Exchange 2007

Configuring remote file share access with Exchange 2007 OWA

One feature that Exchange 2007 introduced is the ability to access local file shares remotely via Outlook Web Access (OWA), enabling users to download any manner of document, spreadsheet, application, etc. from any machine with Internet Explorer 6 or later installed, without having to establish a VPN connection to the local network.


Configuring the Exchange Server

File share access is enabled and configured within the Exchange Management Console. Browse to Server Configuration --> Client Access --> Outlook Web Access and open the properties for the OWA site. Different permissions can be defined for users accessing the site from Public and Private computers:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

Enable the feature by ticking the option to enable Windows File Shares. The types of files that users should, or should not, have access to can be defined under Customize direct file access:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

File extension types can be defined explicitly:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

The details of the file servers that should be available to OWA users are defined on the Remote File Servers tab:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

Click on the Block button to define those servers that should NOT be accessible. Any servers that are not explicitly blocked are automatically allowed.

The Allow list does not define those file shares that should be accessible to users, rather it defines the hosts FROM which users are connecting that should be allowed to access file shares:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

As users will typically be connecting from the Internet at large, if you want your users to have access to file shares from wherever they are, the Unknown Servers option should be set to Allow rather than Block.

To allow users to enter only the NetBIOS name of the file server they wish to access rather than its FQDN (Fully Qualified Domain Name), the Domain Suffix configuration lets the administrator add suffixes (e.g. 'domain.com') that are automatically appended to any server name users enter within OWA:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

NOTE - the Exchange Server should be able to resolve these domains via DNS.

Verify that the share on the remote file server is configured with the correct user access permissions: users who cannot access the share locally via the LAN will not be able to access it via OWA either.
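The same settings can be applied and audited from the Exchange Management Shell with Set-OwaVirtualDirectory. The following is an added example and not code from the original article: the Client Access server name CAS01, the blocked server hr-payroll and the suffix corp.example.com are placeholders, and the parameter names are those of the Exchange 2007 Set-OwaVirtualDirectory cmdlet.

```powershell
# Added example (not from the original article). Placeholders: Client Access server "CAS01",
# blocked file server "hr-payroll", DNS suffix "corp.example.com". Run in the Exchange 2007
# Exchange Management Shell; these are the EMS equivalents of the EMC settings described above.

# The Exchange 2007 OWA virtual directory (the legacy Exchange/Public/Exchweb vdirs are skipped)
$owa = Get-OwaVirtualDirectory -Server "CAS01" | Where-Object { $_.Name -like "owa*" }

# -BlockedFileTypes overwrites the whole list, so read the current list and extend it
$blocked = @($owa.BlockedFileTypes)
foreach ($ext in ".exe", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif") {
    if ($blocked -notcontains $ext) { $blocked += $ext }
}

# Share access and direct file download from private (trusted) computers only.
# Servers not explicitly blocked stay reachable, as the article describes, but the Block
# list keeps named servers out of OWA entirely; unknown file types are forced to Save, not Open.
Set-OwaVirtualDirectory -Identity $owa.Identity `
    -WindowsFileAccessOnPrivateComputersEnabled $true `
    -WindowsFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $true `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -RemoteDocumentsActionForUnknownServers Allow `
    -RemoteDocumentsBlockedServers "hr-payroll", "hr-payroll.corp.example.com" `
    -RemoteDocumentsInternalDomainSuffixList "corp.example.com" `
    -BlockedFileTypes $blocked `
    -ActionForUnknownFileAndMIMETypes ForceSave

# Audit every Client Access server: who can reach shares from public computers, and which
# servers are blocked. Run periodically so a relaxed setting does not go unnoticed.
Get-OwaVirtualDirectory | Where-Object { $_.Name -like "owa*" } |
    Format-List Server, Name, WindowsFileAccessOnPublicComputersEnabled, `
        WindowsFileAccessOnPrivateComputersEnabled, RemoteDocumentsActionForUnknownServers, `
        RemoteDocumentsBlockedServers, RemoteDocumentsInternalDomainSuffixList, `
        BlockedFileTypes, ActionForUnknownFileAndMIMETypes
```

The read-then-extend step for BlockedFileTypes matters because the parameter replaces the entire list; passing only your own extensions would silently drop the defaults Microsoft ships.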


Accessing the share via Outlook Web Access

Log into Outlook Web Access using Internet Explorer; the file share feature is not available from Firefox (although, judging from the Beta, this appears to be resolved in Exchange 2010). If the administrator configured different permissions for 'private' and 'public' computers, be sure to select the correct login option.
Once logged in, click on the Documents link in the bottom left-hand corner:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

Select the option to Open Location:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

Type in the server and share address in the form "\\server1\share".

A list of available files will be displayed:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

Selecting the file will allow you to open it or save it to disk:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

You can also view the file share within Windows Explorer, effectively allowing you to work from the folder as if you had mapped a drive to the share directly.
Links to files or shares contained within email messages can be selected directly, provided that they are in the correct format, including the full path to the server share.

Access to remote file shares is also possible from Windows Mobile devices, provided that they are running version 6 or later of the Windows Mobile operating system. For more information on configuring this feature read this article HERE.

Configuring remote file share access with Exchange 2007 Server ActiveSync

Exchange 2007 introduced the ability to access file shares on the local network remotely either from a PC web browser via Outlook Web Access (OWA) or directly from your Windows Mobile device without the need to first establish a VPN connection.

For details on how to configure Outlook Web Access, read this article HERE.


Configuring Exchange

File share access must be enabled on the Exchange Server within the Server ActiveSync mailbox policy. In the Exchange Management Console, browse to Organisation Configuration --> Client Access:

[Screenshot: Exchange 2007 Server ActiveSync Remote File Share Access]

Ensure that the option to enable Windows File Shares is ticked.

Specific shares can be defined within Server Configuration --> Client Access:

[Screenshot: Exchange 2007 Server ActiveSync Remote File Share Access]

The details of the file servers that should be available to OWA users are defined on the Remote File Servers tab. Click on the Block button to define those servers that should NOT be accessible. Any servers that are not explicitly blocked are automatically allowed.

The Allow list does not define those file shares that should be accessible to users, rather it defines the hosts FROM which users are connecting that should be allowed to access file shares:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

As users will typically be connecting from the Internet at large, if you want your users to have access to file shares from wherever they are, the Unknown Servers option should be set to Allow rather than Block.

To allow users to enter only the NetBIOS name of the file server they wish to access rather than its FQDN (Fully Qualified Domain Name), the Domain Suffix configuration lets the administrator add suffixes (e.g. 'domain.com') that are automatically appended to any server name users enter on their device:

[Screenshot: Exchange 2007 Outlook Web Access Remote File Share Access]

NOTE - the Exchange Server should be able to resolve these domains via DNS.

Verify that the share on the remote file server is configured with the correct user access permissions: users who cannot access the share locally via the LAN will not be able to access it from their PDA either.
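The mailbox policy side of this configuration, and the per-user policy assignment mentioned later in the Exchange ActiveSync feature notes, can also be done from the Exchange Management Shell. This is an added example, not code from the original article; the policy name Mobile-FileShare and the mailbox alias jsmith are placeholders, and the parameter names are those of the Exchange 2007 SP1 ActiveSync mailbox policy cmdlets.

```powershell
# Added example (not from the original article). Placeholders: policy name "Mobile-FileShare",
# mailbox alias "jsmith". Run in the Exchange 2007 SP1 Exchange Management Shell.

# Create the policy only if it does not exist yet (New-ActiveSyncMailboxPolicy fails on a duplicate name)
$policy = Get-ActiveSyncMailboxPolicy | Where-Object { $_.Name -eq "Mobile-FileShare" }
if ($policy -eq $null) {
    $policy = New-ActiveSyncMailboxPolicy -Name "Mobile-FileShare"
}

# UNCAccessEnabled is the "Windows File Shares" tick box on the policy; WSSAccessEnabled is
# SharePoint access. Pair share access with a device password and inactivity lock so a lost,
# unlocked device cannot be used to browse the file servers it has been given access to.
Set-ActiveSyncMailboxPolicy -Identity $policy.Identity `
    -UNCAccessEnabled $true `
    -WSSAccessEnabled $false `
    -AttachmentsEnabled $true `
    -DevicePasswordEnabled $true `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false

# Assign the policy per user; different users or groups can be given different policies
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy $policy.Identity

# Verify: which policy each ActiveSync-enabled mailbox uses, and which policies permit share access
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ActiveSyncEnabled } |
    Format-Table Name, ActiveSyncMailboxPolicy -AutoSize
Get-ActiveSyncMailboxPolicy |
    Format-Table Name, UNCAccessEnabled, WSSAccessEnabled, DevicePasswordEnabled, AllowNonProvisionableDevices -AutoSize
```

AllowNonProvisionableDevices is set to false so that a device which cannot enforce the password and lock settings is refused, rather than being allowed to sync with the file share option turned on and the protections turned off.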


Accessing files from the Windows Mobile client

NOTE - only devices running Windows Mobile 6 or later support this feature.

Because the Windows File Share access feature uses the Server ActiveSync protocol, the Windows Mobile client must be correctly configured for Server ActiveSync and have synchronised at least once successfully with the Exchange Server.

Files can be accessed either from within Internet Explorer or directly from the File Explorer application by entering a path to the remote file share in the form \\server\share\filename.xxx.
Links to files contained within email messages can be clicked on directly, provided that they are in the correct format.

NOTE - unlike Outlook Web Access, which lets users open the share itself and browse a list of the files within it, Windows Mobile devices must request the specific file that is to be accessed.

Enabling RPC via HTTP on Exchange 2007

RPC over HTTP(S) is the technical term for ‘Outlook Anywhere’ – the technology that allows you to access Exchange from an Outlook client over any Internet connection as if you were connected via the local network.

Outlook Anywhere is similar to the Server ActiveSync protocol used by Windows Mobile devices in that it is used to synchronise email, contacts and calendar with the client device. Whereas Server ActiveSync can only synchronise data with a specific user mailbox, however, Outlook Anywhere gives the user the full functionality of their Outlook client remotely – including access to mailboxes other than their own (should they have permission to), public folders, and everything else they can do when connected locally in the office.

RPC stands for Remote Procedure Call. Whenever you perform an action in Outlook that requires a response from the Exchange server, Outlook sends a remote procedure call to the Exchange server and gets a response back.

Outlook Anywhere wraps these remote procedure calls in an HTTPS connection, encrypted using the server's digital certificate, and sends them to the Exchange server over the Internet – hence RPC over HTTPS.


Install RPC over HTTP Proxy Service

You first need to install the RPC over HTTP proxy service. This is a component of the Windows Server operating system and is installed via the Add/Remove Windows Components applet within the Control Panel. It is located under Networking Services (assuming you are running Server 2003 rather than Server 2008):

[Screenshot: Enabling RPC via HTTP on Exchange 2007]


Enable Outlook Anywhere

The Outlook Anywhere function is enabled within the Exchange Management Console. Expand the Server Configuration container and select the Client Access folder:

[Screenshot: Enabling RPC via HTTP on Exchange 2007]

Select the option to Enable Outlook Anywhere – a wizard will be displayed:

[Screenshot: Enabling RPC via HTTP on Exchange 2007]

Enter the external name of the server and configure the authentication options to be used.
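The wizard's work can also be done, and then verified, from the Exchange Management Shell. The block below is an added example and not code from the original article: CAS01, mail.example.com and jsmith@example.com are placeholders, and it assumes the RPC over HTTP Proxy component has already been installed as described above.

```powershell
# Added example (not from the original article). Placeholders: Client Access server "CAS01",
# external name "mail.example.com", test mailbox "jsmith@example.com". Run in the Exchange 2007
# Exchange Management Shell on CAS01, after the RPC over HTTP Proxy Windows component is installed.

# The external host name must be the name in the server's SSL certificate, because Outlook is
# later configured to connect only to a proxy whose certificate carries that principal name.
# Basic authentication is acceptable only because the RPC traffic is wrapped in HTTPS; NTLM avoids
# transmitting the password itself but is often broken by intermediate HTTP proxies.
# -ExternalAuthenticationMethod is the Exchange 2007 parameter name (later versions renamed it).
Enable-OutlookAnywhere -Server "CAS01" `
    -ExternalHostname "mail.example.com" `
    -ExternalAuthenticationMethod Basic `
    -SSLOffloading $false

# Confirm the settings were written
Get-OutlookAnywhere -Server "CAS01" |
    Format-List Server, ExternalHostname, ExternalAuthenticationMethod, SSLOffloading

# Check the certificate bound to IIS on this server: it must cover the external name, must not
# have expired, and Issuer tells you whether it is self-signed (Issuer equals Subject) or CA-issued
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, Issuer, NotAfter

# End-to-end check of Autodiscover and the Outlook Anywhere endpoint for a test mailbox
Test-OutlookWebServices -Identity "jsmith@example.com" | Format-Table Id, Type, Message -AutoSize
```

If the certificate check shows CertificateDomains that do not include the external name entered in the wizard, Outlook's principal-name check will fail at the later client configuration step even though the server side looks healthy.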


Install the SSL certificate on the client PC

Before you can use Outlook to connect to the Exchange server via RPC over HTTPS, you will first need to install the correct SSL certificate onto the client PC so that it can validate the certificate used by the Exchange server. This is only necessary if you are using a self-issued certificate; if the Exchange server uses a certificate from a trusted root CA, skip this step.

The certificate that needs to be installed on the client PC is not the certificate used by the RPC virtual directory on the Exchange server, but the root certificate of the Certificate Authority that issued the certificate to the RPC directory.

To locate this certificate, log into the server that has the Certificate Authority service installed on it. This may well be the Exchange server itself, it depends on how your network is deployed.

On the server that is acting as the CA, open the Control Panel and open Internet Options.

Click on the Security tab and then on the Certificates button.

Click on the Trusted Root Certification Authorities tab.

[Screenshot: Enabling RPC via HTTP on Exchange 2007]

Locate the certificate issued by the CA and export it as a CER file. Copy this file to the client PC.

On the client PC double click the CER file to install it. Select the option to install it to the Trusted Root Certification Authorities folder.

[Screenshot: Enabling RPC via HTTP on Exchange 2007]
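The export, import and a check that the chain actually validates can be scripted instead of clicking through the dialogs. This is an added example, not part of the original article: the file paths and mail.example.com are placeholders, it uses certutil (shipped with Windows) for the store operations and .NET's X509Chain from PowerShell for the verification, and the comments say which machine each part runs on.

```powershell
# Added example (not from the original article). Placeholders: file paths, "mail.example.com".
# Uses certutil (part of Windows) and .NET X509Chain; comments mark which machine each part runs on.

# --- On the Certificate Authority server: export the CA's own certificate (public part only) ---
certutil -ca.cert "C:\temp\corp-root-ca.cer"
# Inspect before distributing it: Subject, Issuer (equal for a root CA) and the validity dates
certutil -dump "C:\temp\corp-root-ca.cer"

# --- On the Exchange server (Exchange Management Shell): export the public part of the IIS certificate ---
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
[System.IO.File]::WriteAllBytes("C:\temp\mail-example-com.cer", $iisCert.Export("Cert"))

# --- On the client PC (elevated): trust the root for the whole machine, then verify the chain ---
certutil -addstore -f Root "C:\temp\corp-root-ca.cer"

$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\temp\mail-example-com.cer"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"   # an internal CA rarely publishes a CRL reachable from the Internet
if ($chain.Build($serverCert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK; anchored at trusted root: " + $root.Subject
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: " + $_.Status + " " + $_.StatusInformation }
}

# The value Outlook needs in the msstd: field later is the certificate's subject common name
"Principal name for Outlook: msstd:" + $serverCert.GetNameInfo("SimpleName", $false)
```

Importing into the machine Root store (rather than the current user's) means every account on the PC trusts the CA; only do that for a CA your organisation controls, and never import the Exchange server's own certificate as a root.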


Configure the Outlook Client

NOTE – to use Outlook via RPC over HTTPS you will require Outlook 2003 or later.

Create a new Outlook profile if required.

Select the option to create an Exchange Server account.

[Screenshot: Enabling RPC via HTTP on Exchange 2007]

In the Server Name field enter the LOCAL address of the Exchange server (i.e. the machine name, or the NetBIOS name).

Enter your username.

DO NOT CLICK NEXT at this point; click on the More Settings button.

You may receive an error saying that the Exchange server cannot be contacted, click OK. A further window will be displayed asking you to verify the address of the Exchange server, click Cancel.

The More Settings window will now be displayed. Click on the Connection tab:

[Screenshot: Enabling RPC via HTTP on Exchange 2007]

Tick the option to Connect to Microsoft Exchange using HTTP. Click on the Exchange Proxy Settings button:

[Screenshot: Enabling RPC via HTTP on Exchange 2007]

Enter the external web address of the Exchange server (i.e. the address used for Outlook Web Access) in the fields as shown above. In the second text field, the ‘msstd:’ prefix is required!

Click OK, OK again, Next and then Finish.

Now launch Microsoft Outlook.

You will be prompted to enter your NT domain login credentials:

[Screenshot: Enabling RPC via HTTP on Exchange 2007]

Enter your username in the form ‘DOMAIN\Username’.

You will now be connected to the Exchange server:

[Screenshot: Enabling RPC via HTTP on Exchange 2007]

Exchange 2007 Features


Architecture

It has always been possible to run Exchange on a single server, indeed the Small Business Server product is designed as a complete one-box solution for small and medium-sized businesses. However the ability to deploy different server roles onto different boxes offers increased security, scalability and flexibility.

It was Exchange 2000 that first offered the concept of front-end servers: an optional method of deploying an Exchange server to ‘load-balance’ incoming client requests to the correct back-end mailbox server, which also meant that users need only remember one server address when accessing their email via Outlook Web Access (OWA) or Exchange ActiveSync (EAS), regardless of where their mailbox is physically located.

Exchange 2007 has expanded on this approach, allowing the administrator to allocate specific Exchange-based roles to specific servers and deploy a ‘distributed’ messaging infrastructure.

An Exchange 2007 deployment can be separated into the following roles:

  • Client Access – similar to a front-end server in an Exchange 2000 or 2003 installation. This server receives incoming client requests and directs them to the correct back-end mailbox server. This server runs Outlook Web Access, Server ActiveSync, POP & IMAP (if enabled) as well as receiving RPC over HTTP(s) requests.
  • Mailbox – stores user mailboxes and public folders.
  • Hub Transport – routes all messages, be they between users on the same mailbox server, from Unified Messaging servers, or external messages from Edge servers. Also enforces the messaging policy for messages moving within and outside the company (size limits, number of recipients allowed, etc).
  • Unified Messaging – enables PBX integration to allow voice mail and fax messages to be delivered to the user’s Exchange mailbox. Also provides a ‘voice dial-in’ feature enabling users to dial into their mailbox to have voicemails played back or emails ‘read’ to them. This feature is known as Outlook Voice Access, which I will look at in more detail.
  • Edge Transport – can reside outside the company network and provides routing, anti-spam and anti-virus services.

[Screenshot: Exchange 2007 Features]

The Edge Transport server can be placed in a DMZ environment with no requirement for any inbound TCP ports to be open to the internal network. The Hub Transport server establishes an outbound-initiated connection with the Edge Transport server using a protocol designed for purpose called EdgeSync.

The EdgeSync protocol also sends information to the Edge Transport server on existing mailboxes and addresses as well as safe-sender lists to reduce the number of requests to the internal network to verify the validity of spam messages.

The Client Access Server should not be placed in the DMZ, despite being Internet-facing, due to the fact that it needs to be able to issue RPC requests to the Active Directory.

Exchange 2007 supports an unlimited information store database size. Standard edition supports up to 5 storage groups and databases per server, Enterprise Edition up to 50.

Possibly the biggest difference with Exchange 2007 is that it can only be installed on 64-bit hardware and the 64-bit version of the Server 2003 operating system (Server 2008 also only being available in 64-bit). In real terms this means that the operating system can address up to 16 Exabytes of memory (2^64 bytes), as opposed to the 4GB supported by 32-bit systems.


New Features

Increased security – with Exchange 2007, all messages sent between servers within the same organisation are encrypted using TLS (Transport Layer Security). All client communications, be they via OWA, ActiveSync or RPC over HTTP are all encrypted using SSL.

All Exchange 2007 servers are configured with a self-signed SSL certificate automatically.

Exchange Management Console – the Exchange Management Console has been reorganised to reflect the role-based architecture of Exchange 2007. With Exchange 2007, Exchange Administrative Groups have been done away with. Permissions are now delegated at the organisation level. Administrative groups allowed for permissions to be assigned to specific groups, but once created were quite limiting: a server could not be moved between administrative groups, for example. Routing Groups have also been done away with, Exchange 2007 instead using the existing Active Directory Sites and Site Links topology to route email between Exchange servers within the same organisation.

[Screenshot: Exchange 2007 Features]

  • Organisation Configuration allows you to configure Exchange global data that applies to all servers running a particular server role.
  • Server Configuration allows you to manage the servers based on their roles. You can use this area to configure all of the Exchange servers and their child objects.
  • Recipient Configuration allows you to manage the Exchange recipients.
  • The Toolbox provides a central location for Exchange administrative tools and troubleshooters.

Exchange Management Shell – the Management Shell is a command-line scripting technology that allows the administrator to perform complicated actions against a number of sources, including the mailbox database and Active Directory, with minimal code and avoiding the need to ‘point and click’ within the Management Console.

Outlook AutoDiscover – this feature removes the need for users to know the name of their Exchange server when creating an Exchange profile within Outlook. All the user needs to know is their username, password and email address.

When the user enters their email address, the Outlook client performs an MX lookup via DNS to locate the Exchange server for the domain. A configuration request is then issued to the Exchange server, which is accepted by the Client Access Server. The appropriate configuration information is then returned to the client automatically. This requires a DNS entry for 'autodiscover.domain.com'.

Improved Outlook Web Access – Exchange 2007 OWA has been updated to have a general look and feel more like Outlook 2007, to ‘streamline the user experience’ as marketing types might say. One immediately apparent difference is the login screen, which gives users the option of specifying whether they are connecting from a ‘public’ (i.e. untrusted) or ‘private’ (i.e. trusted) computer:

[Screenshot: Exchange 2007 Features]

There is also the option of selecting ‘Outlook Web Access Light’ which only displays a reduced amount of features. Microsoft say this mode is useful for those accessing OWA over a slow Internet connection. Actually ‘light’ mode looks in IE how ‘full’ mode looks in all browsers other than IE. Indeed OWA 2007 in Firefox doesn’t give you access to any of the more advanced features that are available in Internet Explorer.

[Screenshot: Exchange 2007 Features]

OWA Share Access – Exchange 2007 Outlook Web Access provides users with the ability to access Sharepoint or file shares enabling centralised access to information remotely, without the need for a VPN connection.

Within the properties of the OWA web site within the Exchange Management Console, the administrator can allow or disallow both File Share and Sharepoint access:

[Screenshot: Exchange 2007 Features]

Different access rights can be granted depending on whether the user is connecting in from a ‘private’ computer or a ‘public’ computer (which users specify when they log in).

[Screenshot: Exchange 2007 Features]

The administrator can then explicitly allow or disallow file shares on specific servers. The domain suffix can also be entered so that users need only enter the name of the server rather than its FQDN.

Within OWA, there is an entry for Documents along with the usual Mail, Contacts, Calendar, Tasks, etc:

[Screenshot: Exchange 2007 Features]

Selecting the option to Open Location allows the user to enter the name of a file share (for example, ‘\\UKFILE01\’). Provided that the administrator has allowed access to this share, the contents of the directory are listed in the IE window, with the option of ‘view in Windows Explorer’, in exactly the same way that FTP sites are handled by IE.

OWA Document Viewing – Outlook Web Access 2007 also has the ability to convert a variety of document types into HTML so that the document can be viewed on the client in a browser window, even if the application that was used to create the document is not installed on the client. Formats include Word, Excel, Powerpoint and PDF files.

Flexible Out of Office Rules – this feature allows the user to configure different Out of Office rules for internal and external users. Each rule can be given a start and an end date.

Unified Messaging – this feature gives users central remote access to all forms of business communications, including email, voice mail and fax messages, in one location – their Exchange Inbox. Voicemail, faxes and emails are delivered to the Inbox where they can be accessed from a range of clients – OWA, EAS, Outlook, etc. With the new Outlook Voice Access technology, users can dial into the UM Server from any ordinary telephone and access their Email, Voicemail, Contacts and Calendar. Once dialled in, users can manage their Inbox over the phone by saying commands such as 'delete message' or 'forward message', etc. I admit I have played with this feature briefly and was impressed, but did find that if there is any background noise the auto attendant got confused and there was a lot of "I'm sorry I don't understand that command" so I expect it's brilliant if you're in the car with all the windows shut and the radio off, but not so good if you're on a crowded platform.

The UM functionality requires that the Exchange Server be linked into the corporate telephone system. If an IP PBX is used, then the PBX can communicate with the UM Server directly using the SIP VoIP protocol (Session Initiation Protocol). If a legacy PBX is used, then a VoIP gateway will need to be deployed between the PBX and the UM server.

If a user’s telephone extension is not available, voicemail messages can be recorded and notification sent to the user's Inbox. That user can then dial in to listen to the message, or choose to download it as a sound file.

The UM server can also be integrated into the corporate PBX to provide an auto attendant that can transfer you to the person you wish to speak to based on the information held in the Global Address List, using Speech Recognition technology.

The diagram below gives an overview of the functionality using Outlook Voice Access, or OVA:

[Diagram: overview of Outlook Voice Access functionality (Exchange 2007 Features)]

This image is available in PDF format from the Microsoft web site, here:

http://download.microsoft.com/download/6/7/e/67ef31de-9ee0-47aa-a2ff-a89...

Users have the ability to edit some of the OVA features within OWA, as well as resetting their PIN number should they forget it:

[Screenshot: Exchange 2007 Features]

Exchange ActiveSync – Users can now manage their mobile devices through Outlook Web Access. For example, if a device is lost or stolen, the user can remotely ‘wipe’ or ‘kill’ that device through OWA without needing to speak to their corporate IT department.

[Screenshot: Exchange 2007 Features]

Administrators can now also define separate per-user or per-group ActiveSync policies with different settings, for example allowing or disallowing attachments.

Windows Mobile 6.1 devices provide users with the ability to manage their Out of Office status and messages directly from their device.

Exchange 2007 also provides the administrator with the ability to remotely manage their device fleet by deploying corporate policies defining how those devices can be used, including the ability to disable hardware and software elements on the device as well as blacklist applications.
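The administrator's side of the remote wipe described above is also available from the Exchange Management Shell, which is useful when the user cannot get to OWA. The block below is an added example and not code from the original article; the mailbox alias jsmith, the DeviceID and the notification address are placeholders.

```powershell
# Added example (not from the original article). Placeholders: mailbox alias "jsmith",
# DeviceID "ABC123DEVICEID", notification address "secops@example.com".
# Run in the Exchange 2007 Exchange Management Shell.

# 1. List the ActiveSync partnerships for the mailbox: device type, ID and last successful sync
$devices = Get-ActiveSyncDeviceStatistics -Mailbox "jsmith"
$devices | Format-Table DeviceType, DeviceID, LastSuccessSync, DeviceWipeRequestTime, DeviceWipeAckTime -AutoSize

# 2. Issue the wipe for the lost device only, selected by DeviceID, rather than wiping every partnership
$lost = $devices | Where-Object { $_.DeviceID -eq "ABC123DEVICEID" }
if ($lost -eq $null) { throw "No ActiveSync partnership with that DeviceID exists for this mailbox" }
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses "secops@example.com" -Confirm:$false

# 3. The wipe is delivered on the device's next sync and DeviceWipeAckTime is set when the device confirms it.
#    Do not reset the user's password or disable ActiveSync before the acknowledgement arrives: the device
#    must still be able to authenticate and sync in order to receive the wipe command.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Where-Object { $_.DeviceID -eq "ABC123DEVICEID" } |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Once DeviceWipeAckTime is populated the device has reported the wipe complete; that is the point at which a password reset and removal of the stale partnership make sense.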

[Screenshot: Exchange 2007 Features]

File shares can also be accessed from Windows Mobile 6.1 devices without the need for a VPN connection, in the same way that file shares can be accessed via OWA. The shares available can be defined independently from OWA:

[Screenshot: Exchange 2007 Features]


Summary

In short, then, Exchange 2007 has been developed with mobility very much the focus. The requirement for 64-bit architecture will require the purchase of new hardware for most companies and if you plan to make the most use out of a separate EdgeSync server then this will add to the cost. The question you have to ask is do the benefits outweigh the expense?