Module 4
Managing Client Access
Module Overview
• Configuring the Client Access Server Role

• Configuring Client Access Services for Outlook Clients

• Configuring Outlook Web App

• Configuring Mobile Messaging
Lesson 1: Configuring the Client Access Server Role
• How Client Access Works

• How Client Access Works with Multiple Sites

• Deployment Options for a Client Access Server

• Demonstration: How to Configure a Client Access Server

• Securing a Client Access Server

• Considerations for Implementing Client Access Server
 Certificates
• Demonstration: How to Configure Certificates for Client
 Access Servers
• Options for Configuring POP3 and IMAP4 Client Access

• Configuring Throttling Policies

• Configuring the Client Access Server for Internet Access
How Client Access Works


[Diagram: numbered steps 1 to 4 connecting a client (HTTPS, IMAP4, POP3, RPC/MAPI), the Client Access Server, the Domain Controller, and the Mailbox Server (RPC/MAPI).]
How Client Access Works with Multiple Sites
Multiple Internet access points: the client request is redirected.
Single Internet access point: the client request is proxied.

A proxy is used for Outlook Web App, Exchange ActiveSync, and Exchange Web Services.
Redirection is used only for Outlook Web App.
Deployment Options for a Client Access Server
Client Access servers:

 •   Must be deployed in each AD DS site that has
     Mailbox servers
 •   Must have a fast connection to Mailbox servers and
     domain controllers
 •   Need to be accessible from the Internet using the client
     protocol in Internet-facing sites




You can deploy Client Access servers:


 •   On a single server with other Exchange Server roles
 •   On a dedicated server to provide scalability
 •   On multiple dedicated servers in an array
Demonstration: How to Configure a Client
Access Server
In this demonstration, you will review:
• The Client Access settings for an organization

• The Client Access server settings
Securing a Client Access Server
To secure a Client Access server:


    Install server certificates, and ensure that SSL is required



    Configure authentication settings:
       • Integrated Windows authentication
       • Digest authentication
       • Basic authentication
       • Forms-based authentication


    Protect the server with an application layer firewall
Considerations for Implementing Client Access
Server Certificates



When implementing Client Access certificates, consider:


       •   Whether to use an internal or public CA
       •   The client access protocols in use
       •   The server names used by messaging clients
Demonstration: How to Configure Certificates for
Client Access Servers
In this demonstration, you will review:
• The New Exchange Certificate Wizard

• How to approve a certificate request

• The Subject Alternative Names in the certificate
Options for Configuring POP3 and IMAP4 Client Access

Option                Description

Bindings              Configure local server addresses
Authentication        Configure authentication options
Connection settings   Configure server connection settings
Retrieval settings    Configure message formats and calendar retrieval settings
User access           Configure whether a user can use the protocol
Configuring Throttling Policies



Use client throttling policies to manage the performance of your
Exchange organization


When configuring throttling policies:

  • Throttling Policies limit the number of RPC requests from clients
  • Default throttling policy is automatically created
  • Additional policies can be created
  • Consider using Delivery Class Throttling
Configuring the Client Access Server for
Internet Access

To enable Internet access to Client Access services:

 •   Configure external URLs
 •   Configure the external DNS names
 •   Configure access to Client Access virtual directories
 •   Implement SSL certificates with multiple subject alternative names
 •   Plan for Client Access server access with multiple sites
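Added example, not part of the course material: a PowerShell check that every host name clients will use is covered by the certificate's subject alternative names and is reached over HTTPS. The adatum.example names and the function names are constructed for illustration; the commented cmdlets show where the real values come from in the Exchange Management Shell.

```powershell
# Returns $true when one SAN entry covers the host name.
function Test-SanMatch {
    param(
        [Parameter(Mandatory=$true)] [string] $HostName,
        [Parameter(Mandatory=$true)] [string] $SanEntry
    )
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    $s = $SanEntry.ToLowerInvariant().TrimEnd('.')
    if ($s.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label:
        # *.adatum.example matches mail.adatum.example, but not
        # adatum.example or cas01.corp.adatum.example.
        $suffix = $s.Substring(1)    # ".adatum.example"
        if (-not $h.EndsWith($suffix, [StringComparison]::Ordinal)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($h -eq $s)
}

# Emits one object per client URL that is not covered by the certificate
# or that does not use HTTPS.
function Get-UncoveredClientName {
    param(
        [Parameter(Mandatory=$true)] [string[]] $ClientUrl,
        [Parameter(Mandatory=$true)] [string[]] $CertificateDomain
    )
    foreach ($url in $ClientUrl) {
        $uri = [Uri]$url
        $covered = $false
        foreach ($san in $CertificateDomain) {
            if (Test-SanMatch -HostName $uri.Host -SanEntry $san) {
                $covered = $true
                break
            }
        }
        if (-not $covered -or $uri.Scheme -ne 'https') {
            New-Object PSObject -Property @{
                Url       = $url
                HostName  = $uri.Host
                InSan     = $covered
                UsesHttps = ($uri.Scheme -eq 'https')
            }
        }
    }
}

# Constructed sample input. On an Exchange 2010 server the same values come
# from the Exchange Management Shell, for example:
#   (Get-OwaVirtualDirectory).ExternalUrl
#   (Get-ActiveSyncVirtualDirectory).ExternalUrl
#   (Get-WebServicesVirtualDirectory).ExternalUrl
#   (Get-ClientAccessServer).AutoDiscoverServiceInternalUri
#   (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains
$clientUrls = @(
    'https://mail.adatum.example/owa',
    'https://mail.adatum.example/Microsoft-Server-ActiveSync',
    'https://mail.adatum.example/EWS/Exchange.asmx',
    'https://autodiscover.adatum.example/Autodiscover/Autodiscover.xml',
    'https://cas01.corp.adatum.example/Autodiscover/Autodiscover.xml',
    'http://legacy.adatum.example/owa'
)
$certDomains = @('mail.adatum.example', 'autodiscover.adatum.example', '*.adatum.example')

# Lists the internal CAS name (two labels below the wildcard) and the
# plain-HTTP legacy URL; the other four URLs pass both checks.
Get-UncoveredClientName -ClientUrl $clientUrls -CertificateDomain $certDomains |
    Format-Table Url, HostName, InSan, UsesHttps -AutoSize
```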
Lesson 2: Configuring Client Access Services for
Outlook Clients
• Services Provided by a Client Access Server for Outlook
 Clients
• What Is RPC Client Access Services?

• What Is Autodiscover?

• Configuring Autodiscover

• What Is the Availability Service?

• What Are MailTips?

• Demonstration: How to Configure MailTips

• What Is Outlook Anywhere?

• Demonstration: How to Configure Outlook Anywhere

• Troubleshooting Outlook Client Connectivity
Services Provided by a Client Access Server for
 Outlook Clients
Service                         Description

RPC Client Access Service       Enables MAPI connectivity to user mailboxes
Autodiscover                    Enables automatic configuration for Outlook and mobile clients
Availability                    Provides free or busy information
MailTips                        Provides notifications regarding issues with sending a message
Offline Address Book download   Provides offline address book download for Outlook clients
Exchange Control Panel          Provides an administrative interface for accessing mailbox and recipient information
Exchange Web Services           Provides a developer interface for accessing all Exchange server content and settings
Outlook Anywhere                Enables RPC over HTTPS access to user mailboxes
What Is RPC Client Access Services?

RPC Client Access Services provides MAPI clients with the ability to
connect to a Client Access server instead of a Mailbox server




[Diagram: a MAPI client, the Client Access Server Role and the Mailbox Server Role, with links labelled MAPI.]
What Is Autodiscover?

Autodiscover provides information that you can use to
configure Outlook 2007 and 2010 client profiles


Outlook 2007/2010 Autodiscover Process:

1. The client locates the Autodiscover service
2. The Autodiscover service on the client sends each Client Access server an HTTP Post command
3. The appropriate Client Access server responds by returning an XML file
4. Outlook downloads the required configuration information from the Autodiscover service
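Added example, not part of the course material: the XML body a client posts in step 2 and a constructed response of the kind returned in step 3, parsed in PowerShell to list the endpoints the client is told to use and whether each is HTTPS. The function names and adatum.example values are constructed; the element names follow the Outlook Autodiscover request and response schemas.

```powershell
# Step 2: the XML body the client sends in its HTTP POST.
function New-AutodiscoverRequest {
    param([Parameter(Mandatory=$true)] [string] $EmailAddress)
    $escaped = [System.Security.SecurityElement]::Escape($EmailAddress)
@"
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$escaped</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
}

# Step 3: constructed sample response (not captured from a real server).
$responseBody = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>cas01.corp.adatum.example</Server>
        <ASUrl>https://cas01.corp.adatum.example/EWS/Exchange.asmx</ASUrl>
        <OABUrl>http://cas01.corp.adatum.example/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.adatum.example</Server>
        <SSL>On</SSL>
        <ASUrl>https://mail.adatum.example/EWS/Exchange.asmx</ASUrl>
        <OABUrl>https://mail.adatum.example/OAB/</OABUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

# Step 4: read the configuration the client would apply. Emits one object
# per URL setting, with its host name and whether it uses HTTPS.
function Get-AutodiscoverUrl {
    param([Parameter(Mandatory=$true)] [string] $ResponseXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ResponseXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('o', 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a')

    foreach ($protocol in $doc.SelectNodes('//o:Account/o:Protocol', $ns)) {
        $type = $protocol.SelectSingleNode('o:Type', $ns).InnerText
        foreach ($node in $protocol.ChildNodes) {
            # Elements whose name ends in "Url" are endpoints the client will call.
            if ($node.LocalName -like '*Url') {
                $uri = [Uri]$node.InnerText
                New-Object PSObject -Property @{
                    Protocol  = $type
                    Setting   = $node.LocalName
                    HostName  = $uri.Host
                    UsesHttps = ($uri.Scheme -eq 'https')
                }
            }
        }
    }
}

New-AutodiscoverRequest -EmailAddress 'user@adatum.example'
Get-AutodiscoverUrl -ResponseXml $responseBody |
    Format-Table Protocol, Setting, HostName, UsesHttps -AutoSize
```

The HostName column is the set of names the Client Access server certificate has to cover for these clients.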
Configuring Autodiscover

To configure Autodiscover:


 •   Use the Exchange Management Shell
 •   Configure site affinity for Exchange Servers in multiple sites
 •   Configure DNS records for external clients
 •   Use Outlook's Test E-mail AutoConfiguration feature to test
 •   Use the TestExchangeConnectivity website
What Is the Availability Service?

Availability service makes free/busy information available for
Outlook 2007, 2010 and Outlook Web App clients




[Diagram: numbered steps 1 to 5 between an Exchange Server 2003 server and two Exchange Server 2010 servers.]
What Are MailTips?


MailTips provide information about a message delivery
before the message is sent


 Exchange Server 2010 provides:

      • Default MailTips
      • Custom MailTips




 The Client Access server provides the MailTips to the client
Demonstration: How to Configure MailTips
In this demonstration, you will see how to:
• Review and configure the default MailTips for an Exchange
 organization
• Configure custom MailTips

• Verify that the MailTips work as expected
What Is Outlook Anywhere?

Outlook Anywhere enables RPC connections over HTTPS to an
Exchange Server 2010 server

[Diagram: an Outlook 2003, 2007 or Outlook 2010 client, the Client Access Server, the Mailbox Server and the Global Catalog Servers, with links labelled HTTPS, RPC and LDAP.]
Demonstration: How to Configure Outlook Anywhere
In this demonstration, you will see how to:
• Configure Autodiscover settings

• Configure a Client Access server for Outlook Anywhere

• Configure an Outlook 2010 profile for Outlook Anywhere

• Verify Outlook Anywhere connectivity
Troubleshooting Outlook Client Connectivity

 To troubleshoot Outlook Client connectivity:

   Verify network connectivity

   Verify client configuration

   Verify DNS name resolution

   Verify Exchange Server availability

   Verify Client Access server certificates

 Test the client autoconfiguration process
Lab A: Configuring Client Access Servers for
Outlook Anywhere Access
• Exercise 1: Configuring Client Access Servers

• Exercise 2: Configuring Outlook Anywhere




Logon information




Estimated time: 60 minutes
Lab Scenario
You are working as a messaging administrator in A. Datum
Corporation. Your organization has decided to deploy Client
Access Servers so that the servers are accessible from the
Internet for a variety of messaging clients. To ensure that the
deployment is as secure as possible, you must secure the Client
Access server, and configure a certificate on the server that will
support the messaging client connections. You also need to
configure the server to support Outlook Anywhere connections.
Lab Review
• In this lab, you configured the Client Access server to use
 a certificate from an internal CA. How would the steps
 change if you used a public CA?
• How would the steps in the lab change if you had two
 company locations, and you had to configure Client Access
 server access to both locations?
Lesson 3: Configuring Outlook Web App
• What Is Outlook Web App?

• Configuration Options for Outlook Web App

• What Is File and Data Access for Outlook Web App?

• Demonstration: How to Configure Outlook Web App

• Demonstration: How to Configure Outlook Web App
 Policies
• Demonstration: How to Configure User Options by
 Using the ECP
What Is Outlook Web App?


 Outlook Web App allows users to access their mailboxes
 through a Web browser


 Outlook Web App provides:

 •   Web-based access to all Exchange mailbox components

 •   Secure HTTPS access from the Internet

 •   An alternative to deploying a messaging client

 •   Access to Exchange Server 2010 features that are not
     available in Outlook 2007
Configuration Options for Outlook Web App

Configuration Option            Description

Server certificates             Required to enable SSL
SSL settings                    Enables secure access to Outlook Web App
Authentication                  Determines which clients can connect
Segmentation settings           Determines the available features in Outlook Web App
GZIP compression                Enables compression of messages and attachments
Web beacon settings             Manages Web beacon access
Cross site silent redirection   Redirects clients to appropriate OWA URL
What Is File and Data Access for Outlook Web App?



File and data access for Outlook Web App enables users to
access attachments on messages



With file and data access, you can configure:
  •   WebReady document viewing
  •   Direct file access
  •   Different settings when users connect from public or
      private computers
  •   Restrict access to files based on file types
Demonstration: How to Configure Outlook Web App
In this demonstration, you will see how to configure:
• A server to require SSL

• Outlook Web App virtual directories

• Authentication options for Outlook Web App virtual
 directories
• Gzip compression settings

• Segmentation settings

• Web beacon settings
Demonstration: How to Configure Outlook
Web App Policies
In this demonstration, you will see how to:
• Configure an Outlook Web App policy

• Assign an Outlook Web App policy to a user account
Demonstration: How to Configure User Options
Using the ECP
In this demonstration, you will see how to:
• Configure the Exchange Control Panel virtual directory

• Configure user mailbox settings through the Exchange
 Control Panel
Lesson 4: Configuring Mobile Messaging
• What Is Exchange ActiveSync?

• Demonstration: How to Configure Exchange ActiveSync

• Options for Securing Exchange ActiveSync

• Mobile Device Quarantine in Exchange Server 2010

• Demonstration: How to Configure Exchange ActiveSync
 Policies
What Is Exchange ActiveSync?
Exchange ActiveSync is a protocol that enables mobile devices
to access Exchange Server data


[Diagram: numbered steps 1 to 3 connecting an Exchange ActiveSync client to two Client Access Server and Mailbox Server pairs.]
Demonstration: How to Configure Exchange
ActiveSync
In this demonstration, you will see how to:
• Configure the Exchange Server settings for Exchange
 ActiveSync
Options for Securing Exchange ActiveSync

To secure Exchange ActiveSync:

 •   Configure Exchange ActiveSync policies for security
 •   Wipe lost or stolen devices
 •   Enable self-service mobile device management
 •   Ensure that SSL is required for the Exchange ActiveSync virtual directory
 •   Install CA root certificates on client devices
Mobile Device Quarantine in Exchange Server 2010



Exchange Server 2010 SP2 allows you to manage mobile
devices based on model or family


Each mobile device can be in one of three states:
 •   Allowed
 •   Blocked
 •   Quarantined



You can use ECP or EMS to manage Device Access Rules
Demonstration: How to Configure Exchange
ActiveSync Policies
In this demonstration, you will see how to:
• Configure Exchange ActiveSync mailbox policies

• Configure user accounts for Exchange ActiveSync
Lab B: Configuring Client Access Servers for
Outlook Web App and Exchange ActiveSync
Exercise 1: Configuring Outlook Web App
Exercise 2: Configuring Exchange ActiveSync




Logon information




Estimated time: 50 minutes
Lab Scenario
To enable client access to the server, your organization
has decided to enable both Outlook Web App and Exchange
ActiveSync for its users. However, the security officer at
A. Datum Corporation has defined security requirements for
the Outlook Web App and Exchange ActiveSync deployment.
Therefore, you need to enable the security features for both
Outlook Web App and Exchange ActiveSync.
Lab Review
• What additional steps can you take to enhance the
 security for the Outlook Web App and Exchange
 ActiveSync connections in your organization?
• How would you modify the procedures in this lab if you
 needed to ensure that users cannot download attachments
 using Outlook Web App?
Module Review and Takeaways
• Review Questions

• Common Issues and Troubleshooting Tips

• Real-World Issues and Scenarios

• Best Practices

• Tools

Mais conteúdo relacionado

Mais procurados

Microsoft Exchange Technology Overview
Microsoft Exchange Technology OverviewMicrosoft Exchange Technology Overview
Microsoft Exchange Technology OverviewMike Pruett
 
TechNet Webcast: Exchange 2010 Outlook Web Access
TechNet Webcast: Exchange 2010 Outlook Web AccessTechNet Webcast: Exchange 2010 Outlook Web Access
TechNet Webcast: Exchange 2010 Outlook Web AccessMicrosoft TechNet
 
Exchange 2010 Poster
Exchange 2010 PosterExchange 2010 Poster
Exchange 2010 PosterPaulo Freitas
 
Enterprise Integration Patterns
Enterprise Integration PatternsEnterprise Integration Patterns
Enterprise Integration PatternsSergey Podolsky
 
Message Oriented Architecture using NServiceBus
Message Oriented Architecture using NServiceBusMessage Oriented Architecture using NServiceBus
Message Oriented Architecture using NServiceBusLars-Erik Kindblad
 
WCF tutorial
WCF tutorialWCF tutorial
WCF tutorialAbhi Arya
 
10 Tricks and Tips for WCF
10 Tricks and Tips for WCF10 Tricks and Tips for WCF
10 Tricks and Tips for WCFBarry Dorrans
 
Web Server-Side Programming Techniques
Web Server-Side Programming TechniquesWeb Server-Side Programming Techniques
Web Server-Side Programming Techniquesguest8899ec02
 
Enterprise Integration Patterns
Enterprise Integration PatternsEnterprise Integration Patterns
Enterprise Integration PatternsOleg Tsal-Tsalko
 
Cloud Messaging with NServiceBus and Microsoft Azure
Cloud Messaging with NServiceBus and Microsoft AzureCloud Messaging with NServiceBus and Microsoft Azure
Cloud Messaging with NServiceBus and Microsoft AzureParticular Software
 
Core concepts - mule
Core concepts - muleCore concepts - mule
Core concepts - muleSindhu VL
 
Server-Side Programming Primer
Server-Side Programming PrimerServer-Side Programming Primer
Server-Side Programming PrimerIvano Malavolta
 
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...Microsoft Technet France
 
Microsoft Exchange 2013 architecture
Microsoft Exchange 2013 architectureMicrosoft Exchange 2013 architecture
Microsoft Exchange 2013 architectureMotty Ben Atia
 

Mais procurados (20)

Microsoft Exchange Technology Overview
Microsoft Exchange Technology OverviewMicrosoft Exchange Technology Overview
Microsoft Exchange Technology Overview
 
TechNet Webcast: Exchange 2010 Outlook Web Access
TechNet Webcast: Exchange 2010 Outlook Web AccessTechNet Webcast: Exchange 2010 Outlook Web Access
TechNet Webcast: Exchange 2010 Outlook Web Access
 
Exchange Server 2013 Architecture Deep Dive, Part 1
Exchange Server 2013 Architecture Deep Dive, Part 1Exchange Server 2013 Architecture Deep Dive, Part 1
Exchange Server 2013 Architecture Deep Dive, Part 1
 
Exchange 2010 Poster
Exchange 2010 PosterExchange 2010 Poster
Exchange 2010 Poster
 
Enterprise Integration Patterns
Enterprise Integration PatternsEnterprise Integration Patterns
Enterprise Integration Patterns
 
Message Oriented Architecture using NServiceBus
Message Oriented Architecture using NServiceBusMessage Oriented Architecture using NServiceBus
Message Oriented Architecture using NServiceBus
 
WCF tutorial
WCF tutorialWCF tutorial
WCF tutorial
 
10 Tricks and Tips for WCF
10 Tricks and Tips for WCF10 Tricks and Tips for WCF
10 Tricks and Tips for WCF
 
Web Server-Side Programming Techniques
Web Server-Side Programming TechniquesWeb Server-Side Programming Techniques
Web Server-Side Programming Techniques
 
WCF
WCFWCF
WCF
 
Enterprise Integration Patterns
Enterprise Integration PatternsEnterprise Integration Patterns
Enterprise Integration Patterns
 
WCF Fundamentals
WCF Fundamentals WCF Fundamentals
WCF Fundamentals
 
Spring integration
Spring integrationSpring integration
Spring integration
 
Cloud Messaging with NServiceBus and Microsoft Azure
Cloud Messaging with NServiceBus and Microsoft AzureCloud Messaging with NServiceBus and Microsoft Azure
Cloud Messaging with NServiceBus and Microsoft Azure
 
Core concepts - mule
Core concepts - muleCore concepts - mule
Core concepts - mule
 
Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)
 
WCF for begineers
WCF  for begineersWCF  for begineers
WCF for begineers
 
Server-Side Programming Primer
Server-Side Programming PrimerServer-Side Programming Primer
Server-Side Programming Primer
 
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
Exchange Server 2013 : upgrade migration et co-existence avec les anciennes v...
 
Microsoft Exchange 2013 architecture
Microsoft Exchange 2013 architectureMicrosoft Exchange 2013 architecture
Microsoft Exchange 2013 architecture
 

Semelhante a 10135 b 04

Exchange 2013 Architecture Poster
Exchange 2013 Architecture PosterExchange 2013 Architecture Poster
Exchange 2013 Architecture PosterRian Yulian
 
Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobilityFabrizio Volpe
 
Microsoft exchange
Microsoft exchangeMicrosoft exchange
Microsoft exchangesaeed ismail
 
Exchange Server 2013 Deployment
Exchange Server 2013 DeploymentExchange Server 2013 Deployment
Exchange Server 2013 Deploymentsaeed ismail
 
Developing and Hosting SOAP Based Services
Developing and Hosting SOAP Based ServicesDeveloping and Hosting SOAP Based Services
Developing and Hosting SOAP Based ServicesStephenKardian
 
Clients and Servers.ppt
Clients and Servers.pptClients and Servers.ppt
Clients and Servers.pptMohammed Ilyas
 
Rest WebAPI with OData
Rest WebAPI with ODataRest WebAPI with OData
Rest WebAPI with ODataMahek Merchant
 
10135 a 05
10135 a 0510135 a 05
10135 a 05Bố Su
 
Deploying and Managing PowerPivot for SharePoint
Deploying and Managing PowerPivot for SharePointDeploying and Managing PowerPivot for SharePoint
Deploying and Managing PowerPivot for SharePointDenny Lee
 
Introduction to API and Service Hosting 3.7
Introduction to API and Service Hosting 3.7Introduction to API and Service Hosting 3.7
Introduction to API and Service Hosting 3.7StephenKardian
 
Phase one of OpenAthens SP evolution
Phase one of OpenAthens SP evolutionPhase one of OpenAthens SP evolution
Phase one of OpenAthens SP evolutionEduserv
 
10135 a 06
10135 a 0610135 a 06
10135 a 06Bố Su
 
Provisioning Certificates
Provisioning CertificatesProvisioning Certificates
Provisioning Certificatesmacbrained
 
web services-May 25.ppt
web services-May 25.pptweb services-May 25.ppt
web services-May 25.pptShivaangiKrish
 
Complete Architecture and Development Guide To Windows Communication Foundati...
Complete Architecture and Development Guide To Windows Communication Foundati...Complete Architecture and Development Guide To Windows Communication Foundati...
Complete Architecture and Development Guide To Windows Communication Foundati...Abdul Khan
 
Exploring the WSO2 ESB 4.7
Exploring the WSO2 ESB 4.7 Exploring the WSO2 ESB 4.7
Exploring the WSO2 ESB 4.7 WSO2
 

Semelhante a 10135 b 04 (20)

10135 b 12
10135 b 1210135 b 12
10135 b 12
 
Exchange 2013 Architecture Poster
Exchange 2013 Architecture PosterExchange 2013 Architecture Poster
Exchange 2013 Architecture Poster
 
Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobility
 
Microsoft exchange
Microsoft exchangeMicrosoft exchange
Microsoft exchange
 
Exchange Server 2013 Deployment
Exchange Server 2013 DeploymentExchange Server 2013 Deployment
Exchange Server 2013 Deployment
 
20341 b 05 f-m-n
20341 b 05 f-m-n20341 b 05 f-m-n
20341 b 05 f-m-n
 
Developing and Hosting SOAP Based Services
Developing and Hosting SOAP Based ServicesDeveloping and Hosting SOAP Based Services
Developing and Hosting SOAP Based Services
 
Clients and Servers.ppt
Clients and Servers.pptClients and Servers.ppt
Clients and Servers.ppt
 
Unit v
Unit v Unit v
Unit v
 
Rest WebAPI with OData
Rest WebAPI with ODataRest WebAPI with OData
Rest WebAPI with OData
 
10135 a 05
10135 a 0510135 a 05
10135 a 05
 
Deploying and Managing PowerPivot for SharePoint
Deploying and Managing PowerPivot for SharePointDeploying and Managing PowerPivot for SharePoint
Deploying and Managing PowerPivot for SharePoint
 
Introduction to API and Service Hosting 3.7
Introduction to API and Service Hosting 3.7Introduction to API and Service Hosting 3.7
Introduction to API and Service Hosting 3.7
 
Phase one of OpenAthens SP evolution
Phase one of OpenAthens SP evolutionPhase one of OpenAthens SP evolution
Phase one of OpenAthens SP evolution
 
10135 a 06
10135 a 0610135 a 06
10135 a 06
 
Provisioning Certificates
Provisioning CertificatesProvisioning Certificates
Provisioning Certificates
 
web services-May 25.ppt
web services-May 25.pptweb services-May 25.ppt
web services-May 25.ppt
 
oracle service bus
oracle service busoracle service bus
oracle service bus
 
Complete Architecture and Development Guide To Windows Communication Foundati...
Complete Architecture and Development Guide To Windows Communication Foundati...Complete Architecture and Development Guide To Windows Communication Foundati...
Complete Architecture and Development Guide To Windows Communication Foundati...
 
Exploring the WSO2 ESB 4.7
Exploring the WSO2 ESB 4.7 Exploring the WSO2 ESB 4.7
Exploring the WSO2 ESB 4.7
 

Mais de Wichien Saisorn (11)

10135 b 13
10135 b 1310135 b 13
10135 b 13
 
10135 b 11
10135 b 1110135 b 11
10135 b 11
 
10135 b 10
10135 b 1010135 b 10
10135 b 10
 
10135 b 09
10135 b 0910135 b 09
10135 b 09
 
10135 b 08
10135 b 0810135 b 08
10135 b 08
 
10135 b 07
10135 b 0710135 b 07
10135 b 07
 
10135 b 03
10135 b 0310135 b 03
10135 b 03
 
10135 b 02
10135 b 0210135 b 02
10135 b 02
 
10135 b 01
10135 b 0110135 b 01
10135 b 01
 
10135 b 00
10135 b 0010135 b 00
10135 b 00
 
10135 b xa
10135 b xa10135 b xa
10135 b xa
 

10135 b 04

  • 2. Module Overview • Configuring the Client Access Server Role • Configuring Client Access Services for Outlook Clients • Configuring Outlook Web App • Configuring Mobile Messaging
  • 3. Lesson 1: Configuring the Client Access Server Role • How Client Access Works • How Client Access Works with Multiple Sites • Deployment Options for a Client Access Server • Demonstration: How to Configure a Client Access Server • Securing a Client Access Server • Considerations for Implementing Client Access Server Certificates • Demonstration: How to Configure Certificates for Client Access Servers • Options for Configuring POP3 and IMAP4 Client Access • Configuring Throttling Policies • Configuring the Client Access Server for Internet Access
  • 4. How Client Access Works Domain Controller Client Access 3 Mailbox Server Server 4 RPC/MAPI 1 2 RPC/MAPI HTTPS IMAP4 POP3
  • 5. How Client Access Works with Multiple Sites Multiple Internet Single Internet Access Points Access Point Client request Client request is redirected is proxied A proxy is used for Outlook Web App, Exchange ActiveSync, and Exchange Web Services Redirection is used only for Outlook Web App
  • 6. Deployment Options for a Client Access Server Client Access servers: • Must be deployed in each AD Ds site that has Mailbox servers • Must have a fast connection to Mailbox servers and domain controllers • Need to be accessible from the Internet using the client protocol in Internet-facing sites You can deploy Client Access servers: • On a single server with other Exchange Server roles • On a dedicated server to provide scalability • On multiple dedicated servers in an array
  • 7. Demonstration: How to Configure a Client Access Server In this demonstration, you will review: • The Client Access settings for an organization • The Client Access server settings
  • 8. Securing a Client Access Server To secure a Client Access server:  Install server certificates, and ensure that SSL is required  Configure authentication settings: • Integrated Windows authentication • Digest authentication • Basic authentication • Forms-based authentication  Protect the server with an application layer firewall
  • 9. Considerations for Implementing Client Access Server Certificates When implementing Client Access certificates, consider: • Whether to use an internal or public CA • The client access protocols in use • The server names used by messaging clients
  • 10. Demonstration: How to Configure Certificates for Client Access Servers In this demonstration, you will review: • The New Exchange Certificate Wizard • How to approve a certificate request • The Subject Alternative Names in the certificate
  • 11. Options for Configuring POP3 and IMAP4 Client Access Option Description Bindings Configure local server addresses Authentication Configure authentication options Connection settings Configure server connection settings Retrieval settings Configure message formats and calendar retrieval settings User access Configure whether a user can use the protocol
  • 12. Configuring Throttling Policies Use client throttling policies to manage the performance of your Exchange organization When configuring throttling policies: • Throttling Policies limit the number of RPC requests from clients • Default throttling policy is automatically created • Additional policies can be created • Consider using Delivery Class Throttling
  • 13. Configuring the Client Access Server for Internet Access To enable Internet access to Client Access services:  Configure external URLs  Configure the external DNS names  Configure access to Client Access virtual directories Implement SSL certificates with multiple subject  alternative names  Plan for Client Access server access with multiple sites
  • 14. Lesson 2: Configuring Client Access Services for Outlook Clients • Services Provided by a Client Access Server for Outlook Clients • What Is RPC Client Access Services? • What Is Autodiscover? • Configuring Autodiscover • What Is the Availability Service? • What Are MailTips? • Demonstration: How to Configure MailTips • What Is Outlook Anywhere? • Demonstration: How to Configure Outlook Anywhere • Troubleshooting Outlook Client Connectivity
  • 15. Services Provided by a Client Access Server for Outlook Clients Service Description RPC Client Access Enables MAPI connectivity to user mailboxes Service Autodiscover Enables automatic configuration for Outlook and mobile clients Availability Provides free or busy information MailTips Provides notifications regarding issues with sending a message Offline Address Book Provides offline address book download for download Outlook clients Exchange Control Provides an administrative interface for Panel accessing mailbox and recipient information Exchange Web Provides a developer interface for accessing all Services Exchange server content and settings Outlook Anywhere Enables RPC over HTTPS access to user mailboxes
  • 16. What Is RPC Client Access Services? RPC Client Access Services provides MAPI clients with ability to connect to Client Access Server instead to Mailbox server Mailbox Server Role MAPI MAPI Client Access Server Role
  • 17. What Is Autodiscover? Autodiscover provides information that you can use to configure Outlook 2007 and 2010 client profiles Outlook 2007/2010 Autodiscover Process: 1 The client locates the Autodiscover service The Autodiscover service on the client sends each Client 2 Access server an HTTP Post command The appropriate Client Access server responds by returning 3 an XML file Outlook downloads the required configuration information 4 from the Autodiscover service
  • 18. Configuring Autodiscover To configure Autodiscover:  Use the Exchange Management Shell Configure site affinity for Exchange Servers in multiple  sites  Configure DNS records for external clients Use Outlook's Test E-mail AutoConfiguration feature to  test  Use TestExchangeConnectivity website
  • 19. What Is the Availability Service? Availability service makes free/busy information available for Outlook 2007, 2010 and Outlook Web App clients Exchange Exchange Server 2010 Server 2003 Exchange Server 2010 2 3 4 5 1
  • 20. What Are MailTips? MailTips provide information about a message delivery before the message is sent Exchange Server 2010 provides: • Default MailTips • Custom MailTips The Client Access server provides the MailTips to the client
  • 21. Demonstration: How to Configure MailTips In this demonstration, you will see how to: • Review and configure the default MailTips for an Exchange organization • Configure custom MailTips • Verify that the MailTips work as expected
  • 22. What Is Outlook Anywhere? Outlook Anywhere enables RPC connections over HTTPS to an Exchange Server 2010 server. [Diagram labels: Outlook 2003, 2007 or Outlook 2010 client; HTTPS; Client Access Server; RPC; Mailbox Server; LDAP; Global Catalog Servers]
  • 23. Demonstration: How to Configure Outlook Anywhere In this demonstration, you will see how to: • Configure Autodiscover settings • Configure a Client Access server for Outlook Anywhere • Configure an Outlook 2010 profile for Outlook Anywhere • Verify Outlook Anywhere connectivity
  • 24. Troubleshooting Outlook Client Connectivity To troubleshoot Outlook Client connectivity: • Verify network connectivity • Verify client configuration • Verify DNS name resolution • Verify Exchange Server availability • Verify Client Access server certificates • Test the client autoconfiguration process
  • 25. Lab A: Configuring Client Access Servers for Outlook Anywhere Access • Exercise 1: Configuring Client Access Servers • Exercise 2: Configuring Outlook Anywhere Logon information Estimated time: 60 minutes
  • 26. Lab Scenario You are working as a messaging administrator in A. Datum Corporation. Your organization has decided to deploy Client Access Servers so that the servers are accessible from the Internet for a variety of messaging clients. To ensure that the deployment is as secure as possible, you must secure the Client Access server, and configure a certificate on the server that will support the messaging client connections. You also need to configure the server to support Outlook Anywhere connections.
  • 27. Lab Review • In this lab, you configured the Client Access server to use a certificate from an internal CA. How would the steps change if you used a public CA? • How would the steps in the lab change if you had two company locations, and you had to configure Client Access server access to both locations?
  • 28. Lesson 3: Configuring Outlook Web App • What Is Outlook Web App? • Configuration Options for Outlook Web App • What Is File and Data Access for Outlook Web App? • Demonstration: How to Configure Outlook Web App • Demonstration: How to Configure Outlook Web App Policies • Demonstration: How to Configure User Options by Using the ECP
  • 29. What Is Outlook Web App? Outlook Web App allows users to access their mailboxes through a Web browser Outlook Web App provides: • Web-based access to all Exchange mailbox components • Secure HTTPS access from the Internet • An alternative to deploying a messaging client • Access to Exchange Server 2010 features that are not available in Outlook 2007
  • 30. Configuration Options for Outlook Web App
      Configuration Option | Description
      Server certificates | Required to enable SSL
      SSL settings | Enables secure access to Outlook Web App
      Authentication | Determines which clients can connect
      Segmentation settings | Determines the available features in Outlook Web App
      GZIP compression | Enables compression of messages and attachments
      Web beacon settings | Manages Web beacon access
      Cross site silent redirection | Redirects clients to appropriate OWA URL
  • 31. What Is File and Data Access for Outlook Web App? File and data access for Outlook Web App enables users to access attachments on messages With file and data access, you can configure: • WebReady document viewing • Direct file access • Different settings when users connect from public or private computers • Restrict access to files based on file types
  • 32. Demonstration: How to Configure Outlook Web App In this demonstration, you will see how to configure: • A server to require SSL • Outlook Web App virtual directories • Authentication options for Outlook Web App virtual directories • Gzip compression settings • Segmentation settings • Web beacon settings
  • 33. Demonstration: How to Configure Outlook Web App Policies In this demonstration, you will see how to: • Configure an Outlook Web App policy • Assign an Outlook Web App policy to a user account
  • 34. Demonstration: How to Configure User Options Using the ECP In this demonstration, you will see how to: • Configure the Exchange Control Panel virtual directory • Configure user mailbox settings through the Exchange Control Panel
  • 35. Lesson 4: Configuring Mobile Messaging • What Is Exchange ActiveSync? • Demonstration: How to Configure Exchange ActiveSync • Options for Securing Exchange ActiveSync • Mobile Device Quarantine in Exchange Server 2010 • Demonstration: How to Configure Exchange ActiveSync Policies
  • 36. What Is Exchange ActiveSync? Exchange ActiveSync is a protocol that enables mobile devices to access Exchange Server data. [Diagram labels: Exchange ActiveSync client; Client Access Server; Mailbox Server; steps numbered 1 to 3]
  • 37. Demonstration: How to Configure Exchange ActiveSync In this demonstration, you will see how to: • Configure the Exchange Server settings for Exchange ActiveSync
  • 38. Options for Securing Exchange ActiveSync To secure Exchange ActiveSync: • Configure Exchange ActiveSync policies for security • Wipe lost or stolen devices • Enable self-service mobile device management • Ensure that SSL is required for the Exchange ActiveSync virtual directory • Install CA root certificates on client devices
  • 39. Mobile Device Quarantine in Exchange Server 2010 Exchange Server 2010 SP2 allows you to manage mobile devices based on model or family Each mobile device can be in one of three states: • Allowed • Blocked • Quarantined You can use ECP or EMS to manage Device Access Rules
  • 40. Demonstration: How to Configure Exchange ActiveSync Policies In this demonstration, you will see how to: • Configure Exchange ActiveSync mailbox policies • Configure user accounts for Exchange ActiveSync
  • 41. Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync Exercise 1: Configuring Outlook Web App Exercise 2: Configuring Exchange ActiveSync Logon information Estimated time: 50 minutes
  • 42. Lab Scenario To enable client access to the server, your organization has decided to enable both Outlook Web App and Exchange ActiveSync for its users. However, the security officer at A. Datum Corporation has defined security requirements for the Outlook Web App and Exchange ActiveSync deployment. Therefore, you need to enable the security features for both Outlook Web App and Exchange ActiveSync.
  • 43. Lab Review • What additional steps can you take to enhance the security for the Outlook Web App and Exchange ActiveSync connections in your organization? • How would you modify the procedures in this lab if you needed to ensure that users cannot download attachments using Outlook Web App?
  • 44. Module Review and Takeaways • Review Questions • Common Issues and Troubleshooting Tips • Real-World Issues and Scenarios • Best Practices • Tools
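
The Autodiscover and troubleshooting slides above call for verifying Client Access server certificates and testing client autoconfiguration. The following PowerShell is an added example, not part of the course material: it parses an Autodiscover response and reports every URL that is not HTTPS or whose host name is missing from the certificate's subject alternative names. The response XML, the SAN list, the name autodiscover.adatum.com and both function names are constructed for illustration.

```powershell
# Added example. Everything below is constructed sample data for illustration.

# Subject alternative names on the certificate assigned to IIS. On an Exchange
# server, Get-ExchangeCertificate lists them in the CertificateDomains property.
$CertificateDomains = @('mail.adatum.com', 'autodiscover.adatum.com', 'van-ex1.adatum.com')

# Autodiscover response XML, trimmed to the elements this check reads.
$AutodiscoverResponse = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Protocol>
        <Type>EXCH</Type>
        <Server>van-ex1.adatum.com</Server>
        <ASUrl>https://van-ex1.adatum.com/EWS/Exchange.asmx</ASUrl>
        <EcpUrl>https://van-ex2.adatum.com/ecp/</EcpUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.adatum.com</Server>
        <ASUrl>https://mail.adatum.com/EWS/Exchange.asmx</ASUrl>
        <OABUrl>http://mail.adatum.com/OAB/</OABUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Test-NameCoveredBySan {
    # True when $HostName equals a SAN entry or matches a wildcard entry.
    # A wildcard covers exactly one left-most label: *.adatum.com matches
    # mail.adatum.com, but not a.b.adatum.com and not adatum.com.
    param([string]$HostName, [string[]]$SanList)
    $name = $HostName.ToLowerInvariant()
    foreach ($san in $SanList) {
        $entry = $san.ToLowerInvariant()
        if ($entry -eq $name) { return $true }
        if ($entry.StartsWith('*.')) {
            $suffix = $entry.Substring(1)          # ".adatum.com"
            if ($name.EndsWith($suffix, [System.StringComparison]::Ordinal)) {
                $left = $name.Substring(0, $name.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-AutodiscoverFinding {
    # Emits one object per URL (and per Outlook Anywhere proxy name) found in
    # the response, with a Finding of 'ok' or a list of problems.
    param([string]$ResponseXml, [string[]]$SanList)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null      # do not resolve external entities or DTDs
    $doc.LoadXml($ResponseXml)
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('r', 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a')

    foreach ($protocol in $doc.SelectNodes('//r:Protocol', $ns)) {
        $typeNode = $protocol.SelectSingleNode('r:Type', $ns)
        if ($typeNode -eq $null) { continue }
        $type = $typeNode.InnerText.Trim()
        foreach ($node in $protocol.SelectNodes('.//*')) {
            $isUrl = $node.LocalName -like '*Url'
            # The EXPR <Server> is the Outlook Anywhere (RPC over HTTPS) proxy,
            # so its name must be on the certificate too. The EXCH <Server> is
            # reached over MAPI/RPC and is not checked here.
            $isProxy = ($type -eq 'EXPR' -and $node.LocalName -eq 'Server')
            if (-not ($isUrl -or $isProxy)) { continue }

            $value = $node.InnerText.Trim()
            $problems = @()
            $hostName = $value
            if ($isUrl) {
                $uri = $null
                if ([System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)) {
                    $hostName = $uri.Host
                    if ($uri.Scheme -ne 'https') { $problems += 'not HTTPS' }
                } else {
                    $hostName = ''
                    $problems += 'not an absolute URL'
                }
            }
            if ($hostName -and -not (Test-NameCoveredBySan -HostName $hostName -SanList $SanList)) {
                $problems += 'host name missing from certificate'
            }
            if ($problems.Count -eq 0) { $finding = 'ok' } else { $finding = $problems -join '; ' }
            New-Object PSObject -Property @{
                Protocol = $type; Setting = $node.LocalName; Host = $hostName; Finding = $finding
            }
        }
    }
}

Get-AutodiscoverFinding -ResponseXml $AutodiscoverResponse -SanList $CertificateDomains |
    Select-Object Protocol, Setting, Host, Finding | Format-Table -AutoSize
```

On a live deployment the two inputs would be the certificate's SAN list and the XML that Outlook's Test E-mail AutoConfiguration feature displays for a mailbox.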

Editor's Notes

  1. Module 4: Managing Client Access Course 10135B Presentation: 100 minutes Lab: 110 minutes After completing this module, students will be able to: Configure the Client Access server role; Configure client access services for Microsoft® Office Outlook® clients; Configure Microsoft Office Outlook Web App; Configure Mobile Messaging access to Exchange Server mailboxes. Required materials: To teach this module, you need the Microsoft Office PowerPoint® file 10135B_04.ppt. Important: We recommend that you use PowerPoint 2002 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly. Preparation tasks: To prepare for this module: Read all of the materials for this module. Practice performing the demonstrations and the lab exercises. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance. Note about the demonstrations: To prepare for the demonstrations, start the 10135B-VAN-DC1 virtual machine and log on to the server before starting the other virtual machines. To save time during the demonstrations, log on to the Exchange servers and open the Exchange Server management tools before starting the demonstrations. Additionally, connect to the Outlook Web App site on the Exchange servers, and then log on as Administrator. It can take more than a minute to open the management tools and Outlook Web App for the first time. Important: If you are using Windows Server® 2008 R2 as the host operating system, complete the following steps before starting VAN-CL1. 1. In the Hyper-V® Management console, in the Virtual Machines pane, right-click 10135B-VAN-CL1, and click Settings. 2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK. This step is required in order for the Windows Mobile® Device emulator to communicate on the virtual network.
  4. Use the diagram on the slide to show how different clients connect to the Microsoft® Exchange Server 2010 mailboxes. Stress that all clients use the Client Access server role. If you have students in the class with Microsoft® Exchange Server 2003 experience, compare the Client Access server role to the front-end server role in Exchange Server 2003. Both provide similar functionality, but the Client Access server also provides additional functionality, such as Remote Procedure Call (RPC) Client Access Services, and Exchange Web Services. If you have students in class who are familiar with Microsoft® Exchange Server 2007 Client Access servers, point out that there is one very significant architectural change to the Client Access server in Exchange Server 2010. In Exchange Server 2007, MAPI clients such as Outlook 2007 connected directly to Mailbox servers when accessing the user mailbox. All of this functionality has been moved to the Client Access server, which now runs the RPC Client Access Services component. In Exchange Server 2010, MAPI clients connect directly to the Client Access server, and clients never directly communicate with the Mailbox servers. Mention that this has several advantages, such as: All clients now use the same mailbox access architecture. For organizations that have deployed highly-available mailbox servers, the client outages in situations where a mailbox database fails over to another server have been reduced. When a mailbox fails over to another server, the Client Access Server is notified, and the client connections will be redirected to the new server within seconds. You now can move Mailboxes from one Mailbox server to another while the user is online and connected to the mailbox. The new architecture supports more concurrent client connections to the mailbox server. Students may ask how the new Exchange Server 2010 Client Access server architecture interacts with previous versions of Exchange Server. Tell the students that this will be covered in Module 12.
  5. Use the diagram on the slide to discuss how Client Access works when an organization has multiple Active Directory® Directory Service (AD DS) sites. Stress that if an organization only has one site that is accessible from the Internet, then using a proxy for client requests is the only option. Also highlight that only Outlook Web App connections can be redirected. Discuss the configuration options that are required for users to access the Client Access servers from the Internet. Mention that you must configure external names for all Client Access servers that are going to be accessible from the Internet, and that the external names must be resolvable through Domain Name System (DNS).
  6. Describe the considerations for deploying a Client Access Server. Stress that without a Client Access Server in each site where there is a mailbox server, users will not be able to access their mailboxes. Describe the different deployment options, and discuss scenarios where organizations might deploy each option: Single server with other Exchange server roles: typical scenario would be a small organization or a branch office in a large organization. Dedicated server: typical scenario would be a medium-sized organization. Multiple dedicated servers in an array: typically, only large organizations or organizations with very high availability requirements will use this option.
  7. Preparation: Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-EX2 virtual machines are running. Log on to the virtual machines as Administrator using the password Pa$$w0rd. Demonstration Steps: On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console. In the Exchange Management Console, expand Microsoft Exchange On-Premises (van-ex1.adatum.com), expand Organization Configuration, and then click Client Access. You apply client access settings to all Client Access servers and mailboxes while in the Organization Configuration node. In the details pane, click the Outlook Web App Mailbox Policies tab. On this tab, you can define Outlook Web App Mailbox policies that will configure the user experience with Outlook Web App. Notice that Exchange defines a default policy, which it does not assign to any users. In the details pane, click the Exchange ActiveSync Mailbox Policies tab. On this tab, you can define Exchange ActiveSync Mailbox policies that will configure the user experience when they connect to the Exchange servers using a mobile device. Notice that Exchange defines a default policy, which it does not assign to any users. In the left pane, expand Server Configuration, and then click Client Access. In this area, you can configure the settings that are specific to each Client Access server. In the details pane, ensure that VAN-EX1 is selected, and in the Actions pane, click Properties. Click the System Settings tab, and then click the Outlook Anywhere tab. These tabs display information only, and cannot be used to configure the server settings. After you have reviewed these settings, click OK. In the results pane, ensure that the Outlook Web App tab is selected, right-click owa (Default Web Site), and then click Properties. In the owa (Default Web Site) Properties dialog box, you can configure the OWA settings for this server. After you have reviewed these settings, click OK. Click the Exchange Control Panel tab, and then double-click ecp (Default Web Site). In this dialog box, you can configure the Exchange Control Panel (ECP) virtual directory settings for this server. After you have reviewed these settings, click OK. Click the Exchange ActiveSync tab, click the Offline Address Book Distribution tab, and then click the POP3 and IMAP4 tab. In each of these locations, you can configure the Client Access server-specific settings.
  8. Question: Why would you create multiple Outlook Web App Mailbox policies or Exchange ActiveSync policies, rather than just use the default policies? Answer: If you want different users to have different experiences with Outlook Web App or Exchange ActiveSync, you would need to create additional policies. In Exchange Server 2010, the only way you can control the Outlook Web App and Exchange ActiveSync user experience is by creating policies, and then assigning the policies to users. Question: Why would you modify the server settings on one Client Access server to be different from those on another Client Access server? Answer: When you have two Client Access servers with different security or configuration requirements, you will need to modify the server-specific settings. For example, if you have an Internet-accessible Client Access server, and one that is used only for internal access, you might configure the security settings differently.
  9. Stress the importance of using server certificates with Client Access servers. If server certificates and Secure Sockets Layer (SSL) are not used, user credentials and message contents might be passed in clear text. While discussing the authentication options, mention that the default configuration for Outlook Web App is to use Forms-based authentication. Also, explain the importance of implementing an application layer firewall such as TMG in front of Exchange. Question: Ask students if they can think of situations where they might need to change the default authentication option. Answer: The most common scenario for changing the default authentication option is to support Web browsers or clients that do not support forms-based authentication. Most current clients do support forms-based authentication, but some older clients may need to use basic authentication with Secure Sockets Layer (SSL).
  10. While deploying a Client Access server, one of the most important decisions messaging administrators must make is how to configure the certificates on the server. Making the right server certificate choices can have a significant impact on the user experience. While discussing the certification authority (CA) options, mention that each Exchange Server 2010 server automatically issues a self-signed certificate when Exchange is installed. Discuss the limitations of using this certificate. Discuss why subject alternative names are needed for CAs, and what the alternative to using subject alternative names in certificates is (multiple websites). Add the point that you can now use the New Exchange Certificate Wizard to create certificates with correct names. Question: Describe the two CA options, and then ask the students to discuss the benefits and disadvantages of each option. Answer: The two options are a public CA, and a private, internal CA. The main benefit of using the public CA is that the certificates are trusted by all Web browsers, including mobile devices. The disadvantage of the public CA is that you have to pay for the certificates. The main benefits of the private CA are that the certificates are free, and you have complete control of the CA environment. However, no clients will trust the private CA certificates by default, and so you have to take extra steps to make sure they are trusted. Stress the importance of choosing the right server names when requesting a certificate. Discuss the concept of subject alternative names, and describe how these will be very important when requesting a Client Access certificate, because the server may use several different names for client connections.
  11. While you demonstrate the New Exchange Certificate Wizard, describe the different protocols that can be configured in the wizard, and how each protocol could use a different server name. After installing the certificate, show how those server names are listed in the Subject Alternative Name field. Preparation: Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-EX2 virtual machines are running. Log on to the virtual machines as Administrator using the password Pa$$w0rd. Demonstration Steps: On VAN-EX1, if required, open the Exchange Management Console. In the left pane, click Server Configuration, and then click Client Access. In the Actions pane, click Configure External Client Access Domain. You can use this feature to configure the external domain name for Client Access servers in the organization. On the Configure External Client Access Domain page, type mail.Adatum.com as the domain name, and then click Add. In the Select Client Access Server dialog box, press Ctrl, click both VAN-EX1 and VAN-EX2, and then click OK. Click Configure. In the Microsoft Exchange dialog box or boxes, click Yes. This dialog box appears when the name that you are configuring as the external client access domain name cannot be resolved in DNS. Click Finish. In the results pane, ensure that VAN-EX1 is selected, and then in the results pane, double-click owa (Default Web Site). On the General tab, verify that the External URL field has been changed to https://mail.adatum.com/owa, then click OK. In the left pane, click Server Configuration. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization. On the Introduction page, type ADatum Mail Certificate as the friendly name for the certificate, and then click Next. On the Domain Scope page, click Next. You can select the Enable wildcard certificate check box, and enter a root domain if you would like to apply the certificate automatically to all subdomains by creating a wildcard certificate. On the Exchange Configuration page, expand Client Access server (Outlook Web App), and then select both the Outlook Web App is on the Intranet and Outlook Web App is on the Internet check boxes.
  12. Expand Client Access server (Exchange ActiveSync), and then select the Exchange Active Sync is enabled check box. Expand Client Access server (Web Services, Outlook Anywhere, and Autodiscover). Enter mail.adatum.com as the external host name. Ensure that the Autodiscover used on the Internet check box is selected, and that the Long URL option is selected, and then click Next. On the Certificate Domains page, click Next. On the Organization and Location page, enter the following information: Organization: A Datum; Organization Unit: Messaging; Country/region: Canada; City/locality: Vancouver; State/province: BC. Click Browse, type CertRequest as the File name, and then click Save. Click Next, click New, and then click Finish. Click the Folder icon on the task bar, and then click Documents. Right-click CertRequest.req, and then click Open. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK. In the Open with dialog box, click Notepad, and then click OK. In the CertRequest.req – Notepad window, press Ctrl-A to select all the text, and then press Ctrl-C to save the text to the clipboard. Close Notepad. Click Start, click All Programs, and then click Internet Explorer. Connect to http://van-dc1.adatum.com/certsrv. Log on as Adatum\administrator using the password Pa$$w0rd. On the Welcome page, click Request a certificate. On the Request a Certificate page, click advanced certificate request. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  13. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press Ctrl+V to paste the certificate request information into the field. In the Certificate Template list, click Web Server, and then click Submit. On the Certificate Issued page, click Download certificate. In the File Download dialog box, click Save. Click Open. In the Certificate dialog box, on the Details tab, click Subject Alternative Name. Verify that the certificate includes several subject alternative names, and then click OK. In the Exchange Management Console, click Server Configuration. Under VAN-EX1, click Adatum Mail Certificate, and in the Actions pane, click Complete Pending Request. On the Complete Pending Request page, click Browse. Under Favorites, click Downloads. Click certnew.cer, and then click Open. Click Complete, and then click Finish. In the results pane, click VAN-EX1. In the bottom pane, click Adatum Mail Certificate. In the Actions pane, click Assign Services to Certificate. On the Select Servers page, verify that VAN-EX1 is listed, and then click Next. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish. Question: What would you need to change in this procedure if you were also enabling secure access to IMAP4 using a server name of IMAP4? Answer: You would need to add the IMAP4 service while running the New Exchange Certificate wizard, and make sure that you specify IMAP4.adatum.com as the server name. This name then is added to the subject alternative name attribute on the certificate. Question: How would this process change if you were requesting a certificate from an external, public CA? Answer: The process would change very little. If the public CA provided a website for requesting a certificate, you would connect to the website and upload the certificate request file. Many public CAs also support emailing the certificate request file. After receiving the certificate, you would import it on your server.
  14. Question: How many of your organizations are enabling Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) client access? Answer: Answers will vary. Many organizations have disabled these protocols for many years, while some organizations still need to provide this type of access. Based on the student responses to the question, consider how much time you want to spend on this topic. If there are no students deploying these protocols, then cover the content quickly. If several students are deploying the protocols, then consider demonstrating the POP3 and IMAP4 settings in the Exchange Control Panel.
  15. Describe throttling policies. Explain the scenario where these policies help to maintain Exchange performance. Discuss default throttling policies and Delivery Class Throttling. Also, mention that you might want to define custom throttling policies when using BlackBerry Enterprise Server. BlackBerry Enterprise Server uses a single service account to proxy all of the connections to Exchange on behalf of BlackBerry users. The side effect of this is that it’s quite likely that BES will need to have more than twenty (default limit) connections open to Exchange at a given time, and that might cause problems.
  16. Stress that all of the services that the Client Access Server role provides for internal clients can also be made available to Internet clients. This means users from the Internet can automatically be configured by using Autodiscover, and they can access the availability service, the offline address book download, and the Exchange Control Panel (ECP) from the Internet. This topic provides details on how these options are configured.
  18. Stress the importance of the Client Access server role in providing services for Outlook clients. Apart from providing access to the user mailbox by using the RPC Client Access Services, the Client Access server role manages virtually all Outlook client interaction with the Exchange servers. Mention that this slide provides an overview for this lesson, and that most of these services will be covered in more detail in the topics and demonstrations in this lesson. Question: What are the implications for server capacity planning when the Client Access Server role now provides the RPC Client Access services as well as these additional services? Answer: The load on the Client Access Server role has increased significantly from previous Exchange versions. In Exchange Server 2007, the recommended ratio of Client Access Server processors to Mailbox server processors was 1:4; in Exchange Server 2010, this ratio is 3:4. This means that organizations will have to deploy more powerful—or simply more—Client Access servers.
  19. Be prepared to spend some extra time on this topic, because the RPC Client Access Services feature is a very significant change in the Exchange server architecture. Remind students that in all previous Exchange versions, MAPI clients communicated directly with the Mailbox server role. This has changed in Exchange Server 2010, so that now messaging clients do not communicate directly with the Mailbox server. Consider briefly mentioning that this change in architecture means that the ratio of Client Access servers to Mailbox servers deployed in an organization will need to increase.
  20. Describe the process of how Autodiscover works. Consider drawing a diagram that shows a client computer, AD DS controller, a Client Access Server, and a Mailbox server. Explain the part each component plays in automatically configuring the client computer. Question: What do you have to do to configure Office Outlook 2003 clients? Answer: In most cases, with Outlook 2003, you have to manually configure the server settings in the profile. Users may not know the necessary configuration information or understand where to enter the information. However, with Autodiscover, it is conceivable that users could configure their own Outlook 2007 connectivity without any administrator or help desk intervention. Autodiscover is also useful when mailboxes are moved from one server to another. Question: When will Autodiscover be useful in your organization? Answer: Autodiscover is useful when first setting up client profiles internally, but it is also very useful for setting up client profiles for users connecting from the Internet. Both Outlook Anywhere and Exchange ActiveSync clients can be automatically configured using Autodiscover.
  21. As you start this topic, stress that for most small or medium organizations with only one AD DS site, you might never need to modify the default Autodiscover settings. The SCP is created by default whenever you install a Client Access server, and clients are automatically configured to locate and connect to the server. You might need to modify the default settings only when organizations have multiple sites, or when they want to publish Autodiscover information to the Internet. Mention that in addition to configuring the DNS records for external access, you also need to ensure that the external names are configured for all Client Access servers that will be accessible from the Internet. This point is explained later in this lesson. Also mention, and if possible demonstrate, the TestExchangeConnectivity Web site as a very useful tool for testing Autodiscover functionality. It is available at: https://www.testexchangeconnectivity.com/
  22. Use the build slide to describe how the Availability service works, and how it interacts with previous versions of Exchange Server. Mention that Exchange Server 2007 also used the availability service. Stress that the Availability service is used only by Outlook 2007 and 2010 clients, and that the service fulfills the same role as the free/busy public folders used in Exchange 2003 and older versions of Outlook. When organizations are ready, they can disable the free/busy public folders and use the Availability service exclusively. To do this, organizations must use Exchange Server 2007 or Exchange Server 2010, and Outlook 2007 or later.
  23. MailTips are a new feature in Exchange Server 2010, and students may question the importance of this feature. To encourage them to think about this feature, ask them how much time they, or the help desk personnel, spend troubleshooting nondelivery reports, and how many of those nondelivery reports are the result of user mistakes, or occur because the sender was not aware of some limitation or setting. MailTips are designed to alert users about limitations or issues that may affect the delivery of the message, thus cutting down on Help Desk calls. Mention that MailTips have some limitations when users send messages to distribution lists, as well as a maximum length. For details, refer students to this topic on the student CD.
  24. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and the 10135B-VAN-EX2 virtual machines are running. Log on to the virtual machines as Administrator using the password Pa$$w0rd . Demonstration Steps On VAN-EX1, click Start , point to All Programs , point to Microsoft Exchange Server 2010, and then click Exchange Management Shell . At the PS prompt, type Get-OrganizationConfig , and then press Enter. Review the settings for the following values: MailTipsAllTipsEnabled . Indicates if the MailTips are enabled for the organization. MailTipsMailboxSourcedTipsEnabled . Indicates if the internal MailTips are enabled. MailTipsExternalRecipientsTipsEnabled . Indicates if the external recipient MailTips are enabled. MailTipsLargeAudienceThreshold . Defines the minimum size for a distribution group before the MailTip will be triggered. At the PS prompt, type Set-OrganizationConfig –MailTipsLargeAudienceThreshold 10 , and then press Enter. Type Get-OrganizationConfig , and then press Enter. Verify that the large audience threshold has been updated. At the PS prompt, type Set-DistributionGroup Marketing –MailTip ‘The marketing team will be at a conference till next week.’ , and then press Enter. At the PS prompt, type Get-DistributionGroup ‘Marketing’ | FL MailTip* , and then press Enter. Verify that the custom MailTip has been configured. Open Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa . Log on to Outlook Web App as Adatum\Anna using the password Pa$$w0rd . Click New to create a new message. In the To box, type Marketing , and then press Ctrl + K. Confirm that the Custom MailTip for the Marketing distribution list appears. Log off from Outlook Web App and close Internet Explorer. Open Internet Explorer, and connect to https://VAN-EX1.adatum.com/ecp . Log on to Outlook Web App as Adatum\Administrator using the password Pa$$w0rd . In the Exchange Control Panel page, click Mailboxes.
  25. Question : Will you leave MailTips enabled in your organization? How will you modify the default configuration? Answer : Answers will vary. Some organizations will leave the default configuration. Other organizations may choose to disable MailTips, or modify one or more of the specific MailTips.
  26. Stress that the main purpose of Outlook Anywhere is that users can use the full Outlook client while traveling with a portable computer. This removes the need for VPN connections, POP3 or IMAP4 connections, and even Outlook Web App. If required, users can use the port information given in the communication process description for configuring firewalls. Question : Why would you use Outlook Anywhere rather than other connection options? Answer : Outlook Anywhere provides full access to the Exchange mailbox by using an HTTPS connection through the Internet. This is an alternative to using a VPN for scenarios where users only require email access. HTTPS is significantly easier to configure and maintain compared to a VPN infrastructure. The full Outlook client provides better security, and much better functionality than POP3 or IMAP4 clients. The main advantage of Outlook Anywhere over Outlook Web App is that Outlook Anywhere with cache mode enables offline access to the user mailbox while Outlook Web App only provides access to the mailbox when the user is connected to the Internet.
  27. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and 10135B-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd . Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd . Demonstration Steps On VAN-EX1, open the Exchange Management Shell. In the Exchange Management Shell, type Get-ClientAccessServer –id VAN-EX1 | FL , and then press Enter. Confirm that the AutodiscoverServiceInternalUri parameter is configured to use https://VAN-EX1.adatum.com/Autodiscover/Autodiscover.xml . On VAN-EX1, click Start , point to Administrative Tools , and then click Server Manager . Click Features . In the Features list, verify that the RPC over HTTP Proxy feature is listed. On VAN-EX1, open the Exchange Management Console. In the Exchange Management Console , expand Server Configuration , and then click Client Access . Click VAN-EX1 , and in the Actions pane, click Enable Outlook Anywhere . On the Enable Outlook Anywhere page, in the External host name field, type Mail.adatum.com . Under Client authentication method , click NTLM authentication , and then click Enable . On the Completion page, click Finish . Click Start , point to Administrative Tools , and then click Internet Information Services (IIS) Manager . Expand VAN-EX1 (ADATUM\administrator) , expand Sites , expand Default Web Site , and then click Rpc . In the center pane, in the IIS section, double-click SSL Settings . Ensure that the Require SSL check box is selected. Click Rpc , and then double-click Authentication . Ensure that Basic Authentication and Windows Authentication are enabled. Close Internet Information Services (IIS) Manager. Close all open windows, and restart VAN-EX1 . Note: You can continue with the following steps while VAN-EX1 restarts. On VAN-CL1, ensure that you are logged on as Adatum\Luca . Click Start , and then click Control Panel . In the Search field, type Mail . 
Right-click Mail , and then click Open . In the Mail Setup - Outlook dialog box, click E-mail Accounts .
  28. In the E-mail Accounts dialog box, click [email_address] , and then click Change . If you receive a warning that Microsoft Exchange is not available, click Work Offline. On the Server Settings page, click More Settings . In the Microsoft Exchange dialog box, on the Connection tab, select Connect to Microsoft Exchange using HTTP , and then click Exchange Proxy Settings . In the Microsoft Exchange Proxy Settings dialog box, complete the following information: Use this URL (https://): VAN-EX1.adatum.com Connect using SSL only: enable (default) On fast networks, connect using HTTP first, then connect using TCP/IP: enable On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default) Proxy authentication setting: NTLM Authentication (default) Note : In this demonstration, you are configuring the Outlook client to try HTTP first for all connections to the Exchange Server. However, in a production environment, you typically would select the option to connect first using HTTP on slow networks. When you use this configuration, the client uses RPC connections for the internal network, and it uses HTTP only for external networks. Click OK , and then click OK again to close the Microsoft Exchange dialog box. On the Server Settings page, click Next . On the Change Account page, click Finish . On the E-mail Accounts page, click Close , and then again click Close to close the Mail Setup - Outlook dialog box. Wait until VAN-EX1 restarts, and then log on as Administrator using the password Pa$$w0rd . On VAN-CL1, click Start , click All Programs , click Microsoft Office , and then click Microsoft Outlook 2010 . If a Microsoft Office Outlook dialog box appears, click No . Verify that the Office Outlook connection indicator states Online with Microsoft Exchange . Press and hold Ctrl, and then right-click the Office Outlook icon in the Windows 7 notification area. 
You may need to click the arrow in the Windows 7 notification area to view the Office Outlook icon. Click Connection Status . Confirm that the Conn column lists HTTPS as the connection method, and then click Close .
  29. Press and hold Ctrl, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration . In the Password field, type Pa$$w0rd . Clear the Use Guessmart and Secure Guessmart Authentication check boxes. Guessmart is used to automate the process of configuring Outlook 2010 as an IMAP4 or POP3 client. Click Test . View the information displayed on the Results tab. Point out that Exchange Server 2010 SP2 provides some more information during testing than Exchange 2010 RTM. Click the Log tab to view how the client completed Autodiscover. Close the Test E-mail AutoConfiguration dialog box. Close Microsoft Outlook, and then log off VAN-CL1.
  30. Stress that many of the troubleshooting tips apply to both internal and external clients using Outlook Anywhere. Ask students to provide other suggestions for troubleshooting Outlook client connectivity. What situations have they seen where users are having trouble connecting to Exchange? How did they resolve the issues?
  31. Exercise 1 In this exercise, students will configure Client Access servers. The main tasks for this exercise are as follows: Prepare the Windows Server 2008 CA to issue certificates with multiple subject alternative names. Configure an External Client Access Domain for VAN-EX2. Prepare a Server Certificate request for VAN-EX2. Request the certificate from the CA. Assign the IIS Exchange service to the new certificate. Verify Outlook connectivity to the Exchange Server. Exercise 2 In this exercise, students will configure Outlook Anywhere. The main tasks for this exercise are as follows: Configure a DNS record for Mail.Adatum.com. Configure Outlook Anywhere on VAN-EX2. Configure the Outlook profile to use Outlook Anywhere. Verify Outlook Anywhere connectivity.
  33. Use the questions on the slide to guide the debriefing after students have completed the lab exercises. Answers to the lab review questions will vary depending on the organizations where the students work. Question : In this lab, you configured the Client Access server to use a certificate from an internal CA. How would the steps you used in the lab change if you were using a public CA? Answer : You would still use the New Exchange Certificate wizard to create the certificate request, and then you would submit the request to the public CA. When you received the certificate file from the public CA, you would install the certificate on the Client Access server. Question : How would the steps in the lab change if you had two company locations and you had to configure Client Access server access to both locations? Answer : You would need to configure an external URL on both Client Access servers. You would also need to configure two host names in the external DNS that matched the external URL for each server. Then you would need to obtain appropriate certificates for both Client Access servers, and configure network access for the client protocols.
  35. Many of the students may already be familiar with Outlook Web App. Ask students whether they are using Outlook Web App in their organization. If they are using it, how is it being used? Answers will vary. Some organizations use Outlook Web App almost entirely for external access to email; other organizations use it as an alternative to a full MAPI client like Outlook. Mention that one of the new features in Exchange Server 2010 is that the full Outlook Web App experience is now available for browsers such as Firefox and Safari. In previous Exchange Server versions, these clients could only access some of the features that were available to Internet Explorer clients. Outlook Web App can also be used to provide access to some of the Exchange Server 2010 features that will not be available in a MAPI client until the next version of Outlook comes out. For example, the conversation view is only available in Outlook Web App, not in Outlook 2007.
  36. Mention that Outlook Web App is enabled by default on all Client Access servers in Exchange Server 2010, and that all users are configured with permission to use Outlook Web App. The default configuration is also reasonably secure, but many organizations will still want to modify many of these settings. Mention that the next demonstration will show how to configure many of the settings described in this topic.
  37. Discuss how you can control access to files attached to messages. Explain the options available for public and private computers. If time permits, demonstrate these options.
  38. While you demonstrate the configuration options, make sure that you show the default values for each setting. Discuss scenarios where you might want to change the default setting. Briefly describe the Web beacon, as it is a new feature in Exchange Server 2010. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and 10135B-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd . Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd . Demonstration Steps On VAN-EX1, click Start , point to Administrative Tools , and then click Internet Information Services (IIS) Manager . Expand VAN-EX1 (ADATUM\Administrator) , expand Sites , expand Default Web Site , and then click owa . In the center pane, and under IIS , double-click SSL Settings . Notice that SSL is required by default. Under Sites , click Default Web Site , and in the Actions pane, click Bindings . In the Site Bindings dialog box, click https , and then click Edit . Verify that the SSL certificate used for the OWA site is the certificate that you obtained in the earlier demonstration. Click OK , click Close , and then close Internet Information Services (IIS) Manager . Click Start , point to All Programs , click Microsoft Exchange Server 2010 , and then click Exchange Management Console . In the console tree, expand Microsoft Exchange On-Premises , expand Server Configuration , and then click Client Access . In the work pane, select VAN-EX1 , and in the result pane, right-click owa (Default Web Site) , and then click Properties . On the General tab, in the External URL box, type https://van-ex1.adatum.com/owa . Click the Authentication tab, and verify that Use forms-based authentication is selected. Under Logon Format , click User name only , and then click Browse . Click Adatum.com , and then click OK . Click the Segmentation tab, click All Address Lists , and then click Disable . 
The Segmentation tab allows you to enable and disable features for Outlook Web App users.
  39. Click OK , read the Microsoft Exchange Warning dialog box, and then click OK .  Click Start , point to All Programs , click Microsoft Exchange Server 2010 , and then click Exchange Management Shell . Type IISReset /noforce , and then press Enter. This allows the logon and segmentation changes to take effect. In the Exchange Management Shell, type set-owavirtualdirectory ‘owa (Default Web Site)’ –ForceSaveFileTypes .xls , and then press Enter. This command forces attachments with an .xls extension to be saved to disk before they can be opened. Any existing ForceSaveFileTypes are overwritten. The attachment control settings for file types and MIME types can be configured by using the Set-OwaVirtualDirectory cmdlet. File attachment control settings include: ActionForUnknownFileAndMIMETypes . Specifies how to handle files that are not included in other file access management lists. Files can be allowed, blocked, or force saved. AllowedFileTypes . Specifies the file extensions of attachments that the user is allowed to save locally, or view from a Web browser. AllowedMIMETypes . Specifies the MIME types of attachments that users can save locally, or view from a Web browser. BlockedFileTypes . Specifies the file extensions of attachments that are blocked. BlockedMIMETypes . Specifies the MIME types of attachments that are blocked. ForceSaveFileTypes . Specifies the file extensions of attachments that the user is forced to save locally, rather than view from a Web browser. ForceSaveMIMETypes . Specifies the MIME types of attachments that the user is forced to save locally, rather than view from a Web browser. Note : In cases where there is a conflict between management settings for file access, the following precedence applies: Allow overrides Block, and Force Save. Block overrides Force Save. For example, if you configure the doc files as both a blocked file type and an allowed file type, .doc files will be allowed. 
Type set-owavirtualdirectory ‘owa (Default Web Site)’ –GzipLevel Off , and then press Enter. This command disables GZIP compression for Outlook Web App. GZIP compression improves performance over slow network connections by compressing content. Implementing GZIP compression may slow server performance due to increased CPU utilization. Additional valid values for the GzipLevel options are High and Low. The default value is Low.
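The precedence note on slide 39 (Allow overrides Block and Force Save; Block overrides Force Save) is easy to misread when the lists overlap, so the following added example, which is not part of the course materials, resolves the effective action per extension and flags overlaps. The function names and the sample lists are hypothetical and constructed; the list parameters mirror the Set-OwaVirtualDirectory parameter names shown on the slide.

```powershell
# Added example, not from the course. Function names are hypothetical.
# Models the precedence rule stated in the slide note:
#   Allow overrides Block and Force Save; Block overrides Force Save.

function ConvertTo-NormalizedExtension {
    # Turns "doc", ".DOC" and " .doc " into ".doc" so the lists compare cleanly.
    param([string[]]$Extension)
    foreach ($e in $Extension) {
        if ($e -and $e.Trim()) { '.' + $e.Trim().TrimStart('.').ToLower() }
    }
}

function Resolve-OwaAttachmentAction {
    param(
        [Parameter(Mandatory = $true)][string]$Extension,
        [string[]]$AllowedFileTypes   = @(),
        [string[]]$BlockedFileTypes   = @(),
        [string[]]$ForceSaveFileTypes = @(),
        # Fallback for extensions that appear in none of the lists.
        [ValidateSet('Allow', 'Block', 'ForceSave')]
        [string]$ActionForUnknown = 'ForceSave'
    )

    $ext     = @(ConvertTo-NormalizedExtension $Extension)[0]
    $allowed = @(ConvertTo-NormalizedExtension $AllowedFileTypes)
    $blocked = @(ConvertTo-NormalizedExtension $BlockedFileTypes)
    $forced  = @(ConvertTo-NormalizedExtension $ForceSaveFileTypes)

    # Record every list the extension appears in, so overlaps are visible.
    $lists = @()
    if ($allowed -contains $ext) { $lists += 'Allowed' }
    if ($blocked -contains $ext) { $lists += 'Blocked' }
    if ($forced  -contains $ext) { $lists += 'ForceSave' }

    # Apply the precedence order: Allow, then Block, then Force Save.
    if     ($lists -contains 'Allowed')   { $action = 'Allow' }
    elseif ($lists -contains 'Blocked')   { $action = 'Block' }
    elseif ($lists -contains 'ForceSave') { $action = 'ForceSave' }
    else                                  { $action = $ActionForUnknown }

    New-Object PSObject -Property @{
        Extension    = $ext
        Action       = $action
        MatchedLists = ($lists -join ',')
        # An overlap means one list entry is silently ignored.
        Conflict     = ($lists.Count -gt 1)
    } | Select-Object Extension, Action, MatchedLists, Conflict
}

# Constructed sample configuration (not taken from a real server).
$config = @{
    AllowedFileTypes   = '.doc', '.pdf', '.txt'
    BlockedFileTypes   = '.doc', '.exe', '.xls'
    ForceSaveFileTypes = '.xls', '.htm'
    ActionForUnknown   = 'ForceSave'
}

'.doc', '.xls', '.exe', '.htm', '.zip' | ForEach-Object {
    Resolve-OwaAttachmentAction -Extension $_ @config
} | Format-Table -AutoSize
```

Rows with Conflict set to True are the ones to review: an extension that someone added to the blocked list still opens in the browser if it is also on the allowed list.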
  40. Type Set-OwaVirtualDirectory -identity "Owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter , and then press Enter. The possible values for FilterWebBeaconsAndHtmlForms are: UserFilterChoice . By default, this value blocks Web beacons and HTML forms, but lets the user allow Web beacons and HTML forms on individual messages. ForceFilter . This value blocks all Web beacons and HTML forms. DisableFilter . This value allows Web beacons and HTML forms. Type IISReset , and then press Enter.
  41. Point out that the Outlook Web App policies enable you to configure different Outlook Web App settings for different user accounts. In previous Exchange versions, the same Outlook Web App settings applied to all users; however, in Exchange Server 2010, you can create different policies and assign them to specific users or groups. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and 10135B-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd . Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd . Demonstration Steps On VAN-EX1, click Start , point to All Programs , click Microsoft Exchange Server 2010 , and then click Exchange Management Console . Expand Organization Configuration , and then click Client Access . In the Actions pane, click New Outlook Web App Mailbox Policy . In the New Outlook Web App Mailbox Policy page, type Marketing Policy as the policy name. In the list of features, click Change Password , and then click Disable . Click New , and then click Finish . Right-click Marketing Policy , and then click Properties . On the Public Computer File Access tab, clear all check boxes. On the Private Computer File Access tab, clear all check boxes , and then click OK . Under Recipient Configuration , click Mailbox . In the Mailbox list, double-click Paul West . On the Mailbox Features tab, click Outlook Web App , and then click Properties . Select the Outlook Web App mailbox policy check box, and then click Browse . Click Marketing Policy , and then click OK three times. Click Start , click All Programs , and then click Internet Explorer . In the address field, type https://VAN-EX1.Adatum.com/owa , and then press Enter. Log on to Outlook Web App as Adatum\Paul using the password Pa$$w0rd . On the Outlook Web App page, click Options . If prompted for authentication, log on as Adatum\Paul using the password Pa$$w0rd . 
  42. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and 10135B-VAN-CL1 virtual machines are running. Log on to the VAN-DC1 and VAN-EX1 virtual machines as Administrator using the password Pa$$w0rd . Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd . Demonstration Steps On VAN-EX1, click Start , point to Administrative Tools , and then click Internet Information Services (IIS) Manager . Expand VAN-EX1 (ADATUM\Administrator) , expand Sites , expand Default Web Site , and then click ecp . In the center pane, and under IIS , double-click SSL Settings . Notice that SSL is required by default. Close Internet Information Services (IIS) Manager . Click Start , point to All Programs , click Microsoft Exchange Server 2010 , and then click Exchange Management Console . In the console tree, expand Server Configuration , and then click Client Access . In the work pane, select VAN-EX1 , and in the result pane, click the Exchange Control Panel tab. Right-click ecp (Default Web Site) , and then click Properties . On the General tab, in the External URL box, type https://van-ex1.adatum.com/owa . This URL should match the URL used on the OWA virtual directory. Click the Authentication tab, and verify that Use forms-based authentication is selected. Click OK . On VAN-EX1, click Start , click All Programs , and then click Internet Explorer . In the address field, type https://VAN-EX1.Adatum.com/ecp , and then press Enter. Log on to the ECP as Adatum\Luca using the password Pa$$w0rd . On the Account tab, click Edit , click Contact Numbers , and in the Work phone field, type 555-5555 . Click Save , and verify that the updated phone number is listed. In the left pane, click Organize E-Mail . On the Organize E-Mail tab, users can configure Inbox Rules , and view delivery reports. In the left pane, click Groups . On the Groups tab, users can view the groups to which they belong and manage any groups that they own. 
  43. In the left pane, click Settings . On the Settings tab, users can configure several options for sending and managing email and calendaring. In the left pane, click Phone . On the Phone tab, users can manage their own mobile devices that have synchronized with Exchange Server 2010. In the left pane, click Block or Allow . On the Block or Allow tab, users can configure their Junk email settings as well as edit their safe recipients list. Close Internet Explorer.
  45. Describe Exchange ActiveSync by comparing it to Outlook Anywhere. In both cases, the connection between the client device and the Client Access server uses HTTPS. In both cases, HTTPS is used to synchronize messages so that the messages are cached locally on the mobile device. The main difference between Exchange ActiveSync and Outlook Anywhere, apart from the client connection type, is the device that is used to view the email. With Outlook Anywhere, the end device is a mobile computer, which can be a member of the internal AD DS and managed as such. With Exchange ActiveSync, the end device is a mobile client, which cannot be a member of the local domain. This means that extra features on the Exchange server are required to manage the mobile devices. Students are likely to mention BlackBerry as their current mobile solution. Be prepared to discuss advantages and disadvantages of BlackBerry vs. Exchange ActiveSync. One of the factors to consider is that Exchange ActiveSync does not require any additional infrastructure servers such as the BlackBerry Enterprise Servers.
  46. While you perform the demonstration, mention that Exchange ActiveSync is enabled by default, and the default Exchange ActiveSync policy enables access for all users. This means that if the Exchange ActiveSync virtual directory is accessible from the Internet, all users can use Exchange ActiveSync. Also mention that the default configuration is not secure, because the network traffic is not encrypted and the default policy does not enable security for the remote devices. Network traffic will be encrypted if a certificate is installed on the Client Access server, and if the default website is configured to force encryption. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, 10135B-VAN-EX2, and 10135B-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd . Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd . Important: If you are using Windows Server 2008 R2 as the host operating system, ensure that you have completed the following steps before starting VAN-CL1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135B-VAN-CL1 , and click Settings . Click Network Adapter , and select the Enable spoofing of MAC addresses check box. Click OK . This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network. Demonstration Steps On VAN-EX1, click Start , point to Administrative Tools , and then click Internet Information Services (IIS) Manager . Expand VAN-EX1 (ADATUM\Administrator) , expand Sites , expand Default Web Site , and then click Microsoft-Server-ActiveSync . In the center pane, and under IIS , double-click SSL Settings . Notice that SSL is required by default. Close Internet Information Services (IIS) Manager. Click Start , point to All Programs , click Microsoft Exchange Server 2010 , and then click Exchange Management Console . 
In the console tree, expand Microsoft Exchange On-Premises , expand Server Configuration , and then click Client Access . In the result pane, click VAN-EX1 , and in the work pane, click the Exchange ActiveSync tab. Right-click Microsoft-Server-ActiveSync , and then click Properties . Review the information on the General tab.
  47. Click the Authentication tab. Notice that Basic authentication is enabled. This is acceptable, because SSL would normally be used to secure the credentials in transit. Click the Remote File Servers tab. The options on this tab are the same as the Remote File Servers settings for accessing attachments using Outlook Web App, and are used for synchronizing file attachments. However, these options are independent of the Remote File Servers settings for accessing attachments using Outlook Web App. Click OK.
  48. Discuss options for securing mobile devices. Emphasize that each device that connects to Exchange Server should have some security policy applied. Also, point out that not all mobile operating systems support all ActiveSync policies. Question : What are the security concerns with Exchange ActiveSync? Answer : The security concerns relate to the security of the mobile device, and the security of the network connections to the Client Access server. Mobile devices are easily lost or stolen, and may contain confidential information. This means that organizations should use Exchange ActiveSync policies to restrict access to mobile devices, and be prepared to wipe mobile devices that are lost or stolen. Securing the network traffic requires that the Client Access server and all client devices be configured to use SSL. Question : What level of security will your organization require? Answer: Answers will vary. Some organizations will set very stringent requirements (or may ban Exchange ActiveSync completely). Other organizations may not require any security. Be prepared to discuss the implications of each scenario.
  49. Discuss the new features for mobile device management in Exchange Server 2010 SP2. Define what a blocked device is and what a quarantined device is. Explain some scenarios where this can be appropriate (for example, if you want to prevent users from connecting their private mobile devices to Exchange). You will show this in practice in the next demonstration.
  50. Preparation Ensure that the 10135B-VAN-DC1, 10135B-VAN-EX1, and 10135B-VAN-EX2 are running . Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd . Demonstration Steps On VAN-EX1, if required, open the Exchange Management Console . In the console tree, expand Organization Configuration , and then click Client Access . In the Actions pane, click New Exchange ActiveSync Mailbox Policy . In the Mailbox policy name box, type EAS Policy 1 . Confirm that the Allow attachments to be downloaded to device option is selected. This option is required for mobile devices to synchronize attachments and store them locally on the device. Select the Require password check box. This forces all accounts that synchronize, to have a password. Any mailboxes without a password cannot be synchronized to a mobile device when this option is enabled. There also are additional password requirements you can enable. Select the Enable password recovery check box. This will enable users to recover their Windows Mobile password through the ECP. Click New to create the mobile mailbox policy. Read the completion summary, and then click Finish . Notice the Exchange Management Shell command that was used to create the new mobile mailbox policy. Right-click EAS Policy 1 , and then click Properties . Notice that the General tab has additional options: Click the Password tab. Notice that there is an additional password option list here—Number of failed attempts allowed— that was not available when creating the mobile mailbox policy. This password option wipes the device of all data after the specified number of failed attempts. On the Sync Settings tab, review the configuration options. On the Device tab, review the configuration options. On the Device Applications tab, review the configuration options. To implement these settings, you must have an Enterprise Client Access License for each mailbox. 
On the Other tab, review the options for allowing or blocking specific applications, and then click OK . In the console tree, expand Recipient Configuration , and then click Mailbox . In the result pane, right-click Scott MacDonald , and then click Properties . Click the Mailbox Features tab, click Exchange ActiveSync , and then click Properties .
  51. In the Exchange ActiveSync Properties dialog box, click Browse . Select EAS Policy 1 , and then click OK . Click OK twice to save and apply the changes. On VAN-EX1, click Start , click All Programs , and then click Internet Explorer . In the address field, type https://VAN-EX1.Adatum.com/ecp , and then press Enter. Log on to the ECP as Adatum\Administrator using the password Pa$$w0rd . Click the Phone&Voice option in the navigation bar. Click ActiveSync Access in the central pane, and then scroll down to Device Access Rules . Click New…. In the Exchange ActiveSync Device Access Rule window, review the configuration options. Click Cancel. Click ActiveSync Device Policy and show that EAS Policy 1 also appears here. Click New…. In the New Exchange ActiveSync Device Policy window, review the configuration options, and then show that you also can create ActiveSync policies from this window.
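The password, failed-attempt wipe and attachment options walked through in the demonstration on slides 50 and 51 can be reviewed across all policies at once. The following added example is not part of the course materials: Test-EasPolicy is a hypothetical function name, the baseline of 8 failed attempts is an assumed value, and the sample policies are constructed. The property names are assumed to match the output of Get-ActiveSyncMailboxPolicy.

```powershell
# Added example, not from the course. Test-EasPolicy is a hypothetical name.
# Flags ActiveSync mailbox policies that leave synchronized devices unprotected.

function Test-EasPolicy {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Policy,
        # Assumed baseline for this example; pick the value your organization requires.
        [int]$MaxFailedAttempts = 8
    )
    process {
        $findings = @()

        if (-not $Policy.DevicePasswordEnabled) {
            $findings += 'No device password required'
            if ($Policy.AttachmentsEnabled) {
                $findings += 'Attachments are stored on devices that need no password'
            }
        }
        else {
            # The property holds either a number or the text "Unlimited".
            $attempts = 0
            $raw = [string]$Policy.MaxDevicePasswordFailedAttempts
            if (-not [int]::TryParse($raw, [ref]$attempts)) {
                if (-not $raw) { $raw = 'not set' }
                $findings += "No wipe after failed password attempts ($raw)"
            }
            elseif ($attempts -gt $MaxFailedAttempts) {
                $findings += "Wipe only after $attempts failed attempts"
            }
        }

        # Devices that cannot enforce the policy settings are let in when this is true.
        if ($Policy.AllowNonProvisionableDevices) {
            $findings += 'Devices that cannot enforce the policy may still synchronize'
        }

        New-Object PSObject -Property @{
            Policy    = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        } | Select-Object Policy, Compliant, Findings
    }
}

# Constructed sample objects standing in for Get-ActiveSyncMailboxPolicy output.
$samplePolicies = @(
    (New-Object PSObject -Property @{
        Name                            = 'Open policy (constructed)'
        DevicePasswordEnabled           = $false
        MaxDevicePasswordFailedAttempts = 'Unlimited'
        AllowNonProvisionableDevices    = $true
        AttachmentsEnabled              = $true
    }),
    (New-Object PSObject -Property @{
        Name                            = 'EAS Policy 1 (constructed)'
        DevicePasswordEnabled           = $true
        MaxDevicePasswordFailedAttempts = '8'
        AllowNonProvisionableDevices    = $false
        AttachmentsEnabled              = $true
    })
)

$samplePolicies | Test-EasPolicy | Format-Table -AutoSize -Wrap

# In the Exchange Management Shell the same function accepts the live policies:
#   Get-ActiveSyncMailboxPolicy | Test-EasPolicy
```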
  52. Exercise 1: Configuring Outlook Web App (Level 200)
In this exercise, students will configure Outlook Web App. The main tasks for this exercise are as follows:
• Configure IIS to use the Internal CA certificate.
• Configure Outlook Web App settings for all users.
• Configure an Outlook Web App Mailbox Policy for the Branch Managers.
• Verify the Outlook Web App configuration.
Exercise 2: Configuring Exchange ActiveSync (Level 200)
In this exercise, students will configure Exchange ActiveSync. The main tasks for this exercise are as follows:
1. Disable SSL for Exchange ActiveSync.
2. Verify the Exchange ActiveSync virtual directory configuration.
3. Connect to the server using Exchange ActiveSync.
4. Create a new Exchange ActiveSync mailbox policy.
5. Validate the Exchange ActiveSync mailbox policy.
6. Install a root CA on the mobile device.
7. Wipe the mobile device.
  54. Use the questions on the slide to guide the debriefing after students have completed the lab exercises.
Question: What additional steps could you take to enhance the security for the Outlook Web App and Exchange ActiveSync connections in your organization?
Answer: You could install a reverse proxy server so that clients do not connect directly to the Client Access server. Some reverse proxy solutions also support multi-factor authentication, which provides an additional level of security.
Question: How would you modify the procedures in this lab if you needed to ensure that users cannot download attachments using Outlook Web App?
Answer: You would need to block all attachment downloads on the Outlook Web App virtual directory. You could still enable WebReady Document Viewing.
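The second answer above, blocking attachment downloads while keeping WebReady Document Viewing, can be applied and checked from the shell. This is an added example, not part of the course material. It assumes the default virtual directory name on VAN-EX1, and it also covers Outlook Web App mailbox policies (such as the one created for the Branch Managers in Exercise 1) because a policy assigned to a mailbox takes precedence over the virtual directory settings.

```powershell
# Run in the Exchange Management Shell (Exchange Server 2010).
# Assumption: the default Outlook Web App virtual directory on VAN-EX1.
$owa = "VAN-EX1\owa (Default Web Site)"

# Block direct file access (attachment download) for both logon types,
# and keep WebReady Document Viewing so users can still read attachments
# as rendered HTML in the browser.
Set-OwaVirtualDirectory -Identity $owa `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $true

# Verify the virtual directory.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List Name, DirectFileAccess*, WebReadyDocumentViewingOn*

# A mailbox policy overrides the virtual directory for the users it is
# assigned to, so report any policy that still allows direct file access.
Get-OwaMailboxPolicy |
    Where-Object {
        $_.DirectFileAccessOnPublicComputersEnabled -or
        $_.DirectFileAccessOnPrivateComputersEnabled
    } |
    Format-Table Name, DirectFileAccessOnPublicComputersEnabled,
                 DirectFileAccessOnPrivateComputersEnabled -AutoSize

# Apply the same restriction to every existing mailbox policy.
Get-OwaMailboxPolicy | ForEach-Object {
    Set-OwaMailboxPolicy -Identity $_.Identity `
        -DirectFileAccessOnPublicComputersEnabled $false `
        -DirectFileAccessOnPrivateComputersEnabled $false
}
```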
  55. Review Questions
You need to ensure that users from the Internet can connect to a Client Access server by using Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access server?
Answer: You need to enable port 443 access to the Client Access server, as well as enable access to the \RPC virtual directory.
You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the exception of the Executives group. This group requires higher security settings. What should you do?
Answer: You should configure the default Exchange ActiveSync Mailbox policy with the settings for all users. You should then create a new policy for the Executive group, and assign the policy to all members of the Executive group.
You have deployed an Exchange Server 2010 server in an organization that includes several Exchange Server 2003 servers. How will Exchange Server 2010 obtain free\busy information for user mailboxes on the Exchange Server 2003 servers?
Answer: The Client Access server will query the Schedule+ Free\Busy folder on an Exchange Server 2003 server.
Common Issues Related to Client Connectivity to the Client Access Server
Identify the causes for the following common issues related to client connectivity to the Client Access server, and complete the troubleshooting tips. For answers, refer to relevant lessons in the module.
Real-World Issues and Scenarios
Your organization has two locations with an Internet connection in each location. You need to ensure that when users access their email using Outlook Web App from the Internet, they will always connect to the Client Access server in their home office.
Answer: First, configure an external URL for each Client Access server. The external URL will be the name that the clients use to connect to the server. Next, ensure that you have configured a DNS host record for each Client Access server using the external URL.
You are planning on enabling Outlook Web App, Outlook Anywhere, and Exchange ActiveSync access to your Client Access server. You want to ensure that all client connections are secure by using SSL, and that none of the clients receive errors when they connect to the Client Access server. You plan on requesting a certificate from a Public CA. What should you include in the certificate request?
Answer: You should request a certificate with multiple subject alternative names so that all client connections are supported using the protocol-specific server name. You should also include the Autodiscover name in the subject alternative names if you are enabling Autodiscover to the Internet.
You have deployed two Client Access servers in the same AD DS site. When one of the Client Access servers shuts down, users can no longer access their email. What should you do?
Answer: You should configure the Client Access servers in an array to ensure redundancy.
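For the certificate scenario above, this added example (not part of the course material) generates a request with multiple subject alternative names and then checks that every host name published to clients appears on the certificate bound to IIS. The host names mail.adatum.com and autodiscover.adatum.com and the request file path are assumptions for illustration.

```powershell
# Run in the Exchange Management Shell (Exchange Server 2010).
# Assumption: illustrative public host names; the course names only Adatum.com.
$names = "mail.adatum.com", "autodiscover.adatum.com"

# Generate a request with every client-facing name as a subject alternative name.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "cn=mail.adatum.com" `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path "C:\adatum-cas.req" -Value $request   # path is an assumption

# After the issued certificate is imported and enabled for IIS, collect the
# names it carries.
$server = "VAN-EX1"
$certNames = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() }

# Collect the host names that clients are told to use.
$published = @("autodiscover.adatum.com")               # assumed Autodiscover name
$urls  = @(Get-OwaVirtualDirectory -Server $server | ForEach-Object { $_.ExternalUrl })
$urls += @(Get-ActiveSyncVirtualDirectory -Server $server | ForEach-Object { $_.ExternalUrl })
foreach ($url in $urls) {
    if ($url) { $published += ([uri]"$url").Host }
}
foreach ($oa in @(Get-OutlookAnywhere -Server $server)) {
    if ($oa.ExternalHostname) { $published += "$($oa.ExternalHostname)" }
}

# Report each published name. The comparison is an exact match; a wildcard
# name on the certificate is not expanded here.
foreach ($name in ($published | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)) {
    $status = if ($certNames -contains $name) { "covered" } else { "MISSING from certificate" }
    "{0,-35} {1}" -f $name, $status
}
```

Any name reported as missing will produce a certificate name mismatch warning for clients that connect with it.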
  56. Best Practices for Implementing Client Connectivity to the Client Access Server
Help the students understand the best practices presented in this section. Ask students to consider these best practices in the context of their own business situations.
Tools
Point out the location from which each key tool can be installed. Let students review the function and usage of each tool on their own. Remind students that they can use this as a master list to help them gather all the tools required to facilitate their application support work.