Microsoft Support WebCast
Microsoft Exchange 2000 Outlook Web Access
July 26, 2001
Note This document is based on the original spoken Support WebCast transcript. It has been edited for clarity.
Judy MacCallum: Hi, this is Judy MacCallum. I have with me today Brad Wilson and also Jacqui Williford. We'll be talking today about Microsoft® Outlook® Web Access for Microsoft Exchange 2000 Server.
Our agenda for this WebCast is on slide 2. We'll be talking about what Outlook Web Access is, and also some of the new features and some of the limitations. We'll be discussing different authentication methods, such as basic authentication, integrated Windows®, anonymous, and Basic with SSL.
The remaining portion of this WebCast will be about administration of Outlook Web Access, support issues, firewalls, and troubleshooting. Outlook Web Access is not an installation option, as it was in earlier versions. It is installed automatically when you install Exchange 2000. If you do not want to run Outlook Web Access on your Exchange Server you need to stop the HTTP virtual server, which will disable HTTP services on the computer hosting Outlook Web Access.
Due to the complexity of this topic, we've added more of the text of the talk in the slides of this WebCast for your reference. We hope this additional text will be helpful for you.
Moving to the next slide (slide 3). Outlook Web Access is a way of accessing mail and scheduling information from an Exchange server, just as you would from Outlook through a standard Web browser, such as Microsoft Internet Explorer 3.0 or later and Netscape Navigator. The version 3.0 or later browsers are necessary to support the functionality required by HTML 3.2, such as frames, advanced scripting, secure sockets layer (SSL), and Java.
Microsoft Outlook Web Access is essentially a third-generation product. The first versions were installed as Active Server Pages in Exchange 5.0. It was called Outlook Web Access in Exchange 5.5, and now Outlook Web Access for Exchange 2000.
Outlook Web Access 2000 has been redesigned to make it easier to use and more reliable. The universality of the browser client makes OWA an attractive choice in environments that have a diverse mixture of clients, such as Windows, Macintosh, and UNIX, and that require a shared messaging client.
OWA is extremely beneficial for users such as information systems staff who move around to different workstations frequently during the day. They can simply check their mail using OWA instead of creating a mail profile on each of the workstations. It was designed to closely match the current Outlook functionality.
Moving to slide 4, we'll be talking about features and limitations. The chart shown compares the full-featured product, Outlook 2000, with Outlook Web Access 2000 and Outlook Web Access 5.5. Outlook Web Access for Exchange 2000 has new features, including the ability to have embedded objects, drag-and-drop editing, and shortcut menus with Internet Explorer 5.0 or higher. Offline use, journaling, tasks, and printing templates are not included in Outlook Web Access. You would need to use the full-featured client (Microsoft Outlook) to use these features.
Moving to the next slide (slide 5), this is a continuation of the features and limitations. This chart is a continuation of the previous chart. You can see that timed delivery, expiration, the spelling checker, reminders, and Outlook rules are also not available in Outlook Web Access 2000. However, Outlook Web Access for Exchange 2000 does have a single sign-on feature. You are not asked to log on multiple times as in past versions, depending on your authentication method. We will be discussing this later in the presentation.
In order to open Outlook Web Access, open up Internet Explorer or your browser, and type the following: http://<your exchange server name>/exchange/<your user name>.
Moving to the next slide (slide 6), which is also a continuation of features and limitations. The universality of the browser makes OWA an attractive choice in environments that have a diverse mixture of clients. Outlook Web Access includes support for embedded items, public folders that contain contact and calendar items, named URLs that reference items, multimedia messages, and checking names against contacts.
Moving to the next slide (slide 7). Once again, Outlook Web Access is not a replacement for the full-featured Outlook Messaging client. In addition to the items on this screen, OWA also does not support Personal Address Books (because they're on your actual workstation), reply and forwarded flags in a List view, message flags and Inbox rules, three-pane view, dragging and dropping onto a folder, searching for messages, Word Mail, and Microsoft Office integration. It also does not support viewing Free/Busy details, exporting to a data-link watch or other devices, Outlook forms, synchronizing local offline folders with server folders, and accessing a local .pst file.
On the next slide (slide 8), we'd like to talk about authentication methods. There are several different authentication methods that we can use for Outlook Web Access. Basic authentication uses clear text to perform a simple challenge response. Integrated Windows leverages the native security attributes of the client. Anonymous authentication provides access to public folders that are intended for general access. Secure sockets layer, or SSL: Although SSL is not actually an authentication method, SSL provides a secure communications channel that can be used in combination with any of the other above methods.
In a default installation of Exchange 2000, basic authentication and integrated Windows authentication are set automatically. Also, all other necessary permissions are set for users who log onto your domain. Exchange 5.5 required you to make numerous permission changes to folders, but this is already done for you in Exchange 2000.
On the next slide (slide 9), basic authentication is a clear text challenge response method. This method requires a user to enter a user name, a domain, and a password in order to use OWA. Basic authentication can be used with front-end server, and it can be used with any type of browser. It's supported by most clients and works fine through proxies and firewalls. It's independent of the browser, which makes it independent of the platform, and here again it allows the use of a front-end server.
Some things which may make basic authentication not acceptable in your situation include having the password sent as clear text unless SSL protocol is used to encrypt it, and the users must enter their name, domain, and password each time they log on.
Moving to the next slide (slide 10): Integrated Windows. Integrated Windows authentication operates best when the workstation uses Windows 2000 and Internet Explorer 5.0 or greater, because then it will use Kerberos, which is an Internet standard authentication protocol used by Active Directory®. Any other Windows version, such as Windows 95, 98, or Windows NT® can also use integrated Windows method for authentication, but they all use legacy NTLM (NT LanMan) authentication.
Integrated Windows authentication requires that users provide or are logged on using a valid Windows 2000 account name. The client and server negotiate the Windows security support provider interface.
Moving to the next slide (slide 11). The password is sent as an encrypted value for the highest security. Integrated Windows authentication provides native authentication from Windows networking clients, and allows browser access without prompting the user for the user ID and password. However, it is supported only by Internet Explorer 4.0 and later. It does not work through HTTP proxies, and is not available in a front-end and back-end server configuration.
On the next slide (slide 12), we'll be talking about anonymous access. Anonymous access is completely non-secure. It is useful for providing access to general public folders on an intranet. Public folders that are provided via this method must be published and then anonymous access must be specified explicitly.
To use anonymous access, you configure each public folder that you want to provide to general users separately. All browsers support anonymous access. It is an easy way to provide insecure access to public folder data. A single point of configuration makes administration simple. Anonymous access does not identify users uniquely; consequently, you cannot track usage by user. It does not provide security on an individual basis. All anonymously authenticated users can access any content to which the anonymous user account, IUSR_ComputerName, has access.
Moving to the next slide (slide 13): Secure Sockets Layer or SSL. SSL, although not an authentication method, offers high security through the encryption for the entire transmission of data. What this means is that you can use basic authentication on your Exchange server, and then secure the communication with OWA clients over SSL. Most Web browsers support SSL. SSL provides the best level of security, and the entire communication session is encrypted. Once again, SSL is not actually an authentication mechanism itself, but it provides a secure channel for any authentication mechanism. The most common implementation is basic with SSL.
Moving to the next slide (slide 14). It is a continuation on SSL. Advantages of SSL include, once again, the entire communications session is encrypted. It's supported by most browsers. However, it requires a substantial amount of overhead for creating and dismantling sessions. Thus, SSL communications reduce the overall performance of the authenticating server. When connections are made using SSL, information is encrypted and decrypted, which is processor intensive and can negatively affect performance. If your HTTP virtual servers are deployed in a front-end/back-end configuration, the front-end server can process the encryption with the client. When the front-end server and back-end server communicate, they do so without the overhead of SSL encryption. This reduces the load on the back-end server. Also, basic with SSL authentication requires that users must enter their user name, domain, and password each time they log on.
Moving to the next slide (slide 15). On the next few slides, we'll be talking about firewall requirements and front-end/back-end servers behind a firewall. OWA also works with front-end/back-end servers, which can give you load balancing features if you have a large number of users utilizing OWA.
In terms of ports and firewalls, you'll need only to have port 80 open on your firewall, which in most installations is a standard port to open. OWA does work with SSL over port 443 and also supports Kerberos.
In the front-end/back-end scenario (slide 16), the front-end server can be positioned as a single point of access on or behind an Internet firewall, which is configured to allow traffic only to the front-end from the Internet. Because the front-end server has no user information on it, it provides an additional layer of security for the corporation. In addition, because the front-end server can be configured to authenticate requests before proxying them, the back-end servers are protected from denial of service attacks.
Moving to the next slide (slide 17). Most organizations have connected, or want to connect, their private networks to the Internet so that their users can have convenient access to Internet services such as Web content and Internet e-mail. An Internet firewall creates that comfortable space for your users by restricting inbound and outbound access, and analyzing all traffic between your network and the Internet.
The firewall can range from a simple packet filter to a variety of gateways that analyze traffic, in various combinations of routers, computers, networks, and software that protect any resource that can be reached from the Internet. The main function of the firewall is to centralize access control. If outsiders or remote users can access the internal networks without going through a firewall, its effectiveness is diluted.
Moving to the next slide (slide 18), we'll talk about what ports you need to have open if you're going to have OWA and a firewall. In an Internet scenario, a firewall is required between the corporation and the Internet. The firewall must be configured to allow requests to certain IP addresses and over certain TCP/IP and UDP ports. This table lists the ports required for the different services: TCP port 443 for SSL-secured HTTP; 993 for IMAP secured with SSL; 995 for POP3 over SSL; and port 25 for SMTP.
Moving on to the next slide (slide 19). Additionally, port 80 for HTTP; TCP port 143 for IMAP4; port 110 for POP3; and port 25 for SMTP.
When configuring an Internet firewall it must be configured between a front-end server and the corporate Internet. In all cases, all supported ports must be open on the inner firewall. The SSL ports do not need to be open, because SSL is not used in communication between a front-end server and a back-end server. The table that is on the screen lists the required ports.
On the next slide (slide 20), we'll be talking about administration of OWA. The installation, configuration, and administration of Outlook Web Access are fairly straightforward tasks. However, because some of the concepts in Exchange 2000 Outlook Web Access are new, gaining a solid understanding of the entire process, and of the relationships between the components, before deployment is recommended.
Outlook Web Access is installed as part of the default setup of Exchange 2000. The requirements for Outlook Web Access, therefore, are the same as the requirements for installing Exchange 2000. You must install it on a Windows 2000 or greater server, running at least Windows 2000 SP1 with Active Directory, and additionally, you must have SMTP and NNTP components installed.
The basic operation requires no additional configuration, and Outlook Web Access users should be able to access mailboxes and the default public folder tree. However, you can configure the server to provide customized access for HTTP WebDAV clients.
Moving to the next slide (slide 21). You will use the Exchange System Manager console and the Active Directory Users and Computers Console in the Microsoft Management Console, otherwise known as the MMC. The changes you make are stored in the Active Directory and then applied by the Exchange server. The virtual Web servers and directories that you create with the Exchange System Manager, appear in the Internet Services Manager Console. Configuration changes made in the Exchange System Manager, overwrite changes made to the similar items with Internet Services Manager. A good rule to follow is if you are able to make the change in the Exchange System Manager, and you did not receive a dialog box telling you to use IIS Console, then make the changes in the Exchange System Manager. Only use Internet Services Manager to make changes that are not available in the Exchange System Manager.
Moving on to the next slide (slide 22). Once again, if you're going to create new virtual servers or new virtual directories, you would use Exchange System Manager to do this. You'll also see on the slide here that Setup automatically creates the Exchange virtual roots: the http://server/exchange/ virtual root, the http://server/public/ virtual root, and also the http://server/exadmin/ root. If you want to track any usage, you will need to use the IIS Admin logs to track usage.
Moving to the next slide (slide 23) on support issues. Problems experienced in OWA are often caused by configuration. However, some error messages that are returned when using HTTP through the front-end server can help target investigations. Depending on the configuration of your browser, the error number might be obvious or might be included somewhere in the text of the response.
Errors that you may encounter would include the "HTTP 404 Error - File not found." Generally, if you get this error, you would check to see if the URL that you entered was valid. Look for any typographical errors in the name of the user or in any other parts of the URL.
For "HTTP 401 Errors - Unauthorized." Oftentimes the user entered an incorrect user name or password. Remember that authentication requires a user name in the format of domain/password.
For the "HTTP 500 Error - Internal Server Error," it often occurs in a locked-down perimeter network scenario. It's usually a sign that the front-end cannot connect to domain controllers through a closed-down intranet firewall.
That actually ends the presentation portion.
Jason Bennett: Great. Thanks so much for that presentation, Judy. Just a couple of quick notes before we move into the Q&A portion of the Support WebCast. If you would like to have a copy of the PowerPoint® slides, be sure you download the file from the Past Support WebCast page.
To access information about all upcoming Support WebCasts and the archive content from all past WebCasts, an easy to remember URL is http://support.microsoft.com/webcasts/.
I will note the Q&A portion of the Support WebCast is intended to encourage further discussion of the Support WebCast topic, but one-on-one product support issues are outside the scope of the Support WebCast. If you do need technical assistance please submit an incident on the Web or call Microsoft Product Support Services and speak to a support professional.
So starting out with the first question, and I believe today participating in the Q&A portion are going to be Brad Wilson and Jacqui Williford. So the first question, How do I avoid the "Web page under construction" page when connecting to //servername?
Brad Wilson: Okay, thanks a lot. That's a pretty frequent thing that we see. What that is, is when we're actually connecting to the Exchange server from the actual local Exchange server, we actually want to go ahead and complete that URL address with http://servername/exchange/, because by default we're just going to server name. We're actually going to the default Web site and that virtual root of Exchange. So to get to your Exchange mailbox on the actual local Exchange server, we want to format the URL address as http://exchangeservername/exchange/ and then if we want to go to a particular mailbox, we'll go ahead and trail that with the user name after that, so the complete URL would be http://servername/exchange/username/.
Jason: Is there a way to speed up the logon time?
Brad: That's really beyond the scope of this actual WebCast because it can be a determining factor, whether it's in the networking infrastructure, whether it's the type of machine that we're running it on. That would probably be something, if you're looking as far as a performance issue or something like that, you might want to actually call into support or open up an incident to take a look at that individual setting for a configuration.
Jason: Great. When configuring a cluster back-end server, does each HTTP virtual server require a unique IP address, keeping in mind Exchange autoinstalls HTTP virtual servers in each cluster group?
Brad: You would definitely want some type of mechanism to be able to differentiate between the different HTTP virtual servers. So if one particular virtual server is in use for a particular user segment or a particular company, then yes, you would have to have some manner in which to differentiate those virtual servers, whether it be by IP or by host header or some other mechanism that you're using to differentiate between those virtual servers.
Jason: Okay. Next question, What is meant by a front-end server, as mentioned on slide 9?
Brad: Thanks a lot, Jason. That's a pretty good question. The best way to actually answer that is that a front-end/back-end scenario, as far as the Outlook Web Access client in Exchange 2000 is concerned, is basically where we take a front-end server and place it in an environment where it can be used to proxy back into your back-end server. So this is an Exchange 2000 server that's used for a single namespace. So if you wanted everyone that needs access into Exchange, we don't always want them to have to go to the <server where their mailbox resides>/exchange. What this will allow us to do is be able to allow anyone in the environment that needs to access OWA to type in the server name of the front-end server.
There's a really good white paper that we already have that describes the front-end/back-end technology. If you go to http://www.microsoft.com/exchange/, and then on the left-hand side if you point to Technical Resources, and then you click Deployment & Migration, you're going to see the "Exchange 2000 Front-End and Back-End Topology" link. That provides a lot of information in detail about some of the advantages and some of the things that you'll need to be aware of as you go through the deployment of front-end and back-end topology.
Jason: Okay. Next question, How do I just log in with the user name without typing the domain to where I belong?
Jacqui: You can actually do that in Internet Service Manager, under the properties of the Exchange Virtual Directory, under Basic Authentication, by clicking Edit, and just putting in the domain name right there. If you have multiple domain controllers, you can actually put in the backslash and that'll get rid of the need to put in an actual name.
Jason: How do host names work with virtual servers?
Brad: One of the things that you'll want to take a look at whenever you're setting up host names is whether you're using some type of host headers now. As far as just a host name, as far as virtual servers are concerned, whenever you're actually going to a host name, by default, the HTTP virtual server that's installed with Exchange 2000 is in use by the server where it's installed. So the host name of the Exchange HTTP Virtual Server would be http:// and then the actual server name or host name of the Exchange 2000 server that's running that HTTP virtual server.
Jason: Great. I don't have to type in a domain name when I log on to Outlook Web Access from the Internet. I only need to type in a user name and password. Is there something wrong with my setup?
Brad: Not necessarily, Jason. Actually there are several different configuration methods that you can go through with the different authentications in Exchange 2000, whether you're using basic, anonymous, NTLM, or Windows integrated authentication method now, as it's called, in Exchange 2000 and IIS 5.0. But it depends on how you actually went through and set up the configuration on either your basic authentication method. Like if you go in and you actually enter in your domain information, like Jacqui had stated on the previous question, that will actually allow you to just put in the user name and password. Sometimes there are some caveats about that, like Judy had discussed in the WebCast about actually put in with SSL. Sometimes you are actually required to put in the domainname/username. But no, there's definitely nothing wrong with your configuration if you only have to put in the user name and the password.
Jason: How can you get the browser "Mail To" function to call up the Outlook Web Access client? I know there is support for the Hotmail® Web e-mail in Internet Explorer 5.5.
Jacqui: Jason, this is actually beyond the scope of this WebCast.
Jason: That's fair. If that person wants to get further information about that, probably the best thing to do would be to call Microsoft Product Support Services and speak to a support professional.
Jason: Okay. How can you find which users access their mailboxes with Outlook Web Access?
Brad: Jason, one of the things that you'll actually have to do when you're going through your administration of Exchange 2000 is you're going to have to start relying also on the IIS administration as well, because your authentication's actually going to be logged in the IIS log files. It's not necessarily going to be something that's readily available directly within the MMC console for Exchange 2000. So you're actually going to have to rely on taking a look in your World Wide Web publishing logs as well. Similar to if you were trying to check and see if someone had logged on to a regular Web page on IIS 5.0.
Jason: Okay. Next question. This is actually a really long question, so bear with me guys. We have one NT 4.0 domain and one Windows 2000 domain. We have an Outlook Web Access box in both domains sharing the same Exchange organization, and we have two links on one Web page to select which environment to use. After selecting the appropriate link, it brings us to a logon screen, and the logon screen asks for a user name and password. We have to supply the domain name\user name, and a password. We can also enter \user name and password. How can we configure this not to specify the domain name or backslash? You might have already answered that.
Brad: One thing that I can give you a hint on this one as well, Jason, is sometimes in your basic authentication box, you can actually put in a backslash which will actually cause IIS to enumerate the available domains that are available with the logon process. Sometimes that gets you around it. Sometimes we actually have seen some problems with that. But if you go through and you actually have entered in the domain name that you have in use, and that doesn't work, you definitely want to call in or submit a Web incident to take a look at that. We have seen some issues with that, as well as after applying a certain security patch that UPN logons or the default logon domain field was not being honored during the logon request.
So if you go through and you put in the domain name authentication in the basic authentication box, and that doesn't work, or if you try the backslash for the default domain and the basic authentication, definitely let us know.
Jason: Great. The next question is, We have several clients who do not use Microsoft Windows or who do not use Internet Explorer, so Outlook Web Access is not quite as robust for those users. Is bringing Outlook Web Access up to par for these clients a function of future non-Internet Explorer browser updates or of improvements to Outlook Web Access code?
Brad: Jason, basically what we're seeing here is during the evolution of OWA, we're trying to move away from the Active Server Pages that we were using in Exchange 5.5 to basically allowing the use of XML to push some of this functionality down onto the client side. So I can't really speak to the topic of where we're going with development on the product, but I know what we're trying to do is stay on the cutting edge of technology.
So as far as with the Internet Explorer versions, we are going to allow the functionality similar. But like the question was posed, yes, we're not going to see all of the drag-and-drop or the right-click mouse functionality unless we are actually using a browser that can take advantage of some of those extended Web-DAV verbs that Exchange 2000 is trying to expose.
Jason: Will integrated Windows authentication work on a portable computer with Windows 2000 out of the office? For example, if a user logs in without DC connectivity and does a dial-up connection to the Exchange Server through the browser?
Brad: That's kind of a hard question to answer. But basically, when we use the Windows integrated authentication, when you're actually in the process of trying to log on to Exchange 2000, we're going to pass the domain credentials that are already cached on that machine. So if the credentials are a match, then there is a good possibility that you would still be able to connect to Exchange 2000, but you are still going to have to make a domain credential check.
Jason: Okay. Someone's asking about the correct port for the SSL. Is it 4430, is that correct?
Jacqui: No, actually Jason it's 443.
Jason: 443? Okay. Next question, What is the Exchange URL that allows one to access their page?
Jacqui: You can actually access it several ways. You can put in the actual IP address as the exchange server/exchange, or you can put in the URL/Exchange, that's the default address.
Jason: Okay, great. Is there a way to display the GAL in Outlook Web Access, instead of going through defined items all the time?
Brad: No, Jason. That's actually been a pretty common question that we've received in Product Support Services. But at this time, actually no. The ability to scan through the GAL is the option, when you're composing a message, to go in and actually click on To, and then that actually performs an LDAP query against Active Directory. Not necessarily Active Directory Users and Computers, but within Active Directory.
Jason: If Outlook Web Access is being used behind a firewall can Exchange live in a DMZ, that is a demilitarized zone? What issues would there be in this configuration? How would Exchange 2000 authenticate?
Brad: Basically, as far as in a DMZ or in the perimeter network, a lot of the concepts that we see are actually already described and pretty well documented inside of that Exchange 2000 front-end/back-end topology. Because when you're actually doing that type of deployment you're going to have to take into consideration that that Exchange 2000 server is going to have to become a member of a domain that's in the same forest with the Exchange 2000 servers that are on the inside or the internal network.
So basically, the thing that you want to do there is maybe take a look at the security concerns that are already in effect, or the security policies that are already in effect in the company, and then design the Exchange 2000 topology around those security policies.
For a little bit more in-depth discussion on that, though, definitely take a look at the "Exchange 2000 Front-End and Back-End Topology" white paper that we have published, because that actually goes into details as far as the ports and what you would want to do as far as setting up the virtual servers as well.
Jason: Okay. I do want to make a quick note that we do not handle one-on-one product support issues during these WebCasts. I have noticed that a few questions coming in are very specifically geared towards one-on-one product support, and that's really outside the scope of what we're able to do during the WebCast. So if you do have a question about a known issue or you have a question about configuring something, please ask the question. Otherwise you'll want to call Microsoft Product Support Services and speak to a support professional.
How do I move mail to another folder using Outlook Web Access?
Brad: If you're using one of the rich clients, and when I say rich client, that's one of the Internet Explorer 5.0 or above that can actually use some of the new technologies, you can actually just left-click and drag, just like you can within the Outlook 2000 or Outlook 2002. If not, you would have to go through the process of doing a move the messages, just like we did in Outlook Web Access 5.5. But if you're using one of the rich clients, you would actually just "left drag" it from one folder to another.
Jason: Okay. What is your recommendation for the maximum number of concurrent Outlook Web Access users that a four-processor front-end server can support? And what is the recommendation for the maximum CPU utilization on a front-end processor?
Brad: Jason, that's a question that I would definitely love to tackle, but unfortunately, that's a little bit beyond the scope of the WebCast. You definitely want to open up a Web incident or contact Product Support, because in that way you can get more intimate with the support professional that you're talking with and maybe lay out even more on the configuration.
Jason: Okay, good. How do you synchronize Exchange user's e-mail and calendar to Outlook Web Access?
Jacqui: You're actually accessing the same mailbox, so as far as synchronizing, really it's as if you're accessing your e-mail through an Outlook client, like Outlook 2000, Outlook 98. So as far as synchronizing, I wouldn't really call it synchronizing. It's just accessing your Inbox.
Jason: Okay. What are the pros and cons of moving a front-end server to a DMZ, the demilitarized zone we mentioned before, i.e. ports that need to be opened, additional network traffic, improved security versus a single external firewall, etc.?
Brad: Those, Jason, are all going to be considerations that the individual user or individual company would have to take a look at. As far as ports and things, it's similar based on the information that Judy had given us in the PowerPoint presentation. The only difference there is that we are accessing the front-end server on the outside of the internal firewall or on the inside of it. So it depends on the security policies that are already set up inside of the organization.
There is a little bit more information, again, in that "Exchange 2000 Front-End and Back-End Topology" white paper on the Exchange Web site.
Jason: Does Microsoft plan on adding spell check to Outlook Web Access?
Jacqui: I really don't have any information on that. It's actually beyond the scope of this WebCast.
Jason: Yes, oftentimes, just for that user's information, we don't give away product information on future product releases, just because features change all the time in the process of creating software. We don't want to unfairly set expectations and then dash your hopes. So keep checking back, and as we know, and as the public knows, you'll be able to find it on the Microsoft WebCast site.
We have users who use Outlook Web Access 2000 to check e-mail when traveling, and they noticed a security problem. When the user logs in to Outlook Web Access by entering their user name and password, they read their e-mail and close Outlook Web Access. When they go to the Outlook Web Access address again, they are not prompted for a user name and password. The Inbox for the user that just logged in is opened up without entering a user name or password. Is this an IIS 5.0 problem?
Brad: That's something that I'm not aware of, Jason. What we can do, though, is have that customer call into Product Support Services to maybe have that taken a look at. If, Jason, you'll actually get that customer's e-mail address, that's something that we can also address as well.
Jason: Okay, good. What we can do is if that person did input their e-mail address when they logged into the show, we can follow up with you after the show with an answer to that question. We can also put an answer in the transcript. Does that work for you Brad?
Follow-up answer: The only way to successfully log off from Outlook Web Access on Exchange 2000, is to close the browser. This is the only supported way to clear the credentials in the OWA session. Please see this Web site for more information about IIS 5.0 Authentication methods: http://www.microsoft.com/windows2000/techinfo/reskit/en/iisbook/c09_iis_5.0_authentication_modes.htm.
Brad: Yes, that's great.
Jason: Okay, good. Next question, Can Exchange be configured to spool to another Exchange server for delivery redundancy using a different set of delivery rules from the defaults? And how would this be done?
Brad: I definitely think that's going a little bit beyond as far as Outlook Web Access in general. This could be something as far as maybe setting up SMTP routing or something of that nature. But as far as Outlook Web Access is concerned, as long as you're in the same forest as the Exchange servers, you should be rerouted specifically to the mailbox server that you're using.
Now there are some differences in a front-end and back-end topology where the front-end server is actually proxying your request to the back-end server. So there are a few differences as far as if the question is about load balancing or something of that nature. If you're interested in it as far as the Outlook Web Access, it's going to be based off of the mailbox server that you're on. Then, of course, you'll want to also take a look at that front-end/back-end topology white paper, because it goes into a little bit more detail as far as how that architecture does the load balancing and proxying on the request.
Jason: Okay. Front-end servers perform authentication against AD. How can we configure FE Servers to use specific global catalogs?
Jacqui: Jason, that's a really good question. What we'll have to do is do some more research, look at some Knowledge Base articles, and get back with that customer. If you did get their e-mail address, we'll get back with that customer with some more information.
Follow-up answer: For more information about how to statically map the domain controllers in use to use for authentication please see Knowledge Base article Q250570, "XCON: Directory Service Server Detection and DSAccess Usage" at http://support.microsoft.com/support/misc/kblookup.asp?id=Q270570
Jason: Okay. Can you restate the URL for Outlook Web Access on the server, i.e. http://OWA.exchangesrvr/. Is that correct?
Brad: Jason, what we'll actually do is, if you're actually doing the testing right from the Exchange 2000 server, you'll put in your URL address as http://and then whatever actually the server's name is. Like if it's called OWA1, and then a forward slash, Exchange, and then forward slash and the user name. But for my example, my machine name is machine01. I would at that server actually go http://machine01/exchange/username, where username in my case might be something like bwilson. So it would be http://machine01/exchange/bwilson. Does that help, Jason?
Jason: Yes. If that didn't answer the user's question, give us another write-in, send us a message and clarify your question. See if that answers your question.
Do front-end servers use DS access components for accessing or for authentication against AD?
Brad: Jason, I think a lot of the questions as far as how the Exchange 2000 front-end servers do the authentication methods is covered in that front-end/back-end topology white paper. It actually handles a lot of the problems with authentication, but that front-end server's going to proxy a request back to the Exchange 2000 server and it's going to also handle the authentication against Active Directory. Just like if you had a regular Web site that you were publishing on that front-end server that needed to do authentication.
Jason: Okay, great. In order to disable Outlook Web Access you said to disable HTTP services on the Exchange machine. What impact does that have on other servers or services running on an SBS 2000 machine?
Jacqui: This is actually beyond the scope of the OWA WebCast. What they could do is call into the Microsoft Support line and get some more information about that.
Jason: Okay. Next question, Are virtual servers used for multiple mail domains? If not, please explain their use.
Brad: That's definitely one of the uses for HTTP virtual servers. You can set up one virtual server for your internal network. You can use one for different domains. It's just to allow you to either provide different security measures on the different virtual servers or different access methods to those virtual servers. So the usage can be set up for different things. It's only limited to what you want to do with those virtual servers. But that is one example of what you can do with the virtual servers.
Jason: Does the new Outlook Web Access support creating and using distribution groups under contacts?
Brad: Jason, I think that's actually one of the things that you can use. I don't know that there's a method for you to create the distribution list there. But you can definitely send messages to different objects within your contacts folders.
The thing about contacts is, if you're trying to actually send a message in, maybe check against your contacts folders, you actually will need to use the Check Names button on the new message mail. Also, you can change whether it's going to check names against your local contacts folder or against the global address list by using the options under Outlook Web Access.
Jason: Okay. I would like to take a moment here to solicit some feedback from our listeners today. We are very interested in your feedback regarding the WebCast program. You can send us your feedback to the e-mail alias, feedback@microsoft.com. If you use that alias please be sure to include "Support WebCasts" in the subject line.
So we're looking for information about today's WebCast. If you've seen one in the past and you want to comment on it. If you've got future topics that you'd like to see covered, all that stuff. Send it in to us; we do take your feedback into consideration when booking these Support WebCasts.
Okay, next question. What reference materials are available to help configure an ISA 2000, DMZ, Exchange 2000, or Outlook Web Access 2000 configuration?
Brad: Specifically, if you're looking for information as far as ISA and Exchange 2000, the first thing that I would suggest is go ahead and go to support.microsoft.com and enter a query for any type of Knowledge Base that we already have for the ISA Server and Exchange 2000. There's not really any specific information as far as in the front-end/back-end topology that is directly related to any specific type of firewall deployment. This is because we provide you with what you would need to do the connectivity for the front-end and back-end. Then the actual usage of the device would be the configuration that you would need to do.
But definitely go up to support.microsoft.com and take a look as far as querying for Exchange 2000 and ISA.
Jason: Okay. Do I need to create multiple virtual roots in ESM if I'm hosting separate companies using the OU feature of Active Directory?
Jacqui: Jason, that's actually beyond the scope of the WebCast. If they need more information they can call into Microsoft Support line.
Jason: Okay. Next question, Is there an easy way or a quick way to determine if the Outlook Web Access part of IIS configuration has changed?
Brad: On that question, I guess I really don't understand whether we're talking about inside of Internet Information Server Manager or inside of the Exchange System Manager. If you could just ask for the question to be restated in a different manner it would be great. But I'm looking forward to hearing it.
Jason: Okay. If that user just wants to ask the question again and give us a little more clarifying information about which particular server or software you're talking about.
Next question. Can you limit legacy clients Windows Millennium from using Lanman authentication? Will the DS client allow this?
Brad: Jason, I think that's actually something that we would want to direct to one of the Networking Support Professionals inside of Microsoft Product Support Services, because I really don't think that's an issue as far as setting up OWA. Because if you're using the correct version of Internet Explorer with Windows integrated authentication, they should be okay as far as authenticating. But if they have further questions on that, then that's probably something they want to talk to one of the Product Support Services engineers.
Jason: Okay. I will say we are getting a lot of one-on-one product support issues. So if you do have a pretty lengthy topic that requires troubleshooting, rather than something that you're trying to track down, and you have a specific question on features, we do ask that you call in to Microsoft Support Services. We really can't go through it in this WebCast. It's outside the scope of what we're able to do.
After Exchange 2000 SP1 upgrade, I experienced an Outlook Web Access permission issue. Is this common?
Brad: Not that I'm aware of, and that's just speaking from my sole individual experiences. But I'm not aware of any problems with Exchange 2000 Service Pack 1 problems.
Jason: Okay. Next question, Does Exchange 2000 Outlook Web Access have the problem of logon failure due to similar alias names? In Exchange 5.5 Outlook Web Access, entering the display name resolves in place of alias name.
Brad: Not that I'm aware of. And I think what the question is talking about is ambiguous name resolution in Exchange 5.5. I haven't actually seen that same problem with Exchange 2000, because with the Exchange 2000, we're actually linked into the Active Directory, which kind of helps us out getting away from the ambiguous name problem.
Jason: Okay. What tools and white papers are available to secure Outlook Web Access 5.5 and 2000?
Brad: As far as Exchange 2000, you would want to just take a look up on http://www.microsoft.com/exchange/. As far as Exchange 5.5 is concerned, we've got that pretty much well documented, and the best thing is do a Knowledge Base search on Exchange 5.5 and OWA, and maybe something like firewall or ports as some of the keywords. But specifically as far as securing, again that goes back to the individual environments and how the environments are set up.
Jason: Great. Next question, I notice that when my users access the Web-based Outlook using a Mac, this comprises about one percent of my users, they're able to view public folders by default, whereas my PC users are not. Are there any known issues with that?
Brad: We recently had some known issues with Exchange 2000 without Service Pack 1, where there were some problems with accessing public folders. But that's something that I wasn't aware of as far as the difference between the Macintosh connecting. The only thing I can think of is if it was without Service Pack 1, we did have a couple of issues with that. So if it's running Exchange 2000, just release to the individual shells, or however you want to refer to the initial release of Exchange 2000. There were some problems with access to public folders, but we actually corrected that problem with Service Pack 1.
Jason: Okay. Next question, If using SSL, what virtual directory should be set, to allow just basic authentication?
Brad: If you're going to set up Exchange with SSL, you would just want to just go ahead and add that certificate to the default Web site, and then set the Exchange virtual directory to basic. And, of course, if you want to secure your public folder access, you would do the same thing on the public virtual directory.
Jason: Okay. Can you set up IIS to use exchange.myserver.com instead of myserver.com/exchange?
Brad: Yes, you can actually use a generic IIS refresh or redirector to change how you want to access that. But there are actually some Knowledge Base articles about that as well.
Jason: Okay. How can you remove the domain parameter from the logon screen from Outlook Web Access? You might have already mentioned this.
Brad: Yes, I can summarize it again one more time, Jason, that's no problem. Whenever we get to a dialog prompt that has the three-level dialog box (with user name, password, and domain), that specifically means that we're accessing that computer using Windows integrated authentication. What you'd want to do was actually use basic authentication, and in that way you'll get the user name and password field.
Jason: Is there any problem with creating multiple host names for the Exchange 2000 server?
Brad: Not that I'm aware of. We might want to elaborate on the question, but by default whenever we actually install a Windows 2000 server we're only going to have the one host name.
Jason: Okay. What are the RFCs that discuss secure POPs and IMAPs ports?
Brad: Jason, I wish I knew those off the top of my head, but I just haven't committed some of those RFCs to memory. We could probably find out if we get that question originator's e-mail address and get it to him.
Jason: Great. We'll follow up with you by e-mail. And for others that want to know, it will be in the transcript, which will be available in about three weeks. You'll be able to find it on the site.
Follow-up answer: RFC Specific to IMAP4 and POP3 can be found at http://www.rfc-editor.org/cgi-bin/rfcsearch.pl/ and the one that addresses security is RFC2595, http://www.microsoft.com/technet/prodtechnol/exchange/reskit/ex00res/resguide/appendb.asp.
I have one question that was actually sent to me concerning the Support WebCast page. The correct URL is http://support.microsoft.com/webcasts/.
Okay, moving right along. We do have quite a few questions in the queue.
Why are the minimum requirements for a two-node cluster, seven IP addresses and five NetBIOS names?
Brad: I really can't answer that one, Jason. That's a good question, but I think that's specifically a question about Exchange 2000 requirements rather than OWA.
Jason: Okay. Does Outlook Web Access for Exchange 2000 have a way to actually redirect the client traffic to a more localized front-end server or front-end server cluster? Can I have a front-end cluster in the center of the U.S. to maintain a single company namespace, and then have the client traffic directed to a more local front-end server?
Brad: Not that I'm aware of, Jason, because the front-end server is actually going to proxy that request to the back-end server. We're not actually going to go from front-end to front-end to front-end to back-end. Traffic will be going to the front-end server and then to the back-end server.
Jason: Okay. Next question, Is Outlook Web Access designed to be a stand-alone Web app, or could a developer extend Outlook Web Access functionality?
Brad: You can actually do some development aspects against the Exchange 2000 server. It's not as easy as it was with Exchange 5.5 where we were doing Active Server Pages. But there are some extensibilities that you can actually use by using the URL addresses to the different components within mailboxes. But for more information on that, I'd take a look at MSDN® underneath Exchange 2000 Server.
Jason: Okay. Next question, What are the client licensing requirements for Outlook Web Access?
Brad: That's something that's probably not underneath this actual WebCast. But if I'm not mistaken, and this is something that we can check on, but it's similar to the client access license used for a regular connection to the Exchange 2000 server, whether that would be an Outlook 2000 client or a Web client.
Jason: Okay. Can only Outlook Web Access 2000 be installed and still talk to Exchange 5.5?
Brad: Well, with Exchange 2000 it's actually not a component that can be installed as stand alone like it was in 5.5. So if you install Exchange 2000, you get the Web client basis. And you would have to go through the regular deployment for Exchange 2000 in an existing Exchange 5.5 environment, which is kind of beyond the scope of this WebCast.
Jason: How do you recommend that an Outlook Web Access client logs out?
Brad: There's not actually a Logoff button on Exchange 2000 Web client like there was on 5.5. So if you just go ahead and make sure you close out of the browser, that'll be fine.
Jason: Okay, great. What is the best way to redirect HTTP or HTTPS for Exchange 5.5 or Exchange 2000, without port 80 open on the firewall?
Brad: That's a pretty good question, Jason, but if we're going to do an HTTP request, we're going to have to do it through either the standard port 80 or 443 over SSL.
Jason: Okay. Can Outlook Web Access be used with Apache or Netscape, or is it only usable with IIS?
Brad: It's only available with IIS 5.0 on Windows 2000.
Jason: Okay, great. Next question, If the user keeps Outlook Web Access open, how often will it tell them of new mail? Do they have to do a refresh before they know new mail has arrived, or is it automatic?
Brad: It's actually something that they're going to have to do a refresh on, and that's something that we're taking into consideration, looking into for the next releases of Exchange 2000. They haven't actually done anything "set in stone" yet, but that is something that we are aware of. But if you want to get new mail notification, you're actually going to have to go up and do the "send and receive" or switch between folders.
Jason: Okay. When I use Outlook Web Access I don't get my e-mail and calendar. How do I troubleshoot what is wrong?
Brad: That's probably something that that customer would want to submit a Web incident or call in to Product Support Services specifically on that issue.
Jason: Okay. Can you view subfolders in your primary contacts folder in Outlook Web Access 2000?
Brad: I don't think you really can on that one, Jason. I think we're still limited to that top-level Contact folder.
Jason: Okay. Next question, Can you explain in more detail the pros and cons of a front-end server outside or inside a firewall?
Brad: I think the difference between the pros and cons is the location and what you would have to have exposed to the open net or the Internet. Whether you wanted to have just the external interface on the firewall exposed or the front-end server. But again, it all goes back to whatever security policies and security considerations that the companies have already in place. It's where they'll need to decide whether they want to deploy it on the inside of the internal firewall or the outside of the firewall. Again, a lot of those advantages and disadvantages are in the Exchange 2000 front-end and back-end topology white paper.
Jason: Okay. If we want to configure our clustered Exchange 2000 server for SSL, would we have to purchase a certificate for each server?
Brad: That's a pretty good question on that one, Jason. I think VeriSign and the other certificate vendors actually require it to be on a specific host name or a server name. So that would be something that you would probably want to, but if you'll get the e-mail address of that customer we can actually find that out for them.
Follow-up answer: The SSL certificate is going to be based off the common name, so if you are asking about using the certificate to connect to each node, then yes, you would need one certificate per node. If you want to connect to only the virtual server, then you would only need the one certificate.
Jason: Okay. Will one Outlook Web Access server be able to serve multiple Exchange 2000 sites under the same organization?
Brad: It really depends on the load that's being placed on those different ones. As far as scenarios like that, you would want to contact a support professional to take a look at that, or even take a look (as an advisory case) at the environment there.
Jason: Okay, great. I want to take another moment to solicit some feedback. We would like to know what you think of today's WebCast, and what you think of the topic as well as the presentation itself, and if you have any feedback or ideas about future WebCasts. You can send us e-mail at feedback@microsoft.com, and make sure you put "Support WebCasts" in the subject line.
A lot of these questions are product support issues, and we aren't able to discuss those during the WebCast. It's really outside the scope of what we can handle.
Where do you configure authentication type on the Exchange server?
Brad: The best place to do it, and if you can do it, is actually through the Exchange System Manager. What you'll want to do is expand your server's portion of the Exchange System Manager, and then underneath there you'll see your HTTP Protocol settings. What you can do is right-click the Exchange virtual directory or the public virtual directory and change your authentication method there.
Jason: Is it possible to use Outlook Web Access to access Outlook team folders?
Brad: As long as it's a public folder or some type of that nature you should be able to access it. But if it's the team folders that I think you're asking the question about it's actually not going to have the same functionality as it does through the Outlook 2000 or 2002 client. The reason that is, is because those Outlook clients are actually using individual organizational forms to do some of the different views that you're seeing there, which Outlook Web Access just doesn't have access to. So I hope that answered the question as it was asked, Jason.
Jason: Okay. If that question wasn't answered correctly, you can always send another message in and get it clarified.
Is there any published information about troubleshooting Outlook Web Access for Exchange 2000?
Brad: Most of the information that you'll want to look at, as far as troubleshooting Exchange 2000, is going to be up on the newly redesigned Exchange 2000 Web site, which is at http://www.microsoft.com/exchange/. And then what you'll want to do is look at your menu system, which is on the left-hand side for the Technical Resources link. That's going to be where a lot of the information is going to be found as far as troubleshooting Exchange 2000 and OWA in general.
Jason: Okay. Are there any user guides or books for staff using the Outlook Web Access client? Is there anything besides the online help?
Brad: Not that I'm aware of, but that'd be a great idea for someone to write something like that.
Jason: We are coming down to our last few questions. What limitations, if any, are there using Outlook Web Access via Pocket PCs, Pocket Internet Explorer?
Brad: That's a pretty good question. From the shops that I've seen, and from some of the engineers here, it looks like a lot more robust capability than the Exchange 5.5 OWA. I'm not specifically aware of any limitations on that other than the smaller size of the actual Internet Explorer Window there.
Jason: Someone's asking a question, When I'm at a public kiosk accessing Outlook Web Access, and I can't close the browser, is there another way to log off from Outlook Web Access 2000?
Brad: There's actually not, other than closing that browser, and that's a topic that we've seen in discussion before. In an environment such as that, you would actually want to put some type of other, maybe a customized filter or something of that nature. But as far as Exchange 2000, the only way to actually log off of the Web client in Exchange 2000 or Exchange 2000 SP1, is actually closing that browser.
Jason: Okay. Great. We may have already gotten this question before. Is it possible to set up Exchange to spool to a remote Exchange Server? If so, how would you set this up so the default spool period outgoing delivery settings were different for that domain?
Brad: Yes, I definitely think we had that question before, and in that circumstance I think they might be asking the question as far as outbound SMTP delivery, and that's something that is specifically not in the OWA WebCast. But you can always submit an incident request on the Microsoft Web site or call into the Product Support Services.
Jason: Okay. Can you publish Outlook Web Access through the ISA firewall?
Brad: Yes, you sure can. That does entail a little bit more as far as creating your destination set and your Web publishing roles. The best way to get that answered is go up to the Knowledge Base search and just do a search for ISA and OWA, or ISA and Exchange 2000.
Jason: Okay. What script mappings are required for Outlook Web Access 2000, and for Exchange 5.5 if possible?
Brad: If this question is based off of the problem that we just saw with the security patch, I don't know the name of the DLLs by heart (as far as what the script mappings are detailed). But if you'll get the e-mail address of that one, Jason, I can definitely send the script mappings that we'll need on the Exchange virtual directories as well as if we're using instant messaging or something of that nature, I can get the script mappings for those virtual directories as well.
Follow-up answer: The script mappings that are needed for Outlook Web Access for Exchange 2000 are the following:
"*,C:\Program Files\Exchsrvr\bin\davex.dll,1"
In Exchange 5.5, we need to make sure that we have the script map for ASP and .htr if you would like to change passwords.
".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST"
Jason: Okay, great. We did just clear the queue of all the questions. Again, we would like your feedback on these WebCasts. Let us know what you'd like to see covered. Obviously there were a lot of questions about Exchange 5.5 and configuring Exchange, which is really outside the scope of Outlook Web Access, though it's certainly related. So send that feedback in, because we do pass it on to the folks internally, and that determines what our future WebCasts are going to be.
We've got a few questions to follow up on, and it looks like we have not gotten any more questions into the queue. So we're going to go ahead and wrap up the session for today.
I want to thank all of you for joining us today. I hope we covered everything and gave you some good information. We are very interested in your feedback, again please send it to that e-mail alias, feedback@microsoft.com. If you use that alias, again please include "Support WebCasts" in the subject line.
We hope you join us again in the near future. Thanks, and goodbye.