
Planning for Exchange Server 2007 Client Access Servers


Microsoft Corporation
Published: June 2007
Author: Microsoft Exchange Documentation Team







Abstract
The purpose of this document is to help you plan your Microsoft Exchange Server 2007 Client Access server deployment. The information and procedures included in this document focus on the planning considerations for the design of an Exchange 2007 Client Access server infrastructure.
Important:
This document is a deployment-specific compilation of several Exchange 2007 Help topics and is provided as a convenience for customers who want to view the topics in print format. To read the most up-to-date deployment topics, visit the Exchange Server 2007 Library.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows Media, Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Vista, Active Directory, ActiveSync, Excel, Forefront, Internet Explorer, Outlook, SharePoint, SmartScreen and Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Planning for Exchange Server 2007 Client Access Servers
Contents
Planning for Exchange 2007 Client Access Servers
Overview of the Client Access Server Role Features
Understanding the Differences Between a Front End Server and a Client Access Server
Planning Considerations for Exchange ActiveSync
Planning Considerations for Outlook Web Access
Planning Considerations for Outlook Anywhere
Planning Considerations for POP3 and IMAP4
Planning Considerations for Exchange 2007 Web Services
Security Planning for Client Access Servers
Sizing Client Access Servers
General Sizing Recommendations
Reference Architecture Analysis
Recommended Performance Counters
Client Access
Outlook Web Access
Exchange ActiveSync
POP3 and IMAP
The Availability Service
The Autodiscover Service
New Client Functionality
Unified Messaging
Outlook Web Access
Exchange ActiveSync and Mobility
Calendaring
Cached Exchange Mode
Messaging Records Management
Overview of Exchange ActiveSync
Overview of Exchange ActiveSync
New Features in Exchange ActiveSync
Managing Exchange ActiveSync
Understanding Direct Push
Overview
Understanding Exchange ActiveSync Mailbox Policies
Overview
Exchange ActiveSync Mailbox Policy Examples
Understanding Remote Device Wipe
Overview
Understanding Exchange ActiveSync Autodiscover
Overview of Autodiscover with Exchange ActiveSync
Understanding Mobile Device Connectivity
Cellular Connectivity
Wireless Connectivity
Understanding Mobile Devices
Exchange ActiveSync Enabled Devices
Devices Enabled for Exchange ActiveSync
Exchange ActiveSync Reporting Services
Generating Exchange ActiveSync Reports
Available Exchange ActiveSync Reports
Interpreting the Internet Information Services Log Files
Overview of POP3 and IMAP4
POP3 and IMAP4 Protocols
Managing POP3/IMAP4 Features
Overview of Outlook Web Access
Overview of Outlook Web Access
Managing Outlook Web Access
Overview of Outlook Anywhere
Outlook Anywhere and Exchange 2007
Benefits of Using Outlook Anywhere
Deploying Outlook Anywhere
Managing Outlook Anywhere
Coexistence
Recommendations for Outlook Anywhere
Using Your Own Certification Authority
Overview of the Autodiscover Service
Outlook 2007 and Autodiscover
How the Autodiscover Service Works
Deployment Options for the Autodiscover Service
Deployment Considerations for the Autodiscover Service
Autodiscover Service Topology Requirements
Connecting to the Autodiscover Service from the Internet
Configuring the Autodiscover Service to Use Site Affinity for Internal Communication
Configuring the Autodiscover Service for Multiple Forests
Hosted Environments and the Autodiscover Service
Autodiscover Security
Understanding Proxying and Redirection
Overview of Proxying
Overview of Redirection
Proxying with Network Load Balancing
Summary of Client Access Methods
Proxying Performance and Scalability
Overview of Client Access Server Security
Overview of SSL for Client Access Servers
Overview of Using ISA Server 2006 for Client Access
Configuring ISA Server 2006 for Exchange Client Access
ISA Server 2006 and Exchange 2007
Benefits of Using ISA Server 2006 with Exchange 2007
New Exchange Publishing Rule Wizard
Understanding SSL for Client Access Servers
Overview of Digital Certificates
Types of Certificates
Choosing a Certificate Type
Securing Exchange Server 2007 Client Access
Managing Authentication
Enhancing Secure Communications Between the Client Access Server and Other Servers
New Security Features for Exchange Server 2007
Understanding SSL for Client Access
Overview of Digital Certificates
Types of Certificates
Choosing a Certificate Type
Understanding ISA Server 2006 with Exchange Server 2007
ISA Server 2006 and Exchange 2007
Earlier Versions of ISA Server and Exchange 2007
Understanding Security for Exchange ActiveSync
Exchange ActiveSync Server Security
Device Security
Configuring Authentication For Exchange ActiveSync
Choosing an Authentication Method
Basic Authentication
Certificate-Based Authentication
Token-Based Authentication Systems
Configuring SSL and Exchange ActiveSync
Configuring Exchange ActiveSync Policies
Overview of Exchange ActiveSync Mailbox Policies
Managing Exchange ActiveSync Mailbox Policies
Understanding Security for Outlook Anywhere
Using an Advanced Firewall Server for Outlook Anywhere
Using SSL with Outlook Anywhere
Configuring Authentication for Outlook Anywhere
Configuring SSL for Outlook Anywhere
SSL Deployment Options for Outlook Anywhere
Configuring Authentication for Outlook Anywhere
Basic Authentication and Outlook Anywhere
NTLM Authentication and Outlook Anywhere
Understanding Security for POP3 and IMAP4
Configuring SSL for POP3 and IMAP4 Clients
Configuring Authentication for POP3 and IMAP4
Understanding Security for Outlook Web Access
Authentication
Segmentation
Web Beacons
File and Data Access
Secure Sockets Layer
Configuring Segmentation for Outlook Web Access
Configuring Segmentation
Configuring File and Data Access for Outlook Web Access
WebReady Document Viewing
Direct File Access
Data Access Using Outlook Web Access
Configuring Web Beacon and HTML Form Filtering in Outlook Web Access
Controlling Web Beacon and HTML Form Filtering
Configuring Authentication for Outlook Web Access
Forms-Based Authentication
Standard Authentication Methods
Configuring SSL for Outlook Web Access
SSL Encryption and Outlook Web Access
Exchange 2007 Language Support
Supported Languages for Components and Features of Exchange 2007
Language Support for Client Applications
Unified Messaging
Outlook Web Access
Outlook Client Access
Language Support for Administrators
Supported Administrative Languages
Operating System Requirements for Localized Exchange Server 2007 Administrative Experience
.NET Framework 2.0 in Exchange 2007
Help Documents
Unified Messaging Language Pack Installation
Planning for Exchange 2007 Client Access Servers
This document provides an overview of planning considerations for deploying the Client Access server role on a computer that is running Microsoft Exchange Server 2007. The Client Access server role supports the Outlook Web Access, Outlook Anywhere, and Exchange ActiveSync client applications, in addition to the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) protocols. The Client Access server role also hosts several key services, such as the Autodiscover service and Exchange Web Services.
You must have the Client Access server role installed in every Active Directory site within your organization that contains an Exchange 2007 server that has the Mailbox server role installed. If your organization has only one Active Directory site, the Client Access server role must be installed on at least one computer within your Exchange organization.
Note:
You can install the Client Access server role on an Exchange 2007 computer that is running any other server roles except for the Edge Transport server role. You cannot install the Client Access server role on a computer that is installed in a cluster. Installation of a Client Access server in a perimeter network is not supported.
Overview of the Client Access Server Role Features
The Client Access server role manages client access to your Exchange 2007 server. The following client applications require the Client Access server role:
• Exchange ActiveSync: Users can establish a partnership between their Exchange server and their mobile device by using Exchange ActiveSync. Users can synchronize e-mail messages, contacts, tasks, and calendar data.
Note:
Exchange ActiveSync can synchronize messages in all the mail folders that are stored on the Exchange server, except for the Drafts and Outbox folders.
• Outlook Web Access: Users can access their Exchange mailbox data from a Web browser by using Office Outlook Web Access. The virtual directories for Outlook Web Access are stored on the Client Access server.
Note:
Outlook Web Access is not supported with Pocket Internet Explorer on a mobile device.
Note:
Outlook Web Access in Exchange 2007 is accessed by using the URL https://servername/owa. To access public folders through Outlook Web Access in Exchange 2007, use the URL https://servername/public. Outlook Web Access for earlier versions of Exchange is accessed through the URLs https://servername/exchange, https://servername/exchweb, and https://servername/public. If your users have mailboxes on an Exchange 2000 or Exchange 2003 server, they must use these legacy URLs.
• Microsoft Office Outlook: Although Office Outlook 2007 accesses Microsoft Exchange messaging data directly on the Mailbox server, it relies on the Client Access server role for such services as the Autodiscover service and the Availability service.
• Outlook Anywhere: Outlook can connect to your Exchange mailbox over the Internet without using a VPN connection to your internal network if you have enabled Outlook Anywhere. Outlook Anywhere was formerly known as RPC over HTTP.
• POP3 and IMAP4 Clients: If your users connect to Exchange 2007 by using a POP3 or IMAP4 client, their connections will pass through the Client Access server. When Exchange 2007 is installed, all required services for POP3 and IMAP4 are installed. However, they are disabled. To use POP3 or IMAP4 to connect to Exchange 2007, you must enable either the POP3 service or the IMAP4 service.
In addition to providing a connection point for client applications, the Client Access server role provides support for the following services:
• Autodiscover service: Exchange 2007 includes a new Microsoft Exchange service named the Autodiscover service. The Autodiscover service configures client computers that are running Outlook 2007. The Autodiscover service can also configure supported mobile devices. The Autodiscover service provides access to Microsoft Exchange features for Outlook 2007 clients that are connected to your Exchange messaging environment. The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients to automatically connect to Microsoft Exchange features, such as the offline address book, the Availability service, and Unified Messaging (UM). Additionally, these Exchange features must be configured correctly to provide external access for Outlook 2007 clients. For more information, see How to Configure Exchange Services for the Autodiscover Service.
• Exchange Web Services: Exchange Web Services provides the functionality to enable client applications to communicate with the Exchange server. Exchange Web Services provides access to much of the same data made available through Outlook. Exchange Web Services clients can integrate Outlook data into line-of-business (LOB) applications. LOB applications that use Exchange Web Services can use the Autodiscover service to obtain profile settings for a particular client.
Understanding the Differences Between a Front End Server and a Client Access Server
Earlier versions of Microsoft Exchange supported a front-end server within an organization. A computer that is running the Exchange 2007 Client Access server role is very different from an Exchange 2003 front-end server. In earlier versions of Microsoft Exchange, the front-end server accepted requests from clients and sent them to the appropriate back-end server for processing. This provided increased capacity for the number of concurrent client sessions within an organization and decreased the load on the back-end server that housed the mailboxes. A front-end server was frequently located in a perimeter network between the external and internal firewalls. One of the primary advantages to a front-end server was the ability to expose a single, consistent namespace when multiple back-end servers were present. Without a front-end server, Outlook Web Access users would have to know the name of the server that stored their mailbox. By including a front-end server, users could access a single URL for Outlook Web Access. The front-end server would proxy the user's request to the appropriate back-end server.
In Exchange 2007, the Client Access server role was designed specifically to optimize the performance of the Mailbox server role by handling much of the processing that previously occurred on back-end servers. Business logic processes, such as Exchange ActiveSync mailbox policies and Outlook Web Access segmentation, are now performed on the Client Access server instead of the Mailbox server. Because the Mailbox server role relies on the Client Access server role to handle incoming client connections, each Active Directory site that has a Mailbox server must also have a Client Access server. Both roles can run on one physical computer. If you have multiple Active Directory sites and want a single external URL for Outlook Web Access or Exchange ActiveSync, you must configure your Client Access servers for proxying.
An Exchange 2007 computer that is running the Client Access server role uses the Exchange RPC protocol to connect to the Mailbox server that it services. You must use a high-bandwidth and low-latency connection between the Client Access server and the Mailbox server. The minimum recommended bandwidth is 100 Mbps, but 1-Gbps connections should be considered for enterprise datacenters.
Planning Considerations for Exchange ActiveSync
Exchange ActiveSync is a Microsoft Exchange synchronization protocol that is optimized to work together with high-latency and low-bandwidth networks. Exchange ActiveSync is based on HTTP and XML and lets devices such as browser-enabled cellular telephones or Microsoft Windows Mobile powered devices access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile device users to access their e-mail, calendar, contacts, and tasks, and to continue to be able to access this information while they are working offline.
Note:
Exchange ActiveSync can synchronize e-mail messages, calendar items, contacts, and tasks. You cannot use Exchange ActiveSync to synchronize notes in Outlook.
When you deploy Exchange ActiveSync, consider the following issues:
• Exchange ActiveSync devices: There are several devices that support Exchange ActiveSync. These devices include Windows Mobile powered devices and other third-party devices. For more information about the devices that support Exchange ActiveSync, see Exchange ActiveSync Devices and Compatible Features.
• Device data plans: Exchange ActiveSync uses a process that is known as Direct Push to keep messaging data synchronized with mobile devices. With Direct Push, data is exchanged over cellular connections. If your users' data plans charge by the minute or the megabyte, the monthly cost can quickly escalate. To use Direct Push with Exchange ActiveSync, your users should have an unlimited data plan with their cellular carrier.
Note:
Direct Push does not work over a Wi-Fi Internet connection, such as an 802.11b connection. Direct Push works only over a cellular data connection.
• Exchange ActiveSync security: You should have a security plan in place when you deploy Exchange ActiveSync. We strongly recommend that you use Secure Sockets Layer (SSL) with Exchange ActiveSync. By default, when you install Exchange 2007, Exchange ActiveSync is enabled for your users. The Exchange ActiveSync virtual directory is configured to use Basic authentication with SSL. You can configure the Exchange ActiveSync virtual directory to use Integrated Windows authentication or certificate-based authentication.
In addition to configuring authentication, we recommend that you deploy Exchange ActiveSync mailbox policies to control a variety of settings for your mobile users and their devices. You can require a password, allow or block attachment downloads, require device encryption, specify the maximum number of failed passwords, and enable password recovery. For more information about Exchange ActiveSync mailbox policies, see Understanding Exchange ActiveSync Mailbox Policies.
• Migrating from Exchange Server 2003 to Exchange Server 2007: If you are migrating from Exchange Server 2003 to Exchange 2007, we recommend that you first upgrade your front-end servers to the Client Access server role. You must enable Integrated Windows authentication on the Exchange Server 2003 back-end server for Exchange ActiveSync to function correctly. After you migrate all front-end servers to Exchange 2007, you can migrate your back-end servers to Exchange 2007 Mailbox servers.
Planning Considerations for Outlook Web Access
Outlook Web Access uses an Internet browser to provide access to Exchange information. Outlook Web Access has a powerful, intuitive interface that resembles Outlook 2007 without the need to install Outlook 2007 on the computer. When you deploy your Exchange messaging infrastructure for Internet-based external access, users can use any computer in any location that has an Internet browser that supports HTML 3.2 and European Computer Manufacturers Association (ECMA) formats. Such browsers include Internet Explorer, Mozilla Firefox 1.8, Opera 7.54, Safari 1.2, and others.
Outlook Web Access supports most of the features found in Outlook 2007. By default, all client features are enabled. For more information about the client features that are available in Outlook Web Access, see Client Features in Outlook Web Access.
You may want to limit the features that are available to users through Outlook Web Access, depending on your organization's security and information management needs. For information about how to enable and disable features by using the Exchange Management Console and the Exchange Management Shell, see Managing Outlook Web Access.
Outlook Web Access for Exchange 2007 offers several enhancements in security. You can configure SSL on the Outlook Web Access virtual directory in addition to standard and forms-based authentication. You can configure the following authentication methods for Outlook Web Access by using the Exchange Management Console or the Exchange Management Shell:
Standard authentication methods: Standard authentication methods include Integrated Windows authentication, Digest authentication, and Basic authentication. For more information about how to configure standard authentication methods for Outlook Web Access, see Configuring Standard Authentication Methods for Outlook Web Access.
Forms-based authentication: Forms-based authentication creates a logon page for Outlook Web Access. Forms-based authentication uses cookies to store encrypted user logon credentials and password information. For more information about forms-based authentication, see Configuring Forms-Based Authentication for Outlook Web Access.
Note:
If you configure multiple authentication methods, IIS uses the most secure method first. IIS then searches the list of available authentication protocols, starting with the most secure, until it finds an authentication method that is supported by both the client and the server.
By default, when you install the Client Access server role on an Exchange 2007 server, four Outlook Web Access virtual directories are created in the default Internet Information Services (IIS) Web site on the Exchange server. By default, these virtual directories and the default Web site are configured to require SSL. For more information about how to configure SSL for Outlook Web Access, see How to Configure Outlook Web Access Virtual Directories to use SSL.
If you want to use SSL to help secure additional Outlook Web Access virtual directories or Web sites, you must do so manually. To configure a site to use SSL, you must obtain a certificate and configure the Web site or virtual directory to require SSL by using that certificate.
Planning Considerations for Outlook Anywhere
Outlook Anywhere enables users who are running Outlook 2007 or Outlook 2003 to connect to your Microsoft Exchange messaging infrastructure from the Internet by using the Outlook Anywhere networking technology.
After you install the Client Access server role on a computer that is running Exchange Server 2007, you can enable Outlook Anywhere for your organization by using the Enable Outlook Anywhere wizard on any Client Access server in your organization. We recommend that you enable at least one Client Access server for Outlook Anywhere access in each site that you manage.
Before you plan your Outlook Anywhere deployment, make sure that you have read the following:
Overview of Outlook Anywhere
Recommendations for Outlook Anywhere
Planning Considerations for POP3 and IMAP4
Exchange 2007 provides support for clients that use the POP3 and IMAP4 protocols. However, by default, the POP3 and IMAP4 services are not started in Exchange 2007. To use these protocols, you must first start the POP3 and IMAP4 services on the Client Access server.
Note:
There is no user interface in the Exchange Management Console for POP3 and IMAP4. To manage these protocols, you must use the Exchange Management Shell.
When you deploy Client Access servers to support POP3 and IMAP4 clients, there are physical limitations and security limitations if you use earlier versions of Microsoft Exchange, such as Exchange Server 2003. The main physical limitation in deploying POP3 and IMAP4 is that cross-site communication between Client Access servers and Mailbox servers in separate Active Directory sites is not supported. You must make sure that clients are connecting to the Client Access server that is located in the same site as the Mailbox server that contains their mailbox.
Planning Considerations for Exchange 2007 Web Services
An Exchange 2007 Client Access server supports two Web services: Exchange Web Services and the Autodiscover service.
Exchange Web Services provides access to:
Free/busy information, meeting suggestions, and Out of Office functionality.
Calendar, e-mail, contact, folder, and task items in a user's mailbox.
Notifications about events that occur in a user's mailbox.
Synchronization features to synchronize clients with the associated mailbox.
Ambiguous name resolution.
Distribution list expansion.
The Autodiscover service enables clients such as Outlook, custom applications, and some mobile devices to obtain settings for a variety of services such as the Availability service, Unified Messaging, and the offline address book (OAB). Clients try to connect to the Autodiscover service through two URLs that are based on the user's SMTP address. The two URLs are as follows:
https://autodiscover.<domain>/autodiscover/autodiscover.xml
https://<domain>/autodiscover/autodiscover.xml
Outlook submits an XML request that includes the user's e-mail address. The Autodiscover service returns configuration information about the user in addition to the URLs and settings that are used to connect to various services. Exchange Web Services also provides a developer API for customers and partners to write their own custom applications. These custom applications can then interact with Exchange mailbox data.
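
The Autodiscover lookup described above, as an added example that is not code from the original document: it derives the two Autodiscover URLs from a user's SMTP address, in the order the text lists them, and builds the XML request body that carries the e-mail address, without making any network connection. The function names, the sample address and the schema namespace strings are assumptions added for illustration and do not appear in the text above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces of the Outlook Autodiscover request and response schemas
# (assumption: supplied for this example, not quoted in the document).
REQUEST_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

# Conservative host-name check: dot-separated labels of letters, digits, hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(r"^" + _LABEL + r"(?:\." + _LABEL + r")+$")


def smtp_domain(address):
    """Return the lower-cased domain of an SMTP address, or raise ValueError.

    Rejecting anything that is not a plain host name keeps characters such as
    '/' or '?' from changing the URL that is built from the address.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or "@" in local or not _DOMAIN_RE.match(domain):
        raise ValueError("not a usable SMTP address: %r" % (address,))
    return domain.lower()


def autodiscover_urls(address):
    """The two URLs from the text, in the order the text lists them."""
    domain = smtp_domain(address)
    return [
        "https://autodiscover.%s/autodiscover/autodiscover.xml" % domain,
        "https://%s/autodiscover/autodiscover.xml" % domain,
    ]


def certificate_host_names(address):
    """Host names a client contacts over HTTPS for this address.

    A server that answers on one of these names needs an SSL certificate
    that is valid for that name.
    """
    return [urlsplit(url).hostname for url in autodiscover_urls(address)]


def build_request(address):
    """Build the XML request body that includes the user's e-mail address."""
    smtp_domain(address)  # validate before anything is serialized
    ET.register_namespace("", REQUEST_NS)
    root = ET.Element("{%s}Autodiscover" % REQUEST_NS)
    request = ET.SubElement(root, "{%s}Request" % REQUEST_NS)
    ET.SubElement(request, "{%s}EMailAddress" % REQUEST_NS).text = address.strip()
    ET.SubElement(request, "{%s}AcceptableResponseSchema" % REQUEST_NS).text = RESPONSE_NS
    return ET.tostring(root, encoding="unicode")


def request_email_address(body):
    """Parse a request body and return the e-mail address it carries."""
    path = "{%s}Request/{%s}EMailAddress" % (REQUEST_NS, REQUEST_NS)
    return ET.fromstring(body).find(path).text


if __name__ == "__main__":
    sample = "kim@contoso.com"  # constructed sample address
    for url in autodiscover_urls(sample):
        print(url)
    print(build_request(sample))
```
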
Security Planning for Client Access Servers
There are many factors to consider when you plan a secure messaging environment. Factors such as e-mail attachments and access to internal and external corporate data make it important to consider multiple security precautions before you deploy your messaging environment. We recommend that you use SSL encryption for all Client Access features, including Outlook Web Access and Outlook Anywhere. Additionally, we recommend that you select an authentication method such as Integrated Windows authentication, instead of Basic authentication. Basic authentication transmits user names and passwords in clear text. Choosing an alternative authentication method increases the security of your communications. You can customize each Client Access feature to use different security mechanisms.
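
Why Basic authentication depends on SSL, as an added example that is not code from the original document: the Authorization header that Basic authentication sends is only Base64-encoded, so it decodes back to the user name and password, and the audit function flags virtual directories that allow Basic authentication without requiring SSL. The header, account, password, inventory records, field names and severity labels are constructed for illustration and are not output of any Exchange tool.

```python
import base64
import binascii


def decode_basic_authorization(header_value):
    """Return (user, password) from a 'Basic <base64>' Authorization value.

    No key is involved: Base64 is an encoding, not encryption, which is why
    the credentials are only as private as the connection that carries them.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' between user name and password")
    return user, password


# Constructed sample header for a made-up account.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"CONTOSO\\kim:Example-Passw0rd").decode("ascii")

# Constructed inventory of virtual directories (hypothetical field names).
SAMPLE_VDIRS = [
    {"name": "Microsoft-Server-ActiveSync", "auth": ["Basic"], "require_ssl": True},
    {"name": "owa", "auth": ["Forms"], "require_ssl": True},
    {"name": "legacy-app", "auth": ["Basic", "IntegratedWindows"], "require_ssl": False},
    {"name": "internal-ews", "auth": ["IntegratedWindows"], "require_ssl": False},
]


def audit_virtual_directories(vdirs):
    """Return (name, severity, reason) findings for each risky configuration."""
    findings = []
    for vdir in vdirs:
        methods = {m.lower() for m in vdir["auth"]}
        if not vdir["require_ssl"]:
            if "basic" in methods:
                findings.append((vdir["name"], "HIGH",
                                 "Basic authentication allowed without SSL"))
            else:
                findings.append((vdir["name"], "MEDIUM",
                                 "SSL not required for a Client Access feature"))
        elif methods == {"basic"}:
            findings.append((vdir["name"], "INFO",
                             "Basic only; SSL is the sole protection for credentials"))
    return findings


if __name__ == "__main__":
    print(decode_basic_authorization(SAMPLE_HEADER))
    for finding in audit_virtual_directories(SAMPLE_VDIRS):
        print(finding)
```
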
One method to help you make your messaging environment more secure is to deploy an advanced firewall server solution such as Microsoft Internet Security and Acceleration (ISA) Server 2006. ISA Server 2006 helps provide an additional level of security and can also enhance client functionality through new features that are designed for Exchange 2007 and ISA Server 2006. For more information about how to use ISA Server 2006 together with Exchange 2007, see Configuring ISA Server 2006 for Exchange Client Access.
Sizing Client Access Servers
In Microsoft Exchange Server 2007, the sizing of Client Access servers is performed differently from the sizing of front-end servers in previous versions of Exchange. The architecture changes in Exchange 2007 have moved most of the client-specific functions from the Mailbox server to the Client Access server. For more information about the functions and features provided by the Client Access server, see Client Access.
In Exchange 2007, messages are converted on the Client Access server when they are accessed by a non-MAPI client (for example, Internet Message Access Protocol 4 (IMAP4) or Post Office Protocol 3 (POP3) clients). In addition, rendering for Microsoft Outlook Web Access is performed on the Client Access server, as opposed to the Microsoft Exchange Information Store service, which rendered Outlook Web Access in previous versions of Exchange.
The Client Access server also offloads many stateless tasks from the Mailbox server (assuming the roles are installed on different physical servers), and provides a unified namespace so that users need only point to a single name regardless of which Mailbox server hosts their mailboxes. In addition to the Internet protocols, such as IMAP4, POP3, and HTTP, the Client Access server also provides Outlook Anywhere (formerly known as RPC over HTTP), ActiveSync, Autodiscover, Availability service (which includes all free/busy information in topologies that do not use public folders), and Web services. These architectural changes allow the Client Access server to offload significant processing from the Mailbox server.
General Sizing Recommendations
In general, memory utilization on Client Access servers has a linear relationship with the number of client connections and the transaction rate. Based on the current recommendations for processor and memory configurations detailed in Planning Processor and Memory Configurations, a Client Access server will be balanced in terms of memory and processor utilization, and it will become processor-bound at approximately the same time it becomes memory-bound.
The Client Access server can be affected by processor, memory, and network bottlenecks, yet it has a small disk input/output (I/O) footprint. Simple Mail Transfer Protocol (SMTP) traffic, a potential disk I/O consideration in front-end servers running Exchange Server 2003 and Exchange 2000 Server, is now associated exclusively with the Hub Transport servers and Edge Transport servers.
For the majority of Exchange 2007 deployments, 4 GB of memory (1 GB per processor core) is sufficient and recommended for Client Access servers. Large-scale deployments, especially those with Outlook Anywhere as the primary client access method, should consider using 2 GB per processor core. The recommended maximum amount of memory for a Client Access server is 8 GB. We also recommend that in each Active Directory directory service site in which you deploy Mailbox servers, you deploy at least one Client Access server processor core for every four Mailbox server processor cores that you deploy. For example, if you deploy eight Mailbox servers in an Active Directory site, and each Mailbox server contains four processor cores (for a total of 32 Mailbox server processor cores), you should deploy at least eight Client Access server processor cores, which could be deployed as two Client Access servers with four processor cores each, or four Client Access servers with two processor cores each.
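
The sizing rules above, as an added example that is not part of the original document: it applies the one-to-four core ratio, the per-core memory figures and the 8 GB maximum to one Active Directory site and compares server layouts. The function names and the decision to round up when the core counts do not divide evenly are assumptions made for this example.

```python
import math

MAILBOX_CORES_PER_CAS_CORE = 4   # at least one CAS core for every four Mailbox cores
GB_PER_CORE_TYPICAL = 1          # majority of deployments
GB_PER_CORE_LARGE_SCALE = 2      # large scale, Outlook Anywhere as primary access method
MAX_GB_PER_CAS_SERVER = 8        # recommended maximum memory per Client Access server


def plan_site(mailbox_servers, cores_per_mailbox_server, cores_per_cas_server,
              large_scale=False):
    """Size the Client Access servers for one Active Directory site."""
    if min(mailbox_servers, cores_per_mailbox_server, cores_per_cas_server) < 1:
        raise ValueError("server and core counts must be positive")
    mailbox_cores = mailbox_servers * cores_per_mailbox_server
    # Assumption: round up, because the guidance is stated as a minimum.
    min_cas_cores = math.ceil(mailbox_cores / MAILBOX_CORES_PER_CAS_CORE)
    cas_servers = math.ceil(min_cas_cores / cores_per_cas_server)
    gb_per_core = GB_PER_CORE_LARGE_SCALE if large_scale else GB_PER_CORE_TYPICAL
    wanted_gb = cores_per_cas_server * gb_per_core
    return {
        "mailbox_cores": mailbox_cores,
        "min_cas_cores": min_cas_cores,
        "cas_servers": cas_servers,
        "deployed_cas_cores": cas_servers * cores_per_cas_server,
        "memory_gb_per_cas_server": min(wanted_gb, MAX_GB_PER_CAS_SERVER),
        # True when the per-core figure asks for more than the stated maximum.
        "memory_capped": wanted_gb > MAX_GB_PER_CAS_SERVER,
    }


def compare_layouts(mailbox_servers, cores_per_mailbox_server,
                    cas_core_options=(2, 4), large_scale=False):
    """Plan the same site once per candidate Client Access server core count."""
    return {
        cores: plan_site(mailbox_servers, cores_per_mailbox_server, cores, large_scale)
        for cores in cas_core_options
    }


if __name__ == "__main__":
    # The worked example from the text: eight Mailbox servers, four cores each.
    for cores, plan in compare_layouts(8, 4).items():
        print(cores, "cores per CAS server:", plan)
```
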
Reference Architecture Analysis
This reference architecture analysis is provided for informational purposes only. It is based on preliminary testing of metrics in the environment at Microsoft. This section and this reference architecture will be updated after additional testing, modeling, and analysis has been completed.
When seeking best practices for Microsoft products and solutions, decision makers frequently ask about experiences in using them within Microsoft. Microsoft information technology (IT) not only provides traditional IT functions for the company, but also acts as the company's first customer for each new server and business productivity software release. Because Microsoft IT requirements are among the most challenging in the world, the methods Microsoft IT employed and the lessons it learned from the Microsoft reference architecture should provide highly meaningful guidance for customers who will deploy Exchange 2007 in their own environment.
To develop a suitable Exchange 2007 architecture, Microsoft IT needed to determine the processor, memory, and network usage using a client access-based methodology. This reference architecture section discusses how the data was collected by Microsoft IT, and the underlying impact each client access method has on the Client Access server role. Specifically, the following Client Access server services were analyzed to develop the Microsoft Client Access server architecture:
Outlook Web Access
Exchange ActiveSync
Outlook Anywhere
Exchange Web Services
Client Access Server Performance Metrics Gathered by Microsoft IT
The following metrics for client access methods and client-related services that reside on the Client Access servers were collected within the Microsoft IT environment:
Processor load per user and per protocol
Memory load per user and per protocol
Disk utilization per server and per protocol
Network utilization per server and per protocol
The traffic measured reflected only traffic originating from the Internet. Internal traffic and load patterns were not analyzed as part of the development of the Microsoft Client Access server architecture.
Client Access Server Methodologies and Services
Client deployment at Microsoft is progressively moving toward a predominately Outlook 2007 user base. Outlook 2007 is the primary load generating client for a number of Exchange services, including Autodiscover and Exchange Web Services in particular. No attempt was made to model behaviors for earlier clients such as Outlook 2003 or to distinguish the load generated between different client versions.
Outlook Anywhere
Outlook Anywhere is a critical component of the mobility deployment and a commonly used mobile protocol at Microsoft. The move to a 64-bit architecture enables greater scalability than 32-bit versions of Exchange. Higher ratios of Outlook Anywhere clients to Client Access servers can also be achieved than was possible on 32-bit systems. In addition, because Outlook 2007 uses fewer Secure Sockets Layer (SSL) connections per client than Outlook 2003, as Microsoft continues to deploy Outlook 2007, the number of required connections per client will decrease.
Outlook Web Access
Outlook Web Access generates a significant load on the Client Access servers in production today. However, because Microsoft is primarily deployed on Exchange 2007, little interoperability with Exchange 2003 occurs. Microsoft has a small set of users remaining on Exchange 2003 (approximately 400 users). Therefore, the cost for interoperability with Exchange 2003 and costs for using proxies with Outlook Web Access were not evaluated as part of the Microsoft Client Access server architecture. Internal testing shows that proxy scenarios are generally lighter in load, and Microsoft typically sees orders of magnitude increases in the number of clients supported per Client Access server.
Exchange ActiveSync
Internal testing has shown that Exchange ActiveSync is the heaviest load generator on a Client Access server at Microsoft. On each Client Access server providing Exchange ActiveSync, Microsoft monitored server performance using several tools, including Performance Monitor (also known as System Monitor), Internet Information Services (IIS) log files, and Microsoft Exchange Server User Monitor (Exmon.msi). When analyzing Exchange ActiveSync performance in your organization, be aware that network usage patterns may vary substantially between internal and external traffic.
Exchange Web Services
Exchange Web Services is also a heavy load generator on a Client Access server. Among other functions, Exchange Web Services is used by Outlook 2007 and Outlook Web Access in Exchange 2007 to gather availability information and out-of-office information.
On each Client Access server providing Exchange Web Services, Microsoft monitored server performance using several tools, including Performance Monitor and the IIS log files.
Offline Address Books and Autodiscover
The performance impact of offline address books (OABs) and the Autodiscover service was not considered as part of the development of the Microsoft Client Access server architecture. However, additional testing may be performed to analyze the performance impact of these features.
Client Usage Statistics
To make predictive measurements based on the number of mailboxes in a specific deployment, an understanding of protocol usage is needed. This ratio is called concurrency. Table 1 lists the concurrency data gathered from the Microsoft internal deployment.
Table 1 Client concurrency at Microsoft
| Client protocol | Six month average | Protocol or mailbox percentage |
| --- | --- | --- |
| Exchange ActiveSync | 33,643 | 27.21% |
| Outlook Web Access | 70,983 | 57.42% |
| Outlook Anywhere | 65,404 | 52.90% |
| Total number of mailboxes | 123,629 | 100% |
As with all large organizations, Microsoft needs to design its Client Access server architecture to be able to handle peak loads per protocol and any additional peak scenarios. Trending analysis of the Microsoft internal deployment also shows mobile device usage rising over time, with especially rapid growth in Outlook Anywhere traffic.
Summary of Findings of the Analysis of the Environment at Microsoft
The general findings from the analysis of the Microsoft internal deployment are described by client access method and protocol later in this section. A select group of Client Access servers was used to analyze performance. Table 2 details the specifications of the selected Client Access servers that were used for the tests described in this section.
Table 2 Client Access server specifications
| Model | CPU information | CPU count and core per CPU | Core count | Memory | Network |
| --- | --- | --- | --- | --- | --- |
| HP ProLiant DL385 G1 | AMD Opteron Model 275 2.2 gigahertz (GHz), 1 megabyte (MB) L2 dual-core | 2 and 2 | 4 | 4 GB | HP NC7782 Gigabit Server Adapter |
Specific performance objects, counters, and instances were collected during peak load and other observation times. In addition to the specific counters listed in tables in the following sections, processor, memory, network, and disk performance counters were also collected and factored into the overall analysis. For more information, see "Recommended Performance Counters" later in this section.
Table 3 shows the peak loads that were observed, measured in terms of requests per second and number of concurrent users, and the number of users that each Client Access server is sized to support.
Table 3 Peak load and user count summary
| Services used | Load at peak | Supported users per Client Access server |
| --- | --- | --- |
| Outlook Web Access only | 70 requests per second; 4,500 concurrent users | 18,000 |
| Multiple services: 25% Exchange ActiveSync, 5% Outlook Web Access, 70% Outlook Anywhere | Exchange ActiveSync: 5 requests per second, 500 concurrent users; Outlook Web Access: 20 requests per second, 100 concurrent users; Outlook Anywhere: 40 requests per second, 1,400 concurrent users | Exchange ActiveSync: 500; Outlook Web Access: 2,140; Outlook Anywhere: 1,980 |
Note:
All scenarios include an additional load resulting from the use of Exchange Web Services, as well as the use of the Availability service by clients. In the multiple services scenario, four Exchange Web Services or Availability service requests per second were observed. This load includes Outlook clients on the internal network.
Outlook Anywhere
A select group of Client Access servers was used to analyze Outlook Anywhere performance. Microsoft measured the total number of Web connections on each server to determine peak loads, as well as the number of connection attempts per second (sec). Table 4 lists the performance object, counter, and instance used to measure these values.
Table 4 Values to use when measuring Outlook Anywhere connections
| Object | Counter | Instance | Description |
| --- | --- | --- | --- |
| Web service | Current Connections | _Total | The current number of connections established with the Web service. |
| Web service | Connection Attempts/sec | _Total | The rate at which connections to the Web service are being attempted. |
Table 5 provides details about the collected values for the preceding load-indicating performance counters for three of the Client Access servers used to analyze Outlook Anywhere performance.
Table 5 Unique Outlook Anywhere users per server during a peak one-hour period
| Server | Unique users | Connection attempts per second | Current connections |
| --- | --- | --- | --- |
| CAS1 | 3,978 | 43.7 | 24,443 |
| CAS2 | 2,988 | 36.1 | 21,823 |
| CAS3 | 4,065 | 35.2 | 22,083 |
After analyzing the collected data, it was found that processor utilization was not significantly affected by user load for Outlook Anywhere. Overall processor utilization was stable at approximately 24 percent at peak load. Lsass.exe and the worker process (W3wp.exe) hosting the service were the primary processor load generators and showed good correlation with total CPU utilization. Lsass.exe and W3wp.exe also showed the highest memory load, with Lsass.exe showing significantly higher memory usage than any other process. No indications of network bottlenecks were detected, and no significant disk activity beyond logging and paging was observed.
Outlook Web Access
A select group of Client Access servers was used to analyze Outlook Web Access performance. On the test servers, 90 percent of the users ran the Premium version of Outlook Web Access, and 10 percent of the users ran the Light version. Web browser distribution was not examined, but that is not expected to significantly affect usage patterns beyond determining which clients can make use of the Premium version. Table 6 details the values of the load-indicating performance counters under the MSExchange OWA performance object that were measured on the Client Access servers.
Table 6 Performance data collected for Outlook Web Access
| Performance counter | Average value |
| --- | --- |
| Average Response Time | 133 milliseconds (ms) |
| Logons/sec | .597 |
| Request/sec | 26.9 |
| Average Search time | 275 ms |
| Message sent/sec | .4 |
After analyzing the collected data, it was found that CPU utilization averaged 24.168 percent, with a maximum spike of 44.7 percent, indicating no CPU bottlenecks. On a per-process basis, the W3wp.exe process hosting the services was the primary load generator, averaging 70.7 percent CPU utilization. Occasional spikes were seen in the transcoding service and other peripherally related processes. However, these increases were limited in duration, and did not appear to significantly affect the server. An average of 10.7 pages per second was measured, with an average of 842.7 page faults per second. This indicates some paging activity to disk. However, this is well within normal operational parameters and does not indicate abnormal memory pressure. As expected, the W3wp.exe process hosting the server had the highest memory working set. No indications of any network or disk bottlenecks were found, and overall, no indication of any disk I/O activity beyond normal operations was observed. Finally, it was determined that a single Client Access server was capable of supporting the entire user load.
Exchange ActiveSync
A select group of Client Access servers was used to analyze Exchange ActiveSync performance. Table 7 details the values of the load-indicating performance counters under the MSExchange ActiveSync performance object that were measured on the Client Access servers.
Note:
The Average Request Time counter also includes Ping Request Time, which significantly increases Average Request Time values. As a result, the Average Request Time counter is not a good indicator of general response times.
Table 7 Performance data collected for Exchange ActiveSync
| Performance counter | Value |
| --- | --- |
| Average Request Time | 104.7 sec |
| Ping Commands Pending | 2031.9 |
| Requests/sec | 18.8 |
| Sync Commands/sec | 7.5 |
After analyzing the collected data, it was found that the peak load was 2,129 concurrent users averaging 18.8 requests per second. During peak loads, the Client Access servers averaged 36.1 percent CPU utilization, and had a peak value of 68.8 percent, indicating no significant CPU bottlenecks. The W3wp.exe process hosting the service was the primary load generator. An average of 110 pages per second was measured with an average of 730.3 page faults per second. This indicates some paging activity was occurring. However, this is well within normal operational parameters and does not indicate abnormal memory pressure. As expected, the W3wp.exe process hosting the service had the highest memory working set. No indications of any network or disk bottlenecks were found, and overall, no indication of any disk I/O activity beyond normal operations was observed.
Exchange Web Services
A select group of Client Access servers was used to analyze Exchange Web Services performance. Table 8 details the values of the load-indicating performance counters under the MSExchangeWS and MSExchange Availability Service performance objects that were measured on the Client Access servers.
Note:
Because Exchange Web Services requests come from two sources, Outlook 2007 and the internal, automated processes that use Web service APIs, and because the Outlook 2007 Web service load on the server is a function of the amount of calendaring requests being made, no attempt was made to isolate the load in terms of number of users. Most requests from Outlook 2007 come in the form of availability requests. Because there are few ways to distinguish the load difference between these requests, the Exchange Web Services are examined as a whole, and only limited attempts were made to quantify the load as a direct result of availability requests. Finally, it should be noted that any availability request that exceeds 25 seconds is considered a failure. In all cases, the value of the Average Response Time counter of the MSExchange Availability Service object must be significantly lower than 25 seconds, and any transient peaks exceeding 25 seconds should be examined as a performance bottleneck.
Table 8 Performance data collected for Exchange Web Services
| Performance object and counter | Value |
| --- | --- |
| MSExchangeWS - Requests/sec | 0.2 |
| MSExchangeWS - Average Response Time | 0.9 |
| MSExchange Availability Service - Average Time to Process a Free Busy Request | 0.2 |
| MSExchange Availability Service - Availability Requests (sec) | 2.5 |
After analyzing the collected data, it was found that during peak loads, the Client Access servers averaged 10.7 percent total CPU utilization, with a peak value of 31.7 percent, indicating no significant CPU bottlenecks. The W3wp.exe process hosting the service was the major load generator. An average of 19.9 pages per second was measured with an average of 414.7 page faults per second. This indicates some paging activity was occurring. However, this is well within normal operational parameters and does not indicate abnormal memory pressure. As a result of the light load applied to the Web service, the working set of the W3wp.exe process hosting the service was not the largest value observed. However, because the memory pressure on the computer was light, it is assumed that this is a valid representational value. No indications of any network or disk bottlenecks were found, and overall, no indication of any disk I/O activity beyond normal operations was observed.
Overall Reference Architecture Results
Table 9 details the overall results from the testing and analysis of the Client Access server reference architecture at Microsoft.
Table 9 Processor and memory utilization by client access protocol
| Client access | SpecInt per user | SpecInt per request per second | Megabytes per user | Megabytes per request per second |
| --- | --- | --- | --- | --- |
| Outlook Anywhere | 0.0055 | Not applicable | 0.5 | Not applicable |
| Outlook Web Access | 0.02 | 0.6 | 0.9 | 36.8 |
| Exchange ActiveSync | 0.01 | 1.3 | 0.7 | 79.3 |
| Exchange Web Services | Not applicable | 3 | Not applicable | 208.3 |
Note:
Ratings available at Standard Performance Evaluation Corporation may be used to rationalize unlike processors or server configurations. The third-party Web site information in this section is provided to help you find the technical information you need. The URLs are subject to change without notice.
Recommended Performance Counters
When sizing and monitoring Client Access servers, we recommend using several performance counters. Table 10 lists the recommended performance objects and counters.
Table 10 Recommended performance objects, counters, and instances for sizing and monitoring Client Access servers
| Performance object | Performance counter | Instance |
| --- | --- | --- |
| LogicalDisk | Avg. Disk sec/Read | All disks and _Total |
| LogicalDisk | Avg. Disk sec/Transfer | All disks and _Total |
| LogicalDisk | Avg. Disk sec/Write | All disks and _Total |
| LogicalDisk | Disk Reads/sec | All disks and _Total |
| LogicalDisk | Disk Transfers/sec | All disks and _Total |
| LogicalDisk | Disk Writes/sec | All disks and _Total |
| Memory | Available MBytes | Not applicable |
| Memory | Pages/sec | Not applicable |
| MSExchange ActiveSync | Current Request | Not applicable |
| MSExchange ActiveSync | PID | Not applicable |
| MSExchange ActiveSync | Ping Commands Pending | Not applicable |
| MSExchange ActiveSync | Average Request Time | Not applicable |
| MSExchange ActiveSync | Request/sec | Not applicable |
| MSExchange ActiveSync | Sync Commands/sec | Not applicable |
| MSExchange OWA | MSExchangeOWA\Average Response Time | Not applicable |
| MSExchange OWA | PID | Not applicable |
| MSExchange OWA | MSExchangeOWA\Average search Time | Not applicable |
| MSExchange OWA | Current Unique Users | Not applicable |
| MSExchange OWA | Request/sec | Not applicable |
| MSExchangeAutodiscover | Process ID | Not applicable |
| MSExchangeUMClientAccess | PID | Not applicable |
| MSExchangeUMClientAccess | Average Response Time | Not applicable |
| MSExchangeWS | Process ID | Not applicable |
| MSExchangeWS | Requests/sec | Not applicable |
| Process | % Processor Time | Lsass.exe, W3wp.exe |
| Process | ID Process | Not applicable |
| Process | Pool Nonpaged Bytes | Not applicable |
| Process | Pool Paged Bytes | Not applicable |
| Process | Working Set | Not applicable |
| Processor | % Processor Time | _Total |
| Web Service | Connection Attempts/sec | _Total |
| Web Service | Current Connections | Not applicable |
| Web Service | Other Request Methods/sec | Not applicable |
| MSExchange Availability Service | Availability Requests (sec) | Not applicable |
| MSExchange Availability Service | Average Time to Process a Free Busy Request | Not applicable |
Client Access
In Microsoft Exchange Server 2007, there are five server roles that you can install and then configure on a computer that is running Microsoft Windows Server 2003. This section provides an overview of the Client Access server role. The Client Access server role supports the Microsoft Office Outlook Web Access and Microsoft Exchange ActiveSync client applications, and the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) protocols. The Client Access server role also provides access to free/busy data by using the Availability service and enables clients that are running Microsoft Outlook 2007 and certain mobile operating systems to download automatic configuration settings from the Autodiscover service.
The Client Access server role accepts connections to your Exchange 2007 server from a variety of different clients. Software clients such as Microsoft Outlook Express and Eudora use POP3 or IMAP4 connections to communicate with the Exchange server. Hardware clients, such as mobile devices, use ActiveSync, POP3, or IMAP4 to communicate with the Exchange server. You must install the Client Access server role in every Exchange organization.
For more information about the new client features in Exchange Server 2007, see New Client Functionality.
Outlook Web Access
Outlook Web Access in Exchange Server 2007 lets you access your e-mail from any Web browser. Outlook Web Access has been redesigned in Exchange 2007 to enhance the user experience and productivity in many ways. New features, such as smart meeting booking, Microsoft Windows SharePoint Services and Windows file share integration, and improvements in reminders and the address book give you a rich user experience from any computer that has a Web browser. There are two versions of Outlook Web Access included in Exchange Server 2007: the full-featured Outlook Web Access Premium client and the new Outlook Web Access Light client. Outlook Web Access Light is designed to optimize your Outlook Web Access experience for mobile devices, slower connections, and browsers other than Internet Explorer.
7or more information about 5utloo3 -eb Access( see the follo'ing:
Managing 5utloo3 -eb Access
5#er#ie' of 5utloo3 -eb Access
Exchange ActiveSync

Exchange ActiveSync lets you synchronize data between your mobile device and Exchange 2007. You can synchronize e-mail, contacts, calendar information, and tasks. Devices that run Microsoft Windows Mobile software, including Windows Mobile powered Pocket PC 2002, Windows Mobile powered Pocket PC 2003, and Windows Mobile 5.0, are all supported.

If you use a device that has Windows Mobile 5.0 and the Messaging Security and Feature Pack (MSFP) installed, your mobile device will support Direct Push. Direct Push is a technology that is built into Exchange ActiveSync that keeps a mobile device continuously synchronized with an Exchange mailbox.

For more information about Exchange ActiveSync, see the following:
- Overview of Exchange ActiveSync
- Deploying Exchange ActiveSync
- Managing Exchange ActiveSync

POP3 and IMAP4

In addition to supporting MAPI and HTTP clients, Exchange Server 2007 also supports POP3 and IMAP4 clients. By default, POP3 and IMAP4 are installed but the services are disabled when you install the Client Access server role.

For more information about POP3 and IMAP4, see the following:
- How to Start and Stop the POP3 Service
- How to Start and Stop the IMAP4 Service

The Availability Service

The Exchange 2007 Availability service improves free/busy data access for information workers by providing secure, consistent, and up-to-date free/busy data to computers that are running Microsoft Office Outlook 2007. Outlook 2007 uses the Autodiscover service to obtain the URL of the Availability service. The Autodiscover service resembles the Domain Name System (DNS) Web service for Outlook 2007. Essentially, the Autodiscover service helps Outlook 2007 locate various Web services, such as the Microsoft Exchange Unified Messaging, Offline Address Book, and Availability services.

For more information about the Availability service, see the following:
- Managing the Availability Service

The Autodiscover Service

The Autodiscover service enables Outlook clients and some mobile devices to receive their necessary profile settings directly from the Exchange server by using the client's domain credentials. These settings automatically update the client with the information that is needed to create the user's profile.

For more information about the Autodiscover service, see the following:
- Overview of the Autodiscover Service
- Understanding Exchange ActiveSync Autodiscover
- Managing the Autodiscover Service

New Client Functionality

Many client-side improvements in features and functionality are included in Microsoft Exchange 2007 Unified Messaging. The new features include the Outlook Web Access client that has Unified Messaging configuration pages, Outlook Voice Access for subscriber access, a voice mail client for Microsoft Office Outlook 2007, and an improved Outlook experience on mobile devices. This section provides information about the new and improved client features that are included in Exchange 2007 Unified Messaging.

Microsoft Exchange 2007 also includes several feature and functionality improvements for the information worker. These include improvements and enhancements to calendaring and messaging records management.

Unified Messaging

Unified Messaging is new to the Microsoft Exchange product family. Unified Messaging enables Exchange 2007 recipients to store e-mail, voice mail, and fax messages in one Inbox. Several client-side features are available to recipients who are enabled for Unified Messaging. For more information about the new Unified Messaging client features, see Client Features in Unified Messaging.

Note:
When you are using Microsoft Exchange ActiveSync on a mobile device, you can open a voice message in your mailbox and listen to the attached .wma file that contains the voice message. The advanced Unified Messaging features found in the premium version of Outlook Web Access, such as the voice mail configuration options, are unavailable in Outlook Web Access Light.

Caution:
When you are using Outlook Web Access Light and Pocket Internet Explorer on a mobile device, you may be able to listen to a voice message by using the .wma attachment that is described in Client Features in Unified Messaging. However, this configuration is not supported.

Outlook Web Access

Outlook Web Access in Exchange 2007 has been redesigned to enhance the end-user experience and productivity. Outlook Web Access includes many new features and improvements that are not found in earlier versions of Microsoft Exchange. Features such as smart meeting booking, Windows SharePoint Services and Windows file shares integration, and the ability to manage mobile devices are now available. Outlook Web Access also includes improvements in search, reminders, the Outlook Web Access address book, and other messaging options.

For more information about the new client features found in Outlook Web Access, see Client Features in Outlook Web Access.

Exchange ActiveSync and Mobility

Exchange 2007 offers a significantly improved Outlook user experience on mobile devices. It also includes improved security and better mobile device management. No additional software or outsourcing fees are necessary to access data from a mobile device by using Exchange ActiveSync. For more information about the new client features found in Exchange ActiveSync, see Client Features In Exchange ActiveSync.

Calendaring

The improved calendaring feature in Exchange 2007 helps resolve reliability issues, enhances the scheduling process, and encourages more sharing of calendar information. Overall, these improvements make Microsoft Exchange and Outlook calendaring a more reliable and efficient tool for time management.

Cached Exchange Mode

You can configure the clients on your network that are using earlier versions of Outlook and Outlook 2007 to use Cached Exchange Mode with Exchange 2007. However, Exchange 2007 provides a new notification mechanism for Outlook 2007 clients that enables the clients that are running in Cached Exchange Mode to start downloading new messages more quickly than with earlier versions of Microsoft Exchange.

Messaging Records Management

To comply with legal, regulatory, or business process requirements, many organizations must process, filter, modify, and journal (forward) e-mail messages that are transferred to and from their organization and the Internet and between people in the organization. Administrators can use the messaging records management features in Exchange 2007 to help users and organizations keep the messages they need for business or legal reasons and to discard messages that they do not have to keep. This is done by using managed folders. Managed folders are folders in the user's mailbox to which retention policies have been applied. The administrator or the user puts these managed folders in the user's mailbox, and then the user sorts messages into the managed folders according to organization policy. Messages included in these managed folders are periodically processed according to the retention policies. When a message reaches a retention limit, it can be journaled, deleted, moved to another folder, or marked as past its retention date.

For More Information

- For more information about Exchange 2007 Unified Messaging, see Unified Messaging.
- For more information about Exchange 2007 Outlook Web Access, see Overview of Outlook Web Access.
- For more information about Exchange 2007 mobility and Exchange ActiveSync, see Overview of Exchange ActiveSync.
- For more information about new and improved information worker functionality, see New Information Worker Functionality.

Overview of Exchange ActiveSync

By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, you enable Microsoft Exchange ActiveSync. Exchange ActiveSync lets you synchronize a mobile device with your Exchange 2007 mailbox.

Overview of Exchange ActiveSync

Exchange ActiveSync is a Microsoft Exchange synchronization protocol that is optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets devices such as browser-enabled cellular telephones or Microsoft Windows Mobile™ powered devices access an organization's information on a server that is running Microsoft Exchange. Exchange ActiveSync enables mobile device users to access their e-mail, calendar, contacts, and tasks and to continue to be able to access this information while they are working offline.

Note:
Exchange ActiveSync can synchronize e-mail messages, calendar items, contacts, and tasks. You cannot use Exchange ActiveSync to synchronize notes in Microsoft Outlook.

New Features in Exchange ActiveSync

Exchange ActiveSync has been enhanced in Exchange Server 2007. The following are some of the new and enhanced features:
- Support for HTML messages
- Support for follow-up flags
- Support for fast message retrieval
- Meeting attendee information
- Enhanced Exchange Search
- Windows SharePoint Services and Universal Naming Convention (UNC) document access
- PIN reset
- Enhanced device security through password policies
- Autodiscover for over the air provisioning
- Support for Out of Office configuration
- Support for tasks synchronization
- Direct Push

Note:
The ability to use Autodiscover depends on the mobile device operating system that you are using. Not all mobile device operating systems that support synchronization with Exchange Server 2007 also support Autodiscover. For more information about which operating systems support Autodiscover, contact the manufacturer of your mobile device.

Note:
Many of these features require the use of the latest version of Windows Mobile that is currently in development.

For more information about the new features in Exchange ActiveSync, see Client Features in Exchange ActiveSync.

Managing Exchange ActiveSync

By default, Exchange ActiveSync is enabled. All users who have an Exchange mailbox can synchronize their mobile device with the Microsoft Exchange server.

You can perform the following Exchange ActiveSync tasks:
- Enable and disable Exchange ActiveSync for users
- Set policies such as minimum password length, device locking, and maximum failed password attempts
- Initiate a remote wipe to clear all data off a lost or stolen device
- Run a variety of reports for viewing or exporting into a reporting solution

Security in Exchange ActiveSync

You can configure Exchange ActiveSync to use Secure Sockets Layer (SSL) encryption for communications between the Exchange server and the mobile device client. Certificate-based authentication works with a self-signed certificate, a certificate from an existing public key infrastructure, or a third-party commercial certificate. You can use certificate-based authentication together with other security features, such as local device wipe and a device password, to turn the mobile device into a smartcard. The private key and certificate for client authentication are stored in memory on the device. If an unauthorized user tries to bypass the device password, all user data is purged. This includes the certificate and private key. For more security, you can deploy RSA SecurID two-factor authentication on the Exchange server.

Device Security Features in Exchange ActiveSync

In addition to the ability to configure security options for communications between the Exchange server and your mobile devices, Exchange ActiveSync offers the following features to enhance the security of mobile devices:
- Remote wipe: If your device is lost, stolen, or otherwise compromised, you can issue a remote wipe command from the Exchange Server computer or from any Web browser by using Microsoft Office Outlook Web Access. This command erases all data from the mobile device.
- Device password policies: Exchange ActiveSync lets you configure several options for your device password. These options include the following:
  - Minimum password length (characters): This option specifies the length of the password for the device. The default length is four characters, but can include as many as 18.
  - Require alphanumeric password: This option determines password strength. You can enforce the usage of a character or symbol in the password in addition to numbers.
  - Inactivity time (seconds): This option determines how long the device must be inactive before the user is prompted for a password to unlock the device.
  - Wipe device after failed (attempts): This option lets you specify whether you want the device memory wiped after multiple failed password attempts.

For More Information

For more information about Exchange ActiveSync, see the following:
- How to Enable Exchange ActiveSync
- How to Disable Exchange ActiveSync
- How to Enable Exchange ActiveSync for a User
- How to Disable Exchange ActiveSync for a User
- Understanding Exchange ActiveSync Mailbox Policies

Understanding Direct Push

Direct Push is a feature that is built into Exchange Server 2007. Direct Push is designed to keep a mobile device up-to-date over a cellular network connection. Introduced in Exchange Server 2003 Service Pack 2, Direct Push provides notification to the mobile device when new content is ready to be synchronized to the device.

Overview

For Direct Push to work, you must have a device that is Direct Push capable. These devices include the following:
- Cellular telephones that have Windows Mobile™ 5.0 and the Messaging & Security Feature Pack (MSFP) and later versions of Windows Mobile software.
- Cellular telephones or mobile devices that are produced by Exchange ActiveSync licensees and are designed specifically to be Direct Push compatible.

By default, Direct Push is enabled in Exchange 2007. Mobile devices that support Direct Push issue a long-lived HTTPS request to the Exchange server. The Exchange server monitors activity on the users' mailbox and sends a response to the device if there are any changes, such as new or changed e-mail messages or calendar or contact items. If changes occur within the lifespan of the HTTPS request, the Exchange server issues a response to the device that states that changes have occurred and the device should initiate synchronization with the Exchange server. The device then issues a synchronization request to the server. When synchronization is complete, a new long-lived HTTPS request is generated to start the process over again. This guarantees that e-mail, calendar, contact, and task items are delivered quickly to the mobile device and the device is always synchronized with the Exchange server.

Direct Push Topology

Figure 1 illustrates a typical Exchange Server 2007 topology that is configured for Direct Push. This figure assumes that you have the Client Access server role and the Mailbox server role installed on two separate Exchange Server computers. You can also install both server roles on the same physical Exchange 2007 computer.

Figure 1 Direct Push Network Design

Direct Push operates in the following way:
1. A mobile device that is configured to synchronize with an Exchange 2007 server issues an HTTPS request to the server. This request is known as a ping. The request tells the server to notify the device if any items change in any folder that is configured to synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The mobile device will then stand by. The 15-minute time span is known as a heartbeat interval.
2. If no items change in 15 minutes, the server returns a response of HTTP 200 OK. The mobile device receives this response, resumes activity (called waking up), and issues its request again. This restarts the process.
3. If any items change or new items are received within the 15 minute heartbeat interval, the server sends a response that informs the mobile device that there is a new or changed item and the name of the folder in which the new or changed item resides. After the mobile device receives this response, it issues a synchronization request for the folder that has the new or changed items. When synchronization is complete, the mobile device issues a new ping request and the whole process starts over.

Direct Push depends on network conditions that support a long-standing HTTPS request. If the carrier network for the mobile device or the firewall does not support long-standing HTTPS requests, the HTTPS request is stopped. The following steps describe how Direct Push operates when a mobile device's carrier network has a time-out value of 13 minutes.
1. A mobile device issues an HTTPS request to the server. The request tells the server to notify the device if any items change in any folder that is configured to synchronize in the next 15 minutes. Otherwise, the server should return an HTTP 200 OK message. The mobile device then stands by.
2. If the server does not respond after 15 minutes, the mobile device wakes up and concludes that the connection to the server was timed out by the network. The device reissues the HTTPS request, but this time uses a heartbeat interval of eight minutes.
3. After eight minutes, the server sends an HTTP 200 OK message. The device will then try to gain a longer connection by issuing a new HTTPS request to the server that has a heartbeat interval of 12 minutes.
4. After four minutes, a new e-mail message is received and the server responds by sending an HTTPS response that tells the device to synchronize. The device synchronizes and reissues the HTTPS request that has a heartbeat of 12 minutes.
5. After 12 minutes, if there are no new or changed items, the server responds by sending an HTTP 200 OK message. The device wakes up and concludes that network conditions will support a heartbeat interval of 12 minutes. The device will then try to gain a longer connection by reissuing an HTTPS request that has a heartbeat interval of 16 minutes.
6. After 16 minutes, no response is received from the server. The device wakes up and concludes that network conditions cannot support a heartbeat interval of 16 minutes. Because this failure occurred directly after the device tried to increase the heartbeat interval, it concludes that the heartbeat interval has reached its maximum limit. The device then issues an HTTPS request that has a heartbeat interval of 12 minutes because this was the last successful heartbeat interval.

The mobile device tries to use the longest heartbeat interval the network supports. This extends battery life on the device and minimizes the amount of data that is transferred over the network. Mobile carriers can specify a maximum, minimum, and initial heartbeat value in the registry settings for the mobile device.

Configuring Direct Push to Work Through Your Firewall

For Direct Push to work through your firewall, you must open the following ports:
- If you have the Client Access server role and the Mailbox server role installed on two separate Exchange Server computers, you must open TCP port 135 for the RPC locator service on any internal firewall that is between the two Exchange Server computers.
- TCP port 443 is required for Secure Sockets Layer (SSL) and must be opened between the Internet and the Exchange Server computer that has the Client Access server role installed.

In addition to opening ports on your firewall, for optimal Direct Push performance, you should increase the time-out value on your firewall from the default to 15 to 30 minutes. The maximum length of the HTTPS request is determined by the following settings:
- The maximum time-out that is set on the firewalls that control the traffic from the Internet to the Exchange server that has the Client Access server role installed
- The firewall time-outs that are set by the mobile carrier

A short time-out value causes the device to initiate a new HTTPS request more frequently. This can shorten battery life on your device. For more information about how to configure your firewall, see the ISA Server Product Documentation.

For More Information

For more information about Direct Push and how to synchronize mobile devices with Exchange 2007, see the following:
- How to Configure Mobile Devices to Synchronize with Exchange Server
- Understanding Mobile Devices
- Understanding Mobile Device Connectivity

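The heartbeat negotiation in the 13-minute walkthrough, and the effect of the firewall time-out on it, can be reproduced with a small model. This is an added example, not Microsoft or device code: the 8-minute fallback, the 4-minute step, the 60-minute ceiling and the rule that a request survives only when its heartbeat is shorter than the network time-out are assumptions inferred from the sequence 15, 8, 12, 16 described above.

```python
from dataclasses import dataclass


@dataclass
class Ping:
    heartbeat: int   # heartbeat interval the device asked for, in minutes
    outcome: str     # "ok" (HTTP 200 OK), "changes" (sync needed) or "timeout"
    elapsed: int     # minutes until the device woke up again


def negotiate(network_timeout, initial=15, minimum=8, step=4, maximum=60,
              changes=None, max_pings=50):
    """Return (settled_heartbeat, trace) for one device behind one network path.

    network_timeout: idle minutes after which a firewall or carrier drops the
        connection. A request survives only if heartbeat < network_timeout.
    changes: {ping index: minutes until a mailbox change}, constructed input.
    minimum, step and maximum are assumptions; the walkthrough shows the
    sequence 15 -> 8 -> 12 -> 16 but does not name these values.
    """
    changes = changes or {}
    interval, last_good, raised = initial, None, False
    trace = []
    for n in range(max_pings):
        survives = interval < network_timeout
        open_for = interval if survives else network_timeout
        change_at = changes.get(n)
        if change_at is not None and change_at < open_for:
            # Early response: the device synchronizes and reissues the same
            # heartbeat. Nothing was learned about the interval itself.
            trace.append(Ping(interval, "changes", change_at))
            continue
        if survives:
            trace.append(Ping(interval, "ok", interval))
            last_good = interval
            if interval + step > maximum:
                return last_good, trace
            interval, raised = interval + step, True   # probe a longer one
            continue
        # No response arrived: the path dropped the idle connection.
        trace.append(Ping(interval, "timeout", interval))
        if raised:
            # Failure directly after an increase: last good value is the limit.
            return last_good, trace
        if interval <= minimum:
            return None, trace          # even the shortest heartbeat is cut
        interval = minimum              # first failure: fall back and rebuild
    return last_good, trace


def idle_pings_per_day(settled):
    """Requests per day from one device whose mailbox never changes."""
    return None if settled is None else -(-24 * 60 // settled)


def compare_timeouts(timeouts):
    """Map each candidate firewall idle time-out to (settled, idle pings/day)."""
    result = {}
    for t in timeouts:
        settled, _ = negotiate(t)
        result[t] = (settled, idle_pings_per_day(settled))
    return result


if __name__ == "__main__":
    settled, trace = negotiate(13, changes={2: 4})   # the 13-minute walkthrough
    for p in trace:
        print(f"heartbeat {p.heartbeat:>2} min -> {p.outcome} after {p.elapsed} min")
    print("settled on", settled, "minutes")
    print(compare_timeouts([5, 13, 30]))
```

Under these assumptions a 5-minute idle time-out leaves the device with no heartbeat that survives, which is the case the time-out recommendation above is meant to prevent.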
Understanding Exchange ActiveSync Mailbox Policies

This section discusses Exchange ActiveSync mailbox policies and how they can be used in your Microsoft Exchange Server 2007 environment.

Overview

Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings to a user or group of users. Table 11 summarizes the settings that you can specify by using Exchange ActiveSync mailbox policies.

Table 11 Exchange ActiveSync mailbox policy settings

Setting | Description
Allow non-provisionable devices | Allows older devices (those that do not support Exchange ActiveSync mailbox policies) to connect to Exchange 2007 by using Exchange ActiveSync.
Allow simple password | Enables or disables the ability to use a simple password such as 1234.
Alphanumeric password required | Requires that a password contains numeric and non-numeric characters.
Attachments enabled | Enables attachments to be downloaded to the mobile device.
Device encryption enabled | Enables encryption on the device.
Password enabled | Enables the device password.
Password expiration | Enables the administrator to configure a length of time after which a device password must be changed.
Password history | The number of past passwords stored in the user's mailbox. A user cannot reuse a previously stored password.
Policy refresh interval | Defines how frequently the device updates the Exchange ActiveSync policy from the server.
Maximum attachment size | Specifies the maximum size of attachments that are automatically downloaded to the device.
Maximum failed password attempts | Specifies how many times an incorrect password can be entered before the device performs a wipe of all data.
Maximum inactivity time lock | Specifies the length of time a device can go without user input before it locks.
Minimum password length | Specifies the minimum password length.
Password recovery | Enables the device password to be recovered from the server.
UNC file access | Enables access to files stored on Universal Naming Convention (UNC) shares.
WSS file access | Enables access to files stored on Microsoft Windows SharePoint Services sites.

For example, you can create a policy that you apply to all users in your Exchange organization. Table 12 lists the settings that this policy could have.

Table 12 Sample Exchange ActiveSync mailbox policy settings for all users

Setting | Value
Allow non-provisionable devices | False
Allow simple password | False
Alphanumeric password required | True
Attachments enabled | True
Device encryption enabled | True
Password enabled | True
Password expiration | 10 days
Password history | 8 passwords stored
Maximum attachment size | 500 kilobytes (KB)
Maximum failed password attempts | 4
Minimum password length | 4
UNC file access | Disabled
WSS file access | Disabled

Note:
You do not have to specify all policy settings when you create a new Exchange ActiveSync mailbox policy. Any policy setting that you do not explicitly set will retain its default value.

Exchange ActiveSync mailbox policies can be created in the Exchange Management Console or the Exchange Management Shell. If you create a policy in the Exchange Management Console, you can configure only a subset of the available settings. You can configure the rest of the settings by using the Exchange Management Shell.

You do not have to assign a user to an Exchange ActiveSync mailbox policy. Table 13 summarizes the policy settings that are used if you do not assign a user to a policy.

Table 13 Default Exchange ActiveSync settings

Setting | Value
Allow non-provisionable devices | True
Allow simple password | False
Alphanumeric password required | False
Attachments enabled | True
Device encryption enabled | False
Password enabled | False
Password expiration | Unlimited
Password history | 0
Policy refresh interval | Unlimited
Document browsing enabled | True
Maximum attachment size | Unlimited
Maximum failed password attempts | 4
Maximum inactivity time lock | 15 minutes
Minimum password length | 4
Password recovery | Disabled
UNC file access | Enabled
WSS file access | Enabled

Exchange ActiveSync Mailbox Policy Examples

Figure 2 illustrates how Exchange ActiveSync mailbox policies can be created to control a variety of settings for three different groups of users.

Figure 2 Example of Exchange ActiveSync mailbox policies

For More Information

For more information about how to manage Exchange ActiveSync by using policies, see Managing Exchange ActiveSync with Policies.

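Because any setting you leave out of a new policy keeps its default, a partially specified policy can be weaker than it looks. The following added example (not Exchange code) overlays explicitly set values on the Table 13 defaults and reports every setting that is weaker than the Table 12 sample policy; the direction in which each setting counts as stricter, and the constructed partial policy in the final lines, are this example's assumptions.

```python
import math
import re

# Defaults transcribed from Table 13.
DEFAULTS = {
    "Allow non-provisionable devices": "True",
    "Allow simple password": "False",
    "Alphanumeric password required": "False",
    "Attachments enabled": "True",
    "Device encryption enabled": "False",
    "Password enabled": "False",
    "Password expiration": "Unlimited",
    "Password history": "0",
    "Policy refresh interval": "Unlimited",
    "Document browsing enabled": "True",
    "Maximum attachment size": "Unlimited",
    "Maximum failed password attempts": "4",
    "Maximum inactivity time lock": "15 minutes",
    "Minimum password length": "4",
    "Password recovery": "Disabled",
    "UNC file access": "Enabled",
    "WSS file access": "Enabled",
}

# Baseline transcribed from Table 12 (the sample policy for all users).
SAMPLE_BASELINE = {
    "Allow non-provisionable devices": "False",
    "Allow simple password": "False",
    "Alphanumeric password required": "True",
    "Attachments enabled": "True",
    "Device encryption enabled": "True",
    "Password enabled": "True",
    "Password expiration": "10 days",
    "Password history": "8 passwords stored",
    "Maximum attachment size": "500 kilobytes (KB)",
    "Maximum failed password attempts": "4",
    "Minimum password length": "4",
    "UNC file access": "Disabled",
    "WSS file access": "Disabled",
}

# Assumption of this example: which direction makes a setting stricter.
STRICTER_WHEN = {
    "Allow non-provisionable devices": "false",
    "Allow simple password": "false",
    "Alphanumeric password required": "true",
    "Attachments enabled": "false",
    "Device encryption enabled": "true",
    "Password enabled": "true",
    "Password expiration": "lower",
    "Password history": "higher",
    "Maximum attachment size": "lower",
    "Maximum failed password attempts": "lower",
    "Minimum password length": "higher",
    "UNC file access": "false",
    "WSS file access": "false",
}


def normalise(value):
    """Turn a table cell into a bool, an int, or math.inf for Unlimited."""
    text = str(value).strip().lower()
    if text in ("true", "enabled"):
        return True
    if text in ("false", "disabled"):
        return False
    if text == "unlimited":
        return math.inf
    match = re.match(r"\d+", text)
    if not match:
        raise ValueError(f"unrecognised setting value: {value!r}")
    return int(match.group())


def is_weaker(setting, actual, required):
    a, r = normalise(actual), normalise(required)
    rule = STRICTER_WHEN[setting]
    if rule == "true":
        return r is True and a is False
    if rule == "false":
        return r is False and a is True
    return a > r if rule == "lower" else a < r


def effective_policy(explicit):
    """Settings not explicitly set retain their default value."""
    merged = dict(DEFAULTS)
    merged.update(explicit)
    return merged


def audit(explicit, baseline=SAMPLE_BASELINE):
    """Return [(setting, effective value, baseline value)] for weaker settings."""
    effective = effective_policy(explicit)
    return [(s, effective[s], req) for s, req in baseline.items()
            if is_weaker(s, effective[s], req)]


if __name__ == "__main__":
    # Constructed partial policy: only three settings were set explicitly.
    partial = {"Password enabled": "True", "Minimum password length": "6",
               "Device encryption enabled": "True"}
    for setting, actual, required in audit(partial):
        print(f"{setting}: effective {actual}, baseline {required}")
```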
Understanding Remote Device Wipe

One of the enhanced features available in Microsoft Exchange Server 2007 is the ability to perform a remote device wipe of a mobile device. Remote device wipe is a feature that enables the Exchange server to set a mobile device to delete all data the next time that the device connects to the Exchange server.

A remote device wipe returns a device to its factory default condition. This can be useful when a device is lost, stolen, or otherwise compromised, or when a device has to be reassigned from one user to another.

Overview

Mobile devices can store sensitive corporate data and provide access to many corporate resources. If a device is lost or stolen, that data can be compromised. Through Exchange ActiveSync policies, you can add a password requirement to your mobile devices. This requires that users enter a password to access their device. We recommend that, in addition to requiring a device password, you configure your devices to automatically prompt for a password after a period of inactivity. The combination of a device password and inactivity locking provides more security for your corporate data.

In addition to these features, Exchange 2007 provides remote device wipe. You can issue a remote wipe command from the Exchange Management Shell. Users can issue their own remote wipe commands from the Outlook Web Access user interface.

The remote device wipe feature also includes a confirmation function that writes a timestamp in the sync state data of the user's mailbox. This timestamp is displayed in Outlook Web Access and in the user's mobile device properties dialog box in the Exchange Management Console.

Important:
In addition to resetting the device to factory default condition, a remote device wipe also deletes any data on any storage card that is inserted in the device. If you are performing a remote device wipe on a device in your possession and want to retain the data on the storage card, remove the storage card before you initiate the remote device wipe.

Remote Device Wipe vs. Local Device Wipe

Local device wipe is the mechanism by which a device wipes itself without the request coming from the server. If your organization has implemented Exchange ActiveSync policies that specify a maximum number of password attempts and that maximum is exceeded, the device will perform a local device wipe. The result of a local device wipe is the same as that of a remote device wipe. The device is returned to its factory default condition. When a device performs a local device wipe, no confirmation is sent to the Exchange server.

For More Information

For more information about the remote device wipe feature, see the following:
- How to Perform a Remote Wipe on a Device
- Clear-ActiveSyncDevice

Understanding Exchange ActiveSync Autodiscover

Microsoft Exchange Server 2007 introduces a new service that makes it easier to provision devices for end users. The Autodiscover service simplifies the provisioning of your mobile device by returning the required system settings after you enter your e-mail address and password. By default, the Autodiscover service is enabled in Exchange 2007.

Overview of Autodiscover with Exchange ActiveSync

If your mobile device supports Autodiscover, you can configure your device to synchronize with Exchange 2007. Figure 3 illustrates this synchronization process.

Figure 3 Using Autodiscover with Exchange ActiveSync

1. The user enters their e-mail address and password on the device.
2. The device connects to a root DNS server to retrieve the URL for the Autodiscover service and the IP address for the user's domain.
3. The device uses a Secure Sockets Layer (SSL) connection to connect through the firewall to the Autodiscover service virtual directory. The Autodiscover service assembles the XML response based on the server synchronization settings.
4. The Autodiscover service sends the XML response through the firewall over SSL. This XML response is interpreted by the device and synchronization settings are configured automatically on the device.

Note:
The ability to use Autodiscover depends on the operating system of the mobile device that you are using. Not all mobile device operating systems that support synchronization with Exchange Server 2007 support Autodiscover. For more information about operating systems that support Autodiscover, contact the manufacturer of your device.

Note:
Windows Mobile 5.0 and Windows Mobile 6.0 do not support Autodiscover.

For More Information

For more information about how to manage the Autodiscover service, see Managing the Autodiscover Service.

Understanding Mobile Device Connectivity

A wide variety of mobile devices can synchronize with Microsoft Exchange Server 2007. Most mobile devices that synchronize with Exchange 2007 are cellular telephones. These devices can run operating systems such as Windows Mobile, Symbian, Palm, and Nokia. For an overview of the different mobile devices that are enabled for Exchange ActiveSync, see Understanding Mobile Devices.

Regardless of the type of device that you select, there are two primary ways to connect to Exchange 2007: by using cellular connectivity and by using wireless connectivity. This section provides an overview of the two connectivity options.

Cellular Connectivity

All mobile devices that are enabled for Exchange ActiveSync can use cellular connectivity to synchronize with Exchange 2007. There are several different types of cellular data networks. Regardless of the type of cellular data network that your mobile device uses, the method of synchronization is the same. If the operating system of your device is Windows Mobile 5.0 with the Messaging & Security Feature Pack or Windows Mobile 6.0, synchronization is accomplished through Direct Push. If your device has another operating system, manual synchronization is used. When a device uses Direct Push to synchronize with Exchange 2007, it establishes a long-standing HTTPS connection with the Exchange server. When the connection is first established, the device sets what is called a heartbeat interval. The default heartbeat interval is 15 minutes. If any new messages are added to monitored folders on the Exchange server within this heartbeat interval, the server informs the device and the device initiates synchronization. When synchronization is complete, a new HTTPS request is initiated and the process is repeated. For more information about Direct Push, see Understanding Direct Push.

Cellular data plans can charge by the minute, by the megabyte, or offer unlimited data transfer. When you use a cellular data connection with Exchange 2007 Direct Push, we recommend purchasing an unlimited data plan.

Wireless Connectivity

Many of the mobile devices that are enabled for Exchange ActiveSync can connect to a wireless LAN. Connecting to a wireless LAN can provide faster network speeds and better coverage in areas where cellular coverage is unreliable. In addition, wireless access is sometimes offered at commercial locations such as coffee shops and book stores. The primary disadvantage to using wireless connectivity is that Direct Push will not work over a wireless LAN. Users who connect over a wireless LAN can perform manual synchronizations or configure scheduled synchronizations as frequently as every five minutes.

For More Information

For more information, see the following:
- Understanding Mobile Devices
- Understanding Direct Push

Understanding Mobile Devices
Mobile devices that are enabled for Exchange ActiveSync enable users to access most
of their Microsoft Exchange mailbox data any time, anywhere. There are a variety of different
devices that are enabled for Exchange ActiveSync. These include Windows Mobile powered
devices, Nokia devices, and Palm devices. This section provides an overview of these mobile
devices.
Exchange ActiveSync Enabled Devices
Exchange ActiveSync is a communications protocol that enables mobile access, over the air,
to e-mail messages, scheduling data, contacts, and tasks. Exchange ActiveSync is available
on Windows Mobile powered devices and third-party devices that are enabled for
Exchange ActiveSync.
Exchange ActiveSync offers Direct Push technology. Direct Push uses an encrypted HTTPS
connection that is established and maintained between the device and the server to push
new e-mail messages and other Exchange data to the device.
To use Direct Push with Exchange 2007, your users must have a mobile device that is
running Windows Mobile 5.0 with the Messaging & Security Feature Pack or another mobile
operating system that is designed to support Direct Push.
Note:
The Messaging & Security Feature Pack includes support for Direct Push, server-based
security policies, remote device wipe, Task synchronization, global address
book lookup, and many other features.
Exchange ActiveSync Features
Exchange ActiveSync provides access to a variety of features. These features enable you to
enforce device security policies. By using Exchange 2007, you can configure multiple
Exchange ActiveSync policies and control which devices can synchronize with your
Exchange server. Exchange ActiveSync enables you to send a remote device wipe command
that wipes all data from an existing device in case that device is lost or stolen. Users can also
initiate a remote device wipe from Microsoft Office Outlook Web Access.
For more information about Exchange ActiveSync, see Overview of Exchange ActiveSync.
Note:
Access to some of the features described in this section requires either Windows
Mobile 5.0 with the Messaging & Security Feature Pack or the next version
of Windows Mobile software that is currently in development. For more information,
see your device documentation.
Devices Enabled for Exchange ActiveSync
Users can take advantage of Exchange ActiveSync by selecting mobile devices that are
compatible with Exchange ActiveSync. These devices are available from a variety of
manufacturers. Most of these devices do not support Direct Push. However, they do support
synchronization with Microsoft Exchange. For more information, see the device
documentation.
Some of the devices that are compatible with Microsoft Exchange include the following:
• Nokia: Nokia offers Mail for Exchange on their Eseries mobile devices. E-mail,
calendar, and contact data can be synchronized over a cellular network or a wireless
LAN.
• Sony Ericsson: Sony Ericsson offers Exchange ActiveSync support on several of
their newer smartphone devices. They also support Direct Push through a third-party
program.
• Palm: Palm offers two smartphones that have the Windows Mobile 5.0 operating
system. These devices support Direct Push. Palm also supports Exchange ActiveSync on
the Treo 650 and 680 series smartphones. These devices do not support Direct Push.
• Motorola: Motorola has its own synchronization framework that enables over-the-air
synchronization through Exchange ActiveSync on a variety of its devices.
• Symbian: Symbian Limited licenses Exchange ActiveSync for use in the Symbian
operating system. This operating system is an open standard operating system for mobile
telephones.
Windows Mobile Software Feature Matrix
Mobile devices that have a version of Windows Mobile software as their operating system
offer the greatest functionality when synchronizing with Exchange 2007. Table 14 illustrates
some of the features that are available with the different versions of
Windows Mobile software.
Table 14 Windows Mobile software feature matrix
Operating System | Productivity Enhancements | Security Enhancements | Administration Enhancements
Windows Mobile 6.0 | Direct Push; HTML e-mail support; Message flags; Quick message retrieval; Enhanced calendar views; Meeting attendee information; Out of Office management; Exchange search; Windows SharePoint Services and Windows file share (UNC) document access | Enforcement of Exchange ActiveSync mailbox policies; Remote device wipe; Certificate-based authentication; S/MIME support (with Exchange 2007 SP1); Device storage card encryption; Rights management support | Detailed device monitoring; Error reporting
Windows Mobile powered devices with the Messaging & Security Feature Pack | Direct Push; Global address book lookup; Task synchronization | Enforcement of Exchange ActiveSync mailbox policies; Remote device wipe; Certificate-based authentication; S/MIME support (with Exchange 2007 SP1) | Microsoft Operations Manager integration and reporting; Diagnostic tasks and health monitoring
All Windows Mobile powered devices | Synchronization of e-mail messages, calendar, and contact data | Secure Sockets Layer (SSL) encryption; Basic authentication; Integration with Internet Security and Acceleration (ISA) Server | Microsoft Operations Manager integration and reporting; Diagnostic tasks and health monitoring
For more information about how to manage Windows Mobile powered devices, visit the
Windows Mobile Center Web site.
Exchange ActiveSync Reporting Services
Microsoft Exchange Server 2007 and Exchange ActiveSync offer a wide variety of features
for both users and administrators. As an administrator, it is important that you know the
volume and usage patterns of your deployment. This information can help you effectively
manage your Exchange ActiveSync deployment, better understand user productivity, and
plan for future needs. Reporting in Exchange ActiveSync for Exchange Server 2007 is a
Windows PowerShell task that compiles a set of Internet Information Services (IIS) logs and
processes to create a series of output files. Each file is a separate report that can help you
understand your Exchange ActiveSync deployment. This section provides an overview of the
cmdlet you can use to generate these reports and information about the content of these
reports.
Generating Exchange ActiveSync Reports
You can generate Exchange ActiveSync reports by using the Export-ActiveSyncLog cmdlet.
This cmdlet lets you specify a variety of input parameters. These parameters include the
location of the IIS log files, the start dates and the end dates for the reports, and the output
path for the reports. To run this cmdlet, you must be delegated the permissions associated
with the Exchange Server Administrator or Exchange Organization Administrator role. You
must also have read access to the directory where the IIS logs are located. For more
information about the syntax of the Export-ActiveSyncLog cmdlet, see
Export-ActiveSyncLog.
Available Exchange ActiveSync Reports
There are a variety of Exchange ActiveSync reports available. These reports include the
following:
• Exchange ActiveSync Usage Report: This report includes a variety of monitored
parameters. These include the total bytes that have been sent and received in addition to
a count of each type of item that was sent and received. Item types are e-mail messages,
calendar items, contact items, and task items.
• Hits Report: This report lets you see the total number of synchronization requests
that are processed per hour, in addition to the total number of unique devices that are
initiating synchronization requests.
• HTTP Status Report: This report provides a general overview of the performance of
the Client Access server. It includes a summary of the various error response codes and
the percentage of the time each code was encountered.
• Policy Compliance Report: This report provides information about the number of
fully compliant, partially compliant, and noncompliant devices. A fully compliant device is
one that has accepted the Exchange ActiveSync policy and can implement all aspects of
the policy. A partially compliant device is one that has accepted the policy, but has a
mobile device operating system that is unable to enforce all aspects of the policy. A
noncompliant device is either unable to accept the policy or has rejected the policy.
• User Agent List: This report returns the total number of unique users, organized by
mobile device operating system.
Interpreting the Internet Information Services Log Files
Table 15 lists the various elements of the Exchange ActiveSync IIS logs. In the log file, each
element is separated by an underscore character.
Table 15 Elements of the Exchange ActiveSync protocol logs
Letter identifier | Element name | Definition | Possible values
V | Protocol version | The protocol version that the device is using to synchronize with the Exchange server. | 120 = Version 12; 25 = Version 2.5; 21 = Version 2.1; 20 = Version 2.0; 10 = Version 1.0
Ty | Type | The type of folder that is being synchronized. | Em = E-mail; Co = Contacts; Ca = Calendar; Ta = Tasks
Fid | Folder ID | The ID of the folder that is being synchronized. | Positive integer
Fc | Folder count | The number of folders that are being synchronized. | Positive integer
Filt | Filter type | The data that the user requested. | Value = Meaning (E-mail? / Calendar? / Tasks?): 0 = No filter (Yes / Yes / Yes); 1 = 1 day back (Yes / No / No); 2 = 3 days back (Yes / No / No); 3 = 1 week back (Yes / No / No); 4 = 2 weeks back (Yes / Yes / No)
St | Sync type | The type of synchronization that is being performed. | F = First sync; S = Subsequent sync; R = Recovery sync; I = Invalid sync
Sk | Sync key | The actual sync key that is used between the mobile device and the Exchange server. | Positive integer
Cli: | Client statistics | Stores the count of each type of activity from the Client. Output is in the form Cli: 0A0C3D1F0E. | Identifier value = Meaning: A = Adds; C = Changes; D = Deletes; F = Fetches; E = Errors
Svr: | Server statistics | Stores the count of each type of activity from the server. Output is in the form Svr:2A0C2D1F1E. | Identifier value = Meaning: A = Adds; C = Changes; D = Deletes; F = Fetches; E = Errors
E | Number of errors | This is the number of errors encountered in a request. | Positive integer
Io | Items opened | This is the number of items that have been opened. This feature has not yet been implemented. | Positive integer
Hb | Heartbeat interval | This indicates the Heartbeat interval that is used for the ping command. | Positive integer
Ssp | SharePoint documents | This is the number of files that have been accessed from Windows SharePoint Services. | Positive integer
Sspb | SharePoint bytes | This is the number of bytes that have been accessed from Windows SharePoint Services. | Positive integer
Unc | UNC files | This is the number of files that have been accessed through Windows file shares. | Positive integer
Uncb | UNC bytes | This is the number of bytes that have been accessed through Windows file shares. | Positive integer
Att | Attachments | This is the number of attachments that have been retrieved. | Positive integer
Attb | Attachment bytes | The number of bytes that have been retrieved for attachments. | Positive integer
Pk | Policy key received | The element that is used by the client and server to correlate acknowledgements to a particular policy setting. | Not applicable
Pa | Policy acknowledge status | The element that indicates success if all the policy settings were applied correctly. | 1 = Policy was successfully applied; 2 = Policy was partially applied; 3 = Policy was not applied
Oof | OOf action | The action that is performed on the Out of Office status stored on the Exchange server. | Get = Retrieves the OOF status and message; Set = Sets the OOF status and message
UserInfo | User information action | The parameter that specifies retrieval of the user information data. | Get
DevModel | Device model | The device information that is supplied by the device manufacturer. | Possible values include manufacturer name, model name, and model number.
DevIMEI | IMEI | The International Mobile Equipment Identity (IMEI). It is a 15-digit code that is assigned to each device. | String
DevName | Device friendly name | This element stores the user's description of their device. | String
DevOS | Device OS | The operating system that is running on the device. | String
DevLang | Device OS language | The localized language of the device operating system. | String
Error | Error | The error section of the request. | String
S | Status | This element returns the status of the device. | String
A sample log for a device synchronization might appear as follows:
B3ogC422(D1$:EmD"i):(7D"c2D"ilt2DSt:SDSE:2906DSrv:2a0c0)0s0e0rDP%2280222(9(
DS2
For More Information
For more information about reporting for Exchange ActiveSync, see the following:
• Export-ActiveSyncLog
• How to Generate Exchange ActiveSync Reports
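The element layout in Table 15 above can be split and decoded mechanically, which is useful when reviewing which devices failed to apply policy. The Python below is an added example, not part of the Microsoft documentation; it assumes each identifier is followed either by a colon or directly by a numeric value, and its sample strings are constructed.

```python
import re

# Identifiers from Table 15 whose values have a fixed meaning on the page.
VALUE_MEANINGS = {
    "V": {"120": "Version 12", "25": "Version 2.5", "21": "Version 2.1",
          "20": "Version 2.0", "10": "Version 1.0"},
    "Ty": {"Em": "E-mail", "Co": "Contacts", "Ca": "Calendar", "Ta": "Tasks"},
    "St": {"F": "First sync", "S": "Subsequent sync",
           "R": "Recovery sync", "I": "Invalid sync"},
    "Pa": {"1": "Policy was successfully applied",
           "2": "Policy was partially applied",
           "3": "Policy was not applied"},
}
# Every identifier listed in Table 15.
KNOWN_IDS = set(VALUE_MEANINGS) | {
    "Fid", "Fc", "Filt", "Sk", "Cli", "Svr", "E", "Io", "Hb", "Ssp", "Sspb",
    "Unc", "Uncb", "Att", "Attb", "Pk", "Oof", "UserInfo", "DevModel",
    "DevIMEI", "DevName", "DevOS", "DevLang", "Error", "S",
}
# Assumption: an identifier is followed by ":" and a value, or directly by a
# value that starts with a digit (for example "Ty:Em" and "Fc1").
ELEMENT_RE = re.compile(r"^([A-Za-z]+?)(?::\s*(.*)|(\d.*))$")
COUNTER_RE = re.compile(r"(\d+)([A-Za-z])")


def parse_elements(text):
    """Split one element string on "_" and return (known, unknown).

    A string value that itself contains "_" is split too; its pieces end up
    in the unknown list rather than being silently dropped.
    """
    known, unknown = {}, []
    for token in filter(None, text.strip().split("_")):
        match = ELEMENT_RE.match(token)
        if not match or match.group(1) not in KNOWN_IDS:
            unknown.append(token)
            continue
        ident = match.group(1)
        value = match.group(2) if match.group(2) is not None else match.group(3)
        if ident in ("Cli", "Svr"):
            # "0A0C3D1F0E" -> {"A": 0, "C": 0, "D": 3, "F": 1, "E": 0}
            value = {k.upper(): int(n) for n, k in COUNTER_RE.findall(value)}
        known[ident] = value
    return known, unknown


def describe(known):
    """Translate coded values into the meanings given in Table 15."""
    return {ident: (VALUE_MEANINGS.get(ident, {}).get(value, value)
                    if isinstance(value, str) else value)
            for ident, value in known.items()}


def policy_gaps(lines):
    """Return (line_number, meaning) where Pa shows the policy was not fully applied."""
    findings = []
    for number, line in enumerate(lines, start=1):
        known, _ = parse_elements(line)
        status = known.get("Pa")
        if status is not None and status != "1":
            meaning = VALUE_MEANINGS["Pa"].get(status, "unknown status " + status)
            findings.append((number, meaning))
    return findings


# Constructed sample element strings (not taken from a real server log).
SAMPLE_LINES = [
    "V120_Ty:Em_Fid:12_Fc1_Filt2_St:S_Sk:4711_Cli:0A0C3D1F0E_Svr:2A0C2D1F1E_E0",
    "V120_Pk:1234567_Pa1_DevOS:ExampleOS 1.0",
    "V25_Pk:7654321_Pa3_DevOS:ExampleOS 0.9_Xyz9",
    "V120_Ty:Ca_St:F_Pa2",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed, leftover = parse_elements(sample)
        print(describe(parsed), "unparsed:", leftover)
    print(policy_gaps(SAMPLE_LINES))
```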
Overview of POP3 and IMAP4
This section describes the Post Office Protocol version 3 (POP3) and Internet Message
Access Protocol Version 4rev1 (IMAP4) functionality for Microsoft Exchange Server 2007.
By default, POP3 and IMAP4 are disabled in Exchange 2007. To use these protocols, you
must first start the POP3 and IMAP4 services on the computer that is running Exchange 2007
that has the Client Access server role installed.
POP3 and IMAP4 Protocols
Messaging systems that are based on POP3 and IMAP4 are best suited for home and
personal use where requirements for data recoverability and security are low. POP3 was
designed to support offline mail processing. With POP3, e-mail messages are removed from
the server and put on the local POP3 client. This puts the data management and security
responsibility in the hands of the user. IMAP4 offers offline and online access, but like POP3,
IMAP4 does not offer advanced collaboration features such as scheduling and group
scheduling and task and contact management.
Managing POP3/IMAP4 Features
With Exchange 2007, you can manage all the server settings for POP3 and IMAP4 by using
the Exchange Management Shell. For more information about how to use the Exchange
Management Shell to manage POP3 and IMAP4, see Managing POP3 and IMAP4.
Note:
There is no user interface in the Exchange Management Console for POP3 and
IMAP4. To manage these protocols, you must use the Exchange Management Shell.
For More Information
• For more information about how to enable POP3 and IMAP4 for use with
Exchange 2007, see Enabling POP3 and IMAP4 on a Client Access Server.
• For more information about managing the client functionality available in
Exchange 2007 for POP3 and IMAP4, see Managing POP3 and IMAP4.
Overview of Outlook Web Access
By default, when you install the Client Access server role on a computer that is running
Microsoft Exchange Server 2007, you enable
Microsoft Office Outlook Web Access. Outlook Web Access lets you access your
Exchange 2007 mailbox from any Web browser.
Overview of Outlook Web Access
Outlook Web Access has been redesigned for Exchange Server 2007 to create a new look,
add new features, and improve usability. For more information about Outlook Web Access
features, see Client Features in Outlook Web Access.
Managing Outlook Web Access
When you install the Client Access server role, four default virtual directories are created to
enable access to content that is stored on Exchange servers by using a Web browser. Of the
four virtual directories, the virtual directory named "owa" is used most frequently. For more
information about Outlook Web Access virtual directories, see Managing Outlook Web
Access Virtual Directories in Exchange Server 2007.
In Exchange 2007, the most common Outlook Web Access management tasks can be
accomplished in the Exchange Management Console. All these tasks, and many other tasks,
can be accomplished by using the Exchange Management Shell. You will still have to use
tools such as Internet Information Services (IIS) Manager for some tasks, such as configuring
Secure Sockets Layer (SSL) or setting up simple URLs for users.
For more information about how to manage Outlook Web Access, see the following:
• Managing Outlook Web Access
• Managing Outlook Web Access Security
Overview of Outlook Anywhere
The Outlook Anywhere feature for Microsoft Exchange Server 2007 lets your
Microsoft Office Outlook 2007 and Outlook 2003 clients connect to their Exchange servers
over the Internet by using the RPC over HTTP Windows networking component. This section
describes the Outlook Anywhere feature and the benefits of using Outlook Anywhere.
Outlook Anywhere and Exchange 2007
Exchange Server 2003 enabled users to use the Windows RPC over HTTP Proxy component
to access their Exchange information from the Internet. This technology wraps remote
procedure calls (RPCs) with an HTTP layer. This allows the traffic to traverse network
firewalls without requiring RPC ports to be opened. Exchange 2007 builds on this
functionality and greatly reduces the difficulty of deploying and managing this feature. To
deploy Outlook Anywhere in your Exchange messaging environment, you just have to enable
at least one Client Access server by using the Enable Outlook Anywhere Wizard.
Benefits of Using Outlook Anywhere
There are several benefits to using Outlook Anywhere to enable Outlook 2003 and
Outlook 2007 clients to access your Exchange messaging infrastructure. The benefits are as
follows:
• Remote access to Exchange servers from the Internet.
• You can use the same URL and namespace that you use for
Microsoft Exchange ActiveSync and Outlook Web Access.
• You can use the same Secure Sockets Layer (SSL) server certificate that you use for
both Outlook Web Access and Exchange ActiveSync.
• Unauthenticated requests from Outlook cannot access Exchange servers.
• Clients must trust the certification authority that issues the certificate.
• You do not have to use a virtual private network (VPN) to access Exchange servers
across the Internet.
You must allow only port 443 through your firewall, because Outlook requests use HTTP over
SSL. If you already use Outlook Web Access with SSL or Exchange ActiveSync with SSL,
you do not have to open any additional ports from the Internet.
Deploying Outlook Anywhere
Deploying Outlook Anywhere for your organization is now a straightforward process. The
following recommendations should be followed to successfully deploy Outlook Anywhere:
• Use at least one Client Access server per site: In Exchange 2007, a site is a
network location with high-bandwidth connectivity between all computers. We
recommend that you install at least one Client Access server in each site that is
dedicated to providing client access to the Exchange 2007 computer that has the Mailbox
server role installed. However, you can have multiple Client Access servers in each site
for increased performance and reliability.
• Enable Outlook Anywhere on at least one Client Access server: We recommend
that you have one Client Access server in each site that has Outlook Anywhere enabled.
This lets Outlook 2007 clients connect to the Client Access server that is closest to a
user's mailbox. Users will connect to the Client Access server that is in the site together
with the Mailbox server that contains their mailbox by using HTTPS. This minimizes the
risk associated with using remote procedure calls (RPCs) across the Internet. Using
RPCs across the Internet can adversely affect performance.
For more information about how to enable Outlook Anywhere, see How to Enable Outlook
Anywhere.
Managing Outlook Anywhere
You can manage Outlook Anywhere by using the Exchange Management Console or the
Exchange Management Shell. By default, when you enable Outlook Anywhere on a Client
Access server, all users who have mailboxes on Exchange 2007 Mailbox servers are enabled
for Outlook Anywhere. For more information about how to manage Outlook Anywhere, see
Managing Outlook Anywhere.
Coexistence
Outlook Anywhere can be used in environments where Exchange 2003 is still being used. If
you have users who have mailboxes located on Exchange 2003 servers, and these users are
using Outlook 2007 or Outlook 2003, you must configure these clients manually. For more
information about Outlook Anywhere coexistence, see How to Configure Outlook Anywhere
with Exchange 2003.
Recommendations for Outlook Anywhere
This section provides recommendations for using Outlook Anywhere in your Exchange
infrastructure.
We recommend that you use the following configuration when you use Exchange with
Outlook Anywhere:
• NTLM authentication over Secure Sockets Layer (SSL): We recommend that you
enable and require SSL on the Microsoft Exchange Server 2007 computer that has the
Client Access server role installed for all client-to-server communications. We also
recommend the use of NTLM Authentication. The HTTP session should always be
established over SSL (port 443). For information about how to configure Outlook
Anywhere authentication that uses SSL, see Managing Outlook Anywhere Security.
Important:
If you are using a firewall that does not handle NTLM, you will have to use
Basic authentication over SSL.
• Use an advanced firewall server on the perimeter network: We recommend that
you use a dedicated firewall server to help enhance the security of the
Exchange computer. Microsoft Internet Security and Acceleration (ISA) Server 2006 is an
example of a dedicated firewall server product. ISA Server 2006 also lets you use NTLM
authentication instead of Basic authentication because ISA Server understands NTLM
authentication information. Other firewall servers may know how to use NTLM
authentication. To determine whether your firewall server allows for NTLM authentication,
see the product documentation for your firewall product.
• Obtain a certificate from a third-party certification authority (CA): To enable and
require SSL for all communications between the Client Access server and the Outlook
clients, you must obtain and publish a certificate at the default Web site level. We
recommend that you purchase your certificate from a third-party certification authority
whose certificates are trusted by a wide variety of Web browsers.
Using Your Own Certification Authority
Alternatively, you can use the Certification Authority tool in Microsoft Windows to install your
own certification authority. By default, applications and Web browsers do not trust your root
certification authority when you install your own certification authority. When a user tries to
connect in Microsoft Office Outlook 2007 or Outlook 2003 by using Outlook Anywhere, that
user loses the connection to Microsoft Exchange. The user is not notified. The user loses the
connection when one of the following conditions is true:
• The client does not trust the certificate.
• The certificate does not match the name to which the client tries to connect.
• The certificate date is incorrect.
Therefore, you must make sure that the client computers trust the certification authority.
Additionally, if you use your own certification authority, when you issue a certificate to your
Client Access server, you must make sure that the Common Name field or the Issued to
field on that certificate contains the same name as the URL of the Client Access server that is
available on the Internet. For example, the Common Name field or the Issued to field must
contain a name that resembles mail.contoso.com. These fields cannot contain the internal
fully qualified domain name of the computer. For example, they cannot contain a name that
resembles mycomputer.contoso.com.
For More Information
For more information about Outlook Anywhere, see the following:
• Overview of Outlook Anywhere
• Managing Outlook Anywhere
• Deploying Outlook Anywhere
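Because Outlook drops the connection without notifying the user, the name and date conditions listed under Using Your Own Certification Authority above are worth checking before clients are pointed at the server. The Python below is an added example, not Microsoft's code; it goes slightly beyond the page by also reading DNS Subject Alternative Names and one-label wildcards, its certificate dictionaries are constructed, and trust in the issuing CA is left to the client's TLS stack.

```python
import ssl
import time


def cert_names(cert):
    """Return the Common Name and DNS Subject Alternative Names, lower-cased.

    Assumption: CN and SAN entries are pooled, following the page's wording
    about the Common Name / Issued to field.
    """
    names = [value for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ())
              if kind == "DNS"]
    return [name.lower() for name in names]


def name_matches(pattern, host):
    """Exact match, or a "*." wildcard that covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_certificate(cert, external_names, now=None):
    """Return a list of problems; an empty list means names and dates are fine.

    cert uses the dictionary layout returned by ssl.SSLSocket.getpeercert().
    external_names are the names clients use from the Internet.
    """
    now = time.time() if now is None else now
    names = cert_names(cert)
    problems = []
    for host in external_names:
        if not any(name_matches(name, host) for name in names):
            problems.append("name mismatch: " + host)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


# Constructed certificates; the host names follow the page's examples.
GOOD_CERT = {
    "subject": ((("commonName", "mail.contoso.com"),),),
    "subjectAltName": (("DNS", "mail.contoso.com"),),
    "notBefore": "Jun  1 00:00:00 2007 GMT",
    "notAfter": "Jun  1 00:00:00 2008 GMT",
}
INTERNAL_NAME_CERT = {
    # Issued to the internal FQDN, which the page says must not be used.
    "subject": ((("commonName", "mycomputer.contoso.com"),),),
    "notBefore": "Jun  1 00:00:00 2005 GMT",
    "notAfter": "Jun  1 00:00:00 2006 GMT",
}
# Fixed, constructed evaluation time so the results are reproducible.
CHECK_TIME = ssl.cert_time_to_seconds("Jul  1 00:00:00 2007 GMT")

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("internal", INTERNAL_NAME_CERT)):
        print(label, check_certificate(cert, ["mail.contoso.com"], CHECK_TIME))
```

Against a live server, the same dictionary can be obtained from `getpeercert()` on a verified `ssl` connection, which also exercises the trust condition that this offline check leaves out.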
Overview of the Autodiscover Service
Microsoft Exchange Server 2007 includes a new Microsoft Exchange service named the
Autodiscover service. The Autodiscover service configures client computers that are running
Microsoft Office Outlook 2007. The Autodiscover service can also configure supported mobile
devices. The Autodiscover service provides access to Microsoft Exchange features for
Outlook 2007 clients that are connected to your Microsoft Exchange messaging environment.
The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients
to automatically connect to Microsoft Exchange features, such as the offline address book,
the Availability service, and Unified Messaging (UM). Additionally, these Exchange features
must be configured correctly to provide external access for Outlook 2007 clients. For more
information, see How to Configure Exchange Services for the Autodiscover Service.
The Autodiscover service uses a user's e-mail address and password to provide profile
settings to Outlook 2007 clients and supported mobile devices. If the Outlook 2007 client is
joined to the domain, the user's domain account is used.
Note:
The Autodiscover service is available for Outlook 2007 clients and some mobile
devices. Earlier versions of Outlook, including Microsoft Outlook 2003, cannot use
the Autodiscover service.
Outlook 2007 and Autodiscover
The Autodiscover service makes it easier to configure Outlook 2007. Earlier versions of
Exchange and Outlook required you to configure all user profiles manually to access
Microsoft Exchange. Extra work was required to manage these profiles if changes occurred to
the messaging environment. Otherwise, the Outlook clients would stop functioning correctly.
The Autodiscover service uses a user's e-mail address or domain account to automatically
configure a user's profile. By using the e-mail address or domain account, the Autodiscover
service provides the following information to the client:
• The user's display name
• Separate connection settings for internal and external connectivity
• The location of the user's Mailbox server
• The URLs for various Outlook features that govern such functionality as free/busy
information, Unified Messaging, and the offline address book
• Outlook Anywhere server settings
When a user's Microsoft Exchange information is changed, Outlook automatically
reconfigures the user's profile by using the Autodiscover service. For example, if a user's
mailbox is moved or the client is unable to connect to the user's mailbox or to available
Exchange features, Outlook will contact the Autodiscover service and automatically update
the user's profile to have the information that is required to connect to the mailbox and
Exchange features.
The following sections provide information that you must have to successfully deploy the
Autodiscover service for your organization.
How the Autodiscover Service Works
When you install the Client Access server role on a computer that is running
Exchange 2007, a new virtual directory named Autodiscover is created under the default Web
site in Internet Information Services (IIS). This virtual directory handles Autodiscover service
requests from Outlook 2007 clients and supported mobile devices in the following
circumstances:
• When a new user account is configured or updated.
• When a user periodically checks for changes to the Exchange Web Services URLs.
• When underlying network connection changes occur in your Exchange messaging
environment.
Additionally, a new Active Directory object named the service connection point (SCP) is
created when you install the Client Access server role.
The SCP object contains the authoritative list of Autodiscover service URLs for the forest. You
can update the SCP object by using the Set-ClientAccessServer cmdlet. For more
information about the Set-ClientAccessServer cmdlet, see Set-ClientAccessServer.
Important:
Before you save the new Active Directory object, make sure that the Authenticated
Users account has Read permissions for the SCP object. If users do not have the
correct permissions, they will be unable to search for and read items.
For more information about SCP objects, see Publishing with Service Connection Points.
Figure 4 illustrates how a client connects to a Client Access server the first time from inside
the internal network.
Figure 4 The Autodiscover service process for internal access
For external access, the client locates the Autodiscover service on the Internet by using the
primary SMTP domain address from the user's e-mail address. Depending on whether you
have configured the Autodiscover service on a separate site, the Autodiscover service URL
will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or
https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. Figure 5
illustrates a simple topology with a client connecting from the Internet.
Figure 5 The Autodiscover service process for external access
When the client connects to the Active Directory directory service, the client looks for the
SCP object that was created during Setup. In deployments that include multiple Client Access
servers, an Autodiscover SCP object is created for each Client Access server. The SCP
object contains the ServiceBindingInfo attribute that has the FQDN of the Client Access
server in the form of https://CAS01/autodiscover/autodiscover.xml, where CAS01 is the
FQDN for the Client Access server. By using the user credentials, the Outlook 2007 client
authenticates to Active Directory and searches for the Autodiscover SCP objects. After the
client obtains and enumerates the instances of the Autodiscover service, the client
connects to the first Client Access server in the enumerated list and obtains the profile
information in the form of XML data that is needed to connect to the user's mailbox and
available Microsoft Exchange features.
Deployment Options for the Autodiscover Service
Deploying the Autodiscover service is only one step in making sure that your
Microsoft Exchange services, such as the Availability service, can be accessed by
Outlook 2007 clients. These services must be deployed and configured correctly for clients to
receive the correct profile configuration information from the Autodiscover service. For more
information about how to deploy your Microsoft Exchange services, see How to Configure
Exchange Services for the Autodiscover Service.
We recommend that you consider how to deploy the Autodiscover service when you plan the
Client Access server infrastructure for your Exchange messaging environment.
For more information about how to deploy the Autodiscover service, see Deployment
Considerations for the Autodiscover Service.
For More Information
For more information about how to deploy and manage the Autodiscover service, see the
following:
• Deployment Considerations for the Autodiscover Service
• How to Configure Exchange Services for the Autodiscover Service
• Managing the Autodiscover Service
,eplo$ment Consi)erations for the
A#to)iscover Service
he Autodisco#er ser#ice for Microsoft Exchange "er#er 2007 pro#ides automatic profile
configuration for Microsoft 5ffice 5utloo3 2007 clients that are connected to !our Exchange
messaging en#ironment$
Autodiscover Service Topology Requirements
For the Autodiscover service to function correctly for Outlook 2007, you must make sure that your Exchange organization meets the following requirements:
- You must have at least one Exchange 2007 Client Access server installed in your Exchange deployment. For Exchange features such as the Availability service and Unified Messaging, you must also have the Unified Messaging, Mailbox, and Hub Transport server roles installed on the Client Access server or another server.
- The Exchange 2007 Active Directory schema must be applied to the forest where the Autodiscover service will be running.
Connecting to the Autodiscover Service from the Internet
If you are providing external access to Microsoft Exchange by using Outlook Anywhere (formerly known as RPC over HTTP), and you want your Outlook 2007 clients to be automatically configured by using the Autodiscover service, you must install a valid Secure Sockets Layer (SSL) certificate on the Client Access server that includes both the common name (for example, mail.contoso.com) and a Subject Alternative Name for autodiscover.contoso.com. For information about how to configure your SSL certificate to use a Subject Alternative Name, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names. Additionally, you must correctly configure your Exchange services, such as the Availability service, before the Autodiscover service can provide the correct external URLs to clients. For more information, see How to Configure Exchange Services for the Autodiscover Service.
When the client tries to connect to your Microsoft Exchange deployment, the client locates the Autodiscover service on the Internet by using the primary SMTP domain address from the user's e-mail address. Based on whether you have configured the Autodiscover service to have a separate name from your organization's existing DNS host name, the Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. For example, if the user's e-mail address is monica@contoso.com, the Autodiscover service should be located at either https://contoso.com/autodiscover.xml or https://autodiscover.contoso.com/autodiscover/autodiscover.xml. This means that you must have a host record for the Autodiscover service added to your external DNS zone.
For more information, see How to Configure the Autodiscover Service for Internet Access.
Using Multiple Sites for Internet Access to the Autodiscover Service
We recommend hosting the Autodiscover service on a separate site if you manage a frequently visited Web site that also hosts your e-mail traffic. To host the Autodiscover service on a separate site on the same computer as other Exchange features, follow these steps:
Note:
You must use one IP address per site.
1. (Optional) Configure a separate site on a Client Access computer to host the Autodiscover service: You can create a separate site to host Autodiscover service traffic by using the New-AutodiscoverVirtualDirectory cmdlet. This optional step is recommended if the SMTP address domain is the same as the corporate Web site address and your corporate Web site is frequently visited. For example, if the company Web site is www.contoso.com, the e-mail SMTP domain is contoso.com, and the company Web site (www.contoso.com) is frequently visited, we recommend that you create a separate site and host the Autodiscover service on autodiscover.contoso.com.
2. (Required) Configure a valid SSL certificate: Configure a valid SSL certificate from a certification authority (CA) that the client computer trusts. If you have decided to host the Autodiscover service on a separate site, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names.
3. (Optional) Update the SCP Object: You must update the service connection point (SCP) object in the Active Directory directory service to specify to which Client Access server and Autodiscover virtual directory you want clients to connect.
For more information, see How to Configure the Autodiscover Service for Internet Access.
Figure 6 illustrates an environment in which the Autodiscover service is deployed in a different Active Directory site than the Active Directory site where your Exchange servers reside.
Figure 6 Using multiple sites with the Autodiscover service
In Figure 6, the Internet Security and Acceleration (ISA) Server 2006 firewall is publishing two sites by using two Web listeners. The first site, autodiscover.contoso.com, provides access to the Autodiscover virtual directory on the Client Access server and is assigned to one IP address. For internal traffic on the Client Access server, configure one Web listener and publish all virtual directories on this site. The second site, mail.contoso.com, provides access to the other Exchange features and has a unique second IP address. Do not publish the Autodiscover virtual directory on this site.
Configuring the Autodiscover Service to Use Site Affinity for Internal Communication
If you manage a large, distributed organization that has Active Directory sites that are separated by low-bandwidth network connectivity, we recommend that you use site affinity for the Autodiscover service for intranet-based traffic. To use site affinity, you specify which Active Directory sites are preferred for clients to connect to a particular Autodiscover service instance. Specifying which Active Directory sites are preferred is also known as configuring site scope.
You configure site affinity by using the Set-ClientAccessServer cmdlet. This cmdlet lets you specify the preferred Active Directory sites for connecting to the Autodiscover service on a specific Client Access server. After you configure site affinity for the Autodiscover service, the client will connect to the Autodiscover service as you specified. For more information about the Set-ClientAccessServer cmdlet, see Set-ClientAccessServer.
Consider a topology that includes one forest with three sites that have the following names:
- US-contoso: A contoso site that is located in North America
- Europe-contoso: A contoso site that is located in Europe
- APAC-contoso: A contoso site that is located in Asia
In this example, the Autodiscover service is enabled on each site and each site includes user mailboxes. The US-contoso site is connected to the Europe-contoso site by using a high-speed connection. The US-contoso site is connected to the APAC-contoso site by using a low-speed connection. The APAC-contoso site is connected to the Europe-contoso site by using a high-speed connection.
Based on these connectivity factors, you might want to allow users in the US-contoso and Europe-contoso sites to use either the US-contoso or the Europe-contoso site, users in Europe-contoso site to use any site to access the Autodiscover service, and users in the APAC-contoso site to use the APAC-contoso or the Europe-contoso site. Finally, the Client Access servers can be reached by using a common internal namespace across all sites.
You can configure site scope for Client Access servers in the US-contoso site, setting them to prefer to use the US-contoso and Europe-contoso Active Directory sites to access the Autodiscover service by using the following command.
Set-ClientAccessServer -Identity "us-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutodiscoverServiceSiteScope "us-contoso","europe-contoso"
You do not have to specify the Active Directory sites to which your users should connect to access the Autodiscover service on Client Access servers in the Europe-contoso site because it connects well to other sites. The following command enables all users in the Europe-Contoso site to access any Client Access server to use the Autodiscover service:
Set-ClientAccessServer -Identity "europe-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml"
Finally, you can configure site scope for the Autodiscover service on Client Access servers in the APAC-contoso site, setting them to prefer to use the APAC-contoso and Europe-contoso sites because they connect well to these sites. To do this, use the following command:
Set-ClientAccessServer -Identity "apac-cas" -AutodiscoverServiceInternalURI "https://internal.contoso.com/autodiscover/autodiscover.xml" -AutodiscoverServiceSiteScope "apac-contoso","europe-contoso"
Therefore, if a client in the US-contoso site has a mailbox located in the Europe-contoso site and tries to locate the Autodiscover service, the client can select the service instance that has site=US-contoso or site=Europe-contoso.
If you do not specify site scope for the Autodiscover service, the client might return the autodiscoverInternalUri parameter for the APAC-contoso site because of the slow connection to the US-contoso site.
Note:
If you do not configure a specific set of Active Directory sites for clients to use, Outlook 2007 will randomly select Client Access servers to use to access the Autodiscover service.
For more information about site affinity, see How to Configure the Autodiscover Service to Use Site Affinity.
Configuring the Autodiscover Service for Multiple Forests
You can deploy Microsoft Exchange by using multiple forests. Two of the multiple forest deployment scenarios are the resource forest topology and the multiple trusted forest topology. The following sections describe how the Autodiscover service is used in these two deployment scenarios.
Configuring the Autodiscover Service in a Resource Forest Topology
If you are using a resource forest topology, user accounts reside in one forest (referred to as a user account forest) and Microsoft Exchange is deployed in a separate forest (referred to as a resource forest). In this scenario, the client contacts Active Directory in the user account forest to locate the URL for the Autodiscover service. Because the service is hosted in the resource forest, you must update Active Directory in the user account forest to include the information that Active Directory requires to enable the client to access the resource forest. To do this, you must create an Autodiscover SCP pointer record in Active Directory in the user account forest. The Autodiscover SCP pointer record includes the Lightweight Directory Access Protocol (LDAP) URL of the resource forest that the client will use to locate the Autodiscover service.
To create the Autodiscover SCP pointer record in the user account forest, run the Export-AutoDiscoveryConfig cmdlet from the resource forest that has the Autodiscover service against the user account forest. For more information, see How to Configure the Autodiscover Service for Multiple Forests.
Configuring the Autodiscover Service in a Multiple Trusted Forest Topology
In the multiple trusted forest scenario, the user accounts and Microsoft Exchange are deployed in multiple forests. Exchange 2007 features such as the Availability service and Unified Messaging rely on the Autodiscover service to access them across forests. In this scenario, the Autodiscover service must be available to users across multiple trusted forests. This scenario resembles the resource forest scenario, except that the Autodiscover SCP object must be configured in all forests. To configure the Autodiscover SCP object in the multiple forest topology, run the Export-AutoDiscoveryConfig cmdlet from each forest that has the Autodiscover service against each target forest where Microsoft Exchange is deployed. For more information, see How to Configure the Autodiscover Service for Multiple Forests.
Hosted Environments and the Autodiscover Service
For hosted environments, the Autodiscover service must be redirected for each hosted domain by using Internet Information Services (IIS). Figure 7 illustrates the Autodiscover service in a hosted environment.
Figure 7 The Autodiscover service in a hosted Exchange environment
For each hosted e-mail domain, you should set up a site together with its corresponding DNS entries. For example, the site for the domain named contoso.no should be called autodiscover.contoso.no, and the site for the domain named example.contoso.se should be called autodiscover.contoso.se. In the site in Figure 7, there is no need for any virtual directories and you do not have to set up SSL certificates.
In IIS Manager, configure redirection for each of your sites to https://mail.contoso.com/autodiscover/autodiscover.xml.
Note:
These sites should be configured only for HTTP (port 80) traffic.
When you configure redirection on these sites, you must use anonymous access and disable authenticated access. Also, make sure that you do not configure other options such as The exact URL entered above, A directory below URL entered, and A permanent redirection for this resource. Configuring redirection in this manner ensures that the Outlook 2007 client receives an HTTP 302 response.
After you configure redirection, Outlook 2007 clients will try to connect to https://contoso.no/autodiscover/ and https://autodiscover.contoso.no/autodiscover/ by using an HTTP POST request. Because these sites are unavailable, Outlook will try an HTTP GET request to http://autodiscover.contoso.no/autodiscover.
Note:
No information, such as the user's e-mail address and password, is sent in this request.
Because redirection is configured on this site, IIS will return a 302 redirection response for https://mail.contoso.com/. The client will receive the response and prompt the user to accept or reject the request. The user must accept this request. After this occurs, the client will then be redirected by using an HTTPS POST request. In this example, there will be no security alert. Finally, the client will receive the necessary Autodiscover service response.
Note:
When you configure a redirector to redirect clients to a new site, as in the previous example, additional SSL certificates are not required. However, you must configure additional IIS sites.
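
The PowerShell below is an added example, not part of the Microsoft document. It models the lookup order described here and under "Connecting to the Autodiscover Service from the Internet", and checks a hosted redirect site's response against what this section requires. The function names, the approved-host list and the sample responses are constructed; the full path used for the HTTP GET is an assumption, because the page abbreviates it.

```powershell
# Added example. All sample data is constructed; nothing here contacts a server.

function Get-AutodiscoverCandidate {
    param([Parameter(Mandatory)][string]$EmailAddress)

    # The primary SMTP domain is everything after the last '@'.
    $at = $EmailAddress.LastIndexOf('@')
    if ($at -lt 1 -or $at -eq $EmailAddress.Length - 1) {
        throw "Not an SMTP address: $EmailAddress"
    }
    $domain = $EmailAddress.Substring($at + 1).ToLowerInvariant()
    $path   = '/autodiscover/autodiscover.xml'

    # Two HTTPS POST targets first, then the plain-HTTP GET that only a
    # redirect site answers. The GET path is an assumption (see lead-in).
    [pscustomobject]@{ Order = 1; Method = 'POST'; Url = "https://$domain$path" }
    [pscustomobject]@{ Order = 2; Method = 'POST'; Url = "https://autodiscover.$domain$path" }
    [pscustomobject]@{ Order = 3; Method = 'GET';  Url = "http://autodiscover.$domain$path" }
}

function Test-AutodiscoverRedirect {
    param(
        [Parameter(Mandatory)][int]$StatusCode,
        [string]$Location,
        # Hosts the provider intends hosted domains to be redirected to.
        [Parameter(Mandatory)][string[]]$ApprovedHost
    )
    $findings = @()

    # The page requires a 302; a permanent redirection must not be configured.
    if ($StatusCode -ne 302) {
        $findings += "Expected HTTP 302, got $StatusCode."
    }

    # The GET is unauthenticated and sent in clear text. The Location it
    # returns is where the client will POST over HTTPS once the user accepts
    # the prompt, so scheme, host and path are all checked.
    $target = $null
    if (-not [Uri]::TryCreate($Location, [UriKind]::Absolute, [ref]$target)) {
        $findings += 'Location header is missing or is not an absolute URL.'
    } else {
        if ($target.Scheme -ne 'https') {
            $findings += "Redirect target is not HTTPS: $Location"
        }
        if ($ApprovedHost -notcontains $target.Host) {
            $findings += "Redirect host is not on the approved list: $($target.Host)"
        }
        if ($target.AbsolutePath -ne '/autodiscover/autodiscover.xml') {
            $findings += "Unexpected redirect path: $($target.AbsolutePath)"
        }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Lookup order for a constructed hosted mailbox address.
Get-AutodiscoverCandidate -EmailAddress 'monica@contoso.no' | Format-Table -AutoSize

# Constructed responses from two port-80 redirect sites (not captured traffic).
$samples = @(
    @{ Site = 'autodiscover.contoso.no'; StatusCode = 302
       Location = 'https://mail.contoso.com/autodiscover/autodiscover.xml' }
    @{ Site = 'autodiscover.contoso.se'; StatusCode = 301
       Location = 'http://mail.contoso.com/autodiscover/autodiscover.xml' }
)
foreach ($s in $samples) {
    $r = Test-AutodiscoverRedirect -StatusCode $s.StatusCode -Location $s.Location `
                                   -ApprovedHost 'mail.contoso.com'
    $verdict = if ($r.Compliant) { 'OK' } else { $r.Findings -join ' ' }
    '{0} -> {1}' -f $s.Site, $verdict
}
```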
Autodiscover Security
If you use a separate site for the Autodiscover service together with an advanced firewall server such as ISA Server 2006, you must configure ISA Server 2006 to have two Web listeners. ISA Server Web listeners are used to indicate the IP address and port for the client to use. The first Web listener is used for the Autodiscover service and the second Web listener is used for the other Microsoft Exchange features, such as Microsoft Exchange ActiveSync and Outlook Anywhere. You can configure the SSL certificate for a single site that uses both Web listeners by using the subject alternate name property of the certificate. For more information, see How to Configure SSL Certificates to Use Multiple Client Access Server Host Names.
By default, Exchange 2007 Setup offers the option to install a self-signed SSL certificate. It is best not to use self-signed certificates for external sites. We recommend that you use a certificate from a trusted certification authority. For more information about how to create and use valid SSL certificates, see the following:
- How to Create a Certificate or Certificate Request for TLS
- How to Obtain a Server Certificate from a Certification Authority
- How to Add Certificate Manager to Microsoft Management Console
For More Information
For more information about the Autodiscover service, see the following:
- Overview of the Autodiscover Service
- Managing the Autodiscover Service
Understanding Proxying and Redirection
In a Microsoft Exchange Server 2007 organization, a computer that is running Exchange 2007 that has the Client Access server role installed can act as a proxy for other Client Access servers within the organization. This is useful when multiple Client Access servers are present in different Active Directory sites in an organization and only one is exposed to the Internet.
A Client Access server can also perform redirection for Microsoft Office Outlook Web Access URLs. Redirection is useful when a user is connecting to a Client Access server that is not in their local Active Directory site.
This section explains proxying and redirection, when each is used, and how to configure your Client Access servers for each scenario.
Note:
If you do not have multiple Active Directory sites in your organization, you do not have to configure Exchange 2007 for proxying or redirection.
Note:
Client Access servers that are not exposed to the Internet do not have to have separate Secure Sockets Layer (SSL) certificates. They can use the self-signed certificate that is installed by default with Exchange 2007.
Overview of Proxying
An Exchange 2007 Client Access server can proxy requests in the following two situations:
- Between Exchange 2007 Client Access servers: Proxying requests between two Exchange 2007 Client Access servers enables organizations that have multiple Active Directory sites to designate one Client Access server as an Internet-facing server and have that server proxy requests to Client Access servers in sites that have no Internet presence. The Internet-facing Client Access server then proxies the request to the Client Access server that is closest to the user's mailbox. This is known as CAS-CAS proxying.
- Between an Exchange 2007 Client Access server and an Exchange Server 2003 front-end server: Proxying requests between an Exchange 2007 Client Access server and a Microsoft Exchange Server 2003 front-end server enables Exchange 2007 and Exchange 2003 to coexist in the same organization. External clients who connect to Outlook Web Access by using the /Exchange virtual directory or connect to Exchange ActiveSync by using the /Microsoft-Server-ActiveSync virtual directory will have their requests proxied to the appropriate Exchange 2003 back-end server.
Proxying is supported for clients that use Outlook Web Access, Exchange ActiveSync, Exchange Web Services, and the Availability service. Figure 8 illustrates how proxying works in an organization that has multiple Client Access servers and multiple mailbox servers.
Note:
In each Exchange organization, only one Client Access server must be Internet-facing. A Client Access server that has no Internet presence does not have to have its own Internet host name. It relies on the Internet-facing Client Access server to proxy all pertinent requests from external clients.
Note:
Proxying will not work for Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) clients. A client who is using POP3 or IMAP4 must connect to a Client Access server in the same Active Directory site as their Mailbox server.
Figure 8 Client Access proxying
In the previous figure, the mailbox of User 1 is located on Mailbox server 01. The mailbox of User 2 is located on Mailbox server 02, and the mailbox of User 3 is located on Mailbox server 03. User 1 can access their mailbox through Client Access server 01 without using proxying. If User 1 tries to access Client Access server 02 by using Exchange ActiveSync, they will receive an error because Client Access server 01 is the appropriate Client Access server for their mailbox. If they try to access Client Access server 02 by using Outlook Web Access, their browser will display a message that includes the correct URL for their Client Access server. This process is known as redirection. If User 3 tries to access Client Access server 02, that server will proxy their request to Client Access server 03. Client Access server 03 is not Internet-facing but can receive requests from other servers inside the firewall. Proxying is not visible to the user.
Note:
Communications between Client Access servers in different sites occur over Secure HTTP (HTTPS).
Proxying for Exchange ActiveSync
The following scenario illustrates how incoming requests are handled for a user who connects to an Exchange 2007 Client Access server named CAS-01 by using a mobile device.
1. The Client Access server queries the Active Directory directory service to determine the location of the user's mailbox and the version of Microsoft Exchange that is installed on the Mailbox server. If the user's mailbox is on an Exchange 2007 computer that has the Mailbox server role installed, go to Step 3.
2. If the user's mailbox is on an Exchange 2003 server, the incoming request is proxied to the Exchange 2003 server that hosts the user's mailbox and the Exchange ActiveSync virtual directory. By default, in Exchange 2003, the Exchange ActiveSync virtual directory was installed on all mailbox servers. If the incoming request is to an Exchange 2007 Client Access server that is in a different Active Directory site than the destination back-end server, the request will be proxied directly to the destination back-end server, even if there is an Exchange 2007 Client Access server within the destination Active Directory site. If the incoming request is to an Exchange 2007 Client Access server within the same Active Directory site as the destination back-end server, the request will be proxied directly to the destination back-end server.
3. If the user's mailbox is on an Exchange 2007 Mailbox server, CAS-01 locates a Client Access server in the same Active Directory site as the user's Mailbox server. If there is a Client Access server that is closer to the user's Mailbox server, Exchange 2007 determines whether the Client Access server has the InternalURL property configured and if the authentication method is Integrated Windows authentication. If so, the user is proxied to the Client Access server specified by the InternalURL property. Otherwise, the request is rejected. An error code is returned to the mobile device if the request is rejected.
Important:
Proxying is not supported between virtual directories that use Basic authentication. For client communications to be proxied between virtual directories on different servers, the virtual directories must use Integrated Windows authentication.
Proxying for Outlook Web Access
The following scenario illustrates how incoming requests are handled for a user who connects to an Exchange 2007 Client Access server named CAS-01 by using Outlook Web Access.
1. The Client Access server queries Active Directory to determine the location of the user's mailbox and the version of Microsoft Exchange that is installed on the Mailbox server. If the user's mailbox is on an Exchange 2007 Mailbox server, go to Step 3.
2. If the user's mailbox is on an Exchange 2003 server and the user tried to access Outlook Web Access by using https://domain name/owa, they will receive an error. If the user tries to access https://domain name/exchange or https://domain name/public, the incoming request is proxied to the Exchange 2003 server that hosts the user's mailbox and the Outlook Web Access virtual directory. If the incoming request is to an Exchange 2007 Client Access server in a different Active Directory site than the destination back-end server, the request will be proxied to the destination back-end server directly, even if there is an Exchange 2007 Client Access server within the destination Active Directory site. If the incoming request is to an Exchange 2007 Client Access server within the same Active Directory site as the destination back-end server, the request will be proxied directly to the destination back-end server.
3. If the user's mailbox is on an Exchange 2007 mailbox server, CAS-01 locates a Client Access server that is in the same Active Directory site as the user's mailbox server. When one is found, Exchange 2007 determines whether the Client Access server has the InternalURL property configured and if the authentication method on the virtual directory is set to Integrated Windows authentication. CAS-01 then determines whether an external URL is specified. If so, the user is redirected to the server that is specified by the ExternalURL property. If an external URL is not specified, CAS-01 will proxy the user's request to the Client Access server that is specified by the InternalURL property.
Note:
An internal URL is configured automatically during Exchange 2007 Setup. For Client Access servers that do not have an Internet presence, the ExternalURL property should be set to $null.
Proxying Configuration
If your Client Access server is Internet-facing, set the ExternalURL property on the Exchange ActiveSync and Outlook Web Access virtual directories by using the Exchange Management Console or the Exchange Management Shell. The InternalURL property is configured automatically during the initial setup of Exchange 2007 and should rarely have to be changed. The ExternalURL property should contain the domain name that is registered for your Exchange organization in DNS. Table 16 contains the appropriate values for the ExternalURL and InternalURL properties for an Internet-facing Client Access server for the Exchange organization that is named www.contoso.com. Table 17 contains the appropriate ExternalURL and InternalURL property values for a non-Internet-facing Client Access server in a second Active Directory site for www.contoso.com. You must configure the authentication method on all these virtual directories to be Integrated Windows authentication. Proxying is not supported for virtual directories that use other authentication methods.
Note:
If new Outlook Web Access virtual directories are created by using the Exchange Management Shell, you must manually configure the InternalURL property on those virtual directories.
Table 16 Proxying InternalURL and ExternalURL settings for an Internet-facing Client Access server

| Exchange 2007 service | InternalURL setting | ExternalURL setting |
|---|---|---|
| Outlook Web Access | https://computername/OWA | https://www.contoso.com/OWA |
| Exchange ActiveSync | https://computername/Microsoft-Server-ActiveSync | https://www.contoso.com/Microsoft-Server-ActiveSync |
| Exchange Web Services | https://computername/EWS | https://www.contoso.com/EWS |
| Availability service | https://computername/AS | https://www.contoso.com/AS |

Table 17 Proxying InternalURL and ExternalURL settings for a non-Internet-facing Client Access server

| Exchange 2007 service | InternalURL setting | ExternalURL setting |
|---|---|---|
| Outlook Web Access | https://computername/OWA | $Null |
| Exchange ActiveSync | https://computername/Microsoft-Server-ActiveSync | $Null |
| Exchange Web Services | https://computername/EWS | $Null |
| Availability service | https://computername/AS | $Null |

For more information about how to configure virtual directories, see the following:
- Managing the Exchange ActiveSync Virtual Directory
- Managing Outlook Web Access Virtual Directories in Exchange Server 2007
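
The Exchange ActiveSync and Outlook Web Access steps above, together with the InternalURL and ExternalURL rules in Tables 16 and 17, reduce to one decision per incoming request. The PowerShell below is an added illustration of that decision, not Exchange code and not part of the Microsoft document. Resolve-CasRequest, the computer names and the sample settings are hypothetical, and rejecting an Outlook Web Access request when the target lacks InternalURL or Integrated Windows authentication is an assumption (the page states rejection explicitly only for Exchange ActiveSync).

```powershell
# Added example. Models what the entry server (CAS-01) does with a request,
# given the mailbox version and the virtual directory settings of the Client
# Access server in the mailbox's Active Directory site.

function Resolve-CasRequest {
    param(
        [Parameter(Mandatory)][ValidateSet('OWA', 'ActiveSync')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('2003', '2007')][string]$MailboxVersion,
        [ValidateSet('/owa', '/exchange', '/public')][string]$RequestedPath = '/owa',
        [bool]$MailboxInEntrySite = $false,
        # Keys: InternalUrl, ExternalUrl, Authentication (hypothetical shape).
        [hashtable]$TargetVdir = @{}
    )

    function New-Result($Action, $Target, $Why) {
        [pscustomobject]@{
            Protocol = $Protocol; Mailbox = $MailboxVersion
            Action = $Action; Target = $Target; Why = $Why
        }
    }

    # Step 2: Exchange 2003 mailbox. The request goes straight to the back-end
    # server, even when the destination site has its own Exchange 2007 CAS.
    if ($MailboxVersion -eq '2003') {
        if ($Protocol -eq 'OWA' -and $RequestedPath -eq '/owa') {
            return New-Result 'Error' $null 'Exchange 2003 mailbox must use /exchange or /public'
        }
        return New-Result 'Proxy' 'Exchange 2003 back-end server' 'legacy mailbox'
    }

    # Step 3: Exchange 2007 mailbox served from the entry site needs no hop.
    if ($MailboxInEntrySite) {
        return New-Result 'Serve' 'CAS-01' 'entry server is in the mailbox site'
    }

    # Cross-site: the target needs InternalURL and Integrated Windows
    # authentication. Basic authentication cannot be proxied.
    $ready = $TargetVdir.InternalUrl -and
             ($TargetVdir.Authentication -eq 'IntegratedWindows')
    if (-not $ready) {
        return New-Result 'Reject' $null 'target needs InternalURL and Integrated Windows authentication'
    }

    # Only Outlook Web Access honours ExternalURL by redirecting the user.
    if ($Protocol -eq 'OWA' -and $TargetVdir.ExternalUrl) {
        return New-Result 'Redirect' $TargetVdir.ExternalUrl 'target site is Internet-facing'
    }
    New-Result 'Proxy' $TargetVdir.InternalUrl 'CAS-CAS proxying'
}

# Constructed settings. 'cas-03' and 'cas-eu' are hypothetical computer names;
# the URL shapes follow Tables 16 and 17.
$owaInternal = @{ InternalUrl = 'https://cas-03/OWA'; ExternalUrl = $null
                  Authentication = 'IntegratedWindows' }
$owaExternal = @{ InternalUrl = 'https://cas-eu/OWA'
                  ExternalUrl = 'https://www.europe.contoso.com/OWA'
                  Authentication = 'IntegratedWindows' }
$easBasic    = @{ InternalUrl = 'https://cas-03/Microsoft-Server-ActiveSync'
                  ExternalUrl = $null; Authentication = 'Basic' }

$cases = @(
    @{ Protocol = 'OWA';        MailboxVersion = '2007'; TargetVdir = $owaInternal }
    @{ Protocol = 'OWA';        MailboxVersion = '2007'; TargetVdir = $owaExternal }
    @{ Protocol = 'ActiveSync'; MailboxVersion = '2007'; TargetVdir = $owaExternal }
    @{ Protocol = 'ActiveSync'; MailboxVersion = '2007'; TargetVdir = $easBasic }
    @{ Protocol = 'OWA';        MailboxVersion = '2003'; RequestedPath = '/owa' }
    @{ Protocol = 'OWA';        MailboxVersion = '2003'; RequestedPath = '/exchange' }
    @{ Protocol = 'ActiveSync'; MailboxVersion = '2003' }
)
$cases | ForEach-Object { $c = $_; Resolve-CasRequest @c } | Format-Table -AutoSize
```

A non-Internet-facing server whose ExternalURL is left populated shows up in this model as a Redirect to a host external users cannot reach, which is why Table 17 sets it to $Null.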
Overview of Redirection
Outlook Web Access users who access an Internet-facing Client Access server that is in a different Active Directory site than the site that contains their mailbox can be redirected to the Client Access server that is in the same site as their Mailbox server if that Client Access server is Internet-facing. When an Outlook Web Access user tries to connect to a Client Access server that is outside the Active Directory site that contains their Mailbox server, they will see a Web page that contains a link to the correct Client Access server for their mailbox.
Figure 9 illustrates how redirection works in an organization that has multiple Client Access servers in multiple Active Directory sites.
Figure 9 Redirection for Outlook Web Access in Exchange 2007
In the previous figure, the mailbox of User 1 is located on Mailbox server 01. The mailbox of User 2 is located on Mailbox server 02, and the mailbox of User 3 is located on Mailbox server 03. User 1 can access their mailbox through Client Access server 01 without using redirection. If User 1 tries to access Client Access server 02, their browser will display a message that includes the correct URL for their Client Access server. The user will be prompted to click the Outlook Web Access URL for their Client Access server. They will not be redirected automatically. If User 3 tries to access Client Access server 02, that server will proxy their request to Client Access server 03. Client Access server 03 is not Internet-facing, but can receive requests from other servers within the firewall. Proxying is not visible to the user.
Note:
Redirection is supported only for clients that use Outlook Web Access. Clients that use Exchange ActiveSync, Exchange Web Services, POP3, and IMAP4 cannot use redirection.
Note:
When you install Exchange 2007, four virtual directories are created for Outlook Web Access: owa, Exchange, Public, and ExchWeb. The owa virtual directory provides access to Exchange 2007 mailboxes. The Exchange and Public virtual directories provide Exchange 2003 mailbox access. If a user who has a mailbox on an Exchange 2003 server logs on by using https://server name/owa, they will receive an error telling them that their mailbox is on an Exchange 2003 server. They must use the Exchange virtual directory. If they log on by using https://server name/Exchange, the Exchange 2007 Client Access server will proxy their request to the Exchange 2003 mailbox server. If a user who has a mailbox on Exchange 2007 accesses Outlook Web Access by using https://server name/owa, they will be able to access their mailbox directly. If they log on to Outlook Web Access by using https://server name/Exchange, they will be redirected to https://server name/owa.
Configuring Redirection
If your Client Access server is Internet-facing, set the ExternalURL property on the Outlook Web Access virtual directories by using the Exchange Management Console or the Exchange Management Shell. The InternalURL property is configured automatically during the initial setup of Exchange 2007 and should rarely have to be changed. You must also configure the authentication method on these virtual directories to be Integrated Windows authentication. Redirection is not supported for virtual directories that use other authentication methods. Tables 18 and 19 list the ExternalURL and InternalURL settings for Client Access servers in two Active Directory sites for Contoso. The two sites are www.usa.contoso.com and www.europe.contoso.com.
Note:
If new Outlook Web Access virtual directories are created by using the Exchange Management Shell, you must manually configure the InternalURL property on those virtual directories.
For more information about how to manage Outlook Web Access virtual directories, see Managing Outlook Web Access Virtual Directories in Exchange Server 2007.
Table 18 Redirection InternalURL and ExternalURL settings for an Internet-facing Client Access server in the usa.contoso.com site

| Exchange 2007 service | InternalURL setting | ExternalURL setting |
|---|---|---|
| Outlook Web Access | https://computername/OWA | https://www.usa.contoso.com/OWA |

Table 19 Redirection InternalURL and ExternalURL settings for an Internet-facing Client Access server in the europe.contoso.com site

| Exchange 2007 service | InternalURL setting | ExternalURL setting |
|---|---|---|
| Outlook Web Access | https://computername/OWA | https://www.europe.contoso.com/OWA |

Disabling Redirection
If your organization has multiple Internet-facing Active Directory sites and the Internet connection to one of those sites is disabled, you can temporarily disable redirection and configure Outlook Web Access to use proxying instead. After the Internet connection in the site that has the problem is restored, you can reinstate redirection. You can disable redirection by using the Set-OWAVirtualDirectory cmdlet with the following syntax:
set-owavirtualdirectory "owa (default web site)" -RedirectToOptimalOWAServer $false
To restore redirection, use the same cmdlet and change the RedirectToOptimalOWAServer parameter to $true.
Proxying with Network Load Balancing
In an organization that has multiple Active Directory sites and multiple Client Access servers in each site, you can use Network Load Balancing (NLB) to optimize traffic among the Client Access servers in each site. We recommend that you include only Client Access servers within the same Active Directory site in a load-balancing array. You can deploy NLB in an Internet-facing Active Directory site and in a non-Internet-facing Active Directory site.
Figure 10 illustrates two Active Directory sites that implement NLB.
Figure 10 Proxying in an organization that uses NLB
Table 20 lists the settings for the virtual directories that are on the Client Access servers CAS-01 and CAS-02 for the Internet-facing Active Directory site www.contoso.com.
Table 20 Virtual directory settings for Internet-facing Client Access servers in an organization that uses NLB

| Virtual directory | InternalURL setting | ExternalURL setting | Authentication method |
| --- | --- | --- | --- |
| /OWA | https://computername/OWA | https://www.contoso.com/OWA | Forms-based authentication if the Internet Security and Acceleration (ISA) Server computer is using forms-based authentication. If the ISA Server computer is not using forms-based authentication, use Integrated Windows authentication. |
| /OAB | https://computername/OAB | https://www.contoso.com/OAB | Integrated Windows authentication |
| /UnifiedMessaging | https://computername/UnifiedMessaging | https://www.contoso.com/UnifiedMessaging | Integrated Windows authentication |
| /Microsoft-Server-ActiveSync | https://computername/Microsoft-Server-ActiveSync | https://www.contoso.com/Microsoft-Server-ActiveSync | Integrated Windows authentication |
| /EWS | https://computername/EWS | https://www.contoso.com/EWS | Integrated Windows authentication |
The non-Internet-facing Active Directory site has three servers: CAS-03, CAS-04, and CAS-05.
Table 21 lists the settings for the virtual directories for all three servers.

Table 21 Virtual directory settings for non-Internet-facing Client Access servers in an organization that uses NLB

| Virtual directory | InternalURL setting | ExternalURL setting | Authentication method |
| --- | --- | --- | --- |
| /OWA | https://computername/OWA | $Null | Integrated Windows authentication |
| /AS | https://NLBname/AS | $Null | Integrated Windows authentication |
| /OAB | https://NLBname/OAB | $Null | Integrated Windows authentication |
| /UnifiedMessaging | https://NLBname/UnifiedMessaging | $Null | Integrated Windows authentication |
| /Microsoft-Server-ActiveSync | https://NLBname/Microsoft-Server-ActiveSync | $Null | Integrated Windows authentication |
| /EWS | https://computername/EWS | $Null | Integrated Windows authentication |
The ExternalURL property for all the virtual directories should be set to $Null. If the
ExternalURL property is set to anything other than $Null, the non-Internet-facing Client
Access servers will operate as if they are exposed to the Internet, and will prevent clients
from successfully connecting to these servers.
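The following Exchange Management Shell script is an added example, not part of the original document: a read-only audit that lists every virtual directory on the non-Internet-facing Client Access servers whose ExternalUrl is not $null. The server names are taken from the CAS-03, CAS-04, and CAS-05 example above and are assumptions about your environment.

```powershell
# Added example (not from the original document): read-only audit of ExternalUrl
# on non-Internet-facing Client Access servers. Run in the Exchange Management Shell.

# Assumption: these are the non-Internet-facing servers from the example above.
$internalOnlyCas = "CAS-03", "CAS-04", "CAS-05"

# Get-* cmdlets for the OWA, OAB, Unified Messaging, Exchange ActiveSync and
# Exchange Web Services virtual directories.
$getters = "Get-OwaVirtualDirectory",
           "Get-OabVirtualDirectory",
           "Get-UMVirtualDirectory",
           "Get-ActiveSyncVirtualDirectory",
           "Get-WebServicesVirtualDirectory"

$findings = @()
foreach ($server in $internalOnlyCas) {
    foreach ($getter in $getters) {
        # Invoke the cmdlet by name and keep only directories whose ExternalUrl is set.
        $findings += @(& $getter -Server $server |
            Where-Object { $_.ExternalUrl -ne $null } |
            Select-Object Server, Name, InternalUrl, ExternalUrl)
    }
}

if ($findings.Count -eq 0) {
    Write-Host "OK: ExternalUrl is `$null on every audited virtual directory."
} else {
    Write-Host "ExternalUrl is set on the following virtual directories:"
    $findings | Format-Table -AutoSize
}
```

Any row in the output is a directory that makes its server behave as if it were Internet-facing; clear the value with the matching Set-* cmdlet and -ExternalUrl $null.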
Outlook Web Access and Exchange Web Services handle load balancing differently than the
Availability service and Exchange ActiveSync. Outlook Web Access and Exchange Web
Services implement their own load balancing when they are deployed on multiple Client
Access servers within the same Active Directory site. If a user tries to access
Outlook Web Access through https://www.contoso.com/OWA and is proxied to CAS-01, the
next time that user tries to access Outlook Web Access, they will again be proxied to CAS-01,
even if CAS-02 has fewer concurrent connections. This occurs because of cookie-based load
balancing. If CAS-01 is unavailable, the user will be proxied to CAS-02.
The process is different for Exchange ActiveSync. When an Internet-facing Client Access
server proxies a request to a non-Internet-facing Client Access server, the connection is
maintained by using information that is stored in the local Administrator account. This
connection can then be used by other user requests. In a Network Load Balancing situation,
the Client Access servers in the Internet-facing NLB will establish connections to the Client
Access servers in the non-Internet-facing NLB. The number of connections will be equal to
the number of Client Access servers in the destination Active Directory site. We recommend
implementing round robin load balancing within the NLB array.
For the Availability service, we also recommend round robin load balancing. Availability
service requests do not have to maintain their connection state. In other words, two
consecutive Availability service requests from the same client can be proxied to different
Client Access servers in the destination Active Directory site without affecting performance.
For more information about Network Load Balancing, see the Windows Server 2003
documentation.
Summary of Client Access Methods
Table 22 summarizes the protocols that are used to access Exchange 2007 and how they are
used for proxying and redirection.

Table 22 Client Access protocols for redirection and proxying

| Protocol | Client Access server to Mailbox server communication supported between Active Directory sites | Redirection supported between Client Access servers | Proxying supported between Client Access servers | Comments |
| --- | --- | --- | --- | --- |
| Outlook Web Access | No | Yes | Yes | Must have a Client Access server in each Active Directory site to use Outlook Web Access. |
| Exchange ActiveSync | No | No (unnecessary) | Yes | Must have a Client Access server in each Active Directory site to use Exchange ActiveSync. |
| Exchange Web Services | No | No | Yes | Must have a Client Access server in each Active Directory site to use Exchange Web Services. |
| Availability service (used by Office Outlook 2007) | No | No (unnecessary) | Yes | Must have a Client Access server in each Active Directory site to use the Availability service. |
| Outlook Anywhere (RPC over HTTP) | Yes, with RPC | No | Not applicable | Not applicable |
| WebDAV and Exchange 2000 Server or Exchange 2003 | Yes, over HTTP | No | Not applicable | Not applicable |
| POP3 and IMAP4 | No | No | No | POP3 and IMAP4 clients must access a Client Access server in the same Active Directory site as their mailbox. |
Proxying Performance and Scalability
In an Exchange 2007 proxying environment, poor performance can frequently result when the
Client Access servers receive lots of concurrent requests. This problem is frequently caused
by the exhaustion of threads and available connections due to Web service requests from
ASP.NET. This can cause the Client Access server to deny requests or exhibit high latency
when the requests are being processed.
To resolve these issues, you can configure several ASP.NET parameters by editing the
Machine.config file on the Client Access server computers. For more information about how
to configure these parameters, see Microsoft Knowledge Base article 821268, Contention,
poor performance, and deadlocks when you make Web service requests from ASP.NET
applications.
Two of the parameters that are explained in the previous Knowledge Base article must be set
differently in an Exchange 2007 proxying environment. We recommend that you allow for 36
threads per processor and that you set the maxconnections value to 2000.
For more information about server performance, see the following:
- Managing the .NET Framework on Windows Server 2003
For More Information
For more information, see the following:
- Planning for Client Access Servers
- Managing Outlook Web Access
- Managing Exchange ActiveSync
- Managing the Availability Service
- Managing Outlook Web Access Virtual Directories in Exchange 2007
- Managing the Exchange ActiveSync Virtual Directory
Overview of Client Access Server Security
Microsoft Exchange Server 2007 incorporates several features to enhance the security of
your Exchange 2007 organization. By default, communication between
Exchange 2007 computers is encrypted. Also by default, Secure Sockets Layer (SSL) is
required on all virtual directories, and a self-signed certificate is installed.
Overview of SSL for Client Access Servers
When you install Exchange 2007, a self-signed SSL certificate is installed. You can use this
self-signed SSL certificate to encrypt communication between clients and the Client Access
server, or you can replace the self-signed certificate with another certificate. There are two
sources for SSL certificates: a Microsoft Windows public key infrastructure (PKI) and a
commercial third party. For more information about SSL certificates, see Understanding SSL
for Client Access Servers.
Overview of Using ISA Server 2006 for Client Access
Microsoft Internet Security and Acceleration (ISA) Server 2006 and Exchange Server 2007
are designed to work together to provide a more secure messaging environment. ISA Server
acts as an advanced firewall that controls Internet-based traffic between multiple networks
that are connected to it through its multi-networking feature. When you deploy ISA Server
2006 for Exchange 2007, ISA Server handles all client requests for Exchange information.
This includes incoming and outgoing Internet communication. For more information about ISA
Server 2006, see the following:
- Configuring ISA Server 2006 for Exchange Client Access
- Using ISA Server 2006 with Exchange 2007
For More Information
For more information about Client Access Server security, see the following:
- Managing Client Access Security
- Managing SSL For a Client Access Server
- Using ISA Server 2006 with Exchange 2007
Configuring ISA Server 2006 for Exchange Client Access
Microsoft Internet Security and Acceleration (ISA) Server 2006 and
Microsoft Exchange Server 2007 are designed to work together to provide a more secure
messaging environment.
ISA Server 2006 and Exchange 2007
ISA Server acts as an advanced firewall that controls Internet-based traffic between multiple
networks that are connected to it through its multi-networking feature. When you deploy ISA
Server 2006 for Exchange 2007, ISA Server handles all client requests for
Exchange information. This includes incoming and outgoing Internet communication.
Benefits of Using ISA Server 2006 with Exchange 2007
New features for ISA Server 2006 are designed specifically to enhance functionality for
Exchange 2007. Table 23 describes these features.

Table 23 New features for ISA Server 2006 and Exchange 2007

Feature: Web Publishing Load Balancing
Description: ISA Server 2006 balances the request from the client to an array of published servers. This eliminates the need to deploy Network Load Balancing (NLB) on the published array.
How To: Web load balancing features are automatically implemented when you publish Outlook Web Access and Outlook Anywhere. Outlook Web Access automatically selects a rule by using cookie-based load balancing. With cookie-based load balancing, all requests related to the same session (the same unique cookie provided by the server in each response) are forwarded to the same server. Outlook Anywhere uses source-IP based load balancing. With source-IP based load balancing, all requests from the same client (source) IP address are forwarded to the same server.

Feature: Link Translation
Description: Some published Web sites may include references to internal names of computers. Because only the ISA Server 2006 firewall and external namespaces are available to external clients, these references appear as broken links. ISA Server 2006 includes a link translation feature that you can use to create a dictionary of definitions for internal computer names that map to publicly known names.
How To: ISA Server 2006 implements link translation automatically when you configure Web publishing for Outlook Web Access.

Feature: Secure Sockets Layer (SSL) Bridging Support
Description: For authenticated and encrypted client access, ISA Server 2006 provides end-to-end security and application layer filtering by using SSL-to-SSL bridging. This means that encrypted data is inspected before it reaches the Exchange server. The ISA Server 2006 firewall decrypts the SSL stream, performs stateful inspection, and then re-encrypts the data and forwards it to the published Web server. Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid.
How To: ISA Server 2006 implements SSL Bridging Support automatically when you configure Web publishing for Outlook Web Access.
In addition to the features listed in Table 23, ISA Server 2006 is designed to work specifically
with the client access methods that you can use with Exchange 2007.
New Exchange Publishing Rule Wizard
When you deploy ISA Server 2006, you use the New Publishing Rule Wizard on the firewall
policy tasks to help you with the settings that must be configured to allow access for the
following features:
- Outlook Web Access: When you deploy ISA Server 2006 for Outlook Web Access,
  you use the New Exchange Publishing Rule Wizard that is on the Firewall Policy tasks.
  This new wizard shows the specific settings that must be configured to allow for client
  access by using Outlook Web Access. For more information about how to configure ISA
  Server 2006 to use Outlook Web Access, see Using ISA Server 2006 with Outlook Web
  Access.
- Exchange ActiveSync: When you deploy ISA Server 2006 for
  Exchange ActiveSync, you use the New Exchange Publishing Rule Wizard on the
  Firewall Policy tasks. This new wizard shows you the specific settings that must be
  configured to allow for Exchange ActiveSync access. Follow the instructions in the New
  Exchange Publishing Rule Wizard for ISA Server 2006 to configure your Exchange
  deployment to use Exchange ActiveSync.
- Outlook Anywhere: When you deploy ISA Server 2006 for Outlook Anywhere, you
  use the New Exchange Publishing Rule Wizard on the Firewall Policy tasks. This new
  wizard shows you the specific settings that must be configured to allow for Outlook
  Anywhere access. Follow the instructions in the New Exchange Publishing Rule Wizard
  for ISA Server 2006 to configure your Exchange deployment to use Outlook Anywhere.
- POP3 and IMAP4 Access: When you deploy ISA Server 2006 for POP3 and IMAP4
  access to Exchange 2007, you use the New Exchange Publishing Rule Wizard on the
  Firewall Policy tasks. This new wizard shows you the specific settings that must be
  configured to allow for POP3 and IMAP4 access. Follow the instructions in the New
  Exchange Publishing Rule Wizard for ISA Server 2006 to configure your Exchange
  deployment to use POP3 and IMAP4.
Understanding SSL for Client Access Servers
Secure Sockets Layer (SSL) is a method for securing communications between a client and a
server. For a computer that is running Microsoft Exchange Server 2007 that has the Client
Access server role installed, SSL is used to help secure communications between the server
and the clients. Clients include mobile devices, computers inside an organization's network,
and computers outside an organization's network. These include clients with and without
virtual private network (VPN) connections.
By default, when you install Exchange 2007, client communications are encrypted by using
SSL when you use Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere. By
default, Post Office Protocol version 3 (POP3) and Internet Message Access Protocol Version
4 rev1 (IMAP4) are not configured to communicate over SSL.
SSL requires that you use digital certificates. This section provides an overview of the various
types of digital certificates and information about how to configure the Client Access server to
use these types of digital certificates.
Overview of Digital Certificates
Digital certificates are electronic files that work like an online password to verify the identity of
a user or a computer. They are used to create the SSL encrypted channel that is used for
client communications. A certificate is a digital statement that is issued by a certification
authority (CA) that vouches for the identity of the certificate holder and enables the parties to
communicate in a secure manner by using encryption.
Digital certificates do the following:
- They authenticate that their holders (people, Web sites, and even network resources
  such as routers) are truly who or what they claim to be.
- They protect data that is exchanged online from theft or tampering.
Digital certificates can be issued by a trusted third-party CA or a Microsoft Windows public
key infrastructure (PKI) by using Certificate Services, or they can be self-signed. Each type of
certificate has advantages and disadvantages. Each type of digital certificate is tamper-proof
and cannot be forged.
Certificates can be issued for several uses. These uses include Web user authentication,
Web server authentication, Secure/Multipurpose Internet Mail Extensions (S/MIME), Internet
Protocol security (IPsec), Transport Layer Security (TLS), and code signing.
A certificate contains a public key and attaches that public key to the identity of a person,
computer, or service that holds the corresponding private key. The public and private keys are
used by the client and the server to encrypt the data before it is transmitted. For
Microsoft Windows-based users, computers, and services, trust in a CA is established when
there is a copy of the root certificate in the trusted root certificate store and the certificate
contains a valid certification path. For the certificate to be valid, the certificate must not have
been revoked and the validity period must not have expired.
Types of Certificates
There are three primary types of digital certificates: self-signed certificates, Windows PKI-
generated certificates, and third-party certificates.
Self-Signed Certificates
When you install Exchange 2007, a self-signed certificate is automatically configured. A
self-signed certificate is signed by the application that created it. The subject and the name of the
certificate match. The issuer and the subject are defined on the certificate. A self-signed
certificate will allow some client protocols to use SSL for their communications.
Microsoft Exchange ActiveSync and Office Outlook Web Access can establish an SSL
connection by using a self-signed certificate. Outlook Anywhere will not work with a
self-signed certificate. Self-signed certificates must be manually copied to the trusted root
certificate store on the client computer or mobile device. When a client connects to a server
over SSL and the server presents a self-signed certificate, the client will be prompted to verify
that the certificate was issued by a trusted authority. The client must explicitly trust the issuing
authority. If the client continues, SSL communications can continue.
Frequently, small organizations decide not to use a third-party certificate or not to install their
own PKI to issue their own certificates because of the expense, because their administrators
lack the experience and knowledge to create their own certificate hierarchy, or for both
reasons. The cost is minimal and the setup is simple when you use self-signed certificates.
However, it is much more difficult to establish an infrastructure for certificate life-cycle
management, renewal, trust management, and revocation when you use self-signed
certificates.
Windows Public Key Infrastructure Certificates
The second type of certificate is a Windows PKI-generated certificate. A PKI is a system of
digital certificates, certification authorities, and registration authorities (RAs) that verify and
authenticate the validity of each party that is involved in an electronic transaction by using
public key cryptography. When you implement a CA in an organization that uses
Active Directory, you provide an infrastructure for certificate life-cycle management, renewal,
trust management, and revocation. However, there is some additional cost involved in
deploying servers and infrastructure to create and manage Windows PKI-generated
certificates.
Certificate Services are required to deploy a Windows PKI and can be installed through Add
Or Remove Programs in Control Panel. You can install Certificate Services on any server in
the domain.
If you obtain certificates from a domain-joined Windows CA, you can use the CA to request or
sign certificates to issue to your own servers or computers on your network. This enables you
to use a PKI that resembles a third-party certificate vendor, but is less expensive. Although
these PKI certificates cannot be deployed publicly, as other types of certificates can be, when
a PKI CA signs the requestor's certificate by using the private key, the requestor is verified.
The public key of this CA is part of the certificate. A server that has this certificate in the
trusted root certificate store can use that public key to decrypt the requestor's certificate and
authenticate the requestor.
The steps for deploying a PKI-generated certificate resemble those required for deploying a
self-signed certificate. You must still install a copy of the trusted root certificate from the PKI
to the trusted root certificate store of the computers or mobile devices that you want to be
able to establish an SSL connection to Microsoft Exchange.
A Windows PKI enables organizations to publish their own certificates. Clients can request
and receive certificates from a Windows PKI on the internal network. The Windows PKI can
renew or revoke certificates.
For more information, see the following:
- For more information about certificates, see Public Key Infrastructure for Windows
  Server 2003.
- For more information about best practices for implementing a Windows PKI, see Best
  Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure.
- For more information about how to deploy a Windows-based PKI, see the Windows
  Server 2003 PKI Operations Guide.
Trusted Third-Party Certificates
Third-party or commercial certificates are certificates that are generated by a third-party or
commercial CA and then purchased for you to use on your network servers. One problem
with self-signed and PKI-based certificates is that, because the certificate is not automatically
trusted by the client computer or mobile device, you must make sure that you import the
certificate into the trusted root certificate store on client computers and devices. Third-party or
commercial certificates do not have this problem. Most commercial CA certificates are
already trusted because the certificate already resides in the trusted root certificate store.
Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
greatly simplifies deployment.
For larger organizations or organizations that must publicly deploy certificates, the best
solution is to use a third-party or commercial certificate, even though there is a cost
associated with the certificate. Commercial certificates may not be the best solution for small
and medium-size organizations, and you might decide to use one of the other certificate
options that are available.
Choosing a Certificate Type
When you choose the type of certificate to install, there are several factors to consider. A
certificate must be signed to be valid. It can be self-signed or signed by a CA. A self-signed
certificate has limitations. For example, not all mobile devices let a user install a digital
certificate in the trusted root certificate store. The ability to install certificates on a mobile
device depends on the mobile device manufacturer and the mobile operator. Some
manufacturers and mobile operators disable access to the trusted root certificate store. In this
case, neither a self-signed certificate nor a certificate from a Windows PKI CA can be
installed on the mobile device.
Most mobile devices have several trusted third-party commercial certificates preinstalled. For
the optimal user experience, implement certificate-based authentication for
Exchange ActiveSync by using devices that are running Windows Mobile 6.0 and a digital
certificate from a trusted third-party CA.
For More Information
For more information, see the following:
- Managing SSL For a Client Access Server
- How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
- How to Install Certificates on a Windows Mobile Powered Device
Securing Exchange Server 2007 Client Access
This section provides an overview of the security and authentication related options that are
available for a Microsoft Exchange Server 2007 computer that has the Client Access server
role installed. The Client Access server role provides access to
Microsoft Office Outlook Web Access, Microsoft Exchange ActiveSync, Outlook Anywhere,
Post Office Protocol version 3 (POP3), and Internet Message Access Protocol version 4rev1
(IMAP4). In addition, it supports the Autodiscover service and the Availability service. Each of
these protocols and services has unique security needs.
Managing Authentication
One of the most important security-related tasks that you can perform for the Client Access
server role is to configure an authentication method. The Client Access server role is installed
with a default self-signed digital certificate. A digital certificate does two things:
- It authenticates that its holder is who or what they claim to be.
- It helps protect data exchanged online from theft or tampering.
Although the default, self-signed certificate is supported for Exchange ActiveSync and
Outlook Web Access, it is not the most secure method of authentication. In addition, it is not
supported for Outlook Anywhere. For additional security, consider configuring your
Exchange 2007 Client Access server to use a trusted certificate from a third-party commercial
certification authority (CA) or a trusted Windows public key infrastructure (PKI) CA. You can
configure authentication separately for Exchange ActiveSync, Outlook Web Access, Outlook
Anywhere, POP3, and IMAP4.
For more information about how to configure authentication, see the following:
- Choosing an Authentication Method for Your Exchange ActiveSync Server
- Configuring Standard Authentication Methods for Outlook Web Access
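An added example, not from the original document: an Exchange Management Shell check that lists the certificates enabled for IIS on a Client Access server (the service that carries Outlook Web Access, Exchange ActiveSync, and Outlook Anywhere) that are still self-signed, expired, or close to expiry. The 30-day warning window is an assumption; adjust it to your renewal policy.

```powershell
# Added example (not from the original document): report IIS-enabled certificates
# that are self-signed, expired, or close to expiry.
# Run in the Exchange Management Shell on the Client Access server.

# Assumption: 30 days is an arbitrary renewal warning window.
$warnDays = 30
$now      = Get-Date
$deadline = $now.AddDays($warnDays)

Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object {
        $issues = @()
        # The default certificate created by Setup is self-signed.
        if ($_.IsSelfSigned) { $issues += "self-signed" }
        # A certificate outside its validity period is not valid.
        if ($_.NotAfter -lt $now) {
            $issues += "expired"
        } elseif ($_.NotAfter -lt $deadline) {
            $issues += "expires within $warnDays days"
        }
        if ($issues.Count -gt 0) {
            "{0}  {1}  NotAfter={2:yyyy-MM-dd}  [{3}]" -f `
                $_.Thumbprint, $_.Subject, $_.NotAfter, [string]::Join(", ", $issues)
        }
    }
```

No output means every IIS-enabled certificate on the server is CA-issued and outside the warning window.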
Enhancing Secure Communications Between the Client Access Server and Other Servers
After you optimize the security of communications between clients and the
Exchange 2007 Client Access server, you must optimize the security of the communications
between the Exchange 2007 Client Access server and other servers in your organization. By
default, HTTP, Exchange ActiveSync, POP3, and IMAP4 communication between the Client
Access server and other servers, such as Exchange 2007 servers that have the Mailbox
server role installed, domain controllers, and global catalog servers, is encrypted.
For More Information
For more information about how to manage security for the various components of your Client
Access server, see the following:
- Understanding Security for Exchange ActiveSync
- Understanding Security for Outlook Web Access
- Understanding Security for Outlook Anywhere
- Understanding Security for POP3 and IMAP4
New Security Features for Exchange Server 2007
Microsoft Exchange Server 2007 builds on earlier versions of Microsoft Exchange to provide
a high level of messaging security. This includes integration with Internet Security and
Acceleration (ISA) Server 2006 in addition to new features for client access by
using Microsoft Exchange ActiveSync and Microsoft Office Outlook Web Access. This section
describes the new security features that are available for Exchange 2007. Table 24 describes
each feature and provides links to more information about each feature.
Table 24 New security features in Exchange 2007

Feature name: ISA Server 2006 integration
Description: Microsoft ISA Server 2006 and Exchange 2007 are designed to work closely together in your network to provide a more secure messaging environment.
For more information: Understanding ISA Server 2006 with Exchange Server 2007

Feature name: Remote device wipe
Description: If a user's mobile device is lost, stolen, or otherwise compromised, you can issue a remote device wipe command from the Exchange server or from any Web browser by using Outlook Web Access. This command erases all data from the mobile device.
For more information:
- Understanding Remote Device Wipe
- How to Perform a Remote Wipe on a Device

Feature name: Exchange ActiveSync policies
Description: Exchange ActiveSync mailbox policies let you apply a common set of policy or security settings to a user or group of users. Exchange ActiveSync mailbox policies can be created in the Exchange Management Console or the Exchange Management Shell. You can use Exchange ActiveSync mailbox policies to manage a variety of settings. These include the following settings:
- Require a password
- Specify the minimum password length
- Require a number or special character in the password
- Designate how long a device can be inactive before the user is required to reenter a password
- Wipe a device after a specific number of failed password attempts
For more information:
- Managing Exchange ActiveSync with Policies
- Understanding Exchange ActiveSync Mailbox Policies

Feature name: WebReady Document Viewing
Description: WebReady Document Viewing lets users access file attachments in Outlook Web Access. Users can access common file types such as Microsoft Office Word documents without having the application installed.
For more information:
- How to Manage WebReady Document Viewing
- Managing File and Data Access for Outlook Web Access

Feature name: Access to Windows SharePoint Services document libraries and Windows file shares
Description: By using Outlook Web Access, you can access remote files that are stored on Windows SharePoint Services and Windows file share (also known as UNC) servers. You can configure how users interact with files on these servers by using the Allow and Block options in the Exchange Management Console. This means that you can specify which servers your users can access. You can also specify the behavior for Windows SharePoint Services and Windows file share servers that have not been specifically allowed or blocked when users try to access them by using Outlook Web Access.
For more information: Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access

Feature name: Direct file access
Description: In addition to file access within Outlook Web Access, you can also configure how users interact with files by using the Allow, Block, or Force Save options for direct file access in the Exchange Management Console. This means that you can specify the types of files that users can access. More important, you can directly specify which types of files are prohibited.
For more information: How to Manage Public and Private Computer File Access

Feature name: Segmentation of features in Outlook Web Access
Description: Segmentation lets you enable and disable features that are available to users in Exchange 2007 Outlook Web Access. By default, any mail-enabled user in your Exchange 2007 organization can access their mailbox by using Outlook Web Access. Depending on the needs of your organization, you can use segmentation to configure the following restrictions for user access:
- Restrict access to Outlook Web Access for specific users.
- Control access to certain Outlook Web Access features for specific users.
- Disable an Outlook Web Access feature completely.
For more information: How to Manage Segmentation in Outlook Web Access

Feature name: Controlling Web beacons and HTML forms in messages
Description: In Outlook Web Access, an incoming e-mail message that has any content that can be used as a Web beacon prompts Outlook Web Access to display a warning message to the user to inform them that the content has been blocked. This occurs regardless of whether the message actually contains a Web beacon. If a user knows that a message is legitimate, they can enable the blocked content. If a user does not recognize the sender or the message, they can open the message without unblocking the content and then delete the message without triggering beacons. If your organization does not want to use this feature, you can disable the blocking option for Outlook Web Access.
For more information: How to Control Web Beacon and HTML Form Filtering for Outlook Web Access

For More Information
- For more information about Outlook Web Access security features, see Understanding
  Security for Outlook Web Access.
- For more information about Exchange ActiveSync security features, see Understanding
  Security for Exchange ActiveSync.
Understanding SSL for Client Access
Secure Sockets Layer (SSL) is a method for securing communications between a client and a server. For a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed, SSL is used to help secure communications between the server and the clients. Clients include mobile devices, computers inside an organization's network, and computers outside an organization's network. These include clients that have virtual private network (VPN) connections and clients that do not.
By default, when you install Exchange 2007, client communications are encrypted by using SSL when you use Microsoft Office Outlook Web Access, Microsoft Exchange ActiveSync, and Outlook Anywhere. By default, Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) are not configured to communicate over SSL.
SSL requires that you use digital certificates. This section provides an overview of the various types of digital certificates and information about how to configure the Client Access server to use these types of digital certificates.
Overview of Digital Certificates
Digital certificates are electronic files that work like an online password to verify the identity of a user or a computer. They are used to create the SSL-encrypted channel that is used for client communications. A certificate is a digital statement that is issued by a certification authority (CA) that vouches for the identity of the certificate holder and enables the parties to communicate in a secure manner by using encryption.
Digital certificates do the following:
- They authenticate that their holders (people, Web sites, and even network resources such as routers) are truly who or what they claim to be.
- They help protect data that is exchanged online from theft or tampering.
Digital certificates can be issued by a trusted third-party CA or a Microsoft Windows public key infrastructure (PKI) by using Certificate Services, or they can be self-signed. Each type of certificate has advantages and disadvantages. Each type of digital certificate is tamper-proof and cannot be forged.
Certificates can be issued for several uses. These uses include Web user authentication, Web server authentication, Secure/Multipurpose Internet Mail Extensions (S/MIME), Internet Protocol security (IPsec), Transport Layer Security (TLS), and code signing.
A certificate contains a public key and attaches that public key to the identity of a person, computer, or service that holds the corresponding private key. The public and private keys are used by the client and the server to encrypt the data before it is transmitted. For Microsoft Windows-based users, computers, and services, trust in a CA is established when there is a copy of the root certificate in the trusted root certificate store and the certificate contains a valid certification path. For the certificate to be valid, the certificate must not have been revoked and the validity period must not have expired.
Types of Certificates
There are three primary types of digital certificates: self-signed certificates, Windows PKI-generated certificates, and third-party certificates.
Self-Signed Certificates
When you install Exchange 2007, a self-signed certificate is automatically configured. A self-signed certificate is signed by the application that created it. The subject and the name of the certificate match. The issuer and the subject are defined on the certificate. A self-signed certificate will allow some client protocols to use SSL for their communications. Exchange ActiveSync and Outlook Web Access can establish an SSL connection by using a self-signed certificate. Outlook Anywhere will not work with a self-signed certificate. Self-signed certificates must be manually copied to the trusted root certificate store on the client computer or mobile device. When a client connects to a server over SSL and the server presents a self-signed certificate, the client will be prompted to verify that the certificate was issued by a trusted authority. The client must explicitly trust the issuing authority. If the client continues, SSL communications can continue.
Frequently, small organizations decide not to use a third-party certificate or not to install their own PKI to issue their own certificates because of the expense, because their administrators lack the experience and knowledge to create their own certificate hierarchy, or for both reasons. The cost is minimal and the setup is simple when you use self-signed certificates. However, it is much more difficult to establish an infrastructure for certificate life-cycle management, renewal, trust management, and revocation when you use self-signed certificates.
Windows Public Key Infrastructure Certificates
The second type of certificate is a Windows PKI-generated certificate. A PKI is a system of digital certificates, certification authorities, and registration authorities (RAs) that verify and authenticate the validity of each party that is involved in an electronic transaction by using public key cryptography. When you implement a CA in an organization that uses the Active Directory directory service, you provide an infrastructure for certificate life-cycle management, renewal, trust management, and revocation. However, there is some additional cost involved in deploying servers and infrastructure to create and manage Windows PKI-generated certificates.
Certificate Services are required to deploy a Windows PKI and can be installed through Add or Remove Programs in Control Panel. You can install Certificate Services on any server in the domain.
If you obtain certificates from a domain-joined Windows CA, you can use the CA to request or sign certificates to issue to your own servers or computers on your network. This enables you to use a PKI that resembles a third-party certificate vendor, but is less expensive. Although these PKI certificates cannot be deployed publicly, as other types of certificates can be, when a PKI CA signs the requestor's certificate by using the private key, the requestor is verified. The public key of this CA is part of the certificate. A server that has this certificate in the trusted root certificate store can use that public key to decrypt the requestor's certificate and authenticate the requestor.
The steps to deploy a PKI-generated certificate resemble those required to deploy a self-signed certificate. You must still install a copy of the trusted root certificate from the PKI to the trusted root certificate store of the computers or mobile devices that you want to be able to establish an SSL connection to Microsoft Exchange.
A Windows PKI enables organizations to publish their own certificates. Clients can request and receive certificates from a Windows PKI on the internal network. The Windows PKI can renew or revoke certificates.
For more information, see the following:
- For more information about certificates, see Public Key Infrastructure for Windows Server 2003.
- For more information about best practices for implementing a Windows PKI, see Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure.
- For more information about how to deploy a Windows-based PKI, see the Windows Server 2003 PKI Operations Guide.
Trusted Third-Party Certificates
Third-party or commercial certificates are certificates that are generated by a third-party or commercial CA and then purchased for you to use on your network servers. One problem with self-signed and PKI-based certificates is that, because the certificate is not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. Third-party or commercial certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates greatly simplifies deployment.
For larger organizations or organizations that must publicly deploy certificates, the best solution is to use a third-party or commercial certificate, even though there is a cost associated with the certificate. Commercial certificates may not be the best solution for small and medium-size organizations, and you might decide to use one of the other certificate options that are available.
Choosing a Certificate Type
When you choose the type of certificate to install, there are several factors to consider. A certificate must be signed to be valid. It can be self-signed or signed by a CA. A self-signed certificate has limitations. For example, not all mobile devices let a user install a digital certificate in the trusted root certificate store. The ability to install certificates on a mobile device depends on the mobile device manufacturer and the mobile operator. Some manufacturers and mobile operators disable access to the trusted root certificate store. In this case, neither a self-signed certificate nor a certificate from a Windows PKI CA can be installed on the mobile device.
Most mobile devices have several trusted third-party commercial certificates preinstalled. For the optimal user experience, implement certificate-based authentication for Exchange ActiveSync by using devices that are running Windows Mobile 6.0 and a digital certificate from a trusted third-party CA.
For More Information
For more information, see the following:
- Managing SSL For a Client Access Server
- How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
- How to Install Certificates on a Windows Mobile Powered Device
- How to Configure Outlook Web Access Virtual Directories to use SSL
Understanding ISA Server 2006 with Exchange Server 2007
This section provides an overview of how to configure Microsoft Internet Security and Acceleration (ISA) Server 2006 on a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed. To help secure your Exchange 2007 deployment, you can use software and hardware firewall solutions. We recommend that you use an advanced firewall server such as ISA Server 2006 with Exchange 2007 because these two products were designed to work together to help secure and enhance the client access experience.
ISA Server 2006 and Exchange 2007
When you use the New Exchange Publishing Rule Wizard to configure your ISA Server computer to allow client access, you automatically configure ISA Server settings that are required for the new features that are in both Exchange 2007 and ISA Server 2006 to work correctly. For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006.
ISA Server 2006 and Outlook Web Access
Microsoft Office Outlook 2007 for Exchange Server 2007 is designed to take full advantage of the new features that are available in ISA Server 2006. When you deploy Exchange 2007 in an environment where ISA Server 2006 is being used to help secure your corporate network, the full set of features for Exchange Client Access is available. For more information, see Using ISA Server 2006 with Outlook Web Access.
ISA Server 2006 and Outlook Anywhere
In many organizations, users must have mailbox access when they are not in the office. Outlook Anywhere ensures that users can interact with their Microsoft Exchange information from any location. To support this client access method, specific paths must be published on the ISA Server computer. For more information, see Using ISA Server 2006 with Outlook Anywhere.
ISA Server 2006 and Exchange ActiveSync
We recommend that you use ISA Server 2006 to enhance the security of all available client access methods in your Exchange Server 2007 deployment. When you configure Exchange ActiveSync client access together with ISA Server 2006, communications between the Exchange ActiveSync clients and the Exchange server pass through an ISA Server computer to add an additional layer of Secure Sockets Layer (SSL) encryption. For more information, see Using ISA Server 2006 with Exchange ActiveSync.
ISA Server 2006 and POP3 and IMAP4
We recommend that you use ISA Server 2006 for all available client access methods in Exchange 2007. When you publish Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) client access together with ISA Server 2006, communications from the POP3 or IMAP4 clients that are located on the Internet to the ISA Server computer and from the ISA Server computer to the Client Access server are encrypted by using SSL. For more information, see Using ISA Server 2006 with POP3 and IMAP4.
Earlier Versions of ISA Server and Exchange 2007
When you deploy Exchange 2007, we recommend that you upgrade any earlier versions of ISA Server that you are using.
Deploying Exchange 2007 in an environment that has been configured to use an earlier version of ISA Server, such as ISA Server 2004, will require changes to the ISA Server rules that you might have configured for client access. If you decide to use ISA Server 2004 or ISA Server 2000 with Exchange 2007, you must create new server or Web publishing rules for the new Client Access servers that you want your users to access.
Table 25 describes the virtual directories to use as paths for the Web and server publishing rules that you must create for client access to Exchange when you use a version of ISA Server that is earlier than ISA Server 2006. Make sure that you use only the paths for the client applications that you plan to use. For example, if you do not plan to use Microsoft Exchange ActiveSync, you do not have to publish the Microsoft-Server-ActiveSync virtual directory.
Table 25 Exchange 2007 virtual directories that are used as paths in ISA Server publishing rules for earlier versions of ISA Server
Path name                     Description
/owa                          This virtual directory is used by Outlook Web Access to access mailboxes on Exchange 2007 computers that have the Mailbox server role installed.
/public                       This virtual directory enables users to access public folders for mailboxes that are located on computers that are running Exchange 2007, Microsoft Exchange Server 2003, or Microsoft Exchange 2000 Server.
/exchweb                      This virtual directory is used by Outlook Web Access to access mailboxes on computers that are running Exchange 2003 or Exchange 2000.
/exchange                     This virtual directory is used by Outlook Web Access to access mailboxes on computers that are running Exchange 2003 or Exchange 2000.
/UnifiedMessaging             This virtual directory is used for Unified Message access.
/Microsoft-Server-ActiveSync  This virtual directory is used by Exchange ActiveSync.
/EWS                          This virtual directory is used for Exchange Web Services.
/Autodiscover                 This virtual directory is used by the Autodiscover service for the Exchange ActiveSync and Outlook clients.
/rpc                          This virtual directory is used by Outlook Anywhere in Outlook 2007.
For More Information
For more information about how to configure client access to Microsoft Exchange together with ISA Server 2006, see the following:
- Managing Outlook Anywhere
- Managing Outlook Web Access
- Managing the Autodiscover Service
- Managing POP3 and IMAP4
- Managing Exchange ActiveSync
For more information about the new enhancements to ISA Server 2006 when it is used with Exchange 2007, see What's New and Improved in ISA Server 2006. For more information about ISA Server 2006, see the Microsoft Internet Security and Acceleration Server 2006 Web site. For more information about ISA Server 2006 features, see ISA Server 2006 Features at a Glance.
Understanding Security for Exchange ActiveSync
Microsoft Exchange ActiveSync enables users to synchronize mobile devices with Microsoft Exchange Server 2007. This gives users access to a wide variety of Exchange data. This data includes e-mail messages, calendar and contact data, tasks, and Unified Messaging data such as fax messages and voice mail messages.
Note:
To view fax messages on a mobile device, users may have to install additional third-party software.
There are several security concerns that you must consider when you deploy Exchange ActiveSync. This section provides an overview of security options for the deployment of Exchange ActiveSync.
Exchange ActiveSync Server Security
There are several security-related tasks that you can perform on a server that is running Exchange ActiveSync. One of the most important tasks is to configure an authentication method. Exchange ActiveSync runs on an Exchange 2007 computer that has the Client Access server role installed. This server role is installed with a default self-signed digital certificate. Although the self-signed certificate is supported for Exchange ActiveSync, it is not the most secure method of authentication. For additional security, consider deploying a trusted certificate from a third-party commercial certification authority (CA) or a trusted Windows public key infrastructure (PKI) certification authority. For more information about how to configure a trusted digital certificate, see How to Configure SSL for Exchange ActiveSync.
Selecting an Authentication Method for Exchange ActiveSync
In addition to deploying a trusted digital certificate, you should consider the various authentication methods that are available for Exchange ActiveSync. By default, when the Client Access server role is installed, Exchange ActiveSync is configured to use Basic authentication with Secure Sockets Layer (SSL). To provide increased security, consider changing your authentication method to Digest authentication or Integrated Windows authentication.
Using ISA Server with Exchange ActiveSync
Microsoft Internet Security and Acceleration (ISA) Server 2006 and Exchange 2007 have been designed to provide increased security for client access to Microsoft Exchange when you use Exchange ActiveSync.
ISA Server 2006 enables you to configure authentication methods for Exchange ActiveSync when you run the New Exchange Publishing Rule Wizard. For more information about how to use ISA Server 2006 with Exchange ActiveSync, see Using ISA Server 2006 with Exchange 2007.
Device Security
In addition to enhancing the security of the Exchange ActiveSync server, you should also consider enhancing the security of your users' mobile devices. There are several methods that you can use to enhance the security of mobile devices.
Exchange ActiveSync Mailbox Policies
Exchange ActiveSync for Exchange 2007 enables you to create Exchange ActiveSync mailbox policies to apply a common set of security settings to a collection of users. Some of these settings include the following:
- Requiring a password
- Specifying the minimum password length
- Requiring numbers or special characters in the password
- Designating how long a device can be inactive before the user is required to reenter their password
- Specifying that the device be wiped if an incorrect password is entered more than a specific number of times
For more information about Exchange ActiveSync mailbox policies, see Managing Exchange ActiveSync with Policies.
Remote Device Wipe
Mobile devices can store sensitive data that belongs to your organization and provide access to many of your organization's resources. If a device is lost or stolen, that data can be compromised. Remote device wipe is a feature that enables the Exchange server to set a mobile device to delete all data the next time that the device connects to the Exchange server. A remote device wipe effectively removes all synchronized information and personal settings from a mobile device. This can be useful when a device is lost, stolen, or otherwise compromised.
Caution:
After a remote device wipe has occurred, data recovery will be very difficult. However, no data removal process leaves a device as free from residual data as it is when it is new. Recovery of data from a device may still be possible by using sophisticated tools.
For more information about remote device wipe, see Understanding Remote Device Wipe.
For More Information
For more information about security for Exchange ActiveSync, see Overview of Exchange ActiveSync.
Configuring Authentication For Exchange ActiveSync
Authentication is the process by which a client and a server verify their identities for transmitting data. In Microsoft Exchange Server 2007, authentication is used to determine whether a user or client that wants to communicate with the Exchange server is who or what it says it is. You can use authentication to verify that a device belongs to a particular individual or that a particular individual is trying to log on to Microsoft Office Outlook Web Access.
When you install Exchange 2007 and the Client Access server role, virtual directories are configured for several services. These include Outlook Web Access, the Availability service, Unified Messaging, and Microsoft Exchange ActiveSync. By default, each virtual directory is configured to use an authentication method. For Exchange ActiveSync, the virtual directory is configured to use Basic authentication and Secure Sockets Layer (SSL). You can change the authentication method for your Exchange ActiveSync server by changing the authentication method on the Exchange ActiveSync virtual directory.
This section provides an overview of the authentication methods that are available for your Exchange ActiveSync server. For Exchange ActiveSync, the client is the physical device that is used to synchronize with the Exchange 2007 server.
Choosing an Authentication Method
There are three primary types of authentication you can choose for Exchange ActiveSync: Basic authentication, certificate-based authentication, and token-based authentication. When you install the Client Access server role on a computer that is running Exchange 2007, Exchange ActiveSync is configured to use Basic authentication with Secure Sockets Layer (SSL). To establish the SSL connection, certificate-based authentication requires the mobile device to have a valid client certificate that was created for user authentication installed. In addition, the mobile device must have a copy of the trusted root certificate from the server. If you choose token-based authentication, you will have to work with the token vendor for configuration.
Basic Authentication
Basic authentication is the simplest method of authentication. With Basic authentication, the server requests that the client submit a user name and a password. That user name and password are sent in clear text over the Internet to the server. The server verifies that the supplied user name and password are valid and grants access to the client. By default, this kind of authentication is enabled for Exchange ActiveSync. However, we recommend that you disable Basic authentication unless you are also deploying Secure Sockets Layer (SSL). When you are using Basic authentication over SSL, the user name and password are still sent in plain text, but the communication channel is encrypted.
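The following added example (not part of the original Microsoft document) shows why Basic authentication depends on SSL: the Authorization header is only base64-encoded, and a review of IIS W3C logs can flag authenticated Exchange ActiveSync requests that did not arrive on an SSL port. The log lines, account names, password and the port-443 assumption are constructed for illustration; IIS logs do not record the authentication scheme, so the check assumes the virtual directory uses Basic authentication, the default described above.

```python
import base64

ACTIVESYNC_PATH = "/microsoft-server-activesync"

# Constructed IIS W3C extended log excerpt (documentation-range addresses).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status",
    r"2007-06-01 08:00:01 POST /Microsoft-Server-ActiveSync 443 CONTOSO\kwekua 198.51.100.7 200",
    r"2007-06-01 08:00:05 POST /Microsoft-Server-ActiveSync 80 CONTOSO\chris 198.51.100.9 200",
    "2007-06-01 08:00:09 OPTIONS /Microsoft-Server-ActiveSync 80 - 198.51.100.9 401",
    r"2007-06-01 08:00:12 GET /owa/ 443 CONTOSO\kwekua 198.51.100.7 200",
])

# Constructed header value, built here so the sample is self-contained.
SAMPLE_HEADER = "Basic " + base64.b64encode(
    b"CONTOSO\\chris:Example-Pass1").decode("ascii")


def decode_basic(header_value):
    """Recover (user, password) from a Basic Authorization header value.

    No key is involved: anyone who can read the header can do this, which is
    why the credentials are only as protected as the channel carrying them.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, sep, password = base64.b64decode(blob).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def cleartext_basic_requests(log_text, ssl_ports=("443",)):
    """Authenticated ActiveSync requests that did not arrive on an SSL port.

    Each hit means a user name and password crossed the network readable;
    those accounts are candidates for a password reset.
    """
    hits = []
    for row in parse_w3c(log_text):
        to_activesync = row["cs-uri-stem"].lower().startswith(ACTIVESYNC_PATH)
        authenticated = row["cs-username"] != "-"
        if to_activesync and authenticated and row["s-port"] not in ssl_ports:
            hits.append((row["date"], row["time"],
                         row["cs-username"], row["c-ip"]))
    return hits


if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    for hit in cleartext_basic_requests(SAMPLE_LOG):
        print("credentials exposed:", hit)
```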
Certificate-Based Authentication
Certificate-based authentication uses a digital certificate to verify an identity. Certificate-based authentication provides other credentials, in addition to the user name and password, which prove the identity of the user who is trying to access the mailbox resources that are stored on the Exchange 2007 server. A digital certificate consists of two components: the private key that is stored on the device and the public key that is installed on the server. If you configure Exchange 2007 to require certificate-based authentication for Exchange ActiveSync, only devices that meet the following criteria can synchronize with Exchange 2007:
- The device has a valid client certificate installed that was created for user authentication.
- The device has a trusted root certificate for the server to which it is connecting to establish the SSL connection.
Deploying certificate-based authentication prevents users who have only a user name and password from synchronizing with Exchange 2007. As an additional level of security, the client certificate for authentication can be installed only when the device is connected to a domain-joined computer through either Desktop ActiveSync 4.5 or a later version in Microsoft Windows XP or the Windows Mobile Device Center in Microsoft Windows Vista.
Token-Based Authentication Systems
A token-based authentication system is a two-factor authentication system. Two-factor authentication is based on a piece of information the user knows, such as their password, and an external device that is usually in the form of a credit card or a key fob that a user can carry with them. Each device has a unique serial number. In addition to hardware tokens, some vendors offer software-based tokens that can run on mobile devices.
Tokens work by displaying a unique number, typically six digits long, that changes every 60 seconds. When a token is issued to a user, it is synchronized with the server software. To authenticate, the user enters their user name, password, and the number that is currently displayed on the token. Some token-based authentication systems also require the user to enter a PIN.
Token-based authentication is a strong form of authentication. The disadvantage to token-based authentication is that you must install authentication server software and deploy the authentication software on every user's computer or mobile device. There is also the risk that the user can lose the external device. This can be financially costly because of the need to replace lost external devices. However, the device is useless to a third party without the original user's authentication information.
There are several companies that issue token-based authentication systems. One company is RSA. Their product, SecurID, comes in a variety of forms, including a key fob and a credit card. A one-time authentication code is issued through the token. Each authentication code is valid for 60 seconds. Most tokens also have an expiration indicator on the device, for example, a series of dots that disappear as the length of time that the code has left decreases. This helps prevent a user from entering the correct code, only to have it expire before the authentication process is complete. After authentication has finished, the user does not have to authenticate with a new code unless they are logged off, either by choice or because the device times out because of inactivity. For more information about how to configure a token-based authentication system, see the documentation for the particular system.
For More Information
For more information about how to configure authentication for Exchange ActiveSync, see the following:
- How to Configure Basic Authentication for Exchange ActiveSync
- How to Configure Certificate-Based Authentication for Exchange ActiveSync
- How to Install Certificates on a Windows Mobile Powered Device
- Managing Exchange ActiveSync Security
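To make the token-based authentication description above concrete, here is an added example (not from the original document, and not RSA's algorithm, which this page does not describe) of a six-digit code that changes every 60 seconds. It uses the open HOTP/TOTP construction from RFC 4226 and RFC 6238 as a stand-in; the shared secret is the RFC 4226 test key, and the drift window and replay counter are assumptions about how a verifying server would be configured.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the code changes every 60 seconds, as described above
DIGITS = 6          # "typically six digits long"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 one-time code for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(secret, unix_time, step=STEP_SECONDS):
    """Code the token displays at unix_time (token and server share secret)."""
    return hotp(secret, int(unix_time) // step)


def seconds_remaining(unix_time, step=STEP_SECONDS):
    """What the token's expiration indicator counts down."""
    return step - (int(unix_time) % step)


def verify(secret, submitted, unix_time, last_counter=-1,
           drift_steps=1, step=STEP_SECONDS):
    """Return the matching time-step counter, or None if the code is rejected.

    drift_steps tolerates a token clock that is one step fast or slow.
    last_counter is the counter of the last accepted code for this token;
    anything at or before it is refused so a captured code cannot be replayed.
    Compare the result with "is not None": counter 0 is a valid match.
    """
    current = int(unix_time) // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter < 0 or counter <= last_counter:
            continue
        expected = hotp(secret, counter).encode("ascii")
        if hmac.compare_digest(expected, submitted.encode("utf-8")):
            return counter
    return None


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 4226 test key, not a real seed
    now = 65
    code = token_code(demo_secret, now)
    print(code, "expires in", seconds_remaining(now), "s")
    accepted = verify(demo_secret, code, now)
    print("first use accepted at counter", accepted)
    print("replay:", verify(demo_secret, code, now, last_counter=accepted))
```

The server stores the returned counter per token and passes it back as last_counter on the next attempt.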
Configuring SSL and Exchange ActiveSync
By default, when you install the Client Access server role on a computer that is running Microsoft Exchange Server 2007, an Exchange ActiveSync virtual directory is created on the default Internet Information Services (IIS) Web site on the Exchange server.
After you obtain a Secure Sockets Layer (SSL) certificate to use together with the Client Access server on the default Web site or on the Web site where you host your Exchange ActiveSync virtual directory, you can configure the Web site to require SSL. You can enable SSL for all Web sites that are hosted by the Client Access server or enable SSL only for Exchange ActiveSync.
Configuring an Exchange ActiveSync virtual directory to use SSL is just one step in managing security for Exchange ActiveSync. For more information about how to manage security for Exchange ActiveSync, see Managing Exchange ActiveSync Security.
For More Information
For more information about how to use SSL with Exchange ActiveSync, see How to Configure SSL for Exchange ActiveSync.
Configuring Exchange ActiveSync Policies
In Microsoft Exchange Server 2007 you can create Exchange ActiveSync mailbox policies to apply a common set of policies or security settings to a collection of users. After you deploy Exchange ActiveSync in your Exchange 2007 organization, you can create new Exchange ActiveSync mailbox policies or modify existing policies. This section discusses Exchange ActiveSync mailbox policies and how they can be managed in your Exchange 2007 organization.
Overview of Exchange ActiveSync Mailbox Policies
You can use Exchange ActiveSync mailbox policies to manage a variety of settings. These include the following settings:
- Require a password
- Specify the minimum password length
- Require a number or special character in the password
- Designate how long a device can be inactive before requiring the user to reenter a password
- Wipe a device after a specific number of failed password attempts
For more information about all the settings that you can configure, see Set-ActiveSyncMailboxPolicy.
Managing Exchange ActiveSync Mailbox Policies
After you install the Client Access server role on a computer that is running Exchange Server 2007, you can create, configure, and manage Exchange ActiveSync mailbox policies. After you create an Exchange ActiveSync mailbox policy, you can add users individually or add a filtered list of users to the policy by using the Exchange Management Shell.
You can use the Exchange Management Console to manage some Exchange ActiveSync mailbox policy settings and the Exchange Management Shell to manage all the Exchange ActiveSync mailbox policy settings.
For More Information
- For more information about Exchange ActiveSync mailbox policies, see Understanding Exchange ActiveSync Mailbox Policies.
- For more information about how to deploy Exchange ActiveSync, see Deploying Exchange ActiveSync.
- For more information about how to manage an Exchange ActiveSync server, see Managing an Exchange ActiveSync Server.
Understanding Security for Outlook Anywhere
This section describes the Outlook Anywhere security options for your Microsoft Exchange Server 2007 deployment. Outlook Anywhere lets users access Microsoft Exchange from the Internet. Because traffic on the Internet is vulnerable to interception and attack, we recommend that you consider a security strategy that involves as many security options as possible.
Using an Advanced Firewall Server for Outlook Anywhere
Using an advanced firewall server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 improves security for your Outlook Anywhere deployment. ISA Server 2006 provides a setup wizard that lets you configure ISA Server 2006 for Exchange 2007 by using Outlook Anywhere. For more information, see Understanding ISA Server 2006 with Exchange Server 2007.
Using SSL with Outlook Anywhere
When you use Outlook Anywhere to access Microsoft Exchange information from the Internet, you must install a valid Secure Sockets Layer (SSL) certificate issued by a certification authority (CA) that is trusted by the client computer's operating system. For more information about how to use SSL certificates for client access, see Understanding SSL for Client Access. For more information about how to use SSL with Outlook Anywhere, see Configuring SSL for Outlook Anywhere.
Configuring Authentication for Outlook Anywhere
When you use the Enable Outlook Anywhere Wizard to configure your Client Access server to provide Outlook Anywhere access, you must select an authentication method to use. We recommend that you use NTLM authentication for your Outlook Anywhere deployment. NTLM authentication for Outlook Anywhere is supported by ISA Server 2006. For more information, see Configuring Authentication for Outlook Anywhere.
For More Information
- For more information about how to manage Outlook Anywhere, see Managing Outlook Anywhere.
- For more information about Outlook Anywhere deployment options, see Overview of Outlook Anywhere.
Configuring SSL for Outlook Anywhere
Microsoft Office Outlook 2007 uses the Autodiscover service to provide and manage profile information for your users. The Autodiscover service keeps a user's profile information up-to-date even if their mailbox information changes. For Outlook 2007 clients that are located outside the organization, Outlook Anywhere (formerly known as RPC over HTTP) provides connectivity to the Exchange organization. In this situation, Outlook 2007 uses Domain Name System (DNS) to locate information about how to connect to the Autodiscover service. Because DNS is open to several kinds of malicious attacks, Outlook 2007 is designed to request Autodiscover service information from only two URL combinations.
For an organization that is named www.contoso.com that has e-mail addresses that are derived from the main site name, for example, kwekua@contoso.com, the two URL combinations would be formed as follows:
1. Outlook will first try the URL https://contoso.com/autodiscover/autodiscover.xml.
2. If the previous URL cannot locate the Autodiscover service, Outlook will then try https://autodiscover.contoso.com/autodiscover/autodiscover.xml.
::7
SSL Deployment Options for Outlook Anywhere
There are several ways to use Secure Sockets Layer (SSL) to help secure communication
between Outlook 2007 clients and the Autodiscover service. The first thing that we
recommend is to use the Subject Alternative Name field on your SSL certificate. For more
information about how to configure the Subject Alternative Name for an SSL certificate, see
How to Configure SSL Certificates to Use Multiple Client Access Server Host Names.
Alternatively, you can use multiple SSL certificates. For more information, see Configuring
Outlook Anywhere to Use Multiple SSL Certificates.
Another option is to use an SSL certificate together with redirection. For more information,
see Configuring Outlook Anywhere to Use an SSL Certificate with Redirection.
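The two Autodiscover URLs listed earlier and the Subject Alternative Name recommendation above can be checked together before a certificate is ordered. The following Python sketch is an added example, not part of the Microsoft documentation; the function names and the sample certificate name lists are constructed for illustration, and mail.contoso.com is an assumed host name.

```python
"""Check which Autodiscover host names a certificate's SAN list covers."""
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_urls(email_address):
    """Return, in order, the two HTTPS URLs Outlook 2007 tries for an address."""
    local, sep, domain = email_address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an SMTP address: %r" % email_address)
    domain = domain.lower().rstrip(".")
    return ["https://%s%s" % (domain, AUTODISCOVER_PATH),
            "https://autodiscover.%s%s" % (domain, AUTODISCOVER_PATH)]


def name_matches(san_entry, host):
    """Compare one DNS name from the certificate with a host name.

    A leading "*." stands for exactly one label, so "*.contoso.com"
    matches "autodiscover.contoso.com" but not the bare "contoso.com".
    """
    san_entry = san_entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san_entry.startswith("*."):
        first_label, _, remainder = host.partition(".")
        return bool(first_label) and remainder == san_entry[2:]
    return san_entry == host


def uncovered_hosts(email_address, san_dns_names):
    """List the Autodiscover hosts that the certificate does not name."""
    missing = []
    for url in autodiscover_urls(email_address):
        host = urlsplit(url).hostname
        if not any(name_matches(entry, host) for entry in san_dns_names):
            missing.append(host)
    return missing


# Constructed SAN lists for three hypothetical certificates.
SAMPLE_CERTIFICATES = {
    "single name": ["mail.contoso.com"],
    "wildcard": ["*.contoso.com"],
    "SAN with all names": ["mail.contoso.com", "contoso.com",
                           "autodiscover.contoso.com"],
}

if __name__ == "__main__":
    for url in autodiscover_urls("kwekua@contoso.com"):
        print("Outlook tries:", url)
    for label, names in SAMPLE_CERTIFICATES.items():
        missing = uncovered_hosts("kwekua@contoso.com", names)
        print("%-20s uncovered: %s" % (label, ", ".join(missing) or "none"))
```

A host reported as uncovered is one where the client would see a certificate name mismatch, which is the situation the multiple-certificate and redirection options are meant to handle.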
Using SSL Offloading for Outlook Anywhere
If you have a hardware solution that is offloading the SSL encryption for traffic that is destined
for your Client Access server, you must configure SSL offloading for Outlook Anywhere. For
more information, see How to Configure SSL Offloading for Outlook Anywhere.
For More Information
For more information about Outlook Anywhere, see the following:
Overview of Outlook Anywhere
Managing Outlook Anywhere
Managing Outlook Anywhere Security
Configuring Authentication for Outlook Anywhere
When you use the Enable Outlook Anywhere Wizard to configure your Client Access server to
provide Outlook Anywhere access, you must select an authentication method to use. After
you select an authentication method, you can change this method by using the
Set-OutlookAnywhere cmdlet in the Exchange Management Shell.
Basic Authentication and Outlook Anywhere
You can use Basic authentication with Outlook Anywhere. Basic authentication requires a
user name and password, and then sends the user name and password over the Internet in
plain text. As long as you use Secure Sockets Layer (SSL) to help secure the connection
between the Microsoft Office Outlook Web Access client and the
Microsoft Exchange messaging infrastructure, using Basic authentication with Outlook
Anywhere is supported. For more information, see How to Configure Authentication for
Outlook Anywhere.
NTLM Authentication and Outlook Anywhere
NTLM is a method of authentication based on Integrated Windows Authentication. We
recommend the use of NTLM Authentication. However, if you are using a firewall that does
not handle NTLM, you will have to use Basic authentication over SSL. For more information,
see How to Configure Authentication for Outlook Anywhere.
For More Information
For more information about Outlook Anywhere, see the following:
Overview of Outlook Anywhere
Recommendations for Outlook Anywhere
Managing Outlook Anywhere
Understanding Security for POP3 and IMAP4
This section explains security settings that you can use on the
Microsoft Exchange Server 2007 computer that has the Post Office Protocol version 3
(POP3) and Internet Message Access Protocol version 4rev1 (IMAP4) services installed.
Configuring SSL for POP3 and IMAP4 Clients
To help secure communications between your POP3 and IMAP4 clients and the
Exchange 2007 server that has the Client Access server role installed, we strongly
recommend that you use Secure Sockets Layer (SSL). By default Exchange Setup provides a
self-signed SSL certificate for test environments. However, we recommend that you install a
trusted SSL certificate from a certification authority (CA) that is trusted by the client's
operating system. For more information, see Understanding SSL for Client Access.
You can use the Exchange Management Shell to configure SSL for POP3 and IMAP4 on an
Exchange 2007 server.
For more information about how to use the Exchange Management Console to configure SSL
for POP3 and IMAP4, see the following:
How to Configure POP3 to Use TLS or SSL
How to Configure IMAP4 to Use TLS or SSL
Configuring Authentication for POP3 and IMAP4
When you use POP3 and IMAP4 clients, you can set authentication options such as the
ability to use Transport Layer Security (TLS) encryption and the ability to configure ports to
communicate with clients. When you use TLS and SSL for POP3 and IMAP4 access, the
Exchange server uses the ports listed in Table 26 to communicate with clients.
Table 26 Ports for POP3 and IMAP4 access when using SSL
Protocol | Default port
IMAP4 with SSL | 993 (TCP)
IMAP4 with or without TLS | 143 (TCP)
POP3 with SSL | 995 (TCP)
POP3 with or without TLS | 110 (TCP)
By default, the values in Table 26 are used for communicating with clients. You can specify
other ports to use with POP3 and IMAP4 clients if you want to disable communication through
the default ports.
For more information about how to configure authentication for POP3, see the following:
How to Configure Authentication for POP3
How to Configure Ports for POP3 Authentication
For more information about how to configure authentication for IMAP4, see the following:
How to Configure Authentication for IMAP4
How to Configure Ports for IMAP4 Authentication
For More Information
For more information about how to manage POP3 and IMAP4, see Managing POP3 and
IMAP4.
Understanding Security for Outlook Web Access
Microsoft Outlook Web Access for Microsoft Exchange Server 2007 offers a variety of
security features that you can configure to suit your organization's security requirements.
Because Outlook Web Access may be used to provide users access to their mailboxes from
workstations that are not secure, security is a priority. By default, when you install the Client
Access server role on an Exchange 2007 server, Outlook Web Access is configured to
use Secure Sockets Layer (SSL) and forms-based authentication.
Authentication
Client Access servers in Exchange 2007 support more authentication methods than front-end
servers in Microsoft Exchange Server 2003. You can configure the following types of
authentication methods on the Exchange 2007 Client Access server:
Standard authentication methods such as the following:
Basic authentication
Integrated Windows authentication
Digest authentication
Forms-based authentication
For more information about authentication methods for Outlook Web Access, see Configuring
Authentication for Outlook Web Access.
Segmentation
Segmentation lets you enable and disable features that are available to users in
Exchange 2007 Outlook Web Access. By default, any mail-enabled user in your
Exchange 2007 organization can access their mailbox by using Outlook Web Access.
Depending on the needs of your organization, you can use segmentation to configure the
following for user access:
Restrict access to Outlook Web Access for specific users.
Control access to certain Outlook Web Access features for specific users.
Disable an Outlook Web Access feature completely.
For more information about segmentation in Outlook Web Access, see Configuring
Segmentation for Outlook Web Access.
Web Beacons
A Web beacon is a file object, such as a transparent graphic or an image, which is put on a
Web site or in an e-mail message. Web beacons are typically used together with HTML
cookies to monitor user behavior on a Web site or to validate a recipient's e-mail address
when an e-mail that contains a Web beacon is opened.
Note:
By default, Outlook Web Access disables all potential Web beacon content in e-mail
messages.
For more information about how to deal with Web beacons in Outlook Web Access, see
Configuring Web Beacon and HTML Form Filtering in Outlook Web Access.
File and Data Access
There are a variety of features that enable users to access files and data in
Outlook Web Access. Each of these features includes options for controlling access to files
and data from Outlook Web Access.
WebReady Document Viewing
Microsoft Exchange Server 2007 includes a new feature named WebReady Document
Viewing. WebReady Document Viewing lets users view common file types in the
Outlook Web Access Web browser without having the applications that are associated with
those file types installed on the computer they are using. Allowing files that are accessed
through Outlook Web Access to be viewed only by using WebReady Document Viewing
protects against the potential security risk that is caused when files that are opened from
within Outlook Web Access are cached on the client computer. For more information about
how to configure file and data access for Outlook Web Access, see Configuring File and Data
Access for Outlook Web Access.
Direct File Access
Direct file access enables users to open attached files directly from inside
Outlook Web Access. You can also configure how users interact with files by using the Allow,
Block, or Force Save options for direct file access in the Exchange Management Console.
This means that you can specify the types of files that users can access. More important, you
can specify which types of files are prohibited.
For more information about how to configure file and data access for Outlook Web Access,
see Configuring File and Data Access for Outlook Web Access.
Windows SharePoint Services and Windows File Share Integration
By using Outlook Web Access, users can access remote files that are stored on
Windows SharePoint Services and Windows file share (also known as UNC) servers. You can
configure how users interact with files on these servers by using the Allow and Block options
in the Exchange Management Console. This means that you can specify which servers your
users can access. You can also specify the behavior for Windows SharePoint Services and
Windows file share servers that have not been specifically allowed or blocked when users try
to access them by using Outlook Web Access.
For more information about how to configure file and data access for Outlook Web Access,
see Configuring File and Data Access for Outlook Web Access.
Secure Sockets Layer
SSL is a method for securing communications between a client and a server. For a computer
that is running Exchange 2007 that has the Client Access server role installed, SSL is used to
help secure communications between the server and the clients. Clients include mobile
devices, computers inside an organization's network, and computers outside an
organization's network. These include clients that have and do not have virtual private
network (VPN) connections.
For more information about SSL, see the following:
Understanding SSL for Client Access
Configuring SSL for Outlook Web Access
Configuring Segmentation for Outlook Web Access
Segmentation lets you enable and disable features that are available to users in the version
of Office Outlook Web Access that was released to market with
Microsoft Exchange Server 2007. By default, any mail-enabled user in your Exchange 2007
organization can access their mailbox by using Outlook Web Access. Depending on the
needs of your organization, you can use segmentation to configure the following for user
access:
Restrict access to Outlook Web Access for specific users.
Control access to certain Outlook Web Access features for specific users.
Disable an Outlook Web Access feature completely.
Configuring Segmentation
Many features can be set for an Outlook Web Access virtual directory by using the Exchange
Management Console. You can also use the Set-OwaVirtualDirectory cmdlet in the
Exchange Management Shell to enable or disable the same features that you can enable and
disable by using the Exchange Management Console.
The Set-OwaVirtualDirectory cmdlet can also be used to configure many other
Outlook Web Access features for an Outlook Web Access virtual directory. For example, to
disable the Reminders feature in Outlook Web Access, you can use the
RemindersandNotificationsEnabled parameter. The Reminders feature enables users to
receive new mail notifications. You can also modify other Outlook Web Access features, such
as Tasks, Contacts, and Themes.
For more information about the parameters that you can use to configure segmentation for all
users, see Set-OwaVirtualDirectory.
For more information about the features that you can configure by using the Exchange
Management Console and how to configure them, see How to Manage Segmentation in
Outlook Web Access.
For more information about how to enable and disable features for specific users, see
Set-CASMailbox.
For More Information
For more information about how to use segmentation to control Outlook Web Access
features, see Managing Outlook Web Access Advanced Features.
Configuring File and Data Access for Outlook Web Access
There are three methods for accessing files and data from inside Outlook Web Access.
These data access methods include WebReady Document Viewing, direct file access, and
access to Windows SharePoint Services document libraries and Windows file shares. You
can allow or block these features as needed to meet the requirements of your organization.
WebReady Document Viewing
Microsoft Exchange Server 2007 includes a new feature named WebReady Document
Viewing. WebReady Document Viewing lets users view common file types in the
Outlook Web Access Web browser without having the applications associated with those file
types installed on the computer they are using. Users can view the following kinds of files by
using WebReady Document Viewing:
.doc
.pdf
.ppt
.xls
Additionally, the supported MIME types are as follows:
application/pdf
application/vnd.ms-excel
application/vnd.ms-powerpoint
application/word
application/x-mspowerpoint
application/x-msexcel
For more information about how to manage WebReady Document Viewing for users, see
How to Manage WebReady Document Viewing.
Direct File Access
You can control direct file access through Outlook Web Access by specifying the types of files
that users can access and how the files can be accessed. You do this by using the Allow,
Block, and Force Save options for direct file access in the Exchange Management Console,
or by using the file access parameters available in the Set-OWAVirtualDirectory cmdlet. In
addition to being able to specify Allow, Block, or Force Save for different file types, you can
configure the file access options depending on whether the user clicks This is a public
computer or This is a private computer when they log on to Outlook Web Access. For
more information about how to manage file access, see How to Manage Public and Private
Computer File Access and Set-OwaVirtualDirectory.
Data Access Using Outlook Web Access
Access to data that is stored in Microsoft Windows SharePoint Services and Windows file
shares is a new feature in Outlook Web Access for Exchange 2007. Windows file shares are
also known as Universal Naming Convention (UNC) file shares. The integration of
Windows SharePoint Services and Windows file shares in Outlook Web Access gives users
read-only access to documents on centralized or personal Windows SharePoint Services
document libraries or Windows file shares. Users cannot change files that are stored on
Windows SharePoint Services document libraries or Windows file shares when they retrieve
them by using Outlook Web Access.
Windows SharePoint Services is the engine that lets an administrator create Web sites for
information-sharing and document collaboration. Windows SharePoint Services document
libraries offer file storage capabilities for saving files and sharing information. This
functionality helps users collaborate on documents.
Important:
The Windows SharePoint Services and Windows file share integration feature is
available only in Exchange 2007 Outlook Web Access Premium and when either
Basic or forms-based authentication is used.
You can use the Exchange Management Console and the Exchange Management Shell to
perform the following administrative tasks related to Windows SharePoint Services and
Windows file share integration:
Allow or block access to Windows SharePoint Services and Windows file share documents on specific servers.
Allow or block access to Windows SharePoint Services and Windows file share documents from public and private computers.
Create a list of host names to be treated as internal. Only documents on internal hosts can be accessed from Outlook Web Access.
Enable or disable document access to Windows SharePoint Services and Windows file shares by using segmentation. You can do this on individual Outlook Web Access virtual directories by using the Set-OwaVirtualDirectory cmdlet or on a per-user basis by using the Set-CASMailbox cmdlet. For more information, see Set-OwaVirtualDirectory or Set-CASMailbox.
Note:
By default, segmentation changes take effect after 60 minutes of inactivity for
users who are logged on to Outlook Web Access or when a user logs on to
Outlook Web Access. To force the changes to take effect immediately, restart
Internet Information Services (IIS) by running the command
iisreset /noforce on the Client Access server.
Windows SharePoint Services and Windows file share integration is configured separately for
public and private computer logons.
Default Settings
Table 27 describes the default settings for the Windows SharePoint Services and
Windows file share integration feature in Outlook Web Access.
Table 27 Default settings for the Windows SharePoint Services and Windows file share integration feature in Outlook Web Access
Feature | Default setting
Windows SharePoint Services and Windows file share integration features | Enabled
Block lists | None
Allow lists | None
Document access to Windows SharePoint Services and Windows file shares on unknown servers | Enabled
Windows SharePoint Services and Windows file share document access from public computers | Enabled
For more information about how to configure access to Windows SharePoint Services
document libraries and Windows files shares, see the following:
How to Configure Windows SharePoint Services and Windows File Share Integration for Outlook Web Access
How to Allow or Block Access to Documents in Windows SharePoint Services and Windows File Shares from Specific Servers
How to Enable or Block Access from Public and Private Computers
How to Configure Internal Host Names
Configuring Web Beacon and HTML Form Filtering in Outlook Web Access
Web beacons frequently come in the form of images that are downloaded onto a user's
computer when the user opens a junk e-mail message. After the images are downloaded, a
Web beacon notification is sent to the sender of the junk e-mail message that informs the
sender that the recipient e-mail address is valid. After a user opens a message that sends a
Web beacon notification back to the junk e-mail sender, the user may receive junk e-mail
more frequently because the junk e-mail sender has verified that the user's e-mail address is
valid. Web beacons can also contain harmful code and can be used to circumvent e-mail
filters to deliver an e-mail message from someone who is sending unsolicited commercial
e-mail.
Note:
By default, Microsoft Office Outlook Web Access enables users to choose to allow or
disable potential Web beacon content in individual e-mail messages.
Controlling Web Beacon and HTML Form Filtering
In Outlook Web Access, an incoming e-mail message that contains content that can be used
as a Web beacon prompts Outlook Web Access to display a warning message to the user to
inform the user that the content has been blocked. This occurs regardless of whether the
message actually contains a Web beacon. If a user knows that a message is legitimate, they
can enable the blocked content. If a user does not recognize the sender of the message, they
can open the message without unblocking the content, and then delete the message without
triggering beacons. If your organization does not want to use this feature, you can disable the
blocking option for Outlook Web Access.
The settings for filtering Web beacons are stored in the Active Directory directory service. You
can configure how potential Web beacon content is filtered by using the
Set-OwaVirtualDirectory cmdlet in the Exchange Management Shell. For more information
about syntax and parameters, see Set-OwaVirtualDirectory.
The following list describes the parameters in the FilterWebBeacons property for Web beacon
filtering in Outlook Web Access:
UserFilterChoice: By using the UserFilterChoice parameter, you can let users
decide whether they want to enable or continue to disable the blocked Web beacon
content. Outlook Web Access blocks all potential Web beacon content in an e-mail
message and displays the following message in the information bar when a user receives
an e-mail message that contains potential Web beacon content: "To protect your privacy,
Outlook Web Access has blocked some images, sounds, or other external content. To
restore, Click Here." To view the blocked content, the user can click the Click Here
option.
Note:
By default, the UserFilterChoice parameter is enabled in Outlook Web Access.
ForceFilter: By using the ForceFilter parameter, you can block all potential Web
beacon content. Users cannot override the ForceFilter parameter to view the blocked
Web beacon content.
DisableFilter: By using the DisableFilter parameter setting, you can enable all
potential Web beacon content in Outlook Web Access.
For More Information
For more information about how to control Web beacons, see How to Control Web Beacon
and HTML Form Filtering for Outlook Web Access.
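The three filter settings described above can be modeled on a single message to show what each one lets the browser fetch. This Python sketch is an added example, not Outlook Web Access code; the list of tag attributes treated as potential Web beacon content, the function names, and the sample message are assumptions made for illustration.

```python
"""Model of the three Web beacon filter settings applied to one HTML message."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

MODES = ("UserFilterChoice", "ForceFilter", "DisableFilter")

# Assumption: tag/attribute pairs treated as "potential Web beacon content"
# because rendering them makes the browser fetch a remote resource.
# CSS url() references are not covered by this sketch.
FETCHING_ATTRS = {("img", "src"), ("bgsound", "src"), ("embed", "src"),
                  ("iframe", "src"), ("input", "src"),
                  ("body", "background"), ("table", "background"),
                  ("td", "background")}


def is_remote(url):
    """True for http(s) and protocol-relative URLs; cid: and data: stay local."""
    url = url.strip()
    if url.startswith("//"):
        return True
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:  # malformed URL: treat as remote so it is blocked
        return True
    return scheme in ("http", "https")


class _Rewriter(HTMLParser):
    """Re-emit the message, dropping remote fetch attributes when blocking."""

    def __init__(self, block):
        super().__init__(convert_charrefs=False)
        self.block = block
        self.out = []
        self.remote = []

    def _tag(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            if (value is not None and (tag, name) in FETCHING_ATTRS
                    and is_remote(value)):
                self.remote.append(value)
                if self.block:
                    continue  # attribute removed, so nothing is requested
            kept.append(name if value is None
                        else '%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (" ".join([tag] + kept),
                                    " /" if self_closing else ""))

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)


def render(message_html, mode, user_clicked_restore=False):
    """Return the HTML to display, the blocked URLs, and whether restore is offered."""
    if mode not in MODES:
        raise ValueError("unknown filter setting: %r" % mode)
    block = (mode == "ForceFilter"
             or (mode == "UserFilterChoice" and not user_clicked_restore))
    rewriter = _Rewriter(block)
    rewriter.feed(message_html)
    rewriter.close()
    blocked = rewriter.remote if block else []
    return {"html": "".join(rewriter.out),
            "blocked": blocked,
            "can_restore": bool(blocked) and mode == "UserFilterChoice"}


# Constructed message: one remote 1x1 image and one inline (cid:) attachment image.
SAMPLE_MESSAGE = (
    '<p>Spring sale &amp; more</p>'
    '<img src="http://tracker.example/p.gif?rcpt=kwekua%40contoso.com"'
    ' width="1" height="1">'
    '<img src="cid:logo@contoso.com" alt="logo">'
)

if __name__ == "__main__":
    for mode in MODES:
        result = render(SAMPLE_MESSAGE, mode)
        print(mode, "blocked:", result["blocked"], "restore:", result["can_restore"])
```

The inline cid: image survives every setting because it travels with the message, while the remote image is the only element whose retrieval would tell the sender that the message was opened.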
Configuring Authentication for Outlook Web Access
This section explains the types of authentication that are available for
Microsoft Office Outlook Web Access in Microsoft Exchange Server 2007. The authentication
method that is best for your organization depends on your organization's security needs. By
default, Outlook Web Access uses forms-based authentication and is configured to use
Secure Sockets Layer (SSL) encryption.
Note:
Microsoft Exchange Server 2003 back-end servers support forms-based, Basic,
Integrated Windows, and Digest authentication. Exchange Server 2003 front-end
servers do not support Integrated Windows or Digest authentication.
Forms-Based Authentication
Forms-based authentication enables a logon page for Outlook Web Access that uses a
cookie to store a user's encrypted logon credentials in the Internet browser. Tracking the use
of this cookie enables the Exchange server to monitor the activity of Outlook Web Access
sessions on public and private computers. If a session is inactive for too long, the server
blocks access until the user re-authenticates.
The first time that the user name and password are sent to the Client Access server to
authenticate an Outlook Web Access session, an encrypted cookie is created that is used to
track user activity. When the user closes the Internet browser or clicks Log Off to log off from
their Outlook Web Access session, the cookie is cleared. The user name and password are
sent to the Client Access server only for the initial user logon. After the initial logon is
complete, only the cookie is used for authentication between the client computer and the
Client Access server.
For more information about forms-based authentication and how to configure it, see:
Configuring Forms-Based Authentication for Outlook Web Access
How to Configure Forms-based Authentication for Outlook Web Access
Setting the Value for Cookie Time-Out
The cookie time-out is set based on the user's choice of either the This is a public or
shared computer option or the This is a private computer option on the
Outlook Web Access logon page. By default, the cookie on the computer expires
automatically and the user is logged off after they have not used Outlook Web Access for 15
minutes if they have selected the public computer option, and after they have not used
Outlook Web Access for eight hours if they have selected the private computer option.
Automatic time-out is valuable because it helps protect users' accounts from unauthorized
access. To match the security requirements of your organization, you can configure the
inactivity time-out values on the Exchange Client Access server.
Although automatic time-out greatly reduces the risk of unauthorized access, it does not
completely eliminate the possibility that an unauthorized user might access an
Outlook Web Access account if a session is left running on a public computer. Therefore,
make sure that you warn users to take precautions to avoid risks, such as by telling them to
log off from Outlook Web Access and close the Web browser after they have finished using
Outlook Web Access.
For more information about how to configure the cookie time-out values for public and private
computers, see:
How to Set the Forms-Based Authentication Public Computer Cookie Time-Out Value
How to Set the Forms-Based Authentication Trusted Computer Cookie Time-Out Value
Standard Authentication Methods
This section describes standard authentication methods that help secure your
Exchange 2007 Client Access servers for Outlook Web Access.
In Exchange 2007, Client Access servers support Integrated Windows authentication and
HTTP 1.1 Digest authentication for Exchange 2007 virtual directories. Exchange 2000 and
Exchange 2003 virtual directories on a server that is running only the Client Access server
role support only Basic and forms-based authentication.
For more information about standard authentication methods, see Configuring Standard
Authentication Methods for Outlook Web Access.
Basic Authentication
Basic authentication is a simple authentication mechanism that is defined by the HTTP
specification that encodes a user's logon name and password before the user's credentials
are sent to the server.
Basic authentication does not support single sign-on. Windows Server 2003 authentication
enables single sign-on to all network resources. With single sign-on, a user can log on to the
domain one time by using a single password or smart card and authenticate to any computer
in the domain.
Basic authentication is supported by all Web browsers, but is not secure unless you require
Secure Sockets Layer (SSL) encryption.
For more information about how to configure Basic authentication on an Outlook Web Access
virtual directory, see How to Configure Basic Authentication.
Digest Authentication
Digest authentication transmits passwords over the network as a hash value for additional
security. Digest authentication can be used only in Microsoft Windows Server 2003 and
Microsoft Windows 2000 Server domains for users who have an account that is stored in the
Active Directory directory service. For more information about Digest authentication, see the
Windows Server 2003 and Internet Information Services (IIS) Manager documentation.
Digest authentication is available only on Exchange 2007 virtual directories.
Important:
If you are using Digest or Basic authentication, when a user uses a kiosk, caching
credentials can pose a security risk if the user does not close the browser and end
the browser process between sessions. This risk occurs because a user's credentials
remain in the cache when the next user accesses the kiosk. To enable
Outlook Web Access on a kiosk, make sure that the user can close the browser
between sessions and end the browser processes. Otherwise, consider using a
third-party product that incorporates two-factor authentication, in which the user must
present a physical token together with a password to use Outlook Web Access on a
kiosk.
For more information about how to configure Digest authentication on an
Outlook Web Access virtual directory, see How to Configure Digest Authentication.
Integrated Windows Authentication
Integrated Windows authentication requires that users have a valid Windows 2000 Server or
Windows Server 2003 user account name and password to access information. Users logged
on to the local network are not prompted for their user names and passwords. Instead, the
server negotiates with the Windows security packages that are installed on the client
computer. This method enables the server to authenticate users without prompting them for
logon information. The authentication credentials are protected, but all other communication
will be sent in clear text unless SSL is used.
Microsoft Internet Explorer allows single sign-on for Web applications that include
Outlook Web Access Web Parts if the server that is being accessed has Integrated Windows
authentication enabled. Users must enter credentials only one time for each browser session.
However, their credentials are cached in the browser process.
On an Exchange 2007 server on which only the Client Access server role is installed,
Integrated Windows authentication can be used only with Exchange 2007 virtual directories.
On a server that has both the Client Access and Mailbox roles installed, Integrated Windows
authentication can be used with any virtual directory. For more information about Integrated
Windows authentication, see the Windows Server 2003 documentation.
Note:
Integrated Windows authentication is supported only on computers that are running a
Windows operating system and Internet Explorer. Integrated Windows authentication
may work with other Web browsers if they have been configured to pass the user's
logon credentials to the server that is requesting authentication.
For more information about how to configure Integrated Windows authentication on an
Outlook Web Access virtual directory, see How to Configure Integrated Windows
Authentication.
For More Information
For more information about how to help secure Outlook Web Access, see Managing
Outlook Web Access Security.
Configuring SSL for Outlook Web Access
Secure Sockets Layer (SSL) encryption is used in Microsoft Office Outlook Web Access to
help secure the connection between the computer that is running
Microsoft Exchange Server 2007 that has the Client Access server role installed and the
client. By default, Outlook Web Access uses forms-based authentication and requires SSL
encryption.
SSL Encryption and Outlook Web Access
When you install the Client Access server role, four Outlook Web Access virtual directories
are created in the default Internet Information Services (IIS) Web site on the Exchange
server. The four virtual directories are named /owa, /exchange, /public, and /exchweb. By
default, these virtual directories and the default Web site are configured to require SSL.
If you want to use SSL to help secure additional Outlook Web Access virtual directories or
Web sites that you have created, you must do so manually. To configure a site to use SSL,
you must obtain a certificate and configure the Web site or virtual directory to require SSL by
using that certificate.
For more information, see How to Configure Outlook Web Access Virtual Directories to Use
SSL.
Exchange 2007 Language Support
Microsoft Exchange Server 2007 has more language support for its components and features
than in any earlier versions of Microsoft Exchange. This section gives you information about
the specific languages that are supported for each feature and component in Exchange 2007.
Supported Languages for Components and Features of Exchange 2007
Table 28 includes information about the availability and language support for the client and
administrative features in Exchange 2007.
Table 28 Supported languages for Exchange Server 2007
Language | Country/Region | Exchange Management Console | Exchange Management Shell | Outlook Web Access - user interface | Outlook Web Access - spelling checker | Outlook client support | Unified Messaging (UM) - Text-to-Speech (TTS) | Unified Messaging - speech recognition
Arabic, Saudi Arabia: Available, Available, Available
Basque, Spain: Available, Available
Bulgarian, Bulgaria: Available, Available
Catalan, Spain: Available, Available
Chinese (Cantonese), China: UM language only
Chinese (Hong Kong), China: Available, Available
Chinese (Mandarin), China: UM language only, Available
Chinese (Simplified), China: Available, Available, Available, Available
Chinese (Traditional), Taiwan: Available, Available, Available, Available, Available
Croatian, Croatia: Available, Available
Czech, Czech Republic: Available, Available
Danish, Denmark: Available, Available, Available
Dutch, Netherlands: Available, Available, Available, Available
English, Australia: UM language only, Available, UM language only, Available, Available
English, United Kingdom: Available, UM language only, Available, Available
English, United States: Available, Available, Available, Available, Available, Available, Available
Estonian, Estonia: Available, Available
Filipino (Tagalog), Philippines: Available
Finnish, Finland: Available, Available, Available
French, Canada: UM language only, Available, UM language only, Available
French, France: Available, Available, Available, Available, Available, Available
Galician, Spain: Available
German, Germany: Available, Available, Available, Available, Available, Available
Greek, Greece: Available, Available
Hebrew, Israel: Available, Available, Available
Hindi, India: Available, Available
Hungarian, Hungary: Available, Available
Icelandic, Iceland: Available, Available
Indonesian (Bahasa), Indonesia: Available, Available
Italian, Italy: Available, Available, Available, Available, Available, Available
Japanese, Japan: Available, Available, Available, Available, Available
Kazakh, Kazakhstan: Available, Available
Korean, Korea: Available, Available, Available, Available, Available, Available
Latvian, Latvia: Available, Available
Lithuanian, Lithuania: Available, Available
Malay, Malaysia: Available, Available
Norwegian (Bokmal), Norway: Available, Available, Available
Persian (Farsi), Iran: Available, Available
Polish, Poland: Available, Available
Portuguese, Brazil: Available, Available, Available, Available, Available, Available
Portuguese, Portugal: Available, Available, Available
Romanian, Romania: Available, Available
Russian, Russia: Available, Available, Available, Available
Serbian (Cyrillic), Serbia: Available, Available
Slovak, Slovakia: Available, Available
Slovenian, Slovenia: Available, Available
Spanish, Spain: Available, Available, Available, Available, Available, Available
Spanish, Mexico: UM language only, Available
Swedish, Sweden: Available, Available, Available, Available
Thai, Thailand: Available, Available
Turkish, Turkey: Available, Available
Ukrainian, Ukraine: Available, Available
Urdu, Pakistan: Available, Available
Vietnamese, Vietnam: Available, Available
For More Information
For more information about the client language experience in Exchange 2007, see Language
Support for Client Applications.
For more information about the language support that is available in Exchange 2007 for
system administrators, see Language Support for Administrators.
Language Support for Client Applications
Localization is the process of adapting a document or a product for use in a locale other than
the country of origin. There are three Microsoft Exchange Server 2007 client applications or
features that are localized to include support for many languages: Unified Messaging, Office
Outlook Web Access, and Outlook. This section discusses the language support for these
client features.
Unified Messaging
Unified Messaging (UM) is one of the new features in Exchange 2007. Unified Messaging lets
users receive voice and fax messages into their Inbox and access their Exchange 2007
mailbox from a telephone by using Outlook Voice Access. When users use Outlook Voice
Access from a telephone, they can interact with the system by using touchtone (also known
as DTMF) or speech recognition.
Unified Messaging relies on the Text-to-Speech (TTS) engine and Automatic Speech
Recognition (ASR), for which functionality is provided through the Microsoft Speech Server
service. The TTS engine and the pre-recorded prompts for a given language for Unified
Messaging are packaged as "language packs". The Unified Messaging language packs are
offered in 16 different languages and all 16 language packs are included on the product DVD.
However, not all the UM language packs contain support for ASR.
By default, Exchange Server 2007 Unified Messaging includes Automatic Speech
Recognition support only for U.S. English. There are plans to include ASR support in the UM
language packs for other languages after Exchange 2007 is released. After you download
and install the appropriate language pack and install the language pack that includes ASR
support for non-U.S. English languages, users can use the language that has been installed
to interact with the Unified Messaging system by using speech-enabled input. For more
information about the languages that are supported in Unified Messaging, see Exchange
2007 Language Support.
By default, when you install either the U.S. English version of Exchange 2007 or a localized
version of Exchange 2007, the U.S. English language is installed. It cannot be removed
unless you remove the Unified Messaging server role from the computer. You can however,
add or remove other language packs for Unified Messaging by using the Setup.com
/AddUMLanguagePack or Setup.com /RemoveUMLanguagePack commands. There is no
Exchange Management Shell cmdlet that enables you to add or remove language packs from
Unified Messaging servers.
For more information about how to add and remove languages from Unified Messaging
servers and UM dial plans, see How to add a Unified Messaging Language to a Unified
Messaging Server or How to Remove a Unified Messaging Language from a Unified
Messaging Server.
Caution:
You cannot use an .msi file to install Unified Messaging language packs.
Outlook Web Access
Exchange 2007 Outlook Web Access is offered in significantly more languages than earlier
versions of Microsoft Exchange. The Exchange 2007 Outlook Web Access user interface is
available in 47 languages.
For more information about the languages that are supported in Outlook Web Access, see
Exchange 2007 Language Support.
Outlook Web Access and the .NET Framework
Before you add new languages to Outlook Web Access, you must have version 2.0 of
the Microsoft .NET Framework installed on the client computer. All the
Outlook Web Access languages that are listed in Exchange 2007 Language Support are
supported through .NET Framework 2.0.
Because the user interface text for an Outlook Web Access client is generated by the server,
the .NET Framework 2.0 must be installed on the Exchange 2007 server to fully support all
47 Outlook Web Access client languages.
Note:
The .NET Framework 2.0 is required to install Exchange Server 2007.
Language and Locale
Although the user is prompted to select a language when they first log on to
Outlook Web Access, the locale setting in the user's Internet browser can also be set to use a
specific language. For example, if a user's locale setting is "es-MX (Spanish - Mexico)",
Exchange Server 2007 will select a version of Spanish that is not associated with any specific
culture where Spanish is spoken, for example, Spain. Other culture-specific locales will also
use appropriate neutral versions of languages and display the user interface for the
appropriate neutral language. However, Exchange 2007 includes three culture-specific
languages: Chinese (Hong Kong), Portuguese (Brazil), and Serbian (Latin).
Outlook Web Access Spelling Checker
In Exchange 2007 Outlook Web Access, users can check spelling in 16 languages.
Exchange 2007 Outlook Web Access uses the same spelling checker engines that are used
by Microsoft Office. However, the spelling checker engines included with
Microsoft Office have been customized to be used in a multi-thread processing environment
on servers. The languages available in the spelling checkers in
Exchange 2007 Outlook Web Access are the same spelling checker languages that are
supported in the version of Outlook Web Access that are included with
Microsoft Exchange Server 2003 Service Pack 2.
Outlook Client Access
The number of languages that Microsoft Outlook users can use to access their
Microsoft Exchange mailbox has increased to 49 in Exchange 2007. When users access their
mailboxes by using Outlook and other client applications and both the client application and
Exchange 2007 support the language the user has specified, the user will see all messages
and Exchange-generated mailbox components, for example the Inbox, in a fully localized
user interface. When a user accesses an Exchange 2007 mailbox by using an e-mail client
application, and the client application does contain support for the language, the user will be
presented with a user interface in the chosen language.
For more information about the languages that are supported in the
Office Outlook 2007 client, see Exchange 2007 Language Support.
Note:
To enable ambiguous name resolution (ANR) and profile creation to work correctly
with an Outlook client, you must install the correct code pages on each domain
controller in an Active Directory site that contains Outlook client computers.
For More Information
For more information about the language support that is available for system administrators in
Exchange 2007, see Language Support for Administrators.
Language Support for Administrators
Microsoft Exchange Server 2007 offers a fully localized administrative experience in many
languages. Administrators can use the fully localized user interface to set up and administer
Exchange 2007 in their chosen language. This section discusses the language support that is
available to administrators in Exchange 2007.
Supported Administrative Languages
Table 29 shows the administrative languages that are available for Exchange Server 2007
release to manufacturing (RTM).
Table 29 Supported administrative (server) languages for the RTM version of
Exchange Server 2007
Exchange Server 2007 administrative language | RTM availability (32-bit) | RTM availability (64-bit)
English | Available | Available
German | Available | Available
French | Available | Available
Italian | Available | Available
Spanish | Available | Available
Korean | Available | Available
Chinese-Traditional | Available | Available
Chinese-Simplified | Available | Available
Japanese | Available | Available
Brazilian Portuguese | Available | Available
Russian | Available | Available
Note:
Exchange Server 2007 is adding two new languages that were not included in
Microsoft Exchange Server 2003: Brazilian Portuguese and Russian.
Operating System Requirements for Localized Exchange Server 2007 Administrative
Experience
To achieve a fully localized experience with Exchange Server 2007, you must install the
language-specific version of Microsoft Windows Server 2003, and then install the same
language version of Exchange 2007. For example, if French is the selected language for
Exchange Server 2007, a French version of Windows Server 2003 must be installed as the
operating system.
Windows Server 2003 x64 Edition plans to release additional languages in Service Pack 2. At
that time, all Exchange Server 2007 languages will be supported for a fully localized
experience. This includes Russian and Brazilian Portuguese.
It is possible to install a Multilingual User Interface Pack (MUI) in the language of choice for
Windows Server 2003 over the English version of Windows Server 2003 before installing
Exchange Server 2007. However, this will only provide a partially localized experience and is
not recommended. For more information about the Multilingual User Interface Pack (MUI) in
Windows Server 2003, see Frequently Asked Questions About MUI.
The following sections contain guidance for customers who want a localized
Exchange Server 2007 experience. Although you must deploy the 64-bit version of
Exchange Server 2007 in a production environment, a 32-bit version is available. The 32-bit
version is not supported in a production environment. However, you can install the Exchange
Management Tools (this includes the Exchange Management Console, the Exchange
Management Shell, and the Exchange Help file) on a computer that has a 32-bit processor
that is running Windows Server 2003 or Microsoft Windows XP Professional.
64-bit Localized Exchange Server 2007 Experience
Operating system required: Windows Server 2003 x64 or Windows Server 2003 R2
x64 Edition
Available operating system languages: 64-bit Editions of Windows Server 2003 x64
and Windows Server 2003 R2 x64 are available in English and Japanese. All remaining
Exchange 2007 administrative languages, except for Russian and Brazilian Portuguese,
are available through the Multilingual User Interface Pack (MUI). MUI may be available to
customers who have existing license rights to Windows Server 2003 x64 or
Windows Server 2003 R2 x64 in compliance with the policy that is contained in the most
recent Volume License Product List document. After you access the Volume License
Product List document, see the section titled Windows Server 2003 x64 Editions Media
Election.
Customers who have existing license rights to Windows Server 2003 x64 or
Windows Server 2003 R2 x64 may be able to acquire a MUI pack for trial purposes in
compliance with the policy that is contained in the most recent Volume License Product
List document. After you access the Volume License Product List document, see the
section titled Windows Server 2003 x64 Editions Media Election. To use a MUI language,
you must first install the English trial version of Windows Server 2003 R2 x64, and then
install the MUI pack. Installing the MUI pack onto the Windows Server 2003 operating
system provides a partially localized experience in 64-bit for the following Exchange 2007
administrative languages: German, French, Italian, Korean, Chinese-Simplified, Chinese-
Traditional, and Spanish.
Note:
64-bit MUI for Brazilian Portuguese and Russian are not currently available. They will
be available with the release of Windows Server 2003 Service Pack 2. Until Service
Pack 2 is released, no localized experience is available for Exchange Server 2007
64-bit in these two languages.
Note:
A partially localized experience may cause certain components of the Exchange 2007
user interface to appear in English and not in the language of the MUI. This includes
certain dialog boxes, errors, and events.
Table 30 lists the location of the language files that are available for installation for customers
who have Windows Server 2003 Service Pack 1 and the MUI.
Table 30 Language packs available for Windows Server 2003 Service Pack 1
Exchange Server 2007 language | Compact disk 1 | Compact disk 2 | Compact disk 3
English
German: X
Japanese: X
French: X
Spanish: X
Korean: X
Italian: X
Chinese-Simplified: X
Chinese-Traditional: X
For more information about the languages that are supported in Exchange 2007, see
Exchange 2007 Language Support.
.NET Framework 2.0 in Exchange 2007
Version 2.0 of the .NET Framework is required to install Exchange Server 2007 and must be
installed for the same language version of the server. All 11 Microsoft Exchange
administrative languages that are listed in Exchange 2007 Language Support are supported
through .NET Framework 2.0.
Help Documents
Exchange Server 2007 Setup will copy the Help documentation files onto the computer that is
running Exchange Server 2007. The language of the Help documentation that is installed by
Setup is the same as the language of the Exchange Server 2007 DVD from which Setup is
run. For example, if a customer installs Exchange 2007 by using a German DVD, the Help
files targeted for administrators will be installed in German and the Help files targeted for
Outlook Web Access end-users will be installed in all Outlook Web Access languages.
The Help documentation includes Outlook Web Access Help documents in all
Outlook Web Access languages and can be accessed from the Start menu.
Unified Messaging Language Pack Installation
When you install the Unified Messaging server role in Exchange 2007, one or more default
Unified Messaging language packs are installed, depending on the administrative language
of the server. You can then add and remove other language packs for Unified Messaging by
using the Setup.com /addUMlanguagepack or Setup.com /removeUMlanguagepack
commands.
For example, Setup.com /AddUmLanguagePack:de-DE
/s:d:\Downloads\UmLanguagePacks adds the German Unified Messaging language pack
from the specified source location, and Setup.com /RemoveUmLanguagePack:de-DE,fr-FR
removes the German and French Unified Messaging language packs.
The U.S. English (en-US) Unified Messaging language pack cannot be removed. It is
installed and uninstalled automatically together with the Unified Messaging server role.
There is no Exchange Management Shell cmdlet that you can run to add or remove language
packs for Unified Messaging.
Note:
All of the UM language packs that are available are located on the Exchange Server
2007 DVD. However, if you have downloaded Exchange 2007 from the Web and you
require additional UM language packs, you must download them from the Exchange
Server TechCenter.
For More Information
For more information about the languages that are supported in Exchange 2007, see
Exchange 2007 Language Support.