501  Configuring Outlook Profiles by Using a PRF File For information about deploying RPC over HTTP in different Exchange Server 2003 scenarios, see the following topics in the Exchange Server 2003 RPC over HTTP Guide:  How to Deploy RPC over HTTP for the First Time on Exchange Server 2003 SP1 (Front-End/Back-End Scenario)  How to Deploy RPC over HTTP for the First Time on Exchange Server 2003 SP1, No Front-End Server  How to Deploy RPC over HTTP for the First Time on Exchange Server 2003, Front-End/Back-End Scenario  How to Deploy RPC over HTTP for the First Time on Exchange Server 2003, Front-End/Back-End Scenario, Back End on Global Catalog Server  How to Deploy RPC over HTTP for the First Time on Exchange Server 2003, No Front-End Server 502 How to Limit SecurID Authentication to the Microsoft-Exchange- ActiveSync Virtual Directory By default, the ACE/Agent is configured to protect the entire Web server. When deploying RSA SecurID in your organization, you can configure the front-end server so that RSA SecurID authentication is limited to Exchange ActiveSync. Before You Begin This procedure is only one of a series of steps that you can perform when deploying RSA SecurID two-factor authentication. Before performing the steps in this procedure, see "How to Use RSA SecurID with Exchange ActiveSync" in the Exchange Server 2003 Client Access Guide. Procedure To limit SecurID authentication to the Microsoft-Exchange- ActiveSync virtual directory 1. To disable server-wide protection, in the Internet Information Services (IIS) snap-in, right- click the default Web server, and then click Properties. 503 2. Click the RSA SecurID tab, and then clear the Protect This Resource check box. (This step ensures that RSA SecurID is not enabled for the entire server, but rather only for the virtual roots that you specify.) 3. To enable protection for the virtual directories, in the IIS snap-in, right-click the Microsoft-Server-ActiveSync v irtual directory, and then click Properties. 4. Select the RSA SecurID tab, and then select the Protect This Resource check box. Note: If the check box is selected and shaded, this means that the virtual directory is inheriting its setting from the parent directory. Inspect the properties for the parent directory, and clear the Protect This Resource check box if you do not want the parent directory to be protected. Then, return to the child directory and make sure the check box is selected. 504 For More Information For an overview of RSA SecureID, see "Configuring Exchange ActiveSync to Use RSA SecureID" in "Configuring Mobile Device Support" in the Exchange Server 2003 Client Access Guide. How to Configure Custom HTTP Responses for Devices When deploying RSA SecurID in your organization, the ActiveSync client on the Microsoft® Windows Mobile™ device must be able to distinguish between RSA SecurID authentication and Exchange ActiveSync responses. To enable this capability, you must configure custom HTTP response headers on the WebID virtual root that contains the HTML forms configured by RSA ACE/Agent. Before You Begin This procedure is only one of a series of steps that you must perform when deploying RSA SecurID two-factor authentication. Before performing the steps in this procedure, read "How to Use RSA SecurID with Exchange ActiveSync" in the Exchange Server 2003 Client Access Guide. 505 Procedure To configure custom HTTP responses for devices 1. In the IIS snap-in for MMC, locate the WebID virtual directory on the front- end server. This virtual directory is created by SecurID and contains the SecurID authentication forms and responses. 2. Right-click the WebID virtual directory, and then click Properties to open the properties for this virtual directory. 3. Click the HTTP Headers tab, click the Add button, and then enter the following header information. Note: The following value is case-sensitive and must be entered on one line. Custom Header Name: MSAS- TwoFactorAuth Custom Header Value: True Custom Header Name: MS Value: Sync,SendMail,Sma rtForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse 506 How to Enable or Disable Outlook Mobile Access at the User Level By default, Outlook Mobile Access is disabled when you install Microsoft® Exchange Server 2003. For users to use Outlook Mobile Access, you must first enable it. You enable Outlook Mobile Access for specific users or groups of users with Active Directory Users and Computers. Before You Begin You can perform this task using Active Directory Users and Computers, with or without the Exchange Task Wizard. The advantage to doing it with the Exchange Task Wizard is that you can modify the settings for multiple objects at one time. Procedure To enable or disable Outlook Mobile Access at the user level 1. Log on to the Exchange server as an Exchange administrator with the user's mailbox, and then start Active Directory Users and Computers. 2. Expand the domain, and then open the location for the users whose 507 settings that you want to modify. 3. Right-click the user or users whose Outlook Mobile Access settings you want to modify, and then select Exchange Tasks. 4. In the Exchange Task Wizard, on the Available Tasks page, select Configure Exchange Features, and then click Next. 5. On the Configure Exchange Features page, select Outlook Mobile Access, and then select one of the following:  To allow users to use Outlook Mobile Access, select Enable.  To prevent users from using Outlook Mobile Access, select Disable.  To prevent the users' settings from being modified when you have selected more than one user, select Do not Modify. 6. Click Next to apply your changes. 7. Click Finish. 508 For More Information For detailed steps for configuring Outlook Mobile Access at the organizational level, see How to Enable or Disable Outlook Mobile Access at the Organizational Level. For an overview of how to deploy Outlook Mobile Access in your organization, see "Configuring Outlook Mobile Access" in the Exchange Server 2003 Client Access Guide. How to Verify ACE/Agent is Configured to Protect the Entire Web Server When deploying RSA SecureID in your organization, you must configure Internet Information Services (IIS) to protect the virtual directories that your users access when they use Exchange ActiveSync. Microsoft® Exchange Server 2003 uses the \Microsoft-Server-ActiveSync virtual directory. This procedure shows you how to verify that the ACE/Agent is configured to protect the entire Web server. By default, the ACE/Agent is configured to protect the entire Web server. 509 Before You Begin This procedure is only one of a series of steps that you must perform when deploying RSA SecurID two-factor authentication. Before performing the steps in this procedure, see "How to Use RSA SecurID with Exchange ActiveSync" in the Exchange Server 2003 Client Access Guide. If you do not want to protect the entire Web server with RSA SecurID, you configure the RSA ACE/Agent so that SecurID protects only Exchange ActiveSync. You may want to do this if you intend to enable additional services, such as Outlook Web Access and Outlook Mobile Access, on the same server without protecting those services with SecurID. For detailed steps for how to limit RSA SecurID authentication to Exchange ActiveSync, see How to Limit SecurID Authentication to the Microsoft- Exchange-ActiveSync Virtual Directory. Procedure To verify ACE/Agent is configured to protect the entire Web server 1. In the Internet Information Services snap-in for MMC, right-click the 510 default Web server and select Properties. 2. Click the RSA SecurID tab, and verify that the Protect This Resource check box is selected. For More Information For an overview of RSA SecureID, see "Configuring Exchange ActiveSync to Use RSA SecureID" in "Configuring Mobile Device Support" in the Exchange Server 2003 Client Access Guide. How to Enable or Disable Outlook Mobile Access at the Organizational Level By default, Outlook Mobile Access is disabled when you install Microsoft® Exchange Server 2003. For users to use Outlook Mobile Access, you must first enable it. You enable Outlook Mobile Access at the organizational level using Exchange System Manager. . different Exchange Server 2003 scenarios, see the following topics in the Exchange Server 2003 RPC over HTTP Guide:  How to Deploy RPC over HTTP for the First Time on Exchange Server 2003 SP1. Time on Exchange Server 2003, Front-End/Back-End Scenario, Back End on Global Catalog Server  How to Deploy RPC over HTTP for the First Time on Exchange Server 2003, No Front-End Server. RPC over HTTP for the First Time on Exchange Server 2003 SP1, No Front-End Server  How to Deploy RPC over HTTP for the First Time on Exchange Server 2003, Front-End/Back-End Scenario 