Mastering Microsoft Exchange Server 2007 SP1
Outlook Web Access (OWA) is one of the biggest selling points of Exchange, and it simply gets better with every new version. It is one of the most complex web applications available, and it offers significant levels of customization while retaining a familiar Outlook-like interface, allowing end users to quickly get to grips with it as an interface for their e-mail. From the very moment you access the forms-based login page, you know that you are using something very exceptional. Figure 19.1 shows the default forms-based authentication login page, which can be customized to your company look and feel if required.
From the logon page, the user can select a radio button that indicates whether they are using a public or shared computer versus a private computer. If they are using a private computer, their inactivity time-out is 8 hours, but if they select the radio button that indicates they are using a public computer, the inactivity time-out is 15 minutes. This can help improve security by automatically disconnecting inactive users from their mailbox. The time-outs can be configured on a per-server basis via a Registry change.
The first time the end user logs into OWA, they get the chance to set their location and language (see Figure 19.2). This avoids the problems with previous versions of OWA using the location information of the machine being used.
Once you have got logged in, the interface is very familiar. Anyone who has used Outlook or OWA on Exchange 2003 will feel comfortable quickly. You have full access to your mailbox, including all folders, contacts, tasks, and notes, as you would expect. Figure 19.3 shows the full OWA interface.
New in this version is the ability to open another Exchange 2007 mailbox directly from the interface simply by selecting the box in the upper-right corner where your name appears. You are prompted for the name of the other mailbox (provided you have permissions for it).
The list of options has grown considerably, giving you more control over how OWA works for you, displays messages, and works with other users. You can access options by clicking the Options button on the upper-right portion of the OWA interface. Figure 19.4 shows the Options pane and the message options.
There are also options that let your users control their Windows Mobile handheld. With a supported handset, they can wipe the device or recover their password. With Exchange Server 2003 this was only possible through the optional tool Mobile Admin. Administrators can disable this functionality if required and also have control over the device from the server.
Exchange 2007 introduced more control over your Out-of-Office message, allowing you to have one message for known people and another message for everyone else. Outlook Web Access provides an interface for the two message types through the Options pane. Figure 19.5 shows the Out-of-Office Assistant features that a user can access through the OWA Options interface. Notice a few new Out-of-Office features, including the ability to schedule when the auto-replies are sent, an option for sending a separate Out-of-Office reply to external senders, and the ability to specify whether external senders must exist in your Contacts folder.
Changing your network password through OWA is also now built in rather than the manual configuration that it required with Exchange 2003. Network password control can be turned off as well, should that be required.
If you wish to support password changes for Exchange 2003 mailboxes, the virtual directories will need to be added to the Client Access servers as before. The built-in password change is for Exchange 2007 mailboxes only. Access to attached files has been improved, with a new WebReady feature that allows access to common file types such as Microsoft Word documents without that application needing to be installed on the machine being used to access OWA. This is also used with a new feature for OWA called document access. This allows access to SharePoint sites and documents libraries on your network through the OWA interface.
Regrettably, it is not all good news with the new version of OWA. With Microsoft's decision to deemphasize public folders, access to public folders on Exchange 2007 servers is not possible through OWA at all, though this feature is supposed to be included in Exchange Server 2007 Service Pack 1.
The ability to create and modify rules through OWA has also been removed, so if you want to work with rules, you will need to use the full Outlook client. Modifying and adding distribution groups have also been removed, along with support for S/MIME. Both of these features are supposed to be included in Exchange Server 2007 Service Pack 1.
As with Exchange 2003, the interface that you see for Outlook Web Access depends on the version of Exchange that your mailbox is located on. Therefore, although all users can see the new Exchange 2007 login screen, if their mailbox is on Exchange 2003, they will get OWA for Exchange 2003, not Exchange 2007.
Outlook Web Access is handled by an Exchange 2007 server that has the Client Access server (CAS) role installed. The CAS role replaces the front-end server functionality from previous versions of Exchange.
One of the new features we find useful in Outlook Web Access is the enhanced address book access. If you click the small Address Book icon next to the Find Someone box, you are presented with the Address Book dialog box (shown in Figure 19.6) divided into three columns.
The first column lets you select what type of addresses you can see. The second column lists the users in the global address list. The third column (which can be turned off) shows you their availability that day. Therefore, you could use this feature to see whether the person you want to call is in a meeting, out of the office, and so on.
Configuring Outlook Web Access
Outlook Web Access is enabled by default, so you don't have to do anything special to enable the feature. However, you do have control over what the end user can do with Outlook Web Access. Most of the Exchange 2007 Outlook Web Access options are enabled on a per-server basis.
Performing Configuration via the Exchange Management Console
To configure the server via the Exchange Management Console (EMC), you need to select the server you want to configure in the Server Configuration work center. In the lower pane, you will see the directories configured on the server. Right-click OWA and choose Properties.
Authentication
The Authentication tab allows you to enable or disable Forms Based Authentication (FBA) and change how much information the end user needs to put in when using FBA. In a single-domain model, you can set a default domain so that the end user just needs to enter their username and password in the logon form. Figure 19.7 shows the Authentication property page of the OWA virtual directory.
Segmentation
The Segmentation tab allows you to enable and disable features in OWA (see Figure 19.8). This can include user management of their handheld device, whether they can change their network password through OWA, access to folders, and other options.
By default, all options are enabled. The following options can be disabled:
- You can disable Exchange ActiveSync integration, which allows the user to manage their Windows Mobile- or ActiveSync-enabled devices.
- You can hide all address lists (by disabling All Address Lists) instead of just the global address lists.
- You can hide the Calendar, Contacts, Journal, Tasks, and Search folders features.
- You can disable Junk E-mail filtering features.
- You can require that users use the basic client rather than the premium client.
- You can disable e-mail signatures.
- You can disable spell checking features.
- You can disable the ability to change themes.
- You can disable the change password feature.
- You can disable Unified Messaging integration.
Public and Private File Access
Public and private file access allows you to specify the types of files that a user can access if they have selected a public/shared computer (default) or private computer on the OWA logon page. These Public Computer File Access and Private Computer File Access tabs allow you to control access to files - either files attached to e-mail messages or files from Remote File Access - and are identical as far as the options that are available to you. This includes the new WebReady document viewing options, which allow users to view documents for common file types such as Microsoft Word without having the application installed on their machine. Figure 19.9 shows the Private Computer File Access property page.
If you click the Customize button on the Private Computer File Access property page, you can configure direct file access, which allows you to force end users to save certain types of documents to the local machine before access is granted as well as block access to file types altogether. These options were previously available in the OWA Admin Tool for Exchange 2003 but now can be managed via the Exchange Management Console.
Remote File Servers
The Remote File Servers property page (shown in Figure 19.10) controls access to documents and SharePoint on remote servers through OWA.
We discuss remote file access later in this chapter.
Simplify the OWA URL
If the server that the end users are accessing is a dedicated Exchange Client Access server, then you can simplify the URL to remove the need to put /owa at the end of the address. For example, the user can type https://owa.somorita.com rather than http://owa.somorita.com/owa. You do this via a simple change through Internet Information Server (IIS) Manager:
- Open IIS Manager, and open the website that has OWA enabled on it.
- Right-click the website container, and choose Properties.
- Click the Home Directory property page. Select the option A Redirection to a URL. This will enable the option Redirect To. Enter in the box the URL to which you want to redirect users that connect to the default website. In Figure 19.11, we are redirecting the user to https://owa.somorita.com/owa.
- Select the A Directory below URL Entered radio button.
- Click OK.
Note that in a mixed environment, you should use the legacy /exchange virtual directory, as /owa will not allow access to Exchange 2003 mailboxes.
Outlook Web Access and Larger Organizations
With the changes in Exchange routing in Exchange 2007, the location of the Client Access server becomes more important. The simple rule now is that in each Active Directory site that has a Mailbox server, there also needs to be a Client Access server. That means OWA, which is one of the functions of the Client Access server role. With the removal of Exchange's own routing capability (via routing groups in Exchange 2003 and 2000), Exchange 2007 now uses AD sites for routing.
However, you are not limited to a single Client Access server. You can have more than one. In some sites, where there is heavy remote access of the environment, you may want to look at having more than one CAS and then using load balancing and the Availability service to ensure that the servers are used to their fullest. We discuss the Availability service and network load balancing in Chapter 17, "Supporting Outlook 2007," and Chapter 15, "Reliability and Availability 101."
Enabling Document Access
Document Access is a new feature of Outlook Web Access that allows users of OWA to access Windows file shares and SharePoint Services sites through the OWA interface. Although the feature is enabled by default, no SharePoint sites or internal file shares are configured.
Whether you want to enable this feature for your servers is something that needs to be carefully considered because the level of control over the access may not be enough for many sites. You should look at what can be accessed through this process before allowing it to be used by the end users.
The feature can be enabled on a per-server or per-user basis, allowing the administrator to control who can and cannot access the resources.
You can also control whether it is enabled depending on the selection of a public or private computer on the login screen. However, because you don't know where these computers are located, this level of control is limited at best. As soon as users figure out that choosing a different option allows the use of different features, they will select the option with the features they want to use wherever they are.
You can grant access to Windows file servers only on a per-server basis. Therefore, if a server hosts a number of shares, all of those shares will be available. One way around this limitation is to use a domain-based distributed file system (DFS). However, this involves adding domain.tld (where domain.tld is the DNS name of your Active Directory forest root domain) to the list of allowed servers, which may expose or bring undue attention to other elements of the domain, such as the netlogon share.
Configuring Document Access
You configure Document Access as part of the Outlook Web Access feature set, either via the Exchange Management Console or through the Set-OwaVirtualDirectory command.
Note: Changes to document access and segmentation take effect after 60 minutes of inactivity for users already logged in, or when a user logs in. If you want to force the changes to take effect, run the iisreset /noforce command on the Client Access server.
Exchange Management Console
You can also use the Exchange Management Console to configure the document access options. Because it is part of Outlook Web Access, you configure the options on the OWA virtual directory. Therefore, open EMC and then open the Server Configuration work center. Select the server you want to configure. In the list of directories in the lower pane, select the OWA directory that you want to change, and then choose Properties in the Actions pane to the right.
Access to remote file and SharePoint servers is enabled or disabled on the two file access tabs. In each one, you will see the options to enable access toward the bottom.
To grant or block access, select the tab Remote File Access. When configuring file server access, note that the block list overrides the allow list. When entering the server name, enter just the name, such as server1. Do not enter \\server1.
You don't have to enter the fully qualified name for file servers because the list of domain suffixes controls that. However, if you do enter a server name with its fully qualified domain name (server.domain.tld), then domain.tld needs to be in the list of internal domain suffixes.
If you are granting access to a domain DFS, then you need to add the domain to the list of allowed servers and the list of internal DFS suffixes. You can define them in the list of suffixes that are treated internally (see Figure 19.12).
Note: If there is no dot in the URL, then the URL is treated as internal. If there is a dot in the URL, it is treated as internal only if the domain suffix is in the internal sites list.
Exchange Management Shell Commands
To use the Exchange Management shell to enable access to Windows file shares (UNC paths) for end users who have selected the Public Computer option on the login screen, use the following command:
Set-OwaVirtualDirectory -Identity "owa (default web site)" -UNCAccessOnPublicComputersEnabled $true
For SharePoint access, the command is almost identical:
Set-OwaVirtualDirectory -Identity "owa (default web site)" -WSSAccessOnPublicComputersEnabled $true
For private computers, the command is the same except that the word Private is used instead of Public:
Set-OwaVirtualDirectory -Identity "owa (default web site)" -UNCAccessOnPrivateComputersEnabled $true
By default, all servers are blocked; therefore, to grant access you must add servers to the list. To allow access to servers server1 and server2, you would use the following command:
Set-OwaVirtualDirectory -Identity "owa (default web site)" -RemoteDocumentsAllowedServers server1,server2
To allow access to a DFS share, the command would be almost the same:
Set-OwaVirtualDirectory -Identity "owa (default web site)" -RemoteDocumentsAllowedServers domain.tld
When it comes to blocking servers, you have a number of options. The first option is to set all servers not listed as blocked, which is the default option. The second option is to allow access to all servers except the ones explicitly blocked. Depending on your environment, both options may be of benefit. However, remember that you have to set the options on each CAS server.
To block servers specifically, use the following command:
Set-OwaVirtualDirectory -Identity "owa (default web site)" -RemoteDocumentsBlockedServers server1,server2
To set the default action for servers not listed, use the following command:
Set-OwaVirtualDirectory -Identity "owa (default web site)" -RemoteDocumentsActionForUnknownServers Allow
Replace Allow with Block to block access, as in this example:
Set-OwaVirtualDirectory -Identity "owa (default web site)" -RemoteDocumentsActionForUnknownServers Block
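Because the settings above are per-server and the block list overrides the allow list, the following Exchange Management Shell script (an added example, not from the book) applies one document-access policy to the OWA virtual directory on every Client Access server and then reads the result back so that a server left at Allow stands out. It assumes Get-ClientAccessServer, the -Server parameter of Get-OwaVirtualDirectory, and the RemoteDocumentsInternalDomainSuffixList and WSSAccessOnPrivateComputersEnabled parameters of the Exchange 2007 shell; the server and suffix names are constructed placeholders.

```powershell
# Added example (not from the book): enforce the same Document Access policy on
# every CAS. Server and suffix names are constructed placeholders.
# Assumed cmdlets/parameters: Get-ClientAccessServer, Get-OwaVirtualDirectory -Server,
# -RemoteDocumentsInternalDomainSuffixList, -WSSAccessOnPrivateComputersEnabled.

$allowedServers = @("fs-finance", "fs-hr")   # file servers users may browse
$blockedServers = @("dc01")                  # block list wins over the allow list
$internalSuffix = @("corp.example.tld")      # FQDNs under this suffix are treated as internal

foreach ($cas in Get-ClientAccessServer) {
    # Only the Exchange 2007 "owa" directory carries Document Access settings;
    # skip the legacy Exchange/Public/Exchweb directories on the same server.
    $owaDirs = Get-OwaVirtualDirectory -Server $cas.Name |
               Where-Object { $_.Name -like "owa*" }

    foreach ($dir in $owaDirs) {
        Set-OwaVirtualDirectory -Identity $dir.Identity `
            -RemoteDocumentsActionForUnknownServers Block `
            -RemoteDocumentsAllowedServers $allowedServers `
            -RemoteDocumentsBlockedServers $blockedServers `
            -RemoteDocumentsInternalDomainSuffixList $internalSuffix `
            -UNCAccessOnPublicComputersEnabled $false `
            -WSSAccessOnPublicComputersEnabled $false `
            -UNCAccessOnPrivateComputersEnabled $true `
            -WSSAccessOnPrivateComputersEnabled $true
    }
}

# Read the policy back from every CAS. Any row whose unknown-server action is
# not "Block", or whose public-computer access is still $true, needs attention.
Get-ClientAccessServer | ForEach-Object {
    Get-OwaVirtualDirectory -Server $_.Name | Where-Object { $_.Name -like "owa*" }
} | Select-Object Server, Name, RemoteDocumentsActionForUnknownServers,
    RemoteDocumentsAllowedServers, RemoteDocumentsBlockedServers,
    UNCAccessOnPublicComputersEnabled, WSSAccessOnPublicComputersEnabled |
  Format-Table -AutoSize

# Per the note earlier in this section, run "iisreset /noforce" on each CAS if the
# change must apply before the 60-minute inactivity window for logged-in users.
```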