Chapter 5
Managing the Client Access Server

Solutions in this chapter:
■ Managing the Exchange 2007 Client Access Server
■ The AutoDiscover Service
■ The Availability Service
■ Client Access Servers and the SSL Certificate Dilemma
■ Managing Outlook Anywhere
■ Managing Outlook Web Access 2007
■ Managing Exchange ActiveSync
■ Managing POP3/IMAP4
˛ Summary
˛ Solutions Fast Track
˛ Frequently Asked Questions

Introduction

The Client Access Server (CAS) replaces the front-end server we all know from Exchange 2000 and 2003 and adds some additional functionality. The CAS provides mailbox access for all types of Exchange clients except Outlook MAPI clients, which, as most of you are aware, connect directly to the Mailbox Server on which the respective mailbox is stored. This means the CAS manages access for any user who opens their mailbox using Outlook Anywhere (formerly known as RPC over HTTP), Outlook Web Access (OWA), Exchange ActiveSync (EAS), POP3, and last but not least, IMAP4.

In addition to providing client access, the CAS is responsible for supplying access to things such as automatic profile configuration, free/busy information, Out of Office (OOF) messages, the Offline Address Book (OAB), as well as Unified Messaging (UM), but only for Outlook 2007 and Outlook Web Access 2007. Only these two client versions can take advantage of the new Web-based Exchange services known as the AutoDiscover and Availability services. Legacy clients such as Outlook 2003 and earlier cannot use these two new Exchange Web services.

After reading this chapter, you should have a good understanding of how you can manage the feature set on the CAS, at both the server level and organizationwide.
Managing the Exchange 2007 Client Access Server

The Client Access Server should always be deployed on a domain-member server on the internal network, and not in the DMZ, which many thought was a security best practice for front-end servers in Exchange 2000 and 2003. This is true for several reasons. One is the fact that CAS servers communicate with Mailbox Servers using RPC traffic, and to make this work, several ports had to be opened into your network through your intranet firewall. This is not a best practice, since it makes it easier for an intruder to gain access to your Active Directory (especially since it is RPC-specific ports that must be opened!). In addition, a domain-member server has too many access rights to the other domain-member servers on the internal network for its placement in your DMZ to be justified.

Instead, it is highly recommended to publish the CAS using an Internet Security and Acceleration (ISA) Server (ISA Server 2006 is preferred) in your perimeter network. This makes it possible to have your users pre-authenticated on the ISA Server before they actually reach the internal network. A typical CAS scenario following security best practices is shown in Figure 5.1.

If you plan to split your Exchange 2007 Server roles onto different servers, bear in mind that the CAS is the first server role you should deploy. In addition, at least one CAS is required in each site in which a Mailbox Server has been deployed.

The AutoDiscover Service

Several features in Exchange Server 2007 are based on Exchange Web services. One of these services is known as the AutoDiscover service. As most of you are aware, few end-users know how to configure an Outlook profile; this is where the AutoDiscover service shines, by simplifying Outlook client deployment through creation of an automatic connection between the Exchange Server and Outlook 2007 clients.
No longer are special scripts, complex user intervention, or tools such as the Custom Installation Wizard from the Office Resource Kit needed. Before Outlook 2007 and Exchange Server 2007, information such as the name of the Exchange server and the user account and password were all required when configuring an Outlook profile. With the advent of the AutoDiscover service, all you need to enter is the e-mail address and password, and the AutoDiscover service will do the rest, automatically discovering and configuring the client’s home mailbox server information. Entering a username and password, however, is only required when you are configuring clients not logged on to the Active Directory domain. If you’re configuring an Outlook 2007 profile on a machine logged on to the Active Directory domain, AutoDiscover will fetch the domain information from the account you are logged on with, meaning you only have to click Next a few times to configure your Outlook 2007 profile. Other features provided via the AutoDiscover service are the Offline Address Books (OABs), Unified Messaging (UM) information, and Outlook Anywhere settings.

Figure 5.1 A Typical Client Access Server Scenario

As similar services did in previous versions of Outlook and Exchange, the AutoDiscover service will automatically update an Outlook profile should a user’s respective mailbox be moved to another server in the organization.

NOTE
You can read more about the new AutoDiscover Service, and how to configure Outlook 2007 using this Exchange Web service, in the following article, which is located at MSExchange.org: http://www.msexchange.org/tutorials/Uncovering-New-Outlook-2007-Discover-Service.html.
It’s not only Outlook 2007 that can take advantage of the new Web-based AutoDiscover service: Windows Mobile devices running the next versions of Windows Mobile (codenamed Crossbow [5.2] and Photon [6.0], and at the time of this writing, still in beta) can also be provisioned automatically using this service.

When the Client Access Server role is installed on an Exchange 2007 Server, a virtual IIS directory named AutoDiscover is created under the Default Web Site, as shown in Figure 5.2.

Figure 5.2 AutoDiscover Virtual Directory in IIS Manager

When you open an Outlook 2007 client, this is the virtual directory it connects to in order to download any necessary information. In addition to this virtual directory, a new object named the service connection point (SCP) is also created in Active Directory. The SCP object contains the authoritative list of AutoDiscover service URLs in the forest, and can be updated using the Set-ClientAccessServer cmdlet. Figure 5.3 illustrates what happens when Outlook 2007 connects to an Exchange 2007 server.

Figure 5.3 The AutoDiscover Service Process from an Internal Outlook Client (Outlook 2007, Domain Controller, Client Access Server, Mail Server)
1. Outlook 2007 queries the service connection point (SCP) on a Domain Controller
2. The AutoDiscover service URL is returned
3. Outlook 2007 connects to the Client Access Server using HTTPS
4. The AutoDiscover service returns the addresses of the available services (F/B, OAB, UM, OOF)

To see the URLs to each of these services in Outlook, hold down the Ctrl key and right-click your Outlook icon in the Systray. Choose Test E-mail AutoConfiguration in the context menu. In the Test E-mail AutoConfiguration window, enter your e-mail address and password and make sure you only have Use AutoDiscover ticked. Then, click Test. Outlook will now test each of the services provided by the AutoDiscover service and list the URLs it finds, as well as list any issues or errors for each.
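Steps 3 and 4 of Figure 5.3, as an added example that is not code from the book: the XML body Outlook 2007 POSTs to the AutoDiscover virtual directory, and a parser for the settings response in which the CAS hands back the Availability (ASUrl), OOF, OAB and UM addresses. The response below is constructed, the hostnames are made up, and the check for plain-HTTP URLs is this example's own addition, so an administrator can verify that the CAS only publishes HTTPS endpoints.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS_REQ = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
NS_RESP = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
URL_TAGS = ("ASUrl", "OOFUrl", "OABUrl", "UMUrl")  # Availability, OOF, OAB, UM


def build_request(email):
    """XML body Outlook 2007 POSTs to /Autodiscover/Autodiscover.xml (step 3)."""
    root = ET.Element("Autodiscover", xmlns=NS_REQ)
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = email
    ET.SubElement(req, "AcceptableResponseSchema").text = NS_RESP
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Return (action, dict). For Action=settings the dict holds the EXCH Server
    plus the service URLs (step 4); for a redirect action it holds the target."""
    ns = lambda tag: f"{{{NS_RESP}}}{tag}"
    account = ET.fromstring(xml_text).find(f".//{ns('Account')}")
    if account is None:
        raise ValueError("AutoDiscover response has no Account element")
    action = account.findtext(ns("Action"))
    if action in ("redirectAddr", "redirectUrl"):
        key = "RedirectAddr" if action == "redirectAddr" else "RedirectUrl"
        return action, {key: account.findtext(ns(key))}
    for proto in account.findall(ns("Protocol")):
        if proto.findtext(ns("Type")) == "EXCH":  # internal (MAPI) settings block
            urls = {t: proto.findtext(ns(t)) for t in URL_TAGS if proto.findtext(ns(t))}
            urls["Server"] = proto.findtext(ns("Server"))
            return action, urls
    raise ValueError("no EXCH Protocol block in settings response")


def non_https(urls):
    """Names of service URLs not served over HTTPS; a CAS should publish none."""
    return sorted(k for k in URL_TAGS if k in urls and urlparse(urls[k]).scheme != "https")


# Constructed sample of a CAS settings response (hostnames are made up).
SAMPLE_RESPONSE = f"""<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="{NS_RESP}">
    <Account><AccountType>email</AccountType><Action>settings</Action>
      <Protocol><Type>EXCH</Type><Server>mbx01.example.local</Server>
        <ASUrl>https://cas01.example.local/EWS/Exchange.asmx</ASUrl>
        <OOFUrl>https://cas01.example.local/EWS/Exchange.asmx</OOFUrl>
        <OABUrl>http://cas01.example.local/OAB/</OABUrl>
        <UMUrl>https://cas01.example.local/UnifiedMessaging/Service.asmx</UMUrl>
      </Protocol></Account></Response></Autodiscover>"""

if __name__ == "__main__":
    print(build_request("user@example.local"))
    action, urls = parse_response(SAMPLE_RESPONSE)
    print(action, urls, "plain HTTP:", non_https(urls))
```

Run against a real CAS, the same parser would be fed the body returned by an authenticated HTTPS POST of build_request() to the AutoDiscover URL found in the SCP.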
The Availability Service

Just like the AutoDiscover service, the Availability service is an Exchange Web service, which is installed by default when deploying the Client Access Server role on an Exchange 2007 server. The purpose of the Availability service is to provide secure, consistent, and up-to-date (that is, real-time!) free/busy data to clients using this service. Since only Outlook 2007 and OWA 2007 can take advantage of this new service, legacy clients (Outlook 2003 and earlier, as well as OWA 2003) still depend on a Public Folder database containing the SCHEDULE+ FREE/BUSY system folder. Because only Outlook 2007 and OWA 2007 can use the Availability service to obtain free/busy information, it’s important that Exchange 2007 be able to interact with legacy systems, too. Table 5.1 shows how free/busy data is obtained based on which client version is used and on the version of Exchange Server on which the source and target mailboxes reside.