Configure IT Quick: Enable Web access of Exchange accounts using Outlook Web Access

Learn how to provide on-the-road Exchange e-mail access to users without setting up a VPN.

Do you have traveling users who want to access their Exchange e-mail from the road, but you don’t want to go through the trouble of setting up VPN access for them? You can solve this problem by using Microsoft’s Outlook Web Access (OWA) for Exchange server. In this Daily Drill Down, I’ll explain some of the limitations of OWA, as well as how to install it.

What does OWA do?
OWA provides secure access to e-mail on your Microsoft Exchange server using a Web browser. This allows your organization to have identical clients on all platforms, including UNIX workstations. It also makes it inexpensive to access mail since you can download browsers for free from the Web.

Although the Web browser performs some processing on the client computer, the OWA server handles most of the processing that’s normally performed by the client. The server processes includes MAPI sessions, client logic, state information, address resolution, rendering, content conversion, and RPC communications with the Exchange server. Because of this, the server on which you install OWA must meet the following server requirements:
  • Pentium 6/200 single or dual processor
  • 256 MB of RAM, minimum
  • High-speed network connection to the Microsoft Exchange server
  • Microsoft Windows NT Server 4.0 operating system with Service Pack 4 or later
  • Microsoft Internet Information Server (IIS) (Microsoft Exchange Server 5.0 supports only IIS 3.0. Microsoft Exchange Server 5.5 supports IIS 3.0 and later.)
  • Active Server Pages (ASP)
  • Active Server components or Outlook Web Access components

It’s a good idea to test your server’s configuration by starting small. Give only about 100 users OWA and monitor your server to make sure it can support them. You may need to add more resources to the server or add more servers to handle the full load.

Each client requires a compatible browser to connect to the ASP on the OWA server. Internet Explorer 3.02, 4.0, or later (or any browser that supports frames, such as Netscape Navigator) will work, but it’s recommended that you use Internet Explorer 5.0. Otherwise, you may experience problems accessing your folder list.

OWA features
Outlook Web Access has many features, including the following:
  • Basic e-mail: You can use the Microsoft Exchange Server global address book, send and receive file attachments and hyperlinks, set message priority, request delivery, read receipts, and create folders.
  • Calendar and group scheduling access: You can create one-time and recurring appointments in a personal calendar, access day and week views, see free and busy times for multiple users, and automatically send and respond to meeting requests.
  • Public folder access: You have access to custom views in table format, and you can group and sort messages in a folder.

OWA limitations
OWA will not allow you to use advanced e-mail features. It isn’t supposed to replace the Outlook client. The following are features not available when using OWA:
  • Offline use: You must be connected to Microsoft Exchange Server to view information.
  • E-mail: You do not have access to personal address books, spell checking, or digital encryption.
  • Calendar and group scheduling: You are without the monthly view and other customized views of your calendar; you also cannot view details with Free/Busy, drag and drop to move appointments, or track acceptance of meeting attendees.
  • Public folder access: Outlook views are not in table format.
  • Collaboration applications: You cannot use Outlook 97 forms, use Microsoft Exchange Server digital encryption and signatures, or synchronize local offline folders with server folders.

Capacity planning
The number of ASP requests per second that the server can process determines the load placed on IIS by Outlook Web Access. Before installing Outlook Web Access throughout your organization, you should use Performance Monitor to measure the overall number of ASPs processed per second. If the Performance Monitor counters are consistently too high and users frequently get “server too busy” messages, you should consider adding additional Outlook Web Access servers. Some counters to keep track of in Performance Monitor are listed below:
  • The Requests Per Second counter for Active Server Pages: This should be between 10 and 15. When this counter exceeds 15 ASP requests per second, the server will respond more slowly to user requests, it will start to queue incoming user requests, and CPU usage will reach 100 percent.
  • The Requests Executing counter for Active Server Pages: If requests are executing but the IIS server is idle, you should restart the IIS server.
  • The Requests Queued counter for Active Server Pages: This should be between one and 20.
  • The Requests Total counter for Active Server Pages: This shows the total number of ASP requests started.
  • The Active Sessions counter for Active Server Pages: This shows the number of ASP sessions that are open on the IIS/Outlook Web Access Server.
  • The Sessions Time Out counter for Active Server Pages: This shows the number of ASP sessions that have timed out.
  • The Messages Rendered counter for the MSExchangeWEB component: This shows the number of messages opened by clients and helps classify the user profile.

Another recommendation is that you should dedicate one or more servers, other than your Microsoft Exchange Server, to IIS and Outlook Web Access components. However, if Outlook Web Access and Microsoft Exchange Server are not installed on the same computer, Windows NT Challenge/Response (NTLM) authentication is not supported.

The Outlook Web Access server will actually perform most of the work for connected clients. Supporting one client connection is the same as running an instance of Outlook on the Outlook Web Access server. Because of this, the Outlook Web Access server will run many active MAPI sessions to Microsoft Exchange Server. Even though a single connection will not consume many resources, many sessions will. If the number of clients increases, you can always add more Outlook Web Access servers to load balance.

Installing OWA
The installation of OWA is straightforward. You use the Exchange Server CD to start the installation. Choose to set up Exchange and its components and then choose Add/Remove. On the next screen you will be presented with the components to install or uninstall, as shown in Figure A.

Figure A
To add support for OWA, select Outlook Web Access from the Options menu.

Be sure that everything you want to install or have already installed has its check box selected. If you deselect any box, that component will be uninstalled. Click Continue and follow the directions that appear.

OWA security issues
If Outlook Web Access clients access Microsoft Exchange Server over an Internet connection, Microsoft recommends that you implement a firewall. There are two ways to implement a firewall with the OWA architecture:
  • Between IIS/OWA and Microsoft Exchange server
  • Between the client and the IIS/Outlook Web Access server

Outlook Web Access can be configured to use the following methods of user authentication:
  • Anonymous
  • Basic (clear text)
  • Basic (clear text) over Secure Sockets Layer (SSL)
  • Windows NT Challenge/Response (NTLM)

I’ll discuss each method and its advantages and disadvantages below.

Anonymous authentication allows users to use OWA without specifying a Windows NT user account name and password. The user has the rights of the default anonymous account, which is usually named IUSR_ComputerName. Anonymous authentication provides access only to resources that are published anonymously, such as public folders and directory content.

The advantages of this type of authentication are:
  • All browsers support Anonymous authentication.
  • Users are not prompted for credentials.

The disadvantages are:
  • Anonymous authentication is not secure.
  • Users can only access the Global Address List and public folders that are configured for anonymous access.

Basic (clear text)
Basic authentication requires the user to specify a valid Windows NT user account name and password in order to use OWA. Both the user name and password are transmitted as clear text over the network to the IIS/Outlook Web Access server.

The advantages of this type of authentication are:
  • All browsers support Basic authentication.
  • Users can access an unlimited number of resources, even if those resources are not on the user’s OWA server.

The disadvantages are:
  • Basic authentication is not secure because it transmits passwords across the network as unencrypted information. If you choose this method of authentication, you should also use Secure Sockets Layer, which encrypts all information passing through IIS.
  • Users are prompted for a username and password.
  • Users must be granted the Log On Locally right on IIS.

Basic (clear text) over Secure Sockets Layer
Basic authentication over SSL requires users to specify a valid Windows NT user account name and password before they can use OWA. The username and password are then transmitted as encrypted information over the network to the IIS/OWA server. Using Basic over SSL authentication also allows users to access resources that are not on the user’s OWA server.

The advantages of this type of authentication are:
  • Almost all browsers support Basic over SSL authentication.
  • Users can access all Microsoft Exchange Server resources.
  • Basic over SSL authentication is much more secure than Basic authentication without SSL.

The disadvantages include:
  • Due to the encryption, performance can be reduced.
  • Users must enter a valid username and password.
  • Users must be granted the Log on Locally right on IIS.

Windows NT Challenge/Response (NTLM) Authentication
NT Challenge/Response requires users to specify a Windows NT user account name and password before they can use OWA. The username and password are sent from the browser to the IIS server as encrypted information. The limitation of NTLM is that all resources the user can access must reside on the same server as IIS and OWA. NTLM authentication is not supported if IIS/OWA and Microsoft Exchange Server are located on different computers.

The advantages of this type of authentication include:
  • NTLM authentication is relatively secure.
  • Users are not prompted for a username or password.

The disadvantages include:
  • Users can access resources only on the IIS/OWA server.
  • Not all browsers support NTLM authentication.

Other security issues
For increased security, you should not use the Save Password feature in Internet Explorer—especially if the computer is shared among users. Also, it is a good idea to disable local caching on the browser. If caching is not disabled, the messages accessed during the previous OWA session may still remain on the local disk, which makes it possible for someone to see another user’s messages.

Users should be instructed to log off from their OWA session instead of just closing their browsers. If an OWA session is not properly shut down when the client is finished connecting to the server, the abandoned sessions will continue to consume server resources until they are timed out. Even if users log off from their OWA sessions properly, the server may still perform poorly because ASP memory cleanup happens as a background process.

In this Daily Drill Down, I’ve shown how Outlook Web Access gives you additional functionality for servicing your e-mail needs. It makes it easy for users to check messages from anywhere in the world using a browser—no additional client software is needed. Since it is simple to install and maintain, it is well worth the time and effort required to set it up.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

Editor's Picks

Free Newsletters, In your Inbox