
Module 9: Outlook Web Access

Contents

Overview
Lesson 1: Summary of Features
Lesson 2: Outlook Web Access Basic
Lesson 3: Outlook Web Access Premium
Lesson 4: Outlook Web Access and the Browser
Lesson 5: Outlook Web Access and Forms Based Authentication
Lesson 6: Outlook Web Access S/MIME Control
Lesson 7: Outlook Web Access Attachment Blocking
Lesson 8: Other Features
Lesson 9: Outlook Web Access Spell Check
Lesson 10: Outlook Web Access and Gzip Compression
Lab A: Outlook Web Access
Review
Appendix A
Appendix B
Appendix C
Appendix D
Appendix E

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows 2000, Active Directory, ActiveX, BackOffice,
FrontPage, Hotmail, Jscript, MSN, NetMeeting, Outlook, PowerPoint, SQL Server, Visual Studio,
and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in
the United States, and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Overview

*****************************illegal for non-trainer use******************************

Introduction
Welcome to Microsoft Outlook Web Access provided by Microsoft® Exchange
Server 2003. There are a host of major new features in the product and nearly as
many improvements in existing features:
• Faster performance
• Better logon/logoff experience
• Spell check
• Rules for managing mail
• E-mail Signatures
• Encrypted and Signed mail
• Personal Tasks
• Meeting Request enhancements
• And a whole lot more…
What follows is a guided tour of the additions and changes in this release of
Outlook Web Access.
Objectives
After completing this module, you will be able to:
• Describe the new features in Microsoft® Outlook® Web Access Premium.
• Describe the new features in Microsoft® Outlook® Web Access Basic.
• Compare Public versus Private connection.
• Configure Forms Based Authentication (cookie auth).
• Describe GZip compression as it relates to Outlook Web Access.
• Configure Outlook Web Access Attachment Blocking.
• Describe the capabilities of the Outlook Web Access Secure/Multipurpose
Internet Mail Extensions (S/MIME) Control.racts with other components.

Lesson 1: Summary of Features

Outlook Web Access in Exchange 2003 actually comes in two versions:
• Outlook Web Access Premium, which can be used by Microsoft®
Internet Explorer 5.01 or higher.
• Outlook Web Access Basic, which can be used by all types of Internet
browsers.
For a complete listing of Outlook Web Access improvements, see Module 9
Appendix A.

Lesson 2: Outlook Web Access Basic

Introduction
The Outlook Web Access Basic client is designed to run in most common
browsers (compliance with the HTML 3.2 and European Computer
Manufacturers Association [ECMA] Script standards is required). Outlook Web
Access Basic has a different user interface than the Premium client and only a
subset of the Premium client’s functionality. Outlook Web Access Basic,
however, is the preferred client for users with accessibility needs.
This document provides a quick overview of what was added to Outlook Web
Access Basic in Exchange 2003.

Important: It is necessary to first read about the enhancements to Outlook Web
Access Premium to understand the changes in the Basic client.

Unlike the Premium experience, Outlook Web Access Basic does not support
right-to-left layouts for languages such as Arabic and Hebrew. Toolbars and
view headers are not fixed to the top of the window, so when the user scrolls
down in the view, the toolbars and view headers scroll off screen.
Logon Page
When you access your e-mail account through Outlook Web Access, you will
be directed to a logon page if you are logging on via a front-end server like
https://mail.northwindtraders.com/exchange.
If you are using Internet Explorer 5.01 – Internet Explorer 6.0 or greater for
Windows as your browser, you will get the Outlook Web Access Premium
version of the logon page, where you can choose the Premium or Basic client. If
you are using any other browser, you will not have this choice.
The security-level feature functions exactly the same as described for Outlook
Web Access Premium and has the same effect on how long your session can be
inactive before expiring.

UI Revamp

Once you log in to Outlook Web Access Basic, you will notice that the user
interface (UI) has been refreshed from battleship gray to the same true-blue
color scheme as in the Premium version. However, this is the only color scheme
available for the Basic client. Also, the Basic client still uses the browser’s
default font for displaying UI text.
The enhancements to the e-mail view include:
• An option to set the number of items that display per page in the message
list — now you are not just stuck at 25 (see the “Messaging Options”
section of the Outlook Web Access options page).
• Icons in your mail folders show the types of messages you have received
and whether the messages are read or unread.
• The “By Conversation Topic” view has been improved to put the newest
conversation at the top of the messages list.
Outlook Web Access Basic does not have a Reading Pane, context menus, the
ability to mark as read/unread, Quick Flagging, keyboard shortcuts, or deferred
refresh after delete.
Options - Junk Mail Filtering
Outlook Web Access Basic does allow you to manage your junk e-mail
settings, but you cannot add new senders to the block or safe lists directly from
the view. Instead, you must manage these settings completely from the “Privacy
and Junk E-mail Prevention” section of the Outlook Web Access options page.
Just choose the “Manage Junk E-mail Lists” button, and you will be taken to an
interface where you can add, modify, or remove members in your block and
safe lists.
The contents of the block and safe lists will be the same whether you manage
them from Outlook, Outlook Web Access Basic, or Outlook Web Access
Premium.
Navigation
There have been cosmetic changes to the Outlook Web Access Basic
Navigation Pane. There is now a link there for quick access to your Junk Mail
folder, and the Public Folders link is now in the Navigation Pane, too. But
otherwise the Navigation Pane functions as it always has.
Outlook Web Access Basic provides no access to Search Folders or rules. There
are no commands for updating folders or for making it easier to drag items into
folders, because Outlook Web Access Basic does not show folders in the
Navigation Pane. And there are no notifications in the Outlook Web Access
Basic Navigation Pane for new mail or pending reminders. In fact, Outlook
Web Access Basic does not display reminders at all.

Improved E-mail Experience (1)

Outlook Web Access Basic does not have a spell checker, and the functionality
of adding/removing the addresses in the recipient wells has not been changed.
GAL Properties Sheets
If a name in an e-mail message or meeting form has been resolved against the
Global Address List (GAL), in the properties dialog you now will see some of
the key GAL properties for that address — not just the display name and SMTP
address of the recipient. Just click any resolved name in an e-mail you are
writing or reading to see its properties sheet.
Outlook Web Access does not show the full range of GAL properties that
Outlook shows, just the main address and phone information that is listed in the
GAL for the address.
Simple SMTP addresses or addresses that come from your Contacts folder still
show the same information as was available before: display name and SMTP
address.
Unlike in Outlook Web Access Premium, Outlook Web Access Basic does not
have buttons for invoking e-mail properties from Find Names or Check Names.
Outlook Web Access Basic does not have the “Add to Contacts” feature on
properties sheets or anywhere else in the client.
Find Names Enhancements
You now can add names found in a GAL search directly to a message or a
meeting request you’re composing. Just click on any of the address book icons
in the mail or meeting compose forms to launch Find Names.
Find Names now appears in its own window, and the results of your query are
sorted alphabetically.
You cannot search Contacts in the Outlook Web Access Basic Address Book —
only the GAL.
Auto Signature
You can create a plain-text auto signature in basic Outlook Web Access in the
editor under “Messaging Options” on the Outlook Web Access options page.
If you already have created a signature in Outlook Web Access Premium, then a
plain-text representation of that signature will exist in Outlook Web Access
Basic. If you make any edits to the signature in Outlook Web Access Basic,
however, you will overwrite all custom formatting in your Outlook Web Access
Premium signature.
You cannot insert a signature on demand in Outlook Web Access Basic — you
either enable it to be inserted automatically or not at all.
Navigate After Delete
Outlook Web Access Basic does not have special options for where to go after
deleting an open message. You always return to the message list.
Read Receipt Settings
By default, Outlook Web Access for Exchange 2003 will not send read receipts
automatically.
If you change the setting to always send read receipts, then Outlook Web
Access will fall back to the old behavior of automatically filling all read-receipt
requests without notifying you about those requests.
Please note that how you set this option in the Premium client will affect the
behavior in the Basic client and vice versa.
“Web Beacon” Blocking
This is the same in Outlook Web Access Basic as it is in Outlook Web Access
Premium. If you enable or disable the feature in the Premium client, it will
affect behavior in the Basic client and vice versa.
Privacy Protection When Following a Link in E-Mail
This feature is the same in Outlook Web Access Basic as Outlook Web Access
Premium.
Attachment Blocking
This administrative setting affects Outlook Web Access Basic the same way it
affects Outlook Web Access Premium.
Sensitivity and Reply/Forward Infobar
This feature is the same in Outlook Web Access Basic as Outlook Web Access
Premium.
Reply Header and Body Not Indented
Because Outlook Web Access Basic uses a plain-text mail editor, Outlook Web
Access Basic has never indented old message content on reply or forward.
Item Window Size and Status Bar
Because items in Outlook Web Access Basic do not display in their own
windows, the window-size feature does not apply to Outlook Web Access
Basic. Furthermore, because Outlook Web Access Basic runs in the full
browser window and does not open individual item windows, the status bar
always has been available when items are open.

Improved E-mail Experience (2)

Mail in Public Folders
This feature is the same in Outlook Web Access Basic as Outlook Web Access
Premium.
Signed and Encrypted Mail
There is no S/MIME mail in Outlook Web Access Basic. However, Outlook
Web Access Basic now lets you open attached e-mail within a clear-signed
message. Furthermore, Outlook Web Access Basic preserves the message body
contents (but not attachments) when you reply to or forward a clear-signed
message.
Rules
There is no rules interface in Outlook Web Access Basic. However, your e-mail
still is processed according to the server-side rules you set from Outlook or
Outlook Web Access Premium.
Personal Tasks
All of the task-related features available in Outlook Web Access Premium also
are available in Outlook Web Access Basic except for reminders. (You can set a
reminder date and time, but no reminder will ever appear in Outlook Web
Access Basic.) Of course, because of UI differences, the way to complete
certain actions may be different.
For example, in the task view, to mark an item as complete, you cannot just
click a “Mark Complete” checkbox as in Outlook Web Access Premium.
Instead, you must select the task to mark complete and then choose the “Mark
Complete” button on the toolbar.
Or when composing a task, the user interface for choosing a task start date, due
date, or reminder date is very different in the Basic client from the Premium
client.
Meeting Request Enhancements
Several popular Outlook Meeting Request features now have been added to
Outlook Web Access Basic Meeting Requests.
1. You now can forward Meeting Requests to people not originally on the
organizer’s invite list (even if you’re the organizer). You also can create an
e-mail reply to a meeting organizer (and optionally all the attendees)
directly from a Meeting Request.
2. When canceling meetings, you now can edit the meeting cancellation notice
before it is sent to explain the reason for the cancellation.
3. Invitees can open the Calendar from a Meeting Request so that they can
view their schedules while evaluating the Meeting Request.
However, attendees cannot set reminders on accepted Meeting Requests in
Outlook Web Access Basic.

Lesson 3: Outlook Web Access Premium

Performance
The Outlook Web Access team has made great efforts to improve the product’s
speed by reducing the bytes of code that must travel from the server to the
browser in response to common user actions. By sending fewer bytes, you have
to wait less time to see the results of your actions. Plus, if your Exchange
administrator enables Outlook Web Access compression and you are using
Internet Explorer 6 SP1 for Windows with patch Q328970 or higher, the byte
reduction — and resulting speed gains — are even greater.
Outlook Web Access also downloads necessary client-side files to your browser
while you are entering your credentials on the logon page. By the time you are
logged in, essential scripts and controls already should be on your computer and
ready for Outlook Web Access to use, thus making your Inbox appear more
quickly.
Overall, even with the enhanced interface and multitude of new features about
which you will read in the following pages, Outlook Web Access should seem
faster — especially over slow connections — and respond more quickly to your
commands.
Logon Page
Outlook Web Access now offers a new-look logon page. This page requires
SSL and is called Forms Based Authentication.

You are still required to type your DOMAIN\username and network password
to enter your account.
This logon page is more than a cosmetic change — it offers several elements of
new functionality.
Choose Your Outlook Web Access Version
You can choose which version of the Outlook Web Access client to load — the
Premium client, which is designed specifically for Internet Explorer 5.01 –
Internet Explorer 6.0 or greater for Windows, or the Basic client, which runs in
most browsers.
You might wonder why you would ever want to load up the Basic client if you
are running Internet Explorer 5.01 or higher. There are two reasons: speed and
accessibility.
Because Outlook Web Access Basic must work in any browser (or at least those
browsers that support HTML3.2 and ECMA Script), it is designed to be a
simple user experience that loads quickly. On a slow link, the Basic client may
be the best option if you just need to quickly check your Inbox or look up the
time of an appointment on your Calendar.
But Outlook Web Access Basic lacks some useful features available in the
Premium client, and it also has a less familiar user interface (UI) that bears little
in common with Microsoft Outlook. (Improvements in the Basic client are
covered later in this document.) For longer Outlook Web Access sessions, the
workflow enhancements in the Premium client may prove more beneficial than
the raw download speed of Outlook Web Access Basic.
If you are a user with accessibility needs, however, you are likely to prefer the
Basic client. The simple HTML 3.2 in which the Basic client is written interacts
well with common screen readers and other accessibility aids.
Choose Your Security Level
Besides choosing which version of Outlook Web Access to use, you also must
choose a security level that’s appropriate for the computer from which you are
logging in. The security level determines how long your Outlook Web Access
session will remain open if you leave the computer unattended.
Public or Shared Computer
If you are connecting from a public Internet kiosk, you should choose the
“Public or Shared Computer” option. You will remain logged in to Outlook
Web Access as long as your session is not inactive for more than 15 minutes.
Private
If you are logging in from your computer at home or work, you should choose
the “Private” option. You will remain logged in to Outlook Web Access as
long as your session is not inactive for more than 24 hours. (The period of
inactivity required before automatic logoff on public and private computers can
be shortened or lengthened for all users by an Outlook Web Access
administrator.) Each security level has its own registry setting that controls the timeout
value.
This new feature is designed to safeguard access to your account. Outlook Web
Access’ power resides in the fact that you can use it to view your corporate
mail, appointments, contacts, and tasks from any computer that is connected to
the Internet. But this convenience opens up a security risk.
In the past, it has been possible for you to open an Outlook Web Access session
on a public Internet terminal and then leave the terminal with your Outlook
Web Access session available to future terminal users. That was because
Outlook Web Access relied on the browser to store your Outlook Web Access
username and password. To clear the browser’s credentials cache, you had to
close the browser.
If you were using Outlook Web Access at an Internet terminal where it was
impossible to close the browser when you were done with the terminal, your
Outlook Web Access credentials would remain stored in the terminal’s browser.
Thus the next terminal user may have been able to go through the browser’s
history log to gain unfettered access to your Outlook Web Access account.
Now when you log on to Outlook Web Access using the new logon page, your
credentials are stored in a session cookie. Instead of needing to close the
browser to log off, you merely need to click the “Log Off” button in Outlook
Web Access (closing the browser will also still log you off). The session cookie
is expired, and access to your account is closed. Thus at a public Internet
terminal, now you can log off from Outlook Web Access with confidence that
your account will not be open to future users.
And if you accidentally leave the terminal without logging off from Outlook
Web Access, automatic logoff reduces the risk of unauthorized access to your
account by causing the session cookie to expire after a period of inactivity. By
choosing the “Public” option when you log on to Outlook Web Access from an
Internet terminal or shared computer, you do your part in keeping your data
secure by shortening the period of inactivity that is required for automatic
logoff to occur.
Activity versus Inactivity
Because you are going to be logged off from Outlook Web Access after a
certain amount of inactivity, it is important to understand what constitutes
activity.
In general, any interaction between the client and the server is considered
activity: opening, sending, or saving an item; switching folders or modules;
refreshing the view or the browser. Outlook Web Access Premium also has
special code so that typing in a message body is counted as activity. However,
typing in any other type of item (appointment, meeting request, post, contact,
task, etc.) is not considered activity.
There is no warning before automatic logoff occurs. If you have any concern
that you are going to be logged off automatically, the best thing to do is every
so often perform one of the actions that causes interaction with the server.
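The inactivity rules described above, modelled as an added example (not code from the course material or from Outlook Web Access itself): a constructed event timeline is checked against the 15-minute and 24-hour defaults, applying the Premium-client rule that typing counts as activity only in a message body. The event names, the `Event` type and the functions are hypothetical, and only the first expiry of a session is modelled.

```python
from dataclasses import dataclass

# Default inactivity limits from the text, in minutes (an administrator can change them).
TIMEOUT_MINUTES = {"public": 15, "private": 24 * 60}

# Client/server interactions the text lists as activity (names are hypothetical labels).
SERVER_ACTIONS = {
    "open_item", "send_item", "save_item",
    "switch_folder", "switch_module", "refresh",
}


@dataclass(frozen=True)
class Event:
    minute: int          # minutes since logon
    action: str          # one of SERVER_ACTIONS, or "typing"
    item_type: str = ""  # for "typing": "message", "appointment", "task", ...


def counts_as_activity(event):
    """Premium client rule: server round trips count; typing counts only in a message body."""
    if event.action in SERVER_ACTIONS:
        return True
    return event.action == "typing" and event.item_type == "message"


def first_logoff(events, level, end_minute):
    """Return the minute the session expires, or None if it survives until end_minute.

    Logon (minute 0) is treated as the first activity. The session expires once
    it has been inactive for more than the limit of the chosen security level.
    """
    limit = TIMEOUT_MINUTES[level]
    last_activity = 0
    for event in sorted(events, key=lambda e: e.minute):
        if event.minute - last_activity > limit:
            return last_activity + limit
        if counts_as_activity(event):
            last_activity = event.minute
    if end_minute - last_activity > limit:
        return last_activity + limit
    return None


def actions_after_logoff(events, level, end_minute):
    """Server actions attempted after expiry; per the text these lead to a new logon prompt."""
    expired_at = first_logoff(events, level, end_minute)
    if expired_at is None:
        return []
    return [e for e in events if e.action in SERVER_ACTIONS and e.minute > expired_at]


def typing_session(item_type):
    """Constructed timeline: open an item at minute 2, type every 2 minutes, save at minute 26."""
    events = [Event(2, "open_item")]
    events += [Event(m, "typing", item_type) for m in range(3, 26, 2)]
    events.append(Event(26, "save_item"))
    return events


if __name__ == "__main__":
    for item_type in ("message", "appointment"):
        for level in ("public", "private"):
            timeline = typing_session(item_type)
            expired = first_logoff(timeline, level, end_minute=30)
            blocked = [e.action for e in actions_after_logoff(timeline, level, 30)]
            print(f"{item_type:12} {level:8} expired_at={expired} needs_relogon={blocked}")
```

On the constructed timeline, the user who spends 24 minutes composing an appointment on a "public" session is logged off without warning and only finds out when the save is attempted, while the same work in a message body keeps the session alive.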
If you do get automatically logged off while working in Outlook Web Access
Premium, the effects are not catastrophic. When you try to perform some action
— for example, sending a meeting request after logoff has occurred — you will
be prompted to log in again. Once you are reconnected, you can perform the
action that previously resulted in the prompt to log in.
If your mailbox is on a Microsoft® Exchange 2000 Service Pack 3 (SP3) server
instead of an Exchange 2003 server, you may find the experience of
reconnecting after automatic logoff a bit more cumbersome. That is because
you may not be prompted to log in again in some circumstances. You will
perform an action, and Outlook Web Access will appear unresponsive.
Do not fret! Leave your item windows open. All you need to do in this
circumstance is go to the browser window that contains the main Outlook Web
Access view (such as your inbox or calendar), refresh the browser, and you will
see the log on screen again. Once you are reconnected, you can perform the
action that previously was unresponsive.
Later this document will cover how the automatic logoff experience applies to
Outlook Web Access Basic.
Clearing the Credentials Cache
If you do not access Outlook Web Access through the new logon page, Outlook
Web Access logoff is still more secure for users of Internet Explorer 6 SP1 for
Windows. With Internet Explorer 6 SP1, the browser’s credentials cache is
cleared upon logoff from Outlook Web Access. Closing the browser window is
no longer necessary to clear the credentials cache.

UI Revamp (1)

Once you log in to Outlook Web Access, you always start in your Inbox, so that
is the next stop on this tour.
New Mail View and Reading Pane
Besides the new blue color scheme and cleaned-up toolbar, you will
immediately notice the new “Two-Line View” of messages in your inbox with
the Reading Pane (previously known as the Preview Pane) to the right.
The new layout provides more content in the Reading Pane without diminishing
the number of visible items in the message list.
One size does not fit all when it comes to the amount of screen space to allocate
between the message list and the Reading Pane. So now you can divide up the
space as you prefer for every mail folder in your mailbox. And Outlook Web
Access will remember your preferences even after you log off.
Just put your mouse pointer in the boundary between the list and the preview
pane. When you see the pointer change, hold the primary mouse button
and drag to resize.
If you prefer the classic layout with the Reading Pane at the bottom, you can
move it back there — or turn it off altogether with the Reading Pane toggle on
the toolbar.
You also can return to the traditional layout of your message list or switch into
any of the other Outlook Web Access views you have come to rely on. The
view menu now is located just above the message list.
There also are new options for determining whether to automatically mark a
message as read when you view it in the Reading Pane. These options are
available in the “Reading Pane Options” section of the Outlook Web Access
Options Page.

Mark as Read/Unread
The mail view has not just been reoriented — it has new commands, too.
The features “Mark as Read” for unread messages and “Mark as Unread” for
previously read messages are available in two ways:
• As keyboard shortcuts.
• As part of a new context menu in the mail view.

The keyboard shortcuts for the feature are as follows:


1. Mark selected message as read - Ctrl+Q.
2. Mark selected message as unread - Ctrl+U.
Context Menu
The context menu, available by right-clicking on items in the message list,
contains mark as read/unread, as well as several other common commands.

Quick Flagging
You will notice there are flagging commands on the context menu. With them,
you can quickly flag a message for follow-up or mark complete an item that
was previously flagged for follow-up. You also can completely clear the flag
status.
These follow-up flags are different from the flags you could set in past versions
of Outlook, because they do not have an associated reminder that you can set to
pop up at a desired time. And you cannot use them as a means to flag items you
send to other users. Quick Flags simply provide a visual indicator for letting
you see which items in your mail you marked as needing further action.
It is not necessary to use the context menu to flag an item; you can click the
blank flag icon next to the message that you want to flag. If the flag already has
been turned on, you can mark the flag as complete by clicking it again. To clear
the flag completely, though, you must use the context menu.
And, finally, if you get tired of farmhouse red for your flag color, you can
right-click the flag icon to bring up a context menu of six choices ranging from
harvest yellow to aquamarine blue.

Junk Mail Filtering
Outlook Web Access now has tools to help you keep unwanted junk mail out of
your inbox.
Once you enable the option to filter junk e-mail under the “Privacy and Junk
E-mail Prevention” section of the Outlook Web Access options page, you will be
able to quickly add specific senders to your block list.
When you get mail that is from a junk-mail sender, right-click on the message
in the message list and choose “Add Sender to Blocked Senders List.” All
future mail from that sender will go straight to your Junk Mail folder. Note:
You will still have to delete the original message to get it out of your inbox.
If your Exchange administrator has enabled the server-side junk-mail filter (not
shipping on the Exchange 2003 CD), then all incoming messages will be
scanned, and those that are judged as likely to be spam will be moved
automatically to the Junk Mail folder. If mail from some senders is falsely
judged as spam, you will have the ability to ensure that nothing else from that
sender gets moved automatically to the junk mail folder. Just right-click the
message and choose “Add Sender to Safe Senders List.”
If you receive mail from distribution lists, you also can add these distribution
lists to the “Safe Recipients” list so that these messages will not be filtered to
your junk mail. To manage your safe recipients, you need to open the e-mail,
right-click on the name of the distribution list, and then choose the “Add to Safe
Recipients” option.
If you want to see who is in your safe or block lists or make changes to those
lists, you can do so by choosing the “Manage Junk E-mail Lists” button on the
Outlook Web Access options page. From this dialog, you can see the contents
of your safe and block lists. You also can add, delete, or modify members of the
lists from here.

Outlook 2003 also will have its own junk-mail filter. Any additions or changes
you make to your block or safe lists in Outlook Web Access will be made in
Outlook 2003. The reverse also is true: Outlook Web Access will pick up any
additions or changes you make to your block or safe lists in Outlook.
Other New View Features
There are several other new features in the mail view:
• You can set the number of items that display per page in the message list —
now you are not stuck at 25 (see the “Messaging Options” section of
Outlook Web Access’ options page). This option also will affect the number
of contacts and tasks that display per page in those modules.

Note: It can be great to view 100 items per page on a LAN or broadband
connection but painfully slow on a dial-up connection. The scenario in
which you most commonly will use Outlook Web Access should determine
how you set this option.

• You can open or save attachments directly from the Reading Pane.
• You can view sender or recipient properties directly from the Reading Pane.
• When your focus is in the mail view, you have several new keyboard
shortcuts for common commands:
  - Refresh view - F9 (also works for refreshing items in other views).
  - New message - Ctrl+N (also works for creating new items in other
    views).
  - Reply to selected message - Ctrl+R
  - Reply all to selected message - Ctrl+Shift+R
  - Forward selected message - Ctrl+Shift+F
  - The reply and forward shortcuts also work in the item window for a
    received mail message.
• Icons in your mail folders show the types of messages you have received, if
they are read or unread, and whether you have replied to or forwarded them.
These icons can make scanning your mail folders a much quicker task.
• The “By Conversation Topic” view has been improved so that the
conversation topic containing the most recent e-mail is at the top of the
view.
Deferred Refresh after Delete
In past versions of Outlook Web Access, after you deleted an item in a message
list, Outlook Web Access would re-retrieve the entire contents of the list, thus
showing you any new messages that had been delivered to the folder. This
made deleting messages a slow process, because you had to wait for the entire
list to refresh after every delete.
Now Outlook Web Access will not refresh the message list after a delete until
more than 20 percent of the messages on a page in the list have been deleted.
The percentage is based on the total number of items set to display per page (as
set by the user in the Outlook Web Access options page) — not the actual count
of messages on a page.
For example, if you request 100 messages to display per page, your message list
will not automatically refresh until you have deleted 21 messages from a page.
Do not be alarmed if you are worried that now you will never automatically see
your new mail. You still can set an option to be notified when new mail has
arrived.
Color Schemes
The Outlook Web Access UI has been changed from gray to a bright blue to
match the appearance of Microsoft® Office 2003 applications. You also can set
the client's hue to one that better suits your mood.
Just go to the “Appearance” section of the Outlook Web Access options page
and pick a different color scheme from the dropdown. The current options are
blue, dark blue, burgundy, olive and silver.

Standard Fonts
Along with the new color schemes, the Outlook Web Access user interface
looks more stylish because the font used on all the UI text is the same one that
is found in most Microsoft applications. Say goodbye to seeing the Outlook
Web Access interface in Times New Roman just because that is the browser’s
default font.
And when you read e-mail messages, if the sender was using a “plain text” mail
editor that did not set a font preference on the message body, Outlook Web
Access selects a proper font in which to display the message content instead of
relying on the browser’s default font.
UI Revamp (2)


New Navigation
One of the biggest changes in Outlook Web Access is the merger of the
shortcuts bar and folder bar into one unit — no more switching between folders
and shortcuts. They are all in one place now on the new Navigation Pane. You
can make the shortcuts large or small, as shown in the following pictures.
You also can set the width of the Navigation Pane by dragging its border to the
left or the right, and Outlook Web Access will remember the custom size from
session to session.

Easier Moving or Copying to Folders
If you drag and drop an e-mail message from the message list into a folder in
the Navigation Pane, the destination folder where you position your mouse
pointer is highlighted — no more guessing which folder is the target of your
move or copy.
Even better, if you want to move an e-mail message into a subfolder that is not
visible, just drag the message to the parent folder but do not release the mouse
button. Keep your mouse pointer positioned over the parent folder until the
subfolders automatically expand. Then continue your drag to the now-visible
subfolders and release the mouse button when the desired folder is highlighted.

Update Folders
One of the most common complaints from Outlook Web Access users is that
the number of unread messages in their folders does not stay updated in real
time. The problem with providing such functionality is that it would use
significant server and network resources to continually poll your Exchange
server to keep the folder information accurate. But now you have an easier
option than refreshing the entire browser to get updated counts of unread
messages in your folders.

Search Folders
Along with a couple of new navigation options such as Tasks and Rules, there
may be a new section in your folder tree called Search Folders.
Tasks and Rules will be covered later in this document. Search Folders are a
new addition to Outlook 2003.

Note: They will only show up in Outlook Web Access if you have created or
activated them while running Outlook in “online mode,” where Outlook has a
constant connection to the Exchange server.

Search Folders cannot be created or modified in Outlook Web Access. And if
you only use Outlook in “cached Exchange” mode, you will never see any
Search Folders in Outlook Web Access.
Search Folders are very powerful because they let you find all the mail in your
account that has been sent from a particular person or that has been flagged for
follow-up or that meets some other set of criteria important to you. If you use
Search Folders in Outlook 2003, now you can use them in Outlook Web
Access, too!

Notifications
If you have enabled the setting to be notified of new mail and/or reminders, the
Navigation Pane now tells you when you have new items in your inbox and/or
active reminders that you have neither dismissed nor snoozed.

Public Folders
Public Folders now display in their own window. If you click the Public Folders
button on the Navigation Pane, it launches a new browser window containing
only Public Folders.

Log Off
This feature has been moved from the Navigation Pane to the far end of the
toolbar.
Improved E-mail Experience (1)

E-mail is the heart of Outlook Web Access, and new features have been added
to make it easier than ever to compose messages or get the information you
need from received messages.

Spell Check
It is time to find a better excuse for typos in your messages other than “Outlook
Web Access doesn’t have a spelling checker.” In Outlook Web Access for
Exchange 2003, you can check your spelling in English, French, German,
Italian, Korean, or Spanish. Just click the familiar spelling check icon in a draft
e-mail message’s toolbar.
If you have ever sent a message and then immediately wished you had checked
your spelling first, Outlook Web Access also lets you set an option to always
check your spelling on Send.
One warning: Remember that checking your spelling in Outlook Web Access is
a server-side process, which means the contents of your message must be sent
back to the server for examination. On a slower link, you may find the process
of automatically checking every outgoing message to be time-consuming. Keep
this in mind when deciding whether to enable the feature to always check your
spelling on Send.
The “Spelling Options” section in the Outlook Web Access options page is the
place to configure your spelling checker settings. But there is nothing to
download to enable it.

New Addressing Wells
Here is a familiar scenario: You type an alias in an Outlook Web Access e-mail
message and then learn when you try to send the message that the address was
unrecognized. When this happens, how easy is it to get rid of that bad e-mail
address from your message?
If you were smart enough to realize from the beginning that you had to click the
unrecognized name to bring up its properties and then delete the address from
that properties dialog — good for you! But for anyone who found the process
tedious at best and confusing at worst, help is here.
Outlook Web Access for Exchange 2003 makes it easy to delete ambiguous or
recognized addresses from an e-mail message you are composing. All you have
to do is click the address to highlight it, and press the delete key to remove it.
You also can right-click the address and choose “Remove” from the context
menu.


GAL Properties Sheets
When you right-click a recognized or ambiguous address, you will also notice
“Properties” as a menu choice. But the properties dialog in Outlook Web
Access now shows a lot more useful information.
If a name in an e-mail message has been resolved against the global address list
(GAL), in the properties dialog you now will see some of the key GAL
properties for that address — not just the display name and SMTP address of
the recipient.
Outlook Web Access does not show the full range of GAL properties that
Outlook shows, just the main address and phone information that is listed in the
GAL for the address.
Simple SMTP addresses or addresses that come from your Contacts folder still
show the same information as was available in old versions of Outlook Web
Access: display name and SMTP address.
Properties sheets are now available from more locations than e-mail messages
or meeting requests. They also can be invoked by double-clicking (or
right-clicking and choosing “Properties”) on the sender or recipients in received
e-mail messages. Or as noted earlier, in the Reading Pane you can double-click
senders or recipients to see their properties.
There also are buttons for invoking properties from Find Names and from
Check Names.

Add to Contacts
The “Add to Contacts” command makes it easy to quickly add any address —
whether it is on a message you are composing or on a message you have
received — into your main Contacts folder.
You will find the command conveniently located on the context menu that
appears when you right-click a resolved name in an e-mail message or meeting
request. (This context menu is not available in the Reading Pane.) There is also
an “Add to Contacts” button in the properties dialog for resolved e-mail
addresses.

Find Names Enhancements
Adding the ability to invoke properties sheets from Find Names is just one of
several enhancements that have been made there.
Now you can choose whether to search the GAL or your Contacts folder when
you are looking up an address.
And if you call up Find Names from a view instead of an e-mail message, there
is a new feature for creating a message to any one of the addresses in your
search results.
You will also notice that the search results in Find Names or Check Names now
are sorted alphabetically.

Auto Signature
How many times have you typed your name, title, extension, and other bits of
info at the end of every message you send in Outlook Web Access? If your
answer is, "Too many," your days of needless typing are over.
Create an Outlook Web Access signature by clicking the "Edit Signature"
button under “Messaging Options” on the options page, and then give your
fingers a rest.
You can set the signature to be automatically included in every message you
create. Or you can just create the signature and insert it on demand via the
"Insert Signature" toolbar button in the message compose form.

Default Mail Font
Another new setting under “Messaging Options” is the default font for the
e-mail editor. Now your Outlook Web Access e-mail editor font no longer has to
be the same as the browser’s default font. Choose any font face, size, and color
available on your computer or stick with the choice that Outlook Web Access
makes for you.

Navigate After Delete
Outlook Web Access now has a long-requested feature to allow you to choose
where you navigate after deleting an open message. You can choose to
automatically open the next message in the folder, open the previous message,
or go back to the message list in the view.
The default behavior is to automatically open the next message. You can
change your preference in the “Messaging Options” on the Outlook Web
Access options page.
It is important to note that regardless of your setting, if you open a message
from Folder A, switch to Folder B, and then delete the open message, you will
navigate to the message list for Folder B. Outlook Web Access will not open a
new message from Folder A.
Finally, if you delete a message directly from the message list — not one that
you had opened into its own window — the highlight will move down in the
message list after the delete if you have chosen either the “open the next
message” setting or the “return to the view” setting. The highlight will move up
if you’ve chosen “open the previous message.”

Read Receipt Settings
In previous versions of Outlook Web Access, if you read a message where the
sender had requested a read receipt, Outlook Web Access sent the receipt
automatically. You did not have a choice to block the sending of read receipts.
Now you do with Outlook Web Access for Exchange 2003.
In the “Privacy and Junk E-mail Prevention” section of the Outlook Web
Access options page, there is a setting to determine whether Outlook Web
Access sends read receipts.
By default, Outlook Web Access will no longer send read receipts
automatically. In the Premium client, you will see an infobar in a received
e-mail message any time a user requests a read receipt. There will be a link in the
infobar that you can activate if you wish to honor the request for a receipt.
If you change the setting to always send read receipts, then Outlook Web
Access will fall back to the old behavior of automatically filling all read-receipt
requests without notifying you of those requests.

“Web Beacon” Blocking
When a junk-mail sender distributes junk e-mail, he often does not know
whether he is sending messages to valid e-mail recipients. But with old versions
of Outlook Web Access, if you were to open a junk e-mail — or even just read
it in the preview pane — the sender had the potential to know your address was
real and active because of something called a “Web beacon.” Now Outlook
Web Access blocks potential “Web beacons” by default.
Here’s how a “Web beacon” works. When you receive an HTML-based e-mail
message, it can contain pictures, video, or other types of content other than just
text. Sometimes those pictures, videos, etc. come as attachments, which
actually reside in the message body. But other times this content is located on
an external Web server on the Internet rather than actually being part of the e-
mail message. And it is in messages that contain references to external content
where trouble with “Web beacons” can begin.
Say that instead of referencing a picture or video, the sender references a
program on his Web server that is designed to catalog your e-mail address as
valid once you open the message. That is a “Web beacon.” And if the sender
was a junk e-mailer, once he knows your address is legit, it is open season on
your account.
But Outlook Web Access for Exchange 2003 has made it tougher for junk
senders to use “Web beacons” to retrieve your e-mail address. Now if you
receive a message with references to external content
Outlook Web Access cannot tell you whether the message actually contains
“Web beacons.” The references to external content may be harmless. If you
believe the message is legitimate, you can just choose to see the message with
all its pictures and other external content. But if you suspect the message
contains beacons for nefarious purposes, you now can just delete the message
without triggering anything that tells the sender, “Hey, I’m here. Send me more
junk mail.”
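The blocking behaviour described above can be sketched as follows. This is an added example, not code from Outlook Web Access or from the original course material; the function names, the list of auto-fetched attributes and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs fetched automatically when the message is displayed.
AUTO_FETCH = {
    ("img", "src"), ("input", "src"), ("body", "background"),
    ("table", "background"), ("td", "background"), ("iframe", "src"),
    ("embed", "src"), ("object", "data"), ("link", "href"), ("script", "src"),
}
INTERNAL_SCHEMES = {"cid", "mid", "data"}   # content carried in the message
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)


def is_external(url):
    """True unless `url` provably points at content inside the message."""
    url = url.strip()
    if not url or url.startswith("#"):
        return False
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:                      # malformed URL: fail closed
        return True
    return scheme not in INTERNAL_SCHEMES   # http(s), //host/x, relative paths


class ExternalContentBlocker(HTMLParser):
    """Re-emits HTML without attributes that would fetch external content."""
    # Comments and declarations are dropped: the base-class handlers ignore them.

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _fetches_external(self, tag, name, value):
        if not value:
            return False
        if name == "style":                 # inline CSS: background:url(...)
            return any(is_external(u) for u in CSS_URL.findall(value))
        return (tag, name) in AUTO_FETCH and is_external(value)

    def _emit(self, tag, attrs, closing=""):
        parts = [tag]
        for name, value in attrs:
            if self._fetches_external(tag, name, value):
                self.blocked.append((tag, name, value))   # dropped from output
            elif value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + closing + ">")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def render_safely(raw_message):
    """Return (safe_html, blocked) for the HTML body of an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return "", []
    blocker = ExternalContentBlocker()
    blocker.feed(body.get_content())
    blocker.close()
    return "".join(blocker.out), blocker.blocked


# Constructed sample message; all hosts and addresses are made up.
SAMPLE = """\
From: offers@bulk.example.test
Subject: Special offer
Content-Type: text/html; charset="us-ascii"

<html><body background="http://bulk.example.test/bg.gif">
<img src="cid:logo@bulk.example.test" alt="logo">
<p style="background:url('http://bulk.example.test/t.gif?u=kim')">Hi &amp; bye</p>
<img src="http://bulk.example.test/open.gif?rcpt=kim%40example.test" width="1">
<a href="http://bulk.example.test/shop">Shop</a></body></html>
"""
```

Calling `render_safely(SAMPLE)` keeps the `cid:` image and the clickable link but drops the three references a browser would fetch on display. `<style>` blocks and `@import` rules are not inspected by this sketch.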

Privacy Protection When Following a Link in E-Mail
When a user clicks a hyperlink in the body of an e-mail message, Outlook Web
Access helps protect private information from being revealed to the visited Web
site. Past versions of Outlook Web Access revealed the user’s account name,
server name, and the subject of the message that contained the link. Now only
the user’s server name is revealed to the visited site.

Attachment Blocking
There are a host of new attachment-blocking features in Outlook Web Access.
By default, attachments with the following extensions are blocked in Outlook
Web Access for Exchange 2003: ade, adp, app, asx, bas, bat, chm, cmd, com,
cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, js, jse, ksh, lnk, mda, mdb, mde,
mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, reg, scf, scr, sct,
shb, shs, url, vb, vbe, vbs, wsc, wsf, and wsh.
Administrators also can block access to attachments in specific scenarios. At
the most restrictive, an administrator can block access to all attachments. Or it
is possible for an administrator to block access to attachments when users
connect to Outlook Web Access through the Internet but to allow access when
users connect through the corporate intranet. This is particularly useful for
keeping users from potentially compromising corporate security by opening
attachments when using Outlook Web Access at public Internet terminals while
still providing full access to employees in the office.
Similar to attached files are documents and other types of files stored in Public
Folders. By default, Outlook Web Access now blocks users from opening these
documents. But an administrator has the same flexibility to permit or deny
access to these files as to attachments.
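The attachment rules above, combined into one decision function. This is an added example and not how Outlook Web Access implements the feature; the setting names, the "intranet"/"internet" origin values and the file-name normalization are assumptions, and the normalization goes beyond what the text describes.

```python
# Default blocked extensions as listed in this section.
BLOCKED_EXTENSIONS = frozenset("""
    ade adp app asx bas bat chm cmd com cpl crt csh exe fxp hlp hta inf ins isp
    js jse ksh lnk mda mdb mde mdt mdw mdz msc msi msp mst ops pcd pif prf prg
    reg scf scr sct shb shs url vb vbe vbs wsc wsf wsh
""".split())

# Hypothetical names for the three administrator settings described above.
ALLOW = "allow"                    # attachments available from any location
INTRANET_ONLY = "intranet-only"    # blocked when connecting through the Internet
BLOCK_ALL = "block-all"            # most restrictive: no attachments at all


def effective_extension(filename):
    """Extension Windows would act on, lower-cased, or "" if there is none."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path
    name = name.rstrip(". ")       # Windows ignores trailing dots and spaces
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def attachment_decision(filename, origin, setting=ALLOW):
    """Return (allowed, reason) for one attachment.

    origin is "intranet" or "internet"; any other value is treated like
    "internet" so that an unknown network location fails closed.
    """
    if setting not in (ALLOW, INTRANET_ONLY, BLOCK_ALL):
        raise ValueError(f"unknown setting: {setting!r}")
    if setting == BLOCK_ALL:
        return False, "all attachments blocked by administrator"
    if setting == INTRANET_ONLY and origin != "intranet":
        return False, "attachments blocked for Internet connections"
    ext = effective_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return False, f".{ext} is a blocked file type"
    return True, "allowed"


def review(filenames, origin, setting):
    """Map each file name to its (allowed, reason) decision."""
    return {name: attachment_decision(name, origin, setting) for name in filenames}


# Constructed attachment names: mixed case, double extension, trailing dot/space.
SAMPLE_NAMES = ["Q3-report.doc", "Invoice.pdf.EXE", "update.vbs. ", "README", "photo.jpg"]

if __name__ == "__main__":
    for origin in ("intranet", "internet"):
        print(f"-- origin={origin}, setting={INTRANET_ONLY}")
        for name, (ok, why) in review(SAMPLE_NAMES, origin, INTRANET_ONLY).items():
            print(f"{'ALLOW' if ok else 'BLOCK':5}  {name!r}: {why}")
```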

Infobar Improvements
The infobar now will indicate the date and time you replied to or forwarded a
received message.
The infobar in a received e-mail now shows the message’s sensitivity setting, if
one was set, such as Confidential.

Improved E-mail Experience (2)

Reply Header and Body Not Indented
Here is a common scenario: You get added to a message that other people
already have sent back and forth many times over. You want to understand the
history of the issue being discussed, so you scroll through the old contents of
the message, working your way through all the replies back to the original
message. But before you reach the beginning, you get to a point where it is
impossible to read any more. The old contents have been indented into
illegibility because of the Outlook Web Access feature of indenting the old
message body on reply.
Well, Outlook Web Access is not going to indent the message on reply any
more. It cannot be guaranteed what other e-mail clients will do. But from now
on, with Outlook Web Access for Exchange 2003 (or Outlook 2003), the reply
header and body will stay at the same alignment as the original content. Instead
of an indent, a horizontal rule offsets the reply header and body from the new
content.

Item Window Size
Outlook Web Access used to always launch any window, either to read an item
or create an item, at the set size of 500 pixels wide by 700 pixels high. If you
resized an item window, it did not matter. The next time you opened an item, it
still would be 500x700.
Now, during an Outlook Web Access session, Outlook Web Access will
remember if you resize the item window and will open all future item windows
at that size. The new window size is not persisted to future Outlook Web
Access sessions.
This works for all item windows — mail, calendar, contacts, and tasks. It is one
size for all item windows, not one size for messages and another for tasks.

Window Status Bar
All Outlook Web Access item windows now show a status bar at the bottom. If
you receive a message that contains a hyperlink, you can position your mouse
pointer over the link and look in the status bar to see the target Web address
(a/k/a the URL) for the link.

Mail in Public Folders
You have always been able to post to Public Folders from Outlook Web
Access, but in Outlook Web Access for Exchange 2000 you could not send
e-mail from Public Folders.
For example, if you wanted either to reply privately by e-mail to a post or
e-mail in a public folder or to forward that post or e-mail to another person, you
could not do it. Now you can so long as you connect to your Outlook Web
Access account through a front-end server. (If you are reaching your account
through an address like https://mail.northwindtraders.com/exchange, you are
going through a front-end server.)

Meeting Request Enhancements
Several popular Outlook Meeting Request features now have been added to
Outlook Web Access Meeting Requests.
• You now can forward Meeting Requests to people not originally on the
organizer’s invite list (even if you are the organizer). You also can create an
e-mail reply to a meeting organizer (and optionally all the attendees)
directly from a Meeting Request.
• When canceling meetings, you now can edit the meeting cancellation notice
before it is sent to explain the reason for the cancellation.
• Attendees now can set reminders on the Meeting Requests they accept in
Outlook Web Access.
• Invitees can open the Calendar from a Meeting Request so that they can
view their schedules while evaluating the Meeting Request.

Right to Left Language Support
Outlook Web Access now supports right-to-left layouts in the Arabic and
Hebrew versions of the client.
You will also notice two new buttons on the formatting toolbar in the e-mail
editor:
These buttons are for setting the individual direction of each paragraph in your
e-mail message. If you are composing a message in a left-to-right language like
English but need to add a paragraph containing right-to-left content — say
some Arabic or Hebrew — you can start a new paragraph and switch into right-
to-left mode.
The reverse is true, too: If you are composing in a right-to-left language like
Arabic or Hebrew but need to add a left-to-right paragraph in English, for
example, you can switch into left-to-right mode.

Note: Internet Explorer 6.0 and greater for Windows is required for
bidirectional support.

Options Page Toolbar
The toolbar now stays put when you scroll through the Outlook Web Access
options page, which means as soon as you have made your changes in Options,
you can save them without having to scroll back to the toolbar.

SMIME
A major addition to the Outlook Web Access e-mail experience is the ability to
send and receive signed and/or encrypted mail, also known as S/MIME mail.
Signed mail is verified to be sent by the possessor of a specific digital ID. When
you receive an e-mail with a valid digital signature, you can have more
assurance that the message came from the listed sender than you would with
either an unsigned e-mail or an e-mail with an invalid digital signature.
Encrypted mail is mail that can be opened only by a user with a specific digital
ID. The holder of that digital ID has a special key for decrypting the message
you sent.
Improved E-mail Experience: Rules

You now can create server-based mail-handling rules in Outlook Web Access
or use it to manage the server-based rules you created in Outlook. The link for
entering the rules interface is near the bottom of the Navigation Pane.

Actions and Criteria
Any rule created in Outlook that cannot be modified in Outlook Web Access is
unavailable in the Outlook Web Access rules interface. Outlook Web Access
has a simple rule editor that is not designed to handle the full gamut of
conditions and criteria available in creating rules in Outlook. Rather, as shown
below, Outlook Web Access focuses on using rules for the most common mail-
management scenarios like moving mail from a particular sender or with a
particular subject to a specific folder.
The most common mail-handling actions are supported:
1. Automatically move/copy message to a folder.
2. Automatically delete message.
3. Automatically forward a message (with the option to keep a copy).
There are several criteria that Outlook Web Access rules can evaluate before
acting on messages:
1. From field contains ______.
2. Subject contains ______.
3. Sent to (user names and/or distribution list).
4. Sent only to me.
5. Level of importance.
The rule editor also can be invoked directly via a toolbar button in a received
message or from the context menu in the mail view.

Handling Disabled Rules
Because of interoperability limitations with Outlook, Outlook Web Access will
need to delete all rules disabled from Outlook before letting you modify any
active rules.
Some people create many rules in Outlook that they enable and disable based
on their schedules. For example, a traveling salesperson may enable a rule
while they are out of the office to forward all mail with a particular subject to a
specific coworker. When the salesperson returns to the office, they disable the
rule.
But if this salesperson were to go to Outlook Web Access to create or modify
another rule while this forwarding rule was disabled, Outlook Web Access
would need to delete the disabled rule before saving the Outlook Web Access-
created/modified rule.
This deletion of disabled rules will not happen automatically. When you go to
modify a rule, you will receive a warning indicating that your disabled rules
will be deleted if you proceed.
If you do modify rules from Outlook Web Access, the next time you launch
Outlook or attempt to modify rules there, you may be asked via a dialog
whether you want to keep client or server-side rules. If you want to retain the
rules you created in Outlook Web Access, you will need to choose server-side
rules.
Improved E-mail Experience: Personal Tasks

You might be asking yourself, “Haven’t I always been able to see Tasks in
Outlook Web Access?” The old version of Outlook Web Access let you see the
tasks you created in Outlook, but you could not edit these tasks or create new
ones.
Outlook Web Access for Exchange 2003 lets you create and manage personal
tasks or manage those personal tasks you already created in Outlook.

No Task Requests
Outlook has a feature for delegating tasks to other users via Task Requests.
Outlook Web Access does not have this functionality. Furthermore, in Outlook
Web Access you cannot process Task Requests sent from Outlook or update
any delegated tasks you have already accepted in Outlook.
Outlook Web Access does allow users to delete Task Requests or previously
accepted delegated tasks, but the assignor will receive no feedback that the
delete took place.

Delete versus Skip Occurrence
In Outlook, when a user attempts to delete a recurring task, the user receives a
choice: delete a single occurrence or the entire recurring series.
In Outlook Web Access, the delete command ALWAYS deletes the entire task
series. If a user wants to skip an individual occurrence, there is a command on
the task edit form for skipping a single occurrence:

Setting Completion Percentage
Outlook allows users to input decimal values in the “% Complete” field, but
Outlook Web Access always will round this value to the nearest whole
number. If an Outlook user inputs a decimal value in this field and then later
looks at the task in Outlook Web Access, the value will appear to have changed
to the nearest whole number. However, the change will not be permanent unless
the user actively saves the task in Outlook Web Access.

Task Reminder Differences
In Outlook, when a task reminder appears, it is listed as being due at that
moment. But this is not necessarily accurate. For example, if the task’s due date
was set to be a day later than the reminder date, the task is not due when the
reminder appears.
In Outlook Web Access, when a task reminder appears, Outlook Web Access
calculates how much time remains between the reminder date/time and the task
due date. Because tasks have no due time, the “Day start time” as set in
“Calendar Options” on the Outlook Web Access options page is used as the
task due time.
For example, say a task reminder was set to appear on January 1, 2004 at 12:00
P.M. for a task that is due on January 2, 2004. And the “Day start time” is set
for 8:00 A.M. When the reminder for the task appears, it would be listed as
being due in 20 hours.
If a task has no due date, Outlook Web Access will display a due-in value of
“None” in a reminder for that task.
Lesson 4: Outlook Web Access and the Browser

Outlook Web Access and Internet Explorer
The Internet Explorer 5.01 browser presents the rich experience, with the
exception of the ability to resize the message list/message pane; Internet
Explorer 5.5 is the first browser to support the full rich experience.
Paste the following script into the browser address field and press enter to see
what version the browser is passing to the server.
javascript:alert(window.navigator.userAgent);

The user experience is based on this value. If the value is 5.00 or less, the user
receives a basic experience. If it is 5.01 or above, the user receives the rich
experience, with two exceptions: the one noted above, and Internet Explorer
5.01 for UNIX, which receives the basic experience.

Internet Explorer 6.x
Internet Explorer 6.0 is required for this additional functionality as well.

Function                          Requirement
Outlook Web Access S/MIME         Internet Explorer 6.0 (or later)
Outlook Web Access Compression    Internet Explorer 6.0 + Q328970 (or later)
Outlook Web Access logout         Internet Explorer 6.0 SP1* (or later)
*Forms-based authentication not required

Exchange Server 2003 Outlook Web Access Supported Browser/Operating Systems

Browsers (table columns):
• Internet Explorer 5.01 [15]; Mac Internet Explorer 5+
• Internet Explorer 5.5 SP2
• Internet Explorer 6
• Internet Explorer 6 SP1
• Mars v8 [11, 13] ** (MS Only)
• Netscape Navigator 4.8
• Netscape Navigator 7

Operating systems (table rows):
• Windows 98 SE [*, 2, 14]
• Windows 2000 [*, 3]
• Windows Me [*, 3, 14]
• Windows XP [*, 4]
• Windows Server 2003 [12]
• Mac OS9 [*]
• Mac OS X 1.0 [*]
• Sun Solaris [*, 9]
• HP/UX [*, 10]


Supported means that the Outlook Web Access team has tested the majority of
user scenarios with these browsers, on these operating systems, and are
reasonably sure that things will work as expected. In some cases, Microsoft will
try to code around browser defects. If a customer reports a problem encountered
with a browser not on the list, the first question support will ask is if the
problem is reproducible with a browser on the "supported" browser list. If it
does not reproduce, then Microsoft would turn the support question over to the
browser vendor.
* Supported platforms include all supported localized versions of the operating
system.
** Microsoft Confidential

Legend: Both basic and premium versions; Basic version only; Not supported


Browsers or Operating Systems supported by Exchange 2000, but Cut for Exchange 2003 [1]:
1. Microsoft® Internet Explorer 4 [5]
2. Microsoft® Internet Explorer 5 on Windows platforms (was improved by
Internet Explorer 5.01)
3. Microsoft® Internet Explorer 5 for UNIX [6]
4. Microsoft® Internet Explorer 4.5 for the Macintosh [7]
5. Microsoft® Windows® 95 [8]
6. Microsoft® Windows® 98 [8]
7. Microsoft® Windows NT® 4 [8]
8. Mac OS 8.1 [7]


Reasons for cuts, or support issues
1. There should not be any major problems running Outlook Web Access
Exchange 2003 on these platforms. However there may still be browser
bugs that cannot be addressed. These platforms will not be actively tested.
2. Internet Explorer 5.0b shipped with Microsoft® Windows® 98 Second
Edition and was updated to Internet Explorer 5.01 by service packs and
updates.
3. Internet Explorer 5.01 shipped with Microsoft® Windows® 2000 and
Internet Explorer 5.5 with Microsoft® Windows® Millennium Edition.
4. Internet Explorer 6 shipped with Microsoft® Windows® XP.
5. Internet Explorer 4 install base is less than 5%.
6. Internet Explorer 5.0 for UNIX has been dropped due to the large adoption
of Internet Explorer 5.0 SP1 which fixed several problems.
7. Install base is small due to rapid adoption of Internet Explorer 5 on MacOS
9 and greater.
8. Support for these operating systems is discontinued by Microsoft Windows.
9. Netscape 6.2 and greater is only available from the HP and Sun Web sites at
the time of this printing.
10. Netscape 6.2 is only available for HP/UX 11.0 and is expected to function
properly, however, Microsoft has not yet upgraded to HP/UX 11.0 for
complete testing.
11. MSN® Internet Access (MSN) versions older than v8 do not support
MSXML3, which is required for Outlook Web Access Exchange 2003.
12. With Microsoft® Windows Server™ 2003, Internet Explorer is locked down
(Internet Explorer high security settings are enabled). The Internet Explorer
Hardening Pack is installed. The first time Internet Explorer is launched, a
page loads to educate the user about the Internet Explorer Hardening Pack.
13. Several hotkeys do not work in MSN Internet Access 8; check the
Microsoft Knowledge Base for further information.
14. Japanese on Windows 98 SE and Windows Me requires Internet Explorer 6
SP1.
15. Internet Explorer 5.01SP2 (and older Internet Explorer 5.01) support is
dropped on June 30, 2003 by Microsoft, however the Outlook Web Access
team has tested this browser and to the best of this team’s knowledge, all
features of the Premium and Basic client work as expected.

Default Browser Behavior
With no additional configuration changes to the browser:
• Accessing Outlook Web Access through a cookie enabled server will keep
the user at the logon.asp.
• Accessing Outlook Web Access through http will throw a privacy dialog
informing the user that a cookie is restricted and a script error will occur in
“ctrl view.htc”. Outlook Web Access does load Navigation Bar and Viewer
frames, but no messages load in the viewer pane.
The browser must be set to trust the Outlook Web Access front-end URL in
order to use Outlook Web Access on Windows Server 2003. Even with front-
end trust, until the warning of the presence of the hardening pack is approved,
there will still be issues in Outlook Web Access, such as hotkeys not working
and cursor focus problems.

Outlook Web Access and Exchange Version Combinations

It is not sufficient to simply upgrade front-end servers to Exchange 2003 for
users to get the new interface. You must upgrade back-end servers to Exchange
2003 as well.
The Outlook Web Access experience depends on the combination of front-end
and back-end servers and is as follows.
• Exchange 2000 Front-end + Exchange 2000 Back-end = Exchange 2000
Outlook Web Access
• Exchange 2003 Front-end + Exchange 2000 Back-end = Exchange 2000
Outlook Web Access
• Exchange 2003 Front-end + Exchange 2003 Back-end = Exchange 2003
Outlook Web Access
• Exchange 2000 Front-end + Exchange 2003 Back-end = Not supported
(administrative group protected)

Forms-Based Authentication is functional for deployments where the front-end
is Exchange 2003 and the back-end is Exchange 2000. However, session
timeouts are handled much better when the back-end is Exchange 2003.

Lesson 5: Outlook Web Access and Forms Based Authentication


Overview

The requirement to have Forms Based Authentication before you can enable
compression is due to a couple of issues.
• First, there were several bugs in the behavior of GZip, the Microsoft®
Internet Information Services (IIS) compression that Outlook Web Access
enables, with different browsers. Some of these bugs were corruption of
data, others were security related; Internet Explorer had been leaving user
data in the server cache that it should not have. The Internet Explorer issues
were fixed in a QFE (Q328970) that is now rolled into all of the critical
security patches for Internet Explorer on Windows XP Pro and Windows
2000 since last November.
• Unfortunately IIS is unaware of these fixes and only looks for an
Accept-Encoding header = “GZip” from the client; if present, GZip content is
sent to the client. Exchange 2003 server implements logic in logon.asp to
determine whether or not a client is “GZip” friendly and based on that, the
Forms-based-auth filter is used to re-write the accept-encoding header such
that clients that are not secure do not get GZip data from the server.

When you enable forms based authentication, you may receive the following
message about Secure Sockets Layer (SSL) connection requirements:
Forms based authentication requires clients to use a SSL connection. If SSL
encryption is not offloaded to another source, complete the following steps:
1. Configure SSL.
2. Restart the IIS service.

To enable forms based authentication, follow these steps:


1. Start Exchange System Manager, and then expand the Servers container.
2. Expand Protocols under the Exchange 2003 computer where you want to
enable forms based authentication.
3. Expand HTTP, right-click Exchange Virtual Server, and then click
Properties.
4. On the Exchange Virtual Server properties page, click the Settings tab,
and then click to select the Enable Forms Based Authentication for
Outlook Web Access check box.
5. Click Apply, and then click OK.

ISA and Outlook Web Access with and without Forms Based Authentication

Outlook Web Access generates absolute URLs based on the Host: header that
reaches the back-end or standalone server. If you are terminating SSL on the
ISA box, you will need to ensure that the AddFrontEndHttpsHeader registry
key is set on the ISA box. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;307347.
In addition, if you are using Exchange 2003 Outlook Web Access Forms Based
Authentication with offloaded SSL, SSL is terminated at the Microsoft Internet
Security and Acceleration Server (ISA) port. You must make the following
registry change on the front-end to support the configuration.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\MSExchangeWeb\OWA]
"SSLOffloaded"=dword:00000001

Outlook Web Access with Forms Based Authentication needs this key so that it
can determine that it should listen to HTTP traffic versus HTTPS, and to ensure
that it adds the HTTP header “Front-End-HTTPS: On” to all inbound traffic.
This header ensures that the returned URLs are in the correct HTTPS:// form.
This applies to Exchange configurations using front-end or stand-alone servers
with forms based authentication where SSL is terminated at the firewall or
proxy server.

How to Change Forms Based Logon to require only user alias and password

Configuring Forms Based Authentication to require users to enter only their
alias and password is a simple task. Replace this line in the logon page:

<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST"
name="logonForm" autocomplete="off"
onsubmit="logonForm_onsubmit()">

Which can be found here:

…\exchsrvr\exchweb\bin\auth\<country>logon.asp

with the following code.

<script Language=javascript>
// Runs when the logon form is submitted.
function logonForm_onsubmit()
{
    // A user principal name (user@domain) is passed through unchanged.
    if (logonForm.username.value.indexOf("@") != -1)
    {
        return true;
    }
    // Anything else is treated as a bare alias: prepend the NetBIOS domain.
    logonForm.username.value = "<netbiosDomainName>\\" +
        logonForm.username.value;
    // The onsubmit attribute below does not return this value,
    // so the form is still submitted.
    return false;
}
</script>
<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST"
name="logonForm" autocomplete="off"
onsubmit="logonForm_onsubmit()">

This method supports logging on with either the domain alias or the user
principal name (UPN). Users that continue to use domain\alias will not be able
to log in. The <netbiosDomainName> placeholder in the script above must be
replaced with the NetBIOS name of the domain to which users authenticate.

Configuring Forms Based Authentication to accept HTTP connection

Adding the following registry key to a front-end of a front-end/back-end
configuration or to a standalone server will configure Forms Based
Authentication to accept an HTTP connection. HTTP, port 80, is not
encrypted by SSL and a network trace will provide data that can be analyzed
using Network Monitor or another compatible network analyzer.
HKLM\system\CurrentControlSet\Services\MSExchangeWeb\OWA
"AllowRetailHTTPAuth"=dword:00000001

This key is intended for use by Microsoft support and the development team to
help customers troubleshoot problems with Forms Based Authentication.
This key should not be distributed without careful consideration.

Note You must restart IIS for the change to take effect.

For more information on Forms Based Authentication Metabase Parameters and
Values see Module 9 Appendix B.

Lesson 6: Outlook Web Access S/MIME Control

Outlook Web Access S/MIME Downloadable Control

In Exchange 2003, Outlook Web Access includes a downloadable control for
S/MIME functionality. However, even if you have no intention of digitally
signing/encrypting messages, it can be beneficial to download the control
anyway. For example, the control provides a much better message handling
experience:
• While composing a message, click on the Attachment (paperclip) icon in the
toolbar and attach files directly (no need to go through the separate attach
and post dialog window).
• Drag and drop messages from one folder (such as the Inbox) to another
folder (this includes the Move and Copy accelerator keys).
• Drag and drop existing messages into new messages under composition.
• Drag and drop files from Explorer directly into a message under
composition.
• With the message under composition, right-click on attachment names to
Open/Remove/Save As.
• All installed fonts are available for use instead of the built-in five.
• Image files, when dropped from Explorer into a message body, will show up
as inline images.
• Image files pasted, dragged to or shown in the body are automatically
included as attachments to the message (as MHTML).
• When you launch attachments from a signed and encrypted message with the
S/MIME control installed, the control will do a best-effort clean up of any
temp files left behind for that message, unless the user actually saved the
file to another directory or the 'helper app' keeps a handle on the temp
attachment data that prevents the S/MIME control from deleting the file.

Requirements

There are four requirements that you must meet to use S/MIME mail in Outlook
Web Access:
1. You must be using Internet Explorer 6.0 or greater for Windows. This
feature will not work on any other browser, including other versions of
Internet Explorer.
2. You must be working on a computer where you can download the S/MIME
control.
3. You must have a valid digital ID for sending signed mail and/or receiving
encrypted mail.
4. You must be using Windows 2000 or above.
5. Power User or Administrator is necessary to install any ActiveX® control –
there is a bug, in that the user should be getting an alert warning about
insufficient permissions, but the requirement is enforced by Windows.

Limitations

Although it is possible to drag and drop a message from the Inbox to the
Calendar folder, this will not invoke a new appointment. The object will be
created in the calendar as a message object and will not be visible in the normal
calendar view.

Locked Down Environment

1. In a “very locked down environment”, customers will need to do the same
thing as with any application rollout:
a. Extract the files in
<drive:>\program files\exchsrvr\exchweb\6.5.6944.0\cabs\MIMECLNT.CAB
to a location accessible by the client.
b. Ensure the client is Windows 2000 or later, running Internet Explorer
6.0 or later.
c. From the machine where the control is to be installed, run “RunDll32
advpack.dll,LaunchINFSection <path to extracted files>MimeClnt.inf”
2. In Exchange Server 2003 SP1, the OWA S/MIME installer has been moved
to be a simple .EXE that uses Windows Installer. The same requirements exist
to install from the browser, but rolling out through script will be easier.

Why You Should Download the S/MIME Control

Even if you do not intend to send signed or encrypted mail, there are several
reasons to download the control.
First, with the S/MIME control, you can just drag and drop files and even other
e-mails into the body of a message you’re composing. If the files you drag and
drop are graphics, they will show up inline in the message body. All other types
of attachments, including other e-mail messages, will show up in the attachment
well.
Second, if you do not find it easy to drag and drop items into a message, the
S/MIME control’s Add Attachment dialog is far easier to use than it is in the
normal e-mail editor. You do not need to use one dialog to find the items and
another to attach them. And you can attach multiple files at one time so long as
the files all are stored in the same location.
Third, no matter how files or items are added to the attachment well, if you
realize you want to remove them from your message, all you need to do is
right-click the items and choose “Remove” from the context menu.
Fourth, even if you do not intend to send signed or encrypted mail, the S/MIME
control will better handle the signed mail you receive. If you do not have the
S/MIME control, at best, you will be able to read the signed messages, but any
attachments will get stripped out if you try to forward the messages. At worst,
you may not be able to read the signed messages at all. Past Outlook Web
Access users may view this as an improvement. Previously, the attachments and
the entire body of a signed message were dropped on reply or forward, and you
also could not open e-mail attachments in signed messages you received.
But if you download the S/MIME control, you will be able to read all these
signed messages and forward them in their full fidelity!

How to Download the S/MIME Control

The button for downloading the S/MIME control is available in the “E-mail
Security” section of the Outlook Web Access options page.
After you click download, you will see the following file download dialog:
Once the control is installed on your computer, you will notice that there are
two new buttons on the toolbar of the e-mail message editor:

These are the buttons that you will use to encrypt and/or sign messages on
demand. The first button is for encrypting messages. The second is for digitally
signing messages.
The “E-mail Security” section of your options page also will have new features
for setting all your messages to be encrypted and/or signed by default.
Finally, every e-mail you receive that is signed now will display additional
information about the signature of the sender.
It is important to note that this control needs to be installed on any computer
where you want to use S/MIME mail in Outlook Web Access. There may be
some computers, such as Internet kiosks, where you are unable to download the
control. In these locations, you will not be able to send signed mail or read
encrypted mail from Outlook Web Access. And remember, it only works in
Internet Explorer 6.0 or later on Windows 2000 or higher.
Even after you have downloaded the control, you are still only halfway toward
using S/MIME mail. You still need a digital ID for signing your mail and
receiving encrypted mail.

How does it work?
When an S/MIME message is handled by Microsoft Outlook Web Access, any
number of public certificates must be retrieved from Microsoft Active Directory
or from the Personal Contacts on the Exchange server.
After they are retrieved from Active Directory, they are parsed and verified
against the certificate revocation list (CRL) and the trust chain.
This involves a lot of back-and-forth traffic between the Outlook Web
Access client and the Public Key Infrastructure (PKI).
To reduce the traffic overhead between the PKI and Outlook Web Access, the
public key parsing, CRL look up, and trust chain verification are all done from
the Exchange server.
Processing certificate validity on the server makes Internet-based access faster
and more reliable, and can greatly reduce bandwidth requirements.
Before rolling out S/MIME support with Exchange Server 2003 Outlook Web
Access, you should have a good understanding of cryptography and PKI, for
example Windows 2000 or Windows Server 2003 PKI.
For a good overview of cryptography and Windows PKI, as well as links to
some other resources, see the following white paper:
http://www.microsoft.com/windows2000/docs/cryptPKI.doc.

When you create a Digitally Signed (S/MIME) message and send it to another
person on a Microsoft Exchange Server, if you have not checked the box, on the
message store the recipient has will have no Digital ID when the message is
opened.

Getting Your Digital ID

Every organization has a different process for assigning digital IDs to users.
You should check with your Exchange administrator about how to obtain a
digital ID.
If you want to send encrypted mail to another user, that recipient also will need
to have a digital ID that Outlook Web Access understands. If you try to send an
encrypted message to a user who is not enabled to receive encrypted mail, the
send will not proceed.
If you are sending an encrypted message to multiple recipients and some of
these recipients are not enabled to receive encrypted mail, you will be told
which recipients do not have the necessary digital IDs to receive encrypted
mail.
If you continue with the send, any recipients without digital IDs will not be able
to read the message.
It is easy to preemptively check whether a user can receive encrypted mail. Just
look up their e-mail properties (by any of the methods described earlier in this
primer).
If the user has the following icon on their properties sheet, they can receive
encrypted mail.
But if they have the plain envelope icon, shown below, they are not enabled to
receive encrypted mail.
Of course, this information is only displayed in e-mail properties sheets if you
have first installed the S/MIME control.

Removing the S/MIME Control

If you decide not to use the S/MIME control, you can remove it from the Add
or Remove Programs feature in the Windows Control Panel. Just choose to
remove the program called “Microsoft Outlook Web Access S/MIME.” Please
make sure to close any open messages in Outlook Web Access before removing
the S/MIME control.

Lesson 7: Outlook Web Access Attachment Blocking

Outlook Web Access blocks a superset of both attachments and MIME types.
Some are totally blocked (Level 1) while others must be saved locally (Level
2). If an entry is in both lists, the Level 1 behavior takes precedence. As the
Outlook list gets updated, the list is updated. The default parameters and their
values are found in
HKLM\system\currentcontrolset\services\msexchangeweb\owa.

Level1FileTypes (REG_SZ)

Description: Allows an administrator to specify which file types are off limits
to view, download, or attach. This is a comma delimited list of file extensions.
Example: "exe,com,bat"

The current default set of Level1FileTypes is:

"ade,adp,app,asx,bas,bat,chm,cmd,com,cpl,crt,csh,exe,fxp,hlp,hta,inf,ins,isp,js,jse,ksh,lnk,mda,mdb,mde,mdt,mdw,mdz,msc,msi,msp,mst,ops,pcd,pif,prf,prg,reg,scf,scr,sct,shb,shs,url,vb,vbe,vbs,wsc,wsf,wsh"

Also see the related RAID bug (applies to: Back-end servers, and stand-alone
servers): http://bugcheck/bugs/exchange/220853.asp

Level1MIMETypes (REG_SZ)

Description: Allows an administrator to specify which MIME types are
off limits to view, download, or attach. This is a comma-delimited list of
MIME types.
Example: "text/xml,text/html"

The current default set of Level1MIMETypes (applies to: Back-end servers, and
stand-alone servers) is:

"application/hta,x-internet-signup,application/javascript,application/x-javascript,text/javascript,application/msaccess,application/prg,text/scriptlet"

Level2FileTypes (REG_SZ)

Description: Specifies a set of file extensions that are potentially dangerous as
attachments. Attachments matching this type will not be opened automatically,
but rather a dialog will be presented to the user asking them to save the
attachment locally on their server.
Example: "exe,com,bat"

The set of Level2FileTypes (applies to: Back-end servers, and stand-alone
servers) are:

"ade,adp,asx,bas,bat,chm,cmd,com,cpl,crt,dcr,dir,exe,hlp,hta,htm,html,htc,inf,ins,isp,js,jse,lnk,mda,mdb,mde,mdz,mht,mhtml,msc,msi,msp,mst,pcd,pif,plg,prf,reg,scf,scr,sct,shb,shs,shtm,shtml,spl,stm,swf,url,vb,vbe,vbs,wsc,wsf,wsh,xml"

Level2MIMETypes (REG_SZ)

Description: Specifies a set of MIME types that are potentially dangerous as
attachments. Attachments matching this type will not be opened automatically,
but rather a dialog will be presented to the user asking them to save the
attachment locally on their server.
Example: "text/xml,text/html"

The current default set of Level2MIMETypes (applies to: Back-end servers, and
stand-alone servers) is:

"text/xml,application/xml,application/hta,text/html,application/octet-stream,application/x-shockwave-flash,application/futuresplash,application/x-director"
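
The Level 1 / Level 2 precedence rule described in this lesson, worked through
against the default lists above. This is an added example, not part of the
courseware or of Exchange itself: the class and function names are hypothetical,
and matching on the final extension, case-insensitively, is an assumption,
since the lesson does not say how Outlook Web Access extracts the extension.

```python
import os

# Default values copied from the lesson text (REG_SZ, comma-delimited).
LEVEL1_FILE_TYPES = (
    "ade,adp,app,asx,bas,bat,chm,cmd,com,cpl,crt,csh,exe,fxp,hlp,hta,inf,ins,"
    "isp,js,jse,ksh,lnk,mda,mdb,mde,mdt,mdw,mdz,msc,msi,msp,mst,ops,pcd,pif,"
    "prf,prg,reg,scf,scr,sct,shb,shs,url,vb,vbe,vbs,wsc,wsf,wsh"
)
LEVEL1_MIME_TYPES = (
    "application/hta,x-internet-signup,application/javascript,"
    "application/x-javascript,text/javascript,application/msaccess,"
    "application/prg,text/scriptlet"
)
LEVEL2_FILE_TYPES = (
    "ade,adp,asx,bas,bat,chm,cmd,com,cpl,crt,dcr,dir,exe,hlp,hta,htm,html,htc,"
    "inf,ins,isp,js,jse,lnk,mda,mdb,mde,mdz,mht,mhtml,msc,msi,msp,mst,pcd,pif,"
    "plg,prf,reg,scf,scr,sct,shb,shs,shtm,shtml,spl,stm,swf,url,vb,vbe,vbs,"
    "wsc,wsf,wsh,xml"
)
LEVEL2_MIME_TYPES = (
    "text/xml,application/xml,application/hta,text/html,"
    "application/octet-stream,application/x-shockwave-flash,"
    "application/futuresplash,application/x-director"
)


def parse_list(value):
    """Split a comma-delimited registry string into a set of lowercase entries."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def extension_of(filename):
    """Return the final extension without the dot ('' if there is none).

    Assumption: only the last extension counts, compared case-insensitively,
    after dropping trailing dots and spaces (Windows ignores them on open).
    """
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    return os.path.splitext(name)[1][1:].lower()


class AttachmentPolicy:
    """Hypothetical model of the four Level1/Level2 registry values."""

    def __init__(self, level1_file_types=LEVEL1_FILE_TYPES,
                 level1_mime_types=LEVEL1_MIME_TYPES,
                 level2_file_types=LEVEL2_FILE_TYPES,
                 level2_mime_types=LEVEL2_MIME_TYPES):
        self.l1_ext = parse_list(level1_file_types)
        self.l1_mime = parse_list(level1_mime_types)
        self.l2_ext = parse_list(level2_file_types)
        self.l2_mime = parse_list(level2_mime_types)

    def classify(self, filename, mime_type=""):
        """Return 'level1-blocked', 'level2-save-only' or 'allowed'."""
        ext = extension_of(filename)
        # Ignore MIME parameters such as "; charset=..." when matching.
        mime = mime_type.split(";", 1)[0].strip().lower()
        # Level 1 is checked first: an entry in both lists gets Level 1 behavior.
        if ext in self.l1_ext or mime in self.l1_mime:
            return "level1-blocked"
        if ext in self.l2_ext or mime in self.l2_mime:
            return "level2-save-only"
        return "allowed"

    def overlap(self):
        """Extensions listed at both levels (Level 1 wins) or at one level only."""
        return {
            "both": self.l1_ext & self.l2_ext,
            "level2_only": self.l2_ext - self.l1_ext,
            "level1_only": self.l1_ext - self.l2_ext,
        }


if __name__ == "__main__":
    policy = AttachmentPolicy()
    # Constructed sample attachments (file name, declared MIME type).
    samples = [
        ("setup.exe", "application/octet-stream"),
        ("Invoice.PDF.VBS", "text/plain"),
        ("page.html", "text/html"),
        ("notes.txt", "application/hta"),
        ("notes.txt", "text/plain"),
    ]
    for name, mime in samples:
        print(f"{name:18} {mime:26} -> {policy.classify(name, mime)}")
    print("Level 2 only:", sorted(policy.overlap()["level2_only"]))
```

With the defaults, the extensions that get the save-locally prompt rather than a block are the ones listed only at Level 2; an administrator who wants one of them blocked outright adds it to Level1FileTypes.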

To enable attachment blocking, follow these steps:

1. Click Start, click Run, type "Regedit" (without the quotation marks) in the
Open box, and then click OK.
2. Locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\Owa

3. On the Edit menu, point to New, and then click DWORD Value.
4. Type "Disable Attachments" (without the quotation marks).
5. Right-click the "Disable Attachments" DWORD value, and then click
Modify.
6. In the Base window, click the button next to "Decimal".
7. In the Value Data field, type one of the following numbers:
a. To permit all attachments, type "0" (without the quotation marks).
b. To permit no attachments, type "1" (without the quotation marks).
c. To permit attachments from back-end servers only, type "2" (without the
quotation marks).
8. Click OK.
9. Open a command prompt, type "net stop w3svc" (without the quotation
marks), and then press ENTER.
10. After the services stop, type "net start w3svc" (without the quotation
marks), and then press ENTER.

Lesson 8: Other Features

Calendaring and Delegates

The behavior in Exchange 2003 is the same as that of Exchange 2000. Due to
the complex interoperability scenarios required to make Outlook Web Access
consistent with Outlook for delegate access to calendars, copying items from
one user's mailbox to another's, Exchange 2003 and Exchange 2000 Outlook
Web Access support read-only access to another's calendar, regardless of what
the manager granted to the delegate.
The only exception to this rule is if a "delegate" is given Owner rights to a
mailbox through Active Directory Users and Computers; they then have full
access to read and write all data in that mailbox through Outlook Web
Access.

Outlook Web Access and Changing User Passwords

Outlook Web Access Change Password is installed, but is disabled by default in
a new install by setting the value to 0x00000001. However, the value will not
be changed during an upgrade. This value may not exist on an Exchange 2000
server that was upgraded since it did not exist in a default installation of
Exchange 2000 server.
The feature is disabled because the feature does not work correctly unless you
add the iisadmpwd vdir and set the correct value for the PasswordChangeFlags
in the metabase.
Password configuration consists of two changes: adding the registry value to
the back-end and the iisadmpwd virtual directory to the front-end server of a
front-end/back-end configuration. Both changes are made to a standalone
server.
Changing the password requires SSL, the addition of the iisadmpwd virtual
directory, and setting the following key to 0 or deleting the key.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA]
"DisablePassword"=dword:00000000

iisadmpwd virtual directory

267596 XWEB: How to Change Outlook Web Access Passwords Through IIS
To enable users to change Outlook Web Access passwords through IIS, use the
following steps on each IIS server to which Exchange users are redirected:
1. Install and configure Secure Socket Layer (SSL) on the server.
2. Click Start, point to Programs, point to Administrative Tools, and then
click Internet Services Manager.
3. Right-click the default Web site, point to New, and then click Virtual
Directory.
4. In the Virtual Directory Creation Wizard, type "IISADMPWD" (without
the quotation marks) in the Alias box, and then click Next.
5. In the Directory box, type "<systemroot>\system32\inetsrv\iisadmpwd"
(without the quotation marks), and then click Next.
6. Verify that only the read and run script check boxes are selected (such as the
ASP check box), click Next, and then click Finish.
7. Verify that the Iisadmpwd folder has the Anonymous Access authentication
method enabled.

Note You can select other authentication types, but you must also select the
Anonymous Access authentication method.

Note If you do not enable the Anonymous Access option, the client and server
go into an endless loop when you attempt to authenticate users who are
prompted to change an expired password.
For example, if a user navigates to the site and is prompted for a password but
their password has expired, the first page that they tried to access redirects them
to the password expiry page. The password expiry page challenges the user, but
because the user is not authenticated on the first page, the second page refuses
the connection because the password has expired. When this occurs, the user is
redirected back to first page, the first page redirects the user to the second page,
and so on.
For additional information about a fix for this looping behavior, see article
275457, IIS 5.0 May Loop Infinitely When a User Is Forced to Change Their
Password.

1. Zero is the default value for the PasswordChangeFlags setting, but the
following steps can be used to change or confirm the setting. To change the
Metabase PasswordChangeFlags setting to zero (0), you must first change to
the \inetpub\adminscripts folder on your hard drive:
a. At a command prompt, type "cd <drive>:\inetpub\AdminScripts"
(without the quotation marks).
For example: "cd c:\inetpub\AdminScripts" (without the
quotation marks)
b. At the <drive>:\inetpub\adminscripts> prompt, type the following
command:
"adsutil.vbs set w3svc/passwordchangeflags <value>"
(without the quotation marks)

Note The following values are options for the PasswordChangeFlags setting:
0: Requires password change by SSL
1: Allows password change by non-secure ports
2: Disables password changes
4: Disables advance notification of expiration

After creating iisadmpwd and the reg key, you see the password change
button under options in Outlook Web Access:

In a front-end/back-end topology with Exchange 2000 and/or Exchange
2003 back-end servers running on both Windows 2000 servers, it is
necessary to add Windows 2000 compatible Web pages to the Windows
2003 front-end server.

1. Open a command prompt in the %windir%\system32\inetsrv\iisadmpwd
directory and execute “copy *.asp *.htr”. (Copy, DO NOT DELETE the
.ASP files as they are required for Windows 2003 backend servers.)
2. Add a script map for *.htr to the Configuration of the iisadmpwd virtual
directory to map these to ASP.DLL with GET,HEAD,POST,TRACE verbs
and select Script Engine.

OWA Client Timeout Settings

Apart from selecting between the Premium (uplevel) and Basic (downlevel)
clients, you can also choose your security setting:
1. Public or shared computer
2. Trusted computer
If you choose the "Public or shared computer" option, the expiration time-out
will be set at 15 minutes. If you choose "Trusted computer", the time-out will
be 1440 minutes (24 hours). Both of these can be overridden by server-side
registry parameters, set on the front-end server in a front-end/back-end
configuration or on the standalone server.

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWEB\OWA
Parameter: TrustedClientTimeout
Type: REG_DWORD
Value: Number of minutes for timeout. If this is not set, 1440 is assumed.
Minimum value is 1; maximum value is 43200 (30 days).

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWEB\OWA
Parameter: PublicClientTimeout
Type: REG_DWORD
Value: Number of minutes for timeout. If this is not set, 15 is assumed.
Minimum value is 1; maximum value is 43200 (30 days).

It is important to understand that the cookie does not time out at exactly the
time set. It actually expires somewhere between <setting> and <setting * 1.5>.
Additionally, if you attempt to set these keys the 'wrong way around', the
following will occur:
If the admin sets the TrustedClientTimeout value to one that is lower than
PublicClientTimeout, then the TrustedClientTimeout value will default to be
equal to the PublicClientTimeout.
If the admin sets the PublicClientTimeout to a value that is greater than the
TrustedClientTimeout, then the TrustedClientTimeout value will default to be
equal to the PublicClientTimeout.
IIS must be restarted for the changes to take effect.
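
The timeout rules above, applied to a set of registry values to get the real
session lifetime an auditor should plan for. This is an added example, not
code from the courseware or from Exchange: the function names and the
max_public_worst_case threshold are hypothetical, and reporting an
out-of-range value and evaluating with the default is an assumption, because
the lesson gives the range but not what the server does outside it.

```python
# Defaults and limits as stated in the lesson (minutes).
DEFAULTS = {"PublicClientTimeout": 15, "TrustedClientTimeout": 1440}
MIN_MINUTES, MAX_MINUTES = 1, 43200
EXPIRY_SLACK = 1.5  # cookie expires between <setting> and <setting * 1.5>


def read_minutes(values, name, findings):
    """Return the configured minutes for `name`, or the default if not set."""
    raw = values.get(name)
    if raw is None:
        return DEFAULTS[name]
    valid = isinstance(raw, int) and not isinstance(raw, bool)
    if not valid or not MIN_MINUTES <= raw <= MAX_MINUTES:
        # Assumption: server behavior is undocumented here, so flag the value
        # and continue the evaluation with the default.
        findings.append(
            f"{name}={raw!r} is outside {MIN_MINUTES}..{MAX_MINUTES}; "
            f"evaluated with default {DEFAULTS[name]}"
        )
        return DEFAULTS[name]
    return raw


def expiry_window(minutes):
    """(earliest, latest) cookie expiry in minutes for a configured timeout."""
    return (minutes, minutes * EXPIRY_SLACK)


def effective_timeouts(values, max_public_worst_case=None):
    """Resolve both timeouts the way the lesson describes.

    values: dict of value name -> int as read from the OWA registry key;
            a missing name means the value is not set.
    max_public_worst_case: optional auditor threshold (hypothetical) for the
            longest acceptable session on a public or shared computer.
    """
    findings = []
    public = read_minutes(values, "PublicClientTimeout", findings)
    trusted = read_minutes(values, "TrustedClientTimeout", findings)

    # 'Wrong way around': Trusted lower than Public becomes equal to Public.
    # An unset Trusted value counts as 1440, so a Public value above 1440
    # raises the trusted timeout as well.
    if trusted < public:
        findings.append(
            f"TrustedClientTimeout ({trusted}) is lower than "
            f"PublicClientTimeout ({public}); trusted timeout becomes {public}"
        )
        trusted = public

    result = {
        "public": expiry_window(public),
        "trusted": expiry_window(trusted),
        "findings": findings,
    }
    if (max_public_worst_case is not None
            and result["public"][1] > max_public_worst_case):
        findings.append(
            f"public sessions can last up to {result['public'][1]:g} minutes, "
            f"above the {max_public_worst_case} minute limit"
        )
    return result


if __name__ == "__main__":
    # Constructed sample: values an administrator might have set.
    sample = {"PublicClientTimeout": 60, "TrustedClientTimeout": 30}
    report = effective_timeouts(sample, max_public_worst_case=60)
    print("public window :", report["public"])
    print("trusted window:", report["trusted"])
    for finding in report["findings"]:
        print("finding:", finding)
```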

DS2MB

Outlook Web Access and DS2MB

The DS2MB update cycle has been changed in Exchange 2003 and affects all
Exchange web based applications: Outlook Web Access, Outlook Mobile
Access, and ActiveSync®.

IIS picks up its configuration from the local metabase. Because of the need to
manage Exchange servers remotely, IIS-related information is stored in the
Active Directory, and then replicated in one-direction from the Active Directory
into the metabase. The process responsible for the replication is called DS2MB
which runs as part of the System Attendant on each Exchange 200x server.
DS2MB receives notifications of changes in the Active Directory and replicates
them to the metabase.

In Exchange 2000, upon start-up of the System Attendant, DS2MB would
perform a full replication of Active Directory information into the metabase.
This had the side-effect of slowing down Exchange service start-up, especially
for hosters who had large numbers of virtual directories or SMTP domains.

In Exchange 2003, full replication is not performed on start-up of the System
Attendant, so Exchange service start-up will be faster. However, if you believe
that the local metabase has become out-of-sync with the Active Directory, such
as after a manual change to the virtual directories, and need to rectify the
problem, you will need to adjust the 'HighWaterMarks' node in the metabase:
LM\DS2MB\HighWaterMarks\{056BE186-E73F-4EBD-A92D-2D985BC97C63}\61472

The GUID after HighWaterMarks\ is going to be different for each machine.
Changing the data for this ID to 0 (zero) or deleting the key and then restarting
the Exchange System Attendant will cause DS2MB to perform a full replication
of the Active Directory information into the metabase. The key will be added to
the Metabase with the default value above when the System Attendant starts.
The metabase can be manipulated through a variety of tools. The best option is
to install the IIS 6 resource kit, and use Metabase Explorer.

Lesson 9: Outlook Web Access Spell Check

Overview

It is now possible to spell check emails through Outlook Web Access in
Exchange 2003. In order for users to take advantage of the new feature the
following has to occur:
• Successfully log in to Outlook Web Access selecting the Premium option.
• Click on the Options Button.
• Configure their personal preferences as illustrated in the graphic above.

If a client clicks the spell check icon and no preferences have been set, then the
following dialogue box is displayed, and it will continue to do so until
preferences have been set.

The following languages are currently available:
• English (Australia)
• English (Canada)
• English (United Kingdom)
• English (United States)
• French
• German
• Italian
• Korean
• Spanish

Dependencies for Outlook Web Access Spell check

Client
• The client must be running Outlook Web Access in the Premium mode.
Spell check is not available in Basic mode.

Server
• In a Front-end/Back-end scenario, the Exchange Front-end and Back-end
servers must be running Exchange 2003.

General Overview

This is what happens when the client spell check button is pressed:
1. Client sends body of item (or the currently highlighted text, if applicable)
that needs to be checked: See “Content” below for questions about
interspersing content.
a. Since the options are in the Exchange store and the ISAPI does not have
access to that, the client needs to send them up in the request URL, like
POST ?cmd=spellcheck with the options of
“lang=en,options=IgnoreCaps,IgnoreMixedNums” etc. in the request
headers.
2. While client waits for server to return data, client displays progress dialog
(see below).
3. Server returns data:
a. If no spelling errors were found:
i. Server will indicate in the XML body response that there were no
errors.
ii. The normal spell checking dialog will not show up.
iii. The client will display to the user a dialog with the following text:
No spelling errors were found.
b. If spelling errors were found, the server will return the marked words,
the offset into the body, the suggestions and the type of error that was
found (duplicate word versus spelling error).

Outlook Web Access Spell Check: Initial Troubleshooting

Checking the paths
Through Microsoft® Windows® Explorer, check the following:
%SystemDrive%\Program Files\Exchsrvr\exchweb\bin\Spell

This should correlate in IIS Admin: Exchweb/bin/spell

If Forms Based authentication is enabled, spell check has to run in the same
application pool as Exchange or you will have authentication problems.

Note owaspell.dll runs inside dllhost.exe on Windows 2000.

Possible Events in the System Log
It is possible the following events could be logged in the system event log:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 36
Date: 3/18/2003
Time: 9:18:01 AM
User: N/A
Computer: ComputerName
Description:
The description for Event ID ( 36 ) in Source ( W3SVC ) cannot
be found. The local
computer may not have the necessary registry information or
message DLL files to
display messages from a remote computer. The following
information is part of the
event: /LM/W3SVC/1/root/ExchWeb/bin, The server process could
not be started
because the configured identity is incorrect. Check the
username and password.
.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10004
Date: 3/18/2003
Time: 9:18:01 AM
User: N/A
Computer: ComputerName
Description:
DCOM got error "The referenced account is currently locked out
and may not be
logged on to. " and was unable to logon .\IWAM_ComputerName in
order to run the
server:{3D14228D-FBE1-11D0-995D-00C04FD919C1}

If these errors appear, follow Knowledge Base (KB) article 297989:
Configured Identity Is Incorrect for IWAM Account.

Outlook Web Access Spell Check: Tasklist/Permissions

Using tasklist
Run: tasklist -m owaspell.dll

If no process is listed as having owaspell.dll loaded, then IIS is having
problems loading the ISAPI. Check the file system permissions on:
%SystemDrive%\Program Files\exchsrvr\exchweb\bin\spell\owaspell.dll

• Authenticated Users need Read access to owaspell.dll.

Checking Permissions
In IIS admin, check the Authentication Methods under the Directory Security tab
on the virtual directory: Exchweb\bin\spell.
• The default settings are Integrated and Basic.
• Anonymous should absolutely NOT be on the spell directory.

Checking in different languages
It may be necessary to try to spell check in a different language. If the same
problem persists in German, French and other languages, then it is the ISAPI
filter. If the problem persists only for the English languages and does not
exist in German or French, then it is just the English DLL that is the problem.

Outlook Web Access Spell Check: Netmon

Netmon Trace from the client to Server
It may be necessary to capture a Netmon trace between the client and the server
in order to troubleshoot spell check issues.
In order to troubleshoot issues it is recommended that Netmon is installed on
the Front-End server and all traffic is captured. This way, the requests to and
from the client and also the Back-End Server (where the user’s mailbox resides)
can be caught.
Prior to capturing any network traffic it is necessary to add the following
registry key to the Exchange 2003 Front-End server. This key does not exist by
default.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA
Parameter: AllowRetailHTTPAuth
Type: DWORD
Value: 1

Note Remember to remove the registry key after the Netmon Capture has been
taken.

This registry entry allows Cookie-Auth to be configured so it can accept
incoming HTTP traffic.
In virtually all normal circumstances, clients will be accessing their Exchange
Server 2003 mailbox over port 443 (HTTPS). The registry key is to be used by
support and the development team to help customers troubleshoot problems
with Outlook Web Access and / or Cookie-Auth.
Once the key has been implemented you will then be able to log on to Outlook
Web Access through HTTP://ExchangeServer/Exchange rather than
HTTPS://ExchangeServer/Exchange and still be able to use Cookie-Auth.

Netmon tracing when there are errors in the spelling
When a mail does contain incorrect spelling it is possible to see the network
traffic being sent from the server to the client. This is a good test to see whether
the OWASpell.DLL is being called and the Exchange 2003 Server Front-end
server is working as it should.
The test mail that was sent in this example had the following text string in the
main body of the message:
“This ia a test message with incrorrect spelling”
For more detailed steps on using NETMON to trace spell check see
Module 9 Appendix C.

Outlook Web Access Spell Check: Registry Keys

Performance and scalability are very important with Outlook Web Access spell
check. The following registry keys can be used to help configure and
troubleshoot any issues occurring on an Exchange 2003 Front-End server.
All registry keys are configured under the following hive:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA

MaxSpellDocumentSize (DWORD)
Description: Number of kilobytes.
Default: This key will not exist by default.
Behavior: If the user requests spell check for a document larger than the
number of kilobytes specified by this key, the server will return
a unique error to the client indicating that the document is too
large.

MaxSpellErrors (DWORD)
Description: Number of errors per item, including duplicates.
Default: This key will not exist by default.
Behavior: The maximum number of errors to process on a single item. If
this is set to 5 and an item comes with 6 errors, when the ISAPI
receives notification of the sixth error, it will send the
corrections of the first 5 to the client, along with an error code.
The user will see a dialog indicating that only part of the
document could be checked. They can make corrections and
spell check again.

MaxUniqueSpellErrors (DWORD)
Description: Number of unique errors per item.
Default: This key will not exist by default.
Behavior: The maximum number of unique errors to process on a single
item (versus duplicates). If this is set to 5 and an item comes in
with 6 errors but they are all the same misspelling, the ISAPI
will process it as normal. If this is set to 5 and an item comes in
with 10 errors of different words, the ISAPI will send the
corrections of the first 5 to the client, along with an error code.
The user will see a dialog indicating that only part of the
document could be checked, and they can make corrections and
spell check again.

MaxSpellRequests (DWORD)
Description: Number of client requests to process at a time.
Default: This key will not exist by default.
Behavior: If a request comes in and the maximum number of requests is
already being processed, the client will receive an error and
the user will see a dialog telling them that the spell check server
is busy and they should try again later.

DisableSpellCheckOnSend (DWORD)
Description: Provides a way for administrators to disable the automatic spell
check on send feature.
Default: This key will not exist by default.
Behavior: If the value is non-existent or zero (0) the feature is not
disabled. If the value is 1 or any other value, the feature is
disabled.

ChangeSpellerList (DWORD)
Description: Provides a mechanism for administrators to add or remove spell
check languages between Exchange releases.
Default: This key will not exist by default.
Behavior: When this key is added or incremented, it triggers the server to
scan for new language files and update the list of choices
displayed in the spell check UI.
Whenever an administrator adds or removes a spell check DLL and its
corresponding LEX file in the Exchange 2003 server’s /exchweb/bin/spell
directory, they should increment this value after the file change. When creating
this value, it is suggested that the administrator initialize it with a value of zero
(0).

Outlook Web Access Spell Check: Other Information Required

1. Detailed repro steps of the problem.
2. Topology configuration (Front-ends, Back-Ends, ISA servers, firewalls,
perimeter networks, IPSec, URLScan, Virus Scanning?).
3. User load / server state (Event logs).
4. Operating System versions for each machine involved (WinMSD).
5. Exchange versions for each machine involved
   a. exprox.dll
   b. davex.dll
   c. exoledb.dll
6. Internet Explorer version - if Internet Explorer is involved.
7. Full user dump from debugger if this is a crash / hang / AV situation.
8. Does this reproduce with Outlook Web Access only?
9. Does this reproduce only with a specific message? (If so, get the message)
10. Does this reproduce only with a specific user? (If so, what is special about
this user)
11. IIS protocol log located at:
   a. Windows Server 2003: ..\Windows\System32\Logfiles\W3SVC1
   b. Windows 2000: ..\WINNT\system32\LogFiles\W3SVC1

Note <drive_letter>\Winnt\System32\Logfiles\W3svc(<x>) (where
<drive_letter> is the letter of the hard disk and <x> is the number of the Web
site (for example, 1 = default, 2 = administration Web site, 3 = first manually
created Web site, and so on)).

12. Metabase Dump of the following:
   a. w3svc/1/root/exchange
   b. w3svc/1/root/exchweb
   c. w3svc/1/root/exchweb/bin
   d. enum w3svc/1/root/exchweb/bin/spell
This can be run from the following path: \inetpub\adminscripts\adsutil.vbs.

Useful KB Articles:
321448 FP: Error Messages When You Try to Open Webs While IUSR Account or IWAM
297989 PRB: Configured Identity Is Incorrect for IWAM Account
326086 HOW TO: Isolate Web Applications into Their Own Process
309051 HOW TO: Troubleshoot ASP in IIS 5.0

Lesson 10: Outlook Web Access and Gzip Compression

Overview
GZip compression is a component of Windows Server 2003 that can be enabled
to give users a richer Outlook Web Access experience: data from an Exchange
2003 server is compressed before it is sent to the client, which subsequently
decompresses the stream.
The core value of GZip compression is that dial-up users will be able to use
Outlook Web Access much more effectively. It will boost performance on the
order of 50% for most common operations.
The primary reason for enabling GZip is for dial-up users or users on a slow
network link who access their mailbox through Outlook Web Access. This is
only valid with Secure Sockets Layer (SSL) enabled. Without SSL the
modem’s hardware compression typically offers a similar performance
improvement. With SSL, modems can’t compress the encrypted content, but the
GZip filter in IIS actually compresses prior to SSL encryption.
Enabling GZip compression will increase the load on the Exchange 2003
server(s). Thus, enabling GZip for users who are on a fast network link or on a
corporate network will not necessarily provide any improvement. There could
be instances where the user experience suffers because the server is heavily
utilized performing compression that is not really necessary, as all users
have a fast network link.
Only files over 1 K will get compressed while other files, such as GIFs, will not
get compressed at all.
The following statement was taken from OTG Deployment internal to
Microsoft:
“The result is that Exchange 2003 Outlook Web Access's dialup experience
starts 50% faster than what you're used to with Exchange 2000.
If you use Outlook Web Access's "Basic" client you will be able to load your
Inbox over 80% faster than Exchange 2000, and even more than 50% faster
than Hotmail (It takes almost 57 seconds to log on and get the Hotmail Inbox
view.)
Most Outlook Web Access users briefly log on, read and move a few messages.
This is what we've optimized for in Exchange 2003.”

GZip: Client Requirements

• In general, any HTTP 1.1 compatible client that sends the “Accept-Encoding”
header to the server.
• Operating System: Windows 2000 or later
• Internet Explorer 6.0 + Q328970
(http://support.microsoft.com/default.aspx?scid=kb;en-us;328970)
• Netscape Navigator V 6.0 or greater
Specifically, URLMON.DLL needs to be version 6.0.2800.1126 or higher –
This can be located in %\Windows\System32

Note Compression is disabled for the Windows Server 2003 server browser
client. This is due to a URLMon bug that existed in the Windows Server 2003
server builds that existed when the GZip support was checked in. It was unclear
whether it was going to get fixed, so compression was specifically disabled for
this client rather than introduce the risk. Also see MS03-004: ID: 810847.KB.EN-US.

For GZip functionality, the client must be Internet Explorer 6 with 328970
MS02-066: November, 2002, Cumulative Patch for Internet Explorer.
If the browser does not meet this requirement, then the Forms Based
Authentication Microsoft® Internet Server Application Programming Interface
(ISAPI) filter will strip the client’s Accept-Encoding header. For non-Internet
Explorer clients, it leaves this header alone. For Navigator 6 clients and greater,
it leaves the header alone. For Navigator clients < version 6, it strips the
Accept-Encoding header.
If both points one and two have been checked and verified, it is then necessary
to check to see what is being processed on the server (once a client request has
been received) and subsequently what is sent back to the client.

GZip: Server Requirements

Forms Based Authentication
Forms Based Authentication needs to be enabled (Cookie-Auth):

Front-End / Back-End Deployment:
• Front-End: Exchange 2003 on Windows Server 2003
• Back-End: Exchange 2003 on minimum Windows 2000 SP4

Standalone Deployment
• Exchange 2003 installed on Windows Server 2003 server

Note If you use Exchange 2003 Front-Ends to access Exchange 2000 Back-
Ends, then you should disable GZip compression support on the Front-End
Servers. GZip will not work as it is a requirement for all mailbox servers to be
on Exchange 2003.

GZip should not be enabled on a back-end server that is part of a
front-end/back-end topology. Although this may work, it is unnecessary, untested,
and will add an extra processing burden to the back-end server.
If a customer has both Exchange 2000 and Exchange 2003 back-end servers,
then it is possible to roll out GZip either on a different Exchange Virtual
Server, or on a different Front-End server, for users whose mailboxes reside on
Exchange 2003 back-end servers.

GZip: Configuring and Troubleshooting

Forms Based Authentication
Enable Forms Based Authentication on the Exchange 2003 server that will be
configured to process GZip requests. When Forms Based Authentication is
enabled, the Compression settings will be available for selection.

Compression settings
The following screenshot (Properties of the HTTP Exchange Virtual Server)
illustrates this.
There are three compression options available:
1. None: No data is compressed.
2. Low: This is for static content - the generic files that are required on the
client in order for Outlook Web Access to work. These are: JS, CSS, HTM,
XSL and HTC files.
3. High: This is for static and dynamic content such as messages, attachments,
etc.
When a selection has been made and Apply has been pressed, the following
warning message is displayed:
These are the only Exchange System Manager settings that need to be checked
in order to ascertain whether GZip has been configured correctly.
IIS provides no Performance monitor counters or application event log
messages explicitly for GZip compression. There are a number of
troubleshooting steps that can be taken to check for any GZip issues.

Important When the compression level is changed via the Settings of the
Properties of the Exchange Virtual Server in Exchange System Manager, a
warning is displayed advising that it will be necessary to restart the IIS Virtual
Server before the change will take effect. Highlight the server object in Internet
Services Manager. Right-click and select Tasks. Select restart the IIS virtual
server.

GZip: IIS Temporary Files Directory

If you navigate to %\Windows\IIS Temporary Compressed Files and GZip
Compression has been enabled either Low or High, you should see a number of
files similar to the following:
$^_GZip_C^^EXCHSRVR^EXCHWEB^6.5.6895.0^CONTROLS^CTRL_VIEW.HTC

You can also check the metabase settings under
w3svc/Filters/Compression/Parameters and look for the
HcCompressionDirectory key as this should also be %windir%\IIS Temporary
Compressed Files.
There should be a number of different files such as:
• HTML Document
• XSL Stylesheet
• HTC File
• Jscript Script File
• Cascading Style Sheet
The IIS Temporary Compressed Files directory is where all compressed (GZip)
files are located.
Static content gets compressed and stored in the <%\Windows\IIS Temporary
Compressed Files> directory. The first user to access Forms Based
Authentication (with compression enabled) will not receive compressed data.
However, all subsequent users will receive the data compressed if it resides in
the <%\Windows\IIS Temporary Compressed Files> directory.
Remember that when high compression is enabled, all dynamic content such as
messages and attachments are compressed as the client requests them.

Anti-Virus Software Interaction
There is a known problem with the interaction of IIS and some server anti-virus
software. Specifically, if the anti-virus software is scanning the Temporary
Compression Files directory, it may corrupt the compressed file content. You
should disable file or directory scanning of the Temporary Compression
Files.
Whether low or high, static or static + dynamic respectively, compression is
enabled and is configurable per virtual server. If there is more than one HTTP
virtual server with GZip compression enabled, all of the virtual servers must
inherit the same global settings for the compression level.

GZip: Checking the Content Encoding Sent From Client to Server

Netmon
In order to troubleshoot potential problems, it may be necessary to make sure
that the client is advertising to the server that it supports GZip compression.
The client indicates that it supports GZip compression via the Accept-Encoding
header. The Accept-Encoding request header restricts the content-coding values
that are considered acceptable to the client. An example of the header generated
when a browser issues a request to the server is:

Note Only HTTP version 1.1 or greater compatible browsers will issue the
above Accept-Encoding header.

Note Some proxy servers may offer no support for HTTP 1.1 and may strip
some of the headers. ISA offers limited support and although it strips the
Protocol version = 1.1 header, it passes the Accept-Encoding header.

An empty Accept-Encoding request header indicates to the server that the client
will not accept any content coding.
If completing a Netmon capture is required as a troubleshooting step, then it is
recommended that the capture is run on the Exchange 2003 Front-End Server.
This will capture the incoming client GET request and also communication to
the Exchange 2003 Back-End servers. However, if this is not an option,
capturing the network traffic from the client is fine; the GET request will be
captured.
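
To apply the checks described above to a request copied out of a capture (header present, header empty, gzip listed), the following added example, which is not part of the original courseware, parses the request head. The sample requests are constructed, and reporting a missing header as "not advertised" is this example's troubleshooting convention.

```python
"""Added example: does a captured OWA request advertise gzip in Accept-Encoding?"""

# Constructed sample requests (host name taken from the lab later in this module).
REQ_IE6 = "GET /exchange/ HTTP/1.1\r\nHost: mail.contoso.com\r\nAccept-Encoding: gzip, deflate\r\n\r\n"
REQ_STRIPPED = "GET /exchange/ HTTP/1.1\r\nHost: mail.contoso.com\r\n\r\n"
REQ_EMPTY = "GET /exchange/ HTTP/1.1\r\nHost: mail.contoso.com\r\nAccept-Encoding:\r\n\r\n"
REQ_REFUSED = "GET /exchange/ HTTP/1.1\r\nHost: mail.contoso.com\r\nAccept-Encoding: gzip;q=0, deflate\r\n\r\n"
REQ_VIA_PROXY = "GET /exchange/ HTTP/1.0\r\nHost: mail.contoso.com\r\nAccept-Encoding: gzip\r\n\r\n"


def parse_request_head(raw):
    """Return (http_version, headers) for one request; header names are lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    version = lines[0].split()[-1]          # e.g. "HTTP/1.1"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, headers


def coding_weights(values):
    """Map each content-coding in the header value(s) to its q weight (default 1.0)."""
    weights = {}
    for item in ",".join(values).split(","):
        coding, _, params = item.strip().partition(";")
        coding = coding.strip().lower()
        if not coding:
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val.strip())
                except ValueError:
                    q = 0.0                 # unparsable weight: treat as refused
        weights[coding] = q
    return weights


def gzip_advertised(raw):
    """Report whether the request advertises gzip, with the reason and HTTP version."""
    version, headers = parse_request_head(raw)
    result = {"version": version, "gzip": False}
    values = headers.get("accept-encoding")
    if values is None:
        # Never sent, or stripped on the way (filter or proxy).
        result["reason"] = "Accept-Encoding header absent"
        return result
    weights = coding_weights(values)
    if not weights:
        result["reason"] = "Accept-Encoding header empty"
        return result
    explicit = [weights[name] for name in ("gzip", "x-gzip") if name in weights]
    if explicit:
        result["gzip"] = max(explicit) > 0
        result["reason"] = "gzip listed" if result["gzip"] else "gzip refused (q=0)"
    elif weights.get("*", 0) > 0:
        result["gzip"] = True
        result["reason"] = "wildcard accepts any coding"
    else:
        result["reason"] = "gzip not listed"
    return result


if __name__ == "__main__":
    for label, req in [("IE6", REQ_IE6), ("stripped", REQ_STRIPPED), ("empty", REQ_EMPTY),
                       ("refused", REQ_REFUSED), ("via proxy", REQ_VIA_PROXY)]:
        print(label, gzip_advertised(req))
```

The HTTP version is reported separately so that a request downgraded by a proxy, but still carrying the header, can be told apart from one whose header was stripped.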
AllowRetailHTTPAuth
Prior to capturing any network traffic it is necessary to add the following
registry key to the Exchange 2003 Front-End server. This key does not exist by
default.
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA
Parameter: AllowRetailHTTPAuth
Type: DWORD
Value: 1

Note Remember to remove the registry key after the Netmon Capture has been
taken.

This registry entry allows Cookie-Auth to be configured so it can accept
incoming HTTP traffic.
In virtually all normal circumstances, clients will be accessing their Exchange
Server 2003 mailbox over port 443 (HTTPS). The registry key is to be used by
support and the development team to help customers troubleshoot problems
with Forms Based Authentication and / or Cookie-Auth.
Once the key has been implemented you will then be able to logon to Forms
Based Authentication through HTTP://ExchangeServer/Exchange rather than
HTTPS://ExchangeServer/Exchange and still be able to use Cookie-Auth and
capture the GET request(s) from the client and then check the content coding
values to confirm that GZip compression is being advertised to the server by the
client browser.
If it is a requirement to undertake a Netmon trace the following has to occur:
1. Decide with customer which server to run Netmon on.
2. Explain that we need to disable SSL so the correct information is captured.
3. Add the AllowRetailHTTPAuth registry key.
4. On the Exchange Virtual Directory remove the setting “Require Secure
Channel (SSL)”.
5. Restart the Exchange Virtual Server.
6. Start the Netmon Capture.
7. From the Internet Explorer Client Browser navigate to
HTTP://ExchangeServer/Exchange.
8. Carry out some mail activity.
9. Log off.
10. Stop the Netmon Capture.
11. Re-set the registry key.
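
Step 11, and the Note to remove AllowRetailHTTPAuth after a Netmon capture in both the spell check and GZip procedures, can be verified from a registry export of each Front-End server. The following is an added example, not part of the original courseware; the sample export text, the server names FE1 and FE2, the MaxSpellRequests value and the function names are constructed for illustration.

```python
"""Added example: flag the AllowRetailHTTPAuth troubleshooting value in a registry export."""
import re

OWA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA"
FLAG = "AllowRetailHTTPAuth"

# Constructed sample: export text taken while the capture setting is still in place.
# (Real .reg exports are normally UTF-16; read them with open(path, encoding="utf-16").)
EXPORT_DURING_CAPTURE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA]
"MaxSpellRequests"=dword:00000014
"AllowRetailHTTPAuth"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA\Themes]
"Theme1"="id=0x1;path=mytheme;title=My Custom Theme;bgcolor=#12ACD3"
"""

# Constructed sample: the same server after the value has been removed.
EXPORT_AFTER_CLEANUP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA]
"MaxSpellRequests"=dword:00000014
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, data)}}.

    Key paths and value names are lower-cased because the registry is
    case-insensitive. Only dword data is decoded; other types are kept raw.
    """
    # Join continuation lines (hex data wrapped with a trailing backslash).
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.match(line)
        if match is None or current is None:
            continue                      # header line, comment or blank line
        name, data = match.group(1).lower(), match.group(2)
        if data.lower().startswith("dword:"):
            current[name] = ("dword", int(data[6:], 16))
        else:
            current[name] = ("other", data)
    return keys


def audit_export(text):
    """Return 'ENABLED', 'PRESENT' or 'ABSENT' for AllowRetailHTTPAuth under the OWA key.

    ENABLED: DWORD 1, the value the procedure sets for the capture.
    PRESENT: the value exists with other data; it does not exist by default,
             so it is still a leftover to remove.
    ABSENT:  the default state.
    """
    entry = parse_reg(text).get(OWA_KEY.lower(), {}).get(FLAG.lower())
    if entry is None:
        return "ABSENT"
    return "ENABLED" if entry == ("dword", 1) else "PRESENT"


def servers_needing_cleanup(exports):
    """Given {server_name: export_text}, list servers where the value still exists."""
    return sorted(name for name, text in exports.items() if audit_export(text) != "ABSENT")


if __name__ == "__main__":
    fleet = {"FE1": EXPORT_DURING_CAPTURE, "FE2": EXPORT_AFTER_CLEANUP}
    for server, text in fleet.items():
        print(server, audit_export(text))
    print("cleanup needed on:", servers_needing_cleanup(fleet))
```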

For more information on GZip Settings and Metabase see Module 9 Appendix
D and E.

DAV Debug Tracing

In some cases it may be necessary to gather debug data from the Outlook Web
Access components. In order to enable DAV Tracing the following steps need
to be followed:
1. Stop the W3SVC and MSExchangeIS Services
2. Run the following three Registry updates on the Front-End Server:
a. davex-traces.reg
The following keys are added to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories]
"Debug"=dword:00000001
"Davex"=dword:00000001
"DavexDbgHeaders"=dword:00000000
"Epoxy"=dword:00000001
"Repl"=dword:00000001
"Ifs"=dword:00000001
"IfsCache"=dword:00000001
"WebClient"=dword:00000001
"FileStream"=dword:00000001
"Nmspc"=dword:00000001
"StringBlock"=dword:00000001
"Schema"=dword:00000001
"Sql"=dword:00000001
"DBCommandTree"=dword:00000001
"Unpack"=dword:00000001
"Xml"=dword:00000001
"Search"=dword:00000001
"Actv"=dword:00000001
"BodyStream"=dword:00000001
"Content"=dword:00000001
"Ecb"=dword:00000001
"ECBLogging"=dword:00000001
"EcbStream"=dword:00000001
"Event"=dword:00000001
"Lock"=dword:00000001
"Method"=dword:00000001
"Persist"=dword:00000001
"Request"=dword:00000001
"Response"=dword:00000001
"ScriptMap"=dword:00000001
"Transmit"=dword:00000001
"Url"=dword:00000001
"DavprsDbgHeaders"=dword:00000001
"Metabase"=dword:00000001
"DsaMgr"=dword:00000001
"IdleThrd"=dword:00000001

b. exoledb-traces.reg
The following keys are added to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories]
"Debug"=dword:00000001
"Epoxy"=dword:00000001
"Exdav"=dword:00000001
"Notif"=dword:00000001
"Props"=dword:00000001
"Repl"=dword:00000001
"Search"=dword:00000001
"SessMgr"=dword:00000001
"Locks"=dword:00000001
"WebClient"=dword:00000001
"EnumAtts"=dword:00000001
"FileStream"=dword:00000001
"PropFind"=dword:00000001
"ExOleDb"=dword:00000001
"ExOleDb_Errors"=dword:00000001
"ExOleDb_Events"=dword:00000001
"ExOleDb_ThreadPool"=dword:00000001
"ExOleDb_Transactions"=dword:00000001
"ExOleDb_SystemEvents"=dword:00000001
"ExOleDb_ClientControl"=dword:00000001
"ExOleDb_EntryExit"=dword:00000001
"ExOleDb_Impersonation"=dword:00000001
"ExOleDb_Hsots"=dword:00000001
"XProcCache"=dword:00000001
"Nmspc"=dword:00000001
"StringBlock"=dword:00000001
"Schema"=dword:00000001
"DBCommandTree"=dword:00000001
"Sql"=dword:00000001
"Unpack"=dword:00000001
"Xml"=dword:00000001
"Search"=dword:00000001
"DsaMgr"=dword:00000001
"IdleThrd"=dword:00000001
"LinkFix"=dword:00000001
"CalcProps"=dword:00000001
"MDBInst"=dword:00000001
"LogCallback"=dword:00000001
"AdminLogon"=dword:00000001
"Exoledbesh_Errors"=dword:00000001
"SchemaPop"=dword:00000001

c. exprox-traces.reg
The following keys are added to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\TracingCategories]
"Debug"=dword:00000001
"Prx"=dword:00000001
"PrxConn"=dword:00000001
"PrxParser"=dword:00000001
"PrxReplMgr"=dword:00000001
"PrxRequest"=dword:00000001
"PrxSrv"=dword:00000001
"Url"=dword:00000001
"StringBlock"=dword:00000000
"DsaMgr"=dword:00000001
"IdleThrd"=dword:00000001

Note The above files have all of DAV's tracing categories turned on.

You can also use the reg files located at:
\\exsrc\sources\LATEST\TITANIUM\CAL\src\davex\davex-traces.reg
\\exsrc\sources\LATEST\TITANIUM\CAL\src\exoledb\exoledb-traces.reg
\\exsrc\sources\LATEST\TITANIUM\CAL\src\exprox\exprox-traces.reg

3. Create the following registry key (or verify that it exists) of type
REG_MULTI_SZ called "Modules" under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace

Make sure that this contains the string "DAV-EXOLEDB-OWA" as one of
its values.
4. Run Regtrace:
a. On the Traces tab check the checkbox for Debug Statements.
b. On the Output tab select File, and choose a file name.
c. Make the max file size something reasonable, at least 50 MB.
5. Start the W3SVC and MSExchangeIS Services.
6. Reproduce the problem.
7. Run regtrace and turn off traces ("No Tracing" option on the Output tab),
and select Apply.
8. Copy tracevwr.exe and rockall.dll from \\jackfree0\public\traces or run it
from the share to view the output of the trace file that was just saved.

Customizing the Theme


Outlook Web Access in Exchange 2003 supports the concept of 'Themes'. You
can change your default color scheme out of the box; however, it is also
possible to create your own Outlook Web Access themes.
1. On the front-end(s) and back-end(s), create a directory in
…\exchweb\themes, e.g. called "foo".
2. Copy or create new versions of the following images (gradients for buttons,
backgrounds, etc) to \foo:
• logo2.gif – branding logo, can replace with own company logo
• nb-bkgd.gif – navbar background
• nb-hide-ql.gif – nav bar hide icon ("slider")
• nb-ql-tgl.gif – nav bar slider background
• nb-sel-bkgd.gif – navbar selection gradient
• nb-show-ql.gif – nav bar show icon
• nin-bg.gif – toast image for new e-mail notification
• OWAColors.css – colors used in themes
• resize-dot.gif
• tool-bkgd.gif – toolbar background, also used for folder button
3. You can then edit the Cascading Style Sheet (CSS) to come up with your
own colors and styles. Note, public folders and the calendar viewer are not
affected.
4. On the back-end(s), add a reg key under HKEY_LOCAL_MACHINE \
System \ CurrentControlSet \ Services \ MSExchangeWEB \ OWA \
Themes on the server (e.g. mytheme) with properties:
• This is the registry structure:

...MSExchangeWEB \ OWA
|
---- Themes
|
---- Theme1 (REG_SZ)
|
---- ThemeN (REG_SZ)

• Each theme value is a string (REG_SZ) that contains a semi-colon
separated list of name-value pairs (name=value)
• These name-value pairs are:
  • ID: Custom theme ID
    • Restrictions:
      • First bit (0x80000000) cannot be set
      • Can be a hexadecimal (starts with '0x') or decimal number
      • Must fit in a DWORD
      • Cannot collide with an existing custom theme ID
  • path: Custom theme path
    • Restrictions:
      • Must be shorter than 256 characters
      • Cannot be an empty string
  • title: Custom theme title
    • Restrictions:
      • Must be shorter than 512 characters
      • Cannot be an empty string
  • bgcolor: Custom theme background color
    • Restrictions:
      • Must be 7 characters long
      • '#' must be the first character
      • Each of the remaining six characters must be a valid hex digit
        (basically, this has to be a valid HTML color '#rrggbb')
• All of the name-value pairs are required
• If a theme does not comply with these restrictions then it will
be ignored
• Example:
id=0x1;path=mytheme;title=My Custom Theme;bgcolor=#12ACD3

Note The name-value pairs can be listed in any order.

5. In the path section of the registry entries, just put in the path relative to the
exchweb\themes directory (such as "foo"), mentioned above.
6. Just wait 30 seconds after implementing the registry parameter, and the new
theme will be available in 'Options'. No need to restart services!
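
Because a theme that breaks any restriction is ignored, it helps to check a value before writing it to the registry. The following validator is an added example, not part of the original courseware or of Exchange; it applies the restrictions listed above to constructed sample values, and matching the names case-insensitively is an assumption of this example.

```python
"""Added example: validate OWA custom theme strings against the documented restrictions."""
import re

REQUIRED = ("id", "path", "title", "bgcolor")

# Constructed sample values; Theme1 is the example string given in the text above.
SAMPLE_VALUES = {
    "Theme1": "id=0x1;path=mytheme;title=My Custom Theme;bgcolor=#12ACD3",
    "Theme2": "bgcolor=#FFFFFF;title=Duplicate id;path=foo;id=1",
    "Theme3": "id=0x80000001;path=foo;title=High bit;bgcolor=#000000",
    "Theme4": "id=4294967296;path=foo;title=Too big;bgcolor=#0a0B0c",
    "Theme5": "title=Any order;bgcolor=#0a0B0c;id=5;path=foo",
    "Theme6": "id=6;path=foo;bgcolor=#12acd3",
}


def parse_theme(value):
    """Split 'name=value;name=value' into a dict with lower-cased names."""
    pairs = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"not a name=value pair: {part!r}")
        pairs[name.strip().lower()] = val
    return pairs


def parse_id(text):
    """Accept a decimal number or a 0x-prefixed hexadecimal number."""
    text = text.strip()
    if re.fullmatch(r"0[xX][0-9A-Fa-f]+", text):
        return int(text[2:], 16)
    if re.fullmatch(r"[0-9]+", text):
        return int(text)
    raise ValueError(text)


def check_theme(value, used_ids=()):
    """Return the list of violated restrictions; an empty list means the value complies."""
    try:
        pairs = parse_theme(value)
    except ValueError as exc:
        return [str(exc)]
    errors = [f"missing {name}" for name in REQUIRED if name not in pairs]
    if "id" in pairs:
        try:
            theme_id = parse_id(pairs["id"])
        except ValueError:
            errors.append("id is not a decimal or 0x-prefixed hexadecimal number")
        else:
            if theme_id > 0xFFFFFFFF:
                errors.append("id does not fit in a DWORD")
            elif theme_id & 0x80000000:
                errors.append("id has the first bit (0x80000000) set")
            elif theme_id in used_ids:
                errors.append("id collides with an existing custom theme id")
    if "path" in pairs and not 0 < len(pairs["path"]) < 256:
        errors.append("path must be 1 to 255 characters")
    if "title" in pairs and not 0 < len(pairs["title"]) < 512:
        errors.append("title must be 1 to 511 characters")
    if "bgcolor" in pairs and not re.fullmatch(r"#[0-9A-Fa-f]{6}", pairs["bgcolor"]):
        errors.append("bgcolor must be '#' followed by six hex digits")
    return errors


def accepted_themes(values):
    """Check each value in order; non-complying themes are skipped, as the text describes."""
    accepted, used = {}, set()
    for name, value in values.items():
        if not check_theme(value, used):
            accepted[name] = parse_theme(value)
            used.add(parse_id(accepted[name]["id"]))
    return accepted


if __name__ == "__main__":
    used = set()
    for name, value in SAMPLE_VALUES.items():
        problems = check_theme(value, used)
        print(name, "OK" if not problems else problems)
        if not problems:
            used.add(parse_id(parse_theme(value)["id"]))
```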

Lab A: Outlook Web Access



Objectives
After completing this lab, you will be able to:
• Set up Forms Based Authentication on Exchange 2003.
• Change Forms Based Authentication to require only user alias and password.
• Enable Outlook Web Access password change.
• Perform DAV Tracing.

Before working on this lab, you must have:
• An Exchange server with IIS installed.
• Knowledge about the difference between a workgroup and a domain.
• Experience logging on and off Microsoft Windows® 2000.
• The knowledge and skills to create user accounts by using User Manager for
Domains.

Estimated time to complete this lab: 30 minutes



Exercise 1
Setting up Forms Based Authentication

Scenario
Contoso Pharmaceuticals would like a custom logon page for Microsoft Outlook Web Access. In
this exercise you will configure Forms Based Authentication.
Forms based authentication requires clients to use a SSL connection. If SSL encryption is not
offloaded to another source, complete the following steps:
• Configure SSL
• Restart the IIS service

Tasks and Detailed Steps

Note: All steps are to be completed on the Exchange VPC.

Task 1. Enable SSL Requirement for Exchange Virtual Directory.
a. Log into Exchange as Administrator with password Passw0rd1.
   Note: If you already have a valid certificate installed, proceed to Task 2.
b. From the task bar click Start | All Programs | Administrative Tools |
   Internet Information Services (IIS) Manager.
c. Expand EX2 (local computer) | Web Sites.
d. Right click Default Web Site, select Properties, and then click the
   Directory Security tab.
e. Select the Server Certificate button under Secure Communications.
f. Click the Next button when the Welcome Wizard appears.
g. Create a new certificate | Click Next.
h. Select Send the request immediately to an online certificate
   authority | Click Next.
i. Click Next on Name and Security Settings window.
j. Type Contoso in Organization.
k. Type Redmond in Organizational Unit.
l. Click Next.
m. Type mail.contoso.com in Your Site’s Common Name.
   In order to prevent users from getting prompted when using SSL,
   the common name of the certificate MUST be the fully qualified
   domain name (FQDN) of the Front-End server
   • [e.g. mail.contoso.com]
n. Click Next.
o. Type Washington in State/Province.
p. Type Redmond in City/locality.
q. Click Next.
r. Click Next on SSL Port.
s. Click Next on Choose a Certificate Authority.
t. Click Next on Certificate Request Submission.
u. Click Finish.
v. Click OK.
w. Expand EX2 (local computer) | Web Sites | Default Web Site.
x. Right Click on Exchange | Click Properties.
y. Click on Directory Security Tab.
z. Click on Edit under Secure Communications.
aa. Check off Require secure channel (SSL) and Require 128-bit
   encryption.
bb. Click OK.
cc. Click OK.

Task 2. Configure Form-Based Authentication.
a. Click on Start | All Programs | Microsoft Exchange | System Manager.
b. Expand Administrative Groups | First Administrative Group | HQ |
   Servers | EX2 | Protocols | HTTP.
c. Right Click on Exchange Virtual Server | Click Properties.
d. On the Settings Tab select Enable Forms Based Authentication.
e. Select Compression – High.
f. Click OK.
g. Click OK on the Warning.
   Outlook Web Access will now only work on HTTPS and will
   display the login screen, rather than a pop-up message prompting
   for credentials.
h. Switch to XP-Client. If necessary, log in as Administrator with the
   Password of Passw0rd1.
i. Start Internet Explorer and type the following url:
   https://mail.contoso.com/exchange
   This should display the new forms based authentication Web
   page.
j. Login using Contoso\administrator with a password of Passw0rd1.
k. Close Internet Explorer.
l. Switch back to Exchange virtual machine.

Exercise 2
Change Forms Based Authentication to require only User Alias
and Password

Scenario
The CIO of Contoso Pharmaceuticals does not like having to enter his Domainname\Username in
the Outlook Web Access Logon Page. In this exercise you will change the logon to only require
User Alias and Password.

Tasks Detailed Steps

1. Configuring Forms Based Authentication to require users to enter only their alias and password.
a. On Exchange, open the C:\Program Files\Exchsrvr\exchweb\bin\auth\<country>\logon.asp file with Notepad.
Note: We have a completed version of this file with the code listed below already entered. You can either copy this file over or copy and paste from that file into the file above. The file is located in C:\LabFiles\Lab 9.
b. Add the following script directly under the <HEAD> tag:
Note: The <script> block (bolded in the original) is what needs to be added. The following text is CaSE SEnSiTiVE.
<HEAD>
<script Language=javascript>
// Prefix the default domain so users can log on with only their alias.
function logonForm_onsubmit() {
    // A UPN (user@domain) already names the domain; submit it unchanged.
    if (logonForm.username.value.indexOf("@") != -1) {
        return true;
    }
    logonForm.username.value = "CONTOSO\\" + logonForm.username.value;
    return true;
}
</script>
c. Append onsubmit="logonForm_onsubmit()" just after name="logonForm" to the two POST lines in the logon.asp. (Approximately lines 546 & 549).
d. Click File | Save.
2. Test your login.
a. Switch back to XP-Client and open Internet Explorer.
b. Type https://mail.contoso.com/exchange in the Address bar.
c. Log into Outlook Web Access. Log in with the username Administrator and the password Passw0rd1.
d. If Step c is unsuccessful or JavaScript errors are triggered, check for and fix typos in Task 1.

Exercise 3
Enable Outlook Web Access Password Change
In this exercise, you will allow users to change their passwords while using Outlook Web Access. By default, the setting that allows this is disabled. Empowering users to change their passwords can reduce support calls and allow roaming (sales) users to abide by corporate security policies.
Changing the password requires SSL, the addition of the IISAdmPwd virtual directory, and setting the DisablePassword registry key (see Task 3) to 0 or deleting the key.

Tasks Detailed steps

<The following steps are to be performed on Exchange>


1. To enable users to change Outlook Web Access passwords through IIS, use the following steps on each IIS server to which Exchange users are redirected:
a. From the task bar click Start | All Programs | Administrative Tools | Internet Information Services (IIS) Manager.
b. Expand EX2 (local computer) | Web Sites.
c. Right-click the Default Web Site | New | Virtual Directory.
d. Click Next when the Welcome Wizard dialog box appears.
e. In the Virtual Directory Creation Wizard, type IISAdmPwd in the Alias box, and then click the Next button.
f. In the Path field type C:\Windows\system32\inetsrv\iisadmpwd and then click the Next button.
g. Verify that only the Read and Run scripts (such as ASP) check boxes are selected and then click the Next button.
h. Click the Finish button.
2. Verify that the IISAdmPwd folder has the Anonymous Access authentication method enabled.
a. Right click on IISAdmPwd and click Properties.
b. Click the Directory Security tab.
c. Click the Edit button in the Authentication and access control section.
d. Verify that Enable anonymous access is selected.
e. Click OK and OK again.
3. Enable Password Change Options in the Registry.
a. Click Start | Run | Regedit
b. Set the DisablePassword registry key to 0:
Expand HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWEB\OWA
DisablePassword=00000000

Note: You can select other authentication types, but you must also select the Anonymous Access
authentication method.
Note: If you do not enable the Anonymous Access option, the client and server go into an endless loop when
you attempt to authenticate users who are prompted to change an expired password.
For example, if a user navigates to the site and is prompted for a password but their password has expired, the first
page that they tried to access redirects them to the password expiry page. The password expiry page challenges the
user, but because the user is not authenticated on the first page, the second page refuses the connection because the
password has expired. When this occurs, the user is redirected back to first page; the first page redirects the user to
the second page, and so on.
For additional information about a fix for this looping behavior, see article number 275457, "IIS 5.0 May Loop Infinitely When a User Is Forced to Change Their Password."
4. Zero is the default value for the PasswordChangeFlags setting, but the following steps can be used to change or confirm the setting. To change the Metabase PasswordChangeFlags setting to zero (0), you must first change to the \inetpub\adminscripts folder on your hard drive.
a. From the task bar click Start | Run | type cmd | click the OK button.
b. At the command prompt type CD C:\Inetpub\AdminScripts and then press Enter.
c. Type cscript adsutil.vbs set "w3svc/PasswordChangeFlags" 0 then press Enter.
Note: The following values are options for the PasswordChangeFlags setting:
0: Requires password change by SSL
1: Allows password change by non-secure ports
2: Disables password changes
4: Disables advance notification of expiration
5. After creating iisadmpwd and the reg key, you see the password change button under options in Outlook Web Access:
a. Switch to XP-Client and open Internet Explorer.
b. Type https://mail.contoso.com/exchange.
c. Log into Outlook Web Access (OWA) with the Administrator account and password Passw0rd1.
d. Click the Options link in the bottom left navigation bar.
e. Scroll all the way down and verify the Change Password button is visible.
f. Close Internet Explorer.
Note: In a front-end/back-end topology with Exchange 2000 and/or Exchange 2003 back-end servers running on both Windows 2000 servers, it is necessary to add Windows 2000 compatible Web pages to the Windows 2003 front-end server.

Exercise 4
DAV Tracing
In this exercise, you will modify the registry and use the debugging tool regtrace.exe to watch the internals of Exchange Server. This utility is used for debugging purposes only. Regtrace.exe adds about 30% processing to the system, so use it for debugging only!
For more information visit http://support.microsoft.com/default.aspx?scid=KB;EN-US;238614

Tasks Detailed steps

Note: All tasks are to be performed on Exchange VPC.

1. Stop services for debugging on the Exchange server.
a. On Exchange, from the taskbar click Start | All Programs | Administrative Tools | Services.
b. Stop the W3SVC (World Wide Web Publishing Service) and MSExchangeIS (Microsoft Exchange Information Store) services.
2. Add some registry keys into the registry on the Exchange Server.
a. Open Explorer and navigate to the C:\LabFiles\Lab 9\ folder, double-click each of the following files, and click Yes and OK to the Registry Editor prompts:
• davex-traces.reg
• exoledb-traces.reg
• exprox-traces.reg
b. Close the Explorer window.
c. Open the registry editor: from the task bar click Start | Run | type regedit | click the OK button.
d. Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MosTrace\CurrentVersion\DebugAsyncTrace
e. Create the Modules registry key (or verify that it exists) of type REG_MULTI_SZ. Right click DebugAsyncTrace and click New, Multi-String Value. Name it Modules.
f. Create a value that contains DAV-EXOLEDB-OWA as one of its values. Double-click Modules and enter DAV-EXOLEDB-OWA and then click OK.
3. Configure the Regtrace utility, execute an Exchange task and examine the regtrace output.
a. From the task bar click Start | Run | type Regtrace | click the OK button.
b. On the Traces tab check the checkbox for Debug Statements.
c. On the Output tab select File, and choose C:\DavTrace.atf.
d. Make the Max Trace File Size at least 50 MB. Click Apply.
e. Return to the Services window. Start the W3SVC and MSExchangeIS services.
f. Switch to XP-Client and log into OWA at https://mail.contoso.com/exchange as Administrator with password Passw0rd1 and send Administrator an email.
g. Switch back to Exchange.
h. Run Regtrace, click the Output tab and click No Tracing.
i. Click the Apply button.
j. From the task bar click Start | Run | type C:\Tools\Labs\Tools\Other Tools\Tracevwr\tracevwr.exe | click the OK button.
k. From the menu bar click File | Open | type C:\DavTrace.atf | click the Open button.
l. View the trace info.
m. Close all open windows and log off each of the Virtual machines (DC-1, Exchange, and XP-Client).

4. Save the State of the Virtual PCs.
a. You will need the Virtual PCs for the next Lab. Follow these steps closely so you do not lose any information.
b. On each of the Virtual PC 2004 menus, click Action, Close.
c. For the drop down list under What do you want the virtual machine to do? select Save state and save changes.
d. On the Close window, uncheck the Commit changes to the Virtual hard disk box.
e. Click OK. This will save the state of the image so you can resume tomorrow without losing any work.

Note: Other Possible values/combinations for the Modules registry key:


• AQ
• CAT
• DS2MB
• dsevntwrap
• EXSINK
• IMAP4SVC
• REAPI
• RESVC
• Routing
• SMTP
• StoreDrv
• TranMsg
• DSACCESS
• MTA

Reproduce the problem that you are troubleshooting. For example, if you are reproducing a problem where mail is
being returned undeliverable, send some e-mail to an address that will cause Exchange 2000 Server to return the
message undelivered.
When you have reproduced the problem several times, stop tracing by clicking No Tracing from the Output menu in
Regtrace. Also, on the Trace tab, make sure that the All tracing type option is not selected.

Review

1. What does Outlook Web Access Premium look like?

2. What is the deferred delete refresh percentage?

3. What version of Internet Explorer is required for all the nice new stuff?

4. What is the spell check dll?

5. What should you NOT do to the IIS Temporary Compressed Files directory?

6. What is the regkey that can turn off SSL to enable a clear netmon trace?

Appendix A

This session takes a brief look at some of the new features and compares the versions.

| Feature | Description | Outlook Web Access Premium | Outlook Web Access Basic |
|---|---|---|---|
| Logon/Logoff Improvements | | | |
| Logon page | New customized form for logging on to Outlook Web Access; includes cookie-based validation where the Outlook Web Access cookie is invalid after user logs out or is inactive for predefined amount of time. | Yes, with choice of using Outlook Web Access Basic. | Yes, but only allows use of Outlook Web Access Basic. |
| Clear credentials cache on logoff | After logoff all credentials in Microsoft® Internet Explorer 6 Service Pack 1 (SP1) credentials cache are cleared automatically. | Yes, in Internet Explorer 6 SP1. | No |
| Public or shared computer and Private computer logon options | To provide organizations with more protection, two logon page security options can be used. The private option can be set to provide a longer period before user is logged off because of inactivity. | Yes | Yes |
| General User Interface Improvements | | | |
| User interface updates | New color schemes, reorganized toolbars. | Yes, plus new view menu, default user interface font, and bidirectional support. | Yes, but only one color scheme available. |
| Item window sizing | During an Outlook Web Access session, item windows open at the last window size set by the user instead of always opening at 500x700 pixels. | Yes | No |
| Item window status bar | A status bar is now available on item windows where a user can see the destination URL of a hyperlink in an e-mail message when the mouse pointer is positioned over the link. | Yes | No. Items do not open in separate windows, but the status bar is still available. |
| View Improvements | | | |
| Two-line mail view | New view orients message list vertically instead of horizontally; works well with Reading Pane. | Yes | No |
| Reading Pane (called the Preview Pane in previous versions of Outlook Web Access) | Resizable Reading Pane now appears to right of message list by default; attachments can be opened directly from Pane. Additionally, user has option to determine if items are marked as read when viewed in Reading Pane. | Yes | No |
| Mark as read/unread | Command enables users to mark unread messages as read or vice versa. | Yes | No |
| Quick Flagging | Command enables users to assign follow-up flag to messages. | Yes | No |
| Context Menu | Context Menu available in mail view; special context menu also available on quick flag. | Yes | No |
| Keyboard shortcuts | Common actions such as new message, mark as read/unread, and reply and forward are available when focus is in message list. | Yes | No |
| Items per page | Users can determine how many items appear per page in e-mail, contact, and task views. | Yes | Yes |
| Mail icons | Icons display state and type of messages. | Yes | Yes |
| Deferred view update | The view is auto-refreshed only after 20 percent of messages are moved or deleted from a page, not after each deletion. This results in increased performance. | Yes | No |
| Navigation Improvements | | | |
| New Navigation Pane | Unified user interface contains module shortcuts, full folder tree, refresh item count button, customizable width. | Yes | Shortcuts only |
| Search folders | Outlook-created search folders are displayed in folder tree. These must be created in the Outlook Online mode. | Yes | No |
| Notifications | New e-mail and reminder notifications are displayed in Navigation Pane. | Yes | No |
| Public folders | Public folders are displayed in new window. | Yes | No |
| Log Off option on toolbar | Log Off option is now on the view toolbar, not in the Navigation pane. | Yes | No |
| Mail Workflow Improvements | | | |
| Spelling checker | Spelling checker is provided for e-mail messages. | Yes | No |
| New addressing wells | New integrated look; easier deletion of recipients. | Yes | No |
| Global Address List Properties sheets | Property sheets now display name, address, and phone information for resolved Global Address List (GAL) users. | Yes; available in received items, draft items, Check Names dialog box, and Find Names dialog box. | Yes; only available in received items and draft items. |
| Add to Contacts | Users can add resolved recipients in received mail or drafts to main contacts folder. | Yes, feature in Properties sheets or context menu on resolved names. | No |
| Send mail from Find Names | Users can send new messages to addresses found in the Find Names dialog box when it is opened from an e-mail view. | Yes | No |
| Open Find Names from message | Users can open Find Names from a message and use it to add new recipients to a draft message; also used to add recipients to a contact distribution list. | Already available in previous versions of Outlook. | Yes |
| Contacts in Find Names | Users can search main contacts folder in Find Names. | Yes | No |
| Sorted results in Find Names and Check Names | The results in Find Names and Check Names now are sorted in alphabetical order. | Yes | Yes |
| Auto signature | Users can create a signature that is automatically included in e-mail messages. | Yes, HTML-based formatting; also on-demand insertion. | Yes, plain-text formatting; no on-demand insertion. |
| Default mail editor font | User-customizable default font is provided for e-mail editor. | Yes | No |
| Navigate after delete | Users can open the next or previous item after deleting an item. | Yes | No |
| Read receipts | Users can use or ignore read-receipt requests. | Yes; users also can send receipts even when the option is set to ignore requests. | Yes; users are not able to send receipts when option is set to ignore requests. |
| “Web Beacon” blocking | Users can control options for blocking external content in e-mail. | Yes | Yes |
| Privacy protection when navigating links in e-mail. | Destination site only receives server name where e-mail message with link was located — not server name, account name, and subject of e-mail message. | Yes | Yes |
| Attachment blocking | Administrator options restrict access to some or all attachments in messages. | Yes | Yes |
| Junk mail filtering | Options to set up safe- and blocked-sender lists. | Yes | Yes |
| Sensitivity infobar | Sensitivity information is displayed in infobar. | Yes | Yes |
| Reply/Forward infobar | Reply/Forward information is displayed in infobar. | Yes | Yes |
| No indenting replies | The reply header and reply body are no longer indented. | Yes | Yes; Outlook Web Access Basic never indented. |
| Reply to messages/posts in Public Folders | Users now can reply by e-mail to messages or posts in public folders when accessing public folders through a front-end server. | Yes | Yes |
| Encrypted/signed mail | Sending and receiving encrypted and/or signed e-mail is supported. | Yes, Internet Explorer 6 on Microsoft® Windows® 2000 or higher. | No |
| Rules Improvements | | | |
| Rules | Users can create and manage server-based e-mail-handling rules. | Yes | No |
| Task Improvements | | | |
| Personal tasks | Users can create and manage personal tasks and receive reminders for these items. | Yes | Yes, but no reminders. |
| Calendar Improvements | | | |
| Reply/Forward Meeting Requests | Users can now reply to senders of Meeting Requests and/or forward Meeting Requests to other users. | Yes | Yes |
| Attendee reminder | Attendees can set own reminder times from received meeting requests. | Yes | No |
| View Calendar from a meeting request | Attendees can open the calendar from a meeting request. | Yes | No |
| Custom meeting cancellation notice | Users can now provide a response in a meeting cancellation notice. | Yes | Yes |
| Attendee reminder | Meeting attendees can set their own reminder times from a meeting request. | Yes | No |
| View Calendar from Meeting Request | Meeting attendees can open their Calendar from a meeting request. | Yes | Yes |
| Performance Improvements | | | |
| Bytes over the wire | Fewer bytes sent over the wire from server to browser. Additionally, the data sent from the server to browser during initial logon has been reorganized to speed up rendering the Inbox. | Yes | Yes |
| Compression support | Administrators can configure compression support for Outlook Web Access and provide a performance improvement of nearly 50 percent for most actions on slow network connections. | Yes, when accessed with Internet Explorer 6 SP1 + Q328970 or higher. | Depends on the browser. |

Appendix B

The following chart depicts the default settings for IIS when you select Use
Forms Based Authentication. There is no user configuration required.
Configuration of UPN support also is handled by Exchange System Manager.

| Path | Property | Type | Value | Description |
|---|---|---|---|---|
| w3svc/{VS}/root | | IisWebDir | | Root of Exchange System Manager-created Exchange virtual server |
| | 45054 | Integer | 1 | Private attribute to indicate cookie auth is enabled |
| | | IisWebDir | | "Exchange" virtual directory pointing to private mailbox store |
| | AuthFlags | Integer | 2 | Basic authentication only |
| | LogonMethod | | 3 | A value of 3 should correspond to MD_NETWORK_LOGON_CLEARTEXT |
| | ScriptMaps | String | Inherited from parent and adds "*,{PATH}\Exchsrvr\bin\exprox.dll,1" | |
| | Path | String | "\\.\BackOfficeStorage\{RHS domain of Default Recipient Policy’s Default SMTP proxy}\MBX" | |
| | DefaultLogonDomain | String | "\" | Backslash necessary for UPN use |
| | 45054 | Integer | 1 | Private attribute to indicate cookie auth is enabled |
| w3svc/{VS}/root/public | | IisWebDir | | "Exchange" virtual directory pointing to root of public folders store |
| | AuthFlags | Integer | 2 | Basic authentication only |
| | LogonMethod | | 3 | A value of 3 should correspond to MD_NETWORK_LOGON_CLEARTEXT |
| | ScriptMaps | String | Inherited from parent and adds "*,{PATH}\Exchsrvr\bin\exprox.dll,1" | |
| | Path | String | "\\.\BackOfficeStorage\{RHS domain of Default Recipient Policy’s Default SMTP proxy}\Public Folders" | |
| | DefaultLogonDomain | String | "\" | Backslash necessary for UPN use |
| | 45054 | Integer | 1 | Private attribute to indicate cookie auth is enabled |
| w3svc/{VS}/root/{Any other Exchange vdir} | | IisWebDir | | Any user-created "Exchange" virtual directory pointing to private mailbox store or public folders |
| | AuthFlags | Integer | 2 | Basic authentication only |
| | LogonMethod | | 3 | A value of 3 should correspond to MD_NETWORK_LOGON_CLEARTEXT |
| | ScriptMaps | String | Inherited from parent and adds "*,{PATH}\Exchsrvr\bin\exprox.dll,1" | |
| | Path | String | "\\.\BackOfficeStorage\{RHS domain selected by user}\{MBX or path selected by user}" | |
| | DefaultLogonDomain | String | "\" | Backslash necessary for UPN use |
| | 45054 | Integer | 1 | Private attribute to indicate cookie auth is enabled |
| w3svc/{VS}/root/exchweb | | IisWebDir | | This virtual directory is the root of Outlook Web Access static files, ASP pages and non-scriptmapped ISAPI extensions. |
| | HttpExpires | String | "D, 0x278d00" | Content expires in 30 days. |
| | AuthFlags | Integer | 1 | Only anonymous 'authentication' is enabled. |
| | AccessFlags | Integer | 1 | Read access only |
| | Path | String | "{Install path}\exchsrvr\exchweb" | |
| | 45054 | Integer | 1 | Private attribute to indicate cookie auth is enabled |
| w3svc/{VS}/root/exchweb/bin | | IisWebDir | | This virtual directory is the root of Outlook Web Access static files, ASP pages and non-scriptmapped ISAPI extensions. |
| | LogonMethod | Integer | 3 | A value of 3 should correspond to MD_NETWORK_LOGON_CLEARTEXT |
| | AuthFlags | Integer | 2 | Basic authentication |
| | DefaultLogonDomain | String | "\" | Backslash necessary for UPN use |
| | AccessFlags | Integer | 517 | Read access, scripts + executables can run |
| | Path | String | "{Install path}\exchsrvr\exchweb\bin" | |
| w3svc/{VS}/root/exchweb/bin/spell | | IisWebDir | | This virtual directory is the root of Outlook Web Access static files, ASP pages and non-scriptmapped ISAPI extensions. |
| | LogonMethod | Integer | 3 | A value of 3 should correspond to MD_NETWORK_LOGON_CLEARTEXT |
| | AuthFlags | Integer | 2 | Basic authentication |
| | DefaultLogonDomain | String | "\" | Backslash necessary for UPN use |
| | AccessFlags | Integer | 517 | Read access, scripts + executables can run |
| | Path | String | "{Install path}\exchsrvr\exchweb\bin\spell" | |
| | DirBrowseFlags | Integer | 62 | Implies enabledirbrowsing = FALSE |
| w3svc/{VS}/root/exchweb/bin/auth | | IisWebDir | | VDir which contains cookie auth ISAPI extension and related ASP pages |
| | AuthFlags | Integer | 1 | Anonymous authentication only |
| | AccessFlags | Integer | 517 | Read access, scripts + executables can run |
| | Path | String | "{Install path}\exchsrvr\exchweb\bin\auth" | |
| | DefaultDoc | String | "owalogon.asp" | |
| | EnableDefaultDoc | Boolean | TRUE | |
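
The defaults in this appendix, together with the PasswordChangeFlags values noted in Exercise 3, can serve as a baseline for spotting drift on a front-end server. The following is an added example, not part of the original courseware: it compares a metabase export (represented here as a constructed dictionary) with those values and names the individual bits that differ. It assumes {VS} is virtual server 1 and uses only rows whose path is given explicitly in the table.

```python
"""Compare exported IIS metabase values with the defaults listed on this page."""
from typing import Any, Dict, List, Tuple

# Bit names for the bitmask properties. AuthFlags and AccessFlags use the ADSI
# flag names; PasswordChangeFlags wording follows the note in Exercise 3.
BITMASKS: Dict[str, Dict[int, str]] = {
    "AuthFlags": {0x1: "AuthAnonymous", 0x2: "AuthBasic", 0x4: "AuthNTLM"},
    "AccessFlags": {0x1: "AccessRead", 0x2: "AccessWrite", 0x4: "AccessExecute",
                    0x10: "AccessSource", 0x200: "AccessScript"},
    "PasswordChangeFlags": {0x1: "password change allowed on non-secure ports",
                            0x2: "password changes disabled",
                            0x4: "advance notification of expiration disabled"},
}

VS_ROOT = "w3svc/1/root"  # assumption: {VS} is virtual server 1

# Expected values: PasswordChangeFlags from Exercise 3, the rest from Appendix B.
BASELINE: Dict[str, Dict[str, Any]] = {
    "w3svc": {"PasswordChangeFlags": 0},
    VS_ROOT + "/public": {"AuthFlags": 2, "LogonMethod": 3,
                          "DefaultLogonDomain": "\\", "45054": 1},
    VS_ROOT + "/exchweb": {"AuthFlags": 1, "AccessFlags": 1, "45054": 1},
    VS_ROOT + "/exchweb/bin": {"AuthFlags": 2, "LogonMethod": 3,
                               "DefaultLogonDomain": "\\", "AccessFlags": 517},
    VS_ROOT + "/exchweb/bin/auth": {"AuthFlags": 1, "AccessFlags": 517,
                                    "DefaultDoc": "owalogon.asp",
                                    "EnableDefaultDoc": True},
}

Finding = Tuple[str, str, Any, Any, str]


def decode(prop: str, value: int) -> List[str]:
    """Return the names of the bits set in a bitmask property value."""
    names = BITMASKS[prop]
    out = [name for bit, name in sorted(names.items()) if value & bit]
    unknown = value & ~sum(names.keys())
    if unknown:
        out.append(hex(unknown))  # bits this table has no name for
    return out


def audit(exported: Dict[str, Dict[str, Any]]) -> List[Finding]:
    """List every baseline property that is missing or differs in the export."""
    findings: List[Finding] = []
    for path, props in BASELINE.items():
        actual_props = exported.get(path, {})
        for prop, expected in props.items():
            if prop not in actual_props:
                findings.append((path, prop, expected, None, "not set"))
                continue
            actual = actual_props[prop]
            if actual == expected:
                continue
            note = "value differs"
            if prop in BITMASKS:
                extra = decode(prop, actual & ~expected)
                missing = decode(prop, expected & ~actual)
                parts = []
                if extra:
                    parts.append("extra: " + ", ".join(extra))
                if missing:
                    parts.append("missing: " + ", ".join(missing))
                note = "; ".join(parts)
            findings.append((path, prop, expected, actual, note))
    return findings


# Constructed sample export with four deliberate deviations from the baseline.
SAMPLE_EXPORT: Dict[str, Dict[str, Any]] = {
    "w3svc": {"PasswordChangeFlags": 1},
    VS_ROOT + "/public": {"AuthFlags": 2, "LogonMethod": 3,
                          "DefaultLogonDomain": "\\", "45054": 1},
    VS_ROOT + "/exchweb": {"AuthFlags": 1, "AccessFlags": 3, "45054": 1},
    VS_ROOT + "/exchweb/bin": {"AuthFlags": 2, "LogonMethod": 3,
                               "DefaultLogonDomain": "\\", "AccessFlags": 517},
    VS_ROOT + "/exchweb/bin/auth": {"AuthFlags": 3, "AccessFlags": 517,
                                    "DefaultDoc": "owalogon.asp"},
}

if __name__ == "__main__":
    for path, prop, expected, actual, note in audit(SAMPLE_EXPORT):
        print(f"{path}/{prop}: expected {expected!r}, found {actual!r} ({note})")
```
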

Appendix C

Spellcheck tracing using NETMON


Step by Step through Netmon
When looking at the netmon trace, it will be possible to see the client submit the text to be spell checked and also the response made by the Front-End Server.
Packet 201 – You can see here that the client has initiated a Spellcheck request through the URI = /Exchange/TiUser1/?cmd=spellcheck

1 : Packet 201

Packet 270 – This is the POST request that initiates the OWASPELL.DLL on
the Front-End Server. It is also evident in this packet some of the settings
configured by the client.

2 : Packet 270
For example:
• IgnoreMixedDigits is set to False
• The Language (Spelllang) is set to English (United Kingdom)
• Ignore all words in Capital letters (ignoreallcaps) is set to False

These can be changed through the Options button in Outlook Web Access:

Packet 271 – This packet is immediately after the POST Packet, and this packet
contains the data to be spell checked:

The data that is sent to the Front-End server is illustrated below:

3 : Packet 271

Packet 276 – This is what the Front-End sends back to the Client. What actually gets sent back (i.e. the number of suggestions) can be configured through the registry.
Within the data section of the packet, it is possible to see the Front-End Server
send the Spell check results, and this is for all the words that are spelled
incorrectly.

In the data portion it will read UnknownWord and then the words that are
misspelled; in this example “ia” and “incrorrect”
Reading through the data portion of the packet all the suggested words will be
prefixed with <sug>.

4 : Packet 276
The client will be presented the following on the screen:

And for the second word:



With this information it is possible to conclude that the ISAPI Spell-check filter
on the Front-End server is working as expected.
Netmon tracing when there are no errors in the spelling
In the example used, the client had the setting “Always check spelling before sending” checked, so even if the client initiates a manual spell check, the body of the text will get checked again.
Packet 1252 is the same as packet 270 in that it initiates the spell check, but this time the body of the text that is sent to the Front-End Server is as follows:

In the data section of packet 1257, there are no corrections to be made, as the
following illustrates:

To be aware of
Note: By default, only 90 kb of data will be spellchecked. This can be
amended by setting the MaxSpellDocumentSize registry key.

When replying to a message and spell checking the mail, only the text that
has been added will be spell checked. If the Reply Line was deleted by the
user then all of the text in the mail body will be spell checked.
The following screenshot illustrates this:

When a message is sent with the encrypt button selected, the following dialog
boxes are displayed: the first if the user clicks manual spell check. The second
when the client has Always check spelling before sending configured in their
options.

Appendix D

Default Metabase Settings for Gzip


The default Metabase settings for Gzip Compression are as follows:
All keys under LM\W3SVC\Filters\Compression\deflate are the same irrespective of compression level, they are as follows:

All keys under LM\W3SVC\Filters\Compression\Parameters are the same irrespective of compression level, they are as follows:

The difference in compression level is apparent on the following three keys:
• W3SVC/Filters/Compression/GZip/HCDoStaticCompression
• W3SVC/Filters/Compression/GZip/HCDoDynamicCompression
• W3SVC/Filters/Compression/GZip/HCDoOnDemandCompression

Compression Level: None
When the compression level is set to None (False / 0), the Global Gzip Metabase settings are as follows:
The per-directory metabase settings are also toggled off, since another application could re-enable these global values (although Microsoft does not ship any others that use it yet.)
• Configuring the Global Compressions settings: W3SVC/Filters/Compression/GZip/

• Configuring the Exchange VRoot compression Settings: LM\W3SVC\1\ROOT\Exchange

Compression Level: Low
When the compression level is set to Low (true / 1), the Metabase settings are as follows:
• Configuring the Global Compressions settings: W3SVC/Filters/Compression/GZip/

• Configuring the Exchange VRoot compression Settings: LM\W3SVC\1\ROOT\Exchange

Compression Level: High
When the compression level is set to High, the Metabase settings are as follows:
• Configuring the Global Gzip settings: W3SVC/Filters/Compression/GZip/

• Configuring the Exchange VRoot Gzip settings: LM\W3SVC\1\ROOT\Exchange

GZip Dynamic (High) Compression Level Over-ride
It is possible to tweak the high compression level so that the compression level can be adjusted and not automatically overwritten when the server DS2MB process updates settings.
The registry key that needs to be set to allow this is
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWEB\OWA
Parameter: HcDynamicCompressionLevel
Type: REG_DWORD
Value: 0 through 10

Note: This key does not exist by default.

Possible Values: Only the integer values of 0 through 10 are valid.

By default, the high compression value is set to 3, but this can be adjusted if required. This key mirrors the IIS metabase key
/W3SVC/Filters/Compression/Gzip/HcDynamicCompressionLevel
and actually sets its value. The Exchange attendant process (DS2MB) will pick up changes to this key while it is running, but the value is only used when compression is enabled on the server via the Exchange System Administrator. When compression is disabled on the server via Exchange System Administrator, then whatever the last value was for the IIS metabase key will be left alone.
The following example is where the HcDynamicCompressionLevel has been set to 5 through the registry:

To implement the over-ride value for dynamic compression you must first set the Outlook Web Access\HCDynamicCompressionLevel value, apply the setting, and then enable or re-enable all Exchange virtual servers that use compression.

1. Set the registry key: HcDynamicCompressionLevel
2. Set the value 0 through to 10 (In the above example, 5 was used).
3. On ALL Exchange Virtual Servers set the compression level to None.
4. Stop and Start the Virtual Server.
5. Set the compression level to either Low or High.

You may have to wait for DS2MB to run before Exchange picks up the registry value and replicates it correctly. The following will be set on the Exchange Virtual root:

If you set the Outlook Web Access\HCDynamicCompressionLevel key after you have previously enabled compression on any virtual server, it will be ignored. The Exchange system attendant will replicate the value in this key when compression is enabled or disabled for all Exchange virtual servers on the server. The same is true when removing the registry entry. It is necessary to set the Compression to None and then set compression to either Low or High; the DS2MB process will then replicate the change to the Metabase. If you do not set the compression level back to None and recycle the virtual server, the custom compression level value will not get over-written.

Appendix E

Global GZip Settings


Overview Global GZip settings that are configured for static (low) and dynamic (high):
This scenario assumes GZip is not already configured on the server.

Path ID Value

W3svc/filters/compression/GZip/HCDoDynamicCompr 2213 True


ession

W3svc/filters/compression/GZip/HCDoStaticCompres 2214 True


sion

W3svc/filters/compression/GZip/HCDoOnDemandCo 2215 True


mpression

The default settings are overwritten to reflect the values below:

Path ID Value

W3svc/filters/compression/parameters/HCDoDynamic 2213 False


Compression (unless
already
True)

W3svc/filters/compression/parameters/HCDoStaticCo 2214 False


mpression (unless
already
True)

W3svc/filters/compression/parameters/HCDoOnDema 2215 False


ndCompression (unless
already
True)

W3svc/filters/compression/parameters/HCSendCache 2220 False


Headers

W3svc/filters/compression/parameters/HCNoCompres 2217 False


sionForHTTP10

W3svc/filters/compression/GZip/HCFileExtensions 2238 “htm


html txt
htc css
Appendix E 111

js xsl”

W3svc/filters/compression/GZip/HCScriptFileExtensio 2244 “”
ns

W3svc/filters/compression/GZip/HCOnDemandComp 2242 10
Level

W3svc/filters/compression/GZip/HCDynamicCompres 2241 10
sionLevel

W3svc/filters/compression/parameters/HCNoCompres 2218 False


sionForProxies

Outlook Web Access Now that you have configured the server-wide settings so they do not affect
Specific settings that other apps, you need to add the keys that enable GZip for the Outlook Web
must be configured for Access virtual roots and directories.
static and dynamic
compression The following table includes the settings that you need to set:

VS/VDir/Directory                  ID    GZip metabase entries
W3svc/{VS}/root/Exchange/          2255  DoDynamicCompression = True
W3svc/{VS}/root/Exchange/          2256  DoStaticCompression = True
W3svc/{VS}/root/public/            2255  DoDynamicCompression = True
W3svc/{VS}/root/public/            2256  DoStaticCompression = True
W3svc/{VS}/root/exchweb/           2255  DoDynamicCompression = True
W3svc/{VS}/root/exchweb/           2256  DoStaticCompression = True
W3svc/{VS}/root/exchweb/bin/auth/  2255  DoDynamicCompression = False
    You want to disable GZip for the logon page.
W3svc/{VS}/root/exchweb/bin/auth/  2256  DoStaticCompression = False
W3svc/{VS}/root/exchweb/img/       1002  Create a new node (keytype) under W3svc/{VS}/root/exchweb of type “IISWebDirectory” named “img”. Then set the following metabase entries on the new node:
    Note: img reflects a directory that has been added as a new IISWebDirectory property in the parent vroot.
W3svc/{VS}/root/exchweb/img/       2255  DoDynamicCompression = False
W3svc/{VS}/root/exchweb/img/       2256  DoStaticCompression = True
W3svc/{VS}/root/exchweb/themes/    1002  W3svc/{VS}/root/exchweb of type “IISWebDirectory” named “themes”. Then set the following metabase entries on the new node:
    Note: themes reflects a directory that has been added as a new IISWebDirectory property in the parent vroot.
W3svc/{VS}/root/exchweb/themes/    2255  DoDynamicCompression = False
W3svc/{VS}/root/exchweb/themes/    2256  DoStaticCompression = True

In general you can iterate over all vroots on the virtual server that have the
Cookie-Auth metabase key enabled (ID = 45054, value = 1) and apply the
above settings except for the root, auth, and the img directory (they need special
handling).
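
The explicit False entries on exchweb/bin/auth matter because metabase properties set on W3svc/{VS}/root/exchweb are inherited by its subdirectories. The following added example (not part of the original course material) audits a constructed snapshot against the static and dynamic table above; the snapshot contents, the value 1 standing in for {VS}, and the function names are assumptions.

```python
# Added example: audit a constructed metabase snapshot against the
# static + dynamic table above. "1" stands in for {VS} (assumption).
DYN, STAT = "DoDynamicCompression", "DoStaticCompression"  # IDs 2255 / 2256
ROOT = "w3svc/1/root"

# Properties set explicitly on each node (constructed sample data).
SNAPSHOT = {
    f"{ROOT}/exchange":       {DYN: True,  STAT: True},
    f"{ROOT}/public":         {DYN: True,  STAT: True},
    f"{ROOT}/exchweb":        {DYN: True,  STAT: True},
    # exchweb/bin/auth has no explicit entries here, so it inherits.
    f"{ROOT}/exchweb/img":    {DYN: False, STAT: True},
    f"{ROOT}/exchweb/themes": {DYN: False, STAT: True},
}

# Required effective values, copied from the table above.
EXPECTED = {
    f"{ROOT}/exchange":         {DYN: True,  STAT: True},
    f"{ROOT}/public":           {DYN: True,  STAT: True},
    f"{ROOT}/exchweb":          {DYN: True,  STAT: True},
    f"{ROOT}/exchweb/bin/auth": {DYN: False, STAT: False},
    f"{ROOT}/exchweb/img":      {DYN: False, STAT: True},
    f"{ROOT}/exchweb/themes":   {DYN: False, STAT: True},
}

def effective(snapshot, path, prop):
    """Nearest node on the path that sets prop wins (metabase inheritance)."""
    parts = path.lower().strip("/").split("/")
    while parts:
        node = snapshot.get("/".join(parts), {})
        if prop in node:
            return node[prop]
        parts.pop()
    return False  # assumption: unset at every level means disabled

def audit(snapshot, expected=EXPECTED):
    """Return (path, property, effective, required) for every mismatch."""
    findings = []
    for path, required in expected.items():
        for prop, want in required.items():
            got = effective(snapshot, path, prop)
            if got != want:
                findings.append((path, prop, got, want))
    return findings

if __name__ == "__main__":
    for finding in audit(SNAPSHOT):
        print("MISMATCH", *finding)
```

With the sample snapshot, the audit reports the logon directory as compressed through inheritance from exchweb; adding the two explicit False entries clears both findings.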
Global GZip settings that are configured for static (low) compression

Path                                                    ID    Value
W3svc/filters/compression/GZip/HCDoDynamicCompression   2213  False (unless already true)
W3svc/filters/compression/GZip/HCDoStaticCompression    2214  True
W3svc/filters/compression/GZip/HCDoOnDemandCompression  2215  True

Then you will override these global settings with:

Path                                                            ID    Value
W3svc/filters/compression/parameters/HCDoDynamicCompression     2213  False (unless already True)
W3svc/filters/compression/parameters/HCDoStaticCompression      2214  False (unless already True)
W3svc/filters/compression/parameters/HCDoOnDemandCompression    2215  False (unless already True)
W3svc/filters/compression/parameters/HCSendCacheHeaders         2220  False
W3svc/filters/compression/GZip/HCFileExtensions                 2238  “htm html txt htc css js xsl”
W3svc/filters/compression/GZip/HCOnDemandCompLevel              2242  10
W3svc/filters/compression/parameters/HCNoCompressionForHTTP10   2217  False
W3svc/filters/compression/parameters/HCNoCompressionForProxies  2218  False

Once server-wide settings are configured so as not to interfere with other
applications, the keys that enable GZip for the Outlook Web Access virtual
roots and directories may be set.
Additional required settings

VS/VDir/Directory                  ID    GZip metabase entries
W3svc/{VS}/root/Exchange/          2255  DoDynamicCompression = False
W3svc/{VS}/root/Exchange/          2256  DoStaticCompression = True
W3svc/{VS}/root/public/            2255  DoDynamicCompression = False
W3svc/{VS}/root/public/            2256  DoStaticCompression = True
W3svc/{VS}/root/exchweb/           2255  DoDynamicCompression = False
W3svc/{VS}/root/exchweb/           2256  DoStaticCompression = True
W3svc/{VS}/root/exchweb/bin/auth/  2255  DoDynamicCompression = False
    You want to disable GZip for the logon page.
W3svc/{VS}/root/exchweb/bin/auth/  2256  DoStaticCompression = False
