In-Depth
Exchange 2007: Access Anywhere
The Client Access Server gives you many remote access options for Exchange 2007.
You're not in your office. Maybe you're traveling to work on a train, in a
hotel room waiting for a business meeting or conference, or at your home computer
paying your bills. You realize you need to check your e-mail at work. Regardless
of how you connect, if you're getting that mail from an Exchange 2007 Mailbox
server, you'll have to go through a Client Access Server (CAS).
The CAS is an Exchange 2007 server role that handles all external access to
your mail. The Mailbox role still manages direct access from in-house MAPI clients,
but the CAS role gives you access to the mailbox server through a variety of
different external connections.
You can get to your mail through an Internet browser with Outlook Web Access,
a mobile device using ActiveSync, a third-party mail application through POP3/IMAP4
connectivity or through your Outlook 2003/2007 clients across the Internet with
Outlook Anywhere using RPC over HTTP. The CAS role also has other services like
Autodiscover, which helps with automatic client configuration settings.
There must be at least one Client Access Server role installed in every Active
Directory site running a Mailbox server role in order for your Exchange 2007
environment to function. You can now install CAS on the same server running
the Mailbox role if needed.
Besides meeting the hardware and software requirements for Exchange 2007 (which
include PowerShell, the .NET 2.0 Framework, Internet Information Services [IIS]),
you'll also need to make sure the CAS system has ASP.NET 2.0. If you plan on
using Outlook Anywhere, you need to have the RPC over HTTP proxy installed as
well. Depending on the size of your organization, you'll also need enough CAS
servers to manage your message load.
Outlook Web Access (OWA)
Being able to get at your mailbox with any Web browser is appealing not only
to Windows users, but also those working on Macs and Linux systems. The browser
will connect regardless of platform. Although we say "any browser,"
there are actually two versions of Outlook Web Access -- Premium and Light (a
tailored-down version). The Light version is essentially for non-IE browsers
(if you use Firefox, you automatically get the Light version) or slower connections.
The full-featured Premium version (see Figure 1) is impressive in its ability
to provide a true Outlook experience.
[Click on image for larger view.] |
Figure 1. The
Premium edition of OWA gives you the full range of advanced features. |
OWA also gives you read-only access to documents and document libraries stored
on Windows SharePoint Services and file shares. You can also access your voice
mail and manage your mobile devices through OWA. These advanced features are
only available in the Premium version.
You can manage OWA through the Exchange Management Console or the EM Shell.
If you use the Console, you'll find your OWA settings under Client Access and
Server Configuration. Under the Client Access pane, you'll see a tab for Outlook
Web Access that will show you the various Web sites created specifically for
this feature to work. You can confirm these virtual directories by opening your
IIS Manager and looking under the default Web site.
You'll need the /exchweb and /exchange virtual directories for clients to access
mailboxes located on Exchange 2000 or 2003 mailbox servers. The same is true
of the /public virtual directory. This one is for connectivity to Exchange 2000/2003
servers with public folders.
From within the EM Console, you can view the properties of each site, but it's
the OWA directory you'll really want. This is for clients connecting to mailboxes
located on Exchange 2007 Mailbox systems. When you enter the Properties for
this directory, you'll see a variety of tabs to help you do the following:
• General provides information, and basic configuration like the
internal and external URL for the OWA site.
• Authentication lets you establish the type of authentication
method between the browser and the servers. You can choose from standard methods
like Integrated Windows authentication, Digest authentication or Basic authentication
(or all three if you like). You can also use forms-based authentication with
a Domain\user name format, a user principal name (UPN) or a User name only (with
the Domain chosen by you through the settings).
• Segmentation lets you scroll through the various features enabled
by default for OWA, and decide to enable or disable certain features. You can
easily disable features like Calendar, Spelling Checker and the ability to use
the Premium Client.
• Public/Private Computer Files Access relates to the same access
options. When you log into OWA, you're asked if you're on a public or private
computer. Depending on your choice, you'll receive different access permissions.
For example, you can configure the Private settings to access files from file
shares or Windows SharePoint Services, while denying access to Public access
users.
• Remote File Servers lets you establish a list of blocked or
allowed file servers, and determine how clients should access files from file
servers that aren't on the list.
By default, all users have access to OWA. If you want to disable access for
a single user, use the EM Console, open the Recipients folder and go into the
Properties of that user. On the Mailbox Features tab, you can easily select
Outlook Web Access and click Disable (see Figure 2).
[Click on image for larger view.] |
Figure 2. You
can adjust OWA access permissions for a single user. |
You could use the EM Shell or PowerShell as your enable or disable options.
The obvious potential here is to enable/disable users in bulk. To disable a
user, type:
Set-CASMailbox -Identity [email protected] -OWAEnabled $false
If you want to enable or disable OWA users in bulk, use the Get-Mailbox cmdlet
with parameters set to indicate which users to pool together. Then pipeline
it with the Set-CASMailbox cmdlet.
Exchange ActiveSync (EAS)
The ActiveSync protocol, based on HTTP and XML, lets mobile-based Pocket PCs
and smartphones (along with other devices built with the ActiveSync protocol
licensed from Microsoft, like Symbian-based devices) connect with an Exchange
Server and synchronize e-mail, contacts, calendar and tasks. The primary benefit
and distinction here is that you can continue to access that information while
offline. That's one big plus over OWA, which requires a connection for you to
access information.
ActiveSync is enabled by default, so you only need to configure your devices
to synchronize with the server. This doesn't mean you have nothing to do in
terms of ActiveSync administration. You'll have to establish policies that determine
different authentication requirements for added security. In fact, for the CAS,
these are the only policies you have to worry about. They are located in the
console tree under the Organization heading and within the Client Access options.
The policy settings (see Figure 3) let you require an additional layer of security
between the mobile device and your organization. This includes requiring a password,
password length and complexity. One interesting option is to "Allow non-provisionable
devices." This would allow devices that don't support EAS policies to connect
to Exchange 2007. Another setting is "Allow attachments to be downloaded
to device," which you can disable to prevent users from downloading attachments.
[Click on image for larger view.] |
Figure 3. You'll
need to establish and configure settings for an EAS policy. |
Both Windows Mobile 5.0 with the Messaging and Security Feature Pack (MSFP)
and Windows Mobile 6.0 support EAS policies. Mobile 6.0 has many new features
specifically designed to work with Exchange 2007 (many of which are not included
with 5.0 and the MSFP). Check out the feature comparisons between the new 6.0
devices and previous devices at the Microsoft Exchange Team Blog page "Getting
the Most Out of Your Microsoft Exchange Server 2007 Experience with Mobile Devices"
(scroll to the bottom
of this article for easy access to the blog).
Keep in mind that the EM Console lets you create and manage policies, but not
all of the options you can configure are available through the GUI. To use all
those options, you'd need to use PowerShell commands to configure or modify
a policy. One example of these "hidden" settings is the "Maximum
failed password attempts." This determines how many times you can attempt
to enter an incorrect password before the device wipes all data. You can only
manage these settings through the EM Shell. (Read more about this at the Microsoft
Exchange Team Blog entry, "Exchange 2007 ActiveSync Policies" page
linked at the bottom
of this article.)
Creating a policy isn't the final step. Once you have a policy (or policies)
created, you need to apply them to your users. Do this from within the EM Console.
Expand your console tree and go to the Recipient Configuration folder under
Mailbox. Find the user to whom you wish to apply the policy and go into their
Properties. On the Mailbox Features tab, click ActiveSync and then select Properties.
From here, you can browse for the policy you wish to apply.
If you wanted to use the EM Shell to accomplish the same thing (or use it with
the Get-Mailbox cmdlet to bulk manage your users), use the following command:
Set-CASMailbox UserName -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy
"Policy Name").Identity
If you use the Get-Mailbox cmdlet to begin the process, you don't need to include
a UserName -- using the pipeline states for whom the command is intended. If
it's just Get-Mailbox, it implies all users. If it's Get-Mailbox with specific
attributes, either group membership or those who match custom attributes, then
it passes on the returned results to the final portion of the command.
Here's an example of a command that uses a custom attribute (Sales Person)
to define the policy setting:
Get-Mailbox | where { $_.CustomAttribute1 -match "Sales Person" }
| Set-CASMailbox -activesyncmailboxpolicy(Get-ActiveSyncMailboxPolicy "Policy
Name").Identity
Outlook Anywhere
You can also go through a virtual private network (VPN) to get at your e-mail
while out of the office. Open your MAPI client (Outlook) and connect to your
mail using RPC over HTTP (or HTTPS, for greater security). With Exchange 2007,
you can still connect to your Exchange environment using RPC over HTTP (formerly
called Outlook Anywhere) but you no longer need to establish a VPN in order
to do this. The process is now much simpler.
For starters, Outlook Anywhere is not enabled by default. To enable it, install
the RPC over HTTP Proxy component in Networking Services through Add/Remove
Programs. Next, install a valid SSL certificate from a trusted certification
authority. There's a default SSL certificate created when you install Exchange.
You can use this for testing, but it's not trusted by the client. The next step
is to kick off the Enable Outlook Anywhere wizard. You can find this in the
EM Console under the Server Configuration node. Select Client Access and on
the Actions pane select Enable Outlook Anywhere.
There's not that much information required. You'll need to provide an external
host name that leads back to your CAS. That name can be as simple as webmail.yourorganization.com.
Whatever name you choose, you'll have to register with public DNS servers to
ensure connectivity from the outside.
You can choose from Basic or NTLM authentication. Basic will send username
and password over the connection in clear-text. Using NTLM, the client and server
will negotiate the communication using hashed values of the users' credentials.
You'd only select "Allow secure channel (SSL) offloading" if you have
a separate server handling SSL encryption/decryption with an accelerator in
place to handle offloading.
Essentially, the most computationally expensive part of an SSL session is the
handshake process. You can offload this with the proper equipment. If you aren't
sure if you have the right gear, don't select this option. Microsoft warns you
that selecting this option without the SSL accelerator will hinder the function
of Outlook Anywhere.
Once you've enabled Outlook Anywhere, you won't see any change in the EM Console.
There are no management options through the console itself other than enabling/disabling
for specific recipients. You'll need PowerShell to manage Outlook Anywhere from
this point.
The final step in the process is to configure your clients' Outlook to work
with Outlook Anywhere. Establish a profile on their system. When configuring
the connection, choose Microsoft Exchange (even though you might be tempted
to choose an Internet e-mail connection). Within the settings on the Connection
tab (see Figure 4), there's a checkbox at the bottom for Connect to Microsoft
Exchange using HTTP. Select this checkbox and the Exchange Proxy Settings box
(also shown in Figure 4).
[Click on image for larger view.] |
Figure 4. Configure
Outlook Anywhere for each of your clients. |
You'll need to indicate the proxy server URL, which is the same as the one
you configured earlier with the Outlook Anywhere wizard. The proxy is actually
your CAS, in this case. You can indicate SSL settings, determine settings based
on connection speed, and choose the authentication method (Basic or NTLM) depending
on how you configured the CAS settings. This should have your client up and
running.
POP3 and IMAP4 Connectivity
In Exchange 2007, POP3/IMAP4 connectivity is disabled by default. There are
several reasons why you might want to turn it on. You may have clients connecting
to your server that use messaging systems based on those protocols (like Outlook
Express, Windows Mail, Mozilla Thunderbird and others). The application connects
to your server, downloads your mail (removing it from the server) and lets you
work offline. Many of the fancy features you'd have using one of the other connection
choices won't be available, but it goes with the territory.
As if to further dissuade you from using POP3/IMAP4 connectivity, the services
(although installed by default) are disabled and there's no way to manage the
settings through the EM Console. To manage these protocols, you'll have to go
through PowerShell.
You could go through the Services console to manually start up those services,
but being that the EM Shell is going to be our new best friend, here's how you
would turn on the services for POP3 and set them to automatic:
Set-Service msExchangePOP3 -Startuptype automatic
Start-Service -Service msExchangePOP3
For IMAP4, just use msExchangeIMAP4. There's much more to learn about POP/IMAP
configuration with PowerShell using the Set-PopSettings and Set -IMAPSettings
cmdlets. If you want to see an entire list of your POP or IMAP settings, type:
get-Imapsettings -server <servername> OR get-Popsettings -Server <servername>
You'll be surprised at the level of detail you are provided. You can configure
all these options through PowerShell.
POP and IMAP are enabled for your clients by default, so you simply need to
configure your client applications to connect at this point. From within PowerShell,
type: get-casmailbox <username>. You'll see
that each of the CAS options are enabled. You can also disable CAS settings
for a user or group of users through PowerShell. For example, if you wanted
to disable IMAP for a user with the login name lgrey, you would type in: Set-CASMailbox
lgrey -Imapenabled $false
Rock the CAS-ba
The Client Access Server certainly helps external users far and wide get at
their e-mail. Commuters on the go, travelers on the road, telecommuters from
home or the local Starbucks -- they all have the CAS to thank for being the
go-between to their mailbox. They have more to thank than the server itself,
though. None of it would work without you, the Exchange admin.
More Information
Additional Links: