
Exchange SQL And IIS- P67 pptx


Managing the Client Access Server • Chapter 5 307

If you need to enable or disable one of these services for thousands of users, you can make use of piping. Say you wanted to enable IMAP4 access for all users with a mailbox on a particular Exchange 2007 Server; you could type:

    Get-Mailbox -Server <servername> | Set-CASMailbox -ImapEnabled $true

Of course, this is just a simple command to show you how powerful the Exchange Management Shell is when it comes to bulk-enabling a feature for a set of users.

Summary

In this chapter, we had a look inside the services that are provided by, and can be configured for, an Exchange 2007 Server with the Client Access Server role installed. As you have seen throughout the chapter, many tasks can be performed on this server role. The CAS role is the one responsible for providing access to the AutoDiscover and Availability Services, used by features such as free/busy information, Unified Messaging, Out of Office messages, and Offline Address Books, as well as providing auto-profile settings to Outlook 2007 clients. Since the CAS replaces the earlier front-end server we know from Exchange 2000 and 2003, this server role is also responsible for proxying Internet clients such as Outlook Anywhere (formerly known as RPC over HTTP), Exchange ActiveSync devices, Outlook Web Access (OWA), and, finally, POP3 and IMAP4 to the Mailbox servers in the organization.

Solutions Fast Track

Managing the Exchange 2007 Client Access Server

- The Client Access Server role replaces the front-end server we know from Exchange 2000 and 2003, and adds some additional functionality.
- The Client Access Server is also responsible for providing access to the Offline Address Book (OAB), but only for Outlook 2007 clients—Outlook 2007 being the only client version that can take advantage of the new Web-based distribution method.
- The AutoDiscover service and the Availability service are two new Web-based services that provide functionalities such as automated profile configuration, free/busy time, meeting suggestions, and Out of Office (OOF) messages. Another Web-based service on the CAS is the Unified Messaging (UM) service, which provides automatic UM settings in Outlook 2007.
- The Client Access Server should always be deployed on a domain-member server, on the internal network, and not in the DMZ (which many thought was a security best practice for Exchange 2000 or 2003 front-end servers).

The AutoDiscover Service

- The AutoDiscover service simplifies Outlook client deployment by creating an automatic connection between Exchange Server and Outlook 2007 clients without the need for using special scripts, complex user intervention, or tools such as the Custom Installation Wizard from the Office Resource Kit.
- If you’re configuring an Outlook 2007 profile on a machine logged on to the Active Directory, AutoDiscover will fetch the domain account information from the logged-on user credentials, meaning you only have to click Next a few times and that’s it.
- When the Client Access Server role is installed on an Exchange 2007 Server, a virtual IIS directory named AutoDiscover is created under the Default Web Site.
- When installing the CAS, a new object named the service connection point (SCP) is also created in Active Directory. The SCP object contains the authoritative list of AutoDiscover service URLs in the forest, and can be updated using the Set-ClientAccessServer cmdlet.

The Availability Service

- The purpose of the Availability service is to provide secure, consistent, and up-to-date (that is, data in real time!) free/busy data to clients using this service.
  Since only Outlook 2007 and OWA 2007 can take advantage of this new service, legacy clients such as Outlook 2003 and earlier, as well as OWA 2003, still depend on a Public Folder database containing the SCHEDULE+ FREE/BUSY system folder.
- Since only Outlook 2007 and OWA 2007 can use the Availability service to obtain free/busy information, it’s important that Exchange 2007 can interact with legacy systems, too.
- Outlook 2007 discovers the Availability Service URL using the AutoDiscover service. Actually, the AutoDiscover service is like a DNS Web Service for Outlook, since it’s used to find various services like Availability Service, UM, and OAB. It simply tells Outlook 2007 where to go when searching for these Web services.

Client Access Servers and the SSL Certificate Dilemma

- In previous versions of Exchange, you simply issued a request for an SSL certificate, and when received, assigned this certificate to the Default Web Site in the IIS Manager. But in Exchange 2007, it is a different beast when it comes to securing client connectivity to the CAS using SSL certificates.
- A default self-signed SSL certificate is assigned to the Default Web Site during the installation of the Exchange 2007 CAS role. If you take a closer look at this certificate, you’ll notice that it contains multiple subject alternative names.
- An SSL certificate that supports additional subject alternative names typically costs in the range of $600 per year.

Managing Outlook Anywhere

- Outlook Anywhere makes it possible for your end users to remotely access their mailbox from the Internet using their full Outlook client. Those of you with Exchange 2003 experience most likely know the technology behind the Outlook Anywhere feature already since Outlook Anywhere is just an improved version of RPC over HTTP.
- The technology behind Outlook Anywhere is basically the same as in Exchange 2003 since it still works by encapsulating the RPC-based MAPI traffic inside an HTTPS session, which then is directed toward the server running the RPC over HTTP proxy component on your internal network. This gives you the same functionality as you get by using the Outlook client from a machine on your internal network. When the HTTPS packets reach the RPC over HTTP proxy server, all the RPC MAPI traffic is removed from the HTTPS packets and forwarded to the respective Mailbox server.
- In order to use Outlook Anywhere, you must install a valid Secure Sockets Layer (SSL) certificate from a trusted Certificate Authority (CA) that the clients trust by default.

Managing Outlook Web Access 2007

- During the development of Exchange Server 2007, one of the goals for the Exchange Product group was to make the best Web mail client in the world even better. In order to do this, Outlook Web Access (OWA) 2007 was completely rewritten in managed code to make it scale even better and make it easier to add new features to the GUI in the future. Speaking about the GUI, one thing you’ll notice immediately is that the interface has been completely redesigned.
- OWA 2007 supports 47 different languages in total!
- Forms-based authentication is enabled by default, unlike OWA 2003 where you had to enable this feature manually.
- We can specify whether our OWA users should be able to access files from internal Windows File Shares or Windows SharePoint Services. OWA 2007 has a document access feature built right into the UI, which makes it possible for the users to access documents on any of these types of servers.
- OWA Light is the solution for all browsers and operating systems other than IE6 or IE7 on a Windows platform.
  So if you’re a Firefox, Mac, or even a Linux user, or simply just a user of something other than IE6+, this Web mail client is for you.
- The new URL for OWA 2007 is https://mobile.domain.com/owa.
- Just as with previous versions of Exchange, you can simplify the URL to OWA in order to provide an even better experience for your end users.

Managing Exchange ActiveSync

- One of the features that has really been improved in Exchange Server 2007 is, without a doubt, the Exchange ActiveSync communication protocol. Exchange Server ActiveSync is still based on the DirectPush technology (sometimes also referred to as AUTD v2) that was introduced in Exchange Server 2003 SP2. This improves the mobile messaging experience for your users by providing close to real-time over-the-air access to your e-mail messages, schedules, contacts, tasks lists, and other Exchange server mailbox data.
- DirectPush is the only method you can use when synchronizing your mailbox using Exchange ActiveSync (EAS) in Exchange Server 2007, and is therefore enabled by default. That means AUTD v1, which was based on text messaging (SMS), has been dropped.
- DirectPush works by keeping an HTTPS connection alive between a mobile device and the Exchange 2007 CAS server. Because DirectPush uses long-standing HTTPS requests, it’s important that both your mobile carrier and your firewall have their time-out value changed from the default to between 15 and 30 minutes. If a short time-out value is configured, it will cause the device to initiate a new HTTPS request much more frequently, which not only shortens battery life on your device, but becomes more expensive since more data will be transferred.
- With Exchange Server 2007, it’s possible to create multiple Exchange ActiveSync policies, giving you much more control of your mobile deployment.
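The HTTPS clients summarized so far (Outlook Anywhere, OWA, and ActiveSync) all depend on the certificate assigned to the CAS, and the SSL certificate section notes that it carries multiple subject alternative names. As an added example (not from the book), the following Exchange Management Shell script compares the names on each IIS-enabled certificate with the names clients connect to and flags self-signed or soon-to-expire certificates; the host names are placeholders and the 30-day threshold is an assumption.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell on the CAS.
# Placeholder host names: replace with the names your clients actually connect to.
$required = @('mail.example.com', 'autodiscover.example.com')
$warnDays = 30   # assumed renewal warning threshold

# Certificates that are enabled for the IIS service.
$iisCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' })

if ($iisCerts.Count -eq 0) { 'No certificate is enabled for IIS.' }

foreach ($cert in $iisCerts) {
    # Subject and subject alternative names carried by this certificate.
    $names = @($cert.CertificateDomains |
        ForEach-Object { $_.ToString().ToLower() })

    # Exact-match comparison; a wildcard name is reported as-is, not expanded.
    $missing  = @($required | Where-Object { $names -notcontains $_.ToLower() })
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days

    "Thumbprint : $($cert.Thumbprint)"
    "Names      : $($names -join ', ')"
    "Expires in : $daysLeft days"

    if ($cert.IsSelfSigned) {
        '  WARNING: self-signed; clients do not trust it by default.'
    }
    if ($daysLeft -lt $warnDays) {
        "  WARNING: expires in fewer than $warnDays days."
    }
    if ($missing.Count -gt 0) {
        "  WARNING: missing names: $($missing -join ', ')"
    }
    ''
}
```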
Managing POP3/IMAP4

- Like its predecessors, Exchange Server 2007 also supports the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4) clients, but since these client types aren’t that popular anymore (especially with the evolution of Outlook Anywhere, a superb Web mail client and EAS), they are disabled by default.
- Both the POP3 and IMAP4 protocols have been rewritten from the ground up in managed code, and are no longer dependent on the IIS component. Instead, they run as a separate Windows Service.
- Another thing worth noting about the POP3 and IMAP4 services in Exchange Server 2007 is the fact that we are limited to one POP3 or IMAP4 service per server, and the same SSL certificate must be used for all POP3 and IMAP4 connections to the respective Client Access Server.
- When the POP3 and IMAP4 services have been started, all mailbox-enabled users can access their mailbox using one of these two services. Since there might be situations where you want to lock down access to these two services to a specific set of users (for example, in a shared hosting environment), you can use the Exchange Management Shell cmdlets Set-PopSettings and Set-ImapSettings to enable or disable specific users individually.
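One way to carry out the lock-down described in the last item, as an added example that is not from the book: it reads the per-mailbox PopEnabled and ImapEnabled settings with Get-CASMailbox and changes them with Set-CASMailbox, the cmdlet used in the bulk-enable command at the start of this excerpt. The allow-list file and report paths are assumptions.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell.
# Hypothetical paths: the allow list holds one primary SMTP address per line.
$AllowFile  = 'C:\Scripts\pop-imap-allowed.txt'
$ReportFile = 'C:\Scripts\pop-imap-exposed.csv'

$allowed = @(Get-Content $AllowFile |
    ForEach-Object { $_.Trim().ToLower() } |
    Where-Object { $_ -ne '' })

# Every mailbox that is currently permitted to use POP3 or IMAP4.
$exposed = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled })

# Keep a record of the state before anything is changed.
$exposed |
    Select-Object Name, PrimarySmtpAddress, PopEnabled, ImapEnabled |
    Export-Csv -Path $ReportFile -NoTypeInformation

"{0} mailboxes have POP3 or IMAP4 enabled; {1} addresses are on the allow list." -f `
    $exposed.Count, $allowed.Count

foreach ($mbx in $exposed) {
    $smtp = $mbx.PrimarySmtpAddress.ToString().ToLower()

    # Approved users keep their current settings.
    if ($allowed -contains $smtp) { continue }

    # -WhatIf only reports what would change; remove it to apply the change.
    Set-CASMailbox -Identity $mbx.Identity `
        -PopEnabled $false -ImapEnabled $false -WhatIf
}
```

Review the exported CSV and the -WhatIf output before removing -WhatIf, since the change applies to every mailbox that is not on the allow list.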

Posted: 06/07/2014, 13:20
