Contents
Overview
Lesson 1: Summary of Features
Lesson 2: Outlook Web Access Basic
Lesson 3: Outlook Web Access Premium
Lesson 4: Outlook Web Access and the Browser
Lesson 5: Outlook Web Access and Forms Based Authentication
Lesson 6: Outlook Web Access S/MIME Control
Lesson 7: Outlook Web Access Attachment Blocking
Lesson 8: Other Features
Lesson 9: Outlook Web Access Spell Check
Lesson 10: Outlook Web Access and Gzip Compression
Lab A: Outlook Web Access
Review
Appendix A
Appendix B
Appendix C
Appendix D
Appendix E
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Module 9: Outlook Web Access 1
Overview
Introduction
The Outlook Web Access Basic client is designed to run in most common
browsers (compliance with the HTML 3.2 and European Computer
Manufacturers Association [ECMA] Script standards is required). Outlook Web
Access Basic has a different user interface than the Premium client and only a
subset of the Premium client’s functionality. Outlook Web Access Basic,
however, is the preferred client for users with accessibility needs.
This document provides a quick overview of what was added to Outlook Web
Access Basic in Exchange 2003.
Unlike the Premium experience, Outlook Web Access Basic does not support
right-to-left layouts for languages such as Arabic and Hebrew. Toolbars and
view headers are not fixed to the top of the window, so when the user scrolls
down in the view, the toolbars and view headers scroll off screen.
Logon Page
When you access your e-mail account through Outlook Web Access, you will
be directed to a logon page if you are logging on via a front-end server like
https://mail.northwindtraders.com/exchange.
If you are using Internet Explorer 5.01 – Internet Explorer 6.0 or greater for
Windows as your browser, you will get the Outlook Web Access Premium
version of the logon page, where you can choose the Premium or Basic client. If
you are using any other browser, you will not have this choice.
The security-level feature functions exactly the same as described for Outlook
Web Access Premium and has the same effect on how long your session can be
inactive before expiring.
UI Revamp
Once you log in to Outlook Web Access Basic, you will notice that the user
interface (UI) has been refreshed from battleship gray to the same true-blue
color scheme as in the Premium version. However, this is the only color scheme
available for the Basic client. Also, the Basic client still uses the browser’s
default font for displaying UI text.
The enhancements to the e-mail view include:
• An option to set the number of items that display per page in the message
  list — now you are not just stuck at 25 (see the “Messaging Options”
  section of the Outlook Web Access options page).
• Icons in your mail folders show the types of messages you have received
  and whether the messages are read or unread.
• The “By Conversation Topic” view has been improved to put the newest
  conversation at the top of the messages list.
Outlook Web Access Basic does not have a Reading Pane, context menus, the
ability to mark as read/unread, Quick Flagging, keyboard shortcuts, or deferred
refresh after delete.
Options - Junk Mail Filtering
Outlook Web Access Basic does allow you to manage your junk e-mail
settings, but you cannot add new senders to the block or safe lists directly from
the view. Instead, you must manage these settings completely from the “Privacy
and Junk E-mail Prevention” section of the Outlook Web Access options page.
Just choose the “Manage Junk E-mail Lists” button, and you will be taken to an
interface where you can add, modify, or remove members in your block and
safe lists.
The contents of the block and safe lists will be the same whether you manage
them from Outlook, Outlook Web Access Basic, or Outlook Web Access
Premium.
Navigation
There have been cosmetic changes to the Outlook Web Access Basic
Navigation Pane. There is now a link there for quick access to your Junk Mail
folder, and the Public Folders link is now in the Navigation Pane, too. But
otherwise the Navigation Pane functions as it always has.
Outlook Web Access Basic provides no access to Search Folders or rules. There
are no commands for updating folders or for making it easier to drag items into
folders, because Outlook Web Access Basic does not show folders in the
Navigation Pane. And there are no notifications in the Outlook Web Access
Basic Navigation Pane for new mail or pending reminders. In fact, Outlook
Web Access Basic does not display reminders at all.
Outlook Web Access Basic does not have a spell checker, and the functionality
of adding/removing the addresses in the recipient wells has not been changed.
GAL Properties Sheets
If a name in an e-mail message or meeting form has been resolved against the
Global Address List (GAL), in the properties dialog you now will see some of
the key GAL properties for that address — not just the display name and SMTP
address of the recipient. Just click any resolved name in an e-mail you are
writing or reading to see its properties sheet.
Outlook Web Access does not show the full range of GAL properties that
Outlook shows, just the main address and phone information that is listed in the
GAL for the address.
Simple SMTP addresses or addresses that come from your Contacts folder still
show the same information as was available before: display name and SMTP
address.
Unlike in Outlook Web Access Premium, Outlook Web Access Basic does not
have buttons for invoking e-mail properties from Find Names or Check Names.
Outlook Web Access Basic does not have the “Add to Contacts” feature on
properties sheets or anywhere else in the client.
Find Names Enhancements
You now can add names found in a GAL search directly to a message or a
meeting request you’re composing. Just click on any of the address book icons
in the mail or meeting compose forms to launch Find Names.
Find Names now appears in its own window, and the results of your query are
sorted alphabetically.
You cannot search Contacts in the Outlook Web Access Basic Address Book —
only the GAL.
Auto Signature
You can create a plain-text auto signature in basic Outlook Web Access in the
editor under “Messaging Options” on the Outlook Web Access options page.
If you already have created a signature in Outlook Web Access Premium, then a
plain-text representation of that signature will exist in Outlook Web Access
Basic. If you make any edits to the signature in Outlook Web Access Basic,
however, you will overwrite all custom formatting in your Outlook Web Access
Premium signature.
You cannot insert a signature on demand in Outlook Web Access Basic — you
either enable it to be inserted automatically or not at all.
Navigate After Delete
Outlook Web Access Basic does not have special options for where to go after
deleting an open message. You always return to the message list.
Read Receipt Settings
By default, Outlook Web Access for Exchange 2003 will not send read receipts
automatically.
If you change the setting to always send read receipts, then Outlook Web
Access will fall back to the old behavior of automatically filling all read-receipt
requests without notifying you about those requests.
Please note that how you set this option in the Premium client will affect the
behavior in the Basic client and vice versa.
“Web Beacon” Blocking
This is the same in Outlook Web Access Basic as it is in Outlook Web Access
Premium. If you enable or disable the feature in the Premium client, it will
affect behavior in the Basic client and vice versa.
Privacy Protection When Following a Link in E-Mail
This feature is the same in Outlook Web Access Basic as Outlook Web Access
Premium.
Attachment Blocking
This administrative setting affects Outlook Web Access Basic the same way it
affects Outlook Web Access Premium.
Sensitivity and Reply/Forward Infobar
This feature is the same in Outlook Web Access Basic as Outlook Web Access
Premium.
Reply Header and Body Not Indented
Because Outlook Web Access Basic uses a plain-text mail editor, Outlook Web
Access Basic has never indented old message content on reply or forward.
Item Window Size and Status Bar
Because items in Outlook Web Access Basic do not display in their own
windows, the window-size feature does not apply to Outlook Web Access
Basic. Furthermore, because Outlook Web Access Basic runs in the full
browser window and does not open individual item windows, the status bar
always has been available when items are open.
Mail in Public Folders
This feature is the same in Outlook Web Access Basic as Outlook Web Access
Premium.
Signed and Encrypted Mail
There is no S/MIME mail in Outlook Web Access Basic. However, Outlook
Web Access Basic now lets you open attached e-mail within a clear-signed
message. Furthermore, Outlook Web Access Basic preserves the message body
contents (but not attachments) when you reply to or forward a clear-signed
message.
Rules
There is no rules interface in Outlook Web Access Basic. However, your e-mail
still is processed according to the server-side rules you set from Outlook or
Outlook Web Access Premium.
Personal Tasks
All of the task-related features available in Outlook Web Access Premium also
are available in Outlook Web Access Basic except for reminders. (You can set a
reminder date and time, but no reminder will ever appear in Outlook Web
Access Basic.) Of course, because of UI differences, the way to complete
certain actions may be different.
For example, in the task view, to mark an item as complete, you cannot just
click a “Mark Complete” checkbox as in Outlook Web Access Premium.
Instead, you must select the task to mark complete and then choose the “Mark
Complete” button on the toolbar.
Or when composing a task, the user interface for choosing a task start date, due
date, or reminder date is very different in the Basic client from the Premium
client.
Meeting Request Enhancements
Several popular Outlook Meeting Request features now have been added to
Outlook Web Access Basic Meeting Requests.
1. You now can forward Meeting Requests to people not originally on the
organizer’s invite list (even if you’re the organizer). You also can create an
e-mail reply to a meeting organizer (and optionally all the attendees)
directly from a Meeting Request.
2. When canceling meetings, you now can edit the meeting cancellation notice
before it is sent to explain the reason for the cancellation.
3. Invitees can open the Calendar from a Meeting Request so that they can
view their schedules while evaluating the Meeting Request.
However, attendees cannot set reminders on accepted Meeting Requests in
Outlook Web Access Basic.
Performance
The Outlook Web Access team has made great efforts to improve the product’s
speed by reducing the bytes of code that must travel from the server to the
browser in response to common user actions. By sending fewer bytes, you have
to wait less time to see the results of your actions. Plus, if your Exchange
administrator enables Outlook Web Access compression and you are using
Internet Explorer 6 SP1 for Windows with patch Q328970 or higher, the byte
reduction — and resulting speed gains — are even greater.
Outlook Web Access also downloads necessary client-side files to your browser
while you are entering your credentials on the logon page. By the time you are
logged in, essential scripts and controls already should be on your computer and
ready for Outlook Web Access to use, thus making your Inbox appear more
quickly.
Overall, even with the enhanced interface and multitude of new features about
which you will read in the following pages, Outlook Web Access should seem
faster — especially over slow connections — and respond more quickly to your
commands.
Logon Page
Outlook Web Access now offers a new-look logon page. This page requires
SSL and is called Forms Based Authentication.
You are still required to type your DOMAIN\username and network password
to enter your account.
This logon page is more than a cosmetic change — it offers several elements of
new functionality.
Choose Your Outlook Web Access Version
You can choose which version of the Outlook Web Access client to load — the
Premium client, which is designed specifically for Internet Explorer 5.01 –
Internet Explorer 6.0 or greater for Windows, or the Basic client, which runs in
most browsers.
You might wonder why you would ever want to load up the Basic client if you
are running Internet Explorer 5.01 or higher. There are two reasons: speed and
accessibility.
Because Outlook Web Access Basic must work in any browser (or at least those
browsers that support HTML 3.2 and ECMA Script), it is designed to be a
simple user experience that loads quickly. On a slow link, the Basic client may
be the best option if you just need to quickly check your Inbox or look up the
time of an appointment on your Calendar.
But Outlook Web Access Basic lacks some useful features available in the
Premium client, and it also has a less familiar user interface (UI) that bears little
in common with Microsoft Outlook. (Improvements in the Basic client are
covered later in this document.) For longer Outlook Web Access sessions, the
workflow enhancements in the Premium client may prove more beneficial than
the raw download speed of Outlook Web Access Basic.
If you are a user with accessibility needs, however, you are likely to prefer the
Basic client. The simple HTML 3.2 in which the Basic client is written interacts
well with common screen readers and other accessibility aids.
Choose Your Security Level
Besides choosing which version of Outlook Web Access to use, you also must
choose a security level that’s appropriate for the computer from which you are
logging in. The security level determines how long your Outlook Web Access
session will remain open if you leave the computer unattended.
Public or Shared Computer
If you are connecting from a public Internet kiosk, you should choose the
“Public or Shared Computer” option. You will remain logged in to Outlook
Web Access as long as your session is not inactive for more than 15 minutes.
Private
If you are logging in from your computer at home or work, you should choose
the “Private” option. You will remain logged in to Outlook Web Access as
long as your session is not inactive for more than 24 hours. (The period of
inactivity required before automatic logoff on public and private computers can
be shortened or lengthened for all users by an Outlook Web Access
administrator.) Each has a specific registry setting that controls the timeout
value.
This new feature is designed to safeguard access to your account. Outlook Web
Access’ power resides in the fact that you can use it to view your corporate
mail, appointments, contacts, and tasks from any computer that is connected to
the Internet. But this convenience opens up a security risk.
In the past, it has been possible for you to open an Outlook Web Access session
on a public Internet terminal and then leave the terminal with your Outlook
Web Access session available to future terminal users. That was because
Outlook Web Access relied on the browser to store your Outlook Web Access
username and password. To clear the browser’s credentials cache, you had to
close the browser.
If you were using Outlook Web Access at an Internet terminal where it was
impossible to close the browser when you were done with the terminal, your
Outlook Web Access credentials would remain stored in the terminal’s browser.
Thus the next terminal user may have been able to go through the browser’s
history log to gain unfettered access to your Outlook Web Access account.
Now when you log on to Outlook Web Access using the new logon page, your
credentials are stored in a session cookie. Instead of needing to close the
browser to log off, you merely need to click the “Log Off” button in Outlook
Web Access (closing the browser will also still log you off). The session cookie
is expired, and access to your account is closed. Thus at a public Internet
terminal, now you can log off from Outlook Web Access with confidence that
your account will not be open to future users.
And if you accidentally leave the terminal without logging off from Outlook
Web Access, automatic logoff reduces the risk of unauthorized access to your
account by causing the session cookie to expire after a period of inactivity. By
choosing the “Public” option when you log on to Outlook Web Access from an
Internet terminal or shared computer, you do your part in keeping your data
secure by shortening the period of inactivity that is required for automatic
logoff to occur.
Activity versus Inactivity
Because you are going to be logged off from Outlook Web Access after a
certain amount of inactivity, it is important to understand what constitutes
activity.
In general, any interaction between the client and the server is considered
activity: opening, sending, or saving an item; switching folders or modules;
refreshing the view or the browser. Outlook Web Access Premium also has
special code so that typing in a message body is counted as activity. However,
typing in any other type of item (appointment, meeting request, post, contact,
task, etc.) is not considered activity.
There is no warning before automatic logoff occurs. If you have any concern
that you are going to be logged off automatically, the best thing to do is every
so often perform one of the actions that causes interaction with the server.
If you do get automatically logged off while working in Outlook Web Access
Premium, the effects are not catastrophic. When you try to perform some action
— for example, sending a meeting request after logoff has occurred — you will
be prompted to log in again. Once you are reconnected, you can perform the
action that previously resulted in the prompt to log in.
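The inactivity rule described above, modelled in Python as an added example; it is not part of the original module and is not Exchange's own code. The `SessionStore` and `FakeClock` classes, the server-side session table and the injected clock are assumptions for illustration; the 15-minute and 24-hour limits and the "any client-to-server interaction counts as activity" rule come from the text.

```python
import secrets

# Idle limits from the text: 15 minutes for "Public or Shared Computer",
# 24 hours for "Private". An administrator can change both.
IDLE_LIMIT_SECONDS = {"public": 15 * 60, "private": 24 * 60 * 60}


class ReauthenticationRequired(Exception):
    """Raised when a request arrives without a live session."""


class FakeClock:
    """Constructed clock so the example runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Hypothetical server-side session table keyed by the cookie value."""

    def __init__(self, clock, limits=None):
        self._clock = clock
        self._limits = dict(limits or IDLE_LIMIT_SECONDS)
        self._sessions = {}  # token -> [user, level, last_activity]

    def log_on(self, user, level):
        if level not in self._limits:
            raise ValueError("unknown security level: %r" % level)
        token = secrets.token_urlsafe(32)  # unguessable session cookie value
        self._sessions[token] = [user, level, self._clock()]
        return token

    def request(self, token):
        """Any client-to-server interaction: open, send, save, refresh."""
        entry = self._sessions.get(token)
        if entry is None:
            raise ReauthenticationRequired("no such session")
        user, level, last_activity = entry
        if self._clock() - last_activity > self._limits[level]:
            # Expire on the server so a replayed cookie is useless afterwards.
            del self._sessions[token]
            raise ReauthenticationRequired("session expired after inactivity")
        entry[2] = self._clock()  # activity resets the idle timer
        return user

    def log_off(self, token):
        """The "Log Off" button: the session ends at once, browser still open."""
        self._sessions.pop(token, None)


def run_demo():
    clock = FakeClock()
    store = SessionStore(clock)
    kiosk = store.log_on("DOMAIN\\username", "public")
    home = store.log_on("DOMAIN\\username", "private")
    outcome = {}

    # Two requests ten minutes apart: each one resets the idle timer, so the
    # kiosk session is still alive 20 minutes after logon.
    clock.advance(10 * 60)
    outcome["kiosk_at_10_min"] = store.request(kiosk)
    clock.advance(10 * 60)
    outcome["kiosk_at_20_min"] = store.request(kiosk)

    # Sixteen minutes with no server traffic (for example typing in an
    # appointment form, which the text says is not counted as activity).
    clock.advance(16 * 60)
    try:
        outcome["kiosk_after_16_min_idle"] = store.request(kiosk)
    except ReauthenticationRequired as exc:
        outcome["kiosk_after_16_min_idle"] = str(exc)

    # The private session has been idle 36 minutes, far below 24 hours.
    outcome["home_after_36_min_idle"] = store.request(home)

    # Explicit logoff ends the session regardless of the idle limit.
    store.log_off(home)
    try:
        outcome["home_after_log_off"] = store.request(home)
    except ReauthenticationRequired as exc:
        outcome["home_after_log_off"] = str(exc)
    return outcome


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(step, "->", result)
```
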
If your mailbox is on a Microsoft® Exchange 2000 Service Pack 3 (SP3) server
instead of an Exchange 2003 server, you may find the experience of
reconnecting after automatic logoff a bit more cumbersome. That is because
you may not be prompted to log in again in some circumstances. You will
perform an action, and Outlook Web Access will appear unresponsive.
Do not fret! Leave your item windows open. All you need to do in this
circumstance is go to the browser window that contains the main Outlook Web
Access view (such as your inbox or calendar), refresh the browser, and you will
see the log on screen again. Once you are reconnected, you can perform the
action that previously was unresponsive.
Later this document will cover how the automatic logoff experience applies to
Outlook Web Access Basic.
Clearing the Credentials Cache
If you do not access Outlook Web Access through the new logon page, Outlook
Web Access logoff is still more secure for users of Internet Explorer 6 SP1 for
Windows. With Internet Explorer 6 SP1, the browser’s credentials cache is
cleared upon logoff from Outlook Web Access. Closing the browser window is
no longer necessary to clear the credentials cache.
UI Revamp (1)
Once you log in to Outlook Web Access, you always start in your Inbox, so that
is the next stop on this tour.
New Mail View and Reading Pane
Besides the new blue color scheme and cleaned-up toolbar, you will
immediately notice the new “Two-Line View” of messages in your inbox with
the Reading Pane (previously known as the Preview Pane) to the right.
The new layout provides more content in the Reading Pane without diminishing
the number of visible items in the message list.
One size does not fit all when it comes to the amount of screen space to allocate
between the message list and the Reading Pane. So now you can divide up the
space as you prefer for every mail folder in your mailbox. And Outlook Web
Access will remember your preferences even after you log off.
Just put your mouse pointer in the boundary between the list and the preview
pane. When you see the pointer change to , hold the primary mouse button
and drag to resize.
If you prefer the classic layout with the Reading Pane at the bottom, you can
move it back there — or turn it off altogether with the Reading Pane toggle on
the toolbar.
You also can return to the traditional layout of your message list or switch into
any of the other Outlook Web Access views you have come to rely on. The
view menu now is located just above the message list.
There also are new options for determining whether to automatically mark a
message as read when you view it in the Reading Pane. These options are
available in the “Reading Pane Options” section of the Outlook Web Access
Options Page.
Mark as Read/Unread
The mail view has not just been reoriented — it has new commands, too.
The features “Mark as Read” for unread messages and “Mark as Unread” for
previously read messages are available in two ways:
• As keyboard shortcuts.
• As part of a new context menu in the mail view.
Quick Flagging
You will notice there are flagging commands on the context menu. With them,
you can quickly flag a message for follow-up or mark complete an item that
was previously flagged for follow-up. You also can completely clear the flag
status.
These follow-up flags are different from the flags you could set in past versions
of Outlook, because they do not have an associated reminder that you can set to
pop up at a desired time. And you cannot use them as a means to flag items you
send to other users. Quick Flags simply provide a visual indicator for letting
you see which items in your mail you marked as needing further action.
It is not necessary to use the context menu to flag an item; you can click the
blank flag icon next to the message that you want to flag. If the flag already has
been turned on, you can mark the flag as complete by clicking it again. To clear
the flag completely, though, you must use the context menu.
And, finally, if you get tired of farmhouse red for your flag color, you can right-
click the flag icon to bring up a context menu of six choices ranging from
harvest yellow to aquamarine blue.
Junk Mail Filtering
Outlook Web Access now has tools to help you keep unwanted junk mail out of
your inbox.
Once you enable the option to filter junk e-mail under the “Privacy and Junk E-
mail Prevention” section of the Outlook Web Access options page, you will be
able to quickly add specific senders to your block list.
When you get mail that is from a junk-mail sender, right-click on the message
in the message list and choose “Add Sender to Blocked Senders List.” All
future mail from that sender will go straight to your Junk Mail folder. Note:
You will still have to delete the original message to get it out of your inbox.
If your Exchange administrator has enabled the server-side junk-mail filter (not
shipping on the Exchange 2003 CD), then all incoming messages will be
scanned, and those that are judged as likely to be spam will be moved
automatically to the Junk Mail folder. If mail from some senders is falsely
judged as spam, you will have the ability to ensure that nothing else from that
sender gets moved automatically to the junk mail folder. Just right-click the
message and choose “Add Sender to Safe Senders List.”
If you receive mail from distribution lists, you also can add these distribution
lists to the “Safe Recipients” list so that these messages will not be filtered to
your junk mail. To manage your safe recipients, you need to open the e-mail,
right-click on the name of the distribution list, and then choose the “Add to Safe
Recipients” option.
If you want to see who is in your safe or block lists or make changes to those
lists, you can do so by choosing the “Manage Junk E-mail Lists” button on the
Outlook Web Access options page. From this dialog, you can see the contents
of your safe and block lists. You also can add, delete, or modify members of the
lists from here.
Outlook 2003 also will have its own junk-mail filter. Any additions or changes
you make to your block or safe lists in Outlook Web Access will be made in
Outlook 2003. The reverse also is true: Outlook Web Access will pick up any
additions or changes you make to your block or safe lists in Outlook.
Other New View Features
There are several other new features in the mail view:
• You can set the number of items that display per page in the message list —
  now you are not stuck at 25 (see the “Messaging Options” section of
  Outlook Web Access’ options page). This option also will affect the number
  of contacts and tasks that display per page in those modules.
  Note: It can be great to view 100 items per page on a LAN or broadband
  connection but painfully slow on a dial-up connection. The scenario in
  which you most commonly will use Outlook Web Access should determine
  how you set this option.
• You can open or save attachments directly from the Reading Pane.
• You can view sender or recipient properties directly from the Reading Pane.
• When your focus is in the mail view, you have several new keyboard
  shortcuts for common commands:
    • Refresh view - F9 (also works for refreshing items in other views).
    • New message - Ctrl+N (also works for creating new items in other
      views).
    • Reply to selected message - Ctrl+R
    • Reply all to selected message - Ctrl+Shift+R
    • Forward selected message - Ctrl+Shift+F
    • The reply and forward shortcuts also work in the item window for a
      received mail message.
• Icons in your mail folders show the types of messages you have received, if
  they are read or unread, and whether you have replied to or forwarded them.
  These icons can make scanning your mail folders a much quicker task.
• The “By Conversation Topic” view has been improved so that the
  conversation topic containing the most recent e-mail is at the top of the
  view.
Deferred Refresh after Delete
In past versions of Outlook Web Access, after you deleted an item in a message
list, Outlook Web Access would re-retrieve the entire contents of the list, thus
showing you any new messages that had been delivered to the folder. This
made deleting messages a slow process, because you had to wait for the entire
list to refresh after every delete.
Now Outlook Web Access will not refresh the message list after a delete until
more than 20 percent of the messages on a page in the list have been deleted.
The percentage is based on the total number of items set to display per page (as
set by the user in the Outlook Web Access options page) — not the actual count
of messages on a page.
For example, if you request 100 messages to display per page, your message list
will not automatically refresh until you have deleted 21 messages from a page.
Do not be alarmed if you are worried that now you will never automatically see
your new mail. You still can set an option to be notified when new mail has
arrived.
Color Schemes
The Outlook Web Access UI has been changed from gray to a bright blue to
match the appearance of Microsoft® Office 2003 applications. You also can set
the client's hue to one that better suits your mood.
Just go to the “Appearance” section of the Outlook Web Access options page
and pick a different color scheme from the dropdown. The current options are
blue, dark blue, burgundy, olive and silver.
Standard Fonts
Along with the new color schemes, the Outlook Web Access user interface
looks more stylish because the font used on all the UI text is the same one that
is found in most Microsoft applications. Say goodbye to seeing the Outlook
Web Access interface in Times New Roman just because that is the browser’s
default font.
And when you read e-mail messages, if the sender was using a “plain text” mail
editor that did not set a font preference on the message body, Outlook Web
Access selects a proper font in which to display the message content instead of
relying on the browser’s default font.
UI Revamp (2)
New Navigation
One of the biggest changes in Outlook Web Access is the merger of the
shortcuts bar and folder bar into one unit — no more switching between folders
and shortcuts. They are all in one place now on the new Navigation Pane. You
can make the shortcuts large or small, as shown in the following pictures.
You also can set the width of the Navigation Pane by dragging its border to the
left or the right, and Outlook Web Access will remember the custom size from
session to session.
Easier Moving or Copying to Folders
If you drag and drop an e-mail message from the message list into a folder in
the Navigation Pane, the destination folder where you position your mouse
pointer is highlighted — no more guessing which folder is the target of your
move or copy.
Even better, if you want to move an e-mail message into a subfolder that is not
visible, just drag the message to the parent folder but do not release the mouse
button. Keep your mouse pointer positioned over the parent folder until the
subfolders automatically expand. Then continue your drag to the now-visible
subfolders and release the mouse button when the desired folder is highlighted.
Update Folders
One of the most common complaints from Outlook Web Access users is that
the number of unread messages in their folders does not stay updated in real
time. The problem with providing such functionality is that it would use
significant server and network resources to continually poll your Exchange
server to keep the folder information accurate. But now you have an easier
option than refreshing the entire browser to get updated counts of unread
messages in your folders.
Search Folders
Along with a couple of new navigation options such as Tasks and Rules, there
may be a new section in your folder tree called Search Folders.
Tasks and Rules will be covered later in this document. Search Folders are a
new addition to Outlook 2003.
Note: They will only show up in Outlook Web Access if you have created or
activated them while running Outlook in “online mode,” where Outlook has a
constant connection to the Exchange server.
Public Folders
Public Folders now display in their own window. If you click the Public Folders
button on the Navigation Pane, it launches a new browser window containing
only Public Folders.
Log Off
This feature has been moved from the Navigation Pane to the far end of the
toolbar.
E-mail is the heart of Outlook Web Access, and new features have been added
to make it easier than ever to compose messages or get the information you
need from received messages.
Spell Check
It is time to find a better excuse for typos in your messages other than “Outlook
Web Access doesn’t have a spelling checker.” In Outlook Web Access for
Exchange 2003, you can check your spelling in English, French, German,
Italian, Korean, or Spanish. Just click the familiar spelling check icon in a draft
e-mail message’s toolbar.
If you have ever sent a message and then immediately wished you had checked
your spelling first, Outlook Web Access also lets you set an option to always
check your spelling on Send.
One warning: Remember that checking your spelling in Outlook Web Access is
a server-side process, which means the contents of your message must be sent
back to the server for examination. On a slower link, you may find the process
of automatically checking every outgoing message to be time-consuming. Keep
this in mind when deciding whether to enable the feature to always check your
spelling on Send.
The “Spelling Options” section in the Outlook Web Access options page is the
place to configure your spelling checker settings. But there is nothing to
download to enable it.
New Addressing Wells
Here is a familiar scenario: You type an alias in an Outlook Web Access e-mail
message and then learn when you try to send the message that the address was
unrecognized. When this happens, how easy is it to get rid of that bad e-mail
address from your message?
If you were smart enough to realize from the beginning that you had to click the
unrecognized name to bring up its properties and then delete the address from
that properties dialog — good for you! But for anyone who found the process
tedious at best and confusing at worst, help is here.
Outlook Web Access for Exchange 2003 makes it easy to delete ambiguous or
recognized addresses from an e-mail message you are composing. All you have
to do is click the address to highlight it, and press the delete key to remove it.
You also can right-click the address and choose “Remove” from the context
menu.
GAL Properties Sheets
When you right-click a recognized or ambiguous address, you will also notice
“Properties” as a menu choice. But the properties dialog in Outlook Web
Access now shows a lot more useful information.
If a name in an e-mail message has been resolved against the global address list
(GAL), in the properties dialog you now will see some of the key GAL
properties for that address — not just the display name and SMTP address of
the recipient.
Outlook Web Access does not show the full range of GAL properties that
Outlook shows, just the main address and phone information that is listed in the
GAL for the address.
Simple SMTP addresses or addresses that come from your Contacts folder still
show the same information as was available in old versions of Outlook Web
Access: display name and SMTP address.
Properties sheets are now available from more locations than e-mail messages
or meeting requests. They also can be invoked by double-clicking (or right-
clicking and choosing “Properties”) on the sender or recipients in received e-
mail messages. Or as noted earlier, in the Reading Pane you can double-click
senders or recipients to see their properties.
There also are buttons for invoking properties from Find Names and from the
Check Names.
Add to Contacts
The “Add to Contacts” command makes it easy to quickly add any address —
whether it is on a message you are composing or on a message you have
received — into your main Contacts folder.
You will find the command conveniently located on the context menu that
appears when you right-click a resolved name in an e-mail message or meeting
request. (This context menu is not available in the Reading Pane.) There is also
an “Add to Contacts” button in the properties dialog for resolved e-mail
addresses.
Find Names Enhancements
Adding the ability to invoke properties sheets from Find Names is just one of
several enhancements that have been made there.
Now you can choose whether to search the GAL or your Contacts folder when
you are looking up an address.
And if you call up Find Names from a view instead of an e-mail message, there
is a new feature for creating a message to any one of the addresses in your
search results.
You will also notice that the search results in Find Names or Check Names now
are sorted alphabetically.
Auto Signature
How many times have you typed your name, title, extension, and other bits of
info at the end of every message you send in Outlook Web Access? If your
answer is, "Too many," your days of needless typing are over.
Navigate After Delete
Outlook Web Access now has a long-requested feature to allow you to choose
where you navigate after deleting an open message. You can choose to
automatically open the next message in the folder, open the previous message,
or go back to the message list in the view.
The default behavior is to automatically open the next message. You can
change your preference in the “Messaging Options” on the Outlook Web
Access options page.
It is important to note that regardless of your setting, if you open a message
from Folder A, switch to Folder B, and then delete the open message, you will
navigate to the message list for Folder B. Outlook Web Access will not open a
new message from Folder A.
Finally, if you delete a message directly from the message list — not one that
you had opened into its own window — the highlight will move down in the
message list after the delete if you have chosen either the “open the next
message” setting or the “return to the view” setting. The highlight will move up
if you’ve chosen “open the previous message.”
Read Receipt Settings
In previous versions of Outlook Web Access, if you read a message where the
sender had requested a read receipt, Outlook Web Access sent the receipt
automatically. You did not have a choice to block the sending of read receipts.
Now you do with Outlook Web Access for Exchange 2003.
In the “Privacy and Junk E-mail Prevention” section of the Outlook Web
Access options page, there is a setting to determine whether Outlook Web
Access sends read receipts.
By default, Outlook Web Access will no longer send read receipts
automatically. In the Premium client, you will see an infobar in a received e-
mail message any time a user requests a read receipt. There will be a link in the
infobar that you can activate if you wish to honor the request for a receipt.
If you change the setting to always send read receipts, then Outlook Web
Access will fall back to the old behavior of automatically filling all read-receipt
requests without notifying you of those requests.
“Web Beacon” Blocking
When a junk-mail sender distributes junk e-mail, he often does not know
whether he is sending messages to valid e-mail recipients. But with old versions
of Outlook Web Access, if you were to open a junk e-mail — or even just read
it in the preview pane — the sender had the potential to know your address was
real and active because of something called a “Web beacon.” Now Outlook
Web Access blocks potential “Web beacons” by default.
Here’s how a “Web beacon” works. When you receive an HTML-based e-mail
message, it can contain pictures, video, or other types of content other than just
text. Sometimes those pictures, videos, etc. come as attachments, which
actually reside in the message body. But other times this content is located on
an external Web server on the Internet rather than actually being part of the e-
mail message. And it is in messages that contain references to external content
where trouble with “Web beacons” can begin.
Say that instead of referencing a picture or video, the sender references a
program on his Web server that is designed to catalog your e-mail address as
valid once you open the message. That is a “Web beacon.” And if the sender
was a junk e-mailer, once he knows your address is legit, it is open season on
your account.
But Outlook Web Access for Exchange 2003 has made it tougher for junk
senders to use “Web beacons” to retrieve your e-mail address. Now if you
receive a message with references to external content
Outlook Web Access cannot tell you whether the message actually contains
“Web beacons.” The references to external content may be harmless. If you
believe the message is legitimate, you can just choose to see the message with
all its pictures and other external content. But if you suspect the message
contains beacons for nefarious purposes, you now can just delete the message
without triggering anything that tells the sender, “Hey, I’m here. Send me more
junk mail.”
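The blocking behavior described above can be sketched as follows. This is an added example, not Outlook Web Access code: the function names, the attribute list and the constructed sample message are assumptions. References to content carried inside the message (cid: and data:) are kept, every reference a renderer would fetch automatically is stripped and reported, and ordinary hyperlinks are left for the user to click.

```python
import re
from html import escape
from html.parser import HTMLParser

# Attributes whose URL is fetched as soon as the body is rendered (assumed list,
# not OWA's own). <a href> is absent on purpose: a link loads only when clicked.
AUTO_ATTRS = {"src", "srcset", "background", "poster", "data", "lowsrc", "dynsrc"}

# CSS can fetch too: url(...) values and @import "..." rules.
CSS_REF = re.compile(
    r"url\(\s*['\"]?([^'\")\s]*)['\"]?\s*\)|@import\s+['\"]([^'\"]*)['\"]", re.I)


def is_embedded(url):
    """True only for content that travels inside the message itself."""
    # Browsers ignore tab/CR/LF inside a URL, so remove them before reading the scheme.
    scheme, colon, _ = re.sub(r"[\t\r\n]", "", url).strip().partition(":")
    return bool(colon) and scheme.lower() in ("cid", "data")


class _Blocker(HTMLParser):
    """Re-emits the HTML it is fed, minus anything that would auto-load."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked, self.in_style = [], [], False

    def _scrub_css(self, css):
        def repl(match):
            in_url = match.group(1) is not None
            url = match.group(1) if in_url else match.group(2)
            if is_embedded(url):
                return match.group(0)
            self.blocked.append(url)
            return "url(about:invalid)" if in_url else '@import "about:invalid"'
        return CSS_REF.sub(repl, css)

    def _emit(self, tag, attrs, end=""):
        parts = [tag]
        for name, value in attrs:
            fetches = name in AUTO_ATTRS or (tag, name) == ("link", "href")
            if value is None:                       # bare attribute, e.g. "disabled"
                parts.append(name)
            elif fetches and not is_embedded(value):
                self.blocked.append(value.strip())  # drop the attribute entirely
            else:
                if name == "style":
                    value = self._scrub_css(value)
                parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + end + ">")

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(self._scrub_css(data) if self.in_style else data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    # handle_comment stays the no-op default, so comments are not re-emitted and
    # markup hidden in conditional comments never reaches the browser.


def block_external_content(html_body):
    """Return (safe_html, blocked_urls) for one HTML message body."""
    blocker = _Blocker()
    blocker.feed(html_body)
    blocker.close()
    return "".join(blocker.out), blocker.blocked


# Constructed sample body; every host name uses a reserved example domain.
SAMPLE_BODY = (
    '<html><body background="http://tracker.example/bg.gif">'
    '<p style="background:url(\'http://tracker.example/css.gif\')">Hello &amp; welcome</p>'
    '<img src="cid:logo@example" alt="logo">'
    '<img src="http://tracker.example/open?id=constructed-123" width="1" height="1">'
    '<!--[if IE]><img src="http://tracker.example/ie.gif"><![endif]-->'
    '<a href="http://www.example.com/offer">Offer</a>'
    '</body></html>'
)

if __name__ == "__main__":
    safe_html, blocked_urls = block_external_content(SAMPLE_BODY)
    print(safe_html)
    print("blocked:", blocked_urls)
```

The check fails closed: any reference that is not provably inside the message is treated as external, which is why relative URLs are stripped as well.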
Privacy Protection When Following a Link in E-Mail
When a user clicks a hyperlink in the body of an e-mail message, Outlook Web
Access helps protect private information from being revealed to the visited Web
site. Past versions of Outlook Web Access revealed the user’s account name,
server name, and the subject of the message that contained the link. Now only
the user’s server name is revealed to the visited site.
Attachment Blocking
There are a host of new attachment-blocking features in Outlook Web Access.
By default, attachments with the following extensions are blocked in Outlook
Web Access for Exchange 2003: ade, adp, app, asx, bas, bat, chm, cmd, com,
cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, js, jse, ksh, lnk, mda, mdb, mde,
mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, reg, scf, scr, sct,
shb, shs, url, vb, vbe, vbs, wsc, wsf, and wsh.
Administrators also can block access to attachments in specific scenarios. At
the most restrictive, an administrator can block access to all attachments. Or it
is possible for an administrator to block access to attachments when users
connect to Outlook Web Access through the Internet but to allow access when
users connect through the corporate intranet. This is particularly useful for
keeping users from potentially compromising corporate security by opening
attachments when using Outlook Web Access at public Internet terminals while
still providing full access to employees in the office.
Similar to attached files are documents and other types of files stored in Public
Folders. By default, Outlook Web Access now blocks users from opening these
documents. But an administrator has the same flexibility of permitting or
denying access to these files that the admin has to permitting or denying access
to attachments.
Infobar Improvements
The infobar now will indicate the date and time you replied to or forwarded a
received message.
The infobar in a received e-mail now shows the message’s sensitivity setting, if
one was set, such as Confidential.
Reply Header and Body Not Indented
Here is a common scenario: You get added to a message that other people
already have sent back and forth many times over. You want to understand the
history of the issue being discussed, so you scroll through the old contents of
the message, working your way through all the replies back to the original
message. But before you reach the beginning, you get to a point where it is
impossible to read any more. The old contents have been indented into
illegibility because of the Outlook Web Access feature of indenting the old
message body on reply.
Well, Outlook Web Access is not going to indent the message on reply any
more. It cannot be guaranteed what other e-mail clients will do. But from now
on, with Outlook Web Access for Exchange 2003 (or Outlook 2003), the reply
header and body will stay at the same alignment as the original content. Instead
of an indent, a horizontal rule offsets the reply header and body from the new
content.
Item Window Size
Outlook Web Access used to always launch any window, either to read an item
or create an item, at the set size of 500 pixels wide by 700 pixels high. If you
resized an item window, it did not matter. The next time you opened an item, it
still would be 500x700.
Now, during an Outlook Web Access session, Outlook Web Access will
remember if you resize the item window and will open all future item windows
at that size. The new window size is not persisted to future Outlook Web
Access sessions.
This works for all item windows — mail, calendar, contacts, and tasks. It is one
size for all item windows, not one size for messages and another for tasks.
Window Status Bar
All Outlook Web Access item windows now show a status bar at the bottom. If
you receive a message that contains a hyperlink, you can position your mouse
pointer over the link and look in the status bar to see the target Web address
(a/k/a the URL) for the link.
Mail in Public Folders
You have always been able to post to Public Folders from Outlook Web
Access, but in Outlook Web Access for Exchange 2000 you could not send e-
mail from Public Folders.
For example, if you wanted either to reply privately by e-mail to a post or e-
mail in a public folder or to forward that post or e-mail to another person, you
could not do it. Now you can so long as you connect to your Outlook Web
Access account through a front-end server. (If you are reaching your account
through an address like https://mail.northwindtraders.com/exchange, you are
going through a front-end server.)
Meeting Request Enhancements
Several popular Outlook Meeting Request features now have been added to
Outlook Web Access Meeting Requests.
You now can forward Meeting Requests to people not originally on the
organizer’s invite list (even if you are the organizer). You also can create an
e-mail reply to a meeting organizer (and optionally all the attendees)
directly from a Meeting Request.
When canceling meetings, you now can edit the meeting cancellation notice
before it is sent to explain the reason for the cancellation.
Attendees now can set reminders on the Meeting Requests they accept in
Outlook Web Access.
Invitees can open the Calendar from a Meeting Request so that they can
view their schedules while evaluating the Meeting Request.
Right to Left Language Support
Outlook Web Access now supports right-to-left layouts in the Arabic and
Hebrew versions of the client.
You will also notice two new buttons on the formatting toolbar in the e-mail
editor:
These buttons are for setting the individual direction of each paragraph in your
e-mail message. If you are composing a message in a left-to-right language like
English but need to add a paragraph containing right-to-left content — say
some Arabic or Hebrew — you can start a new paragraph and switch into right-
to-left mode.
The reverse is true, too: If you are composing in a right-to-left language like
Arabic or Hebrew but need to add a left-to-right paragraph in English, for
example, you can switch into left-to-right mode.
Note: Internet Explorer 6.0 and greater for Windows is required for
bidirectional support.
Options Page Toolbar
The toolbar now stays put when you scroll through the Outlook Web Access
options page, which means as soon as you have made your changes in Options,
you can save them without having to scroll back to the toolbar.
SMIME
A major addition to the Outlook Web Access e-mail experience is the ability to
send and receive signed and/or encrypted mail, also known as S/MIME mail.
Signed mail is verified to be sent by the possessor of a specific digital ID. When
you receive an e-mail with a valid digital signature, you can have more
assurance that the message came from the listed sender than you would with
either an unsigned e-mail or an e-mail with an invalid digital signature.
Encrypted mail is mail that can be opened only by a user with a specific digital
ID. The holder of that digital ID has a special key for decrypting the message
you sent.
You now can create server-based mail-handling rules in Outlook Web Access
or use it to manage the server-based rules you created in Outlook. The link for
entering the rules interface is near the bottom of the Navigation Pane.
Actions and Criteria
Any rule created in Outlook that cannot be modified in Outlook Web Access is
unavailable in the Outlook Web Access rules interface. Outlook Web Access
has a simple rule editor that is not designed to handle the full gamut of
conditions and criteria available in creating rules in Outlook. Rather, as shown
below, Outlook Web Access focuses on using rules for the most common mail-
management scenarios like moving mail from a particular sender or with a
particular subject to a specific folder.
The most common mail-handling actions are supported:
1. Automatically move/copy message to a folder.
2. Automatically delete message.
3. Automatically forward a message (with the option to keep a copy).
There are several criteria that Outlook Web Access rules can evaluate before
acting on messages:
1. From field contains ______.
2. Subject contains ______.
3. Sent to (user names and/or distribution list).
4. Sent only to me.
5. Level of importance.
The rule editor also can be invoked directly via a toolbar button in a received
message or from the context menu in the mail view.
Handling Disabled Rules
Because of interoperability limitations with Outlook, Outlook Web Access will
need to delete all rules disabled from Outlook before letting you modify any
active rules.
Some people create many rules in Outlook that they enable and disable based
on their schedules. For example, a traveling salesperson may enable a rule
while they are out of the office to forward all mail with a particular subject to a
specific coworker. When the salesperson returns to the office, they disable the
rule.
But if this salesperson were to go to Outlook Web Access to create or modify
another rule while this forwarding rule was disabled, Outlook Web Access
would need to delete the disabled rule before saving the Outlook Web Access-
created/modified rule.
This deletion of disabled rules will not happen automatically. When you go to
modify a rule, you will receive a warning indicating that your disabled rules
will be deleted if you proceed.
If you do modify rules from Outlook Web Access, the next time you launch
Outlook or attempt to modify rules there, you may be asked via a dialog
whether you want to keep client or server-side rules. If you want to retain the
rules you created in Outlook Web Access, you will need to choose server-side
rules.
You might be asking yourself, “Haven’t I always been able to see Tasks in
Outlook Web Access?” The old version of Outlook Web Access let you see the
tasks you created in Outlook, but you could not edit these tasks or create new
ones.
Outlook Web Access for Exchange 2003 lets you create and manage personal
tasks or manage those personal tasks you already created in Outlook.
No Task Requests
Outlook has a feature for delegating tasks to other users via Task Requests.
Outlook Web Access does not have this functionality. Furthermore, in Outlook
Web Access you cannot process Task Requests sent from Outlook or update
any delegated tasks you have already accepted in Outlook.
Outlook Web Access does allow users to delete Task Requests or previously
accepted delegated tasks, but the assignor will receive no feedback that the
delete took place.
Delete versus Skip Occurrence
In Outlook, when a user attempts to delete a recurring task, the user receives a
choice: delete a single occurrence or the entire recurring series.
In Outlook Web Access, the delete command ALWAYS deletes the entire task
series. If a user wants to skip an individual occurrence, there is a command on
the task edit form for skipping a single occurrence:
Setting Completion Percentage
Outlook allows users to input decimal values in the “% Complete” field, but
Outlook Web Access always will round these values to the nearest whole
number. If an Outlook user inputs a decimal value in this field and then later
looks at the task in Outlook Web Access, the value will appear to have changed
to the nearest whole number. However, the change will not be permanent unless
the user actively saves the task in Outlook Web Access.
Task Reminder Differences
In Outlook, when a task reminder appears, it is listed as being due at that
moment. But this is not necessarily accurate. For example, if the task’s due date
was set to be a day later than the reminder date, the task is not due when the
reminder appears.
In Outlook Web Access, when a task reminder appears, Outlook Web Access
calculates how much time remains between the reminder date/time and the task
due date. Because tasks have no due time, the “Day start time” as set in
“Calendar Options” on the Outlook Web Access options page is used as the
task due time.
For example, say a task reminder was set to appear on January 1, 2004 at 12:00
P.M. for a task that is due on January 2, 2004. And the “Day start time” is set
for 8:00 A.M. When the reminder for the task appears, it would be listed as
being due in 20 hours.
If a task has no due date, Outlook Web Access will display a due-in value of
“None” in a reminder for that task.
Outlook Web Access and Internet Explorer
Internet Explorer 5.01 browser will present the rich experience with the
exception of the ability to resize the message list/message pane; Internet
Explorer 5.5 is the first browser to support the full rich experience.
Paste the following script into the browser address field and press enter to see
what version the browser is passing to the server.
javascript:alert(window.navigator.userAgent);
The user experience is based on this value. If the value is 5.00 or less, the user
receives a basic experience. If 5.01 or above, the user receives the rich
experience, with two exceptions: the one noted above, and Internet Explorer
5.01 for UNIX, which receives the basic experience.
Internet Explorer 6.x
Internet Explorer 6.0 is required for this additional functionality as well.
Function Requirement
Exchange Server 2003 Internet Internet Internet Internet Mars Netscape Netscape
Outlook Web Access Explorer Explorer Explorer Explorer v811,13 Navigator Navigator 7
Supported 5.0115, 5.5 SP2 6 6 SP1 ** 4.8
Browser/Operating Mac MS Only
Systems Internet
Explorer
5+
Windows 98 SE (*, 2, 14)
Windows 2000 (*, 3)
Windows Me (*, 3, 14)
Windows XP (*, 4)
Windows Server 2003 (12)
Mac OS9 (*)
Mac OS X 1.0 (*)
Sun Solaris (*, , 9)
HP/UX (*, 10)
◊ Supported means that the Outlook Web Access team has tested the majority of
user scenarios with these browsers, on these operating systems, and are
reasonably sure that things will work as expected. In some cases, Microsoft will
try to code around browser defects. If a customer reports a problem encountered
with a browser not on the list, the first question support will ask is if the
problem is reproducible with a browser on the "supported" browser list. If it
does not reproduce, then Microsoft would turn the support question over to the
browser vendor.
* Supported platforms include all supported localized versions of the operating
system.
** Microsoft Confidential
Both basic and premium versions
Not supported
Basic version only
Reasons for cuts, or support issues
1. There should not be any major problems running Outlook Web Access
Exchange 2003 on these platforms. However there may still be browser
bugs that cannot be addressed. These platforms will not be actively tested.
2. Internet Explorer 5.0b shipped with Microsoft® Windows® 98 Second
Edition and was updated to Internet Explorer 5.01 by service packs and
updates.
3. Internet Explorer 5.01 shipped with Microsoft® Windows® 2000 and
Internet Explorer 5.5 with Microsoft® Windows® Millennium Edition.
4. Internet Explorer 6 shipped with Microsoft® Windows® XP.
5. Internet Explorer 4 install base is less than 5%.
6. Internet Explorer 5.0 for UNIX has been dropped due to the large adoption
of Internet Explorer 5.0 SP1 which fixed several problems.
7. Install base is small due to rapid adoption of Internet Explorer 5 on MacOS
9 and greater.
8. Support for these operating systems is discontinued by Microsoft Windows.
9. Netscape 6.2 and greater is only available from the HP and Sun Web sites at
the time of this printing.
10. Netscape 6.2 is only available for HP/UX 11.0 and is expected to function
properly, however, Microsoft has not yet upgraded to HP/UX 11.0 for
complete testing.
11. MSN® Internet Access (MSN) versions older than v8 do not support
MSXML3, which is required for Outlook Web Access Exchange 2003.
12. With Microsoft® Windows Server™ 2003, Internet Explorer is locked down
(Internet Explorer high security settings are enabled). The Internet Explorer
Hardening Pack is installed. The first time Internet Explorer is launched, a
page loads to educate the user about the Internet Explorer Hardening Pack.
13. Several hotkeys do not work in MSN Internet Access 8; check the
Microsoft Knowledge Base for further information.
14. Japanese on Windows 98 SE and Windows Me requires Internet Explorer 6
SP1.
15. Internet Explorer 5.01SP2 (and older Internet Explorer 5.01) support is
dropped on June 30, 2003 by Microsoft, however the Outlook Web Access
team has tested this browser and to the best of this team’s knowledge, all
features of the Premium and Basic client work as expected.
“ctrl view.htc”. Outlook Web Access does load Navigation Bar and Viewer
frames, but no messages load in the viewer pane.
The browser must be set to trust the Outlook Web Access front-end URL in
order to use Outlook Web Access on Windows Server 2003. Even with front-
end trust, until the warning of the presence of the hardening pack is approved,
there will still be issues in Outlook Web Access, such as hotkeys not working
and cursor focus problems.
Outlook Web Access and Exchange Version Combinations
It is not sufficient to simply upgrade front-end servers to Exchange 2003 for
users to get the new interface. You must upgrade back-end servers to Exchange
2003 as well.
The Outlook Web Access experience depends on the combination of front-end
and back-end servers and is as follows.
Exchange 2000 Front-end + Exchange 2000 Back-end = Exchange 2000
Outlook Web Access
Exchange 2003 Front-end + Exchange 2000 Back-end = Exchange 2000
Outlook Web Access
Exchange 2003 Front-end + Exchange 2003 Back-end = Exchange 2003
Outlook Web Access
Exchange 2000 Front-end + Exchange 2003 Back-end = Not supported
(administrative group protected)
Forms-Based Authentication is functional for deployments where the front-end
is Exchange 2003 and the back-end is Exchange 2000. However, session
timeouts are handled much better when the back-end is Exchange 2003.
Overview
The requirement to have Forms Based Authentication before you can enable
compression is due to a couple of issues.
First, there were several bugs in the behavior of GZip, the Microsoft®
Internet Information Services (IIS) compression that Outlook Web Access
enables, with different browsers. Some of these bugs were corruption of
data, others were security related; Internet Explorer had been leaving user
data in the server cache that it should not have. The Internet Explorer issues
were fixed in a QFE (Q328970) that is now rolled into all of the critical
security patches for Internet Explorer on Windows XP Pro and Windows
2000 since last November.
Unfortunately IIS is unaware of these fixes and only looks for an Accept-
Encoding header = “GZip” from the client; if present, GZip content is sent
to the client. Exchange 2003 server implements logic in logon.asp to
determine whether or not a client is “GZip” friendly and based on that, the
Forms-based-auth filter is used to re-write the accept-encoding header such
that clients that are not secure do not get GZip data from the server.
When you enable forms based authentication, you may receive the following
message about Secure Sockets Layer (SSL) connection requirements:
Forms based authentication requires clients to use a SSL connection. If SSL
encryption is not offloaded to another source, complete the following steps:
1. Configure SSL.
2. Restart the IIS service.
Outlook Web Access with Forms Based Authentication needs this key so that it
can determine that it should listen to HTTP traffic versus HTTPS, and to ensure
that it adds the HTTP header “Front-End-HTTPS: On” to all inbound traffic.
This header ensures that the returned URLs are in the correct HTTPS:// form.
This applies to Exchange configurations using front-end or stand-alone servers
with forms based authentication where SSL is terminated at the firewall or
proxy server.
How to Change Forms Based Logon to require only user alias and password
Configuring Forms Based Authentication to require users to enter only their
alias and password is a simple task. Replace this line in the logon page:
<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST"
name="logonForm" autocomplete="off"
onsubmit="logonForm_onsubmit()">
with the following:
<script Language=javascript>
// Runs when the logon form is submitted.
function logonForm_onsubmit()
{
    // A user principal name (user@domain) is passed through unchanged.
    if (logonForm.username.value.indexOf("@") != -1)
    {
        return true;
    }
    // Otherwise treat the entry as a bare alias and prepend the NetBIOS domain.
    logonForm.username.value = "<netbiosDomainName>\\" +
        logonForm.username.value;
    // The form is submitted in both cases.
    return true;
}
</script>
<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST"
name="logonForm" autocomplete="off"
onsubmit="logonForm_onsubmit()">
This method supports logging in with either the domain alias or the user principal
name (UPN). Users that continue to use domain\alias will not be able to log in,
because the script prepends the domain name a second time.
The <netbiosDomainName> placeholder in the script must be replaced with the
NetBIOS name of the domain to which users authenticate.
This key is intended for use by Microsoft support and the development team to
help customers troubleshoot problems with Forms Based Authentication.
This key should not be distributed without careful consideration.
Note You must restart IIS for the change to take effect.
Outlook Web Access S/MIME Downloadable Control
In Exchange 2003, Outlook Web Access includes a downloadable control for
S/MIME functionality. However, even if you have no intention of digitally
signing/encrypting messages, it can be beneficial to download the control
anyway. For example, the control provides a much better message handling
experience:
While composing a message, click on the Attachment (paperclip) icon in the
toolbar and attach files directly (no need to go through the separate attach
and post dialog window).
Drag and drop messages from one folder (such as the Inbox) to another
folder (this includes the Move and Copy accelerator keys).
Drag and drop existing messages into new messages under composition.
Drag and drop files from Explorer directly into a message under
composition.
With the message under composition, right-click on attachment names to
Open/Remove/Save As.
All installed fonts are available for use instead of the built-in five.
Image files, when dropped from Explorer into a message body, will show up
as inline images.
Image files pasted, dragged to or shown in the body are automatically
included as attachments to the message (as MHTML).
When you launch attachments from signed and encrypted message with the
S/MIME control installed, the control will do a best-effort clean up of any
temp files left behind for that message, unless the user actually saved the
file to another directory or the 'helper app' keeps a handle on the temp
attachment data that prevents the S/MIME control from deleting the file.
Requirements
There are four requirements that you must meet to use S/MIME mail in Outlook
Web Access:
1. You must be using Internet Explorer 6.0 or greater for Windows. This feature
will not work on any other browser — including other versions of Internet
Explorer.
2. You must be working on a computer where you can download the S/MIME
control.
3. You must have a valid digital ID for sending signed mail and/or receiving
encrypted mail.
4. You must be using Windows 2000 or above.
5. Power User or Administrator is necessary to install any ActiveX® control –
there is a bug, in that the user should be getting an alert warning about
insufficient permissions, but the requirement is enforced by Windows.
Limitations
Although it is possible to drag and drop a message from the Inbox to the
Calendar folder, this will not invoke a new appointment. The object will be
created in the calendar as a message object and will not be visible in the normal
calendar view.
Locked Down Environment
1. In a “very locked down environment”, customers will need to do the same
thing as with any application rollout:
a. Extract the files in
<drive:>\program files\exchsrvr\exchweb\6.5.6944.0\cabs\MIMECLNT.CAB
to a location accessible by the client.
b. Ensure the client is Windows 2000 or later, running Internet Explorer
6.0 or later.
c. From the machine where the control is to be installed, run “RunDll32
advpack.dll,LaunchINFSection <path to extracted files>MimeClnt.inf”
2. In Exchange Server 2003 SP1, the OWA S/MIME installer has been moved
to be a simple .EXE that uses Windows Installer. The same requirements exist
to install from the browser, but rolling out through script will be easier.
Why You Should Download the S/MIME Control
Even if you do not intend to send signed or encrypted mail, there are several
reasons to download the control.
First, with the S/MIME control, you can just drag and drop files and even other
e-mails into the body of a message you’re composing. If the files you drag and
drop are graphics, they will show up inline in the message body. All other types
of attachments, including other e-mail messages, will show up in the attachment
well.
Second, if you do not find it easy to drag and drop items into a message, the
S/MIME control’s Add Attachment dialog is far easier to use than it is in the
normal e-mail editor. You do not need to use one dialog to find the items and
another to attach them. And you can attach multiple files at one time so long as
the files all are stored in the same location.
Third, no matter how files or items are added to the attachment well, if you
realize you want to remove them from your message, all you need to do is right-
click the items and choose “Remove” from the context menu.
Fourth, even if you do not intend to send signed or encrypted mail, the S/MIME
control will better handle the signed mail you receive. If you do not have the
S/MIME control, at best, you will be able to read the signed messages, but any
attachments will get stripped out if you try to forward the messages. At worst,
you may not be able to read the signed messages at all. Past Outlook Web
Access users may view this as an improvement. Previously, the attachments and
the entire body of a signed message were dropped on reply or forward, and you
also could not open e-mail attachments in signed messages you received.
But if you download the S/MIME control, you will be able to read all these
signed messages and forward them in their full fidelity!
How to Download the S/MIME Control
The button for downloading the S/MIME control is available in the “E-mail
Security” section of the Outlook Web Access options page.
After you click download, you will see the following file download dialog:
Once the control is installed on your computer, you will notice that there are
two new buttons on the toolbar of the e-mail message editor:
These are the buttons that you will use to encrypt and/or sign messages on
demand. The first button is for encrypting messages. The second is for digitally
signing messages.
The “E-mail Security” section of your options page also will have new features
for setting all your messages to be encrypted and/or signed by default.
Finally, every e-mail you receive that is signed now will display additional
information about the signature of the sender.
It is important to note that this control needs to be installed on any computer
where you want to use S/MIME mail in Outlook Web Access. There may be
some computers, such as Internet kiosks, where you are unable to download the
control. In these locations, you will not be able to send signed mail or read
encrypted mail from Outlook Web Access. And remember, it only works in
Internet Explorer 6.0 or later on Windows 2000 or higher.
Even after you have downloaded the control, you are still only halfway toward
using S/MIME mail. You still need a digital ID for signing your mail and
receiving encrypted mail.
How does it work?
When an S/MIME message is handled by Microsoft Outlook Web Access, any
number of public certificates must be retrieved from Microsoft Active Directory
or from the Personal Contacts on the Exchange server.
After they are retrieved from Active Directory, they are parsed and verified
against the certificate revocation list (CRL) and the trust chain.
This involves a lot of back-and-forth traffic between the Outlook Web
Access client and the Public Key Infrastructure (PKI).
To reduce the traffic overhead between the PKI and Outlook Web Access, the
public key parsing, CRL look up, and trust chain verification are all done from
the Exchange server.
Processing certificate validity on the server makes Internet-based access faster
and more reliable, and can greatly reduce bandwidth requirements.
Before rolling out S/MIME support with Exchange Server 2003 Outlook Web
Access, you should have a good understanding of cryptography and PKI, for
example Windows 2000 or Windows Server 2003 PKI.
For a good overview of cryptography and Windows PKI, as well as links to
some other resources, see the following white paper:
http://www.microsoft.com/windows2000/docs/cryptPKI.doc.
When you create a Digitally Signed (S/MIME) message and send it to another
person on a Microsoft Exchange Server, if you have not checked the box, on the
message store the recipient has will have no Digital ID when the message is
opened.
Getting Your Digital ID
Every organization has a different process for assigning digital IDs to users.
You should check with your Exchange administrator about how to obtain a
digital ID.
If you want to send encrypted mail to another user, that recipient also will need
to have a digital ID that Outlook Web Access understands. If you try to send an
encrypted message to a user who is not enabled to receive encrypted mail, the
send will not proceed.
If you are sending an encrypted message to multiple recipients and some of
these recipients are not enabled to receive encrypted mail, you will be told
which recipients do not have the necessary digital IDs to receive encrypted
mail.
If you continue with the send, any recipients without digital IDs will not be able
to read the message.
It is easy to preemptively check whether a user can receive encrypted mail. Just
look up their e-mail properties (by any of the methods described earlier in this
primer).
If the user has the following icon on their properties sheet, they can receive
encrypted mail.
But if they have the plain envelope icon, shown below, they are not enabled to
receive encrypted mail.
Of course, this information is only displayed in e-mail properties sheets if you
have first installed the S/MIME control.
Removing the S/MIME Control
If you decide not to use the S/MIME control, you can remove it from the Add
or Remove Programs feature in the Windows Control Panel. Just choose to
remove the program called “Microsoft Outlook Web Access S/MIME.” Please
make sure to close any open messages in Outlook Web Access before removing
the S/MIME control.
Outlook Web Access blocks a superset of both attachments and MIME types.
Some are totally blocked (Level 1) while others must be saved locally (Level
2). If an entry is in both lists, the Level 1 behavior takes precedence. As the
Outlook list gets updated, the list is updated. The default parameters and their
values are found in
HKLM\system\currentcontrolset\services\msexchangeweb\owa.
Level1FileTypes (REG_SZ)
Description: Allows an administrator to specify which file types are off limits
to view, download, or attach. This is a comma delimited list of file extensions.
Example: “exe,com,bat”
Also see the related RAID bug (applies to: Back-end servers, and stand-alone
servers): http://bugcheck/bugs/exchange/220853.asp
Level1MIMETypes (REG_SZ)
Description: Allows an administrator to specify which MIME types are
off limits to view, download, or attach. This is a comma-delimited list of
MIME types.
Example: "text/xml,text/html"
The current default set of Level1MIMETypes (applies to: Back-end servers, and
stand-alone servers) is:
“application/hta,x-internet-signup,application/javascript,application/x-javascript,text/javascript,application/msaccess,application/prg,text/scriptlet”
Level2FileTypes (REG_SZ)
Description: Specifies a set of file extensions that are potentially dangerous as
attachments. Attachments matching this type will not be opened automatically,
but rather a dialog will be presented to the user asking them to save the
attachment locally on their server.
Example: “exe,com,bat”
Level2MIMETypes (REG_SZ)
Description: Specifies a set of MIME types that are potentially dangerous as
attachments. Attachments matching this type will not be opened automatically,
but rather a dialog will be presented to the user asking them to save the
attachment locally on their server.
Example: "text/xml,text/html"
The current default set of Level2MIMETypes (applies to: Back-end servers, and
stand-alone servers) is:
“text/xml,application/xml,application/hta,text/html,application/octet-stream,application/x-shockwave-flash,application/futuresplash,application/x-director”
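The precedence rule above (an entry in both lists gets Level 1 behavior) can be checked against a set of values before they are written to the registry. The following is an added example, not Microsoft code: the function names, the case-insensitive comparison, the rule that either an extension match or a MIME match is enough, and the Level2FileTypes sample value are assumptions; the two MIME lists are the defaults quoted above.

```python
import os

LISTS = ("Level1FileTypes", "Level1MIMETypes", "Level2FileTypes", "Level2MIMETypes")

# MIME lists: the defaults quoted on this page. Level1FileTypes: the page's
# "exe,com,bat" example. Level2FileTypes: constructed sample value.
OWA_VALUES = {
    "Level1FileTypes": "exe,com,bat",
    "Level1MIMETypes": ("application/hta,x-internet-signup,application/javascript,"
                        "application/x-javascript,text/javascript,"
                        "application/msaccess,application/prg,text/scriptlet"),
    "Level2FileTypes": "bat,xml,htm",
    "Level2MIMETypes": ("text/xml,application/xml,application/hta,text/html,"
                        "application/octet-stream,application/x-shockwave-flash,"
                        "application/futuresplash,application/x-director"),
}


def parse_list(reg_sz):
    """Split a comma-delimited REG_SZ value into a normalised set."""
    items = (part.strip().lower().lstrip(".") for part in reg_sz.split(","))
    return {item for item in items if item}


def load_policy(values):
    """Build the four sets; a missing value is treated as an empty list."""
    return {name: parse_list(values.get(name, "")) for name in LISTS}


def normalise(filename, content_type):
    """Return (extension, MIME type) in the form the lists are compared against."""
    # Windows ignores trailing dots and spaces, so "a.exe." is still an .exe
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    # Drop parameters such as "; charset=utf-8" before comparing
    mime = content_type.split(";", 1)[0].strip().lower()
    return ext, mime


def classify(filename, content_type, policy):
    """Return (action, matched_lists); action is 'block', 'save' or 'open'."""
    ext, mime = normalise(filename, content_type)
    matched = [name for name in LISTS
               if (ext if name.endswith("FileTypes") else mime) in policy[name]]
    if any(name.startswith("Level1") for name in matched):
        return "block", matched      # Level 1 wins even when Level 2 also matches
    if matched:
        return "save", matched       # Level 2: must be saved locally first
    return "open", matched


if __name__ == "__main__":
    policy = load_policy(OWA_VALUES)
    for sample in (("run.hta", "application/hta"),
                   ("report.PDF.EXE", "application/octet-stream"),
                   ("page.htm", "text/html; charset=utf-8"),
                   ("notes.txt", "text/plain")):
        print(sample, "->", classify(*sample, policy))
```

Note that application/hta appears in both default MIME lists, so it exercises the precedence rule directly.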
To enable attachment blocking, follow these steps:
1. Click Start, click Run, type "Regedit" (without the quotation marks) in the
Open box, and then click OK.
2. Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\Owa
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type "Disable Attachments" (without the quotation marks).
5. Right-click the "Disable Attachments" DWORD value, and then click
Modify.
6. In the Base window, click the button next to "Decimal".
7. In the Value Data field, type one of the following numbers:
a. To permit all attachments, type "0" (without the quotation marks).
Calendaring and Delegates
The behavior in Exchange 2003 is the same as that of Exchange 2000. Due to
the complex interoperability scenarios required to make Outlook Web Access
consistent with Outlook for delegate access to calendars, copying items from
one user's mailbox to another's, Exchange 2003 and Exchange 2000 Outlook
Web Access support read-only access to another's calendar, regardless of what
the manager granted to the delegate.
The only exception to this rule is if a "delegate" is given Owner rights to a
mailbox through Active Directory Users and Computers; they then have full
access to read and write all data in that mailbox through Outlook Web
Access.
Outlook Web Access and Changing User Passwords
Outlook Web Access Change Password is installed, but is disabled by default in
a new install by setting the DisablePassword registry value to 0x00000001.
However, the value will not be changed during an upgrade. This value may not
exist on an Exchange 2000 server that was upgraded since it did not exist in a
default installation of Exchange 2000 server.
The feature is disabled because it does not work correctly unless you
add the iisadmpwd vdir and set the correct value for PasswordChangeFlags
in the metabase.
Password configuration consists of two changes: adding the registry value to
the back-end and the iisadmpwd virtual directory to the front-end server of a
front-end/back-end configuration. Both changes are made to a standalone
server.
Changing the password requires SSL and the addition of the iisadmpwd virtual
directory and setting the following key to 0 or deleting the key.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA]
"DisablePassword"=dword:00000000
iisadmpwd virtual directory
267596 XWEB: How to Change Outlook Web Access Passwords Through IIS
To enable users to change Outlook Web Access passwords through IIS, use the
following steps on each IIS server to which Exchange users are redirected:
1. Install and configure Secure Socket Layer (SSL) on the server.
2. Click Start, point to Programs, point to Administrative Tools, and then
click Internet Services Manager.
3. Right-click the default Web site, point to New, and then click Virtual
Directory.
4. In the Virtual Directory Creation Wizard, type "IISADMPWD" (without
the quotation marks) in the Alias box, and then click Next.
5. In the Directory box, type "<systemroot>\system32\inetsrv\iisadmpwd"
(without the quotation marks), and then click Next.
6. Verify that only the read and run script check boxes are selected (such as the
ASP check box), click Next, and then click Finish.
7. Verify that the Iisadmpwd folder has the Anonymous Access authentication
method enabled.
Note You can select other authentication types, but you must also select the
Anonymous Access authentication method.
Note If you do not enable the Anonymous Access option, the client and server
go into an endless loop when you attempt to authenticate users who are
prompted to change an expired password.
For example, if a user navigates to the site and is prompted for a password but
their password has expired, the first page that they tried to access redirects them
to the password expiry page. The password expiry page challenges the user, but
because the user is not authenticated on the first page, the second page refuses
the connection because the password has expired. When this occurs, the user is
redirected back to first page, the first page redirects the user to the second page,
and so on.
For additional information about a fix for this looping behavior, see
Knowledge Base article 275457, IIS 5.0 May Loop Infinitely When a User Is
Forced to Change Their Password.
1. Zero is the default value for the PasswordChangeFlags setting, but the
following steps can be used to change or confirm the setting. To change the
Metabase PasswordChangeFlags setting to zero (0), you must first change
to the \inetpub\AdminScripts folder on your hard drive:
a. At a command prompt, type "cd <drive>:\inetpub\AdminScripts"
(without the quotation marks).
For example: "cd c:\inetpub\AdminScripts" (without the
quotation marks)
b. At the <drive>:\inetpub\AdminScripts> prompt, type the following
command:
Note The following values are options for the PasswordChangeFlags setting:
0: Requires password change by SSL
1: Allows password change by non-secure ports
2: Disables password changes
4: Disables advance notification of expiration
After creating iisadmpwd and the reg key, you see the password change
button under options in Outlook Web Access:
If the admin sets the TrustedClientTimeout value to one that is lower than
PublicClientTimeout, then the TrustedClientTimeout value will default to be
equal to the PublicClientTimeout.
If the admin sets the PublicClientTimeout to a value that is greater than the
TrustedClientTimeout, then the TrustedClientTimeout value will default to be
equal to the PublicClientTimeout.
IIS must be restarted for the changes to take effect.
DS2MB
Outlook Web Access and DS2MB
The DS2MB update cycle has been changed in Exchange 2003 and affects all
Exchange web based applications: Outlook Web Access, Outlook Mobile
Access, and ActiveSync®.
IIS picks up its configuration from the local metabase. Because of the need to
manage Exchange servers remotely, IIS-related information is stored in the
Active Directory, and then replicated in one-direction from the Active Directory
into the metabase. The process responsible for the replication is called DS2MB
which runs as part of the System Attendant on each Exchange 200x server.
DS2MB receives notifications of changes in the Active Directory and replicates
them to the metabase.
The GUID after HighWaterMarks\ is different for each machine.
Changing the data for this ID to 0 (zero) or deleting the key and then restarting
the Exchange System Attendant will cause DS2MB to perform a full replication
of the Active Directory information into the metabase. The key will be added to
the Metabase with the default value above when the System Attendant starts.
The metabase can be manipulated through a variety of tools. The best option is
to install the IIS 6 resource kit, and use Metabase Explorer.
Overview
It is now possible to spell check emails through Outlook Web Access in
Exchange 2003. For users to take advantage of the new feature, they must do
the following:
Successfully log in to Outlook Web Access, selecting the Premium option.
Click on the Options Button.
Configure their personal preferences as illustrated in the graphic above.
If a client clicks the spell check icon and no preferences have been set, then the
following dialogue box is displayed, and it will continue to do so until
preferences have been set.
Server
In a Front-end/Back-end scenario, the Exchange Front-end and Back-end
servers must be running Exchange 2003.
General Overview
This is what happens when the client spell check button is pressed:
1. Client sends body of item (or the currently highlighted text, if applicable)
that needs to be checked. See “Content” below for questions about
interspersing content.
a. Since the options are in the Exchange store and the ISAPI does not have
access to that, the client needs to send them up in the request URL, like POST
?cmd=spellcheck with the options of
“lang=en,options=IgnoreCaps,IgnoreMixedNums” etc. in the request
headers.
2. While client waits for server to return data, client displays progress dialog
(see below).
3. Server returns data:
a. If no spelling errors were found:
i. Server will indicate in the XML body response that there were no
errors.
ii. The normal spell checking dialog will not show up.
iii. The client will display to the user a dialog with the following text:
No spelling errors were found.
b. If spelling errors were found, the server will return the marked words,
the offset into the body, the suggestions and the type of error that was
found (duplicate word versus spelling error).
Checking the paths
Through Microsoft® Windows® Explorer, check the following:
%SystemDrive%\Program Files\Exchsrvr\exchweb\bin\Spell
Possible Events in the System Log
It is possible the following events could be logged in the system event log:
If these errors appear, follow Knowledge Base (KB) article 297989:
Configured Identity Is Incorrect for IWAM Account.
Checking Permissions
In IIS admin, check the Authentication Methods under the Directory Security tab
on the virtual directory: Exchweb\bin\spell.
The default settings are Integrated and Basic.
Anonymous should absolutely NOT be on the spell directory.
Checking in different languages
It may be necessary to try to spell check in a different language. If the same
problem persists in German, French and others, then it is the ISAPI filter. If
the problem persists only for English and does not exist in German or French,
then it is just the English DLL that is the problem.
Netmon Trace from the client to Server
It may be necessary to capture a Netmon trace between the client and the server
in order to troubleshoot spell check issues.
In order to troubleshoot issues it is recommended that Netmon is installed on
the Front-End server and all traffic is captured. This way, the requests to and
from the client and also the Back-End Server (where the user’s mailbox resides)
can be caught.
Prior to capturing any network traffic it is necessary to add the following
registry key to the Exchange 2003 Front-End server. This key does not exist by
default.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA
Parameter: AllowRetailHTTPAuth
Type: DWORD
Value: 1
Note Remember to remove the registry key after the Netmon Capture has been
taken.
Netmon tracing when there are errors in the spelling
When a mail does contain incorrect spelling it is possible to see the network
traffic being sent from the server to the client. This is a good test to see whether
the OWASpell.DLL is being called and the Exchange 2003 Server Front-end
server is working as it should.
The test mail that was sent in this example had the following text string in the
main body of the message:
“This ia a test message with incrorrect spelling”
For more detailed steps on using NETMON to trace spell check see
Module 9 Appendix C.
Performance and scalability are very important with Outlook Web Access spell
check. The following registry keys can be used to help configure and
troubleshoot any issues occurring on an Exchange 2003 Front-End server.
All registry keys are configured under the following hive:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA
MaxSpellDocumentSize (DWord)
Description: Number of kilobytes.
Default: This key will not exist by default.
Behavior: If the user requests spell check for a document larger than the
number of kilobytes specified by this key, the server will return
a unique error to the client indicating that the document is too
large.
MaxSpellErrors (DWord)
Description: Number of errors per item, duplicates.
Default: This key will not exist by default.
Behavior: The maximum number of errors to process on a single item. If
this is set to 5 and an item comes with 6 errors, when the ISAPI
receives notification of the sixth error, it will send the
corrections of the first 5 to the client, along with an error code.
The user will see a dialog indicating that only part of the
document could be checked. They can make corrections and
spell check again.
MaxUniqueSpellErrors (DWord)
Description: Number of unique errors per item.
Default: This key will not exist by default.
Behavior: The maximum number of unique errors to process on a single
item (versus duplicates.) If this is set to 5 and an item comes in
with 6 errors but they are all the same misspelling, the ISAPI
will process it as normal. If this is set to 5 and an item comes in
with 10 errors of different words, the ISAPI will send the
corrections of the first 5 to the client, along with an error code.
The user will see a dialog indicating that only part of the
document could be checked, and they can make corrections and
spell check again.
MaxSpellRequests (DWord)
Description: Number of client requests to process at a time.
Default: This key will not exist by default.
Behavior: If a request comes in and there is already a maximum number
of requests being processed, the client will receive an error and
the user will see a dialog telling them that the spell check server
is busy and they should try again later.
DisableSpellCheckOnSend (DWord)
Description: Provides a way for administrators to disable the automatic spell
check on send feature.
Default: This key will not exist by default.
Behavior: If the value is non-existent or zero (0) the feature is not
disabled. If the value is 1 or any other value, the feature is
disabled.
ChangeSpellerList (DWord)
Description: Provides a mechanism for administrators to add or remove spell
check languages between Exchange releases.
Default: This key will not exist by default.
Behavior: When this key is added or incremented, it triggers the server to
scan for new language files and increment the list of choices
displayed in the spell check UI.
Whenever an administrator adds or removes a spell check DLL and its
corresponding LEX file in the Exchange 2003 server’s /exchweb/bin/spell
directory, they should increment this value after the file change. When creating
this value, it is suggested that the administrator initialize it with a value of zero
(0).
Overview
GZip compression is a component of Windows Server 2003 that can be enabled
to allow users to experience a richer Outlook Web Access experience because
data from an Exchange 2003 Server is compressed and sent to the client which
subsequently decompresses the stream.
The core value of GZip compression is that dial-up users will be able to use
Outlook Web Access much more effectively. It will boost performance on the
order of 50% for most common operations.
The primary reason for enabling GZip is for dial-up users or users on a slow
network link who access their mailbox through Outlook Web Access. This is
only valid with Secure Sockets Layer (SSL) enabled. Without SSL the
modem’s hardware compression typically offers a similar performance
improvement. With SSL, modems can’t compress the encrypted content, but the
GZip filter in IIS actually compresses prior to SSL encryption.
Enabling GZip compression will increase the load on the Exchange 2003
server(s). Enabling GZip for users who are on a fast network link or on a
corporate network will therefore not necessarily provide any improvement.
There could be instances where the user experience is impacted because the
server is heavily utilized performing compression that is not really necessary
when all users have a fast network link.
Only files over 1 K will get compressed while other files, such as GIFs, will not
get compressed at all.
The following statement was taken from OTG Deployment internal to
Microsoft:
“The result is that Exchange 2003 Outlook Web Access's dialup experience
starts 50% faster than what you're used to with Exchange 2000.
If you use Outlook Web Access's "Basic" client you will be able to load your
Inbox over 80% faster than Exchange 2000, and even more than 50% faster
than Hotmail (It takes almost 57 seconds to log on and get the Hotmail Inbox
view.)
Most Outlook Web Access users briefly log on, read and move a few messages.
This is what we've optimized for in Exchange 2003.”
In general, any HTTP 1.1 compatible client that sends the “Accept-
encoding” header to the server.
Operating System: Windows 2000 or later
Internet Explorer 6.0 + Q328970
Netscape Navigator V 6.0 or greater
http://support.microsoft.com/default.aspx?scid=kb;en-us;328970
Specifically, URLMON.DLL needs to be version 6.0.2800.1126 or higher –
This can be located in %\Windows\System32
Note Compression is disabled for the Windows Server 2003 server browser
client. This is due to an URLMon bug that existed in the Windows Server 2003
server builds that existed when the GZip support was checked in. It was unclear
that it was going to get fixed, so compression was specifically disabled for this
client rather than introduce the risk. Also see MS03-004: ID: 810847.KB.EN-
US.
Forms Based Authentication
Forms Based Authentication needs to be enabled (Cookie-Auth):
Front-End / Back-End Deployment:
Front-End: Exchange 2003 on Windows Server 2003
Back-End: Exchange 2003 on minimum Windows 2000 SP4
Standalone Deployment
Exchange 2003 installed on Windows Server 2003 server
Note If you use Exchange 2003 Front-Ends to access Exchange 2000 Back-
Ends, then you should disable GZip compression support on the Front-End
Servers. GZip will not work as it is a requirement for all mailbox servers to be
on Exchange 2003.
Forms Based Authentication
Enable Forms Based Authentication on the Exchange 2003 server that will be
configured to process GZip requests. When Forms Based Authentication is
enabled, the Compression settings will be available for selection.
Compression settings
The following screenshot (Properties of the HTTP Exchange Virtual Server)
illustrates this.
There are three compression options available:
1. None: No data is compressed.
2. Low: This is for static content - the generic files that are required on the
client in order for Outlook Web Access to work. These are: JS, CSS, HTM,
XSL and HTC files.
3. High: This is for static and dynamic content such as messages, attachments,
etc.
When a selection has been made and Apply has been pressed, the following
warning message is displayed:
These are the only Exchange System Manager settings that need to be checked
in order to ascertain whether Gzip has been configured correctly.
IIS provides no Performance monitor counters or application event log
messages explicitly for Gzip compression. There are a number of
troubleshooting steps that can be taken to check for any Gzip issues.
Important When the compression level is changed via the Settings of the
Properties of the Exchange Virtual Server in Exchange System manager a
warning is displayed advising that it will be necessary to restart the IIS Virtual
Server before the change will take effect. Highlight the server object in Internet
Services Manager. Right-click and select Tasks. Select restart the IIS virtual
server.
Note Only HTTP version 1.1 or greater compatible browsers will issue the
above accept-encoding header.
Note Some proxy servers may offer no support for HTTP 1.1 and may strip
some of the headers. ISA offers limited support and although it strips the
Protocol version = 1.1 header, it passes the Accept-Encoding header.
An empty Accept-Encoding request header indicates to the server that the client
will not accept any content coding.
If a Netmon capture is required as a troubleshooting step, it is
recommended that the capture is run on the Exchange 2003 Front-End Server;
this will capture the incoming client GET request and also communication to
the Exchange 2003 Back-End servers. However, if this is not an option,
capturing the network traffic from the client is fine; the GET request will be
captured.
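Once a request/response pair has been saved from the capture, the negotiation described above can be checked mechanically rather than by eye. The following is an added example, not part of the original module or of any Microsoft tool: the host name, path and page body are constructed sample data, and treating a missing Accept-Encoding header as "gzip not offered" is an assumption that matches the client requirement stated above.

```python
import gzip
import zlib


def split_message(raw):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def accepts_gzip(value):
    """Evaluate an Accept-Encoding value; None means the header is absent."""
    if value is None:
        return False  # assumption: stripped or never sent, so gzip is not offered
    weights = {}
    for item in value.split(","):
        token, _, params = item.strip().partition(";")
        if not token.strip():
            continue  # an empty header accepts no content coding
        weight = 1.0
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    weight = float(val)
                except ValueError:
                    weight = 0.0
        weights[token.strip().lower()] = weight
    for name in ("gzip", "x-gzip", "*"):
        if name in weights:
            return weights[name] > 0  # "gzip;q=0" is an explicit refusal
    return False


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body."""
    out = b""
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip(), 16)
        if size == 0:
            break
        out, body = out + body[:size], body[size + 2:]
    return out


def diagnose(request, response):
    """Compare one captured request/response pair and classify the outcome."""
    req_line, req_headers, _ = split_message(request)
    _, resp_headers, body = split_message(response)
    offered = accepts_gzip(req_headers.get("accept-encoding"))
    result = {"http11": req_line.rstrip().endswith("HTTP/1.1"),
              "offered": offered, "compressed": False, "sizes": None}
    if resp_headers.get("content-encoding", "").lower() in ("gzip", "x-gzip"):
        try:
            if resp_headers.get("transfer-encoding", "").lower() == "chunked":
                body = dechunk(body)
            plain = gzip.decompress(body)
        except (OSError, EOFError, ValueError, zlib.error):
            result["verdict"] = "corrupt"  # header says gzip, body is not
            return result
        result.update(compressed=True, sizes=(len(body), len(plain)))
        result["verdict"] = "compressed" if offered else "unexpected"
    else:
        # offered-not-compressed points at the server side (compression level,
        # file under 1 K, excluded type); not-offered at the client or a proxy
        result["verdict"] = "offered-not-compressed" if offered else "not-offered"
    return result


# Constructed sample capture (host, path and body are made up for the example).
PAGE = b"<html>" + b"<tr><td>message row</td></tr>" * 100 + b"</html>"
REQUEST_GZIP = (b"GET /exchange/ HTTP/1.1\r\nHost: owa.example.test\r\n"
                b"Accept-Encoding: gzip, deflate\r\n\r\n")
REQUEST_STRIPPED = b"GET /exchange/ HTTP/1.0\r\nHost: owa.example.test\r\n\r\n"


def build_response(body, compress):
    """Build a sample response, gzip-compressed or plain."""
    payload = gzip.compress(body) if compress else body
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if compress:
        head += b"Content-Encoding: gzip\r\n"
    return head + b"Content-Length: %d\r\n\r\n" % len(payload) + payload


if __name__ == "__main__":
    print(diagnose(REQUEST_GZIP, build_response(PAGE, True)))
    print(diagnose(REQUEST_STRIPPED, build_response(PAGE, False)))
```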
AllowRetailHTTPAuth
Prior to capturing any network traffic it is necessary to add the following
registry key to the Exchange 2003 Front-End server. This key does not exist by
default.
Location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA
Parameter: AllowRetailHTTPAuth
Type: DWORD
Value: 1
Note Remember to remove the registry key after the Netmon Capture has been
taken.
For more information on GZip Settings and Metabase see Module 9 Appendix
D and E.
In some cases it may be necessary to gather debug data from the Outlook Web
Access components. To enable DAV Tracing, follow these steps:
1. Stop the W3SVC and MSExchangeIS Services
2. Run the following three Registry updates on the Front-End Server:
a. davex-traces.reg
The following keys are added to the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories]
"Debug"=dword:00000001
"Davex"=dword:00000001
"DavexDbgHeaders"=dword:00000000
"Epoxy"=dword:00000001
"Repl"=dword:00000001
"Ifs"=dword:00000001
"IfsCache"=dword:00000001
"WebClient"=dword:00000001
"FileStream"=dword:00000001
"Nmspc"=dword:00000001
"StringBlock"=dword:00000001
"Schema"=dword:00000001
"Sql"=dword:00000001
"DBCommandTree"=dword:00000001
"Unpack"=dword:00000001
"Xml"=dword:00000001
"Search"=dword:00000001
"Actv"=dword:00000001
"BodyStream"=dword:00000001
"Content"=dword:00000001
"Ecb"=dword:00000001
"ECBLogging"=dword:00000001
"EcbStream"=dword:00000001
"Event"=dword:00000001
"Lock"=dword:00000001
"Method"=dword:00000001
"Persist"=dword:00000001
"Request"=dword:00000001
"Response"=dword:00000001
"ScriptMap"=dword:00000001
"Transmit"=dword:00000001
"Url"=dword:00000001
"DavprsDbgHeaders"=dword:00000001
"Metabase"=dword:00000001
"DsaMgr"=dword:00000001
"IdleThrd"=dword:00000001
b. exoledb-traces.reg
The following keys are added to the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories]
"Debug"=dword:00000001
"Epoxy"=dword:00000001
"Exdav"=dword:00000001
"Notif"=dword:00000001
"Props"=dword:00000001
"Repl"=dword:00000001
"Search"=dword:00000001
"SessMgr"=dword:00000001
"Locks"=dword:00000001
"WebClient"=dword:00000001
"EnumAtts"=dword:00000001
"FileStream"=dword:00000001
"PropFind"=dword:00000001
"ExOleDb"=dword:00000001
"ExOleDb_Errors"=dword:00000001
"ExOleDb_Events"=dword:00000001
"ExOleDb_ThreadPool"=dword:00000001
"ExOleDb_Transactions"=dword:00000001
"ExOleDb_SystemEvents"=dword:00000001
"ExOleDb_ClientControl"=dword:00000001
"ExOleDb_EntryExit"=dword:00000001
"ExOleDb_Impersonation"=dword:00000001
"ExOleDb_Hsots"=dword:00000001
"XProcCache"=dword:00000001
"Nmspc"=dword:00000001
"StringBlock"=dword:00000001
"Schema"=dword:00000001
"DBCommandTree"=dword:00000001
"Sql"=dword:00000001
"Unpack"=dword:00000001
"Xml"=dword:00000001
"Search"=dword:00000001
"DsaMgr"=dword:00000001
"IdleThrd"=dword:00000001
"LinkFix"=dword:00000001
"CalcProps"=dword:00000001
"MDBInst"=dword:00000001
"LogCallback"=dword:00000001
"AdminLogon"=dword:00000001
"Exoledbesh_Errors"=dword:00000001
"SchemaPop"=dword:00000001
c. exprox-traces.reg
The following keys are added to the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories]
"Debug"=dword:00000001
"Prx"=dword:00000001
"PrxConn"=dword:00000001
"PrxParser"=dword:00000001
"PrxReplMgr"=dword:00000001
"PrxRequest"=dword:00000001
"PrxSrv"=dword:00000001
"Url"=dword:00000001
"StringBlock"=dword:00000000
"DsaMgr"=dword:00000001
"IdleThrd"=dword:00000001
Note: The above files have all of DAV's tracing categories turned on.
3. Create the following registry key (or verify that it exists) of type
REG_MULTI_SZ called "Modules" under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
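A cleanup check for the AllowRetailHTTPAuth note and the DAV tracing steps above, as an added example that is not part of the original courseware: it parses a registry export of the MSExchangeWEB service key and reports a leftover AllowRetailHTTPAuth value, tracing categories that are still switched on, and value lines that do not follow .reg syntax. The sample export is constructed and the function names are hypothetical.

```python
import re

# Key paths as given on the page. Registry key and value names are
# case-insensitive, so comparisons are done in upper case.
OWA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA"
TRACE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')
OTHER_VALUE_RE = re.compile(r'^("[^"]+"|@)=')  # strings, hex data, default value
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

def parse_reg(text):
    """Return ({KEY: {name: int}}, [(line_no, line)]) for DWORD values."""
    values, malformed, key, cont = {}, [], None, False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if cont:  # continuation of a multi-line hex value
            cont = line.endswith("\\")
            continue
        if not line or line.startswith(";") or line in HEADERS:
            continue
        section = KEY_RE.match(line)
        if section:
            key = section.group(1).upper()
            values.setdefault(key, {})
            continue
        dword = DWORD_RE.match(line)
        if dword and key is not None:
            values[key][dword.group(1)] = int(dword.group(2), 16)
        elif OTHER_VALUE_RE.match(line) and key is not None:
            cont = line.endswith("\\")  # non-DWORD value: not audited here
        else:
            malformed.append((line_no, line))
    return values, malformed

def audit(text):
    """Summarise debug settings that are still present in the export."""
    values, malformed = parse_reg(text)
    owa = {name.upper() for name in values.get(OWA_KEY.upper(), {})}
    tracing = values.get(TRACE_KEY.upper(), {})
    return {
        # The page says this value does not exist by default and must be
        # removed after the capture, so its presence alone is a finding.
        "allow_retail_http_auth_present": "ALLOWRETAILHTTPAUTH" in owa,
        "tracing_enabled": sorted(n for n, v in tracing.items() if v != 0),
        "malformed": malformed,
    }

# Constructed sample export (not taken from a real server).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA]
"AllowRetailHTTPAuth"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories]
"Debug"=dword:00000001
"Prx"=dword:00000001
"StringBlock"=dword:00000000
"DsaMgr":00000001
'''

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_EXPORT).items():
        print(finding, "->", detail)
```

A file saved by Registry Editor in the "Windows Registry Editor Version 5.00" format is UTF-16, so decode it as such before passing the text to audit().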
Outlook Web Access in Exchange 2003 supports the concept of 'Themes'. You
can change your default color scheme out of the box; however, it is also
possible to create your own Outlook Web Access themes.
1. On the front-end(s) and back-end(s), create a directory in
…\exchweb\themes, e.g. called "foo".
2. Copy or create new versions of the following images (gradients for buttons,
backgrounds, etc) to \foo:
• logo2.gif – branding logo, can replace with own company logo
• nb-bkgd.gif – navbar background
• nb-hide-ql.gif – nav bar hide icon ("slider")
• nb-ql-tgl.gif – nav bar slider background
• nb-sel-bkgd.gif – navbar selection gradient
• nb-show-ql.gif – nav bar show icon
• nin-bg.gif – toast image for new e-mail notification
• OWAColors.css – colors used in themes
• resize-dot.gif
• tool-bkgd.gif – toolbar background, also used for folder button
3. You can then edit the Cascading Style Sheet (CSS) to come up with your
own colors and styles. Note that public folders and the calendar viewer are not
affected.
4. On the back-end(s), add a registry key under HKEY_LOCAL_MACHINE \
System \ CurrentControlSet \ Services \ MSExchangeWEB \ OWA \
Themes on the server (e.g. mytheme) with properties:
• This is the registry structure:
...MSExchangeWEB \ OWA
|
---- Themes
|
---- Theme1 (REG_SZ)
|
---- ThemeN (REG_SZ)
5. In the path section of the registry entries, just put in the path relative to the
exchweb\themes directory (such as "foo"), mentioned above.
6. Just wait 30 seconds after implementing the registry parameter, and the new
theme will be available in 'Options'. No need to restart services!
Exercise 1
Setting up Forms Based Authentication
Scenario
Contoso Pharmaceuticals would like a custom logon page for Microsoft Outlook Web Access. In
this exercise you will configure Forms Based Authentication.
Forms based authentication requires clients to use a SSL connection. If SSL encryption is not
offloaded to another source, complete the following steps:
• Configure SSL
• Restart the IIS service
1. Enable SSL Requirement for Exchange Virtual Directory.
a. Log into Exchange as Administrator with password Passw0rd1.
Note: If you already have a valid certificate installed, proceed to Task 2.
b. From the task bar click Start | All Programs | Administrative Tools |
Internet Information Services (IIS) Manager.
c. Expand EX2 (local computer) | Web Sites.
d. Right click Default Web Site, select Properties, and then click the
Directory Security tab.
e. Select the Server Certificate button under Secure Communications.
f. Click the Next button when the Welcome Wizard appears.
g. Create a new certificate | Click Next.
h. Select Send the request immediately to an online certificate
authority | Click Next.
i. Click Next on Name and Security Settings window.
j. Type Contoso in Organization.
k. Type Redmond in Organizational Unit.
l. Click Next.
m. Type mail.contoso.com in Your Site’s Common Name.
In order to prevent users from getting prompted when using SSL,
the common name of the certificate MUST be the fully qualified
domain name (FQDN) of the Front-End server
• [e.g. mail.contoso.com]
n. Click Next.
o. Type Washington in State/Province.
p. Type Redmond in City/locality.
q. Click Next.
r. Click Next on SSL Port.
s. Click Next on Choose a Certificate Authority.
Exercise 2
Change Forms Based Authentication to require only User Alias
and Password
Scenario
The CIO of Contoso Pharmaceuticals does not like having to enter his Domainname\Username in
the Outlook Web Access Logon Page. In this exercise you will change the logon to only require
User Alias and Password.
Exercise 3
Enable Outlook Web Access Password Change
In this exercise, you will allow users to change their passwords while using Outlook Web Access.
By default the setting that allows this is disabled. Empowering users to be able to change their
passwords can reduce support calls and allow roaming (sales) users to abide by corporate security
policies.
Changing the password requires SSL and the addition of the iisadmpwd virtual directory and
setting the following key to 0 or deleting the key.
Note: You can select other authentication types, but you must also select the Anonymous Access
authentication method.
Note: If you do not enable the Anonymous Access option, the client and server go into an endless loop when
you attempt to authenticate users who are prompted to change an expired password.
For example, if a user navigates to the site and is prompted for a password but their password has expired, the first
page that they tried to access redirects them to the password expiry page. The password expiry page challenges the
user, but because the user is not authenticated on the first page, the second page refuses the connection because the
password has expired. When this occurs, the user is redirected back to first page; the first page redirects the user to
the second page, and so on.
For additional information about a fix for this looping behavior, check the article number 275457 IIS 5.0 May Loop
Infinitely When a User Is Forced to Change Their Password.
4. Zero is the default value for the PasswordChangeFlags setting, but the following
steps can be used to change or confirm the setting. To change the Metabase
PasswordChangeFlags setting to zero (0), you must first change to the
\inetpub\adminscripts folder on your hard drive.
a. From the task bar click Start | Run | type cmd | click the OK button.
b. At the command prompt type CD C:\Inetpub\AdminScripts and then press Enter.
c. Type cscript adsutil.vbs set "w3svc/PasswordChangeFlags" 1 then press Enter.
Note: The following values are options for the PasswordChangeFlags setting:
0: Requires password change by SSL
1: Allows password change by non-secure ports
2: Disables password changes
4: Disables advance notification of expiration
5. After creating iisadmpwd and the reg key, you see the password change button
under options in Outlook Web Access:
a. Switch to XP-Client and open Internet Explorer.
b. Type https://mail.contoso.com/exchange.
c. Log into Outlook Web Access (OWA) with the Administrator
account and password Passw0rd1.
d. Click the Options link in the bottom left navigation bar.
e. Scroll all the way down and verify the Change Password button is
visible.
f. Close Internet Explorer.
Note: In a front-end/back-end topology with Exchange 2000 and/or Exchange 2003 back-end servers running
on both Windows 2000 servers, it is necessary to add Windows 2000 compatible Web pages to the Windows
2003 front-end server.
Exercise 4
DAV Tracing
In this exercise, you will modify the registry and use the debugging tool regtrace.exe to watch the
internals of Exchange Server. This utility is used for debugging purposes only. Regtrace.exe adds
about 30% processing overhead to the system, so use it for debugging only!
For more information visit http://support.microsoft.com/default.aspx?scid=KB;EN-US;238614
1. Stop services for debugging on the Exchange server.
a. On Exchange, from the taskbar click Start | All Programs |
Administrative Tools | Services.
b. Stop the W3SVC (World Wide Web Publishing Service) and
MSExchangeIS (Microsoft Exchange Information Store) services.
2. Add some registry keys into the registry on the Exchange Server.
a. Open Explorer, navigate to the C:\LabFiles\Lab 9\ folder, double-click
each of the following files, and click Yes and OK to the Registry
Editor prompts:
• davex-traces.reg
• exoledb-traces.reg
• exprox-traces.reg
b. Close the Explorer window.
c. Open the registry editor: from the task bar click Start | Run | type
regedit | click the OK button.
d. Expand
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
e. Create the Modules registry key (or verify that it exists) of type
REG_MULTI_SZ. Right click DebugAsyncTrace and click New,
Multi-String Value. Name it Modules.
f. Create a value that contains DAV-EXOLEDB-OWA as one of its values.
Double-click Modules and enter DAV-EXOLEDB-OWA and then
click OK.
3. Configure the Regtrace utility, execute an Exchange task and examine the
regtrace output.
a. From the task bar click Start | Run | type Regtrace | click the OK
button.
b. On the Traces tab check the checkbox for Debug Statements.
c. On the Output tab select File, and choose C:\DavTrace.atf.
d. Make the Max Trace File Size at least 50 MB. Click Apply.
e. Return to the Services window. Start the W3SVC and MSExchangeIS
services.
f. Switch to XP-Client and log into OWA
https://mail.contoso.com/exchange as Administrator with password
Passw0rd1 and send Administrator an email.
g. Switch back to Exchange.
h. Run Regtrace, click the Output tab and click No Tracing.
4. Save the State of the Virtual PCs.
a. You will need the Virtual PCs for the next Lab. Follow these steps
closely so you do not lose any information.
b. On each of the Virtual PC 2004 menus, click Action, Close.
c. For the drop down list under What do you want the virtual machine
to do? select Save state and save changes.
d. On the Close window, uncheck the Commit changes to the Virtual
hard disk box.
e. Click OK. This will save the state of the image so you can resume
tomorrow without losing any work.
Reproduce the problem that you are troubleshooting. For example, if you are reproducing a problem where mail is
being returned undeliverable, send some e-mail to an address that will cause Exchange 2000 Server to return the
message undelivered.
When you have reproduced the problem several times, stop tracing by clicking No Tracing from the Output menu in
Regtrace. Also, on the Trace tab, make sure that the All tracing type option is not selected.
Review
3. What version of Internet Explorer is required for all the nice new stuff?
6. What is the regkey that can turn off SSL to enable a clear netmon trace?
Appendix A
This session will have a brief look at some of the new features and compare
versions
Logon/Logoff Improvements
Logon page | New customized form for logging on to Outlook Web Access; includes cookie-based validation where the Outlook Web Access cookie is invalid after user logs out or is inactive for a predefined amount of time. | Yes, with choice of using Outlook Web Access Basic. | Yes, but only allows use of Outlook Web Access Basic.
User interface updates | New color schemes, reorganized toolbars. | Yes, plus new view menu, default user interface font, and bidirectional support. | Yes, but only one color scheme available.
Item window status bar | A status bar is now available on item windows where a user can see the destination URL of a hyperlink in an e-mail message when the mouse pointer is positioned over the link. | Yes | No. Items do not open in separate windows, but the status bar is still available.
View Improvements
Items per page | Users can determine how many items appear per page in e-mail, contact, and task views. | Yes | Yes
Navigation Improvements
New Navigation Pane | Unified user interface contains module shortcuts, full folder tree, refresh item count button, customizable width. | Yes | Shortcuts only
Log Off option on toolbar | Log Off option is now on the view toolbar, not in the Navigation pane. | Yes | No
Global Address List Properties sheets | Property sheets now display name, address, and phone information for resolved Global Address List (GAL) users. | Yes; available in received items, draft items, Check Names dialog box, and Find Names dialog box. | Yes; only available in received items and draft items.
Send mail from Find Names | Users can send new messages to addresses found in the Find Names dialog box when it is opened from an e-mail view. | Yes | No
Open Find Names from message | Users can open Find Names from a message and use it to add new recipients to a draft message; also used to add recipients to a contact distribution list. | Already available in previous versions of Outlook. | Yes
Sorted results in Find Names and Check Names | The results in Find Names and Check Names now are sorted in alphabetical order. | Yes | Yes
Auto signature | Users can create a signature that is automatically included in e-mail messages. | Yes, HTML-based formatting; also on-demand insertion. | Yes, plain-text formatting; no on-demand insertion.
Navigate after delete | Users can open the next or previous item after deleting an item. | Yes | No
Read receipts | Users can use or ignore read-receipt requests. | Yes; users also can send receipts even when the option is set to ignore requests. | Yes; users are not able to send receipts when option is set to ignore requests.
Junk mail filtering | Options to set up safe- and blocked-sender lists. | Yes | Yes
No indenting replies | The reply header and reply body are no longer indented. | Yes | Yes; Outlook Web Access Basic never indented.
Rules Improvements
Task Improvements
Personal tasks | Users can create and manage personal tasks and receive reminders for these items. | Yes | Yes, but no reminders.
Calendar Improvements
View Calendar from Meeting Request | Meeting attendees can open their Calendar from a meeting request. | Yes | Yes
Performance Improvements
Bytes over the wire | Fewer bytes sent over the wire from server to browser. Additionally, the data sent from the server to the browser during initial logon has been reorganized to speed up rendering the Inbox. | Yes | Yes
Compression support | Administrators can configure compression support for Outlook Web Access and provide a performance improvement of nearly 50 percent for most actions on slow network connections. | Yes, when accessed with Internet Explorer 6 SP1 + Q328970 or higher. | Depends on the browser.
Appendix B
The following chart depicts the default settings for IIS when you select Use
Forms Based Authentication. There is no user configuration required.
Configuration of UPN support also is handled by Exchange System Manager.
Appendix C
1 : Packet 201
Packet 270 – This is the POST request that initiates the OWASPELL.DLL on
the Front-End Server. Some of the settings configured by the client are also
evident in this packet.
2 : Packet 270
For example:
These can be changed through the Options button in Outlook Web Access:
Packet 271 – This packet is immediately after the POST Packet, and this packet
contains the data to be spell checked:
3 : Packet 271
Packet 276 – This is what the Front-End sends back to the client. What
actually gets sent back, i.e. the number of suggestions, can be configured through
the registry.
Within the data section of the packet, it is possible to see the Front-End Server
send the Spell check results, and this is for all the words that are spelled
incorrectly.
In the data portion it will read UnknownWord and then the words that are
misspelled; in this example “ia” and “incrorrect”
Reading through the data portion of the packet all the suggested words will be
prefixed with <sug>.
4 : Packet 276
The client will be presented the following on the screen:
With this information it is possible to conclude that the ISAPI Spell-check filter
on the Front-End server is working as expected.
Netmon tracing when there are no errors in the spelling
In the example used, the client had the setting “Always check spelling before
sending” checked, so even if the client initiates a manual spell check, the body
of the text will get checked again.
Like packet 270, packet 1252 initiates the spell check, but this time
the body of the text that is sent to the Front-End Server is as follows:
In the data section of packet 1257, there are no corrections to be made, as the
following illustrates:
To be aware of
Note: By default, only 90 kb of data will be spellchecked. This can be
amended by setting the MaxSpellDocumentSize registry key.
When replying to a message and spell checking the mail, only the text that
has been added will be spell checked. If the Reply Line was deleted by the
user then all of the text in the mail body will be spell checked.
The following screenshot illustrates this:
When a message is sent with the encrypt button selected, the following dialog
boxes are displayed: the first if the user clicks manual spell check. The second
when the client has Always check spelling before sending configured in their
options.
Appendix D
Compression Level: None
When the compression level is set to None (False / 0), the Global Gzip
Metabase settings are as follows:
The per-directory metabase settings are also toggled off, since another
application could re-enable these global values (although Microsoft does not
ship any others that use it yet.)
Configuring the Global Compressions settings:
W3SVC/Filters/Compression/GZip/
Compression Level: Low
When the compression level is set to Low (true / 1), the Metabase settings are
as follows:
Configuring the Global Compressions settings:
W3SVC/Filters/Compression/GZip/
Compression Level: High
When the compression level is set to High, the Metabase settings are as
follows:
Configuring the Global Gzip settings: W3SVC/Filters/Compression/GZip/
GZip Dynamic (High) Compression Level Over-ride
It is possible to tweak the high compression level so that the compression level
can be adjusted and not automatically overwritten when the server DS2MB
process updates settings.
The registry key that needs to be set to allow this is
HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \
MSExchangeWEB \ OWA
Parameter: HcDynamicCompressionLevel
Type: REG_DWORD
Value: 0 through 10
and actually sets its value. The Exchange attendant process (DS2MB) will pick
up changes to this key while it is running but the value is only used when
compression is enabled on the server via the Exchange System Administrator.
When compression is disabled on the server via Exchange System
Administrator, then whatever the last value was for the IIS metabase key will be
left alone.
The following example is where the HcDynamicCompressionLevel has been
set to 5 through the registry:
To implement the over-ride value for dynamic compression, you must first set
the Outlook Web Access\HCDynamicCompressionLevel value, apply the
setting, and then enable or re-enable all Exchange virtual servers that use
compression.
You may have to wait for DS2MB to run before Exchange picks up the registry
value and replicates it correctly. The following will be set on the Exchange
Virtual root:
Appendix E
Path ID Value
Path ID Value
js xsl”
W3svc/filters/compression/GZip/HCScriptFileExtensions 2244 “”
W3svc/filters/compression/GZip/HCOnDemandCompLevel 2242 10
W3svc/filters/compression/GZip/HCDynamicCompressionLevel 2241 10
Outlook Web Access Specific settings that must be configured for static and dynamic compression
Now that you have configured the server-wide settings so they do not affect
other apps, you need to add the keys that enable GZip for the Outlook Web
Access virtual roots and directories.
The following table includes the settings that you need to set:
In general you can iterate over all vroots on the virtual server that have the
Cookie-Auth metabase key enabled (ID = 45054, value = 1) and apply the
above settings except for the root, auth, and the img directory (they need special
handling).
Global GZip settings that are configured for static (low) compression
Path ID Value
W3svc/filters/compression/GZip/HCDoDynamicCompression 2213 False (unless already true)
Path ID Value
W3svc/filters/compression/GZip/HCOnDemandCompLevel 2242 10