Accessing Exchange from the Macintosh


As in the Windows world, people use many different email clients with the Macintosh platform. Two clients interface with Exchange directly (Outlook 2001 and Entourage 2004), whereas the rest must rely on POP3 or IMAP services to connect with the Exchange server. For example, all versions of Entourage prior to Entourage 2004 and Outlook Express for the Mac connect to an Exchange server using IMAP according to best practices. Other third-party mail clients generally use POP3 to connect to a mail server, but a few support both POP3 and IMAP.

This section covers configuring both the Macintosh mail clients and the Exchange services on SBS to allow a variety of Mac-based mail clients to interact with the Exchange server in SBS 2003.

Best Practice: IMAP Instead of POP3

Because so many mail clients now support the IMAP protocol in addition to POP3, there is rarely a need to enable POP3 services on SBS to allow external clients to get to their email. Additionally, the performance benefits of IMAP far outweigh those of POP3.

The main difference between IMAP and POP3 is the way each protocol handles mail on the server by default. POP3 by default attempts to download all messages from the server and then deletes the messages from the server when the connection is done. In an Exchange environment, this is not desired. Every POP3 mail client has a setting that leaves the messages in the mailbox on the server instead of deleting them, but this is usually not the default, and forgetting to enable it just once removes all mail from the server on the first connection.

IMAP, on the other hand, leaves all messages on the server by default, and when it makes its initial connection, it collects only the mail header information for each message instead of downloading the entire message. The full message contents are downloaded only when the user opens the message in the IMAP client. This significantly reduces the amount of time necessary to make the initial mail connection and allows the user to select which messages to download completely. The performance increase is especially significant when there are multiple mail messages with large attachments. POP3 downloads all the messages and attachments by default, whereas IMAP downloads only the header information.

POP3 has been a reliable and familiar mail protocol for a long time, but IMAP is now the preferred protocol to use when interfacing with an Exchange server.

Both POP3 and IMAP have a security risk in that the user's username and password are sent across the network to the server in plain text. Anyone monitoring port 110 or 143 going into your network could get the authentication information for accounts accessing POP3 or IMAP services and thus gain access to other services on the network.
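A way to check this exposure from the defender's side is to read what the server advertises before login. The following Python sketch is an added example, not part of the original chapter: it classifies an IMAP CAPABILITY reply (RFC 3501) or a POP3 CAPA reply (RFC 2449/2595) by whether a password can be sent before TLS is negotiated. The verdict names and the sample replies are constructed for illustration and are not captured from an SBS server.

```python
import re

# SASL mechanisms that carry the password unencrypted (base64 is not encryption).
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}

def parse_imap_capabilities(line):
    """Capability tokens from an IMAP greeting or an untagged CAPABILITY reply."""
    m = (re.search(r"\[CAPABILITY\s+([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I))
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def parse_pop3_capa(response):
    """Capability lines from a multi-line POP3 CAPA reply (empty if unsupported)."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return set()
    caps = set()
    for ln in lines[1:]:
        ln = ln.strip()
        if ln == ".":          # terminator of the multi-line reply
            break
        if ln:
            caps.add(ln.upper())
    return caps

def _verdict(tls_offered, cleartext_accepted):
    if tls_offered:
        return "tls-optional" if cleartext_accepted else "tls-required"
    return "cleartext-only" if cleartext_accepted else "no-cleartext-login"

def assess_imap(caps):
    """IMAP LOGIN is cleartext unless the server advertises LOGINDISABLED."""
    sasl = {c.split("=", 1)[1] for c in caps if c.startswith("AUTH=")}
    cleartext = "LOGINDISABLED" not in caps or bool(sasl & CLEARTEXT_SASL)
    return _verdict("STARTTLS" in caps, cleartext)

def assess_pop3(caps):
    """POP3 USER/PASS is cleartext; STLS is the POP3 STARTTLS capability."""
    if not caps:
        return "unknown"       # no CAPA support: cannot judge from advertisement
    sasl = set()
    for c in caps:
        if c.startswith("SASL"):
            sasl |= set(c.split()[1:])
    cleartext = "USER" in caps or bool(sasl & CLEARTEXT_SASL)
    return _verdict("STLS" in caps, cleartext)

# Constructed sample replies (not real server output).
IMAP_NO_TLS = "* OK [CAPABILITY IMAP4rev1 AUTH=NTLM AUTH=PLAIN] server ready"
IMAP_OPTIONAL = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
IMAP_REQUIRED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
POP3_NO_TLS = "+OK Capability list follows\r\nUSER\r\nUIDL\r\nTOP\r\n.\r\n"
POP3_REQUIRED = "+OK Capability list follows\r\nSTLS\r\nSASL NTLM\r\n.\r\n"

if __name__ == "__main__":
    for name, reply in [("no TLS", IMAP_NO_TLS), ("optional", IMAP_OPTIONAL),
                        ("required", IMAP_REQUIRED)]:
        print("IMAP", name, "->", assess_imap(parse_imap_capabilities(reply)))
    for name, reply in [("no TLS", POP3_NO_TLS), ("required", POP3_REQUIRED)]:
        print("POP3", name, "->", assess_pop3(parse_pop3_capa(reply)))
```

The verdict reflects only what the server advertises; a result of cleartext-only or tls-optional on a port reachable from outside the firewall means credentials can cross the network as described above.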


Enable IMAP on SBS

Exchange 2003 does not enable POP3 and IMAP by default as Exchange 2000 did. To allow Macintosh email clients to make an IMAP connection to the Exchange server, the IMAP service must be started and set to automatically start when the server boots. To do this, open the Services control panel, double-click on the Microsoft Exchange IMAP4 service, change the Startup Type to Automatic, click Apply, click Start, and then click OK.

Caution

When enabling IMAP services on the SBS 2003 server, you need to enable port 143 inbound on all firewalls if you want external clients to collect email using IMAP. Internal clients can connect as soon as the IMAP services are enabled, but you need to follow the instructions in Chapter 7, "Routing and Remote Access Service, VPN, and Firewalls," to enable inbound IMAP connections through the RRAS firewall, or review Chapter 24, "Internet Security and Acceleration Server 2004 Advanced Administration," to manually create a server publishing rule in ISA 2004 for IMAP.


Outlook Express

Outlook Express 5 is the latest release of Outlook Express for the Mac. Although it is an OS 9 product, it can be run under Mac OS X in Classic mode. Because Outlook Express 5 is an older product (it has not been updated since October 2002), it should really be used only as a stopgap measure to interact with the Exchange server for email until another, more robust mail client can be installed and used. If Outlook Web Access can be accessed from the Mac, it would be a better choice than Outlook Express in most cases.

Mac OS 9 and .local

Interestingly enough, Macs running Mac OS 9.2 also have the same .local name lookup problem, even though the Rendezvous service is not supported on Mac OS 9.2. Using Outlook or Outlook Express on Macs running OS 9.2 can also cause problems if the internal domain name ends in .local. When an OS 9.2 machine does a lookup for a name in the .local namespace, the OS does a multicast DNS lookup instead of a direct DNS query against the DNS server to try and resolve the name to an IP address.

There is no "one size fits all" workaround in Mac OS 9.2 to get past the .local lookup problems as there is for Mac OS 10.3. With OS 9.2, you have to resort to using Hosts files on the Macintoshes to map the names with the internal IP addresses. Fortunately, creating the Hosts file on the Mac is not difficult. Unfortunately, the Hosts file must be updated every time there is a change on the network, and the Hosts file will never work when looking up names for machines that are getting their addresses from DHCP.

Follow these steps to create a Hosts file on a Mac OS 9 machine:

1. Use SimpleText to create a new file on the desktop.
2. Enter [machinename].[domainname].local A 192.168.x.x in the file, where machinename is the name of the server or workstation, domainname is the name of the domain, and 192.168.x.x is the IP address of the machine. Press the Tab key between each section. Repeat this step for as many entries as are needed with each entry on a separate line.
3. Save the file to the Mac desktop.
4. Open the TCP/IP control panel by selecting the Apple menu, Control Panels.
5. Click Select Hosts File.
6. Locate the file you just saved on the desktop, select it, and click Open.
7. If a Hosts file already exists, you are prompted to replace the contents of the existing Hosts file with the selected file. Click OK.
8. Close the TCP/IP control panel and click Save to activate the new configuration.

You now will be able to connect to internal machines by name.


Follow these steps to add an IMAP profile to Outlook Express:

1. Open Outlook Express.
2. Select Tools, Accounts from the menu.
3. In the Accounts window, click New.
4. Enter the display name and click the right arrow (see Figure 17.13 for the window layout).

Figure 17.13. The setup assistants in Mac OS 9 often use "forward" and "back" arrows to navigate through the wizard.

5. In the Internet E-mail Address window, enter the public email address for the user. Click the right arrow to continue.
6. In the Email Server Names window, select IMAP from the drop-down menu, and enter the name or IP address of the SBS server in both the Incoming Mail and Outgoing Mail fields. Click the right arrow to continue.
7. In the Internet Mail Logon window, enter the user's logon name in the Account ID field and enter the password in the Password field. Click the right arrow to continue.
8. Enter a name for the account in the Account Name field. This name is displayed in the main folder list to identify this account from others that may be configured in the application.
9. Click Finish when done.
10. Close the Accounts window.

After the account has been configured, it displays in the folder list in the left pane of the Outlook Express interface. To start the initial connection with the Exchange server, click the Send & Receive button in the button bar. When the transaction completes, an expansion arrow appears next to the account folder. When this folder is expanded, Outlook Express displays the Inbox and a listing of all the unread messages.

Figure 17.14 shows the default status of all the folders on the Exchange server in the Outlook Express configuration. By default, Outlook Express IMAP connections only connect to and download messages in the Inbox. Outlook Express downloads all the names of the folders for the mail account, but it does not download the headers of any messages in any of those folders until the folder is subscribed. To subscribe to a folder, select that folder in the right pane and click the Subscribe button in the button bar. At that point, Outlook Express adds the folder to the list in the left pane and downloads the mail headers for any items in that folder.

Figure 17.14. Outlook Express for Macintosh can make an IMAP connection to the Exchange server.


Mac OS X Mail

Mac OS X includes an email application, called Mail, with the OS. During the initial Macintosh setup, the user is prompted to configure Mail to connect to the .Mac mail service, but additional accounts can be added to Mail, including IMAP connections to Exchange on SBS.

Follow these steps to add an IMAP configuration to the Mail application in Mac OS X:

1. Open the Mail application.
2. Open the Mail application preferences (press Command-, or select Mail, Preferences from the menu).
3. Click the Accounts tab.
4. Click the + in the lower-left corner of the Accounts window.
5. Select IMAP from the Account Type drop-down menu.
6. Enter a descriptive name for the account in the Description field.
7. Enter the public email address in the Email Address field.
8. Enter the username in the Full Name field.
9. Enter the name or IP address for the SBS server in the Incoming Mail Server field.
10. Enter the user's logon name in the Username field (no domain name is necessary).
11. Select Add Server from the Outgoing Mail Server (SMTP) drop-down menu.
12. Enter the name or IP address for the SBS server in the Outgoing Mail Server field.
13. Select Password from the Authentication drop-down menu.
14. Enter the user's logon name and password in the User Name and Password fields. The window should now look like Figure 17.15.

Figure 17.15. SMTP authentication requires the username and password, but no domain name is needed.

15. Click OK. The Accounts window should now look like Figure 17.16.

Figure 17.16. The Mail application can also use IMAP to communicate with the SBS Exchange server.

16. Close the Preferences window.

When Mail finishes making the IMAP connection and has transferred all the information from the mail server, the main application window should appear as shown in Figure 17.17. Messages in the Exchange Inbox appear in the Inbox tray in the left pane. Sent messages appear in the Sent Items tray.

Figure 17.17. The IMAP connection in Mail pulls the mail folder information from the Exchange server.


When you expand the mail service tray (usually listed at the bottom of the left pane), you see all the folders from the Exchange server account. However, because IMAP only handles mail items, you do not see the Outlook calendar when you select the Calendar folder. Instead, you see a mail item that contains an ICS file attachment. Double-clicking on the ICS attachment launches iCal and attempts to add the calendar item into the iCal schedule.

Entourage X

When Microsoft introduced Office X for Mac OS X, it dropped the Outlook product in favor of a new mail and calendaring tool called Entourage. Although Entourage had the look and feel of the other Office applications under OS X, it lacked one significant function: Exchange support through MAPI. In fact, until Microsoft released Office Update 10.1.4, Entourage could not connect to an Exchange server other than as a POP3 client. The Exchange compatibility promised in Office Update 10.1.4 only delivered IMAP and LDAP functionality to connect to the Exchange server, not true MAPI connectivity as with other Exchange clients. A full discussion of the pros and cons of the Entourage X mail client has been documented in the Entourage Special Report at MacWindows, http://www.macwindows.com/entourage.html.

Note

If you are using Entourage X in your environment, make sure that Entourage has been updated to Office Update 10.1.6. Updates can be downloaded from http://www.microsoft.com/mac/downloads.aspx.


Follow these steps to set up Entourage X to communicate with your SBS Exchange server:

1. Open the Accounts window (select Tools, Accounts) in Entourage.
2. Select the Exchange tab and click New.
3. In the Basic User Information field, click the Configure Account Manually button.
4. In the Account Settings tab, fill in the Account Name, Account ID, Password, Domain, Exchange Server, Name, and Email Address fields with the appropriate information (see Figure 17.18).

Figure 17.18. The Entourage X Account Settings tab contains the necessary information to connect to the Exchange server.

5. Click on the Mail tab and enter the name of the SBS server in the SMTP Server field.
6. Click on the Directory tab and enter the name of the SBS server in the LDAP server field.
7. Click on the Advanced tab and enter [servername]/public/ in the Free/Busy Server field, where [servername] is the name of the SBS server.

Note

Use of the Free/Busy server in Entourage X is sketchy at best. Because it uses OWA to update the calendar information, directory security settings in IIS for the Public folder URL have a significant impact on how well this feature functions. When Entourage X was released, OWA for Exchange 2000 did not require SSL for connections, so Entourage X expects no SSL for this connection. If SSL is used (which it is by default in SBS 2003), you will need to modify the Security settings in the Advanced tab by enabling the DAV Service Requires Secure Connections (SSL) check box, unless you are still using the self-signed certificate provided by SBS. Otherwise, you could turn off the SSL requirements on the Public folder in IIS (not recommended) or upgrade to Entourage 2004 and follow the configuration information listed later in this chapter (highly recommended).

8. Click OK and close the Accounts window.

After the account is set up, Entourage connects to the Exchange server, downloads all the folder and mail information, and displays the contents of the Exchange mailbox as shown in Figure 17.19.

Figure 17.19. The Entourage Mail window displays the folders and mail items for the user's mailbox on the Exchange server.


Exchange

Making an Exchange-aware connection to the mail server is advantageous because the Exchange connection allows you to access more than just mail items and calendar items represented as mail objects. With a full Exchange connection, a mail client can access the Contacts and Public folders on the server and have a better interaction with calendar items. This section looks at three ways to have the full Exchange mail experience from the Macintosh.

Best Practice: Outlook 2001 and Entourage 2004

To get the best possible integration with the Exchange mail server from the Macintosh, use the Outlook 2001 client on Macs running Mac OS 9 or earlier and Entourage 2004 on Macs running Mac OS X. Outlook 2001 has better integration with the Exchange server, but because it has not been updated in several years, it may not be fully compatible with future updates to Exchange 2003.

Entourage 2004 comes the closest to full Exchange integration of any Entourage client released to date. It uses Outlook Web Access as its engine to connect, so in some ways, it is nothing more than a well-written front end to OWA. However, it does have a similar look and feel to Outlook 2003 on the PC and can be used with ease on PowerBooks that move between connecting locally and connecting remotely.

More information on configuring Outlook 2001 and Entourage 2004 is contained within this section of the chapter.


Outlook Web Access (OWA)

The only real difference between Outlook Web Access (OWA) on a Macintosh and a PC is that the Macintosh can only access the Basic version of OWA. When the OWA interface is loaded from a Macintosh, the user is presented with the familiar logon screen, except the only options available are selecting from a Public or Private computer. The option to select from Premium and Basic is not even displayed.

The Basic version of OWA lacks several features of the Premium version. Most notably visible when the OWA interface is fully loaded is the lack of a preview pane. To read a message, the user must click on the message header, and the message contents are displayed in the main web frame instead of opening in a separate web browser window. Other features missing from the Basic version are the interface to add and edit mail routing rules, spell checking tools, and the ability to modify the appearance of the OWA interface.

The biggest challenge to running OWA from a Mac was explained earlier in the chapter. If the SBS installation is using the default self-signed SSL certificate, Internet Explorer for the Mac cannot be used to access OWA. Safari, Netscape, and Firefox are browsers that can interact with OWA from a Mac when the self-signed certificate is used. Each of these programs has its own way of handling the self-signed certificate and will generate a warning when the self-signed certificate is encountered. With Netscape and Firefox, the certificate can be installed into the program's certificate store to avoid the warning each time OWA is accessed. Safari uses the Mac OS X certificate store to check, so the steps earlier in the chapter on installing self-signed certificates into the Mac OS X certificate store will avoid the warning in Safari each time OWA is accessed.

Outlook 2001

Outlook 2001 was the last Macintosh mail client released by Microsoft that fully integrates with Exchange. Fortunately, Outlook 2001 is still available as a free download from the Microsoft website (http://www.microsoft.com/mac/downloads.aspx#Outlook) and will run under both Mac OS 9 and earlier and all versions of Mac OS X that have Classic installed and enabled. Like its PC-based counterpart, Outlook 2001 makes a MAPI connection to Exchange for full functionality. As such, the configuration to connect Outlook 2001 to the Exchange server is very similar. Remember that if the Mac is running Mac OS 9.2 and the internal domain includes .local, you will need to add the SBS server to a Hosts file on the Mac for proper name resolution. See the steps to do this in the "The .local Issue" section earlier in the chapter.

Follow these steps to configure Outlook 2001 to communicate with the SBS server. These steps assume that this is the first time Outlook 2001 has been run on the Macintosh:

1. Launch Outlook 2001.
2. Enter the username and organization information into the appropriate fields and click OK.
3. Select the appropriate time zone and click OK.
4. Enter a name for the Outlook profile.
5. Enter the internal name of the SBS server in the Microsoft Exchange Server field.
6. Enter the user's logon name in the Mailbox Name field.
7. Click Test Settings (see Figure 17.20).

Figure 17.20. Outlook 2001 needs the name of the server and a user account to test the connection to the Exchange server.

8. When the test completes successfully, click Create Profile.
9. Enter the login information and click OK.
10. Outlook connects to the server and displays the full Exchange mailbox, as shown in Figure 17.21.

Figure 17.21. Outlook 2001 interfaces with all the features of Exchange mail server.


Entourage 2004

With the release of Microsoft Office 2004, people who want to use Entourage to connect to an Exchange server are going to be pleased with the enhancements made to Entourage and the ease with which it can interact with Exchange 2003. This section specifically covers connecting Entourage 2004 to an SBS 2003 server, but the steps can be extrapolated to any Exchange 2003 server that publishes OWA.

Note

SBS owners can get a copy of Entourage on CD by calling 1-800-360-7561 (in the U.S. and Canada) and asking for part number Q56-00005. You need to provide the agent with your SBS product key to validate ownership. To acquire the Entourage CD outside the U.S. and Canada, contact Microsoft's supplemental part fulfillment group.


Several steps need to be completed for Entourage 2004 to be able to communicate with an SBS 2003 server running Exchange 2003.

Verify Proper DNS Resolution to Server

Open a web browser (not Internet Explorer) and go to https://ServerFQDN/exchange using the full internal DNS name, not the server IP address. If you can log in and use OWA, continue to the next section. Otherwise, you will need to review the earlier sections of this chapter to troubleshoot why the connection is failing.

Configure Entourage to Connect to SBS Exchange Using the Setup Assistant

The account settings in Entourage can be configured in two ways. Follow these steps to use the Entourage Setup assistant:

1. Open Entourage 2004.
2. Open the Account Setup screen either in the initial Entourage Setup Assistant or by selecting Tools, Accounts from the menu and clicking New.
3. Enable the My Account Is on an Exchange Server check box.
4. In the E-mail Address field, enter the user's public email address.
5. In the User ID field, enter the logon ID for the user.
6. In the Domain field, enter the domain for the server using either the NetBIOS domain name or the fully qualified internal domain name.
7. In the Password field, enter the user's logon password.
8. Click the right-arrow to continue.
9. Automatic configuration will probably fail, so click the right-arrow again to continue.
10. In the Verify and Complete Settings window, enter the user's full name in the Your Name field.
11. In the Exchange Server field, enter https://ServerFQDN/exchange, where ServerFQDN is the fully qualified internal domain name for the server.
12. In the LDAP Server field, enter the FQDN of the server (do not include "https://" or "/exchange").
13. Enable the Use SSL for These Servers check box.
14. Click the right-arrow to continue.
15. Click the Verify Settings button. If you have a self-signed certificate on the server, you may get the following error: "Unable to establish a secure connection to [serverFQDN] because the correct root certificate is not installed." Click OK to continue.
16. If the account settings verify, click the right-arrow to continue. Otherwise, click the left-arrow and correct the information that needs to be corrected.
17. Click Finish to close the assistant.

Configure Entourage to Connect to SBS Exchange Using a Manual Configuration

The other method for configuring Entourage to connect to the Exchange server avoids the use of the Setup Wizard and lets you configure the account manually. Follow these steps to accomplish this:

1. Select Tools, Account from the menu and click New.
2. Enable the My Account Is on an Exchange Server check box.
3. Click the Configure My Account Manually button.
4. In the Account ID field, enter the user's logon ID.
5. In the Password field, enter the user's logon password.
6. In the Domain field, enter the domain for the server using either the NetBIOS domain name or the fully qualified domain name.
7. In the Exchange Server field, enter https://ServerFQDN/exchange.
8. In the Name field, enter the user's name as it will appear on outgoing messages.
9. In the E-mail Address field, enter the user's public reply-to mail address.
10. Click the Directory tab.
11. In the LDAP Server field, enter the FQDN of the server.
12. Click the Click Here for Advanced Options button.
13. Enable the This Server Requires Me to Log On check box.
14. Enable the Override Default LDAP Port check box and enter 3268 in the field.
15. Click the Advanced tab.
16. In the Public Folder Server field, enter https://ServerFQDN/public.
17. Select the Synchronize All Items to Server radio button.
18. Enable the DAV Service Requires Secure Connection check box.
19. Click OK.

Configure Local and Remote Access to Exchange 2003 with Entourage 2004

Mobile users with PowerBooks or iBooks face an interesting challenge when trying to use Entourage to read email when in the office or on the road. Using traditional Entourage configuration for connecting to the server while on the local network will not allow a connection while out of the office. Configuring Entourage to use the public name of the server to get it working while out of the office usually causes problems when trying to connect while on the local network.

The answer to this riddle is technically not a Macintosh or even an Entourage solution but is still worth mentioning in this context. For a PowerBook, configure Entourage to use the public URL of the OWA server for connections. Then configure the internal DNS server on SBS to respond with an internal IP address when a lookup for the public URL is made.

To do this, open the DNS Management Console and create a new lookup zone (see Chapter 5, "DNS, DHCP, and Active Directory Integration," for more information on setting up new DNS lookup zones). Give the zone the public domain name for your OWA server. For example, if your OWA server can be reached at mail.smallbizco.net, you would set up the lookup zone for smallbizco.net. Next, create a Host record for the server in the new lookup zone and point it to the internal IP of the SBS server. In other words, set up mail to point to 192.168.16.2 if your public server name is mail and your SBS server's internal IP address is 192.168.16.2. Then, whenever the PowerBook is connected to the local network, it will get the 192.168.16.2 address when it looks up mail.smallbizco.net in DNS, and it will get the public IP address for your server when it is connected to the public Internet. Using this single configuration allows the user of the PowerBook to keep a single cache of her Exchange mail data instead of dealing with two profiles.

Caution

If you do set up this split DNS zone, you need to populate the internal DNS lookup zone with all addresses for all public names. In other words, you also need to create a www record if you have a public server that responds to www.smallbizco.net. Otherwise, when your internal machines do a DNS lookup on www.smallbizco.net, the lookup will fail, and the machines will not be able to connect to any sites in the smallbizco.net domain.
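The failure described in this caution follows from the internal server being authoritative for the whole zone: it answers from its own records or not at all, and never forwards the query. The Python sketch below is an added example, not part of the original chapter. It models that behavior with the smallbizco.net names used above and lists the public names that would stop resolving internally. The public addresses (203.0.113.x) are constructed placeholders, and the model ignores delegations and wildcard records.

```python
def in_zone(name, zone):
    """True if name is the zone apex or a name underneath it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def resolve_internal(name, internal_zones, public_records):
    """Answer as the internal DNS server would.

    internal_zones: {zone_name: {fqdn: ip}} hosted on the internal server.
    public_records: {fqdn: ip} as seen from the public Internet.
    Returns an IP string, or None to model a failed lookup (NXDOMAIN).
    """
    key = name.rstrip(".").lower()
    for zone, records in internal_zones.items():
        if in_zone(key, zone):
            # Authoritative for this zone: answer locally or fail, never forward.
            return records.get(key)
    # Not authoritative: the query is forwarded to public DNS.
    return public_records.get(key)

def missing_internal_records(internal_zones, public_records):
    """Public names that fall inside an internal zone but have no record there."""
    return sorted(
        name for name in public_records
        if any(in_zone(name, z) for z in internal_zones)
        and resolve_internal(name, internal_zones, public_records) is None
    )

# Constructed sample data: names from the text, placeholder public addresses.
PUBLIC = {
    "mail.smallbizco.net": "203.0.113.10",
    "www.smallbizco.net": "203.0.113.20",
    "www.example.org": "203.0.113.99",
}
SPLIT_ZONE = {"smallbizco.net": {"mail.smallbizco.net": "192.168.16.2"}}

if __name__ == "__main__":
    for host in PUBLIC:
        print(host, "->", resolve_internal(host, SPLIT_ZONE, PUBLIC))
    print("missing internally:", missing_internal_records(SPLIT_ZONE, PUBLIC))
```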





Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
EAN: 2147483647
Year: 2005
Pages: 253
