Configuring Outlook Web Access

 

By default, Outlook Web Access is enabled for all your users after you install Exchange 2003. However, you can enable the following features for Outlook Web Access:

  • Set up a logon page.

  • Configure authentication.

  • Configure security options.

  • Configure Outlook Web Access compression.

  • Simplify the Outlook Web Access URL.

Setting Up a Logon Page

You can enable a new logon page for Outlook Web Access that stores the user's name and password in a cookie instead of in the browser. When a user closes a browser, the cookie is cleared. Additionally, after a period of inactivity, the cookie is cleared automatically. The new logon page requires the user to enter a domain, user name, and password, or a full user principal name (UPN) e-mail address and password, to access e-mail.

To enable this logon page, you must first enable forms-based authentication on the server, and then secure the logon page by setting the cookie time-out period and adjusting client-side security settings.

Enabling Forms-Based Authentication

To enable the Outlook Web Access logon page, you must enable forms-based authentication on the server.

For detailed steps about enabling forms-based authentication, see How to Enable Forms-Based Authentication.

In Exchange 2003, Outlook Web Access user credentials are stored in a cookie. When the user logs off Outlook Web Access, the cookie is cleared and it is no longer valid for authentication. Additionally, by default, if your user is using a public computer, and selects the Public or shared computer option on the Outlook Web Access logon screen, the cookie on this computer expires automatically after 15 minutes of user inactivity.

The automatic time-out is valuable because it helps protect a user's account from unauthorized access. However, although the automatic time-out greatly reduces the risk of unauthorized access, it does not completely eliminate the possibility that an unauthorized user might access an Outlook Web Access account if a session is left running on a public computer. Therefore, make sure that you educate users about precautions to take to avoid risks.

To match the security requirements of your organization, an administrator can configure the inactivity time-out values on the Exchange front-end server. To configure the time-out value, you must modify the registry settings on the server.

Note

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems that result from editing the registry incorrectly might not be resolvable. Before editing the registry, back up any valuable data.

Configuring Client Security Options for Users

The Outlook Web Access logon page enables users to select the security option that best fits their requirements. The Public or shared computer option (selected by default) provides a short default time-out of 15 minutes. Users should select the Private computer option only if they are the sole operator of the computer, and the computer adheres to their organization's security policies. When selected, the Private computer option allows for a much longer period of inactivity before automatically ending the session; its internal default value is 24 hours. Essentially, this option is intended to benefit Outlook Web Access users who are using personal computers in their office or home.

To match the security requirements of your organization, an administrator can configure the inactivity time-out values.

Note

The default value for the public computer cookie time-out is fifteen minutes. To change this, you must modify the registry settings on the server.

Note

Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems that result from editing the registry incorrectly might not be resolvable. Before editing the registry, back up any valuable data.
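The time-out behavior described in the two sections above, modeled as an added example (this is not Exchange code): a session is honored until the user logs off or the inactivity window for the chosen logon option elapses, and every accepted request restarts that window. The function names and the request times are constructed for illustration; the 15-minute and 24-hour values are the defaults stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defaults stated on this page; an administrator can change them on the server.
TIMEOUTS = {
    "public": timedelta(minutes=15),   # "Public or shared computer"
    "private": timedelta(hours=24),    # "Private computer"
}

@dataclass
class Session:
    option: str               # option chosen on the logon page
    last_activity: datetime   # time of the last accepted request
    logged_off: bool = False  # logging off invalidates the cookie

def is_valid(session, now, timeouts=TIMEOUTS):
    """True while the user has not logged off and the inactivity window is open."""
    if session.logged_off:
        return False
    return now - session.last_activity < timeouts[session.option]

def touch(session, now, timeouts=TIMEOUTS):
    """Handle one request: reject it if the session expired, else slide the window."""
    if not is_valid(session, now, timeouts):
        return False
    session.last_activity = now
    return True

def usable_until(session, timeouts=TIMEOUTS):
    """Latest moment an abandoned (not logged off) session is still accepted."""
    return session.last_activity + timeouts[session.option]

def replay(option, times):
    """Log on at times[0], then replay the remaining request times in order."""
    session = Session(option, times[0])
    return [touch(session, t) for t in times[1:]]

# Constructed timeline: requests 10, 24, 40 and 41 minutes after logon.
T0 = datetime(2004, 1, 1, 9, 0)
TIMELINE = [T0 + timedelta(minutes=m) for m in (0, 10, 24, 40, 41)]

if __name__ == "__main__":
    print("public :", replay("public", TIMELINE))
    print("private:", replay("private", TIMELINE))
```

In the public case the 16-minute gap ends the session, while the same gap is accepted under the private option. This is why a session that is left open without logging off remains usable for the full inactivity window.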

Outlook Web Access Compression

Outlook Web Access supports data compression, which is optimal for slow network connections. Depending on the compression setting you use, Outlook Web Access compresses static Web pages, dynamic Web pages, or both. The following table lists the compression settings that are available in Exchange Server 2003 for Outlook Web Access.

Compression settings for Outlook Web Access

Compression setting    Description
High                   Compresses both static and dynamic pages.
Low                    Compresses only static pages.
None                   No compression is used.

Requirements for Outlook Web Access Compression

To use data compression for Outlook Web Access in Exchange Server 2003, verify that your organization meets the following prerequisites:

  • The Exchange server that users authenticate against for Outlook Web Access must be running Windows Server 2003.

  • Your users' mailboxes must be on Exchange 2003 servers. (If you have a mixed deployment of Exchange mailboxes, you can create a separate virtual server on your Exchange server just for Exchange 2003 users and enable compression on it.)

  • Client computers must be running Internet Explorer version 6 or later. The client computers must also be running Microsoft® Windows® XP or Microsoft Windows® 2000 Server and have installed on them the security update that is discussed in Microsoft Security Bulletin MS02-066, "Cumulative Patch for Internet Explorer (Q328970)."

    Note

    If a user does not have a supported browser for compression, the client computer still operates normally.

  • You may need to enable HTTP 1.1 support through proxy servers for some dial-up connections. (HTTP 1.1 support is required for compression to function correctly.)

For detailed steps about how to enable Outlook Web Access compression, see How to Enable Outlook Web Access Data Compression.

Simplifying the Outlook Web Access URL

The HTTP virtual server that is created by Exchange during installation has the following URLs for user access:

  • https://server_name/public   This URL provides access to public folders.

  • https://server_name/exchange/mailbox_name   This URL provides access to mailboxes.

However, users frequently request that a URL that is simpler than the default URL be made available for accessing their mailboxes. Creating this simple URL makes the URL both easier to remember and easier to enter in a Web browser. For example, https://www.contoso1.com is an easier URL for users to remember than https://contosoexchange01/exchange.

The following procedure provides a method for simplifying the URL that is used to access Outlook Web Access. This procedure configures a request sent to the root directory of the Web server (https://server_name/) to redirect to the Exchange virtual directory. For example, a request to https://server_name/ is directed to https://server_name/exchange/, which then triggers implicit logon.

For detailed steps about how to simplify the Outlook Web Access URL, see How to Simplify the Outlook Web Access URL.
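After the redirect is configured, it is worth confirming that a request for the site root stays on HTTPS and on the same host, and lands on the Exchange virtual directory. The following check is an added example, not part of the original procedure. It assumes the redirect is delivered as an HTTP 3xx response with a Location header; the function names and sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def check_root_redirect(request_url, status, location, target="/exchange"):
    """Return a list of problems with the server's answer to a request for the
    site root. An empty list means the redirect behaves as intended."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return [f"no redirect (status {status})"]
    problems = []
    req = urlsplit(request_url)
    dest = urlsplit(urljoin(request_url, location))  # resolves a relative Location
    if dest.scheme != "https":
        problems.append(f"redirect leaves HTTPS: {dest.scheme}://")
    if dest.hostname != req.hostname:
        problems.append(f"redirect changes host to {dest.hostname}")
    if dest.path.rstrip("/").lower() != target:
        problems.append(f"redirect goes to {dest.path!r}, not {target}/")
    return problems

def fetch_root(host, timeout=10):
    """Request https://host/ once, without following the redirect."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed responses (request URL, status, Location header).
SAMPLES = [
    ("https://server_name/", 302, "/exchange/"),                    # intended
    ("https://server_name/", 302, "http://server_name/exchange/"),  # drops TLS
    ("https://server_name/", 200, None),                            # not configured
]

def run_samples():
    """Evaluate each constructed response and return the findings per sample."""
    return [check_root_redirect(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, findings in zip(SAMPLES, run_samples()):
        print(sample[2], "->", findings or "OK")
```

To check a live server, pass the result of `fetch_root("server_name")` to `check_root_redirect("https://server_name/", status, location)`.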