Chapter 5
Solutions in this chapter:
■ Managing the Exchange 2007 Client Access Server
■ The AutoDiscover Service
■ The Availability Service
■ Client Access Servers and the SSL Certificate Dilemma
■ Managing Outlook Anywhere
■ Managing Outlook Web Access 2007
■ Managing Exchange ActiveSync
■ Managing POP3/IMAP4
☑ Summary
☑ Solutions Fast Track
☑ Frequently Asked Questions
Managing the Client Access Server
The Client Access Server (CAS) replaces the front-end server we all know from Exchange 2000 and 2003 and adds some additional functionality. The CAS provides mailbox access for all types of Exchange clients except Outlook MAPI clients, which, as most of you are aware, connect directly to the Mailbox Server on which the respective mailbox is stored. This means the CAS manages access for any user who opens their mailbox using Outlook Anywhere (formerly known as RPC over HTTP), Outlook Web Access (OWA), Exchange ActiveSync (EAS), POP3, and last but not least, IMAP4.
In addition to providing client access, the CAS is responsible for supplying access to things such as automatic profile configuration, free/busy information, Out of Office (OOF) messages, the Offline Address Book (OAB), and Unified Messaging (UM), but only for Outlook 2007 and Outlook Web Access 2007. Only these two client versions can take advantage of the new Web-based Exchange services known as the AutoDiscover and Availability services. Legacy clients such as Outlook 2003 and earlier cannot use these two new Exchange Web services.
After reading this chapter, you should have a good understanding of how to manage the feature set on the CAS, both at the server level and organization-wide.
Managing the Exchange 2007 Client Access Server
The Client Access Server should always be deployed on a domain-member server on the internal network, and not in the DMZ, even though many considered the DMZ a security best practice for front-end servers in Exchange 2000 and 2003. This is true for several reasons. One is the fact that CAS servers communicate with Mailbox Servers using RPC traffic; to make this work from the DMZ, several ports would have to be opened into your network through your intranet firewall. This is not a best practice, since it makes it easier for an intruder to gain access to your Active Directory (especially since it is RPC-specific ports that must be opened!). In addition, a domain-member server has too many access rights to the other domain-member servers on the internal network, which is a further reason it does not belong in your DMZ.
Instead, it is highly recommended that you publish the CAS using an Internet Security and Acceleration (ISA) Server (ISA Server 2006 is preferred) in your perimeter network. This makes it possible to have your users pre-authenticated on the ISA Server before they actually reach the internal network.
A typical CAS scenario following security best practices is shown in Figure 5.1.
If you plan to split your Exchange 2007 Server roles onto different servers, bear in mind that the CAS is the first server role you should deploy. In addition, at least one CAS is required in each site in which a Mailbox Server has been deployed.
The AutoDiscover Service
Several features in Exchange Server 2007 are based on Exchange Web services. One of these services is known as the AutoDiscover service. As most of you are aware, few end users know how to configure an Outlook profile; this is where the AutoDiscover service shines, simplifying Outlook client deployment by creating an automatic connection between the Exchange Server and Outlook 2007 clients.
No longer are special scripts, complex user intervention, or tools such as the Custom Installation Wizard from the Office Resource Kit needed. Before Outlook 2007 and Exchange Server 2007, information such as the name of the Exchange server and the user account and password was all required when configuring an Outlook profile. With the advent of the AutoDiscover service, all you need to enter is the e-mail address and password, and the AutoDiscover service will do the rest, automatically discovering and configuring the client's home mailbox server information. Entering a username and password, however, is only required when you are configuring clients not logged on to the Active Directory domain. If you're configuring an Outlook 2007 profile on a machine logged on to the Active Directory domain, AutoDiscover will fetch the domain information from the account you are logged on with, meaning you only have to click Next a few times to configure your Outlook 2007 profile.
Other features provided via the AutoDiscover service are the Offline Address Books (OABs), Unified Messaging (UM) information, and Outlook Anywhere settings.
Figure 5.1 A Typical Client Access Server Scenario
As similar services did in previous versions of Outlook and Exchange, the AutoDiscover service will automatically update an Outlook profile should a user's mailbox be moved to another server in the organization.
You can read more about the new AutoDiscover service, and how to configure Outlook 2007 using this Exchange Web service, in the following article at MSExchange.org:
http://www.msexchange.org/tutorials/Uncovering-New-Outlook-2007-Discover-Service.html
It's not only Outlook 2007 that can take advantage of the new Web-based AutoDiscover service; Windows Mobile devices running the next versions of Windows Mobile (codenamed Crossbow [5.2] and Photon [6.0], and at the time of this writing still in beta) can also be provisioned automatically using this service.
When the Client Access Server role is installed on an Exchange 2007 Server, a virtual IIS directory named AutoDiscover is created under the Default Web Site, as shown in Figure 5.2.
Figure 5.2 AutoDiscover Virtual Directory in IIS Manager
When you open an Outlook 2007 client, this is the virtual directory it connects to in order to download any necessary information.
In addition to this virtual directory, a new object named the service connection point (SCP) is also created in Active Directory. The SCP object contains the authoritative list of AutoDiscover service URLs in the forest, and can be updated using the Set-ClientAccessServer cmdlet.
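The following is an added example, not code from the book, showing how an administrator can inspect and set the SCP-published AutoDiscover URL and then verify, independently of the Exchange cmdlets, which SCP objects actually exist in the Configuration partition (the lookup a domain-joined Outlook 2007 client performs). The server name CAS01 and the corp.example URLs are constructed lab values; the keywords GUID is the well-known AutoDiscover SCP marker documented by Microsoft. Steps 1 and 2 run in the Exchange Management Shell; step 3 only needs a domain-joined machine.

```powershell
# Added example (not from the book). Constructed names: CAS01, *.corp.example.

# 1. The AutoDiscover URL each CAS publishes in its SCP object, and the sites it serves
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope

# 2. Set the URL on one CAS. The host name must appear on the server's certificate,
#    otherwise every internal Outlook 2007 client gets a certificate warning.
Set-ClientAccessServer -Identity "CAS01" `
    -AutoDiscoverServiceInternalUri "https://cas01.corp.example/Autodiscover/Autodiscover.xml"

# 3. Read the SCP objects straight from Active Directory, bypassing Exchange entirely.
#    The keywords value is the AutoDiscover SCP marker GUID published by Microsoft.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
$searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))"
[void]$searcher.PropertiesToLoad.AddRange(@("name", "servicebindinginformation"))

foreach ($result in $searcher.FindAll()) {
    # serviceBindingInformation holds the URL the client will connect to in step 3 of Figure 5.3
    $url = $result.Properties["servicebindinginformation"][0]
    # Every entry should be an HTTPS URL on a CAS you recognise; anything else is worth
    # investigating, since every domain-joined Outlook 2007 client trusts this list
    $flag = if ($url -like "https://*") { "ok" } else { "CHECK" }
    "{0,-6} {1,-20} {2}" -f $flag, $result.Properties["name"][0], $url
}
```

Compare the list produced by step 3 with the output of Get-ClientAccessServer: the two should agree on both server names and URLs, and a decommissioned CAS that still has an SCP entry will show up here long before a user reports a broken profile.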
Figure 5.3 illustrates what happens when Outlook 2007 connects to an Exchange 2007 server.
Figure 5.3 The AutoDiscover Service Process from an Internal Outlook Client
[Diagram components: Outlook 2007, Domain Controller, Mail Server, Client Access Server]
1. Outlook 2007 queries the service connection point (SCP).
2. The AutoDiscover service URL is returned.
3. Outlook 2007 connects using HTTPS.
4. The AutoDiscover service returns the addresses of the available services (F/B, OAB, UM, OOF).
To see the URLs to each of these services in Outlook, hold down the Ctrl key and right-click the Outlook icon in the system tray, then choose Test E-mail AutoConfiguration from the context menu. In the Test E-mail AutoConfiguration window, enter your e-mail address and password and make sure only Use AutoDiscover is ticked. Then click Test. Outlook will now test each of the services provided by the AutoDiscover service and list the URLs it finds, as well as any issues or errors for each.
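As an added example (not from the book), the following shows what steps 3 and 4 of Figure 5.3 exchange on the wire and reproduces the check that Test E-mail AutoConfiguration performs when it lists URLs and issues: the request body Outlook 2007 POSTs to Autodiscover.xml, a parser for the response, and a pass over the returned service URLs that flags anything not served over HTTPS. The request and response schema URIs are Microsoft's; the mailbox address, host names and the sample response are constructed, including a deliberately plain-HTTP UM URL so the check has something to report.

```powershell
# Added example (not from the book). Constructed values: user@corp.example, cas01/mbx01/mail.corp.example.

function New-AutoDiscoverRequest {
    param([string]$EmailAddress)
    # Outlook 2007 request schema; the CAS answers in the 2006a response schema
    return @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
}

function Get-AutoDiscoverServiceUrls {
    param([xml]$Response)
    # PowerShell's dot navigation matches on local names, so the response namespace needs no prefix
    $exch = $Response.Autodiscover.Response.Account.Protocol | Where-Object { $_.Type -eq "EXCH" }
    if (-not $exch) { throw "Response contains no EXCH protocol block (step 4 of Figure 5.3 failed)" }
    New-Object PSObject -Property @{
        MailboxServer = $exch.Server    # home Mailbox Server the profile will point at
        FreeBusy      = $exch.ASUrl     # Availability service (F/B)
        OAB           = $exch.OABUrl    # Offline Address Book download
        OOF           = $exch.OOFUrl    # Out of Office settings
        UM            = $exch.UMUrl     # Unified Messaging
    }
}

function Test-ServiceUrls {
    param($Urls)
    # Mirrors the "issues or errors" list Test E-mail AutoConfiguration shows: anything the
    # CAS hands back that is empty or not HTTPS would be used by the client unencrypted
    foreach ($p in $Urls.PSObject.Properties) {
        if ($p.Name -eq "MailboxServer") { continue }
        if (-not $p.Value)                  { Write-Warning "$($p.Name): no URL returned" }
        elseif ($p.Value -notlike "https://*") { Write-Warning "$($p.Name): not HTTPS ($($p.Value))" }
    }
}

# Constructed sample: what a CAS would return for the request above (step 4 of Figure 5.3)
$sampleResponse = [xml]@"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User><DisplayName>Lab User</DisplayName></User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>mbx01.corp.example</Server>
        <ASUrl>https://cas01.corp.example/EWS/Exchange.asmx</ASUrl>
        <OABUrl>https://cas01.corp.example/OAB/</OABUrl>
        <OOFUrl>https://cas01.corp.example/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>http://cas01.corp.example/UnifiedMessaging/Service.asmx</UMUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.corp.example</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"@

New-AutoDiscoverRequest -EmailAddress "user@corp.example"
$urls = Get-AutoDiscoverServiceUrls -Response $sampleResponse
$urls | Format-List MailboxServer, FreeBusy, OAB, OOF, UM
Test-ServiceUrls -Urls $urls    # warns about the UM URL in the constructed sample
```

The EXPR block carries the Outlook Anywhere settings mentioned earlier in this section (proxy host, SSL requirement and authentication package); the book returns to those in the Outlook Anywhere section.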
The Availability Service
Just like the AutoDiscover service, the Availability service is an Exchange Web service, which is installed by default when deploying the Client Access Server role on an Exchange 2007 server. The purpose of the Availability service is to provide secure, consistent, and up-to-date (that is, real-time!) free/busy data to clients using this service. Since only Outlook 2007 and OWA 2007 can take advantage of this new service, legacy clients (Outlook 2003 and earlier, as well as OWA 2003) still depend on a Public Folder database containing the SCHEDULE+ FREE/BUSY system folder. Because only Outlook 2007 and OWA 2007 can use the Availability service to obtain free/busy information, it's important that Exchange 2007 be able to interoperate with legacy systems, too. Table 5.1 shows how free/busy data is obtained based on which client version is used and on the version of Exchange Server on which the source and target mailboxes reside.