Email Configuration with Outlook Web Access
Exchange Server 2003 differs from Exchange Server 2000. In Exchange Server 2000 you had to use the Enterprise Edition to provide Web Access with a Front-end Server. With Exchange Server 2003 you can use either the Standard Edition or the Enterprise Edition of Exchange Server to provide Web Access with a Front-end Server. Before you implement a dedicated Front-end Server, look carefully at your network infrastructure: What kind of firewall(s) do you have? Do you have a DMZ (also known as a perimeter network)? Are you using ISA Server 2000 or another application-layer firewall? ISA Server 2000 in particular offers some special functions that provide a good way to securely publish OWA access through the ISA Server.
Preparing Exchange server 2003 for Outlook Web Access
Every user has HTTP as an allowed protocol by default, and the Exchange Server 2003 you already have will generally behave like a Backend Server. Only if you want to prevent some of your users from accessing their mailbox with Outlook Web Access do you have to configure anything on the dedicated Backend Servers; otherwise nothing is necessary. This is easily done in the user properties in Active Directory Users and Computers.

Figure A :- Enabling Outlook Web Access for a user
The next task is installing and configuring your Frontend Server. The easiest way is to install it as a second Exchange Server in your organization. After that we enable it to act as a Frontend Server, which is done in the properties of the Exchange Server in Exchange System Manager.

Figure B :- Configuring a Frontend Server
If you choose this configuration, the server switches from the DAVEx process (acting as a Backend Server) to the ExProx process (acting as a Frontend Server). Reboot the server for the change to take effect.
To make the Frontend Server a genuine Frontend, follow the steps below and disable all unnecessary services. The following services must be running on your Frontend Server; every other service may be stopped without any trouble:
- HTTP-Service
- SMTP-Service
- Exchange System Attendant
- Exchange Routing Engine
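As an added example (not from the original article), the following PowerShell script keeps the four services listed above running and stops and disables every other Microsoft Exchange service on the Frontend Server, including the Information Store discussed next. The service names (W3SVC, SMTPSVC, MSExchangeSA, RESvc) are assumed from Exchange 2003 defaults; verify them with Get-Service before running it.

```powershell
# Added example, not from the original article. Run in an elevated session on
# the Exchange 2003 Frontend Server after its databases have been dismounted
# and deleted. Service names are assumptions based on Exchange 2003 defaults.
$KeepRunning = @(
    'W3SVC',        # HTTP service (IIS World Wide Web Publishing)
    'SMTPSVC',      # SMTP service
    'MSExchangeSA', # Microsoft Exchange System Attendant
    'RESvc'         # Microsoft Exchange Routing Engine
)

function Get-FrontEndServicesToDisable {
    # Every Microsoft Exchange service that is not on the keep list
    Get-Service | Where-Object {
        $_.DisplayName -like 'Microsoft Exchange*' -and $KeepRunning -notcontains $_.Name
    }
}

function Disable-FrontEndExtraServices {
    param([switch]$WhatIf)
    $changed = @()
    foreach ($svc in Get-FrontEndServicesToDisable) {
        if ($WhatIf) {
            Write-Host "Would stop and disable $($svc.Name) ($($svc.DisplayName))"
        } else {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc.Name -StartupType Disabled
        }
        $changed += $svc.Name
    }
    return $changed
}

function Test-FrontEndServiceState {
    # Audit: report any Exchange service that should be off but is still running
    $running = @(Get-FrontEndServicesToDisable | Where-Object { $_.Status -eq 'Running' })
    if ($running.Count -gt 0) {
        Write-Warning ("Still running: " + ($running.Name -join ', '))
    }
    return ($running.Count -eq 0)
}

Disable-FrontEndExtraServices -WhatIf   # preview first, then run without -WhatIf
Test-FrontEndServiceState
```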
As there should be no public folders or mailboxes on your Frontend Server, you do not need to run the Exchange Information Store. The best option is to dismount and delete all databases on the server and then disable the Exchange Information Store service. Once you have placed this server in the perimeter network (also known as the DMZ), you have to configure the appropriate ports on the firewall(s) so that the server can operate.
Open the following ports on the intranet firewall (which connects the DMZ and the internal network):
- For Exchange Communication:
- Port 80 for HTTP
- Port 691 for Link State Algorithm routing protocol
- For Active Directory communication:
- Port 389 for LDAP (TCP and UDP)
- Port 3268 for Global Catalog Server LDAP (TCP)
- Port 88 for Kerberos Authentication (TCP and UDP)
Important :- You should now configure the DSAccess service for perimeter networks on your Frontend Server. First, disable the available-disk-space check that DSAccess performs against Netlogon via RPC. This is done by changing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: DisableNetlogonCheck
Value Type: REG_DWORD
Value Data: 1
In addition, prevent DSAccess from pinging domain controllers by creating the following registry value on your Frontend Server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: LdapKeepAliveSecs
Value Type: REG_DWORD
Value Data: 0
Then configure your Exchange Frontend Server to use the DC and GC you want by editing the server properties in Exchange System Manager.
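As an added example (not from the original article), this PowerShell script applies the two DSAccess registry values described above on the Frontend Server and reads them back so you can confirm the perimeter-network configuration took hold. The key path and value names are the ones given in the article; the function names are my own.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the Exchange 2003 Frontend Server placed in the perimeter network.
$DsAccessKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess'

function Set-DsAccessPerimeterSettings {
    param([string]$KeyPath = $DsAccessKey)

    # The key normally exists on an Exchange server; create it if it is missing
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # DisableNetlogonCheck = 1 : skip the Netlogon check DSAccess performs via RPC
    Set-ItemProperty -Path $KeyPath -Name 'DisableNetlogonCheck' -Value 1 -Type DWord
    # LdapKeepAliveSecs = 0 : stop DSAccess from pinging domain controllers
    Set-ItemProperty -Path $KeyPath -Name 'LdapKeepAliveSecs' -Value 0 -Type DWord
}

function Test-DsAccessPerimeterSettings {
    param([string]$KeyPath = $DsAccessKey)
    # Read both values back and report whether the expected settings are present
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $ok = ($null -ne $props) -and
          ($props.DisableNetlogonCheck -eq 1) -and
          ($props.LdapKeepAliveSecs -eq 0)
    if (-not $ok) {
        Write-Warning "DSAccess perimeter settings are not applied on $env:COMPUTERNAME"
    }
    return $ok
}

Set-DsAccessPerimeterSettings
Test-DsAccessPerimeterSettings
```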
- For DNS communication:
- Port 53 for DNS (TCP and UDP)
- For RPC communication:
- Port 135 for RPC endpoint mapper (TCP)
- Ports 1024 and higher for RPC services
Important :- You can limit RPC traffic across the firewall by editing the registry of all your DCs. Change the following registry setting:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)
If you are using IPSec between Frontend and Backend Servers you have to open:
- Port 500 for IKE (UDP)
- Port 51 for Authentication Header (AH)
- Port 50 for Encapsulating Security Payload (ESP)
By configuring the Network Load Balancing service (NLB) to act as a virtual cluster you can provide high availability for your Frontend Servers. NLB makes sure users connect to a running Frontend Server: every user connecting to Outlook Web Access connects to the virtual cluster and is then redirected to one of your Frontend Server nodes.
Implementing Security for Outlook Web Access
Once you have successfully implemented your Exchange Front-End Server constellation to provide Outlook Web Access for your users, you may be concerned about security. Plain HTTP connectivity is not secure: authentication information always travels over the network in clear text. In addition, Outlook Web Access authentication is session based, which means you remain logged in as long as you do not log off and close your browser. In public web access areas where users are unable to close the browser window, it becomes quite easy for other people to read and send e-mail in the name of a company user.
Providing a secure HTTPS connection with an SSL server certificate is easy to implement. The most interesting decision is whether to buy a web server certificate from a well-known trust center such as Verisign or to use one issued by an internal certificate authority. This certificate must then be installed on your Outlook Web Access server.

Figure C :- Installing a Web Server Certificate on an OWA Box
Now you can choose between a non-secure and a secure channel; if you require 128-bit encryption, just check the appropriate box. Some countries have laws that only allow 40-bit encryption (e.g. France), so keep that in mind. You can make your OWA connections more secure with a new feature in Exchange Server 2003, "Form-based Authentication", which lets you configure a cookie-based session connection with a timeout. As shown in the picture below, this is easy to implement.

Figure D :- Enabling Form-based Authentication
After you enable this feature, the default timeout for a client session is 10 minutes. After that you must log on again to get a new cookie and new Outlook Web Access access.
Important :- You can change the default timeout by changing the following registry setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
Registry Value: PublicClientTimeout
Value Type: REG_DWORD
Value Data: (possible setting decimal)
and
Registry Value: TrustedClientTimeout
Value Type: REG_DWORD
Value Data: (possible setting decimal)
For both registry values the possible settings range from 1 to 4320 (minutes). You have to restart your W3SVC service after changing these settings.
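As an added example (not from the original article), this PowerShell function sets both form-based authentication timeouts described above, rejects values outside the documented 1 to 4320 minute range before touching the registry, and restarts W3SVC so the change takes effect. The key path and value names come from the article; the function name and the 60-minute trusted value are my own.

```powershell
# Added example, not from the original article. Run in an elevated session on
# the OWA server after Form-based Authentication has been enabled.
$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA'

function Set-OwaSessionTimeout {
    param(
        # Both values must be within 1-4320 minutes; anything else is rejected here
        [Parameter(Mandatory)][ValidateRange(1, 4320)][int]$PublicMinutes,
        [Parameter(Mandatory)][ValidateRange(1, 4320)][int]$TrustedMinutes,
        [string]$KeyPath = $OwaKey
    )
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # Public (shared) computers get the shorter timeout, trusted (private) ones the longer
    Set-ItemProperty -Path $KeyPath -Name 'PublicClientTimeout'  -Value $PublicMinutes  -Type DWord
    Set-ItemProperty -Path $KeyPath -Name 'TrustedClientTimeout' -Value $TrustedMinutes -Type DWord

    # The values are only read when the web service starts, so restart it
    Restart-Service -Name 'W3SVC' -Force

    # Return what is now stored so the caller can confirm the change
    Get-ItemProperty -Path $KeyPath | Select-Object PublicClientTimeout, TrustedClientTimeout
}

# 10 minutes for public computers (the article's default), 60 for trusted ones (assumed value)
Set-OwaSessionTimeout -PublicMinutes 10 -TrustedMinutes 60
```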
By enabling compression you can speed up your connections, provided your OWA clients meet the following requirements:
- Windows 2000 or later
- Internet Explorer 6.0 with the November 2002 cumulative update, or Netscape Navigator 6.0 or higher.