Simplify access for your users

Outlook Web Access (OWA) for Exchange Server 5.5 provides a quick and convenient means for accessing email through a Web browser. A prerequisite for OWA is Microsoft IIS. IIS consists of Web sites that contain virtual directories that point to files' physical locations. Although one IIS server can host multiple Web sites, no two Web sites can occupy the same IP address and port number combination. If they do, individual Web sites will fail to start. A default configuration of IIS contains one Web site, the Default Web site. To achieve optimum integration with IIS, Microsoft designed OWA as a virtual directory within the default IIS site.

Thus, you can access OWA from your browser by entering http://<IIS servername>/exchange. If you add a Fully Qualified Domain Name (FQDN) to your DNS for your IIS server, you might end up with a URL like http://webmail.xyz.com/exchange. If you add Secure Sockets Layer (SSL) through Microsoft Certificate Server or a commercial certificate authority such as VeriSign, you get https://webmail.xyz.com/exchange.

To simplify user access to such a powerful tool as OWA, you can eliminate the need to enter a complex URL on a browser's address line by making the OWA URL a hotlink on a corporate Web page. Users need only access the Web page and click the link. Companies that prefer to establish OWA as a separate Web service can provide access to OWA through one URL.

Creating access to OWA through a URL lets you tell the president and CEO of your company that they can access email from the Web by entering only webmail.xyz.com on the address line of the browser and entering their network credentials when prompted. All other mechanisms of this communication, such as the virtual directory and security, occur under the covers.

What's the easiest way to create one URL for OWA with the least effort and for the most gain? Neither IIS nor OWA in Exchange Server 5.5 Service Pack 3 (SP3) provides this capability in a built-in fashion. You can't choose to establish one URL when you install OWA. Nor does IIS let you configure your IIS server for multiple Web sites. Because Microsoft designed OWA to integrate optimally within the IIS default installation and coded OWA to exist as the /exchange virtual directory within the default Web site, you can't relocate the exchange virtual directory to the root of the Default Web site.

However, you can redirect a URL to the default /exchange virtual directory through IIS. This redirection can also take into account SSL security and can include the https prefix.

I explain two ways to accomplish this redirection without changing the default location of Exchange OWA files or modifying any code or the Windows NT Registry. The methods I present here work for both single-site and multisite Exchange implementations. However, if you have multiple NT domains with trusts, you can set only one domain as the default NT logon domain. Users accessing OWA in other NT domains must preface their username with their home NT domain (NTdomain\username). Slower linked sites will, of course, yield proportionately slower response times. As always, practice good predeployment testing to adequately flush out potential problems.

Preliminaries
The information in this article is specific to installations of Exchange Server 5.5 SP3. I assume that you have successfully installed and configured OWA in its default configuration and that you're familiar with the Internet Service Manager (ISM) interface in Administrative Tools in IIS 5.0 and in the NT 4.0 Option Pack menu in IIS 4.0. Further, I don't delve into the specifics of how to make DNS entries beyond saying that you need an FQDN mapped to the IP address of your IIS server.

I don't include detailed configuration information for accessing OWA through a firewall. Essentially, you need to decide on the URL that you'll advertise to all your users for OWA (e.g., webmail.xyz.com). You must map this URL to an IP address in your DNS as an A record. The ports on the firewall that you need to open are typically port 80 for HTTP and port 443 for HTTP over SSL (HTTPS).

I recommend that you use OWA with SSL for security. The sidebar "SSL's Benefits on OWA," page 9, describes SSL's advantages and offers tips for configuring OWA with SSL.

Method 1: Apply Redirection to IIS Default Documents
A simple way to redirect a URL is to apply the redirection directly to one of the default documents on the Default Web site's Properties Documents tab. You apply the redirection to the IIS default document (i.e., iisstart.asp for IIS 5.0 and default.htm for IIS 4.0). Applying the redirection directly is appropriate when the IIS server's primary role is to facilitate OWA and not to host any other Web application.

To use this method, open ISM, select the Default Web site, right-click the default document and select Properties. Under When connecting to this resource, the content should come from in the dialog box that Figure 1 shows, select A redirection to a URL, and enter the URL (e.g., http://webmail.xyz.com) in the Redirect to text box. Select the A permanent redirection for this resource check box. Now, to access the OWA site, users need only enter webmail.xyz.com in their browser.

The main advantage of this approach is its simplicity and its convenience for administering and maintaining the Web site. The FQDN maps to the IP address of your IIS server, and the IIS server handles the redirection to the Exchange virtual directory. This configuration also doesn't adversely affect system upgrades and OWA patches because you haven't modified any of the default OWA directory paths.

The disadvantage of this method is that the root for the IIS server is no longer accessible through a Web browser. If the loss of Web administrative functionality is an acceptable compromise, this lack of access isn't necessarily bad because the default site as installed has components that can pose security risks. The most important of these risks is the IISSamples virtual directory. If you're setting up an IIS server, be sure to read the "Microsoft Internet Information Server 4.0 Security Checklist" (http://www.microsoft.com/technet/security/iischk.asp).

Method 2: Allocate an IP Address
Another way to assign one URL to your OWA server is to allocate an IP address specifically for OWA and assign this IP address to the IIS server. This approach is appropriate when the IIS server hosts Web pages in addition to OWA.

Configuring OWA with a specific IP address lets administrators move OWA to another server at any time. To move OWA, you need only unassign the IP address associated with the URL and reassign it to the new server. Follow these steps.

  1. Assign a second IP address. If you assign a second IP address, the new Web site has a unique IP address and port. IIS Web sites must have a unique IP address/port combination. IIS automatically assigns the default Web site the IP address of the server's NIC.


  2. Allocate a second IP address to your IIS server and assign it to the URL for your company OWA site. In my example, I have an IIS server with an IP address of 192.192.192.1, and I add 192.192.192.2 as a second IP address. To add an IP address in Windows 2000, select Start, Settings, Network and Dial-up Connections, Local Area Connection. Choose Properties, select Internet Protocol (TCP/IP), then Properties. Click Advanced, then select Add. In NT 4.0, double-click the Control Panel Network applet. On the Protocols tab, double-click the TCP/IP Protocol. Click Properties, then select Advanced. Click Add to add the second IP address.

  3. Create a new Web site. To create a new Web site, open the ISM, right-click on the IIS server in the left pane, and select New, New Web Site. When the New Web Site Creation Wizard appears, click Next.


  4. Enter the description of your Web site. In the Web Site Creation Wizard screens that Figure 2 shows, enter an appropriate name for the Web site (e.g., webmail.xyz.com) in the left dialog box. Click Next, and in the right dialog box, assign the second IP address (e.g., 192.192.192.2) to this Web site. Click Next.


  5. Assign the directory path. In the next two wizard screens, which Figure 3 shows, create an empty directory location for the new Web site in the left dialog box. This location can be a subdirectory of the default root directory for IIS (e.g., C:\inetpub\web mail). Click Next. In the right dialog box, set the site access permissions by selecting the Read, Run scripts (such as ASP), and Execute (such as ISAPI applications or CGI) check boxes.


  6. Add the Internet Server API filter. The Internet Server API (ISAPI) filter for Exchange (exchfilt.dll) handles localization. The filter detects the preferred language settings on the originating browser and either adjusts OWA accordingly or sends a message that the language isn't available.


  7. To add the ISAPI filter, right-click the new Web site and select Properties. On the ISAPI Filters tab, which Figure 4 shows, click Add. In the Filter Properties dialog box, enter the filter's name and path.

  8. Create the Exchange virtual directory, enter the directory path, and set permissions. Now, recreate the Exchange virtual directory that OWA requires in the new Web site. Right-click your new Web site, and select New, Virtual Directory. At the prompt in the New Virtual Directory Creation Wizard, enter Exchange as the alias for the virtual directory. On the next wizard screen, enter the directory path to your exchsrvr\webdata directory (e.g., C:\exchsrvr\webdata).


  9. On the next screen, set the access permissions by selecting the Read, Run scripts (such as ASP), and Execute (such as ISAPI applications or CGI) check boxes. You now have an Exchange virtual directory in IIS similar to that which Figure 5 shows.
  10. Redirect the Web site root. Redirecting the Web site root lets users enter the OWA URL (i.e., webmail.xyz.com) on their browser's address line. IIS then redirects the URL to the Exchange virtual directory and applies SSL security, if your site uses it.


  11. Right-click your new Web site, and select Properties to bring up the dialog box you see in Figure 6. Under When connecting to this resource, the content should come from on the Virtual Directory tab, select A redirection to a URL. In the Redirect to text box, enter the URL of your new Web site and add /exchange at the end of the URL. Under The client will be sent to, select the A directory below this one and A permanent redirection for this resource check boxes.

  12. Set the directory security. In the ISM, right-click the Exchange virtual directory in the new Web site, and select Properties. On the Directory Security tab, ensure that you've set file access permissions to Anonymous access and Basic authentication.


  13. Stop and restart the IIS Admin and Web services. To apply the changes, you need to stop and restart the IIS services. In Win2K, go to My Computer, Manage. In NT, go to the Control Panel Services applet. Stop and restart IIS Admin Service and World Wide Web Publishing Service.


  14. After you restart the services, test your work by opening your Web browser and entering your URL (e.g., webmail.xyz.com) to access OWA. The configuration automatically redirects the URL to http://webmail.xyz.com/exchange/logon.asp.
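
A check to run on the result of steps 10 through 14, added here as an example and not part of the original article: it audits a recorded redirect chain for the two things the procedure depends on, a permanent redirect from the root to /exchange and Basic authentication being offered only over SSL. The function name `audit_chain`, the hop format, and both sample chains are constructed for illustration; the status codes and the hop on which the 401 appears are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: hops recorded for the article's example host when Basic
# authentication is enabled but the redirect target is plain http.
SAMPLE_HTTP = [
    ("http://webmail.xyz.com/", 301, {"Location": "http://webmail.xyz.com/exchange"}),
    ("http://webmail.xyz.com/exchange", 302, {"Location": "/exchange/logon.asp"}),
    ("http://webmail.xyz.com/exchange/logon.asp", 401,
     {"WWW-Authenticate": 'Basic realm="webmail.xyz.com"'}),
]
# Constructed sample: the same site with the redirect pointing at the https URL.
SAMPLE_HTTPS = [
    ("http://webmail.xyz.com/", 301, {"Location": "https://webmail.xyz.com/exchange"}),
    ("https://webmail.xyz.com/exchange", 302, {"Location": "/exchange/logon.asp"}),
    ("https://webmail.xyz.com/exchange/logon.asp", 401,
     {"WWW-Authenticate": 'Basic realm="webmail.xyz.com"'}),
]


def audit_chain(hops):
    """Return findings for a recorded redirect chain (empty list = clean)."""
    findings = []
    first_url, first_status, first_headers = hops[0]
    target = urljoin(first_url, first_headers.get("Location", ""))
    if first_status != 301:
        findings.append("root is not a permanent (301) redirect")
    if not urlsplit(target).path.lower().startswith("/exchange"):
        findings.append("root does not redirect to /exchange")
    for i, (url, status, headers) in enumerate(hops):
        parts = urlsplit(url)
        # Basic credentials are only base64-encoded, so a Basic challenge on
        # plain http means passwords cross the network in readable form.
        challenges = headers.get("WWW-Authenticate", "").lower()
        if status == 401 and "basic" in challenges and parts.scheme != "https":
            findings.append(f"Basic challenge over plain HTTP at {url}")
        if status in (301, 302) and i + 1 < len(hops):
            nxt = urlsplit(urljoin(url, headers.get("Location", "")))
            if parts.scheme == "https" and nxt.scheme == "http":
                findings.append(f"HTTPS to HTTP downgrade after {url}")
            if nxt.hostname != parts.hostname:
                findings.append(f"redirect leaves host {parts.hostname}")
    return findings
```

Feed it the hops captured from a browser trace or proxy log of your own site; a finding about a Basic challenge over plain HTTP means the Redirect to URL in step 11 should use the https prefix.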

The Web-exclusive sidebar "Customize Your Logon and Logoff Screens" on the Exchange Administrator Web site (http://www.exchangeadmin.com/) explains how you can display attractive OWA screens for your company (as Web Figure 1 shows) and provides Active Server Pages (ASP) code (Web Listing 1 and Web Listing 2) for implementing logon and logoff screens in Exchange Server 5.5 OWA. As the sidebar "OWA in Exchange 2000" explains, Exchange 2000 doesn't use ASP-based banner pages. The sidebar outlines the downstream effect for Exchange 2000 of adopting the procedures in this article.

Simplify Your Deployment
Establishing a URL for OWA helps simplify your deployment of this service to your users. The methods I present here have minimal effect as systems architecture changes. Through one OWA namespace, users need to know only one URL, even if you add and remove servers and mailboxes.