5.1 Second-generation OWA




The architecture for the first generation of OWA (Exchange 5.0 and 5.5) uses Active Server Pages (ASP). Exchange 2000 increased the capabilities and performance of OWA by leveraging:

  • Increased browser functionality from IE (Internet Explorer) 5 onward, including the support of new protocols such as XML, XSL, and HTTP-DAV (or WebDAV[1]).

  • More experience in hosting Web applications and the necessary architecture to increase scalability. In particular, Microsoft realized that if it wanted to make OWA scalable, it needed to move as much processing into the Store as possible.

  • IIS to support a set of Internet protocol stacks including HTTP.

In addition, by giving every object in the Store an addressable URL, the code required to build a browser interface is easier to write, more supportable, and more easily customized to meet specific needs.

Customer acceptance of Exchange 2000's OWA client delivered a pleasant surprise to Microsoft. The speed and functionality delivered by OWA forced many companies to reconsider how best to deploy and use browser clients, and this led to a flood of requests to add some of the missing features. Microsoft has responded to these requests by incorporating new features in service packs. For example, Exchange 2000 SP2 provides support for new mail notifications and calendar reminders as well as a basic logoff option. When the time came to develop Exchange 2003, Microsoft had done the work to make OWA a highly acceptable client at an architectural level in Exchange 2000, but it needed to build on the foundation to eliminate some rough points and hone OWA's edge. Accordingly, the major themes for OWA 2003 are:

  • Performance: Because OWA always connected to a server, Microsoft concentrated on reducing network traffic through techniques such as compression, more intelligent download of page elements, and so on.

  • Cross-client compatibility: Outlook 2003 boasts a new user interface, and OWA takes many of the same improvements, such as the reading pane, and brings them to the Web world. Apart from generating a better-looking interface, implementing much the same interface across both clients makes it easier for users to move from one to the other. The race between the two clients will continue, because Outlook also continues to improve, but the gap between them is now very small.

  • Security: In common with the general improvement in security across Exchange, OWA increases security through features like controls over the download of Web beacons and specific attachment types as well as the ability to encrypt and sign messages.

  • User requests: Microsoft has received many enhancement requests for OWA, so it responded by supporting server-side rules, spell checking, junk mail processing, and so on.

Over the last two releases, Microsoft has made enormous progress in developing the OWA user interface to a point where it comes close to Outlook. Even as the interface becomes richer, performance improves as Microsoft engineers fine-tune communications between client and server to improve responsiveness, especially over slower connections. New controls provide essential elements of the user interface, including the folder list, and reduce the need to communicate with the server.

5.1.1 The strategic relationship between IIS and Exchange

It is important to underline the extremely close interrelationship that exists between IIS and Exchange. Shortly after the Nimda virus struck in September 2001, Gartner analyst John Pescatore issued a recommendation[2] that Microsoft customers should look at using another Web server instead of IIS. Gartner issued the recommendation because the Nimda virus spreads through file shares and known vulnerabilities that exist in unpatched versions of IIS 5.0. Microsoft's patchy history of security holes in Windows and IIS up to that point did not help, and many people seriously considered how they could move away from IIS.

Microsoft's immediate response was a "lockdown" tool for IIS. You should apply this tool on all Windows 2000 servers that run IIS 5.0, with the notable caveat that you need to throttle back the restrictions imposed by the lockdown tool, since otherwise OWA cannot work because dynamic content is blocked. See Microsoft Knowledge Base article Q309508 for more information. More importantly, Microsoft has done a lot of work since Nimda appeared to block holes and prevent the same problems from occurring. The result of this work is in IIS 6.0, which is more scalable and has a much better security record than IIS 5.0 or 4.0. Exchange 2003 leverages the Worker Process Isolation Mode (WPIM) in IIS 6.0 to protect the interaction between the Store and OWA clients.

You can, of course, follow the Gartner advice and look elsewhere for Web servers, but this decision has enormous consequences for Exchange. As we know, apart from OWA, IIS provides all of the Internet Protocol support used by other components of Exchange. Therefore, if you remove IIS, you remove Internet Protocol support for Exchange. You will still be able to start the Store and connect MAPI clients to mailboxes, but that marks the extent of the server's functionality, and you will be running a configuration that Microsoft is unlikely to support. It is better to implement a proactive security policy that performs the following functions:

  • Monitors for signs of potential attacks (e.g., by checking sites such as http://securityresponse.symantec.com/ [Symantec's Security Response] and http://www.microsoft.com/security/default.asp [Microsoft's own security site]) daily to keep an eye on what's happening in the world of viruses.

  • Establishes how you can learn about new virus attacks if your email server is affected.

  • Defines how patches (IIS, Exchange, and Windows) are tested and then applied to production servers; many of the servers afflicted by Nimda and other viruses are not properly maintained and run outdated software.

Another sad fact is that many Exchange administrators do not know IIS well enough to realize when something is wrong and needs fixing. IIS is now a critical component of Exchange, so perhaps the Nimda attack is the necessary wake-up call for all of us to understand IIS better than we have done in the past.

5.1.2 IIS changes in Exchange 2003

The close working relationship between IIS and Exchange is obvious, but the sheer number of attacks involving IIS required Microsoft to make changes in IIS 6.0, some of which affect Exchange. IIS 6.0 implements a different architecture designed to improve management, performance, scalability, reliability, and security. The most important developments are:

  • Implementation of the kernel-mode HTTP.sys listener, which OWA exploits to protect communications with the Store via the epoxy layer. The HTTP.sys listener replaces the InetInfo process in this role.

  • The user-mode service administration and monitoring agent.

  • Worker Process Isolation Mode (WPIM), which prevents applications from affecting each other: a failure in one application no longer requires administrators to restart the whole W3Svc process. Exchange supports its Web-based applications such as OWA through WPIM.

You can install Exchange 2003 on Windows 2000 servers, in which case OWA works with IIS 5.0 and you do not gain the benefits outlined here (IIS 6.0 does not run on Windows 2000 servers). However, even on Windows 2000, you still get the improved client interface. Running Exchange 2003 on Windows 2003 introduces IIS 6.0 (remember that you have to install IIS before you install Exchange), and you gain better security, more reliability, and faster performance, all very desirable improvements. Time will tell whether hackers continue to attack IIS, but at least the improvements made in IIS 6.0 lay a good base for the future.
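An added example (not from the book): a PowerShell script that checks whether the isolation described above is actually in effect on a Windows 2003 server hosting Exchange 2003. It assumes PowerShell has been installed on the server, that the IIS 6.0 WMI provider (root\MicrosoftIISv2) is present, and that the Exchange virtual directory names are the installation defaults.

```powershell
# Added example: report IIS 6.0 isolation mode and the application pool and
# identity serving each Exchange 2003 virtual directory.
# Assumptions: run as a local administrator on Windows 2003 with IIS 6.0;
# on Windows 2000 / IIS 5.0 the root\MicrosoftIISv2 namespace does not exist,
# so Get-WmiObject fails, which is itself the answer (no WPIM available).
$ns = 'root\MicrosoftIISv2'

# 1. Isolation mode. IIs5IsolationModeEnabled = True means IIS 6.0 has been
#    switched back to the IIS 5.0 process model and application pools are
#    not isolated from one another.
$w3svc = Get-WmiObject -Namespace $ns -Class IIsWebServiceSetting |
         Where-Object { $_.Name -eq 'W3SVC' }
if ($w3svc.IIs5IsolationModeEnabled) {
    Write-Warning 'IIS 6.0 is running in IIS 5.0 isolation mode: WPIM is not in effect.'
} else {
    Write-Host 'IIS 6.0 worker process isolation mode is enabled.'
}

# 2. Map application pool names to the identity their worker processes run as.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }
$pools = @{}
Get-WmiObject -Namespace $ns -Class IIsApplicationPoolSetting | ForEach-Object {
    # Name has the form W3SVC/AppPools/<pool>; keep only the pool name.
    $poolName = $_.Name.Split('/')[-1]
    $pools[$poolName] = $identityNames[[int]$_.AppPoolIdentityType]
}

# 3. Show which pool and identity serve the Exchange 2003 virtual directories
#    (default names assumed), so that OWA is confirmed to be in its own pool
#    rather than sharing one with unrelated Web applications.
$exchangeDirs = 'Exchange', 'ExchWeb', 'Public', 'Exadmin', 'OMA', 'Microsoft-Server-ActiveSync'
Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting |
    Where-Object { $exchangeDirs -contains $_.Name.Split('/')[-1] } |
    ForEach-Object {
        $pool = $_.AppPoolId
        New-Object PSObject -Property @{
            VirtualDirectory = $_.Name
            AppPool          = $pool
            Identity         = $pools[$pool]
        }
    } | Format-Table VirtualDirectory, AppPool, Identity -AutoSize
```

If any Exchange directory shows up in a pool shared with other applications, or in a pool running as LocalSystem that does not need to, that is the configuration to review.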

[1] See http://www.webdav.org/ for information on the DAV extensions. DAV is now described in RFC 2518.

[2] Gartner document FT-14-5524 (September 19, 2001).

Microsoft Exchange Server 2003
Microsoft Exchange Server 2003 Administrators Pocket Consultant
ISBN: 0735619786
Year: 2003
Pages: 188