Outlook Anywhere Client Access to Exchange 2003 over the Internet
Kristian Andaker
Lead Program Manager
Microsoft Corporation
MSG304

Exchange 2003: Mobility In the Box

Agenda
  Exchange Internet access technologies
    Desktops
      Outlook Web Access (OWA)
      Outlook: RPC/HTTP
      IMAP4 and POP3
    Mobile devices
      Exchange ActiveSync
      Outlook mobile access
  Deployment and topologies
    Front-End/Back-end? Firewalls?
  Security, security, security
  Administration

Scenarios and Risks
  Internet access to Microsoft Exchange
    Extranet
    Telecommuters
    From home and Internet kiosks
    Co-worker’s office
  Understand risks
    Deployment/Configuration mistakes
    E-mail content
      Sent from Internet and opened Inside
      Sent from Inside and opened from Internet
    End-user error

Exchange 2003 Mobile Components: Overview
  [Diagram labels: Laptops; ActiveSync Clients (e.g., PPC, SP); Phone & PDA Browsers; RPC/HTTP and Outlook Web Access, POP3, IMAP; Exchange ActiveSync; Outlook Mobile Access; Firewall/DMZ; Front-End; Mailbox (a.k.a. Back-End)]

Outlook Web Access (OWA): Exchange 2003 features
  Spellchecking
  Rules
  Tasks
  Everything we love in Microsoft Office Outlook 2003
    Quick flags
    Right preview pane, two line view
    Right click ‘mark as read/unread’
    Search folders (e.g. for follow up, unread)
  Attachment drag & drop
  Improved performance (>50% vs. Exchange 2000)
  Security
    Forms based authentication, attachment blocking, external content blocking, S/MIME encryption/signing

Outlook Web Access: Forms based authentication
  HTML ‘form’ where user enters credentials
    User chooses ‘Premium’ or ‘Basic’ OWA
    User chooses ‘Private’ or ‘Public’ machine (short versus long timeout)
  Timed logoff: Server uses encrypted cookie for session authentication
    Logout and timeout invalidates cookie
    User does not need to close browser to be logged out
    Doesn’t time out while composing mail
    Does time out regardless of new incoming mail or reminders
  Customizable logon page

Outlook Web Access: Forms-Based Authentication
  Get your own OWA trial account today
    Sign Up: http://www.microsoft.com/exchange/evaluation/trial/online.asp
    Access OWA: https://mail.exchangetrial.com/exchange

RPC/HTTP: Outlook from Internet without VPN/RAS
  Requirements
    Outlook 2003 (Outlook 11)
      Configure in Exchange proxy settings
    Microsoft Windows XP SP1 + Q331320 or SP2
    Following servers need Microsoft Windows Server 2003:
      Mailbox, front end, global catalog, public folder
  OWA and Outlook can use same URL
  Outlook’s RPC (remote procedure call) traffic wrapped in HTTPS
    Outlook client requests are proxied through Windows’ “RPCProxy”
    RPCs are unwrapped on Exchange Front-End server and forwarded to appropriate servers
  Switches intelligently between RPC/HTTP and RPC/TCP
  * Outlook configuration UI can be disabled with registry key

Exchange ActiveSync (EAS)
  Windows Mobile, PalmOne, Motorola, Nokia, …
    Protocol being licensed to third parties
  E-mail, calendar and contacts synchronization (SP2: +tasks)
    ‘In the box’ with Exchange. No separate sync server.
    Scheduled/Manual/Up-To-Date sync
  Rich filtering and truncation options
    Sync. Attachments? Sync. how much of body? …
  Smart reply and smart forward
    Delivers attachments and full message without downloading to device
  ‘Desktop ActiveSync’ integration
    Configure from device or desktop
  ‘Up-To-Date’ notifications
    E2003 RTM & SP1: SMTP->SMS notif.
    E2003 SP2: IP notif.

Outlook Mobile Access (OMA): Overview
  OWA for mobile devices
    Triage e-mail (e.g., Accept Mtg)
    Find people (Contacts/AB)
    See your calendar (e.g., Create meetings)
  Exchange’s “device reach” solution
    Generates WML, HTML, xHTML and cHTML markup for different devices
  Microsoft .NET Framework ‘Device Updates’ add device support
    Exchange 2003 RTM contains ‘Device Update 2’
    ‘Device Update 4’ available today

Deployment Basics: Topology example
  1. Firewall lets through SSL (port 443) only
     Add ports for POP3/IMAP with or without TLS
  2. IIS on FE authenticates user
  3. FE looks up which BE serves user
  4. FE handles data or proxies to BE
  5. BE returns data to FE, FE returns data to user
  [Diagram labels: RPC/HTTP, OWA, OMA, EAS, POP3, IMAP; Firewall; Front-End; Mailbox (a.k.a. Back-End) Servers; Global Catalog (Active Directory)]

Deployment Basics: Front-End server
  Select ‘This is a Front-End server’ checkbox
    Exchange System Manager → Servers → Right-click menu → Properties → ‘General’ tab
  Why use a Front-End (FE) server?
    Offload work from Mailbox server
      SSL, OWA compression, OWA spellcheck
    Single namespace (same URL) for all client access
      E.g., mail.microsoft.com for all OWA, RPC/HTTP, EAS and OMA Microsoft users
    More secure and reliable
      No user data on FE
      No unauthenticated requests to Mailbox server
      Client access services run on Front-End
  [Diagram labels: Client; Internet; Firewall; Front-End; Mailbox]

Deployment: “Must’s” about Front-End servers
  Must use Exchange 2000 Enterprise Edition or Exchange 2003 Enterprise/Standard
  Front-End must be upgraded before Back-End
    E.g., Exchange 2003 FE works with Exchange 2000 BE
  Front-End must be in same AD forest as Back-End
  Communication between Front-End and global catalog
    IIS uses RPC for authentication. RPC ports must be open between Front-End and global catalog
  Front-End must be member of domain

Most Secure Deployment: Perimeter network with pre-authN
  1. Firewall lets through SSL (port 443) only
  2. ISA 2004 pre-authenticates user using ISA forms based authentication and RADIUS
     ISA is not member of Intranet domain
     Does not work with Outlook Web Access GZIP compression. Need third-party ISA compression add-on
  3. IIS on FE authenticates user
  4. …
  [Diagram labels: RPC/HTTP, OWA, OMA, EAS; Firewall; ISA 2004; Perimeter; Firewall; Front-End; Mailbox (a.k.a. Back-End) Servers; Global Catalog (Active Directory)]

Deploy OWA
  Security
    Basic+NTLM by default, use with SSL
    OWA on FE: Forms-Based AuthN or Basic AuthN
    OWA on BE: Windows integrated AuthN and Digest AuthN also work
    E-mail messages don’t cache on the client
    Malicious content in HTML e-mail and attachments is filtered
      This sometimes causes trouble for legitimate HTML e-mail
  Advanced settings
    Multiple virtual servers (web sites) / virtual directories
      Create matching vservers/vdirs on FE and BE
    OWA ‘Public’ virtual directories can specify root public folder
    OWA ‘Exchange’ virtual directories specify SMTP domain
      Before Exchange 2003 SP1: only users with e-mail addresses in that SMTP domain can use virtual directory
      Exchange 2003 SP1: SMTP domain is only used to identify users in OWA URL (explicit logon) (e.g. …/exchange/billg)

OWA Attachments: New in Exchange Server 2003
  Attachment blocking by MIME type and file extension
    Level 1 – Blocked
    Level 2 – Can save to disc, but not open in browser
    Controlled with registry keys
  Block all attachments in OWA
  Or, be more specific:
    Block all when going through a FE
    Block all, except when going through an “accepted” FE server namespace
    Select which FQDNs are safe for opening attachments and freedocs
  By default, freedocs are blocked in public folders

OWA Administrative Tool

Deploy RPC/HTTP
  Security
    NTLM by default (Configurable to basic)
    SSL with certificate trusted by client is mandatory
    Keep only Port 443 (HTTPS) open in firewall
    Only Exchange servers (Back-End, public folder) and global catalog can be accessed
  Install RPCProxy on Exchange Front-End server
    On Windows Install → Network Services → RPC over HTTP proxy
  Configure with Exchange 2003 SP1 ‘RPC/HTTP Publisher’
    Exchange System Manager → Servers → Right-click menu → Properties → ‘RPC-HTTP’ tab
    Manual config: IIS settings/permissions, Set FE/BE to be ‘RPC/HTTP publisher’, Set BE/DC Ports, Set ‘ValidPorts’ Reg keys, …
  Support webcast guidance for manual deployment
    http://support.microsoft.com/default.aspx?scid=kb;en-us;829134

Deploy Exchange ActiveSync and Outlook Mobile Access
  EAS and OMA access the Mailbox server through “/Exchange” VDir
    OMA and EAS fail when “/Exchange” uses FBA or SSL
    Workaround: http://support.microsoft.com/?kbid=817379
  Exchange ActiveSync
    Basic authentication, use with SSL
    Implementation: ISAPI that runs as LOCAL_SYSTEM
  Outlook Mobile Access
    Basic authentication, use with SSL
    Specify SMTP domain for virtual directory: only users with e-mail addresses in that SMTP domain can use virtual directory
    OMA requires client ↔ server affinity for the duration of sessions
    Implementation: run in separate process under ASP.NET application worker account

Architecture
  [Diagram labels: ActiveSync Clients; Phone & PDA Browsers; Laptops; Front-End; Mailbox; IIS SSL; Forms Based AuthN; IIS Basic/Integrated; IIS Basic; /Microsoft-Server-ActiveSync (EAS); /Exchange (OWA); /OMA (OMA); ISAPI Proxies to Mailbox Server; ActiveSync Protocol ISAPI; .NET FW Mobile Controls and Session State; ASP.NET pages; OWA/DAV ISAPI; Store.exe; DB]

Deploy IMAP4 and POP3
  Services are off by default
    MMC ‘Services’ snap-in: set to auto-start
      ‘Microsoft Exchange IMAP4’
      ‘Microsoft Exchange POP3’
  Open ports:
    IMAP: 143
    IMAP with TLS/SSL: 993
    POP3: 110
    POP3 with TLS/SSL: 995
  Front-End proxies
    Uses user’s credentials to look up correct back-end
  Back-End authenticates

Topology Considerations: SSL processing
  SSL handshake is CPU-intensive
    Offload to front-end
    Hardware accelerators
    Separate device may be better value than another FE
  SSL termination before Front-End: tell FE that SSL was used
    FBA and RPC-HTTP require registry keys
    Add “Front-End-HTTPS: on” request header for non-FBA OWA
    EAS just works. OMA does not support SSL offloading.
  SSL Affinity = much better perf terminating on FE
    SSL performs handshake and uses keep-alive connection for better performance

Topology Considerations: Simplify access URLs
  Change OWA access URL
    From: ‘https://mail.microsoft.com/exchange’
    To: ‘https://mail.microsoft.com’
  IIS Manager → Default Web Site → right click menu → Properties → ‘Home Directory’ tab
  In the ‘Redirect to’ field, type ‘/exchange’
  Click ‘A directory below URL entered’

Topology Considerations: Load balancing and front-ends
  Front-ends can be load balanced
    Windows network load balancing
    Separate load balancing hardware
    DNS round-robin
  Forms-based authentication
    Client ↔ Server affinity for duration of session is required
    Cookie can only be decrypted by FE that issued it
  Proxies and firewalls may affect load balancing
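
Added example (not from the original slides, and not Exchange's implementation): a simplified model of the forms-based authentication cookie described on the FBA slide and of the affinity requirement on the load-balancing slide. The FrontEnd class, the HMAC seal standing in for the encrypted cookie, and the idle limits are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed idle limits in seconds; the slides only say "short versus long".
IDLE_LIMIT = {"public": 15 * 60, "private": 24 * 60 * 60}


class FrontEnd:
    """Hypothetical model of one FE server issuing FBA session cookies."""

    def __init__(self, name):
        self.name = name
        self._key = os.urandom(32)  # per-server secret, never shared with peers
        self._logged_out = set()    # cookies invalidated by explicit logout

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, machine, now):
        body = f"{user}|{machine}|{now}"
        return f"{body}|{self._mac(body)}"

    def check(self, cookie, now, user_action):
        """Return (ok, cookie). user_action is True for reading or composing,
        False for background polling (new mail, reminders)."""
        body, _, mac = cookie.rpartition("|")
        if not hmac.compare_digest(mac.encode(), self._mac(body).encode()):
            return False, None      # sealed by a different FE, or tampered with
        if cookie in self._logged_out:
            return False, None      # logout invalidates without closing browser
        user, machine, last = body.split("|")
        if now - int(last) > IDLE_LIMIT[machine]:
            return False, None      # timed logoff
        if user_action:
            cookie = self.issue(user, machine, now)  # only real activity extends
        return True, cookie

    def logout(self, cookie):
        self._logged_out.add(cookie)


def walk_through():
    """Constructed scenario: one user on a 'public' machine, two FE servers."""
    fe1, fe2 = FrontEnd("fe1"), FrontEnd("fe2")
    c0 = fe1.issue("alice", "public", now=0)
    results = {}
    # A load balancer without affinity sends the next request to fe2.
    results["other_fe"] = fe2.check(c0, 10, True)[0]
    # Polling inside the window succeeds but does not refresh the cookie...
    ok, c1 = fe1.check(c0, 600, False)
    results["poll_in_window"] = ok and c1 == c0
    # ...so a session that only polls still times out.
    results["poll_only_expires"] = fe1.check(c1, 1000, False)[0]
    # A user who acts at 600 s gets a fresh cookie and is still valid at 1000 s.
    ok, c2 = fe1.check(c0, 600, True)
    results["active_user"] = fe1.check(c2, 1000, True)[0]
    fe1.logout(c2)
    results["after_logout"] = fe1.check(c2, 1001, True)[0]
    return results


if __name__ == "__main__":
    for step, ok in walk_through().items():
        print(f"{step}: {'accepted' if ok else 'rejected'}")
```

The rejected "other_fe" step is the behaviour a load balancer without session affinity produces: the user is bounced back to the logon form whenever a request lands on a different front-end.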

Topology Considerations: Use a perimeter network
  Perimeter network
    Contains servers that accept unauthenticated requests from Internet
    Contain damage if perimeter server is hacked
    Minimize # of ports and communication between Intranet and DMZ
  Firewalls
    External: Port filtering, packet inspection, etc.
    Internal: + IP filtering
    Your organization’s security requirements
  Use a reverse proxy in DMZ
    Even more secure: ISA2004 can pre-authN in DMZ without being domain member, using RADIUS
    SSL Bridging (decrypt, inspect, re-encrypt) or SSL Passthrough (don’t inspect)
  [Diagram labels: Perimeter; Reverse Proxy and/or Pre-AuthN; Front-End]

Security: Firewall between FE and BE
  Disable DSACCESS pings & NETLOGON
  Difficult to administer remotely

  Protocol   Port                             Destination
  HTTP       80 TCP                           BE Servers
  POP3       110 TCP                          BE Servers
  IMAP4      143 TCP                          BE Servers
  RPC-HTTP   6001 & 6004 TCP, 6002 (SP1)      BE Servers
  Kerberos   88 TCP & UDP                     Global Catalogs
  LDAP       389 TCP & UDP, 3268 TCP          Global Catalogs
  RPC        135 TCP, 1024+ or fixed port ☺   Global Catalogs
  DNS        53 TCP & UDP                     DNS Servers
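
Added example (not from the original slides): one way to audit an internal firewall rule list against the port table above, flagging anything wider than the table allows. The Rule structure, role names ("fe", "be", "gc", "dns"), finding labels and the sample rules are constructed for illustration.

```python
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    src: str    # "fe" = Front-End in the perimeter; anything else is unexpected
    dst: str    # destination role: "be", "gc" or "dns"
    proto: str  # "tcp" or "udp"
    lo: int     # first port of the permitted range
    hi: int     # last port of the permitted range


# Front-End -> internal flows, transcribed from the table above.
MATRIX = {
    "be": {("tcp", 80), ("tcp", 110), ("tcp", 143),
           ("tcp", 6001), ("tcp", 6002), ("tcp", 6004)},
    "gc": {("tcp", 88), ("udp", 88), ("tcp", 389), ("udp", 389),
           ("tcp", 3268), ("tcp", 135)},
    "dns": {("tcp", 53), ("udp", 53)},
}


def audit(rules, gc_rpc_port: Optional[int] = None):
    """Return (rule index, finding, detail) for every rule wider than the table.

    gc_rpc_port is the fixed RPC port pinned on the global catalogs, if any.
    Without it the table permits 1024+ to the GCs; that rule is reported
    separately so it can be tightened once a fixed port is configured.
    """
    findings = []
    for i, r in enumerate(rules):
        if r.src != "fe":
            findings.append((i, "unexpected-source", r.src))
            continue
        allowed = set(MATRIX.get(r.dst, ()))
        if r.dst == "gc" and gc_rpc_port is not None:
            allowed.add(("tcp", gc_rpc_port))
        dynamic = (r.dst == "gc" and r.proto == "tcp"
                   and r.lo >= 1024 and r.hi == 65535)
        if dynamic and gc_rpc_port is None:
            findings.append((i, "dynamic-rpc-range", f"{r.lo}-{r.hi}"))
            continue
        extra = [p for p in range(r.lo, r.hi + 1)
                 if (r.proto, p) not in allowed]
        if extra:
            detail = f"{len(extra)} port(s), first {extra[0]}"
            findings.append((i, "not-in-matrix", detail))
    return findings


# Constructed sample rule set for the firewall between perimeter and intranet.
SAMPLE_RULES = [
    Rule("fe", "be", "tcp", 80, 80),
    Rule("fe", "be", "tcp", 6001, 6004),    # range sweeps in 6003
    Rule("fe", "gc", "tcp", 135, 135),
    Rule("fe", "gc", "tcp", 1024, 65535),   # dynamic RPC, no fixed port
    Rule("fe", "dns", "udp", 53, 53),
    Rule("fe", "be", "tcp", 445, 445),      # not in the table
    Rule("any", "be", "tcp", 80, 80),       # source is not the Front-End
]

if __name__ == "__main__":
    for index, finding, detail in audit(SAMPLE_RULES):
        print(f"rule {index}: {finding} ({detail})")
```

Passing `gc_rpc_port` once RPC is pinned on the global catalogs turns the leftover 1024-65535 rule from an informational finding into a "not-in-matrix" one.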

Security
  Front-End ↔ Mailbox server communication
    Use a trusted physical/switched network
    Or IPSec everything or specific ports such as 80 (HTTP)
    Cannot use SSL
    Exchange 2000 – Basic Auth
    Exchange 2003 – Integrated Auth
  IIS: Disable non-essential script mappings and extensions
    IIS5 use “IIS Lockdown” tool to do this
    IIS6 more “locked down” by default
    URLScan KB 823175
  Stay up-to-date with Windows/IIS fixes!

RSA SecurID
  RSA provides SecurID filter for IIS
  ISA2000+ includes SecurID filter
  OWA: IIS and ISA SecurID
    ‘SecurID expiration’ fails
    Workaround: use OWA FBA expiration
  RPC/HTTP: No SecurID
  EAS: IIS SecurID compatible (not ISA)
  OMA: IIS and ISA SecurID compatible
    For devices supported by both RSA and OMA
  No ‘single-sign-on’ with only SecurID credentials

Turning Mobile Services On/Off
  [Screenshot labels: Exchange System Manager; Active Directory Users & Computers; Default: Enabled; Default: Disabled; Default: Enabled]

Client Access Admin
  ESM

OWA Admin
  Compression is GZIP
    Only with forms-based authentication
      FBA pages detect browsers w/ malfunctioning GZIP
      Internet Explorer 6 SP1+Q813489, Netscape 6+
    Only with IIS6 (Win2003)
    Low: Static pages
    High: Static and dynamic pages (more server load)
  FBA is configured for a virtual server (Web site)
    Applies only to OWA virtual directories

Gotcha’s
  Character sets
    HKLM\System\CurrentControlSet\Services\MSExchangeWEB\OWA\UseRegionalCharset = ‘1’
      Makes OMA, EAS and OWA use regional character sets to send e-mail
    UseGB18030 = ‘1’ and UseISO8859_15 = ‘1’
      Makes OMA, EAS and OWA replace GB2312 with GB18030 and iso-8859-1 with iso-8859-15 respectively
  Mobile devices
    Can change name of ‘/Exchange’ and ‘/OMA’ vdirs, but ActiveSync devices can access only ‘/Microsoft-Server-ActiveSync’
    EAS/OMA workaround when Mailbox server /Exchange vdir uses FBA or SSL
      http://support.microsoft.com/?kbid=817379
    OMA is disabled by default

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.