Transcript
Page 1: Outlook Anywhere Client Access to Exchange 2003 over the ... · Load balancing and front-ends Front-ends can be load balanced Windows network load balancing Separate load balancing

Outlook Anywhere Client Access to Exchange 2003 over the Internet

Kristian Andaker, Lead Program Manager, Microsoft Corporation

MSG304

Page 2

Exchange 2003: Mobility In the Box

Agenda

Exchange Internet access technologies
- Desktops: Outlook Web Access (OWA); Outlook: RPC/HTTP; IMAP4 and POP3
- Mobile devices: Exchange ActiveSync; Outlook Mobile Access

Deployment and topologies: Front-End/Back-End? Firewalls?

Security, security, security

Administration

Page 3

Scenarios and Risks

Internet access to Microsoft Exchange
- Extranet
- Telecommuters
- From home and Internet kiosks
- Co-worker's office

Understand risks
- Deployment/Configuration mistakes
- E-mail content: sent from the Internet and opened inside; sent from inside and opened from the Internet
- End-user error


Page 5

Exchange 2003 Mobile Components: Overview

(Diagram) Clients: ActiveSync clients (e.g., PPC, SP), phone & PDA browsers, laptops. They cross the Firewall/DMZ to the Front-End, which hosts RPC/HTTP and Outlook Web Access, POP3, IMAP, Exchange ActiveSync and Outlook Mobile Access, and which talks to the Mailbox (a.k.a. Back-End) server.

Page 6

Outlook Web Access (OWA): Exchange 2003 features

Everything we love in Microsoft Office Outlook 2003
- Spellchecking, Rules, Tasks
- Quick flags
- Right preview pane, two line view
- Right click 'mark as read/unread'
- Search folders (e.g. for follow up, unread)
- Attachment drag & drop

Improved performance (>50% vs. Exchange 2000)

Security: Forms based authentication, attachment blocking, external content blocking, S/MIME encryption/signing

Page 7

Outlook Web Access: Forms based authentication

- HTML 'form' where user enters credentials
- User chooses 'Premium' or 'Basic' OWA
- User chooses 'Public' machine (short timeout) or 'Private' machine (long timeout)

Timed logoff: Server uses encrypted cookie for session authentication
- Logout and timeout invalidate the cookie; user does not need to close browser to be logged out
- Doesn't time out while composing mail
- Does time out regardless of new incoming mail or reminders

Customizable logon page

Page 8

Outlook Web Access: Forms-Based Authentication

Get your own OWA trial account today
Sign Up: http://www.microsoft.com/exchange/evaluation/trial/online.asp
Access OWA: https://mail.exchangetrial.com/exchange

Page 9

RPC/HTTP: Outlook from Internet without VPN/RAS

Requirements
- Outlook 2003 (Outlook 11); configure in Exchange proxy settings*
- Microsoft Windows XP SP1 + Q331320, or SP2
- Following servers need Microsoft Windows Server 2003: Mailbox, front end, global catalog, public folder

OWA and Outlook can use same URL
- Outlook's RPC (remote procedure call) traffic wrapped in HTTPS
- Outlook client requests are proxied through Windows' "RPCProxy"
- RPCs are unwrapped on Exchange Front-End server and forwarded to appropriate servers
- Switches intelligently between RPC/HTTP and RPC/TCP

* Outlook configuration UI can be disabled with registry key

Page 10

Exchange ActiveSync (EAS)

- Windows Mobile, PalmOne, Motorola, Nokia, …
- Protocol being licensed to third parties
- E-mail, calendar and contacts synchronization (SP2: +tasks)
- 'In the box' with Exchange. No separate sync server.
- Scheduled/Manual/Up-To-Date sync
- Rich filtering and truncation options: Sync. attachments? Sync. how much of body? …
- Smart reply and smart forward: delivers attachments and full message without downloading to device
- 'Desktop ActiveSync' integration: configure from device or desktop
- 'Up-To-Date' notifications: E2003 RTM & SP1: SMTP→SMS notification; E2003 SP2: IP notification

Page 11

Outlook Mobile Access (OMA): Overview

OWA for mobile devices
- Triage e-mail (e.g., Accept Mtg)
- Find people (Contacts/AB)
- See your calendar (e.g., Create meetings)

Exchange's "device reach" solution
- Generates WML, HTML, xHTML and cHTML markup for different devices
- Microsoft .NET Framework 'Device Updates' add device support
- Exchange 2003 RTM contains 'Device Update 2'; 'Device Update 4' available today

Page 12

Deployment Basics: Topology example

1. Firewall lets through SSL (port 443) only. Add ports for POP3/IMAP with or without TLS
2. IIS on FE authenticates user
3. FE looks up which BE serves user
4. FE handles data or proxies to BE
5. BE returns data to FE, FE returns data to user

(Diagram) Internet → Firewall → Front-End (RPC/HTTP, OWA, OMA, EAS, POP3, IMAP) → Mailbox (a.k.a. Back-End) servers; the Front-End also queries the Global Catalog (Active Directory)

Page 13

Deployment Basics: Front-End server

Select 'This is a Front-End server' checkbox: Exchange System Manager → Servers → Right-click menu → Properties → 'General' tab

Why use a Front-End (FE) server?
- Offload work from Mailbox server: SSL, OWA compression, OWA spellcheck
- Single namespace (same URL) for all client access. E.g., mail.microsoft.com for all OWA, RPC/HTTP, EAS and OMA Microsoft users
- More secure and reliable: no user data on FE; no unauthenticated requests to Mailbox server; client access services run on Front-End

(Diagram) Client → Internet → Firewall → Front-End → Mailbox

Page 14

Deployment: "Must's" about Front-End servers

- Must use Exchange 2000 Enterprise Edition or Exchange 2003 Enterprise/Standard
- Front-End must be upgraded before Back-End. E.g., Exchange 2003 FE works with Exchange 2000 BE
- Front-End must be in same AD forest as Back-End
- Communication between Front-End and global catalog: IIS uses RPC for authentication. RPC ports must be open between Front-End and global catalog
- Front-End must be member of domain

Page 15

Most Secure Deployment: Perimeter network with pre-authN

1. Firewall lets through SSL (port 443) only
2. ISA 2004 pre-authenticates user using ISA forms based authentication and RADIUS
   - ISA is not member of Intranet domain
   - Does not work with Outlook Web Access GZIP compression. Need third-party ISA compression add-on
3. IIS on FE authenticates user
4. …

(Diagram) Internet → Firewall → Perimeter (ISA 2004) → Firewall → Front-End (RPC/HTTP, OWA, OMA, EAS) → Mailbox (a.k.a. Back-End) servers; the Front-End also queries the Global Catalog (Active Directory)

Page 16

Deploy OWA

Security
- Basic+NTLM by default, use with SSL
- OWA on FE: Forms-Based AuthN or Basic AuthN
- OWA on BE: Windows integrated AuthN and Digest AuthN also work
- E-mail messages don't cache on the client
- Malicious content in HTML e-mail and attachments is filtered. This sometimes causes trouble for legitimate HTML e-mail

Advanced settings
- Multiple virtual servers (web sites) / virtual directories. Create matching vservers/vdirs on FE and BE
- OWA 'Public' virtual directories can specify root public folder
- OWA 'Exchange' virtual directories specify SMTP domain
  - Before Exchange 2003 SP1: only users with e-mail addresses in that SMTP domain can use virtual directory
  - Exchange 2003 SP1: SMTP domain is only used to identify users in OWA URL (explicit logon) (e.g. …/exchange/billg)

Page 17

OWA Attachments: New in Exchange Server 2003

Attachment blocking by MIME type and file extension
- Level 1 – Blocked
- Level 2 – Can save to disc, but not open in browser
- Controlled with registry keys

Block all attachments in OWA. Or, be more specific:
- Block all when going through a FE
- Block all, except when going through an "accepted" FE server namespace. Select which FQDNs are safe for opening attachments and freedocs

By default, freedocs are blocked in public folders
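The attachment policy described on this slide, as an added example (this is a model written for this page, not Exchange's own code): Level 1 and Level 2 decisions keyed on both the file extension and the MIME type, plus the "block all via a FE unless it is an accepted namespace" rule. The extension and MIME lists, the class and function names, and the sample inputs are constructed for illustration; Exchange's real default lists live in registry keys the slide does not show.

```python
"""Added example: a model of OWA attachment blocking (Level 1 / Level 2) and the
accepted-front-end-namespace rule.  Lists below are constructed, not Exchange's defaults."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    BLOCK = "Level 1: blocked"
    SAVE_ONLY = "Level 2: save to disk, no open in browser"
    OPEN = "open or save"


def _extension(filename: str) -> str:
    """Last extension, lower-cased.  Trailing dots and spaces are stripped first, as Windows
    does when it stores the name, so 'setup.EXE.' still maps to 'exe'."""
    name = filename.rstrip(". ").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


@dataclass
class AttachmentPolicy:
    # Constructed sample lists (assumption): the real lists come from registry keys not shown here.
    level1_exts: set = field(default_factory=lambda: {
        "exe", "vbs", "js", "bat", "cmd", "scr", "pif", "msi", "reg", "hta"})
    level1_mime: set = field(default_factory=lambda: {
        "application/x-msdownload", "application/hta"})
    level2_exts: set = field(default_factory=lambda: {"doc", "xls", "ppt", "zip", "pdf"})
    level2_mime: set = field(default_factory=lambda: {
        "application/msword", "application/zip", "application/pdf"})
    block_all: bool = False            # "Block all attachments in OWA"
    block_all_via_fe: bool = False     # "Block all when going through a FE ..."
    accepted_fe_fqdns: set = field(default_factory=set)  # "... except an accepted FE namespace"

    def decide(self, filename: str, mime_type: str,
               via_front_end: bool = False, fe_host: str = "") -> Action:
        if self.block_all:
            return Action.BLOCK
        if via_front_end and self.block_all_via_fe:
            # Compare on the host name the client used (Host header), without port or trailing dot.
            host = fe_host.split(":", 1)[0].rstrip(".").lower()
            if host not in {h.rstrip(".").lower() for h in self.accepted_fe_fqdns}:
                return Action.BLOCK
        ext = _extension(filename)
        mime = mime_type.split(";", 1)[0].strip().lower()   # drop charset/name parameters
        # Extension and MIME type are both sender-controlled; the stricter verdict wins.
        if ext in self.level1_exts or mime in self.level1_mime:
            return Action.BLOCK
        if ext in self.level2_exts or mime in self.level2_mime:
            return Action.SAVE_ONLY
        return Action.OPEN


if __name__ == "__main__":
    policy = AttachmentPolicy(block_all_via_fe=True, accepted_fe_fqdns={"mail.example.com"})
    samples = [  # constructed inputs
        ("report.pdf", "application/pdf", True, "mail.example.com"),
        ("photo.jpg", "image/jpeg", True, "mail.example.com:443"),
        ("photo.jpg", "image/jpeg", True, "kiosk-proxy.example.net"),
        ("invoice.pdf.exe", "application/pdf", False, ""),
        ("notes.txt", "application/x-msdownload", False, ""),
    ]
    for name, mime, via_fe, host in samples:
        verdict = policy.decide(name, mime, via_fe, host).value
        print(f"{name:16} {mime:26} via_fe={via_fe!s:5} {host:24} -> {verdict}")
```

Both attributes are checked because the sender chooses both the file name and the Content-Type, and a browser may use either to decide how to render; "invoice.pdf.exe" is blocked on its real extension even though its MIME type says PDF, and a harmless-looking name with an executable MIME type is blocked as well.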

Page 18

OWA Administrative Tool

Page 19

Deploy RPC/HTTP

Security
- NTLM by default (configurable to Basic)
- SSL with certificate trusted by client is mandatory
- Keep only port 443 (HTTPS) open in firewall
- Only Exchange servers (Back-End, public folder) and global catalog can be accessed

Install RPCProxy on Exchange Front-End server: on Windows, install Network Services → RPC over HTTP proxy

Configure with Exchange 2003 SP1 'RPC/HTTP Publisher': Exchange System Manager → Servers → Right-click menu → Properties → 'RPC-HTTP' tab

Manual config: IIS settings/permissions, set FE/BE to be 'RPC/HTTP publisher', set BE/DC ports, set 'ValidPorts' Reg keys, …

Support webcast guidance for manual deployment: http://support.microsoft.com/default.aspx?scid=kb;en-us;829134

Page 20

Deploy Exchange ActiveSync and Outlook Mobile Access

EAS and OMA access the Mailbox server through the "/Exchange" VDir
- OMA and EAS fail when "/Exchange" uses FBA or SSL. Workaround: http://support.microsoft.com/?kbid=817379

Exchange ActiveSync
- Basic authentication, use with SSL
- Implementation: ISAPI that runs as LOCAL_SYSTEM

Outlook Mobile Access
- Basic authentication, use with SSL
- Specify SMTP domain for virtual directory: only users with e-mail addresses in that SMTP domain can use virtual directory
- OMA requires client ↔ server affinity for the duration of sessions
- Implementation: runs in separate process under ASP.NET application worker account

Page 21

Architecture

(Diagram) Clients: ActiveSync clients, phone & PDA browsers, laptops → Front-End (IIS, SSL):
- /Microsoft-Server-ActiveSync (EAS): IIS Basic → ActiveSync Protocol ISAPI
- /Exchange (OWA): Forms Based AuthN, IIS Basic/Integrated → ISAPI proxies to Mailbox Server
- /OMA (OMA): IIS Basic → ASP.NET pages, .NET FW Mobile Controls and Session State
→ Mailbox: /Microsoft-Server-ActiveSync, /Exchange, /OMA → OWA/DAV ISAPI → Store.exe → DB …

Page 22

Deploy IMAP4 and POP3

Services are off by default. MMC 'Services' snap-in: set to auto-start
- 'Microsoft Exchange IMAP4'
- 'Microsoft Exchange POP3'

Open ports: IMAP: 143; IMAP with TLS/SSL: 993; POP3: 110; POP3 with TLS/SSL: 995

Front-End proxies: uses the user's credentials to look up the correct back-end. Back-End authenticates

Page 23

Topology Considerations: SSL processing

SSL handshake is CPU-intensive
- Offload to front-end
- Hardware accelerators: separate device may be better value than another FE

SSL termination before Front-End: tell FE that SSL was used
- FBA and RPC-HTTP require registry keys
- Add "Front-End-HTTPS: on" request header for non-FBA OWA
- EAS just works. OMA does not support SSL offloading.

SSL Affinity = much better perf terminating on FE: SSL performs handshake and uses keep-alive connection for better performance
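The "tell FE that SSL was used" contract above, as an added example (a model written for this page, not Exchange's or ISA's code). It shows the offloader adding "Front-End-HTTPS: on" and the front-end deciding whether a request counts as SSL. The caveat the slide does not state, and the thing a practitioner has to get right, is that this is an ordinary request header: if the FE believes it from any source, anyone who can reach the FE over plain HTTP can claim to be on SSL. So the offloader strips any client-supplied copy and the FE only honours the header from the offloader's own addresses. The trusted address range, the function names and the 403 status are assumptions.

```python
"""Added example: SSL-offload signalling with the Front-End-HTTPS header, and why the
front-end must only trust that header from the offloader."""
import ipaddress

HEADER = "Front-End-HTTPS"
# Assumed: the addresses the SSL-terminating device connects to the FE from.
TRUSTED_OFFLOADERS = [ipaddress.ip_network("192.0.2.0/29")]


def _get_header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; header names are not case-sensitive in HTTP."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def offloader_forward(client_headers: dict, client_was_https: bool) -> dict:
    """Headers the SSL terminator sends on to the FE over plain HTTP.
    A Front-End-HTTPS header supplied by the client is always dropped, then the
    real value is added only when the client-side leg really was HTTPS."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != HEADER.lower()}
    if client_was_https:
        forwarded[HEADER] = "on"
    return forwarded


def front_end_is_secure(headers: dict, peer_ip: str, tls_on_this_hop: bool) -> bool:
    """FE-side rule: the request is secure if TLS ended on the FE itself, or if a
    trusted offloader vouched for it with Front-End-HTTPS: on.  The same header
    arriving from any other peer is ignored, so it cannot be spoofed from the Internet."""
    if tls_on_this_hop:
        return True
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_OFFLOADERS):
        return False
    return _get_header(headers, HEADER).strip().lower() == "on"


def owa_response(headers: dict, peer_ip: str, tls_on_this_hop: bool) -> int:
    """HTTP status an FE that requires SSL for OWA would return (403 for non-SSL is assumed)."""
    return 200 if front_end_is_secure(headers, peer_ip, tls_on_this_hop) else 403


if __name__ == "__main__":
    client = {"Host": "mail.example.com", "Front-End-HTTPS": "on"}   # constructed request
    via_tls = offloader_forward(client, client_was_https=True)
    via_plain = offloader_forward(client, client_was_https=False)
    print("https client through offloader :", owa_response(via_tls, "192.0.2.2", False))
    print("http client claiming header    :", owa_response(via_plain, "192.0.2.2", False))
    print("direct http with forged header :", owa_response(client, "203.0.113.5", False))
    print("tls terminated on the FE       :", owa_response({}, "203.0.113.5", True))
```

The internal firewall should make the peer check redundant by only allowing the offloader to reach port 80 on the FE, but the FE-side check costs nothing and protects against the day that rule is loosened.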

Page 24

Topology Considerations: Simplify access URLs

Change OWA access URL from 'https://mail.microsoft.com/exchange' to 'https://mail.microsoft.com'
- IIS Manager → Default Web Site → right-click menu → Properties → 'Home Directory' tab
- In the 'Redirect to' field, type '/exchange'
- Click 'A directory below URL entered'

Page 25

Topology Considerations: Load balancing and front-ends

Front-ends can be load balanced
- Windows network load balancing
- Separate load balancing hardware
- DNS round-robin

Forms-based authentication
- Client ↔ Server affinity for duration of session is required
- Cookie can only be decrypted by FE that issued it

Proxies and firewalls may affect load balancing
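An added example (a model written for this page, not Exchange's implementation) that ties the forms-based authentication slide (encrypted session cookie, short timeout for a public machine and long for a private one, logout and timeout invalidating the cookie, polls for new mail or reminders not keeping the session alive) to the affinity point above: the cookie can only be decrypted by the FE that issued it. Each FrontEnd object holds its own random key and its own logout list, so a cookie sent to a different FE fails authentication and the user is sent back to the logon form. The cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example needs only the standard library), the 15-minute and 24-hour timeouts, and all names are illustrative choices, not Exchange's.

```python
"""Added example: per-front-end encrypted session cookies with idle timeout and logout."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Assumed idle timeouts; the slide only says the public choice is the short one.
PUBLIC_IDLE = 15 * 60
PRIVATE_IDLE = 24 * 60 * 60


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustration, not Exchange's cipher)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class FrontEnd:
    """One OWA front-end with its own cookie key and its own logout list."""

    def __init__(self, name: str):
        self.name = name
        self.key = secrets.token_bytes(32)   # never shared: other FEs cannot open this FE's cookies
        self.revoked: set = set()            # session ids invalidated by explicit logout

    def _seal(self, session: dict) -> str:
        plain = json.dumps(session).encode()
        nonce = secrets.token_bytes(16)
        ct = _xor(plain, _keystream(self.key, nonce, len(plain)))
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        return base64.urlsafe_b64encode(nonce + ct + tag).decode()

    def _open(self, cookie: str):
        try:
            raw = base64.urlsafe_b64decode(cookie)
        except (binascii.Error, ValueError):
            return None
        if len(raw) < 16 + 32:
            return None
        nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # wrong FE's key, or tampered cookie
            return None
        return json.loads(_xor(ct, _keystream(self.key, nonce, len(ct))))

    def issue(self, user: str, public_machine: bool, now: int) -> str:
        session = {"sid": secrets.token_hex(8), "user": user, "last": now,
                   "idle": PUBLIC_IDLE if public_machine else PRIVATE_IDLE}
        return self._seal(session)

    def validate(self, cookie: str, now: int, activity: bool = True):
        """Return (user, cookie_to_set) or (None, None).  A request that is user activity
        (clicking, the compose page's keep-alive) refreshes the idle clock and gets a
        re-sealed cookie; a background poll for new mail or reminders (activity=False) does not."""
        session = self._open(cookie)
        if session is None or session["sid"] in self.revoked:
            return None, None
        if now - session["last"] > session["idle"]:
            return None, None
        if not activity:
            return session["user"], cookie
        session["last"] = now
        return session["user"], self._seal(session)

    def logout(self, cookie: str) -> None:
        """Explicit logout: the cookie is useless from now on even if the browser keeps it."""
        session = self._open(cookie)
        if session is not None:
            self.revoked.add(session["sid"])


if __name__ == "__main__":
    fe1, fe2 = FrontEnd("FE1"), FrontEnd("FE2")
    t0 = 1_700_000_000
    cookie = fe1.issue("alice", public_machine=True, now=t0)
    print("same FE, 10 min later     :", fe1.validate(cookie, t0 + 600)[0])
    print("other FE (no affinity)    :", fe2.validate(cookie, t0 + 600)[0])
    print("same FE, 16 min idle      :", fe1.validate(cookie, t0 + 16 * 60)[0])
```

Because only the issuing FE can open the cookie, the logout list can stay local to that FE; that is the upside of the affinity requirement the slide mentions. A deployment that wanted to drop affinity would have to share the key across FEs and then also share the revocation state, or accept that a logout is only honoured by one of them.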

Page 26

Topology Considerations: Use a perimeter network

Perimeter network
- Contains servers that accept unauthenticated requests from Internet
- Contain damage if perimeter server is hacked
- Minimize # of ports and communication between Intranet and DMZ

Firewalls
- External: port filtering, packet inspection, etc.
- Internal: + IP filtering
- Your organization's security requirements

Use a reverse proxy in DMZ
- Even more secure: ISA2004 can pre-authN in DMZ without being domain member, using RADIUS
- SSL Bridging (decrypt, inspect, re-encrypt) or SSL Passthrough (don't inspect)

(Diagram) Perimeter: Reverse Proxy and/or Pre-AuthN → Front-End

Page 27

Security: Firewall between FE and BE

- Disable DSACCESS pings & NETLOGON
- Difficult to administer remotely

Protocol   Port                            Destination
HTTP       80 TCP                          BE servers
POP3       110 TCP                         BE servers
IMAP4      143 TCP                         BE servers
RPC-HTTP   6001 & 6004 TCP, 6002 (SP1)     BE servers
Kerberos   88 TCP & UDP                    Global Catalogs
LDAP       389 TCP & UDP, 3268 TCP         Global Catalogs
RPC        135 TCP, 1024+ or fixed port ☺  Global Catalogs
DNS        53 TCP & UDP                    DNS servers
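The table above as data, in an added example (not Microsoft's tooling): it audits a proposed FE → BE/GC/DNS rule set for flows the table requires but the rules do not allow, flags zone-wide "any port" rules, and derives from the same BE/GC port numbers the RPCProxy 'ValidPorts' string that the manual RPC/HTTP configuration on the Deploy RPC/HTTP slide asks for. The zone names, the 1024-65535 dynamic RPC range, the server names and the exact ValidPorts syntax are assumptions to verify against the manual-deployment guidance that slide cites.

```python
"""Added example: the FE -> BE/GC/DNS port table as data, a rule-set audit, and the
derived ValidPorts string.  Zone names and server names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    protocol: str
    transport: str      # "tcp" or "udp"
    ports: tuple        # (low, high), inclusive
    destination: str    # "BE", "GC" or "DNS" (assumed zone names)


def _range(spec: str) -> tuple:
    """'80' -> (80, 80); '6001-6002' -> (6001, 6002); 'any' -> (1, 65535)."""
    if spec == "any":
        return (1, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def required_flows(fixed_rpc_port=None) -> list:
    """The slide's table.  The RPC dynamic range is assumed to be 1024-65535 unless the GC's
    RPC listener has been pinned to a fixed port (the table's 'or fixed port')."""
    rpc = str(fixed_rpc_port) if fixed_rpc_port else "1024-65535"
    rows = [
        ("HTTP", "tcp", "80", "BE"), ("POP3", "tcp", "110", "BE"), ("IMAP4", "tcp", "143", "BE"),
        ("RPC-HTTP", "tcp", "6001-6002", "BE"), ("RPC-HTTP", "tcp", "6004", "BE"),
        ("Kerberos", "tcp", "88", "GC"), ("Kerberos", "udp", "88", "GC"),
        ("LDAP", "tcp", "389", "GC"), ("LDAP", "udp", "389", "GC"), ("LDAP GC", "tcp", "3268", "GC"),
        ("RPC endpoint mapper", "tcp", "135", "GC"), ("RPC", "tcp", rpc, "GC"),
        ("DNS", "tcp", "53", "DNS"), ("DNS", "udp", "53", "DNS"),
    ]
    return [Flow(p, t, _range(s), d) for p, t, s, d in rows]


@dataclass(frozen=True)
class Rule:
    destination: str
    transport: str      # "tcp", "udp" or "any"
    ports: str          # "443", "6001-6004" or "any"


def _covers(rule: Rule, flow: Flow) -> bool:
    if rule.destination != flow.destination:
        return False
    if rule.transport not in ("any", flow.transport):
        return False
    low, high = _range(rule.ports)
    return low <= flow.ports[0] and flow.ports[1] <= high


def audit(rules: list, fixed_rpc_port=None) -> dict:
    """missing: required flows no rule allows.  broad: rules that open every port to a zone,
    which defeats the point of a firewall between FE and BE."""
    required = required_flows(fixed_rpc_port)
    missing = [f for f in required if not any(_covers(r, f) for r in rules)]
    broad = [r for r in rules if r.ports == "any"]
    return {"missing": missing, "broad": broad}


def valid_ports(back_ends: list, global_catalogs: list) -> str:
    """RPCProxy 'ValidPorts' string for the BE ports in the table (6001-6002 and 6004) and the
    GC port 6004, each server listed by short name and FQDN.  The 'server:ports;...' syntax is
    an assumption to check against the manual RPC/HTTP deployment guidance."""
    def names(fqdn):
        return [fqdn.split(".")[0], fqdn]
    parts = []
    for be in back_ends:
        parts += [f"{n}:6001-6002" for n in names(be)]
        parts += [f"{n}:6004" for n in names(be)]
    for gc in global_catalogs:
        parts += [f"{n}:6004" for n in names(gc)]
    return ";".join(parts)


if __name__ == "__main__":
    proposed = [Rule("BE", "tcp", "80"), Rule("BE", "tcp", "6001-6004"),
                Rule("GC", "any", "any"), Rule("DNS", "udp", "53")]   # constructed rule set
    report = audit(proposed)
    for flow in report["missing"]:
        print(f"missing: {flow.protocol} {flow.transport}/{flow.ports} -> {flow.destination}")
    for rule in report["broad"]:
        print(f"too broad: {rule}")
    print(valid_ports(["exbe1.corp.example.com"], ["gc1.corp.example.com"]))
```

Pinning the GC's RPC listener to a fixed port (the table's smiley) is what turns the "1024+" row into a single rule; the audit shows the difference by reporting the dynamic range as missing until a fixed port is declared.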

Page 28

Security: Front-End ↔ Mailbox server communication

- Use a trusted physical/switched network, or IPSec everything or specific ports such as 80 (HTTP)
- Cannot use SSL
- Exchange 2000 – Basic Auth; Exchange 2003 – Integrated Auth

IIS: disable non-essential script mappings and extensions
- IIS5: use "IIS Lockdown" tool to do this
- IIS6: more "locked down" by default
- URLScan: KB 823175

Stay up-to-date with Windows/IIS fixes!

Page 29

RSA SecurID

- RSA provides SecurID filter for IIS
- ISA2000+ includes SecurID filter
- OWA: IIS and ISA SecurID. 'SecurID expiration' fails; workaround: use OWA FBA expiration
- RPC/HTTP: no SecurID
- EAS: IIS SecurID compatible (not ISA)
- OMA: IIS and ISA SecurID compatible, for devices supported by both RSA and OMA. No 'single-sign-on' with only SecurID credentials

Page 30

Turning Mobile Services On/Off

(Screenshot: Exchange System Manager, showing settings at Default: Enabled and Default: Disabled)

Page 31

Client Access Admin

(Screenshot: Active Directory Users & Computers, showing a setting at Default: Enabled)

Page 32

OWA Admin (ESM)

Compression is GZIP
- Only with forms-based authentication
- FBA pages detect browsers with malfunctioning GZIP: Internet Explorer 6 SP1 + Q813489, Netscape 6+
- Only with IIS6 (Win2003)
- Low: static pages. High: static and dynamic pages (more server load)

FBA is configured for a virtual server (Web site)
- Applies only to OWA virtual directories

Page 33

Gotcha's

Character sets
- HKLM\System\CurrentControlSet\Services\MSExchangeWEB\OWA\UseRegionalCharset = '1' makes OMA, EAS and OWA use regional character sets to send e-mail
- UseGB18030 = '1' and UseISO8859_15 = '1' make OMA, EAS and OWA replace GB2312 with GB18030 and iso-8859-1 with iso-8859-15 respectively

Mobile devices
- Can change name of '/Exchange' and '/OMA' vdirs, but ActiveSync devices can access only '/Microsoft-Server-ActiveSync'
- EAS/OMA workaround when Mailbox server /Exchange vdir uses FBA or SSL: http://support.microsoft.com/?kbid=817379
- OMA is disabled by default

Page 34

Your Feedback is Important!

Please write the number located in the bottom left hand corner of your name badge on the top of the Evaluation Form. This number links back to your registration details so that we can contact you after TechEd.

When completing the Evaluation Form, please tick the number that best corresponds to your experience at TechEd. For additional comments, use the comments section at the end of each form.

Page 35

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Page 36

Recommended