In-Depth

Exchange 2007: Access Anywhere

The Client Access Server gives you many remote access options for Exchange 2007.

You're not in your office. Maybe you're traveling to work on a train, in a hotel room waiting for a business meeting or conference, or at your home computer paying your bills. You realize you need to check your e-mail at work. Regardless of how you connect, if you're getting that mail from an Exchange 2007 Mailbox server, you'll have to go through a Client Access Server (CAS).

The CAS is an Exchange 2007 server role that handles all external access to your mail. The Mailbox role still manages direct access from in-house MAPI clients, but the CAS role gives you access to the mailbox server through a variety of different external connections.

You can get to your mail through an Internet browser with Outlook Web Access, a mobile device using ActiveSync, a third-party mail application through POP3/IMAP4 connectivity or through your Outlook 2003/2007 clients across the Internet with Outlook Anywhere using RPC over HTTP. The CAS role also has other services like Autodiscover, which helps with automatic client configuration settings.

There must be at least one Client Access Server role installed in every Active Directory site running a Mailbox server role in order for your Exchange 2007 environment to function. You can now install CAS on the same server running the Mailbox role if needed.

Besides meeting the hardware and software requirements for Exchange 2007 (which include PowerShell, the .NET 2.0 Framework, Internet Information Services [IIS]), you'll also need to make sure the CAS system has ASP.NET 2.0. If you plan on using Outlook Anywhere, you need to have the RPC over HTTP proxy installed as well. Depending on the size of your organization, you'll also need enough CAS servers to manage your message load.

Outlook Web Access (OWA)
Being able to get at your mailbox with any Web browser is appealing not only to Windows users, but also to those working on Macs and Linux systems. The browser will connect regardless of platform. Although we say "any browser," there are actually two versions of Outlook Web Access -- Premium and Light (a trimmed-down version). The Light version is essentially for non-IE browsers (if you use Firefox, you automatically get the Light version) or slower connections. The full-featured Premium version (see Figure 1) is impressive in its ability to provide a true Outlook experience.

Figure 1. The Premium edition of OWA gives you the full range of advanced features.

OWA also gives you read-only access to documents and document libraries stored on Windows SharePoint Services and file shares. You can also access your voice mail and manage your mobile devices through OWA. These advanced features are only available in the Premium version.

You can manage OWA through the Exchange Management Console or the EM Shell. If you use the Console, you'll find your OWA settings under Client Access and Server Configuration. Under the Client Access pane, you'll see a tab for Outlook Web Access that will show you the various Web sites created specifically for this feature to work. You can confirm these virtual directories by opening your IIS Manager and looking under the default Web site.

You'll need the /exchweb and /exchange virtual directories for clients to access mailboxes located on Exchange 2000 or 2003 mailbox servers. The same is true of the /public virtual directory. This one is for connectivity to Exchange 2000/2003 servers with public folders.

From within the EM Console, you can view the properties of each site, but it's the OWA directory you'll really want. This is for clients connecting to mailboxes located on Exchange 2007 Mailbox systems. When you enter the Properties for this directory, you'll see a variety of tabs to help you do the following:

• General provides information, and basic configuration like the internal and external URL for the OWA site.

• Authentication lets you establish the type of authentication method between the browser and the servers. You can choose from standard methods like Integrated Windows authentication, Digest authentication or Basic authentication (or all three if you like). You can also use forms-based authentication with a Domain\user name format, a user principal name (UPN) or a User name only (with the Domain chosen by you through the settings).

• Segmentation lets you scroll through the various features enabled by default for OWA, and decide to enable or disable certain features. You can easily disable features like Calendar, Spelling Checker and the ability to use the Premium Client.

• Public/Private Computer Files Access relates to the same access options. When you log into OWA, you're asked if you're on a public or private computer. Depending on your choice, you'll receive different access permissions. For example, you can configure the Private settings to access files from file shares or Windows SharePoint Services, while denying access to Public access users.

• Remote File Servers lets you establish a list of blocked or allowed file servers, and determine how clients should access files from file servers that aren't on the list.

By default, all users have access to OWA. If you want to disable access for a single user, use the EM Console, open the Recipients folder and go into the Properties of that user. On the Mailbox Features tab, you can easily select Outlook Web Access and click Disable (see Figure 2).

Figure 2. You can adjust OWA access permissions for a single user.

You can also enable or disable OWA from the EM Shell (PowerShell). The obvious advantage here is that you can enable or disable users in bulk. To disable a single user, type:

Set-CASMailbox -Identity [email protected] -OWAEnabled $false

If you want to enable or disable OWA for users in bulk, use the Get-Mailbox cmdlet with parameters that select the users you want to act on, then pipe the results to the Set-CASMailbox cmdlet.

Exchange ActiveSync (EAS)
The ActiveSync protocol, based on HTTP and XML, lets mobile-based Pocket PCs and smartphones (along with other devices built with the ActiveSync protocol licensed from Microsoft, like Symbian-based devices) connect with an Exchange Server and synchronize e-mail, contacts, calendar and tasks. The primary benefit and distinction here is that you can continue to access that information while offline. That's one big plus over OWA, which requires a connection for you to access information.

ActiveSync is enabled by default, so you only need to configure your devices to synchronize with the server. This doesn't mean you have nothing to do in terms of ActiveSync administration. You'll have to establish policies that determine different authentication requirements for added security. In fact, for the CAS, these are the only policies you have to worry about. They are located in the console tree under the Organization heading and within the Client Access options.

The policy settings (see Figure 3) let you require an additional layer of security between the mobile device and your organization. This includes requiring a password, password length and complexity. One interesting option is to "Allow non-provisionable devices." This would allow devices that don't support EAS policies to connect to Exchange 2007. Another setting is "Allow attachments to be downloaded to device," which you can disable to prevent users from downloading attachments.

Figure 3. You'll need to establish and configure settings for an EAS policy.

Both Windows Mobile 5.0 with the Messaging and Security Feature Pack (MSFP) and Windows Mobile 6.0 support EAS policies. Mobile 6.0 has many new features specifically designed to work with Exchange 2007 (many of which are not included with 5.0 and the MSFP). Check out the feature comparisons between the new 6.0 devices and previous devices at the Microsoft Exchange Team Blog page "Getting the Most Out of Your Microsoft Exchange Server 2007 Experience with Mobile Devices" (scroll to the bottom of this article for easy access to the blog).

Keep in mind that the EM Console lets you create and manage policies, but not all of the options you can configure are available through the GUI. To use all those options, you'd need to use PowerShell commands to configure or modify a policy. One example of these "hidden" settings is the "Maximum failed password attempts." This determines how many times you can attempt to enter an incorrect password before the device wipes all data. You can only manage these settings through the EM Shell. (Read more about this at the Microsoft Exchange Team Blog entry, "Exchange 2007 ActiveSync Policies" page linked at the bottom of this article.)

Creating a policy isn't the final step. Once you have a policy (or policies) created, you need to apply them to your users. Do this from within the EM Console. Expand your console tree and go to the Recipient Configuration folder under Mailbox. Find the user to whom you wish to apply the policy and go into their Properties. On the Mailbox Features tab, click ActiveSync and then select Properties. From here, you can browse for the policy you wish to apply.

If you wanted to use the EM Shell to accomplish the same thing (or use it with the Get-Mailbox cmdlet to bulk manage your users), use the following command:

Set-CASMailbox UserName -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity

If you use the Get-Mailbox cmdlet to begin the process, you don't need to include a UserName -- using the pipeline states for whom the command is intended. If it's just Get-Mailbox, it implies all users. If it's Get-Mailbox with specific attributes, either group membership or those who match custom attributes, then it passes on the returned results to the final portion of the command.

Here's an example of a command that uses a custom attribute (Sales Person) to define the policy setting:

Get-Mailbox | where { $_.CustomAttribute1 -match "Sales Person" } | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity
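The policy steps above, worked through end to end as an added example (not code from the article): the policy is created from the Shell so that the settings the EM Console hides, such as the failed-password wipe threshold, are set explicitly, and it is then applied in bulk through the Get-Mailbox/Set-CASMailbox pipeline. The policy name, the threshold values and the "Sales Person" attribute match are assumptions for this example.

```powershell
# Added example, not from the article. Policy name and values are assumed.
$policyName = "Sales Mobile Policy"

# Create the policy only if it does not already exist.
# -MaxDevicePasswordFailedAttempts is one of the Shell-only settings: it is the
# number of wrong passwords the device accepts before it wipes itself.
# Non-provisionable devices are refused so that no device can sync while
# ignoring the policy, and attachment download is switched off.
if (-not (Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq $policyName })) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -DevicePasswordEnabled $true `
        -AlphanumericDevicePasswordRequired $true `
        -MinDevicePasswordLength 8 `
        -MaxInactivityTimeDeviceLock "00:15:00" `
        -MaxDevicePasswordFailedAttempts 8 `
        -AllowNonProvisionableDevices $false `
        -AttachmentsEnabled $false
}

# Format-List shows every setting, including the ones the GUI does not expose.
Get-ActiveSyncMailboxPolicy $policyName | Format-List

$policy = (Get-ActiveSyncMailboxPolicy $policyName).Identity

# Dry run first: -WhatIf lists the mailboxes the pipeline would change.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.CustomAttribute1 -match "Sales Person" } |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policy -WhatIf

# Apply the policy for real.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.CustomAttribute1 -match "Sales Person" } |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policy

# Verify: list anyone in the group who still has a different (or no) policy.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.CustomAttribute1 -match "Sales Person" } |
    Get-CASMailbox |
    Where-Object { $_.ActiveSyncMailboxPolicy.Name -ne $policyName } |
    Select-Object Name, ActiveSyncMailboxPolicy
```

Run the dry run and read its output before the real pass; the final query should return nothing once the assignment has taken effect.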

Outlook Anywhere
Another way to get at your e-mail while out of the office is to go through a virtual private network (VPN): open your MAPI client (Outlook) and connect to your mail using RPC over HTTP (or HTTPS, for greater security). With Exchange 2007, you can still connect to your Exchange environment using RPC over HTTP, now called Outlook Anywhere, but you no longer need to establish a VPN in order to do this. The process is now much simpler.

For starters, Outlook Anywhere is not enabled by default. To enable it, install the RPC over HTTP Proxy component in Networking Services through Add/Remove Programs. Next, install a valid SSL certificate from a trusted certification authority. There's a default SSL certificate created when you install Exchange. You can use this for testing, but it's not trusted by the client. The next step is to kick off the Enable Outlook Anywhere wizard. You can find this in the EM Console under the Server Configuration node. Select Client Access and on the Actions pane select Enable Outlook Anywhere.

There's not that much information required. You'll need to provide an external host name that leads back to your CAS. That name can be as simple as webmail.yourorganization.com. Whatever name you choose, you'll have to register with public DNS servers to ensure connectivity from the outside.

You can choose from Basic or NTLM authentication. Basic sends the username and password in clear text inside the HTTP request, so it relies entirely on the SSL tunnel for protection. With NTLM, the client and server negotiate the connection using hashed values of the user's credentials, so the password itself never crosses the wire. You'd only select "Allow secure channel (SSL) offloading" if you have a separate server handling SSL encryption/decryption with an accelerator in place to handle offloading.

Essentially, the most computationally expensive part of an SSL session is the handshake process. You can offload this with the proper equipment. If you aren't sure if you have the right gear, don't select this option. Microsoft warns you that selecting this option without the SSL accelerator will hinder the function of Outlook Anywhere.

Once you've enabled Outlook Anywhere, you won't see any change in the EM Console. There are no management options through the console itself other than enabling/disabling for specific recipients. You'll need PowerShell to manage Outlook Anywhere from this point.
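The enabling steps above from the Shell, as an added example that is not code from the article: it refuses to enable Outlook Anywhere until the certificate bound to IIS on the CAS is trusted, unexpired and actually covers the external host name (the default self-signed certificate fails that test), then enables NTLM without SSL offloading and reads the result back, since the console shows nothing after the change. Run it on the CAS itself; the server and host names are assumptions.

```powershell
# Added example, not from the article. Run on the CAS; names below are assumed.
$cas          = "CAS01"
$externalName = "webmail.yourorganization.com"

# Get-ExchangeCertificate reports the certificates on the local server; only
# the one(s) bound to the IIS service matter for Outlook Anywhere.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }

# A certificate Outlook will accept: issued by a CA (not self-signed), not
# expired, and listing the external name in its subject/SAN entries.
$usable = $iisCerts | Where-Object {
    (-not $_.IsSelfSigned) -and
    ($_.NotAfter -gt (Get-Date)) -and
    ($_.CertificateDomains -contains $externalName)
}

if (-not $usable) {
    Write-Warning "No trusted, unexpired IIS certificate covers $externalName."
    Write-Warning "Clients will reject the default self-signed certificate; fix this first."
    return
}

# NTLM keeps the password off the wire. SSL offloading stays off unless an
# accelerator really terminates SSL in front of this server; enabling it
# without one breaks Outlook Anywhere.
Enable-OutlookAnywhere -Server $cas `
    -ExternalHostname $externalName `
    -ExternalAuthenticationMethod Ntlm `
    -SSLOffloading $false

# Verify from the Shell, because the EM Console shows no change.
Get-OutlookAnywhere -Server $cas |
    Format-List ServerName, ExternalHostname, ExternalAuthenticationMethod, SSLOffloading
```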

The final step in the process is to configure your clients' Outlook to work with Outlook Anywhere. Establish a profile on their system. When configuring the connection, choose Microsoft Exchange (even though you might be tempted to choose an Internet e-mail connection). Within the settings on the Connection tab (see Figure 4), there's a checkbox at the bottom for Connect to Microsoft Exchange using HTTP. Select this checkbox and the Exchange Proxy Settings box (also shown in Figure 4).

Figure 4. Configure Outlook Anywhere for each of your clients.

You'll need to indicate the proxy server URL, which is the same as the one you configured earlier with the Outlook Anywhere wizard. The proxy is actually your CAS, in this case. You can indicate SSL settings, determine settings based on connection speed, and choose the authentication method (Basic or NTLM) depending on how you configured the CAS settings. This should have your client up and running.

POP3 and IMAP4 Connectivity
In Exchange 2007, POP3/IMAP4 connectivity is disabled by default. There are several reasons why you might want to turn it on. You may have clients connecting to your server that use messaging systems based on those protocols (like Outlook Express, Windows Mail, Mozilla Thunderbird and others). The application connects to your server, downloads your mail (with POP3, typically removing it from the server) and lets you work offline. Many of the fancy features you'd have using one of the other connection choices won't be available, but it goes with the territory.

As if to further dissuade you from using POP3/IMAP4 connectivity, the services (although installed by default) are disabled and there's no way to manage the settings through the EM Console. To manage these protocols, you'll have to go through PowerShell.

You could go through the Services console to manually start up those services, but being that the EM Shell is going to be our new best friend, here's how you would turn on the services for POP3 and set them to automatic:

Set-Service msExchangePOP3 -StartupType Automatic
Start-Service msExchangePOP3

For IMAP4, just use msExchangeIMAP4. There's much more to learn about POP/IMAP configuration with PowerShell using the Set-PopSettings and Set-ImapSettings cmdlets. If you want to see an entire list of your POP or IMAP settings, type:

Get-ImapSettings -Server <servername>

or

Get-PopSettings -Server <servername>

You'll be surprised at the level of detail you are provided. You can configure all these options through PowerShell.

POP and IMAP are enabled for your clients' mailboxes by default, so you simply need to configure your client applications to connect at this point. From within PowerShell, type: Get-CASMailbox <username>. You'll see that each of the CAS options is enabled. You can also disable CAS settings for a user or group of users through PowerShell. For example, if you wanted to disable IMAP for a user with the login name lgrey, you would type: Set-CASMailbox lgrey -ImapEnabled $false
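Because every protocol is switched on per mailbox by default, the per-user Set-CASMailbox command above and the Get-Mailbox-to-Set-CASMailbox pipeline from the OWA section scale into a simple exposure audit. This added example (not code from the article) writes one row per mailbox showing which CAS protocols are enabled, then turns off POP3 and IMAP4 for everyone outside an exception group. The group name and report path are assumptions.

```powershell
# Added example, not from the article. Group name and report path are assumed.
$exceptionGroup = "POP-IMAP-Users"
$reportPath     = "C:\Temp\cas-protocols.csv"

# Members of the exception group keep POP3/IMAP4; everyone else loses them.
# Keyed on distinguished name so the lookup is exact.
$allowed = @{}
Get-DistributionGroupMember $exceptionGroup | ForEach-Object {
    $allowed[$_.DistinguishedName] = $true
}

$all = @(Get-CASMailbox -ResultSize Unlimited)

# Snapshot of every protocol switch per mailbox, for review and change tracking.
# MAPIBlockOutlookRpcHttp $true means Outlook Anywhere is blocked for that user.
$all | Select-Object Name, OWAEnabled, ActiveSyncEnabled, PopEnabled,
    ImapEnabled, MAPIBlockOutlookRpcHttp |
    Export-Csv -Path $reportPath -NoTypeInformation

# Mailboxes with POP3 or IMAP4 still on that are not in the exception group.
$toFix = @($all | Where-Object {
    ($_.PopEnabled -or $_.ImapEnabled) -and
    (-not $allowed.ContainsKey($_.DistinguishedName))
})

Write-Host ("{0} mailboxes audited, {1} need POP3/IMAP4 disabled" -f $all.Count, $toFix.Count)

# Disable both protocols in one pass; add -WhatIf to preview first.
$toFix | Set-CASMailbox -PopEnabled $false -ImapEnabled $false
```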

Rock the CAS-ba
The Client Access Server certainly helps external users far and wide get at their e-mail. Commuters on the go, travelers on the road, telecommuters from home or the local Starbucks -- they all have the CAS to thank for being the go-between to their mailbox. They have more to thank than the server itself, though. None of it would work without you, the Exchange admin.
