  • Module 4: Managing Client Access
    Course 10135A
    Presentation: 100 minutes
    Lab: 110 minutes
    After completing this module, students will be able to:
    1. Configure the Client Access server role
    2. Configure client access services for Microsoft® Office Outlook® clients
    3. Configure Microsoft Office Outlook Web App
    4. Configure Mobile Messaging access to Exchange Server mailboxes
    Required materials
    To teach this module, you need the Microsoft Office PowerPoint® file 10135A_04.ppt.
    Important: We recommend that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.
    Preparation tasks
    To prepare for this module:
    1. Read all of the materials for this module.
    2. Practice performing the demonstrations and the lab exercises.
    3. Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
    Note about the demonstrations: To prepare for the demonstrations, start the 10135A-VAN-DC1 virtual machine and log on to the server before starting the other virtual machines. To save time during the demonstrations, log on to the Exchange servers and open the Exchange Server management tools before starting the demonstrations. Additionally, connect to the Outlook Web App site on the Exchange servers, and then log on as Administrator. It can take more than a minute to open the management tools and Outlook Web App for the first time.
    Important: If you are using Windows Server 2008 R2 as the host operating system, complete the following steps before starting VAN-CL1.
    1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings.
    2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK.
    This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network.
    Make sure that students are aware that the Course Companion CD has additional information and resources for the module.
  • Use the diagram on the slide to show how different clients connect to Microsoft Exchange Server 2010 mailboxes. Stress that all clients use the Client Access server role.
    If you have students in the class with Microsoft Exchange Server 2003 experience, compare the Client Access server role to the front-end server role in Exchange Server 2003. Both provide similar functionality, but the Client Access server also provides additional functionality, such as Remote Procedure Call (RPC) Client Access Services and Exchange Web Services.
    If you have students in class who are familiar with Microsoft Exchange Server 2007 Client Access servers, point out that there is one very significant architectural change to the Client Access server in Exchange Server 2010. In Exchange Server 2007, MAPI clients such as Outlook 2007 connected directly to Mailbox servers when accessing the user mailbox. All of this functionality has been moved to the Client Access server, which now runs the RPC Client Access Services component. In Exchange Server 2010, MAPI clients connect directly to the Client Access server, and clients never communicate directly with the Mailbox servers. Mention that this has several advantages:
    1. All clients now use the same mailbox access architecture.
    2. For organizations that have deployed highly available Mailbox servers, client outages when a mailbox database fails over to another server have been reduced. When a mailbox fails over to another server, the Client Access server is notified, and the client connections are redirected to the new server within seconds.
    3. You can now move mailboxes from one Mailbox server to another while the user is online and connected to the mailbox.
    4. The new architecture supports more concurrent client connections to the Mailbox server.
    Students may ask how the new Exchange Server 2010 Client Access server architecture interacts with previous versions of Exchange Server. Tell the students that this will be covered in Module 12.
  • Use the diagram on the slide to discuss how Client Access works when an organization has multiple Active Directory® directory service sites. Stress that if an organization has only one site that is accessible from the Internet, then proxying client requests is the only option. Also highlight that only Outlook Web App connections can be redirected.
    Discuss the configuration options that are required for users to access the Client Access servers from the Internet. Mention that you must configure external names for all Client Access servers that are going to be accessible from the Internet, and that the external names must be resolvable through Domain Name System (DNS).
  • Describe the considerations for deploying a Client Access server. Stress that without a Client Access server in each site where there is a Mailbox server, users will not be able to access their mailboxes. Describe the different deployment options, and discuss scenarios where organizations might deploy each option:
    1. Single server with other Exchange server roles: the typical scenario is a small organization or a branch office in a large organization.
    2. Dedicated server: the typical scenario is a medium-sized organization.
    3. Multiple dedicated servers in an array: typically, only large organizations or organizations with very high availability requirements will use this option.
  • Preparation
    Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to the virtual machines as Administrator using the password Pa$$w0rd.
    Demonstration Steps
    1. On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
    2. In the Exchange Management Console, expand Microsoft Exchange On-Premises (van-ex1.adatum.com), expand Organization Configuration, and then click Client Access. You apply client access settings to all Client Access servers and mailboxes while in the Organization Configuration node.
    3. In the details pane, click the Outlook Web App Mailbox Policies tab. On this tab, you can define Outlook Web App mailbox policies that configure the user experience with Outlook Web App. Notice that Exchange defines a default policy, which it does not assign to any users.
    4. In the details pane, click the Exchange ActiveSync Mailbox Policies tab. On this tab, you can define Exchange ActiveSync mailbox policies that configure the user experience when users connect to the Exchange servers using a mobile device. Notice that Exchange defines a default policy, which it does not assign to any users.
    5. In the left pane, expand Server Configuration, and then click Client Access. In this area, you can configure the settings that are specific to each Client Access server.
    6. In the details pane, ensure that VAN-EX1 is selected, and in the Actions pane, click Properties. Click the System Settings tab, and then click the Outlook Anywhere tab. These tabs display information only, and cannot be used to configure the server settings. After you have reviewed these settings, click OK.
    7. In the results pane, ensure that the Outlook Web App tab is selected, right-click owa (Default Web Site), and then click Properties. In the owa (Default Web Site) Properties dialog box, you can configure the OWA settings for this server. After you have reviewed these settings, click OK.
    8. Click the Exchange Control Panel tab, and then double-click ecp (Default Web Site). In this dialog box, you can configure the Exchange Control Panel (ECP) virtual directory settings for this server. After you have reviewed these settings, click OK.
    9. Click the Exchange ActiveSync tab, click the Offline Address Book tab, and then click the POP3 and IMAP4 tab. In each of these locations, you can configure the Client Access server-specific settings.
  • Question: Why would you create multiple Outlook Web App mailbox policies or Exchange ActiveSync policies, rather than just use the default policies?
    Answer: If you want different users to have different experiences with Outlook Web App or Exchange ActiveSync, you need to create additional policies. In Exchange Server 2010, the only way you can control the Outlook Web App and Exchange ActiveSync user experience is by creating policies, and then assigning the policies to users.
    Question: Why would you modify the server settings on one Client Access server to be different from the settings on another Client Access server?
    Answer: When you have two Client Access servers with different security or configuration requirements, you need to modify the server-specific settings. For example, if you have an Internet-accessible Client Access server and one that is used only for internal access, you might configure the security settings differently.
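The following is an added example, not part of the course notes, showing how the point in the first answer above looks from the Exchange Management Shell: a non-default Outlook Web App mailbox policy and a non-default Exchange ActiveSync mailbox policy are created and then assigned to one mailbox. The policy names and the choice of the lab user Anna are illustrative assumptions; the cmdlets and parameters are standard Exchange Server 2010 ones.

```powershell
# Added example, not part of the course notes: create non-default Outlook Web
# App and Exchange ActiveSync mailbox policies and assign them to a mailbox.
# Runs in the Exchange Management Shell. Policy names and the mailbox "Anna"
# are assumptions for illustration.

# 1. Review what exists. The "Default" policies are the ones the console shows.
Get-OwaMailboxPolicy        | Format-Table Name, DirectFileAccessOnPublicComputersEnabled -AutoSize
Get-ActiveSyncMailboxPolicy | Format-Table Name, DevicePasswordEnabled, MaxInactivityTimeDeviceLock -AutoSize

# 2. A stricter OWA policy for users who log on from shared or public machines:
#    no attachment download to the local disk, documents viewed in the browser.
New-OwaMailboxPolicy -Name "Kiosk Users"
Set-OwaMailboxPolicy -Identity "Kiosk Users" `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true

# 3. An ActiveSync policy that requires a device PIN, locks the device after
#    five minutes idle, wipes it after eight failed PINs, and refuses devices
#    that cannot enforce the policy they are sent.
New-ActiveSyncMailboxPolicy -Name "Managed Phones" `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -AllowSimpleDevicePassword $false `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false

# 4. Assign both policies to one mailbox. Mailboxes with no policy assigned
#    are not affected by either new policy.
Set-CASMailbox -Identity Anna -OwaMailboxPolicy "Kiosk Users" -ActiveSyncMailboxPolicy "Managed Phones"

# 5. Confirm the assignment.
Get-CASMailbox -Identity Anna | Format-List Name, OwaMailboxPolicy, ActiveSyncMailboxPolicy
```

Assigning a policy per mailbox, rather than changing the server-wide virtual directory settings, is what lets an Internet-facing and an internal-only population get different behaviour from the same Client Access servers.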
  • Stress the importance of using server certificates with Client Access servers. If server certificates and Secure Sockets Layer (SSL) are not used, user credentials and message contents might be passed in clear text. While discussing the authentication options, mention that the default configuration for Outlook Web App is to use forms-based authentication.
    Question: Ask students if they can think of situations where they might need to change the default authentication option.
    Answer: The most common scenario for changing the default authentication option is to support Web browsers or clients that do not support forms-based authentication. Most current clients do support forms-based authentication, but some older clients may need to use basic authentication with SSL.
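Added example (not from the course) for the certificate and authentication point above: audit the authentication methods and external URLs on every Outlook Web App virtual directory from the Exchange Management Shell, flag any external URL that is not HTTPS, and then switch one server from forms-based to basic authentication for a client that cannot use the logon form. The server name VAN-EX1 and the virtual directory name are the lab's; the warning text is this example's own.

```powershell
# Added example: audit Outlook Web App authentication on every Client Access
# server, then switch one server to basic authentication for a legacy client.
# Run in the Exchange Management Shell. Server and directory names (VAN-EX1,
# "owa (Default Web Site)") are the course lab names, assumed here.

# 1. Which authentication methods does each OWA virtual directory accept?
Get-OwaVirtualDirectory |
    Format-Table Server, FormsAuthentication, BasicAuthentication,
                 WindowsAuthentication, ExternalUrl -AutoSize

# 2. Flag any directory whose external URL is not HTTPS. Forms-based and basic
#    authentication both carry the password in the request (form body or
#    Authorization header), so without SSL it crosses the network in clear text.
Get-OwaVirtualDirectory |
    Where-Object { $_.ExternalUrl -ne $null -and $_.ExternalUrl.Scheme -ne 'https' } |
    ForEach-Object { Write-Warning "$($_.Identity): external URL $($_.ExternalUrl) is not HTTPS" }

# 3. Legacy client that cannot post the forms-based logon page: turn forms
#    authentication off and basic authentication on for this one server.
#    Forms-based authentication takes precedence while it is enabled, so it
#    must be disabled for basic authentication to be offered.
Set-OwaVirtualDirectory -Identity "VAN-EX1\owa (Default Web Site)" `
    -FormsAuthentication $false -BasicAuthentication $true

# 4. Confirm the change, then recycle IIS so the new settings take effect.
Get-OwaVirtualDirectory -Server VAN-EX1 |
    Format-List Identity, FormsAuthentication, BasicAuthentication
iisreset /noforce
```

Step 3 is the "older client" case from the answer; it is only acceptable because step 2 has confirmed the directory is reached over HTTPS, which is why the audit runs first.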
  • While deploying a Client Access server, one of the most important decisions messaging administrators must make is how to configure the certificates on the server. Making the right server certificate choices can have a significant impact on the user experience.
    While discussing the certificate authority (CA) options, mention that each Exchange Server 2010 server automatically issues itself a self-signed certificate when Exchange is installed. Discuss the limitations of using this certificate. Discuss why subject alternative names are needed in certificates issued by CAs, and what the alternative to using subject alternative names in certificates is (multiple Web sites). Also point out that you can now use the New Exchange Certificate Wizard to create certificate requests with the correct names.
    Question: Describe the two CA options, and then ask the students to discuss the benefits and disadvantages of each option.
    Answer: The two options are a public CA and a private, internal CA. The main benefit of using a public CA is that its certificates are trusted by all Web browsers, including those on mobile devices. The disadvantage of a public CA is that you have to pay for the certificates. The main benefits of a private CA are that the certificates are free and you have complete control of the CA environment. However, no clients trust the private CA's certificates by default, so you have to take extra steps to make sure they are trusted.
    Stress the importance of choosing the right server names when requesting a certificate. Discuss the concept of subject alternative names, and describe how these are very important when requesting a Client Access certificate, because the server may use several different names for client connections.
  • While you demonstrate the New Exchange Certificate Wizard, describe the different protocols that can be configured in the wizard, and how each protocol could use a different server name. After installing the certificate, show how those server names are listed in the Subject Alternative Name field.
    Preparation
    Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to the virtual machines as Administrator using the password Pa$$w0rd.
    Demonstration Steps
    1. On VAN-DC1, click Start, in the search box, type cmd.exe, and then press ENTER. By default, the Windows Server 2008 CA does not issue certificates with multiple subject alternative names, so you need to modify the CA configuration.
    2. At the command prompt, type the following command, and then press ENTER:
       certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    3. At the command prompt, type net stop certsvc & net start certsvc, and then press ENTER.
    4. On VAN-EX1, if required, open the Exchange Management Console. In the left pane, click Server Configuration, and then click Client Access.
    5. In the Actions pane, click Configure External Client Access Domain. You can use this feature to configure the external domain name for Client Access servers in the organization.
    6. On the Configure External Client Access Domain page, type mail.Adatum.com as the domain name, and then click Add. In the Select Client Access Server dialog box, press CTRL, click both VAN-EX1 and VAN-EX2, and then click OK. Click Configure.
    7. In the Microsoft Exchange dialog box or boxes, click Yes. This dialog box appears when the name that you are configuring as the external client access domain name cannot be resolved in DNS. Click Finish.
    8. In the results pane, ensure that VAN-EX1 is selected, and then in the results pane, double-click owa (Default Web Site). On the General tab, verify that the External URL field has been changed to https://mail.adatum.com/owa, and then click OK.
    9. In the left pane, click Server Configuration. In the Actions pane, click New Exchange Certificate to open the New Exchange Certificate Wizard. This wizard helps you determine what type of certificates you need for your Exchange organization.
    10. On the Introduction page, type ADatum Mail Certificate as the friendly name for the certificate, and then click Next.
  • 1. On the Domain Scope page, click Next. You can select the Enable wildcarding for this certificate check box and enter a root domain if you would like to apply the certificate automatically to all subdomains by creating a wildcard certificate.
    2. On the Exchange Configuration page, expand Client Access server (Outlook Web App), and then select both the Outlook Web App is on the Intranet and Outlook Web App is on the Internet check boxes.
    3. Expand Client Access server (Exchange ActiveSync), and then select the Exchange Active Sync is enabled check box.
    4. Expand Client Access server (Web Services, Outlook Anywhere, and Autodiscover). Enter mail.adatum.com as the external host name. Ensure that the Autodiscover used on the Internet check box is selected and that the Long URL option is selected, and then click Next.
    5. On the Certificate Domains page, click Next.
    6. On the Organization and Location page, enter the following information:
       Organization: A Datum
       Organizational Unit: Messaging
       Country/region: Canada
       City/locality: Vancouver
       State/province: BC
    7. Click Browse, type CertRequest as the File name, and then click Save. Click Next, click New, and then click Finish.
    8. Click the Folder icon on the task bar, and then click Documents. Right-click CertRequest.req, and then click Open. In the Windows dialog box, click Select a program from a list of installed programs, and then click OK. In the Open with dialog box, click Notepad, and then click OK.
  • 1. In the CertRequest.req – Notepad window, press CTRL+A to select all the text, and then press CTRL+C to copy the text to the clipboard. Close Notepad.
    2. Click Start, click All Programs, and then click Internet Explorer. Connect to http://van-dc1.adatum.com/certsrv. Log on as Adatum\administrator using the password Pa$$w0rd.
    3. On the Welcome page, click Request a certificate. On the Request a Certificate page, click advanced certificate request.
    4. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded CMC or PKCS#7 file.
    5. On the Submit a Certificate Request or Renewal Request page, click in the Saved Request field, and then press CTRL+V to paste the certificate request into the field. In the Certificate Template list, click Web Server, and then click Submit.
    6. On the Certificate Issued page, click Download certificate. In the File Download dialog box, click Save. In the Save As dialog box, click Save. Saving the file may take more than a minute.
    7. In the Download complete dialog box, click Open. In the Certificate dialog box, on the Details tab, click Subject Alternative Name. Verify that the certificate includes several subject alternative names, and then click OK.
    8. In the Exchange Management Console, click Server Configuration. Under VAN-EX1, click Adatum Mail Certificate, and in the Actions pane, click Complete Pending Request.
    9. On the Complete Pending Request page, click Browse. Under Favorites, click Downloads. Click certnew.cer, and then click Open. Click Complete, and then click Finish.
    10. In the results pane, click VAN-EX1. In the bottom pane, click Adatum Mail Certificate. In the Actions pane, click Assign Services to Certificate.
    11. On the Select Servers page, verify that VAN-EX1 is listed, and then click Next. On the Select Services page, select the Internet Information Services check box, click Next, click Assign, and then click Finish.
  • Question: What would you need to change in this procedure if you were also enabling secure access to IMAP4 using a server name of IMAP4?
    Answer: You would need to add the IMAP4 service while running the New Exchange Certificate Wizard, and make sure that you specify IMAP4.adatum.com as the server name. This name would then be added to the SAN attribute on the certificate.
    Question: How would this process change if you were requesting a certificate from an external public CA?
    Answer: The process would change very little. If the public CA provided a Web site for requesting a certificate, you would connect to the Web site, and then upload the certificate request file. Many public CAs also support e-mailing the certificate request file. After receiving the certificate, you would import it on your server.
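The certificate demonstration and the first answer above, as an added example that is not part of the course: the same request is built from the Exchange Management Shell with every client-facing name (including the IMAP4 name from the question) in the subject alternative name list, submitted to the lab CA with certreq, completed, assigned to IIS and IMAP, and verified. Host names are the lab's; the CA common name is written as the placeholder <CA-NAME> because the notes do not give it, and the file paths under C:\ are assumptions.

```powershell
# Added example (not the course's own steps): the certificate demonstration
# done from the Exchange Management Shell on VAN-EX1, plus the CA change that
# the demonstration makes on VAN-DC1. Lab names are used; the CA common name
# <CA-NAME> is a placeholder and the C:\ paths are assumptions.

# --- On VAN-DC1: allow the enterprise CA to honour SAN attributes in requests
#     (the notes run this at cmd.exe; Restart-Service replaces net stop/start).
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Restart-Service certsvc

# --- On VAN-EX1: generate the request. Every name a client may connect to
#     must be in the SAN list; IMAP4 is included per the question above.
$names = "mail.adatum.com", "autodiscover.adatum.com",
         "van-ex1.adatum.com", "imap4.adatum.com"
$request = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -KeySize 2048 `
    -SubjectName "c=CA, s=BC, l=Vancouver, o=A Datum, ou=Messaging, cn=mail.adatum.com" `
    -DomainName $names
Set-Content -Path C:\CertRequest.req -Value $request

# Submit to the lab CA with the Web Server template; certreq writes the
# issued certificate to certnew.cer (same file name the web enrollment page used).
certreq -submit -config "van-dc1.adatum.com\<CA-NAME>" `
    -attrib "CertificateTemplate:WebServer" C:\CertRequest.req C:\certnew.cer

# Complete the pending request on the server and bind the certificate to the
# services that will present it: IIS (OWA, ECP, EWS, OAB, ActiveSync,
# Outlook Anywhere) and IMAP.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\certnew.cer -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,IMAP"

# Verify: each client-facing name appears in CertificateDomains, the issuer is
# the CA rather than the server itself, and the expiry is known.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, Services, NotAfter, IsSelfSigned
```

If the enrolled certificate does not list every name clients will use, the fix is a new request, not a client-side trust exception; a mismatched name is exactly the condition that trains users to click through certificate warnings.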
  • Question: How many of your organizations are enabling Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) client access?
    Answer: Answers will vary. Many organizations have had these protocols disabled for many years, while some organizations still need to provide this type of access.
    Based on the student responses to the question, consider how much time you want to spend on this topic. If no students are deploying these protocols, then cover the content quickly. If several students are deploying the protocols, then consider demonstrating the POP3 and IMAP4 settings in the Exchange Control Panel.
  • Stress that all of the services that the Client Access server role provides for internal clients can also be made available to Internet clients. This means that users on the Internet can be configured automatically by using Autodiscover, and they can access the Availability service, the offline address book download, and the Exchange Control Panel (ECP) from the Internet. This topic provides details on how these options are configured.
  • Stress the importance of the Client Access server role in providing services for Outlook clients. Apart from providing access to the user mailbox by using the RPC Client Access Services, the Client Access server role manages virtually all Outlook client interaction with the Exchange servers. Mention that this slide provides an overview for this lesson, and that most of these services will be covered in more detail in the topics and demonstrations in this lesson.
    Question: What are the implications for server capacity planning when the Client Access server role now provides the RPC Client Access services as well as these additional services?
    Answer: The load on the Client Access server role has increased significantly from previous Exchange versions. In Exchange Server 2007, the recommended ratio of Client Access server processors to Mailbox server processors was 1:4; in Exchange Server 2010, this ratio is 3:4. This means that organizations will have to deploy more powerful—or simply more—Client Access servers.
  • Be prepared to spend some extra time on this topic, because the RPC Client Access Services feature is a very significant change in the Exchange Server architecture. Remind students that in all previous Exchange versions, MAPI clients communicated directly with the Mailbox server role. This has changed in Exchange Server 2010, so that messaging clients now do not communicate directly with the Mailbox server. Consider briefly mentioning that this change in architecture means that the ratio of Client Access servers to Mailbox servers deployed in an organization will need to increase.
  • Describe the process of how Autodiscover works. Consider drawing a diagram that shows a client computer, an Active Directory domain controller, a Client Access server, and a Mailbox server. Explain the part each component plays in automatically configuring the client computer.
    Question: What do you have to do to configure Office Outlook 2003 clients?
    Answer: In most cases, with Outlook 2003, you have to manually configure the server settings in the profile. Users may not know the necessary configuration information or understand where to enter the information. However, with Autodiscover, it is conceivable that users could configure their own Outlook 2007 connectivity without any administrator or help desk intervention. Autodiscover is also useful when mailboxes are moved from one server to another.
    Question: When will Autodiscover be useful in your organization?
    Answer: Autodiscover is useful when first setting up client profiles internally, but it is also very useful for setting up client profiles for users connecting from the Internet. Both Outlook Anywhere and Exchange ActiveSync clients can be configured automatically using Autodiscover.
  • As you start this topic, stress that for most small or medium organizations with only one Active Directory site, you might never need to modify the default Autodiscover settings. The service connection point (SCP) is created by default whenever you install a Client Access server, and clients are automatically configured to locate and connect to the server. You might need to modify the default settings only when organizations have multiple sites, or when they want to publish Autodiscover information to the Internet.
    Mention that in addition to configuring the DNS records for external access, you also need to ensure that the external names are configured for all Client Access servers that will be accessible from the Internet. This point is explained later in this lesson.
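Added example, not from the course, showing the settings this topic refers to: the Autodiscover service connection point (SCP) that each Client Access server publishes, how to scope and repoint it for a multi-site organization, and the external URLs that Internet clients receive from Autodiscover. Names (VAN-EX1, mail.adatum.com) are the lab's; the Active Directory site name Default-First-Site-Name is an assumed placeholder, as is the choice to put every service under one external host name.

```powershell
# Added example (not from the course): review and set the Autodiscover SCP and
# the external URLs that Internet clients receive from Autodiscover. Runs in
# the Exchange Management Shell. Lab names (VAN-EX1, mail.adatum.com) are
# assumed; the AD site name "Default-First-Site-Name" is a placeholder.

# 1. The SCP each server publishes in Active Directory, and the sites it serves.
#    With one site and the defaults, there is nothing to change here.
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope

# 2. Multi-site case: point the SCP at the public name that is on the server
#    certificate, and limit it to the site(s) whose clients should use this
#    server, so clients in other sites pick their local Client Access server.
Set-ClientAccessServer -Identity VAN-EX1 `
    -AutoDiscoverServiceInternalUri "https://mail.adatum.com/Autodiscover/Autodiscover.xml" `
    -AutoDiscoverSiteScope "Default-First-Site-Name"

# 3. External URLs that Autodiscover hands to Outlook Anywhere, ActiveSync and
#    OWA clients on the Internet. One HTTPS host name for all of them means a
#    single SAN certificate covers every service.
$ext = "https://mail.adatum.com"
Set-OwaVirtualDirectory         -Identity "VAN-EX1\owa (Default Web Site)" -ExternalUrl "$ext/owa"
Set-EcpVirtualDirectory         -Identity "VAN-EX1\ecp (Default Web Site)" -ExternalUrl "$ext/ecp"
Set-WebServicesVirtualDirectory -Identity "VAN-EX1\EWS (Default Web Site)" -ExternalUrl "$ext/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "VAN-EX1\OAB (Default Web Site)" -ExternalUrl "$ext/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "VAN-EX1\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "$ext/Microsoft-Server-ActiveSync"

# 4. Read back what clients will be told, and check that the names resolve.
#    Internet clients also need autodiscover.adatum.com in public DNS.
Get-WebServicesVirtualDirectory -Server VAN-EX1 | Format-List Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory  -Server VAN-EX1 | Format-List Identity, InternalUrl, ExternalUrl
nslookup mail.adatum.com
nslookup autodiscover.adatum.com
```

Every external URL set here is a name a client will compare against the certificate it is shown, which is why this step and the certificate request belong to the same change.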
  • Use the build slide to describe how the Availability service works, and how it interacts with previous Exchange Server versions. Mention that Exchange Server 2007 also used the Availability service. Stress that the Availability service is used only by Outlook 2007 clients, and that the service fulfills the same role as the free/busy public folders used in Exchange 2003 and older versions of Outlook. When organizations are ready, they can disable the free/busy public folders and use the Availability service exclusively. To do this, organizations must use Exchange Server 2007 or Exchange Server 2010, and Outlook 2007 or later.
  • MailTips are a new feature in Exchange Server 2010, and students may question the importance of this feature. To encourage them to think about this feature, ask them how much time they, or the help desk personnel, spend troubleshooting nondelivery reports, and how many of those nondelivery reports are the result of user mistakes, or of the sender not being aware of some limitation or setting. MailTips are designed to alert users about limitations or issues that may affect the delivery of the message, thus cutting down on help desk calls. Mention that MailTips have some limitations when users send messages to distribution lists, and that MailTips have a maximum length. For details, refer students to this topic on the student CD.
  • Preparation
    Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, and 10135A-VAN-EX2 virtual machines are running. Log on to the virtual machines as Administrator using the password Pa$$w0rd.
    Demonstration Steps
    1. On VAN-EX1, click Start, point to All Programs, point to Microsoft Exchange Server 2010, and then click Exchange Management Shell.
    2. At the PS prompt, type Get-OrganizationConfig, and then press ENTER. Review the settings for the following values:
       MailTipsAllTipsEnabled. Indicates that MailTips are enabled for the organization.
       MailTipsMailboxSourcedTipsEnabled. Indicates that internal MailTips are enabled.
       MailTipsExternalRecipientsTipsEnabled. Indicates that external recipient MailTips are enabled.
       MailTipsLargeAudienceThreshold. Defines the minimum size for a distribution group before the MailTip is triggered.
    3. At the PS prompt, type Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10, and then press ENTER.
    4. Type Get-OrganizationConfig, and then press ENTER. Verify that the large audience threshold has been updated.
    5. At the PS prompt, type Set-DistributionGroup Marketing -MailTip 'The marketing team will be at a conference till next week.', and then press ENTER.
    6. At the PS prompt, type Get-DistributionGroup 'Marketing' | FL MailTip*, and then press ENTER. Verify that the custom MailTip has been configured.
    7. Open Internet Explorer, and connect to https://VAN-EX1.adatum.com/owa. Log on to Outlook Web App as Adatum\Anna using the password Pa$$w0rd.
    8. Click New to create a new message. In the Untitled Message dialog box, click To, click Paul, click To, and then click OK. Press CTRL+K. Verify that the MailTip appears indicating that Anna does not have permission to send to this user.
    9. Click Remove Recipient. In the To box, type Marketing, and then press CTRL+K. Confirm that the custom MailTip for the Marketing distribution list appears.
    Question: Will you leave MailTips enabled in your organization? How will you modify the default configuration?
    Answer: Answers will vary. Some organizations will leave the default configuration. Other organizations may choose to disable MailTips, or modify one or more of the specific MailTips.
  • Stress that the main purpose of Outlook Anywhere is that users can use the full Outlook client while traveling with a portable computer. This removes the need for VPN connections, POP3 or IMAP4 connections, and even Outlook Web App. If required, users can use the port information given in the communication process description for configuring firewalls.
    Question: Why would you use Outlook Anywhere rather than other connection options?
    Answer: Outlook Anywhere provides full access to the Exchange mailbox by using an HTTPS connection through the Internet. This is an alternative to using a VPN for scenarios where users require only e-mail access. HTTPS is significantly easier to configure and maintain than a VPN infrastructure. The full Outlook client provides better security, and much better functionality, than POP3 or IMAP4 clients. The main advantage of Outlook Anywhere over Outlook Web App is that Outlook Anywhere with cached mode enables offline access to the user mailbox, while Outlook Web App provides access to the mailbox only when the user is connected to the Internet.
  • Preparation
    Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and 10135A-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
    Demonstration Steps
    1. On VAN-EX1, open the Exchange Management Shell. In the Exchange Management Shell, type Get-ClientAccessServer -id VAN-EX1 | FL, and then press ENTER. Confirm that the AutodiscoverServiceInternalUri parameter is configured to use https://VAN-EX1.adatum.com/Autodiscover/Autodiscover.xml.
    2. On VAN-EX1, click Start, point to Administrative Tools, and then click Server Manager. Click Features. In the Features list, verify that the RPC over HTTP Proxy feature is listed.
    3. On VAN-EX1, open the Exchange Management Console. In the Exchange Management Console, expand Server Configuration, and then click Client Access. Click VAN-EX1, and in the Actions pane, click Enable Outlook Anywhere.
    4. On the Enable Outlook Anywhere page, in the External host name field, type Mail.adatum.com. Under Client authentication method, click NTLM authentication, and then click Enable. On the Completion page, click Finish.
  • 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. Expand VAN-EX1 (ADATUM\administrator), expand Sites, expand Default Web Site, and then click Rpc.
    2. In the center pane, in the IIS section, double-click SSL Settings. Ensure that the Require SSL check box is selected.
    3. Click Rpc, and then double-click Authentication. Ensure that Basic Authentication and Windows Authentication are enabled. Close Internet Information Services (IIS) Manager.
    4. Close all open windows, and restart VAN-EX1.
    Note: You can continue with the following steps while VAN-EX1 restarts.
    5. On VAN-CL1, ensure that you are logged on as Adatum\Luca. Click Start, and then click Control Panel. In the Search field, type Mail. Right-click Mail, and then click Open.
    6. In the Mail Setup - Outlook dialog box, click E-mail Accounts. In the E-mail Accounts dialog box, click Microsoft Exchange, and then click Change. If you receive a warning that Microsoft Exchange is not available, click Work Offline.
    7. On the Microsoft Exchange Settings page, click More Settings. In the Microsoft Exchange dialog box, on the Connection tab, select Connect to Microsoft Exchange using HTTP, and then click Exchange Proxy Settings.
    8. In the Microsoft Exchange Proxy Settings dialog box, complete the following information:
       Use this URL (https://): VAN-EX1.adatum.com
       Connect using SSL only: enable (default)
       On fast networks, connect using HTTP first, then connect using TCP/IP: enable
       On slow networks, connect using HTTP first, then connect using TCP/IP: enable (default)
       Proxy authentication setting: NTLM Authentication (default)
    Note: In this demonstration, you are configuring the Outlook client to try HTTP first for all connections to the Exchange server. However, in a production environment, you typically would select only the option to connect first using HTTP on slow networks. With that configuration, the client uses RPC connections on the internal network, and it uses HTTP only on external networks.
• 1. Click OK, and then click OK again to close the Microsoft Exchange Server dialog box.
2. On the Microsoft Exchange Settings page, click Next.
3. On the Change E-mail Account page, click Finish.
4. On the E-mail Accounts page, click Close, and then click Close again to close the Mail Setup - Outlook dialog box.
5. Wait until VAN-EX1 restarts, and then log on as Administrator using the password Pa$$w0rd.
6. On VAN-CL1, click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007. If a Microsoft Office Outlook dialog box appears, click No.
7. Verify that the Office Outlook connection indicator states Online with Microsoft Exchange.
8. Press and hold CTRL, and then right-click the Office Outlook icon in the Windows 7 notification area. You may need to click the arrow in the notification area to view the Office Outlook icon.
9. Click Connection Status. Confirm that the Conn column lists HTTPS as the connection method, and then click Close.
10. Press and hold CTRL, and then click the Outlook icon in the notification area of the Windows task bar. Click Test E-mail AutoConfiguration.
11. In the Password field, type Pa$$w0rd. Clear the Use Guessmart and Secure Guessmart Authentication check boxes. Guessmart is used to automate the process of configuring Outlook 2010 as an IMAP4 or POP3 client.
12. Click Test. View the information displayed on the Results tab. Click the Log tab to view how the client completed Autodiscover.
13. Close the Test E-mail AutoConfiguration dialog box.
14. Close Microsoft Outlook, and then log off VAN-CL1.
Question: Will you enable Outlook Anywhere access for clients on the Internet?
Answer: Answers will vary. Many organizations enable Outlook Anywhere because it provides full mailbox access from an Outlook client while minimizing the security risk: only an HTTPS connection to the Client Access server is required. Other organizations are hesitant to enable direct access to the Client Access server, and prefer to use a VPN for all client connections from the Internet to the internal network.
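The same Outlook Anywhere configuration and verification can be done from the Exchange Management Shell. This is an added example and not part of the course notes; it uses the lab's own names (VAN-EX1, Mail.adatum.com) and assumes the Exchange 2010 RTM parameter sets for Enable-OutlookAnywhere and Test-OutlookConnectivity, plus the Windows Server 2008 R2 feature name RPC-over-HTTP-Proxy.

```powershell
# Added example (not from the course notes): the Outlook Anywhere demonstration
# above, done from the Exchange Management Shell instead of the console.
$server       = 'VAN-EX1'          # lab Client Access server
$externalHost = 'mail.adatum.com'  # external host name used on the slide

# 1. Autodiscover: the URI handed to clients must be resolvable and match a
#    name on the server certificate (same check as the FL output in step 2).
Get-ClientAccessServer -Identity $server |
    Format-List Name, AutodiscoverServiceInternalUri

# 2. The RPC over HTTP Proxy feature must be installed before Outlook Anywhere
#    can be enabled (Server Manager check in step 4). Feature name as on 2008 R2.
Import-Module ServerManager
Get-WindowsFeature RPC-over-HTTP-Proxy | Format-Table Name, Installed -AutoSize

# 3. Enable Outlook Anywhere with NTLM client authentication, as on the slide.
#    SSLOffloading stays off because the Client Access server terminates TLS.
if (-not (Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue)) {
    Enable-OutlookAnywhere -Server $server `
        -ExternalHostname $externalHost `
        -ClientAuthenticationMethod NTLM `
        -SSLOffloading $false
}

# 4. Verify the result. IISAuthenticationMethods is what the Rpc virtual
#    directory accepts; the demonstration checks the same in IIS Manager.
Get-OutlookAnywhere -Server $server |
    Format-List ServerName, ExternalHostname, ClientAuthenticationMethod,
                IISAuthenticationMethods, SSLOffloading

# 5. End-to-end check: an HTTP (Outlook Anywhere) logon using the settings
#    that Autodiscover hands out, run from the server itself.
Test-OutlookConnectivity -Protocol HTTP -GetDefaultsFromAutoDiscover $true
```

Reading the step 4 output against the slide: ClientAuthenticationMethod should be NTLM, and IISAuthenticationMethods should list Basic and NTLM, which is what the "Basic Authentication and Windows Authentication are enabled" check in IIS Manager confirms.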
• Stress that many of the troubleshooting tips apply to both internal and external clients using Outlook Anywhere. Ask students to provide other suggestions for troubleshooting Outlook client connectivity. What situations have they seen where users had trouble connecting to Exchange? How did they resolve the issues?
• Exercise 1
In this exercise, students will configure Client Access servers. The main tasks for this exercise are as follows:
1. Prepare the Windows Server 2008 CA to issue certificates with multiple subject alternative names.
2. Configure an External Client Access Domain for VAN-EX2.
3. Prepare a Server Certificate request for VAN-EX2.
4. Request the certificate from the CA.
5. Assign the IIS Exchange service to the new certificate.
6. Verify Outlook connectivity to the Exchange Server.
Exercise 2
In this exercise, students will configure Outlook Anywhere. The main tasks for this exercise are as follows:
1. Configure a DNS record for Mail.Adatum.com.
2. Configure Outlook Anywhere on VAN-EX2.
3. Configure the Outlook profile to use Outlook Anywhere.
4. Verify Outlook Anywhere connectivity.
• Use the questions on the slide to guide the debriefing after students have completed the lab exercises. Answers to the lab review questions will vary depending on the organizations where the students work.
Question: In this lab, you configured the Client Access server to use a certificate from an internal CA. How would the steps you used in the lab change if you were using a public CA?
Answer: You would still use the New Exchange Certificate wizard to create the certificate request, and then you would submit the request to the public CA. When you received the certificate file from the public CA, you would install the certificate on the Client Access server.
Question: How would the steps in the lab change if you had two company locations and you had to configure Client Access server access to both locations?
Answer: You would need to configure an external URL on both Client Access servers. You would also need to configure two host names in the external DNS that matched the external URL for each server. Then you would need to obtain appropriate certificates for both Client Access servers, and configure network access for the client protocols.
• Many of the students may already be familiar with Outlook Web App. Ask students whether they are using Outlook Web App in their organization. If they are using it, how is it being used? Answers will vary. Some organizations use Outlook Web App almost entirely for external access to e-mail; other organizations use it as an alternative to a full MAPI client like Outlook. Mention that one of the new features in Exchange Server 2010 is that the full Outlook Web App experience is now available for browsers such as Firefox and Safari. In previous Exchange Server versions, these clients could only access some of the features that were available to Internet Explorer clients. Outlook Web App can also be used to provide access to some of the Exchange Server 2010 features that will not be available in a MAPI client until the next version of Outlook comes out. For example, the conversation view is only available in Outlook Web App, not in Outlook 2007.
• Mention that Outlook Web App is enabled by default on all Client Access servers in Exchange Server 2010, and that all users are configured with permission to use Outlook Web App. The default configuration is also reasonably secure, but many organizations will still want to modify many of these settings. Mention that the next demonstration will show how to configure many of the settings described in this topic.
• Ensure that students understand that Windows SharePoint Services and Windows File Shares integration allows users to access documents stored on file shares and in Windows SharePoint Services document libraries, rather than documents stored in the Microsoft Exchange Information Store. This ensures they are viewing the latest document version. The document restrictions enabled for Windows SharePoint Services and Windows File Shares integration also affect which attachments can be viewed by Outlook Web App clients.
Question: What are the security risks of allowing Windows SharePoint Services and Windows File Shares integration?
Answer: Windows SharePoint Services and Windows File Shares integration provides external users with access to documents on Windows file shares. This is a security risk.
Question: How can you mitigate those security risks?
Answer: Separate different types of data onto different servers. Data that is suitable for external access can be stored on one server, and data that is not suitable for external access can be stored on another server. For external users, you can then allow access to only the servers storing data suitable for external access. You can also block and allow different servers depending on whether Outlook Web App is being accessed from public or private computers. However, this requires users to accurately select the correct computer type during logon.
• While you demonstrate the configuration options, make sure that you show the default values for each setting. Discuss scenarios where you might want to change the default setting. Briefly describe the Web beacon filter, as it is a new feature in Exchange Server 2010.
Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and 10135A-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
Demonstration Steps
1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click owa.
3. In the center pane, under IIS, double-click SSL Settings. Notice that SSL is required by default.
4. Under Sites, click Default Web Site, and in the Actions pane, click Bindings.
5. In the Site Bindings dialog box, click https, and then click Edit. Verify that the SSL certificate used for the OWA site is the certificate that you obtained in the earlier demonstration.
6. Click OK, click Close, and then close Internet Information Services (IIS) Manager.
7. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
8. In the console tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access.
9. In the work pane, select VAN-EX1, and in the result pane, right-click owa (Default Web Site), and then click Properties.
10. On the General tab, in the External URL box, type https://van-ex1.adatum.com/owa.
• 1. Click the Authentication tab, and verify that Use forms-based authentication is selected. Under Logon Format, click User name only, and then click Browse. Click Adatum.com, and then click OK.
2. Click the Segmentation tab, click All Address Lists, and then click Disable. The Segmentation tab allows you to enable and disable features for Outlook Web App users.
3. Click OK, read the Microsoft Exchange Warning dialog box, and then click OK.
4. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Shell.
5. Type IISReset /noforce, and then press ENTER. This allows the logon and segmentation changes to take effect.
6. In the Exchange Management Shell, type Set-OwaVirtualDirectory 'owa (Default Web Site)' -ForceSaveFileTypes .xls, and then press ENTER. This command forces attachments with a .xls extension to be saved to disk before they can be opened. Any existing ForceSaveFileTypes entries are overwritten.
The attachment control settings for file types and MIME types can be configured by using the Set-OwaVirtualDirectory cmdlet. File attachment control settings include:
ActionForUnknownFileAndMIMETypes. Specifies how to handle files that are not included in other file access management lists. Files can be allowed, blocked, or force saved.
AllowedFileTypes. Specifies the file extensions of attachments that the user is allowed to save locally, or view from a Web browser.
AllowedMIMETypes. Specifies the MIME types of attachments that users can save locally, or view from a Web browser.
BlockedFileTypes. Specifies the file extensions of attachments that are blocked.
BlockedMIMETypes. Specifies the MIME types of attachments that are blocked.
ForceSaveFileTypes. Specifies the file extensions of attachments that the user is forced to save locally, rather than view from a Web browser.
ForceSaveMIMETypes. Specifies the MIME types of attachments that the user is forced to save locally, rather than view from a Web browser.
Note: In cases where there is a conflict between management settings for file access, the following precedence applies: Allow overrides Block and Force Save; Block overrides Force Save. For example, if you configure .doc files as both a blocked file type and an allowed file type, .doc files will be allowed.
• 1. Type Set-OwaVirtualDirectory 'owa (Default Web Site)' -GzipLevel Off, and then press ENTER. This command disables Gzip compression for Outlook Web App. Gzip compression improves performance over slow network connections by compressing content. Implementing Gzip compression may slow server performance due to increased CPU utilization. Additional valid values for the GzipLevel option are High and Low. The default value is Low.
2. Type Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter, and then press ENTER. The possible values for FilterWebBeaconsAndHtmlForms are as follows:
UserFilterChoice. By default, this value blocks Web beacons and HTML forms, but lets the user allow Web beacons and HTML forms on individual messages.
ForceFilter. This value blocks all Web beacons and HTML forms.
DisableFilter. This value allows Web beacons and HTML forms.
3. Type IISReset, and then press ENTER.
4. Close the Exchange Management Shell.
After finishing the demonstration, ask the following question:
Question: What settings will you implement in your organization?
Answer: Answers will vary. A good place to begin your implementation is to examine the default configuration and verify whether it is acceptable. The default configuration is suitable for most organizations. However, some organizations have special requirements that will require changing settings such as the authentication settings or segmentation settings. For example, some organizations do not want to enable users to change their password through Outlook Web App. They can prevent users from doing this by removing the option in the segmentation settings.
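The attachment-control lists, the precedence note and the Web beacon setting from the two previous slides, combined into one Exchange Management Shell script. This is an added example and not part of the course notes; it assumes the lab's 'owa (Default Web Site)' virtual directory, uses the Exchange multivalued-property @{Add=...} syntax so the default lists are extended rather than replaced, and the Resolve-OwaAttachmentAction function is a hypothetical helper written here to make the precedence rule visible.

```powershell
# Added example (not from the course notes): OWA virtual directory attachment
# handling and Web beacon filtering, plus a helper that applies the documented
# precedence (Allow > Block > Force Save > unknown-type action) to an extension.
$owa = 'owa (Default Web Site)'

# Passing a plain list to a *FileTypes parameter replaces the whole list (the
# course note warns about this). @{Add=...} appends to the existing list instead.
Set-OwaVirtualDirectory -Identity $owa `
    -ForceSaveFileTypes @{Add = '.xls', '.doc'} `
    -BlockedFileTypes   @{Add = '.ps1', '.hta'} `
    -ActionForUnknownFileAndMIMETypes Block `
    -FilterWebBeaconsAndHtmlForms ForceFilter `
    -GzipLevel Low

# Hypothetical helper: what OWA will do with one attachment extension under the
# directory's current lists. -contains is case-insensitive for strings.
function Resolve-OwaAttachmentAction {
    param([string]$Extension, $VirtualDirectory)
    if ($VirtualDirectory.AllowedFileTypes   -contains $Extension) { return 'Allow' }
    if ($VirtualDirectory.BlockedFileTypes   -contains $Extension) { return 'Block' }
    if ($VirtualDirectory.ForceSaveFileTypes -contains $Extension) { return 'ForceSave' }
    return [string]$VirtualDirectory.ActionForUnknownFileAndMIMETypes
}

# Re-read the directory so the helper sees the saved lists, then show outcomes.
# An extension that is also in AllowedFileTypes comes back as Allow even when
# you just added it to ForceSaveFileTypes; that is the precedence rule at work.
$vdir = Get-OwaVirtualDirectory -Identity $owa
foreach ($ext in '.doc', '.xls', '.ps1', '.hta', '.xyz') {
    '{0,-6} -> {1}' -f $ext, (Resolve-OwaAttachmentAction -Extension $ext -VirtualDirectory $vdir)
}

# Apply the change, as the demonstration does.
iisreset /noforce
```

If the output shows Allow for an extension you intended to force-save or block, remove it from AllowedFileTypes with @{Remove=...} rather than adding it to more lists; the higher-precedence entry always wins.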
• Point out that the Outlook Web App policies enable you to configure different Outlook Web App settings for different user accounts. In previous Exchange versions, the same Outlook Web App settings applied to all users; however, in Exchange Server 2010, you can create different policies and assign them to specific users or groups.
Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and 10135A-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
Demonstration Steps
1. On VAN-EX1, click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
2. Expand Organization Configuration, and then click Client Access.
3. In the Actions pane, click New Outlook Web App Mailbox Policy.
4. In the New Outlook Web App Mailbox Policy page, type Marketing Policy as the policy name.
5. In the list of features, click Change Password, and then click Disable.
6. Click New, and then click Finish.
7. Right-click Marketing Policy, and then click Properties.
8. On the Public Computer File Access tab, clear all check boxes.
9. On the Private Computer File Access tab, clear all check boxes, and then click OK.
10. Under Recipient Configuration, click Mailbox.
11. In the Mailbox list, double-click Paul West.
12. On the Mailbox Features tab, click Outlook Web App, and then click Properties.
13. Select the Outlook Web App mailbox policy check box, and then click Browse.
14. Click Marketing Policy, and then click OK three times.
• 1. Click Start, click All Programs, and then click Internet Explorer.
2. In the address field, type https://VAN-EX1.Adatum.com/owa, and then press ENTER.
3. Log on to Outlook Web App as Adatum\Paul using the password Pa$$w0rd.
4. On the Outlook Web App page, click Options. If prompted for authentication, log on as Adatum\Paul using the password Pa$$w0rd.
5. In the left pane, click Settings. Notice that you do not have the option to change the user password.
6. Close Internet Explorer.
Question: How would you use Outlook Web App policies in your organization?
Answer: Answers will vary. Most organizations will probably apply the same policies to all users, but some organizations may want to provide more or fewer features to some groups within the organization.
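The Marketing Policy from this demonstration, and the public/private computer file-access mitigation discussed with the Windows SharePoint Services and Windows File Shares question earlier, as one Exchange Management Shell script. This is an added example and not part of the course notes; it assumes the lab mailbox Paul West, and the distribution group named Marketing is a hypothetical group that the course does not mention.

```powershell
# Added example (not from the course notes): create an Outlook Web App mailbox
# policy, disable the change-password feature and all file-share/SharePoint
# access from both public and private computers, then assign it to users.
$policyName = 'Marketing Policy'

if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName
}

# Segmentation: the slide disables Change Password. File access: clearing every
# check box on the Public and Private Computer File Access tabs maps to the
# Direct/WSS/UNC/WebReady settings below. Public and private are separate
# switches, which is what lets you allow UNC access only from private computers
# if your risk assessment supports that (here both are off).
Set-OwaMailboxPolicy -Identity $policyName `
    -ChangePasswordEnabled $false `
    -DirectFileAccessOnPublicComputersEnabled  $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled  $false `
    -WSSAccessOnPrivateComputersEnabled $false `
    -UNCAccessOnPublicComputersEnabled  $false `
    -UNCAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $false

# Assign to the single mailbox used in the demonstration.
Set-CASMailbox -Identity 'Paul West' -OwaMailboxPolicy $policyName

# Assign to every mailbox in a group (the 'Marketing' group is hypothetical).
Get-DistributionGroupMember -Identity 'Marketing' |
    Where-Object { $_.RecipientType -like '*Mailbox' } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -OwaMailboxPolicy $policyName }

# Verify: list the mailboxes that have any OWA mailbox policy applied.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OwaMailboxPolicy } |
    Format-Table Name, OwaMailboxPolicy -AutoSize
```

Policies only reach mailboxes they are explicitly assigned to; a mailbox with no policy keeps the settings of the owa virtual directory, so the verification step is what tells you the Marketing users actually lost the file-access options.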
• Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and 10135A-VAN-CL1 virtual machines are running. Log on to the VAN-DC1 and VAN-EX1 virtual machines as Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
Demonstration Steps
1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click ecp.
3. In the center pane, under IIS, double-click SSL Settings. Notice that SSL is required by default.
4. Close Internet Information Services (IIS) Manager.
5. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
6. In the console tree, expand Server Configuration, and then click Client Access.
7. In the work pane, select VAN-EX1, and in the result pane, click the Exchange Control Panel tab.
8. Right-click ecp (Default Web Site), and then click Properties.
9. On the General tab, in the External URL box, type https://van-ex1.adatum.com/owa. This URL should match the URL used on the OWA virtual directory.
10. Click the Authentication tab, and verify that Use forms-based authentication is selected. Click OK.
• 1. On VAN-EX1, click Start, click All Programs, and then click Internet Explorer.
2. In the address field, type https://VAN-EX1.Adatum.com/ecp, and then press ENTER.
3. Log on to the ECP as Adatum\Luca using the password Pa$$w0rd.
4. On the Account tab, click Edit, click Contact Numbers, and in the Work phone field, type 555-5555. Click Save, and verify that the updated phone number is listed.
5. In the left pane, click Organize E-Mail. On the Organize E-Mail tab, users can configure Inbox Rules and view delivery reports.
6. In the left pane, click Groups. On the Groups tab, users can view the groups to which they belong and manage any groups that they own.
7. In the left pane, click Settings. On the Settings tab, users can configure several options for sending and managing e-mail and calendaring.
8. In the left pane, click Phone. On the Phone tab, users can manage their own mobile devices that have synchronized with Exchange Server 2010.
9. In the left pane, click Block or Allow. On the Block or Allow tab, users can configure their Junk e-mail settings as well as edit their safe recipients list.
10. Close Internet Explorer.
Question: How does the ECP functionality compare with the configuration options in Outlook?
Answer: Virtually all of the configuration options that are available in Outlook can also be configured in ECP.
• Describe Exchange ActiveSync by comparing it to Outlook Anywhere. In both cases, the connection between the client device and the Client Access server uses HTTPS. In both cases, HTTPS is used to synchronize messages so that the messages are cached locally on the mobile device. The main difference between Exchange ActiveSync and Outlook Anywhere, apart from the client connection type, is the device that is used to view the e-mail. With Outlook Anywhere, the end device is a mobile computer, which can be a member of the internal Active Directory domain and managed as such. With Exchange ActiveSync, the end device is a mobile client, which cannot be a member of the local domain. This means that extra features on the Exchange server are required to manage the mobile devices. Students are likely to mention BlackBerry as their current mobile solution. Be prepared to discuss the advantages and disadvantages of BlackBerry vs. Exchange ActiveSync. One of the factors to consider is that Exchange ActiveSync does not require any additional infrastructure servers such as the BlackBerry Enterprise Servers.
• While you perform the demonstration, mention that Exchange ActiveSync is enabled by default, and the default Exchange ActiveSync policy enables access for all users. This means that if the Exchange ActiveSync virtual directory is accessible from the Internet, all users can use Exchange ActiveSync. Also mention that the default configuration is not secure, because the network traffic is not encrypted and the default policy does not enable security for the remote devices. Network traffic will be encrypted if a certificate is installed on the Client Access server, and if the default Web site is configured to force encryption.
Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and 10135A-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
Important: If you are using Windows Server 2008 R2 as the host operating system, ensure that you have completed the following steps before starting VAN-CL1.
1. In the Hyper-V Management console, in the Virtual Machines pane, right-click 10135A-VAN-CL1, and click Settings.
2. Click Network Adapter, and select the Enable spoofing of MAC addresses check box. Click OK.
This step is required in order for the Windows Mobile Device emulator to communicate on the virtual network.
Demonstration Steps
1. On VAN-EX1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand VAN-EX1 (ADATUM\Administrator), expand Sites, expand Default Web Site, and then click Microsoft-Server-ActiveSync.
3. In the center pane, under IIS, double-click SSL Settings. Notice that SSL is required by default.
4. Clear the Require SSL check box, and then click Apply.
Caution: In a production environment, you should require SSL for the Exchange ActiveSync virtual directory. You are disabling SSL only because the mobile emulator does not trust the server certificate.
5. Close Internet Information Services (IIS) Manager.
6. Click Start, point to All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
7. In the console tree, expand Microsoft Exchange On-Premises, expand Server Configuration, and then click Client Access.
8. In the result pane, click VAN-EX1, and in the work pane, click the Exchange ActiveSync tab.
9. Right-click Microsoft-Server-ActiveSync, and then click Properties. Review the information on the General tab.
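Because the lab deliberately clears Require SSL on the ActiveSync directory, a production Client Access server needs a way to find such a setting and put it back. The script below is an added example, not part of the course notes: it audits the Require SSL, Basic and Windows authentication settings of the Exchange virtual directories under Default Web Site and then re-enables SSL where it is missing. It assumes the IIS 7 WebAdministration module that ships with Windows Server 2008 R2 and the directory names used in this module; Get-ExchangeVdirSecurity is a hypothetical helper written here.

```powershell
# Added example (not from the course notes): audit and remediate Require SSL
# and authentication settings on the Exchange virtual directories in IIS.
Import-Module WebAdministration

$site  = 'Default Web Site'
$vdirs = 'owa', 'ecp', 'Rpc', 'Microsoft-Server-ActiveSync', 'Autodiscover', 'EWS', 'OAB'

# Get-WebConfigurationProperty returns a plain string for the sslFlags flags
# attribute and a ConfigurationAttribute (with .Value) for booleans; normalize.
function Get-ConfigValue($prop) {
    if ($prop -is [string]) { return $prop }
    return $prop.Value
}

# Hypothetical helper: one row per virtual directory, with a finding when
# Basic authentication (credentials only base64-encoded) is accepted without SSL.
function Get-ExchangeVdirSecurity {
    param([string]$SiteName, [string[]]$Names)
    foreach ($name in $Names) {
        $path = "IIS:\Sites\$SiteName\$name"
        if (-not (Test-Path $path)) { continue }   # not every role hosts every vdir
        $ssl   = Get-ConfigValue (Get-WebConfigurationProperty -PSPath $path `
                    -Filter 'system.webServer/security/access' -Name sslFlags)
        $basic = Get-ConfigValue (Get-WebConfigurationProperty -PSPath $path `
                    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled)
        $win   = Get-ConfigValue (Get-WebConfigurationProperty -PSPath $path `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled)
        $requireSsl = ([string]$ssl -match 'Ssl')
        New-Object PSObject -Property @{
            VirtualDirectory = $name
            RequireSSL       = $requireSsl
            BasicAuth        = [bool]$basic
            WindowsAuth      = [bool]$win
            Finding          = $(if ($basic -and -not $requireSsl) { 'Basic auth without SSL' }
                                 elseif (-not $requireSsl) { 'SSL not required' } else { '' })
        }
    }
}

$report = Get-ExchangeVdirSecurity -SiteName $site -Names $vdirs
$report | Format-Table VirtualDirectory, RequireSSL, BasicAuth, WindowsAuth, Finding -AutoSize

# Remediate: require SSL on every Exchange directory that does not already,
# which reverses the lab-only "Clear the Require SSL check box" step.
foreach ($row in ($report | Where-Object { -not $_.RequireSSL })) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$($row.VirtualDirectory)" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}
```

Run the audit again after the loop; every row should show RequireSSL True with an empty Finding column. The device-side consequence of re-enabling SSL is the one the caution describes: the emulator (or a real phone) must trust the server certificate, which the lab handles later by installing the root CA on the device.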
• 1. Click the Authentication tab. Notice that Basic authentication is enabled. This is acceptable, because SSL would normally be used to secure the credentials in transit.
2. Click the Remote File Servers tab. The options on this tab are the same as the Remote File Servers settings for accessing attachments using Outlook Web App, and are used for synchronizing file attachments. However, these options are independent of the Remote File Servers settings for accessing attachments using Outlook Web App. Click OK.
3. On VAN-CL1, click Start, point to All Programs, click Windows Mobile 6 SDK, click Standalone Emulator Images, and under US English, click WM 6.1.4 Professional.
4. While the emulator is booting, in the WM 6.1.4 Professional window, click File, and then click Configure. On the Network tab, select the Enable NE2000 PCMCIA network adapter and bind to check box, and then click OK.
5. In Windows Mobile 6 Professional, click Start, and then click Settings. Click the Connections tab, and then double-click Network Cards.
6. On the Configure Network Adapters page, under My network card connects to, click The Internet, and then click NE2000 Compatible Ethernet Driver.
7. Click Use specific IP address, and then type the following settings:
   IP address: 10.10.0.70
   Subnet mask: 255.255.0.0
   Default gateway: 10.10.0.1
8. On the Name Servers tab, type 10.10.0.10 as the DNS server address, and then click OK twice. Close the Settings window.
9. In the WM 6.1.4 Professional window, click Start, click Programs, and then click ActiveSync.
10. Read the ActiveSync information, and then click the set up your device to sync with it link.
11. On the Enter Email Address page, in the Email address box, type [email_address], and then click Next. The device will attempt to use Autodiscover to configure the user settings.
12. On the User Information page, type Scott in the User name field, type Pa$$w0rd in the Password field, type Adatum in the Domain field, and then click Next.
13. On the Edit Server Settings page, in the Server Address field, type VAN-EX1.adatum.com, and then clear the This server requires an encrypted (SSL) connection check box.
14. In the ActiveSync message window, click OK, and then click Next.
15. In the Choose the data you wish to synchronize box, click Calendar, and then click Settings.
• 1. In the Synchronize only the past list, click All, and then, in the upper-right corner, click OK.
2. In the Choose the data you wish to synchronize box, click E-mail, and then click Settings.
3. In the Download the past list, click All, and then in the upper-right corner, click OK.
4. Confirm that the Contacts, Calendar, E-mail, and Tasks check boxes are selected, and then click Finish.
5. In the ActiveSync dialog box, click OK.
6. After synchronization is complete, click the X in the upper-right corner to close ActiveSync. Close the Programs window.
7. On VAN-EX1, open Internet Explorer, and connect to https://van-ex1.adatum.com/owa. Log on as adatum\Wei using the password Pa$$w0rd.
8. Click New, in the To field, type Scott, and then press CTRL+K to resolve the name. In the Subject line, type Test Message from Wei. In the message body, type Testing mobile messaging, and then click Send.
9. On VAN-CL1, in Windows Mobile 6 Professional, wait for a minute and then notice the animated Synchronization arrows indicating that the device is synchronizing automatically, triggered by the arrival of a message in Scott's mailbox.
10. Wait for the Windows Mobile device to complete synchronization. At the bottom of the Today screen, view the notification stating that a new message has arrived. Click the notification and click View.
11. Open the message from the Inbox. Click Reply at the bottom of the message window. In the message body, type Test Reply, and then click Send.
12. Wait until the device finishes synchronizing, and then, on VAN-EX1, in Outlook Web App, click the Check Messages icon or press F5 to refresh the screen, and then confirm that the message from Scott was received.
• Students may be familiar with System Center Mobile Device Manager 2008. If you deploy this product, Windows Mobile 6.1 devices can be listed in Active Directory Domain Services and managed through Active Directory and Mobile Device Manager policies. If students have experience with this tool, ask them to compare managing mobile devices with Mobile Device Manager versus Exchange ActiveSync policies.
Question: What are the security concerns with Exchange ActiveSync?
Answer: The security concerns relate to the security of the mobile device, and the security of the network connections to the Client Access server. Mobile devices are easily lost or stolen, and may contain confidential information. This means that organizations should use Exchange ActiveSync policies to restrict access to mobile devices, and be prepared to wipe mobile devices that are lost or stolen. Securing the network traffic requires that the Client Access server and all client devices be configured to use SSL.
Question: What level of security will your organization require?
Answer: Answers will vary. Some organizations will set very stringent requirements (or may ban Exchange ActiveSync completely). Other organizations may not require any security. Be prepared to discuss the implications of each scenario.
• Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and 10135A-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
Demonstration Steps
1. On VAN-EX1, if required, open the Exchange Management Console.
2. In the console tree, expand Organization Configuration, and then click Client Access.
3. In the Actions pane, click New Exchange ActiveSync Mailbox Policy.
4. In the Mailbox policy name box, type EAS Policy 1.
5. Confirm that the Allow attachments to be downloaded to device option is selected. This option is required for mobile devices to synchronize attachments and store them locally on the device.
6. Select the Require password check box. This forces all devices that synchronize to have a password. Any device without a password cannot synchronize a mailbox when this option is enabled. There are also additional password requirements you can enable.
7. Select the Enable password recovery check box. This will enable users to recover their Windows Mobile password through the ECP.
8. Click New to create the mobile mailbox policy. Read the completion summary, and then click Finish. Notice the Exchange Management Shell command that was used to create the new mobile mailbox policy.
9. Right-click EAS Policy 1, and then click Properties. Notice that the General tab has additional options.
10. Click the Password tab. Notice that there is an additional password option here, Number of failed attempts allowed, that was not available when creating the mobile mailbox policy. This option wipes the device of all data after the specified number of failed attempts.
11. On the Sync Settings tab, review the configuration options.
• 1. On the Device tab, review the configuration options.
2. On the Device Applications tab, review the configuration options. To implement these settings, you must have an Enterprise Client Access License for each mailbox.
3. On the Other tab, review the options for allowing or blocking specific applications, and then click OK.
4. In the console tree, expand Recipient Configuration, and then click Mailbox.
5. In the result pane, right-click Scott MacDonald, and then click Properties.
6. Click the Mailbox Features tab, click Exchange ActiveSync, and then click Properties.
7. In the Exchange ActiveSync Properties dialog box, click Browse. Select EAS Policy 1, and then click OK.
8. Click OK twice to save and apply the changes.
9. On VAN-CL1, wait for ActiveSync to synchronize, or click Menu, and click Send/Receive.
10. In the Update Required dialog box, click OK.
11. In the Password and the Confirm Password fields, type 12345, and then click OK.
Question: What types of Exchange ActiveSync policies will you implement in your organization?
Answer: Answers will vary. However, some of the most likely implementation options will be for password security, wiping lost devices, and selecting which data to synchronize.
• Preparation
Ensure that the 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, and 10135A-VAN-CL1 virtual machines are running. Log on to the VAN-DC1, VAN-EX1, and VAN-EX2 virtual machines as Administrator using the password Pa$$w0rd. Log on to VAN-CL1 as Adatum\Luca using the password Pa$$w0rd.
Demonstration Steps
1. On VAN-CL1, open Internet Explorer, and connect to https://van-ex1.adatum.com/ecp. Log on as Adatum\Scott using the password Pa$$w0rd.
2. Click Phone. Notice the PocketPC listed in the Device list.
3. On VAN-EX1, in the Exchange Management Console, under Recipient Configuration, click Mailbox.
4. In the result pane, click Scott MacDonald. In the Actions pane, click Refresh.
5. In the Actions pane, click Manage Mobile Phone.
6. On the Manage Mobile Phone page, click Perform a remote wipe to clear mobile phone data, and then click Clear.
7. In the Microsoft Exchange warning message, click Yes, and then click Finish.
8. In Windows Mobile 6 Professional, wait for the device to synchronize. You can also force synchronization by opening Exchange ActiveSync, and then clicking Sync.
9. Confirm that the device is wiped. If the device goes blank, it is rebooting after performing the remote wipe.
10. On the Windows Mobile 6 Professional window File menu, click Exit.
Question: What are the implications of using remote wipe as an administrator or user?
Answer: Remote wipe removes all configuration and data on the mobile device, and returns it to the factory defaults. This means that if the device is recovered, it needs to be reconfigured. This is not difficult if you enable Autodiscover for Exchange ActiveSync.
Question: How will you manage mobile devices in your organization?
Answer: Answers will vary. Some organizations will be quite resistant to having the administrator wipe a mobile device, while other organizations will recognize the security risk posed by a mobile device that has been lost or stolen.
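The EAS Policy 1 demonstration and the remote wipe demonstration, done together from the Exchange Management Shell. This is an added example and not part of the course notes; it uses the lab mailbox Scott MacDonald, and the minimum password length, inactivity lock, notification address and DEVICE_ID_FROM_LIST placeholder are constructed values the course does not give. Invoke-LostDeviceWipe is a hypothetical helper written here.

```powershell
# Added example (not from the course notes): create and assign an Exchange
# ActiveSync mailbox policy, list the user's partnered devices, and wipe one
# device by DeviceID so that only the lost device is cleared.
$policyName = 'EAS Policy 1'
$mailbox    = 'Scott MacDonald'

if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName `
        -AttachmentsEnabled $true `
        -DevicePasswordEnabled $true `
        -PasswordRecoveryEnabled $true `
        -MaxDevicePasswordFailedAttempts 8 `
        -MinDevicePasswordLength 6 `
        -MaxInactivityTimeDeviceLock '00:15:00'
    # 8 failed attempts: local wipe, the "Number of failed attempts allowed" option
    # on the Password tab. Length 6 and the 15-minute lock are constructed values.
}

# Same effect as the Exchange ActiveSync Properties dialog on the mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Devices partnered with the mailbox; the ECP "Phone" tab shows the same data.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceType, DeviceID, LastSuccessSync, DeviceWipeRequestTime -AutoSize

# Hypothetical helper: wipe one device identified by DeviceID. The wipe is
# queued on the server and executes when the device next synchronizes, so the
# three timestamps show request -> sent -> acknowledged.
function Invoke-LostDeviceWipe {
    param([string]$Mailbox, [string]$DeviceId, [string]$NotifyAddress)
    $device = Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
              Where-Object { $_.DeviceID -eq $DeviceId }
    if (-not $device) {
        throw "No ActiveSync partnership with DeviceID '$DeviceId' for $Mailbox"
    }
    Clear-ActiveSyncDevice -Identity $device.Identity `
        -NotificationEmailAddresses $NotifyAddress -Confirm:$false
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId } |
        Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
}

# Example call with placeholder values: take the DeviceID from the table above.
# Invoke-LostDeviceWipe -Mailbox $mailbox -DeviceId 'DEVICE_ID_FROM_LIST' `
#     -NotifyAddress 'scott@adatum.com'
```

Wiping by DeviceID matters once a user has more than one partnership: the console's Manage Mobile Phone page also works per device, and a script that wipes everything returned for the mailbox would reset devices that were never lost. DeviceWipeAckTime staying empty means the device has not synchronized since the request, which is exactly the state a stolen device with no network access stays in.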
  • Exercise 1: Configuring Outlook Web App (Level 200)
    In this exercise, students will configure Outlook Web App. The main tasks for this exercise are as follows:
    1. Configure IIS to use the internal CA certificate.
    2. Configure Outlook Web App settings for all users.
    3. Configure an Outlook Web App mailbox policy for the Branch Managers.
    4. Verify the Outlook Web App configuration.
    Exercise 2: Configuring Exchange ActiveSync (Level 200)
    In this exercise, students will configure Exchange ActiveSync. The main tasks for this exercise are as follows:
    1. Disable SSL for Exchange ActiveSync.
    2. Verify the Exchange ActiveSync virtual directory configuration.
    3. Connect to the server using Exchange ActiveSync.
    4. Create a new Exchange ActiveSync mailbox policy.
    5. Validate the Exchange ActiveSync mailbox policy.
    6. Install a root CA on the mobile device.
    7. Wipe the mobile device.
  • Use the questions on the slide to guide the debriefing after students have completed the lab exercises.
    Question: What additional steps could you take to enhance the security for the Outlook Web App and Exchange ActiveSync connections in your organization?
    Answer: You could install a reverse proxy server so that clients do not connect directly to the Client Access server. Some reverse proxy solutions also support multi-factor authentication, which provides an additional level of security.
    Question: How would you modify the procedures in this lab if you needed to ensure that users cannot download attachments using Outlook Web App?
    Answer: You would need to block all attachment downloads on the Outlook Web App virtual directory. You could still enable WebReady Document Viewing.
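The attachment lockdown described in the second answer, as an added Exchange Management Shell example (not part of the course notes): the default setting is shown beside the hardened one. The virtual directory identity uses the lab server VAN-EX1 and the Default Web Site; both are assumptions.

```powershell
# Added example: block attachment downloads on the Outlook Web App virtual
# directory while keeping WebReady Document Viewing. Identity is assumed.
$owa = "VAN-EX1\owa (Default Web Site)"

# Before: by default direct file access (download) is enabled for both public
# and private computers, so any OWA session can pull attachments to disk.
Get-OwaVirtualDirectory -Identity $owa | Format-List `
    DirectFileAccessOnPublicComputersEnabled, DirectFileAccessOnPrivateComputersEnabled, `
    WebReadyDocumentViewingOnPublicComputersEnabled, WebReadyDocumentViewingOnPrivateComputersEnabled

# After: downloads are blocked for every client; WebReady viewing stays on so
# users can still read documents as HTML rendered on the server, and
# "ForceWebReadyDocumentViewingFirst" makes that the only way to open them.
Set-OwaVirtualDirectory -Identity $owa `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $true `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true `
    -ForceWebReadyDocumentViewingFirstOnPrivateComputers $true

# Verify the change, then restart IIS so the virtual directory picks it up.
Get-OwaVirtualDirectory -Identity $owa | Format-List `
    DirectFileAccessOnPublicComputersEnabled, DirectFileAccessOnPrivateComputersEnabled
iisreset /noforce

# Caveat: an Outlook Web App mailbox policy (Set-OwaMailboxPolicy has the same
# parameters) overrides the virtual directory for users it is assigned to, so
# the Branch Managers policy from Exercise 1 must carry the same settings.
Get-OwaMailboxPolicy | Format-List Name, `
    DirectFileAccessOnPublicComputersEnabled, DirectFileAccessOnPrivateComputersEnabled
```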
  • Review Questions
    Question: You need to ensure that users from the Internet can connect to a Client Access server by using Outlook Anywhere. How will you configure the firewall between the Internet and the Client Access server?
    Answer: You need to enable port 443 access to the Client Access server, as well as enable access to the /RPC virtual directory.
    Question: You need to ensure that the same Exchange ActiveSync policies are assigned to all users, with the exception of the Executives group. This group requires higher security settings. What should you do?
    Answer: You should configure the default Exchange ActiveSync mailbox policy with the settings for all users. You should then create a new policy for the Executives group, and assign the policy to all members of the Executives group.
    Question: You have deployed an Exchange Server 2010 server in an organization that includes several Exchange Server 2003 servers. How will Exchange Server 2010 obtain free/busy information for user mailboxes on the Exchange Server 2003 servers?
    Answer: The Client Access server will query the Schedule+ Free/Busy folder on an Exchange Server 2003 server.
    Common Issues Related to Client Connectivity to the Client Access Server
    Identify the causes for the following common issues related to client connectivity to the Client Access server, and fill in the troubleshooting tips. For answers, refer to the relevant lessons in the module.
    Real-World Issues and Scenarios
    Question: Your organization has two locations with an Internet connection in each location. You need to ensure that when users access their e-mail using Outlook Web App from the Internet, they will always connect to the Client Access server in their home office.
    Answer: First, configure an external URL for each Client Access server. The external URL will be the name that the clients use to connect to the server. Next, ensure that you have configured a DNS host record for each Client Access server using the external URL.
    Question: You are planning on enabling Outlook Web App, Outlook Anywhere, and Exchange ActiveSync access to your Client Access server. You want to ensure that all client connections are secured by using SSL, and that none of the clients receive errors when they connect to the Client Access server. You plan on requesting a certificate from a public CA. What should you include in the certificate request?
    Answer: You should request a certificate with multiple subject alternative names so that all client connections are supported using the protocol-specific server name. You should also include the Autodiscover name in the subject alternative names if you are enabling Autodiscover from the Internet.
    Question: You have deployed two Client Access servers in the same Active Directory site. When one of the Client Access servers shuts down, users can no longer access their e-mail. What should you do?
    Answer: You should configure the Client Access servers in a Client Access server array to ensure redundancy.
  • Best Practices for Implementing Client Connectivity to the Client Access Server
    Help the students understand the best practices presented in this section. Ask students to consider these best practices in the context of their own business situations.
    Tools
    Point out the location from which each key tool can be installed. Let students review the function and usage of each tool on their own. Remind students that they can use this as a master list to help them gather all the tools required to facilitate their application support work.

Transcript

  • 1. Module 4 Managing Client Access
  • 2. Module Overview
    • Configuring the Client Access Server Role
    • Configuring Client Access Services for Outlook Clients
    • Configuring Outlook Web App
    • Configuring Mobile Messaging
  • 3. Lesson 1: Configuring the Client Access Server Role
    • How Client Access Works
    • How Client Access Works with Multiple Sites
    • Deployment Options for a Client Access Server
    • Demonstration: How to Configure a Client Access Server
    • Securing a Client Access Server
    • Considerations for Deploying a Client Access Server
    • Configuring Certificates for Client Access Servers
    • Options for Configuring POP3 and IMAP4 Client Access
    • Configuring the Client Access Server for Internet Access
  • 4. How Client Access Works [diagram: Client Access server, Mailbox server, and domain controller with numbered connections labeled RPC/MAPI, HTTPS, IMAP4, and POP3 on the client side and RPC/MAPI to the Mailbox server]
  • 5. How Client Access Works with Multiple Sites [diagram: with multiple Internet access points the client request is redirected; with a single Internet access point the client request is proxied]
    • Proxying is used for Outlook Web App, Exchange ActiveSync, and Exchange Web Services
    • Redirection is used only for Outlook Web App
  • 6. Deployment Options for a Client Access Server Client Access servers:
    • Must be deployed in each Active Directory site that has Mailbox servers
    • Must have a fast connection to Mailbox servers and domain controllers
    • Need to be accessible from the Internet using the client protocol in Internet-facing sites
    You can deploy Client Access servers:
    • On a single server with other Exchange Server roles
    • On a dedicated server to provide scalability
    • On multiple dedicated servers in an array
  • 7. Demonstration: How to Configure a Client Access Server
    • In this demonstration, you will review:
    • The Client Access settings for an organization
    • The Client Access server settings
  • 9. Securing a Client Access Server To secure a Client Access server:
    • Install server certificates, and ensure that SSL is required
    • Configure authentication settings:
      • Integrated Windows authentication
      • Digest authentication
      • Basic authentication
      • Forms-based authentication
    • Protect the server with an application layer firewall
  • 10. Considerations for Implementing Client Access Server Certificates When implementing Client Access certificates, consider:
    • Whether to use an internal or public CA
    • The client access protocols in use
    • The server names used by messaging clients
  • 11. Demonstration: How to Configure Certificates for Client Access Servers
    • In this demonstration, you will review:
    • The New Exchange Certificate Wizard
    • How to approve a certificate request
    • The Subject Alternative Names in the certificate
  • 15. Options for Configuring POP3 and IMAP4 Client Access
    • Bindings: Configure local server addresses
    • Authentication: Configure authentication options
    • Connection settings: Configure server connection settings
    • Retrieval settings: Configure message formats and calendar retrieval settings
    • User access: Configure whether a user can use the protocol
  • 16. Configuring the Client Access Server for Internet Access To enable Internet access to Client Access services:
    • Configure external URLs
    • Configure the external DNS names
    • Configure access to Client Access virtual directories
    • Implement SSL certificates with multiple subject alternative names
    • Plan for Client Access server access with multiple sites
  • 17. Lesson 2: Configuring Client Access Services for Outlook Clients
    • Services Provided by a Client Access Server for Outlook Clients
    • What Is RPC Client Access Services?
    • What Is Autodiscover?
    • Configuring Autodiscover
    • What Is the Availability Service?
    • What Are MailTips?
    • Demonstration: How to Configure MailTips
    • What Is Outlook Anywhere?
    • Demonstration: How to Configure Outlook Anywhere
    • Troubleshooting Outlook Client Connectivity
  • 18. Services Provided by a Client Access Server for Outlook Clients
    • RPC Client Access Service: Enables MAPI connectivity to user mailboxes
    • Autodiscover: Enables automatic configuration for Outlook and mobile clients
    • Availability: Provides free or busy information
    • MailTips: Provides notifications regarding issues with sending a message
    • Offline Address Book download: Provides offline address book download for Outlook clients
    • Exchange Control Panel: Provides an administrative interface for accessing mailbox and recipient information
    • Exchange Web Services: Provides a developer interface for accessing all Exchange server content and settings
    • Outlook Anywhere: Enables RPC over HTTPS access to user mailboxes
  • 19. What Is RPC Client Access Services? [diagram: MAPI connections between the Client Access server role and the Mailbox server role]
  • 20. What Is Autodiscover? Autodiscover provides information that you can use to configure Outlook 2007 client profiles. Outlook 2007 Autodiscover process:
    1. The client locates the Autodiscover service
    2. The Autodiscover service on the client sends each Client Access server an HTTP POST command
    3. The appropriate Client Access server responds by returning an XML file
    4. Outlook downloads the required configuration information from the Autodiscover service
  • 21. Configuring Autodiscover To configure Autodiscover:
    • Use the Exchange Management Shell
    • Configure site affinity for Exchange servers in multiple sites
    • Configure DNS records for external clients
    • Use Outlook's Test E-mail AutoConfiguration feature to test
  • 22. What Is the Availability Service? The Availability service makes free/busy information available for Outlook 2007 and Outlook Web App clients [diagram: two Exchange Server 2010 servers and an Exchange Server 2003 server with numbered steps 1 to 5]
  • 23. What Are MailTips? Exchange Server 2010 provides:
      • Default MailTips
      • Custom MailTips
    MailTips provide information about a message delivery before the message is sent.
    The Client Access server provides the MailTips to the client.
  • 24. Demonstration: How to Configure MailTips
    • In this demonstration, you will see how to:
    • Review and configure the default MailTips for an Exchange organization
    • Configure custom MailTips
    • Verify that the MailTips work as expected
  • 25. What Is Outlook Anywhere? Outlook Anywhere enables RPC connections over HTTPS to an Exchange Server 2010 server [diagram: Outlook 2003 or Outlook 2007 client, Client Access server, Mailbox server, and global catalog servers, with RPC, HTTPS, and LDAP labels]
  • 26. Demonstration: How to Configure Outlook Anywhere
    • In this demonstration, you will see how to:
    • Configure Autodiscover settings
    • Configure a Client Access server for Outlook Anywhere
    • Configure an Outlook 2007 profile for Outlook Anywhere
    • Verify Outlook Anywhere connectivity
  • 29. Troubleshooting Outlook Client Connectivity To troubleshoot Outlook client connectivity:
    • Verify network connectivity
    • Verify DNS name resolution
    • Verify Exchange Server availability
    • Test the client autoconfiguration process
    • Verify Client Access server certificates
    • Verify client configuration
  • 30. Lab A: Configuring Client Access Servers for Outlook Anywhere Access
    • Exercise 1: Configuring Client Access Servers
    • Exercise 2: Configuring Outlook Anywhere
    Logon information
    • Estimated time: 60 minutes
    • Virtual machines: 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, 10135A-VAN-CL1
    • User name: Administrator
    • Password: Pa$$w0rd
  • 31. Lab Scenario
    • You are working as a messaging administrator in A. Datum Corporation. Your organization has decided to deploy Client Access Servers so that the servers are accessible from the Internet for a variety of messaging clients. To ensure that the deployment is as secure as possible, you must secure the Client Access server, and configure a certificate on the server that will support the messaging client connections. You also need to configure the server to support Outlook Anywhere connections.
  • 32. Lab Review
    • In this lab, you configured the Client Access server to use a certificate from an internal CA. How would the steps change if you used a public CA?
    • How would the steps in the lab change if you had two company locations, and you had to configure Client Access server access to both locations?
  • 33. Lesson 3: Configuring Outlook Web App
    • What Is Outlook Web App?
    • Configuration Options for Outlook Web App
    • What Is File and Data Access for Outlook Web App?
    • Demonstration: How to Configure Outlook Web App
    • Demonstration: How to Configure Outlook Web App Policies
    • Demonstration: How to Configure User Options by Using the ECP
  • 34. What Is Outlook Web App? Outlook Web App provides:
    • Web-based access to all Exchange mailbox components
    • Secure HTTPS access from the Internet
    • An alternative to deploying a messaging client
    • Access to Exchange Server 2010 features that are not available in Outlook 2007
  • 35. Configuration Options for Outlook Web App
    • Server certificates: Required to enable SSL
    • SSL settings: Enables secure access to Outlook Web App
    • Authentication: Determines which clients can connect
    • Segmentation settings: Determines the available features in Outlook Web App
    • Gzip compression: Enables compression of messages and attachments
    • Web beacon settings: Manages Web beacon access
  • 36. What Is File and Data Access for Outlook Web App? File and data access for Outlook Web App enables users to access attachments and files stored on other servers. With file and data access, you can configure:
    • WebReady document viewing
    • Direct file access
    • Different settings when users connect from public or private computers
    • Access to files stored on Windows SharePoint Services servers and Windows file shares
    • Restrictions on file access based on file types or internal servers
  • 37. Demonstration: How to Configure Outlook Web App
    • In this demonstration, you will see how to configure:
    • A server to require SSL
    • Outlook Web App virtual directories
    • Authentication options for Outlook Web App virtual directories
    • Gzip compression settings
    • Segmentation settings
    • Web beacon settings
  • 40. Demonstration: How to Configure Outlook Web App Policies
    • In this demonstration, you will see how to:
    • Configure an Outlook Web App policy
    • Assign an Outlook Web App policy to a user account
  • 42. Demonstration: How to Configure User Options Using the ECP
    • In this demonstration, you will see how to:
    • Configure the Exchange Control Panel virtual directory
    • Configure user mailbox settings through the Exchange Control Panel
  • 44. Lesson 4: Configuring Mobile Messaging
    • What Is Exchange ActiveSync?
    • Demonstration: How to Configure Exchange ActiveSync
    • Options for Securing Exchange ActiveSync
    • Demonstration: How to Configure Exchange ActiveSync Policies
    • Demonstration: How to Manage Mobile Devices
  • 45. What Is Exchange ActiveSync? [diagram: Exchange ActiveSync client, Client Access servers, and Mailbox servers with numbered steps 1 to 3]
  • 46. Demonstration: How to Configure Exchange ActiveSync
    • In this demonstration, you will see how to:
    • Configure the Exchange Server settings for Exchange ActiveSync
    • Configure a mobile device for Exchange ActiveSync
  • 49. Options for Securing Exchange ActiveSync To secure Exchange ActiveSync:
    • Configure Exchange ActiveSync policies for security
    • Wipe lost or stolen devices
    • Enable self-service mobile device management
    • Ensure that SSL is required for the Exchange ActiveSync virtual directory
    • Install CA root certificates on client devices
  • 50. Demonstration: How to Configure Exchange ActiveSync Policies
    • In this demonstration, you will see how to:
    • Configure Exchange ActiveSync mailbox policies
    • Configure user accounts for Exchange ActiveSync
  • 52. Demonstration: How to Manage Mobile Devices
    • In this demonstration, you will see how to:
    • Manage mobile devices as an administrator
    • Perform self-service mobile device management using the Exchange Control Panel
  • 53. Lab B: Configuring Client Access Servers for Outlook Web App and Exchange ActiveSync
    • Exercise 1: Configuring Outlook Web App
    • Exercise 2: Configuring Exchange ActiveSync
    Logon information
    • Estimated time: 50 minutes
    • Virtual machines: 10135A-VAN-DC1, 10135A-VAN-EX1, 10135A-VAN-EX2, 10135A-VAN-CL1
    • User name: Administrator
    • Password: Pa$$w0rd
  • 54. Lab Scenario
    • To enable client access to the server, your organization has decided to enable both Outlook Web App and Exchange ActiveSync for its users. However, the security officer at A. Datum Corporation has defined security requirements for the Outlook Web App and Exchange ActiveSync deployment. Therefore, you need to enable the security features for both Outlook Web App and Exchange ActiveSync.
  • 55. Lab Review
    • What additional steps can you take to enhance the security for the Outlook Web App and Exchange ActiveSync connections in your organization?
    • How would you modify the procedures in this lab if you needed to ensure that users cannot download attachments using Outlook Web App?
  • 56. Module Review and Takeaways
    • Review Questions
    • Common Issues and Troubleshooting Tips
    • Real-World Issues and Scenarios
    • Best Practices
    • Tools