Using Outlook Web Access | Microsoft Small Business Server 2003 Unleashed

Outlook Web Access, or OWA, allows remote users to access email, contacts, calendar items, tasks, and public folders remotely using only a web browser. OWA is often described by clients as "Outlook in a web browser," because it looks so similar to Outlook. In fact, the average passerby may not be able to tell the difference between the two. This similarity is by design to help minimize the learning curve for network users. If the users can operate Outlook at the office, they should be able to access the same data stored on the Exchange server using OWA with minimal training and the proper URL.

Enormous similarities aside, there are key differences between Outlook and OWA. For example, although Outlook can cache information locally and function offline, OWA requires a live network or Internet connection to the Exchange server. And although Outlook requires a disc or network install point and credentials to install the application on a client machine, OWA is just a website accessible via a URL through a web browser and doesn't need to be installed on the client.

The key thought to keep in mind is that there are benefits and drawbacks to both technologies. There is no perfect solution, and clients may require a combination of Outlook and OWA to fit their business needs. OWA is an excellent choice for high- or low-bandwidth environments and allows multiple users access to their Exchange data without storing multiple profiles on the local machine. But it's not as robust as Outlook and is unavailable when there is no network connectivity. So the rule of thumb is to use Outlook 2003 for the knowledge worker who spends all day accessing Exchange data, and use OWA for the occasional user and shared computer user at the office, or for the knowledge worker who wants to check her email and schedule from home.

OWA has actually been around for a while and was available in previous versions of SBS. Enhancements in bandwidth reduction, compression, and forms-based authentication, and an improved user interface built into Exchange Server 2003 make the new version of OWA 60% to 70% faster for low-bandwidth users. The faster logon time and page load times improve the end user experience. Better compression cuts OWA traffic across the wire by 40% to 60%, resulting in a cost savings for pay-by-the-byte bandwidth customers.

From an administrative standpoint, OWA is installed and enabled by default on the SBS server. Users inside and outside the firewall type in an abbreviated http:// URL in a standard web browser and are then automatically redirected to the https:// SSL secured 128-bit login page, so their credentials and all other traffic are encrypted.

Network users inside the firewall can access OWA in two ways; by opening the URL http://servername/exchange in their web browser, or by clicking on the Remote E-mail Access hyperlink on the default SBS intranet located at http://companyweb.

Users outside the corporate firewall can access OWA via the Internet. But external OWA access is disabled by default, so the administrator must enable access. To enable OWA for external users, follow these steps:

Click Start, and click Server Management.

Expand the Standard Management tree and click Internet and E-mail.

Click Connect to the Internet to launch the CEICW Wizard, and click Next.

On the Connection Type page click Do Not Change Connection Type radio button, and click Next.

On the Web Services Configuration page, check the Allow Access Only to the Following Web Site Services from the Internet radio button, make sure that the Outlook Web Access box is checked, and click Next.

If you have already set up RPC over HTTP earlier in this chapter, you should now see an existing SSL certificate (for example, sbs.smallbizco.net) on the Web Server Certificate page. If so, click Do Not Change Current Web Server Certificate, and click Next.

On the Internet E-mail page, click Do Not Change Internet Email Configuration, and click Next.

Review your changes on the final screen, and click Finish.

The CIECW Wizard now automatically opens the proper ports for you in the RRAS (SBS Standard) or ISA Server (SBS Premium) firewall. In the case of OWA, the external ports needing to be open are port 80 (http) and port 443 (https). When the wizard has completed successfully, you should see four green check marks next to Network Configuration, Firewall Configuration, Secure Web Site Configuration, and E-mail Configuration. Click Close.

Best Practice: Make Sure That the Proper Ports Are Open on Both the Firewall and the Router

It may seem like a platitude, but never assume anything, especially in a network environment. Even though the SBS wizards open the necessary ports in the firewall, that doesn't mean your job is done. Always double-check to make sure that corresponding ports are also open on the router connecting the SBS server to the Internet. Some ISPs block all inbound port traffic on routers they control, and you have to contact them with the specific port numbers you need opened. More than a few SBS administrators have run the wizards, tested OWA or RWW from the Internet, failed, and immediately assumed that the wizards didn't "take" and the problem was inside SBS. Learn from their pain, and before you bang your head in frustration, call the ISP and make sure that those router ports are open.

10.

If you have not already done so, the CEICW Wizard now prompts you to enable password policies. Click Yes.

Caution

Having strong passwords on a network is always a good idea. But after you enable OWA, RWW, or any of the other SBS technologies that allow access to your network from the Internet, it is critical that strong passwords be enabled. After you open ports in your firewall, the only things keeping company information safe from prying eyes on the Internet are a username and a password. Because most companies use an employee's username in her email address, a hacker already has one of the two puzzle pieces, and even strong passwords need to be changed routinely.

11.

Check the Password Must Meet Complexity Requirements check box and select a password length, an expiration frequency, and an effective date that meet your company's individual needs (see Figure 11.4). Click OK.

Figure 11.4. It's especially important to enable strong password policies when using OWA and other remote features in SBS.

Note

If you're unsure about which password settings to use, you can always rerun the Configure Password Policies Wizard again at a later time. It's located in Server Manager, Standard Management, Users, Configure Password Policies. You can click the More Information button to learn about all the options in Figure 11.4.

Whether connecting to OWA inside the firewall or across the Internet, three different varieties of OWA are available in SBS 2003: OWA Basic, OWA Premium, and OWA Premium with ActiveX. When initially logging in to OWA, the user is given a choice of OWA Basic or Premium; OWA Premium with Active X is not shown on the login menu (see Figure 11.5). The user must also choose one of two OWA security settings; either Public or Shared Computer or Private Computer. The advantages and drawbacks of each OWA version and security settings are discussed in detail.

Figure 11.5. OWA allows users to choose client and security settings that match their environment.

Outlook Web Access Basic

OWA Basic is just like the name soundsthe most basic version of email access via a web browser (see Figure 11.6). As nice as having many features can be, sometimes less is more, especially in low-bandwidth or high-security scenarios. Because OWA Basic runs in a single web browser window, it loads faster than OWA Premium. It's also useful in Mac and UNIX environments.

Figure 11.6. OWA Basic offers a simple and straightforward interface.

However, OWA Basic can't pop up additional windows or dialog boxes, so it lacks key features, including spell checking, search capabilities, the capability to mark messages as read or unread, and new mail notification. To check for new mail the user must manually refresh the browser window, typically by pressing F5 in Internet Explorer, Firefox, or Opera.

Outlook Web Access Premium

If given a choice, most users opt for OWA Premium (see Figure 11.7). The feature set in Premium is much closer to what users are accustomed to in Outlook 2003, and the layout is nearly identical. Feature improvements over Basic include spell checking, message flags, reminder windows, message sensitivity, and search capabilities. Premium also includes the aesthetic features such as the Reading Pane and five different OWA color schemes available in the Options menu.

Figure 11.7. OWA Premium mimics the features and layout of Outlook 2003 (refer to Figure 11.1).

Spell Checking

The spell checking available in OWA is great feature, but this is not the full version of spell checking found in Outlook 2003. OWA Premium spell checking checks only the first 96K of the email, and it checks only the reply portion of the email. Also, because the spell checking is performed by the server and not on the client or web browser, you cannot add new words to the dictionary. Keep in mind that spell checking is not available in OWA Basic.

Outlook Web Access Premium with ActiveX

The third, and most overlooked, version of Outlook Web Access is OWA Premium with ActiveX. This is OWA Premium with an ActiveX control installed on the client machine. The necessary ActiveX control, called the S/MIME control, can be downloaded and installed from the Options page in OWA Premium (see Figure 11.8).

Figure 11.8. Downloading and installing the S/MIME ActiveX control turns OWA Premium into OWA Premium with ActiveX.

Once installed, the ActiveX control can be viewed or removed from the Add/Remove Programs Wizard in the Control Panel of Windows. The system requirements are a client OS of Windows 2000 or greater, the web browser must be IE6 or higher, and the user must have sufficient privileges to install the ActiveX control locally.

The ActiveX version of OWA supports S/MIME, which is the standard for sending signed and encrypted email. This makes sure that your email content is always encrypted when going over the network. It also allows better drag-and-drop attachment handling.

Best Practice: Download the Outlook Web Access Administration Kit

As powerful and useful as OWA is, more features are hidden under the surface that can be unlocked by downloading and installing the Outlook Web Access Administration Kit from the following URL: http://www.microsoft.com/exchange/downloads.

In a nutshell, the OWA Admin Kit allows a network administrator to configure the registry keys that control OWA, and it gives you a single location to see all the OWA settings available. You also get an in-depth explanation of what each setting does. The OWA Administration tool requires IE6 or higher, and for security reasons, it should be installed on a separate workstation on the domain, not on the SBS server.

After installation of the OWAAdmin.MSI file, an icon will be added to the Microsoft Exchange program group in the Start menu called Outlook Web Access Administration. Alternatively, you can access the OWA Admin tool from the URL https://servername/OWAAdmin in Internet Explorer (see Figure 11.9).

Figure 11.9. The Outlook Web Access Administration Kit exposes the hidden settings in OWA.

Perhaps the single biggest reason to download and use the OWA Administration Kit is to enable remote workers or users without a dedicated workstation to change their domain password through OWA. Without this feature, all OWA users must periodically log in to a workstation on the domain or VPN in to the network to change their password when it expires. True, OWA does notify users that their domain password is about to expire, and that's helpful, but a standard installation of SBS doesn't allow password changes through OWA. If the user's password expires and he keeps entering the password repeatedly, the user account will become locked, and that's a sure-fire recipe for a help desk call.

To enable the ability to change passwords in OWA, open the OWAAdmin toolkit as described previously, click on Security, scroll down to the Enable Change Password section, click the Yes radio button, and click OK (see Figure 11.10). Before enabling this feature, you should also read Microsoft KB article 297121 (http://support.microsoft.com/?id=297121).

Figure 11.10. The Security tab contains several options, including the ability to change passwords in OWA.

If you successfully installed the change password configuration, OWA users should see a new button on their Options tab in OWA (see Figure 11.11).

Figure 11.11. Notice the new Change Password button between the Contact Options and Recover Deleted Items sections.

Outlook Web Access Security Settings

The OWA login screen provides two security options: Public or Shared Computer and Private Computer.

Public or Shared Computer Security Setting

The Public or Shared Computer security configuration for OWA is selected by default and is the most secure configuration. Users are automatically logged off after a short period of inactivity (default 15 minutes). This setting is beneficial for web kiosks, computer labs, or computers in public places. Because this configuration "times out" more quickly, users may be inadvertently logged off when typing long emails or when temporarily distracted by a phone call or visitor, so instruct users to periodically save their work when using public mode.

Private Computer Security Setting

The Private Computer security configuration for OWA is often used at remote offices, warehouses, employees' homes, and other locations where the computer is in a more secure physical location. Users of this setting are automatically logged off after a longer period of inactivity (default 24 hours).

Note

Most SBS administrators consider the 1520 minute window too long for a session timeout on a public machine. Fortunately, the session timeout duration, or cookie authentication timeout, can be adjusted manually by the network administrator. To adjust this OWA setting and others such as custom logon pages, attachment blocking, and forms-based authentication, see the Microsoft knowledge base article 830827, "How to manage Outlook Web Access features in Exchange Server 2003" (http://support.microsoft.com/?id=830827).