Microsoft Exchange Server 2003 Client

Access Guide

Microsoft Corporation

Published: December 12, 2006

Author: Exchange Server Documentation Team

Abstract
This guide provides information about working with Microsoft Exchange Server 2003 and
client access. It describes the new features for Exchange 2003 and Office Outlook 2003, in
addition to improvements in Outlook Web Access 2003.

Comments? Send feedback to [email protected].

Contents
Microsoft Exchange Server 2003 Client Access Guide.............................................................1

Contents...................................................................................................................................3

Exchange Server Client Access Guide...................................................................................10

Introduction to the Exchange Server 2003 Client Access Guide.............................................10

Who Should Read This Guide?...........................................................................................10
Hardware Requirements......................................................................................................11
Software Requirements.......................................................................................................11

Understanding Exchange Server 2003 Client Access.............................................................11

New Features for Exchange 2003 and Outlook 2003.............................................................12

Exchange Server Access Through the Internet (RPC over HTTP)......................................12
Synchronization Improvements...........................................................................................12
New Data File Type (.pst)....................................................................................................12
Kerberos Authentication Protocol........................................................................................13
Cached Exchange Mode.....................................................................................................13

Improvements in Outlook Web Access 2003..........................................................................13

Mobile Services for Exchange................................................................................................17

Exchange ActiveSync..........................................................................................................17
Outlook Mobile Access........................................................................................................17
Understanding Outlook Mobile Access Security Requirements...........................................18
For More Information...........................................................................................................18

Planning Your Exchange Client Access Infrastructure............................................................19

Configuring Exchange Server 2003 for Client Access............................................................19

Securing Your Exchange Messaging Environment.................................................................20

Updating Your Server Software...........................................................................................20
Securing the Exchange Messaging Environment................................................................20
Securing Communications..................................................................................................21

How to Use SSL to Secure the Communications Between the Client Messaging Applications
and the Exchange Front-End Server...................................................................................25
Before You Begin................................................................................................................25
Procedure............................................................................................................................26

How to Set Up SSL on a Server.............................................................................................26

 Before You Begin................................................................................................................26
Procedure............................................................................................................................27

How to Obtain a Server Certificate from a Certification Authority...........................................27

Before You Begin................................................................................................................27
Procedure............................................................................................................................28

How to Add Certificate Manager to Microsoft Management Console......................................28

Procedure............................................................................................................................28

How to Back Up Your Server Certificate.................................................................................29

Before You Begin................................................................................................................29
Procedure............................................................................................................................29
For More Information...........................................................................................................30

How to Configure Virtual Directories to Use SSL....................................................................30

Before You Begin................................................................................................................30
Procedure............................................................................................................................31

Enabling SSL for the Default Web Site...................................................................................31

Securing Communications Between Exchange Front-End Server and Other Servers...........32

Using IPSec to Encrypt IP Traffic............................................................................................32

Deploying the Exchange Server Architecture.........................................................................33

Configuring an Exchange Front-End Server...........................................................................33

How to Designate a Front-End Server....................................................................................33

Before You Begin................................................................................................................34
Procedure............................................................................................................................34
For More Information...........................................................................................................34

Configuring Exchange for Client Access.................................................................................35

Configuring Outlook 2003 Features........................................................................................35

Configuring RPC over HTTP for Outlook 2003....................................................................35

Configuring Mobile Device Support........................................................................................35

Configuring Synchronization...............................................................................................36
Configuring Exchange ActiveSync to Use RSA SecurID.....................................................36
Configuring Devices to Use Exchange ActiveSync Features..............................................36
Configuring Exchange ActiveSync......................................................................................37
Adding a Root Certificate to a Windows Mobile-based 5.0 Device......................................37

How to Use RSA SecurID with Exchange ActiveSync............................................................38

Procedure............................................................................................................................38
 For More Information...........................................................................................................39

How to Verify ACE/Agent is Configured to Protect the Entire Web Server..............................39

Before You Begin................................................................................................................39
Procedure............................................................................................................................40
For More Information...........................................................................................................40

How to Limit SecurID Authentication to the Microsoft-Exchange-ActiveSync Virtual Directory

............................................................................................................................................40
Before You Begin................................................................................................................40
Procedure............................................................................................................................41
For More Information...........................................................................................................41

How to Configure Custom HTTP Responses for Devices.......................................................41

Before You Begin................................................................................................................42
Procedure............................................................................................................................42

How to Configure a Mobile Device to Use Exchange ActiveSync...........................................42

Procedure............................................................................................................................42
For More Information...........................................................................................................43

How to Specify a Mobile Operator for Up-to-Date Notifications on a Device..........................43

Before You Begin................................................................................................................44
Procedure............................................................................................................................44
For More Information...........................................................................................................44

How to Enable and Disable Exchange ActiveSync Features at the Organizational Level......44
Procedure............................................................................................................................45
For More Information...........................................................................................................45

How to Enable and Disable Exchange ActiveSync Features at the User Level......................45
Before You Begin................................................................................................................46
Procedure............................................................................................................................46
For More Information...........................................................................................................46

Configuring Outlook Web Access...........................................................................................47

Setting Up a Logon Page....................................................................................................47
Enabling Forms-Based Authentication................................................................................47
Setting the Cookie Authentication Time-Out........................................................................47
Configuring Client Security Options for Users.....................................................................48
Outlook Web Access Compression.....................................................................................49
Requirements for Outlook Web Access Compression.........................................................49
Simplifying the Outlook Web Access URL...........................................................................50

How to Enable Forms-Based Authentication..........................................................................50

Before You Begin................................................................................................................51
 Procedure............................................................................................................................51
For More Information...........................................................................................................51

How to Set the Outlook Web Access Forms-Based Authentication Public Computer Cookie
Time-Out Value...................................................................................................................52
Before You Begin................................................................................................................52
Procedure............................................................................................................................52
For More Information...........................................................................................................53

How to Set the Outlook Web Access Forms-Based Authentication Trusted Computer Cookie
Time-Out Value...................................................................................................................53
Before You Begin................................................................................................................53
Procedure............................................................................................................................54
For More Information...........................................................................................................54

How to Enable Outlook Web Access Data Compression........................................................55

Before You Begin................................................................................................................55
Procedure............................................................................................................................56
For More Information...........................................................................................................56

How to Simplify the Outlook Web Access URL.......................................................................56

Before You Begin................................................................................................................56
Procedure............................................................................................................................57
For More Information...........................................................................................................57

Configuring POP3 and IMAP4 Virtual Servers........................................................................57

How to Enable a POP3, IMAP4, or NNTP Virtual Server........................................................58

Procedure............................................................................................................................58
For More Information...........................................................................................................58

How to Start, Pause, or Stop a Virtual Server.........................................................................58

Procedure............................................................................................................................59
For More Information...........................................................................................................59

Configuring Outlook Mobile Access........................................................................................59

Configuring Your Exchange 2003 Front-End Server for Outlook Mobile Access.................60
Enabling Outlook Mobile Access on the Exchange Server..................................................60
Instructing Users to Use a Mobile Connection to Outlook Using Outlook Mobile Access....60

How to Enable or Disable Outlook Mobile Access at the Organizational Level.......................61

Procedure............................................................................................................................61
For More Information...........................................................................................................61

How to Enable or Disable Outlook Mobile Access at the User Level......................................62

Before You Begin................................................................................................................62
Procedure............................................................................................................................62
 For More Information...........................................................................................................63

How to Access Exchange Data Using Outlook Mobile Access...............................................63

Procedure............................................................................................................................63
For More Information...........................................................................................................64

Managing Client Access to Exchange Server 2003................................................................64

Managing Protocols................................................................................................................64

Enabling a Virtual Server........................................................................................................65

Assigning Ports and an IP Address to a Virtual Server........................................................65
Setting Connection Limits....................................................................................................66
Starting, Pausing, or Stopping a Virtual Server...................................................................67
Disconnecting Users...........................................................................................................67

How to Assign Ports and IP Addresses to Virtual Servers......................................................68

Before You Begin................................................................................................................68
Procedure............................................................................................................................69
For More Information...........................................................................................................69

How to Set Connection Limits.................................................................................................69

Before You Begin................................................................................................................70
Procedure............................................................................................................................70
For More Information...........................................................................................................70

How to Disconnect Users from a Virtual Server......................................................................71

Procedure............................................................................................................................71
For More Information...........................................................................................................71

Managing Calendaring Options for the POP3 and IMAP4 Virtual Servers..............................71

How to Configure Calendaring Options for a POP3 or IMAP4 Virtual Server.........................72

Before You Begin................................................................................................................72
Procedure............................................................................................................................73
For More Information...........................................................................................................73

Managing the HTTP Virtual Server.........................................................................................73

How to Create a New HTTP Virtual Server.............................................................................74

Before You Begin................................................................................................................74
Procedure............................................................................................................................75
For More Information...........................................................................................................75

Managing the Exchange Virtual Server..................................................................................75

Working with IMAP4-Specific Settings....................................................................................75

How to Enable Fast Message Retrieval for an IMAP4 Virtual Server.....................................76
Procedure............................................................................................................................77
For More Information...........................................................................................................78

How to Include All Public Folders When a Folder Is Requested on an IMAP4 Virtual Server. 78
Procedure............................................................................................................................78
For More Information...........................................................................................................79

Configuring NNTP Posting Limits and Moderation Settings....................................................79

How to Configure Posting Limits and Moderation Settings for an NNTP Virtual Server..........80
Before You Begin................................................................................................................80
Procedure............................................................................................................................81
For More Information...........................................................................................................82

Managing Outlook Web Access..............................................................................................82

Enabling and Disabling Outlook Web Access for Internal Clients Only...............................83
Using Browser Language Settings......................................................................................83
Blocking Web Beacons.......................................................................................................84
Configuring Attachment Handling........................................................................................85
Blocking Attachments..........................................................................................................85

How to Enable Outlook Web Access for Internal Clients Only................................................86

Procedure............................................................................................................................86
For More Information...........................................................................................................87

How to Disable Outlook Web Access for Specific Users.........................................................87

Procedure............................................................................................................................87
For More Information...........................................................................................................87

How to Modify the Default Browser Language Settings for Outlook Web Access...................88
Before You Begin................................................................................................................89
Procedure............................................................................................................................89
For More Information...........................................................................................................89

How to Disable Blocking of Web Beacons..............................................................................89

Before You Begin................................................................................................................90
Procedure............................................................................................................................90
For More Information...........................................................................................................90

How to Modify Attachment Handling Settings.........................................................................90

Before You Begin................................................................................................................91
Procedure............................................................................................................................91
For More Information...........................................................................................................92

Specifying Front-End Servers That Allow for Attachment Handling........................................92

How to Specify the Front-End Servers That Allow for Attachment Handling...........................92
Before You Begin................................................................................................................92
Procedure............................................................................................................................93
For More Information...........................................................................................................93

Filtering Junk E-Mail Messages..............................................................................................94

Managing Mobile Services......................................................................................................94

Managing Exchange ActiveSync.........................................................................................94
Enabling Up-to-Date Notifications for Your Organization.....................................................95

How to Enable or Disable Exchange ActiveSync for Your Organization.................................96

Before You Begin................................................................................................................96
Procedure............................................................................................................................97
For More Information...........................................................................................................97

How to Configure the Exchange ActiveSync Up-to-Date Notifications Feature......................97

Procedure............................................................................................................................97
For More Information...........................................................................................................98

How to Enable Up-to-Date Notifications for Your Organization...............................................98

Procedure............................................................................................................................98
For More Information...........................................................................................................99

How to Enable and Disable Up-to-Date Notifications at the User Level.................................99

Procedure............................................................................................................................99
For More Information.........................................................................................................100

How to Configure a Mobile Carrier When Using Up-to-Date Notifications............................100

Procedure..........................................................................................................................101
For More Information.........................................................................................................101

How to Set the Enable Notifications to User-Specified SMTP Address Option for Your
Organization......................................................................................................................101
Procedure..........................................................................................................................101
For More Information.........................................................................................................102

Managing Outlook Mobile Access.........................................................................................102

Configuring Exchange to Use Outlook Mobile Access.......................................................102
Enabling Outlook Mobile Access for Your Organization.....................................................103

Copyright..............................................................................................................................103
 10

Exchange Server Client Access Guide

This guide provides information about working with Microsoft® Exchange Server 2003 and
client access. It describes the features for Exchange Server 2003 and Microsoft Office
Outlook® 2003, in addition to improvements in Outlook Web Access 2003. It contains
configuration information, such as how to secure your messaging environment, deploy the
server architecture, and configure Exchange servers for your supported client access
methods. This guide also describes how to manage protocols, Exchange Virtual Server,
Outlook Web Access, Exchange ActiveSync®, and Outlook Mobile Access.

Note:
Download Microsoft Exchange Server 2003 Client Access Guide to print or read
offline.

Introduction to the Exchange Server 2003

Client Access Guide
This guide provides essential information about working with Microsoft® Exchange
Server 2003 and client access. This guide describes the features for Exchange 2003 and
Microsoft Office Outlook® 2003, in addition to improvements in Microsoft Office Outlook Web
Access 2003. It contains configuration information, such as how to help secure your
messaging environment, deploy the server architecture, and configure the Exchange servers
for your supported client access methods. Finally, this guide describes how to manage
protocols, the Exchange Virtual Server, Outlook Web Access, Exchange ActiveSync®, and
Microsoft Outlook Mobile Access.

Who Should Read This Guide?

Anyone with a technical background can benefit from reading this guide; however, it is
designed to produce maximum benefits for the following professionals.

Systems Architects
Those individuals responsible for planning and crafting overall business strategies and
solutions

Enterprise Exchange Administrators

Those individuals responsible for installation, maintenance, and administration of software
in the enterprise
 11

Exchange User Account Managers

Those individuals responsible for setting up individual e-mail accounts and modifying
individual Exchange accounts in the Microsoft Active Directory® directory service

Messaging Support Staff

Those individuals who specialize in troubleshooting the causes of problems that end-users
have with their messaging environment

Helpdesk Operators
Those individuals who help end-users with a variety of hardware and software issues,
including simple messaging issues

Hardware Requirements
You need the following hardware to do the procedures in this guide. This list does not include
your general Exchange servers, storage hardware, and so on. It includes only security-
specific hardware requirements:

• Two firewalls (or routers)

• RSA SecurID PIN generators (for each mobile client)

• A minimum of one front-end server running Internet Security and Acceleration (ISA)
Server

Software Requirements
You need the following software to do the procedures in this guide:

• Microsoft Exchange Server 2003 Enterprise Edition

• Microsoft Internet Security and Acceleration (ISA) Server

• Microsoft Windows® 2000 Advanced Server

• RSA SecurID Server version 1.x

Understanding Exchange Server 2003

Client Access
Exchange 2003 provides users with increased client messaging functionality. Exchange 2003
builds on the technologies of earlier versions of Exchange and now includes several
significant messaging capabilities. New for Exchange 2003 are the following:

• Microsoft® Office Outlook® 2003 cached mode

 12

• Outlook 2003 using RPC over HTTP

• Mobile device support using Outlook Mobile Access and Exchange ActiveSync®

• Improved Outlook Web Access for Exchange 2003

The new and improved clients enable you to provide your users with a simplified remote
access, more access options, and an improved user experience.

New Features for Exchange 2003 and

Outlook 2003
The following sections describe the new features in Exchange 2003 and Outlook 2003 that
make your messaging and information management tasks easier to perform.

Exchange Server Access Through the Internet

(RPC over HTTP)
Outlook can now connect to Exchange 2003 through the Internet without the need to use
slow and sometimes unavailable virtual private network (VPN) connections. This feature
enables you to access your Exchange 2003 account from the Internet when you are working
outside your organization's firewall without any special connections or hardware, such as
smart cards and security tokens. For more information about configuring Exchange 2003 to
use RPC over HTTP, see Exchange Server 2003 RPC over HTTP Deployment Scenarios.

Synchronization Improvements
To reduce the amount of information that is sent between the Outlook 2003 client and
Exchange 2003 servers, Exchange 2003 performs data compression. Exchange 2003 also
reduces the total requests for information between the client and server, thereby optimizing
the communication between the client and the server.

New Data File Type (.pst)

Outlook introduces a new file format for personal folder (.pst) files that offers greater storage
capacity for items and folders and support for multilingual Unicode data.

Note:
A file created with the new Outlook .pst file format is not compatible with earlier
versions of Outlook. For compatibility with earlier versions of Outlook, create files by
 13

using the .pst file format for Outlook 97 through Outlook 2002. Outlook 2003 can view
and create files of either type.

Kerberos Authentication Protocol

Exchange 2003 allows Outlook 2003 clients to authenticate to Exchange 2003 servers by
using Kerberos authentication.

Cached Exchange Mode

The addition of Cached Exchange Mode, combined with the synchronization and optimization
improvements, significantly enhances the remote end-user's experience with Outlook. For
example, in earlier versions of Outlook, dialog boxes would display requests for information
from an Exchange server; however, in Outlook 2003, these requests no longer appear on a
user's Outlook client because the user works primarily from their local Exchange mailbox data
file (this functionality also reduces the total load on your Exchange servers). More importantly,
if network connectivity is lost between the Outlook client and the network, Outlook 2003 will
operate without interruption.

Improvements in Outlook Web Access 2003

The new version of Outlook Web Access in Exchange 2003 contains improvements such as
forms-based authentication, rules, spell checking, and the ability to send and receive digitally
signed and encrypted e-mail messages. The user interface has also been redesigned to
provide a user experience that is similar to that provided with Outlook 2003, including right
preview pane and improved navigation pane.

Outlook Web Access for Exchange 2003 can perform faster, especially over slow
connections, and therefore will be more responsive to user interactions.

The following sections briefly describes some of the new features for Outlook Web Access for
Exchange 2003.

Bytes over the wire

The speed of Outlook Web Access has been improved by reducing the amount of information
that must travel from the server to the browser. Fewer bytes are sent over the wire from
server to browser. However, be aware that the logon process involves more bytes than the
logon process in Outlook 2003.

Compression support

Administrators can configure compression support for Outlook Web Access, which improves
performance on slow network connections and provides increased performance for most
 14

actions on slow network connections. Outlook Web Access compression works by

compressing either static or dynamic or both types of Web pages, depending on the
compression setting you are using. You can enable compression from Exchange System
Manager.

Forms -based authentication

You can enable a new logon page for Outlook Web Access that will store the user's name and
password in a cookie instead of in the browser. When a user closes the browser, the cookie is
cleared. Additionally, after a period of inactivity, the cookie is cleared automatically. The new
logon page requires users to enter their domain, user name, and password, or their full user
principal name (UPN) e-mail address and password. To enable the Outlook Web Access
logon page, you must enable forms-based authentication on the server.
S/MIME support

Secure/Multipurpose Internet Mail Extensions (S/MIME) increases the security of Internet e-

mail by enabling digital signing of messages, in addition to message encryption. Digital
signatures provide authentication, non-repudiation, and data integrity. Message encryption
provides confidentiality and data integrity.

Outlook Web Access in Exchange 2000 did not support signed and encrypted e-mail. Now,
with the new Microsoft Outlook Web Access S/MIME ActiveX control, users can digitally sign
and encrypt e-mail messages. The S/MIME control works with any X.509 v3-based public key
infrastructure (PKI) to provide the signing and encryption capabilities.

For more information about S/MIME support in Outlook Web Access, see What's New in
Exchange Server 2003.

The improvements in features, functionality, and performance may affect decisions about
which client your users should primarily use to access their Exchange information. In remote
sites, Outlook Web Access may be the primary choice, which is a consideration when
planning WAN connections and server placement.

Outlook Web Access versions

Exchange 2003 now includes two versions of Outlook Web Access:

Outlook Web Access Premium

Outlook Web Access Premium is designed for Microsoft Internet Explorer 5.01 or later.
Outlook Web Access Premium contains all the Outlook Web Access features, including the
new enhanced features for Exchange 2003.

Note:
Microsoft Internet Explorer 6 is required for some features.

Outlook Web Access Basic

Outlook Web Access Basic is designed to work in browsers that support the HTML 3.2 and
the European Computer Manufacturers Association (ECMA) script standards. It provides a
 15

subset of the features available in Outlook Web Access Premium.

Increased browser support

The following table shows the new level of browser support for the operating systems offered
by Outlook Web Access for Exchange 2003.

Browser support for Outlook Web Access for Microsoft operating systems

Windows 98 Windows ME Windows 200 Windows XP Windows

Second 0 Server 2003
Edition

Internet B,P None B,P None None

Explorer 5.1

Internet B,P B,P B,P None None

Explorer 5.5

SP2

Internet B,P B,P B,P B,P None

Explorer 6

Internet B,P B,P B,P B,P B,P

Explorer 6
SP1

MSN version None None None B,P B,P

8 and later

Netscape B B B B B
Navigator 4.8

Netscape B B B B B
Navigator 7

Key:

• B - Basic version of Outlook Web Access supported

• B,P - Both the Basic and Premium versions of Outlook Web Access are supported

• None - Neither the Basic nor Premium versions of Outlook Web Access are
supported

The following table shows the level of functionality for the operating systems and browsers for
Outlook Web Access.
 16

Browser support for Outlook Web Access with other operating systems

Browser Apple OS 9.x Apple OS 10.1 and Sun Microsystems

later Solaris HP/UX

Internet Explorer 5.0 B B N/A

and later for Apple

Internet Explorer 5.5 None None None

SP2

Internet Explorer 6 None None None

Internet Explorer 6 None None None

SP1

MSN version 8 and None None None

later

Netscape B B B
Navigator 4.8

Netscape B B B
Navigator 6.2

Netscape Navigator 7 B B B

Key:

• B - Basic version of Outlook Web Access supported

• B,P - Both the Basic and Premium versions of Outlook Web Access are supported

• None - Neither the Basic nor Premium versions of Outlook Web Access are
supported

Additionally, support for the following browsers and operating systems has been discontinued
for Exchange 2003:

• Microsoft Internet Explorer 4.5

• Internet Explorer 5 on all versions of Microsoft Windows

• Internet Explorer 5 for UNIX 6.0

• Internet Explorer 4.57 for Apple OS 9 and later

• Microsoft Windows 95

• Microsoft Windows 98

• Microsoft Windows NT 4.08

• Apple OS 8.17
 17

For information about:

• Comparing messaging features in Outlook Web Access (Premium and Basic) with
earlier versions of Outlook, see Comparing Office Outlook Web Access to Earlier
Versions.

• The new features for Outlook Web Access, see What's New in Exchange Server
2003.

• Configuring and managing Outlook Web Access, see the following topics:

• Configuring Outlook Web Access

• Managing Outlook Web Access

Mobile Services for Exchange

Exchange Server 2003 supports mobile access by using the synchronization and browse
capabilities of mobile devices. You can deploy mobile services to enable your users to access
their Exchange information from mobile devices such as the Microsoft Pocket PC 2002
Phone Edition device, or any mobile device with a mobile browser.

For information about configuring and managing mobile services for Exchange, see the
following topics:

• Configuring Mobile Device Support

• Managing Mobile Services

Exchange ActiveSync
Exchange 2003 now includes the ability to use Pocket PC 2002 devices to synchronize
Exchange data with Microsoft® Exchange ActiveSync®. By default, when you install
Exchange, all your users are enabled for synchronization.

By synchronizing a device to an Exchange server, your users can access their Exchange
information without having to be always connected to a mobile network. Specifically, users
can use their mobile carrier connection to synchronize their Exchange information to their
Pocket PC Phone Edition or Smartphone device and then access this information while
offline.

Outlook Mobile Access

Exchange 2003 now includes the Microsoft® Office Outlook® Mobile Access application,
which enables users to use mobile devices to access their e-mail, Contacts, Calendar, and
Tasks folders. Outlook Mobile Access can be used with a mobile device that has a mobile
 18

browser. The mobile browser must support one of the following markup languages: HTML,
xHTML, or cHTML. To deploy your Exchange server to use Outlook Mobile Access, follow the
same steps involved in deploying an Exchange server to use Outlook Web Access.

Understanding Outlook Mobile Access Security

Requirements
When you enable Outlook Mobile Access for your users, a security issue exists when using
Mobile Operators that use Wireless Application Protocol (WAP) 1.x gateways. These
gateways translate secure traffic from Internet protocols to wireless protocols. Because of this
translation, a WAP 1.x gateway stops a Secure Sockets Layer (SSL) session over TCP/IP, re-
encrypts the data using Wireless Transport Layer Security (WTLS), and then sends the
information over the wireless network using Wireless Session Protocol (WSP). During this
translation at the WAP gateway, all data will be briefly unencrypted as it is decrypted from the
SSL session and re-encrypted again as part of the WTLS session. This security issue affects
your messaging infrastructure if your corporation is not hosting your own WAP gateway in the
perimeter network.

Outlook Mobile Access for Exchange 2003 supports WAP 2.0 devices only. However, this
does not eliminate the possibility of certain devices being able to use a WAP 1.x gateway.
Therefore, the security issue exists whenever a WAP 2.0 device, that can use a WAP 1.x
gateway, uses a Mobile Operator with WAP 1.x gateways deployed.

To resolve this issue, you can purchase and install your own corporate WAP gateway. This
solution requires that you situate a WAP gateway in the perimeter network and limit your
mobile users to use this gateway alone.

Alternatively, you can choose to provide only WAP 2.0 devices that use only carriers that
have WAP 2.0 gateways deployed. WAP 2.0 gateways allow SSL sessions to be passed
through directly to WAP 2.0 devices that support SSL without decrypting and re-encrypting
the session.

For More Information

For detailed information about mobile devices, see Step-by-Step Guide to Deploying
Windows Mobile-based Devices with Microsoft Exchange Server 2003 SP2.
 19

Planning Your Exchange Client Access

Infrastructure
To plan your Exchange client access infrastructure, you must first identify the technical
requirements for your Exchange messaging system. After you understand your technical
requirements, you can perform a gap analysis and determine what changes must be made to
your existing environment, including network infrastructure, hardware, and software
upgrades. Additionally, you must understand the basic concepts behind the factors that you
need to consider when planning your Exchange infrastructure. Some of these factors are:

• Security
• Topological boundaries and limitations

• Centralized vs. distributed messaging systems

• Routing design

• Server design and placement

• Server sizing and tuning

• User requirements

All these factors help you to design the client access infrastructure to meet your messaging
requirements. For more information about designing and planning your messaging system,
see Planning an Exchange Server 2003 Messaging System.

Configuring Exchange Server 2003 for

Client Access
This section provides information about configuring the Exchange Server 2003 features for
client access. Before you deploy the client access features, take time to review the affect that
these features will have on your messaging environment. Additionally, deploying client
features for Exchange 2003 involves the following activities:

• Securing your Exchange messaging environment

• Deploying your server architecture

• Configuring the Exchange servers for your supported client access methods
 20

Securing Your Exchange Messaging

Environment
Follow these steps to secure your Exchange messaging environment:

1. Update your server software.

2. Secure the messaging environment.

3. Secure communications.

To secure your messaging system, complete these steps in the order given.

Updating Your Server Software

After you install Exchange Server 2003, you should update the server software on your
Exchange servers and any other server that Exchange communicates with, such as global
catalog servers and domain controllers. For more information about updating your software
with the latest security updates, see the Microsoft® Exchange Server Security Center Web
site. For more information about Microsoft security, see the Microsoft Security Web site.

Securing the Exchange Messaging Environment

An alternative best practice to placing your front-end Exchange 2003 servers in the perimeter
network is to deploy Microsoft Internet Security and Acceleration (ISA) Server 2000. ISA
Server acts as advanced firewalls that control Internet traffic entering your network. When
you use this configuration, you put all your Exchange 2003 servers in your corporate network
and use ISA Server as the advanced firewall server exposed to Internet traffic in your
perimeter network.

Securing the messaging environment also involves configuring the front-end servers in a
manner that disables the features and settings for the front-end server that are not necessary
in a front-end and back-end server architecture. For more information about how to configure
a front-end server for the front-end and back-end server architecture, see Exchange Server
2003 and Exchange 2000 Server Front-End and Back-End Topologies.

All inbound Internet traffic bound to your Exchange servers (such as Outlook Web Access,
RPC over HTTP communication from Microsoft® Office Outlook® 2003 clients, Outlook
Mobile Access, Post Office Protocol version 3 (POP3), Internet Message Access Protocol
version 4rev1 (IMAP4), and so on) is processed by the ISA Server. When ISA Server receives
a request for an Exchange server, ISA Server proxies the requests to the appropriate
Exchange servers on your internal network. The internal Exchange servers return the
requested data to the ISA Server, and then ISA Server sends the information to the client
 21

through the Internet. The following figure shows an example of a recommended ISA Server
deployment.

Deploying Exchange 2003 behind ISA Server

Securing Communications
To secure communications for your Exchange messaging environment, you need to do the
following tasks:

• Secure the communications between the client messaging applications and the
Exchange front-end server.

• Secure the communications between the Exchange front-end server and the internal
network.

The following sections include information about securing communications for these two
situations.

Securing Communications Between the Client and Exchange

Front-End Server
To secure data transmitted between the client and the front-end server, it is highly
recommended that you enable the front-end server to use Secure Sockets Layer (SSL).
 22

Additionally, to ensure that user data is always secure, you should configure the front-end
server to require SSL (you can set this option in the SSL configuration). When using basic
authentication, it is critical to protect the network traffic by using SSL to protect user
passwords from network packet sniffing.

Caution:
If you do not use SSL between clients and the front-end server, HTTP data
transmission to your front-end server will not be secure. It is highly recommended
that you configure the front-end server to require SSL.

It is recommended that you obtain an SSL certificate by purchasing a certificate from a third-
party certification authority (CA). Purchasing a certificate from a certification authority is the
preferred method because most browsers trust many of these certification authorities.
As an alternative, you can use Certificate Services to install your own certification authorities.
Although installing your own certification authority may be less expensive, browsers will not
trust your certificate, and users will receive a warning message indicating that the certificate
is not trusted. For more information about SSL, see Microsoft Knowledge Base article
320291, "XCCC: Turning On SSL for Exchange 2000 Server Outlook Web Access."

Using Secure Sockets Layer

To protect outbound and inbound mail, deploy SSL to encrypt messaging traffic. You can
configure SSL security features on an Exchange server to verify the integrity of your content,
verify the identity of users, and encrypt network transmissions. Exchange, like any Web
server, requires a valid server certificate to establish SSL communications. You can use the
Web Server Certificate Wizard to either generate a certificate request file (NewKeyRq.txt, by
default) that you can send to a certification authority, or to generate a request for an online
certification authority, such as Microsoft Certificate Services.
If you are not using Certificate Services to issue your own server certificates, a third-party
certification authority must approve your request and issue your server certificate. For more
information about server certificates, see "Obtaining and Installing Server Certificates" later in
this section. Depending on the level of identification assurance offered by your server
certificate, you can expect to wait several days to several months for the certification authority
to approve your request and send you a certificate file. You can have only one server
certificate for each Web site.

After you receive a server certificate file, use the Web Server Certificate Wizard to install it.
The installation process attaches (or binds) your certificate to a Web site.

If you require 128-bit key encryption, your users must use Web browsers that support 128-bit
encryption. For more information about upgrading to 128-bit encryption capability, see the
Microsoft Product Support Services Web site.
 23

For a detailed overview of the steps required to configure Secure Sockets Layer, see How to
Use SSL to Secure the Communications Between the Client Messaging Applications and the
Exchange Front-End Server.

Configuring the Server to Use SSL

The first step in configuring SSL is to configure the Web site or file that you want to protect to
require SSL. You do this using IIS Manager. For detailed steps for configuring this initial
setting, see How to Set Up SSL on a Server.

Obtaining and Installing Server Certificates

You can obtain server certificates from an outside CA, or you can issue your own server
certificates by using Microsoft Certificate Services. After you obtain a server certificate, you
can install it. When you use the Web Server Certificate Wizard to obtain and install a server
certificate, the process is referred to as creating and assigning a server certificate.

This section explains the issues to consider when deciding whether to obtain your server
certificates from an outside CA or to issue your own server certificates. This section includes
the following information:

• Obtaining server certificates from a CA

• Issuing your own server certificates

• Installing server certificates

• Backing up server certificates

Obtaining Server Certificates from a Certification Authority

If you are replacing your current server certificate, IIS continues to use that certificate until the
new request has been completed. When you are selecting a CA, consider the following
questions:

• Will the CA be able to issue a certificate that is compatible with all the browsers used
to access my server?

• Is the CA a recognized and trusted organization?

• How will the CA provide verification of my identity?

• Does the CA have a system for receiving online certificate requests, such as requests
generated by the Web Server Certificate Wizard?

• How much will the certificate cost initially, and how much will renewal or other
services cost?

• Is the CA familiar with my organization or my company's business interests?

 24

Note:
Some certification authorities require you that you prove your identity before they will
process your request or issue a certificate.

For detailed steps for obtaining a server certificate from a certification authority, see How to
Obtain a Server Certificate from a Certification Authority.

Issuing Your Own Server Certificates

When deciding whether to issue your own server certificates, consider the following:

• Understand that Microsoft Certificate Services accommodates different certificate

formats and provides for auditing and logging of certificate-related activity.
• Compare the cost of issuing your own certificates against the cost of buying a
certificate from a certification authority.

• Remember that your organization will require an initial adjustment period to learn,
implement, and integrate Certificate Services with existing security systems and policies.

• Assess the willingness of your connecting clients to trust your organization as a

certificate supplier.

Use Certificate Services to create a customizable service for issuing and managing
certificates. You can create server certificates for the Internet or for corporate intranets, which
gives your organization complete control over certificate management policies. For more
information about using Certificate Services, see "Certificate Services" in Microsoft®
Windows Server™ 2003 Help.

Online requests for server certificates can be made only to local and remote Enterprise
Certificate Services and remote stand-alone Certificate Services. The Web Server Certificate
Wizard does not recognize a stand-alone installation of Certificate Services on the same
computer when requesting a certificate. If you need to use Web Server Certificate Wizard on
the same computer as a stand-alone Certificate Services installation, use the offline
certificate request to save the request to a file and then process it as an offline request. For
more information about using Certificate Services, see "Certificate Services" in Microsoft
Windows Server 2003 Help.

Note:
If you open a Server Gated Cryptography (SGC) certificate, you may receive the
following notice on the General tab: The certificate has failed to verify for all
its intended purposes. This notice is issued because of how SGC certificates
interact with Windows and does not necessarily indicate that the certificate does not
work correctly.
 25

Installing Server Certificates

After you obtain a server certificate from a CA, or after you issue your own server certificate
by using Certificate Services, use the Web Server Certificate Wizard to install it.

Backing up Server Certificates

You can use the Web Server Certificate Wizard to back up server certificates. Because IIS
works closely with Windows, you can use Certificate Manager, which is called Certificates in
Microsoft Management Console (MMC), to export and back up your server certificates. After
you install Certificate Manager, you can back up your certificate.

• For detailed steps for adding Certificate Manager to the MMC, see How to Add
Certificate Manager to Microsoft Management Console.
• For detailed steps for backing up your server certificate, see How to Back Up Your
Server Certificate.

After you configure your network to issue server certificates, you need to secure your
Exchange front-end server and the services for your Exchange server by requiring SSL
communication to the Exchange front-end server. You do this by enabling SSL for your
default Web site.

How to Use SSL to Secure the

Communications Between the Client
Messaging Applications and the
Exchange Front-End Server
Encrypting messaging traffic can help protect outgoing and incoming mail. This topic explains
how to deploy Secure Sockets Layer (SSL) to encrypt messaging traffic. You can configure
SSL security features on an Exchange server to verify the integrity of your content, verify the
identity of users, and encrypt network transmissions.

Before You Begin

Before you perform the procedures in this topic, it is important that you first read "Using
Secure Sockets Layer" in Securing Your Exchange Messaging Environment.
 26

Procedure
To use SSL to secure the communications between client messaging applications
and the Exchange front-end server
1. Set up SSL on a server. For detailed steps, see How to Set Up SSL on a Server.

2. Obtain and install server certificates. You can obtain a server certificate from a
certification authority or issue your own certificate.

• For information about obtaining and installing server certificates, see "Using
Secure Sockets Layer" in Securing Your Exchange Messaging Environment.

• For detailed steps for obtaining a certificate from a certificate authority, see
How to Obtain a Server Certificate from a Certification Authority.

3. Back up your certificates using Certificate Manager.

• For detailed steps for adding Certificate Manager to MMC, see How to Add
Certificate Manager to Microsoft Management Console.

• For detailed steps for backing up certificates, see How to Back Up Your
Server Certificate.

4. Enable SSL for the default Web site. For detailed steps for enabling SSL for the
default Web site, see How to Configure Virtual Directories to Use SSL.

How to Set Up SSL on a Server

The first step in configuring SSL, is to configure the Web site or file that you want to protect to
require SSL. You do this using IIS Manager.

Before You Begin

This step is just one part of configuring SSL. For an overview to the procedures you must
follow to configure SSL, see "How to Use SSL to Secure the Communications Between the
Client Messaging Applications and the Exchange Front-End Server" in the Exchange Server
2003 Client Access Guide.

Before you perform this procedure, you must read "Using Secure Sockets Layer" in "Securing
Your Exchange Messaging Environment" in the Exchange Server 2003 Client Access Guide.
 27

Important:
You must be a member of the Administrators group on the local computer to perform
the following procedure, or you must have been delegated the appropriate authority.
As a security best practice, log on to your computer using an account that is not in
the Administrators group, and then use the Run as command to run Internet
Information Services (IIS) Manager as an administrator. At the command prompt,
type the following command: runas /user:administrative_accountname "mmc
%systemroot%\system32\inetsrv\iis.msc"

Procedure
To set up SSL on a server
1. In IIS Manager, expand the local computer, and then expand the Web Sites
folder. Right-click the Web site or file that you want to protect with SSL, and then click
Properties.

2. Under Web site identification, click Advanced.

3. In the Advanced Web site identification box, under Multiple identities for this
Web site, verify that the Web site IP address is assigned to port 443 (the default port
for secure communications), and then click OK. Optionally, to configure more SSL
ports for this Web site, click Add under Multiple identities of this Web site, and
then click OK.

4. On the Directory Security tab, under Secure communications, click Edit.

5. In the Secure Communications box, select the Require secure channel (SSL)
check box.

How to Obtain a Server Certificate from a

Certification Authority
You can obtain server certificates from an outside certification authority (CA), or you can
issue your own server certificates by using Microsoft Certificate Services.

Before You Begin

Obtaining a server certificate from a certification authority is one step in the process of
configuring SSL. For an overview to the procedures you must follow to configure SSL, see
 28

"How to Use SSL to Secure the Communications Between the Client Messaging Applications
and the Exchange Front-End Server" in the Exchange Server 2003 Client Access Guide.

For questions you should consider when selecting a certificate authority, see "Obtaining
Server Certificates from a Certification Authority" in "Securing Your Exchange Messaging
Environment" in the Exchange Server 2003 Client Access Guide.

Note:
Some certification authorities require that you prove your identity before they will
process your request or issue a certificate.

Procedure
To obtain a server certificate from a certification authority
1. Use the Web Server Certificate Wizard to create a certificate request.

2. In the Web Server Certificate Wizard, on the Delayed or Immediate Request

page, click Prepare the request now, but send it later.

3. Use the Web Server Certificate Wizard to send the request to the certification
authority. The CA will process the request and then send you the certificate.

4. Finish using the Web Server Certificate Wizard.

How to Add Certificate Manager to

Microsoft Management Console
Before you can use Certificate Manager, you must add Certificate Manager to Microsoft
Management Console (MMC).

Procedure
To add Certificate Manager to Microsoft Management Console
1. Click Start, and then click Run.

2. In the Open box, type mmc, and then click OK.

3. In the File menu, click Add/Remove Snap-in.

4. In the Add/Remove Snap-in box, click Add.

 29

5. In the Available Standalone Snap-ins list, click Certificates, and then click
Add.

6. Click Computer Account, and then click Next.

7. Click the Local computer (the computer this console is running on) option, and
then click Finish.

8. Click Close, and then click OK.

How to Back Up Your Server Certificate

To back up your server certificates, you use the Export feature of Certificate Manager.

Before You Begin

Backing up a server certificate is just one step in configuring SSL. For an overview of the
procedures you must follow to configure SSL, see "How to Use SSL to Secure the
Communications Between the Client Messaging Applications and the Exchange Front-End
Server" in the Exchange Server 2003 Client Access Guide.

Note:
If you do not have Certificate Manager installed in Microsoft Management Console
(MMC), see How to Add Certificate Manager to Microsoft Management Console. After
you install Certificate Manager, you can back up your server certificate.

Procedure
To back up your server certificate
1. Locate the correct certificate store. This store is typically the Local Computer
store in Certificate Manager.

Note:
When you have Certificate Manager installed, it points to the correct Local
Computer certificate store.

2. In the Personal store, click the certificate that you want to back up.

3. On the Action menu, point to All tasks, and then click Export.

4. In the Certificate Manager Export Wizard, click Yes, export the private key.
 30

5. Follow the wizard default settings, and enter a password for the certificate
backup file when prompted.

Note:
Do not select Delete the private key if export is successful because this
option disables your current server certificate.

6. Complete the wizard to export a backup copy of your server certificate.

For More Information

For conceptual information about how configuring SSL, see "Using Secure Sockets Layer" in
"Securing Your Exchange Messaging Environment" in the Exchange Server 2003 Client
Access Guide.

For detailed steps for adding Certificate Manager to MMC, see How to Add Certificate
Manager to Microsoft Management Console.

How to Configure Virtual Directories to Use

SSL
After you obtain an SSL certificate to use either with your Exchange front-end server on the
default Web site or on the site where you host the \RPC, \OMA, \Microsoft-Server-
ActiveSync, \Exchange, \Exchweb, and \Public virtual directories, you can configure the
default Web site to require Secure Sockets Layer (SSL).

Note:
The \Exchange, \Exchweb, \Public, \OMA, and \Microsoft-Server-ActiveSync virtual
directories are installed by default on any Exchange 2003 installation. The \RPC
virtual directory for RPC over HTTP communication is installed manually when you
configure Exchange to support RPC over HTTP. For more information about how to
set up Exchange to use RPC over HTTP, see Exchange Server 2003 RPC over
HTTP Deployment Scenarios.

Before You Begin

Configuring virtual directories to use SSL is just one step in configuring SSL. For an overview
of the procedures that you must follow to configure SSL, see "How to Use SSL to Secure the
Communications Between the Client Messaging Applications and the Exchange Front-End
Server" in the Exchange Server 2003 Client Access Guide.
 31

Before you perform this procedure, you must read "Using Secure Sockets Layer" in "Securing
Your Exchange Messaging Environment" in the Exchange Server 2003 Client Access Guide.

Procedure
To configure virtual directories to use SSL
1. In Internet Information Services (IIS), select the Default Web site or the Web site
where you are hosting your Exchange services, and then click Properties.

2. On the Directory Security tab, in Secure Communications, click Edit.

3. In Secure Communications, select Require Secure Channel (SSL).

4. After you complete this procedure, all virtual directories on the Exchange front-
end server on the default Web site are configured to use SSL.

Enabling SSL for the Default Web Site

After you obtain an SSL certificate to use either with your Exchange front-end server on the
default Web site or on the site where you host the \RPC, \OMA, \Microsoft-Server-
ActiveSync, \Exchange, \Exchweb, and \Public virtual directories, you can configure the
default Web site to require SSL.

Note:
The \Exchange, \Exchweb, \Public, \OMA, and \Microsoft-Server-ActiveSync virtual
directories are installed by default on any Exchange 2003 installation. The \RPC
virtual directory for RPC over HTTP communication is installed manually when you
configure Exchange to support RPC over HTTP. For more information about how to
set up Exchange to use RPC over HTTP, see "Configuring RPC over HTTP for
Outlook 2003" in Configuring Outlook 2003 Features.

For detailed steps for enabling SSL for the default Web site, see How to Configure Virtual
Directories to Use SSL.
 32

Securing Communications Between

Exchange Front-End Server and Other
Servers
After you secure your communications between the client computers and the Exchange
servers, you must secure the communications between the Exchange server and other
servers in your organization. HTTP, POP, and IMAP communications between the front-end
server and any server with which the front-end server communicates (such as back-end
servers, domain controllers, and global catalog servers) is not encrypted. When the front-end
and back-end servers are in a trusted physical or switched network, this lack of encryption is
not an issue. However, if front-end and back-end servers are kept in separate subnets,
network traffic may pass over nonsecure areas of the network. The security risk increases
when there is greater physical distance between the front-end and back-end servers. In this
case, it is recommended that this traffic be encrypted to protect passwords and data.

Using IPSec to Encrypt IP Traffic

Windows 2000 supports Internet Protocol security (IPSec), which is an Internet standard that
allows a server to encrypt any IP traffic, except traffic that uses broadcast or multicast IP
addresses. Generally, you use IPSec to encrypt HTTP traffic; however, you can also use
IPSec to encrypt Lightweight Directory Access Protocol (LDAP), RPC, POP, and IMAP traffic.
With IPSec you can:

• Configure two servers running Windows 2000 to require trusted network access.

• Transfer data that is protected from modification (using a cryptographic checksum on

every packet).

• Encrypt any traffic between the two servers at the IP layer.

In a front-end and back-end topology, you can use IPSec to encrypt traffic between the front-
end and back-end servers that would otherwise not be encrypted. For more information about
configuring IPSec with firewalls, see Microsoft Knowledge Base article 233256, "How to
Enable IPSec Traffic Through a Firewall."
 33

Deploying the Exchange Server

Architecture
After you secure your Exchange messaging environment, you can deploy the Exchange front-
end and back-end server architecture. For more information about the Exchange front-end
and back-end server architecture, see Front-End and Back-End Server Topology Guide
for Exchange Server 2003 and Exchange 2000 Server.

To configure the Exchange front-end and back-end server architecture, you need to configure
one Exchange server as a front-end server. Make sure you review your deployment options
before you continue with the installation process. The following sections help you decide if
you want to deploy Exchange 2003 in a front-end and back-end server configuration.

A front-end and back-end configuration is recommended for multiple-server organizations that

use Outlook Web Access, POP, or IMAP and for organizations that want to provide HTTP,
POP, or IMAP access to their employees.

Configuring an Exchange Front-End Server

A front-end server is an ordinary Exchange server until it is configured as a front-end server. A
front-end server must not host any users or public folders and must be a member of the same
Exchange 2003 organization as the back-end servers (therefore, a member of the same
Windows 2000 Server or Windows Server 2003 forest). Servers that are running either
Exchange Server 2003 Enterprise Edition or Exchange Server 2003 Standard Edition can be
configured as front-end servers.

• For detailed steps for designating a server to be a front-end server, see How to
Designate a Front-End Server.

• For more information about front-end and back-end scenarios, configurations, and
installation, see the following guides:

• Planning an Exchange Server 2003 Messaging System

• Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End
Topologies

How to Designate a Front-End Server

A front-end server is an Exchange server that accepts requests from clients and proxies
them to the appropriate back-end server for processing.
 34

Before You Begin

To successfully complete the procedures in this topic, confirm the following:

• The server that you will designate as a front-end server is a member of the same
Microsoft® Windows® forest as the back-end servers.

• The server that you will designate as a front-end server is a member of the same
Exchange organization as the back-end servers.

Procedure
To designate a front-end server
1. Install the server that will be running Exchange Server in the organization.

Note:
With Exchange 2000 Server, only Enterprise Edition servers can be
configured as front-end servers. In Exchange Server 2003, both Standard
Edition and Enterprise Edition can be configured as front-end servers.

2. Use Exchange System Manager to go to the server object, right-click the server
object, and then click Properties.

3. Select This is a front-end server, and then close the page.

4. To begin using the front-end server do one of the following:

• Restart the computer.

• Stop and restart the HTTP, POP3, and IMAP4 services.

5. The default Exchange virtual directories have now been configured for you.
However, it is recommended that you also configure SSL. For detailed instructions on
how to configure SSL for POP3, IMAP4, and SMTP, see "How to Configure SSL for
POP3, IMAP4, and SMTP" in the Exchange Server 2003 and Exchange 2000 Server
Front-End and Back-End Server Topology Guide. For detailed instructions about how
to configure SSL for HTTP, see How to Configure SSL for HTTP in the Exchange
Server 2003 and Exchange 2000 Server Front-End and Back-End Server Topology
Guide.

For More Information

• For more information, see:

• "Configuring Exchange Front-end Servers" in the Exchange Server 2003 and

Exchange 2000 Server Front-End and Back-End Server Topology Guide
 35

• "How to Set Up a Front-End and Back-End Topology with a Front-End Server

Behind a Firewall" in the Exchange Server 2003 and Exchange 2000 Server Front-
End and Back-End Server Topology Guide

• Exchange Server 2003 Client Access Guide

Configuring Exchange for Client Access

Configuring Exchange for client access involves configuring Exchange to handle the
protocols and clients that you want to support. The following section describes how to enable
the client protocols supported by Exchange on the Exchange server. This section includes the
following sections:

• Configuring Outlook 2003 Features

• Configuring Mobile Device Support

• Configuring Outlook Web Access

• Configuring POP3 and IMAP4 Virtual Servers

Configuring Outlook 2003 Features

Outlook 2003 enables you to use the Windows RPC over HTTP feature to provide remote
access to Exchange for your users. Combined with Cached Exchange Mode, which enables
your users to use a copy of their Exchange mailbox on their local computer, your users will be
able to access Exchange from environments in which network connectivity is slow,
inconsistent, or non-existent.

Configuring RPC over HTTP for Outlook 2003

Deploying RPC over HTTP to support your Outlook 2003 clients for remote access to
Exchange requires that you carefully follow the steps necessary to deploy this feature. For
more information about how to deploy this feature and configure your users with
Outlook 2003, see Exchange Server 2003 RPC over HTTP Deployment Scenarios.

Configuring Mobile Device Support

Perform the following activities to configure mobile device support for Exchange 2003:

• Configure synchronization.
 36

• Configure Exchange ActiveSync to use RSA SecurID.

• Enable Outlook Mobile Access.

For an overview of mobile devices support features for Exchange Server 2003, see Mobile
Services for Exchange.

Configuring Synchronization
When you install Exchange, synchronization access to Exchange is enabled by default for all
users in your organization. You can disable synchronization at the organizational level using
Exchange System Manager. You can also use the Active Directory Users and Computers
snap-in to enable or disable synchronization access for a user or groups of users.

Configuring Exchange ActiveSync to Use RSA

SecurID
As an added level of security, you can use Microsoft Windows Mobile devices with Exchange
ActiveSync with RSA SecurID two-factor authentication.

Note:
No additional device configuration is required to support RSA SecurID. The device
presents the appropriate authentication automatically when synchronizing with an
Exchange ActiveSync server protected by RSA SecurID.

The steps to use RSA SecurID with Exchange ActiveSync include the following:

1. Set up the RSA SecurID server components.

2. Configure IIS to use RSA SecurID.

3. Set up user accounts.

For detailed steps for configuring RSA SecurID with Exchange ActiveSync, see How to Use
RSA SecurID with Exchange ActiveSync.

Configuring Devices to Use Exchange

ActiveSync Features
After you have configured your Exchange environment for synchronization, you must also
configure the client devices. You must individually configure each mobile device in your
organization. Alternatively you can instruct users how to configure their own devices.

• For detailed steps for configuring a mobile device to use Exchange ActiveSync, see
How to Configure a Mobile Device to Use Exchange ActiveSync.
 37

• For detailed steps for configuring a mobile device to use AUTD, see How to Specify a
Mobile Operator for Up-to-Date Notifications on a Device.

Configuring Exchange ActiveSync

The following topics explain how to configure Exchange ActiveSync in your organization.

• For detailed information about how to enable ActiveSync features at the

organizational level, see How to Enable and Disable Exchange ActiveSync Features at
the Organizational Level.

• For information about how to enable Exchange ActiveSync for individual users or
groups of users, see How to Enable and Disable Exchange ActiveSync Features at the
User Level.

Adding a Root Certificate to a Windows Mobile-

based 5.0 Device
Microsoft Windows Mobile-based 5.0 devices use the Microsoft CryptoAPI (CAPI) certificate
store to securely store root certificates. Exchange ActiveSync checks the root certificate store
on the mobile device to verify that the certificate on the server it is connecting to was issued
by a trusted authority.

Root certificates that are included with a Windows Mobile 5.0 device represent the following
certificate authorities:

• VeriSign

• GTE CyberTrust

• Equifax
• Entrust

• GlobalSign

• Thawte

For the procedure to add a root certificate to a Windows Mobile-based 5.0 device, see the
Installing a Root Certificate in the Windows Mobile Version 5.0 SDK.

For information about how to add root certificates to the Windows Mobile 2003 Smartphone
and to Windows Mobile 2002 Smartphone, see the Microsoft Knowledge Base article 841060,
"How to add root certificates to Windows Mobile 2003 Smartphone and to Windows Mobile
2002 Smartphone."
 38

How to Use RSA SecurID with Exchange

ActiveSync
As an added level of security, you can use Microsoft® Windows Mobile™ devices with
Exchange ActiveSync® with RSA SecurID two-factor authentication.

Note:
No additional device configuration is required to support RSA SecurID. The device
presents the appropriate authentication automatically when synchronizing with an
Exchange ActiveSync server protected by RSA SecurID.
Use the procedures in this topic to use RSA SecurID with Exchange ActiveSync.

Procedure
How to use RSA SecurID with Exchange ActiveSync
1. Set up the RSA SecurID server components. To configure the RSA SecurID
server components, you need to:

• Set up the RSA ACE/Server The RSA ACE/Server is the RSA server that
stores and manages authentication tickets and credentials for your users. To set
up the RSA ACE/Server, follow the procedures as outlined in the RSA SecurID
documentation provided by RSA Security Inc.

• Set up the RSA ACE/Agent on the front-end server The RSA ACE/Agent
is the Internet Server Application Programming Interface (ISAPI) filter that
performs authentication and communicates to the ACE/Server to retrieve
SecurID credentials. To set up the RSA ACE/Agent, follow the procedures as
outlined in the RSA documentation provided by RSA Security Inc.

2. Configure Internet Information Services (IIS) to use RSA SecurID. To configure

IIS to use RSA Secure ID, do the following:

a. Protect the Exchange ActiveSync virtual directories. You can protect this
virtual directory in one of the following two ways:

• Protect the entire Web server (recommended) In this option, you protect
all virtual roots on the IIS server with RSA ACE/Agent, including any other
services implemented by the front-end server. For example, you may have
configured your front-end Exchange server as an access point for Outlook Mobile
Access or for Outlook Web Access. For information about how to verify that the
ACE/Agent is configured to protect the entire Web server, see How to Verify
ACE/Agent is Configured to Protect the Entire Web Server.
 39

• Protect only the Exchange ActiveSync virtual directories In this option,

you configure the RSA ACE/Agent so that SecurID protects only Exchange
ActiveSync. Use this option if you intend to enable additional services, such as
Outlook Web Access and Outlook Mobile Access, on the same server without
protecting those services with SecurID. For detailed steps for how to limit RSA
SecurID authentication to Exchange ActiveSync, see How to Limit SecurID
Authentication to the Microsoft-Exchange-ActiveSync Virtual Directory.

Note:
By default, the ACE/Agent is configured to protect the entire Web server.

3. Set up user accounts. User accounts for SecurID should be set up by the
administrator as recommended by the RSA SecurID product documentation, with the
following restriction:

Important:
For all users, SecurID user IDs must be selected to match the Windows
account name. Exchange ActiveSync with SecurID does not function for
users who have a distinct RSA user ID that does not match their Windows
account name.

For More Information

For an overview of RSA Secure ID, see "Configuring Exchange ActiveSync to Use RSA
SecureID" in Configuring Mobile Device Support.

How to Verify ACE/Agent is Configured to

Protect the Entire Web Server
When deploying RSA SecureID in your organization, you must configure Internet Information
Services (IIS) to protect the virtual directories that your users access when they use
Exchange ActiveSync. Microsoft® Exchange Server 2003 uses the \Microsoft-Server-
ActiveSync virtual directory.

This procedure shows you how to verify that the ACE/Agent is configured to protect the entire
Web server. By default, the ACE/Agent is configured to protect the entire Web server.

Before You Begin

This procedure is only one of a series of steps that you must perform when deploying RSA
SecurID two-factor authentication. Before performing the steps in this procedure, see "How to
 40

Use RSA SecurID with Exchange ActiveSync" in the Exchange Server 2003 Client Access
Guide.

If you do not want to protect the entire Web server with RSA SecurID, you configure the RSA
ACE/Agent so that SecurID protects only Exchange ActiveSync. You may want to do this if
you intend to enable additional services, such as Outlook Web Access and Outlook Mobile
Access, on the same server without protecting those services with SecurID. For detailed
steps for how to limit RSA SecurID authentication to Exchange ActiveSync, see How to Limit
SecurID Authentication to the Microsoft-Exchange-ActiveSync Virtual Directory.

Procedure
To verify ACE/Agent is configured to protect the entire Web server
1. In the Internet Information Services snap-in for MMC, right-click the default Web
server and select Properties.

2. Click the RSA SecurID tab, and verify that the Protect This Resource check
box is selected.

For More Information

For an overview of RSA SecureID, see "Configuring Exchange ActiveSync to Use RSA
SecureID" in "Configuring Mobile Device Support" in the Exchange Server 2003 Client
Access Guide.

How to Limit SecurID Authentication to the

Microsoft-Exchange-ActiveSync Virtual
Directory
By default, the ACE/Agent is configured to protect the entire Web server. When deploying
RSA SecurID in your organization, you can configure the front-end server so that RSA
SecurID authentication is limited to Exchange ActiveSync.

Before You Begin

This procedure is only one of a series of steps that you can perform when deploying RSA
SecurID two-factor authentication. Before performing the steps in this procedure, see "How to
Use RSA SecurID with Exchange ActiveSync" in the Exchange Server 2003 Client Access
Guide.
 41

Procedure
To limit SecurID authentication to the Microsoft-Exchange-ActiveSync virtual
directory
1. To disable server-wide protection, in the Internet Information Services (IIS) snap-
in, right-click the default Web server, and then click Properties.

2. Click the RSA SecurID tab, and then clear the Protect This Resource check
box. (This step ensures that RSA SecurID is not enabled for the entire server, but
rather only for the virtual roots that you specify.)

3. To enable protection for the virtual directories, in the IIS snap-in, right-click the
Microsoft-Server-ActiveSync virtual directory, and then click Properties.

4. Select the RSA SecurID tab, and then select the Protect This Resource check
box.

Note:
If the check box is selected and shaded, this means that the virtual directory
is inheriting its setting from the parent directory. Inspect the properties for the
parent directory, and clear the Protect This Resource check box if you do
not want the parent directory to be protected. Then, return to the child
directory and make sure the check box is selected.

For More Information

For an overview of RSA SecureID, see "Configuring Exchange ActiveSync to Use RSA
SecureID" in "Configuring Mobile Device Support" in the Exchange Server 2003 Client
Access Guide.

How to Configure Custom HTTP

Responses for Devices
When deploying RSA SecurID in your organization, the ActiveSync client on the Microsoft®
Windows Mobile™ device must be able to distinguish between RSA SecurID authentication
and Exchange ActiveSync responses. To enable this capability, you must configure custom
HTTP response headers on the WebID virtual root that contains the HTML forms configured
by RSA ACE/Agent.
 42

Before You Begin

This procedure is only one of a series of steps that you must perform when deploying RSA
SecurID two-factor authentication. Before performing the steps in this procedure, read "How
to Use RSA SecurID with Exchange ActiveSync" in the Exchange Server 2003 Client Access
Guide.

Procedure
To configure custom HTTP responses for devices
1. In the IIS snap-in for MMC, locate the WebID virtual directory on the front-end server. This virtual direc

2. Right-click the WebID virtual directory, and then click Properties to open the properties for this virtual d

3. Click the HTTP Headers tab, click the Add button, and then enter the following header information.

Note:
The following value is case-sensitive and must be entered on one line.

Custom Header Name: MSAS-TwoFactorAuth Custom Header Value: True Custom Header Name: MS-AS
Value:
Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection

How to Configure a Mobile Device to Use

Exchange ActiveSync
The following procedure explains how to configure a mobile device such as the Pocket PC
Phone Edition to use Exchange ActiveSync®. We recommend you perform this procedure on
each mobile device in your organization. As an alternative, you can instruct your users how to
configure their own devices.

Procedure
To configure a mobile device to use Exchange ActiveSync
1. On the mobile device, from the Today screen, tap Start, and then tap
ActiveSync.

2. Tap Tools, tap Options, and then tap the Server tab.
 43

3. Select the check box next to each type of information that you want to
synchronize with the server.

4. To configure synchronization options for each type of information, select the type
of information, and then tap Settings.

5. In the Server Name field, enter the address or name of the server to connect to
when synchronizing Exchange data.

6. Tap Advanced.

7. On the Connection tab, enter the user name, password, and domain name.

8. On the Rules tab, select the rule that best applies to you, for how you want
synchronization to work whenever information about your device and your Exchange
server have both been changed.

9. Tap OK to accept the changes you made to ActiveSync.

10. Repeat this procedure for each of your users' Pocket PC Phone Edition devices.
As an alternative, instruct your users about how to configure their devices for use
with Exchange ActiveSync.

For More Information

To resolve Exchange ActiveSync and Outlook Mobile Access errors, see the Microsoft
Knowledge Base article 817379: Exchange ActiveSync and Outlook Mobile Access errors
occur when SSL or forms-based authentication is required for Exchange Server 2003.

To troubleshoot Exchange ActiveSync issues, see Microsoft support Web cast,

Troubleshooting Microsoft Exchange Server 2003 ActiveSync issues (TechNet Support Web
Cast).

To get information on Exchange ActiveSync 4.0 error codes, see the Microsoft Knowledge
Base article 915152: Information about Microsoft ActiveSync 4.0 error codes, error
messages, and how to troubleshoot the error codes.

How to Specify a Mobile Operator for Up-

to-Date Notifications on a Device
This topic explains how to specify a mobile operator on a device that will be using Microsoft®
Exchange ActiveSync up-to-date notifications.
 44

Before You Begin

The procedure in this topic is designed to help you understand how to set the mobile operator
on a device.

Procedure
To specify a mobile operator for up-to-date notifications on a device
1. In ActiveSync, on a mobile device that is powered by Microsoft Windows®, tap
Tools, and then tap Options.
2. On the Server tab, tap Options.

3. On the Server Synchronization Options screen, tap Device Address.

4. On the Device Address screen, do one of the following:

• If your users are using a mobile operator that you specify, select Corporate
Service Provider, and then enter the Device Phone Number and Service
Provider Name in the fields that are provided.

5. If your users are using their own mobile operators, select Device SMS Address,
and then enter the device address in the field provided.

For More Information

For conceptual information about up-to-date notifications, see "Enabling Up-to-Date
Notifications for Your Organization" in "Managing Client Access to Exchange Server 2003" in
the Exchange Server 2003 Client Access Guide.

How to Enable and Disable Exchange

ActiveSync Features at the
Organizational Level
The following procedure describes how to enable or disable user-initiated synchronization
and up-to-date notifications for your organization.
 45

Procedure
To enable and disable Exchange ActiveSync features at the organizational level
1. Start Exchange System Manager.

2. Expand Global Settings, right-click Mobile Services, and then click Properties.

3. On the Mobile Services Properties page, under Exchange ActiveSync, select

from the following check boxes:

• Select Enable user initiated synchronization to allow users to use Pocket

PC 2002 devices to synchronize their Exchange data.

• Select Enable up-to-date notifications to enable users to receive

notifications that are sent from the Exchange server to devices that allow
notifications.

• Select Enable notifications to user specified SMTP addresses to enable

users to use their own SMTP carrier for notifications.

Note:
With this feature enabled, when a new message arrives in a user's
mailbox, up-to-date notifications allow synchronization to occur on a
user's device. Enable this feature if you have users who are using mobile
devices to synchronize, and you do not want to specify the carrier.

4. Click Apply, and then click OK.

For More Information

For detailed steps for enabling ActiveSync features at the user level see How to Enable and
Disable Exchange ActiveSync Features at the User Level.

For detailed steps for how to configure a mobile device to use Exchange ActiveSync, see
How to Configure a Mobile Device to Use Exchange ActiveSync.

How to Enable and Disable Exchange

ActiveSync Features at the User Level
The following procedures describe how to enable or disable the Exchange ActiveSync
application for a specific user or group of users in your organization.
 46

Before You Begin

You can perform these tasks using Active Directory User and Computers, with or without the
Exchange Task Wizard. The advantage to performing it with the Exchange Task Wizard is that
you can modify the settings for multiple objects at one time.

Procedure
To enable and disable Exchange ActiveSync features at the user level
1. On the Exchange server with the user's mailbox, log on with the Exchange
administrator account, and then start Active Directory Users and Computers.

2. Expand the domain, and then open the location for the users that you want to
manage.

3. Right-click the user or users whose Exchange ActiveSync settings you want to
modify, and then select Exchange Tasks.

4. In the Exchange Task Wizard, on the Available Tasks page, select Configure
Exchange Features, and then click Next.

5. On the Configure Exchange Features page, select User initiated

synchronization, and then select one of the following:

• To permit users to use Exchange ActiveSync to synchronize their Exchange

mailbox with their mobile devices, select Enable.

• To prevent users from using Exchange ActiveSync, select Disable.

• To prevent the users' settings from being modified when you have selected
more than one user, select Do not modify.

6. Click Next to apply your changes.

7. Click Finish.

Note:
To view a detailed report of the settings and the changes you made to users,
select View detailed report when this wizard closes.

For More Information

For detailed steps for enabling ActiveSync features at the organizational level, see How to
Enable and Disable Exchange ActiveSync Features at the Organizational Level.

For detailed steps for how to configure a mobile device to use Exchange ActiveSync, see
How to Configure a Mobile Device to Use Exchange ActiveSync.
 47

For complete information about configuring the Exchange ActiveSync up-to-date notifications
feature in your organization, see How to Configure the Exchange ActiveSync Up-to-Date
Notifications Feature.

Configuring Outlook Web Access

By default, Outlook Web Access is enabled for all your users after you install Exchange 2003.
However, you can enable the following features for Outlook Web Access:

• Set up a logon page.

• Configure authentication.

• Configure security options.

• Configure Outlook Web Access compression.

• Simplify the Outlook Web Access URL.

Setting Up a Logon Page

You can enable a new logon page for Outlook Web Access that stores the user's name and
password in a cookie instead of in the browser. When a user closes a browser, the cookie is
cleared. Additionally, after a period of inactivity, the cookie is cleared automatically. The new
logon page requires the user to enter a domain, user name, and password, or a full user
principal name (UPN) e-mail address and password, to access e-mail.

To enable this logon page, you must first enable forms-based authentication on the server,
and then secure the logon page by setting the cookie time-out period and adjusting client-side
security settings.

Enabling Forms-Based Authentication

To enable the Outlook Web Access logon page, you must enable forms-based authentication
on the server.

For detailed steps about enabling forms-based authentication, see How to Enable Forms-
Based Authentication.

Setting the Cookie Authentication Time-Out

In Exchange 2003, Outlook Web Access user credentials are stored in a cookie. When the
user logs off Outlook Web Access, the cookie is cleared and it is no longer valid for
authentication. Additionally, by default, if your user is using a public computer, and selects the
 48

Public or shared computer option on the Outlook Web Access logon screen, the cookie on
this computer expires automatically after 15 minutes of user inactivity.

The automatic time-out is valuable because it helps protect a user's account from
unauthorized access. However, although the automatic time-out greatly reduces the risk of
unauthorized access, it does not completely eliminate the possibility that an unauthorized
user might access an Outlook Web Access account if a session is left running on a public
computer. Therefore, make sure that you educate users about precautions to take to avoid
risks.

To match the security requirements of your organization, an administrator can configure the
inactivity time-out values on the Exchange front-end server. To configure the time-out value,
you must modify the registry settings on the server.

Note:
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

• For detailed steps about how to configure the public computer cookie time out value,
see How to Set the Outlook Web Access Forms-Based Authentication Public Computer
Cookie Time-Out Value.

• For detailed steps about how to configure the trusted computer cookie time out value,
see How to Set the Outlook Web Access Forms-Based Authentication Trusted Computer
Cookie Time-Out Value.

Configuring Client Security Options for Users

The Outlook Web Access logon page enables the user to select the security option that best
fits their requirements. The Public or shared computer option (selected by default) provides
a short default time-out option of 15 minutes. Users should select the Private computer
option only if the user is the sole operator of the computer, and the computer adheres to that
user's organizational security policies. When selected, the Private computer option allows
for a much longer period of inactivity before automatically ending the session—its internal
default value is 24 hours. Essentially, this option is intended to benefit Outlook Web Access
users who are using personal computers in their office or home.

To match the security requirements of your organization, an administrator can configure the
inactivity time-out values.

Note:
The default value for the public computer cookie time-out is fifteen minutes. To
change this, you must modify the registry settings on the server.
 49

Note:
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

• For detailed steps about how to configure the public computer cookie time out value,
see How to Set the Outlook Web Access Forms-Based Authentication Public Computer
Cookie Time-Out Value.

• For detailed steps about how to configure the trusted computer cookie time out value,
see How to Set the Outlook Web Access Forms-Based Authentication Trusted Computer
Cookie Time-Out Value.

Outlook Web Access Compression

Outlook Web Access supports data compression, which is optimal for slow network
connections. Depending on the compression setting you use, Outlook Web Access
compresses static Web pages, dynamic Web pages, or both. The following table lists the
compression settings that are available in Exchange Server 2003 for Outlook Web Access.

Compression settings for Outlook Web Access

Compression setting Description

High Compresses both static and dynamic pages.

Low Compresses only static pages.

None No compression is used.

Requirements for Outlook Web Access

Compression
To use data compression for Outlook Web Access in Exchange Server 2003, verify that your
organization meets the following prerequisites:

• The Exchange server that users authenticate against for Outlook Web Access must
be running Windows Server 2003.

• Your users' mailboxes must be on Exchange 2003 servers. (If you have a mixed
deployment of Exchange mailboxes, you can create a separate virtual server on your
Exchange server just for Exchange 2003 users and enable compression on it.)

• Client computers must be running Internet Explorer version 6 or later. The client
computers must also be running Microsoft® Windows® XP or Microsoft
 50

Windows® 2000 Server and have installed on them the security update that is discussed
in Microsoft Security Bulletin MS02-066, "Cumulative Patch for Internet Explorer
(Q328970)."

Note:
If a user does not have a supported browser for compression, the client computer
still operates normally.

• You may need to enable HTTP 1.1 support through proxy servers for some dial-up
connections. (HTTP 1.1 support is required for compression to function correctly.)

For detailed steps about how to enable Outlook Web Access compression, see How to
Enable Outlook Web Access Data Compression.

Simplifying the Outlook Web Access URL

The HTTP virtual server that is created by Exchange during installation has the following
URLs for user access:

• http://server_name/public This URL provides access to public folders.

• http:// server_name/exchange/mailbox_name This URL provides access to

mailboxes.

However, users frequently request that a URL that is simpler than the default URL be made
available for accessing their mailboxes. Creating this simple URL makes the URL both easier
to remember and easier to enter in a Web browser. For example, http://www.contoso1.com is
an easier URL for users to remember than http://contosoexchange01/exchange.

The following procedure provides a method for simplifying the URL that is used to access
Outlook Web Access. This procedure configures a request sent to the root directory of the
Web server (http://server_name/) to redirect to the Exchange virtual directory. For example, a
request to http://server_name/ is directed to http://server_name/exchange/, which then
triggers implicit logon.

For detailed steps about how to simplify the Outlook Web Access URL, see How to Simplify
the Outlook Web Access URL.

How to Enable Forms-Based

Authentication
To enable the Outlook Web Access logon page, you must enable forms-based authentication
on the server.
 51

Before You Begin

If you are using forms-based authentication with Secure Sockets Layer (SSL) offloading, you
must configure your Exchange Server front-end servers to handle this scenario.

For detailed steps, see "How to Enable Forms-Based Authentication When Using SSL
Offloading" in the Exchange Server 2003 and Exchange 2000 Server Front-End and Back-
End Server Topology Guide.

Procedure
To enable forms-based authentication
1. On the Exchange server, log on with the Exchange administrator account, and
then start Exchange System Manager.

2. In the console tree, expand Servers.

3. Expand the server for which you want to enable forms-based authentication, and
then expand Protocols.

4. Expand HTTP, right-click Exchange Virtual Server, and then click Properties.

5. In the Exchange Virtual Server Properties dialog box, on the Settings tab, in
the Outlook Web Access pane, select the Enable Forms Based Authentication
option.

6. Click Apply, and then click OK.

For More Information

For more information, see the following topics in the Exchange Server 2003 Client Access
Guide:

• For detailed steps about how to configure the public computer cookie time-out value,
see "How to Set the Outlook Web Access Forms-Based Authentication Public Computer
Cookie Time-Out Value."

• For detailed steps about how to configure the trusted computer cookie time-out value,
see "How to Set the Outlook Web Access Forms-Based Authentication Trusted Computer
Cookie Time-Out Value."

• For information about managing and configuring Outlook Web Access, see the
following topics:

• "Configuring Outlook Web Access"

• "Managing Outlook Web Access"

 52

How to Set the Outlook Web Access

Forms-Based Authentication Public
Computer Cookie Time-Out Value
In Microsoft® Exchange Server 2003, Outlook Web Access user credentials are stored in a
cookie. When the user logs off Outlook Web Access, the cookie is cleared and it is no longer
valid for authentication. Additionally, by default, if your user is using a public computer, and
selects the Public or shared computer option on the Outlook Web Access logon screen, the
cookie on this computer expires automatically after 15 minutes of user inactivity.

The automatic time-out is valuable because it helps protect a user's account from
unauthorized access. To match the security requirements of your organization, an
administrator can configure the inactivity time-out values on the Exchange front-end server.
To configure the time-out value, you must modify the registry settings on the server.

Before You Begin

Caution:
Although the automatic time-out greatly reduces the risk of unauthorized access, it
does not completely eliminate the possibility that an unauthorized user might access
an Outlook Web Access account if a session is left running on a public computer.
Therefore, make sure that you educate users about precautions to take to avoid
risks.

Procedure
To set the Outlook Web Access forms-based authentication public computer
cookie time-out value
1. On the Exchange front-end server, log on with the Exchange administrator
account, and then start Registry Editor (regedit).

2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeWeb\OWA

3. On the Edit menu, point to New, and then click DWORD Value.

4. In the details pane, name the new value PublicClientTimeout.

5. Right-click the PublicClientTimeout DWORD value, and then click Modify.

6. In Edit DWORD Value, under Base, click Decimal.

 53

7. In the Value Data box, type a value (in minutes) between 1 and 432,000.

8. Click OK.

For More Information

• For detailed steps about how to configure the trusted computer cookie time-out value,
see How to Set the Outlook Web Access Forms-Based Authentication Trusted Computer
Cookie Time-Out Value.

• For information about managing and configuring Outlook Web Access, see the
following topics:

• Configuring Outlook Web Access

• Managing Outlook Web Access

How to Set the Outlook Web Access

Forms-Based Authentication Trusted
Computer Cookie Time-Out Value
In Microsoft® Exchange Server 2003, Outlook Web Access user credentials are stored in a
cookie. When the user logs off Outlook Web Access, the cookie is cleared and it is no longer
valid for authentication.

Users should select the Private computer option only if the user is the sole operator of the
computer, and the computer adheres to that user's organizational security policies. When
selected, the Private computer option allows for a much longer period of inactivity before
automatically ending the session—its internal default value is 24 hours. This option is
intended to benefit Outlook Web Access users who are using personal computers in their
office or home.

To match the security requirements of your organization, an administrator can configure the
inactivity time-out values.

Before You Begin

Caution:
As indicated earlier, users should select the Private computer option only if the user
is the sole operator of the computer, and the computer adheres to that user's
organizational security policies. Users should be educated about precautions to take
to avoid risks when they select the Private computer option.
 54

Note:
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

Procedure
To set the Outlook Web Access forms-based authentication trusted computer
cookie time-out value
1. Start Registry Editor (regedit).

2. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MSExchangeWeb\OWA

3. On the Edit menu, point to New, and then click DWORD Value.

4. In the details pane, name the new value TrustedClientTimeout.

5. Right-click the TrustedClientTimeout Dword value, and then click Modify.

6. In Edit DWORD Value, under Base, click Decimal.

7. In the Value Data box, type a value (in minutes) between 1 and 432,000.

8. Click OK.

For More Information

• For detailed steps for how to configure the public computer cookie time-out value,
see How to Set the Outlook Web Access Forms-Based Authentication Public Computer
Cookie Time-Out Value.

• For information about managing and configuring Outlook Web Access, see the
following topics:

• Configuring Outlook Web Access

• Managing Outlook Web Access

 55

How to Enable Outlook Web Access Data

Compression
Outlook Web Access supports data compression, which is optimal for slow network
connections. Depending on the compression setting you use, Outlook Web Access
compresses static Web pages, dynamic Web pages, or both. The following table lists the
compression settings that are available in Microsoft® Exchange Server 2003 for Outlook Web
Access.

Compression settings for Outlook Web Access

Compression setting Description

High Compresses both static and dynamic pages.

Low Compresses only static pages.

None No compression is used.

Before You Begin

To use data compression for Outlook Web Access in Exchange Server 2003, verify that your
organization meets the following prerequisites:

• The Exchange server that users authenticate against for Outlook Web Access must
be running Microsoft Windows Server™ 2003.

• Your users' mailboxes must be on Exchange 2003 servers. (If you have a mixed
deployment of Exchange mailboxes, you can create a separate virtual server on your
Exchange server just for Exchange 2003 users and enable compression on it.)

• Client computers must be running Microsoft Internet Explorer version 6 or later. The
client computers must also be running Microsoft Windows® XP or Microsoft
Windows 2000 Server and have installed on them the security update that is discussed in
Microsoft Security Bulletin MS02-066, "Cumulative Patch for Internet Explorer
(Q328970)."

Note:
If a user does not have a supported browser for compression, the client computer
still operates normally.

• You may need to enable HTTP 1.1 support through proxy servers for some dial-up
connections. (HTTP 1.1 support is required for compression to function correctly.)
 56

Procedure
To enable Outlook Web Access data compression
1. Start Exchange System Manager.

2. In the details pane, expand Servers, expand the server you want, and then
expand Protocols.

3. Expand HTTP, right-click Exchange Virtual Server, and then click Properties.

4. In Exchange Virtual Server Properties, on the Settings tab, under Outlook

Web Access, use the Compression list to select the compression level you want
(None, Low, or High).

5. Click Apply, and then click OK.

For More Information

For information about managing and configuring Outlook Web Access, see the following
topics in the Exchange Server 2003 Client Access Guide:

• Configuring Outlook Web Access

• Managing Outlook Web Access

How to Simplify the Outlook Web Access

URL
Users commonly request that a simpler URL for Outlook Web Access be made available for
accessing their mailbox. This procedure configures a request sent to the root of the Web
server (http://server/) to redirect to the Exchange virtual directory. For example, a request to
https://mail/ is directed to https://mail/exchange/, which then triggers implicit logon.

Before You Begin

Before you perform the procedures in this topic, it is important that you first read "How a
Front-End and Back-End Topology Works" in the Exchange Server 2003 and Exchange 2000
Server Front-End and Back-End Server Topology Guide.

To successfully complete the procedures in this topic, confirm the following:

• The front-end server has authentication enabled.

 57

Procedure
To simplify the Outlook Web Access URL
1. Using the Internet Services Manager, open the properties for the Default Web
Site.

2. Click the Home Directory tab, and then select A redirection to a URL.

3. In Redirect to, type /<directory name>, and then click A directory below URL
entered. For example, to redirect https://mail/ requests to https://mail/exchange, in
Redirect to, you would type /exchange.

If you want your users to use SSL to access their server, you can redirect client requests
to https://mail/<directory name>. To require users to use SSL, In Redirect to, type
https://mail/<directory name>, and then click A directory below URL entered. This
setting hard codes the name of the server; therefore if you redirect client requests to
https://mail, the client must be able to resolve the name mail.

Note:
Users still must enter the full URL, including username, to access other mailboxes or
content in folders other than the inbox.

For More Information

For more information about enabling authentication on the front-end server (also known as
implicit logon), see "How a Front-End and Back-End Topology Works" in the Exchange
Server 2003 and Exchange 2000 Server Front-End and Back-End Server Topology Guide.

Configuring POP3 and IMAP4 Virtual

Servers
By default, the POP3 and IMAP4 virtual servers are disabled on a new installation of
Exchange Server 2003. To enable the POP3 and IMAP4 virtual servers, you must first use
the Services snap-in to MMC and set the services to start automatically.

For detailed steps about how to enable POP3, or IMAP4 using the Services snap-in, see How
to Enable a POP3, IMAP4, or NNTP Virtual Server.

If you set the services to start automatically and then need to start, pause, or stop the
services, use Exchange System Manager. For detailed steps, see How to Start, Pause, or
Stop a Virtual Server..
 58

How to Enable a POP3, IMAP4, or NNTP

Virtual Server
By default, the POP3 and IMAP4 virtual servers are disabled on a new installation of
Microsoft® Exchange Server 2003. To enable the POP3 and IMAP4 virtual servers, you must
first use the Services snap-in to Microsoft Management Console (MMC) and set the services
to start automatically.

Procedure
To enable a POP3, IMAP4, or NNTP virtual server
1. In the Services snap-in, in the console tree, click Services (Local).

2. In the details pane, right-click Microsoft Exchange POP3 or Microsoft

Exchange IMAP4, or Network News Transfer Protocol (NNTP), and then click
Properties.

3. On the General tab, under Startup type, select Automatic, and then click
Apply.

4. Under Service status, click Start, and then click OK.

5. Repeat this procedure on all nodes that will be running the POP3, IMAP4, or
NNTP virtual server.

For More Information

• For information about how to start, pause, or stop a virtual server, see How to Start,
Pause, or Stop a Virtual Server.

• For information about configuring and managing client protocols, see Managing
Protocols.

How to Start, Pause, or Stop a Virtual

Server
If you set services to start automatically and then must start, pause, or stop the services, use
Exchange System Manager.
 59

Procedure
To start, pause, or stop the virtual server
• In Exchange System Manager, right-click the IMAP4, POP3, or NNTP virtual
server you want to manage, and do one of the following:

• To start the service, click Start.

• To change the server status to paused or to restart a server that has

previously been paused, click Pause.

Note:
When a server is paused, an icon indicating that the server is paused
appears next to the server name in the console tree.

• To change the server status to stopped, click Stop.

Note:
When a server is stopped, an icon indicating that the server is stopped
appears next to the server name in the console tree.

For More Information

For more information, see the following topics in the Exchange Server 2003 Client Access
Guide:

• For information about how to enable POP3, IMAP4, and NNTP virtual servers, see
How to Enable a POP3, IMAP4, or NNTP Virtual Server.

• For information about configuring and managing client protocols, see Managing
Protocols.

Configuring Outlook Mobile Access

By default, all users are enabled for Exchange ActiveSync and Outlook Mobile Access.
However, only Exchange ActiveSync is enabled on the Exchange server; by default, Outlook
Mobile Access is disabled. This section describes how to enable Outlook Mobile Access on
your Exchange server.

Follow these steps to enable your Exchange 2003 users to use Outlook Mobile Access.

1. Configure your Exchange 2003 front-end server for Outlook Mobile Access.

2. Enable Outlook Mobile Access on the Exchange server.

 60

3. Configure user devices to use a mobile connection.

4. Instruct your users about how to use Outlook Mobile Access.

Configuring Your Exchange 2003 Front-End

Server for Outlook Mobile Access
By default, the Outlook Mobile Access virtual directory (which allows your users to access
Exchange from a mobile device) is installed with Exchange 2003. This virtual directory has
the same configuration settings as the Outlook Web Access virtual directory. When you
configure a server to use Outlook Mobile Access, you should configure the server in the same
way you configure a server for Outlook Web Access. For more information about how to
configure your Exchange 2003 servers to use Outlook Web Access, see Exchange Server
2003 and Exchange 2000 Server Front-End and Back-End Topologies.

Enabling Outlook Mobile Access on the

Exchange Server
After you configure your front-end server to use Outlook Mobile Access, you need to enable
Outlook Mobile Access on your Exchange servers. After you enable Outlook Mobile Access,
you can modify the Outlook Mobile Access settings for users or groups of users by using the
Active Directory Users and Computers snap-in.

• For detailed information about enabling Outlook Mobile Access at the organizational
level, see How to Enable or Disable Outlook Mobile Access at the Organizational Level.

• For detailed steps for enabling Outlook Mobile Access at the user level, see How to
Enable or Disable Outlook Mobile Access at the User Level.

Instructing Users to Use a Mobile Connection to

Outlook Using Outlook Mobile Access
To access Exchange 2003 using Outlook Mobile Access, users must have a mobile device
from a mobile operator who has an established data network for mobile data. However,
before your users connect to Exchange 2003 and use Outlook Mobile Access, they need to
know how to access their Exchange server and use Outlook Mobile Access. You must
therefore instruct them about how to configure their devices to use a mobile network, or
provide them with resources that explain how to do so.

For detailed steps about how to configure a Pocket PC Phone Edition device to use Outlook
Mobile Access, see How to Access Exchange Data Using Outlook Mobile Access.
 61

How to Enable or Disable Outlook Mobile

Access at the Organizational Level
By default, Outlook Mobile Access is disabled when you install Microsoft® Exchange
Server 2003. For users to use Outlook Mobile Access, you must first enable it. You enable
Outlook Mobile Access at the organizational level using Exchange System Manager.

Procedure
To enable or disable Outlook Mobile Access at the organizational level
1. On the Exchange server where the user's mailbox is located, log on as an
Exchange administrator and start Exchange System Manager.

2. Expand Global Settings, right-click Mobile Services, and then click Properties.

3. On the Mobile Services properties page, in Outlook Mobile Access, select

Enable Outlook Mobile Access.

4. To enable users to use unsupported devices, select the Enable unsupported

devices check box.

Note:
For more information about supported devices for Exchange and planning for
mobile device support with Exchange, see the section "Mobile Device
Support for Exchange Server 2003" in Planning an Exchange Server 2003
Messaging System.

5. Click OK.

For More Information

For detailed steps for configuring Outlook Mobile Access for a specific user or group of users,
see How to Enable or Disable Outlook Mobile Access at the User Level.

For an overview of how to deploy Outlook Mobile Access in your organization, see
"Configuring Outlook Mobile Access" in the Exchange Server 2003 Client Access Guide.
 62

How to Enable or Disable Outlook Mobile

Access at the User Level
By default, Outlook Mobile Access is disabled when you install Microsoft® Exchange Server
2003. For users to use Outlook Mobile Access, you must first enable it. You enable Outlook
Mobile Access for specific users or groups of users with Active Directory Users and
Computers.

Before You Begin

You can perform this task using Active Directory Users and Computers, with or without the
Exchange Task Wizard. The advantage to doing it with the Exchange Task Wizard is that you
can modify the settings for multiple objects at one time.

Procedure
To enable or disable Outlook Mobile Access at the user level
1. Log on to the Exchange server as an Exchange administrator with the user's
mailbox, and then start Active Directory Users and Computers.

2. Expand the domain, and then open the location for the users whose settings that
you want to modify.

3. Right-click the user or users whose Outlook Mobile Access settings you want to
modify, and then select Exchange Tasks.

4. In the Exchange Task Wizard, on the Available Tasks page, select Configure
Exchange Features, and then click Next.

5. On the Configure Exchange Features page, select Outlook Mobile Access,

and then select one of the following:

• To allow users to use Outlook Mobile Access, select Enable.

• To prevent users from using Outlook Mobile Access, select Disable.

• To prevent the users' settings from being modified when you have selected
more than one user, select Do not Modify.

6. Click Next to apply your changes.

7. Click Finish.
 63

For More Information

For detailed steps for configuring Outlook Mobile Access at the organizational level, see How
to Enable or Disable Outlook Mobile Access at the Organizational Level.

For an overview of how to deploy Outlook Mobile Access in your organization, see
"Configuring Outlook Mobile Access" in the Exchange Server 2003 Client Access Guide.

How to Access Exchange Data Using

Outlook Mobile Access
After you configure Microsoft® Exchange Server 2003 for Outlook Mobile Access, and your
users have mobile devices that can use a mobile network to access Exchange 2003 servers,
they must know how to access their Exchange server and use Outlook Mobile Access. The
following procedure describes how to use Outlook Mobile Access on a Pocket PC Phone
Edition device.

Procedure
To access Exchange data using Outlook Mobile Access
1. On the device, from the Today screen, tap Start, and then tap Internet Explorer.

2. On the Internet Explorer screen, tap View, and then tap Address Bar to open
the address bar in your browser window.

3. Tap anywhere inside the address bar, enter the following URL, and then tap the
Go button: https://ExchangeServerName/oma, where ExchangeServerName is the
name of your Exchange server running Outlook Mobile Access.

Note:
If a connection bubble does not appear, you may have to connect to your
network manually.

4. At the Network Log On screen, enter the user name, password, and domain in
the spaces provided, and then tap OK.

5. Repeat this procedure for each of your users' Pocket PC Phone Edition devices.
As an alternative, instruct your users about how to configure their devices for use
with Exchange ActiveSync.
 64

For More Information

For an overview of how to deploy Outlook Mobile Access in your organization, see
"Configuring Outlook Mobile Access" in the Exchange Server 2003 Client Access Guide.

Managing Client Access to Exchange

Server 2003
This section describes how to manage the client access settings for the protocols and clients
that you support. This section also reviews basic client access concepts, and how you
manage the protocols that are used by the individual clients that access Microsoft®
Exchange Server 2003 and the front-end and back-end server architecture.

Note:
To correctly manage client access to Exchange 2003, you must first understand how
Microsoft Windows technologies, such as Internet Information Services (IIS) and
Microsoft Active Directory® directory service, interact with Exchange. You must also
understand protocols such as HTTP and MAPI, and how client applications such as
Exchange ActiveSync® and Microsoft Office Outlook® 2003 use these respective
protocols to interact with Exchange.

Managing Protocols
In your Exchange messaging deployment configuration, you use Exchange System Manager
to manage the protocols that you support. When you use Exchange System Manager to
manage protocols, you handle settings on the individual virtual servers for the protocol that is
to be configured. The virtual servers that are associated with the various protocols, such as
the Exchange Virtual Server and the Internet Message Access Protocol version 4rev1
(IMAP4) virtual server, contain settings based on the capabilities and use of the specific
protocol. For example, the Exchange Virtual Server, which manages HTTP access to
Exchange, provides settings for Microsoft Office Outlook 2003 Web Access, such as gzip
compression support.

Generally, managing the virtual server for one protocol is the same as managing a virtual
server for a different protocol. The common management tasks include enabling a virtual
server, assigning ports, setting connection limits, starting or stopping a virtual server, and
disconnecting users. However, there are some server-specific management tasks. The
following sections describe the common tasks for all virtual servers associated with protocols
and the server-specific tasks for the Exchange Virtual Server, IMAP4 virtual server, and the
Network News Transfer Protocol (NNTP) virtual server.
 65

Note:
To manage individual Exchange client access settings, use Active Directory Users
and Computers.

Enabling a Virtual Server

When you install Exchange, the services that are necessary to support clients such as
Outlook 2003, Outlook Web Access, and Exchange ActiveSync are enabled by default. For
example, Exchange enables the SMTP service because it is the underlying protocol used to
route messages internally within an Exchange organization and externally to messaging
systems outside an Exchange organization. Similarly, Exchange enables HTTP because it is
the underlying protocol for all Internet communication.

Note:
Although Outlook Mobile Access uses the HTTP protocol, Outlook Mobile Access is
disabled by default and must be enabled by using Exchange System Manager.

However, Exchange installs, but does not enable services for Post Office Protocol version 3
(POP3), IMAP4, and NNTP. If your client access model relies on communications that use
POP3, IMAP4, or NTTP, you must manually enable them.

To enable either the POP3 or IMAP4 service, you use the Services snap-in to set the service
to start automatically. Then, you start the service by using Exchange System Manager. To
enable NNTP, use the Services snap-in to set the NNTP service to start automatically, and
then use Exchange System Manager to start the service.

• For detailed steps on how to configure the POP3, IMAP4, or NNTP services to start
automatically, see How to Enable a POP3, IMAP4, or NNTP Virtual Server.

• For detailed steps on how to start, pause, or stop a POP3, IMAP4, or NNTP virtual
server, see How to Start, Pause, or Stop a Virtual Server.

Assigning Ports and an IP Address to a Virtual

Server
When you create a virtual server for a protocol, you have the option of using the default port
assignments and Internet Protocol (IP) address for the server. The following table shows the
default port assignments associated with the protocols. The default IP address is (All
Unassigned), which means that a specific IP address has not been assigned and the virtual
server will use the IP address of the Exchange server that is currently hosting the virtual
server. These default values provide a virtual server with automatic discovery—the server can
immediately receive incoming connections by using the default IP address and ports.
 66

Default port assignments

Protocols TCP port Secure Sockets Layer (SSL)

port

SMTP 25 Not available

IMAP4 143 993

POP3 110 995

NNTP 119 563

Important:
If you do not use the recommended port assignments, some clients may be not able
to connect. You may also have to reconfigure your client software manually to
connect to the new port assignments.

Note:
To fully enable SSL on the POP3 virtual server, you must request and install a
certificate. You must do this even if you leave the default SSL port set at 995 on the
POP3 virtual server. For more information about installing certificates, see "Using
Secure Sockets Layer" in Securing Your Exchange Messaging Environment.

Although it is highly recommended that you use the default port assignments, you do not
have to use the default IP address. You can use the IP address from any available network
card as the IP address for the virtual server.

If you plan to create multiple virtual servers, each virtual server must have a unique
combination of ports and IP address. Because the port settings are standard and should not
be changed, you will need to provide each virtual server with a unique IP address.

Besides creating a unique combination of ports and IP address for each virtual server, you
can also configure multiple identities for your virtual server. Multiple identities enable you to
associate multiple host or domain names with a single virtual server.

For detailed steps for assign a unique IP address to a virtual server or to assign multiple
identities to a virtual server, see How to Assign Ports and IP Addresses to Virtual Servers.

Setting Connection Limits

A virtual server can accept an unlimited number of inbound connections and is limited only by
the resources of the computer where the virtual server is running. To prevent a computer from
becoming overloaded, you can limit the number of connections that can be made to the
virtual server at the same time. By default, Exchange does not limit the number of incoming
connections.
 67

After users are connected, you can also limit the length of time that idle connections remain
logged on to the server. By default, Exchange disconnects idle sessions after 10 minutes.

In topologies that contain Exchange front-end and back-end servers, the connection time-out
setting varies based on server role. On back-end servers, the connection time-out setting
limits the length of time clients can be connected to the server without performing any activity.
However, on front-end servers, the connection time-out setting limits the total length of the
client session, regardless of client activity. Therefore, in front-end and back-end server
environments, you should configure the time-out value on your front-end servers high enough
so that users can download the maximum message size that is permitted over the slowest
connection speed that you want to support. Setting this value high enough ensures that
clients are not disconnected while they are downloading messages. For more information
about configuring your Exchange front-end and back-end server architecture, see the
Exchange Server 2003 Deployment Guide.

Note:
Setting the connection time-out setting too low can cause clients to be unexpectedly
disconnected from the server and possibly receive error messages. Thirty minutes is
the lowest recommended connection time-out setting.

For detailed steps about how to configure connection limits, see How to Set Connection
Limits.

Starting, Pausing, or Stopping a Virtual Server

Managing virtual servers frequently requires you to start, pause, or stop Exchange services.
You manage Exchange services through the Computer Management console and Exchange
System Manager.

For detailed steps on how to start, pause, or stop a POP3, IMAP4, or NNTP virtual server,
see How to Start, Pause, or Stop a Virtual Server.

Disconnecting Users
You can immediately disconnect a single user or all users if they are accessing the virtual
server without permission.

For detailed steps on how to disconnect users, see How to Disconnect Users from a Virtual
Server.
 68

How to Assign Ports and IP Addresses to

Virtual Servers
When you create a virtual server for a protocol, you have the option of using the default port
assignments and Internet Protocol (IP) address for the server. The following table shows the
default port assignments associated with the protocols.

The default IP address is (All Unassigned), which means that a specific IP address has not
been assigned and the virtual server will use the IP address of the Microsoft® Exchange
2003 server that is currently hosting the virtual server. These default values provide a virtual
server with automatic discovery—the server can immediately receive incoming connections
by using the default IP address and ports.

Default port assignments

Protocols TCP port Secure Sockets Layer (SSL)

port

SMTP 25 Not available

IMAP4 143 993

POP3 110 995

NNTP 119 563

Before You Begin

Although it is highly recommended that you use the default port assignments, you do not
have to use the default IP address. You can use the IP address from any available network
card as the IP address for the virtual server.

If you plan to create multiple virtual servers, each virtual server must have a unique
combination of ports and IP address. Because the port settings are standard and should not
be changed, you will need to provide each virtual server with a unique IP address.

Besides creating a unique combination of ports and IP address for each virtual server, you
can also configure multiple identities for your virtual server. Multiple identities enable you to
associate multiple host or domain names with a single virtual server.

Important:
If you do not use the recommended port assignments, some clients may be not able
to connect. You may also have to reconfigure your client software manually to
connect to the new port assignments.
 69

Note:
To fully enable SSL on the POP3 virtual server, you must request and install a
certificate. You must do this even if you leave the default SSL port set at 995 on the
POP3 virtual server. For more information about installing certificates, see "Using
Secure Sockets Layer" in Securing Your Exchange Messaging Environment.

Procedure
To assign ports and IP addresses to virtual servers
1. Log on the Exchange server where the virtual server is running using the
Exchange administrator account that has local Administrator permissions and
Exchange Full Administrator permissions.

2. In Exchange System Manager, expand Protocols, right-click the protocol that is

to be assigned a new IP address or to which you want to add a new identity, and then
click Properties.

3. On the General tab, click Advanced.

4. In the Advanced dialog box, click Edit to change the IP address to a unique
value, or click Add to add a new identity (that is, a new IP address and port
combination).

For More Information

• For information about configuring and managing client protocols, see Managing
Protocols.

How to Set Connection Limits

A virtual server can accept an unlimited number of inbound connections and is limited only by
the resources of the computer where the virtual server is running. To prevent a computer from
becoming overloaded, you can limit the number of connections that can be made to the
virtual server at the same time. By default, Microsoft® Exchange does not limit the number of
incoming connections.

After users are connected, you can also limit the length of time that idle connections remain
logged on to the server. By default, Exchange disconnects idle sessions after 10 minutes.
 70

Before You Begin

In topologies that contain Exchange front-end and back-end servers, the connection time-out
setting varies based on server role. On back-end servers, the connection time-out setting
limits the length of time clients can be connected to the server without performing any activity.
However, on front-end servers, the connection time-out setting limits the total length of the
client session, regardless of client activity. Therefore, in front-end and back-end server
environments, you should configure the time-out value on your front-end servers high enough
so that users can download the maximum message size that is permitted over the slowest
connection speed that you want to support. Setting this value high enough ensures that
clients are not disconnected while they are downloading messages.

Note:
Setting the connection time-out setting too low can cause clients to be unexpectedly
disconnected from the server and possibly receive error messages. Thirty minutes is
the lowest recommended connection time-out setting.

Procedure
To set connection limits
1. Log on to the Exchange server where the virtual server is running using the
Exchange administrator account that has local Administrator permissions and
Exchange Full Administrator permissions.

2. In Exchange System Manager, expand Protocols, right-click the protocol for

which you want to change connection limits, and then click Properties.

3. On the General tab, set the appropriate connection limits.

For More Information

• For information about configuring and managing client protocols, see Managing
Protocols.

• For more information about configuring an Exchange 2003 front-end server, see and
back-end server architecture, see Configuring an Exchange Front-End Server.
 71

How to Disconnect Users from a Virtual

Server
Use this procedure to immediately disconnect a single user or all users if they are accessing
the virtual server without permission.

Procedure
To disconnect users from a virtual server
1. In Exchange System Manager, expand SMTP, IMAP4, or POP3, and then
double-click the virtual server from which you want to disconnect users.

2. To disconnect users from the Current Sessions node under the virtual server,
use one of the following methods:

• To disconnect a single user, click Terminate.

• To disconnect all users, click Terminate all.

For More Information

For information about configuring and managing client protocols, see Managing Protocols.

Managing Calendaring Options for the

POP3 and IMAP4 Virtual Servers
You can configure a URL for access to calendaring information for your POP3 and IMAP4
messaging clients. This functionality enables you to use a POP3 or IMAP4 messaging client
and Outlook Web Access to manage your calendar. The options that you select for this
feature control the format of the URL.

Note:
In topologies that contain Exchange front-end and back-end servers, configure the
URL that is used to access calendaring information about the back-end server.
Exchange does not recognize any URL settings that you configure on the front-end
servers.

When downloading meeting requests through POP3 and IMAP4, a URL to the meeting
request in Outlook Web Access is added to the plain text/HTML part of the message. Users
click the URL to access the meeting request, and then accept or decline the request. (Some
 72

IMAP4 and POP3 messaging clients include a graphical user interface that allows those
clients to accept or decline meetings without having to click the URL.) If users accept the
request, Exchange automatically adds it to their calendar.

Note:
The URL to the meeting request does not work for POP3 clients that are configured
to download messages from the server. This situation occurs because the message
is downloaded to the client. As a result, the URL points to a message that is no
longer on the server.

For detailed steps, see How to Configure Calendaring Options for a POP3 or IMAP4 Virtual
Server.

How to Configure Calendaring Options for

a POP3 or IMAP4 Virtual Server
You can configure a URL to gain access to calendaring information for your POP3 and IMAP4
messaging clients. This enables you to use a POP3 or IMAP4 messaging client and Outlook
Web Access to manage your calendar. The options that you select for this feature control the
format of the URL.

Before You Begin

For more information about the user experience when calendaring using POP3 or IMAP4,
see Managing Calendaring Options for the POP3 and IMAP4 Virtual Servers.

Note:
In topologies that contain Exchange front-end and back-end servers, configure the
URL that is used to access calendaring information about the back-end server.
Exchange does not recognize any URL settings that you configure on the front-end
servers.

Note:
The URL to the meeting request does not work for POP3 clients that are configured
to download messages from the server. The URL does not work because the
message is downloaded to the client. As a result, the URL points to a message that is
no longer on the server.
 73

Procedure
To configure calendaring options for a POP3 or IMAP4 virtual server
1. In Exchange System Manager, expand First Administrative Group, expand the
Servers node, and then expand the Exchange server for which you want to manage
POP3 or IMAP4 calendaring options.

2. Expand the Protocols node, and then right-click the POP3 or IMAP4 protocol
and select Properties.

3. On the Calendaring tab, select the server where recipients download meeting
requests:

• To designate the recipient's home server as the server where the recipient
downloads meeting requests, select Use recipient's server.

This is the default setting. If you select this option, the URL has the following
format:

http://<HomeServerName>/Exchange/Username/Inbox/Team%20Meeting.eml

• To designate a front-end server as the server where recipients download

meeting requests, select Use front-end server.

This option is useful if you have configured your Outlook Web Access users to
access their mailboxes through a front-end server. If you select this option, the
URL has the following format:

http://<FQDomainName>/Exchange/Username/Inbox/Team%20Meeting.eml

4. To use SSL to connect to the Exchange servers, select Use SSL connections.

Note:
If you select this option, the URL syntax includes https:// instead of http://.

5. Click OK to save your settings.

For More Information

For information about configuring and managing client protocols, see Managing Protocols.

Managing the HTTP Virtual Server

Outlook Web Access, Outlook Mobile Access, and Exchange ActiveSync rely on the HTTP
protocol to access Exchange information. These clients also use the WebDAV protocol, a set
of rules that enable computers to exchange information and execute instructions through the
 74

Exchange front-end server, as well as retrieve and handle information in the Exchange store.
By supporting both HTTP and WebDAV, Exchange 2003 can provide more data access
functionality to users. For example, users of Outlook Web Access can do calendar request
operations and can store Microsoft Office files, such as Microsoft Office Word documents, in
the Exchange store.

Exchange provides support for both HTTP and WebDAV through the HTTP virtual server.
When you install Exchange, Exchange automatically installs and configures an HTTP virtual
server. You administer this default server only from IIS.

However, to provide for several collaboration scenarios and to supplement the access to
folders that is provided by the default Web site in IIS, you can create new HTTP virtual
servers in Exchange System Manager. As with any virtual server, each new HTTP virtual
server that you create requires a unique combination of IP address, TCP port, SSL port, and
host name. Furthermore, for each virtual server that you create, you must define one virtual
directory as the root directory of the server for publishing content.

Note:
The folder contents displayed by the HTTP virtual server are converted to Web pages
and sent to a user's browser by IIS.

For detailed steps about how to create a new HTTP virtual server, see How to Create a New
HTTP Virtual Server.

How to Create a New HTTP Virtual Server

When you install Microsoft® Exchange Server 2003, Exchange automatically installs and
configures an HTTP virtual server. You administer this default server only from Internet
Information Services (IIS).

However, to provide for several collaboration scenarios and to supplement the access to
folders that is provided by the default Web site in IIS, you can create new HTTP virtual
servers in Exchange System Manager.

Note:
The folder contents displayed by the HTTP virtual server are converted to Web pages
and sent to a user's browser by IIS.

Before You Begin

As with any virtual server, each new HTTP virtual server that you create requires a unique
combination of IP address, TCP port, SSL port, and host name. Furthermore, for each virtual
server that you create, you must define one virtual directory as the root directory of the server
for publishing content.
 75

Procedure
To create a new HTTP virtual server
1. In Exchange System Manager, expand the First Administrative Group, expand
the Servers node, and then expand the Exchange server where you want to create a
new HTTP virtual directory.

2. Expand the Protocols node, right-click the HTTP protocol, select New and then
click HTTP Virtual Server.

3. In the Properties dialog box for the new HTTP virtual server, configure the
settings for your new Exchange virtual directory.

For More Information

For information about configuring and managing client protocols, see Managing Protocols.

Managing the Exchange Virtual Server

The Exchange Virtual Server contains the virtual directories that provide access to Exchange
for the HTTP clients that Exchange supports, such as Outlook Web Access, Outlook Mobile
Access, and Exchange ActiveSync. Although you enable settings for Outlook Web Access,
including forms-based authentication and gzip compression, by using the Exchange Virtual
Server, you manage most settings for the Exchange virtual directories in the IIS snap-in.

Specifically, in Exchange 2003, if you need to configure authentication settings to your

Exchange virtual directories, use the IIS snap-in. To configure access control for the
\Exchange, \Public, and \Exadmin virtual directories, use Exchange System Manager instead.

Working with IMAP4-Specific Settings

The IMAP4 virtual server has two protocol-specific settings:

• Include all public folders when a folder is requested Unlike POP3, which allows
clients to access only mail messages, IMAP4 clients have access to folders other than
the Inbox folder. However, this ability to access other folders must be enabled on the
virtual server.

• Enable fast message retrieval Fast message retrieval improves performance by

approximating message size, as opposed to actually calculating the message size.
Performance improves because less processor work is required.
 76

You select these settings on the General tab in the Default IMAP4 Virtual Server
Properties dialog box.

The General tab in the Default IMAP4 Virtual Server Properties dialog box

For detailed steps about how to configure these settings, see the following topics:

• How to Enable Fast Message Retrieval for an IMAP4 Virtual Server

• How to Include All Public Folders When a Folder Is Requested on an IMAP4 Virtual
Server

How to Enable Fast Message Retrieval for

an IMAP4 Virtual Server
Fast message retrieval improves performance by approximating message size, as opposed
to actually calculating the message size. Performance improves because less processor work
 77

is required. You select these settings on the General tab in the Default IMAP4 Virtual
Server Properties dialog box.

Procedure
To enable fast message retrieval for an IMAP4 virtual server
1. In Exchange System Manager, navigate to the IMAP4 Virtual Server you want to
configure.

2. In the console tree, right-click a virtual server, and then click Properties.

3. On the General tab, click Enable fast message retrieval to improve

performance.

The General tab in the Default IMAP4 Virtual Server Properties dialog box
 78

For More Information

• Another option you can configure on an IMAP4 virtual server is to include all public
folders when a folder is requested. For detailed steps, see How to Include All Public
Folders When a Folder Is Requested on an IMAP4 Virtual Server.

• For information about configuring and managing client protocols, see Managing
Protocols.

How to Include All Public Folders When a

Folder Is Requested on an IMAP4 Virtual
Server
Unlike POP3, which allows clients to access only mail messages, IMAP4 clients have access
to folders other than the Inbox folder. However, this ability to access other folders must be
enabled on the virtual server. You select these settings on the General tab in the Default
IMAP4 Virtual Server Properties dialog box.

Procedure
To include all public folders when a folder is requested on an IMAP4 virtual server
1. In Exchange System Manager, navigate to the IMAP4 virtual server that you want
to configure.

2. In the console tree, right-click a virtual server, and then click Properties.

3. On the General tab, configure the options you want:

• Click Include all public folders when a folder list is requested to allow
IMPA4 clients to access folders other than the Inbox folder.

• Click Enable fast message retrieval to improve performance.

The General tab in the Default IMAP4 Virtual Server Properties dialog box
 79

For More Information

• Another option you can configure on an IMAP4 virtual server is fast message
retrieval. For detailed steps about how to do this, see How to Enable Fast Message
Retrieval for an IMAP4 Virtual Server.

• For information about configuring and managing client protocols, see Managing
Protocols.

Configuring NNTP Posting Limits and

Moderation Settings
Exchange Server 2003 uses NNTP to enable users to participate in newsgroup discussions.
Exchange also enables users who are running client applications that support NNTP to
access newsgroup public folders on computers that are running Exchange. Users can read
 80

and post items, such as messages and documents, to NNTP newsgroups that are
represented in Exchange as public folders. For example, users can share information by
posting messages to a newsgroup public folder in their area of interest. Other users can read
and respond to items in the newsgroup. Items in newsgroups can be replicated to USENET
host computers through newsfeeds.

A newsfeed is the flow of items from one USENET site to another. Newsfeeds enable users of
different news sites to read and post articles to newsgroups as though they are using one
news site. A news site is a collection of related newsgroups. An article posted to one news
site is sent to other news sites where it can be read. You need to create a newsfeed to each
remote server to which you want to distribute news articles.

Because the reason for using newsgroups is to post and share information, you will likely
need to manage the size of these postings in relation to the resources available on the NNTP
virtual server. Accepting articles that are too large or accepting too much data during one
connection can cause increased traffic, overload your network, and quickly fill your hard disk.
Be sure to set a size limit that matches your server's capabilities.

For detailed steps on how to configure posting limits and moderations settings, see How to
Configure Posting Limits and Moderation Settings for an NNTP Virtual Server.

How to Configure Posting Limits and

Moderation Settings for an NNTP Virtual
Server
Microsoft® Exchange Server 2003 uses NNTP to enable users to participate in newsgroup
discussions. Because newsgroups are used to post and share information, you will likely
need to manage the size of these postings in relation to the resources available on the NNTP
virtual server. Accepting articles that are too large or accepting too much data during one
connection can cause increased traffic, overload your network, and quickly fill your hard disk.
Be sure to set a size limit that matches the capabilities of your server.

Before You Begin

Before performing this procedure, see Configuring NNTP Posting Limits and Moderation
Settings.
 81

Procedure
To configure posting limits and moderation settings for an NNTP virtual server
1. Log on to the Exchange server where the virtual server is running using the
Exchange administrator account that has local Administrator permissions and
Exchange Full Administrator permissions.

2. In Exchange System Manager, expand Protocols, right-click the protocol for

which you want to change connection limits, and then click Properties.

3. On the Settings tab (see the figure below), select from the following options:

• To allow clients to post articles to newsgroups on this NNTP virtual server,

select Allow client posting. This option permits users to post and read articles in
newsgroups that they can access, unless the newsgroup is set to read-only. You
can also limit the size of the article that clients post in addition to the size of the
connection.

• To allow clients to post articles to newsfeeds on the NNTP virtual server,

select Allow feed posting. You can limit the size of articles that are posted by
using the Limit post size check box. You can limit the amount of data that is sent
to a newsfeed during a single connection by using the Limit connection size
check box.

The Settings tab in the Default NNTP Virtual Server Properties dialog box
 82

Note:
For more information about configuring NTTP, see the Exchange Server 2003
Help.

For More Information

For information about configuring and managing client protocols, see Managing Protocols.

Managing Outlook Web Access

Outlook Web Access for Exchange 2003 includes significant improvements related to the
user interface and administration. For information about the user experience improvements in
Outlook Web Access, see "Client Features" in What's New in Exchange Server 2003.

You use both Exchange System Manager and the IIS snap-in to manage Outlook Web
Access. Use:
 83

• Exchange System Manager to modify settings for access control to Outlook Web
Access.

• The IIS snap-in to control the authentication settings for the virtual directories for
Outlook Web Access, including \Exchange, \Exchweb, and \Public.

The IIS snap-in to enable SSL for Outlook Web Access. For more information about using
SSL with Outlook Web Access, see "Configuring Exchange Server 2003 for Client Access" in
the Exchange Server 2003 Deployment Guide.

The following sections show how to use Exchange System Manager and the IIS snap-in to do
management tasks associated with Outlook Web Access.

Enabling and Disabling Outlook Web Access for

Internal Clients Only
You can enable users in your corporate network to access Outlook Web Access, while at the
same time denying access to external clients. The steps you need to follow to do this involve
creating a new recipient policy and creating a new HTTP virtual server. After you complete
these steps, users whose e-mail addresses do not have the same SMTP domain as the
HTTP virtual server will not be able to log on and access Outlook Web Access. Also, as long
as you do not use the SMTP domain as the default domain, external users cannot determine
what the SMTP domain is because the domain does not appear in the From field when users
send e-mail messages outside the organization.

For detailed steps on how to enable Outlook Web Access for internal clients only, see How to
Enable Outlook Web Access for Internal Clients Only.

Besides enabling Outlook Web Access for users in your corporate network, you can also
prevent specific internal users from accessing Outlook Web Access. You do this by disabling
the HTTP and NNTP protocols for those users.

For detailed steps on how to disable Outlook Web Access for specific users, see How to
Disable Outlook Web Access for Specific Users.

Using Browser Language Settings

When using Microsoft Internet Explorer 5 or later to access Outlook Web Access, new
installations and upgrades to Exchange 2003 use the browser's language settings to
determine the character set to use to encode information, such as e-mail messages and
meeting requests.

If you upgrade a server running Exchange 2000 that was modified to use a browser's
language setting, Exchange 2003 continues to function in the same manner. The following
table lists the language groups and respective character sets.
 84

Outlook Web Access language group and character sets

Language group Character set

Arabic Windows 1256

Baltic iso-8859-4

Chinese (Simplified) Gb2131

Chinese (Traditional) Big5

Cyrillic koi8-r

Eastern European iso-8859-2

Greek iso-8859-7

Hebrew windows-1255

Japanese iso-2022-jp

Korean ks_c_5601-1987

Thai windows-874

Turkish iso-8859-9

Vietnamese windows-1258

Western European iso-8859-1

If you expect Outlook Web Access users in your organization to send mail frequently, you can
modify registry settings so that users who are running Internet Explorer 5 or later can use
UTF-8 encoded Unicode characters to send mail.

Note:
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

For detailed steps on modifying the default language setting, see How to Modify the Default
Browser Language Settings for Outlook Web Access.

Blocking Web Beacons

In Exchange 2003, Outlook Web Access makes it more difficult for people who send junk e-
mail messages to use beacons to retrieve e-mail addresses. Beacons frequently come in the
form of images that are downloaded onto a user's computer when the user opens a junk e-
mail item. After the images download, a beacon notification is sent to the sender of the junk e-
 85

mail informing the sender that the e-mail address of your user is valid. The result is that the
user will receive junk e-mail more frequently because the junk e-mail sender now knows that
the e-mail address is valid.

In Outlook Web Access, an incoming message with any content that can be used as a
beacon, regardless of whether the message actually contains a beacon, prompts Outlook
Web Access to display the following warning message:

If users know that a message is legitimate, they can click the Click here to unblock content
link in the warning message and unblock the content. If your users do not recognize the
sender or the message, they can open the message without unblocking the content and then
delete the message without triggering beacons. If your organization does not want to use this
feature, you can disable the blocking option for Outlook Web Access.
For detailed steps for disabling the blocking of Web beacons, see How to Disable Blocking of
Web Beacons.

Configuring Attachment Handling

Outlook Web Access can be configured to handle e-mail attachments as your organization
requires. You have three options for how your Exchange servers handle attachments:

• Do not allow attachments

• Allow attachments (pending file-type filtering)

• Allow attachment access only through specific back-end servers

Additionally, you can specify a list of front-end servers that are exceptions to the "Allow
attachment access through backend servers" option thereby allowing the users that connect
through the specified front-end servers to be able to accept attachments. Note that if you set
the server to "Allow all attachments" or "Don't allow any attachments," this value is ignored.
Also, if a request is through a front-end server specified in this list of front-end servers that
can accept attachments, the attachments must still pass Level 1 and 2 restrictions.

Blocking Attachments
With Outlook Web Access, you can block users from opening, sending, or receiving specified
attachment types. In particular, you can:

• Prevent users from accessing certain file type attachments By default, all new
Exchange 2003 installations block attachments of Levels 1 and 2 file types, and Levels 1
and 2 MIME types. This feature is particularly useful in stopping Outlook Web Access
users from opening attachments at public Internet terminals, which could potentially
compromise corporate security. If an attachment is blocked, a warning message
indicating that the user cannot open the attachment appears in the InfoBar of the e-mail
message.
 86

Outlook Web Access users who are working in their offices or connected to the corporate
network from home can open and read attachments. You can enable full intranet access
to attachments by providing the URL to the back-end servers and allowing attachments
on the Exchange back-end servers.

• Prevent users from sending or receiving attachments with specific file

extensions that could contain viruses This feature in Outlook Web Access matches
the attachment blocking functionality in Outlook. For received messages, a warning
message indicating that an attachment is blocked appears in the InfoBar of the e-mail
message. For sent messages, users cannot upload any files with extensions that appear
on the block list.

To change the attachment blocking settings, you must modify the registry settings on the
server.

For detailed steps for modifying attachment blocking settings, see How to Modify Attachment
Handling Settings.

How to Enable Outlook Web Access for

Internal Clients Only
You can enable users in your corporate network to access Outlook Web Access, while at the
same time denying access to external clients. To enable Outlook Web Access for internal
clients only, you must create a new recipient policy and create a new HTTP virtual server.

After you complete these steps, users whose e-mail addresses do not have the same SMTP
domain as the HTTP virtual server will not be able to log on and access Outlook Web Access.
Also, if you do not use the SMTP domain as the default domain, external users will not be
able to determine what the SMTP domain is because the domain does not appear in the
From field when users send e-mail messages outside the organization.

Procedure
To enable Outlook Web Access for internal clients only
1. Create a recipient policy with an SMTP domain name. Users who are connecting
to an HTTP virtual server must have an e-mail address with the same SMTP domain
as the virtual server. Creation of a recipient policy is an efficient way to apply the
same SMTP domain to multiple users.

Note:
Outlook Web Access users do not have to know the name of the SMTP
 87

domain.

2. Apply the recipient policy to the user accounts for which you want to enable
access.

3. Then, on the front-end server, create a new HTTP virtual server that specifies the
domain that is used in the recipient policy.

For More Information

• For detailed steps for how to disable Outlook Web Access for specific users, see How
to Disable Outlook Web Access for Specific Users.

• For information about managing and configuring Outlook Web Access, see the
following topics:

• Configuring Outlook Web Access

• Managing Outlook Web Access

How to Disable Outlook Web Access for

Specific Users
You can prevent specific users from inside your organization from accessing Outlook Web
Access. You do this by disabling the HTTP and NNTP protocols for those users.

Procedure
To disable Outlook Web Access for specific users
1. In Active Directory Users and Computers, open the user's Properties dialog
box.

2. On the Exchange Features tab, clear the settings for HTTP and NNTP.

For More Information

• For detailed steps for how to enable Outlook Web Access for internal clients only, see
How to Enable Outlook Web Access for Internal Clients Only.

• For information about managing and configuring Outlook Web Access, see the
following topics:

• Configuring Outlook Web Access

 88

• Managing Outlook Web Access

How to Modify the Default Browser

Language Settings for Outlook Web
Access
When they use Microsoft® Internet Explorer 5 or later versions to access Outlook Web
Access, new installations and upgrades to Microsoft Exchange Server 2003 use the
browser's language settings to determine the character set to use to encode information,
such as e-mail messages and meeting requests.

If you upgrade a server running Exchange 2000 Server that was modified to use a browser's
language setting, Exchange Server 2003 continues to function in the same manner. The
following table lists the language groups and respective character sets.

Outlook Web Access language group and character sets

Language group Character set

Arabic Windows 1256

Baltic iso-8859-4

Chinese (Simplified) Gb2131

Chinese (Traditional) Big5

Cyrillic koi8-r

Eastern European iso-8859-2

Greek iso-8859-7

Hebrew windows-1255

Japanese iso-2022-jp

Korean ks_c_5601-1987

Thai windows-874

Turkish iso-8859-9

Vietnamese windows-1258

Western European iso-8859-1

 89

If you expect Outlook Web Access users in your organization to send mail frequently, you can
modify registry settings so that users who are running Internet Explorer 5 or later versions
can use UTF-8-encoded Unicode characters to send mail.

Before You Begin

Note:
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

Procedure
To modify the default language setting for Outlook Web Access
1. On the Exchange server, log on with the Exchange administrator account, and
start Registry Editor (regedit).

2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeWEB\OWA\UseRegionalCharset

3. Create a DWORD value named UseRegionalCharset.

4. Right-click the UseRegionalCharset DWORD value, and then click Modify.

5. In Edit DWORD Value, in the Value data box, type 1, and then click OK.

For More Information

For information about managing and configuring Outlook Web Access, see the following
topics:

• Configuring Outlook Web Access

• Managing Outlook Web Access

How to Disable Blocking of Web Beacons

In Microsoft® Server Exchange 2003, Outlook Web Access implemented a Web beacon
blocking feature that makes it more difficult for people who send junk e-mail messages to use
beacons to retrieve e-mail addresses. In Outlook Web Access, an incoming message with
 90

any content that can be used as a beacon, regardless of whether the message actually
contains a beacon, prompts Outlook Web Access to display the following warning message:

To help protect your privacy, links to images, sounds, or other external content in this
message have been blocked. Click here to unblock content.

If your organization does not want to use this feature, you can have your users perform the
following procedure to disable the blocking option for Outlook Web Access.

Before You Begin

For an overview of how Web beacons apply to Outlook Web Access deployments, see
"Blocking Web Beacons" in Managing Outlook Web Access.

Procedure
To disable the blocking of Web beacons
1. Use a Web browser to gain access to Outlook Web Access.

2. Click Options.

3. Under Privacy and Junk E-mail Prevention, clear the Block external content
in HTML e-mail messages check box.

For More Information

For information about managing and configuring Outlook Web Access, see the following
topics:

• Configuring Outlook Web Access

• Managing Outlook Web Access

How to Modify Attachment Handling

Settings
Microsoft® Outlook Web Access can be configured to handle e-mail attachments in different
ways, depending on the requirements of your organization. You can block users from
opening, sending, or receiving specified attachment types.

Your Exchange server can handle attachments in the following three ways:

• Do not allow attachments

 91

• Allow attachments (pending file-type filtering)

• Allow attachment access only through specific back-end servers

Before You Begin

Before modifying attachment handling settings, read "Configuring Attachment Handing" in
Managing Outlook Web Access. Note that if you set the attachment handling setting on the
server to "Allow all attachments" or "Don't allow any attachments," the attachment setting that
you configure to determine which front-end servers will handle messages is ignored. For
specific steps for how to specify the front-end servers that will handle attachments, see How
to Specify the Front-End Servers That Allow for Attachment Handling.

Caution:
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

Procedure
To modify the attachment blocking settings on an Exchange server
1. Log on to the Exchange server using the Exchange administrator account, and
then start Registry Editor (regedit).

2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeWeb\OWA

3. On the Edit menu, point to New, and then click DWORD Value.

4. In the details pane, name the new value DisableAttachments.

5. Right-click DisableAttachments, and then click Modify.

6. Under Base, in Edit DWORD Value, click Decimal.

7. In the Value data box, type one of the following numbers:

• To allow all attachments, type 0.

• To disallow all attachments, type 1.

• To allow attachments from back-end servers only, type 2.

8. Click OK.
 92

For More Information

• You may also want to determine which servers will allow attachment handling. For
specific steps, see How to Specify the Front-End Servers That Allow for Attachment
Handling.

• For information about managing and configuring Outlook Web Access, see the
following topics:

• Configuring Outlook Web Access

• Managing Outlook Web Access

Specifying Front-End Servers That Allow

for Attachment Handling
You can specify a list of front-end servers that are exceptions to the "Allow attachment access
through backend servers" option thereby allowing the users that connect through the
specified front-end servers to be able to accept attachments. Note that if you set the server to
"Allow all attachments" or "Don't allow any attachments," this value is ignored. Also, if a
request is through a front-end server specified in this list of front-end servers that can accept
attachments, the attachments must still pass Level 1 and 2 restrictions.

For detailed steps about how to specify the front-end servers that can accept attachments,
see How to Specify the Front-End Servers That Allow for Attachment Handling.

How to Specify the Front-End Servers That

Allow for Attachment Handling
You can specify a list of front-end servers that are not impacted by the attachment blocking
settings level you have configured in the registry. Users who connect through the front-end
servers specified in this list can open attachments.

Before You Begin

If you have configured attachment handling on the server to either allow attachments or block
attachments, the list of front-end servers that you do not want to be impacted by attachment
blocking is ignored. Also, any request through a front-end server specified in the list must still
pass Level 1 and 2 restrictions. For information about these restrictions, see "Configuring
Attachment Handing" in Managing Outlook Web Access.
 93

For steps for how to configure the value that determines how a server will block attachments,
see How to Modify Attachment Handling Settings.

Caution:
Incorrectly editing the registry can cause serious problems that may require you to
reinstall your operating system. Problems resulting from editing the registry
incorrectly may not be able to be resolved. Before editing the registry, back up any
valuable data.

Procedure
To specify the front-end servers that allow for attachment handling
1. Log on to the Exchange server using the Exchange administrator account, and
then start Registry Editor (regedit).

2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA

3. On the Edit menu, point to New, and then click String Value.

4. In the details pane, name the new value AcceptedAttachmentFrontEnds.

5. Right-click AcceptedAttachmentFrontEnds, and then click Modify.

6. In Edit String Value, under Value Data, enter the names of the front-end servers
that you want to allow attachments.

7. Click OK.

For More Information

• You may also want to configure the level at which a server will block attachments. For
specific steps, see How to Modify Attachment Handling Settings.

• For information about managing and configuring Outlook Web Access, see the
following topics:

• Configuring Outlook Web Access

• Managing Outlook Web Access

 94

Filtering Junk E-Mail Messages

You can control how Exchange 2003 manages junk e-mail for your organization. To do this,
you need to enable filtering, and then configure sender, recipient, and connection filtering. For
more information about controlling junk e-mail with Exchange 2003, see "Configuring Filtering
and Controlling Spam" in the Exchange Server 2003 Transport and Routing Guide.

Managing Mobile Services

This section includes information about managing mobile services for Exchange. For
procedures that relate to mobile services, see Configuring Mobile Device Support.

Managing Exchange ActiveSync

By using Exchange ActiveSync, users with a mobile device that is powered by Windows with
the desktop ActiveSync software can synchronize their devices with their Exchange servers
over the Internet. Users connect across the Internet to their Exchange front-end server and
request information from their Exchange mailbox server. When you enable access to
Exchange using Exchange ActiveSync, follow these steps.

1. Use the front-end and back-end server architecture to provide a single namespace
for users to connect to your network (recommended). For more information, see Planning
an Exchange Server 2003 Messaging System.

2. Install an SSL certificate on the front-end server. For more information, see the
Exchange Server 2003 Deployment Guide.

3. Inform users how to connect to the Internet from their device and use ActiveSync on
their device to connect to their Exchange server. For more information, see the Exchange
Server 2003 Deployment Guide.

The following sections provide information about how to manage Exchange ActiveSync for
your organization, including how to enable and disable the Exchange ActiveSync application,
and how to enable ActiveSync for your users.

Enabling Exchange ActiveSync for Your Organization

By default, Exchange ActiveSync is enabled for all the users in your organization. If your
users have mobile devices that are powered by Windows, you can inform them how to
configure their devices to use Exchange ActiveSync. To enable and disable Exchange
ActiveSync for your organization, use Exchange System Manager. However, when you add
new users to your organization and you want to enable them to use Exchange ActiveSync to
 95

access Exchange with a mobile device that is powered by Windows, use Active Directory
Users and Computers to modify the settings for a user or groups of users.

Important:
• Exchange ActiveSync must use the default virtual directory created by Exchange
Server 2003 Setup. Deleting, renaming, and creating additional virtual directories on
the same virtual server will prevent Exchange ActiveSync from functioning properly.
Additionally, if you attempt to re-create the Exchange ActiveSync virtual directory in
Exchange System Manager, Exchange ActiveSync will not function.

• For detailed steps about enabling and disabling Exchange ActiveSync features at the
organizational level, see How to Enable or Disable Exchange ActiveSync for Your
Organization.
• For detailed steps about how to modify ActiveSync settings for a user or groups of
users, see How to Enable and Disable Exchange ActiveSync Features at the User Level.

• How to Configure the Exchange ActiveSync Up-to-Date Notifications Feature

• The following are the server-side procedures you use to enable AUTD notifications:

• For detailed steps about enabling AUTD at the organizational level, see How to
Enable Up-to-Date Notifications for Your Organization.

• For detailed steps on how to modify AUTD settings for a user or groups of users,
see How to Enable and Disable Up-to-Date Notifications at the User Level.

Enabling Up-to-Date Notifications for Your

Organization
After you configure your organization to use Exchange ActiveSync, you can configure your
Exchange 2003 servers so that users can receive up-to-date notifications to keep their
devices current with the changes that occur when a new item arrives in their Exchange
mailbox. This notification prompts the user's device to synchronize the device with the
Exchange mailbox automatically.

• The following are the server-side procedures you use to enable AUTD notifications:

• For detailed steps about enabling AUTD at the organizational level, see How to
Enable Up-to-Date Notifications for Your Organization.

• For detailed steps about how to modify AUTD settings for a user or groups of
users, see How to Enable and Disable Up-to-Date Notifications at the User Level.
 96

Enabling Users to Use a Mobile Operator to Receive

Notifications
If you enable the Exchange ActiveSync up-to-date notifications feature, your users use a
mobile operator to deliver messages from the corporate network to their devices. You can
enable your users to receive notification in two ways.

Option 1: Specify a mobile operator for your users

To specify a mobile operator for your users, disable the Enable notifications to user
specified SMTP addresses on the Exchange server that has the mailboxes for these
users. If you select this option, you need to inform your users how to set their devices to
use the mobile operator that you specify for up-to-date notifications.

Option 2: Allow users to use their own mobile operators

If your users have their own mobile devices that are powered by Windows, you can allow
them to use their own mobile operators to deliver notifications to their devices. If you select
this option, you need to inform your users how to set their devices to use the mobile
operators that they want to use for up-to-date notifications.

Use the following procedures to configure devices for AUTD:

• For detailed steps on how to specify a mobile operator for an up-to-date notifications
on a device, see How to Specify a Mobile Operator for Up-to-Date Notifications on a
Device.

How to Enable or Disable Exchange

ActiveSync for Your Organization
The following procedure describes how to enable or disable user-initiated synchronization for
your organization.

Before You Begin

This procedure does not explain other Microsoft® Exchange ActiveSync® options such as
up-to-date notifications. For a procedure that explains how to enable all Exchange ActiveSync
features (including up-to-date notifications) at the organizational level, see How to Enable and
Disable Exchange ActiveSync Features at the Organizational Level.
 97

Procedure
To enable or disable Exchange ActiveSync for your organization
1. On the Exchange front-end server that is running Exchange ActiveSync, log on
with the Exchange administrator account, and then start Exchange System Manager.

2. Expand Global Settings, right-click Mobile Services, and then click Properties.

3. On the Mobile Services Properties page, in the Exchange ActiveSync pane,

select or clear the check box next to Enable user initiated synchronization.

4. Click OK.

For More Information

For detailed steps for enabling ActiveSync features at the user level, see How to Enable and
Disable Exchange ActiveSync Features at the User Level.

For detailed steps for how to configure a mobile device to use Exchange ActiveSync, see
How to Configure a Mobile Device to Use Exchange ActiveSync.

How to Configure the Exchange

ActiveSync Up-to-Date Notifications
Feature
After you configure your organization to use Microsoft® Exchange ActiveSync, you can
configure your Exchange Server 2003 servers so that users can receive up-to-date
notifications to keep their devices current with the changes that occur when a new item
arrives in their Exchange mailbox. This notification prompts the user's device to synchronize
the device with the Exchange mailbox automatically.

Procedure
To configure the Exchange ActiveSync up-to-date notifications feature
1. Ensure that Exchange is configured to support the always up-to-date notification
feature. For detailed steps, see the following procedures:

• How to Enable and Disable Exchange ActiveSync Features at the

Organizational Level.

• "How to Enable and Disable Up-to-Date Notifications at the User Level" in

 98

the Exchange Server 2003 Client Access Guide.

2. Configure any mobile carriers that you need to support your deployment. For
detailed steps, see "How to Configure a Mobile Carrier When Using Up-to-Date
Notifications" in the Exchange Server 2003 Client Access Guide.

3. Configure your user devices to use the up-to-date notification feature. For
detailed steps, see How to Specify a Mobile Operator for Up-to-Date Notifications on
a Device.

For More Information

For conceptual information about the Exchange ActiveSync up-to-date notifications feature,
see "Enabling Up-to-Date Notifications for Your Organization" in "Managing Mobile Services"
in the Exchange Server 2003 Client Access Guide.

How to Enable Up-to-Date Notifications for

Your Organization
After you configure your organization to use Microsoft® Exchange ActiveSync, you can
configure your Exchange Server 2003 servers so that users can receive up-to-date
notifications to keep their devices current with the changes that occur when a new item
arrives in their Exchange mailbox. This notification prompts the user's device to synchronize
with the Exchange mailbox automatically.

Procedure
To enable up-to-date notifications for your organization
1. On the Exchange front-end server running Exchange ActiveSync, log on with the
Exchange administrator account, and then start Exchange System Manager.

2. Expand Global Settings, right-click Mobile Services, and then click Properties.

3. On the Mobile Services Properties page, in the Exchange ActiveSync pane,

select Enable up-to-date notifications.

4. Click OK.
 99

For More Information

• For detailed steps for how to specify a list of mobile carriers from which your users
can choose, see How to Configure a Mobile Carrier When Using Up-to-Date Notifications.
After you specify a list of carriers, your users will be able to choose a mobile operator
using a drop-down menu on their mobile device.

• For detailed steps for how to configure up-to-date notifications so that users in your
organization can specify their own mobile operator, see How to Set the Enable
Notifications to User-Specified SMTP Address Option for Your Organization.

• For detailed steps for how to modify up-to-date notification settings for a user or
groups of users, see How to Enable and Disable Up-to-Date Notifications at the User
Level.

• For conceptual information about the up-to-date notification feature, see "Enabling
Up-to-Date Notifications for Your Organization" in Managing Mobile Services.

How to Enable and Disable Up-to-Date

Notifications at the User Level
If you enable the Microsoft® Exchange ActiveSync always up-to-date notifications feature,
your users use a mobile operator to deliver messages from the corporate network to their
devices. You can enable individual users or groups of users to use up-to-date notifications.

Procedure
To enable and disable always up-to-date notifications at the user level
1. On the Exchange server on which the user's mailbox resides, log on with the
Exchange administrator account, and then start Active Directory Users and
Computers.

2. Expand the domain, and then open the location for the users whose settings you
want to modify.

3. Right-click the user or users whose up-to-date notifications settings you want to
modify, and then select Exchange Tasks.

4. In Exchange Task Wizard, on the Available Tasks page, select Configure

Exchange Features, and then click Next.

5. On the Configure Exchange Features page, select Up-to-date notifications,

and then select one of the following:
 100

• To allow users to use up-to-date notifications, select Enable.

• To prevent users from using up-to-date notifications, select Disable.

6. To prevent the users' settings from being modified when you have selected more
than one user, select Do not modify.

For More Information

• For detailed steps for enabling AUTD at the organizational level, see How to Enable
Up-to-Date Notifications for Your Organization.

• For an overview of the steps that you need to consider when deploying AUTD
notifications, see How to Configure the Exchange ActiveSync Up-to-Date Notifications
Feature.

• For conceptual information about the AUTD feature, see "Enabling Up-to-Date
Notifications for Your Organization" in Managing Mobile Services.

How to Configure a Mobile Carrier When

Using Up-to-Date Notifications
You specify the mobile carriers that you want your users to use for up-to-date notifications.
Specifying mobile carriers can make it easier for your users to configure up-to-date
notifications. Additionally, when used in conjunction with clearing the Enable notification to
user specified SMTP addresses option, you can control the carriers to which your users
connect.

Note:
After you configure your mobile carriers, your users will be able to select a mobile
carrier from the Service Provider Name drop-down list when configuring their
devices for up-to-date notifications.

If you do not configure mobile carriers for your users, users who are configured with the
Enable notification to user specified SMTP addresses option can specify a mobile carrier
by entering the SMS address of their device. This address uses the same format as an SMTP
address (for example, <PhoneNumber>@<MobileCarrier>).

Important:
Not all mobile carriers and devices support up-to-date notifications. One reason is
because the mobile carrier and the device must specifically support the conversion of
SMTP e-mail messages into SMS messages.
 101

Procedure
To configure a mobile carrier when using always up-to-date notifications
1. In Exchange System Manager, right-click Mobile Services, select New,and then
select Mobile Carrier.

2. In the Properties dialog box, in the Name field, type a display name for the
carrier. The name you use here will be the name displayed on the mobile device.

3. In SMTP domain, type the SMTP domain being served by the carrier, for
example, type tmomail.net if your carrier is T-Mobile.

For More Information

For detailed steps for configuring AUTD, see How to Configure the Exchange ActiveSync Up-
to-Date Notifications Feature.

How to Set the Enable Notifications to

User-Specified SMTP Address Option for
Your Organization
After you configure your organization to use Microsoft® Exchange ActiveSync, you can
configure your Exchange Server 2003 servers so that users can receive up-to-date
notifications to keep their devices current with the changes that occur when a new item
arrives in their Exchange mailbox. This notification prompts the user's device to synchronize
the device with the Exchange mailbox automatically.

Procedure
To set the Enable notifications to user-specified SMTP address option for your
organization
1. On the Exchange front-end server that is running Exchange ActiveSync, log on
with the Exchange administrator account, and then start Exchange System Manager.

2. Expand Global Settings, right-click Mobile Services, and then click Properties.

3. On the Mobile Services Properties page, in the Exchange ActiveSync pane, set
the Enable notifications to user specified SMTP address option as follows:

• If you want to specify a mobile operator for your user, clear Enable
 102

notifications to user specified SMTP address.

• If you want to allow your users to specify their own mobile operators, select
Enable notifications to user specified SMTP address.

4. Click OK.

For More Information

• For detailed steps for how to specify a mobile operator for up-to-date notifications on
a device, see How to Specify a Mobile Operator for Up-to-Date Notifications on a Device.

• For detailed steps for how to modify up-to-date notification settings for a user or
groups of users, see How to Enable and Disable Up-to-Date Notifications at the User
Level.

• For conceptual information about up-to-date notifications, see "Enabling Up-to-Date

Notifications for Your Organization" in Managing Mobile Services.

Managing Outlook Mobile Access

By using Outlook Mobile Access, users can browse their Exchange mailbox using a device
such as a Smartphone that is powered by Microsoft Windows or a cHTML-capable device.
You can also enable users to use devices that are not officially supported by Microsoft, but
which are likely to function correctly with only minor compatibility issues by enabling
unsupported devices to use Outlook Mobile Access.

The following sections provide information about how to manage Outlook Mobile Access for
your organization, including how to enable the Outlook Mobile Access application for your
organization and how to enable users for Outlook Mobile Access.

Configuring Exchange to Use Outlook Mobile

Access
By default, Outlook Mobile Access is disabled when you install Exchange 2003. For users to
use Outlook Mobile Access, you must first enable it. When you enable access to Exchange
by using Outlook Mobile Access, you should do the following:

1. Use the front-end and back-end server architecture to provide a single namespace
for users to connect to your network. For more information, see Exchange Server 2003
and Exchange 2000 Server Front-End and Back-End Topologies.

2. Install an SSL certificate on the front-end server. For more information, see the
Exchange Server 2003 Deployment Guide.
 103

3. Inform users how to connect to the Internet from their devices and how to use
Outlook Mobile Access to access their Exchange information. For detailed steps for how
to use Outlook Web Access to access Exchange data, see How to Access Exchange
Data Using Outlook Mobile Access.

Enabling Outlook Mobile Access for Your

Organization
To enable Outlook Mobile Access for your organization, use Exchange System Manager. After
you enable Outlook Mobile Access, you can use Active Directory Users and Computers to
modify the Outlook Mobile Access settings for users or groups of users.

• For detailed steps for enabling Outlook Mobile Access for your organization, see How
to Enable or Disable Outlook Mobile Access at the Organizational Level.

• For detailed steps for modifying Outlook Mobile Access settings, see How to Enable
or Disable Outlook Mobile Access at the User Level.

Copyright
The information contained in this document represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on
the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO

WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting
the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in examples herein are fictitious. No
 104

association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred.

© 2006 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, ActiveSync,
ActiveX, Entourage, Excel, FrontPage, Hotmail, JScript, Microsoft Press, MSDN, MSN,
Outlook, SharePoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows Mobile,
Windows NT, and Windows Server System are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.