with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
2000 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, MS, Windows, Windows NT, Active Directory directory service, ActiveX, BackOffice, FrontPage, Hotmail, MSN, Outlook, PowerPoint, SQL Server, Visual Studios, and Win32, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead: David Phillips
Instructional Designers: Lance Morrison (Wasser), Janet Sheperdigian, Steve Thues
Lead Program Manager: Mark Adcock
Program Manager: Lyle Curry, Scott Hay, Janice Howd, Steve Schwartz (Implement.Com), Bill Wade (Wadeware LLC)
Graphic Artist: Kimberly Jackson, Andrea Heuston (Artitudes Layout and Design)
Editing Manager: Lynette Skinner
Editor: Elizabeth Reese (Write Stuff)
Copy Editor: Ed Casper (S&T Consulting), Carolyn Emory (S&T Consulting), Patricia Neff (S&T Consulting), Noelle Robertson (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aquent Partners)
Online Support: Eric Brandt
Multimedia Developer: Kelly Renner (Entex)
Compact Disc Testing: Data Dimensions, Inc
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Bo Galford
Manufacturing Support: Rick Terek
Lead Product Manager, Development Services:
Lead Product Manager: David Bramble
Group Product Manager: Robert Stewart
This module provides students with a description of Microsoft® Outlook® Web Access features that are new to Microsoft Exchange 2000. Students will examine the components of Outlook Web Access and learn how they work together to process client requests. They will plan an Outlook Web Access deployment and explore the considerations for configuring virtual servers and directories. Finally, the module will explain how to use custom Web applications to extend Outlook Web Access. At the end of this module, students will be able to deploy Outlook Web Access.
Materials and Preparation
This section provides you with the required materials and preparation tasks that are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1569A_12.ppt
Preparation Tasks
To prepare for this module, you should:
• Read all the materials for this module.
• Complete the lab.
Use the following strategy to present this module:
• Introduction to Microsoft Outlook Web Access. This section focuses on the primary features and limitations of Outlook Web Access, and outlines the clients that Outlook Web Access supports.
• Outlook Web Access Architecture. Begin by introducing the Web-DAV technology and then explain how Outlook Web Access uses HTTP and Web-DAV to communicate between clients and the server. Next, use the graphic in the slide to describe the Outlook Web Access Server components. Use the next slide to explain what happens when a user logs on to their mailbox, and then explain how Outlook Web Access opens and displays an e-mail message. Conclude this section by discussing client authentication methods and front-end/back-end server authentication methods.
• Outlook Web Access Deployment. After explaining how to enable Web access for a user, compare the two typical locations for firewalls when securing Outlook Web Access, and then discuss Kiosk Operation and POP3/IMAP4 integration issues. Conclude this section by describing how to use System Monitor and how to increase system capacity by scaling front-end servers and planning back-end server capacity.
• Extending Outlook Web Access. Conclude this module by discussing how to extend Outlook Web Access functionality.
At the end of this module, you will be able to:
• Describe the features of Microsoft Outlook® Web Access that are new to Microsoft Exchange 2000.
• List Outlook Web Access components and describe how they process client requests.
• Plan an Outlook Web Access deployment.
• Extend Outlook Web Access in a custom Web application.
For UNIX users connecting to a computer running Exchange 2000, Outlook Web Access is the primary Outlook solution for e-mail, calendar, and collaboration functionality.
• Supporting messages that contain embedded items (messages, appointments, contacts, and so on) and Microsoft ActiveX® objects. Outlook Web Access renders and displays an ActiveX object, such as an image control, when a message containing the object is opened.
• Supporting public folders that contain contact and calendar items.
• Supporting multimedia messages. Outlook Web Access enables you to easily add audio and video clips directly into a message and send it with the clips.
• Using named URLs to reference items. While previous versions of Outlook Web Access used globally unique identifiers (GUIDs) to reference items in the information store, items (messages, folders, and so on) are now accessed using a plain text address, such as http://server/exchange/mailbox/inbox.
• Supporting Microsoft Internet Explorer 5. Internet Explorer 5 users benefit from an interface that is similar to Outlook. Outlook Web Access is also more efficient for Internet Explorer 5 users because it does not require that every mouse click in the interface communicate to the Outlook Web Access server, as it does with other clients.
Outlook Web Access is not designed to satisfy advanced e-mail and collaboration requirements that the other products in the Outlook client family addressed. Outlook Web Access is not intended to replace the full-featured Outlook messaging client for the 16-bit Windows operating system or Macintosh. Outlook Web Access does not include advanced features for:
• Offline use. Offline access is not supported. A user must connect to an Exchange server to view information.
• E-mail. Outlook Web Access does not support Exchange Server digital encryption, signature support, and S/MIME support. Outlook Web Access also does not include replied and forwarded flags in list view, message flags and inbox rules, three-pane view, search for messages, and WordMail and Microsoft Office integration.
• Calendar and group scheduling. Outlook Web Access does not support displays of discontinuous days side by side, appointment list views, view details with free and busy, track acceptance of meeting attendees, all-day or multiple-day events, task lists and task management, and export to devices such as DataLink watches.
• Collaboration applications. Outlook Web Access does not support Outlook 97 forms and Microsoft Exchange Server digital encryption and signatures. Outlook Web Access does not synchronize local offline folders with server folders.
of Outlook. Internet Explorer 5 users can drag and drop messages between folders and use a folder tree to open and create new folders. When creating a message, Internet Explorer 5 users can use rich-text editing features to add formatting to the text.
Other Browsers
You can also use Outlook Web Access with browsers that minimally support HTML 3.2 and European Computer Manufacturer Association (ECMA) compliant JavaScript. Outlook Web Access functions by minimizing the client side use of script with the objective of obtaining as broad a reach as possible with maximum performance. The specific browsers that Outlook Web Access supports include Internet Explorer 3.x and 4.x, and Netscape Navigator 3.x and later running on operating systems such as Apple Macintosh, Microsoft Windows 3.x, Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT, and UNIX.
Internet Explorer 5 clients use an extended version of HTTP known as Web-DAV. Web-DAV makes the Web a collaborative, writable medium. Prior to Web-DAV, users mainly downloaded data to review on their local computer.
Features
Web-DAV provides the following features:
• Overwrite protection (file locking). Web-DAV makes it possible for Web users to write, edit, and save shared documents without overwriting another person’s work, regardless of which software program or Internet service they are using. Overwrite prevention is the key to the collaboration support in Web-DAV.
• Namespace management. Namespace management capabilities enable users to conveniently manage Internet files and directories, including the ability to move and copy files. The process is similar to the way word-processing files and directories are managed on a regular computer.
• Property (metadata) access. The properties feature in Web-DAV is an efficient means of storing and retrieving what is known as “metadata”: information about a Web document, such as the author's name, copyright, publication date, and keywords. Internet search engines use metadata to find and retrieve relevant documents.
More information on Web-DAV can be found at http://www.webdav.org. Web-DAV is defined in Request for Comments (RFC) 2518.
Web Folders provide another way to use Web-DAV to access data in Exchange. Web Folders are designed to enable you to access a Web server in the same way you access a file server, and Exchange 2000 also allows you to access directories and items in the information store just like a file server. You can use applications like Windows Explorer or Office 2000 to manage the data in the Web Folder.
Web Folders are built into Windows 2000 and are added to Windows NT version 4.0 and Windows 98 systems when a full installation of Internet Explorer 5 is performed or Office 2000 is installed. You can configure a Web Folder by adding a network place in My Network Places in Windows 2000 or in the My Computer – Web Folders section on Windows NT 4.0 and Windows 98.
Client requests to a Web Folder are handled in a similar manner as Web-DAV requests from an Internet Explorer 5 client. The primary difference is that Exchange 2000 returns Web pages to browser clients while other clients must render the data returned from Web-DAV themselves.
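What a non-browser Web-DAV client has to do for itself, shown as an added Python example that is not part of the original courseware: it builds an RFC 2518 PROPFIND body for the properties it wants and interprets the 207 Multi-Status reply. The reply text is constructed for illustration and reuses the http://server/exchange/mailbox/inbox address form from this module; the function names are assumptions.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"                      # RFC 2518 places every element in the "DAV:" namespace
ET.register_namespace("D", "DAV:")  # emit the conventional D: prefix when serializing

def build_propfind(names):
    """Return the XML body of a PROPFIND request asking for the named DAV properties."""
    root = ET.Element(DAV + "propfind")
    prop = ET.SubElement(root, DAV + "prop")
    for name in names:
        ET.SubElement(prop, DAV + name)
    return ET.tostring(root, encoding="unicode")

def parse_multistatus(xml_text):
    """Map each href in a 207 Multi-Status body to the properties returned with status 200."""
    found = {}
    for response in ET.fromstring(xml_text).iter(DAV + "response"):
        href = response.findtext(DAV + "href", "").strip()
        props = found.setdefault(href, {})
        for propstat in response.findall(DAV + "propstat"):
            status = propstat.findtext(DAV + "status", "")
            prop = propstat.find(DAV + "prop")
            # Properties the server could not return arrive in a separate
            # propstat with a non-200 status (for example 404); skip those.
            if prop is None or " 200 " not in status + " ":
                continue
            for element in prop:
                props[element.tag.replace(DAV, "", 1)] = (element.text or "").strip()
    return found

# Constructed sample reply; host, mailbox and values are illustrative only.
SAMPLE_REPLY = """<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>http://server/exchange/mailbox/inbox/</D:href>
    <D:propstat>
      <D:prop>
        <D:displayname>Inbox</D:displayname>
        <D:creationdate>2000-06-01T08:00:00Z</D:creationdate>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
    <D:propstat>
      <D:prop><D:getcontentlength/></D:prop>
      <D:status>HTTP/1.1 404 Not Found</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>"""

if __name__ == "__main__":
    print(build_propfind(["displayname", "creationdate", "getcontentlength"]))
    print(parse_multistatus(SAMPLE_REPLY))
```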
[Figure: Internet Explorer 5 / Other Browsers; Internet or Intranet; HTTP / WebDAV; Outlook Web Access Server (http://server/exchange); Store]
Outlook Web Access uses HTTP and Web-DAV to communicate between client browsers and the Outlook Web Access server. In large sites, user mailboxes can be placed on multiple back-end servers that are referenced by one or more front-end servers. Multiple server architecture provides additional scalability and a single namespace for the back-end servers.
Accessing a Server
When using a typical client, such as Outlook, the user interacts directly with the Exchange server. However, with Outlook Web Access, the user interacts with the IIS (Internet Information Services) Web service from their browser. The browser communicates with the server using HTTP and Web-DAV.
When IIS receives a client request for an item in a virtual directory mapped to the Exchange Server information store, IIS transfers the request to an Exchange Internet Services Application Programming Interface (ISAPI) application that communicates with the Exchange Server information store. The information store returns the requested data and the ISAPI application renders it into the appropriate HTML for the client’s browser.
In addition to HTML, Outlook Web Access sends additional data to Internet Explorer 5 clients by using XML. Using XML enables the client to increase processing performance while sending fewer requests to the server.
In a scaled or distributed environment, one or more front-end servers process a client’s requests and route them to the back-end server that contains the client user’s mailbox.
[Figure: Windows 2000 Network; IIS; HTTP Request; NTFS; Exchange Virtual Directory; IIS Virtual Directory]
The Outlook Web Access server functions as a proxy for all message traffic by using Web browsers to access data on a computer running Exchange. Client requests are received by the IIS 5.0 Web service and passed to the Outlook Web Access ISAPI application for processing. If the server contains the Exchange 2000 database, Outlook Web Access uses a high-speed channel to access the store. If the server is a front-end server, Outlook Web Access proxies the request to a back-end server that is using HTTP.
Unlike Exchange Server 5.5, IIS is a required component of Exchange 2000 and is automatically installed on every computer running Exchange 2000.
If the client is using Internet Explorer 5, Outlook Web Access uses the DHTML feature of Internet Explorer to perform more of the rendering on the client, which improves server performance. By using DHTML behaviors, Outlook Web Access can encapsulate commonly used HTML and script and download it only once to the client. For all other clients, such as Internet Explorer 4.x and Netscape Navigator, most of the rendering is performed on the server with a small amount of JavaScript being sent to the client.
[Figure: Web Browser; Outlook Web Access Server; Active Directory-based Domain Controller; URL http://Outlook Web Access servername/exchange; numbered steps]
Outlook Web Access uses logon credentials to automatically open a mailbox. The Outlook Web Access server can also use the URL to specify the mailbox to open (http://Outlook Web Access Servername/exchange/mailbox name).
The following steps describe the flow of information when a user logs on to their mailbox and views the Inbox:
1. The user requests the Exchange 2000 mailbox by specifying the following URL in their browser:
http://Outlook Web Access Servername/exchange/mailbox
2. The user is authenticated by the IIS Web server, which determines a user’s Windows 2000 account.
3. The mailbox location for the user is queried from Active Directory™
(\exchange\mailbox name) in the right-hand frame
In Exchange Server 5.5, Outlook Web Access used a separate logon page for users, which asked the user for the name of the mailbox to which they wanted to connect.
[Figure: Web Browser; HTTP / WebDAV; IIS; Exchange ISAPI (DavEx); Request Renderer; IIS-Forms Registry; Default Templates; High Speed Exchange Interface; ExOleDB Component; Outlook Web Access Server-Side Component; DSACCES; Active Directory; Exchange; Store]
The following process describes how Outlook Web Access opens and displays an e-mail message. This process also applies to other Outlook Web Access operations, such as opening and displaying a folder.
1. Browser: Request For E-mail Message Sent
You can access a message from the browser by:
• Clicking on the message in a folder contents view
• Typing the URL to the message into the Address field of the browser and pressing ENTER
• Choosing a browser favorite item that points to a message
For all of these methods, the browser issues a GET request for a URL that looks like this:
http://server/vroot/user/folder/message.eml
Because this URL does not have any query strings, the server will return a rendering of this resource based on its Message-Class and the default action configured for this class.
When IIS receives the request, IIS passes the request to the Exchange ISAPI component DavEx.dll. This component parses the request for the following information and then sends the request to the Exchange store.
• HTTP User-Agent Field header: Determine the browser type, version, operating system, and how the content should be rendered.
• HTTP Accept-Language header: Determine the language for the rendered content.
• HTTP Translate header: Determine if the content should be rendered for a browser or returned without rendering to a Web-DAV application such
4. IIS Web Server: Exchange ISAPI Selects the Form
The Exchange ISAPI application takes these object attributes and looks for a form definition in the Forms Registry that matches the object’s type. If the Exchange ISAPI application cannot find a matching form definition, it uses a default form stored in Wmtemplates.dll. If the browser language is not English, language specific strings are loaded from other template libraries in the \Exchsrvr\Res\ directory.
5. Information Store: Information Store Retrieves Data for The Form
After a form definition is found, the Exchange ISAPI application parses the form, and notifies the information store to retrieve the data it references.
conforms to the HTML 3.2 standard. Internet Explorer 5 and later browsers will receive dynamic HTML, which means different elements will respond to user clicks and not require communication with the server.
Outlook Web Access uses a frameset consisting of two frames, the navigation bar or Outlook Bar and the contents, or viewer frame. When a message is opened, it opens in the viewer frame. The client now has a rendering of the message in the viewer frame.
[Figure: Client; Request; IIS Server; Verification of Client Credentials; Domain Controller]
Before the IIS Web server enables Outlook Web Access users to access resources on the server, the IIS Web server verifies the user’s credentials by passing the user information to a domain controller for authentication.
The following table describes the authentication methods that IIS 5.0 uses to verify client credentials.
Authentication Method: Anonymous
  Benefits: Supported by all clients, this method is an easy way to allow access to unsecured content in public folders.
  Disadvantages: Does not provide security on an individual basis. All anonymous authenticated users can access any content the Anonymous user account (IUSER_Computername) has access to.

Authentication Method: Basic
  Benefits: Supported by most clients, this method works through proxies and firewalls.
  Disadvantages: Password is sent as clear text, unless the Secure Sockets Layer (SSL) protocol is used to encrypt.

Authentication Method: Digest
  Benefits: The password is sent as a hashed value, which works through proxies and firewalls. This method works with all HTTP 1.1 compliant browsers.
  Disadvantages: Password is unencrypted in the Windows 2000 domain controller (must protect the server carefully). Does not work through front-end server.

Authentication Method: Certificate
  Benefits: Very secure and supported by a broad range of clients.
  Disadvantages: Requires creating, obtaining, and managing certificates, and then deploying them to the clients.

Authentication Method: Integrated Windows
  Benefits: The password is sent as an encrypted value for highest security.
  Disadvantages: Only supported by Internet Explorer 2.0 and greater clients. Does not work through HTTP proxies. Only works through a front-end server when using Internet Explorer 5 on Windows 2000.
You can also use SSL to encrypt all of the communication between the client and server, regardless of the authentication method selected.
You can enable or disable these authentication methods by using the Internet Services Manager program and modifying the properties of the virtual directory.
Note: Previous versions of Exchange Server supported authentication methods included with Microsoft Site Server and Microsoft Commercial Internet Services. These methods, Distributed Password Authentication and Membership Basic, are not available with Exchange 2000.
Basic authentication only works if security properties for each user exist on the front-end server and if you grant users the Log on Locally right.
Integrated Windows Authentication (Kerberos)
For authentication methods in which the password is encrypted and cannot be determined by the front-end server, such as Integrated Windows (NTLM protocol or Kerberos), the front-end server must be able to forward the authentication request to the back-end server. This is only possible with Kerberos authentication, not NTLM protocol, and requires Internet Explorer 5 client software running on Windows 2000.
Integrated Windows authentication uses NTLM protocol authentication for Internet Explorer clients other than Internet Explorer 5 running on Windows 2000. This does not work with the front-end/back-end architecture.
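The table and the front-end/back-end rules above can be turned into a review of captured requests. The following Python sketch is an added example, not code from the courseware or from Exchange: it reads the Authorization header of a raw HTTP request, names the method in use, and reports the disadvantages the module lists for that deployment. The requests, the account name kiosk01 and all function names are constructed; a Negotiate token without the NTLM signature is assumed to carry Kerberos, and certificate authentication is not covered because it is not visible in HTTP headers.

```python
import base64

def authorization_header(raw_request):
    """Return the value of the Authorization header in a raw HTTP request, or ""."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return value.strip()
    return ""

def classify(value):
    """Name the authentication method that an Authorization header value implies."""
    if not value:
        return "Anonymous"
    scheme, _, token = value.partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "digest"):
        return scheme.capitalize()
    if scheme in ("ntlm", "negotiate"):
        try:
            blob = base64.b64decode(token.strip(), validate=True)
        except ValueError:
            return "Unknown"
        if blob.startswith(b"NTLMSSP\x00"):      # signature that opens every NTLM message
            return "Integrated Windows (NTLM)"
        if scheme == "negotiate":
            # Assumption: a GSS-API token is taken to be Kerberos; SPNEGO is not unpacked.
            return "Integrated Windows (Kerberos)"
    return "Unknown"

def basic_user(value):
    """Recover the user name from a Basic header to show it is only base64-encoded."""
    try:
        decoded = base64.b64decode(value.split(" ", 1)[1]).decode("latin-1")
    except (IndexError, ValueError):
        return "?"
    return decoded.split(":", 1)[0]

def review(raw_request, uses_ssl, via_front_end):
    """Return (method, issues) for one request, using the module's stated limitations."""
    value = authorization_header(raw_request)
    method, issues = classify(value), []
    if method == "Anonymous":
        issues.append("no per-user security: access equals that of the Anonymous account")
    if method == "Basic" and not uses_ssl:
        issues.append(f"password for {basic_user(value)!r} is sent as clear text; require SSL")
    if method == "Digest" and via_front_end:
        issues.append("Digest does not work through a front-end server")
    if method == "Integrated Windows (NTLM)" and via_front_end:
        issues.append("NTLM cannot be forwarded by a front-end server; only Kerberos can")
    return method, issues

def sample_request(auth=None):
    """Build a constructed request for the mailbox URL form used in this module."""
    lines = ["GET /exchange/mailbox/inbox HTTP/1.1", "Host: server"]
    if auth:
        lines.append("Authorization: " + auth)
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed samples: the credentials and token bytes are placeholders.
BASIC = sample_request("Basic " + base64.b64encode(b"kiosk01:not-a-real-password").decode())
NTLM = sample_request("Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode())

if __name__ == "__main__":
    print(review(BASIC, uses_ssl=False, via_front_end=True))
    print(review(NTLM, uses_ssl=True, via_front_end=True))
```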
Carefully planning your Outlook Web Access deployment is essential for implementing a scalable and secure system. You will be able to monitor Outlook Web Access by using a tool called System Monitor.
[Figure: Web; Front-End Server; Back-End Exchange Servers; Active Directory-based Domain Controller. Firewalls placed here need to pass HTTP, SSL, NetBIOS, RPC, Kerberos and LDAP.]
You should carefully consider the placement and configuration of firewalls for network security when deploying Outlook Web Access. There are two typical locations for firewalls in an Outlook Web Access deployment.
Kerberos Authentication
Internet Explorer 5 and Windows 2000 use the Kerberos protocol when Integrated Windows Authentication is chosen in IIS. Clients running Internet Explorer 5 and Windows 2000 must connect to an Active Directory domain controller to build the client authentication credentials used to access the Web server. Kerberos requires TCP and UDP port 88 to be open on the firewall.
Between the Outlook Web Access Server and the Exchange Server
You can also place a firewall between the Outlook Web Access server and the Exchange server. This is not recommended because it places the Outlook Web Access server outside the firewall protected area. If you decide to configure this environment, you will need the HTTP, SSL and Kerberos ports opened as described above. You will also need to open additional ports (NetBIOS, RPC, and LDAP) for the Web server to send authentication requests to the domain controller running Active Directory.
• The browser must be closed before you can log off the Outlook Web Access session and clear the logon user information. It will not time out as in previous versions.
• Browsers cache data locally, which can be a security risk. Outlook Web Access uses “pragma-no-cache” on sensitive pages to reduce potential security risks. Pragma-no-cache is a technique used to prevent the browser from caching data. Outlook Web Access sets pragma-no-cache using an HTML Meta tag in every page and also sets the no-cache HTTP headers.
Because many browsers do not support these no-cache directives, you should configure your browser to clear its cache when closed. You can also manually configure Internet Explorer to not cache any pages, or to not cache encrypted (SSL) pages.
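A check that a kiosk administrator could run against captured responses, added here as an example and not taken from the courseware: it confirms that a page carries both the no-cache HTTP headers and the pragma no-cache Meta tag described above, and lists whichever control is missing. The two sample responses and the function names are constructed.

```python
from html.parser import HTMLParser

class MetaPragmaFinder(HTMLParser):
    """Records whether a page contains <meta http-equiv="Pragma" content="no-cache">."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        values = {name: (value or "").lower() for name, value in attrs}
        if (tag == "meta" and values.get("http-equiv") == "pragma"
                and "no-cache" in values.get("content", "")):
            self.found = True

def audit_no_cache(raw_response):
    """Return (checks, missing) for the no-cache controls on one HTTP response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    finder = MetaPragmaFinder()
    finder.feed(body)
    directives = [d.strip() for d in headers.get("cache-control", "").split(",")]
    checks = {
        # Headers are what proxies and HTTP-level caches act on.
        "pragma_header": "no-cache" in headers.get("pragma", ""),
        "cache_control_header": "no-cache" in directives or "no-store" in directives,
        # The Meta tag is seen only by the browser that parses the page.
        "meta_tag": finder.found,
    }
    return checks, [name for name, ok in checks.items() if not ok]

# Constructed sample responses: the same page served with and without the headers.
PAGE = ('<html><head><meta http-equiv="Pragma" content="no-cache"></head>'
        '<body>Inbox</body></html>')
FULL = ("HTTP/1.1 200 OK\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n"
        "Content-Type: text/html\r\n\r\n" + PAGE)
META_ONLY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + PAGE

if __name__ == "__main__":
    for label, response in (("full", FULL), ("meta only", META_ONLY)):
        print(label, audit_no_cache(response)[1])
```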
With Exchange 2000, Outlook Web Access automatically attaches an Ical version of the appointment to the message instead of an HTTP link. Clients that support Ical (such as Outlook 2000 in Internet-only mode) will process this meeting request without using Outlook Web Access.