W09 Outlook Web Access

Contents

Overview 1

Lesson 1: Summary of Features 2

Lesson 2: Outlook Web Access Basic 3

Lesson 3: Outlook Web Access Premium 10

Lesson 4: Outlook Web Access and the Browser 31

Lesson 5: Outlook Web Access and Forms Based Authentication 35

Lesson 6: Outlook Web Access S/MIME Control 38

Lesson 7: Outlook Web Access Attachment Blocking 42

Lesson 8: Other Features 45

Lesson 9: Outlook Web Access Spell Check 51

Lesson 10: Outlook Web Access and Gzip Compression 62

Lab A: Outlook Web Access 78

Review 87

Appendix A 88

Appendix B 93

Appendix C 98

Appendix D 103

Appendix E 110

Module 9: Outlook Web Access

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2005 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows 2000, Active Directory, ActiveX, BackOffice, FrontPage, Hotmail, Jscript, MSN, NetMeeting, Outlook, PowerPoint, SQL Server, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States, and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Module 9: Outlook Web Access 1

Overview

*****************************illegal for non-trainer use******************************

Welcome to Microsoft Outlook Web Access provided by Microsoft® Exchange Server 2003. There are a host of major new features in the product and nearly as many improvements in existing features:

Faster performance

Better logon/logoff experience

Spell check

Rules for managing mail

E-mail Signatures

Encrypted and Signed mail

Personal Tasks

Meeting Request enhancements

And a whole lot more…

What follows is a guided tour of the additions and changes in this release of Outlook Web Access.

After completing this module, you will be able to:

Describe the new features in Microsoft® Outlook® Web Access Premium.

Describe the new features in Microsoft® Outlook® Web Access Basic.

Compare Public versus Private connection.

Configure Forms Based Authentication (cookie auth).

Describe GZip compression as it relates to Outlook Web Access.

Configure Outlook Web Access Attachment Blocking.

Describe the capabilities of the Outlook Web Access Secure/Multipurpose Internet Mil Extensions (S/MIME) Control.racts with other components.

Introduction

Objectives

2 Module 9: Outlook Web Access

Lesson 1: Summary of Features


Outlook Web Access in Exchange 2003 actually comes in two versions:

Outlook Web Access Premium, which can be used by Microsoft®

Internet Explorer 5.01 or higher.

Outlook Web Access Basic, which can be used by all types of Internet browse.

For a complete listing of Outlook Web Access Improvements see Module 9 Appendix A.


Lesson 2: Outlook Web Access Basic

The Outlook Web Access Basic client is designed to run in most common browsers (compliance with the HTML 3.2 and European Computer Manufacturers Association [ECMA] Script standards is required). Outlook Web Access Basic has a different user interface than the Premium client and only a subset of the Premium client’s functionality. Outlook Web Access Basic, however, is the preferred client for users with accessibility needs.

This document provides a quick overview of what was added to Outlook Web Access Basic in Exchange 2003.

It is necessary to first read about the enhancements to Outlook Web Access Premium to understand the changes in the Basic client.

Unlike the Premium experience, Outlook Web Access Basic does not support right-to-left layouts for languages such as Arabic and Hebrew. Toolbars and view headers are not fixed to the top of the window, so when the user scrolls down in the view, the toolbars and view headers scroll off screen.

When you access your e-mail account through Outlook Web Access, you will be directed to a logon page if you are logging on via a front-end server like https://mail.northwindtraders.com/exchange.

If you are using Internet Explorer 5.01 – Internet Explorer 6.0 or greater for Windows as your browser, you will get the Outlook Web Access Premium version of the logon page, where you can choose the Premium or Basic client. If you are using any other browser, you will not have this choice.

The security-level feature functions exactly the same as described for Outlook Web Access Premium and has the same effect on how long your session can be inactive before expiring.

Introduction

Important

Logon Page


UI Revamp


Once you log in to Outlook Web Access Basic, you will notice that the user interface (UI) has been refreshed from battleship gray to the same true-blue color scheme as in the Premium version. However, this is the only color scheme available for the Basic client. Also, the Basic client still uses the browser’s default font for displaying UI text.

The enhancements to the e-mail view include:

An option to set the number of items that display per page in the message list — now you are not just stuck at 25 (see the “Messaging Options” section of the Outlook Web Access options page).

Icons in your mail folders show the types of messages you have received and whether the messages are read or unread.

The “By Conversation Topic” view has been improved to put the newest conversation at the top of the messages list.

Outlook Web Access Basic does not have a Reading Pane, context menus, the ability mark as read/unread, Quick Flagging, keyboard shortcuts, or deferred refresh after delete.

Outlook Web Access Basic does allow you to manage your junk e-mail settings, but you cannot add new senders to the block or safe lists directly from the view. Instead, you must manage these settings completely from the “Privacy and Junk E-mail Prevention” section of the Outlook Web Access options page. Just choose the “Manage Junk E-mail Lists” button, and you will be taken to an interface where you can add, modify, or remove members in your block and safe lists.

The contents of the block and safe lists will be the same whether you manage them from Outlook, Outlook Web Access Basic, or Outlook Web Access Premium.

There have been cosmetic changes to the Outlook Web Access Basic Navigation Pane. There is now a link there for quick access to your Junk Mail

Options - Junk Mail Filtering

Navigation


folder, and the Public Folders link is now in the Navigation Pane, too. But otherwise the Navigation Pane functions as it always has.

Outlook Web Access Basic provides no access to Search Folders or rules. There are no commands for updating folders or for making it easier to drag items into folders, because Outlook Web Access Basic does not show folders in the Navigation Pane. And there are no notifications in the Outlook Web Access Basic Navigation Pane for new mail or pending reminders. In fact, Outlook Web Access Basic does not display reminders at all.


Improved E-mail Experience (1)


Outlook Web Access Basic does not have a spell checker, and the functionality of adding/removing the addresses in the recipient wells has not been changed.

If a name in an e-mail message or meeting form has been resolved against the Global Address List (GAL), in the properties dialog you now will see some of the key GAL properties for that address — not just the display name and SMTP address of the recipient. Just click any resolved name in an e-mail you are writing or reading to see its properties sheet.

Outlook Web Access does not show the full range of GAL properties that Outlook shows, just the main address and phone information that is listed in the GAL for the address.

Simple SMTP addresses or addresses that come from your Contacts folder still show the same information as was available before: display name and SMTP address.

Unlike in Outlook Web Access Premium, Outlook Web Access Basic does not have buttons for invoking e-mail properties from Find Names or Check Names.

Outlook Web Access Basic does not have the “Add to Contacts” feature on properties sheets or anywhere else in the client.

You now can add names found in a GAL search directly to a message or a meeting request you’re composing. Just click on any of the address book icons in the mail or meeting compose forms to launch Find Names.

Find Names now appears in its own window, and the results of your query are sorted alphabetically.

You cannot search Contacts in the Outlook Web Access Basic Address Book — only the GAL.

You can create a plain-text auto signature in basic Outlook Web Access in the editor under “Messaging Options” on the Outlook Web Access options page.

GAL Properties Sheets

Find Names Enhancements

Auto Signature


If you already have created a signature in Outlook Web Access Premium, then a plain-text representation of that signature will exist in Outlook Web Access Basic. If you make any edits to the signature in Outlook Web Access Basic, however, you will overwrite all custom formatting in your Outlook Web Access Premium signature.

You cannot insert a signature on demand in Outlook Web Access Basic — you either enable it to be inserted automatically or not at all.

Outlook Web Access Basic does not have special options for where to go after deleting an open message. You always return to the message list.

By default, Outlook Web Access for Exchange 2003 will not send read receipts automatically

If you change the setting to always send read receipts, then Outlook Web Access will fall back to the old behavior of automatically filling all read-receipt requests without notifying you about those requests.

Please note that how you set this option in the Premium client will affect the behavior in the Basic client and vice versa.

This is the same in Outlook Web Access Basic as it is in Outlook Web Access Premium. If you enable or disable the feature in the Premium client, it will affect behavior in the Basic client and vice versa.

This feature is the same in Outlook Web Access Basic as Outlook Web Access Premium.

This administrative setting affects Outlook Web Access Basic the same way it affects Outlook Web Access Premium.


Because Outlook Web Access Basic uses a plain-text mail editor, Outlook Web Access Basic has never indented old message content on reply or forward.

Because items in Outlook Web Access Basic do not display in their own windows, the window-size feature does not apply to Outlook Web Access Basic. Furthermore, because Outlook Web Access Basic runs in the full browser window and does not open individual item windows, the status bar always has been available when items are open.

Navigate After Delete

Read Receipt Settings

“Web Beacon” Blocking

Privacy Protection When Following a Link in E-Mail

Attachment Blocking

Sensitivity and Reply/Forward Infobar

Reply Header and Body Not Indented

Item Window Size and Status Bar





There is no S/MIME mail in Outlook Web Access Basic. However, Outlook Web Access Basic now lets you open attached e-mail within a clear-signed message. Furthermore, Outlook Web Access Basic preserves the message body contents (but not attachments) when you reply to or forward a clear-signed message.

There is no rules interface in Outlook Web Access Basic. However, your e-mail still is processed according to the server-side rules you set from Outlook or Outlook Web Access Premium.

All of the task-related features available in Outlook Web Access Premium also are available in Outlook Web Access Basic except for reminders. (You can set a reminder date and time, but no reminder will ever appear in Outlook Web Access Basic.) Of course, because of UI differences, the way to complete certain actions may be different.

For example, in the task view, to mark an item as complete, you cannot just click a “Mark Complete” checkbox as in Outlook Web Access Premium. Instead, you must select the task to mark complete and then choose the “Mark Complete” button on the toolbar.

Or when composing a task, the user interface for choosing a task start date, due date, or reminder date is very different in the Basic client from the Premium client.

Several popular Outlook Meeting Request features now have been added to Outlook Web Access Basic Meeting Requests.

1. You now can forward Meeting Requests to people not originally on the organizer’s invite list (even if you’re the organizer). You also can create an e-mail reply to a meeting organizer (and optionally all the attendees) directly from a Meeting Request.

Mail in Public Folders

Signed and Encrypted Mail

Rules

Personal Tasks

Meeting Request Enhancements


2. When canceling meetings, you now can edit the meeting cancellation notice before it is sent to explain the reason for the cancellation.

3. Invitees can open the Calendar from a Meeting Request so that they can view their schedules while evaluating the Meeting Request.

However, attendees cannot set reminders on accepted Meeting Requests in Outlook Web Access Basic.


Lesson 3: Outlook Web Access Premium


The Outlook Web Access team has made great efforts to improve the product’s speed by reducing the bytes of code that must travel from the server to the browser in response to common user actions. By sending fewer bytes, you have to wait less time to see the results of your actions. Plus, if your Exchange administrator enables Outlook Web Access compression and you are using Internet Explorer 6 SP1 for Windows with patch Q328970 or higher, the byte reduction — and resulting speed gains — are even greater.

Outlook Web Access also downloads necessary client-side files to your browser while you are entering your credentials on the logon page. By the time you are logged in, essential scripts and controls already should be on your computer and ready for Outlook Web Access to use, thus making your Inbox appear more quickly.

Overall, even with the enhanced interface and multitude of new features about which you will read in the following pages, Outlook Web Access should seem faster — especially over slow connections — and respond more quickly to your commands.

Outlook Web Access now offers a new look logon page. This page requires SSL and is called Forms Based Authentication.

You are still required to type your DOMAIN\username and network password to enter your account.

This logon page is more than a cosmetic change — it offers several elements of new functionality.

You can choose which version of the Outlook Web Access client to load — the Premium client, which is designed specifically for Internet Explorer 5.01 – Internet Explorer 6.0 or greater for Windows, or the Basic client, which runs in most browsers.

Performance

Logon Page

Choose Your Outlook Web Access Version


You might wonder why you would ever want to load up the Basic client if you are running Internet Explorer 5.01 or higher. There are two reasons: speed and accessibility.

Because Outlook Web Access Basic must work in any browser (or at least those browsers that support HTML3.2 and ECMA Script), it is designed to be a simple user experience that loads quickly. On a slow link, the Basic client may be the best option if you just need to quickly check your Inbox or look up the time of an appointment on your Calendar.

But Outlook Web Access Basic lacks some useful features available in the Premium client, and it also has a less familiar user interface (UI) that bears little in common with Microsoft Outlook. (Improvements in the Basic client are covered later in this document.) For longer Outlook Web Access sessions, the workflow enhancements in the Premium client may prove more beneficial than the raw download speed of Outlook Web Access Basic.

If you are a user with accessibility needs, however, you are likely to prefer the Basic client. The simple HTML 3.2 in which the Basic client is written interacts well with common screen readers and other accessibility aids.

Besides choosing which version of Outlook Web Access to use, you also must choose a security level that’s appropriate for the computer from which you are logging in. The security level determines how long your Outlook Web Access session will remain open if you leave the computer unattended.

If you are connecting from a public Internet kiosk, you should choose the “Public or Shared Computer” option. You will remain logged in to Outlook Web Access as long as your session is not inactive for more than 15 minutes.

If you are logging in from your computer at home or work, you should choose the “Private” option. You will remain logged in to Outlook Web Access as long as your session is not inactive for more than 24 hours. (The period of inactivity required before automatic logoff on public and private computers can be shortened or lengthened for all users by an Outlook Web Access administrator.) Each has a specific registry setting that controls the time out value.

This new feature is designed to safeguard access to your account. Outlook Web Access’ power resides in the fact that you can use it to view your corporate mail, appointments, contacts, and tasks from any computer that is connected to the Internet. But this convenience opens up a security risk.

In the past, it has been possible for you to open an Outlook Web Access session on a public Internet terminal and then leave the terminal with your Outlook Web Access session available to future terminal users. That was because Outlook Web Access relied on the browser to store your Outlook Web Access username and password. To clear the browser’s credentials cache, you had to close the browser.

If you were using Outlook Web Access at an Internet terminal where it was impossible to close the browser when you were done with the terminal, your Outlook Web Access credentials would remain stored in the terminal’s browser. Thus the next terminal user may have been able go through the browser’s history log to gain unfettered access to your Outlook Web Access account.

Now when you log on to Outlook Web Access using the new logon page, your credentials are stored in a session cookie. Instead of needing to close the browser to log off, you merely need to click the “Log Off” button in Outlook

Choose Your Security Level

Public or Shared Computer

Private


Web Access (closing the browser will also still log you off). The session cookie is expired, and access to your account is closed. Thus at a public Internet terminal, now you can log off from Outlook Web Access with confidence that your account will not be open to future users.

And if you accidentally leave the terminal without logging off from Outlook Web Access, automatic logoff reduces the risk of unauthorized access to your account by causing the session cookie to expire after a period of inactivity. By choosing the “Public” option when you log on to Outlook Web Access from an Internet terminal or shared computer, you do your part in keeping your data secure by shortening the period of inactivity that is required for automatic logoff to occur.

Because you are going to be logged off from Outlook Web Access after a certain amount of inactivity, it is important to understand what constitutes activity.

In general, any interaction between the client and the server is considered activity: opening, sending, or saving an item; switching folders or modules; refreshing the view or the browser. Outlook Web Access Premium also has special code so that typing in a message body is counted as activity. However, typing in any other type of item (appointment, meeting request, post, contact, task, etc.) is not considered activity.

There is no warning before automatic logoff occurs. If you have any concern that you are going to be logged off automatically, the best thing to do is every so often perform one of the actions that causes interaction with the server.

If you do get automatically logged off while working in Outlook Web Access Premium, the effects are not catastrophic. When you try to perform some action — for example, sending a meeting request after logoff has occurred — you will be prompted to log in again. Once you are reconnected, you can perform the action that previously resulted in the prompt to log in.

If your mailbox is on a Microsoft® Exchange 2000 Service Pack 3 (SP3) server instead of an Exchange 2003 server, you may find the experience of reconnecting after automatic logoff a bit more cumbersome. That is because you may not be prompted to log in again in some circumstances. You will perform an action, and Outlook Web Access will appear unresponsive.

Do not fret! Leave your item windows open. All you need to do in this circumstance is go to the browser window that contains the main Outlook Web Access view (such as your inbox or calendar), refresh the browser, and you will see the log on screen again. Once you are reconnected, you can perform the action that previously was unresponsive.

Later this document will cover how the automatic logoff experience applies to Outlook Web Access Basic.

If you do not access Outlook Web Access through the new logon page, Outlook Web Access logoff is still more secure for users of Internet Explorer 6 SP1 for Windows. With Internet Explorer 6 SP1, the browser’s credentials cache is cleared upon logoff from Outlook Web Access. Closing the browser window is no longer necessary to clear the credentials cache.

Activity versus Inactivity

Clearing the Credentials Cache


UI Revamp (1)


Once you log in to Outlook Web Access, you always start in your Inbox, so that is the next stop on this tour.

Besides the new blue color scheme and cleaned-up toolbar, you will immediately notice the new “Two-Line View” of messages in your inbox with the Reading Pane (previously known as the Preview Pane) to the right.

The new layout provides more content in the Reading Pane without diminishing the number of visible items in the message list.

One size does not fit all when it comes to the amount of screen space to allocate between the message list and the Reading Pane. So now you can divide up the space as you prefer for every mail folder in your mailbox. And Outlook Web Access will remember your preferences even after you log off.

Just put your mouse pointer in the boundary between the list and the preview pane. When you see the pointer change to , hold the primary mouse button and drag to resize.

If you prefer the classic layout with the Reading Pane at the bottom, you can move it back there — or turn it off all together with the Reading Pane toggle on the toolbar.

You also can return to the traditional layout of your message list or switch into any of the other Outlook Web Access views you have come to rely on. The view menu now is located just above the message list.

There also are new options for determining whether to automatically mark a message as read when you view it in the Reading Pane. These options are available in the “Reading Pane Options” section of the Outlook Web Access Options Page.

The mail view has not just been reoriented — it has new commands, too.

New Mail View and Reading Pane

Mark as Read/Unread


The features “Mark as Read” for unread messages and “Mark as Unread” for previously read messages are available in two ways:

As keyboard shortcuts.

As part of a new context menu in the mail view.

The keyboard shortcuts for the feature are as follows:

1. Mark selected message as read - Ctrl+Q.

2. Mark selected message as unread - Ctrl+U.

The context menu, available by right-clicking on items in the message list, contains mark as read/unread, as well as several other common commands.

You will notice there are flagging commands on the context menu. With them, you can quickly flag a message for follow-up or mark complete an item that was previously flagged for follow-up. You also can completely clear the flag status.

These follow-up flags are different from the flags you could set in past versions of Outlook, because they do not have an associated reminder that you can set to pop up at a desired time. And you cannot use them as a means to flag items you send to other users. Quick Flags simply provide a visual indicator for letting you see which items in your mail you marked as needing further action.

It is not necessary to use the context menu to flag an item; you can click the blank flag icon next to the message that you want to flag. If the flag already has been turned on, you can mark the flag as complete by clicking it again. To clear the flag completely, though, you must use the context menu.

And, finally, if you get tired of farmhouse red for your flag color, you can right-click the flag icon to bring up a context menu of six choices ranging from harvest yellow to aquamarine blue.

Outlook Web Access now has tools to help you keep unwanted junk mail out of your inbox.

Once you enable the option to filter junk e-mail under the “Privacy and Junk E-mail Prevention” section of the Outlook Web Access options page, you will be able to quickly add specific senders to your block list.

When you get mail that is from a junk-mail sender, right-click on the message in the message list and choose “Add Sender to Blocked Senders List.” All future mail from that sender will go straight to your Junk Mail folder. Note: You will still have to delete the original message to get it out of your inbox.

If your Exchange administrator has enabled the server-side junk-mail filter (not shipping on the Exchange 2003 CD), then all incoming messages will be scanned, and those that are judged as likely to be spam will be moved automatically to the Junk Mail folder. If mail from some senders is falsely judged as spam, you will have the ability to ensure that nothing else from that sender gets moved automatically to the junk mail folder. Just right-click the message and choose “Add Sender to Safe Senders List.”

Context Menu

Quick Flagging

Junk Mail Filtering


If you receive mail from distribution lists, you also can add these distribution lists to the “Safe Recipients” list so that these messages will not be filtered to your junk mail. To manage your safe recipients, you need to open the e-mail, right-click on the name of the distribution list, and then choose the “Add to Safe Recipients” option.

If you want to see who is in your safe or block lists or make changes to those lists, you can do so by choosing the “Manage Junk E-mail Lists” button on the Outlook Web Access options page. From this dialog, you can see the contents of your safe and block lists. You also can add, delete, or modify members of the lists from here.

Outlook 2003 also will have its own junk-mail filter. Any additions or changes you make to your block or safe lists in Outlook Web Access will be made in Outlook 2003. The reverse also is true: Outlook Web Access will pick up any additions or changes you make to your block or safe lists in Outlook.

There are several other new features in the mail view:

You can set the number of items that display per page in the message list — now you are not stuck at 25 (see the “Messaging Options” section of Outlook Web Access’ options page). This option also will affect the number of contacts and tasks that display per page in those modules.

It can be great to view 100 items per page on a LAN or broadband connection but painfully slow on a dial-up connection. The scenario in which you most commonly will use Outlook Web Access should determine how you set this option.

You can open or save attachments directly from the Reading Pane.

You can view sender or recipient properties directly from the Reading Pane.

When your focus is in the mail view, you have several new keyboard shortcuts for common commands:

• Refresh view - F9 (also works for refreshing items in other views).

• New message - Ctrl+N (also works for creating new items in other views).

• Reply to selected message - Ctrl+R

• Reply all to selected message - Ctrl+Shift+R

• Forward selected message- Ctrl+Shift+F

• The reply and forward shortcuts also work in the item window for a received mail message.

Icons in your mail folders show the types of messages you have received, if they are read or unread, and whether you have replied to or forwarded them. These icons can make scanning your mail folders a much quicker task.

The “By Conversation Topic” view has been improved so that the conversation topic containing the most recent e-mail is at the top of the view.

In past versions of Outlook Web Access, after you deleted an item in a message list, Outlook Web Access would re-retrieve the entire contents of the list, thus showing you any new messages that had been delivered to the folder. This

Other New View Features

Note

Deferred Refresh after Delete


made deleting messages a slow process, because you had to wait for the entire list to refresh after every delete.

Now Outlook Web Access will not refresh the message list after a delete until more than 20 percent of the messages on a page in the list have been deleted. The percentage is based on the total number of items set to display per page (as set by the user in the Outlook Web Access options page) — not the actual count of messages on a page.

For example, if you request 100 messages to display per page, your message list will not automatically refresh until you have deleted 21 messages from a page.

Do not be alarmed if you are worried that now you will never automatically see your new mail. You still can set an option to be notified when new mail has arrived.

The Outlook Web Access UI has been changed from gray to a bright blue to match the appearance of Microsoft® Office 2003 applications. You also can set the client's hue to one that better suits your mood.

Just go to the “Appearance” section of the Outlook Web Access options page and pick a different color scheme from the dropdown. The current options are blue, dark blue, burgundy, olive and silver.

Along with the new color schemes, the Outlook Web Access user interface looks more stylish because the font used on all the UI text is the same one that is found in most Microsoft applications. Say goodbye to seeing the Outlook Web Access interface in Times New Roman just because that is the browser’s default font.

And when you read e-mail messages, if the sender was using a “plain text” mail editor that did not set a font preference on the message body, Outlook Web Access selects a proper font in which to display the message content instead of relying on the browser’s default font.

Color Schemes

Standard Fonts


UI Revamp (2)


One of the biggest changes in Outlook Web Access is the merger of the shortcuts bar and folder bar into one unit — no more switching between folders and shortcuts. They are all in one place now on the new Navigation Pane. You can make the shortcuts large or small, as shown in the following pictures.

You also can set the width of the Navigation Pane by dragging its border to the left or the right, and Outlook Web Access will remember the custom size from session to session.

If you drag and drop an e-mail message from the message list into a folder in the Navigation Pane, the destination folder where you position your mouse pointer is highlighted — no more guessing which folder is the target of your move or copy.

Even better, if you want to move an e-mail message into a subfolder that is not visible, just drag the message to the parent folder but do not release the mouse button. Keep your mouse pointer positioned over the parent folder until the subfolders automatically expand. Then continue your drag to the now-visible subfolders and release the mouse button when the desired folder is highlighted.

One of the most common complaints from Outlook Web Access users is that the number of unread messages in their folders does not stay updated in real time. The problem with providing such functionality is that it would use significant server and network resources to continually poll your Exchange server to keep the folder information accurate. But now you have an easier option than refreshing the entire browser to get updated counts of unread messages in your folders.

Along with a couple of new navigation options such as Tasks and Rules, there may be a new section in your folder tree called Search Folders.

Tasks and Rules will be covered later in this document. Search Folders are a new addition to Outlook 2003.

New Navigation

Easier Moving or Copying to Folders

Update Folders

Search Folders


They will only show up in Outlook Web Access if you have created or activated them while running Outlook in “online mode,” where Outlook has a constant connection to the Exchange server.

Search Folders cannot be created or modified in Outlook Web Access. And if you only use Outlook in “cached Exchange” mode, you will never see any Search Folders in Outlook Web Access.

Search Folders are very powerful because they let you find all the mail in your account that has been sent from a particular person or that has been flagged for follow-up or that meets some other set of criteria important to you. If you use Search Folders in Outlook 2003, now you can use them in Outlook Web Access, too!

If you have enabled the setting to be notified of new mail and/or reminders, the Navigation Pane now tells you when you have new items in your inbox and/or active reminders that you have neither dismissed nor snoozed.

Public Folders now display in their own window. If you click the Public Folders button on the Navigation Pane, it launches a new browser window containing only Public Folders.

This feature has been moved from the Navigation Pane to the far end of the toolbar.

Note

Notifications

Public Folders

Log Off



E-mail is the heart of Outlook Web Access, and new features have been added to make it easier than ever to compose messages or get the information you need from received messages.

It is time to find a better excuse for typos in your messages other than “Outlook Web Access doesn’t have a spelling checker.” In Outlook Web Access for Exchange 2003, you can check your spelling in English, French, German, Italian, Korean, or Spanish. Just click the familiar spelling check icon in a draft e-mail message’s toolbar.

If you have ever sent a message and then immediately wished you had checked your spelling first, Outlook Web Access also lets you set an option to always check your spelling check on Send.

One warning: Remember that checking your spelling in Outlook Web Access is a server-side process, which means the contents of your message must be sent back to the server for examination. On a slower link, you may find the process of automatically checking every outgoing message to be time-consuming. Keep this in mind when deciding whether to enable the feature to always check your spelling on Send.

The “Spelling Options” section in the Outlook Web Access options page is the place to configure your spelling checker settings. But there is nothing to download to enable it.

Here is a familiar scenario: You type an alias in an Outlook Web Access e-mail message and then learn when you try to send the message that the address was unrecognized. When this happens, how easy is it to get rid of that bad e-mail address from your message?

If you were smart enough to realize from the beginning that you had to click the unrecognized name to bring up its properties and then delete the address from that properties dialog — good for you! But for anyone who found the process tedious at best and confusing at worst, help is here.

Spell Check

New Addressing Wells


Outlook Web Access for Exchange 2003 makes it easy to delete ambiguous or recognized addresses from an e-mail message you are composing. All you have to do is click the address to highlight it, and press the delete key to remove it. You also can right-click the address and choose “Remove” from the context menu.

When you right-click a recognized or ambiguous address, you will also notice “Properties” as a menu choice. But the properties dialog in Outlook Web Access now shows a lot more useful information.

If a name in an e-mail message has been resolved against the global address list (GAL), in the properties dialog you now will see some of the key GAL properties for that address — not just the display name and SMTP address of the recipient.

Outlook Web Access does not show the full range of GAL properties that Outlook shows, just the main address and phone information that is listed in the GAL for the address.

Simple SMTP addresses or addresses that come from your Contacts folder still show the same information as was available in old versions of Outlook Web Access: display name and SMTP address.

Properties sheets are now available from more locations than e-mail messages or meeting requests. They also can be invoked by double-clicking (or right-clicking and choosing “Properties”) on the sender or recipients in received e-mail messages. Or as noted earlier, in the Reading Pane you can double-click senders or recipients to see their properties.

There also are buttons for invoking properties from Find Names and from the Check Names.

The “Add to Contacts” command makes it easy to quickly add any address — whether it is on a message you are composing or on a message you have received — into your main Contacts folder.

You will find the command conveniently located on the context menu that appears when you right-click a resolved name in an e-mail message or meeting request. (This context menu is not available in the Reading Pane.) There is also an “Add to Contacts” button in the properties dialog for resolved e-mail addresses.

Adding the ability to invoke properties sheets from Find Names is just one of several enhancements that have been made there.

Now you can choose whether to search the GAL or your Contacts folder when you are looking up an address.

And if you call up Find Names from a view instead of an e-mail message, there is a new feature for creating a message to any one of the addresses in your search results.

You will also notice that the search results in Find Names or Check Names now are sorted alphabetically

How many times have you typed your name, title, extension, and other bits of info at the end of every message you send in Outlook Web Access? If your answer is, "Too many," your days of needless typing are over.

GAL Properties Sheets

Add to Contacts

Find Names Enhancements

Auto Signature


Create an Outlook Web Access signature by clicking the "Edit Signature" button under “Messaging Options” on the options page, and then give your fingers a rest.

You can set the signature to be automatically included in every message you create. Or you can just create the signature and insert it on demand via the "Insert Signature" toolbar button in the message compose form.

Another new setting under “Messaging Options” is the default font for the e-mail editor. Now your Outlook Web Access e-mail editor font no longer has to be the same as the browser’s default font. Choose any font face, size, and color available on your computer or stick with the choice that Outlook Web Access makes for you.

Outlook Web Access now has a long-requested feature to allow you to choose where you navigate after deleting an open message. You can choose to automatically open the next message in the folder, open the previous message, or go back to the message list in the view.

The default behavior is to automatically open the next message. You can change your preference in the “Messaging Options” on the Outlook Web Access options page.

It is important to note that regardless of your setting, if you open a message from Folder A, switch to Folder B, and then delete the open message, you will navigate to the message list for Folder B. Outlook Web Access will not open a new message from Folder A.

Finally, if you delete a message directly from the message list — not one that you had opened into its own window — the highlight will move down in the message list after the delete if you have chosen either the “open the next message” setting or the “return to the view” setting. The highlight will move up if you’ve chosen “open the previous message.”

In previous versions of Outlook Web Access, if you read a message where the sender had requested a read receipt, Outlook Web Access sent the receipt automatically. You did not have a choice to block the sending of read receipts. Now you do with Outlook Web Access for Exchange 2003.

In the “Privacy and Junk E-mail Prevention” section of the Outlook Web Access options page, there is a setting to determine whether Outlook Web Access sends read receipts.

By default, Outlook Web Access will no longer send read receipts automatically. In the Premium client, you will see an infobar in a received e-mail message any time a user requests a read receipt. There will be a link in the infobar that you can activate if you wish to honor the request for a receipt.

If you change the setting to always send read receipts, then Outlook Web Access will fall back to the old behavior of automatically filling all read-receipt requests without notifying you of those requests.

When a junk-mail sender distributes junk e-mail, he often does not know whether he is sending messages to valid e-mail recipients. But with old versions of Outlook Web Access, if you were to open a junk e-mail — or even just read it in the preview pane — the sender had the potential to know your address was

Default Mail Font

Navigate After Delete

Read Receipt Settings

“Web Beacon” Blocking


real and active because of something called a “Web beacon.” Now Outlook Web Access blocks potential “Web beacons” by default.

Here’s how a “Web beacon” works. When you receive an HTML-based e-mail message, it can contain pictures, video, or other types of content other than just text. Sometimes those pictures, videos, etc. come as attachments, which actually reside in the message body. But other times this content is located on an external Web server on the Internet rather than actually being part of the e-mail message. And it is in messages that contain references to external content where trouble with “Web beacons” can begin.

Say that instead of referencing a picture or video, the sender references a program on his Web server that is designed to catalog your e-mail address as valid once you open the message. That is a “Web beacon.” And if the sender was a junk e-mailer, once he knows your address is legit, it is open season on your account.

But Outlook Web Access for Exchange 2003 has made it tougher for junk senders to use “Web beacons” to retrieve your e-mail address. Now if you receive a message with references to external content

Outlook Web Access cannot tell you whether the message actually contains “Web beacons.” The references to external content may be harmless. If you believe the message is legitimate, you can just choose to see the message with all its pictures and other external content. But if you suspect the message contains beacons for nefarious purposes, you now can just delete the message without triggering anything that tells the sender, “Hey, I’m here. Send me more junk mail.”

When a user clicks a hyperlink in the body of an e-mail message, Outlook Web Access helps protect private information from being revealed to the visited Web site. Past versions of Outlook Web Access revealed the user’s account name, server name, and the subject of the message that contained the link. Now only the user’s server name is revealed to the visited site.

There are a host of new attachment-blocking features in Outlook Web Access.

By default, attachments with the following extensions are blocked in Outlook Web Access for Exchange 2003: ade, adp, app, asx, bas, at, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, js, jse, ksh, lnk, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, reg, scf, scr, sct, shb, shs, url, vb, vbe, vbs, wsc, wsf, and wsh.

Administrators also can block access to attachments in specific scenarios. At the most restrictive, an administrator can block access to all attachments. Or it is possible for an administrator to block access to attachments when users connect to Outlook Web Access through the Internet but to allow access when users connect through the corporate intranet. This is particularly useful for keeping users from potentially compromising corporate security by opening attachments when using Outlook Web Access at public Internet terminals while still providing full access to employees in the office.

Similar to attached files are documents and other types of files stored in Public Folders. By default, Outlook Web Access now blocks users from opening these documents. But an administrator has the same flexibility of permitting or denying access to these files that the admin has to permitting or denying access to attachments.

Privacy Protection When Following a Link in E-Mail

Attachment Blocking


The infobar now will indicate the date and time you replied to or forwarded a received message.

The infobar in a received e-mail now shows the message’s sensitivity setting, if one was set, such as Confidential.

Infobar Improvements




Here is a common scenario: You get added to a message that other people already have sent back and forth many times over. You want to understand the history of the issue being discussed, so you scroll through the old contents of the message, working your way through all the replies back to the original message. But before you reach the beginning, you get to a point where it is impossible to read any more. The old contents have been indented into illegibility because of the Outlook Web Access feature of indenting the old message body on reply.

Well, Outlook Web Access is not going to indent the message on reply any more. It cannot be guaranteed what other e-mail clients will do. But from now on, with Outlook Web Access for Exchange 2003 (or Outlook 2003), the reply header and body will stay at the same alignment as the original content. Instead of an indent, a horizontal rule offsets the reply header and body from the new content.

Outlook Web Access used to always launch any window, either to read an item or create an item, at the set size of 500 pixels wide by 700 pixels high. If you resized an item window, it did not matter. The next time you opened an item, it still would be 500x700.

Now, during an Outlook Web Access session, Outlook Web Access will remember if you resize the item window and will open all future item windows at that size. The new window size is not persisted to future Outlook Web Access sessions.

This works for all item windows — mail, calendar, contacts, and tasks. It is one size for all item windows, not one size for messages and another for tasks.

All Outlook Web Access item windows now show a status bar at the bottom. If you receive a message that contains a hyperlink, you can position your mouse pointer over the link and look in the status bar to see the target Web address (a/k/a the URL) for the link.

Reply Header and Body Not Indented

Item Window Size

Window Status Bar


You have always been able to post to Public Folders from Outlook Web Access, but in Outlook Web Access for Exchange 2000 you could not send e-mail from Public Folders.

For example, if you wanted either to reply privately by e-mail to a post or e-mail in a public folder or to forward that post or e-mail to another person, you could not do it. Now you can so long as you connect to your Outlook Web Access account through a front-end server. (If you are reaching your account through an address like https://mail.northwindtraders.com/exchange, you are going through a front-end server.)

Several popular Outlook Meeting Request features now have been added to Outlook Web Access Meeting Requests.

You now can forward Meeting Requests to people not originally on the organizer’s invite list (even if you are the organizer). You also can create an e-mail reply to a meeting organizer (and optionally all the attendees) directly from a Meeting Request.

When canceling meetings, you now can edit the meeting cancellation notice before it is sent to explain the reason for the cancellation.

Attendees now can set reminders on the Meeting Requests they accept in Outlook Web Access.

Invitees can open the Calendar from a Meeting Request so that they can view their schedules while evaluating the Meeting Request.

Outlook Web Access now supports right-to-left layouts in the Arabic and Hebrew versions of the client.

You will also notice two new buttons on the formatting toolbar in the e-mail editor:

These buttons are for setting the individual direction of each paragraph in your e-mail message. If you are composing a message in a left-to-right language like English but need to add a paragraph containing right-to-left content — say some Arabic or Hebrew — you can start a new paragraph and switch into right-to-left mode.

The reverse is true, too: If you are composing in a right-to-left language like Arabic or Hebrew but need to add a left-to-right paragraph in English, for example, you can switch into left-to-right mode.

Internet Explorer 6.0 and greater for Windows is required for bidirectional support.

The toolbar now stays put when you scroll through the Outlook Web Access options page, which means as soon as you have made your changes in Options, you can save them without having to scroll back to the toolbar.

A major addition to the Outlook Web Access e-mail experience is the ability to send and receive signed and/or encrypted mail, also known as S/MIME mail.

Signed mail is verified to be sent by the possessor of a specific digital ID. When you receive an e-mail with a valid digital signature, you can have more

Mail in Public Folders

Meeting Request Enhancements

Right to Left Language Support

Note

Options Page Toolbar

SMIME


assurance that the message came from the listed sender than you would with either an unsigned e-mail or an e-mail with an invalid digital signature.

Encrypted mail is mail that can be opened only by a user with a specific digital ID. The holder of that digital ID has a special key for decrypting the message you sent.


Improved E-mail Experience: Rules


You now can create server-based mail-handling rules in Outlook Web Access or use it to manage the server-based rules you created in Outlook. The link for entering the rules interface is near the bottom of the Navigation Pane.

Any rule created in Outlook that cannot be modified in Outlook Web Access is unavailable in the Outlook Web Access rules interface. Outlook Web Access has a simple rule editor that is not designed to handle the full gamut of conditions and criteria available in creating rules in Outlook. Rather, as shown below, Outlook Web Access focuses on using rules for the most common mail-management scenarios like moving mail from a particular sender or with a particular subject to a specific folder.

The most common mail-handling actions are supported:

1. Automatically move/copy message to a folder.

2. Automatically delete message.

3. Automatically forward a message (with the option to keep a copy).

There are several criteria that Outlook Web Access rules can evaluate before acting on messages:

1. From field contains ______.

2. Subject contains ______.

3. Sent to (user names and/or distribution list).

4. Sent only to me.

5. Level of importance.

The rule editor also can be invoked directly via a toolbar button in a received message or from the context menu in the mail view.

Actions and Criteria


Because of interoperability limitations with Outlook, Outlook Web Access will need to delete all rules disabled from Outlook before letting you modify any active rules.

Some people create many rules in Outlook that they enable and disable based on their schedules. For example, a traveling salesperson may enable a rule while they are out of the office to forward all mail with a particular subject to a specific coworker. When the salesperson returns to the office, they disable the rule.

But if this salesperson were to go to Outlook Web Access to create or modify another rule while this forwarding rule was disabled, Outlook Web Access would need to delete the disabled rule before saving the Outlook Web Access-created/modified rule.

This deletion of disabled rules will not happen automatically. When you go to modify a rule, you will receive a warning indicating that your disabled rules will be deleted if you proceed.

If you do modify rules from Outlook Web Access, the next time you launch Outlook or attempt to modify rules there, you may be asked via a dialog whether you want to keep client or server-side rules. If you want to retain the rules you created in Outlook Web Access, you will need to choose server-side rules.

Handling Disabled Rules


Improved E-mail Experience: Personal Tasks


You might be asking yourself, “Haven’t I always been able to see Tasks in Outlook Web Access?” The old version of Outlook Web Access let you see the tasks you created in Outlook, but you could not edit these tasks or create new ones.

Outlook Web Access for Exchange 2003 lets you create and manage personal tasks or manage those personal tasks you already created in Outlook.

Outlook has a feature for delegating tasks to other users via Task Requests. Outlook Web Access does not have this functionality. Furthermore, in Outlook Web Access you cannot process Task Requests sent from Outlook or update any delegated tasks you have already accepted in Outlook.

Outlook Web Access does allow users to delete Task Requests or previously accepted delegated tasks, but the assignor will receive no feedback that the delete took place.

In Outlook, when a user attempts to delete a recurring task, the user receives a choice: delete a single occurrence or the entire recurring series.

In Outlook Web Access, the delete command ALWAYS deletes the entire task series. If a user wants to skip an individual occurrence, there is a command on the task edit form for skipping a single occurrence:

Outlook allows users to input decimal values in the “% Complete” field, but Outlook Web Access always will round this values to the nearest whole number. If an Outlook user inputs a decimal value in this field and then later looks at the task in Outlook Web Access, the value will appear to have changed to the nearest whole number. However, the change will not be permanent unless the user actively saves the task in Outlook Web Access.

In Outlook, when a task reminder appears, it is listed as being due at that moment. But this is not necessarily accurate. For example, if the task’s due date

No Task Requests

Delete versus Skip Occurrence

Setting Completion Percentage

Task Reminder Differences


was set to be a day later than the reminder date, the task is not due when the reminder appears.

In Outlook Web Access, when a task reminder appears, Outlook Web Access calculates how much time remains between the reminder date/time and the task due date. Because tasks have no due time, the “Day start time” as set in “Calendar Options” on the Outlook Web Access options page is used as the task due time.

For example, say a task reminder was set to appear on January 1, 2004 at 12:00 P.M. for a task that is due on January 2, 2004. And the “Day start time” is set for 8:00 A.M. When the reminder for the task appears, it would be listed as being due in 20 hours.

If a task has no due date, Outlook Web Access will display a due-in value of “None” in a reminder for that task.


Lesson 4: Outlook Web Access and the Browser

Internet Explorer 5.01 browser will present the rich experience with the exception of the ability to resize the message list/message pane; Internet Explorer 5.5 is the first browser to support the full rich experience.

Paste the following script into the browser address field and press enter to see what version the browser is passing to the server.

javascript:alert(window.navigator.userAgent);

The user experience is based on this value. If the value is 5.00 or less, the user receives a basic experience. If 5.01 or above, the user receives the rich experience, with two exceptions. The one noted above, and Internet Explorer 5.01 for UNIX which receives the basic experience.

Internet Explorer 6.0 is required for this additional functionality as well.

Function Requirement

Outlook Web Access S/MIME Internet Explorer 6.0 (or later)

Outlook Web Access Compression Internet Explorer 6.0 + Q328970 (or later)

Outlook Web Access logout Internet Explorer 6.0 SP1* (or later)

*Forms-based authentication not required

Outlook Web Access and Internet Explorer

Internet Explorer 6.x


Internet Explorer 5.0115, Mac Internet Explorer 5+

Internet Explorer 5.5 SP2

Internet Explorer 6

Internet Explorer 6 SP1

Mars v811,13

**

MS Only

Netscape Navigator 4.8

Netscape Navigator 7

Windows 98 SE*,2,14

Windows 2000*,3

Windows Me*,3,14

Windows XP*,4

Windows Server 200312

Mac OS9*

Mac OS X 1.0*

Sun Solaris*, HP/UX*,10

,9

◊ Supported means that the Outlook Web Access team has tested the majority of user scenarios with these browsers, on these operating systems, and are reasonably sure that things will work as expected. In some cases, Microsoft will try to code around browser defects. If a customer reports a problem encountered with a browser not on the list, the first question support will ask is if the problem is reproducible with a browser on the "supported" browser list. If it does not reproduce, then Microsoft would turn the support question over to the browser vendor. *Supported platforms include all supported localized versions of the operating system.

** Microsoft Confidential

Not supported

Basic version only

Both basic and premium

versions

1. Microsoft® Internet Explorer 45

2. Microsoft® Internet Explorer 5 on Windows platforms (was improved by Internet Explorer 5.01)

3. Microsoft® Internet Explorer 5 for UNIX6

4. Microsoft® Internet Explorer 4.5 for the Macintosh7

5. Microsoft® Windows® 958

Exchange Server 2003 Outlook Web Access Supported Browser/Operating Systems

Browsers or Operating Systems supported by Exchange 2000, but Cut1 for Exchange 2003:


6. Microsoft® Windows® 988

7. Microsoft® Windows NT® 48

8. Mac OS 8.17

1. There should not be any major problems running Outlook Web Access Exchange 2003 on these platforms. However there may still be browser bugs that cannot be addressed. These platforms will not be actively tested.

2. Internet Explorer 5.0b shipped with Microsoft® Windows® 98 Second Edition and was updated to Internet Explorer 5.01 by service packs and updates.

3. Internet Explorer 5.01 shipped with Microsoft® Windows® 2000 and Internet Explorer 5.5 with Microsoft® Windows® Millennium Edition.

4. Internet Explorer 6 shipped with Microsoft® Windows® XP.

5. Internet Explorer 4 install base is less than 5%.

6. Internet Explorer 5.0 for UNIX has been dropped due to the large adoption of Internet Explorer 5.0 SP1 which fixed several problems.

7. Install base is small due to rapid adoption of Internet Explorer 5 on MacOS 9 and greater.

8. Support for these operating systems is discontinued by Microsoft Windows.

9. Netscape 6.2 and greater is only available from the HP and Sun Web sites at the time of this printing.

10. Netscape 6.2 is only available for HP/UX 11.0 and is expected to function properly, however, Microsoft has not yet upgraded to HP/UX 11.0 for complete testing.

11. MSN® Internet Access (MSN) versions older than v8 do not support MSXML3, which is required for Outlook Web Access Exchange 2003

12. With Microsoft® Windows Server™ 2003, Internet Explorer is locked down (Internet Explorer high security settings are enabled). The Internet Explorer Hardening Pack is installed. The first time Internet Explorer is launched, a page loads to educate the user about the Internet Explorer Hardening Pack.

13. Several Hotkeys do not work in MSN Internet Access 8– check the Microsoft Knowledge Base for further information

14. Japanese on Windows 98 SE and Windows Me requires Internet Explorer 6 SP1.

15. Internet Explorer 5.01SP2 (and older Internet Explorer 5.01) support is dropped on June 30, 2003 by Microsoft, however the Outlook Web Access team has tested this browser and to the best of this team’s knowledge, all features of the Premium and Basic client work as expected.

With no additional configuration changes to the browser:

Accessing Outlook Web Access through a cookie enabled server will keep the user at the logon.asp.

Accessing Outlook Web Access through http will throw a privacy dialog informing the user that a cookie is restricted and a script error will occur in

Reasons for cuts, or support issues

Default Browser Behavior


“ctrl view.htc”. Outlook Web Access does load Navigation Bar and Viewer frames, but no messages load in the viewer pane.

The browser must be set to trust the Outlook Web Access front-end URL in order to use Outlook Web Access on Windows Server 2003. Even with front-end trust, until the warning of the presence of the hardening pack is approved, there will still be issues in Outlook Web Access, such as hotkeys not working and cursor focus problems.

It is not sufficient to simply upgrade front-end servers to Exchange 2003 for users to get the new interface. You must upgrade back-end servers to Exchange 2003 as well.

The Outlook Web Access experience depends on the combination of front-end and back-end servers and is as follows.

Exchange 2000 Front-end + Exchange 2000 Back-end = Exchange 2000 Outlook Web Access



Exchange 2000 Front-end + Exchange 2003 Back-end = Not supported (administrative group protected)

Forms-Based Authentication is functional for deployments where the front-end is Exchange 2003 and the back-end is Exchange 2000. However, session timeouts are handled much better when the back-end is Exchange 2003.

Outlook Web Access and Exchange Version Combinations


Lesson 5: Outlook Web Access and Forms Based Authentication


The requirement to have Forms Based Authentication before you can enable compression is due to a couple of issues.

First, there were several bugs in the behavior of GZip, the Microsoft® Internet Information Services (IIS) compression that Outlook Web Access enables, with different browsers. Some of these bugs were corruption of data, others were security related; Internet Explorer had been leaving user data in the server cache that it should not have. The Internet Explorer issues were fixed in a QFE (Q328970) that is now rolled into all of the critical security patches for Internet Explorer on Windows XP Pro and Windows 2000 since last November.

Unfortunately IIS is unaware of these fixes and only looks for an Accept-Encoding header = “GZip” from the client; if present, GZip content is sent to the client. Exchange 2003 server implements logic in logon.asp to determine whether or not a client is “GZip” friendly and based on that, the Forms-based-auth filter is used to re-write the accept-encoding header such that clients that are not secure do not get GZip data from the server.

When you enable forms based authentication, you may receive the following message about Secure Sockets Layer (SSL) connection requirements:

Forms based authentication requires clients to use a SSL connection. If SSL encryption is not offloaded to another source, complete the following steps:

1. Configure SSL.

2. Restart the IIS service.

Overview


To enable forms based authentication, follow these steps:

1. Start Exchange System Manager, and then expand the Servers container.

2. Expand Protocols under the Exchange 2003 computer where you want to enable forms based authentication.

3. Expand HTTP, right-click Exchange Virtual Server, and then click Properties.

4. On the Exchange Virtual Server properties page, click the Settings tab, and then click to select the Enable Forms Based Authentication for Outlook Web Access check box.

5. Click Apply, and then click OK.

Outlook Web Access generates absolute URLs based on the Host: header that reaches the back-end or standalone server. If you are terminating SSL on the ISA box, you will need to ensure that the AddFrontEndHttpsHeader registry key is set on the ISA box. See http://support.microsoft.com/default.aspx?scid=kb;en-us;307347.

In addition, if you are using Exchange 2003 Outlook Web Access Forms Based Authentication with offloaded SSL, SSL is terminated at the Microsoft Internet Security and Acceleration Server (ISA) port. You must make the following registry change on the front-end to support the configuration.

Windows Registry Editor Version 5.00 [Hkey_Local_Server\system\CurrentControlSet\Services\MSExchangeWeb\OWA] “SSLOffloaded”=dword:00000001

Outlook Web Access with Forms Based Authentication needs this key so that it can determine that it should listen to HTTP traffic versus HTTPS, and to ensure that it adds the HTTP header “Front-End-HTTPS: On” to all inbound traffic. This header ensures that the returned URLs are in the correct HTTPS:// form. This applies to Exchange configurations using front-end or stand-alone servers with forms based authentication where SSL is terminated at the firewall or proxy server.

Configuring Forms Based Authentication to require users to enter only their alias and password is a simple task. Replace this line in the logon page:

<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST" name="logonForm" autocomplete="off" onsubmit="logonForm_onsubmit()">

Which can be found here:

…\exchsrvr\exchweb\bin\auth\<country>logon.asp

with the following code.

ISA and Outlook Web Access with and without Forms Based Authentication

How to Change Forms Based Logon to require only user alias and password


<script Language=javascript> function logonForm_onsubmit() { if (logonForm.username.value.indexOf("@") !=-1) { return true; } logonForm.username.value = "<netbiosDomainName>\\" + logonForm.username.value; return false; } </script> <FORM action="/exchweb/bin/auth/owaauth.dll" method="POST" name="logonForm" autocomplete="off" onsubmit="logonForm_onsubmit()">

This method supports logging in using their domain alias and user principal name (UPN). Users that continue to use domain\alias will not be able to log in. The <netbiosDomainName> below must be replaced with the NetBIOS name of the domain to which users authenticate.

Adding the following registry key to a front-end of a front-end/back-end configuration or to a standalone server will configure Forms Based Authentication to accept and HTTP connection. HTTP, port 80, is not encrypted by SSL and a network trace will provide data that can be analyzed using Network Monitor or another compatible network analyzer.

HKLM\system\CurrentControlSet\Services\MSExchangeWeb\OWA

“AllowRetailHTTPAuth”=dword:00000001

This key is intended for use by Microsoft support and the development team to help customers troubleshoot problems with Forms Based Authentication. This key should not be distributed without careful consideration.

You must restart IIS for the change to take effect.

For more information on Forms Based Authentication Metabase Parameters and Values see Module 9 Appendix B.

Configuring Forms Based Authentication to accept HTTP connection

Note


Lesson 6: Outlook Web Access S/MIME Control

In Exchange 2003, Outlook Web Access includes a downloadable control for S/MIME functionality. However, even if you have no intention of digitally signing/encrypting messages, it can be beneficial to download the control anyway. For example, the control provides a much better message handling experience:

While composing a message, click on the Attachment (paperclip) icon in the toolbar and attach files directly (no need to go through the separate attach and post dialog window).

Drag and drop messages from one folder (such as the Inbox) to another folder (this includes the Move and Copy accelerator keys).

Drag and drop existing messages into new messages under composition.

Drag and drop files from Explorer directly into a message under composition.

With the message under composition, right-click on attachment names to Open/Remove/Save As.

All installed fonts are available for use instead of the built-in five.

Image files, when dropped from Explorer into a message body, will show up as inline images.

Image files pasted, dragged to or shown in the body are automatically included as attachments to the message (as MHTML).

When you launch attachments from signed and encrypted message with the S/MIME control installed, the control will do a best-effort clean up of any temp files left behind for that message, unless the user actually saved the file to another directory or the 'helper app' keeps a handle on the temp attachment data that prevents the S/MIME control from deleting the file.

There are four requirements that you must meet to use S/MIME mail in Outlook Web Access:

Outlook Web Access S/MIME Downloadable Control

Requirements


1. You must be using Internet Explorer 6.0 greater for Windows. This feature will not work on any other browser — including other versions of Internet Explorer.

2. You must be working on a computer where you can download the S/MIME control.

3. You must have a valid digital ID for sending signed mail and/or receiving encrypted mail.

4. You must be using Windows 2000 or above.

5. Power User or Administrator is necessary to install any ActiveX® control – there is a bug, in that the user should be getting an alert warning about insufficient permissions, but the requirement is enforced by Windows.

Although it is possible to drag and drop a message from the Inbox to the Calendar folder, this will not invoke a new appointment. The object will be created in the calendar as a message object and will not be visible in the normal calendar view.

1. In a “very locked down environment”, customers will need to do the same thing as with any application rollout:

a. Extract the files in <drive:>\program files\exchsrvr\exchweb\6.5.6944.0\cabs\MIMECLNT.CAB to a location accessible by the client.

b. Ensure the client is Windows 2000 or later, running Internet Explorer 6.0 or later.

c. From the machine where the control is to be installed, run “RunDll32 advpack.dll,LaunchINFSection <path to extracted files>MimeClnt.inf”

2. In Exchange Server 2003 SP1, the OWA S/MIME installer has been moved to be a simple .EXE that uses Windows Installer. The same requirements exist to install from the browser, but rolling out through script will be easier.

Even if you do not intend to send signed or encrypted mail, there are several reasons to download the control.

First, with the S/MIME control, you can just drag and drop files and even other e-mails into the body of a message you’re composing. If the files you drag and drop are graphics, they will show up inline in the message body. All other types of attachments, including other e-mail messages, will show up in the attachment well.

Second, if you do not find it easy to drag and drop items into a message, the S/MIME control’s Add Attachment dialog is far easier to use than it is in the normal e-mail editor. You do not need to use one dialog to find the items and another to attach them. And you can attach multiple files at one time so long as the files all are stored in the same location.

Third, no matter how files or items are added to the attachment well, if you realize you want to remove them from your message, all you need to do is right-click the items and choose “Remove” from the context menu.

Fourth, even if you do not intend to send signed or encrypted mail, the S/MIME control will better handle the signed mail you receive. If you do not have the S/MIME control, at best, you will be able to read the signed messages, but any attachments will get stripped out if you try to forward the messages. At worst, you may not be able to read the signed messages at all. Past Outlook Web Access users may view this as an improvement. Previously, the attachments and

Limitations

Locked Down Environment

Why You Should Download the S/MIME Control


the entire body of a signed message were dropped on reply or forward, and you also could not open e-mail attachments in signed messages you received.

But if you download the S/MIME control, you will be able to read all these signed messages and forward them in their full fidelity!

The button for downloading the S/MIME control is available in the “E-mail Security” section of the Outlook Web Access options page.

After you click download, you will see the following file download dialog:

Once the control is installed on your computer, you will notice that there are two new buttons on the toolbar of the e-mail message editor: These are the buttons that you will use to encrypt and/or sign messages on demand. The first button is for encrypting messages. The second is for digitally signing messages.

The “E-mail Security” section of your options page also will have new features for setting all your messages to be encrypted and/or signed by default.

Finally, every e-mail you receive that is signed now will display additional information about the signature of the sender.

It is important to note that this control needs to be installed on any computer where you want to use S/MIME mail in Outlook Web Access. There may be some computers, such as Internet kiosks, where you are unable to download the control. In these locations, you will not be able to send signed mail or read encrypted mail from Outlook Web Access. And remember, it only works in Internet Explorer 6.0 or later on Windows 2000 or higher.

Even after you have downloaded the control, you are still only halfway toward using S/MIME mail. You still need a digital ID for signing your mail and receiving encrypted mail

When an S/MIME message is handled by Microsoft Outlook Web Access, any number of public certificates must be retrieved from Microsoft Active Directory or from the Personal Contacts on the Exchange server.

After they are retrieved from Active Directory, they are parsed and verified against the certificate revocation list (CRL) and the trust chain.

This involves to a lot of back-and-forth traffic between the Outlook Web Access client and the Public Key Infrastructure (PKI).

To reduce the traffic overhead between the PKI and Outlook Web Access, the public key parsing, CRL look up, and trust chain verification are all done from the Exchange server.

Processing certificate validity on the server makes Internet-based access faster and more reliable, and can greatly reduce bandwidth requirements.

Before rolling out S/MIME support with Exchange Server 2003 Outlook Web Access, you should have a good understanding of cryptography and PKI, for example Windows 2000 or Windows Server 2003 PKI.

For a good overview of cryptography and Windows PKI, as well as links to some other resources, see the following white paper: http://www.microsoft.com/windows2000/docs/cryptPKI.doc.

How to Download the S/MIME Control

How does it work?


When you create a Digitally Signed (S/MIME) message and send it to another person on a Microsoft Exchange Server, if you have not checked the box, on the message store the recipient has will have no Digital ID when the message is opened.

Every organization has a different process for assigning digital IDs to users. You should check with your Exchange administrator about how to obtain a digital ID.

If you want to send encrypted mail to another user, that recipient also will need to have a digital ID that Outlook Web Access understands. If you try to send an encrypted message to a user who is not enabled to receive encrypted mail, the send will not proceed.

If you are sending an encrypted message to multiple recipients and some of these recipients are not enabled to receive encrypted mail, you will be told which recipients do not have the necessary digital IDs to receive encrypted mail.

If you continue with the send, any recipients without digital IDs will not be able to read the message.

It is easy to preemptively check whether a user can receive encrypted mail. Just look up their e-mail properties (by any of the methods described earlier in this primer).

If the user has the following icon on their properties sheet, they can receive encrypted mail.

But if they have the plain envelope icon, shown below, they are not enabled to receive encrypted mail.

Of course, this information is only displayed in e-mail properties sheets if you have first installed the S/MIME control.

If you decide not to use the S/MIME control, you can remove it from the Add or Remove Programs feature in the Windows Control Panel. Just choose to remove the program called “Microsoft Outlook Web Access S/MIME.” Please make sure to close any open messages in Outlook Web Access before removing the S/MIME control.

Getting Your Digital ID

Removing the S/MIME Control


Lesson 7: Outlook Web Access Attachment Blocking

Outlook Web Access blocks a superset of both attachments and MIME types. Some are totally blocked (Level 1) while others must be saved locally (Level 2). If an entry is in both lists, the Level 1 behavior takes precedence. As the Outlook list gets updated, the list is updated. The default parameters and their values are found in HKLM\system\currentcontrolset\services\msexchangeweb\owa.

Description: Allows an administrator to specify which file types are off limits to view, download, or attach. This is a comma delimited list of file extensions.

Example: “exe,com,bat”

The current default set of Level1FileTypes is:

"ade,adp,app,asx,bas,bat,chm,cmd,com,cpl,crt,csh,exe,fxp,hlp,hta,inf,ins,isp,js,jse,ksh,lnk,mda,mdb,mde,mdt,mdw,mdz,msc,msi,msp,mst,ops,pcd,pif,prf,prg,reg,scf,scr,sct,shb,shs,url,vb,vbe,vbs,wsc,wsf,wsh"

Also see the related RAID bug (applies to: Back-end servers, and stand-alone servers): http://bugcheck/bugs/exchange/220853.asp

Description: Allows an administrator to specify which MIME types are off limits to view, download, or attach. This is a comma-delimitated list of MIME types.

Example: "text/xml,text/html"

The current default set of Level1MIMETypes (applies to: Back-end servers, and stand-alone servers) is:

Level1FileTypes (REG_SZ)

Level1MIMETypes (REG_SZ)


“application/hta,x-internet-signup,application/javascript,application/x-javascript,text/javascript,application/msaccess,application/prg,text/scriptlet”

Description: Specifies a set of file extensions that are potentially dangerous as attachments. Attachments matching this type will not be opened automatically, but rather a dialog will be presented to the user asking them to save the attachment locally on their server.

Example: “exe,com,bat”

The set of Level2FileTypes (applies to: Back-end servers, and stand-alone servers) are:

“ade,adp,asx,bas,bat,chm,cmd,com,cpl,crt,dcr,dir,exe,hlp,hta,htm,html,htc,inf,ins,isp,js,jse,lnk,mda,mdb,mde,mdz,mht,mhtml,msc,msi,msp,mst,pcd,pif,plg,prf,reg,scf,scr,sct,shb,shs,shtm,shtml,spl,stm,swf,url,vb,vbe,vbs,wsc,wsf,wsh,xml”

Description: Specifies a set of MIME types that are potentially dangerous as attachments. Attachments matching this type will not be opened automatically, but rather a dialog will be presented to the user asking them to save the attachment locally on their server.

Example: "text/xml,text/html"

The current default set of Level2MIMETypes (applies to: Back-end servers, and stand-alone servers) is:

“text/xml,application/xml,application/hta,text/html,application/octet-stream,application/x-shockwave-flash,application/futuresplash,application/x-director”

1. Click Start, click Run, type "Regedit" (without the quotation marks) in the Open box, and then click OK.

2. Locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\Owa

3. On the Edit menu, point to New, and then click DWORD Value.

4. Type "Disable Attachments" (without the quotation marks).

5. Right-click the "Disable Attachments" DWORD value, and then click Modify.

6. In the Base window, click the button next to "Decimal".

7. In the Value Data field, type one of the following numbers:

a. To permit all attachments, type "0" (without the quotation marks).

Level2FileTypes (REG_SZ)

Level2MIMETypes (REG_SZ)

To enable attachment blocking, follow these steps:


b. To permit no attachments, type "1" (without the quotation marks).

c. To permit attachments from back-end servers only, type "2" (without the quotation marks).

8. Click OK.

9. Open a command prompt, type "net stop w3svc" (without the quotation marks), and then press ENTER.

10. After the services stop, type "net start w3svc" (without the quotation marks), and then press ENTER.


Lesson 8: Other Features

The behavior in Exchange 2003 is the same as that of Exchange 2000. Due to the complex interoperability scenarios required to make Outlook Web Access consistent with Outlook for delegate access to calendars, copying items from one user's mailbox to another's, Exchange 2003 and Exchange 2000 Outlook Web Access support read-only access to another's calendar, regardless of what the manager granted to the delegate.

The only exception is to this rule is if a "delegate" is given Owner rights to a mailbox through active Directory Users and Computers; they then have full access to read and write all data in that mailbox through Outlook Web Access.

Outlook Web Access Change Password is installed, but is disabled by default in a new install by setting the value to 0x00000001. However, the value will not be changed during an upgrade. This value may not exist on an Exchange 2000 server that was upgraded since it did not exist in a default installation of Exchange 2000 server.

The feature is disabled because the feature does not work correctly unless you add the iisadmpwd vdir and set the correct value for the Passwordchangeflags in the metabase.

Password configuration consists of two changes: adding the registry value to the back-end and the iisadmpwd virtual directory to the front-end server of a front-end/back-end configuration. Both changes are made to a standalone server.

Changing the password requires SSL and the addition of the iisadmpwd virtual directory and setting the following key to 0 or deleting the key.

Windows Registry Editor Version 5.00 [HKEY_LOCAL_SERVER\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA] “DisablePassword”=00000000

Calendaring and Delegates

Outlook Web Access and Changing User Passwords


267596 XWEB: How to Change Outlook Web Access Passwords Through IIS

To enable users to change Outlook Web Access passwords through IIS, use the following steps on each IIS server to which Exchange users are redirected:

1. Install and configure Secure Socket Layer (SSL) on the server.

2. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.

3. Right-click the default Web site, point to New, and then click Virtual Directory.

4. In the Virtual Directory Creation Wizard, type "IISADMPWD" (without the quotation marks) in the Alias box, and then click Next.

5. In the Directory box, type "<systemroot> \system32\inetsrv\iisadmpwd" (without the quotation marks), and then click Next.

6. Verify that only the read and run script check boxes are selected (such as the ASP check box), click Next, and then click Finish.

7. Verify that the Iisadmpwd folder has the Anonymous Access authentication method enabled.

You can select other authentication types, but you must also select the Anonymous Access authentication method.

If you do not enable the Anonymous Access option, the client and server go into an endless loop when you attempt to authenticate users who are prompted to change an expired password.

For example, if a user navigates to the site and is prompted for a password but their password has expired, the first page that they tried to access redirects them to the password expiry page. The password expiry page challenges the user, but because the user is not authenticated on the first page, the second page refuses the connection because the password has expired. When this occurs, the user is redirected back to first page, the first page redirects the user to the second page, and so on.

For additional information about a fix for this looping behavior, check this article number 275457 IIS 5.0 May Loop Infinitely When a User Is Forced to Change Their Password.

1. Zero is the default value for the PasswordChangeFlags setting, but the following steps can be used to change or confirm the setting. To change the Metabase PasswordChangeFlags setting to zero (0), you must first change it to the \inetpub\adminscriptsfolder on your hard drive:

a. At a command prompt, type "cd <drive>\:inetpub\AdminScripts" (without the quotation marks).

For example: "cd c:\inetpub\AdminScripts" (without the

quotation marks)

b. At the <drive>\:inetpub\adminscripts> prompt, type the following command:

iisadmpwd virtual directory

Note

Note


"adsutil.vbs set w3svc/passwordchangeflags <value>"

(without the quotation marks)

The following values are options for the PasswordChangeFlags setting:

1. 0: Requires password change by SSL

2. 1: Allows password change by non-secure ports

3. 2: Disables password changes

4. 4: Disables advance notification of expiration

After creating iisadmpwd and the reg key, you see the password change button under options in Outlook Web Access:

In a front-end/back-end topology with Exchange 2000 and/or Exchange 2003 back-end servers running on both Windows 2000 servers, it is necessary to add Windows 2000 compatible Web pages to the Windows 2003 front-end server.

1. Open a command prompt in the %windir%\system32\inetsrv\iisadmpwd directory and execute “copy *.asp *.htr. (Copy, DO NOT DELETE the .ASP files as they are required for Windows 2003 backend servers.)

2. Add a script map for *.htr to the Configuration of the iisadmpwd virtual directory to map these to ASP.DLL with GET,HEAD,POST,TRACE verbs and select Script Engine.

Apart from selecting between the Premium (uplevel) and Basic (downlevel) clients, you can also choose your security setting:

1. Public or shared computer

2. Trusted computer

If you choose the "Public or shared computer" option, the expiration time-out will be set at 15 minutes. If you choose "Trusted computer", the time-out will be 1440 minutes (24 hours). Both of these can be over-ridden by server-side registry parameters to the front-end server in a front-end/back-end configuration or make both on the standalone server.

Location: HKEY_LOCAL_SERVER\System\ CurrentControlSet\Services\MSExchangeWEB\OWA Parameter: TrustedClientTimeout Type: REG_DWORD Value: Number of minutes for timeout. If this is not set, 1440 is assumed. Minimum value is 1; maximum value is 43200 (30 days).

Location: HKEY_LOCAL_SERVER\System\ CurrentControlSet\Services\MSExchangeWEB\OWA Parameter: PublicClientTimeout Type: REG_DWORD Value: Number of minutes for timeout. If this is not set, 15 is assumed. Minimum value is 1; maximum value is 43200 (30 days).

It is important to understand that the cookie does not timeout at exactly the time set. It actually expires somewhere between <setting> and <setting * 1.5>. Additionally, if you attempt to set these keys the 'wrong way around', the following will occur:

Note

OWA Client Timeout Settings


If the admin sets the TrustedClientTimeout value to one that is lower than PublicClientTimeout, then the TrustedClientTimeout value will default to be equal to the PublicClientTimeout.

If the admin sets the PublicClientTimeout to a value that is greater than the TrustedClientTimeout, then the TrustedClientTimeout value will default to be equal to the PublicClientTimeout.

IIS must be restarted for the changes to take effect


DS2MB

DS2MB update cycle has been changed in Exchange 2003 and affects all Exchange web based applications; Outlook Web Access, Outlook Mobile Access, and ActiveSync®.

IIS picks up its configuration from the local metabase. Because of the need to manage Exchange servers remotely, IIS-related information is stored in the Active Directory, and then replicated in one-direction from the Active Directory into the metabase. The process responsible for the replication is called DS2MB which runs as part of the System Attendant on each Exchange 200x server. DS2MB receives notifications of changes in the Active Directory and replicates them to the metabase.

In Exchange 2000, upon start-up of the System Attendant, DS2MB would perform a full replication of Active Directory information into the metabase. This had the side-effect of slowing down Exchange service start-up, especially for hosters who had large numbers of virtual directories or SMTP domains.

In Exchange 2003, full replication is not performed on start-up of the System Attendant; so Exchange service start-up will be faster. However, if you believe that the local metabase has become out-of-sync with the Active Directory, such as a manual change to the virtual directories and need to rectify the problem, you will need to adjust the 'HighWaterMarks' node in the metabase:

LM\DS2MB\HighWaterMarks\{056BE186-E73F-4EBD-A92D-2D985BC97C63}\61472

The guid after the HighWaterMarks\ is going to be different for each machine -

Changing the data for this ID to 0 (zero) or deleting the key and then restarting the Exchange System Attendant will cause DS2MB to perform a full replication

Outlook Web Access and DS2MB


of the Active Directory information into the metabase. The key will be added to the Metabase with the default value above when the System Attendant starts.

The metabase can be manipulated through a variety of tools. The best option is to install the IIS 6 resource kit, and use Metabase Explorer.


Lesson 9: Outlook Web Access Spell Check

It is now possible to spell check emails through Outlook Web Access in Exchange 2003. In order for users to take advantage of the new feature the following has to occur:

Successfully login to Outlook Web Access selecting the Premium option.

Click on the Options Button.

Configure their personal preferences as illustrated in the graphic above.

If a client clicks the spell check icon and no preferences have been set, then the following dialogue box is displayed, and it will continue to do so until preferences have been set.

The following languages are currently available:

English (Australia)

English (Canada)

English (United Kingdom)

English (United States)

French

German

Italian

Korean

Spanish

Overview


Client The client must be running Outlook Web Access in the Premium mode.

Spell check is not available in Basic mode.

Server In a Front-end/Back-end scenario, the Exchange Front-end and Back-end

servers must be running Exchange 2003.

This is what happens when the client spell check button is pressed:

1. Client sends body of item (or the currently highlighted text, if applicable) that needs to be checked: See “Content” below for questions about interspersing content.

a. Since the options are in the Exchange store and the ISAPI does not have access to that, need to send them up in the request URL, like POST ?cmd=spellcheck with the options of “lang=en,options=IgnoreCaps,IgnoreMixedNums” etc. in the request headers.

2. While client waits for server to return data, client displays progress dialog (see below).

3. Server returns data:

a. If no spelling errors were found:

i. Server will indicate in the XML body response that there were no errors.

ii. The normal spell checking dialog will not show up.

iii. The client will display to the user a dialog with the following text:

No spelling errors were found.

b. If spelling errors were found, the server will return the marked words, the offset into the body, the suggestions and the type of error that was found (duplicate word versus spelling error).

Dependencies for Outlook Web Access Spell check

General Overview


Outlook Web Access Spell Check: Initial Troubleshooting

Through Microsoft® Windows® Explorer, check the following:

%SystemDrive%\Program Files\Exchsrvr\exchweb\bin\Spell This should correlate in IIS Admin: Exchweb/bin/spell

If Forms Based authentication is enabled, spell check has to run in the same application pool as Exchange or you'll have auth problems.

owaspell.dll runs inside dllhost.exe on Windows 2000.

It is possible the following events could be logged in the system event log:

Checking the paths

Note

Possible Events in the System Log


Event Type: Warning Event Source: W3SVC Event Category: None Event ID: 36 Date: 3/18/2003 Time: 9:18:01 AM User: N/A Computer: ComputerName Description: The description for Event ID ( 36 ) in Source ( W3SVC ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: /LM/W3SVC/1/root/ExchWeb/bin, The server process could not be started because the configured identity is incorrect. Check the username and password. . Event Type: Error Event Source: DCOM Event Category: None Event ID: 10004 Date: 3/18/2003 Time: 9:18:01 AM User: N/A Computer: ComputerName Description: DCOM got error "The referenced account is currently locked out and may not be logged on to. " and was unable to logon .\IWAM_ComputerName in order to run the server:{3D14228D-FBE1-11D0-995D-00C04FD919C1}

If these errors are apparent then follow the following Knowledge Base (KB) article: 297989 : Configured Identity Is Incorrect for IWAM Account.


Outlook Web Access Spell Check: Tasklist/Permissions

Run: tasklist -m owaspell.dll

Then IIS is having problems loading the ISAPI. Check the file system permissions on:

%SystemDrive%\Program Files\exchsrvr\exchweb\bin\spell\owaspell.dll

Authenticated Users need Read access to the owaspell.DLL

In IIS admin, check the Authentication Methods under Directory Security tab on the virtual directory: Exchweb\bin\spell.

The default settings are Integrated and Basic.

Anonymous should absolutely NOT be on the spell directory.

It may be necessary to try and spell check in a different language. If the same problem is persistent in German, French and others then it is the ISAPI filter. If the problem is only persistent for English languages and does not exist in German, French, then it is just the English DLL that is the problem.

Using tasklist

Checking Permissions

Checking in different languages


Outlook Web Access Spell Check: Netmon

It may be necessary to capture a Netmon trace between the client and the server in order to troubleshoot spell check issues.

In order to troubleshoot issues it is recommended that Netmon is installed on the Front-End server and all traffic is captured. This way, the requests to and from the client and also the Back-End Server (where the user’s mailbox resides) can be caught.

Prior to capturing any network traffic it is necessary to add the following registry key to the Exchange 2003 Front-End server. This key does not exist by default.

Location: HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services\ MSExchangeWEB \ OWA Parameter: AllowRetailHTTPAuth Type: DWORD Value: 1

Remember to remove the registry key after the Netmon Capture has been taken.

This registry entry allows Cookie-Auth to be configured so it can accept incoming HTTP traffic.

In virtually all normal circumstances, clients will be accessing their Exchange Server 2003 mailbox over port 443 (HTTPS). The registry key is to be used by support and the development team to help customers troubleshoot problems with Outlook Web Access and / or Cookie-Auth.

Once the key has been implemented you will then be able to logon to Outlook Web Access through HTTP://ExchangeServer/Exchange rather than HTTPS://ExchangeServer/Exchange and still be able to use Cookie-Auth.

Netmon Trace from the client to Server

Note


When a mail does contain incorrect spelling it is possible to see the network traffic being sent from the server to the client. This is a good test to see whether the OWASpell.DLL is being called and the Exchange 2003 Server Front-end server is working as it should.

The test mail that was sent in this example had the following text string in the main body of the message:

“This ia a test message with incrorrect spelling”

For more detailed steps on using NETMON to trace spell check see Module 9 Appendix C.

Netmon tracing when there are errors in the spelling


Outlook Web Access Spell Check: Registry Keys

Performance and scalability are very important with Outlook Web Access spell check. The following registry keys can be used to help configure and troubleshoot any issues occurring on an Exchange 2003 Front-End server.

All registry keys are configured under the following hive:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA

Description: Number of kilobytes.

Default: This key will not exist by default.

Behavior: If the user requests spell check for a document larger than the number of kilobytes specified by this key, the server will return a unique error to the client indicating that the document is too large.

Description: Number of errors per item, duplicates.


Behavior: The maximum number of errors to process on a single item. If this is set to 5 and an item comes with 6 errors, when the ISAPI receives notification of the sixth error, it will send the corrections of the first 5 to the client, along with an error code. The user will see a dialog indication that only part of the document could be checked. They can make corrections and spell check again.

Description: Number of unique errors per item.


Behavior: The maximum number of unique errors to process on a single item (versus duplicates.) If this is set to 5 and an item comes in

MaxSpellDocumentSize (DWord)

MaxSpellErrors (Dword)

MaxUniqueSpellErrors (DWord)


with 6 errors but they are all the same misspelling, the ISAPI will process it as normal. If this is set to 5 and an item comes in with 10 errors of different words, the ISAPI will send the corrections of the first 5 to the client, along with an error code. The user will see a dialog indication that only part of the document could be checked, and they can make corrections and spell check again.

Description: Number of client requests to process at a time.


Behavior: If a request comes in and there is already a maximum number of requests being processed, the client will receive an error and the user will see a dialog telling them that the spell check server is busy and they should try again later.

Description: Provides a way for administrators to disable the automatic spell check on send feature.


Behavior: If the value is non-existent or zero (0) the feature is not disabled. If the value is 1 or any other value, the feature is disabled.

Description: Provides a mechanism for administrators to add or remove spell check languages between Exchange releases.


Behavior: When this key is added or incremented, it triggers the server to scan for new language files and increment the list of choices displayed in the spell check UI.

Whenever an administrator adds or removes a spell check DLL and its corresponding LEX file in the Exchange 2003 server’s /exchweb/bin/spell directory, they should increment this value after the file change. When creating this value, it is suggested that the administrator initialize it with a value of zero (0).

MaxSpellRequests (DWord)

DisableSpellCheckOnSend (DWord)

ChangeSpellerList (DWord)


Outlook Web Access Spell Check: Other Information required

1. Detailed Repro steps of the problem.

2. Topology configuration (Front-ends, Back-Ends, ISA servers, firewalls, perimeter networks, IPSec, URLScan, Virus Scanning?).

3. User load / server state (Event logs).

4. Operating System versions for each machine involved (WinMSD).

5. Exchange versions for each machine involved

a. exprox.dll

b. davex.dll

c. exoledb.dll

6. Internet Explorer version - if Internet Explorer is involved.

7. Full user dump from debugger if this is a crash / hang / AV situation.

8. Does this reproduce with Outlook Web Access only?

9. Does this reproduce only with a specific message? (If so, get the message)

10. Does this reproduce only with a specific user? (If so, what is special about this user)

11. IIS protocol log located at:

a. Windows Server 2003: ..\Windows\System32\Logfiles\W3SVC1

b. Windows 2000: ..\WINNT\system32\LogFiles\W3SVC1

<drive_letter>\Winnt\System32\Logfiles\W3svc(<x>) (where <drive_letter> is the letter of the hard disk and <x> is the number of the Web site (for example, 1 = default, 2 = administration Web site, 3 = first manually created Web site, and so on).

Note


12. Metabase Dump of the following:

a. w3svc/1/ root/exchange

b. w3svc/1/ root/exchweb

c. w3svc/1/ root/exchweb/bin

d. enum w3svc/1/ root/exchweb/bin/spell

This can be run from the following path:\inetpub\adminscripts\adsutil.vbs.

321448 FP: Error Messages When You Try to Open Webs While IUSR Account or IWAM

297989 PRB: Configured Identity Is Incorrect for IWAM Account

326086 HOW TO: Isolate Web Applications into Their Own Process

309051 HOW TO: Troubleshoot ASP in IIS 5.0

Useful KB Articles:


Lesson 10: Outlook Web Access and Gzip Compression

GZip compression is a component of Windows Server 2003 that can be enabled to allow users to experience a richer Outlook Web Access experience because data from an Exchange 2003 Server is compressed and sent to the client which subsequently decompresses the stream.

The core value of GZip compression is that dial-up users will be able to use Outlook Web Access much more effectively. It will boost performance on the order of 50% for most common operations.

The primary reason for enabling GZip is for dial-up users or users on a slow network link who access their mailbox through Outlook Web Access. This is only valid with Secure Sockets Layer (SSL) enabled. Without SSL the modem’s hardware compression typically offers a similar performance improvement. With SSL, modems can’t compress the encrypted content, but the GZip filter in IIS actually compresses prior to SSL encryption.

Enabling GZip compression will increase the load on an Exchange 2003 server(s). Thus enabling GZip for users on a fast network link or are on a corporate network will not necessarily provide any improvement. There could be instances where the user experience is impacted as the server is heavily utilized by performing compression when it is not really necessary as all users have a fast network link.

Only files over 1 K will get compressed while other files, such as GIFs, will not get compressed at all.

The following statement was taken from OTG Deployment internal to Microsoft:

“The result is that Exchange 2003 Outlook Web Access's dialup experience starts 50% faster than what you're used to with Exchange 2000.

If you use Outlook Web Access's "Basic" client you will be able to load your Inbox over 80% faster than Exchange 2000, and even more than 50% faster

Overview


than Hotmail (It takes almost 57 seconds to log on and get the Hotmail Inbox view.)

Most Outlook Web Access users briefly log on, read and move a few messages. This is what we've optimized for in Exchange 2003.”


GZip: Client Requirements

In general, any HTTP 1.1 compatible client that sends the “Accept-encoding” header to the server.

Operating System: Windows 2000 or later

Internet Explorer 6.0 + Q328970

Netscape Navigator V 6.0 or greater

http://support.microsoft.com/default.aspx?scid=kb;en-us;328970

Specifically, URLMON.DLL needs to be version 6.0.2800.1126 or higher – This can be located in %\Windows\System32

Compression is disabled for the Windows Server 2003 server browser client. This is due to an URLMon bug that existed in the Windows Server 2003 server builds that existed when the GZip support was checked in. It was unclear that it was going to get fixed, so compression was specifically disabled for this client rather than introduce the risk. Also see MS03-004: ID: 810847.KB.EN-US.

The client must be Internet Explorer 6 with 328970 MS02-066: November, 2002, Cumulative Patch for Internet Explorer for GZip functionality.

If the browser does not meet this requirement, then the Forms Based Authentication Microsoft® Internet Server Application Programming Interface (ISAPI) filter will strip the client’s accept-encoding header. For non-Internet Explorer clients, it leaves this header alone. For Navigator 6 clients and greater, it leaves the header alone. For Navigator clients < version 6, it strips the Accept-Encoding header.

If both points one and two have been checked and verified, it is then necessary to check to see what is being processed on the server (once a client request has been received) and subsequently what is sent back to the client.

Note


GZip: Server Requirements

Forms Based Authentication needs to be enabled (Cookie-Auth):

Front-End: Exchange 2003 on Windows Server 2003

Back-End: Exchange 2003 on minimum Windows 2000 SP4

Exchange 2003 installed on Windows Server 2003 server

If you use Exchange 2003 Front-Ends to access Exchange 2000 Back-Ends, then you should disable GZip compression support on the Front-End Servers. GZip will not work as it is a requirement for all mailbox servers to be on Exchange 2003.

GZip should not be enabled on a back-end server that is part of a front-end/back-end topology. Although this may work, it is unnecessary, untested, and will add an extra processing burden to the back-end server.

If a customer has both Exchange 2000 and Exchange 2003 back-end servers, then it is possible to roll out GZip either on a different Exchange Virtual Servers, or a different Front-End server for users whose mailboxes reside on Exchange 2003 back-end servers.

Forms Based Authentication

Front-End / Back-End Deployment:

Standalone Deployment

Note


GZip: Configuring and Troubleshooting

Enable Forms Based Authentication on Exchange 2003 that will be configured to process GZip requests. When Forms Based Authentication is enabled, the Compression settings will be available for selection.

The following screenshot (Properties of the HTTP Exchange Virtual Server) illustrates this.

There are three compression options available:

1. None: No data is compressed.

2. Low: This is for static content - the generic files that are required on the client in order for Outlook Web Access to work These are: JS, CSS, HTM, XSL and HTC files

3. High: This is for static and dynamic content such as messages, attachments, etc.

When a selection has been made and Apply has been pressed, the following warning message is displayed:

These are the only Exchange System Manager settings that need to be checked in order to ascertain whether Gzip has been configured correctly.

IIS provides no Performance monitor counters or application event log messages explicitly for Gzip compression. There are a number of troubleshooting steps that can be taken to check for any Gzip issues.

When the compression level is changed via the Settings of the Properties of the Exchange Virtual Server in Exchange System manager a warning is displayed advising that it will be necessary to restart the IIS Virtual Server before the change will take effect. Highlight the server object in Internet Services Manager. Right-click and select Tasks. Select restart the IIS virtual server.

Forms Based Authentication

Compression settings

Important


GZip: IIS Temporary Files Directory

If you navigate to %\Windows\IIS Temporary Compressed Files and GZip Compression has been enabled either Low or High, you should see a number of files similar to the following:

$^_GZip_C^^EXCHSRVR^EXCHWEB^6.5.6895.0^CONTROLS^CTRL_VIEW.HTC

You can also check the metabase settings under w3svc/Filters/Compression/Parameters and look for the HcCompressionDirectory key as this should also be %windir%\IIS Temporary Compressed Files.

There should be a number of different files such as:

HTML Document

XSL Stylesheet

HTC File

Jscript Script File

Cascading Style Sheet

The IIS Temporary Compressed Files directory is where all compressed (GZip) files are located.

Static content gets compressed and stored in the <%\Windows\IIS Temporary Compressed Files> the first user to access Forms Based Authentication (with compression enabled) will not receive compressed data. However, all subsequent users will receive the data compressed if it resides in the <%\Windows\ IIS Temporary Compressed Files directory.

Remember that when high compression is enabled, all dynamic content such as messages and attachments are compressed as the client requests them.

There is a known problem with the interaction of IIS and some server anti-virus software. Specifically, if the ant-virus software is scanning the Temporary Compression Files directory, it may corrupt the compressed file content. You

Anti-Virus Software Interaction


should disable file or directory scanning of the Temporary Compression Files.

Whether low or high, static or static + dynamic respectively, compression is enabled and is configurable per virtual server. If there is more than one HTTP virtual server with GZip compression enabled, all of the virtual servers must inherit the same global settings for the compression level.


GZip: Checking the Content Encoding Sent From Client to Server

In order to troubleshoot potential problems, it may be necessary to make sure that the client is advertising to the server that it supports GZip compression. The client indicates that it supports GZip compression via the Accept-Encoding header. The Accept-Encoding request header restricts the content-coding values that are considered acceptable to the client. An example of the header generated when a browser issues a request to the server is:

Only HTTP version 1.1 or greater compatible browsers will issue the above accept-encoding header.

Some proxy servers may offer no support for HTTP 1.1 and may strip some of the headers. ISA offers limited support and although it strips the Protocol version = 1.1 header, it passes the Accept-Encoding header.

An empty Accept-Encoding request header indicates to the server that the client will not accept any content coding.

If completing a Netmon capture is required as a troubleshooting step, then it is recommended that the capture is run on the Exchange 2003 Front-End Server, this will capture the incoming client GET request and also communication to the Exchange 2003 Back-End servers. However, if this is not an option, capturing the network traffic from the client is fine; the GET request will be captured.

Prior to capturing any network traffic it is necessary to add the following registry key to the Exchange 2003 Front-End server. This key does not exist by default.

Netmon

Note

Note

AllowRetailHTTPAuth


Location: HKEY_LOCAL_SERVER\SYSTEM\CurrentControlSet\Services\ MSExchangeWEB\OWA Parameter: AllowRetailHTTPAuth Type: DWORD Value: 1

Remember to remove the registry key after the Netmon Capture has been taken.

This registry entry allows Cookie-Auth to be configured so it can accept incoming HTTP traffic.

In virtually all normal circumstances, clients will be accessing their Exchange Server 2003 mailbox over port 443 (HTTPS). The registry key is to be used by support and the development team to help customers troubleshoot problems with Forms Based Authentication and / or Cookie-Auth.

Once the key has been implemented you will then be able to logon to Forms Based Authentication through HTTP://ExchangeServer/Exchange rather than HTTPS://ExchangeServer/Exchange and still be able to use Cookie-Auth and capture the GET request(s) from the client and then check the content coding values to confirm that GZip compression is being advertised to the server by the client browser.

If it is a requirement to undertake a Netmon trace the following has to occur:

1. Decide with customer which server to run Netmon on.

2. Explain that we need to disable SSL so the correct information is captured.

3. Add the AllowRetailHTTPAuth registry key.

4. On the Exchange Virtual Directory remove the setting “Require Secure Channel (SSL)”.

5. Restart the Exchange Virtual Server.

6. Start the Netmon Capture.

7. From the Internet Explorer Client Browser navigate to HTTP://ExchangeServer/Exchange.

8. Carry out some mail activity.

9. Log off.

10. Stop the Netmon Capture.

11. Re-set the registry key.

For more information on GZip Settings and Metabase see Module 9 Appendix D and E.

Note


DAV Debug Tracing

In some case it may be necessary to gather debug data from the Outlook Web Access components. In order to enable DAV Tracing the following steps need to be followed:

1. Stop the W3SVC and MSExchangeIS Services

2. Run the following three Registry updates on the Front-End Server:

a. davex-traces.reg

The following keys are added to the registry: davex-traces.reg


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories] "Debug"=dword:00000001 "Davex"=dword:00000001 "DavexDbgHeaders"=dword:00000000 "Epoxy"=dword:00000001 "Repl"=dword:00000001 "Ifs"=dword:00000001 "IfsCache"=dword:00000001 "WebClient"=dword:00000001 "FileStream"=dword:00000001 "Nmspc"=dword:00000001 "StringBlock"=dword:00000001 "Schema"=dword:00000001 "Sql"=dword:00000001 "DBCommandTree"=dword:00000001 "Unpack"=dword:00000001 "Xml"=dword:00000001 "Search"=dword:00000001 "Actv"=dword:00000001 "BodyStream"=dword:00000001 "Content"=dword:00000001 "Ecb"=dword:00000001 "ECBLogging"=dword:00000001 "EcbStream"=dword:00000001 "Event"=dword:00000001 "Lock"=dword:00000001 "Method"=dword:00000001 "Persist"=dword:00000001 "Request"=dword:00000001 "Response"=dword:00000001 "ScriptMap"=dword:00000001 "Transmit"=dword:00000001 "Url"=dword:00000001 "DavprsDbgHeaders"=dword:00000001 "Metabase"=dword:00000001 "DsaMgr":00000001 "IdleThrd"=dword:00000001

b. exoledb-traces.reg

The following keys are added to the registry:

exoledb-traces.reg


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories] "Debug"=dword:00000001 "Epoxy"=dword:00000001 "Exdav"=dword:00000001 "Notif"=dword:00000001 "Props"=dword:00000001 "Repl"=dword:00000001 "Search"=dword:00000001 "SessMgr"=dword:00000001 "Locks"=dword:00000001 "WebClient"=dword:00000001 "EnumAtts"=dword:00000001 "FileStream"=dword:00000001 "PropFind"=dword:00000001 "ExOleDb"=dword:00000001 "ExOleDb_Errors"=dword:00000001 "ExOleDb_Events"=dword:00000001 "ExOleDb_ThreadPool"=dword:00000001 "ExOleDb_Transactions"=dword:00000001 "ExOleDb_SystemEvents"=dword:00000001 "ExOleDb_ClientControl"=dword:00000001 "ExOleDb_EntryExit"=dword:00000001 "ExOleDb_Impersonation"=dword:00000001 "ExOleDb_Hsots"=dword:00000001 "XProcCache"=dword:00000001 "Nmspc"=dword:00000001 "StringBlock"=dword:00000001 "Schema"=dword:00000001 "DBCommandTree"=dword:00000001 "Sql"=dword:00000001 "Unpack"=dword:00000001 "Xml"=dword:00000001 "Search"=dword:00000001 "DsaMgr"=dword:00000001 "IdleThrd"=dword:00000001 "LinkFix"=dword:00000001 "CalcProps"=dword:00000001 "MDBInst"=dword:00000001 "LogCallback"=dword:00000001 "AdminLogon"=dword:00000001 "Exoledbesh_Errors"=dword:00000001 "SchemaPop"=dword:00000001

c. exprox-traces.reg

The following keys are added to the registry:

exprox-traces.reg


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories] "Debug"=dword:00000001 "Prx"=dword:00000001 "PrxConn"=dword:00000001 "PrxParser"=dword:00000001 "PrxReplMgr"=dword:00000001 "PrxRequest"=dword:00000001 "PrxSrv"=dword:00000001 "Url"=dword:00000001 "StringBlock"=dword:00000000 "DsaMgr"=dword:00000001 "IdleThrd"=dword:00000001

The above files have all of DAV's tracing categories turned on.

You can also use the reg files located at:

\\exsrc\sources\LATEST\TITANIUM\CAL\src\davex\davex-traces.reg \\exsrc\sources\LATEST\TITANIUM\CAL\src\exoledb\exoledb-traces.reg \\exsrc\sources\LATEST\TITANIUM\CAL\src\exprox\exprox-traces.reg

3. Create the following registry key (or verify that it exists) of type REG_MULTI_SZ called "Modules" under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersi

on\DebugAsyncTrace

Make sure that this contains the string "DAV-EXOLEDB-OWA" as one of its values.

4. Run Regtrace:

a. On the Traces tab check the checkbox for Debug Statements.

b. On the Output tab select File, and choose a file name.

c. Make the max file size something reasonable, at least 50 MB.

5. Start the W3SVC and MSExchangeIS Services.

6. Reproduce the problem.

7. Run regtrace and turn off traces ("No Tracing" option on the Output tab), and select Apply.

8. Copy tracevwr.exe and rockall.dll from \\jackfree0\public\traces or run it from the share to view the output of the trace file that was just saved.

Note


Customizing the Theme


Outlook Web Access in Exchange 2003 supports the concept of 'Themes'. You can change your default color scheme out of the box; however, it is also possible to create your own Outlook Web Access themes.

1. On the front-end(s) and back-end(s), create a directory in …\exchweb\themes, e.g. called "foo".

2. Copy or create new versions of the following images (gradients for buttons, backgrounds, etc) to \foo:

• logo2.gif– branding logo, can replace with own company logo

• nb-bkgd.gif – navbar background

• nb-hide-ql.gif– nav bar hide icon ("slider")

• nb-ql-tgl.gif – nav bar slider background

• nb-sel-bkgd.gif – navbar selection gradient

• nb-show-ql.gif – nav bar show icon

• nin-bg.gif – toast image for new e-mail notification

• OWAColors.css – colors used in themes

• resize-dot.gif

• tool-bkgd.gif – toolbar background, also used for folder button

9. You can then edit the Cascading Style Sheet (CSS) to come up with your own colors and styles. Note, public folders and the calendar viewer are not affected.

10. On the back-end(s), add a reg key under HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ MSExchangeWEB \ OWA \ Themes on the server (e.g. mytheme) with properties:

• This is the registry structure:


...MSExchangeWEB \ OWA | ---- Themes | ---- Theme1 (RG_SZ) | ---- ThemeN (RG_SZ)

• Each theme value is a string (RG_SZ) that contains a semi-colon separated list of name-value pairs (name=value)

• These name-pairs are:

• ID: Custom theme ID

• Restrictions:

• First bit (0x80000000) can not be set

• Can be a hexadecimal (starts by '0x' or decimal number)

• Must fit on a DWORD

• Cannot collide with an existing custom theme ID

• path: Custom theme path

• Restrictions:

• Must be shorter than 256 characters

• Cannot be an empty string

• title: Custom theme title

• Restrictions:

• Must be shorter than 512 characters

• Cannot be an empty string

• bgcolor: Custom theme background color

• Restrictions:

• Must be 7 characters long

• '#' must be the first character

• The rest of the six characters must be a valid hex digit (basically, this has to be a valid HTML color '#rrggbb')

• All of the name-value pairs are required

• If a theme does not meet comply with these restrictions then it will be ignored

• Example:

*id=0x1;path=mytheme;title=My Custom Theme;bgcolor=#12ACD3

*


The name-value pairs can be listed in any order.

11. In the path section of the registry entries, just put in the path relative to the exchweb\themes directory (such as "foo"), mentioned above.

12. Just wait 30 seconds after implementing the registry parameter, and the new theme will be available in 'Options'. No need to restart services!

Note


Lab A: Outlook Web Access


Lab A: Outlook Web Access

After completing this lab, you will be able to:

Setup Forms based authentication on Exchange 2003.

Change Forms based authentication to require only user alias and password.

Enable Outlook Web Access Password change.

Perform Dav Tracing.

Before working on this lab, you must have:

An Exchange server with IIS installed.

Knowledge about the difference between a workgroup and a domain.

Experience logging on and off Microsoft Windows® 2000.

The knowledge and skills to create user accounts by using User Manager for Domains.

Objectives

Estimated time to complete this lab: 30 minutes


Exercise 1 Setting up Forms Based Authentication

Scenario Contoso Pharmaceuticals would like a custom logon page for Microsoft Outlook Web Access. In this exercise you will configure Forms Based Authentication.

Forms based authentication requires clients to use a SSL connection. If SSL encryption is not offloaded to another source, complete the following steps:

• Configure SSL

• Restart the IIS service

Tasks Detailed Steps

Note: All steps are to be completed on the Exchange VPC.

1. Enable SSL Requirement for Exchange Virtual Directory.

a. Log into Exchange as Administrator with password Passw0rd1.

Note: If you already have a valid certificate installed, proceed to Task 2.

b. From the task bar click, Start | All Programs | Administrative Tools | Internet Information Services (IIS) Manager.

c. Expand EX2 (local computer) | Web Sites.

d. Right click Default Web Site, select Properties, and then click the Directory Security tab.

e. Select the Server Certificate button under Secure Communications.

f. Click the Next button when the Welcome Wizard appears.

g. Create a new certificate| Click Next

h. Select Send the request immediately to an online certificate authority| Click next.

i. Click Next on Name and Security Settings window.

j. Type Contoso in Organization

k. Type Redmond in Organizational Unit

l. Click Next.

m. Type mail.contoso.com in Your Site’s Common Name.

In order to prevent users from getting prompted when using SSL, the common name of the certificate MUST be the fully qualified domain name (FQDN) of the Front-End server

• [e.g. mail.contoso.com] n. Click Next.

o. Type Washington in State/Province

p. Type Redmond in City/locality.

q. Click Next.

r. Click Next on SSL Port.

s. Click Next on Choose a Certificate Authority.


t. Click Next on Certificate Request Submission.

u. Click Finish.

v. Click OK.

w. Expand EX2 (local computer) | Web Sites| Default Web Site|

x. Right Click on Exchange| Click Properties.

y. Click on Directory Security Tab.

z. Click on Edit under Secure Communications.

aa. Check off Require secure channel (SSL) and Require 128-bit encryption.

bb. Click OK.

cc. Click OK.

2. Configure Form-Based Authentication.

a. Click on Start| All Programs| Microsoft Exchange| System Manager.

b. Expand Administrative Groups| First Administrative Group| HQ| Servers| EX2| Protocols| HTTP.

c. Right Click on Exchange Virtual Server| Click Properties.

d. On the Settings Tab select Enable Forms Based Authentication.

e. Select Compression – High.

f. Click OK.

g. Click OK on the Warning.

Outlook Web Access will now only work on HTTPS and will display the login screen, rather than a pop-up message prompting for credentials.

h. Switch to XP-Client. If necessary, log in as Administrator with the Password of Passw0rd1.

i. Start Internet Explorer and type the following url: https://mail.contoso.com/exchange

This should display the new forms based authentication Web page.

j. Login using Contoso\administrator with a password of Passw0rd1.

k. Close Internet Explorer.

l. Switch back to Exchange virtual machine.


Exercise 2 Change Forms Based Authentication to require only User Alias and Password

Scenario The CIO of Contoso Pharmaceuticals does not like having to enter his Domainname\Username in the Outlook Web Access Logon Page. In this exercise you will change the logon to only require User Alias and Password.

Tasks Detailed Steps

1. Configuring Forms Based Authentication to require users to enter only their alias and password.

a. On Exchange, Open the C:\Program Files\Exchsrvr\exchweb\bin\auth\<country>\logon.asp file with Notepad.

Note: We have a completed version of this file with the code listed below already entered. You can either copy this file over or copy and paste from that file into the file above. The file is located in C:\LabFiles\Lab 9.

b. Add the following directly under the following:

Note: Bolded Text is what needs to be added. The following text is CaSE SEnSiTiVE.

<HEAD>

<script Language=javascript>

function logonForm_onsubmit() {

if (logonForm.username.value.indexOf("@") !=-1) {

return true;

}

logonForm.username.value = "CONTOSO\\" + logonForm.username.value;

return false;

}

</script>

c. Append onsubmit="logonForm_onsubmit()” just after name=”logonForm” to the two POST lines in the logon.asp. (Approximately lines 546 & 549).

d. Click File | Save.

2. Test your login. a. Switch back to XP-Client and open Internet Explorer.

b. Type https://mail.contoso.com/exchange in the Address bar.

c. Log into Outlook Web Access. Log in with the username Administrator and the password Passw0rd1.

d. If Step c is unsuccessful or JavaScript errors are triggered, fix and check for typos in Task 1.


Exercise 3 Enable Outlook Web Access Password Change In this exercise, you will allow users to change their passwords while using Outlook Web Access. By default the settings to allow this is disabled. Empowering users to be able to change their passwords can reduce support calls and allow roaming (sales) users to abide by corporate security policies.

Changing the password requires SSL and the addition of the iisadmpwd virtual directory and setting the following key to 0 or deleting the key.

Tasks Detailed steps

<The following steps are to be performed on Exchange>

1. To enable users to change Outlook Web Access passwords through IIS, use the following steps on each IIS server to which Exchange users are redirected:

a. From the task bar click, Start | All Programs | Administrative Tools |Internet Information Services (IIS) Manager.

b. Expand EX2 (local computer) | Web Sites.

c. Right-click the Default Web Site | New | Virtual Directory.

d. Click Next when the Welcome Wizard dialog box appears.

e. In the Virtual Directory Creation Wizard, type IISAdmPwd in the Alias box, and then click the Next button.

f. In the Path field type C:\Windows\system32\inetsrv\iisadmpwd and then click the Next button.

g. Verify that only the Read and Run scripts (such as ASP) check boxes are selected and then click the Next button.

h. Click the Finish button.

2. Verify that the IISAdmPwd folder has the Anonymous Access authentication method enabled.

a. Right click on IISAdmPwd and click Properties.

b. Click the Directory Security tab.

c. Click the Edit button in the Authentication and access control section.

d. Verify that Enable anonymous access is selected.

e. Click OK and OK again.

3. Enable Password Change Options in the Registry.

a. Click Start| Run| Regedit

b. Set Disable Password Registry Key to 0

Expand HKey_Local_Machine\System\Current Control Set\Services\MSExchangeWEB\OWA

DisablePassword=00000000

Note: You can select other authentication types, but you must also select the Anonymous Access authentication method.

Note: If you do not enable the Anonymous Access option, the client and server go into an endless loop when you attempt to authenticate users who are prompted to change an expired password.

For example, if a user navigates to the site and is prompted for a password but their password has expired, the first page that they tried to access redirects them to the password expiry page. The password expiry page challenges the user, but because the user is not authenticated on the first page, the second page refuses the connection because the password has expired. When this occurs, the user is redirected back to first page; the first page redirects the user to the second page, and so on.


For additional information about a fix for this looping behavior, check the article number 275457 IIS 5.0 May Loop Infinitely When a User Is Forced to Change Their Password.

4. Zero is the default value for the PasswordChangeFlags setting, but the following steps can be used to change or confirm the setting. To change the Metabase PasswordChangeFlags setting to zero (0), you must first change it to the \inetpub\adminscripts folder on your hard drive.

a. From the task bar type Start | Run | type cmd | click the OK button.

b. At the command prompt type CD C:\Inetpub\AdminScripts and then press Enter.

c. Type cscript adsutil.vbs set ”w3svc/PasswordChangeFlags” 1 then press Enter.

Note: The following values are options for the PasswordChangeFlags setting:

0: Requires password change by SSL

1: Allows password change by non-secure ports

2: Disables password changes

4: Disables advance notification of expiration

5. After creating iisadmpwd and the reg key, you see the password change button under options in Outlook Web Access:

a. Switch to XP-Client and open Internet Explorer.

b. Type https://mail.contoso.com/exchange.

c. Log into Outlook Web Access (OWA) with the Administrator account and password Passw0rd1.

d. Click the Options link in the bottom left navigation bar.

e. Scroll all the way down and verify the Change Password button is visible.

f. Close Internet Explorer.

Note: In a front-end/back-end topology with Exchange 2000 and/or Exchange 2003 back-end servers running on both Windows 2000 servers, it is necessary to add Windows 2000 compatible Web pages to the Windows 2003 front-end server.


Exercise 4 DAV Tracing In this exercise, you will modify the registry and use the debugging tool regtrace.exe to watch the internals of exchange server. This utility is used for debugging purposes only. Regtrace.exe adds about 30% processing to the system – therefore for debugging only!

For more information visit http://support.microsoft.com/default.aspx?scid=KB;EN-US;238614

Tasks Detailed steps

Note: All tasks are to be performed on Exchange VPC.

1. Stop services for debugging on the Exchange server.

a. On Exchange, from the taskbar click, Start | All Programs | Administrative Tools | Services.

b. Stop the W3SVC (World Wide Web Publishing Service) and MSExchangeIS (Microsoft Exchange Information Store) services.

2. Add some registry keys into the registry on the Exchange Server.

a. Open Explorer and navigate to C:\LabFiles\Lab 9\ folder and double-click each of the following files and click Yes and OK to the Registry Editor prompts:

• davex-traces.reg

• exoledb-traces.reg

• exprox-traces.reg

b. Close Explorer window.

c. Open the registry editor from the task bar click, Start | Run | type regedit | click the OK button.

d. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace

e. Create the Modules registry key (or verify that it exists) of type REG_MULTI_SZ. Right click DebugAsyncTrace and click New, Multi-String Value. Name it Modules.

f. Create a value contains DAV-EXOLEDB-OWA as one of its values. Double-click Modules and enter DAV-EXOLEDB-OWA and then click OK.

3. Configure the Regtrace utility, execute an exchange task and examine the regtrace output.

a. From the task bar click, Start | Run | type Regtrace | click the OK button.

b. On the Traces tab check the checkbox for Debug Statements.

c. On the Output tab select File, and choose C:\DavTrace.atf.

d. Make the Max Trace File Size at least 50 MB. Click Apply.

e. Return to the Services window. Start the W3SVC and MSExchangeIS services.

f. Switch to XP-Client and log into OWA https://mail.contoso.com/exchange as Administrator with password Passw0rd1 and send Administrator and email.

g. Switch back to Exchange.

h. Run Regtrace, click the Output tab and click No Tracing.


i. Click the Apply button.

j. From the task bar click, Start | Run | type C:\Tools\Labs\Tools\Other Tools\Tracevwr\tracevwr.exe | click the OK button.

k. From the menu bar click, File | Open | type C:\DavTrace.atf | click the Open button.

l. View the trace info.

m. Close all open windows and log off each of the Virtual machines (DC-1, Exchange, and XP-Client).

4. Save the State of the Virtual PCs.

a. You will need the Virtual PCs for the next Lab. Follow these steps closely so you do not lose any information.

b. On each of the Virtual PC 2004 menus, click Action, Close.

c. For the drop down list under What do you want the virtual machine to do? select Save state and save changes.

d. On the Close window, uncheck the Commit changes to the Virtual hard disk box.

e. Click OK. This will save the state of the image so you can resume tomorrow without losing any work.

Note: Other Possible values/combinations for the Modules registry key:

• AQ

• CAT

• DS2MB

• dsevntwrap

• EXSINK

• IMAP4SVC

• REAPI

• RESVC

• Routing

• SMTP

• StoreDrv

• TranMsg

• DSACCESS

• MTA

Reproduce the problem that you are troubleshooting. For example, if you are reproducing a problem where mail is being returned undeliverable, send some e-mail to an address that will cause Exchange 2000 Server to return the message undelivered.

When you have reproduced the problem several times, stop tracing by clicking No Tracing from the Output menu in Regtrace. Also, on the Trace tab, make sure that the All tracing type option is not selected.


Review

1. What does Outlook Web Access Premium look like?

2. What is the deferred delete refresh percentage?

3. What version of Internet Explorer is required for all the nice new stuff?

4. What is the spell check dll?

5. What should you NOT do to the IIS Temporary Compressed Files directory?

6. What is the regkey that can turn off SSL to enable a clear netmon trace?

88 Appendix A

Appendix A

This session will have a brief look at some of the new features and compare versions

Feature Description Outlook Web Access Premium

Outlook Web Access Basic

Logon/Logoff Improvements

Logon page New customized form for logging on to Outlook Web Access; includes cookie-based validation where the Outlook Web Access cookie is invalid after user logs out or is inactive for predefined amount time.

Yes, with choice of using Outlook Web Access Basic.

Yes, but only allows use of Outlook Web Access Basic.

Clear credentials cache on logoff

After logoff all credentials in Microsoft® Internet Explorer 6 Service Pack 1 (SP1) credentials cache are cleared automatically.

Yes, in Internet Explorer 6 SP1.

No

Public or shared computer and Private computer logon options

To provide organizations with more protection, two logon page security options can be used. The private option can be set to provide a longer period before user is logged off because of inactivity.

Yes Yes

General User Interface Improvements

User interface updates New color schemes, reorganized toolbars.

Yes, plus new view menu, default user interface font, and bidirectional support.

Yes, but only one color scheme available.

Item window sizing During an Outlook Web Access session, item windows open at the last window size set by the user instead of always opening at 500x700 pixels.

Yes No

Item window status bar A status bar is now available on item windows where a user can see the destination URL of a hyperlink in an e-mail message when the mouse pointer is positioned over the link.

Yes No. Items do not open in separate windows, but the status bar is still available.

Appendix A 89



View Improvements

Two-line mail view New view orients message list vertically instead of horizontally; works well with Reading Pane.

Yes No

Reading Pane (called the Preview Pane in previous versions of Outlook Web Access)

Resizable Reading Pane now appears to right of message list by default; attachments can be opened directly from Pane. Additionally, user has option to determine if items are marked items as read when viewed in Reading Pane.

Yes No

Mark as read/unread Command enables users to mark unread messages as read or vice versa.

Yes No

Quick Flagging Command enables users to assign follow-up flag to messages.

Yes No

Context Menu Context Menu available in mail view; special context menu also available on quick flag.

Yes No

Keyboard shortcuts Common actions such as new message, mark as read/unread, and reply and forward are available when focus is in message list.

Yes No

Items per page Users can determine how many items appear per page in e-mail, contact, and task views.

Yes Yes

Mail icons Icons display state and type of messages.

Yes Yes

Deferred view update The view is auto-refreshed only after 20 percent of messages are moved or deleted from a page, not after each deletion. This results in increased performance.

Yes No

Navigation Improvements

New Navigation Pane Unified user interface contains module shortcuts, full folder tree, refresh item count button, customizable width.

Yes Shortcuts only

Search folders Outlook-created search folders are displayed in folder tree. These must be created in the Outlook Online mode.

Yes No

90 Appendix A



Notifications New e-mail and reminder notifications are displayed in Navigation Pane.

Yes No

Public folders Public folders are displayed in new window.

Yes No

Log Off option on toolbar

Log Off option is now on the view toolbar, not in the Navigation pane.

Yes No

Mail Workflow Improvements

Spelling checker Spelling checker is provided for e-mail messages.

Yes No

New addressing wells New integrated look; easier deletion of recipients.

Yes No

Global Address List Properties sheets

Property sheets now display name, address, and phone information for resolved Global Address List (GAL) users.

Yes; available in received items, draft items, Check Names dialog box, and Find Names dialog box.

Yes; only available in received items and draft items.

Add to Contacts Users can add resolved recipients in received mail or drafts to main contacts folder.

Yes, feature in Properties sheets or context menu on resolved names.

No

Send mail from Find Names

Users can send new messages to addresses found in the Find Names dialog box when it is opened from an e-mail view.

Yes No

Open Find Names from message

Users can open Find Names from a message and use it to add new recipients to a draft message; also used to add recipients to a contact distribution list.

Already available in previous versions of Outlook.

Yes

Contacts in Find Names

Users can search main contacts folder in Find Names.

Yes No

Sorted results in Find Names and Check Names

The results in Find Names and Check Names now are sorted in alphabetical order.

Yes Yes

Auto signature Users can create a signature that is automatically included in e-mail messages.

Yes, HTML-based formatting; also on-demand insertion.

Yes, plain-text formatting; no on-demand insertion.

Default mail editor font User-customizable default font is provided for e-mail editor.

Yes No

Appendix A 91



Navigate after delete Users can open the next or previous item after deleting an item.

Yes No

Read receipts Users can use or ignore read-receipt requests.

Yes; users also can send receipts even when the option is set to ignore requests.

Yes; users are not able to send receipts when option is set to ignore requests.

“Web Beacon” blocking

Users can control options for blocking external content in e-mail.

Yes Yes

Privacy protection when navigating links in e-mail.

Destination site only receives server name where e-mail message with link was located — not server name, account name, and subject of e-mail message.

Yes Yes

Attachment blocking Administrator options restrict access to some or all attachments in messages.

Yes Yes

Junk mail filtering Options to set up safe- and blocked-sender lists.

Yes Yes

Sensitivity infobar Sensitivity information is displayed in infobar.

Yes Yes

Reply/Forward infobar Reply/Forward information is displayed in infobar.

Yes Yes

No indenting replies The reply header and reply body are no longer indented.

Yes Yes; Outlook Web Access Basic never indented.

Reply to messages/posts in Public Folders

Users now can reply by e-mail to messages or posts in public folders when accessing public folders through a front-end server.

Yes Yes

Encrypted/signed mail Sending and receiving encrypted and/or signed e-mail is supported.

Yes, Internet Explorer 6 on Microsoft for Microsoft® Windows® 2000 or higher.

No

Rules Improvements

Rules Users can create and manage server-based e-mail-handling rules.

Yes No

92 Appendix A



Task Improvements

Personal tasks Users can create and manage personal tasks and receive reminders for these items.

Yes Yes, but no reminders.

Calendar Improvements

Reply/Forward Meeting Requests

Users can now reply to senders of Meeting Requests and/or forward Meeting Requests to other users.

Yes Yes

Attendee reminder Attendees can set own reminder times from received meeting requests.

Yes No

View Calendar from a meeting request

Attendees can open the calendar from a meeting request.

Yes No

Custom meeting cancellation notice

Users can now provide a response in a meeting cancellation notice.

Yes Yes

Attendee reminder Meeting attendees can set their own reminder times from a meeting request.

Yes No

View Calendar from Meeting Request

Meeting attendees can open their Calendar from a meeting request.

Yes Yes

Performance Improvements

Bytes over the wire Fewer bytes sent over the wire from server to browser. Additionally, when data is sent from the server to browser during initial logon has been reorganized to speed up rendering the Inbox.

Yes Yes

Compression support Administrators can configure compression support for Outlook Web Access and provide a performance improvement of nearly 50 percent for most actions on slow network connections.

Yes, when accessed with Internet Explorer 6 SP1 + Q328970 or higher.

Depends on the browser.

Appendix B 93

Appendix B

The following chart depicts the default settings for IIS when you select Use Forms Based Authentication. There is no user configuration required. Configuration of UPN support also is handled by Exchange System Manager.

Path Property Type Value Description

w3svc/{VS}/root IisWebDir Root of Exchange System Manager-created Exchange virtual server

45054 Integer 1 Private attribute to indicate cookie auth is enabled

IisWebDir “Exchange” virtual directory pointing to private mailbox store

AuthFlags Integer 2 Basic authentication only

LogonMethod

3 A value of 3 should correspond to MD_NETWORK_LOGON_CLEARTEXT

ScriptMaps String Inherited from parent and adds "*,{PATH}\Exchsrvr\bin\exprox.dll,1"

Path String "\\.\BackOfficeStorage\ {RHS domain of Default Recipient Policy’s Default

94 Appendix B


SMTP proxy} \MBX"

DefaultLogonDomain

String "\" Backslash necessary for UPN use


w3svc/{VS}/root/public

IisWebDir “Exchange” virtual directory pointing to root of public folders store


LogonMethod



Path String "\\.\BackOfficeStorage\ {RHS domain of Default Recipient Policy’s Default SMTP proxy}\Public Folders "

Appendix B 95


DefaultLogonDomain

String “\” Backslash necessary for UPN use


w3svc/{VS}/root/ {Any other Exchange vdir}

IisWebDir Any user-created “Exchange” virtual directory pointing to private mailbox store or public folders


LogonMethod



Path String "\\.\BackOfficeStorage\ {RHS domain selected by user }\{ MBX or path selected by user }"

DefaultLogonDomain



96 Appendix B


w3svc/{VS}/root/exchweb

IisWebDir This virtual directory is the root of Outlook Web Access static files, ASP pages and non-scriptmapped ISAPI extensions.

HttpExpires String "D, 0x278d00"

Content expires in 30 days.

AuthFlags Integer 1 Only anonymous ‘authentication’ is enabled.

AccessFlags Integer 1 Read access only

Path String "{Install path}\exchsrvr\exchweb”


w3svc/{VS}/root/ exchweb/bin


LogonMethod

Integer 3 A value of 3 should correspond to MD_NETWORK_LOGON_CLEARTEXT

AuthFlags Integer 2 Basic authentication

DefaultLogonDomain


AccessFlags Integer 517 Read access, scripts + executables can run

Path String "{Install path}\exchsrvr\exchweb\bin”

w3svc/{VS}/root/exchweb/bin/spell


Appendix B 97


LogonMethod

Integer 3 A value of 3 should correspond to MD_NETWORK_LOGON_CLEARTEXT

AuthFlags Integer 2 Basic authentication

DefaultLogonDomain



Path String "{Install path}\exchsrvr\exchweb\bin\spell”

DirBrowseFlags

Integer 62 Implies enabledirbrowsing = FALSE

w3svc/{VS}/root/exchweb/bin/auth

IisWebDir VDir which contains cookie auth ISAPI extension and related ASP pages

AuthFlags Integer 1 Anonymous authentication only


Path String "{Install path}\exchsrvr\exchweb\bin\auth”

DefaultDoc String “owalogon.asp”

EnableDefaultDoc

Boolean TRUE

98 Appendix C

Appendix C

Spellcheck tracing using NETMON

When looking at the netmon trace, it will be possible to see the client submit the text to be spell checked and also the response made by the Front-End Server.

Packet 201 – You can see here that the client has initiated a Spellcheck request through the URI = /Exchange/TiUser1/?cmd=spellcheck

1 : Packet 201

Packet 270 – This is the POST request that initiates the OWASPELL.DLL on the Front-End Server. It is also evident in this packet some of the settings configured by the client.

2 : Packet 270

For example:

Step by Step through Netmon

Appendix C 99

• IgnoreMixedDigits is set to False

• The Language (Spelllang) is set to English (United Kingdom)

• Ignore all words in Capital letters (ignoreallcaps) is set to False

These can be changed through the Options button in Outlook Web Access:

Packet 271 – This packet is immediately after the POST Packet, and this packet contains the data to be spell checked:

The data that is sent to the Front-End server is illustrated below:

3 : Packet 271

Packet 276 – This is what the Front-End sends back to the Client, as to what actually gets sent back i.e. the number of suggestions can be configured through the registry.

Within the data section of the packet, it is possible to see the Front-End Server send the Spell check results, and this is for all the words that are spelled incorrectly.

In the data portion it will read UnknownWord and then the words that are misspelled; in this example “ia” and “incrorrect”

Reading through the data portion of the packet all the suggested words will be prefixed with <sug>.

100 Appendix C

4 : Packet 276

The client will be presented the following on the screen:

And for the second word:

Appendix C 101

With this information it is possible to conclude that the ISAPI Spell-check filter on the Front-End server is working as expected.

In the example used, the client had the setting “Always check spelling before sending” checked, so even if the client initiates a manual spell check, the body of the text will get checked again.

Packet 1252 is the same as packet 270 by initiating the spell check, but this time the body of the text that is sent to the Front-End Server is as follows:

In the data section of packet 1257, there are no corrections to be made, as the following illustrates:

Note: By default, only 90 kb of data will be spellchecked. This can be amended by setting the MaxSpellDocumentSize registry key.

When replying to a message and spell checking the mail, only the text that has been added will be spell checked. If the Reply Line was deleted by the user then all of the text in the mail body will be spell checked.

The following screenshot illustrates this:

Netmon tracing when there are no errors in the spelling

To be aware of

102 Appendix C

When a message is sent with the encrypt button selected, the following dialog boxes are displayed: the first if the user clicks manual spell check. The second when the client has Always check spelling before sending configured in their options.

Appendix D 103

Appendix D

Default Metabase Settings for Gzip

The default Metabase settings for Gzip Compression are as follows:

All keys under LM\W3SVC\Filters\Compression\deflate are the same irrespective of compression level, they are as follows:

All keys under LM\W3SVC\Filters\Compression\Parameters are the same irrespective of compression level, they are as follows:

104 Appendix D

The difference in compression level is apparent on the following three keys:

W3SVC/Filters/Compression/GZip/HCDoStaticCompression

W3SVC/Filters/Compression/GZip/HCDoDynamicCompression

W3SVC/Filters/Compression/GZip/HCDoOnDemandCompression

When the compression level is set to None (False / 0), the Global Gzip Metabase settings are as follows:

The per-directory metabase settings are also toggled off, since another application could re-enable these global values (although Microsoft does not ship any others that use it yet.)

Configuring the Global Compressions settings: W3SVC/Filters/Compression/GZip/

Configuring the Exchange VRoot compression Settings: LM\W3SVC\1\ROOT\Exchange

Compression Level: None

Appendix D 105

When the compression level is set to Low (true / 1), the Metabase settings are as follows:

Configuring the Global Compressions settings: W3SVC/Filters/Compression/GZip/

Configuring the Exchange VRoot compression Settings:LM\W3SVC\1\ROOT\Exchange

Compression Level: Low

106 Appendix D

When the compression level is set to High, the Metabase settings are as follows:

Configuring the Global Gzip settings: W3SVC/Filters/Compression/GZip/

Configuring the Exchange VRoot Gzip settings: LM\W3SVC\1\ROOT\Exchange

Compression Level: High

Appendix D 107

It is possible to tweak the high compression level so that the compression level can be adjusted and not automatically overwritten when the server DS2MB process updates settings.

The registry key that needs to be set to allow this is

HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ MSExchangeWEB \ OWA Parameter: HcDynamicCompressionLevel Type: REG_DWORD Value: 0 through 10

Note: This key does not exist by default.

Possible Values: Only the integer values of 0 through 10 are valid.

By default, the high compression value is set to 3, but this can be adjusted if required, but This key mirrors the IIS metabase key

/W3SVC/Filters/Compression/Gzip/HcDynamicCompressionLevel

and actually sets its value. The Exchange attendant process (DS2MB) will pick up changes to this key while it is running but the value is only used when compression is enabled on the server via the Exchange System Administrator. When compression is disabled on the server via Exchange System Administrator, then whatever the last value was for the IIS metabase key will be left alone.

The following example is where the HcDynamicCompressionLevel has been set to 5 through the registry:

GZip Dynamic (High) Compression Level Over-ride

108 Appendix D

To implement the over-ride value for dynamic compression you must first set the Outlook Web Access\HCDynamicCompressionLevel value apply the setting and then enable or re-enable all Exchange virtual servers that use compression.

1. Set the registry key: HcDynamicCompressionLevel

2. Set the value 0 through to 10 (In the above example, 5 was used).

3. On ALL Exchange Virtual Server set the compression level to None.

4. Stop and Start the Virtual Server.

5. Set the compression level to either Low.

You may have to wait for DS2MB to run before Exchange picks up the registry value and replicates it correctly. The following will be set on the Exchange Virtual root:

Appendix D 109

If you set the Outlook Web Access\HCDynamicCompressionLevel key after you have previously enabled compression on any virtual server, it will be ignored. The Exchange system attendant will replicate the value in this key when compression is enabled or disabled for all Exchange virtual servers on the server. The same is true when removing the registry entry. It is necessary to set the Compression to None and then set compression to either be Low or High, the DS2MB process will then replicate the change to the Metabase. If you do not set the compression level back to none and recycle the virtual server the custom compression level value will not get over-written.

110 Appendix E

Appendix E

Global GZip Settings

Global GZip settings that are configured for static (low) and dynamic (high):

This scenario assumes GZip is not already configured on the server.

Path ID Value

W3svc/filters/compression/GZip/HCDoDynamicCompression

2213 True

W3svc/filters/compression/GZip/HCDoStaticCompression

2214 True

W3svc/filters/compression/GZip/HCDoOnDemandCompression

2215 True

The default settings are overwritten to reflect the values below:

Path ID Value

W3svc/filters/compression/parameters/HCDoDynamicCompression

2213 False (unless already True)

W3svc/filters/compression/parameters/HCDoStaticCompression


W3svc/filters/compression/parameters/HCDoOnDemandCompression


W3svc/filters/compression/parameters/HCSendCacheHeaders

2220 False

W3svc/filters/compression/parameters/HCNoCompressionForHTTP10

2217 False

W3svc/filters/compression/GZip/HCFileExtensions 2238 “htm html txt htc css

Overview

Appendix E 111

js xsl”

W3svc/filters/compression/GZip/HCScriptFileExtensions

2244 “”

W3svc/filters/compression/GZip/HCOnDemandCompLevel

2242 10

W3svc/filters/compression/GZip/HCDynamicCompressionLevel

2241 10

W3svc/filters/compression/parameters/HCNoCompressionForProxies

2218 False

Now that you have configured the server-wide settings so they do not affect other apps, you need to add the keys that enable GZip for the Outlook Web Access virtual roots and directories.

The following table includes the settings that you need to set:

VS/VDir/Directory ID GZip metabase entries

W3svc/{VS}/root/Exchange/ 2255 DoDynamicCompression = True

W3svc/{VS}/root/Exchange/ 2256 DoStaticCompression = True

W3svc/{VS}/root/public/ 2255 DoDynamicCompression = True

W3svc/{VS}/root/public/ 2256 DoStaticCompression = True

W3svc/{VS}/root/exchweb/ 2255 DoDynamicCompression = True

W3svc/{VS}/root/exchweb/ 2256 DoStaticCompression = True

W3svc/{VS}/root/exchweb/bin/auth/ 2255 DoDynamicCompression = False

You want to disable GZip for the logon page.

W3svc/{VS}/root/exchweb/bin/auth/ 2256 DoStaticCompression = False

W3svc/{VS}/root/exchweb/img/ Note: img reflects a directory that has been added as a new IISWebDirectory property in the parent vroot.

1002 Create a new node (keytype) under W3svc/{VS}/root/exchweb of type “IISWebDirectory” named “img”. Then set the following metabase entries on the new node:

W3svc/{VS}/root/exchweb/img/ 2255 DoDynamicCompression = False

Outlook Web Access Specific settings that must be configured for static and dynamic compression

112 Appendix E

W3svc/{VS}/root/exchweb/img/ 2256 DoStaticCompression = True

W3svc/{VS}/root/exchweb/themes/

Note: themes reflect a directory that has been added as a new IISWebDirectory property for in the parent vroot.

1002 W3svc/{VS}/root/exchweb of type “IISWebDirectory” named “themes”. Then set the following metabase entries on the new node:

W3svc/{VS}/root/exchweb/themes/ 2255 DoDynamicCompression = False

W3svc/{VS}/root/exchweb/themes/ 2256 DoStaticCompression = True

In general you can iterate over all vroots on the virtual server that have the Cookie-Auth metabase key enabled (ID = 45054, value = 1) and apply the above settings except for the root, auth, and the img directory (they need special handling).

Path ID Value

W3svc/filters/compression/GZip/HCDoDynamicCompression

2213 False (unless already true)

W3svc/filters/compression/GZip/HCDoStaticCompression

2214 True

W3svc/filters/compression/GZip/HCDoOnDemandCompression

2215 True

Then you will override these global settings with:

Path ID Value

W3svc/filters/compression/parameters/HCDoDynamicCompression


W3svc/filters/compression/parameters/HCDoStaticCompression


W3svc/filters/compression/parameters/HCDoOnDemandCompression


W3svc/filters/compression/parameters/HCSendCacheHeaders

2220 False

W3svc/filters/compression/GZip/HCFileExtensions

2238 “htm html txt htc css js xsl”

W3svc/filters/compression/GZip/HCOnDemandCompLevel

2242 10

W3svc/filters/compression/parameters/HCNoCompressionForHTTP10

2217 False

Global GZip settings that are configured for static (low) compression

Appendix E 113

W3svc/filters/compression/parameters/HCNoCompressionForProxies

2218 False

Once server-wide settings are configured so as not to interfere with other applications, the keys that enable GZip for the Outlook Web Access virtual roots and directories may be set.

VS/VDir/Directory ID GZip metabase entries

W3svc/{VS}/root/Exchange/ 2255 DoDynamicCompression = False

W3svc/{VS}/root/Exchange/ 2256 DoStaticCompression = True

W3svc/{VS}/root/public/ 2255 DoDynamicCompression = False

W3svc/{VS}/root/public/ 2256 DoStaticCompression = True

W3svc/{VS}/root/exchweb/ 2255 DoDynamicCompression = False

W3svc/{VS}/root/exchweb/ 2256 DoStaticCompression = True

W3svc/{VS}/root/exchweb/bin/auth/ 2255 DoDynamicCompression = False

You want to disable GZip for the logon page.

W3svc/{VS}/root/exchweb/bin/auth/ 2256 DoStaticCompression = False

Additional required settings

Documents

W09 Outlook Web Access