Chapter 16: Managing Client Access Servers


Microsoft Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere are essential technologies for enabling users to access Microsoft Exchange anywhere at any time. As you know from previous discussions, Outlook Web Access lets users access Exchange over the Internet or over a wireless network using a standard Web browser; Exchange ActiveSync lets users access Exchange through a wireless carrier using mobile devices, such as smart phones and Pocket PCs; and Outlook Anywhere lets users access Exchange mailboxes from the Internet using remote procedure call (RPC) over Hypertext Transfer Protocol (HTTP). When users access Exchange mail and public folders over the Internet or a wireless network, HTTP virtual servers hosted by Client Access servers are working behind the scenes to grant access and transfer files. As you'll learn in this chapter, managing mobile access and HTTP virtual servers is a bit different from other tasks you'll perform as an Exchange administrator, and not only because you'll use the Internet Information Services (IIS) Manager snap-in to perform many of the management tasks.

Managing Web and Mobile Access

When you install Exchange Server 2007, Outlook Web Access and Exchange ActiveSync are automatically configured for use. This makes them fairly easy to manage, but there are some essential concepts you need to know to manage these implementations more effectively. This section explains these concepts.

Using Outlook Web Access and Exchange ActiveSync with HTTP Virtual Servers

Outlook Web Access, Exchange ActiveSync, and a default HTTP virtual server are installed automatically when you install a Client Access server. In most cases, you only need to open the appropriate ports on your organization's firewall to allow users to access Exchange data. Then you simply tell users the Uniform Resource Locator (URL) path that they need to type in their browser's Address field. Users can then access Outlook Web Access or Exchange ActiveSync when they're off-site. The URLs for Outlook Web Access and Exchange ActiveSync are different. Typically, the Outlook Web Access URL is https://yourserver.yourdomain.com/owa and the Exchange ActiveSync URL is https://yourserver.yourdomain.com/Microsoft-Server-ActiveSync.

You can configure Outlook Web Access and Exchange ActiveSync for single-server and multiserver environments. In a single-server environment, you use one Client Access server for all your Web and mobile access needs. In a multiple server environment, you can instruct users to access different URLs in order to access different Client Access servers, or you could use a technique such as Round Robin Domain Name System (DNS) to load-balance between multiple servers automatically while giving all users the same access URLs.

You can use Outlook Web Access and Exchange ActiveSync with firewalls. You configure your network to use a perimeter network with firewalls in front of the designated Client Access servers and then open ports 80 and 443 to the Internet Protocol (IP) addresses of your Client Access servers. If SSL is enabled, and you want all Outlook Web Access clients to use SSL exclusively, you don't need to open port 80.

Working with HTTP Virtual Servers

When you install a Client Access server, Exchange Setup installs and configures a default HTTP virtual server for use. The default HTTP virtual server allows authenticated users to access their messaging data from the Web. In Exchange Management Shell, you can use the Get-OWAVirtualDirectory cmdlet to view information about virtual directories, the New-OWAVirtualDirectory cmdlet to create an OWA directory if one does not exist, the Remove-OWAVirtualDirectory to remove an OWA directory, and the Test-OWAConnectivity cmdlet to test OWA connectivity.

HTTP virtual servers provide the services users need to access Exchange from the Web. If you examine the directory structure for the default HTTP virtual server, you'll find several important directories, including:

  • Autodiscover: Autodiscover is used to enable the Autodiscover service for mobile devices. By default, this directory is configured for integrated authentication only.

  • Exadmin: Exadmin is used for Web-based administration of the HTTP virtual server. By default, this directory is configured for integrated authentication only.

  • Exchange: Exchange is the directory to which users connect to access their mailboxes. By default, this directory is configured for both basic and integrated Microsoft Windows authentication, with the default domain set to the pre-Windows 2000 domain name, such as ADATUM.

  • ExchWeb: ExchWeb is used with Outlook Web Access and provides calendaring, address book, and other important control functions. By default, this directory is configured for anonymous access, but the bin directory (which provides the controls) is restricted and uses both basic and integrated Windows authentication.

  • Microsoft-Server-ActiveSync: Microsoft-Server-ActiveSync is the directory to which Exchange ActiveSync users connect to access their Exchange data. By default, this directory is configured for basic authentication.

  • OAB: OAB is the directory that provides the Offline Address Book (OAB) to clients. By default, this directory is configured for anonymous access.

  • OWA: OWA is the directory to which users connect in their Web browsers to start an Outlook Web Access session. By default, this directory is configured for both basic and integrated Windows authentication.

  • Public: Public is the directory to which users connect to access the default Public Folders tree. By default, this directory is configured for both basic and integrated Windows authentication, with the default domain set to the pre-Windows 2000 domain name, such as ADATUM.

  • RPC: RPC is used to enable the RPC over HTTP proxy services. By default, this directory is configured for both basic and integrated Windows authentication.

  • RPCWithCert: RPCWithCert is used to enable the RPC over SSL (Secure Sockets Layer). By default, this directory is configured for secure authentication only.

  • UnifiedMessaging: UnifiedMessaging is used to enable access to unified messaging services from the Web. By default, this directory is configured for integrated Windows authentication.

This section examines key tasks that you use to manage HTTP virtual servers and their related directories.

Enabling and Disabling Outlook Web Access Features

In Exchange 2007, Microsoft uses the term segmentation to refer to your ability to enable and disable the various features within Outlook Web Access. Segmentation settings applied to the OWA virtual directory on Client Access servers control the features available to users. If a server has multiple OWA virtual directories or you have multiple Client Access servers, you must configure each directory and server separately. Table 16-1 provides a summary of the segmentation features that are enabled by default for use with Outlook Web Access.

Table 16-1: An Overview of Segmentation Features

| Feature | When enabled, users can |
| --- | --- |
| Exchange ActiveSync Integration | Remove mobile devices, initiate mobile wipe, view their device password, and review their mobile access log. |
| All Address Lists | View all the available address lists. When disabled, users can only view the default global address lists. |
| Calendar | Access their calendar in Outlook Web Access. |
| Contacts | Access their contacts in Outlook Web Access. |
| Journal | Access their journal in Outlook Web Access. |
| Junk E-mail Filtering | Filter junk e-mail using Outlook Web Access. |
| Reminders And Notifications | Receive new e-mail notifications, task reminders, calendar reminders, and automatic folder updates. |
| Notes | Access their notes in Outlook Web Access. |
| Premium Client | Use Premium features if they have a Premium access license. |
| Search Folders | Access their Search folders in Outlook Web Access. |
| E-mail Signature | Customize their signature and include it in outgoing messages. |
| Spelling Checker | Access the spelling checker in Outlook Web Access. |
| Tasks | Access their tasks in Outlook Web Access. |
| Theme Selection | Change the color scheme in Outlook Web Access. |
| Unified Messaging Integration | Access their voice mail and faxes in Outlook Web Access. They can also configure voice mail options. |
| Change Password | Change their passwords in Outlook Web Access. |

You can enable or disable segmentation features by completing the following steps:

  1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.

  2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Select the server you want to configure, as shown in Figure 16-1.

    Figure 16-1: Select the Client Access server with which you want to work.

  3. In the lower portion of the details pane, you'll see a list of option tabs for the selected server. On the Outlook Web Access tab, right-click the virtual directory for which you want to implement segmentation, and then select Properties. Typically, you'll want to configure the OWA virtual directory on the Default Web Site, as this directory is used by default for Outlook Web Access.

  4. On the Segmentation tab, select a feature you want to enable or disable. Click Enable to enable the feature. Click Disable to disable the feature. Click OK.

In Exchange Management Shell, you can enable or disable segmentation features using the Set-OwaVirtualDirectory cmdlet. To enable or disable these features for individual users, use the Set-CASMailbox cmdlet.
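The shell route described above, as an added example that is not from the book: it applies the same segmentation settings to every Exchange 2007 OWA virtual directory (each directory and server has to be set separately), reads the settings back to confirm them, and then overrides one feature for a single mailbox. The three features chosen and the mailbox identity jsmith@example.com are placeholder assumptions.

```powershell
# Added example, not from the book. Run in Exchange Management Shell.
# The features switched off here and the mailbox identity are placeholders.

# Desired state for the selected Table 16-1 features.
$baseline = @{
    JournalEnabled        = $false
    ThemeSelectionEnabled = $false
    ChangePasswordEnabled = $false
}

# Get-OwaVirtualDirectory also returns the legacy Exchange, ExchWeb and Public
# directories; segmentation applies to the Exchange 2007 OWA directories only.
$owaDirs = Get-OwaVirtualDirectory |
    Where-Object { $_.OwaVersion -eq 'Exchange2007' }

# Apply the settings to each directory on each Client Access server.
foreach ($dir in $owaDirs) {
    Set-OwaVirtualDirectory -Identity $dir.Identity `
        -JournalEnabled $false `
        -ThemeSelectionEnabled $false `
        -ChangePasswordEnabled $false
}

# Read the settings back and report any directory that still differs.
Get-OwaVirtualDirectory |
    Where-Object { $_.OwaVersion -eq 'Exchange2007' } |
    ForEach-Object {
        $dir = $_
        foreach ($name in $baseline.Keys) {
            if ($dir.$name -ne $baseline[$name]) {
                Write-Warning "$($dir.Server)\$($dir.Name): $name is $($dir.$name)"
            }
        }
    }

# Per-user override: Set-CASMailbox uses the same feature names with an OWA prefix.
Set-CASMailbox -Identity 'jsmith@example.com' -OWACalendarEnabled $false
Get-CASMailbox -Identity 'jsmith@example.com' | Format-List Name, OWA*Enabled
```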

Configuring Ports, IP Addresses, and Host Names Used by HTTP Virtual Servers

Each HTTP virtual server is identified by a unique Transmission Control Protocol (TCP) port, SSL port, IP address, and host name. The default TCP port is 80. The default SSL port is 443. The default IP address setting is to use any available IP address. The default host name is the Client Access server's DNS name.

When the server is multihomed, or when you use it to provide Outlook Web Access or Exchange ActiveSync services for multiple domains, the default configuration isn't ideal. On a multihomed server, you'll usually want messaging protocols to respond on a specific IP address. To do this, you need to change the default settings. On a server that provides Outlook Web Access and Exchange ActiveSync services for multiple domains, you'll usually want to specify an additional host name for each domain.

To change the identity of an HTTP virtual server, complete the following steps:

  1. If you want the HTTP virtual server to use a new IP address, you must configure the IP address before trying to specify it on the HTTP virtual server. For details, see "Configuring Static IP Addresses" in Chapter 16 of Microsoft Windows Server 2003 Administrator's Pocket Consultant (Microsoft Press, 2003).

  2. Start IIS Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and select Internet Information Services (IIS) Manager.

    Note 

    By default, IIS Manager connects to the services running on the local computer. If you want to connect to a different server, right-click Internet Information Services in the console tree, and then select Connect. In the Connect To Computer dialog box, type the name of the computer to which you want to connect, and then click OK.

  3. In IIS Manager, each HTTP virtual server is represented as a Web site. The Default Web Site represents the default HTTP virtual server. Double-click the entry for the server with which you want to work, and then double-click Web Sites.

  4. Right-click the Web site that you want to manage, and then select Properties.

  5. On the Web Site tab, click Advanced. As Figure 16-2 shows, you can now use the Advanced Web Site Identification dialog box to configure multiple identities for the virtual server.

    Figure 16-2: You can use the Advanced Web Site Identification dialog box to configure multiple identities for the virtual server.

  6. Use the Multiple Identities For This Web Site panel to manage TCP port settings:

    • Add: Adds a new identity. Click Add, select the IP address you want to use, and then type the TCP port and host name. Click OK when you're finished.

    • Remove: Allows you to remove the currently selected entry from the Multiple Identities For This Web Site list.

    • Edit: Allows you to edit the currently selected entry in the Multiple Identities For This Web Site list.

  7. Use the Multiple SSL Identities For This Web Site panel to manage SSL port settings. Click Add to create new entries. Use Edit or Remove to modify or delete existing entries.

    More Info If the SSL options are unavailable, you haven't installed them. To enable SSL and the related options, you need to obtain and install an SSL certificate, as discussed in the next section of this chapter.

  8. Click OK twice.

Enabling SSL on HTTP Virtual Servers

SSL is a protocol for encrypting data that is transferred between a client and a server. Without SSL, servers pass data in cleartext to clients, which could be a security risk in an enterprise environment. With SSL, servers pass data encoded using 40-bit or 128-bit encryption.

Although HTTP virtual servers are configured to use SSL on port 443 automatically, the server won't use SSL unless you've created and installed an X.509 certificate. You can create and install an X.509 certificate for an HTTP virtual server by completing the following steps:

  1. Start IIS Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.

    Note 

    By default, IIS Manager connects to the services running on the local computer. If you want to connect to a different server, right-click Internet Information Services in the console tree, and then select Connect. In the Connect To Computer dialog box, type the name of the computer to which you want to connect, and then click OK.

  2. In IIS Manager, each HTTP virtual server is represented by a Web site. The Default Web Site represents the default HTTP virtual server. Double-click the entry for the server with which you want to work, double-click Web Sites, right-click the Web site that you want to manage, and choose Properties.

  3. On the Directory Security tab, click Server Certificate. This starts the Web Server Certificate Wizard. Use the wizard to create a new certificate. For additional virtual servers on the same Exchange server, you'll want to assign an existing certificate.

  4. Send the certificate request to your certification authority (CA). When you receive the certificate back from the CA, access the Web Server Certificate Wizard from the virtual server's Properties dialog box again. Now you'll be able to process the pending request and install the certificate.

Restricting Incoming Connections and Setting Time-Out Values

You control incoming connections to an HTTP virtual server in several ways; you can set a maximum limit on the bandwidth used, you can set a limit on the number of simultaneous connections, and you can set a connection time-out value.

Normally, virtual servers have no maximum bandwidth limits and accept an unlimited number of connections, and this is an optimal setting in most environments. However, when you're trying to prevent a virtual server from becoming overloaded, you might want to limit the bandwidth available to the site and the number of simultaneous connections.

When either limit is reached, no other clients are permitted to access the server. The clients must wait until the connection load on the server decreases.

The connection time-out value determines when idle user sessions are disconnected. With the default HTTP virtual server, sessions time out after they've been idle for 900 seconds (15 minutes). Although 15 minutes might seem like a short time, it's sound security policy to disconnect idle sessions and force users to log back on to the server. If you don't disconnect idle sessions within a reasonable amount of time, unauthorized persons could gain access to your messaging system through a browser window left unattended on a remote terminal.

You can modify connection limits and time-outs by completing the following steps:

  1. Start IIS Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.

    Note 

    By default, IIS Manager connects to the services running on the local computer. If you want to connect to a different server, right-click Internet Information Services in the console tree, and then select Connect. In the Connect To Computer dialog box, type the name of the computer to which you want to connect, and then click OK.

  2. In IIS Manager, each HTTP virtual server is represented by a Web site. The Default Web Site represents the default HTTP virtual server. Double-click the entry for the server with which you want to work, and then double-click Web Sites.

  3. Right-click the Web site that you want to manage, and then select Properties. Click the Performance tab, as shown in Figure 16-3.

    Figure 16-3: Use the Performance tab to limit connections and set time-out values for each virtual server.

  4. To remove maximum bandwidth limits, clear the Limit The Network Bandwidth Available To This Web Site checkbox. To set a maximum bandwidth limit, select Limit The Network Bandwidth Available To This Web Site, and then set the desired limit, such as 1024 kilobytes per second.

  5. To remove connection limits, select Unlimited. To set a connection limit, select Connections Limited To, and then type a limit.

  6. On the Web Site tab, the Connection Timeout field controls how long idle user sessions remain connected to the server. The default value is 120 seconds. Type a new value to change the current time-out value. Click OK.

Redirecting Users to Alternate URLs

Sometimes, you may find that you want to redirect users to alternate URLs. For example, you may want users to type http://mail.cpandl.com and get redirected to https://mail.cpandl.com/owa.

You can redirect users from one URL to another by completing the following steps:

  1. Start IIS Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.

    Note 

    By default, IIS Manager connects to the services running on the local computer. If you want to connect to a different server, right-click Internet Information Services in the console tree, and then select Connect. In the Connect To Computer dialog box, type the name of the computer to which you want to connect, and then click OK.

  2. In IIS Manager, each HTTP virtual server is represented by a Web site. The Default Web Site represents the default HTTP virtual server. Double-click the entry for the server with which you want to work, and then double-click Web Sites.

  3. Right-click the Web site or directory that you want to manage, and then select Properties.

  4. On the Home Directory or Directory tab, select the A Redirection To A URL option.

  5. In the Redirect To text box, type the path to which the user should be redirected. To redirect the user to a different server, type the full path, starting with http:// or https://, such as https://mailer2.cpandl.com/owa. To redirect the user to a virtual directory on the same server, type a slash mark (/) followed by the directory name, such as /owa. Click OK to save your settings.

Controlling Access to the HTTP Server

HTTP virtual servers support five authentication methods:

  • Anonymous authentication: With anonymous authentication, IIS automatically logs users on with an anonymous or guest account. This allows users to access resources without being prompted for user name and password information.

  • Basic authentication: With basic authentication, users are prompted for logon information. When entered, this information is transmitted unencrypted (as cleartext) across the network. If you've configured secure communications on the server, as described in the section of this chapter entitled "Enabling SSL on HTTP Virtual Servers," you can require that clients use SSL. When you use SSL with basic authentication, the logon information is encrypted before transmission.

  • Integrated Windows authentication: With integrated Windows authentication, IIS uses standard Windows security to validate the user's identity. Instead of prompting for a user name and password, clients relay the logon credentials that users supply when they log on to Windows. These credentials are fully encrypted without the need for SSL, and they include the user name and password needed to log on to the network. Only Microsoft Internet Explorer browsers support this feature.

  • Digest authentication: With digest authentication, user credentials are transmitted securely between clients and servers. Digest authentication is a feature of HTTP 1.1 and uses a technique that can't be easily intercepted and decrypted. This feature is available only when IIS is configured on a server running Microsoft Windows Server 2003 and is part of a Windows 2000 Server or later Active Directory domain. The client is required to use a domain account, and the request is made by Internet Explorer 5.0 or later.

  • .NET Passport authentication: With .NET Passport authentication, the user credentials aren't checked directly. Instead, the server checks for a Passport authentication ticket as one of the cookie files on the user's computer. If the ticket exists and has valid credentials, the server authenticates the client. If the ticket doesn't exist or the credentials aren't valid, the user is redirected to the Passport logon service. Once the user logs on to the Passport service, the user is directed back to the original URL.

By default, both basic and integrated Windows authentication are enabled on the Exchange and Public directories used by the HTTP virtual server, and you should rarely change this setting. However, if your organization has special needs, you can change the authentication settings at the virtual directory level. A virtual directory is simply a folder path that is accessible by a URL. For example, you could create a virtual directory called Data that is physically located on C:\CorpData\Data and accessible using the URL https://myserver.mydomain.com/Data.

The default public folder tree is accessible through basic and integrated Windows authentication. If you want to grant public access to this folder tree or restrict the tree so that only integrated Windows authentication is allowed, you can do so by editing the individual security settings on the related virtual directory.

Although the mailbox tree is accessible through basic and integrated Windows authentication as well, access to mailboxes is restricted, just as it is from Microsoft Office Outlook 2007. As a result of this security, only William Stanek can access William Stanek's mailbox, unless you've granted special permissions to other users. You should rarely, if ever, change the authentication settings on the Mailbox virtual directory.

The authentication settings on virtual directories are different from authentication settings on the virtual server itself. By default, the virtual server allows anonymous access. This means that anyone can access the server's home page without authenticating themselves. If you disable anonymous access at the server level, users need to authenticate themselves twice: once for the server, and once for the virtual directory they want to access.

You can change the authentication settings for an entire site or for a particular virtual directory by completing the following steps:

  1. Start IIS Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.

    Note 

    By default, IIS Manager connects to the services running on the local computer. If you want to connect to a different server, right-click Internet Information Services in the console tree, and then select Connect. In the Connect To Computer dialog box, type the name of the computer to which you want to connect, and then click OK.

  2. In IIS Manager, each HTTP virtual server is represented by a Web site. The Default Web Site represents the default HTTP virtual server. Double-click the entry for the server with which you want to work, and then double-click Web Sites.

  3. Right-click the site or virtual directory that you want to manage, and then select Properties.

  4. On the Directory Security tab, on the Authentication And Access Control panel, click Edit. The Authentication Methods dialog box appears, shown in Figure 16-4.

    Figure 16-4: Use the Authentication Methods dialog box to set access control on virtual directories. Virtual directories can have different authentication settings than the virtual server.

  5. To allow anonymous access, select the Enable Anonymous Access check box. To disable anonymous access, clear this check box.

    Note 

    In most cases, the anonymous user account is named IUSR_ServerName, such as IUSR_Mailer1. If you use this account, you don't need to set a password. Instead, let IIS manage the password. If you want to use a different account, click Browse, and then use the Select User dialog box to select the anonymous user account.

  6. Configure the authentication methods you want to use. Keep the following in mind:

    • Disabling basic authentication might prevent some clients from accessing resources remotely. Clients can log on only when you enable an authentication method that they support.

    • A default domain isn't set automatically. If you enable basic or .NET Passport authentication, you can choose to set a default domain that should be used when no domain information is supplied during the logon process. Setting the default domain is useful when you want to ensure that clients authenticate properly.

    • With basic and digest authentication, you can optionally define the realm or realms that can be accessed. Essentially, a realm is a level within the metabase hierarchy. The default realm name is the computer name, which provides access to all levels within the metabase hierarchy. You could limit this by defining specific realms, such as W3SVC (for the Web site's root) or W3SVC/1/Root (for the root of the first Web instance).

    • If you enable .NET Passport authentication, all other authentication settings are ignored. As a result, the server only authenticates using this technique for the specified resource.

  7. Click OK. Before applying changes, IIS checks the existing authentication methods in use for all Web sites and directories within Web sites. If a site or directory node uses a different value, an Inheritance Overrides dialog box appears. Use this dialog box to select the site and directory nodes that should use the new setting, and then click OK.
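Because basic authentication sends logon information as cleartext unless SSL is required, it is worth checking every virtual directory for that combination after changing these settings. The following is an added example, not from the book: it decodes the IIS metabase properties AuthFlags and AccessSSLFlags and flags directories that accept basic authentication without requiring SSL. It assumes the Default Web Site has site ID 1 and that the IIS 6 metabase ADSI provider is available; the sample rows are constructed values.

```powershell
# Added example, not from the book.
# Assumptions: Default Web Site is site ID 1; the IIS 6 metabase ADSI provider
# ("IIS://") is installed; the live check runs as a local administrator.
$siteRoot = 'IIS://localhost/W3SVC/1/ROOT'

# Bit values of the metabase properties AuthFlags and AccessSSLFlags.
$authBits  = @{ Anonymous = 0x01; Basic = 0x02; Integrated = 0x04; Digest = 0x10; Passport = 0x40 }
$AccessSSL = 0x08   # "Require secure channel (SSL)"

# Pure decoding step: turn the two bitmasks into a report row.
function Get-AuthFinding([string]$Name, [int]$AuthFlags, [int]$SslFlags) {
    $methods = @()
    foreach ($m in 'Anonymous', 'Basic', 'Integrated', 'Digest', 'Passport') {
        if ($AuthFlags -band $authBits[$m]) { $methods += $m }
    }
    $sslRequired = [bool]($SslFlags -band $AccessSSL)

    $row = '' | Select-Object Name, Methods, SslRequired, Finding
    $row.Name        = $Name
    $row.Methods     = [string]::Join(', ', [string[]]$methods)
    $row.SslRequired = $sslRequired
    if (($AuthFlags -band $authBits['Basic']) -and -not $sslRequired) {
        $row.Finding = 'Basic authentication without required SSL (logon sent as cleartext)'
    } elseif ($AuthFlags -band $authBits['Anonymous']) {
        $row.Finding = 'Anonymous access enabled; confirm it is intended'
    } else {
        $row.Finding = 'OK'
    }
    $row
}

# Live check: read the flags of every child node under the site root.
function Get-LiveAuthReport([string]$Root) {
    $site = [ADSI]$Root
    $site.psbase.Children | ForEach-Object {
        $p = $_.psbase.Properties
        Get-AuthFinding $_.psbase.Name ([int]$p['AuthFlags'].Value) ([int]$p['AccessSSLFlags'].Value)
    }
}

# Constructed sample values (not read from a real server).
$sample = @(
    @('Microsoft-Server-ActiveSync', 0x02, 0x00),   # basic only, SSL not required
    @('owa',                         0x06, 0x08),   # basic + integrated, SSL required
    @('OAB',                         0x01, 0x00)    # anonymous
)
$sample | ForEach-Object { Get-AuthFinding $_[0] $_[1] $_[2] } | Format-Table -AutoSize

# On a Client Access server, run the live check instead:
# Get-LiveAuthReport $siteRoot | Format-Table -AutoSize
```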

Starting, Stopping, and Pausing HTTP Virtual Servers and Web Sites

HTTP virtual servers run under a server process that you can start, stop, and pause, much like other server processes. For example, if you're changing the configuration of a virtual server or performing other maintenance tasks, you might need to stop the virtual server, make the changes, and then restart it. When a virtual server is stopped, it doesn't accept connections from users and can't be used to deliver or retrieve mail.

An alternative to stopping a virtual server is to pause it. Pausing a virtual server prevents new client connections, but it doesn't disconnect current connections. When you pause an HTTP virtual server, active clients can continue to retrieve documents, messages, and public folder data in their Web browser. No new connections are accepted, however.

The master process for all HTTP virtual servers is the World Wide Web Publishing service. Stopping this service stops all virtual servers using the process, and all connections are disconnected immediately. Starting this service restarts all virtual servers that were running when you stopped the World Wide Web Publishing Service.

You can start, stop, or pause an HTTP virtual server by completing the following steps:

  1. Start IIS Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.

    Note 

    By default, IIS Manager connects to the services running on the local computer. If you want to connect to a different server, right-click Internet Information Services in the console tree, and then select Connect. In the Connect To Computer dialog box, type the name of the computer to which you want to connect, and then click OK.

  2. In IIS Manager, each HTTP virtual server is represented by a Web site. The Default Web Site represents the default HTTP virtual server. Double-click the entry for the server with which you want to work, and then double-click Web Sites.

  3. Right-click the virtual server you want to manage. You can now do the following:

    • Select Start to start the virtual server.

    • Select Stop to stop the virtual server.

    • Select Pause to pause the virtual server.

If you suspect there's a problem with the World Wide Web Publishing Service or other related IIS services, you can use the following technique to restart all IIS services:

  1. Start IIS Manager. Click Start, point to Programs or All Programs as appropriate, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.

  2. Right-click the entry for the server with which you want to work, point to All Tasks, and then select Restart IIS. When prompted to confirm, click OK.

Configuring URLs and Authentication for OAB

Outlook 2007 clients can retrieve the Offline Address Book (OAB) from a web distribution point. The default distribution point is the OAB virtual directory on the Default Web Site. Each distribution point has three associated properties:

  • PollInterval: The time interval during which the distribution service should poll the generation server for new updates (in minutes).

  • ExternalUrl: The URL from which Outlook clients outside the corporate network can access the OAB.

  • InternalUrl: The URL from which Outlook clients inside the corporate network can access the OAB.

You can configure web distribution points by completing the following steps:

  1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.

  2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Select the server with which you want to work.

  3. In the lower portion of the details pane, on the Offline Address Book Distribution tab, you'll see an entry for each OAB web distribution point configured on the server.

  4. Right-click the distribution point you want to configure and then select Properties.

  5. On the General tab, set the desired polling interval using the Polling Interval text box. The default interval is 480 minutes.

  6. On the URLs tab, enter the desired internal and external URLs in the text boxes provided and then click OK.

Configuring URLs and Authentication for OWA

When you install a Client Access server, the server is configured with a Default Web Site and the virtual directories discussed previously. The base URL for these directories can be set so that different URLs are used for internal access and external access and so that different authentication mechanisms are used for each directory.

You can configure virtual directory URLs and authentication by completing the following steps:

  1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.

  2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Select the server with which you want to work.

  3. In the lower portion of the details pane, on the Outlook Web Access tab, you'll see an entry for each virtual directory used by Exchange Server.

  4. Right-click the virtual directory you want to configure and then select Properties.

  5. On the General tab, enter the internal and external URLs in the text boxes provided.

  6. On the Authentication tab, forms-based authentication is configured by default with the logon format set to Domain\User Name. Only change this configuration if you have specific requirements that necessitate a change.

  7. Click OK to save your settings.

Configuring URLs and Authentication for Exchange ActiveSync

When you install a Client Access server, the server is configured with a Default Web Site that has a virtual directory for Exchange ActiveSync. The URL for this directory can be set so that different URLs are used for internal access and external access and so that different authentication mechanisms can be used.

You can configure the Exchange ActiveSync URLs and authentication by completing the following steps:

  1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.

  2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Select the server with which you want to work.

  3. In the lower portion of the details pane, on the Exchange ActiveSync tab, you'll see an entry for each virtual directory used by Exchange Server for ActiveSync.

  4. Right-click the virtual directory you want to configure, and then select Properties.

  5. On the General tab, enter the internal and external URLs in the text boxes provided.

  6. On the Authentication tab, by default, basic authentication is enabled and client certificates are ignored. If your organization uses client certificates, you can clear the Basic Authentication checkbox and then select either Accept Client Certificates or Require Client Certificates, as appropriate.

  7. Click OK to save your settings.




Microsoft Exchange Server 2007 Administrator's Pocket Consultant
ISBN: 0735625867
Year: 2007
Pages: 119
