By default, every user in an Exchange 2000 Server organization can use OWA to access mailbox and public folders. This allows you to deploy customized, Web-based collaboration systems with minimal effort. Just publish a virtual directory, as illustrated in Exercise 1, and your job is done. If you want to implement Internet-based OWA solutions, however, you need to optimize your environment for both security and performance reasons.
This lesson addresses how to provide access to Exchange 2000 Server via OWA in small-scale and large-scale environments. It demonstrates how to access mailbox and public folder resources and explains how to implement load balancing in front end/back end (FE/BE) arrangements.
At the end of this lesson, you will be able to:
Estimated time to complete this lesson: 60 minutes
Single-server environments provide direct access to mailboxes and public folders via the local IIS and the default HTTP virtual server (see Exercise 1). Every user can use a Web browser to connect to his or her home server and access mailbox and public folders via OWA. You can create additional virtual servers and assign each a unique combination of IP address, TCP port, Secure Sockets Layer (SSL) port, and host name to create separate Web server instances for users with different security requirements, as explained in Chapter 11, "Internet-Based Client Access."
NOTE
When working from outside your home domain, you must address the HTTP virtual server that provides access to your mailbox by its fully qualified domain name (FQDN) rather than by its short host name, such as http://bluesky-srv1.bluesky-inc-10.com/exchange/. Furthermore, your mailbox-enabled user account must have an SMTP address that conforms to the SMTP address definition in the default recipient policy of your organization (for instance, Administrator@Bluesky-inc-10.com, where @Bluesky-inc-10.com is defined for SMTP addresses in the default recipient policy).
It is a good idea to deploy Exchange 2000 Server in an FE/BE arrangement if you want to support a large number of users over the Internet. Front end servers concentrate incoming client connections and proxy them to the appropriate back end servers where the mailboxes reside. The front end server looks up the mailbox location using Active Directory. You can move mailboxes between servers without changing the URL that users use to access their mailboxes, because the name of the actual mailbox or public store is not relevant. Make sure the virtual root names match between the front end and back end systems (that is, Exchange, Public, and roots for alternative public folder hierarchies). The configuration of front end servers was covered in Chapter 4, "Planning the Microsoft Exchange 2000 Server Installation" and discussed further in Chapter 19, "Implementing Advanced Security."
NOTE
OWA URLs are based on host or domain names. They do not depend on which mailbox store or public store holds the resource, which is why mailboxes can be moved between servers without changing the URL.
In an FE/BE environment, you can group all your front end systems together for load balancing using Microsoft Network Load Balancing or another high-performance hardware load-balancing solution, such as Cisco Local Director. A free alternative is a round-robin DNS configuration as described in RFC 1794, but it has serious drawbacks, discussed next. You can read more about Microsoft Network Load Balancing in the Windows 2000 Server product documentation.
Round-robin DNS is based on the simple concept of mapping the same host name to the IP addresses of multiple front end servers, which are supposed to share the workload. To distribute user connections, the DNS server rotates the order of the host records in successive responses, and clients use the first address returned. This also provides some level of fault tolerance: a client whose connection to one front end server fails can retry and, on a subsequent lookup, be handed the address of another system. Keep in mind, however, that DNS has no knowledge of server health, so the address of a failed front end server continues to be returned until you remove its record. Furthermore, Windows 2000 DNS by default prioritizes multiple host records based on their IP address, returning first the addresses on the same subnet as the client (netmask ordering). Clients on the same subnet as one front end server are therefore always directed to that server, which prevents round-robin DNS from working properly. Both behaviors are controlled in the DNS snap-in, on the Advanced tab of the server Properties dialog box, via the Enable Round Robin and Enable Netmask Ordering check boxes. You can read more about the configuration of Windows 2000 DNS in the product documentation.
Round-robin DNS is also a poor choice for load balancing if you use SSL to encrypt the communication between the client and the front end server. The SSL session state, including the bulk encryption key, is cached on the server that negotiated it. When a subsequent lookup directs the client to a different front end server, that server knows nothing about the session, and a full SSL handshake must be performed to generate a new bulk encryption key. This does not weaken the encryption, but it is expensive for client and server alike, and with many users it negates much of the performance benefit of load balancing. Microsoft Network Load Balancing, configured with client affinity, keeps a given client's connections on the same host and is therefore a more reliable and preferable solution.
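The following script is an added example for this lesson; it is not part of the original text or of Windows 2000 DNS. It models the two Advanced-tab settings discussed above, round robin and netmask ordering, and shows which front end server successive lookups from a client would actually reach. The server addresses and client addresses are constructed, and the model approximates Windows DNS behavior (rotate the records, then move addresses on the client's class C subnet to the front) rather than reproducing its code.

```python
"""Model of how a DNS server with round robin and netmask ordering
answers repeated queries for a host name that has several A records.

Added example for this lesson, not part of the original text or of
Windows 2000 DNS. The front end addresses and client addresses below are
constructed."""
from ipaddress import ip_address, ip_network

# Constructed: three front end servers published under one host name,
# two of them on 192.168.1.0/24 and one on 192.168.2.0/24.
FRONT_END_RECORDS = ["192.168.1.10", "192.168.1.11", "192.168.2.10"]


class DnsServerModel:
    """Minimal model of the Enable Round Robin and Enable Netmask Ordering
    settings on the Advanced tab of a Windows 2000 DNS server (assumption:
    both default to enabled, netmask ordering uses a /24 match)."""

    def __init__(self, records, round_robin=True, netmask_ordering=True,
                 prefix_len=24):
        self.records = list(records)
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.prefix_len = prefix_len
        self._queries = 0  # how many answers have been handed out so far

    def answer(self, client_ip):
        """Return the A records in the order the server would send them.
        Resolvers use the first address, so the order decides which front
        end server the client connects to."""
        answer = list(self.records)
        if self.round_robin:
            # Rotate the list by one position per query.
            shift = self._queries % len(answer)
            answer = answer[shift:] + answer[:shift]
            self._queries += 1
        if self.netmask_ordering:
            # Records on the client's subnet move to the front; the relative
            # order inside each group is kept, so round robin still works
            # among the local records but never reaches the remote ones.
            client_net = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
            local = [a for a in answer if ip_address(a) in client_net]
            remote = [a for a in answer if ip_address(a) not in client_net]
            answer = local + remote
        return answer


def first_addresses(client_ip, queries, **settings):
    """Which front end server each of `queries` successive lookups from
    client_ip would reach (the first address of each answer)."""
    server = DnsServerModel(FRONT_END_RECORDS, **settings)
    return [server.answer(client_ip)[0] for _ in range(queries)]


if __name__ == "__main__":
    # Round robin alone distributes a remote client across all three servers.
    print("round robin only, client 10.0.0.5:",
          first_addresses("10.0.0.5", 4, netmask_ordering=False))
    # With netmask ordering, a client on 192.168.2.0/24 is stuck on the
    # one front end server on its own subnet.
    print("round robin + netmask ordering, client 192.168.2.77:",
          first_addresses("192.168.2.77", 4))
    # A client on 192.168.1.0/24 alternates between the two local servers
    # and never sees 192.168.2.10.
    print("round robin + netmask ordering, client 192.168.1.50:",
          first_addresses("192.168.1.50", 4))
```

Run it as is to see the three cases side by side; change `netmask_ordering=False` in the second call to confirm that clearing the Enable Netmask Ordering check box is what restores the rotation for clients that share a subnet with a front end server.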
You can control access to OWA resources per HTTP virtual server, virtual directory, and user. Unfortunately, when working with the default HTTP virtual server, called Exchange Virtual Server, you have to juggle three different administrative utilities—IIS, Exchange System Manager, and Active Directory Users and Computers. You may find it useful to create a custom Microsoft Management Console (MMC) utility to include all three snap-ins in a single tool for OWA management, as illustrated in Chapter 2, "Integration with Microsoft Windows 2000."
IIS is required to manage the properties (including security settings) for the Default Web Site, which provides access to the OWA virtual directories. Exchange System Manager is the right tool to control access to virtual directories. Each virtual directory provides an Access tab, where you can define Access Control settings, Execute Permissions, and Authentication Settings. Last but not least, you can use Active Directory Users and Computers to enable or disable OWA for mailbox-enabled accounts. Make sure Advanced Features is enabled under View, display the account properties, click on the Exchange Advanced tab, and click Protocol Settings. In the Protocols dialog box, select HTTP, and click Settings. In the HTTP Protocol Details dialog box, disable the Enable For Mailbox check box to prevent the user from accessing Exchange 2000 Server through HTTP. Similarly, you can disable POP3 and IMAP4 per user.
Validated users can work with mailbox and public folders and can search the Global Address List. Generally speaking, they have the same permissions as if they were logged on directly using Outlook 2000. When using Internet Explorer 4.0 or Internet Explorer 5.0, IIS obtains your Windows 2000 credentials directly from the browser and OWA automatically connects you to your mailbox. With Netscape Navigator and other browsers that do not support integrated Windows authentication, you are prompted for an account name and password. Based on the account information, your mailbox is determined from Active Directory. IIS uses integrated Windows authentication by default. If you enable Basic authentication to support these browsers, keep in mind that it transmits the account name and password Base64-encoded but otherwise in clear text, so it should be enabled only on a virtual server that requires SSL. The configuration of authentication mechanisms was covered in Chapter 11, "Internet-Based Client Access."
Because OWA determines the mailbox automatically from the account information presented, you only have to specify the URL http://<Server Name>/Exchange/ to gain access to your personal mailbox. If you want to work with other mailboxes, append the mailbox alias to the URL (for example, http://bluesky-srv1/Exchange/CarlT/). The mailbox alias corresponds to the user-specific portion of the e-mail address, for instance CarlT in CarlT@Bluesky-inc-10.com. It is a good idea to provide your users with an SMTP address that corresponds to the format <Windows 2000 account name>@<domain name>. Access to another user's mailbox is granted only if your account has the required permissions on that mailbox; if it does not, an Enter Network Password dialog box appears, prompting you for account information that does.
NOTE
You cannot work with two different OWA sessions on the same computer simultaneously.
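Because any user can name any mailbox alias in the URL, requests of the form /exchange/<alias>/ made under an account other than <alias> are worth reviewing in the IIS logs: a string of 401 responses shows someone probing other people's mailboxes, and a 200 shows that access to another mailbox actually succeeded. The script below is an added example for this lesson, not part of the original text or of Exchange 2000 Server. It assumes, as the lesson recommends, that each user's mailbox alias equals the Windows 2000 account name, so that the alias in the URL can be compared with the cs-username field IIS logs; the log lines it parses are constructed, in the W3C extended format IIS 5.0 writes.

```python
"""Review IIS W3C extended log entries for OWA requests that name a
mailbox other than the authenticated user's own.

Added example for this lesson; not part of the original text or of
Exchange 2000 Server. Assumes mailbox alias == Windows 2000 account name.
The log lines are constructed."""
import re

# Constructed sample log (fields chosen from IIS 5.0's W3C extended format).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2001-03-12 09:14:02 10.1.1.25 BLUESKY\\CarlT GET /exchange/CarlT/Inbox/ - 200
2001-03-12 09:14:40 10.1.1.25 BLUESKY\\CarlT GET /exchange/Administrator/Inbox/ - 401
2001-03-12 09:15:03 10.1.1.25 BLUESKY\\CarlT GET /exchange/Administrator/Inbox/ - 401
2001-03-12 09:16:10 10.1.1.40 BLUESKY\\Administrator GET /exchange/CarlT/Calendar/ - 200
2001-03-12 09:17:22 10.1.1.52 - GET /exchange/CarlT/ - 401
2001-03-12 09:17:23 10.1.1.52 - GET /exchange/CarlT/ - 200
2001-03-12 09:18:00 10.1.1.52 BLUESKY\\CarlT GET /exchange/ - 200
2001-03-12 09:18:30 10.1.1.60 BLUESKY\\KimA GET /public/User%20Manual/ - 200
"""

# /exchange/<alias>/...  (the virtual root name is not case sensitive in IIS)
MAILBOX_PATH = re.compile(r"^/exchange/([^/]+)/", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def account_name(cs_username):
    """Strip the DOMAIN\\ prefix IIS writes for validated users.
    IIS logs '-' when the request carried no credentials."""
    if cs_username == "-":
        return None
    return cs_username.rsplit("\\", 1)[-1]


def review_owa_log(text):
    """Return (finding, entry) pairs for requests to a mailbox path made by a
    different user, or served to a request that carried no credentials at all.

    An anonymous 401 is skipped: with integrated Windows authentication the
    first request of every session is logged that way, before the browser
    answers the challenge. An anonymous 2xx on a mailbox path should never
    happen, because all mailbox access is validated."""
    findings = []
    for entry in parse_w3c(text):
        match = MAILBOX_PATH.match(entry["cs-uri-stem"])
        if not match:
            continue  # /exchange/ alone or a public folder path: nothing to compare
        alias = match.group(1)
        user = account_name(entry["cs-username"])
        succeeded = entry["sc-status"].startswith("2")
        if user is None:
            if succeeded:
                findings.append(("anonymous request to mailbox path succeeded", entry))
        elif alias.lower() != user.lower():
            outcome = "succeeded" if succeeded else "denied"
            findings.append((f"{user} opened mailbox {alias} ({outcome})", entry))
    return findings


if __name__ == "__main__":
    for finding, entry in review_owa_log(SAMPLE_LOG):
        print(f"{entry['date']} {entry['time']} {entry['c-ip']:<12} {finding}")
```

Point `SAMPLE_LOG` at the contents of a real log file from %SystemRoot%\System32\LogFiles to run it against your own servers; if your logs include the cs(User-Agent) field, which contains spaces replaced by plus signs, the one-field-per-token split used here still holds.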
All access to mailbox and public folder resources is validated. Although you have the option to allow anonymous access to public folders, this does not mean that anonymous requests reach the Information Store without any Windows 2000 identity. By default, IIS runs them under its anonymous guest account, IUSR_<SERVERNAME>. You can read more about anonymous access to IIS resources in the Windows 2000 Server product documentation.
It is very important to keep in mind that the IIS guest account, IUSR_<SERVERNAME>, is a valid Windows 2000 user account. Therefore, the Default client permissions are applied and not the Anonymous permissions. For this reason, it is not advisable to enable anonymous access to the MAPI-based public folder hierarchy (published as http://<server name>/public). Anonymous Web users would then be able to browse through your public folder resources just as any regular user in your organization. Instead, create additional virtual directories for those public folders that you want to publish and enable anonymous access only for these virtual resources. You can read more about the administration of public folders in Chapter 17, "Public Folder Management."
NOTE
It is a good idea to mail-enable the IIS guest account. This gives you the opportunity to configure explicit access permissions for anonymous users in Exchange System Manager and Outlook 2000.
To grant anonymous users access to the User Manual virtual directory (created in Exercise 1 of Lesson 1)
NOTE
The name you specify under Anonymous Account is used for informational purposes in Exchange System Manager. This account has no meaning for anonymous access over the Web; however, it is a good idea to reference the IUSR_<SERVERNAME> account, such as IUSR_BLUESKY-SRV1.
NOTE
The only difference between an anonymous user and a validated user is that the former does not own a mailbox (although even this is possible) and does not have to specify account information to access Exchange 2000 Server resources. The Information Store will check whether the anonymous account has the permissions to open the requested resource. If the account has sufficient privileges, the access is granted; otherwise, the user is prompted for account information according to defined authentication settings.
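The permission check described in the preceding paragraphs is the crux of the matter: because IIS presents a real account, the Information Store never consults the Anonymous entry for a Web user. The script below is an added example for this lesson, not part of the original text or of Exchange 2000 Server. It is a deliberately simplified model of client permission resolution (explicit entry for the account first, then Default for any other authenticated account, Anonymous only when no account is behind the request); the role definitions are abbreviated, and the folders and accounts are constructed. It shows the hierarchy leak the lesson warns about and the effect of the recommended fix, an explicit entry for the mail-enabled IUSR account.

```python
"""Model of how a public folder's client permissions resolve for a Web
request, showing why the IIS anonymous account receives the Default
permissions rather than the Anonymous permissions.

Added example for this lesson; not part of the original text or of
Exchange 2000 Server. It simplifies the Information Store's access check
to the one point the lesson makes: IUSR_<SERVERNAME> is a real Windows
2000 account, so a request made under it is an authenticated request.
Role contents are abbreviated; folders and accounts are constructed."""

ROLES = {
    "None": frozenset(),
    "Reviewer": frozenset({"read", "folder visible"}),
    "Contributor": frozenset({"create items", "folder visible"}),
    "Author": frozenset({"read", "create items", "edit own", "delete own",
                         "folder visible"}),
    "Editor": frozenset({"read", "create items", "edit all", "delete all",
                         "folder visible"}),
    "Owner": frozenset({"read", "create items", "edit all", "delete all",
                        "create subfolders", "folder owner", "folder visible"}),
}

ANONYMOUS = None  # a request with no Windows 2000 account behind it at all


def effective_rights(acl, principal):
    """Resolve the rights a principal has on a folder.

    acl maps account names, plus the special entries "Default" and
    "Anonymous", to role names. An explicit entry for the account wins;
    any other authenticated account falls back to Default; only a request
    without any account is governed by the Anonymous entry."""
    if principal is ANONYMOUS:
        return ROLES[acl.get("Anonymous", "None")]
    if principal in acl:
        return ROLES[acl[principal]]
    return ROLES[acl.get("Default", "None")]


def web_request_rights(acl, iis_anonymous_account, authenticated_user=None):
    """Rights a Web request ends up with: IIS impersonates the validated
    user or, for anonymous access, its own guest account. Either way the
    Information Store sees a real account, never ANONYMOUS."""
    principal = authenticated_user if authenticated_user else iis_anonymous_account
    return effective_rights(acl, principal)


# Constructed: a folder in the MAPI hierarchy as most organizations leave it.
INTERNAL_FOLDER_ACL = {"Default": "Author", "Anonymous": "None",
                       "Administrator": "Owner"}

# Constructed: the hardened form, after mail-enabling IUSR_BLUESKY-SRV1 and
# giving it an explicit entry so Default no longer applies to it.
HARDENED_FOLDER_ACL = {**INTERNAL_FOLDER_ACL, "IUSR_BLUESKY-SRV1": "None"}

# Constructed: a folder published through its own virtual directory for
# anonymous readers, where Default and the IUSR entry are meant to agree.
USER_MANUAL_ACL = {"Default": "Reviewer", "Anonymous": "Reviewer",
                   "IUSR_BLUESKY-SRV1": "Reviewer"}

if __name__ == "__main__":
    iusr = "IUSR_BLUESKY-SRV1"
    print("anonymous Web user on internal folder :",
          sorted(web_request_rights(INTERNAL_FOLDER_ACL, iusr)))   # Default applies
    print("what Anonymous entry would have given :",
          sorted(effective_rights(INTERNAL_FOLDER_ACL, ANONYMOUS)))  # never consulted
    print("same user after explicit IUSR entry   :",
          sorted(web_request_rights(HARDENED_FOLDER_ACL, iusr)))
    print("anonymous Web user on User Manual     :",
          sorted(web_request_rights(USER_MANUAL_ACL, iusr)))
```

The first two lines of output are the whole problem: the administrator set Anonymous to None, but an unauthenticated Web visitor arrives as IUSR_BLUESKY-SRV1 and gets Author on every folder that still carries the Default entry. Only the explicit IUSR entry in the hardened ACL, or publishing selected folders through separate virtual directories as the lesson recommends, closes that gap.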
As outlined in Chapter 11, "Internet-Based Client Access," you can stop, start, or pause each virtual server individually. Stopping the HTTP virtual server(s) prevents users from accessing resources via OWA. In Exchange System Manager, select the desired virtual server object, such as Exchange Virtual Server, and then select Stop from the shortcut menu.
IMPORTANT
The default HTTP server provides access to public folder properties through the Exadmin virtual directory. Stopping the virtual server prevents Exchange System Manager from being able to manage public folder settings. You will receive an error notification that access to the public folder has failed.
In this exercise you will work with Inbox, calendar, and public folder items by means of OWA. You will examine various URLs that provide access to the resources.
To view a multimedia demonstration that displays how to perform this procedure, run the EX2CH22.AVI files from the \Exercise_Information\Chapter22 folder on the Supplemental Course Materials CD.
To send and receive messages and test other OWA features
NOTE
If you receive an HTTP 500 Error when starting OWA, click on the Reload button to open the page successfully. If the HTTP 500 Error occurs repeatedly, restart the Exchange 2000 server to re-initialize the Information Store and IIS.
NOTE
If you have installed Office 2000 (without HTML Source Edit) and multimedia messaging for OWA, you may be prompted to insert the Office 2000 CD the first time you use Outlook Web Access. The Office 2000 installer program attempts to install HTML Source Edit. If the Office 2000 CD is not at hand, click Cancel in the installer program. This feature is not required for OWA or Office 2000 to work correctly.
Figure 22.3 Sending a rich text message in OWA
Figure 22.4 Displaying contacts in OWA
NOTE
If you are working on a workstation where the Exchange Multimedia Control is already installed, the Download button will be labeled Re-Install.
Figure 22.5 Displaying items in a custom view
Figure 22.6 Using URLs to access resources directly
With OWA, you have access to all items in your mailbox as well as public folders and the Global Address List. OWA supports exciting new technologies, such as the creation of messages that contain audio or video information using Multimedia Messaging. To access your mailbox, use http://<server name>/Exchange/. To access the MAPI-based public folder hierarchy instead, use http://<server name>/Public/. It is possible to access individual mailboxes, public folders, and items in folders directly. All items can be referenced in a URL and desired actions may be specified in query strings.
As mentioned at the beginning of this chapter, the new OWA is not compatible with the OWA of earlier versions of Exchange Server. Unfortunately, customizations made to an earlier OWA cannot be retained after upgrading. However, you can continue to use the legacy OWA version to access Exchange 2000 Server resources.
During the upgrading of your organization to Exchange 2000 Server, keep in mind that the new OWA cannot access public folders on earlier versions (see Figure 22.7). You should replicate all relevant public folders to Exchange 2000 Server to provide access to them. Another option is to directly upgrade the existing public server first. Upgrade strategies are discussed in Chapter 6, "Coexistence with Previous Microsoft Exchange Server Versions."
Figure 22.7 Outlook Web Access in a mixed environment
The following issues are important in regards to OWA when upgrading an Exchange organization to Exchange 2000 Server: