right-to-left and script languages must be installed on the client computer. Other languages may also require that the appropriate language pack be installed on the client computer. For more information about syntax and parameters, see Set-OwaVirtualDirectory. For more information about how to configure the language settings for an Outlook Web Access virtual directory, see How to Configure Language Settings for Outlook Web Access.
Character Settings
The Charset parameter specifies how the Web browser decodes data and appends the character set, for example, ISO-8859-15, of the content-type header in the Response object of the Web page. You can use the Response object to send output to the client. By using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell, you can configure the character settings on an Outlook Web Access virtual directory. You can configure the following character settings on an Outlook Web Access virtual directory: OutboundCharset The OutboundCharset parameter specifies the character set that is used on messages that are sent by users on a specific Outlook Web Access virtual directory. It accepts three settings: autodetect, alwaysutf8, and userlanguagechoice. Autodetect causes Exchange to examine the first 2 kilobytes (KB) of text and deduce the
63
character set to use. This is the preferred method. AlwaysUTF8 causes Exchange to always use UTF-8 encoded UNICODE characters on outgoing messages. UserLanguageChoice causes Exchange to use the language that is used in the Outlook Web Access user interface to encode messages. This can be a problem if the preferred language and the language that is used on an individual message are not the same. UseGB18030 The UseGB18030 parameter, a Regional property setting, specifies when the character set GB18030 is used. This parameter is a character-handling key in Active Directory that works in coordination with the OutboundCharset registry key. If USEGB18030 is on and OutboundCharset is set to Autodetect, Outlook Web Access will use GB18030 whenever GB18032 is detected. UseISO8859-15 The UseISO8859-15 parameter, a Regional property setting, specifies when the character set ISO8859-15 is used. This parameter is a characterhandling key in Active Directory that works in coordination with the OutboundCharset registry key. If USEISO8859-15 is on and OutboundCharset is set to Autodetect, Outlook Web Access will use ISO8859-15 whenever ISO8859-1 is detected For more information about syntax and parameters, see Set-OwaVirtualDirectory. For more information about how to configure the character settings for Outlook Web Access, see How to Configure Character Settings for Outlook Web Access.
Gzip Compression Settings

Gzip compression enables data compression. Data compression helps optimize response time over slow network connections. Depending on the type of compression setting that you select, Outlook Web Access compresses static Web pages, dynamic Web pages, or both static Web pages and dynamic Web pages. Gzip compression is performed by the Client Access server. You can configure Gzip compression settings on an Outlook Web Access virtual directory by using the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell. You can use the Get-OWAVirtualDirectory cmdlet to retrieve information about the current settings on an Outlook Web Access virtual directory. For more information about syntax and parameters, see Set-OwaVirtualDirectory. Table 16 describes the three levels of data compression settings for Outlook Web Access. Table 16 Data compression settings for Outlook Web Access Data compression setting High Description This setting compresses static and dynamic pages.
64
Low
This setting compresses only static pages. By default, Gzip compression is set to low on Exchange 2007 virtual directories and on Exchange 2000 and Exchange 2003 virtual directories on Exchange 2007 servers that are hosting only the Client Access server role. Compression is not supported on Exchange 2000 and Exchange 2003 virtual directories on Exchange 2007 servers that have the Mailbox server role installed.
Off
No compression is used.
For more information about how to configure Gzip settings, see How to Configure Gzip Compression Settings.
Creating Themes for Outlook Web Access

You can customize the appearance of Outlook Web Access for your organization by creating one or more themes. After you create a theme, you can use segmentation to set the default theme. You can also use segmentation to enable or disable user access to theme selection in Outlook Web Access options.
Customizing the Forms-Based Authentication Logon Page

You can customize the appearance of the forms-based authentication page by writing a new version of the logon page that sends the same HTML form to the Outlook Web Access application as the original forms-based authentication logon page. The forms-based authentication page is enabled for anonymous access. Therefore, you must use caution when deciding what content to display on the Outlook Web Access logon page. Do not reveal any sensitive data that may pose a security risk for your organization on the Outlook Web Access logon page. If you customize the logon page, your changes may be overwritten when you install hot fixes and service packs on the Client Access server that is providing the logon page.

For more information about Outlook Web Access advanced features, see the following topics: Set-OwaVirtualDirectory
65
Set-CASMailbox How to Manage Segmentation in Outlook Web Access How to Control Web Beacon and HTML Form Filtering for Outlook Web Access How to Configure Language Settings for Outlook Web Access How to Configure Character Settings for Outlook Web Access How to Configure Gzip Compression Settings
How to Manage Segmentation in Outlook Web Access

This section describes how to manage segmentation in Microsoft Office Outlook Web Access for Microsoft Exchange Server 2007. Segmentation lets you enable and disable many features in Outlook Web Access by using either the Exchange Management Console or the Exchange Management Shell. By default, segmentation changes take effect after 60 minutes of inactivity for users who are logged on to Outlook Web Access, or when a user logs on to Outlook Web Access. To force the changes to take effect immediately, restart Internet Information Services (IIS) by running the command iisreset/noforce on the Client Access server.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
To use the Exchange Management Console to configure Outlook Web Access segmentation 1. In the Exchange Management Console, click Server Configuration, and then click Client Access. 2. In the work pane, select owa (Default Web Site), and then, in the action pane, click Properties. 3. On the owa (Default Web Site)Properties page, click the Segmentation tab. 4. The Segmentation window provides a list of features for Outlook Web Access
66
that you can enable or disable for all users. 5. To enable or disable a feature for Outlook Web Access for all users, select a feature, and then click Enable or Disable. 6. The status for all features is displayed in the center section in the Segmentation window.
Segmentation in the Exchange Management Console and the Exchange Management Shell
Table 17 lists the segmentation options that are available through the Exchange Management Console and by using Exchange Management Shell parameters. You can use the SetOwaVirtualDirectory cmdlet together with the parameters listed in the table to enable or disable the features on the Segmentation tab that were discussed earlier in Step 3. Table 17 Segmentation options that can be set in the Exchange Management Console and by using Exchange Management Shell parameters Exchange Management Console Exchange ActiveSync Integration Exchange Management Shell Parameter ActiveSyncIntegrationEnable d Description If it is enabled, this option lets users manage a mobile device by using the Options feature in Outlook Web Access. If it is disabled, the option is not visible. If it is enabled, this option lets users see all address lists in the Exchange organization. If it is disabled, the user will see only the default global address list. If it is enabled, this option lets users see Calendar folders by using Outlook Web Access. If it is disabled, the Calendar is still available by using Outlook, but will not be visible from Outlook Web Access.
All Address Lists
AllAddressListsEnabled
Calendar
CalendarEnabled
67
Contacts
ContactsEnabled
If it is enabled, this option lets users see Contacts folders by using Outlook Web Access. If it is disabled, Contacts folders are still available by using Outlook, but will not be visible from Outlook Web Access. If it is enabled, this option lets users see the Journal folder by using Outlook Web Access. If it is disabled, the Journal is still available by using Outlook, but will not be visible from Outlook Web Access. If it is enabled, this option enables users to control the junk e-mail settings for their mailbox from Outlook Web Access. If it is disabled, the user will be unable to control the junkemail settings from Outlook Web Access, but any settings that are set by an administrator or set by using Outlook will still be applied.
Journal
JournalEnabled
Junk E-mail Filtering
JunkEmailEnabled
68
Reminders and Notifications
RemindersAndNotificationsE nabled
If it is enabled, this option lets users receive reminders for calendar items and tasks and notifications for new messages when they are using Outlook Web Access Premiu m. If it is disabled, users will not receive reminders and notifications. Reminders and notifications are not available in Outlook Web Access Light.
Notes
NotesEnabled
If it is enabled, this option makes the Notes folder visible in Outlook Web Access. Outlook Web Access provides view-only access to Notes. If it is enabled, this option lets users access the Outlook Web Access Premiu m client. If it is disabled, only Outlook Web Access Light will be available. If it is enabled, this option lets users see the Search Folders icon in the Outlook Web Access navigati on pane and lets users access any search folders that exist on the server. If it is disabled, the Search Folders icon remains visible in Outlook Web Access, but the folders will not be available. For more information about how to create search folders, see the Outlook Help.
Premium Client
PremiumClientEnabled
Search Folders
SearchFoldersEnabled
69
E-mail Signature
SignaturesEnabled
If it is enabled, this option lets users use the Outlook Web Access Options to manage signatures for outgoing e-mail messages. If it is enabled, this option lets users check spelling in Outlook Web Access. This feature is not available in Outlook Web Access Light. If it is enabled, this option makes the Tasks features in Outlook Web Access availabl e to users. This feature is not available in Outlook Web Access Light. If it is enabled, this option lets users select a theme by using the Options feature in Outlook Web Access. This feature is not available in Outlook Web Access Light. If it is enabled, this option lets users manage their Unified Messaging settings by using Outlook Web Access.
Spelling Checker
SpellCheckerEnabled
Tasks
TasksEnabled
Theme Selection
ThemeSelectionEnabled
Unified Messaging Integration UMIntegrationEnabled
70
Change Password
ChangePasswordEnabled
If it is enabled, this option lets users change their Active Directory account password by using Outlook Web Access. Note: To enable users to change passwords that have expired or have been set to User must change at next logon, see Implementing the Change Password feature with Outlook Web Access.

For more information about how to manage Outlook Web Access, see the following topics: Managing Outlook Web Access Managing Outlook Web Access Advanced Features Client Features in Outlook Web Access Client Access Server Role: Overview
For more information about syntax and instructions for using the Exchange Management Shell to manage Outlook Express segmentation, see Set-OwaVirtualDirectory.
How to Configure Gzip Compression Settings

This section explains how to use the Exchange Management Shell to configure Gzip compression for Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007. Gzip compression improves performance over slow network connections by compressing content on the server. Gzip compression might slow performance on the server.
71
Note: By default, Gzip compression is set to low on all virtual directories. To use the Exchange Management Shell to configure Gzip compression Run the following command to configure Gzip compression to High on an Outlook Web Access virtual directory that is named owa in the default Internet Information Services (IIS) Web site on the local server: Set-OwaVirtualDirectory -identity "owa (Default Web Site)" -GzipLevel High Run the following command to set Gzip compression to Off on an Outlook Web Access virtual directory that is named owa in the default IIS Web site on the local server: Set-OwaVirtualDirectory -identity "owa (Default Web Site)" -GzipLevel Off Note: You must restart Internet Information Services (IIS) by using the command iisrest/noforce for these changes to take effect. For more information about syntax and parameters, see Set-OwaVirtualDirectory.

For more information about Gzip compression settings, see Managing Outlook Web Access Advanced Features.
How to Configure Character Settings for Outlook Web Access

This section describes how to use the Exchange Management Shell to configure the character settings on Microsoft Office Outlook Web Access virtual directories in Microsoft Exchange Server 2007. For more information about character settings in Outlook Web Access, see Managing Outlook Web Access Advanced Features.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.
72
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure character settings for Outlook Web Access Run the following command to configure Outlook Web Access to always use UTF-8 encoded UNICODE characters on all outgoing e-mail messages: Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -OutboundCharset AlwaysUTF8 Note: The AlwaysUTF8 character setting on the Outlook Web Access virtual directory takes precedence over user-defined settings. Outlook Web Access sets the UTF8 character on all outgoing e-mail messages, regardless of the user's language choice in Outlook Web Access. For more information about syntax and parameters, see Set-OwaVirtualDirectory.

For more information about character settings in Outlook Web Access, see Managing Outlook Web Access Advanced Features. For information about how to set the default language setting in Outlook Web Access, see How to Configure Language Settings for Outlook Web Access.
How to Configure Language Settings for Outlook Web Access

This section describes how to use Microsoft Office Outlook Web Access or the Exchange Management Shell to configure language settings for Outlook Web Access in Microsoft Exchange Server 2007. The language setting determines the language of the Outlook Web Access logon page and error messages, and can be changed by the user at any time.
About Language Settings

There are three language settings that you can configure for Outlook Web Access. The logon and error language setting applies to individual Outlook Web Access virtual directories. The logon and error language is the language that will be used for
73
errors and the forms-based authentication logon page. If a value is not set for this language, the default value is 0. This means that the default logon and error language is not defined. If the logon and error language is not defined, Outlook Web Access will default first to the language set on Internet Explorer on the client computer. If the language set on Internet Explorer on the client computer is not supported by Outlook Web Access, Outlook Web Access will use the language of the Client Access server. The default client language setting applies to individual Outlook Web Access virtual directories. The default client language is the client language that is used by Outlook Web Access unless the user uses Regional Settings in Outlook Web Access to change the language and time zone. The default value for this setting is 0. This means the default client language is not defined. If the default client language is not defined, users will be prompted to choose a language and time zone the first time that they log on to Outlook Web Access. If the default client language value is defined, users will not be prompted to choose a language and the Outlook Web Access time zone will use the time zone of the Client Access server. Defining the default client language causes the default folders to be renamed based on the specified language. Users can change the client language and time zone by using Regional Settings in Outlook Web Access, and can rename the default folders after they log on. The client languages are set on individual mailboxes and affect the language that is used in Outlook and Outlook Web Access. If multiple languages are configured, the first language in the list that is supported by the Web browser will be used. If none of the languages in the default languages list is supported by the Web browser, the Client Access server language will be used.
Before You Begin

To perform the following Exchange Management Shell procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Note: For all Arabic, Hebrew, and Urdu text to display correctly in Outlook Web Access, support for languages that are read from right-to-left and for script languages must be installed on the client computer. Asian languages might also require that the East Asian language support be installed on the client computer. Table 18 lists the languages and locales that can be configured in the Exchange Management Shell, and their associated codes.
74
Table 18 Available languages and locales and their associated codes Language (Locale) Arabic (Algeria) Arabic (Bahrain) Arabic (Egypt) Arabic (Iraq) Arabic (Jordan) Arabic (Kuwait) Arabic (Lebanon) Arabic (Libya) Arabic (Morocco) Arabic (Oman) Arabic (Qatar) Arabic (Saudi Arabia) Arabic (Syria) Arabic (Tunisia) Arabic (U.A.E.) Arabic (Yemen) Basque Bulgarian Catalan Chinese (Hong Kong S.A.R) Chinese (Macau S.A.R) Chinese (People's Republic of China) Chinese (Singapore) Chinese (Taiwan) Croatian Czech Danish Dutch (Belgium) Code 5121 15361 3073 2049 11265 13313 12289 4097 6145 8193 16385 1025 10241 7169 14337 9217 1069 1026 1027 3076 5124 2052 4100 1028 1050 1029 1030 2067
75
Dutch (Netherlands) English (Australia) English (Belize) English (Canada) English (Caribbean) English (Ireland) English (Jamaica) English (New Zealand) English (Republic of the Philippines) English (South Africa) English (Trinidad) English (United Kingdom) English (United States) English (Zimbabwe) Estonian Finnish French (Belgium) French (Canada) French (France) French (Luxembourg) French (Principality of Monaco) French (Switzerland) German (Austria) German (Germany) German (Liechtenstein) German (Luxembourg) German (Switzerland) Greek Hebrew
1043 3081 10249 4105 9225 6153 8201 5129 13321 7177 11273 2057 1033 12297 1061 1035 2060 3084 1036 5132 6156 4108 3079 1031 5127 4103 2055 1032 1037
76
Hindi Hungarian Icelandic Indonesian Italian (Italy) Italian (Switzerland) Japanese Kazakh Korean Latvian Lithuanian Malay Norwegian (Bokml) Persian Polish Portuguese (Brazil) Portuguese (Portugal) Romanian Russian Serbian (Cyrillic) Serbian (Latin) Slovak Slovenian Spanish (Argentina) Spanish (Bolivia) Spanish (Chile) Spanish (Colombia) Spanish (Costa Rica) Spanish (Dominican Republic)
1081 1038 1039 1057 1040 2064 1041 1087 1042 1062 1063 1086 1044 1065 1045 1046 2070 1048 1049 3098 2074 1051 1060 11274 16394 13322 9226 5130 7178
77
Spanish (Ecuador) Spanish (El Salvador) Spanish (Guatemala) Spanish (Honduras) Spanish (Mexico) Spanish (Nicaragua) Spanish (Panama) Spanish (Paraguay) Spanish (Peru) Spanish (Puerto Rico) Spanish (International Sort) Spanish (Traditional Sort) Spanish (Uruguay) Spanish (Venezuela) Swedish (Finland) Swedish (Sweden) Thai Turkish Ukrainian Urdu Vietnamese
12298 17418 4106 18442 2058 19466 6154 15370 10250 20490 3082 1034 14346 8202 2077 1053 1054 1055 1058 1056 1066
To use the Outlook Web Access client to configure language settings 1. Use a Web browser to access Outlook Web Access. 2. Click Options, and then click Regional Settings. 3. Under Language, in the Choose language list, click the language that you want to use. Note: The language that you select will determine the date and time settings in the Date and Time Formats section.
78
4. Click Save to save your language settings. To use the Exchange Management Shell to configure the logon and error language settings for Outlook Web Access Run the following command to set the logon and error language setting: Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -LogonAndErrorLanguage <language code>
To use the Exchange Management Shell to configure the default client language setting for an Outlook Web Access virtual directory Run the following command to set the default client language setting: Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -DefaultClientLangugage <language code>
To use the Exchange Management Shell to configure the client languages setting for an individual mailbox Run the following command to set the client languages setting for an individual mailbox: Set-Mailbox identity <mailbox identity> -languages <language code>
For more information about syntax and parameters, see Set-OwaVirtualDirectory and SetMailbox.
How to Create a Theme for Outlook Web Access

This section explains how to create a custom theme for Microsoft Office Outlook Web Access. A theme is a collection of files and style sheets that control the appearance of Outlook Web Access. By default, two themes are installed when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007. The two themes are Seattle Sky and Carbon Black. Only Outlook Web Access Premium supports custom themes. You cannot create custom themes for Outlook Web Access Light.
79
What Is Included in a Theme

A theme is a collection of media files and cascading style sheets (.css files). The files are stored on the Client Access server in the installation directory in \Client Access\OWA\version\themes. Each theme is stored in a subdirectory of themes. The .css files define colors, gradients, and fonts. The image files (.gif files) provide the icons and other graphic elements. If you edit any of the icons, do not change their size. If you change the size of other graphic elements, test your changes to verify that the elements still fit together correctly. The default theme (Seattle Sky) is the base theme and is found in \themes\base. The base folder contains all the files that are needed to define a theme. These include colors, fonts, icons, and graphics.
You can create additional themes by copying selected files into a new directory and modifying the files to fit the needs of your organization. In the Outlook Web Access user interface, themes are referred as color schemes. When a user selects a custom theme, the elements in the directory of the custom theme are used first, and any necessary elements that have not been customized are drawn from the base theme. For example, if you create a new theme by copying only the header graphics to a new theme and modifying them, when a user selects that theme, the header graphics will come from the new theme, and the rest of the theme properties will come from the base theme. Themes are saved on each Client Access server. If you have more than one Client Access server, and you want a custom theme to be available on all servers, you must copy the theme to the themes directory on each Client Access server.
Recommendations
Many elements of an Outlook Web Access theme can be changed. To avoid creating instability in Outlook Web Access, we recommend that you start by changing only the header, logon and logoff pages, and the colors that are used for selecting and highlighting. If you want to make more complex changes, first study how .css files work. After you have developed a good understanding of cascading style sheets, change a few elements at a time and test your changes to make sure that the result is what you expect. As a best practice, we recommend that you use the following guidelines:
80
Always make backup copies of the original files before you start editing them, especially when you are editing files in the \themes\base directory. Do not delete the folder \Client Access\OWA\version\themes\base or any of the files in it. Do not change the information bars that appear at the top of messages to warn users about potentially harmful content, phishing attacks, viruses, and blocked or missing content. The following figure illustrates an Outlook Web Access calendar request with two information bars. Figure 3 Outlook Web Access information bars
Before You Begin

To perform the following procedures, you must log on to the server that is hosting Outlook Web Access and the account that you use must be delegated membership in the local Administrators group.
Creating a Theme
The following procedure gives you the general steps for creating a custom theme for Outlook Web Access. Specifics procedures for changing individual elements in an Outlook Web Access theme are included in the following sections. To create a new Outlook Web Access theme 1. On the Client Access server that is hosting Outlook Web Access, open Windows Explorer, and then find the Exchange server installation directory. 2. In \Client Access\OWA\<version>\themes, create a new folder. 3. Copy the premium.css and owafonts.css files from the base theme to the new folder. 4. Copy the files that you want change to create your theme from the base theme to
81
the new folder that you created. 5. Modify the files in the new theme folder to create your theme. 6. Restart Internet Information Services (IIS) by using the iisreset/noforce command. 7. Test the new theme by logging on to Outlook Web Access and selecting the new theme.
Naming a Custom Theme

You can name a custom theme in two ways. The first way is to give the folder in which you created the new theme the name that you want the theme to have. For example, to name a custom theme "Fourth Coffee", name the folder in which you created the new theme Fourth Coffee. You can also name a custom theme by copying the themeinfo.xml file from the base theme to the folder in which you created the custom theme, and then editing the file. You can edit the themeinfo.xml file by using a text editor such as Notepad to change the theme display name to the theme name that you want the theme to have.
To name a custom theme by editing the themeinfo.xml file 1. Copy the themeinfo.xml file from the base theme folder to the folder in which you created the custom theme. 2. Open the copy of themeinfo.xml that is in the custom theme folder. 3. Find the theme displayname value, and change the value to the name that you want the theme to have. Example: To name your theme Fourth Coffee, the file should read theme displayname = "Fourth Coffee". 4. Save your changes, and then close themeinfo.xml. Note: If you change the name of a theme, you must stop and start IIS for the change to take effect. You can do this by opening a Command Prompt window and using the command iisreset/noforce.
82
Creating a Custom Header

You can customize the header of the main Outlook Web Access page. To change the header in Outlook Web Access, you will need the following files: premium.css owafonts.css logopt.gif logopb.gif nbbkg.gif
Premium.css and owafonts.css define the fonts and colors that are used by Outlook Web Access. Logopt.gif, logopb.gif, and nbbkg.gif are the image files that are used to create the header at the top of the page in Outlook Web Access. Open the .gif files in an image editing tool to see how they are used to create the header in Outlook Web Access. The following figure illustrates the original files that are used to create the header for the Seattle Sky Outlook Web Access theme. Figure 4 Outlook Web Access header files
To create a custom header 1. Copy premium.css, owafonts.css, logopt.gif, logopb.gif, and nbbkg.gif from the base theme folder to the custom theme folder. 2. In the custom theme folder, open premium.css by using a text editor such as Notepad. 3. To remove "Connected to Microsoft Exchange" from the header, find "background:url("logopb.gif") no-repeat;" and add display:none; immediately after it. 4. To change the logo, use an image editing tool to open and modify logopt.gif. 5. If you change the background color in logopt.gif, use your image editing tool to edit logopb.gif and nbbkg.gif to have the same background color. 6. After you edit the files, save your changes.
83
7. To test the changes to your custom theme, log on to Outlook Web Access, click Options, click General Settings, and then select your custom theme from the Appearance menu. You must save your changes and then click Refresh Internet Explorer to see the new theme.
Changing Colors in a Theme

To change the colors in a theme, you must find the values in the premium style sheet (premium.css) and then determine the HTML RGB values for the colors that you want to use. The HTML RGB color values are defined by a seven character string in the format of the number sign (#) followed by a string of six characters. To find the HTML RGB values for many colors, see the Color Table in the MSDN Library. If you must match a specific color and you cannot find a match for the color online, you can use an image editing tool to sample a color and determine its HTML RGB value.
To change the highlight color of the selected module in the navigation bar 1. Open the premium.css file by using a text editor such as Notepad. 2. In the file, find the following: a.nbHiLt { background-color:#FFEFB2; } 3. Replace the RGB value with the RGB value of the color that you want. 4. To test the changes to your custom theme, log on to Outlook Web Access, click Options, click General Settings, and then select your custom theme from the Appearance menu. You must save your changes and then click Refresh to see the new theme. If you already have an active Outlook Web Access session, press F5 to refresh the page so that you can see your changes. The following figure illustrates a section of the Outlook Web Access Navigation bar with the Mail module highlighted.
84
Figure 5 Navigation pane that displays the Mail module highlighted
To change the primary and secondary list selection colors 1. Open the premium.css file by using a text editor such as Notepad. 2. Find the following to change the primary selection color: tr.sel, tr.srsel, tr.lrsel { background-color: #FFEFB2; 3. Find the following to change the secondary selection color: tr.shdw, tr.srshdw, tr.lrshdw { background-color:#F8F0D2;
85
4. Replace the RGB values for the primary and secondary selection colors with the RGB values of the colors that you want. 5. To test your custom theme, log on to Outlook Web Access, click Options, click General Settings, and then select your custom theme from the Appearance menu. You must save your changes and then click Refresh to see the new theme. If you already have an active Outlook Web Access session, press F5 to refresh the page to see your changes. The primary selection color is used to highlight the selected item in the list pane when the focus is in that pane. If the user then moves the focus to the preview pane or navigation pane, the selected item in the list pane will be highlighted with the secondary selection color. The following figure illustrates the difference between primary and secondary selection colors in Outlook Web Access. Figure 6 Primary and secondary selection colors in Outlook Web Access
Note: You can use the method that was used in the previous procedure to change the RGB values for other theme elements.
86
Changing the Default Outlook Web Access Theme

You can change the default Outlook Web Access theme for a virtual directory from the base theme to a custom theme by using the Set-OwaVirtualDirectory cmdlet. You can also use the Set-OwaVirtualDirectory cmdlet to disable the theme selection option in Outlook Web Access. If you have multiple Outlook Web Access virtual directories, you can use the following procedures to set a default theme for each virtual directory. When you set a default theme, only users who have not previously logged on to Outlook Web Access and selected a new theme will be forced to use the default theme. To force all users to use the default theme, you must disable theme selection in addition to setting a new default theme. To use the Exchange Management Shell to set the default theme for Outlook Web Access To set the default theme for Outlook Web Access where the server name is "FourthCoffee", the virtual directory name is "owa", the Web site name is "Default Web site", and the theme is in the folder named "Custom", run the following command: set-owavirtualdirectory -identity "fourthcoffee\owa (default web site)" -defaulttheme Custom
To use the Exchange Management Shell to disable theme selection in Outlook Web Access To disable theme selection in Outlook Web Access where the server name is "FourthCoffee", the virtual directory name is "owa", and the Web site name is "Default Web site", run the following command: set-owavirtualdirectory -identity "fourthcoffee\owa (default web site)" -themeselectionenabled $false You can also complete both commands at the same time by running the following command: set-owavirtualdirectory -identity "fourthcoffee\owa (default web site)" -defaulttheme Custom -themeselectionenabled $false
Customizing the Logon and Logoff Pages

The Outlook Web Access logon, language selection, and logoff pages are always created based on graphics and the logon.css file in the base theme folder. Therefore, to use custom logon and logoff pages, you must modify the files in the base theme folder. You can find the base theme folder in the Exchange installation directory at \Client Access\OWA\version\themes\base.
87
The logon, language selection, and logoff pages use the logon.css file to define text styles and colors. The pages are created by combining several images for the border top, bottom, and sides and also include repeating images and corners for expansion. The following files create the logon page: logon.css lgnbotl.gif lgnbotm.gif lgnbotr.gif lgnexlogo.gif lgnleft.gif lgnright.gif lgntopl.gif lgntopm.gif lgntopr.gif
It is easiest to create a new look by using a solid color because the same collection of images is used for three pages: the logon page, the language selection page that is shown on the first logon per mailbox, and the logoff page. The pages resize horizontally and vertically based on the contents of the page. If you have multiple Client Access servers and want them all to use the same logon and logoff pages, you must copy the modified logon and logoff files to each Client Access server. Caution: Because you must change the files in the base theme to create custom logon and logoff pages, back up copies of all the files that you will be changing before you start to create your custom logon and logoff pages. The following figures illustrate the default Outlook Web Access logon page as it appears if the user clicks show explanation and selects This is a private computer and Use Outlook Web Access Light. One figure shows how the graphics files that create the page fit together. The other figure shows how the logon.css file determines the colors of the background and text on the logon page.
88
Figure 7 Outlook Web Access logon page displaying custom graphics files
89
Figure 8 Default Outlook Web Access logon page displaying text options
The following figures illustrate the default Outlook Web Access logoff page. One figure shows how the graphic files that create the page fit together. The other shows how the logon.css file determines the colors of the background and text on the logoff page.
90
Figure 9 Outlook Web Access logoff page displaying custom graphics files
Figure 10 Default Outlook Web Access logoff page displaying text options
91
Testing Changes to the Logon and Logoff Pages

After you have opened the Outlook Web Access logon or logoff page in Internet Explorer, you can test your changes without having to reset IIS or exit Internet Explorer. To test changes to the logon and logoff pages 1. Open the Outlook Web Access logon or logoff page in Internet Explorer. 2. On the toolbar, click Tools, and then click Internet Options. 3. On the General tab, under Browsing history, click Delete. 4. Under Temporary Internet Files, click Delete files, and then click Yes when you are asked whether you are sure that you want to delete all temporary Internet Explorer files 5. Click OK to close Internet Options. 6. Click Refresh to see your changes. Repeat these steps to see your changes every time that you make a change to the logon or logoff page files. If you are making several changes, you can leave the logon or logoff page open and repeat the steps to see your changes.
Changing the Logo

To customize Outlook Web Access, you can change the Outlook Web Access logo on the logon and logoff pages to your organization's logo. To change the logo in Outlook Web Access 1. Create copies of the files that you want to change, and then save them to a safe location so that you can restore the original pages, if it is necessary. 2. Open the lgntopl.gif file by using an image editing tool, and then modify it to create the logo that you want to use. 3. Save your changes, and then click the Refresh button to see your changes. Note: If you have changed the background color of lgntopl.gif, we recommend that you modify the remaining files that are used to create the logon and logoff pages to match.
92
Changing the Font Styles and Colors

You can edit the logon.css file to change font styles and some of the colors that are used on the pages. This includes the background color that is behind the controls in the center of the logon page and the language selection page. If you have changed the color of these pages, we recommend that you change the background color to match. To change the background and font colors of the logon, language selection, and logoff pages, you must find the values in the logon style sheet (logon.css) and then determine the HTML RGB values for the colors that you want to use. The HTML RGB color values are defined by a seven character string in the format of the number sign (#) followed by a string of six characters. To find the HTML RGB values for many colors, see the Color Table in the MSDN Library. If you must match a specific color and you cannot find a match for the color online, you can use an image editing tool to sample a color and determine its HTML RGB value. To test your changes, open Internet Explorer and enter the URL for Outlook Web Access. If you are testing the changes to the Default Web site on the Client Access server that is hosting the Outlook Web Access virtual directory, you can test them by opening Internet Explorer and entering the URL https://localhost/owa. Note: The language selection page appears only the first time that a user logs on to Outlook Web Access. Table 19 lists the elements of the logon and logoff tables and a description for each element. Table 19 Logon and logoff page elements and their descriptions Element to change Background color String to search for Background: #7F90b1 Description The background color of the logon and logoff pages. If you change the background color of the graphics files, you should change the background color to match.
93
Warning text
wrng{color:#f8d328}
The color of the warning text that appears when a user selects This is a private computer. On the existing Outlook Web Access logon page, this warning text light yellow and stands out well against the blue background. If you change the background color of the logon page, you may also want to change the color of the warning text so that it is readable. The primary text color is white. It indicates options that can be selected and entry fields on the Outlook Web Access logon page. Examples include the labels for the user name and password fields, and the text next to the security options. If you have chosen a dark color for your logon pages, white will still work well for this text. Link on the logon page that a user can click to show or hide the explanation of Private and Public logons.
Primary text color
select, table {color:#ffffff;}
Show explanation
a{color#ffe052;
Outlook Web Access Light description
disBis{color:#c8d3e3;} When a user selects Use Outlook Web Access Light, a short explanation about Outlook Web Access Light is displayed. ;color:#fffff; The words Connected to Microsoft Exchange appear at the lower-left corner of the logon and logoff pages. Changing this value changes the color of the text in those words.
Connected to Microsoft Exchange
94
Dividing lines
#A9AAc4
All three pages that use logon.css have thin lines that divide them into sections. These pages include logon, logoff, and language selection. After you change the background and font colors, you may want to change the color of the lines so that the lines will still be visible, but not more visible than the text.
After you have decided which elements you want to change the color of and identified the HTML RGB color values that you will be changing those elements to, use the following procedure to change the color of any element that is defined by a .css file. To change the color of an element 1. Open logon.css. 2. Use the logon and logoff page elements in Table 19 included earlier in this section to find the string that matches the element that you want to change. 3. Replace the HTML RGB color value of the element that you want to change with the new HTML RGB color value that you want to use for that element. 4. Save your changes and close logon.css. 5. Test your changes by opening Internet Explorer and entering the URL for the Outlook Web Access logon page. Note: If you have already opened the Outlook Web Access logon URL, you can test your changes by deleting the temporary Internet files and refreshing Internet Explorer. To do this, click Tools, and then click Internet Options. On the General tab, under Browsing history, click Delete. Under Temporary Internet Files, click Delete files, and then click Yes when you are asked whether you are sure that you want to delete all temporary Internet Explorer files Click OK to close Internet Options, and then press F5 to refresh the logon page.
95
How to Control Web Beacon and HTML Form Filtering for Outlook Web Access
This section describes how to use the Exchange Management Shell to disable Web beacons and HTML forms on Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007. A Web beacon is a file object, such as a transparent graphic or an image, which is put on a Web site or in an e-mail message. Web beacons are typically used together with HTML cookies to monitor user behavior on a Web site or to validate a recipient's e-mail address when an e-mail message that contains a Web beacon is opened. Web beacons and HTML forms can also contain harmful code and can be used to circumvent e-mail filters. By default, Web beacons and HTML forms are set to UserFilterChoice, which blocks all Web beacons and HTML forms but lets the user unblock them on individual messages. An administrator can use the Exchange Management Shell to change the type of filtering that is used for Web beacon and HTML form content in Outlook Web Access. For more information about Web beacons, see Managing Outlook Web Access Advanced Features.
Before You Begin

To perform the following procedure in the Exchange Management Shell, the account you use must be delegated membership in the local Administrators group. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to disable Web beacons and HTML forms in Outlook Web Access Run the following command to block all Web beacon and HTML form content on an Outlook Web Access virtual directory named owa in the default Internet Information Services (IIS) Web site on the local server: Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter The possible values for FilterWebBeaconsandHtmlforms are as follows: UserFilterChoice By default, this value blocks Web beacons and HTML forms, but lets the user allow Web beacons and HTML forms on individual messages. ForceFilter This value blocks all Web beacons and HTML forms. DisableFilter This value allows Web beacons and HTML forms.
96

For more information about Web beacons, see Managing Outlook Web Access Advanced Features.
Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access
This section explains a new feature in Outlook Web Access in Microsoft Exchange Server 2007: integration of Microsoft Windows SharePoint Services and Windows file shares. Windows file shares are also known as Universal Naming Convention (UNC) file shares. The integration of Windows SharePoint Services and Windows file shares in Outlook Web Access gives users read-only access to documents on centralized or personal Windows SharePoint Services document libraries or Windows file shares. Users cannot change files that are stored on Windows SharePoint Services document libraries or Windows file shares when they retrieve them by using Outlook Web Access. Windows SharePoint Services is the engine that lets the administrator create Web sites for information-sharing and document collaboration. Windows SharePoint Services document libraries offer file storage capabilities for saving files and sharing information. This functionality helps users collaborate on documents. Important: The Windows SharePoint Services and Windows file share integration feature is available only in the Exchange 2007 Outlook Web Access Premium client and when either Basic or forms-based authentication is used.
Administration
This section explains the administrative tasks that you can perform to configure the Windows SharePoint Services and Windows file share integration feature in Outlook Web Access. You can use the Exchange Management Console and the Exchange Management Shell to perform the following tasks: Allow or block access to Windows SharePoint Services and Windows file share documents on specific servers. Allow or block access to Windows SharePoint Services and Windows file share documents from public and private computers.
97
Create a list of host names to be treated as internal. Only documents on internal hosts can be accessed from Outlook Web Access. Enable or disable document access to Windows SharePoint Services and Windows file shares by using segmentation. You can do this on individual Outlook Web Access virtual directories by using the Set-OwaVirtualDirectory cmdlet or on a per-user basis by using the Set-CASMailbox cmdlet. Note: By default, segmentation changes take effect after 60 minutes of inactivity for users who are logged on to Outlook Web Access or when a user logs on to Outlook Web Access. To force the changes to take effect immediately, restart IIS by running the command iisreset/noforce on the Client Access server. Windows SharePoint Services and Windows file share integration is configured separately for public and private computer logons.
Default Settings
Table 20 describes the default settings for the Windows SharePoint Services and Windows file share integration feature in Outlook Web Access. Table 20 Default settings for the Windows SharePoint Services and Windows file share integration feature in Outlook Web Access Feature Windows SharePoint Services and Windows file share integration features Block lists Allow lists Document access to Windows SharePoint Services and Windows file shares on unknown servers Windows SharePoint Services and Windows file share document access from public computers Default setting Enabled None None Enabled
Enabled

For more information about how to configure access to Windows SharePoint Services document libraries and Windows files shares, see the following topics:
98
How to Configure Windows SharePoint Services and Windows File Share Integration for Outlook Web Access How to Allow or Block Access to Documents in Windows SharePoint Services and Windows File Shares from Specific Servers How to Enable or Block Access from Public and Private Computers How to Configure Internal Host Names
For more information about how to use segmentation to manage Outlook Web Access features for individual virtual directories or on a per-user basis, see the following topics: Set-OwaVirtualDirectory Set-CASMailbox
How to Configure Windows SharePoint Services and Windows File Share Integration for Outlook Web Access
This section describes how to use the Exchange Management Shell to configure Microsoft Windows SharePoint Services and Windows file share integration for Microsoft Outlook Web Access in Exchange 2007. By default, these features are enabled.
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to enable or disable integration of Windows SharePoint Services document libraries and Windows file shares 1. In the Exchange Management Console, click Server Configuration, and then click Client Access. 2. On the Outlook Web Access tab, select the virtual directory that you want to configure. 3. To configure access through public connections, click the Public Computer File Access tab.
99
4. To configure access through private connections, click the Private Computer File Access tab. 5. Select the Windows File Shares check box to enable or disable access to Windows file shares. 6. Select the Windows SharePoint Services check box to enable or disable access to document libraries on Windows SharePoint Services. 7. Click OK to save your changes or click Cancel to discard them. To use the Exchange Management Shell to enable or disable integration of Windows SharePoint Services document libraries and Windows file shares Open the Exchange Management Shell and run the following command to enable or disable Windows file share access for public computers: Set-OwaVirtualDirectory -Identity "owa (default web site)" -UNCAccessonPublicComputersEnabled <$true|$false>
You can use the following parameters to enable or disable direct access to Windows SharePoint Services document libraries or Windows file shares: UNCAccessOnPrivateComputersEnabled UNCAccessonPublicComputersEnabled WSSAccessOnPublicComputersEnabled WSSAccessonPrivateComputersEnabled
To use the Exchange Management Console to manage access to Windows SharePoint Services document libraries and Windows file shares 1. Open the Exchange Management Console. 2. Locate Server Configuration/Client Access. 3. On the Outlook Web Access tab, select the virtual directory that you want to configure. 4. Click the Remote File Servers tab. 5. Click Block to manage the list of servers to which you want to block access. 6. Click Allow to manage the list of servers that can be accessed. 7. Select the behavior for Unknown Servers by selecting Allow or Block from the list. 8. Click Configure to manage the list of servers that you want to be handled as internal. 9. Click OK to save your changes or click Cancel to discard them.
100
To use the Exchange Management Shell to manage access to Windows SharePoint Services document libraries and Windows file shares 1. Open the Exchange Management Shell and run the following command to manage the list of servers that are blocked: Set-OwaVirtualDirectory -Identity "owa (default web site)" -RemoteDocumentsBlockedServers <server name1, server name2, > 2. Open the Exchange Management Shell and run the following command to allow or block access to documents on unknown servers. Use either <allow> or <block>. Set-OwaVirtualDirectory -Identity "owa (default web site) -RemoteDocumentsActionforUnknownServers <allow/block> You can use the following parameters to manage access to Windows SharePoint Services document libraries or Windows file shares: Note: By default, changes to these properties take effect after 30 minutes of user inactivity or the next time that the user logs on to Outlook Web Access. To force the changes to take effect immediately, restart Internet Information Services (IIS) by using the command iisreset/noforce. Note: When you add host names to the Block and Allow lists, you must enter a server name. Entering a Windows file share name will not work. RemoteDocumentsActionForUnknownServers RemoteDocumentsAllowedServers RemoteDocumentsBlockedServers RemoteDocumentsInternalDomainSuffixList

For more information about direct access to Windows SharePoint Services document libraries and Windows file shares, see Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access. For more information about syntax and parameters, see Set-OwaVirtualDirectory.
101
How to Allow or Block Access to Documents in Windows SharePoint Services and Windows File Shares from Specific Servers
This section describes how to use the Microsoft Exchange Management Shell and Exchange Management Console to allow and block access to documents in Windows SharePoint Services document libraries and Windows file shares on specific servers. You can use the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell to create a list of host names for servers for which you want to allow or block access to Windows SharePoint Services and Windows file share documents. For more information about the settings that you can configure on Outlook Web Access, see SetOwaVirtualDirectory. Table 21 lists the parameters that you can configure on an Outlook Web Access virtual directory to allow or block access to documents on specific servers. Table 21 Parameters that can be configured on an Outlook Web Access virtual directory to allow or block access to documents Parameter RemoteDocumentsActionForUnknownServer s Description The RemoteDocumentsActionForUnknownServer s parameter determines whether to allow or block a server host name that is not included in the Allow list or Block list. The RemoteDocumentsAllowedServers parameter creates a list of host names of servers that can be accessed. The RemoteDocumentsBlockedServer parameter creates list of host names of servers that are blocked.
RemoteDocumentsAllowedServers
RemoteDocumentsBlockedServers
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.
102
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to allow or block access to documents from specific servers 1. Open the Exchange Management Console, select Server Configuration, and then select Client Access. 2. On the Outlook Web Access tab, select the virtual directory that you want to configure, and then double-click it to view its properties. 3. Click the Remote File Servers tab. 4. Click the Block or Allow button, and then add the host names of the servers to which you want to allow or block access. 5. Click OK to save your changes, and then click OK again to exit the properties. To use the Exchange Management Shell to allow or block access to documents on specific servers To allow access, run the following command: Set-OWAVirtualDirectory -Identity "owa (Default web site)" -RemoteDocumentsAllowedServers <host name> To block access, run the following command: Set-OWAVirtualDirectory -Identity "owa (Default web site)" -RemoteDocumentsBlockedServers <host name> To specify the action for unknown servers, run the following command: Set-OWAVirtualDirectory -Identity "owa (Default web site)" -RemoteDocumentsActionforUnknownServers <Allow|Block> Use Allow to allow access to documents on unknown servers, or Block to block access to documents on unknown servers. Note: When you add host names to the Block and Allow lists, you must enter a server name. Entering a Windows file share name will not work. For more information about syntax and parameters, see Set-OwaVirtualDirectory.
103

For more information about how to configure Windows SharePoint Services and Windows file shares for Outlook Web Access, see Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access.
How to Enable or Block Access from Public and Private Computers

You can use the Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell to allow or block access to Windows SharePoint Services document libraries and Windows file share documents for users who are connecting from public and private computers. For more information about the settings that you can configure on Office Outlook Web Access, see SetOwaVirtualDirectory. Table 22 lists the parameters that you can configure on an Outlook Web Access virtual directory to allow or block access to Windows SharePoint Services document libraries and Windows file share documents.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Table 22 Parameters you can configure to allow or block access for users who are connecting from public and private computers Parameter UNCAccessOnPrivateComputersEnabled Description This parameter determines the availability of Windows file share documents when formsbased authentication is enabled and the This is a private computer option is selected during Outlook Web Access logon. This parameter also determines availability when standard authentication is used. Standard authentication includes Basic, Digest, and Integrated Windows authentication.
104
UNCAccessOnPublicComputersEnabled
This parameter determines the availability of Windows file share documents when formsbased authentication is enabled and the This is a public computer option is selected during Outlook Web Access logon. You can also use Basic authentication. This parameter determines the availability of documents in Windows SharePoint Services document libraries when forms-based authentication is enabled and the This is a private computer option is selected during Outlook Web Access logon. This parameter also determines availability when Basic authentication is used and the target server is using Windows SharePoint Services version 2 or later. This also applies to Digest and Integrated Windows authentication when the target server is using Windows SharePoint Services version 3 and it has been configured to accept Digest and Integrated Windows authentication. This parameter determines the availability of documents in Windows SharePoint Services document libraries when forms-based authentication is enabled and the This is a public computer option is selected during Outlook Web Access logon.
WSSAccessOnPrivateComputersEnabled
WSSAccessOnPublicComputersEnabled
To use Exchange Management Console to enable or disable access to Windows SharePoint Services document libraries and Windows file shares 1. Open the Exchange Management Console, click Server Configuration, and then click Client Access. 2. On the Outlook Web Access tab, select the virtual directory that you want to configure, and then double-click it to view its properties. 3. Click the Public Computer File Access tab or the Private Computer File Access tab. 4. Select the check box next to Windows File Shares to enable or disable access to files. 5. Select the check box next to Windows SharePoint Services to enable or
105
disable access to document libraries. 6. Click OK to save your changes and exit the properties. To use the Exchange Management Shell to enable or disable access to Windows SharePoint Services document libraries and Windows file shares on a public computer Run the following command: Set-OWAVirtualDirectory -Identity "owa (Default Web Site)" WSSAccessOnPublicComputersEnabled $true|$false

For more information about how to configure Windows SharePoint Services and Windows file shares for Outlook Web Access, see Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access. For information about how to identify internal hosts, see How to Configure Internal Host Names.
How to Configure Internal Host Names

Microsoft Outlook Web Access allows access only to internal Windows SharePoint Services document libraries and Windows file shares. A simple set of criteria is used to determine whether an address is internal or external. If there are no dots in a URL that a user clicks, it is treated as internal. If there are one or more dots in the URL, it is treated as internal only if the domain suffix has been added to the list of sites to be treated as internal.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to manage the list of domain suffixes to be treated as internal 1. Open the Exchange Management Console, select Server Configuration, and then select Client Access.
106
2. On the Outlook Web Access tab, select the virtual directory that you want to configure, and then double-click it to view its properties. 3. Click the Remote File Servers tab. 4. Click the Configure button at the bottom of the page. 5. Enter the domain suffix that you want to add in the text box, and then click Add to add it to the list of domain suffixes to be treated as internal. 6. Click OK to save your changes, and then click OK again to exit the properties. To use the Exchange Management Shell to manage the list of domain suffixes to be treated as internal 1. Run the following command: Set-OWAVirtualDirectory -Identity "owa (Default Web Site)" -RemoteDocumentsInternalDomainSuffixList <subdomain.domain.com> <subdomain.domain.com> can be any domain that you want included in the list of internal domains. 2. To add multiple domains, separate each domain name by using a comma (,). Note: This parameter overwrites existing values. If you want to add a single domain to an existing list, you must include all domains in the command. For more information about syntax and parameters, see Set-OwaVirtualDirectory.

For more information about how to configure Windows SharePoint Services and Windows file shares for Outlook Web Access, see Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access.
Managing Outlook Anywhere

The Outlook Anywhere feature (formerly known as RPC over HTTP) for Microsoft Exchange Server 2007 provides Internet-based access to your messaging environment. If you have enabled Outlook Anywhere on a server that is running Exchange 2007 that has the Client Access server role installed, users who are on Exchange 2007 servers that have the Mailbox server role installed can use RPC over HTTP to connect to their Exchange mailbox. Outlook Anywhere eliminates the need to use virtual private networks (VPNs) to access servers that are running Exchange Server 2003 that have
107
Service Pack 1 (SP1) installed and Exchange 2007 servers that are located in your organization's network. Outlook Anywhere gives users a reliable, efficient way to connect to their Exchange information.
Managing Outlook Anywhere

Outlook Anywhere in Exchange 2007 is much simpler to manage than RPC over HTTP in Exchange Server 2003. The Exchange Management Console lets you enable or disable Outlook Anywhere for your organization by using the Enable Outlook Anywhere Wizard. For information about how to enable Outlook Anywhere, see How to Enable Outlook Anywhere. Alternatively, you can enable, disable, and modify Client Access servers that are providing access to your Exchange messaging environment through Outlook Anywhere by using the Exchange Management Shell. For more information about the Outlook Anywhere cmdlets, see Outlook Anywhere Cmdlets.
Managing Servers in Outlook Anywhere

In environments that are comprised only of Exchange 2007 servers, Client Access servers that are enabled for Outlook Anywhere will automatically manage which Exchange 2007 servers that have the Mailbox server role installed can be accessed. Additionally, when you add or remove Exchange 2007 Mailbox servers, the Client Access server that is enabled for Outlook Anywhere will automatically provide access to these Mailbox servers for client computers that are running Outlook 2007.
Managing Earlier Versions of Exchange by Using Outlook Anywhere

If you are using Exchange 2003 back-end servers with Exchange 2003 SP1, Client Access servers that are enabled for Outlook Anywhere will automatically detect these back-end servers after you enable them for RPC over HTTP access by using the Exchange 2003 System Manager. Designate the servers that you will enable for RPC over HTTP access as back-end servers. If you are using Exchange 2003 servers that do not have SP1 installed, you must modify the registry on these back-end servers and manage these servers individually to enable them to be accessed by Outlook 2007 or Outlook 2003 clients that are using RPC over HTTP. Therefore, we recommended that you upgrade your Exchange 2003 back-end servers to SP1 or a later version.
Managing Multiple Sites in Outlook Anywhere

If you have multiple sites that are separated by low-bandwidth network connectivity, you can enable a Client Access server in each site. The Autodiscover service will then automatically
108
detect which Client Access server is closest to the user's mailbox that resides on either an Exchange 2007 Mailbox server or on an Exchange 2003 back-end server that is enabled for RPC over HTTP. After the user has connected across the Internet by using RPC over HTTP, the Client Access server will then use RPC requests. This ensures that RPC requests stay within the site's intranet. For more information about how to provide an external host name for Outlook Anywhere, see How to Configure an External Host Name for Outlook Anywhere.
Managing Users in Outlook Anywhere

When you enable Outlook Anywhere on a Client Access server, all users who have mailboxes on Exchange 2007 Mailbox servers will be enabled for Outlook Anywhere. Users who have mailboxes on Exchange Server 2003 servers with SP1 or a later version or Exchange 2003 servers that have been enabled for RPC over HTTP will also be able to access their Exchange information from the Internet. You can manage the Outlook Anywhere feature at the server level by using the Exchange Management Shell.

For more information about Outlook Anywhere, see the following topics: Overview of Outlook Anywhere Managing Outlook Anywhere Security
How to Configure Outlook Anywhere with Exchange 2003

This section explains how to configure the Microsoft Exchange Server 2007 feature Outlook Anywhere (formerly known as RPC over HTTP) for Exchange deployments that involve earlier versions of Exchange. These versions include the following: Exchange Server 2003 Exchange Server 2003 with Service Pack 1 (SP1) or a later version
When you deploy Outlook Anywhere on a computer that is running Exchange 2007 that has the Client Access server role installed that will provide access to Exchange 2003 or Exchange 2003 SP1 or a later version, you must configure those servers by using the configuration steps for RPC over HTTP for those versions of Exchange.
109
Configuring Outlook Anywhere for Exchange Server 2003 SP1

Client Access servers that are deployed in environments that have existing Exchange 2003 back-end servers enabled for RPC over HTTP will automatically use these back-end servers to access Outlook Anywhere. If you are supporting mailboxes that are running on Exchange 2003 with SP1 or a later version, you must follow these steps in order: 1. Install a valid Secure Sockets Layer (SSL) certificate from a certification authority (CA) that is trusted by the operating system of the client computer. 2. Install the Windows RPC over HTTP Proxy component. 3. Run the Enable Outlook Anywhere Wizard on at least one Client Access server in your Exchange deployment. 4. If you have not already enabled an Exchange 2003 server for RPC over HTTP access, use the Exchange System Manager RPC over HTTP user interface in Exchange 2003 to enable it. After you enable Outlook Anywhere on an Exchange 2007 Client Access server in your organization, you can continue to add Exchange 2003 SP1 back-end servers or Exchange 2007 servers that have the Mailbox server role installed. The Client Access server will automatically manage access to these servers. However, if you add Exchange 2003 back-end servers that do not have Exchange 2003 SP1 or a later version, you must follow the instructions for enabling RPC over HTTP for Exchange 2003 without SP1. For more information, see Deployment Scenarios for RPC over HTTP.
Configuring Outlook Anywhere for Exchange Server 2003

If your Client Access servers are deployed in environments that include Exchange 2003 backend servers that have not been upgraded to SP1 or a later version, you must manually configure your registry on the following servers to manage Outlook Anywhere: Client Access servers that are providing Outlook Anywhere access Exchange 2003 back-end servers Domain controllers
We recommend that you upgrade your Exchange 2003 servers to SP1 or a later version. If you must use Exchange 2003 servers that do not have SP1, you must follow these steps in order: 1. On the Client Access server, disable the RpcHttpConfigurator by editing the registry.
110
2. Follow the steps to deploy RPC over HTTP for Exchange 2003 servers. For more information, see Deployment Scenarios for RPC over HTTP.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Note: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data. To use Registry Editor to disable the RpcHttpConfigurator 1. On the Client Access server, log on by using the Exchange administrator account, and then start Registry Editor (regedit).
2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigur ator\ 3. Right-click the PeriodicPollingMinutes DWORD value, and then click Modify. 4. In Edit DWORD Value, in the Value Data box, enter 0. 5. Click OK to save your changes.

For more information about Outlook Anywhere, see the following topics: Overview of Outlook Anywhere Managing Outlook Anywhere
How to Enable Outlook Anywhere

This section explains how to use the Exchange Management Console or the Exchange Management Shell to enable Outlook Anywhere for your organization.
111
Before You Begin

To enable Outlook Anywhere, you must follow these steps in the following order: 1. Install a valid Secure Sockets Layer (SSL) certificate from a trusted certification authority (CA) that the client trusts. 2. Install the Windows RPC over HTTP Proxy component. 3. Enable Outlook Anywhere on a computer that has the Exchange Server 2007 Client Access server role installed. When you install Exchange 2007, you can install a default SSL certificate that is created by Exchange Setup. However, this certificate is not a valid SSL certificate that is trusted by the client. To use Outlook Anywhere, you must install an SSL certificate that is trusted by the client. To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To install the RPC over HTTP Windows Networking component 1. Click Start, point to Settings, click Control Panel, and then double-click Add or Remove Programs. 2. Click Add/Remove Windows Components. 3. On the Windows Components page, in the Components window, select Networking Services, and then click the Details button. 4. On the Networking Services page, in the Subcomponents of Networking Services window, select the check box next to RPC over HTTP Proxy, and then click OK. 5. On the Windows Components page, click Next. 6. Click Finish to close the Windows Components Wizard.
To use the Exchange Management Console to enable Outlook Anywhere 1. In the console tree, expand Server Configuration, and then click Client Access. 2. In the action pane, click Enable Outlook Anywhere. 3. In the Enable Outlook Anywhere Wizard, in the box under External host name, type the external host name for your organization.
112
4. Select an available external authentication method. You can select Basic authentication or NTLM authentication. 5. If you are using an SSL accelerator and you want to do SSL offloading, select the check box next to Allow secure channel (SSL) offloading. Note: Do not use this option unless you are sure that you have an SSL accelerator that can handle SSL offloading. If you do not have an SSL accelerator that can handle SSL offloading and you select this option, Outlook Anywhere will not function correctly. 6. Click Enable to apply these settings and enable Outlook Anywhere. 7. Click Finish to close the Enable Outlook Anywhere Wizard. To use the Exchange Management Shell to enable Outlook Anywhere Run the following command: enable-OutlookAnywhere -Server:'ServerName' -ExternalHostName:'ExternalHostName'ExternalAuthenticationMethod:'Basic' -SSLOffloading:$false Note: Running this cmdlet with the ExternalAuthenticationMethod and SSLOffloading parameters will enable Outlook Anywhere with Basic authentication and no SSL offloading. For more information about syntax and parameters, see Enable-OutlookAnywhere.

For more information about Outlook Anywhere, see the following topics: Overview of Outlook Anywhere Recommendations for Outlook Anywhere Managing Outlook Anywhere
How to Disable Outlook Anywhere

This section explains how to use the Exchange Management Console or the Exchange Management Shell to disable Outlook Anywhere for your organization.
113
Before You Begin

If you want to disable Outlook Anywhere access for your whole organization, you must disable it on each computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed that is enabled for Outlook Anywhere in all sites for your organization. However, you can disable access to Exchange mailbox servers on a site-to-site basis by disabling Outlook Anywhere only on each Client Access server that is in the site that you want to be disabled for Outlook Anywhere access. To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to disable Outlook Anywhere 1. In the Exchange Management console tree, expand Server Configuration, and then click Client Access. 2. In the action pane, click Disable Outlook Anywhere. 3. Click Yes on the confirmation message when you are asked if you want to disable Outlook Anywhere for this server. To use the Exchange Management Shell to disable Outlook Anywhere Run the following command: disable-OutlookAnywhere -Server:'ServerName'
For more information about syntax and parameters, see Disable-OutlookAnywhere.

For more information about Outlook Anywhere, see the following topics: Overview of Outlook Anywhere Recommendations for Outlook Anywhere Managing Outlook Anywhere How to Enable Outlook Anywhere
114
How to Configure an External Host Name for Outlook Anywhere

This section explains how to create an external host name for Outlook Anywhere on a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed. If you manage more than one Exchange site, we recommend that you create separate external host names for each site that has a Client Access server that is enabled for Outlook Anywhere. When you create separate external host names for each site, Microsoft Office Outlook 2007 clients automatically use the Client Access server that is closest to their mailbox. Note: For Outlook 2007 clients to be able to automatically use the Client Access server that is closest to their mailbox, the user's mailbox must be located on either an Exchange 2003 server that has Service Pack 1 (SP1) or later versions installed or on an Exchange 2007 server that has the Mailbox server role installed. Note: Users who are using Outlook 2003 must have their profiles manually updated to use the external host name that is closest to their mailbox.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Important: To successfully complete this procedure, either the Client Access server must be enabled for Outlook Anywhere or the external host name must be specified by using the Enable Outlook Anywhere Wizard. To use the Exchange Management Console to configure an external host name for Outlook Anywhere 1. In the console tree, expand Server Configuration, and then click Client Access. 2. In the action pane, click Properties. 3. On the Exchange (Default Web Site) Properties page, click the Outlook
115
Anywhere tab. 4. In the text box under External host name, enter the external host name to use for this site. 5. Click OK to save your changes. To use the Exchange Management Shell to configure an external host name for Outlook Anywhere Run the following command: set-OutlookAnywhere -Server:'CAS01' -ExternalHostName:'site.contoso.com'
For more information about syntax and parameters, see How to Configure an External Host Name for Outlook Anywhere.

For more information about how to enable Outlook Anywhere, see the following topics: How to Enable Outlook Anywhere Managing Outlook Anywhere
Managing Exchange ActiveSync

There are many tasks that you can perform after you successfully install the Client Access server role on a computer that is running Microsoft Exchange Server 2007. You can configure Exchange ActiveSync by using the Exchange Management Console or the Exchange Management Shell. This section gives you information that will help you manage Exchange ActiveSync.
Overview of Exchange ActiveSync

The Exchange ActiveSync protocol, based on HTTP and XML, lets mobile devices such as browser-enabled cellular telephones or Microsoft Windows Mobile powered devices access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile users to access their e-mail, calendar, contacts, and tasks and to continue to be able to access this information while they are working offline.
116
Note: Exchange ActiveSync can synchronize e-mail messages, calendar items, contacts, and tasks. You cannot use Exchange ActiveSync to synchronize notes that are in Microsoft Outlook.
Managing Exchange ActiveSync

By default, after you install the Client Access server role on the Exchange 2007 server, Exchange ActiveSync is enabled. Users need only configure their mobile devices to synchronize with the Exchange Server computer to use Exchange ActiveSync. There are a variety of management tasks that you can perform by using Exchange ActiveSync. These include configuring Exchange ActiveSync mailbox policies and configuring authentication for increased security. You can perform some of these tasks in the Exchange Management Console and all of them in the Exchange Management Shell. Administrative permissions are required to manage the Exchange 2007 server that has the Client Access server role installed. For more information about the permissions that are required to perform administrative tasks for Exchange ActiveSync, see Required Permissions to Manage Client Access.

For more information about how to manage Exchange ActiveSync, see the following topics: Overview of Exchange ActiveSync Managing the Exchange ActiveSync Virtual Directory Managing Exchange ActiveSync with Policies Managing Exchange ActiveSync Users Managing an Exchange ActiveSync Server Managing Exchange ActiveSync Devices
Managing the Exchange ActiveSync Virtual Directory

When you install the Client Access server role on the computer that is running Microsoft Exchange Server 2007, a virtual directory is created in the default Internet Information Services (IIS) Web site on the Exchange Exchange Server server. This section provides information about how to manage the Exchange ActiveSync virtual directory.
117
Managing the Exchange ActiveSync Virtual Directory

The Exchange ActiveSync virtual directory is created in the default Web site and is always named Microsoft-Server-ActiveSync. You can manage the Exchange ActiveSync virtual directory by using the Exchange Management Shell, the Exchange Management Console, and IIS Manager. Note: You can use the Exchange Management Shell to manage all virtual directory settings except the configuration of Secure Sockets Layer (SSL). To configure SSL on the Exchange ActiveSync virtual directory, you must use IIS Manager.
Management Scenarios
The following are several tasks that you can perform on the Exchange ActiveSync virtual directory: Modify the accepted authentication types for communication between mobile devices and Exchange ActiveSync. Configure which Windows SharePoint Services and Windows file share servers are allowed and blocked. Configure proxying for your Client Access servers. Configure the Autodiscover URL for Exchange ActiveSync. Enable Bad Item Logging.

For more information about how to manage Exchange ActiveSync virtual directories, see the following topics: How to Create an Exchange ActiveSync Virtual Directory How to View Properties of an Exchange ActiveSync Virtual Directory How to Modify Properties on an Exchange ActiveSync Virtual Directory How to Remove an Exchange ActiveSync Virtual Directory
118
How to Create an Exchange ActiveSync Virtual Directory

This section explains how to use the Exchange Management Shell to create an Exchange ActiveSync virtual directory in Microsoft Exchange Server 2007. By default, when Exchange 2007 is installed, a new virtual directory is created in the default Web site in Internet Information Services (IIS). This virtual directory is named MicrosoftServer-ActiveSync. You can create additional Exchange ActiveSync virtual directories under Web sites other than the default Web site. All Exchange ActiveSync virtual directories you create will have the name Microsoft-Server-ActiveSync. Note: You can also use this procedure to create a new Exchange ActiveSync virtual directory if you have removed the virtual directory because it has become corrupted.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to create an Exchange ActiveSync virtual directory 1. In this example, a new Exchange ActiveSync virtual directory is created under the contoso.com Web site. 2. Run the following command: New-ActiveSyncVirtualDirectory -WebSiteName "Contoso.com" For more information about syntax and parameters, see New-ActiveSyncVirtualDirectory.

For more information about how to manage Exchange ActiveSync virtual directories, see Managing the Exchange ActiveSync Virtual Directory.
119
How to View Properties of an Exchange ActiveSync Virtual Directory

This section explains how to use the Exchange Management Console and the Exchange Management Shell to view the settings an Exchange ActiveSync virtual directory in Microsoft Exchange Server 2007. You can use either the Exchange Management Console or the Exchange Management Shell to perform this task.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use Exchange Management Console to view the properties on an Exchange ActiveSync virtual directory 1. In the Exchange Management Console, click Server Configuration, and then click Client Access. 2. In the work pane, click the Exchange ActiveSync tab. 3. In the action pane, under Microsoft-Server-ActiveSync, click Properties. To use the Exchange Management Shell to view the properties on an Exchange ActiveSync virtual directory Run the following command: Get-ActiveSyncVirtualDirectory For more information about syntax and parameters, see Get-ActiveSyncVirtualDirectory.

120
How to Modify Properties on an Exchange ActiveSync Virtual Directory

This section explains how to use the Exchange Management Console and the Exchange Management Shell to modify the settings on an Exchange ActiveSync virtual directory in Microsoft Exchange 2007.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to modify the properties on an Exchange ActiveSync virtual directory 1. In the Exchange Management Console, click Server Configuration, and then click Client Access. 2. In the work pane, click the Exchange ActiveSync tab. 3. In the action pane, under Microsoft-Server-ActiveSync, click Properties. 4. Modify any of the available properties and click OK to apply your changes. To use the Exchange Management Shell to modify the properties on an Exchange ActiveSync virtual directory Run the following command: Set-ActiveSyncVirtualDirectory -Identity "Server Name\Microsoft-Server-ActiveSync (Default Web Site)" -CompressionEnabled: $true -ExternalURL "www.contoso.com/Microsoft-Server-ActiveSync" For more information about syntax and parameters, Set-ActiveSyncVirtualDirectory.

121
How to Remove an Exchange ActiveSync Virtual Directory

This section explains how to use the Exchange Management Shell to remove an Exchange ActiveSync virtual directory in Microsoft Exchange Server 2007. By default, when Exchange 2007 is installed, a new virtual directory is created in the default Web site in Internet Information Services (IIS). This virtual directory is named MicrosoftServer-ActiveSync. You can create additional Exchange ActiveSync virtual directories under Web sites other than the default Web site. All Exchange ActiveSync virtual directories that you create will have the name Microsoft-Server-ActiveSync. You can remove the default Exchange ActiveSync virtual directory or any additional Exchange ActiveSync virtual directories that you create. Note: You can also use this procedure to remove an Exchange ActiveSync virtual directory if the virtual directory settings have become corrupted.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to remove an Exchange ActiveSync virtual directory In this example, the Exchange ActiveSync virtual directory under the contoso.com Web site is removed. Run the following command: Remove-ActiveSyncVirtualDirectory -Identity "Contoso.com\Microsoft-Server-ActiveSync"
For more information about syntax and parameters, see Remove-ActiveSyncVirtualDirectory.

122
Managing Exchange ActiveSync Users

You can manage Exchange ActiveSync properties for users by using the Exchange Management Shell or the Exchange Management Console.
Managing Exchange ActiveSync Users

By default, if the Client Access server role is installed in a Microsoft Exchange organization that is running Exchange Server 2007, Exchange ActiveSync is enabled for all users. You can disable Exchange ActiveSync for a user or group of users and also manage various settings for your Exchange ActiveSync users. To simplify management of your Exchange ActiveSync users, you can create Exchange ActiveSync mailbox policies. These policies help you apply specific settings to a single user or group of users. Some of the available settings include the following: Require a password Require an alphanumeric password Allow attachments to be downloaded to the device Allow access to Microsoft Windows SharePoint Services documents Enable device encryption
For more information about Exchange ActiveSync mailbox policies, see Managing Exchange ActiveSync with Policies. For more information about how to use the Exchange Management Console to manage an Exchange ActiveSync user, see the following topics: How to Enable or Disable Exchange ActiveSync for a Mailbox User How to Add Users to an Exchange ActiveSync Mailbox Policy How to Configure Synchronization Options for Users
Administrative permissions are required to manage the computer that is running Exchange 2007 that has the Client Access server role installed. For more information about the permissions that are required to perform administrative tasks for Exchange ActiveSync, see Required Permissions to Manage Client Access.

For more information about Exchange ActiveSync, see Overview of Exchange ActiveSync. For more information about how to manage Exchange ActiveSync, see Managing Exchange ActiveSync.
123
How to Enable Exchange ActiveSync for a User

By default, in Microsoft Exchange Server 2007, users are enabled for Exchange ActiveSync. If Exchange ActiveSync is disabled for a user, it can be manually enabled. This section describes how to enable a user for Exchange ActiveSync.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also, before you perform these procedures, confirm that you have enabled Exchange ActiveSync on the Exchange Server 2007 server that has the Client Access server role installed. Note: By default, Exchange ActiveSync is enabled on a Client Access server. To enable a user for Exchange ActiveSync using the Exchange Management Console 1. Open the Exchange Management Console. 2. Under Recipient Configuration, select Mailbox. 3. Select Properties from the action pane or right-click the user's mailbox, and then click Properties. 4. Click the Client Access tab. 5. Select User Initiated Sync, and then click Enable. 6. Click OK. To enable a user for Exchange ActiveSync using the Exchange Management Shell Run the following command: Set-CASMailbox -Identity <SMTP Address of user> -ActiveSyncEnabled $true For more information about syntax and parameters, see Set-CASMailbox.
124

For more information about the Exchange Management Shell, see Exchange Management Shell. For information about how to disable a user for Exchange ActiveSync, see How to Disable Exchange ActiveSync for a User.
How to Disable Exchange ActiveSync for a User

By default, in Microsoft Exchange Server 2007, users are enabled for Exchange ActiveSync. This section describes how to disable Exchange ActiveSync for a user.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also, before you perform these procedures, confirm that you have enabled Exchange ActiveSync on the Exchange Server 2007 server that has the Client Access server role installed. Note: By default, Exchange ActiveSync is enabled on a Client Access server. To disable Exchange ActiveSync for a user by using the Exchange Management Console 1. Open the Exchange Management Console. 2. Under Recipient Configuration, select Mailbox. 3. Select Properties from the action pane or right-click the user's mailbox, and then click Properties. 4. Click the Client Access tab. 5. Select User Initiated Sync, and then click Disable. 6. Click OK.
125
To disable Exchange ActiveSync for a user by using the Exchange Management Shell Run the following command: Set-CASMailbox -Identity<SMTP Address of user> -MobileSyncEnabled $false For more information about syntax and parameters, see Set-CASMailbox.

For more information about the Exchange Management Shell, see Exchange Management Shell. For information about how to enable a user for Exchange ActiveSync, see How to Enable Exchange ActiveSync for a User.
How to Configure Synchronization Options for Users

This section explains how to use Microsoft Windows Mobile to configure synchronization options for users. Microsoft Exchange ActiveSync can synchronize e-mail messages, contacts, calendar items, and tasks between a user's Microsoft Exchange mailbox and their mobile device. Exchange ActiveSync cannot synchronize Microsoft Outlook Notes to a mobile device. There are a variety of different devices that use Microsoft Exchange ActiveSync and synchronize with Exchange Server 2007. The steps in this section are designed for Windows Mobile 5.0. Note: For information about how to configure devices that do not use Windows Mobile, or devices that use versions of Windows Mobile other than Windows Mobile 5.0 to synchronize with Exchange Server, see the device documentation.
Before You Begin

To perform the procedures in this section, confirm the following: You have reviewed the manufacturer's documentation for the mobile device that you want to configure.
126
Exchange ActiveSync is enabled on the Microsoft Exchange 2007 computer that has the Client Access server role installed. You have established a device partnership with the Exchange server. For more information about how to establish a device partnership, see How to Configure a Device for Synchronization. To use ActiveSync on a mobile device to configure synchronization options 1. On the mobile device, select Start, select Programs, and then select ActiveSync to start the ActiveSync application. 2. Select Menu, and then select Options to display the Options screen. 3. Select or clear Contacts, Calendar, E-mail, or Tasks. 4. To configure options for any of these data types, select the data type, and then select Settings. To use Pocket Outlook on a mobile device to configure e-mail synchronization options 1. On the mobile device, select Outlook E-mail to start the Pocket Outlook application. 2. Select Menu, select Tools, and then select Manage Folders to display the folder list screen. 3. Select or clear the check box next to the folder name. Selecting the check box enables the folder for synchronization. Clearing the check box disables synchronization for that folder.

For more information about Exchange ActiveSync, see the following topics: Managing Exchange ActiveSync Managing Exchange ActiveSync Devices
For more information about how to manage Windows Mobile powered smartphones, visit the Windows Mobile Center Web site.
Managing an Exchange ActiveSync Server

By default, when you install the Client Access server role in a Microsoft Exchange 2007 organization, Microsoft Exchange ActiveSync is enabled. You can disable Exchange ActiveSync by stopping the Web services on the Exchange ActiveSync virtual
127
directory. You can configure Exchange ActiveSync to access Microsoft Windows SharePoint Services sites and Windows file shares, view Exchange ActiveSync protocol logs, and configure authentication on your Exchange ActiveSync server.
Managing an Exchange ActiveSync Server

You can perform the following tasks on an Exchange ActiveSync server. Enable and disable Exchange ActiveSync By default, Exchange ActiveSync is enabled when the Client Access server role is installed in an organization. You can disable Exchange ActiveSync for a user or a group of users by using the Exchange Management Console or the Exchange Management Shell. If you must disable Exchange ActiveSync across your organization, you can configure the Exchange ActiveSync virtual directory to refuse all connections by stopping the Web services on that virtual directory. For more information about how to enable and disable Exchange ActiveSync, see the following topics: How to Disable Exchange ActiveSync How to Enable Exchange ActiveSync
Manage access to Windows SharePoint Services sites and Windows file shares Exchange ActiveSync lets users access documents and links stored on Windows SharePoint Services sites and Windows file shares. You can configure specific sites to be allowed or blocked. Sites that are allowed can be accessed by any user who has Windows SharePoint Services or Windows file share access. Blocked sites cannot be accessed under any circumstances. You can also configure the default behavior for sites that are not specified in the Allowed List or Block List. For more information about how to configure access to Windows SharePoint Services sites and Windows file shares, see How to Configure Exchange ActiveSync to Access SharePoint Services Sites and Windows File Shares. View Exchange ActiveSync protocol logs Exchange ActiveSync contains several reports that you can use to manage your Exchange ActiveSync server. Configure authentication for Exchange ActiveSync By default, Exchange ActiveSync is configured to use Basic authentication and requires Secure Sockets Layer (SSL). You can configure other authentication methods including RSA SecurID.

For more information about Exchange ActiveSync, see Overview of Exchange ActiveSync. For more information about how to manage Exchange ActiveSync, see Managing Exchange ActiveSync.
128
How to Disable Exchange ActiveSync

This section describes how to disable Microsoft Exchange ActiveSync. When you disable Exchange ActiveSync on a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed, you disable the application pool that Exchange ActiveSync uses. An application pool is a group of processes that Internet Information Services (IIS) uses to perform a task.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also, before you perform these procedures, confirm the following: You have installed the Microsoft Internet Information Services (IIS) component Microsoft ASP.NET. The ASP.NET Web service extension status is set to Allowed, not Prohibited. You can verify the status of the ASP.NET Web service extension in IIS Manager by expanding the server name, and then clicking Web Service Extensions. If the ASP.NET Web service extension is not set to Allowed, right-click the Web service extension to change the status. To use IIS Manager to disable Exchange 2007 ActiveSync 1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Double-click to expand the server name, and then double-click to expand the Application Pools folder. 3. Right-click MSExchangeSyncAppPool, and then click Stop to disable Exchange ActiveSync. Note: If the Stop command is unavailable, Exchange ActiveSync is already disabled on this server.

For more information about how to install the Client Access server role, see How to Perform a Typical Installation Using Exchange Server 2007 Setup.
129
For more information about how to enable Exchange ActiveSync, see How to Enable Exchange ActiveSync. For more information about how to enable a user for Exchange ActiveSync, see How to Enable Exchange ActiveSync for a User. For more information about how to disable a user for Exchange ActiveSync, see How to Disable Exchange ActiveSync for a User.
How to Enable Exchange ActiveSync

This section describes how to enable Microsoft Exchange ActiveSync. By default, Exchange ActiveSync is enabled when you install the Client Access server role on the computer that is running Exchange Server 2007.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also, before you perform these procedures, confirm the following: You have installed the Internet Information Services (IIS) component ASP.NET. Note: Exchange Server 2007 ActiveSync supports the same devices as Exchange Server 2003 ActiveSync Service Pack 2 does. For information about which devices that are supported for Exchange Server 2007, see Exchange Server 2007 Support for Mobile Devices. The ASP.NET Web service extension status is Allowed, not Prohibited. You can verify the status of the ASP.NET Web service extension in IIS Manager by expanding the server name and then clicking Web Service Extensions. If the ASP.NET Web service extension is not set to Allowed, right-click the Web service extension to change the status. To use IIS Manager to enable Exchange 2007 ActiveSync 1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Double-click to expand the server name, and then double-click to expand the Application Pools folder.
130
3. Right-click MSExchangeSyncAppPool, and then click Start to enable Exchange ActiveSync. Note: If the Start command is unavailable, Exchange ActiveSync is already enabled on this server.

For information about how to install the Client Access server role, see How to Perform a Typical Installation Using Exchange Server 2007 Setup. For information about how to disable Exchange ActiveSync, see How to Disable Exchange ActiveSync. For information about how to enable a user for Exchange ActiveSync, see How to Enable Exchange ActiveSync for a User. For information about how to disable a user for Exchange ActiveSync, see How to Disable Exchange ActiveSync for a User.
How to Configure Exchange ActiveSync to Access SharePoint Services Sites and Windows File Shares
This section explains how to use the Exchange Management Console or the Exchange Management Shell to manage the list of Windows SharePoint Services sites and Windows file shares that Microsoft Exchange ActiveSync users can access from their mobile devices. Note: The lists of Windows SharePoint Services sites and Windows file shares that are allowed and blocked apply to the whole Exchange ActiveSync virtual directory. You cannot configure these lists for individual users. However, you can disable Windows SharePoint Services sites and Windows file share access for individual users by using Exchange ActiveSync policies.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Recipient Administrator role.
131
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to configure access to Windows SharePoint Services sites and Windows file shares 1. Open the Exchange Management Console. 2. Under Server Configuration, select Client Access. 3. Select Exchange ActiveSync. 4. In the action pane, under Microsoft-Server-ActiveSync, click Properties. 5. Click the Remote File Servers tab. 6. Click the Block button to add host names of sites that clients are prohibited from accessing. 7. Click the Allow button to add host names of sites that clients are permitted to access. 8. Use the list in the Unknown Servers section to specify the default action that should be taken when a client tries to access a file from a server that is not entered in either the Allow List or Block List. 9. Click the Configure button to enter the domain suffixes that should be treated as internal. Note: If you specify that a domain suffix should be treated as internal, the Exchange ActiveSync client will use the intranet connection to access the content instead of an Internet connection. To use the Exchange Management Shell to configure access to Windows SharePoint Services sites and Windows file shares Run the following command to add two sites to the Block list and one to the Allow list, specify an internal domain suffix, and configure the default action to take when a client tries to access a file from a server that is not entered in the Allow or Block lists: Set-ActiveSyncVirtualDirectory -Identity:"ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -RemoteDocumentsBlockedServers:"ServerName1,ServerName2" -RemoteDocumentsAllowedServers:"ServerName3" RemoteDocumentsInternalDomainSuffixList:"DomainSuffix" -RemoteDocumentsActionForUnknownServers:"Block"
For more information about syntax and parameters, see Set-ActiveSyncVirtualDirectory.
132

For more information about how to manage the Exchange ActiveSync virtual directory, see Managing the Exchange ActiveSync Virtual Directory.
Configuring Direct Push to Work Through Your Firewall

Direct Push lets your mobile device stay up to date with your Microsoft Exchange Server 2007 mailbox. This section provides information about how to configure your firewall to support Direct Push.
Overview of Direct Push

Direct Push operates by maintaining a long-standing HTTPS request between the mobile device and the Exchange Server computer. This request tells the Exchange Server computer to immediately notify the mobile device if any items in synchronized folders change during the life of the request. If any items change, the mobile device issues a synchronization request, synchronizes with the server, and then reissues the HTTPS request. If no items change during the life of the request, the request is reissued.
Configuring Your Firewall for Direct Push

Because the request and the response travel over an HTTPS connection, the only port that you have to open on your firewall is port 443 for HTTPS traffic. No additional ports are required for Direct Push to operate. To verify that port 443 is open, see your firewall documentation. You should also configure your firewall time-out value to be between 15 and 30 minutes. This ensures that the longstanding HTTPS request can stay open without expiring.

For more information about Direct Push, see Understanding Direct Push.
133
How to Configure Autodiscover for Exchange ActiveSync

Microsoft Exchange Server 2007 introduces a new service that makes it easier to provision devices for end users. The Autodiscover service provisions a user's device when the user's email address and password are supplied. The Autodiscover service returns the address to a computer that is running Exchange 2007 that has the Client Access server role installed. By default, the Autodiscover service is enabled. This section explains how to use the Exchange Management Shell to enable the Autodiscover service in Microsoft Exchange ActiveSync. You cannot configure the Autodiscover service for Exchange ActiveSync by using the Exchange Management Console. Note: The ability to use Autodiscover depends on the mobile device operating system that you are using. Not all mobile device operating systems that support synchronization with Exchange Server 2007 support Autodiscover. For more information about operating systems that support Autodiscover, contact the manufacturer of your device.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure Autodiscover in Exchange ActiveSync Run one of the following commands: Set-ActiveSyncVirtualDirectory -Identity "COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL "https://servername.com/" or Set-ActiveSyncVirtualDirectory -Identity "COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ActiveSyncServer "https://servername.com/" For more information about syntax and parameters, see Set-ActiveSyncVirtualDirectory.
134

For more information about Autodiscover, see Managing the Autodiscover Service.
Managing Exchange ActiveSync Devices

There are a variety of mobile devices that can use Exchange ActiveSync to synchronize with Microsoft Exchange Server 2007. You can manage the various devices that synchronize with Exchange 2007 by using Exchange ActiveSync mailbox policies. You can manage Exchange ActiveSync properties for devices by using the Exchange Management Shell or the Exchange Management Console.
Managing Exchange ActiveSync Devices

By default, if the Client Access server role is installed in an Exchange Server 2007 organization, Exchange ActiveSync is enabled for all users. A user can configure any device that supports Exchange ActiveSync to synchronize with the Exchange server. To simplify management of your Exchange ActiveSync devices, you can create Exchange ActiveSync mailbox policies. These policies can be applied to each Exchange ActiveSync user and can help you apply specific settings to a user's device. You can require that all devices accept the Exchange ActiveSync mailbox policy before they can synchronize with the Exchange server. Some of the available settings include the following: Require a password Require an alphanumeric password Allow attachments to be downloaded to the device Allow access to Microsoft Windows SharePoint Services documents Enable device encryption
For more information about Exchange ActiveSync mailbox policies, see Managing Exchange ActiveSync with Policies. For more information about how to use the Exchange Management Console and the Exchange Management Shell to manage an Exchange ActiveSync device, see the following topics: How to Configure a Device for Synchronization How to View a List of Devices for a User How to Configure Device Password Locking How to Recover a Device Password
135
How to Perform a Remote Wipe on a Device
Administrative permissions are required to manage the computer that is running Exchange 2007 that has the Client Access server role installed. For more information about the permissions that are required to perform administrative tasks for Exchange ActiveSync, see Required Permissions to Manage Client Access.

For more information about how to manage Windows Mobile powered devices, visit the Windows Mobile Center.
Exchange ActiveSync Devices and Compatible Features

Exchange ActiveSync in Microsoft Exchange Server 2007 enables users to synchronize their mobile devices with their Exchange mailbox. Users can synchronize e-mail messages, calendar information, contact and task data, and manage Out of Office settings, e-mail signatures, and Deleted Items folders. This section provides information about the different types of devices that synchronize with Exchange 2007.
Devices Enabled for Exchange ActiveSync

Users can take advantage of Exchange ActiveSync by selecting mobile devices that are compatible with Exchange ActiveSync. These devices are available from a variety of manufacturers. Most of these devices do not support Direct Push. However, they do support synchronization with Microsoft Exchange. For more information, see the device documentation. Some of the mobile devices that are compatible with Microsoft Exchange include the following: Nokia Nokia offers Mail for Exchange on their Eseries mobile devices. E-mail, calendar, and contact data can be synchronized over a cellular network or a wireless LAN. Sony Ericsson Sony Ericsson offers Exchange ActiveSync support on several of their newer smartphone devices. They also support Direct Push through a third-party program. Palm Palm offers two smartphones that have the Windows Mobile 5.0 operating system. These devices support Direct Push. Palm also supports Exchange ActiveSync on the Treo 650 and 680 series smartphones. These devices do not support Direct Push.
136
Motorola Motorola has its own synchronization framework that enables over-the-air synchronization through Exchange ActiveSync on a variety of its devices. Symbian Symbian Limited licenses Exchange ActiveSync for use in the Symbian operating system. This operating system is an open standard operating system for mobile telephones.
Windows Mobile Software Feature Matrix

Mobile devices that have a version of Windows Mobile software as their operating system offer the greatest functionality when synchronizing with Exchange 2007. Table 23 illustrates some of the features that are available with different versions of Windows Mobile software. Table 23 Windows Mobile software features Operating system Features
137
Windows Mobile 6.0
Direct Push HTML e-mail support Message flags Quick message retrieval Task synchronization Global address book lookup Enhanced calendar views Meeting attendee information Out of Office management Exchange search
Windows SharePoint Services and Windows file share (UNC) document access Enforcement of Exchange ActiveSync mailbox policies Remote device wipe Basic authentication
Integration with Internet Security and Acceleration (ISA) Server Certificate-based authentication
S/MIME support (with Exchange 2007 SP1) Device storage card encryption Support for rights management
138
Windows Mobile powered devices with the Messaging & Security Feature Pack
Direct Push Global address book lookup Task synchronization
Enforcement of Exchange ActiveSync mailbox policies Remote device wipe
Secure Sockets Layer (SSL) encryption Basic authentication Integration with ISA Server Certificate-based authentication
S/MIME support (with Exchange 2007 SP1) All Windows Mobile powered devices Synchronization of e-mail messages, calendar, and contact data SSL encryption Basic authentication Integration with ISA Server

For more information about how to manage Windows Mobile powered devices, see the Windows Mobile Center Web site.
How to Configure a Device for Synchronization

This section explains how to provision a mobile device, such as a Pocket PC or a Microsoft Windows Mobile device. When you provision a mobile device, you configure it to synchronize with Microsoft Exchange. Perform this procedure on each mobile device in your organization.
139
Before You Begin

To perform the procedures in this section, confirm the following: You have reviewed the manufacturer's documentation for the mobile device that you want to configure. Exchange ActiveSync is enabled on the Microsoft Exchange Server 2007 computer that has the Client Access server role installed. To configure a mobile device to use Exchange ActiveSync 1. On the mobile device, from the home screen, click Start, and then click ActiveSync. 2. Click Menu, and then click Configure Server. 3. Enter the server address. This is the same as your Microsoft Office Outlook Web Access server address. 4. If you have configured Exchange ActiveSync to require Secure Sockets Layer (SSL), select the This server requires an encrypted (SSL) connection check box. 5. Click Next. 6. Enter your user name, password, and domain. 7. Select the Save password check box. 8. Click Next. 9. Select the check box next to each type of information that you want to synchronize with the server, and then click Finish.

For more information about how to synchronize mobile devices with your Exchange server, see the following topics: Managing Exchange ActiveSync Managing Exchange ActiveSync Devices
For more information about how to manage Windows Mobile-powered smartphones, visit the Windows Mobile Center Web site.
140
How to Disable a Device for Exchange ActiveSync

Microsoft Exchange Server 2007 enables you to restrict access to Exchange ActiveSync by using the device ID. This feature prevents users from synchronizing unauthorized devices with Exchange 2007. You can configure this restriction on each user's mailbox. By default, if Exchange ActiveSync is enabled for a user, the user can synchronize their Exchange mailbox with any device. To restrict a user to a specific device, populate the ActiveSyncAllowedDeviceIDs parameter from the Set-CASMailbox task. If Exchange ActiveSync is not enabled for the user, they will be unable to synchronize any device with Exchange. This section provides instructions for how to prevent a specific device from synchronizing with Microsoft Exchange. This task can be completed only by using the Exchange Management Shell.
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Recipient Administrator role and membership in the local Administrators group on the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also, before you perform this procedure, make sure that Exchange ActiveSync is enabled for the user. To use the Exchange Management Shell to disable a device for Exchange ActiveSync To prevent a device from synchronizing with Microsoft Exchange, you must remove its device ID from the ActiveSyncAllowedDeviceIDs parameter list. To do this, run the following command: Set-CASMailbox -Identity: "EmailAlias" -ActiveSyncAllowedDeviceIDs: "<DeviceID_1>","<DeviceID_2>" Note: There is no built-in functionality for retrieving the device ID before the user synchronizes with the Exchange server. After the user has synchronized the device with the Exchange server, you can run the following command to retrieve the device ID: Get-ActiveSyncDeviceStatistics -Mailbox:"<EmailAlias>" |fl DeviceID
141
For more information about syntax and parameters, see Set-CASMailbox.

For more information about how to manage Windows Mobile powered devices, visit the Windows Mobile Center Web site.
How to Enable a Device for Exchange ActiveSync

Microsoft Exchange Server 2007 enables you to restrict access to Microsoft Exchange ActiveSync by using the device ID. This feature prevents users from synchronizing unauthorized devices with Exchange 2007. You can configure this restriction on each user's mailbox. By default, if Exchange ActiveSync is enabled for a user, the user can synchronize their Exchange mailbox with any device. To restrict a user to a specific device, populate the ActiveSyncAllowedDeviceIDs parameter from the Set-CASMailbox task. If Exchange ActiveSync is not enabled for the user, they will be unable to synchronize any device with Exchange. This section provides instructions for how to enable a specific device for Exchange ActiveSync. This task can be completed only by using the Exchange Management Shell.
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Recipient Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also, before you perform this procedure, make sure that Exchange ActiveSync is enabled for the user. To use the Exchange Management Shell to enable a device for Exchange ActiveSync Run the following command: Set-CASMailbox -Identity: "EmailAlias" -ActiveSyncAllowedDeviceIDs: "<DeviceID_1>","<DeviceID_2>" Note: There is no built-in functionality for retrieving the device ID before the user
142
synchronizes with the Exchange server. After the user has synchronized the device with the Exchange server, you can run the following command to retrieve the device ID: Get-ActiveSyncDeviceStatistics -Mailbox:"<EmailAlias>" |fl DeviceID For more information about syntax and parameters, see Set-CASMailbox.

For more information about how to manage Windows Mobile powered devices, visit the Windows Mobile Center Web site.
How to View a List of Devices for a User

Users can configure multiple devices for synchronization with Microsoft Exchange Server 2007. This section explains how to use the Exchange Management Console or the Exchange Management Shell to view a list of mobile devices that are associated with a specific user. Note: This section also provides instructions for how to use Microsoft Outlook Web Access to view a list of devices that are associated with a user's mailbox. The user must be logged on to Outlook Web Access to view a list of devices that are associated with their mailbox.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use Outlook Web Access to view a list of devices for a user 1. In Outlook Web Access, click Options. 2. In the Navigation pane, select Mobile Devices. 3. The list displays a variety of device statistics including the device name, last synchronization time, and status. Note:
143
All mobile devices the user has configured for Exchange ActiveSync are displayed in this list. To determine the correct mobile device, use the device name and the last synchronization time from the list of devices. To use the Exchange Management Console to view a list of devices for a user 1. Open the Exchange Management Console. 2. Under Recipient Configuration, select Mailbox. 3. Select a user, and then select Manage Mobile Device from the action pane. The Manage Mobile Device dialog box will display a list of all devices that are configured for synchronization. Note: The Manage Mobile Device link is only available in the action pane for users who have established a mobile device partnership with the Exchange server. To use the Exchange Management Shell to view a list of devices for a user Run the following command: Get-ActiveSyncDeviceStatistics -Mailbox:"alias" For more information about syntax and parameters, see Get-ActiveSyncDeviceStatistics.

For more information about mobile devices, see: Managing Exchange ActiveSync Devices
How to Configure Device Password Locking

This section explains how to use the Exchange Management Console or the Exchange Management Shell to configure device password locking. You can require users to lock their devices by using a password. You can also enforce a variety of policy settings that guide the usage of device passwords. The settings that you can configure include the following: Enforcing an alphanumeric password. Enabling password recovery. Requiring encryption on the mobile device.
144
Specifying a minimum password length.
Specifying a period of inactivity before you must reenter a device password. This is known as device password locking. This section explains how to configure the device password locking setting.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Recipient Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also before you perform the following procedures, make sure that you have created an Exchange ActiveSync Mailbox policy. For information about how to create an Exchange ActiveSync Mailbox policy, see How to Create an Exchange ActiveSync Mailbox Policy. To use the Exchange Management Console to configure device password locking 1. In the console tree, expand Organization Configuration, and then click Client Access. 2. In the work pane, right-click an existing mobile mailbox policy, and then click Properties. 3. Click the Password tab. 4. Click to select the Require password check box. 5. Click to select the Time without user input before password must be entered (in seconds) check box. 6. Enter the inactivity time-out value in seconds. 7. Click OK. To use the Exchange Management Shell to configure device password locking Run the following command: Set-ActiveSyncMailboxPolicy -Identity "PolicyName" -DevicePasswordEnabled: $true -MaxInactivityTimeDeviceLock: 00:15:00 For more information about syntax and parameters, see set-ActiveSyncMailboxPolicy.
145

For more information about Exchange ActiveSync Mailbox policies, see Understanding Exchange ActiveSync Mailbox Policies.
How to Recover a Device Password

This section explains how to use the Exchange Management Console, the Exchange Management Shell, or Outlook Web Access to recover a device password. You can require a device password through Microsoft Exchange ActiveSync policies. A user can configure a device password even if your Exchange ActiveSync policies do not require one. If the user forgets their password, you can obtain a recovery password by using the Exchange Management Console or the Exchange Management Shell. The recovery password unlocks the device and lets the user create a new password. The user can also recover their device password by using Outlook Web Access.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Note: To use Outlook Web Access to recover a user's device password, you must be able to log on to Outlook Web Access by using the user's credentials. To use the Exchange Management Console to display the device recovery password 1. Open the Exchange Management Console. 2. Under Recipient Configuration, select Mailbox. 3. Select a user, and then select Manage Mobile Device from the action pane. The device recovery password will be displayed in the Manage Mobile Device dialog box. To use the Exchange Management Shell to display the device recovery password Run the following command: Get-ActiveSyncDeviceStatistics -Mailbox:"alias" -ShowRecoveryPassword:$true
146
To use Outlook Web Access to recover a device password 1. In Outlook Web Access, click Options. 2. Select Mobile Devices from the Navigation pane. 3. Select the mobile device from the list. Note: All mobile devices that the user has configured for Exchange ActiveSync are displayed in this list. To determine the correct mobile device, use the device name and the last synchronization time displayed in the list of devices. 4. Click Display Device Password. For more information about syntax and parameters, see Get-ActiveSyncDeviceStatistics.

For more information about how to lock a device, see How to Configure Device Password Locking. For more information about how to manage Exchange ActiveSync by using policies, see Managing Exchange ActiveSync with Policies.
How to Perform a Remote Wipe on a Device

Microsoft Exchange Server 2007 enables you to send a command to a mobile device that will perform a wipe of the device. This process, known as a remote device wipe, clears all Exchange information that is stored on the device. You can use this procedure to clear data from a stolen device or to clear a device before assigning it to another user.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
147
Note: To perform a remote device wipe on a device by using the Exchange Management Console, the user must be assigned to an Exchange ActiveSync mailbox policy. For more information about how to add users to an Exchange ActiveSync mailbox policy, see How to Add Users to an Exchange ActiveSync Mailbox Policy. To use the Exchange Management Console to perform a remote device wipe 1. Open the Exchange Management Console. 2. Under Recipient Configuration, select Mailbox. 3. Select the user from the Mailbox window. 4. In the action pane, click Manage mobile device, or right-click the user's mailbox, and then click Manage mobile device. 5. Select the mobile device from which you want to clear all data. 6. In the Actions section, click Clear. 7. Click Clear again. To use Outlook Web Access to perform a remote device wipe 1. Open Outlook Web Access. 2. Log on to the device owner's mailbox. 3. Click Options. 4. In the Navigation pane, select Mobile Devices. 5. Select the ID of the device that you want to wipe and remove from the list. 6. Click Wipe all data from device. 7. Click OK. 8. Click Remove Device from List. To use the Exchange Management Shell to perform a remote device wipe 1. Run the following command to obtain the identity of the device: Get-ActiveSyncDeviceStatistics - Mailbox jeffhays | fl Identity 2. Run the following command: Clear-ActiveSyncDevice -Identity WM_jeffhayes For more information about syntax and parameters, see Get-ActiveSyncDeviceStatistics and Clear-ActiveSyncDevice.
148

For more information, see the following topics: Managing Exchange ActiveSync Devices. Managing Exchange ActiveSync Users.
How to Install Certificates on a Windows Mobile Powered Device

This section explains how to save a digital certificate to a file and install a digital certificate on a device that is running Microsoft Windows Mobile. Microsoft Exchange ActiveSync enables a variety of mobile devices to synchronize with your Exchange mailbox. If you have configured Exchange ActiveSync certificate-based authentication and you use a certificate that is not from a trusted commercial certification authority (CA), you must install a copy of this certificate in the trusted root store of your device. This section explains how to install a certificate on your Windows Mobile powered device. For more information about how to install a certificate on a device that is not running Windows Mobile software, see the documentation for your device. Note: This section provides instructions for both Windows Mobile 5.0 and Windows Mobile 5.0 with the Microsoft Messaging and Security Feature Pack. For earlier versions of Windows Mobile software, see the device documentation. Note: If you use a certificate from a trusted commercial CA, you might not need to install the certificate on your device. Most devices have certificates from several trusted commercial CAs preinstalled in the device's root store. For more information, see your device documentation.
Before You Begin

To perform the following procedure on a Windows Mobile powered device, make sure that you have an ActiveSync connection between the device and a desktop or portable computer. You must be able to copy the certificate file to the device before you install the certificate. To use Internet Information Services Manager to save a certificate to a file 1. Right-click the Default Web Site, and then click Properties. 2. Click the Directory Security tab.
149
3. Under Secure Communications, click View Certificate. 4. In the Certificate dialog box, click the Details tab. 5. Click Copy to File. 6. In the Certificate Export Wizard, click Next. 7. Select No, do not export the private key, and then click Next. 8. Select DER encoded binary X.509 (.CER), and then click Next. 9. Type a file name, click Next, and then click Finish. After you have saved your certificate to a file, you can copy it to your device. To use ActiveSync to install a certificate on a Windows Mobile powered device 1. With your device connected to your computer, click Tools, and then click Explore Smartphone. 2. Drag the .cer file that was created in the previous procedure into a folder on the device. 3. On the device, click Start, and then click File Explorer. 4. Locate the folder that you selected in step 2. 5. Open the .cer file and, when you are prompted, answer Yes.

For more information about Windows Mobile devices, see: Windows Mobile Device Center
How to Configure Mobile Devices to Synchronize with Exchange Server

This section explains how to configure a mobile device, such as a Pocket PC or Windows Mobile device, to use Microsoft Exchange ActiveSync. Perform this procedure on each mobile device in your organization.
150
Before You Begin

To perform the procedures in this section, confirm the following: You have reviewed the manufacturer's documentation for the mobile device that you want to configure. Exchange ActiveSync is enabled on the Microsoft Exchange Server 2007 computer that has the Client Access server role installed. To configure a mobile device to use Exchange ActiveSync 1. On the mobile device, from the home screen, click Start, and then click ActiveSync. 2. Click Menu, and then click Configure Server. 3. Enter the server address. This is the same as your Microsoft Office Outlook Web Access server address. 4. If you have configured ActiveSync to require Secure Sockets Layer (SSL), select the This server requires an encrypted (SSL) connection check box. 5. Click Next. 6. Enter your user name, password, and domain. 7. Select the Save password check box. 8. Click Next. 9. Select the check box next to each type of information that you want to synchronize with the server, and then click Finish.

For more information about how to synchronize mobile devices with your Exchange server, see the following topics: Managing Exchange ActiveSync Managing Exchange ActiveSync Devices
Managing Exchange ActiveSync with Policies

In Microsoft Exchange Server 2007 you can create Exchange ActiveSync mailbox policies to apply a common set of policies or security settings to a collection of users. After you deploy
151
Exchange ActiveSync in your Exchange 2007 organization, you can create new Exchange ActiveSync mailbox policies or modify existing policies. This section discusses Exchange ActiveSync mailbox policies and how they can be managed in your Exchange 2007 organization.
Overview of Exchange ActiveSync Mailbox Policies

You can use Exchange ActiveSync mailbox policies to manage a variety of settings. These include the following settings: Require a password Specify the minimum password length Require a number or special character in the password
Designate how long a device can be inactive before requiring the user to enter a password again Wipe a device after a specific number of failed password attempts
For more information about all the settings that you can configure, see setActiveSyncMailboxPolicy.
Managing Exchange ActiveSync Mailbox Policies

After you install the Client Access server role on a computer that is running Exchange Server 2007, you can create, configure, and manage Exchange ActiveSync mailbox policies. After you create an Exchange ActiveSync mailbox policy, you can add users individually or add a filtered list of users to the policy by using the Exchange Management Shell. You can use the Exchange Management Console to manage some Exchange ActiveSync mailbox policy settings and the Exchange Management Shell to manage all the Exchange ActiveSync mailbox policy settings.

For more information about Exchange ActiveSync mailbox policies, see Understanding Exchange ActiveSync Mailbox Policies. For more information about how to deploy Exchange ActiveSync, see Deploying Exchange ActiveSync.
152
For more information about how to manage an Exchange ActiveSync server, see Managing an Exchange ActiveSync Server.
How to Create an Exchange ActiveSync Mailbox Policy

This section explains how to use the Exchange Management Console or the Exchange Management Shell to create a mailbox policy. A mailbox policy holds a group of settings for Microsoft Exchange ActiveSync. These settings include password, encryption, and attachment settings. When you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, no mailbox policies exist. You can create multiple mailbox policies and assign users to these policies.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Recipient Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to create an Exchange ActiveSync mailbox policy 1. In the console tree, expand the Organization Configuration node, and then click Client Access. 2. In the action pane, click New ActiveSync mailbox policy. 3. On the New ActiveSync Mailbox Policy wizard page, enter a name in the Mailbox policy name box. 4. Select one or more of the optional check boxes. 5. Click New to finish creating your mailbox policy. 6. Click Finish to close the New ActiveSync Mailbox Policy Wizard. To use the Exchange Management Shell to create an Exchange ActiveSync mailbox policy Run the following command: New-ActiveSyncMaiboxPolicy -Name PolicyName -DevicePasswordEnabled:$false
153
-AlphanumericDevicePasswordRequired:$false -MaxInactivityTimeDeviceLock:'unlimited' -MinDevicePasswordLength:$null -PasswordReciveryEnabled:$false -DeviceEncryptionEnabled:$false -AttachmentsEnabled:$true Note: This command creates a new mailbox policy that has the default settings. For more information about how to change the default settings on an Exchange ActiveSync mailbox policy, see How to Modify Exchange ActiveSync Mailbox Policy Settings. For more information about syntax and parameters, see Get-ActiveSyncMailboxPolicy.

For more information about mailbox policies, see the following topics: Managing Exchange ActiveSync with Policies Understanding Exchange ActiveSync Mailbox Policies How to Add Users to an Exchange ActiveSync Mailbox Policy
How to Add Users to an Exchange ActiveSync Mailbox Policy

After you create an Exchange ActiveSync mailbox policy, you can add users to that Exchange ActiveSync mailbox policy. By default, users are not assigned to an Exchange ActiveSync mailbox policy. You can add a user to only one Exchange ActiveSync mailbox policy at a time. If you add a user to an Exchange ActiveSync mailbox policy and that user is a member of another Exchange ActiveSync mailbox policy, that user is removed from the original Exchange ActiveSync mailbox policy and added to the new Exchange ActiveSync mailbox policy. You can add users individually or add a filtered group of users to an Exchange ActiveSync mailbox policy.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Recipient Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
154
In addition, before performing the following procedures, ensure that you have created an Exchange ActiveSync mailbox policy. For more information about creating an Exchange ActiveSync mailbox policy, see How to Create an Exchange ActiveSync Mailbox Policy. To use the Exchange Management Console to add users to an Exchange ActiveSync mailbox policy 1. In the console tree, expand the Recipient Configuration node, and then click Mailbox. 2. In the work pane, right-click the user who you want to assign to a policy, and then click Properties. 3. In the user's Properties dialog box, click Mailbox Features. 4. Click ActiveSync, and then click Properties. 5. Select the Apply an ActiveSync mailbox policy check box. 6. Click Browse to view the Select Exchange ActiveSync Mailbox Policy dialog box. 7. Select an available policy, and then click OK three times to apply your changes. Note: You can add multiple users to a policy at the same time. However, that task must be accomplished by using the Exchange Management Shell. To use the Exchange Management Shell to add users to an Exchange ActiveSync mailbox policy Run the following command: Set-CASMailbox UserName -ActiveSyncMailboxPolicy(GetActiveSyncMailboxPolicy "Policy Name").Identity
To use the Exchange Management Shell to add all users to an Exchange ActiveSync mailbox policy Run the following command: Get-Mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy(GetActiveSyncMailboxPolicy "Policy Name").Identity
To use the Exchange Management Shell to add a filtered list of users to an Exchange ActiveSync mailbox policy Run the following command: Get-Mailbox | where { $_.CustomAttribute1 -match "Manager"
155
} | Set-CASMailbox -activesyncmailboxpolicy(GetActiveSyncMailboxPolicy "Policy Name").Identity Note: You can substitute CustomAttribute1 for any of the properties on the GetMailbox object. To view the full list, type: Get-Mailbox username |fl For more information about syntax and parameters, see Set-CASMailbox, GetActiveSyncMailboxPolicy, and Get-Mailbox.

For more information about mobile mailbox policies, see the following topics: Managing Exchange ActiveSync with Policies Understanding Exchange ActiveSync Mailbox Policies How to Add Users to an Exchange ActiveSync Mailbox Policy
How to Modify Exchange ActiveSync Mailbox Policy Settings

This section explains how to use the Exchange Management Console and the Exchange Management Shell to modify the properties of an Exchange ActiveSync mailbox policy. After you have created an Exchange ActiveSync mailbox policy, you can modify several settings. These include password requirements, number of failed password attempts allowed, attachment settings, and device requirements.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also before you perform these procedures, confirm that an Exchange ActiveSync mailbox policy has been created. To use the Exchange Management Console to modify the properties of an Exchange ActiveSync mailbox policy 1. In the console root of the Exchange Management Console, expand the
156
Organization Configuration node. 2. In the result pane, click Client Access. 3. In the work pane, click the Exchange ActiveSync mailbox policy that you want to change. 4. In the action pane, click Properties. 5. In the Exchange ActiveSync mailbox policy properties window, configure the settings for the Exchange ActiveSync mailbox policy, and then click OK to accept your changes. To use the Exchange Management Shell to modify the properties of an Exchange ActiveSync mailbox policy Run the following command: Set-ActiveSyncMailboxPolicy -Identity MyPolicy -AllowNonProvisionableDevices $true -AllowSimpleDevicePassword $true -AlphanumericDevicePasswordRequired $true -AttachmentsEnabled $true -DeviceEncryptionEnabled $false -DevicePasswordEnabled $true -DevicePasswordExpiration 12 -DevicePasswordHistory 20 -DevicePolicyRefreshInterval 00:60:00 -MaxAttachmentSize 4 -MaxDevicePasswordFailedAttempts 5 -MaxInactivityTimeDeviceLock 00:15:00 -MinDevicePasswordLength 4 -PasswordRecoveryEnabled $true -UNCAccessEnabled $false -WSSAccessEnabled $false For more information about syntax and parameters, see Set-ActiveSyncMailboxPolicy.

For more information about Exchange ActiveSync mailbox policies, see the following topics: Managing Exchange ActiveSync with Policies How to Create an Exchange ActiveSync Mailbox Policy How to Add Users to an Exchange ActiveSync Mailbox Policy
How to Create Policies for Exchange ActiveSync

This section explains how to use the Exchange Management Console or the Exchange Management Shell to create an Exchange ActiveSync policy. An Exchange ActiveSync policy holds a group of settings for Microsoft Exchange ActiveSync. These settings include password settings, encryption settings, and attachment settings. When you install the Client
157
Access server role on a computer that is running Microsoft Exchange Server 2007, no Exchange ActiveSync policies exist. You can create multiple Exchange ActiveSync policies and assign users to these policies.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Recipient Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to create an Exchange ActiveSync mailbox policy 1. In the console tree, expand Organization Configuration, and then click Client Access. 2. In the action pane, click New Exchange ActiveSync mailbox policy. 3. Type a name in the Mailbox policy name text box. 4. Click to select the optional check boxes for password requirements and password settings that you want. 5. Click New to create your Exchange ActiveSync policy. 6. Click Finish to close the New Exchange ActiveSync Mailbox Policy Wizard. To use the Exchange Management Shell to create an Exchange ActiveSync mailbox policy Run the following command: New-ActiveSyncMailboxPolicy -Name PolicyName -DevicePasswordEnabled:$false -AlphanumericDevicePasswordRequired:$false -MaxInactivityTimeDeviceLock:'unlimited' -MinDevicePasswordLength:$null -PasswordReciveryEnabled:$false -DeviceEncryptionEnabled:$false -AttachmentsEnabled:$true Note: This creates a new Exchange ActiveSync policy that has the default settings. For more information about how to change the default settings, see How to Modify Exchange ActiveSync Mailbox Policy Settings. For more information about syntax and parameters, see New-ActiveSyncMailboxPolicy.
158

For more information about mailbox policies, see the following topics: Managing Exchange ActiveSync with Policies Understanding Exchange ActiveSync Mailbox Policies
Managing Exchange ActiveSync Security

Exchange ActiveSync enables users to synchronize mobile devices with Microsoft Exchange Server 2007. This gives users access to a wide variety of Exchange data, including e-mail messages, calendar and contact data, tasks, and Unified Messaging data such as fax messages and voice mail messages. Note: To view fax messages on a mobile device, users may have to install additional thirdparty software. There are several security concerns that you must consider when you deploy Exchange ActiveSync. This section provides an overview of security options for the deployment of Exchange ActiveSync.
Exchange ActiveSync Server Security

There are several security-related tasks that you can perform on a server that is running Exchange ActiveSync. One of the most important tasks is to configure an authentication method. Exchange ActiveSync runs on an Exchange 2007 server that has the Client Access server role installed. This server role is installed with a default self-signed digital certificate. Although the self-signed certificate is supported for Exchange ActiveSync, it is not the most secure method of authentication. For additional security, consider deploying a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) certification authority. For more information about how to configure a trusted digital certificate, see How to Configure SSL for Exchange ActiveSync.
Selecting an Authentication Method for Exchange ActiveSync

In addition to deploying a trusted digital certificate, you should consider the various authentication methods that are available for Exchange ActiveSync. By default, when the Client Access server role is installed, Exchange ActiveSync is configured to use Basic authentication with Secure Sockets Layer (SSL). To provide increased security, consider
159
changing your authentication method to Digest authentication or Integrated Windows authentication.
Using ISA Server with Exchange ActiveSync

Microsoft Internet Security and Acceleration (ISA) Server 2006 and Exchange 2007 have been designed to provide increased security for client access to Microsoft Exchange when you use Exchange ActiveSync. ISA Server 2006 enables you to configure authentication methods for Exchange ActiveSync when you run the New Exchange Publishing Rule wizard.
Device Security
In addition to enhancing the security of the Exchange ActiveSync server, you should also consider enhancing the security of your users' mobile devices. There are several methods that you can use to enhance the security of mobile devices.
Exchange ActiveSync Mailbox Policies

Exchange ActiveSync for Exchange 2007 enables you to create Exchange ActiveSync mailbox policies to apply a common set of security settings to a collection of users. Some of these settings include the following: Requiring a password. Specifying the minimum password length. Requiring numbers or special characters in the password.
Designating how long a device can be inactive before the user is required to re-enter their password. Specifying that the device be wiped if an incorrect password is entered more than a specific number of times. For more information about Exchange ActiveSync mailbox policies, see Managing Exchange ActiveSync with Policies.
Remote Device Wipe

Mobile devices can store sensitive corporate data and provide access to many corporate resources. If a device is lost or stolen, that data can be compromised. Remote device wipe is a feature that enables the Exchange server to set a mobile device to delete all data the next time that the device connects to the Exchange server. A remote device wipe effectively removes all synchronized information and personal settings from a mobile device. This can be useful when a device is lost, stolen, or otherwise compromised.
160
Caution: After a remote device wipe has occurred, data recovery will be very difficult. However, no data removal process leaves a device as free from residual data as it is when it is new. Recovery of data from a device may still be possible by using sophisticated tools. For more information about remote device wipe, see Understanding Remote Device Wipe.
How to Configure SSL for Exchange ActiveSync

This section explains how to configure Exchange ActiveSync virtual directories to use Secure Sockets Layer (SSL). By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, an Exchange ActiveSync virtual directory is created on the default Internet Information Services (IIS) Web site on the Exchange server. After you obtain an SSL certificate to use together with the Client Access server on the default Web site or on the Web site where you host your Exchange ActiveSync virtual directory, you can configure the Web site to require SSL. You can enable SSL for all Web sites that are hosted by the Client Access server or enable SSL only for Exchange ActiveSync. Configuring an Exchange ActiveSync virtual directory to use SSL is just one step in managing security for Exchange ActiveSync. For more information about how to manage security for Exchange ActiveSync, see Managing Exchange ActiveSync Security.
Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange View-Only Administrator role and membership in the local Administrators group. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Important: Before you perform this procedure, read Managing Client Access Security. To use Internet Information Services (IIS) Manager to configure SSL on the Exchange ActiveSync virtual directory 1. In Internet Information Services (IIS) Manager, select the Default Web site or the Microsoft-Server-ActiveSync virtual directory, and then click Properties.
161
Note: If you want to configure SSL only for Exchange ActiveSync, select the Microsoft-Server-ActiveSync virtual directory under the Default Web site. Otherwise you will configure SSL for all virtual directories that are hosted on the Client Access server. 2. On the Directory Security tab, in Secure Communications, click Edit. 3. In Secure Communications, select Require Secure Channel (SSL). 4. After you complete this procedure, your Exchange ActiveSync virtual directory on the Web site is configured to use SSL.

For more information about Exchange ActiveSync security, see the following topics: Managing Client Access Security Managing Exchange ActiveSync Security
Managing POP3 and IMAP4

If you have to administer Post Office Protocol version 3 (POP3) and Internet Message Access Protocol Version 4rev1 (IMAP4) in Microsoft Exchange 2007, you will perform all your administrative tasks in the Exchange Management Shell. There is no user interface for managing POP3 or IMAP4 settings in Exchange 2007.
Managing POP3 and IMAP4 with the Exchange Management Shell

The Exchange Management Shell gives you a powerful command-line interface for administering Exchange 2007. You can use the Exchange Management Shell to manage the POP3 and IMAP4 services and your POP3 and IMAP4 users.
Managing POP3 and IMAP4 on a Client Access Server

The Exchange Management Shell enables you to modify and view the POP3 and IMAP4 settings by using the cmdlets described in Table 24. Table 24 Cmdlets for managing POP3 and IMAP4 on a Client Access server Cmdlet name Description
162
Set-PopSettings Set-ImapSettings
This cmdlet lets you modify all available settings for POP3 on a Client Access server. This cmdlet lets you modify all available settings for IMAP4 on a Client Access server.
Managing POP3 and IMAP4 Settings on a Per-User Basis

You can use the Set-CASMailbox cmdlet in the Exchange Management Shell to manage POP3 and IMAP4 settings for individual users by modifying properties on their mailbox, Table 25 describes the parameters you can use with the Set-CASMailbox cmdlet. Table 25 Parameters to use with the Set-CASMailbox to manage POP3 and IMAP4 Parameter name ImapEnabled ImapMessagesRetrievalMimeFormat ImapUseProtocolDefaults Description This parameter specifies whether the IMAP4 protocol is enabled for this mailbox. This parameter specifies the format of messages that are retrieved from the server. This parameter specifies whether to use the default protocol settings that are specified on the Client Access server for the IMAP4 protocol. This parameter specifies whether the POP3 protocol is enabled for a mailbox. This parameter specifies the format of messages that are retrieved from the server. This parameter specifies whether to use the default protocol settings that are specified on the Client Access server for the POP3 protocol.
PopEnabled PopMessagesRetrievalMimeFormat PopUseProtocolDefaults
For more information about how to use the Set-CASMailbox cmdlet to manage POP3 and IMAP4 settings for a user, see Set-CASMailbox.
163
Managing POP3 and IMAP4 with Earlier Versions of Microsoft Exchange

When you deploy Client Access servers to support clients that are using POP3 and IMAP4 and their mailboxes are located on Exchange Server 2003 back-end servers, you must use Basic authentication, and you will be unable to use Secure Sockets Layer (SSL) encryption. Instead, you must use Internet Protocol Security (Ipsec) to help secure the communication between these servers.

For more information about how to use the Exchange Management Shell, see Using the Exchange Management Shell. For more information about how to use the Exchange Management Shell to administer POP3 and IMAP4, see POP3 and IMAP4 Cmdlets.
How to Start and Stop the POP3 Service

By default, Post Office Protocol version 3 (POP3) is disabled in Microsoft Exchange Server 2007. After you enable POP3, Exchange 2007 accepts unsecured POP3 client communications on port 110 and over Port 995 using Secure Sockets Layer (SSL). You can perform the following procedures by using the Exchange 2007 computer that has the Client Access server role installed.
Before You Begin

To perform the following procedures on a computer that has the Client Access server role installed, you must log on by using a domain account that has the permissions assigned to the Local Service Account. The account must also be a member of the local Administrators group on that computer. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use Microsoft Management Console to start and stop the POP3 service 1. Click Start, point to Programs, point to Administrative Tools, and then click Services. 2. To start the Microsoft Exchange POP3 service, in the results pane, right-click
164
Microsoft Exchange POP3, and then click Start. 3. To stop the Microsoft Exchange POP3 service, in the results pane, right-click Microsoft Exchange POP3, and then click Stop. To use net start to start and stop the POP3 service 1. On the Exchange server that has the Client Access server role installed, open a Command Prompt window. 2. To start the service, at the command prompt, type net start MSExchangePOP3, and then press Enter. 3. To stop the service, at the command prompt, type net stop MSExchangePOP3, and then press Enter. 4. Close the Command Prompt window. To verify that the POP3 service is running 1. On the Exchange server that has the Client Access server role installed, open a Command Prompt window. 2. At the command prompt, type telnet localhost 110, and then press ENTER. POP3 is working correctly if Telnet returns "+OK Microsoft Exchange 2007 POP3 server ready". 3. Close Telnet, and then close the Command Prompt window.

For more information about how to manage POP3 services, see Managing POP3 and IMAP4.
How to Start and Stop the IMAP4 Service

By default, IMAP4 is disabled in Microsoft Exchange Server 2007. After you enable IMAP4, Exchange 2007 accepts unsecured IMAP4 client communications on port 143 and over port 993 using Secure Sockets Layer (SSL). You can perform the following procedures by using the Exchange 2007 computer that has the Client Access server role installed.
165
Before You Begin

To perform the following procedures on a computer that has the Client Access server role installed, you must log on by using a domain account that has the permissions assigned to the Local Service Account. The account must also be a member of the local Administrators group on that computer. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use Microsoft Management Console to start and stop the IMAP4 service 1. Click Start, point to Programs, point to Administrative Tools, and then click Services. 2. To start the Microsoft Exchange IMAP4 service, in the results pane, right-click Microsoft Exchange IMAP4, and then click Start. 3. To stop the Microsoft Exchange IMAP4 service, in the results pane, right-click Microsoft Exchange IMAP4, and then click Stop. To use net start to start and stop the IMAP4 service 1. On the Exchange server that has the Client Access server role installed, open a Command Prompt window. 2. To start the service, at the command prompt, type net start MSExchangeIMAP4, and then press ENTER. 3. To stop the service, at the command prompt, type net stop MSExchangeIMAP4, and then press ENTER. 4. Close the Command Prompt window. To verify that the IMAP4 service is running 1. On the Exchange server that has the Client Access server role installed, open a Command Prompt window. 2. At the command prompt, type telnet localhost 143, and then press ENTER. IMAP4 is working correctly if Telnet returns "+OK Microsoft Exchange IMAP4 server ready." 3. Close Telnet, and then close the Command Prompt window.

For more information about how to manage IMAP4 services, see Managing POP3 and IMAP4.
166
How to Manage Calendar Options for POP3

This section describes how to set the calendaring options that are available on a computer that is running Microsoft Exchange Server 2007 that has the Post Office Protocol version 3 (POP3) service enabled. You can set different calendar options for your organization when you are using POP3 as the e-mail protocol for your users. You can use the CalendarItemRetrievalOption setting for the Set-POPSettings cmdlet to select different calendar options. Table 26 describes this setting for your POP3 users. Note: After you have specified the calendar options for POP3, you must restart the POP3 service. For more information about how to restart the POP3 service, see How to Start and Stop the POP3 Service. Table 26 POP3 calendar options for the Set-POPSettings cmdlet Setting iCalendar Value 0 Description This setting lets users use the iCalendar standard for calendar items. The iCalendar standard is a standard for exchanging calendar information. This setting lets you specify an internal URL for users to use to access their calendar information. This setting lets you specify an external URL for users to use to access their calendar information. This setting lets you specify a Microsoft Office Outlook Web Access server for users to use to access their calendar information.
IntranetUrl
InternetUrl
Custom
167
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to set the calendar options for POP3 1. To enable POP3 to use iCalendar, run the following command: Set-PopSettings -Identity CAS01 -CalenderItemRetrievalOption 0 2. To enable POP3 users to access internal calendar information from an internal server, run the following command: Set-PopSettings -Identity CAS01 -CalenderItemRetrievalOption 1 -IntranetUrl "Server01" 3. To enable POP3 users to access calendar information from the Internet on an external server, run the following command: Set-PopSettings -CalenderItemRetrievalOption 2 InternetUrl "https://Server01" 4. To enable POP3 users to access calendar information by using Outlook Web Access, run the following command: Set-PopSettings -CalenderItemRetrievalOption 3 -OwaServerUrl "https://OwaServer01" For more information about syntax and parameters, see Set-POPSettings.

For more information about how to manage POP3 access to Exchange 2007, see Managing POP3 and IMAP4.
How to Set Connection Limits for POP3

This section describes how to set the connection limits on the Microsoft Exchange Server 2007 computer that has the Post Office Protocol version 3 (POP3) service enabled. When you specify connection limits for POP3, you can select connection limits for the server, IP address, or a specific user. Table 27 describes the three settings for connection limits.
168
Note: After you have set the connection limits for POP3, you must restart the POP3 service. For more information about how to restart the POP3 service, see How to Start and Stop the POP3 Service. Table 27 Descriptions of commands for setting connection limits for POP3 and IMAP4 Command MaxConnections Description Specifies the total number of connections the specified server will accept. This includes authenticated and unauthenticated connections. Specifies the number of connections that the server will accept from a single IP address. Default Value 2,000 Limits 1-25,000
MaxConnectionsFro mSingleIP
20
1-1,000
MaxConnectionsPer User
Specifies the 10 maximum number of connections that the server will accept from a particular user.
1-1,000
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to set connection limits for a server, IP address, or a user To set the connection limit for a server, run the following command: Set-PopSettings -Identity CAS01 -MaxConnections Value To set the connection limit for an IP address, run the following command:
169
Set-PopSettings -Identity CAS01 -MaxConnectionsFromSingleIP Value To set the connection limit for a user, run the following command: Set-PopSettings -MaxConnectionsPerUser Value For more information about syntax and parameters, see Set-POPSettings.
How to Set Connection Limits for IMAP4

This section describes how to set the connection limits on the Microsoft Exchange Server 2007 computer that has the Internet Message Access Protocol version 4rev1 (IMAP4) service enabled. When you specify connection limits for IMAP4, you can select connection limits for the server, IP address, or a specific user. Table 28 describes the three settings for connection limits. Note: After you set connection limits, you must restart the IMAP4 service. For more information about how to restart the IMAP4 service, see How to Start and Stop the IMAP4 Service. Table 28 Descriptions of commands for setting connection limits for IMAP4 Command MaxConnections Description Specifies the total number of connections the specified server will accept. This includes authenticated and unauthenticated connections. Specifies the number of connections that the server will accept from a single IP address. Default Value 2,000 Limits 1-25,000
MaxConnectionsFro mSingleIP
20
1-1,000
170
MaxConnectionsPer User
Specifies the 10 maximum number of connections that the server will accept from a particular user.
1-1,000
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to set connection limits for a server, IP address, or a user for IMAP4 To set the connection limit for a server, run the following command: Set-ImapSettings -Identity CAS01 -MaxConnections Value To set the connection limit for an IP address, run the following command: Set-ImapSettings -Identity CAS01 -MaxConnectionsFromSingleIP Value To set the connection limit for a user, run the following command: Set-ImapSettings -MaxConnectionsPerUser Value For more information about syntax and parameters, see Set-IMAPSettings.
How to Configure IP Addresses and Ports for POP3 and IMAP4 Access
This section explains how to use the Exchange Management Shell to configure Microsoft Exchange to use ports other than the default ports on the Microsoft Exchange Server 2007 computer that has the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) services enabled. Note: After you configure IP addresses and ports for POP3 and IMAP4 access, you must restart the POP3 or IMAP4 service. For more information about how to restart the
171
POP3 or IMAP4 services, see How to Start and Stop the POP3 Service and How to Start and Stop the IMAP4 Service.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure IP addresses and ports for POP3 and IMAP4 1. To set the IP address and port for communicating with Exchange by using POP3 with Secure Sockets Layer (SSL), run the following command: Set-PopSettings -SSLBindings: IPaddress:Port 2. To set the IP address and port for communicating with Exchange by using POP3 with no encryption or Transport Layer Security (TLS) encryption, run the following command: Set-PopSettings -UnencryptedOrTLSBindings IPaddress:Port 3. To set the IP address and port for communicating with Exchange by using IMAP4, run the following command: Set-ImapSettings -SSLBindings: IPaddress:Port 4. To set the IP address and port for communicating with Exchange by using IMAP4 with no encryption or TLS encryption, run the following command: Set-ImapSettings -UnencryptedOrTLSBindings IPaddress:Port For more information about syntax and parameters, see Set-POPSettings and SetIMAPSettings.
How to Set Connection Time-Out Limits for IMAP4

This section explains how to use the Exchange Management Shell to configure your connection time-out limits for idle authenticated and unauthenticated connections for IMAP4.
172
Note: After you have set the connection time-out limits for IMAP4, you must restart the IMAP4 service. For more information about how to restart the IMAP4 service, see How to Start and Stop the IMAP4 Service.
Before You Begin

To perform the following procedures on a computer that has the IMAP4 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure authentication time-out limits for IMAP4 1. To set the connection time-out limit for idle authenticated connections, run the following command: Set -ImapSettings -Identity CAS01 -AuthenticatedConnectionTimeout Timespan 2. To set the connection time-out limit for idle unauthenticated connections, run the following command: Set -ImapSettings -Identity CAS01 -PreAuthenticatedConnectionTimeout Timespan For more information about syntax and parameters, see Set-IMAPSettings.

For more information about how to manage IMAP4 settings on the computer that is running Microsoft Exchange Server 2007, see Managing POP3 and IMAP4.
How to Set Connection Time-Out Limits for POP3

This section explains how to use the Exchange Management Shell to configure your connection time-out limits for idle authenticated and unauthenticated Post Office Protocol version 3 (POP3) connections.
173
Note: After you have set the connection time-out limits for POP3, you must restart the POP3 service. For more information about how to restart the POP3 service, see How to Start and Stop the POP3 Service.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure connection time-out limits for POP3 1. To set the connection time-out limit for idle authenticated connections, run the following command: Set -PopSettings -Identity CAS01 -AuthenticatedConnectionTimeout TimeValue 2. To set the connection time-out limit for idle unauthenticated connections, run the following command: Set -PopSettings -Identity CAS01 -PreAuthenticatedConnectionTimeout TimeValue For more information about syntax and parameters, see Set-POPSettings.

For more information about how to configure POP3 on the Exchange 2007 server, see Managing POP3 and IMAP4.
How to Configure IMAP4 Access to Exchange 2003 Servers

This section explains how to use the Exchange Management Shell to configure connectivity options for connecting to Microsoft Exchange Server 2003 servers for Internet Message Access Protocol version 4rev1 (IMAP4) access. By using the settings for this cmdlet, you can specify the port to use to connect Microsoft Exchange Server 2007 servers that have the Client Access server role installed to Exchange 2003 servers. By default, this value should be set to use port 143. This cmdlet also lets you disable access to Exchange 2003 servers.
174
Note: After you have configured IMAP4 access to Exchange 2003, you must restart the IMAP4 service. For more information about how to restart the IMAP4 service, see How to Start and Stop the IMAP4 Service.
Before You Begin

You can configure Exchange 2007 Client Access servers to connect to mailboxes located on Exchange 2003 servers. However, when you do this, you must disable Secure Sockets Layer (SSL) encryption and enable Basic authentication on the Exchange 2003 server. Because the user name and password are sent in clear text when Basic authentication is used without encryption, we recommended that you secure the traffic between the Client Access server and Exchange Server 2003 server by using Internet Protocol security (IPsec). To perform the following procedures on a computer that has the IMAP4 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure IMAP4 access to Exchange 2003 servers 1. To configure IMAP4 access to Exchange 2003 servers by using the default port value, run the following command: Set-ImapSettings -ProxyTargetPort 143 2. To disable IMAP4 access to Exchange 2003 servers, run the following command: Set-ImapSettings -ProxyTargetPort 0 For more information about syntax and parameters, see Set-IMAPSettings.

For more information about how to use IMAP4 with Exchange 2007, see the following topics: Overview of POP3 and IMAP4 Managing POP3 and IMAP4
175
How to Configure POP3 Access to Exchange 2003 Servers

This section explains how to use the Exchange Management Shell to configure your connectivity options for connecting to Microsoft Exchange Server 2003 servers by using Post Office Protocol version 3 (POP3). By using the settings for this cmdlet, you can specify the ports to use to connect Microsoft Exchange Server 2007 computers that have the Client Access server role installed to Exchange 2003 servers. By default, this value should be set to use port 110. This cmdlet also lets you disable access to Exchange 2003 servers. Note: After you have configured POP3 access to Exchange 2003, you must restart the POP3 service. For more information about how to restart the POP3 service, see How to Start and Stop the POP3 Service.
Before You Begin

You can configure Exchange 2007 Client Access servers to connect to mailboxes located on Exchange 2003 servers. However, when you do this, you must disable Secure Sockets Layer (SSL) encryption and enable Basic authentication on the Exchange 2003 server. Because the user name and password are sent in clear text when Basic authentication is used without encryption, we recommended that you secure the traffic between the Client Access server and Exchange Server 2003 server by using Internet Protocol security (IPsec). To perform the following procedures on a computer that has the POP3 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure POP3 access to Exchange 2003 servers 1. To configure POP3 access to Exchange 2003 servers by using the default port value of 110, run the following command: Set-PopSettings -ProxyTargetPort 110 2. To disable POP3 access to Exchange 2003 servers, run the following command: Set-PopSettings -ProxyTargetPort 0 For more information about syntax and parameters, see Set-POPSettings.
176

For more information about how to use POP3 with Exchange 2007, see the following topics: Overview of POP3 and IMAP4 Managing POP3 and IMAP4
How to Manage Calendar Options for IMAP4

This section describes how to set the calendaring options that are available on the Microsoft Exchange Server 2007 computer that has the IMAP4 service enabled. You can set different calendar options for your organization when you are using IMAP4 as the e-mail protocol for your users. You can use the CalendarItemRetrievalOption setting for the Set-IMAPSettings cmdlet to select different calendar options. Table 29 describes this setting for IMAP4 users. Note: After you have specified the calendar options for IMAP4, you must restart the IMAP4 service. For more information about how to restart the IMAP4 service, see How to Start and Stop the IMAP4 Service. Table 29 IMAP4 calendar options for the Set-IMAPSettings cmdlet Setting iCalendar Value 0 Description This setting lets users use the iCalendar standard for calendar items. The iCalendar standard is a standard for exchanging calendar information. This setting lets you specify an internal URL for users to access their calendar information. This setting lets you specify an external URL for users to access their calendar information.
IntranetUrl
InternetUrl
177
Custom
This setting lets you specify a Microsoft Office Outlook Web Access server for users to access their calendar information.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to set the calendar options for IMAP4 1. To enable IMAP4 to use iCalendar, run the following command: Set-ImapSettings -Identity CAS01 -CalenderItemRetrievalOption 0 2. To enable IMAP4 users to access internal calendar information from an internal server, run the following command: Set-ImapSettings -Identity CAS01 -CalenderItemRetrievalOption 1 -IntranetUrl "Server01" 3. To enable IMAP4 users to access calendar information from the Internet on an external server, run the following command: Set-ImapSettings -CalenderItemRetrievalOption 2 -InternetUrl "https://Server01" 4. To enable IMAP4 users to access calendar information by using Outlook Web Access, run the following command: Set-ImapSettings -CalenderItemRetrievalOption 3 -OwaServerUrl "https://OwaServer01" For more information about syntax and parameters, see Set-IMAPSettings.

For more information about how to manage IMAP4 access for Exchange 2007, see Managing POP3 and IMAP4.
178
How to Enable or Disable POP3 Access for a User

This section describes how to enable or disable Post Office Protocol version 3 (POP3) access for a user on the computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed and that has the POP3 service enabled. Note: After you have enabled or disabled POP3 access for a user, you must restart the POP3 service. For more information about how to restart the POP3 service, see How to Start and Stop the POP3 Service.
Before You Begin

To perform the following procedure on a computer that has the POP3 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to enable or disable POP3 access for a user 1. To enable POP3 for a user, run the following command: Set-CASMailbox -Identity CAS01 -PopEnabled $true 2. To disable POP3 for a user, run the following command: Set-CASMailbox -Identity CAS01 -PopEnabled $false For more information about syntax and parameters, see Set-CASMailbox.

For more information about how to manage POP3 settings, see Managing POP3 and IMAP4.
179
How to Enable or Disable IMAP4 Access for a User

This section describes how to enable or disable IMAP4 access for a user on the computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed and that has the IMAP4 service enabled. Note: After you have enabled or disabled IMAP4 access for a user, you must restart the IMAP4 service. For more information about how to restart the IMAP4 service, see How to Start and Stop the IMAP4 Service.
Before You Begin

To perform the following procedure on a computer that has the IMAP4 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to enable or disable IMAP4 access for a user 1. To enable IMAP4 for a user, run the following command: Set-CASMailbox -Identity CAS01 -Imap4Enabled $true 2. To disable IMAP4 for a user, run the following command: Set-CASMailbox -Identity CAS01 -ImapEnabled $false For more information about syntax and parameters, see Set-CASMailbox.

For more information about how to manage IMAP4 settings, see Managing POP3 and IMAP4.
180
How to Enable Protocol Logging for POP3 and IMAP4

This section explains how to enable protocol logging for Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) on a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed. You can enable protocol logging for POP3 and IMAP4 by modifying the following files: POP3 Microsoft.Exchange.Pop3.exe.config IMAP4 Microsoft.Exchange.Imap4.exe.config
Both files are located in C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap. The Microsoft.Exchange.Pop3.exe.config and Microsoft.Exchange.Imap4.exe.config files contain parameters that define how protocol logging for POP3 and IMAP4 works. Table 30 explains these parameters. Table 30 Fields used to classify each protocol event Parameter name AgeQuotaInHours Description This value is set to 24. The protocol log file will be re-created automatically every 24 hours. This value is set to 10000000. The protocol log file will be automatically re-created when the file size exceeds 10000000 bytes. If the file size does not exceed this value, the file will be re-created automatically after the 24hour time period is exceeded. This value is set to 1000000. The protocol log file will create one additional new file every time that the 1000000 byte file size is exceeded.
SizeQuota
PerFileSizeQuota
The information that is on each line of the POP3 and IMAP4 protocol logs is organized by fields that are separated by commas. Table 31 explains the fields that are used to classify each protocol event. Table 31 Fields used to classify each protocol event Field name Description
181
date-time
The date and time of the protocol event. The value is formatted as yyyy-mmddhh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu. Zulu is another way to indicate Coordinated Universal Time (UTC). This field is not used for POP3 and IMAP4 protocol logging. A GUID that is unique for each SMTP session but is the same for each event that is associated with that SMTP session. A counter that starts at 0 and is incremented for each event in the same session. The local endpoint of a POP3 or IMAP4 session. This consists of an IP address and TCP port number that is formatted as <IP address>:<port>. The remote endpoint of a POP3 or IMAP4 session. This consists of an IP address and TCP port number that is formatted as <IP address>:<port>. A single character that represents the protocol event. The possible values for the event are as follows: + Connect - Disconnect > Send < Receive * Information
connector-id session-id
sequence-number local-endpoint
remote-endpoint
event
data context
Text information that is associated with the POP3 or IMAP4 event. This field is not used for POP3 and IMAP4 protocol logging.
182
To perform the following procedures on a computer that has the POP3 and IMAP4 services enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To enable protocol logging for POP3 1. To enable protocol logging for POP3, open the following file in Notepad: C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\ Microsoft.Exchange.Pop3.exe.config. Note: The parameter names in the <add key=../> section are case sensitive. 2. Change the following line in the <appSettings> section from: <addkey="ProtocolLog" value="false" /> to: <addkey="ProtocolLog" value="true" /> 3. Save, and then close the Microsoft.Exchange.Pop3.exe.config file. To enable protocol logging for IMAP4 1. To enable protocol logging for IMAP4, open the following file in Notepad: C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\ Microsoft.Exchange.Imap4.exe.config. Note: The parameter names in the <add key=../> section are case sensitive. 2. Change the following line in the <appSettings> section from: <addkey="ProtocolLog" value="false" /> to: <addkey="ProtocolLog" value="true" /> 3. Save, and then close the Microsoft.Exchange.Imap4.exe.config file.

For more information about how to manage POP3 and IMAP4, see Managing POP3 and IMAP4.
183
How to Manage POP3 and IMAP4 Message Retrieval Format Options

This section describes how to manage message retrieval format options for users on the Microsoft Exchange Server 2007 computer that has the Client Access server role installed and the Post Office Protocol version 3 (POP3) service or the Internet Message Access Protocol version 4rev1 (IMAP4) service enabled. You can manage the message retrieval options for IMAP4 and POP3 access for an individual user's mailbox by using the Set-CASMailbox cmdlet. Table 32 describes the message retrieval format options that are available for POP3 and IMAP4 users. Note: After you have specified message retrieval format options for POP3 and IMAP4, you must restart the POP3 or IMAP4 service. For more information about how to restart the POP3 and IMAP4 services, see How to Start and Stop the POP3 Service and How to Start and Stop the IMAP4 Service. Table 32 Message retrieval format options for POP3 and IMAP4 for the SetCASMailbox cmdlet Setting PopMessageRetrievalFormat Value ImapMessageRetrievalForma t 0:Text Only 1:HTML Only 2:HTML and Text 3:Rich Text Only 4:UUEncode 5:UUEncodeBinHex 6:Best Body Format 0:Text Only 1:HTML Only 2:HTML and Text 3:Rich Text Only 4:UUEncode 5:UUEncodeBinHex 6:Best Body Format This setting lets you set the IMAP4 message retrieval format for an individual user. Description This setting lets you set the POP3 message retrieval format for an individual user.
184
Before You Begin

To perform these procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
To use the Exchange Management Shell to set the message retrieval format for a POP3 user Run the following command: Set-CASMailbox -Identity CAS01 -POPMessageRetrievalFormat value Use one of the message retrieval format options listed in the Value column in table 32. To use the Exchange Management Shell to set the message retrieval format for a IMAP4 user Run the following command: Set-CASMailbox -Identity CAS01 -ImapMessageRetrievalFormat value Use one of the message retrieval format options listed in the Value column in table 32. For more information about syntax and parameters, see Set-CASMailbox.

For more information about how to manage POP3 and IMAP4 access for Exchange 2007, see Managing POP3 and IMAP4.
How to Enable POP3 and IMAP4 Users to Use Default Protocol Settings
This section describes how to enable POP3 and IMAP4 users to use default protocol settings on the Microsoft Exchange Server 2007 Client Access server that has the Internet Message Access Protocol version 4rev1 (IMAP4) service or Post Office Protocol version 3 (POP3) service enabled.
185
When you use the Set-PopSettings or Set-ImapSettings cmdlets to manage POP3 and IMAP4 settings for all your users, you can also use the Set-CASMailbox cmdlet to specify individual POP3 and IMAP4 settings for your users. You can also use the Set-CASMailbox cmdlet to enable a user to use the default protocol settings for a server when you use the Set-PopSettings or Set-ImapSettings cmdlets. Table 33 shows the parameters to use to configure a POP3 or IMAP4 user to use protocol defaults as specified on the Client Access server. Table 33 POP3 and IMAP4 parameters for the Set-CASMailbox cmdlet Parameter PopUseProtocolDefaults Value $true $false Description This parameter lets you use the protocol defaults as specified by the SetPopSettings cmdlet. This parameter lets you use the protocol defaults as specified by the SetImapSettings cmdlet.
ImapUseProtocolDefaults
$true $false
For more information about the Set-CASMailbox cmdlet, see Set-CASMailbox.
Before You Begin

To perform the following procedures on the Exchange 2007 Client Access server that has the POP3 or IMAP4 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to enable a POP3 user to use default protocol settings 1. To enable a POP3 user to use the default protocol settings for the server, run the following cmdlet: Set-CASMailbox -Identity CAS01 -PopProtocolDefaults $true 2. To disable the default protocol settings for a POP3 user on the server, run the following cmdlet: Set-CASMailbox -Identity CAS01 -PopProtocolDefaults $false
186
To use the Exchange Management Shell to configure an IMAP4 user to use default protocol settings 1. To enable an IMAP4 user to use the default protocol settings for the server, run the following cmdlet: Set-CASMailbox -Identity CAS01 -ImapProtocolDefaults $true 2. To disable the default protocol settings for an IMAP4 user on the server, run the following cmdlet: Set-CASMailbox -Identity CAS01 -ImapProtocolDefaults $false For more information about syntax and parameters, see Set-CASMailbox.

For more information about how to manage POP3 and IMAP4 access for Exchange 2007, see Managing POP3 and IMAP4.
Enabling POP3 and IMAP4 on a Client Access Server

By default, Post Office Protocol version 3 (POP3) and Internet Message Access Protocol Version 4 rev1 (IMAP4) are disabled in Microsoft Exchange Server 2007. To use these protocols, you must first start the POP3 and IMAP4 services on the computer that is running Exchange 2007. You must also configure SMTP for your POP3 and IMAP4 clients to send email. For detailed steps for how to enable the POP3 and IMAP4 services, see How to Enable POP3 in Exchange 2007 and How to Enable IMAP4 in Exchange 2007.
How to Enable IMAP4 in Exchange 2007

This section explains how to enable the Internet Message Access Protocol version 4rev1 (IMAP4) service for Microsoft Exchange Server 2007. When you install Exchange 2007, the IMAP4 service is not started. To enable the IMAP4 service, you can use the Services snap-in in Microsoft Management Console (MMC) or the Exchange Management Shell.
187
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use Microsoft Management Console to enable IMAP4 1. In the Services snap-in, in the console tree, click Services (Local). 2. In the results pane, right-click Microsoft Exchange IMAP4, and then click Properties. 3. On the General tab, under Startup type, select Automatic, and then click Apply. 4. Under Service status, click Start, and then click OK. To use the Exchange Management Shell to enable IMAP4 1. Run the following command: Set-service msExchangeIMAP4 -startuptype automatic 2. Run the following command: Start-service msExchangeIMAP4

For more information about how to manage the IMAP4 protocol, see Managing POP3 and IMAP4.
How to Enable POP3 in Exchange 2007

This section explains how to enable the Post Office Protocol version 3 (POP3) service for Microsoft Exchange Server 2007. When you install Exchange 2007, the POP3 service is not started. You can use the Services snap-in in Microsoft Management Console (MMC) or the Exchange Management Shell to set the POP3 service to start automatically.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and local Administrators group for the target server.
188
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use Microsoft Management Console to enable POP3 1. In the Services snap-in, in the console tree, click Services (Local). 2. In the results pane, right-click Microsoft Exchange POP3, and then click Properties. 3. On the General tab, under Startup type, select Automatic, and then click Apply. 4. Under Service status, click Start, and then click OK. To use the Exchange Management Shell to enable POP3 1. Run the following command: Set-service msExchangePOP3 -startuptype automatic 2. Run the following command: Start-service -service msExchangePOP3

For more information about how to manage the POP3 protocol, see Managing POP3 and IMAP4.
Managing the Autodiscover Service

Microsoft Exchange Server 2007 computers that have the Client Access server role installed include a new feature named the Autodiscover service. The Autodiscover service provides Outlook 2007 users with the profile settings that are required to connect to the Exchange server. Before you start to manage the Autodiscover service, read the following topics: Overview of the Autodiscover Service Deployment Options for the Autodiscover Service
The following sections contain information that is required to manage the Autodiscover service.
189
Using Separate IIS Web Sites for Internet Access to the Autodiscover Service
You can use the Autodiscover service to automatically configure your Outlook 2007 clients to connect to the available Exchange features. For more information, see the following topics: Deployment Options for the Autodiscover Service How to Configure the Autodiscover Service for Internet Access
Using Multiple Sites for Internet Access to the Autodiscover Service

We recommend that you host the Autodiscover service on a separate site if you manage a Web site that is frequently visited that also hosts your e-mail traffic. You can host the Autodiscover service on a separate site that is on the same computer as other Microsoft Exchange features. For more information, see How to Configure the Autodiscover Service for Internet Access.
Configuring the Autodiscover Service for Multiple Forests

You can deploy Microsoft Exchange in multiple forests. Two of these deployment scenarios include the resource forest topology and the multiple trusted forest topology. For more information about how to configure the Autodiscover service for multiple forests, see How to Configure the Autodiscover Service for Multiple Forests.
Configuring the Autodiscover Service to Use Site Affinity

If you manage a large, distributed organization that has sites that are separated by lowbandwidth network connectivity, we recommend that you use site affinity for the Autodiscover service. For more information, see How to Configure the Autodiscover Service to Use Site Affinity.
190
How to Create a New Autodiscover Service Virtual Directory

This section explains how to use the Exchange Management Shell to create a new Autodiscover service virtual directory for Microsoft Exchange Server 2007. Note: You cannot use the Exchange Management Console to create a new Autodiscover service virtual directory. Note: The ability to use the Autodiscover service together with supported mobile devices depends on the operating system that is running on the mobile device. Not all mobile device operating systems that support synchronization with Exchange 2007 also support the Autodiscover service. For more information, contact the manufacturer of your mobile device.
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also, before you perform this procedure, confirm that the Autodiscover service is disabled on the Exchange 2007 server. The Autodiscover service is disabled if the Autodiscover service virtual directory is not present under the Default Web Site node in the Internet Information Services (IIS) console tree. For more information about how to disable the Autodiscover service, see How to Delete the Default Autodiscover Service Virtual Directory. To use the Exchange Management Shell to create a new Autodiscover service virtual directory Run the following command: New-AutodiscoverVirtualDirectory -Websitename <websitename> -BasicAuthentication:$true -WindowsAuthentication:$true For more information about syntax and parameters, see New-AutodiscoverVirtualDirectory.

For more information about the Autodiscover service, see the following topics:
191
Managing the Autodiscover Service How to Delete the Default Autodiscover Service Virtual Directory
How to Delete the Default Autodiscover Service Virtual Directory

This section explains how to use the Exchange Management Shell to delete the default Autodiscover service virtual directory for Microsoft Exchange Server 2007. Note: You cannot use the Exchange Management Console to delete the default Autodiscover service virtual directory.
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to disable the Autodiscover service Run the following command: Remove-AutodiscoverVirtualDirectory -Identity "MyServer\autodiscover(autodiscover.contoso.com)" For more information about syntax and parameters, see RemoveAutodiscoverVirtualDirectory.

For more information about the Autodiscover service, see Managing the Autodiscover Service.
192
How to Test Outlook 2007 Autodiscover Connectivity

This section explains how to use the Exchange Management Shell to verify that the Autodiscover service settings are configured correctly.
Before You Begin

To run the Test-OutlookWebServices cmdlet, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to test Autodiscover connectivity Run the following command: Test-OutlookWebServices -ClientAccessServer "CASServer01" For detailed syntax and parameter information, see the Test-OutlookWebServices reference topic.

For more information about the Autodiscover service, see the Managing the Autodiscover Service topic.
How to Configure the Autodiscover Service for Internet Access

This section explains how to configure the Autodiscover service for Internet-based access on a Microsoft Exchange Server 2007 computer that has the Client Access server role installed. If you have deployed Exchange 2007 in your messaging environment, you can let the Autodiscover service automatically configure Microsoft Office Outlook 2007 clients for features such as the Availability service, Unified Messaging, and Outlook Anywhere. If you plan to allow external access to the Autodiscover service for Outlook 2007 clients that connect from the Internet, you must configure a valid Secure Sockets Layer (SSL) certificate from a certification authority (CA) that is trusted by the client computer's operating system.
193
Configuring Internet Access to the Autodiscover Service

We recommend that you host the Autodiscover service on a separate site if you manage a Web site that is frequently visited and that hosts your e-mail traffic. To allow external access to the Autodiscover service for Outlook 2007 clients that are connected from the Internet, we recommend that you follow these steps in order. Note: You must use one IP address per site. 1. (Optional) Configure a separate site on a Client Access computer to host the Autodiscover service You can create a separate site to host Autodiscover service traffic by using the New-AutodiscoverVirtualDirectory cmdlet. This optional step is recommended if the Simple Mail Transfer Protocol (SMTP) address domain is the same as the corporate Web site address and your corporate Web site is frequently visited. For example, if the company Web site is www.contoso.com, the e-mail SMTP domain is contoso.com, and the company Web site (www.contoso.com) is frequently visited, we recommend that you create a separate site and host the Autodiscover service on autodiscover.contoso.com. For more information, see How to Create a New Autodiscover Service Virtual Directory. 2. (Required) Configure a valid SSL certificate Configure a valid SSL certificate from a CA that the client computer trusts. If you have decided to host the Autodiscover service on a separate site, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names. 3. (Optional) Update the SCP Object If you have created an additional IIS site for the Autodiscover service, you must update the service connection point (SCP) object in the Active Directory directory service to specify to which Client Access server and Autodiscover virtual directory you want clients to connect. For more information about SCP objects, see Publishing with Service Connection Points. After you have completed these steps, you should configure the firewall for the address space and configure the SSL certificate for the Autodiscover service. The following procedures explain how to create an Autodiscover virtual directory for a new Web site.
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.
194
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure a new Web site for the Autodiscover service 1. If you have not already done this, create a new Web site for the Autodiscover service by using Internet Information Services (IIS) Manager. 2. Create a new Autodiscover virtual directory in IIS for the Autodiscover service by running the following command: New-AutodiscoverVirtualDirectory -Websitename <websitename> -BasicAuthentication:$true -WindowsAuthentication:$true Note: A Web site that uses SSL requires that you use a unique IP address. 3. Configure a trusted third-party SSL certificate on the Autodiscover service Web site. For more information about syntax and parameters, see New-AutodiscoverVirtualDirectory.

For more information about the Autodiscover service, see the following topics: Overview of the Autodiscover Service Managing the Autodiscover Service
How to Configure the Autodiscover Service for Multiple Forests

This section explains how to use the Exchange Management Shell to configure the Autodiscover service when your Exchange deployment has two or more trusted forests. If your Exchange deployment has two or more trusted forests, you must update the Active Directory directory service so that users who are running Microsoft Office Outlook 2007 in one forest can access the Client Access servers in the remote (or target) forest to use the Autodiscover service. To do this, run the ExportAutodiscoverConfig cmdlet in each forest that contains the Client Access servers that are providing the Autodiscover service against the target forests. This will configure the service connection point (SCP) information for the Autodiscover pointer in Active Directory.
195
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure the Autodiscover service for multiple forests 1. On an Exchange 2007 Client Access server in the source forest, run the following command to retrieve the credentials that you will use to run the ExportAutodiscoverConfig cmdlet: $a = Get-Credential 2. On an Exchange 2007 Client Access server in the source forest, run the following command: Export-AutoDiscoverConfig -DomainController <FQDN> TargetForestDomainController <String> -TargetForestCredentials $a -MultipleExchangeDeployments $true For more information about syntax and parameters, see Export-AutoDiscoverConfig.

How to Configure the Autodiscover Service to Use Site Affinity

This section explains how to use the Exchange Management Shell to configure site affinity for the Autodiscover service on the computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed. You can configure the Autodiscover service to use site affinity to specify Active Directory sites that are preferred for clients to connect to a particular instance of the Autodiscover service. For more information about how to use site affinity with the Autodiscover service, see Deployment Considerations for the Autodiscover Service. Configuring the Autodiscover service to use site affinity is achieved by using the Set-ClientAccessServer cmdlet.
196
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure site affinity for the Autodiscover service Run the following command: Set-ClientAccessServer -Identity "ServerName" -AutodiscoverServiceInternalURI "https://internalsitename/autodiscover/autodiscover.xml" AutodiscoverSiteScope "SiteName" For more information about syntax and parameters, see Set-ClientAccessServer.

For more information about the Autodiscover service, see the following topics: Overview of the Autodiscover Service Deployment Considerations for the Autodiscover Service Managing the Autodiscover Service
How to Configure Exchange ActiveSync Autodiscover Settings

Microsoft Exchange Server 2007 introduces a new service that makes it easier to provision mobile devices for users. The Autodiscover service returns an XML file that is used to provision a user's device when the user's e-mail address and password are supplied. The Autodiscover service returns the address to a computer that is running Exchange 2007 that has the Client Access server role installed. By default, the Autodiscover service is enabled. This section explains how to use the Exchange Management Console to enable the Autodiscover service in Microsoft Exchange ActiveSync. Note: The ability to use the Autodiscover depends on the mobile device operating system that you are using. Not all mobile device operating systems that support synchronization with Exchange Server 2007 support Autodiscover. For more
197
information about mobile device operating systems that support Autodiscover, contact the manufacturer of your mobile device.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure the Autodiscover service in Exchange ActiveSync Run one of the following commands: Set-ActiveSyncVirtualDirectory -Identity "COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL "https://servername.com/" or Set-ActiveSyncVirtualDirectory -Identity "COMPUTERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ActiveSyncServer "https://servername.com/" For more information about syntax and parameters, Set-ActiveSyncVirtualDirectory.

For more information about the Autodiscover service, see Managing the Autodiscover Service.
How to Configure the Autodiscover Service for Cross Forest Moves

This section explains how to use the Exchange Management Shell to configure your Microsoft Exchange deployment to handle mailboxes that are moved from one forest to another for the Autodiscover service. For a cross-forest mailbox move, the two forests must be trusted. For the Autodiscover service to handle this move, you must configure a mail contact in the original forest where the user's mailbox resided. When you configure a mail contact, the user will authenticate to the original forest where the mailbox resided, and the user will receive a redirect that uses the new e-mail address. The
198
client will then try to contact the Autodiscover service by using the new e-mail address against the new forest. For example, mail1.contoso.com and mail2.contoso.com are separate, trusted forests and the mailbox for a user is kwekua@mail1.contoso.com. This user originally resided in the forest named mail1.contoso.com and was moved to the forest named mail2.contoso.com. For this example, you have to set a contact in mail1.contoso.com by using the following command in the Exchange Management Shell: New-MailContact -ExternalEmailAddress 'SMTP:kwekua@mail2.contoso.com' -Name 'Kweku Ako Adjei' -Alias 'kwekua' -OrganizationalUnit 'mail1.contoso.com/Users' -FirstName 'Kweku' -Initials '' -LastName 'Ako Adjei' After you configure the contact, when the user connects to mail1.contoso.com and uses the mail1.contoso.com credentials, the following request is sent to the Outlook 2007 client: <?xml version="1.0" encoding="utf-8" ?>\r\n <Autodiscover xmlns="http://schemas.contoso.com/exchange/autodiscover/outlook/requ estschema/2006">\r\n <Request>\r\n <EMailAddress>kwekua@mail1.contoso.com</EMailAddress>\r\n <AcceptableResponseSchema>http://schemas.contoso.com/exchange/autodi scover/outlook/responseschema/2006a</AcceptableResponseSchema>\r\n </Request>\r\n </Autodiscover> The Outlook 2007 client will receive the following redirect response from mail1.contoso.com: <?xml version="1.0" encoding="utf-8"?>\r\n <Autodiscover xmlns="http://schemas.contoso.com/exchange/autodiscover/responsesche ma/2006"><Response xmlns="http://schemas.contoso.com/exchange/autodiscover/outlook/resp onseschema/2006a">\r\n <Account>\r\n <Action>redirectAddr</Action>\r\n <RedirectAddr>kwekua@mail2.contoso.com</RedirectAddr>\r\n </Account>\r\n </Response></Autodiscover>
199
The user will then be able to connect to the Autodiscover service by using this new e-mail address in the mail2.contoso.com forest.
Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to create a new mail contact for the Autodiscover service to handle cross-forest mailbox moves Run the following command: New-MailContact -ExternalEmailAddress 'SMTP:kwekua@mail2.contoso.com' -Name 'Kweku Ako Adjei' -Alias 'kwekua' -OrganizationalUnit 'mail1.contoso.com/Users' -FirstName 'Kweku' -Initials '' -LastName 'Ako Adjei' For more information about syntax and parameters, see new-MailContact.
How to Configure Exchange Services for the Autodiscover Service

This section explains how to configure Microsoft Exchange services, such as the Availability service, for the Autodiscover service on a Microsoft Exchange Server 2007 computer that has the Client Access server role installed. When you enable Outlook Anywhere, you must also configure external access to Microsoft Exchange services for the Autodiscover service. This includes the URLs for the Availability service, Exchange Web Services, Unified Messaging (UM), and the offline address book. If you do not configure the external URL values, the Autodiscover service information provided to the Microsoft Office Outlook 2007 client may be incorrect for clients that are connecting from outside your network. They may be able to connect to their Microsoft Exchange mailbox. However, they will be unable to use Exchange features such as Out of Office functionality, the Availability service, Unified Messaging, or offline address book downloads. Generally, the internal URL is configured by Microsoft Exchange Setup. However, the external URLs must be configured by using the virtual directory cmdlet for each component.
200
Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure the external host name for Outlook Anywhere for the Autodiscover service Run the following command: Enable-OutlookAnywhere -Server CAS01 -ExternalHostname "mail.contoso.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False For more information about syntax and parameters, see Enable-OutlookAnywhere. To use the Exchange Management Shell to configure the external URL for the offline address book for the Autodiscover service Run the following command: Set-OABVirtualDirectory -identity "CAS01\OAB (Default Web Site)" -externalurl https://mail.contoso.com/OAB -RequireSSL: $true For more information about syntax and parameters, see Set-OabVirtualDirectory. To use the Exchange Management Shell to configure the external URL for Unified Messaging for the Autodiscover service Run the following command: Set-UMVirtualDirectory -identity "CAS01\UnifiedMessaging (Default Web Site)" -externalurl https://mail.contoso.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True For more information about syntax and parameters, see Set-UMVirtualDirectory. To use the Exchange Management Shell to configure the external URL for Exchange Web Services for the Autodiscover service Run the following command: Set-WebServicesVirtualDirectory -identity "CAS01\EWS (Default Web Site)" -externalurl https://mail.contoso.com/EWS/Exchange.asmx -BasicAuthentication:$True
201
For more information about syntax and parameters, see Set-WebServicesVirtualDirectory.

For more information, see the following topics: Managing Outlook Anywhere Managing the Availability Service Managing the Autodiscover Service Managing Offline Address Books Managing Unified Messaging
Managing the Availability Service

The Microsoft Exchange Server 2007 Availability service improves information workers' free and busy data by providing secure, consistent, and up-to-date free and busy information to computers running Microsoft Office Outlook 2007. Outlook 2007 uses the Autodiscover service to obtain the URL of the Availability service. The Autodiscover service is similar to the Domain Name System (DNS) Web service for Outlook 2007. Essentially, the Autodiscover service helps Outlook 2007 locate various Web services, such as the Unified Messaging, Offline Address Book, and Availability services. For more information about the Autodiscover service, see Managing the Autodiscover Service. Note: If you have Outlook 2007 clients running on Exchange Server 2003 mailboxes, Outlook 2007 will use public folders for the free and busy information. The Availability service is part of the Exchange 2007 programming interface. It will be available as a public Web service to allow developers to write third-party tools for integration purposes. The following topics in this section explain how to manage the Availability service in your Exchange 2007 organization. How to Configure the Availability Service for Network Load Balanced Computers How to Configure the Availability Service for Cross-Forest Topologies How to Diagnose Availability Service Issues
202

For more information about the Autodiscover service, see the following topics: Managing the Autodiscover Service How to Create a New Autodiscover Service Virtual Directory How to Delete the Default Autodiscover Service Virtual Directory
For more information about developing with Exchange 2007 Web services, see Development: Overview. For more information on providing secure Web communications on the Internet or intranets, see Creating a Certificate or Certificate Request for TLS.
How to Configure the Availability Service for Network Load Balanced Computers
This section explains how to use the Exchange Management Shell to configure the Availability service for single forest topologies. Note: You cannot use the Exchange Management Console to configure the Availability service. The Availability service improves information workers' free/busy data by providing secure, consistent, and up-to-date free/busy information to computers that are running Microsoft Office Outlook 2007. By default, this service is installed with Microsoft Exchange Server 2007. For single forest topologies, in which all connecting client computers are running Outlook 2007, only the Availability service is used to retrieve free/busy information. For single forest topologies that contain Exchange 2007 servers and in which the client computers are running Outlook 2007 or Office Outlook 2003 (or earlier), either the Availability service (for the Outlook 2007 clients) or public folders (for the Outlook 2003 (or earlier)) are used to retrieve free/busy information. For single forest topologies that contain both servers running Exchange 2007 and Exchange Server 2003 and in which the client computers are running Outlook 2007 or Outlook 2003 (or earlier), either the Availability service (for the Outlook 2007 clients) or public folders (for the Outlook 2003 (or earlier)) are used to retrieve free/busy information. Table 34 lists the different methods used to retrieve free/busy information in various single forest topologies.
203
Table 34 Methods to retrieve free/busy information in various single forest topologies Client Outlook 2007 Logged on mailbox Exchange 2007 Target mailbox Exchange 2007 Free/Busy retrieval method The Availability service reads free/busy information from the target mailbox. The Availability service makes HTTP connections to the /public virtual directory of the Exchange 2003 mailb ox. Free/busy information is published in local public folders. Free/busy information is published in local public folders. Outlook Web Access 2007 calls the Availability service API, which reads the free/busy information from the target mailbox. Outlook Web Access 2007 calls the Availability service API, which makes an HTTP connection to the /public virtual directory of the Exchange 2003 mailb ox.
Outlook 2007
Exchange 2007
Exchange 2003
Outlook 2003
Exchange 2007
Exchange 2007
Outlook 2003
Exchange 2007
Exchange 2003
Outlook Web Access 2007
Exchange 2007
Exchange 2007
Outlook Web Access 2007
Exchange 2007
Exchange 2003
204
Any
Exchange 2003
Exchange 2007
Free/busy information is published in local public folders.
Configuring the Availability Server for Network Load Balancing

Outlook 2007 discovers the Availability service URL using the Autodiscover service. The internal URL is used from the intranet, and the external URL is used from the Internet. If you want to use the same URL for both internal and external traffic, make sure that Domain Name System (DNS) is properly configured to route internal traffic directly to the internal Web site. Also, make sure that the URL is properly accessible both internally and externally. For the Autodiscover and Availability services to work, make sure that DNS is properly configured so that mail.example.com and autodiscover.mail.example.com point to the Network Load Balancing (NLB) array of Client Access servers. Note: For more information about NLB, see Network Load Balancing Technical Reference and Network Load Balancing Clusters. You can also search for third-party loadbalancing software Web sites. For information about diagnosing Availability service issues, see How to Diagnose Availability Service Issues. For more information about the Autodiscover service, see the Overview of the Autodiscover Service.
Before You Begin

To run the Set-WebServicesVirtualDirectory cmdlet, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure the Availability service for network load balanced computers Run the following command: Set-WebServicesVirtualDirectory -Identity "EWS*" -ExternalUrl "Https://Contoso.mail.com/EWS/Exchange.asmx" -InternalUrl "Https://Contoso.mail.com/EWS/Exchange.asmx"
205
Note: If you have a load balanced set of Client Access servers, you do not have to specify the name of each server when you run the command. You only need to use the name of one of the servers in the network load balanced servers. For detailed syntax and parameter information, see the Set-WebServicesVirtualDirectory reference topic.

For more information about the Availability service, see the following topics: Understanding the Availability Service Managing the Availability Service
How to Configure the Availability Service for Cross-Forest Topologies

This section explains how to use the Exchange Management Shell to configure the Availability service for cross-forest topologies. The Availability service improves information workers' free/busy data by providing secure, consistent, and up-to-date free/busy information to computers that are running Microsoft Office Outlook 2007. By default, this service is installed with Microsoft Exchange Server 2007. In cross-forest topologies where all connecting client computers are running Outlook 2007, the Availability service is the only method of retrieving free/busy data. Note: You cannot use the Exchange Management Console to configure the Availability service for cross-forest topologies. You can use the Availability service in cross-forest topologies across trusted or untrusted forests. The type of free/busy information is determined by whether the cross-forest free/busy data is configured as a per-user or an organization-wide service. Per-user free/busy information is possible only in a trusted cross-forest topology and makes it possible for the Availability service to make cross-forest requests on behalf of a particular user. This also allows a user in a remote forest to grant detailed free/busy information to a cross-forest user.
206
However, with organization-wide free/busy data, the Availability service can make cross-forest requests only on behalf of a particular organization. With organization-wide free/busy data, a user's default free/busy information is returned, and it is not possible to control the level of free/busy information that is returned to users in the other forest.
Configuring Windows for Cross-Forest Topologies

To configure Microsoft Windows for a cross-forest topology, you must install and configure GAL Synchronization (GALSync). For complete information about how to install and configure the GALSync feature in Microsoft Identity Integration Server (MIIS) 2003, see the following resources: Microsoft Identity Integration Server 2003 Scenarios Microsoft Identity Integration Server 2003
If you are running Office Outlook 2003 or earlier, you must use the Microsoft Exchange InterOrganization Replication tool to synchronize free/busy data across multiple forests. For more information about the Microsoft Exchange Inter-Organization Replication tool, see Microsoft Exchange Server Inter-Organization Replication.
Before You Begin

To run the Get-ClientAccessServer cmdlet, the account you use must be delegated the Exchange View-Only Administrator role. To run the Add-ADPermission cmdlet, the account you use must be delegated the Exchange Organization Administrator role. To run the Add-AvailabilityAddressSpace cmdlet, the account you use must be delegated the Exchange Organization Administrator role. To run the Set-AvailabilityConfig cmdlet, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure per-user free/busy data in a trusted cross-forest topology On a Client Access server in the target forest, run the following commands to configure the Availability service for per-user free/busy data: Get-ClientAccessServer | Add-ADPermission -Accessrights Extendedright -Extendedrights "ms-ExchEPI-Token-Serialization" -User "<Remote Forest Domain>\Client
207
Access servers" On the local Client Access server in the source forest, run the following command to define the access method and associated credentials: Add-AvailabilityAddressSpace -Forestname ContosoForest.com -AccessMethod PerUserFB -UseServiceAccount:$true Note: To configure bidirectional cross-forest availability, repeat these steps in the target forest. For more information about syntax and parameters, see the following cmdlet reference topics: Get-ClientAccessServer Add-ADPermission Add-AvailabilityAddressSpace Set-AvailabilityConfig
To use the Exchange Management Shell to configure organization-wide free/busy data in an untrusted cross-forest topology 1. On a Client Access server in the target forest, run the following command to set the organization-wide account on the availability configuration object to configure the access level for free/busy information: Set-AvailabilityConfig -OrgWideAccount "Contoso.com\User" 2. Run the following commands to add the Availability address space configuration object for the source forest: $a = get-credential (Enter the credentials for organizationwide user in Contoso.com domain) Add-AvailabilityAddressspace -Forestname Contoso.com -Accessmethod OrgWideFB -Credential:$a If you choose to configure cross-forest availability with trust, and choose to use a service account (instead of specifying organization-wide or per-user credentials), you need to run the following command in the target forest to give Client Access servers in the source forest permission to serialize original user context. To use the Exchange Management Shell to configure trusted cross-forest availability with a service account Run the following command to configure trusted cross-forest availability with a service account: Get-ClientAccessServer | Add-ADPermission -Accessrights Extendedright -Extendedright "ms-Exch-EPI-Token-Serialization" 208
-User "<Remote Forest Domain>\Exchange servers"
Exchange 2007 and Exchange 2003 CrossForest Availability

For Outlook 2007 and Exchange 2007 users to view the free/busy information of Exchange Server 2003 users in another forest, you must configure the Availability service by using the Add-AvailabilityAddressSpace cmdlet. You will only need to run this command once on any server in the Exchange 2007 forest. To use the Exchange Management Shell to configure Exchange 2007 and Exchange 2003 cross-forest availability Run the following command to set public folder free/busy availability: Add-AvailabilityAddressSpace -ForestName Contoso.com -AccessMethod PublicFolder Note: To replicate free/busy information and public folder content between Exchange organizations you must use the Microsoft Exchange InterOrganization Replication tool. For more information about the Microsoft Exchange Inter-Organization Replication tool, see Microsoft Exchange Server Inter-Organization Replication.
How to Diagnose Availability Service Issues

This section explains how to use the Exchange Management Shell to diagnose Availability service issues in the following scenarios: For an individual user On a Client Access server Across different sites
The Autodiscover service provides Microsoft Office Outlook 2007 with configuration information that is needed to connect to Exchange. The Test-OutlookWebServices cmdlet is a diagnostic task that verifies whether the Autodiscover service and the Availability service are correctly configured and can service Outlook client requests. For more information about the Autodiscover service, see the following topics: Overview of the Autodiscover Service
209
Managing the Autodiscover Service
Before You Begin

To run the Test-OutlookWebServices cmdlet, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Before you perform these procedures, be aware that you can also diagnose Availability service issues by using Event Viewer. Specifically, search Event Viewer on your Client Access server for event logs that contain the event source "MSExchange Availability." To use the Exchange Management Shell to diagnose Availability service issues for an individual user Run the following command: Test-OutlookWebServices -Identity: User1@Contoso.com
To use the Exchange Management Shell to diagnose Availability service issues for a Client Access server Run the following command: Test-OutlookWebServices -ClientAccessServer ClientAccessServer01
To use the Exchange Management Shell to diagnose Availability service issues across different sites Run the following command: Test-OutlookWebServices -Identity User1@Site1.Contoso.com -TargetAddress User2@Site2.Fabrikam.com For more information about syntax and parameters, see Test-OutlookWebServices.

For more information about how to configure the Availability service, see the following topics: How to Configure the Availability Service for Network Load Balanced Computers How to Configure the Availability Service for Cross-Forest Topologies
210
For more information about managing the Availability service, see Managing the Availability Service. For more information about the Autodiscover service, see the following topics: Overview of the Autodiscover Service Managing the Autodiscover Service
Managing Client Access Security

This section provides an overview of the various security and authentication related options that are available for a Microsoft Exchange Server 2007 computer that has the Client Access server role installed. The Client Access server role provides access to Microsoft Office Outlook Web Access, Microsoft Exchange ActiveSync, Outlook Anywhere, Post Office Protocol version 3 (POP3), and Internet Message Access Protocol version 4rev1 (IMAP4). In addition, it supports the Autodiscover service and the Availability service. Each of these protocols and services has unique security needs.
Managing Authentication
One of the most important security-related tasks that you can perform for the Client Access server role is to configure an authentication method. The Client Access server role is installed with a default self-signed digital certificate. A digital certificate does two things: It authenticates that its holder is who or what they claim to be. It protects data exchanged online from theft or tampering.
Although the default, self-signed certificate is supported for Exchange ActiveSync and Outlook Web Access, it is not the most secure method of authentication. In addition, it is not supported for Outlook Anywhere. For additional security, consider configuring your Exchange 2007 Client Access server to use a trusted certificate from either a third-party commercial certification authority (CA) or a trusted Windows Public Key Infrastructure (PKI) CA. You can configure authentication separately for Exchange ActiveSync, Outlook Web Access, Outlook Anywhere, POP3, and IMAP4. For more information about how to configure authentication, see the following topics: Configuring Forms-Based Authentication for Outlook Web Access Configuring Authentication for POP3 and IMAP4 Configuring Standard Authentication Methods for Outlook Web Access
211
Enhancing Secure Communications Between the Client Access Server and Other Servers
After you optimize the security of your communications between clients and the Exchange 2007 server, you must optimize the security of the communications between the Exchange 2007 server and other servers in your organization. HTTP, Exchange ActiveSync, POP3, and IMAP4 communication between the Client Access server and other servers, such as Exchange 2007 servers that have the Mailbox server role installed, domain controllers, and global catalog servers, is encrypted by default.

For more information about how to manage security for the various components of your Client Access server, see the following topics: Managing Outlook Web Access Security Managing Outlook Anywhere Security Managing POP3 and IMAP4 Security
How to Add Certificate Manager to Microsoft Management Console

This section explains how to add Certificate Manager to Microsoft Management Console (MMC).
Before You Begin

Adding Certificate Manager to MMC is part of configuring Secure Sockets Layer (SSL) for Microsoft Exchange Server 2007. For more information about the procedures that you must follow to configure SSL for the various client access components in Exchange 2007, see the following topics: How to Configure Outlook Web Access Virtual Directories to Use SSL Configuring TLS and SSL for POP3 and IMAP4 Access
To perform this procedure, the account you use must be delegated the membership in the local Administrators group. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
212
To add Certificate Manager to Microsoft Management Console 1. Click Start, click Run, type mmc, and then click OK. 2. In the File menu, click Add/Remove Snap-in. 3. In the Add/Remove Snap-in box, click Add. 4. In the Available Standalone Snap-ins list, click Certificates, and then click Add. 5. Click Computer Account, and then click Next. 6. Click the Local computer (the computer this console is running on) option, and then click Finish. 7. Click Close, and then click OK.
How to Obtain a Server Certificate from a Certification Authority

This section describes how to obtain a server certificate from a certification authority (CA). Obtaining a server certificate from a certification authority is one step in configuring Secure Sockets Layer (SSL) or Transport Layer Security (TLS). You can obtain server certificates from a third-party CA. A third-party CA may require that you provide proof of identity before a certificate is issued. You can also issue your own server certificates by using an online CA, such as Microsoft Certificate Services. For more information about server certificates, see the Microsoft Windows Server 2003 IIS documentation. Note: Microsoft Exchange Server 2007 includes a default self-signed Secure Sockets Layer (SSL) certificate. You can replace this certificate with a third-party certificate from a certification authority. To do this, you must first delete the self-signed certificate. For more information about how to replace the self-signed certificate, see How to Install an SSL Certificate on a Client Access Server.
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange View-Only Administrator role.
213
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Important: Before you perform this procedure, you must read Managing Client Access Security. Important: As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc systemroot\system32\inetsrv\iis.msc". To use the Exchange Management Shell to obtain a server certificate from a certification authority 1. Run the following command: New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -domainname CAS01,CAS01.exchange.corp.constoso.com,exchange.contoso.com, , autodiscover.contoso.com -PrivateKeyExportable:$true -path c:\certrequest_cas01.txt This command will create a text file that contains a certificate request in PKCS#10 format. 2. Use the procedures specified by your chosen CA to send the certificate request to the CA.

For more information about the procedures that you must follow to configure SSL for Outlook Web Access and Exchange ActiveSync, see the following topics. How to Configure Outlook Web Access Virtual Directories to Use SSL. How to Install an SSL Certificate on a Client Access Server How to Configure SSL for Exchange ActiveSync
Managing Outlook Web Access Security

This section describes the authentication methods that you can use to help secure Microsoft Office Outlook Web Access on Microsoft Exchange Server 2007 computers that have the Client Access server role installed.
214
Authentication Methods
Client Access Servers in Exchange Server 2007 support more authentication methods than front-end servers in Exchange Server 2003. You can configure the following types of authentication methods on the Exchange 2007 Client Access server: Standard Forms-based authentication
In addition, you can use the following forms of authentication, which are discussed in more detail at the end of this section: ISA Server forms-based authentication Smart card and certificate authentication RSASecureID authentication
Standard and Forms-Based Authentication

You can configure standard and forms-based authentication methods for Outlook Web Access by using the Exchange Management Console or the Exchange Management Shell. Standard authentication methods Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication. For more information about how to configure standard authentication methods, see Configuring Standard Authentication Methods for Outlook Web Access. Forms-based authentication Forms-based authentication creates a logon page for Outlook Web Access. Forms-based authentication uses cookies to store encrypted user logon credentials and password information. For more information about forms-based authentication, see Configuring Forms-Based Authentication for Outlook Web Access. Note: If you configure multiple authentication methods, Internet Information Services (IIS) uses most restrictive method first. IIS then searches the list of available authentication protocols starting with the most restrictive until an authentication method that is supported by the client and the server is found.
Comparison of Standard and Forms-Based Authentication Methods

Table 35 compares the standard and forms-based authentication methods by using security levels, handling of user logon credentials, and client requirements as the criteria.
215
Table 35 Comparison of standard and forms-based authentication Authentication method Basic authentication Security level Low (unless Secure Sockets Layer (SSL) is enabled) Medium How passwords are sent Base 64-encoded clear text Hashed by using MD5. Hashed when Integrated Windows authentication is used; Kerberos ticket when Kerberos is used. Integrated Windows authentication includes the Kerberos and NTLM authentication methods. Client requirements All browsers support Basic authentication. Microsoft Internet Exp lorer 5 or later versions Internet Explorer 2.0 or later versions for Integrated Windows authentication. Microsoft Windows 20 00 Server or later versions with Internet Explorer 5 or later versions for Kerberos.
Digest authentication
Integrated Windows authentication
Low (unless SSL is enabled)
Forms-based authentication
High
Encrypts user Internet Explorer authentication information and stores it in a cookie. Requires SSL to keep the cookie secure.
Other Authentication Methods

There are other authentication methods that you can use to help secure Outlook Web Access. These methods include: ISA Server forms-based authentication Using ISA Server, you can securely publish Outlook Web Access servers by using mail server publishing rules. ISA Server also lets you configure forms-based authentication and control e-mail attachment availability to help protect resources for your organization when they are accessed through Outlook Web Access. For more information about how to use ISA Server as an advanced firewall solution, see the Internet Security and Acceleration Server Web site.
216
Note: The third-party Web site information in this section is provided to help you find the technical information you need. The URLs are subject to change without notice. Smart card and certificate authentication Certificates can reside either in the certificate store on a client computer or on a smart card. A certificate authentication method uses the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) protocols. In EAP-TLS certificate authentication, the client and the server prove their identities to one another. For example, an Outlook Web Access client on a user's computer presents its user certificate to the Client Access server, and the Client Access server presents its computer certificate to the Outlook Web Access client computer. This provides mutual authentication. For more information about smart card and other certificate authentication methods, see the Windows Server 2003 Product Help Web site. RSA SecurID authentication You can use the third-party product, RSA SecurID, to configure RSA SecurID authentication methods on the client Access server. For more information about RSA SecurID, see http://www.rsasecurity.com. Note: The third-party Web site information in this section is provided to help you find the technical information you need. The URLs are subject to change without notice.
How to Configure Outlook Web Access Virtual Directories to Use SSL

This section explains how to use Internet Information Services (IIS) Manager to configure Microsoft Office Outlook Web Access virtual directories to use Secure Sockets Layer (SSL). By default, when you install the Client Access server role on a server that is running Microsoft Exchange Server 2007, four Outlook Web Access virtual directories are created in the default IIS Web site on the Exchange server. The four virtual directories are named \owa, \exchange, \public, and \exchweb. By default, these virtual directories and the default Web site are configured to require SSL. If you want to use SSL to help secure additional Outlook Web Access virtual directories or Web sites that you have created, you must do so manually. To configure a site to use SSL, you must obtain a certificate and configure the Web site or virtual directory to require SSL by using that certificate.
217
Before You Begin

Identify the SSL certificate that you will use. For more information about how to obtain and manage SSL certificates, see Managing Client Access Security. To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use IIS Manager to configure SSL on Outlook Web Access virtual directories 1. In IIS Manager, select the Default Web site or the Web site where you are hosting your Outlook Web Access virtual directories, and then click Properties. 2. On the Directory Security tab, in Secure Communications, click Edit. 3. In Secure Communications, select Require Secure Channel (SSL). Note: If you are using an SSL certificate that was created during Microsoft Exchange Setup, an error message will appear to notify you that the certificate is not a trusted certificate. Make sure that you trust the certification authority (CA) that issued the certificate or use an SSL certificate that is trusted by your CA. 4. Click OK to save your changes. After you complete this procedure, all Outlook Web Access virtual directories on the Web site for which you have not explicitly disabled SSL will be configured to use SSL.

For more information about Outlook Web Access virtual directories, see Managing Outlook Web Access Virtual Directories in Exchange 2007. For more information about the default SSL certificate, see How to Trust the Default SSL Certificate.
Configuring Forms-Based Authentication for Outlook Web Access

This section explains forms-based authentication for Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007. Forms-based authentication enables a logon page for
218
Outlook Web Access that uses a cookie to store a user's encrypted logon credentials in the Internet browser. Tracking the use of this cookie enables the Exchange server to monitor the activity of Outlook Web Access sessions on public and private computers. If a session is inactive for too long, the server blocks access until the user re-authenticates.
Using Cookies to Control Access

The first time that the user name and password are sent to the Client Access server to authenticate an Outlook Web Access session, an encrypted cookie is created that is used to track user activity. When the user closes the Internet browser or clicks Log Off to log off their Outlook Web Access session, the cookie is cleared. The user name and password are sent to the Client Access server only for the initial user logon. After the initial logon is complete, only the cookie is used for authentication between the client computer and the Client Access server.
Setting the Value for Cookie Time-Out on Public Computers

By default, when a user selects the This is a public or shared computer option on the Outlook Web Access logon page, the cookie on the computer expires automatically and the user is logged off after they have not used Outlook Web Access for 15 minutes. Automatic time-out is valuable because it helps protect users' accounts from unauthorized access. To match the security requirements of your organization, you can configure the inactivity time-out values on the Exchange Client Access server. Although automatic time-out greatly reduces the risk of unauthorized access, it does not completely eliminate the chance that an unauthorized user might access an Outlook Web Access account if a session is left running on a public computer. Therefore, make sure that you warn users to take precautions to avoid risks, such as by telling them to log off from Outlook Web Access and close the Web browser when they have finished using Outlook Web Access. For more information about how to configure cookie time-out values for public computers, see How to Set the Forms-Based Authentication Public Computer Cookie Time-Out Value.
Setting the Value for Cookie Time-Out on Private Computers

When a user selects the This is a private computer option on the Outlook Web Access logon page, the Exchange server allows a longer period of inactivity before automatically ending the Outlook Web Access session. The default time-out value for private logon is eight hours. The private computer cookie time-out option is intended to benefit Outlook Web Access users who are using their own computer or a computer that is on a corporate network.
219
It is important to warn users about the risks that are associated with selecting the This is a private computer option. A user should select the private computer option only if they are the sole operator of the computer and the computer complies with the security policies for your organization. For more information about how to configure cookie time-out values for private computers, see How to Set the Forms-Based Authentication Private Computer Cookie Time-Out Value.
Determining User Activity

After an Outlook Web Access session has been inactive for a certain period of time, the Client Access server no longer has the decryption key to read the cookie and the user will be denied access until they authenticate again. Exchange 2007 uses the following information to determine user activity: Interaction between the client computer and the Client Access server that is initiated by the user is considered to be activity. For example, if a user opens, sends, or saves an item; switches folders or modules; or updates the view or the Web browser window, Exchange 2007 considers this to be activity. Note: Interaction between the client computer and the server that is automatically generated by the Client Access server is not considered activity. For example, new e-mail notifications and reminders that are generated by the Client Access server in an Outlook Web Access session are not considered activity. In Outlook Web Access Light any user activity other than entering text is considered activity. In Outlook Web Access Premium, any user interaction, including entering text in an e-mail message or meeting request, is considered activity.
Configuring the Logon Prompt that is Used by Forms-Based Authentication

Instead of a pop-up window, forms-based authentication creates a logon page for Outlook Web Access. You can configure the text of the logon prompt that is given by formsbased authentication by using the Exchange Management Console or the Exchange Management Shell. The configuration changes that you make change only the text of the logon prompt. They do not change the format in which the user must log on. For example, you can configure the forms-based authentication logon page to prompt users to provide their logon information in the format domain\user name, but a user can also enter his user principal name (UPN) and the logon will be successful.
220
The following types of logon prompts can be used by forms-based authentication on the Outlook Web Access logon page. Select the prompt that will be easiest for your users to understand and use. FullDomain The domain and user name of the user in the format domain\user name. For example, Contoso\Kweku. PrincipalName The UPN. The UPN has two parts: the UPN prefix that is the user account name and the UPN suffix that is the DNS domain name. The prefix and the suffix are joined together by the at (@) sign to make the complete UPN. For example, Kweku@contoso.com. UserName The user name only. The domain name is not included. For example, Kweku. This logon format will work only if the domain name has been configured. Note: If necessary, you can change the format the user must use to log on to Outlook Web Access by configuring the Active Directory directory service and Internet Information Services (IIS). Using Active Directory and IIS to set which user name formats users can enter to be authenticated is independent of the Outlook Web Access forms-based authentication prompt discussed earlier.
Understanding Encryption for User Logon from Public and Private Computers
Encryption of user logon credentials for both public and private Outlook Web Access logon types involves a set of six hashed message authentication codes (HMACs). HMACs are 160bit keys that are generated on the Client Access server. HMACs improve logon security by combining hashing algorithms with cryptographic functions to encrypt user logon credentials. Encryption and decryption of a cookie are performed by the same Client Access server. Only the Client Access server that generated the authentication key has the key to decrypt that cookie. When forms-based authentication for Outlook Web Access is used, the Client Access server cycles through a set of three keys for each type of logon, public and private, at a set rate. This is referred to as the recycle time. The recycle time for a key is one half of the time-out value for the logon. For example, when the time-out value for the public logon is set to 15 minutes, the public key recycle time is 7.5 minutes. The six logon keys are created by the Client Access server when the Outlook Web Access virtual directories are started. Three are used with public computer logons, and three are used with private computer logons. When a user logs on, the current key for their logon type is used to encrypt the user's authentication information into a cookie. When the recycle time has passed, the Client Access server moves to the next key. After all three keys for a type of logon have been used, the Client Access server deletes the oldest
221
key and creates a new one. The Client Access server always keeps three keys available for each logon type: the current key and the two most recent keys. The recycling of keys continues as long as Outlook Web Access is running on the Client Access server. The same keys are used for all users. Any cookie that has been encrypted by using an active key will be accepted. When a user activity request is received by the Client Access server, the cookie for that request is replaced with a new cookie that has been encrypted with the newest key. A user session is timed out when the cookie associated with it is encrypted by an older key that has been discarded. Because of the relationship between the recycle time of encryption keys and user time-out configured on the server, the actual time-out period for a user can be between the configured time-out and the configured time-out plus one-half of that value. For example, if the configured time-out is 30 minutes, the actual time-out for any user session may be between 30 minutes and 45 minutes. Table 36 provides information about the cookie time-out and authentication key recycling time based on a user logon from a public or private computer. Table 36 Default cookie time-out and authentication key recycling time for each user logon type Logon Cookie time-out value Recycle time for authentication key if you use the default time-out value 7.5 minutes 4 hours
Public Private
One minute to 30 days. The default is 15 minutes. One minute to 30 days. The default is 8 hours.
Note: You can configure the cookie time-out value in minutes by using the registry. The recycle time of the authentication key is at least one-third, and not more than onehalf, that of the cookie time-out value.
Using SSL to Help Secure Outlook Web Access

By default, Secure Sockets Layer (SSL) encryption is turned on when you install the Client Access server role. If SSL is not used, the user name and password will be sent in clear text at initial logon. When SSL is used, it encrypts all communications between the client computer and the Client Access server and helps prevent sensitive information, such as user names, passwords, and e-mail messages, from being viewed by third parties. A default SSL certificate is installed with the Client Access server role, but is not trusted.
222

For more information about how to configure a forms-based authentication logon page, see How to Configure Forms-Based Authentication for Outlook Web Access. For more information about how to configure the cookie time-out value on an Outlook Web Access virtual directory on a public computer, see How to Set the FormsBased Authentication Public Computer Cookie Time-Out Value. For more information about how to configure the cookie time-out value on an Outlook Web Access virtual directory on a private computer, see How to Set the FormsBased Authentication Private Computer Cookie Time-Out Value. For more information about security, see Managing Client Access Security.
For more information about how to customize the forms-based authentication logon page, see Managing Outlook Web Access Advanced Features.
How to Configure Forms-Based Authentication for Outlook Web Access

This section describes how to configure forms-based authentication and the logon prompt that is used by forms-based authentication on a Microsoft Outlook Web Access virtual directory that is on a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed. Forms-based authentication gives you three options for the default logon format. These options change only the text on the Outlook Web Access logon page. They do not cause a particular format to be required. The user can use any of the standard logon formats regardless of the text on the page. FullDomain This is the domain and user name of the user in the format domain\user name. For example, for a user named Kweku in the domain Contoso, the logon would be contoso\kweku. PrincipalName If user principal name (UPN) logon format is specified, the User Name field on the Outlook Web Access logon page guides the user to enter their e-mail address. For example, kweku@contoso.com. If a user's UPN is not identical to their email address, the user cannot access Outlook Web Access by using the PrincipalName logon prompt. We recommend that you do not use the PrincipalName logon prompt if users' UPNs do not match their e-mail addresses. UserName This is the user name only and does not include the domain name. For example, Kweku. If you use the UserName logon prompt for forms-based authentication, you must also specify the DefaultDomain property. The DefaultDomain property determines the default domain to use when a user tries to access Outlook Web Access.
223
For example, if the default domain is Contoso, and a domain user named Kweku logs on to Outlook Web Access, only Kweku must be entered as the user name. The server will use the default domain Contoso. If the user is not a member of the Contoso domain, the domain and user name must be entered.
Before You Begin

To perform the following procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. If you set a virtual directory that supports Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 to use forms-based authentication, such as the default Exchange virtual directory, you must also set the Exchweb virtual directory to use formsbased authentication. If you do not set both virtual directories to use forms-based authentication, users whose mailboxes are on Exchange 2000 or Exchange 2003 mailbox servers will receive two authentication prompts. To use the Exchange Management Console to configure forms-based authentication for Outlook Web Access 1. In the Exchange Management Console, select Server Configuration, and then select Client Access. 2. On the Outlook Web Access tab, open the properties of the virtual directory that you want to configure to use forms-based authentication. 3. Click the Authentication tab. 4. Select Use forms-based authentication. 5. Select the logon format that you want to use. Note: You must restart Internet Information Services (IIS) by using the command iisreset/noforce for these changes to take effect. To use the Exchange Management Shell to configure forms-based authentication for Outlook Web Access To configure forms-based authentication on an Outlook Web Access virtual directory in the default IIS Web site on the local Exchange server, open the Exchange Management Shell and run the following command: Set-owavirtualdirectory -identity "owa (default web site)" -FormsAuthentication:$true
224
To configure the type of logon method that is used by forms-based authentication, run one of the following commands. To configure a full domain logon format, run the following command: Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat FullDomain To configure a UPN logon format, run the following command: Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat PrincipalName To configure a user name logon format and set the default domain, run the following command: Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat UserName -DefaultDomain "<domain name>" Note: You must restart Internet Information Services (IIS) by using the command iisreset/noforce for these changes to take effect.

For more information about forms-based authentication, see Configuring FormsBased Authentication for Outlook Web Access. For information about how to use Secure Sockets Layer (SSL) encryption to help secure Outlook Web Access, see How to Configure Outlook Web Access Virtual Directories to Use SSL. For more information about how to use the Exchange Management Shell to configure forms-based authentication, see Set-OwaVirtualDirectory.
How to Set the Forms-Based Authentication Public Computer Cookie Time-Out Value
This section explains how to configure the cookie time-out values for public computers by using forms-based authentication on a Microsoft Outlook Web Access virtual directory that is on a Microsoft Exchange 2007 server that has the Client Access server role installed.
225
Caution: Although automatic time-out reduces the risk of unauthorized access, it does not completely eliminate the possibility that an unauthorized user might access an Outlook Web Access account if a session is left running on a public computer. Therefore, make sure that you warn users to take precautions to avoid risks.
Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Note: The Outlook Web Access virtual directory must be configured to use forms-based authentication. Caution: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data. To use Registry Editor to set the cookie time-out values for public computers using forms-based authentication 1. On the Client Access server, log on by using the Exchange administrator account, and then start Registry Editor (regedit). 2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA 3. On the Edit menu, point to New, and then click DWORD Value. In the details pane, name the new value PublicTimeout. 4. Right-click the PublicTimeout DWORD value, and then click Modify. 5. In Edit DWORD Value, under Base, click Decimal. 6. In the Value Data box, type a value in minutes between 1 and 43,200 for a maximum of 30 days. Click OK. Note: You must restart Internet Information Services (IIS) by using the command iisreset/noforce for these changes to take effect.
226
To use the Microsoft Command Shell to set the cookie time-out values for public computers using forms-based authentication 1. Open the Microsoft Command Shell and run the following command to set the public computer cookie time-out value: set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -name PublicTimeout -value <amount of time> -type dword Note: You must restart IIS by using the command iisreset/noforce for these changes to take effect. 2. Run the following command to view the public computer cookie time-out value: get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -name PublicTimeout

For more information about the authentication methods that you can use to help secure Outlook Web Access, see Managing Outlook Web Access Security. For more information about how to configure Outlook Web Access to use formsbased authentication, see How to Configure Forms-Based Authentication for Outlook Web Access. For more information about how to configure the cookie time-out value for a private computer, see How to Set the Forms-Based Authentication Private Computer Cookie Time-Out Value.
How to Set the Forms-Based Authentication Private Computer Cookie Time-Out Value
This section explains how to configure the cookie time-out values for private computers by using forms-based authentication on a Microsoft Outlook Web Access virtual directory in Microsoft Exchange Server 2007. Private computers are also known as trusted computers. Caution: It is important that you warn users of the risks that are associated with selecting the This is a private computer option. A user should select This is a private computer
227
only if the user is the sole operator of the computer, and the computer complies with your organization's security policies.
Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Also, make sure that the Outlook Web Access virtual directory is configured to use formsbased authentication. Caution: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data. To use Registry Editor to set the cookie time-out values for private computers by using forms-based authentication 1. On the Exchange Client Access server, log on by using your Exchange administrator account, and then start Registry Editor (regedit). 2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA 3. On the Edit menu, point to New, and then click DWORD Value. In the details pane, name the new value PrivateTimeout. 4. Right-click the PrivateTimeout DWORD value, and then click Modify. 5. In Edit DWORD Value, under Base, click Decimal. 6. In the Value Data box, type a value in minutes between 1 and 43,200 for a maximum of 30 days. Click OK. Note: You must restart Internet Information Services (IIS) by using the command iisreset/noforce for these changes to take effect. To use the Microsoft Command Shell to set the cookie time-out values for private computers using forms-based authentication 1. Open the Microsoft Command Shell and run the following command to set the
228
private computer cookie time-out value: set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -name PrivateTimeout -value <amount of time> -type dword Note: You must restart IIS is by using the command iisreset/noforce for these changes to take effect. 2. Run the following command to view the private computer cookie time-out value: get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -name PrivateTimeout

For more information about the authentication methods that you can use to help secure Outlook Web Access, see Managing Outlook Web Access Security. For more information about how to configure Outlook Web Access to use formsbased authentication, see How to Configure Forms-Based Authentication for Outlook Web Access. For more information about how to configure the cookie time-out value for a public computer, see How to Set the Forms-Based Authentication Public Computer Cookie Time-Out Value.
Configuring Standard Authentication Methods for Outlook Web Access

This section describes standard authentication methods that help secure your computers that are running Microsoft Exchange Server 2007 that have the Client Access server role installed for Microsoft Office Outlook Web Access. In Exchange 2007, Client Access servers support Integrated Windows authentication and HTTP 1.1 Digest authentication for Exchange 2007 virtual directories. Exchange 2000 and Exchange 2003 virtual directories on a server that is running only the Client Access server role support only Basic and forms-based authentication. Note: Exchange Server 2003 back-end servers support forms-based, Basic, Integrated Windows, and Digest authentication. Exchange Server 2003 front-end servers do not support Integrated Windows or Digest authentication.
229
Standard Authentication Methods

This section describes standard authentication methods. Standard authentication methods include Basic authentication, Digest authentication, and Integrated Windows authentication. Note: By default, Exchange 2007 enables forms-based authentication.
Basic Authentication
Basic authentication is a simple authentication mechanism that is defined by the HTTP specification that encodes a user's logon name and password before the user's credentials are sent to the server. Basic authentication does not support single sign-on. Microsoft Windows Server 2003 authentication enables single sign-on to all network resources. With single sign-on, a user can log on to the domain one time by using a single password or smart card and authenticate to any computer in the domain. Basic authentication is supported by all Web browsers, but is not secure unless you require Secure Sockets Layer (SSL) encryption.
Digest Authentication
Digest authentication transmits passwords over the network as a hash value for additional security. Digest authentication can be used only in Windows Server 2003 and Windows 2000 Server domains for users who have an account that is stored in the Active Directory directory service. For more information about Digest authentication, see the Windows Server 2003 and Internet Information Services (IIS) Manager documentation. Digest authentication is available only on Exchange 2007 virtual directories. Important: If you are using Digest or Basic authentication, when a user uses a kiosk, caching credentials can pose a security risk if the user cannot close the browser and end the browser process between sessions. This risk occurs because a user's credentials remain in the cache when the next user accesses the kiosk. To enable Outlook Web Access on a kiosk, make sure that the user can close the browser between sessions and end the browser processes. Otherwise, consider using a thirdparty product that incorporates two-factor authentication, in which the user must present a physical token together with a password to use Outlook Web Access on the kiosk.
230
Integrated Windows Authentication

Integrated Windows authentication requires that users have a valid Windows 2000 Server or Windows Server 2003 user account name and password to access information. Users logged on to the local network are not prompted for their user names and passwords. Instead, the server negotiates with the Windows security packages that are installed on the client computer. This method enables the server to authenticate users without prompting them for logon information. The authentication credentials are protected, but all other communication will be sent in clear text unless SSL is used. Microsoft Internet Explorer allows single sign-on for Web applications that include Outlook Web Access Web parts if the server that is being accessed has Integrated Windows authentication enabled. Users have to enter credentials only one time for each browser session. However, their credentials are cached in the browser process. On an Exchange 2007 server on which only the Client Access server role is installed, Integrated Windows authentication can be used only with Exchange 2007 virtual directories. On a server that has both the Client Access and Mailbox roles installed, Integrated Windows authentication can be used with any virtual directory. For more information about Integrated Windows authentication, see the Windows Server 2003 documentation. Note: Integrated Windows authentication is supported only on computers that are running a Windows operating system and Internet Explorer. Integrated Windows authentication may work with other Web browsers if they have been configured to pass the user's logon credentials to the server that is requesting authentication.

For more information about how to configure Integrated Windows authentication on an Outlook Web Access virtual directory, see How to Configure Integrated Windows Authentication. For more information about how to configure Digest authentication on an Outlook Web Access virtual directory, see How to Configure Digest Authentication. For more information about how to configure Basic authentication on an Outlook Web Access virtual directory, see How to Configure Basic Authentication. For more information about security, see Managing Client Access Security.
231
How to Configure Integrated Windows Authentication

This section describes how to configure Integrated Windows authentication for Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007. Integrated Windows authentication enables the server to authenticate users who are logged on to the network without prompting them for their user name and password and without transmitting information that is not encrypted over the network. Note: Integrated Windows authentication can be set only on Exchange 2007 virtual directories on an Exchange 2007 server that has only the Client Access server role installed. Integrated Windows authentication can be set on any Outlook Web Access virtual directory on an Exchange 2007 server that has both the Client Access and Mailbox server roles installed.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to configure Integrated Windows authentication for Outlook Web Access 1. Open the Exchange Management Console. 2. Locate Server Configuration\Client Access. 3. On the Outlook Web Access tab, open the properties of the virtual directory that you want to configure to use Integrated Windows authentication. 4. Click the Authentication tab. 5. Select Use one or more of the following standard authentication methods. 6. Select Integrated Windows authentication. 7. Click OK. To use the Exchange Management Shell to configure Integrated Windows authentication for Outlook Web Access To configure Integrated Windows authentication on the default Outlook Web Access virtual directory in the default Internet Information
232
Services (IIS) Web site on the local Exchange server, open the Exchange Management Shell and run the following command: Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -WindowsAuthentication <$true|$false> For more information about syntax and parameters, see Set-OwaVirtualDirectory.

For information about the authentication methods that you can use for Outlook Web Access, see the following topics: Configuring Standard Authentication Methods for Outlook Web Access Configuring Forms-Based Authentication for Outlook Web Access.
For more information about how to make communication between client computers and the Client Access server more secure, see Managing Client Access Security.
How to Configure Basic Authentication

This section describes how to configure Windows Basic authentication for Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007. Basic authentication sends the user's logon name and password in clear text and should not be used without using Secure Sockets Layer (SSL) encryption between the client computers and the computer that has the Client Access server role installed. Basic authentication is supported on Microsoft Exchange Server 2003 and Exchange 2007.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to configure Basic authentication for Outlook Web Access 1. Open the Exchange Management Console. 2. Locate Server Configuration\Client Access. 3. On the Outlook Web Access tab, open the properties of the virtual directory that you want to configure to use Basic authentication.
233
4. Click the Authentication tab. 5. Select Use one or more of the following standard authentication methods. 6. Select Basic authentication. 7. Click OK. To use the Exchange Management Shell to configure Basic authentication for Outlook Web Access To configure Basic authentication on the default Outlook Web Access virtual directory in the default Internet Information Services (IIS) Web site on the local Exchange server, open the Exchange Management Shell and run the following command: Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -BasicAuthentication <$true|$false>

For information about the authentication methods that you can use for Outlook Web Access, see the following topics: Configuring Standard Authentication Methods for Outlook Web Access Configuring Forms-Based Authentication for Outlook Web Access.
How to Configure Digest Authentication

This section describes how to configure Windows Digest authentication for Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007. Digest authentication transmits passwords over the network as a hash value for additional security. Digest authentication is not fully secure if the user is unable to close the browser and end the browser process between sessions. This problem may occur if the user is using Outlook Web Access on a kiosk. If the browser cannot be closed, the user's credentials remain in the cache where the next user may be able to access them. Note: Digest authentication can be set only on Exchange 2007 virtual directories.
234
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to configure Digest authentication for Outlook Web Access 1. Open the Exchange Management Console. 2. Locate Server Configuration\Client Access. 3. On the Outlook Web Access tab, open the properties of the virtual directory that you want to configure to use Digest authentication. 4. Click the Authentication tab. 5. Select Use one or more of the following standard authentication methods. 6. Select Digest authentication. 7. Click OK. To use the Exchange Management Shell to configure Digest authentication for Outlook Web Access To configure Digest authentication on the default Outlook Web Access virtual directory in the default Internet Information Services (IIS) Web site on the local Exchange server, open the Exchange Management Shell and run the following command: Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -DigestAuthentication <$true|$false>

For more information about the authentication methods that you can use for Outlook Web Access, see the following topics: Configuring Standard Authentication Methods for Outlook Web Access Configuring Forms-Based Authentication for Outlook Web Access
235
Managing POP3 and IMAP4 Security

This section explains security settings that you can use on the Microsoft Exchange Server 2007 computer that has the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) services installed.
Configuring SSL for POP3 and IMAP4 Clients

To help secure communications between your POP3 and IMAP4 clients and the Exchange 2007 server that has the Client Access server role installed, it is strongly recommended that you use Secure Sockets Layer (SSL). For more information about how to use SSL with POP3 and IMAP4, see Configuring TLS and SSL for POP3 and IMAP4 Access.
Configuring Authentication for POP3 and IMAP4

When you use POP3 and IMAP4 clients, you can set authentication options, such as the ability to use TLS encryption, and configure ports for communication with clients. For information about authentication options for POP3 and IMAP4, see Configuring Authentication for POP3 and IMAP4.
Configuring TLS and SSL for POP3 and IMAP4 Access

This section describes how to configure Transport Layer Security (TLS) and Secure Sockets Layer (SSL) on the Microsoft Exchange Server 2007 computer that has the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) services enabled. Before you configure TLS and SSL to help secure POP3 and IMAP4 access, make sure that you understand the process for configuring SSL for the Exchange 2007 server that has the Client Access server role installed. For more information about how to help secure communications, see Managing Client Access Security.
Configuring TLS and SSL for POP3 and IMAP4

You can use the Exchange Management Shell to configure SSL for POP3 and IMAP4 on an Exchange 2007 server. For more information about how to use the Exchange Management Console to configure SSL for POP3 and IMAP4, see the following topics:
236
How to Configure POP3 to Use TLS or SSL How to Configure IMAP4 to Use TLS or SSL
Configuring SSL for POP3 and IMAP4

When you use TLS and SSL for POP3 and IMAP4 access, the Exchange server uses the ports listed in Table 37 to communicate with clients. Table 37 Ports for POP3 and IMAP4 access when using SSL Protocol IMAP4/SSL IMAP4 with or without TLS POP3/SSL POP3 with or without TLS Default Port 993 (TCP) 143 (TCP) 995 (TCP) 110 (TCP)
By default, the values in Table 37 are used for communicating with clients. You can specify other ports to use with POP3 and IMAP4 clients if you want to disable communication through the default ports. For more information about how to configure ports for Exchange 2007 POP3 and IMAP4 clients, read How to Configure IP Addresses and Ports for POP3 and IMAP4 Access.
How to Configure POP3 to Use TLS or SSL

This section explains how to use the Exchange Management Shell to configure Post Office Protocol version 3 (POP3) to use Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Note: After you have configured POP3 to use TLS or SSL, you must restart the POP3 service. For more information about how to restart the POP3 service, see How to Start and Stop the POP3 Service.
Before You Begin

237
To use the Exchange Management Shell to configure POP3 to use TLS or SSL Run the following command: Set-PopSettings server Server01 -X509CertificateName CertificateName01 For more information about syntax and parameters, see Set-POPSettings.

For more information about how to set up TLS or SSL on a computer that is running Microsoft Exchange Server 2007, see Managing Client Access Security. For more information about how to manage the POP3 protocol, see Managing POP3 and IMAP4.
How to Configure IMAP4 to Use TLS or SSL

This section explains how to use the Exchange Management Shell to configure Internet Message Access Protocol version 4rev1 (IMAP4) to use Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Note: After you have configured IMAP4 to use TLS or SSL, you must restart the IMAP4 service. For more information about how to restart the IMAP4 service, see How to Start and Stop the IMAP4 Service.
Before You Begin

To perform the following procedures on a computer that has the IMAP4 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure IMAP4 to use TLS or SSL Run the following command: Set-ImapSettings server Server01 -X509CertificateName CertificateName01 For more information about syntax and parameters, see Set-IMAPSettings.
238

For more information about how to set up TLS or SSL on the computer that is running Microsoft Exchange Server 2007, see Managing Client Access Security. For more information about how to manage the IMAP4 protocol, see Managing POP3 and IMAP4.
Configuring Authentication for POP3 and IMAP4

This section describes how to configure authentication options on the Microsoft Exchange Server 2007 computer that has the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) services enabled.
Before You Begin

Before you configure the authentication options to use with POP3 and IMAP4, make sure that you understand the process for configuring Secure Sockets Layer (SSL) for the Exchange 2007 server that has the Client Access server role installed. For more information about how to help secure communications, read Managing Client Access Security. To perform the following procedures on a computer that has the POP3 service enabled, you must use an account that has been delegated the Exchange Server Administrators role and membership in the local Administrators group on that computer. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
Authentication Options for POP3 and IMAP4

There are three different authentication options that you can use with POP3 and IMAP4. These options are configured when you use the Set ImapSettings cmdlet in the Exchange Management Shell. Additionally, there are default ports that are used, depending on the authentication setting you are using. Table 38 describes the default ports that are used with different authentication settings. Table 38 Authentication options for POP3 and IMAP4 Authentication Method Value Default Port Description
239
PlainTextLogin
110 (POP3) 995 (POP3 SSL) 143 (IMAP4) 993 (IMAP4 SSL)
TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL. For IMAP4, this corresponds to using the "login" command to authenticate to the Exchange 2007 computer that has the Mailbox server role installed.
PlainTextAuthenticati on
TLS encryption is not required on port 110 and port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption. For IMAP4, this corresponds to using the "authenticate" command to authenticate to the Mailbox server.
SecureLogin
Connection on port 110 and port 143 must use TLS encryption before authenticating.
You can use the Exchange Management Shell to configure the ports that you want to use depending on the authentication setting you are using for POP3 and IMAP4 on an Exchange 2007 server.
240
You can also specify connection time-out limits for users. For more information about how to use the Exchange Management Console to configure authentication options for POP3 and IMAP4, see the following topics: How to Configure Authentication for POP3 How to Configure Authentication for IMAP4 How to Configure Ports for POP3 Authentication How to Configure Ports for IMAP4 Authentication
How to Configure Authentication for POP3

This section explains how to use the Exchange Management Shell to configure the authentication options for Post Office Protocol version 3 (POP3). Note: After you have configured authentication for POP3, you must restart the POP3 service. For more information about how to restart the POP3 service, see How to Start and Stop the POP3 Service.
Before You Begin

To perform the following procedures on a computer that has the POP3 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure authentication for POP3 1. If you will not be using TLS encryption and you want to allow Basic authentication on an unsecured port, run the following command: Set-PopSettings -LoginType PlainTextLogin 2. If you will not be using TLS, but you want to restrict Basic authentication to use only secured ports, run the following command: Set-PopSettings -LoginType PlainTextAuthentication 3. If you want to use TLS encryption before authentication, run the following command: Set-PopSettings -LoginType SecureLogin
241
For more information about syntax and parameters, see Set-POPSettings.

For more information about how to set up Secure Sockets Layer (SSL) on the computer that is running Microsoft Exchange Server 2007, see Managing Client Access Security. For more information about how to manage the POP3 protocol, see Managing POP3 and IMAP4.
How to Configure Authentication for IMAP4

This section explains how to use the Exchange Management Shell to configure the authentication options for Internet Message Access Protocol version 4rev1 (IMAP4). Note: After you have configured the authentication options for IMAP4, you must restart the IMAP4 service. For more information about how to restart the IMAP4 service, see How to Start and Stop the IMAP4 Service.
Before You Begin

To perform the following procedures on a computer that has the IMAP4 service enabled, the account you use must be delegated the Exchange Server Administrators role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure authentication for IMAP4 1. If you will not be using TLS encryption and you want to allow Basic authentication on an unsecured port, run the following command: Set-ImapSettings -LoginType PlainTextLogin 2. If you will not be using TLS, but you want to restrict Basic authentication to use only secured ports, run the following command: Set-ImapSettings -LoginType PlainTextAuthentication 3. If you want to use TLS encryption before authentication, run the following command: Set-ImapSettings -LoginType SecureLogin
242
For more information about syntax and parameters, see Set-IMAPSettings.

For more information about how to set up Secure Sockets Layer (SSL) on the computer that is running Microsoft Exchange Server 2007, see Managing Client Access Security. For more information about how to manage the IMAP4 protocol, see Managing POP3 and IMAP4.
How to Configure Ports for POP3 Authentication

This section explains how to use the Exchange Management Shell to configure Exchange to use ports other than the default ports. Note: After you have configured ports for POP3, you must restart the POP3 service. For more information about how to restart the POP3 service, see How to Start and Stop the POP3 Service.
Before You Begin

To perform the following procedures on a computer that has the POP3 service enabled, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure ports for POP3 authentication To set the port to a value other than the default port number, run the following command: Set-PopSettings -UnencryptedOrTLSBindings IPaddress:Port For more information about syntax and parameters, see Set-POPSettings.
243

For more information about the default port values that you can use with the available authentication settings, see How to Configure Authentication for POP3.
How to Configure Ports for IMAP4 Authentication

This section explains how to use the Exchange Management Shell to configure Microsoft Exchange to use ports other than the default ports. Note: After you have configured ports for IMAP4, you must restart the IMAP4 service. For more information about how to restart the IMAP4 service, see How to Start and Stop the IMAP4 Service.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Shell to configure ports for IMAP4 authentication To set the port to a value other than the default port number, run the following command: Set-ImapSettings -UnencryptedOrTLSBindings IPaddress:Port For more information about syntax and parameters, see Set-IMAPSettings.

For more information about the default port values that you can use with the available authentication settings, see How to Configure Authentication for IMAP4.
Managing Outlook Anywhere Security

This section describes the Outlook Anywhere security options for your Exchange deployment.
244
Outlook Anywhere lets users access Exchange from the Internet. Because traffic on the Internet is more vulnerable than traffic within an intranet, we recommend that you consider a security strategy that involves as many security options as possible.
Using an Advanced Firewall Server

Using an advanced firewall server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 improves security for your Outlook Anywhere deployment. ISA 2006 provides a setup wizard that lets you configure ISA 2006 for Microsoft Exchange Server 2007 by using Outlook Anywhere.
Using SSL for Outlook Anywhere

When you use Outlook Anywhere to access Exchange information from the Internet, you must install a valid Secure Sockets Layer (SSL) certificate issued by a certification authority (CA) that is trusted by the client computer's operating system. For more information, see How to Configure SSL for Outlook Anywhere.
Using SSL Offloading for Outlook Anywhere

If you have a hardware solution that is offloading the SSL encryption for traffic that is destined for your Client Access server, you must configure SSL offloading for Outlook Anywhere. For more information, see How to Configure SSL Offloading for Outlook Anywhere.
Configuring Authentication for Outlook Anywhere

When you use the Enable Outlook Anywhere Wizard to configure your Client Access server to provide Outlook Anywhere access, you must select an authentication method to use. For more information, see How to Configure Authentication for Outlook Anywhere.

For more information about security, see: Managing Client Access Security Security and Protection
245
How to Configure SSL for Outlook Anywhere

This section explains how to configure the rpc virtual directory to use Secure Sockets Layer (SSL) for Outlook Anywhere. By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, a virtual directory named rpc is created on the default Internet Information Services (IIS) Web site on the Exchange server. Unlike Microsoft Office Outlook Web Access and Exchange ActiveSync, the default selfsigned certificate that is available in Exchange 2007 Setup will not work with Outlook 2007 and Outlook 2003 clients that are using Outlook Anywhere. Instead, you must use a valid SSL certificate that is created by a certification authority (CA) that is trusted by the client computer's operating system. For more information about how to install a valid SSL certificate from a CA that the client trusts, see How to Obtain a Server Certificate from a Certification Authority. After you obtain a valid SSL certificate to use with the Client Access server on the default Web site or on the Web site where you host your rpc virtual directory, you can configure the Web site to require SSL. You can enable SSL for all Web sites that are hosted by the Client Access server or enable SSL only for the rpc virtual directory. If you plan to close the SSL connection from the client computer that is running Outlook 2007 or Outlook 2003 to the firewall, you can choose to use SSL offloading. This means that the traffic from the firewall to the Client Access server will not be encrypted by using SSL. For this to work, you must have a certificate on the firewall that the client trusts. We recommend that you encrypt all traffic from the client to the Client Access server. For more information about how to enable SSL offloading, see How to Configure SSL Offloading for Outlook Anywhere. Configuring the rpc virtual directory to use SSL is only one step in managing security for Outlook Anywhere and external client access to Exchange. For more information about how to manage security for Outlook Anywhere, see Managing Client Access Security.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange View-Only Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Important: Before you perform this procedure, read Managing Client Access Security.
246
To use Internet Information Services (IIS) to configure SSL on the rpc virtual directory 1. In IIS, select the Default Web site or the rpc virtual directory, and then click Properties. Note: If you want to configure SSL only for Exchange ActiveSync, select the rpc virtual directory under the Default Web site. Otherwise you will configure SSL for all virtual directories that are hosted on the Client Access server. 2. On the Directory Security tab, in Secure Communications, click Edit. 3. In Secure Communications, select Require Secure Channel (SSL). 4. After you complete this procedure, your rpc virtual directory is configured to use SSL.

For more information about how to manage Client Access security, see Managing Client Access Security
How to Configure Authentication for Outlook Anywhere

This section explains how to use the Exchange Management Console and the Exchange Management Shell to configure authentication for Outlook Anywhere. The first time that you run the Enable Outlook Anywhere Wizard, you can select the authentication method that you want to use for Microsoft Office Outlook 2007 or Outlook 2003 clients. However, if you want to configure authentication and you have already run the Enable Outlook Anywhere Wizard, you can use the Set-OutlookAnywhere cmdlet in the Exchange Management Shell.
Before You Begin

247
To use the Exchange Management Shell to configure authentication for Outlook Anywhere 1. To use Basic authentication for Outlook Anywhere, run the following command: Set-OutlookAnywhere -Name Server01 -ExternalAuthenticationMethod Basic 2. To use NTLM authentication for Outlook Anywhere, run the following command: Set-OutlookAnywhere -Name Server01 -ExternalAuthenticationMethod NTLM For more information about syntax and parameters, see Set-OutlookAnywhere.

For more information about how to configure security for Outlook Anywhere, see Managing Outlook Anywhere Security.
How to Configure SSL Offloading for Outlook Anywhere

This section explains how to use the Exchange Management Console and the Exchange Management Shell to configure Secure Sockets Layer (SSL) encryption offloading for Outlook Anywhere. The first time that you run the Enable Outlook Anywhere Wizard, you can enable SSL offloading by selecting the check box next to Allow secure channel (SSL) offloading. However, if you want to enable SSL offloading and you have already run the Enable Outlook Anywhere Wizard without selecting this option, you can use the Exchange Management Shell and the Set-OutlookAnywhere cmdlet to set up SSL offloading.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use the Exchange Management Console to enable SSL offloading 1. In the Exchange Management Console tree, expand Server Configuration, and then click Client Access.
248
2. In the action pane, click Enable Outlook Anywhere. 3. In the Enable Outlook Anywhere Wizard, in the box under External host name, type the external host name for your organization. 4. Select an available external authentication method. You can select Basic authentication or NTLM authentication. 5. If you are using an SSL accelerator and you want to do SSL offloading, select the check box next to Allow secure channel (SSL) offloading. Note: Do not use this option unless you are sure that you have an SSL accelerator that can handle SSL offloading. If you do not have an SSL accelerator that can handle SSL offloading and you select this option, Outlook Anywhere will not function correctly. 6. Click Enable to apply these settings and enable Outlook Anywhere. 7. Click Finish to close the Enable Outlook Anywhere Wizard. To use the Exchange Management Shell to configure SSL offloading Run the following command: Set-OutlookAnywhere -Name Server01 -SSLOffloading $true
For more information about syntax and parameters, see Set-OutlookAnywhere.

For more information about how to configure security for Outlook Anywhere, see Managing Outlook Anywhere Security.
How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
This section explains how to use the Exchange Management Shell to configure your Secure Sockets Layer (SSL) certificates to use multiple host names. When you deploy your computers that are running Microsoft Exchange Server 2007 that have the Client Access server role installed, you must make sure that all your clients, such as Outlook Web Access and Outlook 2007, will be able to connect to the services by using an
249
encrypted session without receiving an error message that states that the certificate is not trusted. By using the Exchange Management Shell, you can create a certificate request to include all the DNS host names of the Client Access servers. Then you can enable users to connect to the certificate for services such as Outlook Anywhere, Autodiscover, POP3 and IMAP4, or Unified Messaging that are listed in the alternate names attribute. For example, your users may be able to connect to your Exchange services by specifying the name as shown in the following examples: https://CAS01/owa https://CAS01.FQDN.name/owa https://CASIntranetName/owa https://autodiscover.emaildomain.com
Instead of having to require multiple certificates and maintain the configuration of multiple IP addresses and Internet Information Services (IIS) Web sites for each IP port and certificate combination, you can create a single certificate that enables clients to successfully connect to each host name by using SSL or Transport Layer Security (TLS). You can create a single certificate by adding all the possible DNS name values to the certificate Subject Alternative Name property on the certificate request. A Microsoft Windowsbased Certificate Services certification authority should create a certificate for such a request. Note: Third-party or Internet-based certification authorities will issue certificates only for DNS names for which you are authorized. Therefore intranet DNS names will likely not be allowed. To configure your SSL certificates to use multiple Client Access server host names, do the following: 1. Use the New-ExchangeCertificate cmdlet to create a certificate request file. 2. Send this file to a Windows Certificate Services certification authority and use the Web server template on the Certification Authority page. This will result in a .cer file that can be imported to the Client Access server. 3. Use the Get-ExchangeCertificate cmdlet to determine the thumbprint for your certificate. 4. After you have imported the certificate, you can assign it to IIS, IMAP4, and POP3 by using the Enable-ExchangeCertificate cmdlet.
250
Before You Begin

To perform the following procedures, the account you use must be delegated the Exchange View-Only Administrators role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. Important: Before you perform the following procedures, you must read Managing Client Access Security. Important: As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc systemroot\system32\inetsrv\iis.msc". Important: There are many variables that you must consider when configuring certificates for SSL or TLS services. You must make sure that you understand how these variables may affect your overall configuration. Before you proceed, read How to Create a Certificate or Certificate Request for SSL/TLS. To use the Exchange Management Shell to create a certificate request file Run the following command: New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -domainname CAS01,CAS01.exchange.corp.constoso.com,exchange.contoso.com, , autodiscover.contoso.com -path c:\certrequest_cas01.txt This command will create a text file that contains a certificate request in PKCS#10 format. To use the Exchange Management Shell to import a certificate Run the following command: Import-ExchangeCertificate -path <certificate_file_name>.cer -friendlyname "Contoso CAS01"
251
To use the Exchange Management Shell to determine the thumbprint of your certificate To determine the thumbprint, run the following command: Get-ExchangeCertificate -DomainNane "CAS01" Note: This command will return multiple certificates if there are several certificates that match the host name that you specified. Therefore, make sure that you select the thumbprint of the correct certificate for your request. To use the Exchange Management Shell to assign the certificate to IIS, POP3, and IMAP4 1. To assign the certificate to IIS, POP3, and IMAP4, run the following command: Enable-ExchangeCertificate -thumbprint <certificatethumbprint> -services "IIS,POP,IMAP" 2. Or, alternatively, to assign the certificate to a server, which in turn assigns the certificate to all services that are running on the Exchange server, run the following command: Import-ExchangeCertificate -path <certificate file name> -friendlyname "Contoso CAS01" | enable-exchangecertificate -services "IIS,POP,IMAP" For more information about syntax and parameters for the Import-ExchangeCertificate, Enable-ExchangeCertificate, Get-ExchangeCertificate and New-ExchangeCertificate cmdlets, see Global Cmdlets.

For more information about how to create certificates or certificate requests for SSL or TLS, see Creating a Certificate or Certificate Request for TLS.
252
Using ISA Server 2006 with Exchange 2007

This section describes how to configure firewalls for use with a server that is running Microsoft Exchange Server 2007 that has the Client Access server role installed. You can use software and hardware solutions as a firewall to help secure your messaging environment. We recommend that you use an advanced firewall server such as Microsoft Internet Acceleration and Security (ISA) Server 2006 with Exchange 2007 because of these two products were designed to work together. ISA Server 2006 and Exchange 2007 were designed to help secure and enhance the client access experience.
ISA Server 2006 and Exchange 2007

ISA Server 2006 and Exchange 2007 were developed to coexist and provide an increased level of security for your messaging environment. When you use the New Exchange Publishing Rule Wizard to configure your ISA Server computer to allow client access, you automatically configure ISA Server settings that are required for the new features in both Exchange 2007 and ISA Server 2006 to work correctly. For more information about how to configure ISA Server 2006 for Exchange 2007, see Configuring ISA Server 2006 for Exchange Client Access.
Earlier Versions of ISA Server and Exchange 2007

When you deploy Exchange 2007, we recommend that you upgrade any earlier versions of ISA Server that you are using. Deploying Exchange 2007 in an environment that has been configured to use an earlier version of ISA Server, such as ISA Server 2004, will require changes to your ISA Server rules that you might have configured for client access. When you configure ISA Server 2004 or ISA Server 2000, you will have to create new server or Web publishing rules for the new Client Access servers that you want your users to access. Table 39 describes the virtual directories to use as paths for the Web and server publishing rules that you must create for client access to Exchange when you use an earlier version of ISA Server than ISA Server 2006. Make sure that you use only the paths for the client applications that you plan to use. For example, if you do not plan to use Microsoft Exchange ActiveSync, you do not have to publish the Microsoft-Server-ActiveSync virtual directory.
253
Table 39 Exchange 2007 virtual directories that are used as paths in ISA Server publishing rules Path Name /owa Description This virtual directory is used by the Microsoft Office Outlook Web Access applicat ion to access mailboxes on Exchange 2007 computers that have the Mailbox server role installed. This virtual directory is used by the Outlook Web Access application to access public folders for mailboxes that are located on computers that are running Exchange 2007, Microsoft Exchange Server 2003, or Microsoft Exchange 2000 Server. This virtual directory is used by the Outlook Web Access application for mailboxes on computers that are running Exchange 2003 or Exchange 2000. This virtual directory is used by Outlook Web Access to access mailboxes on computers that are running Exchange 2003 or Exchange 2000. This virtual directory is used for Unified Message access. This virtual directory is used by the Exchange 2007 ActiveSync application. This virtual directory is used for Exchange Web Services. This virtual directory is used by the Autodiscover service for the Exchange ActiveSync and Outlook clients. This virtual directory is used by the Outlook Anywhere feature in Outlook 2007.
/public
/exchweb
/exchange
/UnifiedMessaging /Microsoft-Server-ActiveSync /EWS /Autodiscover
/rpc
254

For more information about how to configure client access to Exchange, see the following topics: Using ISA Server 2006 with Outlook Web Access Configuring ISA Server 2006 for Exchange Client Access
Using ISA Server 2006 with Outlook Web Access

Outlook Web Access for Exchange Server 2007 is designed to take full advantage of the new features that are available in Internet Security and Acceleration (ISA) Server 2006. Exchange 2007 is also designed to integrate with earlier versions of ISA Server. When you deploy Exchange 2007 in an environment where ISA Server 2006 is being used to help secure your corporate network, the full set of features for Exchange Client Access are available.
Benefits of Using ISA Server 2006 with Outlook Web Access

Table 40 lists features in ISA Server 2006 that can help you secure your Microsoft Exchange messaging environment that includes Outlook Web Access. Table 40 ISA Server 2006 features with Outlook Web Access Feature Description
255
Link Translation
ISA Server 2006 redirects Outlook Web Access requests for internal URLs that are contained in the body of any object in Outlook Web Access, such as an email message or calendar entry. Users no longer have to remember the external namespaces for internal corporate information that is mapped to an external namespace. For example, if a user sends a link in an e-mail message to an internal namespace such as http://contoso, and this internal URL is mapped to an external namespace such as http://www.contoso.com, the internal URL is automatically translated into the external URL when the user clicks the internal URL. ISA Server 2006 can load balance client requests and send them to an array of Client Access servers. When ISA Server 2006 receives a request for a connection to Outlook Web Access, it selects a Client Access server and then sends the name of the Client Access server back to the Web browser in a cookie. In the past, if you used forms-based authentication on the ISA Server computer that had Exchange Server 2003 and ISA Server 2004 or ISA Server 2000 installed, it was not possible to use Gzip compression. This was because ISA Server could not decompress and recompress the information correctly. ISA Server 2006 can decompress, inspect, and then recompress data before it sends the data to your Exchange servers. Note: Gzip compression is available in ISA Server 2004, Service Pack 2 (SP2).
Web Publishing Load Balancing
HTTP Compression
256
Exchange server locations are hidden
When you publish an application through ISA Server, you are protecting the server from direct external access because the name and IP address of the server cannot be viewed by the user. The user accesses the ISA Server computer. The ISA Server computer then creates a connection to the Client Access server according to the conditions of the server publishing rule.
257
SSL bridging and inspection
Secure Sockets Layer (SSL) bridging protects against attacks that are hidden in SSLencrypted connections. For SSL-enabled Web applications, after ISA Server receives the client's request, ISA Server decrypts the request, inspects it, and acts as the endpoint for the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. When you use SSL bridging, the secure Web publishing rule is configured to forward the request by using Secure HTTP (HTTPS). ISA Server then initiates a new SSL connection with the published server. Because the ISA Server computer has become an SSL client, it requires the published Web server to respond with a certificate. An additional advantage of SSL bridging is that an organization has to buy SSL certificates from an external certification authority only for the ISA Server computers. Servers that use ISA Server as a reverse proxy can either not require SSL or use SSL certificates that are generated internally. You can also terminate the SSL connection at the ISA Server computer and continue to the Client Access server with a connection that is not encrypted. This is known as SSL offloading. If you do this, the internal URL for Outlook Web Access must be set to use HTTP and the external URL must be set to use HTTPS. The internal URL and external URL can be configured through the Exchange Management Console, or by using the SetOwaVirtualDirectory cmdlet with the InternalURL parameter and ExternalURL parameter in the Exchange Management Shell. For more information about how to use the Set-OwaVirtualDirectory cmdlet and the Exchange Management Console to manage 258
Single Sign-On
Single sign-on enables users to access a group of published Web sites without being required to authenticate with each Web site. When you use ISA Server 2006 as a reverse proxy server for Outlook Web Access, ISA Server 2006 can be configured to obtain the user's credentials and pass them to the Client Access server so that users are prompted for their credentials only one time.
For more information about the new enhancements to ISA Server 2006 when it is used with Exchange 2007, see What's New and Improved in ISA Server 2006.
Deployment Options
When you deploy ISA Server 2006 together with Exchange 2007, you will not have to do any additional configuration to your Microsoft Exchange infrastructure. However, ISA Server 2006 can be configured in different ways to enable Exchange client access by using Outlook Web Access, POP3 or IMAP access, Exchange ActiveSync, and Outlook Anywhere. The configuration options depend on the authentication method that you want to use to access Exchange. Earlier versions of ISA Server, including ISA Server 2004 and ISA Server 2000 when they are deployed with Exchange 2007, do not have the same deployment options for authentication. Additionally, if you are deploying Exchange 2007 with both ISA Server 2006 and an earlier version of ISA Server, you can use the following authentication options: Basic authentication for Outlook Web Access If you plan to use Basic authentication for Outlook Web Access, ISA Server 2006 and earlier versions of ISA Server should all use Web Publishing to publish Outlook Web Access. Client certificate authentication If you plan to use a client certificate-based authentication method, ISA Server will automatically perform authentication on the computer that is running ISA Server. Earlier versions of ISA Server, including ISA Server 2004 and ISA Server 2000, require server publishing to use client certificate authentication. If you use client certificate authentication, you cannot use ISA Server to inspect the SSL packets before they are sent to the Client Access server.
259
Deploying ISA Server 2006 for Outlook Web Access

When you deploy ISA Server 2006 for Outlook Web Access, you use the New Exchange Publishing Rule Wizard on the firewall policy tasks. This new wizard shows you the specific settings that you must configure to enable access to Microsoft Exchange. Important: If you have multiple versions of Microsoft Exchange in your Exchange organization, you must create an Exchange publishing rule for each version of Microsoft Exchange that you support. Configuring ISA Server 2006 for Outlook Web Access involves the following steps: 1. Creating a new publishing rule. 2. Configuring additional options. The following sections describe the settings that you must apply to the new publishing rule to successfully deploy ISA Server 2006 for Outlook Web Access.
Create a New Exchange Publishing Rule

During this process, you must provide the following information: Exchange publishing rule name Provide a friendly name for your publishing rule, such as "Exchange E-mail Access". Supported client access services On the Select Services page, select the version of Microsoft Exchange that you are deploying and the client access services that you want to support for your users. By default, when you select Exchange Server 2007, Outlook Web Access is selected. Publishing type On the Publishing Type page, select an option to use depending on whether you plan to publish a single site or an external load balancer, a Web server farm, or multiple Web sites. Server connection security This page lets you select whether to use Secure Sockets Layer (SSL) or non-secured connections from the ISA Server computer to Microsoft Exchange. Internal publishing details On the Internal Publishing Details page, enter the internal site name of Outlook Web Access or select the option to use a computer name or IP address to connect to Microsoft Exchange. Public name details The Public name details page lets you select which domains you will accept requests from. You must also provide a public name, for example, www.contoso.com.
260
Select web listener The Select web listener page lets you specify the listener for the Exchange server to which you are connecting. A listener is used to specify the authentication type that will be used when the client first contacts the ISA Server computer. The listener contains information about how the ISA Server computer accepts requests from clients, such as the encryption, compression, and authentication that is used on the external connection. You can use this page to create a new listener or edit existing listeners. Authentication delegation The Authentication delegation page lets you specify the type of authentication mechanism that the Client Access server should expect from the ISA Server. Select from the following: No delegation, but client may authenticate directly Basic authentication NTLM authentication Negotiate (Kerberos/NTLM) Kerberos constrained delegation
User sets The User sets page lets you select which users can use this rule to connect to Exchange. If you have configured the ISA Server computer to authenticate users, you should configure the Outlook Web Access virtual directories to use either Integrated Windows authentication or Basic authentication, depending on which type of authentication is required by your organization. When you use Basic authentication or Integrated Windows authentication on the Outlook Web Access virtual directories together with ISA Server 2006 authentication, users are prompted for their logon information only one time. Note: If you select forms-based authentication for the ISA listener, the user will be prompted to reenter authentication credentials if the Outlook Web Access session times out. However, Integrated Windows authentication disallows access from Outlook Web Access to documents on Windows file shares or in Windows SharePoint Services document libraries. If you must access documents from Outlook Web Access, you must use Basic authentication on the Outlook Web Access virtual directory. After you complete the wizard, the wizard creates the Exchange publishing rule. The rule you create appears in the Firewall Policy Rules list on the Firewall Policy tab. Note: After you finish creating your publishing rule, you must wait for the settings to take effect. You can monitor ISA Server 2006 publishing rule progress by using the Monitoring node in the ISA Server 2006 Management console.
261
Configure Additional Options

You can configure additional features, such as link translation and HTTP compression, for the new rule that you created in the ISA Server 2006 Management console. Additional settings for link translation and HTTP compression are managed under the General node on the ISA Server 2006 Management console. Configuring Link Translation To configure link translation, you must select the Exchange publishing rule that you created, and then click Edit Selected Rule under Policy Editing Tasks. On the Link Translation tab, you can configure link translation based on the needs of your users. Configuring HTTP Compression The HTTP compression option can be configured in the General node under Configuration in the ISA Server 2006 Management console. Click Define HTTP compression preferences, and then select the options that you want to support for your users. After you finish configuring these options, the ISA Server configuration for Microsoft Exchange is complete.
Install a Server Certificate for ISA Server 2006

To enable an encrypted channel by using SSL between the client computer and the ISA Server computer, you must install a server certificate on the ISA Server computer. This certificate should be issued by a public certification authority (CA) because it will be accessed by users on the Internet. If a private CA is used, the root CA certificate from the private CA must be installed on any computer that has to create an encrypted channel (HTTPS) to the ISA Server computer or users will receive a warning that the certificate is not trusted. For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006.

For more information about how to use ISA Server 2006 with Exchange 2007, see Using ISA Server 2006 with Exchange 2007. For more information about ISA Server 2006, see the ISA Server Web site.
For more information about ISA Server 2006 features, see ISA Server 2006 Features at a Glance. For more information about how to use a reverse proxy server, see How to Configure Reverse Proxy Servers for Outlook Web Access.
262
For more information about how to use the Set-OwaVirtualDirectory cmdlet and the Exchange Management Console to manage Outlook Web Access virtual directories, see the following topics: Set-OwaVirtualDirectory How to Modify Properties on an Outlook Web Access Virtual Directory
For more information about how to configure Outlook Web Access, see: Managing Outlook Web Access Security Configuring Standard Authentication Methods for Outlook Web Access
How to Configure Reverse Proxy Servers for Outlook Web Access

You may want to use a reverse proxy server to manage incoming requests to a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed or to servers that provide Outlook Web Access. A reverse proxy server provides the following advantages over a direct connection to a Client Access server: Security The reverse proxy server provides an extra protective layer between the network and external computers. As a security best practice, use a reverse proxy server so that your Client Access server is not directly exposed to the Internet. SSL encryption and acceleration Instead of configuring the Client Access server to provide Secure Sockets Layer (SSL) encryption, you can offload that function to the reverse proxy server. In addition to encrypting data that is sent between the Web browser and the Client Access server, this enables the reverse proxy server to inspect the data packets and apply filters before they reach the Client Access server. If SSL encryption is offloaded to a proxy server, data that is sent between the reverse proxy server and the Client Access server will not be encrypted unless you use SSL bridging. SSL bridging If you must encrypt communication between the reverse proxy server and the Client Access server, you can end the SSL session between the Web browser and reverse proxy server, and then establish a new SSL session between the reverse proxy server and the Client Access server. This protects the Client Access server from direct access from the Internet, enables the reverse proxy server to filter the data packets before they reach the Client Access server, and encrypts the data along the whole path between the Web browser and the Client Access server. Only the reverse proxy server will require a certificate from a reliable certification authority. The Client Access server can use either a self-signed certificate or a certificate from an enterprise certification authority. If your reverse proxy server is connected to multiple internal servers, this may reduce certificate costs.
263
SSL offloading You can also terminate the SSL connection at the reverse proxy server and continue to the Client Access server with a connection that is not encrypted. This is known as SSL offloading. If you use SSL offloading, the internal URL for Outlook Web Access must be set to use HTTP and the external URL must be set to use HTTPS. You can configure the internal URL and external URL by using the Exchange Management Console or by using the Set-OwaVirtualDirectory cmdlet with the InternalURL parameter and ExternalURL parameter in the Exchange Management Shell. Load balancing A reverse proxy server can distribute the traffic that is destined for a single URL to a group of servers. You can use Microsoft Internet Security and Acceleration (ISA) Server as a reverse proxy server. For more information about how to use ISA Server as a reverse proxy server, see the Microsoft Internet Security and Acceleration Server Web site.
Before You Begin

To perform the following procedure on an ISA Server 2006 computer, the account you use must be delegated the ISA Server Enterprise Administrator role. To configure Outlook Web Access on the Exchange Client Access server, the account you use must be delegated the Exchange Server Administrator role and must be a member of the local Administrators group for the target server. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To use ISA Server 2006 to configure a reverse proxy for Outlook Web Access 1. In the ISA Server 2006 console, use the Publish Exchange Web Client Access wizard to publish Outlook Web Access. 2. Configure ISA Server to authenticate users when they connect to the Outlook Web Access virtual directories (optional). For more information about how to configure ISA Server, see Publishing Exchange Server 2007 with ISA Server 2006. If you have configured the ISA Server computer to authenticate users, we recommend that you configure the Outlook Web Access virtual directories to use either Integrated Windows authentication or Basic authentication, depending on which type of authentication is required by your organization. When you use Basic authentication or Integrated Windows authentication, users are prompted for their logon information only one time. Note: Integrated Windows authentication prohibits access to documents on Windows file shares or in Windows SharePoint Services document libraries from
264
Outlook Web Access. If you must access documents from Outlook Web Access, you must use Basic authentication.

For more information about how to use ISA Server 2006 with Exchange 2007, see the following topics: Configuring ISA Server 2006 for Exchange Client Access Using ISA Server 2006 with Exchange 2007
For more information about Outlook Web Access authentication methods, see the following topics: Managing Outlook Web Access Security How to Configure Integrated Windows Authentication How to Configure Basic Authentication
For more information about how to use the Set-OwaVirtualDirectory cmdlet and the Exchange Management Console to manage Outlook Web Access virtual directories, see the following topics: Set-OwaVirtualDirectory How to Modify Properties on an Outlook Web Access Virtual Directory
Configuring ISA Server 2006 for Exchange Client Access

Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft Exchange Server 2007 are designed to work together to provide a more secure messaging environment.
ISA Server 2006 and Exchange 2007

ISA Server acts as an advanced firewall that controls Internet-based traffic between multiple networks that are connected to it through its multi-networking feature. When you deploy ISA Server 2006 for Exchange 2007, ISA Server handles all client requests for Exchange information. This includes incoming and outgoing Internet communication.
265
Benefits of Using ISA Server 2006 with Exchange 2007

New features for ISA Server 2006 are designed specifically to enhance functionality for Exchange 2007. Table 41 describes these features. Table 41 New features for ISA Server 2006 and Exchange 2007 Feature Web Publishing Load Balancing Description ISA Server 2006 balances the request from the client to an array of published servers. This eliminates the need to deploy Network Load Balancing (NLB) on the published array. How To Web load balancing features are automatically implemented when you publish Outlook Web Access and Outlook Anywhere. Outlook Web Access automat ically selects a rule by using cookie-based load balancing. With cookie-based load balancing, all requests related to the same session (the same unique cookie provided by the server in each response) are forwarded to the same server. Outlook Anywhere uses sourceIP based load balancing. With source-IP based load balancing, all requests from the same client (source) IP address are forwarded to the same server.
266
Link Translation
Some published Web sites may include references to internal names of computers. Because only the ISA Server 2006 firewall and external namespaces are available to external clients, these references appear as broken links. ISA Server 2006 includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names. For authenticated and encrypted client access, ISA Server 2006 provides end-toend security and application layer filtering by using SSLto-SSL bridging. This means that encrypted data is inspected before it reaches the Exchange server. The ISA Server 2006 firewall decrypts the SSL stream, performs stateful inspection, and then re-encrypts the data and forwards it to the published Web server. Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid.
ISA Server 2006 implements link translation automatically when you configure Web publishing for Outlook Web Access.
Secure Sockets Layer (SSL) Bridging Support
ISA Server 2006 implements SSL Bridging Support automatically when you configure Web publishing for Outlook Web Access.
267
In addition to the features listed in Table 41, ISA Server 2006 is designed to work specifically with the client access methods that you can use with Exchange 2007.
New Exchange Publishing Rule Wizard

When you deploy ISA Server 2006, you use the New Publishing Rule Wizard on the firewall policy tasks to help you with the settings that must be configured to allow access for the following features: Outlook Web Access When you deploy ISA Server 2006 for Outlook Web Access, you use the New Exchange Publishing Rule Wizard that is on the Firewall Policy tasks. This new wizard shows the specific settings that must be configured to allow for client access by using Outlook Web Access. For more information about how to configure ISA Server 2006 to use Outlook Web Access, see Using ISA Server 2006 with Outlook Web Access. Exchange ActiveSync When you deploy ISA Server 2006 for Exchange ActiveSync, you use the New Exchange Publishing Rule Wizard on the Firewall Policy tasks. This new wizard shows you the specific settings that must be configured to allow for Exchange ActiveSync access. Follow the instructions in the New Exchange Publishing Rule Wizard for ISA Server 2006 to configure your Exchange deployment to use Exchange ActiveSync. Outlook Anywhere When you deploy ISA Server 2006 for Outlook Anywhere, you use the New Exchange Publishing Rule Wizard on the Firewall Policy tasks. This new wizard shows you the specific settings that must be configured to allow for Outlook Anywhere access. Follow the instructions in the New Exchange Publishing Rule Wizard for ISA Server 2006 to configure your Exchange deployment to use Outlook Anywhere. POP3 and IMAP4 Access When you deploy ISA Server 2006 for POP3 and IMAP4 access to Exchange 2007, you use the New Exchange Publishing Rule Wizard on the Firewall Policy tasks. This new wizard shows you the specific settings that must be configured to allow for POP3 and IMAP4 access. Follow the instructions in the New Exchange Publishing Rule Wizard for ISA Server 2006 to configure your Exchange deployment to use POP3 and IMAP4.
Using ISA Server 2006 with Outlook Anywhere

This section describes how you can use Microsoft Internet Security and Acceleration (ISA) Server 2006 with Microsoft Outlook Anywhere. We recommend that you use ISA Server 2006 for all available client access methods in Microsoft Exchange Server 2007. When you publish Outlook Anywhere client access with ISA Server 2006, communications from the
268
Outlook clients located on the Internet to the ISA Server computer and from the ISA Server computer to the Client Access server are encrypted by using Secure Sockets Layer (SSL). In many organizations, users must have mailbox access when they are not in the office. Outlook Anywhere ensures that users can interact with their Exchange information from any location. To support this client access method, specific paths must be published on the ISA Server computer. Table 42 lists the Exchange services that are supported by ISA Server 2006 for Exchange 2007 and used by Outlook Anywhere clients. Table 42 Exchange 2007 services used with ISA Server 2006 Feature Outlook Anywhere Path /rpc/* Description Internet based access to an Exchange deployment by using RPC over HTTP or RPC over HTTPS. Exchange 2007 Unified Messaging puts all e-mail, voice, and fax messages into one Exchange 2007 mailbox that can be accessed from a variety of devices. An offline address book (OAB) is a copy of an address book that has been downloaded so that an Outlook user can access address book information while disconnected from the server. This virtual directory is used for the Autodiscover service and the availability service to provide free/busy information.
Unified Messaging
/unifiedmessaging/*
Offline Address Book
/OAB/*
Exchange Web Services
/ews/*
269
Autodiscover
/Autodiscover/*
The Autodiscover service provides access to Microsoft Exchange features for Microsoft Office Outlook 2 007 clients that are connected to your Microsoft Exchange messaging environment.
ISA Server 2006 Features for Outlook Anywhere Client Access

Table 43 describes several of the benefits of using ISA Server 2006 to protect Outlook Anywherebased client access to your Exchange deployment. Table 43 ISA Server 2006 features for Outlook Anywhere Feature Exchange server locations are hidden Description More information
When you publish an Publishing Exchange Server application through ISA 2007 with ISA Server 2006 Server, you are protecting the server from direct external access because the name and IP address of the server cannot be accessed by the user. The user accesses the ISA Server computer. This computer forwards the request to the server according to the conditions of the server publishing rule.
270
SSL Bridging and Inspection
SSL bridging protects against Best Practices for attacks that are hidden in Performance in ISA Server SSL-encrypted connections. 2006 For SSL-enabled Web applications, after ISA Server receives the client's request, ISA Server decrypts it, inspects it, and ends the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. If the secure Web publishing rule is configured to forward the request by using secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires the published Web server to respond with a server-side certificate.
ISA Server 2006 Deployment Options for Outlook Anywhere

Before you deploy ISA Server 2006 to help secure communication from Outlook Anywhere clients on the Internet to Exchange Client Access servers, you must verify that you have correctly configured your Exchange deployment to support Outlook Anywhere clients. For more information, see Deploying Outlook Anywhere. You will then run the Exchange Publishing Rule Wizard to provide Outlook Anywhere access to your Exchange deployment.
Install a Server Certificate for ISA Server 2006

To enable an encrypted channel by using SSL between the client computer and the ISA Server computer, you must install a server certificate on the ISA Server computer. This
271
certificate should be issued by a public certification authority (CA) because it will be accessed by users on the Internet. If a private CA is used, the root CA certificate from the private CA must be installed on any computer that has to create an encrypted channel (HTTPS) to the ISA Server computer. For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006.
How to Deploy ISA Server 2006 for Outlook Anywhere

You can run the Exchange Publishing Rule Wizard to provide Outlook Anywhere access to your Exchange deployment by following these steps: 1. Create a server farm (optional) When you have more than one Exchange Client Access server, you can use ISA Server to provide load balancing for these servers. The server farm properties determine the following: Servers that are included in the farm
Connectivity verification method that ISA Server will use to verify that the servers are functioning 2. Create a Web listener When you create a Web publishing rule, you must specify a Web listener to use. The Web listener properties determine the following: IP addresses and ports on the specified networks that the ISA Server computer uses to listen for Web requests (HTTP or HTTPS) Server certificates to use with IP addresses Authentication method to use Number of concurrent connections that are allowed Single sign on (SSO) settings
3. Create an Exchange Web client access publishing rule When you publish an internal Exchange 2007 Client Access server through ISA Server 2006, you protect the Web server from direct external access because the name and IP address of the server cannot be accessed by the user. The user accesses the ISA Server computer. The ISA Server computer forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange client access. For more information about how to use the Exchange Publishing Rule Wizard, see Publishing Exchange Server 2007 with ISA Server 2006.
272

For more information about how to use ISA Server 2006 with Exchange 2007, see Using ISA Server 2006 with Exchange 2007.
Using ISA Server 2006 with Exchange ActiveSync

We recommend that you use Internet Security and Acceleration (ISA) Server 2006 to enhance the security of all available client access methods in your Microsoft Exchange Server 2007 deployment. When you configure Exchange ActiveSync client access with ISA Server 2006, communications between the Exchange ActiveSync clients and the Exchange server computer pass through an ISA Server computer to add an additional layer of Secure Sockets Layer (SSL) encryption. Exchange ActiveSync enables information workers to access their Microsoft Exchange messaging data by using a mobile device. For more information about Exchange ActiveSync, see the following topics: Overview of Exchange ActiveSync Managing Exchange ActiveSync
Benefits of Using ISA Server 2006 with Exchange ActiveSync

Table 44 describes several of the benefits of using ISA Server 2006 to protect client access through Outlook Anywhere to your Exchange deployment. Table 44 ISA Server 2006 features for Exchange ActiveSync Feature Exchange server locations are hidden Description When you publish an application through ISA Server, you are protecting the server from direct external access because the name and IP address of the server cannot be viewed by the user. The user accesses the ISA Server computer. The ISA Server computer then forwards the request to the server according to the conditions of the server publishing rule.
273
SSL Bridging and Inspection
SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, after ISA Server receives the client's request, ISA Server decrypts it, inspects it, and ends the SSL connection with the client computer. The Web publishing rules determine how ISA Server communicates the request for the object to the published Web server. If the secure Web publishing rule is configured to forward the request by using Secure HTTP (HTTPS), ISA Server initiates a new SSL connection with the published server. Because the ISA Server computer is now an SSL client, it requires the published Web server to respond with a server-side certificate.
ISA Server 2006 Deployment Prerequisites for Exchange ActiveSync

When you deploy ISA Server 2006 to help secure communication from Exchange ActiveSync clients on the Internet to Exchange 2007 computers that have the Client Access server role installed, we recommend that you confirm the following: Forms based authentication is not configured on the Exchange Client Access server. When ISA Server 2006 is being used to publish Exchange client access, we recommend forms-based authentication be configured only on the ISA Server computer. A server certificate is installed on the Exchange Client Access server. This certificate can be from an internal certification authority (CA) or a public CA. SSL is required on all Exchange Client Access virtual directories.
After you confirm these settings, you can configure ISA Server 2006 to provide Exchange ActiveSync access for your clients.
How to Deploy ISA Server 2006 for Exchange ActiveSync

To enable an encrypted channel between the client computer and the ISA Server computer, you first have to install a server certificate on the ISA Server computer. This certificate should be issued by a public certification authority (CA) because it will be accessed by users on the
274
Internet. If a private CA is used, the root certificate from the private CA must be installed on any computer that requires a secure (HTTPS) connection to the ISA Server computer. For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006. After a server certificate is installed on the ISA Server computer, you can run the New Exchange Publishing Rule Wizard. Running the New Exchange Publishing Rule Wizard to provide Exchange ActiveSync access involves the following steps: 1. Create a server farm (optional) When you have more than one Client Access server within your organization, you can use ISA Server to provide load balancing for these servers. The server farm properties determine the following: The specific servers included in the farm.
The connectivity verification method that ISA Server will use to verify that the servers are functioning correctly. 2. Create a Web listener When you create a Web publishing rule, you must specify a Web listener. The Web listener properties determine the following: The IP addresses and ports on the specified networks that the ISA Server computer uses to listen for Web requests (HTTP or HTTPS). Which server certificates to use with IP addresses. The Authentication method to use. The number of concurrent connections that are allowed. Single sign-on (SSO) settings.
3. Create an Exchange Web client access publishing rule When you publish an internal Exchange 2007 Client Access server through ISA Server 2006, you are protecting the Web server from direct external access because the name and IP address of the server cannot be viewed by the user. The user accesses the ISA Server computer. The ISA Server computer then forwards the request to the internal Web server according to the conditions of your Web server publishing rule. An Exchange Web client access publishing rule is a Web publishing rule that contains default settings appropriate to Exchange client access. For more information about how to use the New Exchange Publishing Rule Wizard, see Microsoft ISA Server 2006. Important: There is a software update that is required for ISA Server 2006 before you can publish Exchange Server 2007. For more information about that update, see Update for Publishing Microsoft Exchange Server 2007 for Internet Security and Acceleration (ISA) Server 2006.
275

For more information about how to configure ISA Server 2006 for client access, see Configuring ISA Server 2006 for Exchange Client Access.
Managing Details Templates

Details templates control the appearance of the object properties that are accessed by using address lists in MAPI 32-bit client applications, such as Microsoft Outlook. For example, when a user opens an address list in Outlook, the properties of the recipients in that address list are presented as defined by the details template that exists in your Exchange organization. The following figure illustrates the properties of the recipient Kim Akers as it appears in Outlook 2007. Using the Details Templates Editor in Exchange 2007, you can modify the organization of and content within the various objects that appear on this property page. Figure 11 Default details template as viewed from Outlook 2007
276
Elements of the Details Templates Editor

This section describes the user interface elements in the Details Templates Editor. Figure 12 Details Template Editor
Toolbox pane The toolbox pane appears at the far left of the Details Templates Editor. Drag objects from the toolbox pane to the designer pane. You can add the following elements to the template: Check box Edit text box Group box Label List box Multi-valued drop-down box Multi-valued list box
Note: Not all of the elements are available for all template types. Designer pane The designer pane appears in the middle of the Details Templates Editor. In the designer pane, you can design the template to meet your organization's specifications. Select an item and edit the object's properties in the properties pane. In
277
addition, you can move or resize objects in the template. To delete an object, select the object, and then press DELETE on your keyboard. To save your changes, from the File menu, click Save. Properties pane The properties pane appears at the far right of the Details Templates Editor. Use the properties pane to edit the properties of an object on the designer pane. For example, you can change the text, height, width, or position of an object.
Details Templates Management Tasks

This section lists the management tasks that you can perform within the Details Templates Editor and includes links to topics that will help you complete the task. How to Add the Details Templates Editor to the Microsoft Management Console
The Details Templates Editor is a snap-in for the Microsoft Management Console (MMC). You cannot perform this procedure by using the Exchange Management Console or the Exchange Management Shell. You must use the MMC. How to Customize the Details Template
You can use the default details template or you can customize the template to better suit the needs of your users. You can use the Details Templates Editor to customize the following Outlook objects: Contacts Users Groups Mailbox agents Public folders Search dialogs
The objects may be customized by changing field sizes, adding or removing fields, adding or removing tabs, and rearranging fields. The layout of these templates can vary by language. The following languages are supported: Arabic, Basque, Brazilian, Bulgarian, Catalan, Chinese Simplified, Chinese Traditional, Croatian, Czech, Danish, Dutch, German, Greek, English, Estonian, Finnish, French, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, and Ukrainian. How to Restore a Details Template to the Default Configuration
278
The Details Templates Editor does not contain an Undo button, nor can you use a keyboard shortcut to undo an action. If you want to undo changes after you have saved, you can restore the template. When you restore a template, all customization is lost, and the template is restored to its original configuration.

For detailed syntax and parameter information about details template cmdlets, see the following topics: Get-DetailsTemplate Restore-DetailsTemplate Set-DetailsTemplate
How to Customize the Details Template

This section explains how to use the Details Templates Editor in the Microsoft Management Console (MMC) to customize details templates. Note: You cannot use the Exchange Management Console or the Exchange Management Shell to customize the details templates. You must use the MMC snap-in. You can use the default details template or you can customize the template to better suit the needs of your users. You can use the Details Templates Editor to customize the following Microsoft Outlook objects: Contacts Users Groups Mailbox agents Public folders Search dialog boxes
You can customize these objects by changing field sizes, adding or removing fields, adding or removing tabs, and rearranging fields. The layout of these templates can vary by language. The following languages are supported: Arabic, Basque, Brazilian, Bulgarian, Catalan, Chinese Simplified, Chinese Traditional, Croatian, Czech, Danish, Dutch, German, Greek, English, Estonian, Finnish, French, Hebrew, Hungarian, Italian, Japanese, Korean, Latvian,
279
Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, and Ukrainian.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations. Also, to perform this procedure, you must add the Details Templates Editor snap-in to MMC. For more information, see How to Add the Details Templates Editor to the Microsoft Management Console. To use the Microsoft Management Console to customize the details template 1. In the Details Templates Editor, in the console root, click Details Template. 2. In the details pane, the following columns are displayed: Template Type This column lists the type of template that you can customize. Language This column lists the language in which the template was created. Identity This column lists the unique identity of the template. Created This column lists the date and time that the template was created.
Modified This column lists the date and time that the template was last modified. 3. To edit the template, right-click the template, and then click Edit. For example, the English contacts details template is shown in Figure 13. Figure 13 Default details template as viewed from Outlook 2007
280
4. After you click Edit, there are several tasks you can perform to customize a details template: To move an object in the designer pane, select the object, and then drag it to its new location on the template. As you move the object, you are provided with alignment lines. To change a label's text, select the label in the design pane. In the properties pane, type the new text in the Text box. To create keyboard shortcuts, you can use the ampersand (&) symbol. Place the ampersand (&) before the letter that you want to use as the shortcut. To change the size of an object, select the object, and then drag the sizing handles until the object is the shape and size you want. To delete an object, select the object, and then press DELETE on your keyboard. Note: The Details Templates Editor does not contain an Undo button, nor can you use a keyboard shortcut to undo an action. To undo an addition you made to
281
the template, you must use the DELETE key. To undo a deletion, you must reapply the setting. You can also revert to the original settings by exiting the Details Templates Editor without saving your changes. If you want to undo changes after you have saved, you can restore the template. When you restore a template, all customization is lost, and the template is restored to its original configuration. For more information about how to restore the details template, see How to Restore a Details Template to the Default Configuration. To add an Edit text box, Listbox, MultiValued Dropdown box, or MultiValued Listbox, in the toolbox pane, drag the object to the design pane. Set the attribute of the object by clicking the attribute drop-down box in the properties pane, and then selecting the attribute that will be used by Exchange Server. Note: You must link the object to an attribute for it to be used by Exchange Server. In addition, the attribute also determines the content that is displayed to the end user in Outlook. If you do not select an attribute, a random attribute is selected automatically. To add a Groupbox, drag the object to the design pane, and then, in the properties pane, type a name in the Text box. Use the Groupbox to group similar objects. To add a tab to the template, right-click an existing tab, and then click Add Tab. A blank tab appears. To name the tab, type the name in the Text box in the properties pane. To remove a tab from the template, right-click the tab, and then click Remove Tab. A warning appears. Click OK to confirm that you want to remove the tab. To change the tabbing order of the objects on a tab so that users can use the TAB key to navigate the objects in the order you want, select the object in the design pane, and then, in the properties pane, use the TabIndex box to change the order. Note: To make sure that users are not able to use the TAB key to access the labels of an object (for example Name or Alias), change the order of the labels so that they are last in the tabbing order. 5. To save changes to the details template, on the File menu, click Save.

For more information about the Details Templates Editor, see the following topics: Managing Details Templates
282
How to Add the Details Templates Editor to the Microsoft Management Console
How to Add the Details Templates Editor to the Microsoft Management Console
This section explains how to add the Details Templates editor snap-in to Microsoft Management Console 3.0. In Microsoft Exchange Server 2007, you have the ability to customize the client-side graphical user interface (GUI) presentation of object properties that are accessed by using address lists in the Microsoft Outlook client application. When a user opens an address list in Outlook, for example, the properties of a particular object are presented as defined by the details template in the Exchange organization. You can use the Details Templates editor to customize the following Outlook objects: Contacts Users Groups Mailbox agents Public folders Search dialogs
The objects may be customized by changing field sizes, adding or removing fields, adding or removing tabs, and rearranging fields. The layout of these templates can vary by language.
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations. To add the Details Templates editor snap-in to Microsoft Management Console 1. On the taskbar, click Start, and then click Run. 2. Type MMC in the Open field. 3. On the Console menu bar, click File, and then click Add/RemoveSnap-in. 4. In Add/Remove Snap-in, on the Standalone tab, click Add. 5. In Add Standalone Snap-in, select Details Templates Editor from the list of
283
available stand-alone snap-ins, and then click Add. 6. Click Close to close the Available Snap-ins dialog box, and then click OK on the Add/Remove Snap-in dialog box. 7. To save the Details Templates to the Microsoft Management Console, on the Console menu bar, click File, and then click Save.

For more information about how to filter the result pane for details templates, see How to Filter the Result Pane in the Exchange Management Console. For more information about details templates, see the following topics: Managing Details Templates How to Customize the Details Template How to Restore a Details Template to the Default Configuration
For information about how to use the Exchange Management Shell configure details templates, see the following topics: Set-DetailsTemplate Get-DetailsTemplate
How to Restore a Details Template to the Default Configuration

The Details Templates Editor does not contain an Undo button, nor can you use a keyboard shortcut to undo an action. To undo an addition you made to the template, you must use the DELETE key. To undo a deletion, you must reapply the setting. You can also revert to the original settings by exiting the Details Templates Editor without saving your changes. If you want to undo changes after you have saved, you can restore the template. When you restore a template, all customization is lost, and the template is restored to its original configuration. This section explains how to use the Microsoft Management Console (MMC) or the Exchange Server Management Shell to restore a details template to its default configuration. Note: You cannot use the Exchange Server Management Console to perform this task. You must use the MMC snap-in or the Exchange Server Management Shell.
284
Before You Begin

To perform this procedure, the account you use must be delegated the Exchange Server Organization Administrator role. For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations. Also, before you begin, you will need to add the Details Templates Editor snap-in to MMC. For detailed instructions, see How to Add the Details Templates Editor to the Microsoft Management Console. To use MMC to restore a details template to the default configuration 1. Start the Details Templates Editor. 2. In the details pane, right-click the template that you want to restore, and then click Restore. 3. Click Yes to confirm that you want to restore the template to its original state. All customization will be lost. To use the Exchange Management Shell to restore a details template to the default configuration Run the following command: Restore-DetailsTemplate -Identity <DetailsTemplateIdParameter> For example, to restore the United States English contacts details template, run the following command: Restore-DetailsTemplate -en-US\Contact For detailed syntax and parameter information, see the Restore-DetailsTemplate reference topic.

For more information about managing details templates, see Managing Details Templates.
285

Managing CA

Uploaded by

Copyright:

Available Formats

Managing CA

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Managing CA

Uploaded by

Copyright:

Available Formats

Managing Client Access in Exchange Server 2007

Managing Client Access in Exchange Server 2007

For More Information

Understanding Client Access Server Management Tasks

Outlook Web Acc ess user interface

Outlook Web Acc ess user interface

Outlook Web Acc ess user interface

Outlook Web Access

Enabling and disabling users for Outlook Anywhe re

ISA Server 2006 Management Console Add or Remove Programs

POP3 and IMAP4

Configuring Transport Layer Security (TLS) or SSL encryption

Microsoft Management Console (MMC) Services snap-in Complete Complete Complete

For More Information

Required Permissions to Manage Client Access

NewAutodiscoverVi rtualDirectory RemoveAutodiscoverVi rtualDirectory

newActiveSyncMail boxPolicy setActiveSyncMail boxPolicy removeActiveSyncMail boxPolicy ExportActiveSyncLog testActiveSyncCon nectivity

NewOWAvirtualDire ctory GetOWAVirtualDire ctory SetOwaVirtualDire ctory RemoveOWAVirtualDire ctory

GetPOPSettings SetPOPSettings GetIMAPSettings SetIMAPSettings

For More Information

Services Used by a Client Access Server

Microsoft Exchange POP3

Microsoft Exchange IMAP4

Internet Information Services Admin Service

Microsoft Exchange Service Host

Microsoft Exchange File Distribution Service

For More Information

Managing Outlook Web Access

Tools for Managing Outlook Web Access

Exchange Management Shell

Internet Information Services (IIS) Manager

Administrative Tasks for Managing Outlook Web Access

Simplify the Outlook Web Access URL

Modify attachment handling settings

Configure authentication methods

Modify language and character handling settings

Configure Gzip compression settings

Disable Web beacons

Configure segmentation settings

Managing Outlook Web Access Virtual Directories in Exchange 2007

Outlook Web Access Virtual Directories

Configuring Outlook Web Access Virtual Directories

Exchange 2007 on Client Access servers and Mailbox servers.

For More Information

How to Create an Outlook Web Access Virtual Directory in Exchange 2007

Before You Begin

For More Information

How to View Properties of an Outlook Web Access Virtual Directory

Before You Begin

For More Information

How to Modify Properties on an Outlook Web Access Virtual Directory

Before You Begin

For more information about syntax and parameters, see Set-OwaVirtualDirectory.

For More Information

How to Remove an Outlook Web Access Virtual Directory

Before You Begin

For More Information

Managing Outlook Web Access URLs

Default Outlook Web Access URL