Managing Exchange Server Features for Mobile Devices


Mobile access to Exchange Server is supported on any device running Windows Mobile software, including Pocket PC 2002, Pocket PC 2003, and Windows Mobile 5.0. Devices running Windows Mobile 5.0 with Messaging & Security Feature Pack (MSFP) and later versions of Windows Mobile software include extensions for cellular phones that permit the use of additional features, including:

  • Autodiscovery

  • Direct Push

  • Exchange ActiveSync Mailbox Policy

  • Remote Device Wipe

  • Password Recovery

  • Direct File Access

  • Remote File Access

  • WebReady Document Viewing

In Exchange Server, these features are all enabled by default. The sections that follow discuss how these features work and how related options are configured.

Understanding and Using Autodiscovery

Autodiscovery simplifies the provisioning process for mobile devices by returning the required Exchange settings after a user enters his or her e-mail address and password. This eliminates the need to configure mobile carriers in Exchange Server, as well as the need to download and install the carriers list on mobile devices.

Autodiscovery is enabled by default, and the Default Web Site on a Client Access server has an associated Autodiscover virtual directory through which devices are provisioned.

You can manage Autodiscovery using Exchange Management Shell. To disable Autodiscovery, type the following command:

Remove-AutodiscoverVirtualDirectory -Server MyServer

where MyServer is the name of the Client Access server on which this feature should be disabled.

If you later want to enable Autodiscovery, you can type the following command:

New-AutodiscoverVirtualDirectory -Server MyServer

where MyServer is the name of the Client Access server on which this feature should be enabled for the Default Web Site.

Samples 16-5 and 16-6 provide the full syntax and usage for the New-AutodiscoverVirtualDirectory and Remove-AutodiscoverVirtualDirectory cmdlets, respectively.

Sample 16-5: New-AutodiscoverVirtualDirectory cmdlet syntax and usage

Syntax
  New-AutodiscoverVirtualDirectory [-Server 'ServerIdentity']
    [-WebSiteName 'WebSiteName'] [-BasicAuthentication <$true | $false>]
    [-DigestAuthentication <$true | $false>] [-WindowsAuthentication <$true | $false>]

Usage
  New-AutodiscoverVirtualDirectory -Server 'CorpMailSvr25'
    -WebSiteName 'Secondary Site' -BasicAuthentication $true
    -DigestAuthentication $false -WindowsAuthentication $true

Sample 16-6: Remove-AutodiscoverVirtualDirectory cmdlet syntax and usage

Syntax
  Remove-AutodiscoverVirtualDirectory -Identity 'DirectoryIdentity'

Usage
  Remove-AutodiscoverVirtualDirectory -Server 'CorpMailSvr25\Secondary Site'

Understanding and Using Direct Push

Direct Push automates the synchronization process, enabling a mobile device to make requests to keep itself up-to-date. When the HTTP virtual server used with ActiveSync has SSL enabled, Direct Push allows a mobile device to issue long-lived Hypertext Transfer Protocol Secure (HTTPS) monitoring requests to Exchange Server. Exchange Server monitors activity in the related user's mailbox. If new mail arrives or other changes are made to the mailbox (such as modifications to calendar or contact items), Exchange sends a response to the mobile device, stating that changes have occurred and that the device should initiate synchronization with Exchange Server. The device then issues a synchronization request. When synchronization is complete, the device issues another long-lived HTTPS monitoring request.

Port 443 is the default TCP port used with SSL. For Direct Push to work, port 443 must be opened between the Internet and the organization's Internet-facing Client Access server or servers. You do not need to open port 443 to all of your Client Access servers, only to those to which users can establish connections. The Client Access server receiving the request automatically proxies the request so that it can be handled appropriately. If necessary, this may also mean proxying requests between the mobile device and the Client Access server in the user's home site. A user's home site is the Active Directory site where the mailbox server hosting his or her mailbox is located.

Tip

Microsoft recommends increasing the maximum time-out value for connections to 30 minutes. In addition, if there is a firewall between the Client Access server in the user's home site and the Mailbox server in the user's home site, TCP port 135 must be opened on the intervening firewall. TCP port 135 is used by the RPC locator service.

Understanding and Using Exchange ActiveSync Mailbox Policy

Exchange ActiveSync Mailbox Policy makes it possible to enhance the security of mobile devices used to access your Exchange servers. As an example, you can use policy to require a password of a specific length and to configure devices to automatically prompt for a password after a period of inactivity.

Each mailbox policy you create has a name and a specific set of rules with which it is associated. Because you can apply policies separately to mailboxes when you create or modify them, you can create different policies for different groups of users. For example, you can have one policy for users and another policy for managers. You can also create separate policies for departments within the organization. For example, you can have separate policies for Marketing, Customer Support, and Technology.

Viewing Existing Exchange ActiveSync Mailbox Policies

In Exchange Management Console, you can view the currently configured Exchange ActiveSync Mailbox policies by completing the following steps:

  1. Start Exchange Management Console. Expand the Organization Configuration node, and then select Client Access.

  2. In the details pane, you'll see a list of current policies.

In Exchange Management Shell, you can list policies using the Get-MobileMailboxPolicy cmdlet. Sample 16-7 provides the syntax, usage, and sample output. If you do not provide an identity with this cmdlet, all available Exchange ActiveSync Mailbox policies are listed.

Sample 16-7: Get-MobileMailboxPolicy cmdlet syntax and usage

Syntax
  Get-MobileMailboxPolicy [-Identity 'PolicyIdentity']

Usage
  Get-MobileMailboxPolicy
  Get-MobileMailboxPolicy -Identity 'Primary ActiveSync Mailbox Policy'

Output
  Schema                             : Microsoft.Exchange.Data.Directory.SystemConfiguration.MobileMailboxPolicySchema
  AllowNonProvisionableDevices       : True
  AlphanumericDevicePasswordRequired : True
  AttachmentsEnabled                 : True
  DeviceEncryptionEnabled            : True
  DevicePasswordEnabled              : True
  PasswordRecoveryEnabled            : True
  DevicePolicyRefreshInterval        : unlimited
  DocumentBrowseEnabled              : True
  AllowSimpleDevicePassword          : False
  MaxAttachmentSize                  : unlimited
  WSSAccessEnabled                   : True
  UNCAccessEnabled                   : True
  MinDevicePasswordLength            : 8
  MaxInactivityTimeDeviceLock        : 00:15:00
  MaxDevicePasswordFailedAttempts    : 8
  DevicePasswordExpiration           : unlimited
  DevicePasswordHistory              : 0
  MailboxPolicyFlags                 : 0
  MinAdminVersion                    : -2147453113
  AdminDisplayName                   :
  ObjectCategoryName                 : msExchMobileMailboxPolicy
  ExchangeVersion                    : 0.1 (8.0.935.0)
  CurrentObjectVersion               : 0.1 (8.0.935.0)
  Name                               : Primary ActiveSync Mailbox Policy
  DistinguishedName                  : CN=Primary ActiveSync Mailbox Policy,CN=Mobile Mailbox Policies,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=cpandl,DC=com
  Identity                           : Primary ActiveSync Mailbox Policy
  Guid                               : b7e75848-e300-47c9-ba2f-4420b950a5a5
  ObjectCategory                     : http://cpandl.com/Configuration/Schema/ms-Exch-Mobile-Mailbox-Policy
  ObjectClass                        : {top, msExchRecipientTemplate, msExchMobileMailboxPolicy}
  OriginalId                         : Primary ActiveSync Mailbox Policy
  WhenChanged                        : 10/24/2006 4:01:29 PM
  WhenCreated                        : 10/24/2006 4:01:29 PM
  ObjectState                        : Unchanged
  OriginatingServer                  : http://corpsvr127.cpandl.com
  IsReadOnly                         : False
  Id                                 : Primary ActiveSync Mailbox Policy
  IsValid                            : True
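The property names in the output above are what a policy audit keys on. The following script is an added example, not code from the chapter: it runs Get-MobileMailboxPolicy over every policy in the organization and compares the device-password, lock and encryption settings against a hardening baseline. The baseline values themselves (8-character minimum, 15-minute lock, 8 failed attempts) are assumptions chosen for illustration; the 'unlimited' string handling matches the way those values appear in the sample output.

```powershell
# Added example, not from the chapter: audit every Exchange ActiveSync Mailbox
# policy against a hardening baseline. Property names are those shown in the
# Get-MobileMailboxPolicy output; the baseline values are assumptions.

# Baseline (assumed values for illustration).
$MinPasswordLength = 8                      # characters
$MaxInactivityLock = [TimeSpan]'00:15:00'   # lock after 15 idle minutes
$MaxFailedAttempts = 8                      # failed attempts before lockout
$RequiredFlags = @{
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false
    DeviceEncryptionEnabled            = $true
}

# Limit-type values render as the string 'unlimited' (see the sample output);
# anything else is converted to the requested .NET type (int or TimeSpan).
function Get-LimitValue($limit, $type) {
    $text = "$limit"
    if ($text -eq 'unlimited' -or $text -eq '') { return $null }
    return ($text -as $type)
}

# Returns one finding string per baseline violation; nothing when compliant.
function Test-MobilePolicyBaseline($policy) {
    $findings = @()
    foreach ($name in $RequiredFlags.Keys) {
        if ($policy.$name -ne $RequiredFlags[$name]) {
            $findings += "$name is $($policy.$name); expected $($RequiredFlags[$name])"
        }
    }
    $len = Get-LimitValue $policy.MinDevicePasswordLength ([int])
    if ($len -eq $null -or $len -lt $MinPasswordLength) {
        $findings += "MinDevicePasswordLength is '$($policy.MinDevicePasswordLength)'; expected at least $MinPasswordLength"
    }
    $lock = Get-LimitValue $policy.MaxInactivityTimeDeviceLock ([TimeSpan])
    if ($lock -eq $null -or $lock -gt $MaxInactivityLock) {
        $findings += "MaxInactivityTimeDeviceLock is '$($policy.MaxInactivityTimeDeviceLock)'; expected at most $MaxInactivityLock"
    }
    $attempts = Get-LimitValue $policy.MaxDevicePasswordFailedAttempts ([int])
    if ($attempts -eq $null -or $attempts -gt $MaxFailedAttempts) {
        $findings += "MaxDevicePasswordFailedAttempts is '$($policy.MaxDevicePasswordFailedAttempts)'; expected at most $MaxFailedAttempts"
    }
    return $findings
}

# Without -Identity, Get-MobileMailboxPolicy lists every policy in the organization.
foreach ($policy in Get-MobileMailboxPolicy) {
    $findings = @(Test-MobilePolicyBaseline $policy)
    if ($findings.Count -eq 0) {
        Write-Host "[PASS] $($policy.Name)"
    } else {
        Write-Host "[FAIL] $($policy.Name)"
        $findings | ForEach-Object { Write-Host "   - $_" }
    }
}
```

Against the sample output shown above, the only finding is that no policy setting is missing; a policy with MaxInactivityTimeDeviceLock left at unlimited, or with MinDevicePasswordLength blank, is reported because a device that never locks defeats the password requirement entirely.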

Creating Exchange ActiveSync Mailbox Policies

The Exchange ActiveSync Mailbox policies you create apply to your entire organization. You apply policies separately after you create them, as discussed in the "Assigning Exchange ActiveSync Mailbox Policies" section of this chapter.

In Exchange Management Console, you can create a new policy by completing the following steps:

  1. Start Exchange Management Console. Expand the Organization Configuration node, and then select Client Access.

  2. In the details pane, you'll see the Exchange ActiveSync Mailbox Policy node. Right-click an open area of the details pane, and select New Exchange ActiveSync Mailbox Policy.

  3. As shown in Figure 16-5, type a descriptive name for the policy, and then use the following options to configure the policy:

    Figure 16-5: Create the Exchange ActiveSync Mailbox policy.

    • Allow Non-Provisionable Devices Non-provisionable devices are older devices that do not support the Autodiscover service. If you select this option, these older devices can connect to Exchange 2007 by using Exchange ActiveSync.

    • Allow Attachments To Be Downloaded To Device Enables attachments to be downloaded to mobile devices. If you do not select this option, message attachments are not downloaded with user messages.

    • Require Alphanumeric Passwords Requires that a password contain numeric and alphanumeric characters. If you do not select this option, users can use simple passwords, which may not be secure.

    • Enable Password Recovery Enables the device password to be recovered from the server. If you do not select this option and the user forgets his or her password, you will not be able to reset the device password, and the user will be unable to access his or her mailbox using the device.

    • Require Encryption On Device Requires mobile devices to use encryption. Because encrypted data cannot be accessed without the appropriate password, this helps to protect the data on the device. If you select this option, Exchange allows devices to download data only if they use encryption.

    • Allow Simple Password Allows the user to use a non-complex password instead of a password that meets the minimum complexity requirements.

    • Minimum Password Length Allows you to set a minimum password length. You must select the related check box and then set the desired minimum password length, such as eight characters. The longer the password, the more secure it is. A good minimum password length is between 8 and 12 characters.

    • Time Without User Input Before Password Must Be Re-Entered Allows you to specify the length of time (in minutes) that a device can go without user input before it locks. You must select the related check box and then set the desired time interval, such as 15.

    • Password Expiration Allows you to specify the maximum length of time users can keep a password before they have to change it. You can use this option to require users to change their passwords periodically. A good password expiration value is between 30 and 90 days.

    • Enforce Password History Allows you to specify how frequently old passwords can be reused. You can use this option to discourage users from changing back and forth between a common set of passwords. To disable this option, set the size of the password history to zero. To enable this option, set the desired size of the password history. A good value is between 3 and 6.

  4. Click New to create the policy, and then click Finish. Optimize the configuration, as discussed in "Optimizing Exchange ActiveSync Mailbox Policies."

In Exchange Management Shell, you can create new Exchange ActiveSync Mailbox policies using the New-MobileMailboxPolicy cmdlet. Sample 16-8 provides the syntax and usage.

Sample 16-8: New-MobileMailboxPolicy cmdlet syntax and usage

Syntax
  New-MobileMailboxPolicy -Name 'Name'
    [-AllowNonProvisionableDevices <$true | $false>]
    [-AllowSimpleDevicePassword <$true | $false>]
    [-AlphanumericDevicePasswordRequired <$true | $false>]
    [-AttachmentsEnabled <$true | $false>]
    [-DeviceEncryptionEnabled <$true | $false>]
    [-DevicePasswordEnabled <$true | $false>]
    [-DevicePasswordExpiration 'Limit']
    [-DevicePasswordHistory 'Number']
    [-MaxAttachmentSize 'Limit']
    [-MaxDevicePasswordFailedAttempts 'Limit']
    [-MaxInactivityTimeDeviceLock 'Limit']
    [-MinDevicePasswordLength <'Null' or 'Number'>]
    [-PasswordRecoveryEnabled <$true | $false>]
    [-UNCAccessEnabled <$true | $false>]
    [-WSSAccessEnabled <$true | $false>]

Usage
  New-MobileMailboxPolicy -Name 'Primary ActiveSync Mailbox Policy'
    -AllowNonProvisionableDevices $true
    -DevicePasswordEnabled $true
    -AlphanumericDevicePasswordRequired $true
    -MaxInactivityTimeDeviceLock '00:15:00'
    -MinDevicePasswordLength '8'
    -PasswordRecoveryEnabled $true
    -DeviceEncryptionEnabled $true
    -AttachmentsEnabled $true

Optimizing Exchange ActiveSync Mailbox Policies

When you create an Exchange ActiveSync Mailbox policy, some additional settings are configured automatically. By default, access to both Windows file shares and Microsoft Windows SharePoint Services is allowed. If you specified that passwords were required, by default, the number of failed attempts allowed is eight. If the policy allows devices to download attachments, there is no default limit on the attachment size. You can modify these and other policy settings by completing the following steps:

  1. In Exchange Management Console, right-click the policy, and select Properties.

  2. On the General tab, use the options to configure whether non-provisionable devices, attachments, or both are allowed. If the policy allows attachments and you want to limit the size of attachments that users can download, select the Maximum Attachment Size (KB) check box, and then enter the size limit in kilobytes (KB), such as 900.

  3. If you don't want users to be able to access file shares, SharePoint Services, or both from their mobile devices, clear the Windows File Shares and Windows SharePoint Services check boxes.

  4. On the Password tab, you must select the Require Password check box to set controls for device passwords. The options available are the same as when you are creating a policy, with one addition: Number Of Failed Attempts Allowed. To limit the number of failed password attempts that can be made before a user's account is locked, select this check box, and then set the allowed limit. Click OK to apply your settings.

In Exchange Management Shell, you can modify Exchange ActiveSync Mailbox policies using the Set-MobileMailboxPolicy cmdlet. Sample 16-9 provides the syntax and usage.

Sample 16-9: Set-MobileMailboxPolicy cmdlet syntax and usage

Syntax
  Set-MobileMailboxPolicy -Identity 'Name'
    [-AllowNonProvisionableDevices <$true | $false>]
    [-AllowSimpleDevicePassword <$true | $false>]
    [-AlphanumericDevicePasswordRequired <$true | $false>]
    [-AttachmentsEnabled <$true | $false>]
    [-DeviceEncryptionEnabled <$true | $false>]
    [-DevicePasswordEnabled <$true | $false>]
    [-DevicePasswordExpiration 'Limit']
    [-DevicePasswordHistory 'Number']
    [-MaxAttachmentSize 'Limit']
    [-MaxDevicePasswordFailedAttempts 'Limit']
    [-MaxInactivityTimeDeviceLock 'Limit']
    [-MinDevicePasswordLength <'Null' or 'Number'>]
    [-Name <'NewName'>]
    [-PasswordRecoveryEnabled <$true | $false>]
    [-UNCAccessEnabled <$true | $false>]
    [-WSSAccessEnabled <$true | $false>]

Usage
  Set-MobileMailboxPolicy -Identity 'Primary ActiveSync Mailbox Policy'
    -AllowNonProvisionableDevices $false
    -DevicePasswordEnabled $true
    -AlphanumericDevicePasswordRequired $true
    -MaxInactivityTimeDeviceLock '00:08:00'
    -MinDevicePasswordLength '6'
    -MaxDevicePasswordFailedAttempts '5'

Assigning Exchange ActiveSync Mailbox Policies

The easiest way to assign Exchange ActiveSync Mailbox policies is to do so when you create user mailboxes. In the New Mailbox wizard, you assign the Exchange ActiveSync Mailbox policy on the Mailbox Settings page.

For existing mailboxes, you can assign an Exchange ActiveSync Mailbox policy by completing the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration node, and then select the Mailbox node.

  2. Right-click the mailbox with which you want to work, and then select Properties.

  3. On the Mailbox Features tab, select Exchange ActiveSync, and then click Properties.

  4. Select the Apply An Exchange ActiveSync Mailbox Policy check box.

  5. Click Browse. In the Select Mobile Mailbox Policy dialog box, select the policy you want to assign, and then click OK. Click OK twice to apply your settings.

In Exchange Management Shell, you can assign an Exchange ActiveSync Mailbox policy to a mailbox using the MobileMailboxPolicy parameter of the Set-CASMailbox cmdlet. Sample 16-10 provides the syntax and usage.

Sample 16-10: Assigning Exchange ActiveSync Mailbox policy to a mailbox

Syntax
  Set-CASMailbox -Identity 'MailboxIdentity'
    -MobileMailboxPolicy 'PolicyIdentity'

Usage
  Set-CASMailbox -Identity 'Mark Harrington'
    -MobileMailboxPolicy 'Primary ActiveSync Mailbox Policy'
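The three preceding sections (creating, optimizing and assigning a policy) are usually performed together for one group of users. The script below is an added example, not code from the chapter: it creates a hardened department policy with the parameters from Samples 16-8 and 16-9, assigns it to every mailbox in that department with Set-CASMailbox as in Sample 16-10, and then lists mailboxes that are ActiveSync-enabled but have no policy at all. The policy name and the Department value are assumptions, as is the MobileMailboxPolicy property name read back from Get-CASMailbox in the final report.

```powershell
# Added example, not from the chapter: create, tune and assign an Exchange
# ActiveSync Mailbox policy for one department, then report unassigned mailboxes.
# Cmdlet and parameter names follow Samples 16-8 through 16-10; the policy name,
# department value and the CASMailbox property in the report are assumptions.

$PolicyName = 'Marketing ActiveSync Mailbox Policy'   # assumed policy name
$Department = 'Marketing'                             # assumed AD Department value

# Create the policy only if it does not already exist.
$policy = Get-MobileMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if ($policy -eq $null) {
    # Password required, alphanumeric, 8+ characters, no simple passwords,
    # lock after 15 idle minutes, at most 8 failed attempts, 90-day expiry,
    # 5 remembered passwords, device encryption on, attachments capped at 900 KB.
    $policy = New-MobileMailboxPolicy -Name $PolicyName `
        -AllowNonProvisionableDevices $false `
        -DevicePasswordEnabled $true `
        -AlphanumericDevicePasswordRequired $true `
        -AllowSimpleDevicePassword $false `
        -MinDevicePasswordLength '8' `
        -MaxInactivityTimeDeviceLock '00:15:00' `
        -MaxDevicePasswordFailedAttempts '8' `
        -DevicePasswordExpiration '90.00:00:00' `
        -DevicePasswordHistory '5' `
        -DeviceEncryptionEnabled $true `
        -PasswordRecoveryEnabled $true `
        -AttachmentsEnabled $true `
        -MaxAttachmentSize '900KB'
    Write-Host "Created policy '$PolicyName'"
} else {
    # Policy exists: re-apply the settings the "Optimizing" section says are
    # defaulted at creation time (file-share and SharePoint access on).
    Set-MobileMailboxPolicy -Identity $PolicyName `
        -UNCAccessEnabled $false `
        -WSSAccessEnabled $false `
        -MaxAttachmentSize '900KB'
    Write-Host "Updated policy '$PolicyName'"
}

# Assign the policy to every mailbox whose Department attribute matches.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -Filter "Department -eq '$Department'")
foreach ($mbx in $mailboxes) {
    Set-CASMailbox -Identity $mbx.Identity -MobileMailboxPolicy $PolicyName
}
Write-Host "Assigned '$PolicyName' to $($mailboxes.Count) mailbox(es) in $Department"

# Report: ActiveSync enabled but no policy assigned (these devices get no
# password, lock or encryption requirements). Property name is an assumption.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and "$($_.MobileMailboxPolicy)" -eq '' } |
    Select-Object Name, ActiveSyncEnabled |
    Format-Table -AutoSize
```

Run it from Exchange Management Shell on a Client Access server. The final report is the part worth scheduling: a mailbox created outside the New Mailbox wizard, or one whose policy was removed so the policy could be deleted, synchronizes with no device requirements until it appears here and is reassigned.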

Removing Exchange ActiveSync Mailbox Policies

When you no longer need an Exchange ActiveSync Mailbox policy, you can remove it. In Exchange Management Console, right-click the policy, and select Remove. As long as no users are assigned to the policy, you'll see a confirmation prompt; clicking Yes tells Exchange Management Console to delete the policy. If users are assigned to the policy, you won't be able to remove it. You'll need to remove the policies from user mailboxes in order to delete the policy.

In Exchange Management Shell, you can remove an Exchange ActiveSync Mailbox policy that is not being used by utilizing the Remove-MobileMailboxPolicy cmdlet. Sample 16-11 provides the syntax and usage.

Sample 16-11: Remove-MobileMailboxPolicy cmdlet syntax and usage

Syntax
  Remove-MobileMailboxPolicy -Identity 'Name'

Usage
  Remove-MobileMailboxPolicy -Identity 'Primary ActiveSync Mailbox Policy'

Understanding and Using Remote Device Wipe

Although passwords help to protect mobile devices, they don't prevent access to the device. Malicious individuals may still gain access to data. In the event that a device is lost or stolen, you can use Remote Device Wipe to instruct a mobile device to delete all its data.

Remotely Wiping a Device

An administrator or the owner of the device can prevent the compromising of sensitive data by initiating a remote device wipe. After you initiate a remote device wipe, the device removes all its data the next time it connects to Exchange Server. Not only does this return the device to its factory default condition, it also removes any data stored on any storage card inserted into the device. Wiping the data prevents it from being compromised.

The easiest way to wipe a device remotely is to have the device owner initiate the wipe. Alternately, an administrator can log on to Outlook Web Access as the device owner and initiate the remote wipe. To do this, follow these steps:

  1. Start Internet Explorer. In the Address field, type the Outlook Web Access URL, such as https://mail.cpandl.com/owa, and then press Enter to access this page.

  2. When prompted, provide the logon credentials of the user whose device you want to wipe. Do not provide your administrator credentials.

  3. On the Outlook Web Access toolbar, click Options.

  4. The left pane of the Options view provides a list of options. Scroll down, and then click Mobile Devices.

  5. The user's mobile devices are listed in the details pane. Select the device you want to wipe, and then click Wipe All Data From Device.

  6. Confirm the action when prompted.

  7. Click Remove Device From List.

Note 

You can use Outlook Web Access for remote device wiping only if the user has used the device previously to access Exchange Server and if you have enabled the Segmentation feature of Exchange Active Directory Integration (which is the default configuration).

Caution 

Because wiping a device will cause complete data loss, you should do this only when you've contacted the user directly (preferably in person) and confirmed that the mobile device has been lost and that he or she understands the consequences of wiping the device. If your organization has a formal policy regarding the wiping of lost devices that may contain sensitive company data, be sure you follow this policy and get any necessary approvals.

In Exchange Management Shell, you can list the mobile devices registered as partners for a user's mailbox using the Get-MobileDeviceStatistics cmdlet. The device identity you want is the DeviceId string. If the user has multiple mobile devices, be sure to also consult the DeviceModel and DeviceOperatorNetwork values.

After you know the mobile device identity, you can issue a remote device wipe command using the Clear-ActiveSyncDevice cmdlet. You'll then need to confirm that you want to wipe the device when prompted by pressing the Y key. Samples 16-12 and 16-13 provide the syntax and usage for the Get-MobileDeviceStatistics and Clear-ActiveSyncDevice cmdlets, respectively.

Sample 16-12: Get-MobileDeviceStatistics cmdlet syntax and usage

Syntax
  Get-MobileDeviceStatistics -Mailbox 'MailboxIdentity'

Usage
  Get-MobileDeviceStatistics -Mailbox 'David Pelton'

Sample 16-13: Clear-ActiveSyncDevice cmdlet syntax and usage

Syntax
  Clear-ActiveSyncDevice -Identity 'MobileDeviceIdentity'

Usage
  Clear-ActiveSyncDevice -Identity 'Mobile_DavidP'

Reviewing the Remote Wipe Status

When you initiate a remote wipe, the mobile device removes all its data the next time it connects to Exchange Server. You can review the remote wipe status using an alternate syntax for the Get-MobileDeviceStatistics cmdlet. Instead of passing the cmdlet the Mailbox parameter, use the Identity parameter to specify the DeviceId string of the device you wiped. The statistics returned will include these output parameters:

  • DeviceWipeRequestTime The time you request a remote wipe.

  • DeviceWipeSentTime The time the server sent the remote wipe command to the device.

  • DeviceWipeAckTime The time when the device acknowledged receipt of the remote wipe command.

If there is a DeviceWipeSentTime timestamp, the device has connected to Exchange Server and Exchange Server sent the device the remote wipe command. If there is a DeviceWipeAckTime timestamp, the device acknowledged receipt of the remote wipe and has started to wipe its data.
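The wipe procedure and the status review above fit naturally into one script. The following is an added example, not code from the chapter: it enumerates a user's partner devices with Get-MobileDeviceStatistics, selects the lost device by DeviceModel as the text advises, issues the wipe with Clear-ActiveSyncDevice, and then polls the three wipe timestamps using the Identity form of Get-MobileDeviceStatistics. The mailbox name, the model string and the polling interval are assumptions; the device's Identity value is taken from the statistics object rather than typed by hand.

```powershell
# Added example, not from the chapter: wipe a lost device and follow the
# DeviceWipeRequestTime / DeviceWipeSentTime / DeviceWipeAckTime progression.
# Cmdlet names follow Samples 16-12 and 16-13; mailbox and model are assumptions.

$Mailbox = 'David Pelton'   # assumed mailbox identity
$Model   = 'PocketPC'       # assumed DeviceModel value reported by the lost device

# 1. List the user's partner devices; show the fields the text says to compare
#    when a user has more than one device.
$devices = @(Get-MobileDeviceStatistics -Mailbox $Mailbox)
$devices | Format-Table DeviceId, DeviceModel, DeviceOperatorNetwork, LastSyncAttemptTime -AutoSize

# 2. Select exactly one device. Refuse to guess if the model is ambiguous;
#    the operator must then pick by DeviceId explicitly.
$target = @($devices | Where-Object { $_.DeviceModel -eq $Model })
if ($target.Count -ne 1) {
    throw "Expected one '$Model' device for '$Mailbox', found $($target.Count); select by DeviceId instead."
}
$deviceIdentity = $target[0].Identity

# 3. Issue the wipe. -Confirm:$false suppresses the Y/N prompt the chapter
#    describes, so the approval required by the Caution above must already be
#    recorded before this line runs.
Clear-ActiveSyncDevice -Identity $deviceIdentity -Confirm:$false

# 4. Interpret the status fields. The command is only delivered when the device
#    next connects, so "requested" can persist until its next sync attempt.
function Get-WipeStatus($identity) {
    $s = Get-MobileDeviceStatistics -Identity $identity
    if ($s.DeviceWipeAckTime)     { return "acknowledged at $($s.DeviceWipeAckTime); device is wiping" }
    if ($s.DeviceWipeSentTime)    { return "sent at $($s.DeviceWipeSentTime); not yet acknowledged" }
    if ($s.DeviceWipeRequestTime) { return "requested at $($s.DeviceWipeRequestTime); device has not connected" }
    return 'no wipe pending'
}

# 5. Poll a few times, one minute apart (assumed interval), and stop once
#    the device has acknowledged the wipe.
for ($i = 0; $i -lt 6; $i++) {
    $status = Get-WipeStatus $deviceIdentity
    Write-Host "$(Get-Date -Format 'HH:mm:ss') wipe status: $status"
    if ($status -like 'acknowledged*') { break }
    Start-Sleep -Seconds 60
}
```

The ordering of the three checks matters: a device that has acknowledged the wipe also carries the earlier request and sent timestamps, so the most advanced state must be tested first. A status that stays at "requested" means the device has not connected since the request; it is still holding its data, which is why the request should be made as soon as the loss is confirmed rather than after the account is disabled.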

Understanding and Using Password Recovery

Users can create passwords for their mobile devices. If a user forgets his or her password, you can obtain a recovery password that unlocks the device and lets the user create a new password. The user can also recover his or her device password by using Outlook Web Access.

To use Outlook Web Access to recover a user's device password, complete the following steps:

  1. Start Internet Explorer. In the Address field, type the Outlook Web Access URL, such as https://mail.cpandl.com/owa, and then press Enter to access this page.

  2. When prompted, provide the user's logon credentials. Do not provide your administrator credentials.

  3. On the Outlook Web Access toolbar, click Options.

  4. The left pane of the Options view provides a list of options. Scroll down, and then click Mobile Devices.

  5. The user's mobile devices are listed in the details pane. Select the device for which you are recovering the password.

  6. Click Display Device Password.

You can display the device recovery password by completing the following steps:

  1. In Exchange Management Console, expand the Recipient Configuration node, and then select the Mailbox node.

  2. Right-click the user's mailbox, and then select Manage Mobile Device. The device recovery password is displayed in the Manage Mobile Device dialog box.

In Exchange Management Shell, you can display the device recovery password using the ShowRecoveryPassword parameter of the Get-ActiveSyncDeviceStatistics cmdlet. Sample 16-14 provides the syntax and usage.

Sample 16-14: Recovering a device password

Syntax
  Get-ActiveSyncDeviceStatistics -Mailbox 'MailboxIdentity'
    -ShowRecoveryPassword $true

Usage
  Get-ActiveSyncDeviceStatistics -Mailbox 'HelenB'
    -ShowRecoveryPassword $true

Understanding and Configuring Direct File Access

By default, Exchange Server 2007 allows users to access files directly through Outlook Web Access. This means that users will be able to access files attached to e-mail messages. You can configure how users interact with files using one of three options in the Exchange Management Console:

  • Allow Allows users to access files of the specified types and sends the users’ browser information that allows the files to be displayed or opened in the proper applications.

  • Block Prevents users from accessing files of the specified types.

  • Force Save Forces users to save files of the specified types prior to opening them.

Table 16-3 lists the default file extensions and default Multipurpose Internet Mail Extensions (MIME) values that Exchange Server allows, blocks, or sets to force save by default. These settings are applied to the OWA virtual directory on Client Access servers. If a server has multiple OWA virtual directories or you have multiple Client Access servers, you must configure each directory and server separately.

Table 16-3: Default File Extensions and Default MIME Values for Direct File Access

Allow

  Default file name extensions: .avi, .bmp, .doc, .docm, .docx, .gif, .jpg, .mp3, .one, .pdf, .png, .ppsm, .ppsx, .ppt, .pub, .rpmsg, .rtf, .tif, .txt, .vsd, .wav, .wma, .wmv, .xls, .xlsb, .xlsm, .xlsx, .zip

  Default MIME values: image/jpeg, image/png, image/gif, image/bmp

Block

  Default file name extensions: .ade, .adp, .asx, .app, .asp, .aspx, .bas, .bat, .cer, .chm, .cmd, .com, .cpl, .crt, .csh, .dir, .dcr, .der, .exe, .fxp, .hlp, .hta, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .mshxml, .msh1xml, .msi, .msp, .mst, .ops, .pcd, .pif, .plg, .prf, .prg, .ps1, .ps2, .psc1, .psc2, .ps1xml, .ps2xml, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .spl, .swf, .tmp, .url, .vb, .vbe, .vbs, .vsmacros, .vss, .vst, .vsw, .ws, .wsc, .wsf, .wsh, .xml

  Default MIME values: application/hta, application/javascript, application/msaccess, application/prg, application/x-javascript, application/xml, text/javascript, text/scriptlet, text/xml, x-internet-signup

Force Save

  Default file name extensions: .vsmacros, .mshxml, .aspx, .xml, .wsh, .wsf, .wsc, .vsw, .vst, .vss, .vbs, .vbe, .url, .tmp, .swf, .spl, .shs, .shb, .sct, .scr, .scf, .reg, .pst, .prg, .prf, .plg, .pif, .pcd, .ops, .mst, .msp, .msi, .msh, .msc, .mdz, .mdw, .mdt, .mde, .mdb, .mda, .maw, .mav, .mau, .mat, .mas, .mar, .maq, .mam, .mag, .maf, .mad, .lnk, .ksh, .jse, .its, .isp, .ins, .inf, .hta, .hlp, .fxp, .exe, .dir, .dcr, .csh, .crt, .cpl, .com, .cmd, .chm, .cer, .bat, .bas, .asx, .asp, .app, .adp, .ade, .ws, .vb, .js

  Default MIME values: Application/x-shockwave-flash, Application/octet-stream, Application/futuresplash, Application/x-director

Note 

If there are conflicts between the allow, block, and force save lists, the allow list takes precedence. This means that the allow list settings override the block list and the force save list. As updates are applied to Exchange Server, the default lists may change. Be sure to check the currently applied defaults.

Exchange Server considers all file extensions and MIME types not listed on the allow, block, or force save list to be unknown files and file types. The default setting for unknown file types is force save.

Based on the user's selection, the configuration of his or her network settings, or both, Exchange divides all client connections into one of two classes:

  • Public Computer A public computer is a computer being used on a public network.

  • Private Computer A private computer is a computer on a private network.

You can enable or disable direct access to files separately for public computers and private computers. However, the allow, block, and force save settings for both types of computers are shared and applied to both public and private computers in the same way.

You can configure direct file access by completing the following steps:

  1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.


  2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Select the server you want to configure.

  3. In the lower portion of the details pane, you'll see a list of option tabs for the selected server. On the Outlook Web Access tab, right-click the virtual directory for which you are configuring direct file access, and then select Properties. Typically, you'll want to configure the OWA virtual directory on the Default Web Site, as this directory is used by default for Outlook Web Access.

  4. To enable or disable direct file access for public computers, on the Public Computer File Access tab, select or clear the Enable Direct File Access check box, as appropriate (see Figure 16-6).

    Figure 16-6: Enable or disable direct file access for public computers.

  5. To enable or disable direct file access for private computers, on the Private Computer File Access tab, select or clear the Enable Direct File Access check box, as appropriate.

  6. On either the Public Computer File Access tab or Private Computer File Access tab, click the Customize button on the Direct File Access panel. The Direct File Access Settings dialog box appears, as shown in Figure 16-7.

    Figure 16-7: Configure the direct file access settings.

  7. In the Direct File Access Settings dialog box, you can configure allowed files by clicking Allow. The Allow List dialog box appears. Use the following techniques to configure allowed files, and then click OK:

    • q To allow a new file extension, type it in the text box provided. Be sure to include the period, such as .xhtml, and then press Enter or click Add.

    • q To allow a new MIME type, enter it in the text box provided. Be sure to include the full MIME type designator, such as text/xhtml, and then press Enter or click Add.

    • q To stop allowing a file extension or MIME type, select it, and then click the Remove button.

  8. In the Direct File Access Settings dialog box, you can configure blocked files by clicking Block. The Block List dialog box appears. Use the following techniques to configure blocked files, and then click OK:

    • To block a new file extension, type it in the text box provided. Be sure to include the period, such as .src, and then press Enter or click Add.

    • To block a new MIME type, enter it in the text box provided. Be sure to include the full MIME type designator, such as application/src, and then press Enter or click Add.

    • To stop blocking a file extension or MIME type, select it, and then click the Remove button.

  9. In the Direct File Access Settings dialog box, you can configure force-saved files by clicking Force Save. Files on this list are downloaded to disk rather than opened in the browser. The Force Save List dialog box appears. Use the following techniques to configure force-saved files, and then click OK:

    • To force save a new file extension, type it in the text box provided. Be sure to include the period, such as .aap, and then press Enter or click Add.

    • To force save a new MIME type, enter it in the text box provided. Be sure to include the full MIME type designator, such as application/stream, and then press Enter or click Add.

    • To stop force saving a file extension or MIME type, select it, and then click the Remove button.

  10. In the Direct File Access Settings dialog box, use the selection list on the Unknown Files panel to set how files whose extension and MIME type appear on none of the three lists are handled: Allow, Block, or Force Save. Click OK to save your settings, and then click OK to close the Properties dialog box for the virtual directory you selected.

In Exchange Management Shell, you can use the Set-OwaVirtualDirectory cmdlet to manage the direct file-access configuration. Set the Identity parameter to the identity of the virtual directory on the server you want to work with, such as:

 Set-OwaVirtualDirectory -Identity 'Corpsvr127\owa (Default Web Site)' -DirectFileAccessOnPublicComputersEnabled $false -DirectFileAccessOnPrivateComputersEnabled $true

If you are unsure of the virtual directory identity value, use the Get-OwaVirtualDirectory cmdlet to retrieve a list of available virtual directories on a named server, as shown in the following example:

 Get-OwaVirtualDirectory -Server 'Corpsvr127' 
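The following script is an added example and is not part of the book: it carries the direct file access procedure above through Exchange Management Shell in one pass, preserving the lists already on the virtual directory before adding to them. The server and virtual directory names are the book's sample values; the extensions added are assumptions chosen for illustration. The list parameters (-BlockedFileTypes, -ForceSaveFileTypes, -ActionForUnknownFileAndMIMETypes) are the Set-OwaVirtualDirectory parameters behind the Block, Force Save and Unknown Files controls in the dialog box.

```powershell
# Added example (not from the book): tighten direct file access on one OWA virtual
# directory. Server/virtual directory names are the book's sample values; the
# extension lists below are assumptions for illustration.
$vdir = 'Corpsvr127\owa (Default Web Site)'
$owa  = Get-OwaVirtualDirectory -Identity $vdir

# Start from the current lists so entries already configured are preserved.
$blocked   = @($owa.BlockedFileTypes)
$forceSave = @($owa.ForceSaveFileTypes)

# Script and control-panel file types should never open inline from a browser session.
foreach ($ext in '.hta', '.scr', '.pif', '.cpl', '.ws', '.wsh') {
    if ($blocked -notcontains $ext) { $blocked += $ext }
}

# Macro-enabled Office documents are downloaded to disk instead of opened.
foreach ($ext in '.docm', '.xlsm', '.pptm') {
    if ($forceSave -notcontains $ext) { $forceSave += $ext }
}

# Public (kiosk) sessions get no direct file access at all; private sessions keep it
# but anything not on a list is force-saved rather than opened.
Set-OwaVirtualDirectory -Identity $vdir `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $true `
    -BlockedFileTypes $blocked `
    -ForceSaveFileTypes $forceSave `
    -ActionForUnknownFileAndMIMETypes ForceSave

# Read the configuration back rather than assuming the write succeeded.
Get-OwaVirtualDirectory -Identity $vdir |
    Format-List DirectFileAccessOn*, BlockedFileTypes, ForceSaveFileTypes, ActionForUnknownFileAndMIMETypes
```

Read the lists back with Get-OwaVirtualDirectory before editing them, as the script does, because passing -BlockedFileTypes or -ForceSaveFileTypes replaces the whole list rather than appending to it.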

Understanding and Configuring Remote File Access

By default, Exchange Server 2007 allows users to access files remotely through Outlook Web Access as long as they have a Premium Client Access License. Users can open documents on Windows SharePoint Services sites and on Universal Naming Convention (UNC) file shares hosted on Windows file servers. SharePoint sites consist of Web Parts and ASP.NET-based components that allow users to share documents, tasks, contacts, events, and other information; UNC file shares allow users to share folders and files.

You can enable or disable direct remote access to Windows file shares and Windows SharePoint Services separately for public computers and private computers. To configure remote file access, complete the following steps:

  1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.

  2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Select the server you want to configure.

  3. In the lower portion of the details pane, you'll see a list of option tabs for the selected server. On the Outlook Web Access tab, right-click the virtual directory for which you are configuring remote file access, and then select Properties. Typically, you'll want to configure the OWA virtual directory on the Default Web Site, as this directory is used by default for Outlook Web Access.

  4. To configure remote file access for public computers, on the Public Computer File Access tab, use the following techniques to configure remote file access from public computers:

    • Enable UNC file shares for remote access by selecting the Windows File Shares check box.

    • Disable UNC file shares for remote access by clearing the Windows File Shares check box.

    • Enable Web Parts and SharePoint for remote access by selecting the Windows SharePoint Services check box.

    • Disable Web Parts and SharePoint for remote access by clearing the Windows SharePoint Services check box.

  5. To configure remote file access for private computers, on the Private Computer File Access tab, select or clear the Windows File Shares and Windows SharePoint Services check boxes, as appropriate.

  6. On the Remote File Servers tab (shown in Figure 16-8), you can specify the host names of servers from which clients are denied or allowed access using block and allow lists, respectively. If there is a conflict between the block list and the allow list, the block list takes precedence.

    image from book
    Figure 16-8: Configure remote file server options.

  7. To configure the block list, click Block. Use the following techniques to configure the block list, and then click OK:

    • To add a server to the block list, type the fully qualified domain name of the server, such as mailsvr83.cpandl.com (a host name only, with no http:// prefix), and then press Enter or click Add.

    • To remove a server from the block list, select the host entry, and then click the Remove button.

  8. To configure the allow list, click Allow. Use the following techniques to configure the allow list, and then click OK:

    • To add a server to the allow list, type the fully qualified domain name of the server, such as mailsvr83.cpandl.com (a host name only, with no http:// prefix), and then press Enter or click Add.

    • To remove a server from the allow list, select the host entry, and then click the Remove button.

  9. Servers that are not listed on either the allow list or the block list are considered to be unknown servers. By default, access to unknown servers is allowed. On the Remote File Servers tab, use the Unknown Servers selection list to allow or block unknown servers.

  10. Users only have access to shares hosted on internal servers. A server is considered internal when its host name ends in one of the domain suffixes you tell Exchange to treat as internal; a server that is on the allow list but not under an internal suffix is still unreachable. On the Remote File Servers tab, click the Configure button. Use the following techniques to configure your internal domain suffixes, and then click OK:

    • To add a domain suffix, type the DNS suffix, such as cpandl.com (no http:// prefix and no host name), and then press Enter or click Add.

    • To remove a domain suffix, select the suffix entry, and then click the Remove button.

In Exchange Management Shell, you can use the Set-OwaVirtualDirectory cmdlet to manage the remote file access configuration. Set the Identity parameter to the identity of the virtual directory on the server with which you want to work, such as:

 Set-OwaVirtualDirectory -Identity 'Corpsvr127\owa (Default Web Site)' -UNCAccessOnPublicComputersEnabled $false -UNCAccessOnPrivateComputersEnabled $true -WSSAccessOnPublicComputersEnabled $false -WSSAccessOnPrivateComputersEnabled $true 

If you are unsure of the virtual directory identity value, use the Get-OwaVirtualDirectory cmdlet to retrieve a list of available virtual directories on a named server, as shown in the following example:

 Get-OwaVirtualDirectory -Server 'Corpsvr127' 
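The following script is an added example, not code from the book: it puts the Remote File Servers tab into an allow-list posture from Exchange Management Shell, then checks candidate host names against the rules described above (block list wins over allow list, hosts on neither list get the unknown-server action, and a host must fall under an internal domain suffix). The server and suffix names are assumptions for illustration, and Test-RemoteDocumentServer is a local model of those documented rules, not a cmdlet that ships with Exchange.

```powershell
# Added example (not from the book). Host names and domain suffixes are assumptions.
$vdir = 'Corpsvr127\owa (Default Web Site)'

# Deny by default: unknown servers are blocked, so only the allow list is reachable,
# and public (kiosk) sessions get no remote file access at all.
Set-OwaVirtualDirectory -Identity $vdir `
    -UNCAccessOnPublicComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false `
    -UNCAccessOnPrivateComputersEnabled $true `
    -WSSAccessOnPrivateComputersEnabled $true `
    -RemoteDocumentsInternalDomainSuffixList 'cpandl.com', 'corp.cpandl.com' `
    -RemoteDocumentsAllowedServers 'fileserver01.cpandl.com', 'sharepoint.corp.cpandl.com' `
    -RemoteDocumentsBlockedServers 'mailsvr83.cpandl.com' `
    -RemoteDocumentsActionForUnknownServers Block

# Local model of the evaluation order the book describes (hypothetical helper, not a
# built-in cmdlet): internal suffix required, then block list, then allow list,
# then the unknown-server action. It reads the live configuration to evaluate.
function Test-RemoteDocumentServer {
    param([string]$Identity, [string]$HostName)
    $owa = Get-OwaVirtualDirectory -Identity $Identity
    $h = $HostName.ToLower()

    $internal = $false
    foreach ($suffix in $owa.RemoteDocumentsInternalDomainSuffixList) {
        $s = $suffix.ToLower()
        if ($h -eq $s -or $h.EndsWith('.' + $s)) { $internal = $true }
    }
    if (-not $internal) { return "$HostName : Denied (not under an internal domain suffix)" }
    if ($owa.RemoteDocumentsBlockedServers -contains $h) { return "$HostName : Denied (block list)" }
    if ($owa.RemoteDocumentsAllowedServers -contains $h) { return "$HostName : Allowed (allow list)" }
    return "$HostName : $($owa.RemoteDocumentsActionForUnknownServers) (unknown server)"
}

# Constructed test names: one allowed, one blocked, one unknown but internal, one external.
'fileserver01.cpandl.com', 'mailsvr83.cpandl.com', 'hr-share.corp.cpandl.com', 'fileserver01.fabrikam.com' |
    ForEach-Object { Test-RemoteDocumentServer -Identity $vdir -HostName $_ }
```

With the settings above, the check reports the first name as allowed, the second as denied by the block list, the third as Block because it is an unknown internal server, and the fourth as denied because fabrikam.com is not an internal suffix. Use the same function after any change to the lists to confirm the effective result rather than reasoning about three lists by hand.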

Understanding and Using WebReady Document Viewing

WebReady Document Viewing allows users to view common file types in Outlook Web Access without having the applications associated with those file types installed on their computer. This allows users to view the following files:

  • Adobe PDF documents with the .pdf extension.

  • Microsoft Excel spreadsheets with the .xls extension.

  • Microsoft Word documents with the .doc extension.

  • Microsoft PowerPoint presentations with the .ppt extension.

For attachments, the related MIME types supported are as follows:

  • application/pdf

  • application/vnd.ms-excel

  • application/vnd.ms-powerpoint

  • application/msword

  • application/x-msexcel

  • application/x-mspowerpoint

If the direct file access, remote file access, and WebReady Document Viewing settings conflict for a document type, you can force clients to try WebReady Document Viewing first. The document is then converted on the Client Access server and rendered as HTML in the browser rather than opened in a related application, such as Microsoft Word, which matters most on public computers where a downloaded copy would remain on the local disk.

You can enable or disable WebReady Document Viewing separately for public computers and private computers. However, the supported document types are a single shared setting that applies to public and private computers in the same way.

To configure WebReady Document Viewing, complete the following steps:

  1. In Exchange Management Console, expand the Server Configuration node, and then select the Client Access node.

  2. In the upper portion of the details pane, you'll see a list of your organization's Client Access servers. Select the server you want to configure.

  3. In the lower portion of the details pane, you'll see a list of option tabs for the selected server. On the Outlook Web Access tab, right-click the virtual directory for which you are configuring WebReady Document Viewing, and then select Properties. Typically, you'll want to configure the OWA virtual directory on the Default Web Site, as this directory is used by default for Outlook Web Access.

  4. On the Public Computer File Access tab, use the following techniques to configure WebReady Document Viewing for public computers:

    • Enable WebReady Document Viewing by selecting the Enable WebReady Document Viewing check box.

    • Disable WebReady Document Viewing by clearing the Enable WebReady Document Viewing check box.

    • Force the use of WebReady Document Viewing first by selecting the Force WebReady Document Viewing First check box.

    • Allow documents with supported WebReady Document Viewing formats to be opened in related applications by clearing the Force WebReady Document Viewing First check box.

  5. To configure WebReady Document Viewing for private computers, on the Private Computer File Access tab, select or clear the Enable WebReady Document Viewing and Force WebReady Document Viewing First check boxes, as appropriate.

  6. On either the Public Computer File Access tab or Private Computer File Access tab, click the Supported button on the WebReady Document Viewing panel. The WebReady Document Viewing Settings dialog box appears, as shown in Figure 16-9.

    image from book
    Figure 16-9: Configure WebReady Document Viewing.

  7. To allow all supported document types to be used with WebReady Document Viewing, select All Supported Document Types, and then click OK.

  8. To customize the supported document types, click Specific Document Types. Use the following techniques to configure supported document types:

    • To stop allowing a document extension or MIME type, select it, and then click the Remove button.

    • To restore a previously removed document extension, under Specify Document Extensions, click the Add button, select the document extension to add, and then click OK.

    • To restore a previously removed MIME type, under Specify The MIME Types Of Documents, click the Add button, select the MIME type to add, and then click OK.

  9. Click OK to close the Properties dialog box for the virtual directory.

In Exchange Management Shell, you can use the Set-OwaVirtualDirectory cmdlet to manage the WebReady Document Viewing configuration. Set the Identity parameter to the identity of the virtual directory on the server with which you want to work, such as:

 Set-OwaVirtualDirectory -Identity 'Corpsvr127\owa (Default Web Site)' -WebReadyDocumentViewingOnPublicComputersEnabled $false -WebReadyDocumentViewingOnPrivateComputersEnabled $true

If you are unsure of the virtual directory identity value, use the Get-OwaVirtualDirectory cmdlet to retrieve a list of available virtual directories on a named server, as shown in the following example:

 Get-OwaVirtualDirectory -Server 'Corpsvr127' 
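The following script is an added example and not code from the book: it applies the WebReady Document Viewing settings from the procedure above through Exchange Management Shell, then audits every OWA virtual directory in the organization for the public-computer settings covered in this section (direct file access, remote file access, and WebReady Document Viewing). The server name is the book's sample value; Get-OwaPublicComputerPosture is a helper defined here for illustration, not a cmdlet that ships with Exchange.

```powershell
# Added example (not from the book). Server name is the book's sample value.
$vdir = 'Corpsvr127\owa (Default Web Site)'

# Public sessions render attachments as HTML first; private sessions may still open
# them in the local application. Supported types stay at the full default set.
Set-OwaVirtualDirectory -Identity $vdir `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true `
    -ForceWebReadyDocumentViewingFirstOnPrivateComputers $false `
    -WebReadyDocumentViewingForAllSupportedTypes $true

# Hypothetical helper (not a built-in cmdlet): collect the public-computer settings of
# every OWA virtual directory on every Client Access server.
function Get-OwaPublicComputerPosture {
    Get-ClientAccessServer | ForEach-Object {
        Get-OwaVirtualDirectory -Server $_.Name
    } | Select-Object Identity,
        DirectFileAccessOnPublicComputersEnabled,
        UNCAccessOnPublicComputersEnabled,
        WSSAccessOnPublicComputersEnabled,
        WebReadyDocumentViewingOnPublicComputersEnabled,
        ForceWebReadyDocumentViewingFirstOnPublicComputers,
        ActionForUnknownFileAndMIMETypes,
        RemoteDocumentsActionForUnknownServers
}

# Report only the virtual directories that still let a public (kiosk) session open,
# download or browse files directly, or that do not force WebReady rendering first.
Get-OwaPublicComputerPosture | Where-Object {
    $_.DirectFileAccessOnPublicComputersEnabled -or
    $_.UNCAccessOnPublicComputersEnabled -or
    $_.WSSAccessOnPublicComputersEnabled -or
    -not $_.ForceWebReadyDocumentViewingFirstOnPublicComputers
} | Format-Table -AutoSize
```

Because every one of these features is enabled by default on a new Client Access server, run the audit after each server is added to the organization; a newly installed server will otherwise show up with the permissive defaults alongside the ones you have hardened.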

Microsoft Exchange Server 2007 Administrator's Pocket Consultant, Second Edition
ISBN: 0735625867
Year: 2007