Publishing Outlook Web Access to its Own URL.

Virtual Servers and Directories

Virtual servers allow you to create separate Web server instances for internal and external users, for different departments within a company, or for users with different security requirements.


To create an HTTP virtual server in Exchange System Manager

1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
   
2. Double-click Servers.
   
3. Double-click the appropriate Exchange server.
   
4. Expand Protocols.
   
5. Right-click HTTP, point to New, and then click HTTP Virtual Server.

When you create an HTTP virtual server, there are three tabs to configure:

General Use this tab to configure the virtual server identification (host header, IP address, and port), number of available client connections, and logging. If one domain (for example, bobboff.com) needs different configuration settings from a second domain (for example, bobboff2.com), you can add both domains to the same virtual server.

Note The combination of identification values for each virtual server (host header, IP address, TCP port) must be unique.

Access Use this tab to configure the type of authentication used to access secure content and to configure whether the server allows Anonymous access to shared content.

Security Use this tab to configure security settings for this Exchange Administration object in the Active Directory. You can limit which level of administrator may modify these settings. This tab does not affect client connections.


Disabling Virtual Servers

With Outlook Web Access in Exchange 5.5, you could use the General tab to enable or disable all HTTP access for Exchange. Exchange 2000 has similar functionality. To stop, start, or pause each virtual server, right-click the virtual server object in System Manager and click the appropriate option.

Notes:

1. You can only administer the default Exchange virtual server from Internet Services Manager.
   
2. If you stop the default Exchange virtual server, you also stop the IIS default Web server. If you want this Web server to be available, but you want to eliminate Exchange access, you can remove the Exchange, Exadmin, and public virtual directories. You can also configure security to disable access. Right-click the object, and then click Delete to remove the directories. Removing virtual directories effectively disables management of public folders on that server through HTTP.

For each virtual server, you can configure multiple virtual directories to point to different public folders or to the private mailbox store. Ensure that each virtual server has a corresponding DNS alias to provide named access to the virtual server. When you create a private mailbox virtual directory, System Manager lists the primary SMTP domains of the available recipient policies. Listing the domains allows administrators to assign a virtual directory to users who were modified by a recipient policy.

Virtual directories are similar to the public folder shortcuts used in previous versions of Exchange. The only exception is that custom public folder virtual directories are not automatically exposed to the user unless the Outlook Web Access user interface is customized to take the public folder virtual directories into account.

Security

(The section below describes the options available to secure Outlook Web Access in your Exchange organization.)


Authentication

A number of options are available for Outlook Web Access authentication. Choosing the appropriate method of authentication is usually dependent on the capabilities of the client operating system and the specific security policies.

The default authentication methods for Outlook Web Access in a single-server environment are Basic and Integrated Windows authentication. You set authentication on the HTTP virtual servers configured for Outlook Web Access.

Note Outlook Web Access will not have a logoff button until Exchange 2000 Service Pack 2. In earlier versions of Exchange 2000, to log off the session, the user must close the browser.

Use one of the following methods for authentication:

• Method 1: Basic Uses clear text to perform a simple challenge and response.
  
• Method 2: Integrated Windows authentication uses the security facilities available in the Windows platform.
  
• Method 3: Anonymous provides access to public folders that are intended for general access.
  
• Method 4: Secure Sockets Layer (SSL) although not an authentication method, SSL provides a secure communications channel that can be used in combination with any of the above methods.

For more information about authentication methods in a front-end and back-end server configuration, see the white paper Exchange 2000 Front-end and Back-end Topology on the Exchange site at http://go.microsoft.com/fwlink/?LinkId=4721.


Enabling User Principal Name Option

Windows 2000 includes the ability to log on by using a user principal name, for example [email protected]. To enable users to log on to Outlook Web Access using the user principal name, configure IIS and Exchange to accept basic authentication and set the default domain to ” \” (without the quotation marks). Use the user principal name logon option to mask infrastructure in a hosted environment, such as by not displaying Windows 2000 domain names. The user principal name logon option requires a user to remember only his or her e-mail address and password to log on.

Use the Internet Information Services MMC snap-in to complete the following steps on each back-end server and front-end server that will support user principal name logon requests.

To enable the user principal name logon option for Outlook Web Access users on the IIS side

1. On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
   
2. Right-click the computer name, and then click Properties.
   
3. On the Internet Information Services tab, under Master Properties, verify that the WWW Service check box is selected, and then click Edit.
   
4. In WWW Service Master Properties, on the Directory Security tab, under Anonymous access and authentication control, click edit.
   
5. Verify that the Anonymous Access and Integrated Windows authentication check boxes are cleared.
   
6. Select the Basic Authentication check box. Click Yes when prompted by the Internet Service Manager warning dialog box.
   
7. Beside the Basic authentication option, click Edit.
   
8. In the Basic Authentication Domain text box, type \ in the Domain Name text box, and then click OK.
   
9. In Authentication Methods, click OK.
   
10. In WWW Service Master Properties, click OK.
    
11. In Inheritance Overrides, select the Default Web Site/public and Default Web Site/Exchange check boxes, and then click OK.
    
12. In Internet Information Services, right-click the computer name, and then select Restart IIS.
    
13. In Stop/Start/Reboot, click OK.

After you complete the above procedure, use Exchange System Manager to complete the following steps on each back-end server and front-end Exchange server that will support user principal name logon attempts.

1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
   
2. In Exchange System Manager, double-click Administrative Groups, double-click the appropriate administrative group, double-click Servers, double-click the appropriate Exchange server, expand Protocols, expand HTTP, and then expand Exchange Virtual Server.
   
3. Right click the Exchange virtual directory, and then click Properties.
   
4. In Exchange Properties, click the Access tab, and then click Authentication.
   
5. In Authentication Methods, clear the Anonymous access and Integrated Windows authentication check boxes.
   
6. Select the Basic authentication check box.
   
7. In the Default domain text box, type \.
   
8. For public folders, repeat steps 3-7 on the public virtual directory.

Now Publish with ISA Web Publishing.

Steve Moffat
Senior Support Analyst
Optimum Computer Solutions